security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
17c00d8a11d58e25ef5ba2e98e66d7a4ee2c5ac3
blue-team-tools/rules/windows/sysmon
T
History
Tim Burrell (MSTIC) 5051334e85 Sigma queries for 
-- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging)
-- GALLIUM threat intel IOCs in recent MSTIC blog/release.
2020-01-02 14:47:55 +00:00
..
sysmon_ads_executable.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_cactustorch.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_cmstp_execution.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_cobaltstrike_process_injection.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_dhcp_calloutdll.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_dns_serverlevelplugindll.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_ghostpack_safetykatz.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_invoke_phantom.yml
Sigma queries for
2020-01-02 14:47:55 +00:00
sysmon_logon_scripts_userinitmprlogonscript.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_lsass_memdump.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_mal_namedpipes.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_malware_backconnect_ports.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_malware_verclsid_shellcode.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_mimikatz_detection_lsass.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_mimikatz_inmemory_detection.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_mimikatz_trough_winrm.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_password_dumper_lsass.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_powershell_exploit_scripts.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_powershell_network_connection.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_quarkspw_filedump.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_rdp_reverse_tunnel.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_rdp_settings_hijack.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_registry_persistence_key_linking.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_renamed_powershell.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_renamed_procdump.yml
fix: fixed typo in rule for renamed procdump
2019-11-19 15:59:07 +01:00
sysmon_renamed_psexec.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_rundll32_net_connections.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_ssp_added_lsa_config.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_stickykey_like_backdoor.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_susp_download_run_key.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_susp_driver_load.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_susp_file_characteristics.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_susp_image_load.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_susp_lsass_dll_load.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_susp_powershell_rundll32.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_susp_prog_location_network_connection.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_susp_rdp.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_susp_reg_persist_explorer_run.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_susp_run_key_img_folder.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_suspicious_keyboard_layout_load.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_svchost_dll_search_order_hijack.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_sysinternals_eula_accepted.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_tsclient_filewrite_startup.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_uac_bypass_eventvwr.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_uac_bypass_sdclt.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_webshell_creation_detect.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_win_binary_github_com.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_win_binary_susp_com.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_win_reg_persistence.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_wmi_event_subscription.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_wmi_persistence_commandline_event_consumer.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_wmi_persistence_script_event_consumer_write.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_wmi_susp_scripting.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
win_susp_winword_wmidll_load.yml
Update win_susp_winword_wmidll_load.yml
2019-12-30 18:49:39 +09:00