Order yaml field

rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml

@@ -1,7 +1,9 @@
 title: Credential Manager Access
 id: 407aecb1-e762-4acf-8c7b-d087bcff3bb6
 status: experimental
-description: Detects suspicious processes based on name and location that access the windows credential manager and vault. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
+description: |
+  Detects suspicious processes based on name and location that access the windows credential manager and vault.
+  Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
 references:
     - https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz
     - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml

@@ -1,7 +1,9 @@
 title: Suspicious Access To Windows DPAPI Master Keys
 id: 46612ae6-86be-4802-bc07-39b59feb1309
 status: experimental
-description: Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
+description: |
+  Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys.
+  Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
 references:
     - https://web.archive.org/web/20181130065817/http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
     - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords

rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml

@@ -1,7 +1,9 @@
 title: Suspicious Access To Windows Credential History File
 id: 7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2
 status: experimental
-description: Detects suspicious processes based on name and location that access the Windows Credential History File. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
+description: |
+  Detects suspicious processes based on name and location that access the Windows Credential History File.
+  Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
 references:
     - https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist
     - https://www.passcape.com/windows_password_recovery_dpapi_credhist

rules/windows/file/file_change/file_change_win_2022_timestomping.yml

@@ -2,8 +2,8 @@ title: File Creation Date Changed to Another Year
 id: 558eebe5-f2ba-4104-b339-36f7902bcc1a
 status: experimental
 description: |
-  Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.
-  Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.
+    Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.
+    Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.
 references:
     - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
 author: frack113, Florian Roth

rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml

@@ -1,11 +1,11 @@
 title: Unusual File Modification by dns.exe
 id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3
 status: experimental
-author: Tim Rauch
-date: 2022/09/27
 description: Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
 references:
     - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html
+author: Tim Rauch
+date: 2022/09/27
 tags:
     - attack.initial_access
     - attack.t1133

rules/windows/file/file_delete/file_delete_win_delete_appli_log.yml

@@ -2,10 +2,13 @@ title: Delete Log from Application
 id: b1decb61-ed83-4339-8e95-53ea51901720
 status: experimental
 description: Deletion of log files is a known anti-forensic technique
-author: frack113
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
+author: frack113
 date: 2022/01/16
+tags:
+    - attack.defense_evasion
+    - attack.t1070.004
 logsource:
     product: windows
     category: file_delete
@@ -19,6 +22,3 @@ detection:
 falsepositives:
     - Unknown
 level: low
-tags:
-    - attack.defense_evasion
-    - attack.t1070.004

rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml

@@ -2,11 +2,14 @@ title: Deletes Backup Files
 id: 06125661-3814-4e03-bfa2-1e4411c60ac3
 status: experimental
 description: Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
-author: frack113
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files
+author: frack113
 date: 2022/01/02
 modified: 2022/06/02
+tags:
+    - attack.impact
+    - attack.t1490
 logsource:
     product: windows
     category: file_delete
@@ -26,6 +29,3 @@ detection:
 falsepositives:
     - Legitime usage
 level: medium
-tags:
-    - attack.impact
-    - attack.t1490

rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml

@@ -2,7 +2,6 @@ title: Prefetch File Deletion
 id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
 status: experimental
 description: Detects the deletion of a prefetch file (AntiForensic)
-level: high
 author: Cedric MAURUGEON
 date: 2021/09/29
 modified: 2022/05/27
@@ -24,3 +23,4 @@ detection:
     condition: selection and not exception
 falsepositives:
     - Unknown
+level: high

rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml

@@ -2,12 +2,15 @@ title: Sysinternals SDelete File Deletion
 id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
 status: test
 description: A General detection to trigger for the deletion of files by Sysinternals SDelete. It looks for the common name pattern used to rename files.
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 references:
     - https://github.com/OTRF/detection-hackathon-apt29/issues/9
     - https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/05/02
 modified: 2022/09/21
+tags:
+    - attack.defense_evasion
+    - attack.t1070.004
 logsource:
     product: windows
     category: file_delete
@@ -22,6 +25,3 @@ detection:
 falsepositives:
     - Legitime usage of SDelete
 level: medium
-tags:
-    - attack.defense_evasion
-    - attack.t1070.004

rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml

@@ -1,11 +1,11 @@
 title: Unusual File Deletion by dns.exe
 id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0
 status: experimental
-author: Tim Rauch
-date: 2022/09/27
 description: Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
 references:
     - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html
+author: Tim Rauch
+date: 2022/09/27
 tags:
     - attack.initial_access
     - attack.t1133

rules/windows/file/file_delete/file_delete_win_webserver_access_logs_deleted.yml

@@ -6,12 +6,12 @@ references:
     - https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html
 author: Tim Rauch
 date: 2022/09/16
-logsource:
-    category: file_delete
-    product: windows
 tags:
     - attack.defense_evasion
     - attack.t1070
+logsource:
+    category: file_delete
+    product: windows
 detection:
     selection:
         FileName|startswith: 'C:\inetpub\logs\LogFiles\'
@@ -20,4 +20,4 @@ detection:
 falsepositives:
     - During uninstallation of the IIS service
     - During log rotation
-level: medium
+level: medium

