Merge pull request #64 from SherifEldeeb/master

Update rules to reflect schema changes "and add consistency"

rules/application/app_python_sql_exceptions.yml

@@ -1,7 +1,7 @@
 title: Python SQL Exceptions
 description: Generic rule for SQL exceptions in Python according to PEP 249
 author: Thomas Patzke
-reference:
+references:
     - https://www.python.org/dev/peps/pep-0249/#exceptions
 logsource:
     category: application

rules/application/app_sqlinjection_errors.yml

@@ -2,7 +2,8 @@ title: Suspicious SQL Error Messages
 status: experimental
 description: Detects SQL error messages that indicate probing for an injection attack
 author: Bjoern Kimminich
-reference: http://www.sqlinjection.net/errors
+references:
+    - http://www.sqlinjection.net/errors
 logsource:
     category: application
     product: sql

rules/application/appframework_django_exceptions.yml

@@ -1,7 +1,7 @@
 title: Django framework exceptions
 description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
     - https://docs.djangoproject.com/en/1.11/ref/exceptions/
     - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
 logsource:

rules/application/appframework_ruby_on_rails_exceptions.yml

@@ -1,7 +1,7 @@
 title: Ruby on Rails framework exceptions
 description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
     - http://edgeguides.rubyonrails.org/security.html
     - http://guides.rubyonrails.org/action_controller_overview.html
     - https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception

rules/application/appframework_spring_exceptions.yml

@@ -1,7 +1,7 @@
 title: Spring framework exceptions
 description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
     - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
 logsource:
     category: application

rules/apt/apt_apt29_tor.yml

@@ -1,7 +1,8 @@
 action: global
 title: APT29 Google Update Service Install
 description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.' 
-reference: https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
+references:
+    - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
 logsource:
     product: windows
 detection:

rules/apt/apt_carbonpaper_turla.yml

@@ -1,6 +1,7 @@
 title: Turla Service Install
 description: 'This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET' 
-reference: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
+references:
+    - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
 logsource:
     product: windows
     service: system

rules/apt/apt_cloudhopper.yml

@@ -1,7 +1,8 @@
 title: WMIExec VBS Script
 description: Detects suspicious file execution by wscript and cscript
 author: Florian Roth
-reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+references:
+    - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
 logsource:
     product: windows
     service: sysmon

rules/apt/apt_equationgroup_c2.yml

@@ -1,6 +1,6 @@
 title: Equation Group C2 Communication
 description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
-reference:
+references:
     - 'https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation'
     - 'https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195'
 author: Florian Roth

rules/apt/apt_equationgroup_lnx.yml

@@ -1,6 +1,7 @@
 title: Equation Group Indicators
 description: Detects suspicious shell commands used in various Equation Group scripts and tools
-reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
+references:
+    - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
 author: Florian Roth
 logsource:
     product: linux

rules/apt/apt_pandemic.yml

@@ -1,7 +1,7 @@
 title: Pandemic Registry Key
 status: experimental
 description: Detects Pandemic Windows Implant
-reference: 
+references:
     - https://wikileaks.org/vault7/#Pandemic
     - https://twitter.com/MalwareJake/status/870349480356454401
 author: Florian Roth

rules/apt/apt_stonedrill.yml

@@ -1,7 +1,8 @@
 title: StoneDrill Service Install
 description: 'This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky'   
 author: Florian Roth
-reference: https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
+references:
+    - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
 logsource:
     product: windows
     service: system

rules/apt/apt_ta17_293a_ps.yml

@@ -1,6 +1,7 @@
 title: Ps.exe Renamed SysInternals Tool
 description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report
-reference: https://www.us-cert.gov/ncas/alerts/TA17-293A
+references:
+    - https://www.us-cert.gov/ncas/alerts/TA17-293A
 author: Florian Roth
 date: 2017/10/22
 logsource:

rules/apt/apt_turla_commands.yml

@@ -3,7 +3,8 @@ action: global
 title: Turla Group Lateral Movement 
 status: experimental
 description: Detects automated lateral movement by Turla group 
-reference: https://securelist.com/the-epic-turla-operation/65545/
+references:
+    - https://securelist.com/the-epic-turla-operation/65545/
 author: Markus Neis
 date: 2017/11/07
 logsource:

rules/apt/apt_turla_namedpipes.yml

@@ -1,7 +1,8 @@
 title: Turla Group Named Pipes 
 status: experimental
 description: Detects a named pipe used by Turla group samples
-reference: Internal Research
+references:
+    - Internal Research
 date: 2017/11/06
 author: Markus Neis
 logsource:

