Change All "str" references to be "list"to mach schema update

rules/application/app_sqlinjection_errors.yml

@@ -2,7 +2,8 @@ title: Suspicious SQL Error Messages
 status: experimental
 description: Detects SQL error messages that indicate probing for an injection attack
 author: Bjoern Kimminich
-references: http://www.sqlinjection.net/errors
+references:
+    - http://www.sqlinjection.net/errors
 logsource:
     category: application
     product: sql

rules/apt/apt_apt29_tor.yml

@@ -1,7 +1,8 @@
 action: global
 title: APT29 Google Update Service Install
 description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.' 
-references: https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
+references:
+    - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
 logsource:
     product: windows
 detection:

rules/apt/apt_carbonpaper_turla.yml

@@ -1,6 +1,7 @@
 title: Turla Service Install
 description: 'This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET' 
-references: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
+references:
+    - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
 logsource:
     product: windows
     service: system

rules/apt/apt_cloudhopper.yml

@@ -1,7 +1,8 @@
 title: WMIExec VBS Script
 description: Detects suspicious file execution by wscript and cscript
 author: Florian Roth
-references: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+references:
+    - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
 logsource:
     product: windows
     service: sysmon

rules/apt/apt_equationgroup_lnx.yml

@@ -1,6 +1,7 @@
 title: Equation Group Indicators
 description: Detects suspicious shell commands used in various Equation Group scripts and tools
-references: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
+references:
+    - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
 author: Florian Roth
 logsource:
     product: linux

rules/apt/apt_pandemic.yml

@@ -1,7 +1,8 @@
 title: Pandemic Registry Key
 status: experimental
 description: Detects Pandemic Windows Implant
-references: 
+references:
+    - 
     - https://wikileaks.org/vault7/#Pandemic
     - https://twitter.com/MalwareJake/status/870349480356454401
 author: Florian Roth

rules/apt/apt_stonedrill.yml

@@ -1,7 +1,8 @@
 title: StoneDrill Service Install
 description: 'This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky'   
 author: Florian Roth
-references: https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
+references:
+    - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
 logsource:
     product: windows
     service: system

rules/apt/apt_ta17_293a_ps.yml

@@ -1,6 +1,7 @@
 title: Ps.exe Renamed SysInternals Tool
 description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report
-references: https://www.us-cert.gov/ncas/alerts/TA17-293A
+references:
+    - https://www.us-cert.gov/ncas/alerts/TA17-293A
 author: Florian Roth
 date: 2017/10/22
 logsource:

rules/apt/apt_turla_commands.yml

@@ -3,7 +3,8 @@ action: global
 title: Turla Group Lateral Movement 
 status: experimental
 description: Detects automated lateral movement by Turla group 
-references: https://securelist.com/the-epic-turla-operation/65545/
+references:
+    - https://securelist.com/the-epic-turla-operation/65545/
 author: Markus Neis
 date: 2017/11/07
 logsource:

rules/apt/apt_turla_namedpipes.yml

@@ -1,7 +1,8 @@
 title: Turla Group Named Pipes 
 status: experimental
 description: Detects a named pipe used by Turla group samples
-references: Internal Research
+references:
+    - Internal Research
 date: 2017/11/06
 author: Markus Neis
 logsource:

rules/apt/apt_zxshell.yml

@@ -1,7 +1,8 @@
 title: ZxShell Malware
 description: Detects a ZxShell start by the called and well-known function name   
 author: Florian Roth
-references: https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
+references:
+    - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
 logsource:
     product: windows
     service: sysmon

rules/apt/crime_fireball.yml

@@ -3,7 +3,8 @@ status: experimental
 description: Detects Archer malware invocation via rundll32
 author: Florian Roth
 date: 2017/06/03
-references: 
+references:
+    - 
     - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
     - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
 logsource:

rules/linux/auditd/lnx_auditd_susp_cmds.yml

@@ -1,7 +1,8 @@
 title: Detects Suspicious Commands on Linux systems
 status: experimental
 description: Detects relevant commands often related to malware or hacking activity
-references: 'Internal Research - mostly derived from exploit code including code in MSF'
+references:
+    - 'Internal Research - mostly derived from exploit code including code in MSF'
 date: 2017/12/12
 author: Florian Roth
 logsource:

rules/linux/auditd/lnx_auditd_susp_exe_folders.yml

@@ -1,7 +1,8 @@
 title: Program Executions in Suspicious Folders
 status: experimental
 description: Detects program executions in suspicious non-program folders related to malware or hacking activity
-references: 'Internal Research'
+references:
+    - 'Internal Research'
 date: 2018/01/23
 author: Florian Roth
 logsource:

rules/linux/lnx_buffer_overflows.yml

@@ -1,6 +1,7 @@
 title: Buffer Overflow Attempts
 description: Detects buffer overflow attempts in Linux system log files
-references: https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
+references:
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
 logsource:
     product: linux
 detection:

rules/linux/lnx_clamav.yml

@@ -1,6 +1,7 @@
 title: Relevant ClamAV Message
 description: Detects relevant ClamAV messages
-references: https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
+references:
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
 logsource:
     product: linux
     service: clamav

rules/linux/lnx_shell_susp_commands.yml

@@ -1,6 +1,7 @@
 title: Suspicious Activity in Shell Commands
 description: Detects suspicious shell commands used in various exploit codes (see references)
-references: 
+references:
+    - 
     - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
     - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
     - http://pastebin.com/FtygZ1cg

rules/linux/lnx_shellshock.yml

@@ -1,6 +1,7 @@
 title: Shellshock Expression
 description: Detects shellshock expressions in log files
-references: http://rubular.com/r/zxBfjWfFYs
+references:
+    - http://rubular.com/r/zxBfjWfFYs
 logsource:
     product: linux
 detection:

rules/linux/lnx_susp_ssh.yml

@@ -1,6 +1,7 @@
 title: Suspicious SSHD Error
 description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
-references: https://github.com/openssh/openssh-portable/blob/master/ssherr.c
+references:
+    - https://github.com/openssh/openssh-portable/blob/master/ssherr.c
 author: Florian Roth
 date: 2017/06/30
 logsource:

rules/linux/lnx_susp_vsftp.yml

@@ -1,6 +1,7 @@
 title: Suspicious VSFTPD Error Messages
 description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
-references: https://github.com/dagwieers/vsftpd/
+references:
+    - https://github.com/dagwieers/vsftpd/
 author: Florian Roth
 date: 2017/07/05
 logsource:

rules/proxy/proxy_download_susp_dyndns.yml

@@ -1,7 +1,8 @@
 title: Download from Suspicious Dyndns Hosts
 status: experimental
 description: Detects download of certain file types from hosts with dynamic DNS names (selected list)
-references: https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
+references:
+    - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
 author: Florian Roth
 date: 2017/11/08
 logsource:

rules/proxy/proxy_download_susp_tlds_blacklist.yml

@@ -1,7 +1,8 @@
 title: Download from Suspicious TLD
 status: experimental
 description: Detects download of certain file types from hosts in suspicious TLDs 
-references: 
+references:
+    - 
     - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
     - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
     - https://www.spamhaus.org/statistics/tlds/

rules/proxy/proxy_powershell_ua.yml

@@ -1,7 +1,8 @@
 title: Windows PowerShell User Agent
 status: experimental
 description: Detects Windows PowerShell Web Access
-references: https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
+references:
+    - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
 author: Florian Roth
 logsource:
     category: proxy

rules/proxy/proxy_susp_flash_download_loc.yml

@@ -1,7 +1,8 @@
 title: Flash Player Update from Suspicious Location
 status: experimental
 description: Detects a flashplayer update from an unofficial location
-references: https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
+references:
+    - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
 author: Florian Roth
 logsource:
     category: proxy

rules/proxy/proxy_ua_apt.yml

@@ -1,7 +1,8 @@
 title: APT User Agent
 status: experimental
 description: Detects suspicious user agent strings used in APT malware in proxy logs
-references: Internal Research
+references:
+    - Internal Research
 author: Florian Roth
 logsource:
     category: proxy

rules/web/web_apache_segfault.yml

@@ -1,7 +1,8 @@
 title: Apache Segmentation Fault
 description: Detects a segmentation fault error message caused by a creashing apacke worker process 
 author: Florian Roth
-references: http://www.securityfocus.com/infocus/1633
+references:
+    - http://www.securityfocus.com/infocus/1633
 logsource:
     product: apache
 detection:

rules/windows/builtin/win_alert_active_directory_user_control.yml

@@ -1,6 +1,7 @@
 title: Enabled User Right in AD to Control User Objects
 description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
-references: 
+references:
+    - 
     - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
 author: '@neu5ron'
 logsource:

rules/windows/builtin/win_alert_enable_weak_encryption.yml

@@ -1,6 +1,7 @@
 title: Weak Encryption Enabled and Kerberoast
 description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
-references: 
+references:
+    - 
     - https://adsecurity.org/?p=2053
     - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
 author: '@neu5ron'

rules/windows/builtin/win_eventlog_cleared.yml

@@ -3,7 +3,8 @@ status: experimental
 description: Detects a cleared Windows Eventlog as e.g. caused by "wevtutil cl" command execution  
 author: Florian Roth
 date: 2017/06/27
-references: https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
+references:
+    - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
 logsource:
     product: windows
     service: system

rules/windows/builtin/win_mal_wceaux_dll.yml

@@ -2,7 +2,8 @@ title: WCE wceaux.dll Access
 status: experimental
 description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
 author: Thomas Patzke
-references: https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+references:
+    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_multiple_suspicious_cli.yml

