diff --git a/rules/windows/driver_loaded/sysmon_susp_driver_load.yml b/rules/windows/driver_load/sysmon_susp_driver_load.yml
similarity index 90%
rename from rules/windows/driver_loaded/sysmon_susp_driver_load.yml
rename to rules/windows/driver_load/sysmon_susp_driver_load.yml
index a12d1475c..014f494f3 100755
--- a/rules/windows/driver_loaded/sysmon_susp_driver_load.yml
+++ b/rules/windows/driver_load/sysmon_susp_driver_load.yml
@@ -7,9 +7,8 @@ tags:
- attack.persistence
- attack.t1050
logsource:
- category: driver_loaded
+ category: driver_load
product: windows
- service: sysmon
detection:
selection:
ImageLoaded: '*\Temp\\*'
diff --git a/rules/windows/file_creation/sysmon_creation_system_file.yml b/rules/windows/file_event/sysmon_creation_system_file.yml
similarity index 97%
rename from rules/windows/file_creation/sysmon_creation_system_file.yml
rename to rules/windows/file_event/sysmon_creation_system_file.yml
index aaebf3c39..7ce7adf45 100755
--- a/rules/windows/file_creation/sysmon_creation_system_file.yml
+++ b/rules/windows/file_event/sysmon_creation_system_file.yml
@@ -10,9 +10,8 @@ tags:
- attack.defense_evasion
- attack.t1036
logsource:
- category: file_creation
+ category: file_event
product: windows
- service: sysmon
detection:
selection:
Image:
diff --git a/rules/windows/file_creation/sysmon_cred_dump_tools_dropped_files.yml b/rules/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml
similarity index 96%
rename from rules/windows/file_creation/sysmon_cred_dump_tools_dropped_files.yml
rename to rules/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml
index 7ce6ba11b..a3517bc7f 100755
--- a/rules/windows/file_creation/sysmon_cred_dump_tools_dropped_files.yml
+++ b/rules/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml
@@ -10,9 +10,8 @@ tags:
- attack.credential_access
- attack.t1003
logsource:
- category: file_creation
+ category: file_event
product: windows
- service: sysmon
detection:
selection:
TargetFilename|contains:
diff --git a/rules/windows/file_creation/sysmon_ghostpack_safetykatz.yml b/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
similarity index 90%
rename from rules/windows/file_creation/sysmon_ghostpack_safetykatz.yml
rename to rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
index 8eb4b734f..29648630d 100755
--- a/rules/windows/file_creation/sysmon_ghostpack_safetykatz.yml
+++ b/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
@@ -10,9 +10,8 @@ tags:
author: Markus Neis
date: 2018/07/24
logsource:
- category: file_creation
+ category: file_event
product: windows
- service: sysmon
detection:
selection:
TargetFilename: '*\Temp\debug.bin'
diff --git a/rules/windows/file_creation/sysmon_hack_dumpert.yml b/rules/windows/file_event/sysmon_hack_dumpert.yml
similarity index 94%
rename from rules/windows/file_creation/sysmon_hack_dumpert.yml
rename to rules/windows/file_event/sysmon_hack_dumpert.yml
index bfb748a80..f8bdb838f 100755
--- a/rules/windows/file_creation/sysmon_hack_dumpert.yml
+++ b/rules/windows/file_event/sysmon_hack_dumpert.yml
@@ -11,9 +11,8 @@ tags:
- attack.credential_access
- attack.t1003
logsource:
- category: file_creation
+ category: file_event
product: windows
- service: sysmon
falsepositives:
- Very unlikely
level: critical
diff --git a/rules/windows/file_creation/sysmon_lsass_memory_dump_file_creation.yml b/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml
similarity index 94%
rename from rules/windows/file_creation/sysmon_lsass_memory_dump_file_creation.yml
rename to rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml
index d2bb40a51..578fdb843 100755
--- a/rules/windows/file_creation/sysmon_lsass_memory_dump_file_creation.yml
+++ b/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml
@@ -10,9 +10,8 @@ tags:
- attack.credential_access
- attack.t1003
logsource:
- category: file_creation
+ category: file_event
product: windows
- service: sysmon
detection:
selection:
TargetFilename|contains: 'lsass'
diff --git a/rules/windows/file_creation/sysmon_powershell_exploit_scripts.yml b/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
similarity index 98%
rename from rules/windows/file_creation/sysmon_powershell_exploit_scripts.yml
rename to rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
index c65120664..cf59c05b5 100755
--- a/rules/windows/file_creation/sysmon_powershell_exploit_scripts.yml
+++ b/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
@@ -10,9 +10,8 @@ tags:
author: Markus Neis
date: 2018/04/07
logsource:
- category: file_creation
+ category: file_event
product: windows
- service: sysmon
detection:
selection:
TargetFilename:
diff --git a/rules/windows/file_creation/sysmon_quarkspw_filedump.yml b/rules/windows/file_event/sysmon_quarkspw_filedump.yml
similarity index 92%
rename from rules/windows/file_creation/sysmon_quarkspw_filedump.yml
rename to rules/windows/file_event/sysmon_quarkspw_filedump.yml
index 447225def..c1ee66a7e 100755
--- a/rules/windows/file_creation/sysmon_quarkspw_filedump.yml
+++ b/rules/windows/file_event/sysmon_quarkspw_filedump.yml
@@ -11,9 +11,8 @@ tags:
- attack.t1003
level: critical
logsource:
- category: file_creation
+ category: file_event
product: windows
- service: sysmon
detection:
selection:
# Sysmon: File Creation (ID 11)
diff --git a/rules/windows/file_creation/sysmon_susp_adsi_cache_usage.yml b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
similarity index 96%
rename from rules/windows/file_creation/sysmon_susp_adsi_cache_usage.yml
rename to rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
index bcdf82e78..f19697148 100755
--- a/rules/windows/file_creation/sysmon_susp_adsi_cache_usage.yml
+++ b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
@@ -13,8 +13,7 @@ tags:
- attack.persistence
logsource:
product: windows
- service: sysmon
- category: file_creation
+ category: file_event
detection:
selection_1:
TargetFilename: '*\Local\Microsoft\Windows\SchCache\*.sch'
diff --git a/rules/windows/file_creation/sysmon_susp_desktop_ini.yml b/rules/windows/file_event/sysmon_susp_desktop_ini.yml
similarity index 94%
rename from rules/windows/file_creation/sysmon_susp_desktop_ini.yml
rename to rules/windows/file_event/sysmon_susp_desktop_ini.yml
index 4560174f0..c55114cf1 100755
--- a/rules/windows/file_creation/sysmon_susp_desktop_ini.yml
+++ b/rules/windows/file_event/sysmon_susp_desktop_ini.yml
@@ -11,8 +11,7 @@ tags:
- attack.t1023
logsource:
product: windows
- service: sysmon
- category: file_creation
+ category: file_event
detection:
filter:
Image:
diff --git a/rules/windows/file_creation/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
similarity index 96%
rename from rules/windows/file_creation/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
rename to rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
index 4e79478a9..5d2b079c7 100755
--- a/rules/windows/file_creation/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
+++ b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
@@ -11,8 +11,7 @@ tags:
- attack.defense_evasion
logsource:
product: windows
- service: sysmon
- category: file_creation
+ category: file_event
detection:
selection_1:
TargetFilename: '*\AppData\Local\Temp\*\PROCEXP152.sys'
diff --git a/rules/windows/file_creation/sysmon_tsclient_filewrite_startup.yml b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml
similarity index 91%
rename from rules/windows/file_creation/sysmon_tsclient_filewrite_startup.yml
rename to rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml
index 254f77c65..65a61b0ea 100755
--- a/rules/windows/file_creation/sysmon_tsclient_filewrite_startup.yml
+++ b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml
@@ -6,8 +6,7 @@ date: 2019/02/21
author: Samir Bousseaden
logsource:
product: windows
- service: sysmon
- category: file_creation
+ category: file_event
detection:
selection:
Image: '*\mstsc.exe'
diff --git a/rules/windows/file_creation/sysmon_webshell_creation_detect.yml b/rules/windows/file_event/sysmon_webshell_creation_detect.yml
similarity index 97%
rename from rules/windows/file_creation/sysmon_webshell_creation_detect.yml
rename to rules/windows/file_event/sysmon_webshell_creation_detect.yml
index 86fdb516c..86000b3ad 100755
--- a/rules/windows/file_creation/sysmon_webshell_creation_detect.yml
+++ b/rules/windows/file_event/sysmon_webshell_creation_detect.yml
@@ -13,8 +13,7 @@ tags:
level: critical
logsource:
product: windows
- service: sysmon
- category: file_creation
+ category: file_event
detection:
selection_2:
TargetFilename|contains: '\inetpub\wwwroot\'
diff --git a/rules/windows/file_creation/sysmon_wmi_persistence_script_event_consumer_write.yml b/rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
similarity index 96%
rename from rules/windows/file_creation/sysmon_wmi_persistence_script_event_consumer_write.yml
rename to rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
index 8fc77b5f4..bc07ed69d 100755
--- a/rules/windows/file_creation/sysmon_wmi_persistence_script_event_consumer_write.yml
+++ b/rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
@@ -11,7 +11,6 @@ tags:
- attack.persistence
logsource:
product: windows
- service: sysmon
category: file_created
detection:
selection:
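Review bot: The logsource category on the line after the removed `service: sysmon` is still `file_created`, so this rule is moved into `file_event/` without receiving the `category: file_event` value every other rule in that directory gets in this commit. Since `file_created` matches neither the old `file_creation` name nor the new `file_event` one, it is unlikely to be covered by the backend's generic logsource mapping once the Sysmon service hint is gone, which would silently disable the rule. Change the context line to `category: file_event`.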
diff --git a/rules/windows/image_loaded/sysmon_in_memory_powershell.yml b/rules/windows/image_load/sysmon_in_memory_powershell.yml
similarity index 96%
rename from rules/windows/image_loaded/sysmon_in_memory_powershell.yml
rename to rules/windows/image_load/sysmon_in_memory_powershell.yml
index e5c08eea7..aeb46d86d 100755
--- a/rules/windows/image_loaded/sysmon_in_memory_powershell.yml
+++ b/rules/windows/image_load/sysmon_in_memory_powershell.yml
@@ -12,9 +12,8 @@ tags:
- attack.t1086
- attack.execution
logsource:
- category: image_loaded
+ category: image_load
product: windows
- service: sysmon
detection:
selection:
ImageLoaded|endswith:
diff --git a/rules/windows/image_loaded/sysmon_mimikatz_inmemory_detection.yml b/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml
similarity index 95%
rename from rules/windows/image_loaded/sysmon_mimikatz_inmemory_detection.yml
rename to rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml
index 6f7e05d4e..50568b560 100755
--- a/rules/windows/image_loaded/sysmon_mimikatz_inmemory_detection.yml
+++ b/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml
@@ -11,9 +11,8 @@ tags:
- attack.credential_access
- car.2019-04-004
logsource:
- category: image_loaded
+ category: image_load
product: windows
- service: sysmon
date: 2017/03/13
detection:
selector:
diff --git a/rules/windows/image_loaded/sysmon_powershell_execution_moduleload.yml b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
similarity index 93%
rename from rules/windows/image_loaded/sysmon_powershell_execution_moduleload.yml
rename to rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
index bfed56f88..5c414c0c7 100755
--- a/rules/windows/image_loaded/sysmon_powershell_execution_moduleload.yml
+++ b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
@@ -8,9 +8,8 @@ author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml
logsource:
- category: image_loaded
+ category: image_load
product: windows
- service: sysmon
tags:
- attack.execution
- attack.t1086
diff --git a/rules/windows/image_loaded/sysmon_susp_image_load.yml b/rules/windows/image_load/sysmon_susp_image_load.yml
similarity index 93%
rename from rules/windows/image_loaded/sysmon_susp_image_load.yml
rename to rules/windows/image_load/sysmon_susp_image_load.yml
index 899bc572d..828c939e1 100755
--- a/rules/windows/image_loaded/sysmon_susp_image_load.yml
+++ b/rules/windows/image_load/sysmon_susp_image_load.yml
@@ -10,9 +10,8 @@ tags:
- attack.defense_evasion
- attack.t1073
logsource:
- category: image_loaded
+ category: image_load
product: windows
- service: sysmon
detection:
selection:
Image:
diff --git a/rules/windows/image_loaded/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
similarity index 94%
rename from rules/windows/image_loaded/sysmon_susp_office_dotnet_assembly_dll_load.yml
rename to rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
index 1d0a1e80e..5fb8bc69b 100755
--- a/rules/windows/image_loaded/sysmon_susp_office_dotnet_assembly_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
@@ -10,9 +10,8 @@ tags:
- attack.initial_access
- attack.t1193
logsource:
- category: image_loaded
+ category: image_load
product: windows
- service: sysmon
detection:
selection:
Image:
diff --git a/rules/windows/image_loaded/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
similarity index 94%
rename from rules/windows/image_loaded/sysmon_susp_office_dotnet_clr_dll_load.yml
rename to rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
index 6d6e10845..c38e41361 100755
--- a/rules/windows/image_loaded/sysmon_susp_office_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
@@ -10,9 +10,8 @@ tags:
- attack.initial_access
- attack.t1193
logsource:
- category: image_loaded
+ category: image_load
product: windows
- service: sysmon
detection:
selection:
Image:
diff --git a/rules/windows/image_loaded/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
similarity index 94%
rename from rules/windows/image_loaded/sysmon_susp_office_dotnet_gac_dll_load.yml
rename to rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
index 8a1c1bb67..5ad0b02de 100755
--- a/rules/windows/image_loaded/sysmon_susp_office_dotnet_gac_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
@@ -10,9 +10,8 @@ tags:
- attack.initial_access
- attack.t1193
logsource:
- category: image_loaded
+ category: image_load
product: windows
- service: sysmon
detection:
selection:
Image:
diff --git a/rules/windows/image_loaded/sysmon_susp_office_dsparse_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
similarity index 94%
rename from rules/windows/image_loaded/sysmon_susp_office_dsparse_dll_load.yml
rename to rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
index eb52f0145..01f4c5a94 100755
--- a/rules/windows/image_loaded/sysmon_susp_office_dsparse_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
@@ -10,9 +10,8 @@ tags:
- attack.initial_access
- attack.t1193
logsource:
- category: image_loaded
+ category: image_load
product: windows
- service: sysmon
detection:
selection:
Image:
diff --git a/rules/windows/image_loaded/sysmon_susp_office_kerberos_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
similarity index 94%
rename from rules/windows/image_loaded/sysmon_susp_office_kerberos_dll_load.yml
rename to rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
index 90cf6879d..c9a12264b 100755
--- a/rules/windows/image_loaded/sysmon_susp_office_kerberos_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
@@ -10,9 +10,8 @@ tags:
- attack.initial_access
- attack.t1193
logsource:
- category: image_loaded
+ category: image_load
product: windows
- service: sysmon
detection:
selection:
Image:
diff --git a/rules/windows/image_loaded/sysmon_susp_winword_vbadll_load.yml b/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
similarity index 94%
rename from rules/windows/image_loaded/sysmon_susp_winword_vbadll_load.yml
rename to rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
index ca8fa9451..b52627d18 100755
--- a/rules/windows/image_loaded/sysmon_susp_winword_vbadll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
@@ -10,9 +10,8 @@ tags:
- attack.initial_access
- attack.t1193
logsource:
- category: image_loaded
+ category: image_load
product: windows
- service: sysmon
detection:
selection:
Image:
diff --git a/rules/windows/image_loaded/sysmon_susp_winword_wmidll_load.yml b/rules/windows/image_load/sysmon_susp_winword_wmidll_load.yml
similarity index 96%
rename from rules/windows/image_loaded/sysmon_susp_winword_wmidll_load.yml
rename to rules/windows/image_load/sysmon_susp_winword_wmidll_load.yml
index 25b3eeaac..c2d9e429a 100755
--- a/rules/windows/image_loaded/sysmon_susp_winword_wmidll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_winword_wmidll_load.yml
@@ -12,9 +12,8 @@ tags:
- attack.execution
- attack.t1047
logsource:
- category: image_loaded
+ category: image_load
product: windows
- service: sysmon
detection:
selection:
Image:
diff --git a/rules/windows/image_loaded/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
similarity index 97%
rename from rules/windows/image_loaded/sysmon_suspicious_dbghelp_dbgcore_load.yml
rename to rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
index 78298fe20..20b873c5a 100755
--- a/rules/windows/image_loaded/sysmon_suspicious_dbghelp_dbgcore_load.yml
+++ b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
@@ -15,9 +15,8 @@ tags:
- attack.credential_access
- attack.t1003
logsource:
- category: image_loaded
+ category: image_load
product: windows
- service: sysmon
detection:
signedprocess:
ImageLoaded|endswith:
diff --git a/rules/windows/image_loaded/sysmon_svchost_dll_search_order_hijack.yml b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
similarity index 95%
rename from rules/windows/image_loaded/sysmon_svchost_dll_search_order_hijack.yml
rename to rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
index bd44479d0..f2098fae8 100755
--- a/rules/windows/image_loaded/sysmon_svchost_dll_search_order_hijack.yml
+++ b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
@@ -15,9 +15,8 @@ tags:
- attack.t1038
- attack.t1112
logsource:
- category: image_loaded
+ category: image_load
product: windows
- service: sysmon
detection:
selection:
Image:
diff --git a/rules/windows/image_loaded/sysmon_unsigned_image_loaded_into_lsass.yml b/rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml
similarity index 93%
rename from rules/windows/image_loaded/sysmon_unsigned_image_loaded_into_lsass.yml
rename to rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml
index 34fb597bc..3a66c4dd8 100755
--- a/rules/windows/image_loaded/sysmon_unsigned_image_loaded_into_lsass.yml
+++ b/rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml
@@ -10,9 +10,8 @@ tags:
- attack.credential_access
- attack.t1003
logsource:
- category: image_loaded
+ category: image_load
product: windows
- service: sysmon
detection:
selection:
Image|endswith: '\lsass.exe'
diff --git a/rules/windows/image_loaded/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml
similarity index 96%
rename from rules/windows/image_loaded/sysmon_wmi_module_load.yml
rename to rules/windows/image_load/sysmon_wmi_module_load.yml
index b5e0e6dc7..44353ab39 100755
--- a/rules/windows/image_loaded/sysmon_wmi_module_load.yml
+++ b/rules/windows/image_load/sysmon_wmi_module_load.yml
@@ -11,9 +11,8 @@ tags:
- attack.execution
- attack.t1047
logsource:
- category: image_loaded
+ category: image_load
product: windows
- service: sysmon
detection:
selection:
ImageLoaded|endswith:
diff --git a/rules/windows/image_loaded/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
similarity index 96%
rename from rules/windows/image_loaded/sysmon_wmi_persistence_commandline_event_consumer.yml
rename to rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
index d67b7366f..19b7d30bf 100755
--- a/rules/windows/image_loaded/sysmon_wmi_persistence_commandline_event_consumer.yml
+++ b/rules/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
@@ -12,7 +12,6 @@ tags:
logsource:
cqtegory: image_loaded
product: windows
- service: sysmon
detection:
selection:
Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
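Review bot: The key `cqtegory` is a typo for `category`, and its value `image_loaded` is the old category name this commit renames to `image_load` everywhere else. With `service: sysmon` removed, the misspelled key leaves the logsource with only `product: windows`, so nothing identifies the event type this rule expects; replace the line with `category: image_load`.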
diff --git a/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml b/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
index bd14f8cf4..9c8b1f89d 100755
--- a/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
+++ b/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml
@@ -12,7 +12,6 @@ tags:
logsource:
category: network_connection
product: windows
- service: sysmon
definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN'
detection:
selection:
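Review bot: The `definition` text kept after the removed `service: sysmon` line refers to "Event ID 10 Process Access events: VBE7.DLLUNKNOWN", which does not match this rule's `category: network_connection` and appears to be copied from the verclsid process-access rule later in this diff. Now that the category is the only remaining hint about the event source, a definition describing the wrong event is misleading to whoever maintains the backend mapping; reword it to describe the Sysmon network connection events the rule actually needs, or drop the line. The detection section continues past the hunk.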
diff --git a/rules/windows/network_connection/sysmon_notepad_network_connection.yml b/rules/windows/network_connection/sysmon_notepad_network_connection.yml
index 86b3c511b..49dbcdf75 100755
--- a/rules/windows/network_connection/sysmon_notepad_network_connection.yml
+++ b/rules/windows/network_connection/sysmon_notepad_network_connection.yml
@@ -12,7 +12,6 @@ author: EagleEye Team
logsource:
category: network_connection
product: windows
- service: sysmon
date: 2020/05/14
detection:
selection:
diff --git a/rules/windows/network_connection/sysmon_powershell_network_connection.yml b/rules/windows/network_connection/sysmon_powershell_network_connection.yml
index b34f5253f..8d6742d11 100755
--- a/rules/windows/network_connection/sysmon_powershell_network_connection.yml
+++ b/rules/windows/network_connection/sysmon_powershell_network_connection.yml
@@ -13,7 +13,6 @@ tags:
logsource:
category: network_connection
product: windows
- service: sysmon
detection:
selection:
Image: '*\powershell.exe'
diff --git a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml
index 5775c4805..289594aec 100755
--- a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml
+++ b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml
@@ -14,7 +14,6 @@ tags:
logsource:
category: network_connection
product: windows
- service: sysmon
detection:
selection:
Image: '*\svchost.exe'
diff --git a/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml b/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
index 8bcace7eb..9d56a7da7 100755
--- a/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
+++ b/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml
@@ -12,7 +12,6 @@ tags:
logsource:
category: network_connection
product: windows
- service: sysmon
detection:
selection:
DestinationPort:
diff --git a/rules/windows/network_connection/sysmon_rundll32_net_connections.yml b/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
index 7092eadc0..40ca4c428 100755
--- a/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
+++ b/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
@@ -13,7 +13,6 @@ tags:
logsource:
category: network_connection
product: windows
- service: sysmon
detection:
selection:
Image: '*\rundll32.exe'
diff --git a/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml b/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml
index 3219ca943..9b152411f 100755
--- a/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml
+++ b/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml
@@ -9,7 +9,6 @@ date: 2017/03/19
logsource:
category: network_connection
product: windows
- service: sysmon
definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events'
detection:
selection:
diff --git a/rules/windows/network_connection/sysmon_susp_rdp.yml b/rules/windows/network_connection/sysmon_susp_rdp.yml
index ee37354df..00ab16ac5 100755
--- a/rules/windows/network_connection/sysmon_susp_rdp.yml
+++ b/rules/windows/network_connection/sysmon_susp_rdp.yml
@@ -13,7 +13,6 @@ tags:
logsource:
category: network_connection
product: windows
- service: sysmon
detection:
selection:
DestinationPort: 3389
diff --git a/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
index 0965670e5..e1984104b 100755
--- a/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
+++ b/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
@@ -13,7 +13,6 @@ tags:
logsource:
category: network_connection
product: windows
- service: sysmon
detection:
selection:
DestinationPort: 88
diff --git a/rules/windows/network_connection/sysmon_win_binary_github_com.yml b/rules/windows/network_connection/sysmon_win_binary_github_com.yml
index de0d46030..8a0ac2afd 100755
--- a/rules/windows/network_connection/sysmon_win_binary_github_com.yml
+++ b/rules/windows/network_connection/sysmon_win_binary_github_com.yml
@@ -13,7 +13,6 @@ tags:
logsource:
category: network_connection
product: windows
- service: sysmon
detection:
selection:
Initiated: 'true'
diff --git a/rules/windows/network_connection/sysmon_win_binary_susp_com.yml b/rules/windows/network_connection/sysmon_win_binary_susp_com.yml
index 87445b5b9..6e324b9cb 100755
--- a/rules/windows/network_connection/sysmon_win_binary_susp_com.yml
+++ b/rules/windows/network_connection/sysmon_win_binary_susp_com.yml
@@ -13,7 +13,6 @@ tags:
logsource:
category: network_connection
product: windows
- service: sysmon
detection:
selection:
Initiated: 'true'
diff --git a/rules/windows/process_access/sysmon_cmstp_execution.yml b/rules/windows/process_access/sysmon_cmstp_execution.yml
index 2299a92f5..66e48f89d 100755
--- a/rules/windows/process_access/sysmon_cmstp_execution.yml
+++ b/rules/windows/process_access/sysmon_cmstp_execution.yml
@@ -25,7 +25,6 @@ level: high
---
logsource:
product: windows
- service: sysmon
category: registry_event
detection:
# Registry Object Add
diff --git a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
index 284d860ec..cb3bf8b56 100755
--- a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
@@ -19,7 +19,6 @@ tags:
logsource:
category: process_access
product: windows
- service: sysmon
detection:
selection:
TargetImage|endswith: '\lsass.exe'
diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
index 9ace8464c..b8a892bd8 100755
--- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
+++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
@@ -16,7 +16,6 @@ tags:
logsource:
category: process_access
product: windows
- service: sysmon
detection:
selection_01:
CallTrace:
diff --git a/rules/windows/process_access/sysmon_invoke_phantom.yml b/rules/windows/process_access/sysmon_invoke_phantom.yml
index c2d61c177..c90377b16 100755
--- a/rules/windows/process_access/sysmon_invoke_phantom.yml
+++ b/rules/windows/process_access/sysmon_invoke_phantom.yml
@@ -13,7 +13,6 @@ tags:
logsource:
category: process_access
product: windows
- service: sysmon
detection:
selection:
TargetImage: '*\windows\system32\svchost.exe'
diff --git a/rules/windows/process_access/sysmon_lsass_memdump.yml b/rules/windows/process_access/sysmon_lsass_memdump.yml
index 796e85d20..62f6a9594 100755
--- a/rules/windows/process_access/sysmon_lsass_memdump.yml
+++ b/rules/windows/process_access/sysmon_lsass_memdump.yml
@@ -13,7 +13,6 @@ tags:
logsource:
category: process_access
product: windows
- service: sysmon
detection:
selection:
TargetImage: 'C:\windows\system32\lsass.exe'
diff --git a/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml b/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml
index 625f78a1e..2224ad19f 100755
--- a/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml
+++ b/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml
@@ -13,7 +13,6 @@ date: 2017/03/04
logsource:
category: process_access
product: windows
- service: sysmon
definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN'
detection:
selection:
diff --git a/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml b/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml
index 87650cda7..9444b2a44 100755
--- a/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml
+++ b/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml
@@ -9,7 +9,6 @@ date: 2019/05/20
logsource:
category: process_access
product: windows
- service: sysmon
detection:
selection:
TargetImage: 'C:\windows\system32\lsass.exe'
diff --git a/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml b/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml
index f87bd5087..e9500d793 100755
--- a/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml
+++ b/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml
@@ -11,7 +11,6 @@ date: 2019/04/14
logsource:
category: registry_event
product: windows
- service: sysmon
detection:
selection:
TargetObject:
diff --git a/rules/windows/registry_event/sysmon_apt_pandemic.yml b/rules/windows/registry_event/sysmon_apt_pandemic.yml
index 63b8addfe..01f35a58d 100755
--- a/rules/windows/registry_event/sysmon_apt_pandemic.yml
+++ b/rules/windows/registry_event/sysmon_apt_pandemic.yml
@@ -27,7 +27,6 @@ level: critical
logsource:
category: registry_event
product: windows
- service: sysmon
detection:
selection1:
TargetObject:
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
index 79013d30f..53b75b91b 100755
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml
@@ -13,7 +13,6 @@ author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
logsource:
category: registry_event
product: windows
- service: sysmon
detection:
selection:
diff --git a/rules/windows/registry_event/sysmon_cmstp_execution.yml b/rules/windows/registry_event/sysmon_cmstp_execution.yml
index 48fdfafe6..8c93c7999 100755
--- a/rules/windows/registry_event/sysmon_cmstp_execution.yml
+++ b/rules/windows/registry_event/sysmon_cmstp_execution.yml
@@ -26,7 +26,6 @@ level: high
logsource:
category: process_creation,registry_event
product: windows
- service: sysmon
detection:
# Registry Object Add
selection2:
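Review bot: `category: process_creation,registry_event` is one comma-joined scalar rather than two categories, so a backend looking up the logsource category by name will find no mapping for it, and with `service: sysmon` removed there is no other hint left. The detection keys visible in the hunk (`# Registry Object Add`, `selection2`) suggest this document should simply be `category: registry_event`. Note that process_access/sysmon_cmstp_execution.yml in this same diff carries a second document with `category: registry_event`, presumably the same rule duplicated, so it is worth confirming which copy is meant to stay.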
diff --git a/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml b/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml
index d7304285a..e568b4d0a 100755
--- a/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml
+++ b/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml
@@ -16,7 +16,6 @@ tags:
logsource:
category: registry_event
product: windows
- service: sysmon
detection:
selection:
diff --git a/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
index 570353409..4c260e288 100755
--- a/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
+++ b/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
@@ -13,7 +13,6 @@ modified: 2019/11/13
logsource:
category: registry_event
product: windows
- service: sysmon
detection:
selection:
- EventID: 12 # key create
diff --git a/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml b/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml
index bcf1bd39f..e104ed67a 100755
--- a/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml
+++ b/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml
@@ -26,7 +26,6 @@ level: high
---
logsource:
product: windows
- service: sysmon
category: registry_event
detection:
dnsregmod:
diff --git a/rules/windows/registry_event/sysmon_hack_wce.yml b/rules/windows/registry_event/sysmon_hack_wce.yml
index ab1c9e27b..92483bee8 100755
--- a/rules/windows/registry_event/sysmon_hack_wce.yml
+++ b/rules/windows/registry_event/sysmon_hack_wce.yml
@@ -30,7 +30,6 @@ detection:
logsource:
category: registry_event
product: windows
- service: sysmon
detection:
selection:
TargetObject|contains: Services\WCESERVICE\Start
diff --git a/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml b/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml
index bfb2874ef..f7a0c3534 100755
--- a/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml
+++ b/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml
@@ -13,7 +13,6 @@ modified: 2019/11/10
logsource:
category: registry_event
product: windows
- service: sysmon
detection:
selection1:
EventType: DeleteValue
diff --git a/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
index fbf57d3e0..8d795a34e 100755
--- a/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
+++ b/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
@@ -15,7 +15,6 @@ modified: 2019/11/13
logsource:
category: registry_event
product: windows
- service: sysmon
detection:
selection:
- EventID:
diff --git a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
index 52a2dac65..58aa613d7 100755
--- a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
+++ b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
@@ -14,7 +14,6 @@ modified: 2019/11/13
logsource:
category: registry_event
product: windows
- service: sysmon
detection:
selection:
- TargetObject:
diff --git a/rules/windows/registry_event/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml b/rules/windows/registry_event/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml
index afcee2b40..a465568c9 100755
--- a/rules/windows/registry_event/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml
+++ b/rules/windows/registry_event/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml
@@ -13,7 +13,6 @@ date: 2019/10/26
modified: 2019/11/11
logsource:
product: windows
- service: sysmon
category: registry_event
detection:
selection:
diff --git a/rules/windows/registry_event/sysmon_rdp_registry_modification.yml b/rules/windows/registry_event/sysmon_rdp_registry_modification.yml
index 2ebecfe74..3fe7d6cda 100755
--- a/rules/windows/registry_event/sysmon_rdp_registry_modification.yml
+++ b/rules/windows/registry_event/sysmon_rdp_registry_modification.yml
@@ -13,7 +13,6 @@ tags:
logsource:
category: registry_event
product: windows
- service: sysmon
detection:
selection:
TargetObject|endswith:
diff --git a/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml b/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml
index bad6cc8fe..48e48f6df 100755
--- a/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml
+++ b/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml
@@ -8,7 +8,6 @@ author: Samir Bousseaden
logsource:
category: registry_event
product: windows
- service: sysmon
detection:
selection_reg:
TargetObject:
diff --git a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
index f7594c5da..2e2abe6be 100755
--- a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
+++ b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
@@ -13,7 +13,6 @@ tags:
logsource:
category: registry_event
product: windows
- service: sysmon
detection:
selection:
EventType: 'CreateKey' # don't want DeleteKey events
diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
index 62f0c6bfd..ecb01ec89 100755
--- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
+++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
@@ -12,7 +12,6 @@ tags:
logsource:
category: registry_event
product: windows
- service: sysmon
detection:
selection: # Detect new COM servers in the user hive
TargetObject: 'HKU\\*_Classes\CLSID\\*\InProcServer32\(Default)'
diff --git a/rules/windows/registry_event/sysmon_registry_trust_record_modification.yml b/rules/windows/registry_event/sysmon_registry_trust_record_modification.yml
index 807bba139..3771c3b03 100755
--- a/rules/windows/registry_event/sysmon_registry_trust_record_modification.yml
+++ b/rules/windows/registry_event/sysmon_registry_trust_record_modification.yml
@@ -14,7 +14,6 @@ tags:
logsource:
category: registry_event
product: windows
- service: sysmon
detection:
selection:
TargetObject|contains: 'TrustRecords'
diff --git a/rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml b/rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml
index ea90b5dea..60547d1c8 100755
--- a/rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml
+++ b/rules/windows/registry_event/sysmon_ssp_added_lsa_config.yml
@@ -13,7 +13,6 @@ date: 2019/01/18
logsource:
category: registry_event
product: windows
- service: sysmon
detection:
selection_registry:
TargetObject:
diff --git a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
index 79050d328..0cd46ca49 100755
--- a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
+++ b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
@@ -22,7 +22,6 @@ level: critical
logsource:
category: registry_event
product: windows
- service: sysmon
detection:
selection_registry:
TargetObject:
diff --git a/rules/windows/registry_event/sysmon_susp_download_run_key.yml b/rules/windows/registry_event/sysmon_susp_download_run_key.yml
index 856e06dfe..7f18d8c89 100755
--- a/rules/windows/registry_event/sysmon_susp_download_run_key.yml
+++ b/rules/windows/registry_event/sysmon_susp_download_run_key.yml
@@ -12,7 +12,6 @@ tags:
logsource:
category: registry_event
product: windows
- service: sysmon
detection:
selection:
Image:
diff --git a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
index b5637468e..36bb3fcaa 100755
--- a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
+++ b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
@@ -9,7 +9,6 @@ references:
logsource:
category: registry_event
product: windows
- service: sysmon
detection:
selection:
TargetObject: '*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
diff --git a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
index 40f184b3b..68584e9c7 100755
--- a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
+++ b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
@@ -13,7 +13,6 @@ modified: 2020/05/24
logsource:
category: registry_event
product: windows
- service: sysmon
detection:
selection:
TargetObject:
diff --git a/rules/windows/registry_event/sysmon_susp_service_installed.yml b/rules/windows/registry_event/sysmon_susp_service_installed.yml
index eaf443b6e..920c884ae 100755
--- a/rules/windows/registry_event/sysmon_susp_service_installed.yml
+++ b/rules/windows/registry_event/sysmon_susp_service_installed.yml
@@ -12,7 +12,6 @@ tags:
logsource:
category: registry_event
product: windows
- service: sysmon
detection:
selection_1:
diff --git a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
index 1ba94b9b3..ee1ac4d78 100755
--- a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
+++ b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
@@ -11,7 +11,6 @@ modified: 2019/10/15
logsource:
category: registry_event
product: windows
- service: sysmon
definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
detection:
selection_registry:
diff --git a/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml b/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml
index 21ab67c94..df72b3ad8 100755
--- a/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml
@@ -16,7 +16,6 @@ level: low
---
logsource:
product: windows
- service: sysmon
category: registry_event
detection:
selection1:
diff --git a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
index ba3dfb7ce..80e3cfc97 100755
--- a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
@@ -9,7 +9,6 @@ author: Florian Roth
date: 2017/03/19
logsource:
product: windows
- service: sysmon
category: registry_event
detection:
methregistry:
diff --git a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
index 67fc2b842..2d3a025f9 100755
--- a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
+++ b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
@@ -9,7 +9,6 @@ date: 2017/03/17
logsource:
category: registry_event
product: windows
- service: sysmon
detection:
selection:
# usrclass.dat is mounted on HKU\USERSID_Classes\...
diff --git a/rules/windows/registry_event/sysmon_win_reg_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_persistence.yml
index 7779229be..9ca5a0203 100755
--- a/rules/windows/registry_event/sysmon_win_reg_persistence.yml
+++ b/rules/windows/registry_event/sysmon_win_reg_persistence.yml
@@ -8,7 +8,6 @@ author: Karneades
logsource:
category: registry_event
product: windows
- service: sysmon
detection:
selection_reg1:
TargetObject:
diff --git a/tools/config/generic/sysmon.yml b/tools/config/generic/sysmon.yml
index 5d407de79..a2c68501a 100644
--- a/tools/config/generic/sysmon.yml
+++ b/tools/config/generic/sysmon.yml
@@ -29,7 +29,7 @@ logsources:
product: windows
service: sysmon
file_creation:
- category: file_creation
+ category: file_event
product: windows
conditions:
EventID: 11
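Review bot: The logsource entry keys `file_creation:`, `image_loaded:` and `driver_loaded:` still carry the old category names while their `category:` values are renamed to `file_event`, `image_load` and `driver_load` (same in the hunks at -45 and -53); renaming the keys to match, e.g. `file_event:` / `image_load:` / `driver_load:`, keeps the mapping greppable by the new category name. As far as the diff shows these keys are only identifiers inside the config and are not referenced by the rules, so the rename looks safe, but that should be confirmed against the backend's handling of this file. Since the rule hunks in this commit drop `service: sysmon` and keep only `category`, these config entries (with their `service: sysmon` and `EventID` conditions, 11/7/6 here) are now what restricts a category-only rule to Sysmon events; any category used by the modified rules that has no entry in this config (e.g. `registry_event`, whose entry is not visible in this diff) would lose that restriction, so it is worth verifying each one has a mapping.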
@@ -45,7 +45,7 @@ logsources:
product: windows
service: sysmon
image_loaded:
- category: image_loaded
+ category: image_load
product: windows
conditions:
EventID: 7
@@ -53,7 +53,7 @@ logsources:
product: windows
service: sysmon
driver_loaded:
- category: driver_loaded
+ category: driver_load
product: windows
conditions:
EventID: 6