security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
13f86e93336bd4e7368d4e90cdbc8cf4613f7fd8
blue-team-tools/rules/windows/sysmon
T
History
Karneades 865d971704 Remove backslashes in CommandLine for sticky key rule 
Example command line is exactly "cmd.exe sethc.exe 211".
=> the detection with *\cmd.exe... would not match.
2019-04-03 16:16:18 +02:00
..
sysmon_ads_executable.yml
Replace "logsource: description" with "definition" to match the specs
2018-11-15 09:00:06 +03:00
sysmon_cactustorch.yml
Escaped '\*' to '\\*' where required
2019-02-03 00:24:57 +01:00
sysmon_cmstp_execution.yml
Converted to use the new process_creation data source
2019-03-09 20:57:59 +03:00
sysmon_cobaltstrike_process_injection.yml
atc review
2019-03-06 05:25:12 +01:00
sysmon_dhcp_calloutdll.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
sysmon_dns_serverlevelplugindll.yml
Converted to use the new process_creation data source
2019-03-09 20:57:59 +03:00
sysmon_ghostpack_safetykatz.yml
atc review
2019-03-06 05:25:12 +01:00
sysmon_logon_scripts_userinitmprlogonscript.yml
Reverting back to regular Sysmon 1 to fix CI test
2019-03-09 21:31:56 +03:00
sysmon_mal_namedpipes.yml
Rule: suspicious pipes extended
2019-02-21 13:26:48 +01:00
sysmon_malware_backconnect_ports.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
sysmon_malware_verclsid_shellcode.yml
rules update
2019-03-06 00:43:42 +01:00
sysmon_mimikatz_detection_lsass.yml
atc review
2019-03-06 05:25:12 +01:00
sysmon_mimikatz_inmemory_detection.yml
atc review
2019-03-06 05:25:12 +01:00
sysmon_password_dumper_lsass.yml
ATT&CK tagging
2018-07-17 23:58:11 +02:00
sysmon_powershell_exploit_scripts.yml
Removed duplicate filters
2019-01-25 12:21:57 +03:00
sysmon_powershell_network_connection.yml
Corrected class B private IP range to prevent false negatives
2019-01-04 12:50:41 +03:00
sysmon_powersploit_schtasks.yml
Correct MITRE tag
2019-01-22 21:26:07 +03:00
sysmon_quarkspw_filedump.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
sysmon_rdp_reverse_tunnel.yml
Rule: RDP over Reverse SSH Tunnel
2019-02-16 19:36:13 +01:00
sysmon_rundll32_net_connections.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
sysmon_ssp_added_lsa_config.yml
Update sysmon_ssp_added_lsa_config.yml
2019-02-05 16:28:06 -05:00
sysmon_stickykey_like_backdoor.yml
Remove backslashes in CommandLine for sticky key rule
2019-04-03 16:16:18 +02:00
sysmon_susp_driver_load.yml
atc review
2019-03-06 05:25:12 +01:00
sysmon_susp_file_characteristics.yml
Missing tags
2019-03-06 00:02:37 +01:00
sysmon_susp_image_load.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
sysmon_susp_powershell_rundll32.yml
Update sysmon_susp_powershell_rundll32.yml
2018-10-09 19:11:47 -05:00
sysmon_susp_prog_location_network_connection.yml
Escaped '\*' to '\\*' where required
2019-02-03 00:24:57 +01:00
sysmon_susp_reg_persist_explorer_run.yml
Escaped '\*' to '\\*' where required
2019-02-03 00:24:57 +01:00
sysmon_susp_run_key_img_folder.yml
Escaped '\*' to '\\*' where required
2019-02-03 00:24:57 +01:00
sysmon_sysinternals_eula_accepted.yml
Converted to use the new process_creation data source
2019-03-09 20:57:59 +03:00
sysmon_uac_bypass_eventvwr.yml
Reverting back to regular Sysmon 1 to fix CI test
2019-03-09 21:31:56 +03:00
sysmon_uac_bypass_sdclt.yml
Escaped '\*' to '\\*' where required
2019-02-03 00:24:57 +01:00
sysmon_win_binary_github_com.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
sysmon_win_binary_susp_com.yml
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
sysmon_win_reg_persistence.yml
Removed unnecessary '1 of them' in condition
2019-02-13 21:26:02 +03:00
sysmon_wmi_event_subscription.yml
Rule: WMI Event Subscription
2019-01-12 12:03:36 +01:00
sysmon_wmi_persistence_commandline_event_consumer.yml
added a few mitre attack tags to windows sysmon rules
2018-07-26 21:15:07 -07:00
sysmon_wmi_persistence_script_event_consumer_write.yml
added a few mitre attack tags to windows sysmon rules
2018-07-26 21:15:07 -07:00