chore: move rules to new folders (SigmaHQ#4205)

bazops · May 2, 2023 · 637d610 · 637d610
1 parent 03f3f77
commit 637d610
Show file tree

Hide file tree

Showing 203 changed files with 145 additions and 32 deletions.
diff --git a/...n_win_malware_trickbot_recon_activity.yml → ...n_win_malware_trickbot_recon_activity.yml b/...n_win_malware_trickbot_recon_activity.yml → ...n_win_malware_trickbot_recon_activity.yml
@@ -3,14 +3,14 @@ id: 410ad193-a728-4107-bc79-4419789fcbf8
 related:
     - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
       type: similar
-status: test
+status: deprecated
 description: Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.
 references:
     - https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/
     - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
 author: David Burkett, Florian Roth
 date: 2019/12/28
-modified: 2023/02/02
+modified: 2023/04/28
 tags:
     - attack.discovery
     - attack.t1482

diff --git a/...n_security_group_modification_logging.yml → ...n_security_group_modification_logging.yml b/...n_security_group_modification_logging.yml → ...n_security_group_modification_logging.yml
@@ -1,12 +1,12 @@
 title: Group Modification Logging
 id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
-status: stable
+status: deprecated
 description: |
   Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
   Sigma detects
-  Event ID 4728 indicates a ‘Member is added to a Security Group’.
-  Event ID 4729 indicates a ‘Member is removed from a Security enabled-group’ .
-  Event ID 4730 indicates a ‘Security Group is deleted’.
+  Event ID 4728 indicates a "Member is added to a Security Group".
+  Event ID 4729 indicates a "Member is removed from a Security enabled-group".
+  Event ID 4730 indicates a "Security Group is deleted".
   The case is not applicable for Unix OS.
   Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.
 references:
@@ -21,6 +21,7 @@ references:
     - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634
 author: Alexandr Yampolskyi, SOC Prime
 date: 2019/03/26
+modified: 2023/04/26
 # tags:
     # - CSC4
     # - CSC4.8
@@ -53,12 +54,12 @@ logsource:
 detection:
     selection:
         EventID:
-            - 4728
-            - 4729
-            - 4730
-            - 633
-            - 632
-            - 634
+            - 4728 # A member was added to a security-enabled global group
+            - 4729 # A member was removed from a security-enabled global group
+            - 4730 # A security-enabled global group was deleted
+            - 633 # Security Enabled Global Group Member Removed
+            - 632 # Security Enabled Global Group Member Added
+            - 634 # Security Enabled Global Group Deleted
     condition: selection
 falsepositives:
     - Unknown

diff --git a/documentation/logsource-guides/windows/service/security.md b/documentation/logsource-guides/windows/service/security.md
@@ -427,6 +427,7 @@ If you want to learn more about this sub-category. You can do so via MSDN - [Lea
 - Event Volume: `Low`
 - API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)
 - EventID(s):
+  - `4728`
   - `4731`
   - `4732`
   - `4733`
@@ -2640,6 +2641,7 @@ TBD
 - [4725: A user account was disabled.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4725)
 - [4726: A user account was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4726)
 - [4727: A security-enabled global group was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4727)
+- 4728: A member was added to a security-enabled global group
 - [4729: A member was removed from a security-enabled global group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4729)
 - [4730: A security-enabled global group was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4730)
 - [4731: A security-enabled local group was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4731)
@@ -2902,7 +2904,7 @@ TBD
 - [5478: IPsec Services has started successfully.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5478)
 - 5479: IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
 - 5480: IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
-- 5483: IPsec Services failed to initialize RPC server. IPsec Services could not be started.]
+- 5483: IPsec Services failed to initialize RPC server. IPsec Services could not be started.
 - 5484: IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
 - 5485: IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
 - [5632: A request was made to authenticate to a wireless network.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5632)

diff --git a/...eb_cve_2010_5278_exploitation_attempt.yml → ...eb_cve_2010_5278_exploitation_attempt.yml b/...eb_cve_2010_5278_exploitation_attempt.yml → ...eb_cve_2010_5278_exploitation_attempt.yml
diff --git a/...ver_generic/web_cve_2014_6287_hfs_rce.yml → ...E-2014-6287/web_cve_2014_6287_hfs_rce.yml b/...ver_generic/web_cve_2014_6287_hfs_rce.yml → ...E-2014-6287/web_cve_2014_6287_hfs_rce.yml
diff --git a/...reation/proc_creation_win_apt_zxshell.yml → ...A/Axiom/proc_creation_win_apt_zxshell.yml b/...reation/proc_creation_win_apt_zxshell.yml → ...A/Axiom/proc_creation_win_apt_zxshell.yml
@@ -4,6 +4,7 @@ status: test
 description: Detects a ZxShell start by the called and well-known function name
 references:
     - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
+    - https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/116309e7121bc8b0e66e4166c06f7b818e1d3629.pdf
 author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
 date: 2017/07/20
 modified: 2021/11/27

diff --git a/...ation_win_apt_turla_commands_critical.yml → ...ation_win_apt_turla_commands_critical.yml b/...ation_win_apt_turla_commands_critical.yml → ...ation_win_apt_turla_commands_critical.yml
diff --git a/...c_creation_win_apt_turla_comrat_may20.yml → ...c_creation_win_apt_turla_comrat_may20.yml b/...c_creation_win_apt_turla_comrat_may20.yml → ...c_creation_win_apt_turla_comrat_may20.yml
diff --git a/...oc_creation_win_exploit_cve_2015_1641.yml → ...oc_creation_win_exploit_cve_2015_1641.yml b/...oc_creation_win_exploit_cve_2015_1641.yml → ...oc_creation_win_exploit_cve_2015_1641.yml
diff --git a/...oc_creation_win_exploit_cve_2017_0261.yml → ...oc_creation_win_exploit_cve_2017_0261.yml b/...oc_creation_win_exploit_cve_2017_0261.yml → ...oc_creation_win_exploit_cve_2017_0261.yml
diff --git a/...c_creation_win_exploit_cve_2017_11882.yml → ...c_creation_win_exploit_cve_2017_11882.yml b/...c_creation_win_exploit_cve_2017_11882.yml → ...c_creation_win_exploit_cve_2017_11882.yml
diff --git a/...oc_creation_win_exploit_cve_2017_8759.yml → ...oc_creation_win_exploit_cve_2017_8759.yml b/...oc_creation_win_exploit_cve_2017_8759.yml → ...oc_creation_win_exploit_cve_2017_8759.yml
diff --git a/...tion/proc_creation_win_malware_adwind.yml → ...-RAT/proc_creation_win_malware_adwind.yml b/...tion/proc_creation_win_malware_adwind.yml → ...-RAT/proc_creation_win_malware_adwind.yml
diff --git a/...on/proc_creation_win_malware_fireball.yml → ...ll/proc_creation_win_malware_fireball.yml b/...on/proc_creation_win_malware_fireball.yml → ...ll/proc_creation_win_malware_fireball.yml
diff --git a/...on/proc_creation_win_malware_notpetya.yml → ...ya/proc_creation_win_malware_notpetya.yml b/...on/proc_creation_win_malware_notpetya.yml → ...ya/proc_creation_win_malware_notpetya.yml
diff --git a/..._win_malware_plugx_susp_exe_locations.yml → ..._win_malware_plugx_susp_exe_locations.yml b/..._win_malware_plugx_susp_exe_locations.yml → ..._win_malware_plugx_susp_exe_locations.yml
diff --git a/...on/proc_creation_win_malware_wannacry.yml → ...ry/proc_creation_win_malware_wannacry.yml b/...on/proc_creation_win_malware_wannacry.yml → ...ry/proc_creation_win_malware_wannacry.yml
diff --git a/...c_creation_win_apt_apt10_cloud_hopper.yml → ...c_creation_win_apt_apt10_cloud_hopper.yml b/...c_creation_win_apt_apt10_cloud_hopper.yml → ...c_creation_win_apt_apt10_cloud_hopper.yml
diff --git a/...on/proc_creation_win_apt_ta17_293a_ps.yml → ...ly/proc_creation_win_apt_ta17_293a_ps.yml b/...on/proc_creation_win_apt_ta17_293a_ps.yml → ...ly/proc_creation_win_apt_ta17_293a_ps.yml
@@ -6,7 +6,7 @@ references:
     - https://www.us-cert.gov/ncas/alerts/TA17-293A
 author: Florian Roth (Nextron Systems)
 date: 2017/10/22
-modified: 2021/11/27
+modified: 2023/05/02
 tags:
     - attack.defense_evasion
     - attack.g0035
@@ -17,7 +17,9 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine: 'ps.exe -accepteula'
+        CommandLine|contains|all:
+            - 'ps.exe -accepteula'
+            - '-s cmd /c netstat'
     condition: selection
 falsepositives:
     - Renamed SysInternals tool

diff --git a/...n_win_apt_lazarus_binary_masquerading.yml → ...n_win_apt_lazarus_binary_masquerading.yml b/...n_win_apt_lazarus_binary_masquerading.yml → ...n_win_apt_lazarus_binary_masquerading.yml
diff --git a/...8_13379_fortinet_preauth_read_exploit.yml → ...8_13379_fortinet_preauth_read_exploit.yml b/...8_13379_fortinet_preauth_read_exploit.yml → ...8_13379_fortinet_preauth_read_exploit.yml
diff --git a/...ic/web_cve_2018_2894_weblogic_exploit.yml → ...94/web_cve_2018_2894_weblogic_exploit.yml b/...ic/web_cve_2018_2894_weblogic_exploit.yml → ...94/web_cve_2018_2894_weblogic_exploit.yml
diff --git a/...ation/proc_creation_win_malware_elise.yml → ...kdoor/proc_creation_win_malware_elise.yml b/...ation/proc_creation_win_malware_elise.yml → ...kdoor/proc_creation_win_malware_elise.yml
diff --git a/...creation_win_apt_apt27_emissary_panda.yml → ...creation_win_apt_apt27_emissary_panda.yml b/...creation_win_apt_apt27_emissary_panda.yml → ...creation_win_apt_apt27_emissary_panda.yml
diff --git a/...creation/proc_creation_win_apt_sofacy.yml → ...TA/APT28/proc_creation_win_apt_sofacy.yml b/...creation/proc_creation_win_apt_sofacy.yml → ...TA/APT28/proc_creation_win_apt_sofacy.yml
diff --git a/...ozy_bear_phishing_campaign_indicators.yml → ...ozy_bear_phishing_campaign_indicators.yml b/...ozy_bear_phishing_campaign_indicators.yml → ...ozy_bear_phishing_campaign_indicators.yml
diff --git a/...pt_apt29_phishing_campaign_indicators.yml → ...pt_apt29_phishing_campaign_indicators.yml b/...pt_apt29_phishing_campaign_indicators.yml → ...pt_apt29_phishing_campaign_indicators.yml
diff --git a/..._creation_win_apt_muddywater_activity.yml → ..._creation_win_apt_muddywater_activity.yml b/..._creation_win_apt_muddywater_activity.yml → ..._creation_win_apt_muddywater_activity.yml
diff --git a/...on/proc_creation_win_apt_oilrig_mar18.yml → ...ig/proc_creation_win_apt_oilrig_mar18.yml b/...on/proc_creation_win_apt_oilrig_mar18.yml → ...ig/proc_creation_win_apt_oilrig_mar18.yml
diff --git a/.../OilRig/win_security_apt_oilrig_mar18.yml → .../OilRig/win_security_apt_oilrig_mar18.yml b/.../OilRig/win_security_apt_oilrig_mar18.yml → .../OilRig/win_security_apt_oilrig_mar18.yml
diff --git a/...18/OilRig/win_system_apt_oilrig_mar18.yml → ...TA/OilRig/win_system_apt_oilrig_mar18.yml b/...18/OilRig/win_system_apt_oilrig_mar18.yml → ...TA/OilRig/win_system_apt_oilrig_mar18.yml
diff --git a/...ation/proc_creation_win_apt_slingshot.yml → ...gshot/proc_creation_win_apt_slingshot.yml b/...ation/proc_creation_win_apt_slingshot.yml → ...gshot/proc_creation_win_apt_slingshot.yml
diff --git a/...n/security/win_security_apt_slingshot.yml → .../Slingshot/win_security_apt_slingshot.yml b/...n/security/win_security_apt_slingshot.yml → .../Slingshot/win_security_apt_slingshot.yml
diff --git a/...n/proc_creation_win_apt_tropictrooper.yml → ...r/proc_creation_win_apt_tropictrooper.yml b/...n/proc_creation_win_apt_tropictrooper.yml → ...r/proc_creation_win_apt_tropictrooper.yml
@@ -3,7 +3,7 @@ id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
 status: stable
 description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
 references:
-    - https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
+    - https://www.microsoft.com/en-us/security/blog/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
 author: '@41thexplorer, Microsoft Defender ATP'
 date: 2019/11/12
 modified: 2020/08/27

