wagga40
diff --git a/‎rules_windows_generic.json
-19 b/‎rules_windows_generic.json
-19
diff --git a/‎rules_windows_generic_full.json
+59-19 b/‎rules_windows_generic_full.json
+59-19
diff --git a/‎rules_windows_generic_high.json
-19 b/‎rules_windows_generic_high.json
-19
diff --git a/‎rules_windows_generic_medium.json
+39-19 b/‎rules_windows_generic_medium.json
+39-19
diff --git a/‎rules_windows_generic_pysigma.json
+59-19 b/‎rules_windows_generic_pysigma.json
+59-19
diff --git a/‎rules_windows_sysmon.json
-19 b/‎rules_windows_sysmon.json
-19
@@ -26116,25 +26116,6 @@
         ],
         "filename": "image_load_side_load_abused_dlls_susp_paths.yml"
     },
-    {
-        "title": "Possible Process Hollowing Image Loading",
-        "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7",
-        "status": "test",
-        "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz",
-        "author": "Markus Neis",
-        "tags": [
-            "attack.defense_evasion",
-            "attack.t1574.002"
-        ],
-        "falsepositives": [
-            "Very likely, needs more tuning"
-        ],
-        "level": "high",
-        "rule": [
-            "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinSCard.dll' ESCAPE '\\'))"
-        ],
-        "filename": "image_load_susp_uncommon_image_load.yml"
-    },
     {
         "title": "UAC Bypass With Fake DLL",
         "id": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03",
 
@@ -37500,6 +37500,25 @@
         ],
         "filename": "proc_creation_win_sysinternals_procdump_evasion.yml"
     },
+    {
+        "title": "CodePage Modification Via MODE.COM To Russian Language",
+        "id": "12fbff88-16b5-4b42-9754-cd001a789fb3",
+        "status": "experimental",
+        "description": "Detects a CodePage modification using the \"mode.com\" utility to Russian language.\nThis behavior has been used by threat actors behind Dharma ransomware.\n",
+        "author": "Joseliyo Sanchez, @Joseliyo_Jstnk",
+        "tags": [
+            "attack.defense_evasion",
+            "attack.t1036"
+        ],
+        "falsepositives": [
+            "Russian speaking people changing the CodePage"
+        ],
+        "level": "medium",
+        "rule": [
+            "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mode.com' ESCAPE '\\' OR OriginalFileName = 'MODE.COM') AND (CommandLine LIKE '% con %' ESCAPE '\\' AND CommandLine LIKE '% cp %' ESCAPE '\\' AND CommandLine LIKE '% select=%' ESCAPE '\\' AND (CommandLine LIKE '%=1251' ESCAPE '\\' OR CommandLine LIKE '%=866' ESCAPE '\\')))"
+        ],
+        "filename": "proc_creation_win_mode_codepage_russian.yml"
+    },
     {
         "title": "Non Interactive PowerShell Process Spawned",
         "id": "f4bbd493-b796-416e-bbf2-121235348529",
@@ -46130,25 +46149,6 @@
         ],
         "filename": "image_load_side_load_abused_dlls_susp_paths.yml"
     },
-    {
-        "title": "Possible Process Hollowing Image Loading",
-        "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7",
-        "status": "test",
-        "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz",
-        "author": "Markus Neis",
-        "tags": [
-            "attack.defense_evasion",
-            "attack.t1574.002"
-        ],
-        "falsepositives": [
-            "Very likely, needs more tuning"
-        ],
-        "level": "high",
-        "rule": [
-            "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinSCard.dll' ESCAPE '\\'))"
-        ],
-        "filename": "image_load_susp_uncommon_image_load.yml"
-    },
     {
         "title": "UAC Bypass With Fake DLL",
         "id": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03",
@@ -46853,6 +46853,26 @@
         ],
         "filename": "image_load_side_load_cpl_from_non_system_location.yml"
     },
+    {
+        "title": "Unsigned DLL Loaded by RunDLL32/RegSvr32",
+        "id": "b5de0c9a-6f19-43e0-af4e-55ad01f550af",
+        "status": "experimental",
+        "description": "Detects RunDLL32/RegSvr32 loading an unsigned or untrusted DLL.\nAdversaries often abuse those programs to proxy execution of malicious code.\n",
+        "author": "Swachchhanda Shrawan Poudel",
+        "tags": [
+            "attack.t1218.011",
+            "attack.t1218.010",
+            "attack.defense_evasion"
+        ],
+        "falsepositives": [
+            "Unknown"
+        ],
+        "level": "medium",
+        "rule": [
+            "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\') AND NOT ((Signed = 'true' OR (SignatureStatus LIKE 'errorChaining' ESCAPE '\\' OR SignatureStatus LIKE 'errorCode\\_endpoint' ESCAPE '\\' OR SignatureStatus LIKE 'errorExpired' ESCAPE '\\' OR SignatureStatus LIKE 'trusted' ESCAPE '\\'))))"
+        ],
+        "filename": "image_load_susp_unsigned_dll.yml"
+    },
     {
         "title": "VMMap Signed Dbghelp.DLL Potential Sideloading",
         "id": "98ffaed4-aec2-4e04-9b07-31492fe68b3d",
@@ -49293,6 +49313,26 @@
         ],
         "filename": "proc_creation_win_taskkill_execution.yml"
     },
+    {
+        "title": "CodePage Modification Via MODE.COM",
+        "id": "d48c5ffa-3b02-4c0f-9a9e-3c275650dd0e",
+        "status": "experimental",
+        "description": "Detects a CodePage modification using the \"mode.com\" utility.\nThis behavior has been used by threat actors behind Dharma ransomware.\n",
+        "author": "Nasreddine Bencherchali (Nextron Systems), Joseliyo Sanchez, @Joseliyo_Jstnk",
+        "tags": [
+            "attack.defense_evasion",
+            "attack.t1036",
+            "detection.threat_hunting"
+        ],
+        "falsepositives": [
+            "Unknown"
+        ],
+        "level": "low",
+        "rule": [
+            "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mode.com' ESCAPE '\\' OR OriginalFileName = 'MODE.COM') AND (CommandLine LIKE '% con %' ESCAPE '\\' AND CommandLine LIKE '% cp %' ESCAPE '\\' AND CommandLine LIKE '% select=%' ESCAPE '\\'))"
+        ],
+        "filename": "proc_creation_win_mode_codepage_change.yml"
+    },
     {
         "title": "PsExec Default Named Pipe",
         "id": "f3f3a972-f982-40ad-b63c-bca6afdfad7c",
 
@@ -26116,25 +26116,6 @@
         ],
         "filename": "image_load_side_load_abused_dlls_susp_paths.yml"
     },
-    {
-        "title": "Possible Process Hollowing Image Loading",
-        "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7",
-        "status": "test",
-        "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz",
-        "author": "Markus Neis",
-        "tags": [
-            "attack.defense_evasion",
-            "attack.t1574.002"
-        ],
-        "falsepositives": [
-            "Very likely, needs more tuning"
-        ],
-        "level": "high",
-        "rule": [
-            "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinSCard.dll' ESCAPE '\\'))"
-        ],
-        "filename": "image_load_susp_uncommon_image_load.yml"
-    },
     {
         "title": "UAC Bypass With Fake DLL",
         "id": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03",
 
@@ -35132,6 +35132,25 @@
         ],
         "filename": "proc_creation_win_sysinternals_procdump_evasion.yml"
     },
+    {
+        "title": "CodePage Modification Via MODE.COM To Russian Language",
+        "id": "12fbff88-16b5-4b42-9754-cd001a789fb3",
+        "status": "experimental",
+        "description": "Detects a CodePage modification using the \"mode.com\" utility to Russian language.\nThis behavior has been used by threat actors behind Dharma ransomware.\n",
+        "author": "Joseliyo Sanchez, @Joseliyo_Jstnk",
+        "tags": [
+            "attack.defense_evasion",
+            "attack.t1036"
+        ],
+        "falsepositives": [
+            "Russian speaking people changing the CodePage"
+        ],
+        "level": "medium",
+        "rule": [
