security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fe9b91c504b66d0032b565f8a2dc2e5f8359368e
blue-team-tools/rules/windows/sysmon
T
History
Cyb3rEng fe9b91c504 Completed changes to selection1 
changed to the following to follow rule creation guidelines:
    - Image|endswith: '\wbem\WMIC.exe'
    - ProcessCommandLine|contains: 'wmic '
2021-09-08 21:26:01 -06:00
..
Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml
Changed Category
2021-09-08 20:38:07 -06:00
Monitor_LOLBins_Process_Creations_by_Office_applications.yml
Completed Changes Based on Comments
2021-09-07 21:19:43 -06:00
Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml
Changed selection2 condition
2021-09-08 21:24:18 -06:00
Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml
Completed changes to selection1
2021-09-08 21:26:01 -06:00
Office_Applications_Spawning_WMI_command-line.yml
Completed Changes Based on Comments
2021-09-07 21:26:42 -06:00
sysmon_abusing_windows_telemetry_for_persistence.yml
Various fixes
2021-09-07 23:38:07 +02:00
sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
Merge branch 'master' into falsepositives_NOT_a_list
2021-05-27 10:23:19 +02:00
sysmon_config_modification_error.yml
Split global rules
2021-09-07 13:30:32 +02:00
sysmon_config_modification_status.yml
Split global rules
2021-09-07 13:30:32 +02:00
sysmon_cve_2021_31979_cve_2021_33771_exploits.yml
Update global ID
2021-09-02 21:16:55 +02:00
sysmon_dcom_iertutil_dll_hijack.yml
Updated rules with modifiers instead of '*' and remove trailing '\\'
2021-06-27 14:51:29 +02:00
sysmon_dns_hybridconnectionmgr_servicebus.yml
Convert eventID 22 to category dns_query
2021-06-10 16:43:33 +02:00
sysmon_pingback_backdoor.yml
update global id
2021-09-02 21:03:25 +02:00
sysmon_wmiprvse_wbemcomn_dll_hijack.yml
Update global ID
2021-09-02 20:07:03 +02:00