rules/apt/apt_zxshell.yml

@@ -1,7 +1,8 @@
 title: ZxShell Malware
 description: Detects a ZxShell start by the called and well-known function name   
 author: Florian Roth
-reference: https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
+references:
+    - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
 logsource:
     product: windows
     service: sysmon

rules/apt/crime_fireball.yml

@@ -3,7 +3,7 @@ status: experimental
 description: Detects Archer malware invocation via rundll32
 author: Florian Roth
 date: 2017/06/03
-reference: 
+references:
     - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
     - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
 logsource:

rules/linux/auditd/lnx_auditd_susp_cmds.yml

@@ -1,7 +1,8 @@
 title: Detects Suspicious Commands on Linux systems
 status: experimental
 description: Detects relevant commands often related to malware or hacking activity
-reference: 'Internal Research - mostly derived from exploit code including code in MSF'
+references:
+    - 'Internal Research - mostly derived from exploit code including code in MSF'
 date: 2017/12/12
 author: Florian Roth
 logsource:

rules/linux/auditd/lnx_auditd_susp_exe_folders.yml

@@ -1,7 +1,8 @@
 title: Program Executions in Suspicious Folders
 status: experimental
 description: Detects program executions in suspicious non-program folders related to malware or hacking activity
-reference: 'Internal Research'
+references:
+    - 'Internal Research'
 date: 2018/01/23
 author: Florian Roth
 logsource:

rules/linux/lnx_buffer_overflows.yml

@@ -1,6 +1,7 @@
 title: Buffer Overflow Attempts
 description: Detects buffer overflow attempts in Linux system log files
-reference: https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
+references:
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
 logsource:
     product: linux
 detection:

rules/linux/lnx_clamav.yml

@@ -1,6 +1,7 @@
 title: Relevant ClamAV Message
 description: Detects relevant ClamAV messages
-reference: https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
+references:
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
 logsource:
     product: linux
     service: clamav

rules/linux/lnx_shell_susp_commands.yml

@@ -1,6 +1,6 @@
 title: Suspicious Activity in Shell Commands
 description: Detects suspicious shell commands used in various exploit codes (see references)
-reference: 
+references:
     - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
     - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
     - http://pastebin.com/FtygZ1cg

rules/linux/lnx_shellshock.yml

@@ -1,6 +1,7 @@
 title: Shellshock Expression
 description: Detects shellshock expressions in log files
-reference: http://rubular.com/r/zxBfjWfFYs
+references:
+    - http://rubular.com/r/zxBfjWfFYs
 logsource:
     product: linux
 detection:

rules/linux/lnx_susp_ssh.yml

@@ -1,6 +1,7 @@
 title: Suspicious SSHD Error
 description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
-reference: https://github.com/openssh/openssh-portable/blob/master/ssherr.c
+references:
+    - https://github.com/openssh/openssh-portable/blob/master/ssherr.c
 author: Florian Roth
 date: 2017/06/30
 logsource:

rules/linux/lnx_susp_vsftp.yml

@@ -1,6 +1,7 @@
 title: Suspicious VSFTPD Error Messages
 description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
-reference: https://github.com/dagwieers/vsftpd/
+references:
+    - https://github.com/dagwieers/vsftpd/
 author: Florian Roth
 date: 2017/07/05
 logsource:

rules/proxy/proxy_download_susp_dyndns.yml

@@ -1,7 +1,8 @@
 title: Download from Suspicious Dyndns Hosts
 status: experimental
 description: Detects download of certain file types from hosts with dynamic DNS names (selected list)
-reference: https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
+references:
+    - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
 author: Florian Roth
 date: 2017/11/08
 logsource:

rules/proxy/proxy_download_susp_tlds_blacklist.yml

@@ -1,7 +1,7 @@
 title: Download from Suspicious TLD
 status: experimental
 description: Detects download of certain file types from hosts in suspicious TLDs 
-reference: 
+references:
     - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
     - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
     - https://www.spamhaus.org/statistics/tlds/

rules/proxy/proxy_empty_ua.yml

@@ -1,7 +1,7 @@
 title: Empty User Agent
 status: experimental
 description: Detects suspicious empty user agent strings in proxy logs
-reference:
+references:
     - https://twitter.com/Carlos_Perez/status/883455096645931008
 author: Florian Roth
 logsource:

rules/proxy/proxy_powershell_ua.yml

@@ -1,7 +1,8 @@
 title: Windows PowerShell User Agent
 status: experimental
 description: Detects Windows PowerShell Web Access
-reference: https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
+references:
+    - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
 author: Florian Roth
 logsource:
     category: proxy

rules/proxy/proxy_susp_flash_download_loc.yml

@@ -1,7 +1,8 @@
 title: Flash Player Update from Suspicious Location
 status: experimental
 description: Detects a flashplayer update from an unofficial location
-reference: https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
+references:
+    - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
 author: Florian Roth
 logsource:
     category: proxy

rules/proxy/proxy_ua_apt.yml

@@ -1,7 +1,8 @@
 title: APT User Agent
 status: experimental
 description: Detects suspicious user agent strings used in APT malware in proxy logs
-reference: Internal Research
+references:
+    - Internal Research
 author: Florian Roth
 logsource:
     category: proxy

rules/proxy/proxy_ua_frameworks.yml

@@ -1,7 +1,7 @@
 title: Exploit Framework User Agent
 status: experimental
 description: Detects suspicious user agent strings used by exploit / pentest framworks like Metasploit in proxy logs
-reference:
+references:
     - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
 author: Florian Roth
 logsource:

rules/proxy/proxy_ua_hacktool.yml

@@ -1,7 +1,7 @@
 title: Hack Tool User Agent
 status: experimental
 description: Detects suspicious user agent strings user by hack tools in proxy logs
-reference:
+references:
     - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
     - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
 author: Florian Roth

rules/proxy/proxy_ua_malware.yml

@@ -1,7 +1,7 @@
 title: Malware User Agent
 status: experimental
 description: Detects suspicious user agent strings used by malware in proxy logs
-reference:
+references:
     - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
     - http://www.botopedia.org/search?searchword=scan&searchphrase=all
     - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html

rules/proxy/proxy_ua_suspicious.yml

@@ -1,7 +1,7 @@
 title: Suspicious User Agent
 status: experimental
 description: Detects suspicious malformed user agent strings in proxy logs
-reference:
+references:
     - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
 author: Florian Roth
 logsource:

rules/web/web_apache_segfault.yml

@@ -1,7 +1,8 @@
 title: Apache Segmentation Fault
 description: Detects a segmentation fault error message caused by a creashing apacke worker process 
 author: Florian Roth
-reference: http://www.securityfocus.com/infocus/1633
+references:
+    - http://www.securityfocus.com/infocus/1633
 logsource:
     product: apache
 detection:

rules/windows/builtin/win_admin_rdp_login.yml

@@ -1,6 +1,6 @@
 title: Admin User Remote Logon
 description: Detect remote login by Administrator user depending on internal pattern
-reference:
+references:
   - https://car.mitre.org/wiki/CAR-2016-04-005
 status: experimental
 author: juju4

rules/windows/builtin/win_alert_active_directory_user_control.yml

@@ -1,6 +1,6 @@
 title: Enabled User Right in AD to Control User Objects
 description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
-reference: 
+references:
     - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
 author: '@neu5ron'
 logsource:

rules/windows/builtin/win_alert_ad_user_backdoors.yml

@@ -1,6 +1,6 @@
 title: Active Directory User Backdoors
 description: Detects scenarios where one can control another users account without having to use their credentials via msDS-AllowedToDelegateTo and or service principal names (SPN).
-reference:
+references:
     - https://msdn.microsoft.com/en-us/library/cc220234.aspx
     - https://adsecurity.org/?p=3466
 author: '@neu5ron'

rules/windows/builtin/win_alert_enable_weak_encryption.yml

@@ -1,6 +1,6 @@
 title: Weak Encryption Enabled and Kerberoast
 description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
-reference: 
+references:
     - https://adsecurity.org/?p=2053
     - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
 author: '@neu5ron'

rules/windows/builtin/win_disable_event_logging.yml

@@ -6,7 +6,7 @@ description: >
     that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
     Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off
     specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.
-reference:
+references:
     - https://bit.ly/WinLogsZero2Hero
 author: '@neu5ron'
 logsource:

rules/windows/builtin/win_eventlog_cleared.yml

@@ -3,7 +3,8 @@ status: experimental
 description: Detects a cleared Windows Eventlog as e.g. caused by "wevtutil cl" command execution  
 author: Florian Roth
 date: 2017/06/27
-reference: https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
+references:
+    - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
 logsource:
     product: windows
     service: system

rules/windows/builtin/win_mal_wceaux_dll.yml

@@ -2,7 +2,8 @@ title: WCE wceaux.dll Access
 status: experimental
 description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
 author: Thomas Patzke
-reference: https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+references:
+    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 logsource:
     product: windows
     service: security