+            "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\mode.com' ESCAPE '\\' OR OriginalFileName = 'MODE.COM') AND (CommandLine LIKE '% con %' ESCAPE '\\' AND CommandLine LIKE '% cp %' ESCAPE '\\' AND CommandLine LIKE '% select=%' ESCAPE '\\' AND (CommandLine LIKE '%=1251' ESCAPE '\\' OR CommandLine LIKE '%=866' ESCAPE '\\')))"
+        ],
+        "filename": "proc_creation_win_mode_codepage_russian.yml"
+    },
     {
         "title": "MpiExec Lolbin",
         "id": "729ce0ea-5d8f-4769-9762-e35de441586d",
@@ -43329,25 +43348,6 @@
         ],
         "filename": "image_load_side_load_abused_dlls_susp_paths.yml"
     },
-    {
-        "title": "Possible Process Hollowing Image Loading",
-        "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7",
-        "status": "test",
-        "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz",
-        "author": "Markus Neis",
-        "tags": [
-            "attack.defense_evasion",
-            "attack.t1574.002"
-        ],
-        "falsepositives": [
-            "Very likely, needs more tuning"
-        ],
-        "level": "high",
-        "rule": [
-            "SELECT * FROM logs WHERE (NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinSCard.dll' ESCAPE '\\'))"
-        ],
-        "filename": "image_load_susp_uncommon_image_load.yml"
-    },
     {
         "title": "UAC Bypass With Fake DLL",
         "id": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03",
@@ -44032,6 +44032,26 @@
         ],
         "filename": "image_load_side_load_cpl_from_non_system_location.yml"
     },
+    {
+        "title": "Unsigned DLL Loaded by RunDLL32/RegSvr32",
+        "id": "b5de0c9a-6f19-43e0-af4e-55ad01f550af",
+        "status": "experimental",
+        "description": "Detects RunDLL32/RegSvr32 loading an unsigned or untrusted DLL.\nAdversaries often abuse those programs to proxy execution of malicious code.\n",
+        "author": "Swachchhanda Shrawan Poudel",
+        "tags": [
+            "attack.t1218.011",
+            "attack.t1218.010",
+            "attack.defense_evasion"
+        ],
+        "falsepositives": [
+            "Unknown"
+        ],
+        "level": "medium",
+        "rule": [
+            "SELECT * FROM logs WHERE ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\') AND NOT ((Signed = 'true' OR (SignatureStatus LIKE 'errorChaining' ESCAPE '\\' OR SignatureStatus LIKE 'errorCode\\_endpoint' ESCAPE '\\' OR SignatureStatus LIKE 'errorExpired' ESCAPE '\\' OR SignatureStatus LIKE 'trusted' ESCAPE '\\'))))"
+        ],
+        "filename": "image_load_susp_unsigned_dll.yml"
+    },
     {
         "title": "VMMap Signed Dbghelp.DLL Potential Sideloading",
         "id": "98ffaed4-aec2-4e04-9b07-31492fe68b3d",
 
@@ -25975,25 +25975,6 @@
         ],
         "filename": ""
     },
-    {
-        "title": "Possible Process Hollowing Image Loading",
-        "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7",
-        "status": "test",
-        "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz",
-        "author": "Markus Neis",
-        "tags": [
-            "attack.defense_evasion",
-            "attack.t1574.002"
-        ],
-        "falsepositives": [
-            "Very likely, needs more tuning"
-        ],
-        "level": "high",
-        "rule": [
-            "SELECT * FROM logs WHERE Image LIKE '%\\\\notepad.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinSCard.dll' ESCAPE '\\')"
-        ],
-        "filename": ""
-    },
     {
         "title": "UAC Bypass With Fake DLL",
         "id": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03",
@@ -30994,6 +30975,26 @@
         ],
         "filename": ""
     },
+    {
+        "title": "CodePage Modification Via MODE.COM",
+        "id": "d48c5ffa-3b02-4c0f-9a9e-3c275650dd0e",
+        "status": "experimental",
+        "description": "Detects a CodePage modification using the \"mode.com\" utility.\nThis behavior has been used by threat actors behind Dharma ransomware.\n",
+        "author": "Nasreddine Bencherchali (Nextron Systems), Joseliyo Sanchez, @Joseliyo_Jstnk",
+        "tags": [
+            "attack.defense_evasion",
