docs: 📚 Add Sigma rules from tests

Full_tests.csv

@@ -63,7 +63,7 @@ defense-evasion;T1548.002;powershell;['windows'];Disable UAC admin consent promp
 defense-evasion;T1548.002;powershell;['windows'];UAC Bypass with WSReset Registry Modification;3b96673f-9c92-40f1-8a3e-ca060846f8d9;True;23
 defense-evasion;T1548.002;powershell;['windows'];Disable UAC - Switch to the secure desktop when prompting for elevation via registry key;85f3a526-4cfa-4fe7-98c1-dea99be025c7;False;24
 defense-evasion;T1548.002;command_prompt;['windows'];Disable UAC notification via registry keys;160a7c77-b00e-4111-9e45-7c2a44eda3fd;False;25
-defense-evasion;T1548.002;command_prompt;['windows'];Disable ConsentPromptBehaviorAdmin via registry keys;a768aaa2-2442-475c-8990-69cf33af0f4e;False;26
+defense-evasion;T1548.002;command_prompt;['windows'];Disable ConsentPromptBehaviorAdmin via registry keys;a768aaa2-2442-475c-8990-69cf33af0f4e;True;26
 defense-evasion;T1548.003;sh;['macos', 'linux'];Sudo usage;150c3a08-ee6e-48a6-aeaf-3659d24ceb4e;False;1
 defense-evasion;T1548.003;sh;['linux'];Sudo usage (freebsd);2bf9a018-4664-438a-b435-cc6f8c6f71b1;False;2
 defense-evasion;T1548.003;sh;['macos', 'linux'];Unlimited sudo cache timeout;a7b17659-dd5e-46f7-b7d1-e6792c91d0bc;False;3
@@ -244,7 +244,7 @@ defense-evasion;T1562.004;powershell;['windows'];LockBit Black - Unusual Windows
 defense-evasion;T1562.004;command_prompt;['windows'];Blackbit - Disable Windows Firewall using netsh firewall;91f348e6-3760-4997-a93b-2ceee7f254ee;True;22
 defense-evasion;T1562.004;command_prompt;['windows'];ESXi - Disable Firewall via Esxcli;bac8a340-be64-4491-a0cc-0985cb227f5a;False;23
 defense-evasion;T1562.004;powershell;['windows'];Set a firewall rule using New-NetFirewallRule;94be7646-25f6-467e-af23-585fb13000c8;False;24
-defense-evasion;T1553.003;command_prompt;['windows'];SIP (Subject Interface Package) Hijacking via Custom DLL;e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675;False;1
+defense-evasion;T1553.003;command_prompt;['windows'];SIP (Subject Interface Package) Hijacking via Custom DLL;e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675;True;1
 defense-evasion;T1562.012;sh;['linux'];Delete all auditd rules using auditctl;33a29ab1-cabb-407f-9448-269041bf2856;False;1
 defense-evasion;T1562.012;sh;['linux'];Disable auditd using auditctl;7906f0a6-b527-46ee-9026-6e81a9184e08;False;2
 defense-evasion;T1207;powershell;['windows'];DCShadow (Active Directory);0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6;True;1
@@ -375,7 +375,7 @@ defense-evasion;T1612;sh;['containers'];Build Image On Host;2db30061-589d-409b-b
 defense-evasion;T1055.002;powershell;['windows'];Portable Executable Injection;578025d5-faa9-4f6d-8390-aae739d503e1;False;1
 defense-evasion;T1562.010;powershell;['linux'];ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI;062f92c9-28b1-4391-a5f8-9d8ca6852091;False;1
 defense-evasion;T1562.010;command_prompt;['linux'];ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI;14d55b96-b2f5-428d-8fed-49dc4d9dd616;False;2
-defense-evasion;T1562.010;powershell;['windows'];PowerShell Version 2 Downgrade;47c96489-2f55-4774-a6df-39faff428f6f;False;3
+defense-evasion;T1562.010;powershell;['windows'];PowerShell Version 2 Downgrade;47c96489-2f55-4774-a6df-39faff428f6f;True;3
 defense-evasion;T1218.005;command_prompt;['windows'];Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject;1483fab9-4f52-4217-a9ce-daa9d7747cae;True;1
 defense-evasion;T1218.005;command_prompt;['windows'];Mshta executes VBScript to execute malicious command;906865c3-e05f-4acc-85c4-fbc185455095;True;2
 defense-evasion;T1218.005;powershell;['windows'];Mshta Executes Remote HTML Application (HTA);c4b97eeb-5249-4455-a607-59f95485cb45;True;3
@@ -467,12 +467,12 @@ defense-evasion;T1562.001;sh;['linux'];Suspend History;94f6a1c9-aae7-46a4-9083-2
 defense-evasion;T1562.001;sh;['linux'];Reboot Linux Host via Kernel System Request;6d6d3154-1a52-4d1a-9d51-92ab8148b32e;False;41
 defense-evasion;T1562.001;sh;['linux'];Clear Pagging Cache;f790927b-ea85-4a16-b7b2-7eb44176a510;False;42
 defense-evasion;T1562.001;sh;['linux'];Disable Memory Swap;e74e4c63-6fde-4ad2-9ee8-21c3a1733114;False;43
-defense-evasion;T1562.001;powershell;['windows'];Disable Hypervisor-Enforced Code Integrity (HVCI);70bd71e6-eba4-4e00-92f7-617911dbe020;False;44
+defense-evasion;T1562.001;powershell;['windows'];Disable Hypervisor-Enforced Code Integrity (HVCI);70bd71e6-eba4-4e00-92f7-617911dbe020;True;44
 defense-evasion;T1562.001;command_prompt;['windows'];AMSI Bypass - Override AMSI via COM;17538258-5699-4ff1-92d1-5ac9b0dc21f5;True;45
 defense-evasion;T1562.001;bash;['iaas:aws'];AWS - GuardDuty Suspension or Deletion;11e65d8d-e7e4-470e-a3ff-82bc56ad938e;False;46
 defense-evasion;T1562.001;sh;['linux', 'macos'];Tamper with Defender ATP on Linux/MacOS;40074085-dbc8-492b-90a3-11bcfc52fda8;False;47
-defense-evasion;T1562.001;command_prompt;['windows'];Tamper with Windows Defender Registry - Reg.exe;1f6743da-6ecc-4a93-b03f-dc357e4b313f;False;48
-defense-evasion;T1562.001;powershell;['windows'];Tamper with Windows Defender Registry - Powershell;a72cfef8-d252-48b3-b292-635d332625c3;False;49
+defense-evasion;T1562.001;command_prompt;['windows'];Tamper with Windows Defender Registry - Reg.exe;1f6743da-6ecc-4a93-b03f-dc357e4b313f;True;48
+defense-evasion;T1562.001;powershell;['windows'];Tamper with Windows Defender Registry - Powershell;a72cfef8-d252-48b3-b292-635d332625c3;True;49
 defense-evasion;T1562.001;powershell;['linux'];ESXi - Disable Account Lockout Policy via PowerCLI;091a6290-cd29-41cb-81ea-b12f133c66cb;False;50
 defense-evasion;T1562.001;powershell;['windows'];Delete Microsoft Defender ASR Rules - InTune;eea0a6c2-84e9-4e8c-a242-ac585d28d0d1;False;51
 defense-evasion;T1562.001;powershell;['windows'];Delete Microsoft Defender ASR Rules - GPO;0e7b8a4b-2ca5-4743-a9f9-96051abb6e50;False;52
@@ -649,7 +649,7 @@ privilege-escalation;T1548.002;powershell;['windows'];Disable UAC admin consent
 privilege-escalation;T1548.002;powershell;['windows'];UAC Bypass with WSReset Registry Modification;3b96673f-9c92-40f1-8a3e-ca060846f8d9;True;23
 privilege-escalation;T1548.002;powershell;['windows'];Disable UAC - Switch to the secure desktop when prompting for elevation via registry key;85f3a526-4cfa-4fe7-98c1-dea99be025c7;False;24
 privilege-escalation;T1548.002;command_prompt;['windows'];Disable UAC notification via registry keys;160a7c77-b00e-4111-9e45-7c2a44eda3fd;False;25
-privilege-escalation;T1548.002;command_prompt;['windows'];Disable ConsentPromptBehaviorAdmin via registry keys;a768aaa2-2442-475c-8990-69cf33af0f4e;False;26
+privilege-escalation;T1548.002;command_prompt;['windows'];Disable ConsentPromptBehaviorAdmin via registry keys;a768aaa2-2442-475c-8990-69cf33af0f4e;True;26
 privilege-escalation;T1548.003;sh;['macos', 'linux'];Sudo usage;150c3a08-ee6e-48a6-aeaf-3659d24ceb4e;False;1
 privilege-escalation;T1548.003;sh;['linux'];Sudo usage (freebsd);2bf9a018-4664-438a-b435-cc6f8c6f71b1;False;2
 privilege-escalation;T1548.003;sh;['macos', 'linux'];Unlimited sudo cache timeout;a7b17659-dd5e-46f7-b7d1-e6792c91d0bc;False;3

