Sigma Rules

Sigma is a generic, vendor-neutral signature format for describing log-based detections. Rules are written in YAML and converted into the query language of a particular SIEM or log backend with tooling such as sigma-cli / pySigma, so one rule can be shared across products. A rule carries metadata (title, id, status, description, author, date, references), a logsource that names the logs it applies to, a detection block made of named selections plus a condition that combines them, and triage information (falsepositives, level, MITRE ATT&CK tags).

Example

"example.yml"

title: Example Threats
id: 0506a799-698b-43b4-85a1-ac4c84c720e9
status: experimental
description: This is an example rule.
author: John
date: 2023/01/14
modified:            # set when the rule is changed; empty means never modified
references:
    - https://example.com/example-threats
logsource:
    product: windows
    service: sysmon
detection:
    # All fields inside one selection must match (AND); a list of values
    # under a field matches when any value matches (OR). String matching
    # is case-insensitive.
    selection:
        EventID: 1                      # Sysmon process creation
        ParentImage|endswith:
            - 'chrome.exe'
        Image|endswith:
            - 'mshta.exe'
        CommandLine|contains:
            - '\mshta.exe'
            - '-f'
            - ' -e '
        # Sysmon's Hashes field holds "MD5=...,SHA256=...,...", so an exact
        # match ("Hashes:") would never hit; the contains modifier is needed.
        Hashes|contains:
            - '31B87C94B9AFB492B845CEA2360A4B35'
    selection2:
        EventID: 2                      # Sysmon file creation time changed
    # selection2 matches every Sysmon event 2; it is kept here only to show
    # how several selections are combined. A real rule would be tighter.
    condition: selection OR selection2
fields:                                 # fields to display with a match
    - Image
    - ParentImage
    - CommandLine
falsepositives:
    - Unknown
level: medium
tags: # MITRE ATT&CK mapping; lowercase, spaces written as underscores
    - attack.defense_evasion # MITRE Tactic
    - attack.t1218.005 # MITRE Technique (System Binary Proxy Execution: Mshta)
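To make the matching semantics visible, the following is an added Python evaluator (example code written for this page, not part of the Sigma project) that runs the detection block of example.yml over a few constructed Sysmon events. It implements only the subset the rule needs: selections as maps whose fields are ANDed, lists of values that are ORed, the contains / startswith / endswith modifiers, and a flat AND/OR/NOT condition over selection names. The rule is transcribed as a dict so that no YAML parser is required, and every event, path and hash in SAMPLE_EVENTS is made up for the example; in practice the rule is converted with sigma-cli or pySigma into the SIEM's own query language rather than evaluated like this.

```python
"""Minimal evaluator for the detection semantics used in example.yml
(added example, not Sigma project code)."""
import re

# detection section of example.yml, transcribed as a dict so that the
# example runs without a YAML parser.
DETECTION = {
    "selection": {
        "EventID": 1,
        "ParentImage|endswith": ["chrome.exe"],
        "Image|endswith": ["mshta.exe"],
        "CommandLine|contains": ["\\mshta.exe", "-f", " -e "],
        "Hashes|contains": ["31B87C94B9AFB492B845CEA2360A4B35"],
    },
    "selection2": {"EventID": 2},
    "condition": "selection OR selection2",
}

# Constructed Sysmon events (not real telemetry). Hashes values are
# placeholders; a real Sysmon Hashes field lists several algorithms.
SAMPLE_EVENTS = [
    {   # EID 1: chrome spawns mshta, binary hash is the one pinned in the rule
        "EventID": 1,
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" https://example.com/update.hta',
        "Hashes": "MD5=31B87C94B9AFB492B845CEA2360A4B35",
    },
    {   # same behaviour, different mshta build: the pinned hash makes the rule miss it
        "EventID": 1,
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" https://example.com/update.hta',
        "Hashes": "MD5=00000000000000000000000000000000",
    },
    {   # EID 2 (file creation time changed): matched by selection2 alone
        "EventID": 2,
        "Image": r"C:\Windows\System32\notepad.exe",
        "TargetFilename": r"C:\Users\alice\report.docx",
    },
    {   # EID 1 for an ordinary process tree: no match
        "EventID": 1,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c dir",
        "Hashes": "MD5=00000000000000000000000000000000",
    },
]


def _match_value(actual, expected, modifier):
    """Compare one event field with one rule value; Sigma string matching
    is case-insensitive, so both sides are lowercased."""
    if actual is None:                      # field absent from the event
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if modifier is None:
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")


def match_selection(selection, event):
    """Every field in the selection must match (AND); a list of values
    for one field matches when any value matches (OR)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field), v, modifier or None)
                   for v in values):
            return False
    return True


def evaluate(detection, event):
    """Evaluate the condition: selection names joined by AND/OR with an
    optional NOT, AND binding tighter than OR (no parentheses, no '1 of')."""
    results = {name: match_selection(sel, event)
               for name, sel in detection.items() if name != "condition"}

    def term(t):
        t = t.strip()
        if t.lower().startswith("not "):
            return not results[t[4:].strip()]
        return results[t]

    return any(all(term(t) for t in re.split(r"\s+and\s+", clause, flags=re.I))
               for clause in re.split(r"\s+or\s+", detection["condition"], flags=re.I))


def run(detection=DETECTION, events=SAMPLE_EVENTS):
    """Return one verdict per event."""
    return [evaluate(detection, ev) for ev in events]


if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, run()):
        print(f"EventID={ev['EventID']} Image={ev.get('Image')}: "
              f"{'MATCH' if hit else 'no match'}")
```

Running it shows the two caveats in the rule: the second event is the same chrome-to-mshta behaviour and is missed only because the rule pins one hash, and the third event matches purely because selection2 is ORed in, so in a real deployment that condition would fire on every Sysmon event 2. Swapping `Hashes|contains` for a bare `Hashes` in a selection makes the first event stop matching, which is why the exact-match form cannot be used with Sysmon's multi-hash field.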