security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #1968 from SigmaHQ/rule-devel

Browse Source 
docs: note to improved sysmon config
This commit is contained in:
Florian Roth
2021-09-01 13:21:28 +02:00
committed by GitHub
parent af599e4877 f102b2d9a1
commit c8b3036949
3 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml
+1 -1
View File
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)'
detection:
selection_MSSE:
PipeName|contains|all:
rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
+1 -1
View File
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)'
detection:
selection:
- PipeName|re: '\\mojo\.5688\.8052\.183894939787088877[0-9a-f]{2}'
rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
+1 -1
View File
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)'
detection:
selection_malleable_profiles:
- PipeName|startswith: