security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
abf1a2c6d7eb6a031fcb60dd003fccf62bd7af33
blue-team-tools/rules/windows/sysmon
T
History
Sander Wiebing b8ee736f44 Remove AppData folder as suspicious folder 
A lot of software is using the AppData folder for startup keys. Some examples:
- Microsoft Teams (\AppData\Local\Microsoft\Teams)
- Resilio (\AppData\Roaming\Resilio Sync\)
- Discord ( (\AppData\Local\Discord\)
- Spotify ( (\AppData\Roaming\Spotify\)

Too many to whitelist them all
2020-05-24 15:16:07 +02:00
..
sysmon_ads_executable.yml
fix: multiple false positive conditions
2020-01-28 10:11:09 +01:00
sysmon_alternate_powershell_hosts_pipe.yml
fix FP + remove powershell rule redundant with sysmon_in_memory_powershell.yml
2020-05-23 10:56:23 -04:00
sysmon_apt_oceanlotus_registry.yml
sysmon registry events fix
2020-03-09 12:02:04 -04:00
sysmon_apt_pandemic.yml
fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon
2020-03-04 12:47:42 -05:00
sysmon_apt_turla_namedpipes.yml
refactor: moved rues from 'apt' folder in respective folders
2020-02-01 17:59:26 +01:00
sysmon_asep_reg_keys_modification.yml
Rule fixes
2020-02-20 23:00:16 +01:00
sysmon_cactustorch.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
sysmon_cmstp_execution.yml
filter on createkey only when needed
2020-05-22 10:37:00 -04:00
sysmon_cobaltstrike_process_injection.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_createremotethread_loadlibrary.yml
Removed ATT&CK technique ids from titles and added tags
2020-01-11 00:33:50 +01:00
sysmon_cred_dump_lsass_access.yml
Rule fixes
2020-02-20 23:00:16 +01:00
sysmon_cred_dump_tools_dropped_files.yml
Update sysmon_cred_dump_tools_dropped_files.yml
2020-02-28 15:16:18 +01:00
sysmon_cred_dump_tools_named_pipes.yml
Rule fixes
2020-02-20 23:00:16 +01:00
sysmon_cve-2020-1048.yml
refactor: simplified and extended expression in CVE-2020-1048 rule
2020-05-23 09:16:19 +02:00
sysmon_dhcp_calloutdll.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
sysmon_disable_security_events_logging_adding_reg_key_minint.yml
filter on createkey only when needed
2020-05-22 10:37:00 -04:00
sysmon_dns_serverlevelplugindll.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_ghostpack_safetykatz.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_hack_dumpert.yml
fix: dumpert rule with wrong sysmon event id
2020-02-07 13:14:18 +01:00
sysmon_hack_wce.yml
Fixed rule: added condition
2020-01-07 15:20:16 +01:00
sysmon_in_memory_assembly_execution.yml
Date typos...more than I thought...
2020-04-02 10:00:00 +02:00
sysmon_in_memory_powershell.yml
fix FP + remove powershell rule redundant with sysmon_in_memory_powershell.yml
2020-05-23 10:56:23 -04:00
sysmon_invoke_phantom.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
sysmon_logon_scripts_userinitmprlogonscript.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
sysmon_lsass_memdump.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
sysmon_lsass_memory_dump_file_creation.yml
Rule fixes
2020-02-20 23:00:16 +01:00
sysmon_mal_namedpipes.yml
Add Covenant default named pipe
2019-12-18 15:19:47 +00:00
sysmon_malware_backconnect_ports.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_malware_verclsid_shellcode.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_mimikatz_inmemory_detection.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
sysmon_mimikatz_trough_winrm.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
sysmon_narrator_feedback_persistance.yml
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
sysmon_new_dll_added_to_appcertdlls_registry_key.yml
sysmon registry events fix
2020-03-09 12:02:04 -04:00
sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
sysmon registry events fix
2020-03-09 12:02:04 -04:00
sysmon_notepad_network_connection.yml
Update condition to filter out printer port
2020-05-14 18:22:49 +07:00
sysmon_password_dumper_lsass.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
sysmon_possible_dns_rebinding.yml
UUIDs + moved unsupported logic
2019-12-19 23:56:36 +01:00
sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml
Rule fixes
2020-02-20 23:00:16 +01:00
sysmon_powershell_execution_moduleload.yml
Removed ATT&CK technique ids from titles and added tags
2020-01-11 00:33:50 +01:00
sysmon_powershell_exploit_scripts.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_powershell_network_connection.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