diff --git a/...oc_creation_win_exploit_other_bearlpe.yml → ...oc_creation_win_exploit_other_bearlpe.yml b/...oc_creation_win_exploit_other_bearlpe.yml → ...oc_creation_win_exploit_other_bearlpe.yml
diff --git a/...eb_cve_2019_11510_pulsesecure_exploit.yml → ...eb_cve_2019_11510_pulsesecure_exploit.yml b/...eb_cve_2019_11510_pulsesecure_exploit.yml → ...eb_cve_2019_11510_pulsesecure_exploit.yml
diff --git a/...oc_creation_win_exploit_cve_2019_1378.yml → ...oc_creation_win_exploit_cve_2019_1378.yml b/...oc_creation_win_exploit_cve_2019_1378.yml → ...oc_creation_win_exploit_cve_2019_1378.yml
diff --git a/...oc_creation_win_exploit_cve_2019_1388.yml → ...oc_creation_win_exploit_cve_2019_1388.yml b/...oc_creation_win_exploit_cve_2019_1388.yml → ...oc_creation_win_exploit_cve_2019_1388.yml
diff --git a/...ric/web_cve_2019_19781_citrix_exploit.yml → ...781/web_cve_2019_19781_citrix_exploit.yml b/...ric/web_cve_2019_19781_citrix_exploit.yml → ...781/web_cve_2019_19781_citrix_exploit.yml
diff --git a/..._generic/web_cve_2019_3398_confluence.yml → ...019-3398/web_cve_2019_3398_confluence.yml b/..._generic/web_cve_2019_3398_confluence.yml → ...019-3398/web_cve_2019_3398_confluence.yml
diff --git a/...n/proc_creation_win_malware_babyshark.yml → ...k/proc_creation_win_malware_babyshark.yml b/...n/proc_creation_win_malware_babyshark.yml → ...k/proc_creation_win_malware_babyshark.yml
diff --git a/...tion/proc_creation_win_malware_dridex.yml → ...idex/proc_creation_win_malware_dridex.yml b/...tion/proc_creation_win_malware_dridex.yml → ...idex/proc_creation_win_malware_dridex.yml
diff --git a/...tion/proc_creation_win_malware_dtrack.yml → ...-RAT/proc_creation_win_malware_dtrack.yml b/...tion/proc_creation_win_malware_dtrack.yml → ...-RAT/proc_creation_win_malware_dtrack.yml
diff --git a/...tion/proc_creation_win_malware_emotet.yml → ...otet/proc_creation_win_malware_emotet.yml b/...tion/proc_creation_win_malware_emotet.yml → ...otet/proc_creation_win_malware_emotet.yml
diff --git a/...on/proc_creation_win_malware_formbook.yml → ...ok/proc_creation_win_malware_formbook.yml b/...on/proc_creation_win_malware_formbook.yml → ...ok/proc_creation_win_malware_formbook.yml
diff --git a/...ion_win_malware_lockergoga_ransomware.yml → ...ion_win_malware_lockergoga_ransomware.yml b/...ion_win_malware_lockergoga_ransomware.yml → ...ion_win_malware_lockergoga_ransomware.yml
diff --git a/...eation/proc_creation_win_malware_qbot.yml → ...e/QBot/proc_creation_win_malware_qbot.yml b/...eation/proc_creation_win_malware_qbot.yml → ...e/QBot/proc_creation_win_malware_qbot.yml
diff --git a/...eation/proc_creation_win_malware_ryuk.yml → ...e/Ryuk/proc_creation_win_malware_ryuk.yml b/...eation/proc_creation_win_malware_ryuk.yml → ...e/Ryuk/proc_creation_win_malware_ryuk.yml
diff --git a/...reation_win_malware_snatch_ransomware.yml → ...reation_win_malware_snatch_ransomware.yml b/...reation_win_malware_snatch_ransomware.yml → ...reation_win_malware_snatch_ransomware.yml
diff --git a/..._creation_win_apt_aptc12_bluemushroom.yml → ..._creation_win_apt_aptc12_bluemushroom.yml b/..._creation_win_apt_aptc12_bluemushroom.yml → ..._creation_win_apt_aptc12_bluemushroom.yml
diff --git a/...reation_win_apt_apt31_judgement_panda.yml → ...reation_win_apt_apt31_judgement_panda.yml b/...reation_win_apt_apt31_judgement_panda.yml → ...reation_win_apt_apt31_judgement_panda.yml
diff --git a/..._creation_win_apt_bear_activity_gtr19.yml → ..._creation_win_apt_bear_activity_gtr19.yml b/..._creation_win_apt_bear_activity_gtr19.yml → ..._creation_win_apt_bear_activity_gtr19.yml
diff --git a/...ey/proc_creation_win_apt_empiremonkey.yml → ...ey/proc_creation_win_apt_empiremonkey.yml b/...ey/proc_creation_win_apt_empiremonkey.yml → ...ey/proc_creation_win_apt_empiremonkey.yml
diff --git a/...tion_win_apt_equationgroup_dll_u_load.yml → ...tion_win_apt_equationgroup_dll_u_load.yml b/...tion_win_apt_equationgroup_dll_u_load.yml → ...tion_win_apt_equationgroup_dll_u_load.yml
diff --git a/...da/proc_creation_win_apt_mustangpanda.yml → ...da/proc_creation_win_apt_mustangpanda.yml b/...da/proc_creation_win_apt_mustangpanda.yml → ...da/proc_creation_win_apt_mustangpanda.yml
diff --git a/rules-emerging-threats/2019/TA/Operation-Wocao/README.md b/rules-emerging-threats/2019/TA/Operation-Wocao/README.md
@@ -0,0 +1,9 @@
+# Operation Wocao
+
+## Summary
+
+Operation Wocao (我操, “Wǒ cāo”, used as “shit” or “damn”) is the name that Fox-IT uses to describe the hacking activities of a Chinese based hacking group.
+
+You can find more information on the threat in the following articles:
+
+- [Operation Wocao Shining a light on one of China’s hidden hacking groups](https://web.archive.org/web/20200215212348/https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf)
diff --git a/..._creation/proc_creation_win_apt_wocao.yml → ...ion-Wocao/proc_creation_win_apt_wocao.yml b/..._creation/proc_creation_win_apt_wocao.yml → ...ion-Wocao/proc_creation_win_apt_wocao.yml
diff --git a/...iltin/security/win_security_apt_wocao.yml → ...peration-Wocao/win_security_apt_wocao.yml b/...iltin/security/win_security_apt_wocao.yml → ...peration-Wocao/win_security_apt_wocao.yml
@@ -3,7 +3,8 @@ id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
 status: test
 description: Detects activity mentioned in Operation Wocao report
 references:
-    - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
+    - https://web.archive.org/web/20200226212615/https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
+    - https://web.archive.org/web/20200226212615/https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf
     - https://twitter.com/SBousseaden/status/1207671369963646976
 author: Florian Roth (Nextron Systems), frack113
 date: 2019/12/20

diff --git a/...ic/web_cve_2020_0688_exchange_exploit.yml → ...88/web_cve_2020_0688_exchange_exploit.yml b/...ic/web_cve_2020_0688_exchange_exploit.yml → ...88/web_cve_2020_0688_exchange_exploit.yml
diff --git a/..._generic/web_cve_2020_0688_msexchange.yml → ...020-0688/web_cve_2020_0688_msexchange.yml b/..._generic/web_cve_2020_0688_msexchange.yml → ...020-0688/web_cve_2020_0688_msexchange.yml
diff --git a/...web_cve_2020_10148_solarwinds_exploit.yml → ...web_cve_2020_10148_solarwinds_exploit.yml b/...web_cve_2020_10148_solarwinds_exploit.yml → ...web_cve_2020_10148_solarwinds_exploit.yml
diff --git a/...c_creation_win_exploit_cve_2020_10189.yml → ...c_creation_win_exploit_cve_2020_10189.yml b/...c_creation_win_exploit_cve_2020_10189.yml → ...c_creation_win_exploit_cve_2020_10189.yml
diff --git a/...oc_creation_win_exploit_cve_2020_1048.yml → ...oc_creation_win_exploit_cve_2020_1048.yml b/...oc_creation_win_exploit_cve_2020_1048.yml → ...oc_creation_win_exploit_cve_2020_1048.yml
diff --git a/...oc_creation_win_exploit_cve_2020_1350.yml → ...oc_creation_win_exploit_cve_2020_1350.yml b/...oc_creation_win_exploit_cve_2020_1350.yml → ...oc_creation_win_exploit_cve_2020_1350.yml
diff --git a/...c/web_cve_2020_14882_weblogic_exploit.yml → ...2/web_cve_2020_14882_weblogic_exploit.yml b/...c/web_cve_2020_14882_weblogic_exploit.yml → ...2/web_cve_2020_14882_weblogic_exploit.yml
diff --git a/...ve_2020_28188_terramaster_rce_exploit.yml → ...ve_2020_28188_terramaster_rce_exploit.yml b/...ve_2020_28188_terramaster_rce_exploit.yml → ...ve_2020_28188_terramaster_rce_exploit.yml
diff --git a/...neric/web_cve_2020_3452_cisco_asa_ftd.yml → ...-3452/web_cve_2020_3452_cisco_asa_ftd.yml b/...neric/web_cve_2020_3452_cisco_asa_ftd.yml → ...-3452/web_cve_2020_3452_cisco_asa_ftd.yml
diff --git a/...er_generic/web_cve_2020_5902_f5_bigip.yml → ...-2020-5902/web_cve_2020_5902_f5_bigip.yml b/...er_generic/web_cve_2020_5902_f5_bigip.yml → ...-2020-5902/web_cve_2020_5902_f5_bigip.yml
diff --git a/...web_cve_2020_8193_8195_citrix_exploit.yml → ...web_cve_2020_8193_8195_citrix_exploit.yml b/...web_cve_2020_8193_8195_citrix_exploit.yml → ...web_cve_2020_8193_8195_citrix_exploit.yml
diff --git a/...creation_win_malware_blue_mockingbird.yml → ...creation_win_malware_blue_mockingbird.yml b/...creation_win_malware_blue_mockingbird.yml → ...creation_win_malware_blue_mockingbird.yml
diff --git a/...win_malware_emotet_rundll32_execution.yml → ...win_malware_emotet_rundll32_execution.yml b/...win_malware_emotet_rundll32_execution.yml → ...win_malware_emotet_rundll32_execution.yml
diff --git a/...reation_win_malware_ke3chang_tidepool.yml → ...reation_win_malware_ke3chang_tidepool.yml b/...reation_win_malware_ke3chang_tidepool.yml → ...reation_win_malware_ke3chang_tidepool.yml
diff --git a/..._creation_win_malware_maze_ransomware.yml → ..._creation_win_malware_maze_ransomware.yml b/..._creation_win_malware_maze_ransomware.yml → ..._creation_win_malware_maze_ransomware.yml
diff --git a/..._creation_win_malware_trickbot_wermgr.yml → ..._creation_win_malware_trickbot_wermgr.yml b/..._creation_win_malware_trickbot_wermgr.yml → ..._creation_win_malware_trickbot_wermgr.yml
diff --git a/...m/proc_creation_win_apt_evilnum_jul20.yml → ...m/proc_creation_win_apt_evilnum_jul20.yml b/...m/proc_creation_win_apt_evilnum_jul20.yml → ...m/proc_creation_win_apt_evilnum_jul20.yml
diff --git a/...UM/proc_creation_win_apt_gallium_iocs.yml → ...UM/proc_creation_win_apt_gallium_iocs.yml b/...UM/proc_creation_win_apt_gallium_iocs.yml → ...UM/proc_creation_win_apt_gallium_iocs.yml
diff --git a/.../proc_creation_win_apt_greenbug_may20.yml → .../proc_creation_win_apt_greenbug_may20.yml b/.../proc_creation_win_apt_greenbug_may20.yml → .../proc_creation_win_apt_greenbug_may20.yml
diff --git a/...eation_win_apt_lazarus_group_activity.yml → ...eation_win_apt_lazarus_group_activity.yml b/...eation_win_apt_lazarus_group_activity.yml → ...eation_win_apt_lazarus_group_activity.yml
diff --git a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/README.md b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/README.md
@@ -0,0 +1 @@
+# SolarWinds’ Orion Supply Chain
diff --git a/...in/proc_creation_win_apt_unc2452_cmds.yml → ...in/proc_creation_win_apt_unc2452_cmds.yml b/...in/proc_creation_win_apt_unc2452_cmds.yml → ...in/proc_creation_win_apt_unc2452_cmds.yml
diff --git a/...hain/proc_creation_win_apt_unc2452_ps.yml → ...hain/proc_creation_win_apt_unc2452_ps.yml b/...hain/proc_creation_win_apt_unc2452_ps.yml → ...hain/proc_creation_win_apt_unc2452_ps.yml
diff --git a/...tion_win_apt_unc2452_vbscript_pattern.yml → ...tion_win_apt_unc2452_vbscript_pattern.yml b/...tion_win_apt_unc2452_vbscript_pattern.yml → ...tion_win_apt_unc2452_vbscript_pattern.yml
diff --git a/...ric/web_solarwinds_supernova_webshell.yml → ...ain/web_solarwinds_supernova_webshell.yml b/...ric/web_solarwinds_supernova_webshell.yml → ...ain/web_solarwinds_supernova_webshell.yml
diff --git a/...reation/proc_creation_win_apt_taidoor.yml → ...OOR-RAT/proc_creation_win_apt_taidoor.yml b/...reation/proc_creation_win_apt_taidoor.yml → ...OOR-RAT/proc_creation_win_apt_taidoor.yml
diff --git a/..._creation_win_apt_winnti_mal_hk_jan20.yml → ..._creation_win_apt_winnti_mal_hk_jan20.yml b/..._creation_win_apt_winnti_mal_hk_jan20.yml → ..._creation_win_apt_winnti_mal_hk_jan20.yml
diff --git a/.../proc_creation_win_apt_winnti_pipemon.yml → .../proc_creation_win_apt_winnti_pipemon.yml b/.../proc_creation_win_apt_winnti_pipemon.yml → .../proc_creation_win_apt_winnti_pipemon.yml
diff --git a/...in_exploit_cve_2021_1675_printspooler.yml → ...in_exploit_cve_2021_1675_printspooler.yml b/...in_exploit_cve_2021_1675_printspooler.yml → ...in_exploit_cve_2021_1675_printspooler.yml
diff --git a/...ve_2021_1675_printspooler_operational.yml → ...ve_2021_1675_printspooler_operational.yml b/...ve_2021_1675_printspooler_operational.yml → ...ve_2021_1675_printspooler_operational.yml
diff --git a/...t_cve_2021_1675_printspooler_security.yml → ...t_cve_2021_1675_printspooler_security.yml b/...t_cve_2021_1675_printspooler_security.yml → ...t_cve_2021_1675_printspooler_security.yml
diff --git a/...eb_cve_2021_2109_weblogic_rce_exploit.yml → ...eb_cve_2021_2109_weblogic_rce_exploit.yml b/...eb_cve_2021_2109_weblogic_rce_exploit.yml → ...eb_cve_2021_2109_weblogic_rce_exploit.yml
diff --git a/...2021_21972_vsphere_unauth_rce_exploit.yml → ...2021_21972_vsphere_unauth_rce_exploit.yml b/...2021_21972_vsphere_unauth_rce_exploit.yml → ...2021_21972_vsphere_unauth_rce_exploit.yml
diff --git a/...021_21978_vmware_view_planner_exploit.yml → ...021_21978_vmware_view_planner_exploit.yml b/...021_21978_vmware_view_planner_exploit.yml → ...021_21978_vmware_view_planner_exploit.yml
diff --git a/...web_cve_2021_22005_vmware_file_upload.yml → ...web_cve_2021_22005_vmware_file_upload.yml b/...web_cve_2021_22005_vmware_file_upload.yml → ...web_cve_2021_22005_vmware_file_upload.yml
diff --git a/...c/web_cve_2021_22123_fortinet_exploit.yml → ...3/web_cve_2021_22123_fortinet_exploit.yml b/...c/web_cve_2021_22123_fortinet_exploit.yml → ...3/web_cve_2021_22123_fortinet_exploit.yml
diff --git a/...e_2021_22893_pulse_secure_rce_exploit.yml → ...e_2021_22893_pulse_secure_rce_exploit.yml b/...e_2021_22893_pulse_secure_rce_exploit.yml → ...e_2021_22893_pulse_secure_rce_exploit.yml
diff --git a/...t_cve_2021_26084_atlassian_confluence.yml → ...t_cve_2021_26084_atlassian_confluence.yml b/...t_cve_2021_26084_atlassian_confluence.yml → ...t_cve_2021_26084_atlassian_confluence.yml
diff --git a/...cve_2021_26084_confluence_rce_exploit.yml → ...cve_2021_26084_confluence_rce_exploit.yml b/...cve_2021_26084_confluence_rce_exploit.yml → ...cve_2021_26084_confluence_rce_exploit.yml
diff --git a/...r_generic/web_cve_2021_26814_wzuh_rce.yml → ...021-26814/web_cve_2021_26814_wzuh_rce.yml b/...r_generic/web_cve_2021_26814_wzuh_rce.yml → ...021-26814/web_cve_2021_26814_wzuh_rce.yml
diff --git a/...win_exploit_cve_2021_26857_msexchange.yml → ...win_exploit_cve_2021_26857_msexchange.yml b/...win_exploit_cve_2021_26857_msexchange.yml → ...win_exploit_cve_2021_26857_msexchange.yml
diff --git a/...er_generic/web_cve_2021_26858_iis_rce.yml → ...2021-26858/web_cve_2021_26858_iis_rce.yml b/...er_generic/web_cve_2021_26858_iis_rce.yml → ...2021-26858/web_cve_2021_26858_iis_rce.yml
diff --git a/...eb_cve_2021_27905_apache_solr_exploit.yml → ...eb_cve_2021_27905_apache_solr_exploit.yml b/...eb_cve_2021_27905_apache_solr_exploit.yml → ...eb_cve_2021_27905_apache_solr_exploit.yml
diff --git a/...c/web_cve_2021_28480_exchange_exploit.yml → ...0/web_cve_2021_28480_exchange_exploit.yml b/...c/web_cve_2021_28480_exchange_exploit.yml → ...0/web_cve_2021_28480_exchange_exploit.yml
diff --git a/..._cve_2021_33766_msexchange_proxytoken.yml → ..._cve_2021_33766_msexchange_proxytoken.yml b/..._cve_2021_33766_msexchange_proxytoken.yml → ..._cve_2021_33766_msexchange_proxytoken.yml
diff --git a/...tion_win_exploit_cve_2021_35211_servu.yml → ...tion_win_exploit_cve_2021_35211_servu.yml b/...tion_win_exploit_cve_2021_35211_servu.yml → ...tion_win_exploit_cve_2021_35211_servu.yml
diff --git a/...c_creation_win_exploit_cve_2021_40444.yml → ...c_creation_win_exploit_cve_2021_40444.yml b/...c_creation_win_exploit_cve_2021_40444.yml → ...c_creation_win_exploit_cve_2021_40444.yml
diff --git a/...2021_40444_office_directory_traversal.yml → ...2021_40444_office_directory_traversal.yml b/...2021_40444_office_directory_traversal.yml → ...2021_40444_office_directory_traversal.yml
diff --git a/...eric/web_cve_2021_40539_adselfservice.yml → ...0539/web_cve_2021_40539_adselfservice.yml b/...eric/web_cve_2021_40539_adselfservice.yml → ...0539/web_cve_2021_40539_adselfservice.yml
diff --git a/...39_manageengine_adselfservice_exploit.yml → ...39_manageengine_adselfservice_exploit.yml b/...39_manageengine_adselfservice_exploit.yml → ...39_manageengine_adselfservice_exploit.yml
diff --git a/...c_creation_win_exploit_cve_2021_41379.yml → ...c_creation_win_exploit_cve_2021_41379.yml b/...c_creation_win_exploit_cve_2021_41379.yml → ...c_creation_win_exploit_cve_2021_41379.yml
diff --git a/..._cve_2021_41773_apache_path_traversal.yml → ..._cve_2021_41773_apache_path_traversal.yml b/..._cve_2021_41773_apache_path_traversal.yml → ..._cve_2021_41773_apache_path_traversal.yml
diff --git a/...b_cve_2021_42237_sitecore_report_ashx.yml → ...b_cve_2021_42237_sitecore_report_ashx.yml b/...b_cve_2021_42237_sitecore_report_ashx.yml → ...b_cve_2021_42237_sitecore_report_ashx.yml
diff --git a/...ter/win_system_exploit_cve_2021_42278.yml → ...278/win_system_exploit_cve_2021_42278.yml b/...ter/win_system_exploit_cve_2021_42278.yml → ...278/win_system_exploit_cve_2021_42278.yml
diff --git a/...amaccountname_spoofing_cve_2021_42287.yml → ...amaccountname_spoofing_cve_2021_42287.yml b/...amaccountname_spoofing_cve_2021_42287.yml → ...amaccountname_spoofing_cve_2021_42287.yml
diff --git a/...er_generic/web_cve_2021_43798_grafana.yml → ...2021-43798/web_cve_2021_43798_grafana.yml b/...er_generic/web_cve_2021_43798_grafana.yml → ...2021-43798/web_cve_2021_43798_grafana.yml
diff --git a/...rver_generic/web_cve_2021_44228_log4j.yml → ...E-2021-44228/web_cve_2021_44228_log4j.yml b/...rver_generic/web_cve_2021_44228_log4j.yml → ...E-2021-44228/web_cve_2021_44228_log4j.yml
diff --git a/...neric/web_cve_2021_44228_log4j_fields.yml → ...44228/web_cve_2021_44228_log4j_fields.yml b/...neric/web_cve_2021_44228_log4j_fields.yml → ...44228/web_cve_2021_44228_log4j_fields.yml
diff --git a/...erver_generic/web_exchange_proxyshell.yml → ...Shell-Exploit/web_exchange_proxyshell.yml b/...erver_generic/web_exchange_proxyshell.yml → ...Shell-Exploit/web_exchange_proxyshell.yml
diff --git a/...ic/web_exchange_proxyshell_successful.yml → ...it/web_exchange_proxyshell_successful.yml b/...ic/web_exchange_proxyshell_successful.yml → ...it/web_exchange_proxyshell_successful.yml
diff --git a/..._win_exploit_other_razorinstaller_lpe.yml → ..._win_exploit_other_razorinstaller_lpe.yml b/..._win_exploit_other_razorinstaller_lpe.yml → ..._win_exploit_other_razorinstaller_lpe.yml
diff --git a/...ion_win_exploit_other_systemnightmare.yml → ...ion_win_exploit_other_systemnightmare.yml b/...ion_win_exploit_other_systemnightmare.yml → ...ion_win_exploit_other_systemnightmare.yml
diff --git a/rules-emerging-threats/2021/Exploits/VisualDoor-Exploit/README.md b/rules-emerging-threats/2021/Exploits/VisualDoor-Exploit/README.md
@@ -0,0 +1,9 @@
+# VisualDoor: SonicWall SSL-VPN Exploit
+
+## Summary
+
+SonicWall "Virtual Office" SSL-VPN Products ship an old version of Bash that's vulnerable to ShellShock, and are therefore vulnerable to an unauthenticated remote code execution (as a “nobody” user) via the `/cgi-bin/jarrewrite.sh` URL.
+
+## Rules
+
+- [SonicWall SSL/VPN Jarrewrite Exploitation](./web_sonicwall_jarrewrite_exploit.yml)
diff --git a/...eric/web_sonicwall_jarrewrite_exploit.yml → ...loit/web_sonicwall_jarrewrite_exploit.yml b/...eric/web_sonicwall_jarrewrite_exploit.yml → ...loit/web_sonicwall_jarrewrite_exploit.yml
@@ -1,12 +1,13 @@
-title: SonicWall SSL/VPN Jarrewrite Exploit
+title: SonicWall SSL/VPN Jarrewrite Exploitation
 id: 6f55f047-112b-4101-ad32-43913f52db46
 status: test
 description: Detects exploitation attempts of the SonicWall Jarrewrite Exploit
 references:
-    - https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
+    - https://web.archive.org/web/20210126045316/https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
+    - https://github.com/darrenmartyn/VisualDoor
 author: Florian Roth (Nextron Systems)
 date: 2021/01/25
-modified: 2023/01/02
+modified: 2023/04/27
 tags:
     - attack.t1190
     - attack.initial_access

