Comply With V2 Spec Changes

.github/workflows/sigma-test.yml

@@ -75,8 +75,7 @@ jobs:
         python-version: 3.11
     - name: Install dependencies
       run: |
-        # pip install sigma-cli~=0.7.1
-        pip install pysigma==0.11.9
+        pip install pysigma
         pip install sigma-cli
         pip install pySigma-validators-sigmahq==0.7.0
     - name: Test Sigma Rule Syntax

other/godmode_sigma_rule.yml

@@ -18,8 +18,8 @@ id: def6caac-a999-4fc9-8800-cfeff700ba98
 description: 'PoC rule to detect malicious activity - following the principle: if you had only one shot, what would you look for?'
 status: experimental
 author: Florian Roth (Nextron Systems)
-date: 2019/12/22
-modified: 2022/08/04
+date: 2019-12-22
+modified: 2022-08-04
 level: high
 action: global
 ---

rules-emerging-threats/2010/Exploits/CVE-2010-5278/web_cve_2010_5278_exploitation_attempt.yml

@@ -7,13 +7,13 @@ description: |
 references:
     - https://github.com/projectdiscovery/nuclei-templates
 author: Subhash Popuri (@pbssubhash)
-date: 2021/08/25
-modified: 2023/01/02
+date: 2021-08-25
+modified: 2023-01-02
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
-    - cve.2010.5278
-    - detection.emerging_threats
+    - cve.2010-5278
+    - detection.emerging-threats
 logsource:
     category: webserver
 detection:

rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml

@@ -7,14 +7,14 @@ references:
     - https://www.exploit-db.com/exploits/39161
     - https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/19
-modified: 2023/01/02
+date: 2022-07-19
+modified: 2023-01-02
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
     - attack.t1505.003
-    - cve.2014.6287
-    - detection.emerging_threats
+    - cve.2014-6287
+    - detection.emerging-threats
 logsource:
     category: webserver
 detection:

rules-emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml

@@ -6,16 +6,16 @@ references:
     - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
     - https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/116309e7121bc8b0e66e4166c06f7b818e1d3629.pdf
 author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
-date: 2017/07/20
-modified: 2021/11/27
+date: 2017-07-20
+modified: 2021-11-27
 tags:
     - attack.execution
     - attack.t1059.003
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.011
     - attack.s0412
     - attack.g0001
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml

@@ -5,18 +5,18 @@ description: Detects automated lateral movement by Turla group
 references:
     - https://securelist.com/the-epic-turla-operation/65545/
 author: Markus Neis
-date: 2017/11/07
-modified: 2022/10/09
+date: 2017-11-07
+modified: 2022-10-09
 tags:
     - attack.g0010
     - attack.execution
     - attack.t1059
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1021.002
     - attack.discovery
     - attack.t1083
     - attack.t1135
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml

@@ -5,15 +5,15 @@ description: Detects commands used by Turla group as reported by ESET in May 202
 references:
     - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
 author: Florian Roth (Nextron Systems)
-date: 2020/05/26
-modified: 2021/11/27
+date: 2020-05-26
+modified: 2021-11-27
 tags:
     - attack.g0010
     - attack.execution
     - attack.t1059.001
     - attack.t1053.005
     - attack.t1027
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml

@@ -6,13 +6,13 @@ references:
     - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
     - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
 author: Florian Roth (Nextron Systems)
-date: 2018/02/22
-modified: 2021/11/27
+date: 2018-02-22
+modified: 2021-11-27
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1036.005
-    - cve.2015.1641
-    - detection.emerging_threats
+    - cve.2015-1641
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml

@@ -5,16 +5,16 @@ description: Detects Winword starting uncommon sub process FLTLDR.exe as used in
 references:
     - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
 author: Florian Roth (Nextron Systems)
-date: 2018/02/22
-modified: 2021/11/27
+date: 2018-02-22
+modified: 2021-11-27
 tags:
     - attack.execution
     - attack.t1203
     - attack.t1204.002
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1566.001
-    - cve.2017.0261
-    - detection.emerging_threats
+    - cve.2017-0261
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml

@@ -7,16 +7,16 @@ references:
     - https://www.linkedin.com/pulse/exploit-available-dangerous-ms-office-rce-vuln-called-thebenygreen-
     - https://github.com/embedi/CVE-2017-11882
 author: Florian Roth (Nextron Systems)
-date: 2017/11/23
-modified: 2021/11/27
+date: 2017-11-23
+modified: 2021-11-27
 tags:
     - attack.execution
     - attack.t1203
     - attack.t1204.002
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1566.001
-    - cve.2017.11882
-    - detection.emerging_threats
+    - cve.2017-11882
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml

@@ -6,16 +6,16 @@ references:
     - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
     - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
 author: Florian Roth (Nextron Systems)
-date: 2017/09/15
-modified: 2021/11/27
+date: 2017-09-15
+modified: 2021-11-27
 tags:
     - attack.execution
     - attack.t1203
     - attack.t1204.002
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1566.001
-    - cve.2017.8759
-    - detection.emerging_threats
+    - cve.2017-8759
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml

@@ -6,13 +6,13 @@ references:
     - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
     - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
 author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
-date: 2017/11/10
-modified: 2022/10/09
+date: 2017-11-10
+modified: 2022-10-09
 tags:
     - attack.execution
     - attack.t1059.005
     - attack.t1059.007
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml

@@ -10,13 +10,13 @@ description: |
 references:
     - https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
 author: Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)
-date: 2017/03/27
-modified: 2022/10/09
+date: 2017-03-27
+modified: 2022-10-09
 tags:
     - attack.persistence
     - attack.t1543.003
     - attack.t1569.002
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     product: windows
     service: security

rules-emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml

@@ -6,13 +6,13 @@ references:
     - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
     - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
 author: Florian Roth (Nextron Systems)
-date: 2017/06/03
-modified: 2021/11/27
+date: 2017-06-03
+modified: 2021-11-27
 tags:
     - attack.execution
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.011
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml

@@ -5,13 +5,13 @@ description: Detects a process access to verclsid.exe that injects shellcode fro
 references:
     - https://twitter.com/JohnLaTwC/status/837743453039534080
 author: John Lambert (tech), Florian Roth (Nextron Systems)
-date: 2017/03/04
-modified: 2021/11/27
+date: 2017-03-04
+modified: 2021-11-27
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1055
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_access
     product: windows

rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml

@@ -6,16 +6,16 @@ references:
     - https://securelist.com/schroedingers-petya/78870/
     - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
 author: Florian Roth (Nextron Systems), Tom Ueltschi
-date: 2019/01/16
-modified: 2022/12/15
+date: 2019-01-16
+modified: 2022-12-15
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.011
     - attack.t1070.001
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003.001
     - car.2016-04-002
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml

@@ -6,13 +6,13 @@ references:
     - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
     - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
 author: Florian Roth (Nextron Systems)
-date: 2017/06/12
-modified: 2023/02/03
+date: 2017-06-12
+modified: 2023-02-03
 tags:
     - attack.s0013
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1574.002
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml

@@ -5,13 +5,13 @@ description: This method detects a service install of the malicious Microsoft Ne
 references:
     - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
 author: Florian Roth (Nextron Systems)
-date: 2017/03/07
-modified: 2021/11/30
+date: 2017-03-07
+modified: 2021-11-30
 tags:
     - attack.persistence
     - attack.g0064
     - attack.t1543.003
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     product: windows
     service: system

rules-emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml

@@ -5,19 +5,19 @@ description: Detects WannaCry ransomware activity
 references:
     - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
 author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro
-date: 2019/01/16
-modified: 2023/02/03
+date: 2019-01-16
+modified: 2023-02-03
 tags:
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1210
     - attack.discovery
     - attack.t1083
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1222.001
     - attack.impact
     - attack.t1486
     - attack.t1490
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml

@@ -5,13 +5,13 @@ description: Detects potential process and execution activity related to APT10 C
 references:
     - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
 author: Florian Roth (Nextron Systems)
-date: 2017/04/07
-modified: 2023/03/08
+date: 2017-04-07
+modified: 2023-03-08
 tags:
     - attack.execution
     - attack.g0045
     - attack.t1059.005
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows

rules-emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml

@@ -5,14 +5,14 @@ description: Detects renamed SysInternals tool execution with a binary named ps.
 references:
     - https://www.us-cert.gov/ncas/alerts/TA17-293A
 author: Florian Roth (Nextron Systems)
-date: 2017/10/22
-modified: 2023/05/02
+date: 2017-10-22
+modified: 2023-05-02
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.g0035
     - attack.t1036.003
     - car.2013-05-009
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows