Merge branch 'master' into akira-ransomware

frack113 · Jan 26, 2025 · c736391 · c736391
2 parents 96b5006 + a99b163
commit c736391
Show file tree

Hide file tree

Showing 3,520 changed files with 18,932 additions and 11,711 deletions.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -44,4 +44,4 @@ Link the fixed issues here, in case your commit fixes issues with rules or code
 
 ### SigmaHQ Rule Creation Conventions
 
-- If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md)
+- If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/)
diff --git a/.github/latest_archiver_output.md b/.github/latest_archiver_output.md
diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml
@@ -29,6 +29,6 @@ jobs:
             
             It looks like this is your first pull request on the Sigma rules repository!
 
-            Please make sure to read the [SigmaHQ conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md) document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.
+            Please make sure to read the [SigmaHQ conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/) document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.
 
             Thanks again, and welcome to the Sigma community! :smiley:
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
@@ -75,7 +75,7 @@ jobs:
         python-version: 3.11
     - name: Install dependencies
       run: |
-        # pip install sigma-cli~=0.7.1
+        pip install pysigma
         pip install sigma-cli
         pip install pySigma-validators-sigmahq==0.7.0
     - name: Test Sigma Rule Syntax

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -48,6 +48,6 @@ git push origin your-feature-branch
 
 ## 📚 Adding or Updating Detection Rules
 
-To update or contribute a new rule please make sure to follow the guidelines in the [SigmaHQ conventions document](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md). Consider installing the [VsCode Sigma Extension](https://marketplace.visualstudio.com/items?itemName=humpalum.sigma) for auto completion and quality of life features.
+To update or contribute a new rule please make sure to follow the guidelines in the [SigmaHQ conventions documents](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq). Consider installing the [VsCode Sigma Extension](https://marketplace.visualstudio.com/items?itemName=humpalum.sigma) for auto completion and quality of life features.
 
 Thank you for contributing to Sigma! 🧙‍♂️
diff --git a/README.md b/README.md
@@ -93,6 +93,7 @@ If you find a false positive or would like to propose a new detection rule idea
 * [alterix](https://github.com/mtnmunuklu/alterix) - Converts Sigma rules to the query language of CRYPTTECH's SIEM
 * [AttackIQ](https://www.attackiq.com/2024/01/10/sigmaiq-attackiqs-latest-innovation-for-actionable-detections/) - Sigma Rules integrated in AttackIQ's platform, and [SigmAIQ](https://github.com/AttackIQ/SigmAIQ) for Sigma rule conversion and LLM apps
 * [Atomic Threat Coverage](https://github.com/atc-project/atomic-threat-coverage) (Since December 2018)
+* [AttackRuleMap - Mapping of Atomic Red Team tests and Sigma Rules](https://attackrulemap.com/)
 * [Confluent Sigma](https://github.com/confluentinc/confluent-sigma) - Kafka Streams supported Sigma rules
 * [IBM QRadar](https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2023/08/02/qradar-natively-supports-sigma-for-rules-creation)
 * [Impede Detection Platform](https://impede.ai/)
@@ -102,6 +103,7 @@ If you find a false positive or would like to propose a new detection rule idea
 * [Nextron's Aurora Agent](https://www.nextron-systems.com/aurora/)
 * [Nextron's THOR Scanner](https://www.nextron-systems.com/thor/) - Scan with Sigma rules on endpoints
 * [RANK VASA](https://globenewswire.com/news-release/2019/03/04/1745907/0/en/RANK-Software-to-Help-MSSPs-Scale-Cybersecurity-Offerings.html)
+* [Security Onion](https://docs.securityonion.net/en/latest/sigma.html)
 * [Sekoia.io XDR](https://www.sekoia.io) - XDR supporting Sigma and Sigma Correlation rules languages
 * [sigma2stix](https://github.com/muchdogesec/sigma2stix) - Converts the entire SigmaHQ Ruleset into STIX 2.1 Objects.
   * A versioned archive of sigma2stix STIX 2.1 data is also available to [download here](https://github.com/muchdogesec/cti_knowledge_base_store/tree/main/sigma-rules).

diff --git a/...scx_runasprovider_executeshellcommand.yml → ...scx_runasprovider_executeshellcommand.yml b/...scx_runasprovider_executeshellcommand.yml → ...scx_runasprovider_executeshellcommand.yml
@@ -1,6 +1,6 @@
 title: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd
 id: 045b5f9c-49f7-4419-a236-9854fb3c827a
-status: test
+status: unsupported # This rule requires correlations. See https://github.com/SigmaHQ/sigma/discussions/4440#discussioncomment-7070862 and https://user-images.githubusercontent.com/9653181/133756156-4fb9c2b1-aa65-4380-957b-72170de36fc4.png
 description: |
     Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.
     SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager.
@@ -9,11 +9,11 @@ references:
     - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
     - https://github.com/Azure/Azure-Sentinel/pull/3059
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2021/09/17
-modified: 2022/11/26
+date: 2021-09-17
+modified: 2024-09-02
 tags:
-    - attack.privilege_escalation
-    - attack.initial_access
+    - attack.privilege-escalation
+    - attack.initial-access
     - attack.execution
     - attack.t1068
     - attack.t1190

diff --git a/deprecated/windows/driver_load_win_mal_poortry_driver.yml b/deprecated/windows/driver_load_win_mal_poortry_driver.yml
@@ -42,28 +42,6 @@ detection:
             - 'MD5=0f16a43f7989034641fd2de3eb268bf1'
             - 'MD5=ee6b1a79cb6641aa44c762ee90786fe0'
             - 'MD5=909f3fc221acbe999483c87d9ead024a'
-    selection_hash:
-        - sha256:
-            - '0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc'
-            - '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c'
-            - '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104'
-            - 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c'
-            - '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4'
-            - 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497'
-        - sha1:
-            - '31cc8718894d6e6ce8c132f68b8caaba39b5ba7a'
-            - 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d'
-            - '6debce728bcff73d9d1d334df0c6b1c3735e295c'
-            - 'cc65bf60600b64feece5575f21ab89e03a728332'
-            - '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e'
-            - 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98'
-        - md5:
-            - '10f3679384a03cb487bda9621ceb5f90'
-            - '04a88f5974caa621cee18f34300fc08a'
-            - '6fcf56f6ca3210ec397e55f727353c4a'
-            - '0f16a43f7989034641fd2de3eb268bf1'
-            - 'ee6b1a79cb6641aa44c762ee90786fe0'
-            - '909f3fc221acbe999483c87d9ead024a'
     condition: 1 of selection*
 falsepositives:
     - Legitimate BIOS driver updates (should be rare)

diff --git a/deprecated/windows/driver_load_win_vuln_avast_anti_rootkit_driver.yml b/deprecated/windows/driver_load_win_vuln_avast_anti_rootkit_driver.yml
@@ -19,16 +19,12 @@ detection:
             - 'MD5=a179c4093d05a3e1ee73f6ff07f994aa'
             - 'SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4'
             - 'SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1'
-    selection_other:
-        - md5: 'a179c4093d05a3e1ee73f6ff07f994aa'
-        - sha1: '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4'
-        - sha256: '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1'
     driver_img:
         ImageLoaded|endswith: '\aswArPot.sys'
     driver_status:
         - Signed: 'false'
         - SignatureStatus: Expired
-    condition: 1 of selection* or all of driver_*
+    condition: selection_sysmon or all of driver_*
 falsepositives:
     - Unknown
 level: high
diff --git a/deprecated/windows/driver_load_win_vuln_dell_driver.yml b/deprecated/windows/driver_load_win_vuln_dell_driver.yml
@@ -26,16 +26,6 @@ detection:
             - 'SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25'
             - 'MD5=C996D7971C49252C582171D9380360F2'
             - 'MD5=D2FD132AB7BBC6BBB87A84F026FA0244'
-    selection_hash:
-        - sha256:
-            - '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5'
-            - 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1'
-        - sha1:
-            - 'c948ae14761095e4d76b55d9de86412258be7afd'
-            - '10b30bdee43b3a2ec4aa63375577ade650269d25'
-        - md5:
-            - 'c996d7971c49252c582171d9380360f2'
-            - 'd2fd132ab7bbc6bbb87a84f026fa0244'
     condition: 1 of selection*
 falsepositives:
     - Legitimate BIOS driver updates (should be rare)

