security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1f707cb37caa91d5203d55831e19cf0bc8caefce
blue-team-tools/rules/windows/sysmon
T
History
Roberto Rodriguez 87ce07088f Update sysmon_plugx_susp_exe_locations.yml 
Duplicate rule title: https://github.com/Neo23x0/sigma/search?q=Executable+used+by+PlugX+in+Uncommon+Location&unscoped_q=Executable+used+by+PlugX+in+Uncommon+Location

This impats Elastalert integration since you cannot have two rules with the same name
2018-12-05 07:58:13 +03:00
..
sysmon_ads_executable.yml
Replace "logsource: description" with "definition" to match the specs
2018-11-15 09:00:06 +03:00
sysmon_attrib_hiding_files.yml
Escaped * where required
2018-08-10 13:53:08 +02:00
sysmon_bitsadmin_download.yml
ATT&CK software tag is added to Bitsadmin Download rule
2018-07-20 09:35:35 +03:00
sysmon_bypass_squiblytwo.yml
Further ATT&CK tagging
2018-07-19 23:36:13 +02:00
sysmon_cmdkey_recon.yml
style: changed title casing and minor fixes
2018-09-04 16:15:41 +02:00
sysmon_cmstp_com_object_access.yml
Update sysmon_cmstp_com_object_access.yml
2018-10-09 19:03:30 -05:00
sysmon_cmstp_execution.yml
Further ATT&CK tagging
2018-07-19 23:36:13 +02:00
sysmon_cobaltstrike_process_injection.yml
rule: Cobalt Strike beacon detection via Remote Threat Creation
2018-11-30 10:25:05 +01:00
sysmon_dhcp_calloutdll.yml
Cleaning up empty list items
2018-01-28 02:36:39 +03:00
sysmon_dns_serverlevelplugindll.yml
Simplified rule conditions with new condition constructs
2018-03-06 23:14:43 +01:00
sysmon_exploit_cve_2015_1641.yml
Rule: CVE-2015-1641
2018-02-22 16:59:40 +01:00
sysmon_exploit_cve_2017_0261.yml
Lowered severity of rule - prone to false positives
2018-02-22 16:59:11 +01:00
sysmon_exploit_cve_2017_8759.yml
Fixed file names "vuln" > "exploit"
2018-02-22 13:29:19 +01:00
sysmon_exploit_cve_2017_11882.yml
Cleaning up empty list items
2018-01-28 02:36:39 +03:00
sysmon_ghostpack_safetykatz.yml
Cosmetics
2018-07-25 07:37:17 +02:00
sysmon_lethalhta.yml
style: renamed rule files to all lower case
2018-09-08 10:27:19 +02:00
sysmon_mal_namedpipes.yml
Replace "logsource: description" with "definition" to match the specs
2018-11-15 09:00:06 +03:00
sysmon_malware_backconnect_ports.yml
Replace "logsource: description" with "definition" to match the specs
2018-11-15 09:00:06 +03:00
sysmon_malware_script_dropper.yml
Added field names to first rules
2017-09-12 23:54:04 +02:00
sysmon_malware_verclsid_shellcode.yml
Replace "logsource: description" with "definition" to match the specs
2018-11-15 09:00:06 +03:00
sysmon_mimikatz_detection_lsass.yml
ATT&CK tagging QA
2018-09-20 12:44:44 +02:00
sysmon_mimikatz_inmemory_detection.yml
added a few mitre attack tags to windows sysmon rules
2018-07-26 21:15:07 -07:00
sysmon_mshta_spawn_shell.yml
ATT&CK tagging of MSHTA Spawning Windows Shell
2018-07-20 09:53:55 +03:00
sysmon_office_macro_cmd.yml
Change All "str" references to be "list"to mach schema update
2018-01-28 02:24:16 +03:00
sysmon_office_shell.yml
added additional binaries and attack tactics/techniques
2018-07-23 15:47:56 +02:00
sysmon_outlook_shell.yml
Rule: Outlook spawning shells to detect Turla like C&C via Outlook
2018-03-10 09:04:11 +01:00
sysmon_password_dumper_lsass.yml
ATT&CK tagging
2018-07-17 23:58:11 +02:00
sysmon_plugx_susp_exe_locations.yml
Update sysmon_plugx_susp_exe_locations.yml
2018-12-05 07:58:13 +03:00
sysmon_powershell_amsi_bypass.yml
Add MITRE ATT&CK Tagging
2018-10-09 19:09:19 -05:00
sysmon_powershell_dll_execution.yml
style: renamed rule files to all lower case
2018-09-08 10:27:19 +02:00
sysmon_powershell_download.yml
added a few mitre attack tags to windows sysmon rules
2018-07-26 21:15:07 -07:00
sysmon_powershell_exploit_scripts.yml
Add ATT&CK Matrix tags
2018-08-22 09:30:55 -05:00
sysmon_powershell_network_connection.yml
Update sysmon_powershell_network_connection.yml
2018-10-09 19:10:17 -05:00
sysmon_powershell_suspicious_parameter_variation.yml
Add MITRE ATT&CK tagging
2018-08-22 09:35:06 -05:00
sysmon_powersploit_schtasks.yml
Update sysmon_powersploit_schtasks.yml
2018-10-09 19:10:37 -05:00
sysmon_quarkspw_filedump.yml
Various rule fixes
2018-03-27 14:35:49 +02:00
sysmon_rundll32_net_connections.yml