+            "attack.t1036",
+            "detection.threat_hunting"
+        ],
+        "falsepositives": [
+            "Unknown"
+        ],
+        "level": "low",
+        "rule": [
+            "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\mode.com' ESCAPE '\\' OR OriginalFileName='MODE.COM') AND (CommandLine LIKE '% con %' ESCAPE '\\' AND CommandLine LIKE '% cp %' ESCAPE '\\' AND CommandLine LIKE '% select=%' ESCAPE '\\')))"
+        ],
+        "filename": ""
+    },
     {
         "title": "PsExec Default Named Pipe",
         "id": "f3f3a972-f982-40ad-b63c-bca6afdfad7c",
@@ -44444,6 +44445,25 @@
         ],
         "filename": ""
     },
+    {
+        "title": "CodePage Modification Via MODE.COM To Russian Language",
+        "id": "12fbff88-16b5-4b42-9754-cd001a789fb3",
+        "status": "experimental",
+        "description": "Detects a CodePage modification using the \"mode.com\" utility to Russian language.\nThis behavior has been used by threat actors behind Dharma ransomware.\n",
+        "author": "Joseliyo Sanchez, @Joseliyo_Jstnk",
+        "tags": [
+            "attack.defense_evasion",
+            "attack.t1036"
+        ],
+        "falsepositives": [
+            "Russian speaking people changing the CodePage"
+        ],
+        "level": "medium",
+        "rule": [
+            "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\mode.com' ESCAPE '\\' OR OriginalFileName='MODE.COM') AND ((CommandLine LIKE '% con %' ESCAPE '\\' AND CommandLine LIKE '% cp %' ESCAPE '\\' AND CommandLine LIKE '% select=%' ESCAPE '\\') AND (CommandLine LIKE '%=1251' ESCAPE '\\' OR CommandLine LIKE '%=866' ESCAPE '\\'))))"
+        ],
+        "filename": ""
+    },
     {
         "title": "Pubprn.vbs Proxy Execution",
         "id": "1fb76ab8-fa60-4b01-bddd-71e89bf555da",
@@ -48634,6 +48654,26 @@
         ],
         "filename": ""
     },
+    {
+        "title": "Unsigned DLL Loaded by RunDLL32/RegSvr32",
+        "id": "b5de0c9a-6f19-43e0-af4e-55ad01f550af",
+        "status": "experimental",
+        "description": "Detects RunDLL32/RegSvr32 loading an unsigned or untrusted DLL.\nAdversaries often abuse those programs to proxy execution of malicious code.\n",
+        "author": "Swachchhanda Shrawan Poudel",
+        "tags": [
+            "attack.t1218.011",
+            "attack.t1218.010",
+            "attack.defense_evasion"
+        ],
+        "falsepositives": [
+            "Unknown"
+        ],
+        "level": "medium",
+        "rule": [
+            "SELECT * FROM logs WHERE (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Image LIKE '%\\\\rundll32.exe' ESCAPE '\\') AND (NOT (Signed='true' OR (SignatureStatus='errorChaining' OR SignatureStatus LIKE 'errorCode\\_endpoint' ESCAPE '\\' OR SignatureStatus='errorExpired' OR SignatureStatus='trusted')))"
+        ],
+        "filename": ""
+    },
     {
         "title": "VMMap Signed Dbghelp.DLL Potential Sideloading",
         "id": "98ffaed4-aec2-4e04-9b07-31492fe68b3d",
 
@@ -26116,25 +26116,6 @@
         ],
         "filename": "image_load_side_load_abused_dlls_susp_paths.yml"
     },
-    {
-        "title": "Possible Process Hollowing Image Loading",
-        "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7",
-        "status": "test",
-        "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz",
-        "author": "Markus Neis",
-        "tags": [
-            "attack.defense_evasion",
-            "attack.t1574.002"
-        ],
-        "falsepositives": [
-            "Very likely, needs more tuning"
-        ],
-        "level": "high",
-        "rule": [
-            "SELECT * FROM logs WHERE (EventID = '7' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\notepad.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinSCard.dll' ESCAPE '\\'))"
-        ],
-        "filename": "image_load_susp_uncommon_image_load.yml"
-    },
     {
         "title": "UAC Bypass With Fake DLL",
         "id": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03",