wagga40
diff --git a/‎rules_linux.json
+18 b/‎rules_linux.json
+18
diff --git a/‎rules_windows_generic.json
+3-22 b/‎rules_windows_generic.json
+3-22
diff --git a/‎rules_windows_generic_full.json
+53-111 b/‎rules_windows_generic_full.json
+53-111
diff --git a/‎rules_windows_generic_high.json
+3-22 b/‎rules_windows_generic_high.json
+3-22
@@ -1085,6 +1085,24 @@
         ],
         "filename": "proc_creation_lnx_setgid_setuid.yml"
     },
+    {
+        "title": "Remote Access Tool - Team Viewer Session Started On Linux Host",
+        "id": "1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d",
+        "description": "Detects the command line executed when TeamViewer starts a session started by a remote host.\nOnce a connection has been started, an investigator can verify the connection details by viewing the \"incoming_connections.txt\" log file in the TeamViewer folder.\n",
+        "author": "Josh Nickels, Qi Nan",
+        "tags": [
+            "attack.initial_access",
+            "attack.t1133"
+        ],
+        "falsepositives": [
+            "Legitimate usage of TeamViewer"
+        ],
+        "level": "low",
+        "rule": [
+            "SELECT * FROM logs WHERE (ParentImage LIKE '%/TeamViewer\\_Service' ESCAPE '\\' AND Image LIKE '%/TeamViewer\\_Desktop' ESCAPE '\\' AND CommandLine LIKE '%/TeamViewer\\_Desktop --IPCport 5939 --Module 1' ESCAPE '\\')"
+        ],
+        "filename": "proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml"
+    },
     {
         "title": "Cat Sudoers",
         "id": "0f79c4d2-4e1f-4683-9c36-b5469a665e06",
 
@@ -5833,7 +5833,7 @@
         ],
         "level": "high",
         "rule": [
-            "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\') OR OriginalFileName = 'livekd.exe') AND (CommandLine LIKE '% /m%' ESCAPE '\\' AND CommandLine LIKE '% -m%' ESCAPE '\\'))"
+            "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\') OR OriginalFileName = 'livekd.exe') AND (CommandLine LIKE '% -m%' ESCAPE '\\' OR CommandLine LIKE '% /m%' ESCAPE '\\'))"
         ],
         "filename": "proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml"
     },
@@ -6227,25 +6227,6 @@
         ],
         "filename": "proc_creation_win_hktl_impacket_lateral_movement.yml"
     },
-    {
-        "title": "Imports Registry Key From an ADS",
-        "id": "0b80ade5-6997-4b1d-99a1-71701778ea61",
-        "status": "test",
-        "description": "Detects the import of a alternate datastream to the registry with regedit.exe.",
-        "author": "Oddvar Moe, Sander Wiebing, oscd.community",
-        "tags": [
-            "attack.t1112",
-            "attack.defense_evasion"
-        ],
-        "falsepositives": [
-            "Unknown"
-        ],
-        "level": "high",
-        "rule": [
-            "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND ((CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\') AND CommandLine REGEXP ':[^ \\\\]')) AND NOT ((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')))"
-        ],
-        "filename": "proc_creation_win_regedit_import_keys_ads.yml"
-    },
     {
         "title": "HackTool - Certipy Execution",
         "id": "6938366d-8954-4ddc-baff-c830b3ba8fcd",
@@ -6898,7 +6879,7 @@
         ],
         "level": "high",
         "rule": [
-            "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine LIKE '% -E %' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))"
+            "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% -E %' ESCAPE '\\' OR CommandLine LIKE '% /E %' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))"
         ],
         "filename": "proc_creation_win_regedit_export_critical_keys.yml"
     },
@@ -7975,7 +7956,7 @@
         ],
         "level": "high",
         "rule": [
-            "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '%IT\\_BrowseForFile=%' ESCAPE '\\' OR (CommandLine LIKE '% PCWDiagnostic%' ESCAPE '\\' AND (CommandLine LIKE '% /af %' ESCAPE '\\' OR CommandLine LIKE '% -af %' ESCAPE '\\'))))"
+            "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '%IT\\_BrowseForFile=%' ESCAPE '\\' OR (CommandLine LIKE '% PCWDiagnostic%' ESCAPE '\\' AND (CommandLine LIKE '% -af %' ESCAPE '\\' OR CommandLine LIKE '% /af %' ESCAPE '\\'))))"
         ],
         "filename": "proc_creation_win_msdt_arbitrary_command_execution.yml"
     },
 
@@ -5833,7 +5833,7 @@
         ],
         "level": "high",
         "rule": [
-            "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\') OR OriginalFileName = 'livekd.exe') AND (CommandLine LIKE '% /m%' ESCAPE '\\' AND CommandLine LIKE '% -m%' ESCAPE '\\'))"
+            "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\') OR OriginalFileName = 'livekd.exe') AND (CommandLine LIKE '% -m%' ESCAPE '\\' OR CommandLine LIKE '% /m%' ESCAPE '\\'))"
         ],
         "filename": "proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml"
     },
@@ -6227,25 +6227,6 @@
         ],
         "filename": "proc_creation_win_hktl_impacket_lateral_movement.yml"
     },
-    {
-        "title": "Imports Registry Key From an ADS",
-        "id": "0b80ade5-6997-4b1d-99a1-71701778ea61",
-        "status": "test",
-        "description": "Detects the import of a alternate datastream to the registry with regedit.exe.",
-        "author": "Oddvar Moe, Sander Wiebing, oscd.community",
-        "tags": [
-            "attack.t1112",
-            "attack.defense_evasion"
-        ],
-        "falsepositives": [
-            "Unknown"
-        ],
-        "level": "high",
-        "rule": [
-            "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND ((CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\') AND CommandLine REGEXP ':[^ \\\\]')) AND NOT ((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')))"
-        ],
-        "filename": "proc_creation_win_regedit_import_keys_ads.yml"
-    },
     {
         "title": "HackTool - Certipy Execution",
         "id": "6938366d-8954-4ddc-baff-c830b3ba8fcd",
@@ -6898,7 +6879,7 @@
         ],
         "level": "high",
         "rule": [
-            "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine LIKE '% -E %' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))"
+            "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% -E %' ESCAPE '\\' OR CommandLine LIKE '% /E %' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))"
         ],
         "filename": "proc_creation_win_regedit_export_critical_keys.yml"
     },
@@ -7975,7 +7956,7 @@
         ],
         "level": "high",
         "rule": [
-            "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '%IT\\_BrowseForFile=%' ESCAPE '\\' OR (CommandLine LIKE '% PCWDiagnostic%' ESCAPE '\\' AND (CommandLine LIKE '% /af %' ESCAPE '\\' OR CommandLine LIKE '% -af %' ESCAPE '\\'))))"
+            "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '%IT\\_BrowseForFile=%' ESCAPE '\\' OR (CommandLine LIKE '% PCWDiagnostic%' ESCAPE '\\' AND (CommandLine LIKE '% -af %' ESCAPE '\\' OR CommandLine LIKE '% /af %' ESCAPE '\\'))))"
         ],
         "filename": "proc_creation_win_msdt_arbitrary_command_execution.yml"
     },