security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #451 from EccoTheFlintstone/sysmon_clean

Browse Source 
sysmon rules cleanup and move to process_creation
This commit is contained in:
Florian Roth
2019-09-25 17:28:23 +02:00
committed by GitHub
parent 365a46e27e 0c96777f6a
commit e77657db2f
3 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/sysmon/sysmon_control_panel_item.yml → rules/windows/process_creation/win_control_panel_item.yml
+1 -1
View File
@@ -12,7 +12,7 @@ date: 2019/08/27
level: critical
logsource:
product: windows
service: sysmon
category: process_creation
detection:
selection:
CommandLine: '*.cpl'
rules/windows/sysmon/sysmon_powersploit_schtasks.yml → rules/windows/process_creation/win_powersploit_empire_schtasks.yml
+2 -2
View File
@@ -9,11 +9,11 @@ author: Markus Neis, @Karneades
date: 2018/03/06
logsource:
product: windows
service: sysmon
category: process_creation
detection:
selection:
ParentImage:
- '*\Powershell.exe'
- '*\powershell.exe'
CommandLine:
- '*schtasks*/Create*/SC *ONLOGON*/TN *Updater*/TR *powershell*'
- '*schtasks*/Create*/SC *DAILY*/TN *Updater*/TR *powershell*'
rules/windows/sysmon/sysmon_win10_sched_task_0day.yml → rules/windows/process_creation/win_win10_sched_task_0day.yml
View File