diff --git a/deprecated/windows/driver_load_win_vuln_gigabyte_driver.yml b/deprecated/windows/driver_load_win_vuln_gigabyte_driver.yml
@@ -18,25 +18,15 @@ logsource:
     product: windows
     category: driver_load
 detection:
-    selection_sysmon:
+    selection:
         Hashes|contains:
             - 'MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3'
             - 'MD5=C832A4313FF082258240B61B88EFA025'
             - 'SHA1=FE10018AF723986DB50701C8532DF5ED98B17C39'
             - 'SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46'
             - 'SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427'
             - 'SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B'
-    selection_other:
-        - md5:
-            - '9ab9f3b75a2eb87fafb1b7361be9dfb3'
-            - 'c832a4313ff082258240b61b88efa025'
-        - sha1:
-            - 'fe10018af723986db50701c8532df5ed98b17c39'
-            - '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46'
-        - sha256:
-            - '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427'
-            - 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b'
-    condition: 1 of selection*
+    condition: selection
 falsepositives:
     - Unknown
 level: high
diff --git a/deprecated/windows/driver_load_win_vuln_hw_driver.yml b/deprecated/windows/driver_load_win_vuln_hw_driver.yml
@@ -28,19 +28,6 @@ detection:
             - 'MD5=3247014BA35D406475311A2EAB0C4657'
             - 'MD5=376B1E8957227A3639EC1482900D9B97'
             - 'MD5=45C2D133D41D2732F3653ED615A745C8'
-    selection_other:
-        - sha256:
-            - '4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8'
-            - '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa'
-            - '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5'
-        - sha1:
-            - '74e4e3006b644392f5fcea4a9bae1d9d84714b57'
-            - '18f34a0005e82a9a1556ba40b997b0eae554d5fd'
-            - '4e56e0b1d12664c05615c69697a2f5c5d893058a'
-        - md5:
-            - '3247014ba35d406475311a2eab0c4657'
-            - '376b1e8957227a3639ec1482900d9b97'
-            - '45c2d133d41d2732f3653ed615a745c8'
     condition: 1 of selection*
 falsepositives:
     - Unknown

diff --git a/deprecated/windows/driver_load_win_vuln_lenovo_driver.yml b/deprecated/windows/driver_load_win_vuln_lenovo_driver.yml
@@ -16,16 +16,12 @@ logsource:
     category: driver_load
     product: windows
 detection:
-    selection_sysmon:
+    selection:
         Hashes|contains:
             - 'SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE'
             - 'SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F'
             - 'MD5=B941C8364308990EE4CC6EADF7214E0F'
-    selection_hash:
-        - sha256: 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe'
-        - sha1: 'b89a8eef5aeae806af5ba212a8068845cafdab6f'
-        - md5: 'b941c8364308990ee4cc6eadf7214e0f'
-    condition: 1 of selection*
+    condition: selection
 falsepositives:
     - Legitimate driver loads (old driver that didn't receive an update)
 level: high
diff --git a/deprecated/windows/file_event_win_susp_clr_logs.yml b/deprecated/windows/file_event_win_susp_clr_logs.yml
@@ -3,7 +3,7 @@ id: e4b63079-6198-405c-abd7-3fe8b0ce3263
 status: deprecated
 description: Detects suspicious .NET assembly executions. Could detect using Cobalt Strike's command execute-assembly.
 references:
-    - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+    - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
     - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
     - https://github.com/olafhartong/sysmon-modular/blob/5e5f6d90819a7f35eec0aba08021d0d201bb9055/11_file_create/include_dotnet.xml
 author: omkar72, oscd.community, Wojciech Lesicki

diff --git a/deprecated/windows/proc_access_win_lsass_susp_access.yml b/deprecated/windows/proc_access_win_lsass_susp_access.yml
@@ -6,7 +6,7 @@ references:
     - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
     - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-    - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
+    - https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
 date: 2017/02/16
 modified: 2023/11/30

diff --git a/deprecated/windows/proc_access_win_susp_invoke_patchingapi.yml b/deprecated/windows/proc_access_win_susp_invoke_patchingapi.yml
@@ -3,7 +3,7 @@ id: b916cba1-b38a-42da-9223-17114d846fd6
 status: deprecated
 description: Detects potential NT API stub patching as seen used by the project PatchingAPI
 references:
-    - https://github.com/D1rkMtr/UnhookingPatch
+    - https://web.archive.org/web/20230106211702/https://github.com/D1rkMtr/UnhookingPatch
     - https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
 author: frack113
 date: 2023/01/07

diff --git a/deprecated/windows/proc_creation_win_apt_gallium.yml b/deprecated/windows/proc_creation_win_apt_gallium.yml
@@ -25,7 +25,7 @@ detection:
             - ':\Program Files(x86)\'
             - ':\Program Files\'
     legitimate_executable:
-        sha1: 'e570585edc69f9074cb5e8a790708336bd45ca0f'
+        Hashes|contains: 'SHA1=e570585edc69f9074cb5e8a790708336bd45ca0f'
     condition: legitimate_executable and not legitimate_process_path
 falsepositives:
     - Unknown

diff --git a/deprecated/windows/proc_creation_win_renamed_paexec.yml b/deprecated/windows/proc_creation_win_renamed_paexec.yml
@@ -21,11 +21,6 @@ logsource:
 detection:
     selection:
         - Product|contains: 'PAExec'
-        - Imphash:
-            - 11D40A7B7876288F919AB819CC2D9802
-            - 6444f8a34e99b8f7d9647de66aabe516
-            - dfd6aa3f7b2b1035b76b718f1ddc689f
-            - 1a6cca4d5460b1710a12dea39e4a592c
         - Hashes|contains:
             - IMPHASH=11D40A7B7876288F919AB819CC2D9802
             - IMPHASH=6444f8a34e99b8f7d9647de66aabe516

diff --git a/deprecated/windows/proc_creation_win_rundll32_js_runhtmlapplication.yml b/deprecated/windows/proc_creation_win_rundll32_js_runhtmlapplication.yml
@@ -6,7 +6,8 @@ references:
     - http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
     - https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
 author: Florian Roth (Nextron Systems)
-date: 2024/02/23
+date: 2022-01-14
+modified: 2024-02-23
 tags:
     - attack.defense_evasion
 logsource:

diff --git a/deprecated/windows/registry_set_persistence_com_hijacking_susp_locations.yml b/deprecated/windows/registry_set_persistence_com_hijacking_susp_locations.yml
@@ -1,5 +1,8 @@
 title: Potential Persistence Via COM Hijacking From Suspicious Locations
 id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77
+related:
+    - id: 790317c0-0a36-4a6a-a105-6e576bf99a14
+      type: derived
 status: deprecated
 description: Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unusual location.
 references:

diff --git a/...registry_set_persistence_search_order.yml → ...registry_set_persistence_search_order.yml b/...registry_set_persistence_search_order.yml → ...registry_set_persistence_search_order.yml
@@ -1,12 +1,15 @@
 title: Potential Persistence Via COM Search Order Hijacking
 id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12
-status: experimental
+related:
+    - id: 790317c0-0a36-4a6a-a105-6e576bf99a14
+      type: derived
+status: deprecated
 description: Detects potential COM object hijacking leveraging the COM Search Order
 references:
     - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
 author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
-date: 2020/04/14
-modified: 2023/09/28
+date: 2020-04-14
+modified: 2024-09-02
 tags:
     - attack.persistence
     - attack.t1546.015

diff --git a/other/godmode_sigma_rule.yml b/other/godmode_sigma_rule.yml
@@ -18,8 +18,8 @@ id: def6caac-a999-4fc9-8800-cfeff700ba98
 description: 'PoC rule to detect malicious activity - following the principle: if you had only one shot, what would you look for?'
 status: experimental
 author: Florian Roth (Nextron Systems)
-date: 2019/12/22
-modified: 2022/08/04
+date: 2019-12-22
+modified: 2022-08-04
 level: high
 action: global
 ---

diff --git a/...s-emerging-threats/2010/Exploits/CVE-2010-5278/web_cve_2010_5278_exploitation_attempt.yml b/...s-emerging-threats/2010/Exploits/CVE-2010-5278/web_cve_2010_5278_exploitation_attempt.yml
@@ -7,13 +7,13 @@ description: |
 references:
     - https://github.com/projectdiscovery/nuclei-templates
 author: Subhash Popuri (@pbssubhash)
-date: 2021/08/25
-modified: 2023/01/02
+date: 2021-08-25
+modified: 2023-01-02
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
-    - cve.2010.5278
-    - detection.emerging_threats
+    - cve.2010-5278
+    - detection.emerging-threats
 logsource:
     category: webserver
 detection:

diff --git a/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml b/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml
@@ -7,14 +7,14 @@ references:
     - https://www.exploit-db.com/exploits/39161
     - https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/19
-modified: 2023/01/02
+date: 2022-07-19
+modified: 2023-01-02
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
     - attack.t1505.003
-    - cve.2014.6287
-    - detection.emerging_threats
+    - cve.2014-6287
+    - detection.emerging-threats
 logsource:
     category: webserver
 detection:

diff --git a/rules-emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml b/rules-emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml
@@ -6,16 +6,16 @@ references:
     - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
     - https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/116309e7121bc8b0e66e4166c06f7b818e1d3629.pdf
 author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
-date: 2017/07/20
-modified: 2021/11/27
+date: 2017-07-20
+modified: 2021-11-27
 tags:
     - attack.execution
     - attack.t1059.003
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.011
     - attack.s0412
     - attack.g0001
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows

diff --git a/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml b/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml
@@ -5,18 +5,18 @@ description: Detects automated lateral movement by Turla group
 references:
     - https://securelist.com/the-epic-turla-operation/65545/
 author: Markus Neis
-date: 2017/11/07
-modified: 2022/10/09
+date: 2017-11-07
+modified: 2022-10-09
 tags:
     - attack.g0010
     - attack.execution
     - attack.t1059
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1021.002
     - attack.discovery
     - attack.t1083
     - attack.t1135
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows
Original file line number	Diff line number	Diff line change
Expand Up		@@ -44,4 +44,4 @@ Link the fixed issues here, in case your commit fixes issues with rules or code

		### SigmaHQ Rule Creation Conventions

		- If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md)
		- If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/)