From 0c96777f6a37024263bfbb65c4cd819e17a9fc12 Mon Sep 17 00:00:00 2001
From: ecco
Date: Wed, 11 Sep 2019 10:24:43 -0400
Subject: [PATCH] sysmon rules cleanup and move to process_creation

---
 .../win_control_panel_item.yml} | 2 +-
 .../win_powersploit_empire_schtasks.yml} | 4 ++--
 .../win_win10_sched_task_0day.yml} | 0
 3 files changed, 3 insertions(+), 3 deletions(-)
 rename rules/windows/{sysmon/sysmon_control_panel_item.yml => process_creation/win_control_panel_item.yml} (94%)
 rename rules/windows/{sysmon/sysmon_powersploit_schtasks.yml => process_creation/win_powersploit_empire_schtasks.yml} (95%)
 rename rules/windows/{sysmon/sysmon_win10_sched_task_0day.yml => process_creation/win_win10_sched_task_0day.yml} (100%)

diff --git a/rules/windows/sysmon/sysmon_control_panel_item.yml b/rules/windows/process_creation/win_control_panel_item.yml
similarity index 94%
rename from rules/windows/sysmon/sysmon_control_panel_item.yml
rename to rules/windows/process_creation/win_control_panel_item.yml
index 0f34beb93..254a4ae13 100644
--- a/rules/windows/sysmon/sysmon_control_panel_item.yml
+++ b/rules/windows/process_creation/win_control_panel_item.yml
@@ -12,7 +12,7 @@ date: 2019/08/27
 level: critical
 logsource:
     product: windows
-    service: sysmon
+    category: process_creation
 detection:
     selection:
         CommandLine: '*.cpl'
diff --git a/rules/windows/sysmon/sysmon_powersploit_schtasks.yml b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
similarity index 95%
rename from rules/windows/sysmon/sysmon_powersploit_schtasks.yml
rename to rules/windows/process_creation/win_powersploit_empire_schtasks.yml
index bf8d355f0..cf9a1d685 100644
--- a/rules/windows/sysmon/sysmon_powersploit_schtasks.yml
+++ b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
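Review bot: The bare `CommandLine: '*.cpl'` selection that this hunk now applies to every process_creation source only matches command lines that end in `.cpl`; a quoted path (`control.exe "C:\Users\x\evil.cpl"`) or any trailing argument ends in something else and is missed, so a companion pattern such as `- '*.cpl"'` (or the broader `'*.cpl*'`, at the cost of more noise) is worth considering. Switching from `service: sysmon` to `category: process_creation` also lets backends map the rule onto Security 4688, where CommandLine is populated only if command-line auditing is enabled — a deployment caveat rather than a defect, but combined with `level: critical` and no visible narrowing of the match, the rule will be noisy wherever legitimate `control.exe`/`rundll32.exe` launches of .cpl applets are routine. The rule's `condition` lies outside the hunk, so I cannot tell whether a filter already addresses this.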
@@ -9,11 +9,11 @@ author: Markus Neis, @Karneades
 date: 2018/03/06
 logsource:
     product: windows
-    service: sysmon
+    category: process_creation
 detection:
     selection:
         ParentImage:
-            - '*\Powershell.exe'
+            - '*\powershell.exe'
         CommandLine:
             - '*schtasks*/Create*/SC *ONLOGON*/TN *Updater*/TR *powershell*'
             - '*schtasks*/Create*/SC *DAILY*/TN *Updater*/TR *powershell*'
diff --git a/rules/windows/sysmon/sysmon_win10_sched_task_0day.yml b/rules/windows/process_creation/win_win10_sched_task_0day.yml
similarity index 100%
rename from rules/windows/sysmon/sysmon_win10_sched_task_0day.yml
rename to rules/windows/process_creation/win_win10_sched_task_0day.yml
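Review bot: The `ParentImage` list still names only `*\powershell.exe`, so the same schtasks persistence launched from PowerShell Core (`pwsh.exe`) is not covered; adding `- '*\pwsh.exe'` to the list is a one-line fix, and the `/TR *powershell*` tail of both CommandLine patterns has the same gap. The lowercasing of `Powershell.exe` is cosmetic rather than functional: Sigma string matching is case-insensitive per the specification, so the old spelling already matched — fine as cleanup, but it should not be read as closing a detection miss. Both CommandLine patterns key on the default task name `Updater` and on a fixed `/SC … /TN … /TR` argument order, which an operator can trivially change; that is inherent to a tool-signature rule, but a `falsepositives`/description note stating that the rule targets default PowerSploit/Empire persistence settings would set expectations for analysts. The `condition` and the rest of the rule are outside the hunk.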