sigma_rule.csv

@@ -2067,7 +2067,7 @@ proc_creation_win_powershell_defender_exclusion.yml;True
 proc_creation_win_powershell_disable_defender_av_security_monitoring.yml;True
 proc_creation_win_powershell_disable_firewall.yml;False
 proc_creation_win_powershell_disable_ie_features.yml;False
-proc_creation_win_powershell_downgrade_attack.yml;False
+proc_creation_win_powershell_downgrade_attack.yml;True
 proc_creation_win_powershell_download_com_cradles.yml;False
 proc_creation_win_powershell_download_cradles.yml;True
 proc_creation_win_powershell_download_dll.yml;False
@@ -2204,9 +2204,9 @@ proc_creation_win_regsvr32_network_pattern.yml;False
 proc_creation_win_regsvr32_remote_share.yml;False
 proc_creation_win_regsvr32_susp_child_process.yml;False
 proc_creation_win_regsvr32_susp_exec_path_1.yml;False
-proc_creation_win_regsvr32_susp_exec_path_2.yml;False
+proc_creation_win_regsvr32_susp_exec_path_2.yml;True
 proc_creation_win_regsvr32_susp_extensions.yml;True
-proc_creation_win_regsvr32_susp_parent.yml;False
+proc_creation_win_regsvr32_susp_parent.yml;True
 proc_creation_win_regsvr32_uncommon_extension.yml;True
 proc_creation_win_reg_add_run_key.yml;True
 proc_creation_win_reg_add_safeboot.yml;False
@@ -2729,7 +2729,7 @@ registry_set_custom_file_open_handler_powershell_execution.yml;False
 registry_set_dbgmanageddebugger_persistence.yml;False
 registry_set_defender_exclusions.yml;True
 registry_set_desktop_background_change.yml;False
-registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml;False
+registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml;True
 registry_set_dhcp_calloutdll.yml;False
 registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml;False
 registry_set_disabled_microsoft_defender_eventlog.yml;False
@@ -2835,7 +2835,7 @@ registry_set_sentinelone_shell_context_tampering.yml;False
 registry_set_servicedll_hijack.yml;True
 registry_set_services_etw_tamper.yml;False
 registry_set_set_nopolicies_user.yml;True
-registry_set_sip_persistence.yml;False
+registry_set_sip_persistence.yml;True
 registry_set_sophos_av_tamper.yml;False
 registry_set_special_accounts.yml;True
 registry_set_suppress_defender_notifications.yml;True

yml/1f6743da-6ecc-4a93-b03f-dc357e4b313f.yml

@@ -25,5 +25,9 @@ description: 'Disable Windows Defender by tampering with windows defender regist
 
   '
 executor: command_prompt
-sigma: false
-sigma_rule: []
+sigma: true
+sigma_rule:
+  - id: 0eb46774-f1ab-4a74-8238-1155855f2263
+    name: registry_set_windows_defender_tamper.yml
+  - id: b7e2a8d4-74bb-4b78-adc9-3f92af2d4829
+    name: proc_creation_win_reg_susp_paths.yml

yml/47c96489-2f55-4774-a6df-39faff428f6f.yml

@@ -17,5 +17,7 @@ os:
 description: Executes outdated PowerShell Version 2 which does not support security features like AMSI. By default the atomic will attempt to execute the cmdlet Invoke-Mimikatz whether it exists or not,
   as this cmdlet will be blocked by AMSI when active.
 executor: powershell
-sigma: false
-sigma_rule: []
+sigma: true
+sigma_rule:
+  - id: b3512211-c67e-4707-bedc-66efc7848863
+    name: proc_creation_win_powershell_downgrade_attack.yml

yml/70bd71e6-eba4-4e00-92f7-617911dbe020.yml

@@ -25,5 +25,7 @@ description: "This test disables Hypervisor-Enforced Code Integrity (HVCI) by se
   \"Enabled\" value to \"0\".\nThe pre-req needs to be ran in order to setup HVCI and have it enabled. \nWe do not recommend running this in production.\n[Black Lotus Campaign](https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/)\n\
   [Microsoft](https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)\n"
 executor: powershell
-sigma: false
-sigma_rule: []
+sigma: true
+sigma_rule:
+  - id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
+    name: registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml

yml/a72cfef8-d252-48b3-b292-635d332625c3.yml

@@ -25,5 +25,7 @@ description: 'Disable Windows Defender by tampering with windows defender regist
 
   '
 executor: powershell
-sigma: false
-sigma_rule: []
+sigma: true
+sigma_rule:
+  - id: 0eb46774-f1ab-4a74-8238-1155855f2263
+    name: registry_set_windows_defender_tamper.yml

yml/a768aaa2-2442-475c-8990-69cf33af0f4e.yml

@@ -23,5 +23,7 @@ description: 'This atomic regarding setting ConsentPromptBehaviorAdmin to 0 conf
 
   '
 executor: command_prompt
-sigma: false
-sigma_rule: []
+sigma: true
+sigma_rule:
+  - id: e2482f8d-3443-4237-b906-cc145d87a076
+    name: registry_set_disable_function_user.yml

yml/e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675.yml

@@ -23,5 +23,11 @@ os:
 description: "Registers a DLL that logs signature checks, mimicking SIP hijacking. This test uses a DLL from \nhttps://github.com/gtworek/PSBits/tree/master/SIP and registers it using regsvr32, thereby
   causing\nthe system to utilize it during signature checks, and logging said checks.\n"
 executor: command_prompt
-sigma: false
-sigma_rule: []
+sigma: true
+sigma_rule:
+  - id: ab37a6ec-6068-432b-a64e-2c7bf95b1d22
+    name: proc_creation_win_regsvr32_susp_parent.yml
+  - id: 327ff235-94eb-4f06-b9de-aaee571324be
+    name: proc_creation_win_regsvr32_susp_exec_path_2.yml
+  - id: 5a2b21ee-6aaa-4234-ac9d-59a59edf90a1
+    name: registry_set_sip_persistence.yml