sysmon_quarkspw_filedump.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_raw_disk_access_using_illegitimate_tools.yml
Rule fixes
2020-02-20 23:00:16 +01:00
sysmon_rdp_registry_modification.yml
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
sysmon_rdp_reverse_tunnel.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
sysmon_rdp_settings_hijack.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_registry_persistence_key_linking.yml
filter on createkey only when needed
2020-05-22 10:37:00 -04:00
sysmon_registry_persistence_search_order.yml
Add Windows Registry Persistence COM Search Order Hijacking
2020-04-14 12:59:29 +02:00
sysmon_registry_trust_record_modification.yml
fix: converted CRLF line break to LF
2020-03-25 14:36:34 +01:00
sysmon_regsvr32_network_activity.yml
Rule fixes
2020-02-20 23:00:16 +01:00
sysmon_remote_powershell_session_network.yml
OSCD QA wave 3
2020-02-02 12:41:12 +01:00
sysmon_rundll32_net_connections.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_ssp_added_lsa_config.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
sysmon_stickykey_like_backdoor.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_susp_adsi_cache_usage.yml
Title capitalized
2020-03-26 17:04:08 +01:00
sysmon_susp_desktop_ini.yml
Update sysmon_susp_desktop_ini.yml
2020-03-28 13:19:10 +01:00
sysmon_susp_download_run_key.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_susp_driver_load.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
sysmon_susp_image_load.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_susp_lsass_dll_load.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_susp_office_dotnet_assembly_dll_load.yml
various rules cleaning
2020-05-18 20:29:53 -04:00
sysmon_susp_office_dotnet_clr_dll_load.yml
fix: converted CRLF line break to LF
2020-03-25 14:36:34 +01:00
sysmon_susp_office_dotnet_gac_dll_load.yml
various rules cleaning
2020-05-18 20:29:53 -04:00
sysmon_susp_office_dsparse_dll_load.yml
fix: converted CRLF line break to LF
2020-03-25 14:36:34 +01:00
sysmon_susp_office_kerberos_dll_load.yml
various rules cleaning
2020-05-18 20:29:53 -04:00
sysmon_susp_powershell_rundll32.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
Casing
2020-04-14 13:39:58 +02:00
sysmon_susp_prog_location_network_connection.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_susp_rdp.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_susp_reg_persist_explorer_run.yml
sysmon registry events fix
2020-03-09 12:02:04 -04:00
sysmon_susp_run_key_img_folder.yml
Remove AppData folder as suspicious folder
2020-05-24 15:16:07 +02:00
sysmon_susp_service_installed.yml
Casing
2020-04-14 13:40:34 +02:00
sysmon_susp_winword_vbadll_load.yml
various rules cleaning
2020-05-18 20:29:53 -04:00
sysmon_susp_winword_wmidll_load.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
sysmon_suspicious_dbghelp_dbgcore_load.yml
fix test
2020-05-23 10:02:58 -04:00
sysmon_suspicious_keyboard_layout_load.yml
sysmon registry events fix
2020-03-09 12:02:04 -04:00
sysmon_suspicious_outbound_kerberos_connection.yml
Rule fixes
2020-02-20 23:00:16 +01:00
sysmon_suspicious_remote_thread.yml
Date typos...more than I thought...
2020-04-02 10:00:00 +02:00
sysmon_svchost_dll_search_order_hijack.yml
various rules cleaning
2020-05-18 20:29:53 -04:00
sysmon_sysinternals_eula_accepted.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_tsclient_filewrite_startup.yml
fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00
sysmon_uac_bypass_eventvwr.yml
fix sysmon registry rules with HKLM/HKU format as used since 02/2017 in sysmon
2020-03-04 12:47:42 -05:00
sysmon_uac_bypass_sdclt.yml
sysmon registry events fix
2020-03-09 12:02:04 -04:00
sysmon_unsigned_image_loaded_into_lsass.yml
Rule fixes
2020-02-20 23:00:16 +01:00
sysmon_webshell_creation_detect.yml
flake 8
2020-05-18 10:03:18 -04:00
sysmon_win_binary_github_com.yml
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
sysmon_win_binary_susp_com.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_win_reg_persistence.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_wmi_event_subscription.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_wmi_module_load.yml
add 1 more FP to wmi load
2020-05-23 07:44:45 -04:00
sysmon_wmi_persistence_commandline_event_consumer.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_wmi_persistence_script_event_consumer_write.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
sysmon_wmi_susp_scripting.yml
Added UUIDs to rules
2019-11-12 23:12:27 +01:00