Reference Update [Batch 1]

Author: nasbench

README.md

@@ -73,9 +73,9 @@ Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2
 
 ## Troubles / Troubleshooting / Help
 
-If you need help for a specific supported backend you can use e.g. `sigmac --backend-help elastalert-dsl`. More details on the usage of `sigmac` can be found in the dedicated [README.md](https://github.com/Neo23x0/sigma/blob/master/tools/README.md).
+If you need help for a specific supported backend you can use e.g. `sigmac --backend-help elastalert-dsl`. More details on the usage of `sigmac` can be found in the dedicated [README.md](https://github.com/SigmaHQ/sigma/blob/master/tools/README.md).
 
-Be sure to checkout the [guidance on backend specific settings](https://github.com/Neo23x0/sigma/blob/master/tools/README.md#choosing-the-right-sigmac) for `sigmac`.
+Be sure to checkout the [guidance on backend specific settings](https://github.com/SigmaHQ/sigma/blob/master/tools/README.md#choosing-the-right-sigmac) for `sigmac`.
 
 # Examples
 
@@ -366,7 +366,7 @@ The content of this repository is released under the following licenses:
 
 * The toolchain (everything under `tools/`) is licensed under the [GNU Lesser General Public License](https://www.gnu.org/licenses/lgpl-3.0.en.html)
 * The [Sigma specification](https://github.com/Neo23x0/sigma/wiki) is public domain
-* The rules contained in the `rules/` directory are released under the [Detection Rule License (DRL) 1.1](https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md)
+* The rules contained in the `rules/` directory are released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md)
 
 # Credits
 

contrib/sigma2sumologic.py

@@ -198,7 +198,7 @@ def get_rule_as_sumologic(file):
 
     try:
         # Run query
-        # https://github.com/SumoLogic/sumologic-python-sdk/blob/master/scripts/search-job.py
+        # https://github.com/SumoLogic/sumologic-python-sdk/blob/3ad8033deb028ac45ac4099f11c04785fa426f51/scripts/search-job.py
         sumo = SumoLogic(args.accessid, args.accesskey, args.endpoint)
         toTime = datetime.datetime.now().strftime("%Y-%m-%dT%H:%M:%S")
         fromTime = datetime.datetime.strptime(toTime, "%Y-%m-%dT%H:%M:%S") - datetime.timedelta(hours=24)

rules-deprecated/windows/registry_event_asep_reg_keys_modification.yml

@@ -3,7 +3,7 @@ id: 17f878b8-9968-4578-b814-c4217fc5768c
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 status: deprecated
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
     - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
     - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25

rules-unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml

@@ -3,11 +3,13 @@ id: e75c48bd-3434-4d61-94b7-ddfaa2c08487
 related:
     - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
       type: derived
-description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
+description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework (See reference section for code block)
+references:
+    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
 status: unsupported
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
 date: 2019/11/08
-modified: 2021/09/16
+modified: 2022/07/07
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -26,4 +28,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: high
+level: high

rules/application/ruby/appframework_ruby_on_rails_exceptions.yml

@@ -9,7 +9,7 @@ references:
     - http://edgeguides.rubyonrails.org/security.html
     - http://guides.rubyonrails.org/action_controller_overview.html
     - https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception
-    - https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
+    - https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
 logsource:
     category: application
     product: ruby_on_rails

rules/cloud/aws/aws_ec2_download_userdata.yml

@@ -6,7 +6,7 @@ author: faloker
 date: 2020/02/11
 modified: 2021/08/20
 references:
-    - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ec2__download_userdata/main.py
+    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__download_userdata/main.py
 logsource:
     product: aws
     service: cloudtrail

rules/cloud/aws/aws_ec2_startup_script_change.yml

@@ -6,7 +6,7 @@ author: faloker
 date: 2020/02/12
 modified: 2022/06/07
 references:
-    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__startup_shell_script/main.py#L9
+    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9
 logsource:
     product: aws
     service: cloudtrail

rules/cloud/aws/aws_ecs_task_definition_backdoor.yml

@@ -5,7 +5,7 @@ description: Detects when an Elastic Container Service (ECS) Task Definition has
 author: Darin Smith
 date: 2022/06/07
 references:
-    - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ecs__backdoor_task_def/main.py
+    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py
     - https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html
     - https://attack.mitre.org/techniques/T1525
 logsource:

rules/cloud/aws/aws_guardduty_disruption.yml

@@ -6,7 +6,7 @@ author: faloker
 date: 2020/02/11
 modified: 2021/08/09
 references:
-    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/guardduty__whitelist_ip/main.py#L9
+    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9
 logsource:
     product: aws
     service: cloudtrail