diff --git a/...ve_2021_31979_cve_2021_33771_exploits.yml → ...ve_2021_31979_cve_2021_33771_exploits.yml b/...ve_2021_31979_cve_2021_33771_exploits.yml → ...ve_2021_31979_cve_2021_33771_exploits.yml
diff --git a/...90_2021_20091_arcadyan_router_exploit.yml → ...90_2021_20091_arcadyan_router_exploit.yml b/...90_2021_20091_arcadyan_router_exploit.yml → ...90_2021_20091_arcadyan_router_exploit.yml
diff --git a/...tion_win_malware_blackbyte_ransomware.yml → ...tion_win_malware_blackbyte_ransomware.yml b/...tion_win_malware_blackbyte_ransomware.yml → ...tion_win_malware_blackbyte_ransomware.yml
diff --git a/...ation/proc_creation_win_malware_conti.yml → ...Conti/proc_creation_win_malware_conti.yml b/...ation/proc_creation_win_malware_conti.yml → ...Conti/proc_creation_win_malware_conti.yml
diff --git a/.../proc_creation_win_malware_conti_7zip.yml → .../proc_creation_win_malware_conti_7zip.yml b/.../proc_creation_win_malware_conti_7zip.yml → .../proc_creation_win_malware_conti_7zip.yml
diff --git a/...win_malware_conti_ransomware_commands.yml → ...win_malware_conti_ransomware_commands.yml b/...win_malware_conti_ransomware_commands.yml → ...win_malware_conti_ransomware_commands.yml
diff --git a/...alware_conti_ransomware_database_dump.yml → ...alware_conti_ransomware_database_dump.yml b/...alware_conti_ransomware_database_dump.yml → ...alware_conti_ransomware_database_dump.yml
diff --git a/...ation_win_malware_darkside_ransomware.yml → ...ation_win_malware_darkside_ransomware.yml b/...ation_win_malware_darkside_ransomware.yml → ...ation_win_malware_darkside_ransomware.yml
diff --git a/...reation_win_malware_pingback_backdoor.yml → ...reation_win_malware_pingback_backdoor.yml b/...reation_win_malware_pingback_backdoor.yml → ...reation_win_malware_pingback_backdoor.yml
diff --git a/rules-emerging-threats/2021/Solarwinds-Supply-Chain/README.md b/rules-emerging-threats/2021/Solarwinds-Supply-Chain/README.md
diff --git a/...HAFNIUM/proc_creation_win_apt_hafnium.yml → ...HAFNIUM/proc_creation_win_apt_hafnium.yml b/...HAFNIUM/proc_creation_win_apt_hafnium.yml → ...HAFNIUM/proc_creation_win_apt_hafnium.yml
diff --git a/...ric/web_exchange_exploitation_hafnium.yml → ...IUM/web_exchange_exploitation_hafnium.yml b/...ric/web_exchange_exploitation_hafnium.yml → ...IUM/web_exchange_exploitation_hafnium.yml
diff --git a/...in/proc_creation_win_apt_revil_kaseya.yml → ...in/proc_creation_win_apt_revil_kaseya.yml b/...in/proc_creation_win_apt_revil_kaseya.yml → ...in/proc_creation_win_apt_revil_kaseya.yml
diff --git a/...ATELOG/image_load_usp_svchost_clfsw32.yml → ...ATELOG/image_load_usp_svchost_clfsw32.yml b/...ATELOG/image_load_usp_svchost_clfsw32.yml → ...ATELOG/image_load_usp_svchost_clfsw32.yml
diff --git a/...eation/proc_creation_win_apt_sourgrum.yml → ...OURGUM/proc_creation_win_apt_sourgrum.yml b/...eation/proc_creation_win_apt_sourgrum.yml → ...OURGUM/proc_creation_win_apt_sourgrum.yml
diff --git a/...eric/web_unc2546_dewmode_php_webshell.yml → ...2546/web_unc2546_dewmode_php_webshell.yml b/...eric/web_unc2546_dewmode_php_webshell.yml → ...2546/web_unc2546_dewmode_php_webshell.yml
@@ -3,7 +3,7 @@ id: fdf96c90-42d5-4406-8a9c-14a2c9a016b5
 status: test
 description: Detects access to DEWMODE webshell as described in FIREEYE report
 references:
-    - https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html
+    - https://www.mandiant.com/resources/blog/accellion-fta-exploited-for-data-theft-and-extortion
 author: Florian Roth (Nextron Systems)
 date: 2021/02/22
 modified: 2023/01/02

diff --git a/...in_exploit_cve_2023_21554_queuejumper.yml → ...in_exploit_cve_2023_21554_queuejumper.yml b/...in_exploit_cve_2023_21554_queuejumper.yml → ...in_exploit_cve_2023_21554_queuejumper.yml
diff --git a/...generic/web_cve_2022_21587_oracle_ebs.yml → ...2-21587/web_cve_2022_21587_oracle_ebs.yml b/...generic/web_cve_2022_21587_oracle_ebs.yml → ...2-21587/web_cve_2022_21587_oracle_ebs.yml
diff --git a/...022_26809_rpcss_child_process_anomaly.yml → ...022_26809_rpcss_child_process_anomaly.yml b/...022_26809_rpcss_child_process_anomaly.yml → ...022_26809_rpcss_child_process_anomaly.yml
diff --git a/...er_generic/web_cve_2022_27925_exploit.yml → ...2022-27925/web_cve_2022_27925_exploit.yml b/...er_generic/web_cve_2022_27925_exploit.yml → ...2022-27925/web_cve_2022_27925_exploit.yml
diff --git a/...ation_win_exploit_cve_2022_29072_7zip.yml → ...ation_win_exploit_cve_2022_29072_7zip.yml b/...ation_win_exploit_cve_2022_29072_7zip.yml → ...ation_win_exploit_cve_2022_29072_7zip.yml
diff --git a/...eneric/web_cve_2022_31656_auth_bypass.yml → ...-31656/web_cve_2022_31656_auth_bypass.yml b/...eneric/web_cve_2022_31656_auth_bypass.yml → ...-31656/web_cve_2022_31656_auth_bypass.yml
diff --git a/...generic/web_cve_2022_31659_vmware_rce.yml → ...2-31659/web_cve_2022_31659_vmware_rce.yml b/...generic/web_cve_2022_31659_vmware_rce.yml → ...2-31659/web_cve_2022_31659_vmware_rce.yml
diff --git a/...2_33891_spark_shell_command_injection.yml → ...2_33891_spark_shell_command_injection.yml b/...2_33891_spark_shell_command_injection.yml → ...2_33891_spark_shell_command_injection.yml
diff --git a/...atlassian_bitbucket_command_injection.yml → ...atlassian_bitbucket_command_injection.yml b/...atlassian_bitbucket_command_injection.yml → ...atlassian_bitbucket_command_injection.yml
diff --git a/...win_exploit_cve_2022_41120_sysmon_eop.yml → ...win_exploit_cve_2022_41120_sysmon_eop.yml b/...win_exploit_cve_2022_41120_sysmon_eop.yml → ...win_exploit_cve_2022_41120_sysmon_eop.yml
diff --git a/...b_cve_2022_44877_exploitation_attempt.yml → ...b_cve_2022_44877_exploitation_attempt.yml b/...b_cve_2022_44877_exploitation_attempt.yml → ...b_cve_2022_44877_exploitation_attempt.yml
diff --git a/...2022_46169_cacti_exploitation_attempt.yml → ...2022_46169_cacti_exploitation_attempt.yml b/...2022_46169_cacti_exploitation_attempt.yml → ...2022_46169_cacti_exploitation_attempt.yml
diff --git a/...ric/web_exchange_owassrf_exploitation.yml → ...oit/web_exchange_owassrf_exploitation.yml b/...ric/web_exchange_owassrf_exploitation.yml → ...oit/web_exchange_owassrf_exploitation.yml
diff --git a/...web_exchange_owassrf_poc_exploitation.yml → ...web_exchange_owassrf_poc_exploitation.yml b/...web_exchange_owassrf_poc_exploitation.yml → ...web_exchange_owassrf_poc_exploitation.yml
diff --git a/...n_win_malware_hermetic_wiper_activity.yml → ...n_win_malware_hermetic_wiper_activity.yml b/...n_win_malware_hermetic_wiper_activity.yml → ...n_win_malware_hermetic_wiper_activity.yml
diff --git a/...aspberry_robin_single_dot_ending_file.yml → ...aspberry_robin_single_dot_ending_file.yml b/...aspberry_robin_single_dot_ending_file.yml → ...aspberry_robin_single_dot_ending_file.yml
diff --git a/...creation_win_apt_actinium_persistence.yml → ...creation_win_apt_actinium_persistence.yml b/...creation_win_apt_actinium_persistence.yml → ...creation_win_apt_actinium_persistence.yml
diff --git a/...reation/proc_creation_win_apt_mercury.yml → ...MERCURY/proc_creation_win_apt_mercury.yml b/...reation/proc_creation_win_apt_mercury.yml → ...MERCURY/proc_creation_win_apt_mercury.yml
diff --git a/...e_2023_23397_outlook_reminder_trigger.yml → ...e_2023_23397_outlook_reminder_trigger.yml b/...e_2023_23397_outlook_reminder_trigger.yml → ...e_2023_23397_outlook_reminder_trigger.yml
diff --git a/..._2023_23397_outlook_remote_file_query.yml → ..._2023_23397_outlook_remote_file_query.yml b/..._2023_23397_outlook_remote_file_query.yml → ..._2023_23397_outlook_remote_file_query.yml
diff --git a/...it_cve_2023_23397_outlook_remote_file.yml → ...it_cve_2023_23397_outlook_remote_file.yml b/...it_cve_2023_23397_outlook_remote_file.yml → ...it_cve_2023_23397_outlook_remote_file.yml
diff --git a/...cve_2023_23752_joomla_exploit_attempt.yml → ...cve_2023_23752_joomla_exploit_attempt.yml b/...cve_2023_23752_joomla_exploit_attempt.yml → ...cve_2023_23752_joomla_exploit_attempt.yml
diff --git a/...oit_other_win_server_undocumented_rce.yml → ...oit_other_win_server_undocumented_rce.yml b/...oit_other_win_server_undocumented_rce.yml → ...oit_other_win_server_undocumented_rce.yml
@@ -3,7 +3,7 @@ id: 6d5b8176-d87d-4402-8af4-53aee9db7b5d
 status: experimental
 description: Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
 references:
-    - https://twitter.com/YanZiShuang/status/1616777483646533632?s=20&t=TQT9tUuPbQJai4v6HtsOQw
+    - https://github.com/SigmaHQ/sigma/pull/3946
     - https://twitter.com/hackerfantastic/status/1616455335203438592?s=20
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
 date: 2023/01/21

diff --git a/...creation_win_malware_griffon_patterns.yml → ...creation_win_malware_griffon_patterns.yml b/...creation_win_malware_griffon_patterns.yml → ...creation_win_malware_griffon_patterns.yml
diff --git a/...lware_rhadamanthys_stealer_dll_launch.yml → ...lware_rhadamanthys_stealer_dll_launch.yml b/...lware_rhadamanthys_stealer_dll_launch.yml → ...lware_rhadamanthys_stealer_dll_launch.yml
diff --git a/...malware_rorschach_ransomware_activity.yml → ...malware_rorschach_ransomware_activity.yml b/...malware_rorschach_ransomware_activity.yml → ...malware_rorschach_ransomware_activity.yml
diff --git a/...g-threats/2023/3CX-Supply-Chain/README.md → ...hreats/2023/TA/3CX-Supply-Chain/README.md b/...g-threats/2023/3CX-Supply-Chain/README.md → ...hreats/2023/TA/3CX-Supply-Chain/README.md
diff --git a/.../dns_query_win_malware_3cx_compromise.yml → .../dns_query_win_malware_3cx_compromise.yml b/.../dns_query_win_malware_3cx_compromise.yml → .../dns_query_win_malware_3cx_compromise.yml
diff --git a/..._load_malware_3cx_compromise_susp_dll.yml → ..._load_malware_3cx_compromise_susp_dll.yml b/..._load_malware_3cx_compromise_susp_dll.yml → ..._load_malware_3cx_compromise_susp_dll.yml
diff --git a/...are_3cx_compromise_beaconing_activity.yml → ...are_3cx_compromise_beaconing_activity.yml b/...are_3cx_compromise_beaconing_activity.yml → ...are_3cx_compromise_beaconing_activity.yml
diff --git a/..._win_malware_3cx_compromise_execution.yml → ..._win_malware_3cx_compromise_execution.yml b/..._win_malware_3cx_compromise_execution.yml → ..._win_malware_3cx_compromise_execution.yml
diff --git a/..._malware_3cx_compromise_susp_children.yml → ..._malware_3cx_compromise_susp_children.yml b/..._malware_3cx_compromise_susp_children.yml → ..._malware_3cx_compromise_susp_children.yml
diff --git a/...in_malware_3cx_compromise_susp_update.yml → ...in_malware_3cx_compromise_susp_update.yml b/...in_malware_3cx_compromise_susp_update.yml → ...in_malware_3cx_compromise_susp_update.yml
diff --git a/...are_3cx_compromise_c2_beacon_activity.yml → ...are_3cx_compromise_c2_beacon_activity.yml b/...are_3cx_compromise_c2_beacon_activity.yml → ...are_3cx_compromise_c2_beacon_activity.yml
diff --git a/...ware_3cx_compromise_susp_ico_requests.yml → ...ware_3cx_compromise_susp_ico_requests.yml b/...ware_3cx_compromise_susp_ico_requests.yml → ...ware_3cx_compromise_susp_ico_requests.yml
diff --git a/...ing-threats/2023/Mint-Sandstorm/README.md → ...-threats/2023/TA/Mint-Sandstorm/README.md b/...ing-threats/2023/Mint-Sandstorm/README.md → ...-threats/2023/TA/Mint-Sandstorm/README.md
diff --git a/...torm_aspera_faspex_susp_child_process.yml → ...torm_aspera_faspex_susp_child_process.yml b/...torm_aspera_faspex_susp_child_process.yml → ...torm_aspera_faspex_susp_child_process.yml
diff --git a/...nt_sandstorm_log4j_wstomcat_execution.yml → ...nt_sandstorm_log4j_wstomcat_execution.yml b/...nt_sandstorm_log4j_wstomcat_execution.yml → ...nt_sandstorm_log4j_wstomcat_execution.yml
diff --git a/...torm_manage_engine_susp_child_process.yml → ...torm_manage_engine_susp_child_process.yml b/...torm_manage_engine_susp_child_process.yml → ...torm_manage_engine_susp_child_process.yml
diff --git a/...t-Print-Management-Exploitation/README.md → ...t-Print-Management-Exploitation/README.md b/...t-Print-Management-Exploitation/README.md → ...t-Print-Management-Exploitation/README.md
diff --git a/...nt_management_exploitation_indicators.yml → ...nt_management_exploitation_indicators.yml b/...nt_management_exploitation_indicators.yml → ...nt_management_exploitation_indicators.yml
diff --git a/..._print_management_exploitation_pc_app.yml → ..._print_management_exploitation_pc_app.yml b/..._print_management_exploitation_pc_app.yml → ..._print_management_exploitation_pc_app.yml
diff --git a/rules-emerging-threats/README.md b/rules-emerging-threats/README.md
@@ -1 +1,9 @@
-TBD
+# Emerging Threats Rules
+
+This folder contains rules that belongs to the "emerging-threats" category of SIGMA. This category aims to cover specific threats that are timely and relevant for certain periods of time. These threats include specific APT campaigns, exploitation of Zero-Day vulnerabilities, specific malware used during an attack,...etc.
+
+The folder structure is split by year and every folder can contain two sub-folders
+
+- `Exploits`: Contains specific rules that cover exploitation of vulnerabilities.
+- `Malware`: Contains specific rules that cover malware, ransomware and any type of suspicious software used by Threat Actors or malicious actors
+- `TA`: Contains specific rules that cover APT, Threat Actor and malware activities.
diff --git a/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml b/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml
@@ -7,7 +7,7 @@ references:
     - https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/
     - https://brightsec.com/blog/sql-injection-payloads/
     - https://github.com/payloadbox/sql-injection-payload-list
-author: Saw Win Naung, Nasreddine Bencherchali
+author: Saw Win Naung, Nasreddine Bencherchali (Nextron Systems)
 date: 2020/02/22
 modified: 2022/07/25
 logsource:

diff --git a/...urity/win_security_access_token_abuse.yml → ...ement/win_security_access_token_abuse.yml b/...urity/win_security_access_token_abuse.yml → ...ement/win_security_access_token_abuse.yml
@@ -1,13 +1,13 @@
-title: Access Token Abuse
+title: Potential Access Token Abuse
 id: 02f7c9c1-1ae8-4c6a-8add-04693807f92f
 status: experimental
-description: 'This rule tries to detect token impersonation and theft. (Example: DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag.)'
+description: Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".
 references:
     - https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation
     - https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html
 author: Michaela Adams, Zach Mathis
 date: 2022/11/06
-modified: 2022/11/06
+modified: 2023/04/26
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation

diff --git a/...security/win_security_admin_rdp_login.yml → ...nagement/win_security_admin_rdp_login.yml b/...security/win_security_admin_rdp_login.yml → ...nagement/win_security_admin_rdp_login.yml
diff --git a/..._diagtrack_eop_default_login_username.yml → ..._diagtrack_eop_default_login_username.yml b/..._diagtrack_eop_default_login_username.yml → ..._diagtrack_eop_default_login_username.yml
diff --git a/...n/security/account_management/win_security_member_added_security_enabled_global_group.yml b/...n/security/account_management/win_security_member_added_security_enabled_global_group.yml
@@ -0,0 +1,27 @@
+title: A Member Was Added to a Security-Enabled Global Group
+id: c43c26be-2e87-46c7-8661-284588c5a53e
+related:
+    - id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
+      type: obsoletes
+status: stable
+description: Detects activity when a member is added to a security-enabled global group
+references:
+    - https://www.cisecurity.org/controls/cis-controls-list/
+    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632
+author: Alexandr Yampolskyi, SOC Prime
+date: 2023/04/26
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID:
+            - 4728 # A member was added to a security-enabled global group
+            - 632 # Security Enabled Global Group Member Added
+    condition: selection
+falsepositives:
+    - Unknown
+level: low
diff --git a/...security/account_management/win_security_member_removed_security_enabled_global_group.yml b/...security/account_management/win_security_member_removed_security_enabled_global_group.yml
@@ -0,0 +1,27 @@
+title: A Member Was Removed From a Security-Enabled Global Group
+id: 02c39d30-02b5-45d2-b435-8aebfe5a8629
+related:
+    - id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
+      type: obsoletes
+status: stable
+description: Detects activity when a member is removed from a security-enabled global group
+references:
+    - https://www.cisecurity.org/controls/cis-controls-list/
+    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633
+author: Alexandr Yampolskyi, SOC Prime
+date: 2023/04/26
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID:
+            - 633 # Security Enabled Global Group Member Removed
+            - 4729 # A member was removed from a security-enabled global group
+    condition: selection
+falsepositives:
+    - Unknown
+level: low
diff --git a/...curity/win_security_overpass_the_hash.yml → ...gement/win_security_overpass_the_hash.yml b/...curity/win_security_overpass_the_hash.yml → ...gement/win_security_overpass_the_hash.yml
diff --git a/...security/win_security_pass_the_hash_2.yml → ...nagement/win_security_pass_the_hash_2.yml b/...security/win_security_pass_the_hash_2.yml → ...nagement/win_security_pass_the_hash_2.yml
diff --git a/...win_security_rdp_bluekeep_poc_scanner.yml → ...win_security_rdp_bluekeep_poc_scanner.yml b/...win_security_rdp_bluekeep_poc_scanner.yml → ...win_security_rdp_bluekeep_poc_scanner.yml
diff --git a/...rity/win_security_rdp_localhost_login.yml → ...ment/win_security_rdp_localhost_login.yml b/...rity/win_security_rdp_localhost_login.yml → ...ment/win_security_rdp_localhost_login.yml
diff --git a/...crcons_remote_wmi_scripteventconsumer.yml → ...crcons_remote_wmi_scripteventconsumer.yml b/...crcons_remote_wmi_scripteventconsumer.yml → ...crcons_remote_wmi_scripteventconsumer.yml
diff --git a/...uiltin/security/account_management/win_security_security_enabled_global_group_deleted.yml b/...uiltin/security/account_management/win_security_security_enabled_global_group_deleted.yml
@@ -0,0 +1,27 @@
+title: A Security-Enabled Global Group Was Deleted
+id: b237c54b-0f15-4612-a819-44b735e0de27
+related:
+    - id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
+      type: obsoletes
+status: stable
+description: Detects activity when a security-enabled global group is deleted
+references:
+    - https://www.cisecurity.org/controls/cis-controls-list/
+    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634
+author: Alexandr Yampolskyi, SOC Prime
+date: 2023/04/26
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID:
+            - 4730 # A security-enabled global group was deleted
+            - 634 # Security Enabled Global Group Deleted
+    condition: selection
+falsepositives:
+    - Unknown
+level: low
diff --git a/..._successful_external_remote_rdp_login.yml → ..._successful_external_remote_rdp_login.yml b/..._successful_external_remote_rdp_login.yml → ..._successful_external_remote_rdp_login.yml
diff --git a/..._successful_external_remote_smb_login.yml → ..._successful_external_remote_smb_login.yml b/..._successful_external_remote_smb_login.yml → ..._successful_external_remote_smb_login.yml
diff --git a/...win_security_susp_failed_logon_source.yml → ...win_security_susp_failed_logon_source.yml b/...win_security_susp_failed_logon_source.yml → ...win_security_susp_failed_logon_source.yml
diff --git a/...security/win_security_susp_krbrelayup.yml → ...nagement/win_security_susp_krbrelayup.yml b/...security/win_security_susp_krbrelayup.yml → ...nagement/win_security_susp_krbrelayup.yml
diff --git a/...in_security_susp_logon_newcredentials.yml → ...in_security_susp_logon_newcredentials.yml b/...in_security_susp_logon_newcredentials.yml → ...in_security_susp_logon_newcredentials.yml
diff --git a/...curity/win_security_susp_rottenpotato.yml → ...gement/win_security_susp_rottenpotato.yml b/...curity/win_security_susp_rottenpotato.yml → ...gement/win_security_susp_rottenpotato.yml
diff --git a/.../security/win_security_susp_wmi_login.yml → ...anagement/win_security_susp_wmi_login.yml b/.../security/win_security_susp_wmi_login.yml → ...anagement/win_security_susp_wmi_login.yml
diff --git a/rules/windows/builtin/security/win_security_hidden_user_creation.yml b/rules/windows/builtin/security/win_security_hidden_user_creation.yml
@@ -18,9 +18,6 @@ detection:
         EventID: 4720
         TargetUserName|endswith: '$'
     condition: selection
-fields:
-    - EventCode
-    - AccountName
 falsepositives:
     - Unknown
 level: high
diff --git a/...enter/win_system_kdcsvc_rc4_downgrade.yml → ...enter/win_system_kdcsvc_rc4_downgrade.yml b/...enter/win_system_kdcsvc_rc4_downgrade.yml → ...enter/win_system_kdcsvc_rc4_downgrade.yml
diff --git a/...t_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml b/...t_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
@@ -6,7 +6,7 @@ references:
     - https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html
 author: Cybex
 date: 2022/08/16
-modified: 2023/04/27
+modified: 2023/05/02
 tags:
     - attack.execution
 logsource:
@@ -19,4 +19,4 @@ detection:
     condition: selection
 falsepositives:
     - Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx
-level: high
+level: low