security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a5a2f2137823c0ffff78e1a094562bbaec10efd4
blue-team-tools/rules/windows/sysmon
T
History
Thomas Patzke 5706361464 Parsing of "near ... within" aggregation operator 
* Operator is only parsed. No processing or passing of parsed data to
  backends.
* Changed rule sysmon_mimikatz_inmemory_detection.yml accordingly.
2017-08-03 00:05:48 +02:00
..
sysmon_bitsadmin_download.yml
Added reference
2017-04-07 15:42:08 +02:00
sysmon_dhcp_calloutdll.yml
Corrected rule
2017-05-25 12:06:23 +02:00
sysmon_dns_serverlevelplugindll.yml
Suspicious DNS Server Config Error - Sysmon Rule
2017-05-08 13:39:50 +02:00
sysmon_malware_backconnect_ports.yml
Rules: Suspicious locations and back connect ports
2017-03-19 15:22:27 +01:00
sysmon_malware_script_dropper.yml
Extended malware script dropper rule
2017-05-25 14:59:16 +02:00
sysmon_malware_verclsid_shellcode.yml
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
sysmon_mimikatz_detection_lsass.yml
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
sysmon_mimikatz_inmemory_detection.yml
Parsing of "near ... within" aggregation operator
2017-08-03 00:05:48 +02:00
sysmon_mshta_spawn_shell.yml
Minor fix > list to single value
2017-04-16 12:01:03 +02:00
sysmon_office_macro_cmd.yml
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
sysmon_office_shell.yml
MSHTA Rule v1
2017-04-13 01:08:37 +02:00
sysmon_password_dumper_lsass.yml
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
sysmon_plugx_susp_exe_locations.yml
Moved PlugX rule & used builtin ID 4688 for another rule
2017-06-12 11:02:49 +02:00
sysmon_powershell_download.yml
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
sysmon_powershell_network_connection.yml
Reduced to user accounts
2017-03-13 19:09:29 +01:00
sysmon_powershell_suspicious_parameter_combo.yml
Bugfix in rule
2017-03-13 15:09:48 +01:00
sysmon_powershell_suspicious_parameter_variation.yml
Rule: Suspicious PowerShell Parameter Substring
2017-03-13 17:23:25 +01:00
sysmon_susp_certutil_command.yml
Merged builtin/win_susp_certutil_activity.yml with Sysmon rule
2017-08-02 00:04:28 +02:00
sysmon_susp_cmd_http_appdata.yml
Rule: Suspicious cmd.exe combo with http and AppData
2017-04-03 10:41:10 +02:00
sysmon_susp_control_dll_load.yml
Suspicious Control Panel DLL Load
2017-04-15 23:32:26 +02:00
sysmon_susp_driver_load.yml
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
sysmon_susp_execution_path_webserver.yml
Rule: Suspicious executions in web folders / non-exe folders
2017-03-13 23:56:06 +01:00
sysmon_susp_execution_path.yml
Rules: Suspicious locations and back connect ports
2017-03-19 15:22:27 +01:00
sysmon_susp_mmc_source.yml
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
sysmon_susp_net_execution.yml
Improved Suspicious Net.exe Execution Rule
2017-05-25 12:44:56 +02:00
sysmon_susp_powershell_parent_combo.yml
Fixed parse errors
2017-08-02 22:49:15 +02:00
sysmon_susp_prog_location_network_connection.yml
Rules: Suspicious locations and back connect ports
2017-03-19 15:22:27 +01:00
sysmon_susp_recon_activity.yml
Rule: Windows recon activity
2017-03-16 18:59:17 +01:00
sysmon_susp_regsvr32_anomalies.yml
Improved regsvr32.exe whitelisting bypass rule
2017-06-07 13:46:36 +02:00
sysmon_susp_schtask_creation.yml
Rule: Suspicious task creation description changed
2017-03-21 10:23:53 +01:00
sysmon_susp_script_execution.yml
Renamed and double removed
2017-03-26 01:27:08 +01:00
sysmon_susp_vssadmin_ntds_activity.yml
Combined vssadmin rule
2017-03-26 01:27:26 +01:00
sysmon_susp_wmi_execution.yml
Improved WMIC process call create rule
2017-03-29 22:11:05 +02:00
sysmon_uac_bypass_eventvwr.yml
Updated Eventvwr UAC evasion
2017-03-22 14:40:55 +01:00
sysmon_uac_bypass_sdclt.yml
Bugfix: Minor fix cause Sysmon uses SID as Software key
2017-03-21 10:44:53 +01:00
sysmon_vul_java_remote_debugging.yml
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
sysmon_webshell_detection.yml
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
sysmon_webshell_spawn.yml
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00