rules/windows/file/file_event/file_event_win_access_susp_teams.yml

@@ -2,25 +2,25 @@ title: Suspicious File Event With Teams Objects
 id: 6902955a-01b7-432c-b32a-6f5f81d8f624
 status: experimental
 description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
-author: '@SerkinValery'
 references:
-  - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
-  - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
+    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
+    - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
+author: '@SerkinValery'
 date: 2022/09/16
+tags:
+    - attack.credential_access
+    - attack.t1528
 logsource:
-  product: windows
-  category: file_event
+    product: windows
+    category: file_event
 detection:
-  selection:
-    TargetFilename|contains:
-      - '\Microsoft\Teams\Cookies'
-      - '\Microsoft\Teams\Local Storage\leveldb'
-  filter:
-    Image|contains: '\Microsoft\Teams\current\Teams.exe'
-  condition: selection and not filter
+    selection:
+        TargetFilename|contains:
+            - '\Microsoft\Teams\Cookies'
+            - '\Microsoft\Teams\Local Storage\leveldb'
+    filter:
+        Image|contains: '\Microsoft\Teams\current\Teams.exe'
+    condition: selection and not filter
 falsepositives:
-  - Unknown
+    - Unknown
 level: high
-tags:
-  - attack.credential_access
-  - attack.t1528

rules/windows/file/file_event/file_event_win_access_susp_unattend_xml.yml

@@ -2,12 +2,15 @@ title: Suspicious Unattend.xml File Access
 id: 1a3d42dd-3763-46b9-8025-b5f17f340dfb
 status: experimental
 description: |
-  Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
-  If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process
-author: frack113
+    Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
+    If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
+author: frack113
 date: 2021/12/19
+tags:
+    - attack.credential_access
+    - attack.t1552.001
 logsource:
     product: windows
     category: file_event
@@ -18,6 +21,3 @@ detection:
 falsepositives:
     - Unknown
 level: medium
-tags:
-    - attack.credential_access
-    - attack.t1552.001

rules/windows/file/file_event/file_event_win_anydesk_artefact.yml

@@ -2,16 +2,19 @@ title: Anydesk Temporary Artefact
 id: 0b9ad457-2554-44c1-82c2-d56a99c42377
 status: experimental
 description: |
-  An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-  These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
 author: frack113
 date: 2022/02/11
+tags:
+    - attack.command_and_control
+    - attack.t1219
 logsource:
-     category: file_event
-     product: windows
+    category: file_event
+    product: windows
 detection:
     selection:
         TargetFilename|contains:
@@ -22,6 +25,3 @@ detection:
 falsepositives:
     - Legitimate use
 level: medium
-tags:
-    - attack.command_and_control
-    - attack.t1219

rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml

@@ -1,11 +1,17 @@
 title: Suspicious Binary Writes Via AnyDesk
 id: 2d367498-5112-4ae5-a06a-96e7bc33a211
 status: experimental
-description: Detects anydesk writing binaries files to disk other than "gcapi.dll". According to RedCanary research it's highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that's part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
-author: Nasreddine Bencherchali
+description: |
+  Detects anydesk writing binaries files to disk other than "gcapi.dll".
+  According to RedCanary research it's highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,
+  which is a legitimate DLL that's part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
 references:
     - https://redcanary.com/blog/misbehaving-rats/
+author: Nasreddine Bencherchali
 date: 2022/09/28
+tags:
+    - attack.command_and_control
+    - attack.t1219
 logsource:
     product: windows
     category: file_event
@@ -21,6 +27,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-tags:
-    - attack.command_and_control
-    - attack.t1219

rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml

@@ -4,8 +4,7 @@ related:
     - id: 7453575c-a747-40b9-839b-125a0aae324b
       type: derived
 status: stable
-description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with
-    YYTRIUM/APT29 campaign in 2016.
+description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.
 references:
     - https://twitter.com/DrunkBinary/status/1063075530180886529
 author: '@41thexplorer, Microsoft Defender ATP'
@@ -19,6 +18,6 @@ logsource:
     category: file_event
 detection:
     selection:
-        TargetFilename|contains: 'ds7002.lnk' 
+        TargetFilename|contains: 'ds7002.lnk'
     condition: selection
-level: high
+level: high

rules/windows/file/file_event/file_event_win_bloodhound_collection.yml

@@ -1,10 +1,10 @@
 title: BloodHound Collection Files
 id: 02773bed-83bf-469f-b7ff-e676e7d78bab
-description: Detects default file names outputted by the BloodHound collection tool SharpHound
 status: experimental
-author: C.J. May
+description: Detects default file names outputted by the BloodHound collection tool SharpHound
 references:
     - https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
+author: C.J. May
 date: 2022/08/09
 modified: 2022/08/09
 tags:

rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml

@@ -1,10 +1,10 @@
 title: CrackMapExec File Creation Patterns
 id: 9433ff9c-5d3f-4269-99f8-95fc826ea489
-description: Detects suspicious file creation patterns found in logs when CrackMapExec is used
 status: experimental
-author: Florian Roth
+description: Detects suspicious file creation patterns found in logs when CrackMapExec is used
 references:
     - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
+author: Florian Roth
 date: 2022/03/12
 modified: 2022/05/27
 tags:
@@ -55,4 +55,4 @@ detection:
     condition: 1 of selection*
 falsepositives:
     - Unknown
-level: high
+level: high

rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml

@@ -2,12 +2,15 @@ title: New Shim Database Created in the Default Directory
 id: ee63c85c-6d51-4d12-ad09-04e25877a947
 status: experimental
 description: |
-  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
-  The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
-author: frack113
+    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
+    The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory
+author: frack113
 date: 2021/12/29
+tags:
+    - attack.persistence
+    - attack.t1547.009
 logsource:
     product: windows
     category: file_event
@@ -19,6 +22,3 @@ detection:
 falsepositives:
     - Unknown
 level: medium
-tags:
-    - attack.persistence
-    - attack.t1547.009