@@ -2,7 +2,8 @@ action: global
 title: Quick Execution of a Series of Suspicious Commands
 description: Detects multiple suspicious process in a limited timeframe
 status: experimental
-references: 
+references:
+    - 
     - https://car.mitre.org/wiki/CAR-2013-04-002
 author: juju4
 detection:

rules/windows/builtin/win_pass_the_hash.yml

@@ -1,7 +1,8 @@
 title: Pass the Hash Activity
 status: experimental
 description: 'Detects the attack technique pass the hash which is used to move laterally inside the network'
-references: https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
+references:
+    - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
 author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
 logsource:
     product: windows

rules/windows/builtin/win_plugx_susp_exe_locations.yml

@@ -1,7 +1,8 @@
 title: Executable used by PlugX in Uncommon Location
 status: experimental
 description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
-references: 
+references:
+    - 
     - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/'
     - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
 author: Florian Roth

rules/windows/builtin/win_susp_add_sid_history.yml

@@ -1,7 +1,8 @@
 title: Addition of SID History to Active Directory Object
 status: stable
 description: An attacker can use the SID history attribute to gain additional privileges.
-references: https://adsecurity.org/?p=1772
+references:
+    - https://adsecurity.org/?p=1772
 author: Thomas Patzke
 logsource:
     product: windows

rules/windows/builtin/win_susp_backup_delete.yml

@@ -1,7 +1,8 @@
 title: Backup Catalog Deleted
 status: experimental
 description: Detects backup catalog deletions
-references: 
+references:
+    - 
     - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
     - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
 author: Florian Roth (rule), Tom U. @c_APT_ure (collection) 

rules/windows/builtin/win_susp_cli_escape.yml

@@ -2,7 +2,8 @@ action: global
 title: Suspicious Commandline Escape
 description: Detects suspicious process that use escape characters
 status: experimental
-references: 
+references:
+    - 
     - https://twitter.com/vysecurity/status/885545634958385153
     - https://twitter.com/Hexacorn/status/885553465417756673
     - https://twitter.com/Hexacorn/status/885570278637678592

rules/windows/builtin/win_susp_commands_recon_activity.yml

@@ -3,7 +3,8 @@ action: global
 title: Reconnaissance Activity with Net Command
 status: experimental
 description: 'Detects a set of commands often used in recon stages by different attack groups' 
-references: 
+references:
+    - 
     - https://twitter.com/haroonmeer/status/939099379834658817
     - https://twitter.com/c_APT_ure/status/939475433711722497
 author: Florian Roth

rules/windows/builtin/win_susp_dns_config.yml

@@ -2,7 +2,8 @@ title: DNS Server Error Failed Loading the ServerLevelPluginDLL
 description: This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
 status: experimental
 date: 2017/05/08
-references: 
+references:
+    - 
     - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
     - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
     - https://twitter.com/gentilkiwi/status/861641945944391680

rules/windows/builtin/win_susp_dsrm_password_change.yml

@@ -1,7 +1,8 @@
 title: Password Change on Directory Service Restore Mode (DSRM) Account
 status: stable
 description: The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
-references: https://adsecurity.org/?p=1714
+references:
+    - https://adsecurity.org/?p=1714
 author: Thomas Patzke
 logsource:
     product: windows

rules/windows/builtin/win_susp_eventlog_cleared.yml

@@ -1,6 +1,7 @@
 title: Eventlog Cleared
 description: One of the Windows Eventlogs has been cleared
-references: https://twitter.com/deviouspolack/status/832535435960209408
+references:
+    - https://twitter.com/deviouspolack/status/832535435960209408
 author: Florian Roth
 logsource:
     product: windows

rules/windows/builtin/win_susp_iss_module_install.yml

@@ -3,7 +3,8 @@ action: global
 title: IIS Native-Code Module Command Line Installation
 description: Detects suspicious IIS native-code module installations via command line
 status: experimental
-references: 
+references:
+    - 
     - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
 author: Florian Roth
 detection: