Changed category names and remove sysmon log source

rules/windows/driver_load/sysmon_susp_driver_load.yml

@@ -7,9 +7,8 @@ tags:
     - attack.persistence
     - attack.t1050
 logsource:
-    category: driver_loaded
+    category: driver_load
     product: windows
-    service: sysmon
 detection:
     selection: 
         ImageLoaded: '*\Temp\\*'

rules/windows/file_event/sysmon_creation_system_file.yml

@@ -10,9 +10,8 @@ tags:
     - attack.defense_evasion
     - attack.t1036
 logsource:
-    category: file_creation
+    category: file_event
     product: windows
-    service: sysmon
 detection:
     selection:      
         Image:

rules/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml

@@ -10,9 +10,8 @@ tags:
     - attack.credential_access
     - attack.t1003
 logsource:
-    category: file_creation
+    category: file_event
     product: windows
-    service: sysmon
 detection:
     selection:        
         TargetFilename|contains: 

rules/windows/file_event/sysmon_ghostpack_safetykatz.yml

@@ -10,9 +10,8 @@ tags:
 author: Markus Neis
 date: 2018/07/24
 logsource:
-    category: file_creation
+    category: file_event
     product: windows
-    service: sysmon
 detection:
     selection:        
         TargetFilename: '*\Temp\debug.bin'

rules/windows/file_event/sysmon_hack_dumpert.yml

@@ -11,9 +11,8 @@ tags:
     - attack.credential_access
     - attack.t1003
 logsource:
-    category: file_creation
+    category: file_event
     product: windows
-    service: sysmon
 falsepositives:
     - Very unlikely
 level: critical

rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml

@@ -10,9 +10,8 @@ tags:
     - attack.credential_access
     - attack.t1003
 logsource:
-    category: file_creation
+    category: file_event
     product: windows
-    service: sysmon
 detection:
     selection:
         TargetFilename|contains: 'lsass'

rules/windows/file_event/sysmon_powershell_exploit_scripts.yml

@@ -10,9 +10,8 @@ tags:
 author: Markus Neis
 date: 2018/04/07
 logsource:
-    category: file_creation
+    category: file_event
     product: windows
-    service: sysmon
 detection:
     selection:
         TargetFilename:

rules/windows/file_event/sysmon_quarkspw_filedump.yml

@@ -11,9 +11,8 @@ tags:
   - attack.t1003
 level: critical
 logsource:
-    category: file_creation
+    category: file_event
     product: windows
-    service: sysmon
 detection:
     selection:
         # Sysmon: File Creation (ID 11)

rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml

@@ -13,8 +13,7 @@ tags:
     - attack.persistence
 logsource:
     product: windows
-    service: sysmon
-    category: file_creation
+    category: file_event
 detection:
     selection_1:
         TargetFilename: '*\Local\Microsoft\Windows\SchCache\*.sch'

rules/windows/file_event/sysmon_susp_desktop_ini.yml

@@ -11,8 +11,7 @@ tags:
     - attack.t1023
 logsource:
     product: windows
-    service: sysmon
-    category: file_creation
+    category: file_event
 detection:
     filter:
         Image:

rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml

@@ -11,8 +11,7 @@ tags:
     - attack.defense_evasion
 logsource:
     product: windows
-    service: sysmon
-    category: file_creation
+    category: file_event
 detection:
     selection_1:
         TargetFilename: '*\AppData\Local\Temp\*\PROCEXP152.sys'

rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml

@@ -6,8 +6,7 @@ date: 2019/02/21
 author: Samir Bousseaden
 logsource:
     product: windows
-    service: sysmon
-    category: file_creation
+    category: file_event
 detection:
     selection:
         Image: '*\mstsc.exe'

rules/windows/file_event/sysmon_webshell_creation_detect.yml

@@ -13,8 +13,7 @@ tags:
 level: critical
 logsource:
     product: windows
-    service: sysmon
-    category: file_creation
+    category: file_event
 detection:
     selection_2:
         TargetFilename|contains: '\inetpub\wwwroot\'

rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml

@@ -11,7 +11,6 @@ tags:
     - attack.persistence
 logsource:
     product: windows
-    service: sysmon
     category: file_created
 detection:
     selection:

rules/windows/image_load/sysmon_in_memory_powershell.yml

@@ -12,9 +12,8 @@ tags:
     - attack.t1086
     - attack.execution
 logsource:
-    category: image_loaded
+    category: image_load
     product: windows
-    service: sysmon
 detection:
     selection:
         ImageLoaded|endswith:

rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml

@@ -11,9 +11,8 @@ tags:
     - attack.credential_access
     - car.2019-04-004
 logsource:
-    category: image_loaded
+    category: image_load
     product: windows
-    service: sysmon
 date: 2017/03/13
 detection:
     selector:

rules/windows/image_load/sysmon_powershell_execution_moduleload.yml

@@ -8,9 +8,8 @@ author: Roberto Rodriguez @Cyb3rWard0g
 references:
     - https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml
 logsource:
-    category: image_loaded
+    category: image_load
     product: windows
-    service: sysmon
 tags:
     - attack.execution
     - attack.t1086

rules/windows/image_load/sysmon_susp_image_load.yml

@@ -10,9 +10,8 @@ tags:
     - attack.defense_evasion
     - attack.t1073
 logsource:
-    category: image_loaded
+    category: image_load
     product: windows
-    service: sysmon
 detection:
     selection:
         Image:

rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml

@@ -10,9 +10,8 @@ tags:
     - attack.initial_access
     - attack.t1193
 logsource:
-    category: image_loaded
+    category: image_load
     product: windows
-    service: sysmon
 detection:
     selection:
         Image:

rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml

@@ -10,9 +10,8 @@ tags:
     - attack.initial_access
     - attack.t1193
 logsource:
-    category: image_loaded
+    category: image_load
     product: windows
-    service: sysmon
 detection:
     selection:
         Image:

rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml

@@ -10,9 +10,8 @@ tags:
     - attack.initial_access
     - attack.t1193
 logsource:
-    category: image_loaded
+    category: image_load
     product: windows
-    service: sysmon
 detection:
     selection:
         Image:

rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml

@@ -10,9 +10,8 @@ tags:
     - attack.initial_access
     - attack.t1193
 logsource:
-    category: image_loaded
+    category: image_load
     product: windows
-    service: sysmon
 detection:
     selection:
         Image:

rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml

@@ -10,9 +10,8 @@ tags:
     - attack.initial_access
     - attack.t1193
 logsource:
-    category: image_loaded
+    category: image_load
     product: windows
-    service: sysmon
 detection:
     selection:
         Image:

rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml

@@ -10,9 +10,8 @@ tags:
     - attack.initial_access
     - attack.t1193
 logsource:
-    category: image_loaded
+    category: image_load
     product: windows
-    service: sysmon
 detection:
     selection:
         Image:

rules/windows/image_load/sysmon_susp_winword_wmidll_load.yml

@@ -12,9 +12,8 @@ tags:
     - attack.execution
     - attack.t1047
 logsource:
-    category: image_loaded
+    category: image_load
     product: windows
-    service: sysmon
 detection:
     selection:
         Image:

rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml

@@ -15,9 +15,8 @@ tags:
     - attack.credential_access
     - attack.t1003
 logsource:
-    category: image_loaded
+    category: image_load
     product: windows
-    service: sysmon
 detection:
     signedprocess:
         ImageLoaded|endswith:

rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml

@@ -15,9 +15,8 @@ tags:
     - attack.t1038
     - attack.t1112
 logsource:
-    category: image_loaded
+    category: image_load
     product: windows
-    service: sysmon
 detection:
     selection:
         Image:

rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml

@@ -10,9 +10,8 @@ tags:
     - attack.credential_access
     - attack.t1003
 logsource:
-    category: image_loaded
+    category: image_load
     product: windows
-    service: sysmon
 detection:
     selection:
         Image|endswith: '\lsass.exe'

rules/windows/image_load/sysmon_wmi_module_load.yml

@@ -11,9 +11,8 @@ tags:
     - attack.execution
     - attack.t1047
 logsource:
-    category: image_loaded
+    category: image_load
     product: windows
-    service: sysmon
 detection:
     selection: 
         ImageLoaded|endswith:

rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml

@@ -12,7 +12,6 @@ tags:
 logsource:
     cqtegory: image_loaded
     product: windows
-    service: sysmon
 detection:
     selection:
         Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'

rules/windows/network_connection/sysmon_malware_backconnect_ports.yml

@@ -12,7 +12,6 @@ tags:
 logsource:
     category: network_connection
     product: windows
-    service: sysmon
     definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
 detection:
     selection:

rules/windows/network_connection/sysmon_notepad_network_connection.yml

@@ -12,7 +12,6 @@ author: EagleEye Team
 logsource:
     category: network_connection
     product: windows
-    service: sysmon
 date: 2020/05/14
 detection:
     selection:

rules/windows/network_connection/sysmon_powershell_network_connection.yml

@@ -13,7 +13,6 @@ tags:
 logsource:
     category: network_connection
     product: windows
-    service: sysmon
 detection:
     selection:
         Image: '*\powershell.exe'

rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml

@@ -14,7 +14,6 @@ tags:
 logsource:
     category: network_connection
     product: windows
-    service: sysmon
 detection:
     selection:
         Image: '*\svchost.exe'

rules/windows/network_connection/sysmon_remote_powershell_session_network.yml

@@ -12,7 +12,6 @@ tags:
 logsource:
     category: network_connection
     product: windows
-    service: sysmon
 detection:
     selection: 
         DestinationPort:

rules/windows/network_connection/sysmon_rundll32_net_connections.yml

@@ -13,7 +13,6 @@ tags:
 logsource:
     category: network_connection
     product: windows
-    service: sysmon
 detection:
     selection:
         Image: '*\rundll32.exe'

rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml

@@ -9,7 +9,6 @@ date: 2017/03/19
 logsource:
     category: network_connection
     product: windows
-    service: sysmon
     definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events'
 detection:
     selection:

rules/windows/network_connection/sysmon_susp_rdp.yml

@@ -13,7 +13,6 @@ tags:
 logsource:
     category: network_connection
     product: windows
-    service: sysmon
 detection:
     selection:
         DestinationPort: 3389

rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml

@@ -13,7 +13,6 @@ tags:
 logsource:
     category: network_connection
     product: windows
-    service: sysmon
 detection:
     selection:
         DestinationPort: 88

rules/windows/network_connection/sysmon_win_binary_github_com.yml

@@ -13,7 +13,6 @@ tags:
 logsource:
     category: network_connection
     product: windows
-    service: sysmon
 detection:
     selection:
         Initiated: 'true'

rules/windows/network_connection/sysmon_win_binary_susp_com.yml

@@ -13,7 +13,6 @@ tags:
 logsource:
     category: network_connection
     product: windows
-    service: sysmon
 detection:
     selection:
         Initiated: 'true'

rules/windows/process_access/sysmon_cmstp_execution.yml

@@ -25,7 +25,6 @@ level: high
 ---
 logsource:
     product: windows
-    service: sysmon
     category: registry_event
 detection:
     # Registry Object Add

rules/windows/process_access/sysmon_cred_dump_lsass_access.yml

@@ -19,7 +19,6 @@ tags:
 logsource:
     category: process_access
     product: windows
-    service: sysmon
 detection:
     selection:
         TargetImage|endswith: '\lsass.exe'

rules/windows/process_access/sysmon_in_memory_assembly_execution.yml

@@ -16,7 +16,6 @@ tags:
 logsource:
     category: process_access
     product: windows
-    service: sysmon
 detection:
     selection_01: 
         CallTrace: 

rules/windows/process_access/sysmon_invoke_phantom.yml

@@ -13,7 +13,6 @@ tags:
 logsource:
     category: process_access
     product: windows
-    service: sysmon
 detection:
     selection:
         TargetImage: '*\windows\system32\svchost.exe'

rules/windows/process_access/sysmon_lsass_memdump.yml

@@ -13,7 +13,6 @@ tags:
 logsource:
     category: process_access
     product: windows
-    service: sysmon
 detection:
     selection:
         TargetImage: 'C:\windows\system32\lsass.exe'

rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml

@@ -13,7 +13,6 @@ date: 2017/03/04
 logsource:
     category: process_access
     product: windows
-    service: sysmon
     definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
 detection:
     selection:

rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml

@@ -9,7 +9,6 @@ date: 2019/05/20
 logsource:
     category: process_access
     product: windows
-    service: sysmon
 detection:
     selection:
         TargetImage: 'C:\windows\system32\lsass.exe'

rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml

@@ -11,7 +11,6 @@ date: 2019/04/14
 logsource:
     category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection:       
         TargetObject: 

rules/windows/registry_event/sysmon_apt_pandemic.yml

@@ -27,7 +27,6 @@ level: critical
 logsource:
     category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection1:        
         TargetObject:

rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml

@@ -13,7 +13,6 @@ author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
 logsource:
     category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection:
         

rules/windows/registry_event/sysmon_cmstp_execution.yml

@@ -26,7 +26,6 @@ level: high
 logsource:
     category: process_creation,registry_event
     product: windows
-    service: sysmon
 detection:
     # Registry Object Add
     selection2:

rules/windows/registry_event/sysmon_dhcp_calloutdll.yml

@@ -16,7 +16,6 @@ tags:
 logsource:
     category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection:
         

rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml

@@ -13,7 +13,6 @@ modified: 2019/11/13
 logsource:
     category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection:
       - EventID: 12 # key create

rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml

@@ -26,7 +26,6 @@ level: high
 ---
 logsource:
     product: windows
-    service: sysmon
     category: registry_event
 detection:
     dnsregmod: 

rules/windows/registry_event/sysmon_hack_wce.yml

@@ -30,7 +30,6 @@ detection:
 logsource:
     category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection:       
         TargetObject|contains: Services\WCESERVICE\Start

rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml

@@ -13,7 +13,6 @@ modified: 2019/11/10
 logsource:
     category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection1:
         EventType: DeleteValue

rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml

@@ -15,7 +15,6 @@ modified: 2019/11/13
 logsource:
     category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection:
       - EventID: 

rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml

@@ -14,7 +14,6 @@ modified: 2019/11/13
 logsource:
     category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection:
       - TargetObject:

rules/windows/registry_event/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml

@@ -13,7 +13,6 @@ date: 2019/10/26
 modified: 2019/11/11
 logsource:
     product: windows
-    service: sysmon
     category: registry_event
 detection:
     selection:

rules/windows/registry_event/sysmon_rdp_registry_modification.yml

@@ -13,7 +13,6 @@ tags:
 logsource:
     category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection:
         TargetObject|endswith:

rules/windows/registry_event/sysmon_rdp_settings_hijack.yml

@@ -8,7 +8,6 @@ author: Samir Bousseaden
 logsource:
     category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection_reg:
         TargetObject:

rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml

@@ -13,7 +13,6 @@ tags:
 logsource:
     category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection:
         EventType: 'CreateKey'  # don't want DeleteKey events

rules/windows/registry_event/sysmon_registry_persistence_search_order.yml

@@ -12,7 +12,6 @@ tags:
 logsource:
     category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection: # Detect new COM servers in the user hive
         TargetObject: 'HKU\\*_Classes\CLSID\\*\InProcServer32\(Default)'

rules/windows/registry_event/sysmon_registry_trust_record_modification.yml

@@ -14,7 +14,6 @@ tags:
 logsource:
     category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection:
         TargetObject|contains: 'TrustRecords'

rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml

@@ -13,7 +13,6 @@ date: 2019/01/18
 logsource:
     category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection_registry:
         TargetObject:

rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml

@@ -22,7 +22,6 @@ level: critical
 logsource:
     category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection_registry:     
         TargetObject: 

rules/windows/registry_event/sysmon_susp_download_run_key.yml

@@ -12,7 +12,6 @@ tags:
 logsource:
     category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection:
         Image: 

rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml

@@ -9,7 +9,6 @@ references:
 logsource:
     category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection:
         TargetObject: '*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'

rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml

@@ -13,7 +13,6 @@ modified: 2020/05/24
 logsource:
     category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection:
         TargetObject: 

rules/windows/registry_event/sysmon_susp_service_installed.yml

@@ -12,7 +12,6 @@ tags:
 logsource:
     category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection_1:
         

rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml

@@ -11,7 +11,6 @@ modified: 2019/10/15
 logsource:
     category: registry_event
     product: windows
-    service: sysmon
     definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
 detection:
     selection_registry:

rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml

@@ -16,7 +16,6 @@ level: low
 ---
 logsource:
     product: windows
-    service: sysmon
     category: registry_event
 detection:
     selection1:

rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml

@@ -9,7 +9,6 @@ author: Florian Roth
 date: 2017/03/19
 logsource:
     product: windows
-    service: sysmon
     category: registry_event
 detection:
     methregistry:

rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml

@@ -9,7 +9,6 @@ date: 2017/03/17
 logsource:
     category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection:
         # usrclass.dat is mounted on HKU\USERSID_Classes\...

rules/windows/registry_event/sysmon_win_reg_persistence.yml

@@ -8,7 +8,6 @@ author: Karneades
 logsource:
     category: registry_event
     product: windows
-    service: sysmon
 detection:
     selection_reg1:
         TargetObject:

tools/config/generic/sysmon.yml

@@ -29,7 +29,7 @@ logsources:
             product: windows
             service: sysmon
     file_creation:
-        category: file_creation
+        category: file_event
         product: windows
         conditions:
             EventID: 11
@@ -45,7 +45,7 @@ logsources:
             product: windows
             service: sysmon
     image_loaded:
-        category: image_loaded
+        category: image_load
         product: windows
         conditions:
             EventID: 7
@@ -53,7 +53,7 @@ logsources:
             product: windows
             service: sysmon
     driver_loaded:
-        category: driver_loaded
+        category: driver_load
         product: windows
         conditions:
             EventID: 6