security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
68cb5e8921636d4bd1ff3a4a8a2e08b65b45d9ed
blue-team-tools/rules/windows/sysmon
T
History
Thomas Patzke 68cb5e8921 Merge pull request #45 from secman-pl/patch-1 
Update sysmon_susp_regsvr32_anomalies to detect wscript child process
2017-09-10 22:52:37 +02:00
..
sysmon_bitsadmin_download.yml
Added reference
2017-04-07 15:42:08 +02:00
sysmon_dhcp_calloutdll.yml
Corrected rule
2017-05-25 12:06:23 +02:00
sysmon_dns_serverlevelplugindll.yml
Suspicious DNS Server Config Error - Sysmon Rule
2017-05-08 13:39:50 +02:00
sysmon_malware_backconnect_ports.yml
Rules: Suspicious locations and back connect ports
2017-03-19 15:22:27 +01:00
sysmon_malware_script_dropper.yml
Extended malware script dropper rule
2017-05-25 14:59:16 +02:00
sysmon_malware_verclsid_shellcode.yml
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
sysmon_mimikatz_detection_lsass.yml
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
sysmon_mimikatz_inmemory_detection.yml
Removed 'last' from timeframe
2017-08-05 00:32:24 +02:00
sysmon_mshta_spawn_shell.yml
Minor fix > list to single value
2017-04-16 12:01:03 +02:00
sysmon_office_macro_cmd.yml
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
sysmon_office_shell.yml
Office Shell: Reference added to new entry
2017-08-22 10:04:22 +02:00
sysmon_password_dumper_lsass.yml
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
sysmon_plugx_susp_exe_locations.yml
Moved PlugX rule & used builtin ID 4688 for another rule
2017-06-12 11:02:49 +02:00
sysmon_powershell_download.yml
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
sysmon_powershell_network_connection.yml
Reduced to user accounts
2017-03-13 19:09:29 +01:00
sysmon_powershell_suspicious_parameter_combo.yml
Bugfix in rule
2017-03-13 15:09:48 +01:00
sysmon_powershell_suspicious_parameter_variation.yml
Rule: Suspicious PowerShell Parameter Substring
2017-03-13 17:23:25 +01:00
sysmon_susp_certutil_command.yml
Merged builtin/win_susp_certutil_activity.yml with Sysmon rule
2017-08-02 00:04:28 +02:00
sysmon_susp_cmd_http_appdata.yml
Small Typo fix
2017-08-22 10:56:25 +02:00
sysmon_susp_control_dll_load.yml
Suspicious Control Panel DLL Load
2017-04-15 23:32:26 +02:00
sysmon_susp_driver_load.yml
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
sysmon_susp_execution_path_webserver.yml
Rule: Suspicious executions in web folders / non-exe folders
2017-03-13 23:56:06 +01:00
sysmon_susp_execution_path.yml
Rules: Suspicious locations and back connect ports
2017-03-19 15:22:27 +01:00
sysmon_susp_mmc_source.yml
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
sysmon_susp_net_execution.yml
Improved Suspicious Net.exe Execution Rule
2017-05-25 12:44:56 +02:00
sysmon_susp_powershell_parent_combo.yml
Fixed parse errors
2017-08-02 22:49:15 +02:00
sysmon_susp_prog_location_network_connection.yml
Rules: Suspicious locations and back connect ports
2017-03-19 15:22:27 +01:00
sysmon_susp_recon_activity.yml
Rule: Windows recon activity
2017-03-16 18:59:17 +01:00
sysmon_susp_regsvr32_anomalies.yml
Update sysmon_susp_regsvr32_anomalies
2017-08-29 12:21:47 +02:00
sysmon_susp_schtask_creation.yml
Rule: Suspicious task creation description changed
2017-03-21 10:23:53 +01:00
sysmon_susp_script_execution.yml
Renamed and double removed
2017-03-26 01:27:08 +01:00
sysmon_susp_svchost.yml
Rule: Suspicious svchost.exe process
2017-08-31 11:07:45 +02:00
sysmon_susp_vssadmin_ntds_activity.yml
Combined vssadmin rule
2017-03-26 01:27:26 +01:00
sysmon_susp_wmi_execution.yml
Improved WMIC process call create rule
2017-03-29 22:11:05 +02:00
sysmon_uac_bypass_eventvwr.yml
Updated Eventvwr UAC evasion
2017-03-22 14:40:55 +01:00
sysmon_uac_bypass_sdclt.yml
Bugfix: Minor fix cause Sysmon uses SID as Software key
2017-03-21 10:44:53 +01:00
sysmon_vul_java_remote_debugging.yml
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
sysmon_webshell_detection.yml
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
sysmon_webshell_spawn.yml
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
sysmon_win_binary_github_com.yml
Rule: Microsoft Binary Github Communication
2017-08-24 18:27:40 +02:00