rules/cloud/aws/aws_iam_backdoor_users_keys.yml

@@ -6,7 +6,7 @@ author: faloker
 date: 2020/02/12
 modified: 2021/08/20
 references:
-    - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/iam__backdoor_users_keys/main.py
+    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__backdoor_users_keys/main.py
 logsource:
     product: aws
     service: cloudtrail

rules/cloud/aws/aws_rds_change_master_password.yml

@@ -6,7 +6,7 @@ author: faloker
 date: 2020/02/12
 modified: 2021/08/20
 references:
-    - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py
+    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
 logsource:
     product: aws
     service: cloudtrail

rules/cloud/aws/aws_rds_public_db_restore.yml

@@ -6,7 +6,7 @@ author: faloker
 date: 2020/02/12
 modified: 2021/08/20
 references:
-    - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py
+    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
 logsource:
     product: aws
     service: cloudtrail

rules/cloud/azure/azure_creating_number_of_resources_detection.yml

@@ -4,7 +4,7 @@ status: test
 description: Number of VM creations or deployment activities occur in Azure via the azureactivity log.
 author: sawwinnnaung
 references:
-  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
+  - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
 date: 2020/05/07
 modified: 2021/11/27
 logsource:

rules/cloud/azure/azure_granting_permission_detection.yml

@@ -4,7 +4,7 @@ status: test
 description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
 author: sawwinnnaung
 references:
-  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/Granting_Permissions_To_Account_detection.yaml
+  - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
 date: 2020/05/07
 modified: 2021/11/27
 logsource:

rules/cloud/azure/azure_rare_operations.yml

@@ -4,7 +4,7 @@ status: test
 description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
 author: sawwinnnaung
 references:
-  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/RareOperations.yaml
+  - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml
 date: 2020/05/07
 modified: 2021/11/27
 logsource:

rules/linux/auditd/lnx_auditd_auditing_config_change.yml

@@ -4,28 +4,28 @@ status: test
 description: Detect changes in auditd configuration files
 author: Mikhail Larin, oscd.community
 references:
-  - https://github.com/Neo23x0/auditd/blob/master/audit.rules
-  - self experience
+    - https://github.com/Neo23x0/auditd/blob/master/audit.rules
+    - Self Experience
 date: 2019/10/25
 modified: 2021/11/27
 logsource:
-  product: linux
-  service: auditd
+    product: linux
+    service: auditd
 detection:
-  selection:
-    type: PATH
-    name:
-      - /etc/audit/*
-      - /etc/libaudit.conf
-      - /etc/audisp/*
-  condition: selection
+    selection:
+        type: PATH
+        name:
+            - /etc/audit/*
+            - /etc/libaudit.conf
+            - /etc/audisp/*
+    condition: selection
 fields:
-  - exe
-  - comm
-  - key
+    - exe
+    - comm
+    - key
 falsepositives:
-  - Legitimate administrative activity
+    - Legitimate administrative activity
 level: high
 tags:
-  - attack.defense_evasion
-  - attack.t1562.006
+    - attack.defense_evasion
+    - attack.t1562.006

rules/linux/auditd/lnx_auditd_binary_padding.yml

@@ -4,7 +4,7 @@ status: test
 description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.'
 author: 'Igor Fits, oscd.community'
 references:
-  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
 date: 2020/10/13
 modified: 2021/11/27
 logsource:

rules/linux/auditd/lnx_auditd_change_file_time_attr.yml

@@ -4,7 +4,7 @@ status: test
 description: 'Detect file time attribute change to hide new or changes to existing files.'
 author: 'Igor Fits, oscd.community'
 references:
-  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
 date: 2020/10/15
 modified: 2021/11/27
 logsource:

rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml

@@ -4,7 +4,7 @@ status: test
 description: Detects removing immutable file attribute.
 author: Jakob Weinzettl, oscd.community
 references:
-  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
 date: 2019/09/23
 modified: 2021/11/27
 logsource:

rules/linux/auditd/lnx_auditd_data_compressed.yml

@@ -4,7 +4,7 @@ status: test
 description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
 author: Timur Zinniatullin, oscd.community
 references:
-  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
 date: 2019/10/21
 modified: 2021/11/27
 logsource:

rules/linux/auditd/lnx_auditd_dd_delete_file.yml

@@ -5,17 +5,17 @@ description: Detects overwriting (effectively wiping/deleting) of a file.
 author: Jakob Weinzettl, oscd.community
 date: 2019/10/23
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
 logsource:
     product: linux
     service: auditd
 detection:
     selection:
         type: 'EXECVE'
-        a0|contains: 'dd'   
+        a0|contains: 'dd'
         a1|contains:
-            - 'if=/dev/null'    
-            - 'if=/dev/zero'    
+            - 'if=/dev/null'
+            - 'if=/dev/zero'
     condition: selection
 falsepositives:
     - Appending null bytes to files.

rules/linux/auditd/lnx_auditd_disable_system_firewall.yml

@@ -4,7 +4,7 @@ status: experimental
 description: Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
 author: 'Pawel Mazur'
 references:
-  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
   - https://attack.mitre.org/techniques/T1562/004/
   - https://firewalld.org/documentation/man-pages/firewall-cmd.html
 date: 2022/01/22

rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml

@@ -4,7 +4,7 @@ status: test
 description: Detects file and folder permission changes.
 author: Jakob Weinzettl, oscd.community
 references:
-  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
 date: 2019/09/23
 modified: 2021/11/27
 logsource:

rules/linux/auditd/lnx_auditd_find_cred_in_files.yml

@@ -4,7 +4,7 @@ status: test
 description: 'Detecting attempts to extract passwords with grep'
 author: 'Igor Fits, oscd.community'
 references:
-  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
 date: 2020/10/15
 modified: 2021/11/27
 logsource:

rules/linux/auditd/lnx_auditd_hidden_files_directories.yml

@@ -5,7 +5,7 @@ author: 'Pawel Mazur'
 status: experimental
 date: 2021/09/06
 references:
-   - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md
+   - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
    - https://attack.mitre.org/techniques/T1564/001/
 logsource:
    product: linux

rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml

@@ -1,35 +1,35 @@
 title: Linux Keylogging with Pam.d
 id: 49aae26c-450e-448b-911d-b3c13d178dfc
 description: Detect attempt to enable auditing of TTY input
-    # -w /etc/pam.d/ -p wa -k pam - this rule will help you detect changes to the pam.d files-  https://github.com/Neo23x0/auditd/blob/master/audit.rules 
-    # - the TTY events detection asumes that you do not expect them in your environment or add filtering on those users that you configured it for
+    # -w /etc/pam.d/ -p wa -k pam - This rule will help you detect changes to the pam.d files - https://github.com/Neo23x0/auditd/blob/master/audit.rules
+    # The TTY events detection asumes that you do not expect them in your environment or add filtering on those users that you configured it for
 author: 'Pawel Mazur'
 status: experimental
 date: 2021/05/24
 references:
-   - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md
-   - https://attack.mitre.org/techniques/T1003/
-   - https://linux.die.net/man/8/pam_tty_audit
-   - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing
-   - https://access.redhat.com/articles/4409591#audit-record-types-2
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md
+    - https://attack.mitre.org/techniques/T1003/
+    - https://linux.die.net/man/8/pam_tty_audit
+    - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing
+    - https://access.redhat.com/articles/4409591#audit-record-types-2
 logsource:
-   product: linux
-   service: auditd
+    product: linux
+    service: auditd
 detection:
-   path_events:
-       type: PATH
-       name: 
-       - '/etc/pam.d/system-auth'
-       - '/etc/pam.d/password-auth'
-   tty_events:
+    path_events:
+        type: PATH
+        name:
+            - '/etc/pam.d/system-auth'
+            - '/etc/pam.d/password-auth'
+    tty_events:
         type:
-        - 'TTY'
-        - 'USER_TTY'
-   condition: path_events or tty_events
+            - 'TTY'
+            - 'USER_TTY'
+    condition: path_events or tty_events
 tags:
-   - attack.credential_access
-   - attack.t1003
-   - attack.t1056.001
+    - attack.credential_access
+    - attack.t1003
+    - attack.t1056.001
 falsepositives:
-   - Administrative work
+    - Administrative work
 level: high

rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml

@@ -4,7 +4,7 @@ status: test
 description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
 author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
 references:
-  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md
   - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
 date: 2019/10/24
 modified: 2021/11/27

rules/linux/auditd/lnx_auditd_load_module_insmod.yml

@@ -6,7 +6,7 @@ author: 'Pawel Mazur'
 date: 2021/11/02
 references:
     - https://attack.mitre.org/techniques/T1547/006/
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md
     - https://linux.die.net/man/8/insmod
     - https://man7.org/linux/man-pages/man8/kmod.8.html
 logsource:

rules/linux/auditd/lnx_auditd_masquerading_crond.yml

@@ -4,7 +4,7 @@ status: test
 description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
 author: Timur Zinniatullin, oscd.community
 references:
-  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process
 date: 2019/10/21
 modified: 2021/11/27
 logsource: