Florian Roth
c571848e9b
Rule: Scheduled task creation
2017-03-13 20:45:28 +01:00
Florian Roth
de46c8c0a0
Reduced to user accounts
2017-03-13 19:09:29 +01:00
Florian Roth
36c941d5d8
Restrict rule to non-private IP ranges only
2017-03-13 18:45:15 +01:00
Florian Roth
8d36e2a1b5
Rule: Suspicious PowerShell Parameter Substring
2017-03-13 17:23:25 +01:00
Florian Roth
85c298c43c
Bugfix in rule
2017-03-13 15:09:48 +01:00
Florian Roth
606d74546a
Rule: PowerShell with network connections
2017-03-13 13:57:41 +01:00
Florian Roth
a0047f7c67
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
Florian Roth
4470c2f893
PowerShell Suspicious Invocation > Sysmon
2017-03-12 17:11:05 +01:00
Florian Roth
d6957f1c2e
Merge pull request #10 from MHaggis/master
...
Sysmon
2017-03-09 08:05:22 +01:00
Michael Haag
c5f05dd829
bitsadmin & VSSAdmin
...
+Bitsadmin download
+VSSAdmin delete
2017-03-08 22:49:35 -08:00
Florian Roth
7b815ef3e5
Sysmon PowerShell - Suspicious Param Combination
2017-03-05 23:51:39 +01:00
Florian Roth
12535417d9
Typo
2017-03-05 01:47:37 +01:00
Michael Haag
a3cd7123a8
wscript/cscript
...
WSF, JSE, JS, VBA and VBE file execution
2017-03-04 14:40:34 -08:00
Michael Haag
4ac5d86479
mshta shells
...
🐚 for all!
2017-03-04 14:33:09 -08:00
Michael Haag
1317fe9df2
Modifications
...
+ Added Sysmon detection of Office binaries spawning Windows shells
+ Additional web servers added for webshell detection
2017-03-04 14:22:44 -08:00
Florian Roth
a9d6295791
Rule: Sysmon Malware Shellcode in Verclsid Process
2017-03-04 10:38:23 +01:00
Florian Roth
15e61a9681
Rule: Certutil Decode in AppData
2017-03-02 11:28:34 +01:00
Florian Roth
b6459a00ab
Two new Sysmon rules for Office Macro/PS detection
2017-03-02 11:06:53 +01:00
Florian Roth
8559837aab
Removed Sysmon EventLog from selection > via 'logsource'
2017-03-02 11:06:20 +01:00
Florian Roth
b4f2a74371
Proposed changes to mimimkatz-inmemory aggregation
2017-03-01 10:16:43 +01:00
Thomas Patzke
15c6f9411b
Rule review
...
* Typos
* Added false positive descriptions
2017-02-24 23:44:42 +01:00
Florian Roth
52d04e52ac
Removed lists from log source section
2017-02-19 11:08:40 +01:00
Florian Roth
166f207dc0
Sysmon rules 'logsource' change
2017-02-19 09:19:06 +01:00
Florian Roth
cd6e24c5ff
Added "logsource" sections and new rule
2017-02-19 00:31:59 +01:00
Florian Roth
18fd63f6b7
Levels to low, medium, high, critical
2017-02-16 18:06:22 +01:00
Thomas Patzke
88270fcf2d
Rule review and cleanup
...
* removed unnecessary one element lists from definitions
* converted some lists of one element maps to maps because the resulting
OR linkage would cause wrong result.
2017-02-15 23:53:08 +01:00
Florian Roth
a6173df0b9
LSASS Remote Thread Update
2017-02-12 16:33:09 +01:00
Florian Roth
04ea201817
New rules and cleanup
2017-02-12 15:50:39 +01:00
Florian Roth
a2adb1ddb5
Renamed rule files, new rules
2017-02-10 19:17:02 +01:00
Florian Roth
1307a45fd5
Moved rules to a separate directory
2017-02-07 00:44:40 +01:00