added a few mitre attack tags to windows sysmon rules
2018-07-26 21:15:07 -07:00
sysmon_sdbinst_shim_persistence.yml
Fixed tag and date
2018-08-07 08:22:11 +02:00
sysmon_shell_spawn_susp_program.yml
fix: fixed date in rule
2018-10-10 15:27:58 +02:00
sysmon_stickykey_like_backdoor.yml
Fixed tag
2018-07-24 07:58:25 +02:00
sysmon_susp_certutil_command.yml
Include cases in which certutil.exe is used
2018-09-23 20:57:34 +02:00
sysmon_susp_cmd_http_appdata.yml
Change "reference" to "references" to match new schema
2018-01-28 02:12:19 +03:00
sysmon_susp_control_dll_load.yml
Change All "str" references to be "list"to mach schema update
2018-01-28 02:24:16 +03:00
sysmon_susp_driver_load.yml
Update sysmon_susp_driver_load.yml
2018-07-13 18:36:12 -05:00
sysmon_susp_exec_folder.yml
Cleaning up empty list items
2018-01-28 02:36:39 +03:00
sysmon_susp_execution_path_webserver.yml
Added field names to first rules
2017-09-12 23:54:04 +02:00
sysmon_susp_execution_path.yml
Added field names to first rules
2017-09-12 23:54:04 +02:00
sysmon_susp_image_load.yml
user subTee was removed from Twitter
2018-07-04 17:29:05 +02:00
sysmon_susp_mmc_source.yml
Update sysmon_susp_mmc_source.yml
2018-07-13 18:49:08 -05:00
sysmon_susp_net_execution.yml
added a few mitre attack tags to windows sysmon rules
2018-07-26 21:15:07 -07:00
sysmon_susp_ping_hex_ip.yml
Rule: Ping hex IP address
2018-03-23 17:00:00 +01:00
sysmon_susp_powershell_parent_combo.yml
Update sysmon_susp_powershell_parent_combo.yml
2018-10-09 19:11:17 -05:00
sysmon_susp_powershell_rundll32.yml
Update sysmon_susp_powershell_rundll32.yml
2018-10-09 19:11:47 -05:00
sysmon_susp_prog_location_network_connection.yml
Replace "logsource: description" with "definition" to match the specs
2018-11-15 09:00:06 +03:00
sysmon_susp_recon_activity.yml
Added field names to first rules
2017-09-12 23:54:04 +02:00
sysmon_susp_reg_persist_explorer_run.yml
rule: Changed Registry persistence Explorer RUN key rule
2018-07-19 16:27:19 -06:00
sysmon_susp_regsvr32_anomalies.yml
added a few mitre attack tags to windows sysmon rules
2018-07-26 21:15:07 -07:00
sysmon_susp_run_key_img_folder.yml
Rule simplification
2018-09-28 10:58:50 +03:00
sysmon_susp_schtask_creation.yml
ATT&CK tagging of Scheduled Task Creation
2018-07-22 15:56:47 +03:00
sysmon_susp_script_execution.yml
Massive Title Cleanup
2018-01-27 10:57:30 +01:00
sysmon_susp_svchost.yml
added att&ck tactic
2018-08-07 08:36:53 +02:00
sysmon_susp_taskmgr_localsystem.yml
Rule: Suspicious taskmgr as LOCAL_SYSTEM
2018-03-19 16:36:39 +01:00
sysmon_susp_taskmgr_parent.yml
Several rule updates
2018-03-19 16:36:15 +01:00
sysmon_susp_tscon_localsystem.yml
Rules: tscon.exe anomalies
2018-03-17 19:14:13 +01:00
sysmon_susp_tscon_rdp_redirect.yml
Replace "logsource: description" with "definition" to match the specs
2018-11-15 09:00:06 +03:00
sysmon_susp_vssadmin_ntds_activity.yml
Update att&ck tag
2018-08-07 08:27:24 +02:00
sysmon_susp_wmi_execution.yml
Update sysmon_susp_wmi_execution.yml
2018-08-07 08:19:58 +02:00
sysmon_sysinternals_eula_accepted.yml
Rule: SysInternals EULA accept improved and renamed
2018-08-30 13:16:28 +02:00
sysmon_system_exe_anomaly.yml
added att&ck tactic
2018-08-07 08:37:51 +02:00
sysmon_uac_bypass_eventvwr.yml
Fixed tags
2018-08-07 08:20:09 +02:00
sysmon_uac_bypass_sdclt.yml
Tag fixes
2018-08-07 08:18:16 +02:00
sysmon_vul_java_remote_debugging.yml
fixed typo
2018-07-16 16:20:33 -05:00
sysmon_webshell_detection.yml
added att&ck tag
2018-08-07 08:49:05 +02:00
sysmon_webshell_spawn.yml
added att&ck tag
2018-08-07 08:50:01 +02:00
sysmon_win_binary_github_com.yml
Rule: Improved Github communication rule
2018-08-30 10:12:12 +02:00
sysmon_win_binary_susp_com.yml
Rule: Suspicious communication endpoints
2018-08-30 10:12:12 +02:00
sysmon_win_reg_persistence.yml
changed .yaml files to .yml for consistency
2018-11-20 21:07:36 -08:00
sysmon_wmi_persistence_commandline_event_consumer.yml
added a few mitre attack tags to windows sysmon rules
2018-07-26 21:15:07 -07:00
sysmon_wmi_persistence_script_event_consumer_write.yml
added a few mitre attack tags to windows sysmon rules
2018-07-26 21:15:07 -07:00
sysmon_workflow_compiler.yml
Fixed rule
2018-08-23 08:20:28 +02:00