.. |
sysmon_ads_executable.yml
|
Replace "logsource: description" with "definition" to match the specs
|
2018-11-15 09:00:06 +03:00 |
sysmon_cactustorch.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
sysmon_cmstp_execution.yml
|
First Pass
|
2019-06-13 23:15:38 -05:00 |
sysmon_cobaltstrike_process_injection.yml
|
atc review
|
2019-03-06 05:25:12 +01:00 |
sysmon_dhcp_calloutdll.yml
|
Added missing tags and some minor improvements
|
2019-03-05 23:25:49 +01:00 |
sysmon_dns_serverlevelplugindll.yml
|
Converted to use the new process_creation data source
|
2019-03-09 20:57:59 +03:00 |
sysmon_ghostpack_safetykatz.yml
|
atc review
|
2019-03-06 05:25:12 +01:00 |
sysmon_logon_scripts_userinitmprlogonscript.yml
|
fix: FPs with UserInitMprLogonScript rule
|
2019-11-09 23:32:53 +01:00 |
sysmon_lsass_memdump.yml
|
Update sysmon_lsass_memdump.yml
|
2019-04-03 14:06:49 +02:00 |
sysmon_mal_namedpipes.yml
|
Rule: suspicious pipes extended
|
2019-02-21 13:26:48 +01:00 |
sysmon_malware_backconnect_ports.yml
|
sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives
|
2019-09-25 11:11:22 -04:00 |
sysmon_malware_verclsid_shellcode.yml
|
rules update
|
2019-03-06 00:43:42 +01:00 |
sysmon_mimikatz_detection_lsass.yml
|
Merge pull request #371 from savvyspoon/issue285
|
2019-06-19 23:21:43 +02:00 |
sysmon_mimikatz_inmemory_detection.yml
|
First Pass
|
2019-06-13 23:15:38 -05:00 |
sysmon_mimikatz_trough_winrm.yml
|
Update sysmon_mimikatz_trough_winrm.yml
|
2019-05-20 13:22:36 +02:00 |
sysmon_password_dumper_lsass.yml
|
ATT&CK tagging
|
2018-07-17 23:58:11 +02:00 |
sysmon_powershell_exploit_scripts.yml
|
Removed duplicate filters
|
2019-01-25 12:21:57 +03:00 |
sysmon_powershell_network_connection.yml
|
sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives
|
2019-09-25 11:11:22 -04:00 |
sysmon_quarkspw_filedump.yml
|
Added missing tags and some minor improvements
|
2019-03-05 23:25:49 +01:00 |
sysmon_rdp_reverse_tunnel.yml
|
sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives
|
2019-09-25 11:11:22 -04:00 |
sysmon_rdp_settings_hijack.yml
|
Create sysmon_rdp_settings_hijack.yml
|
2019-04-03 14:16:25 +02:00 |
sysmon_renamed_powershell.yml
|
fix: renamed powershell rule
|
2019-09-06 17:33:56 +02:00 |
sysmon_renamed_psexec.yml
|
fix: PsExec false positives
|
2019-09-26 04:50:43 -04:00 |
sysmon_rundll32_net_connections.yml
|
sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives
|
2019-09-25 11:11:22 -04:00 |
sysmon_ssp_added_lsa_config.yml
|
Update sysmon_ssp_added_lsa_config.yml
|
2019-02-05 16:28:06 -05:00 |
sysmon_stickykey_like_backdoor.yml
|
First Pass
|
2019-06-13 23:15:38 -05:00 |
sysmon_susp_download_run_key.yml
|
rule: suspicious RUN key created by exe in temp/download folders
|
2019-10-01 16:08:13 +02:00 |
sysmon_susp_driver_load.yml
|
atc review
|
2019-03-06 05:25:12 +01:00 |
sysmon_susp_file_characteristics.yml
|
rule: reduced level of rule to medium due to FPs
|
2019-11-09 23:24:31 +01:00 |
sysmon_susp_image_load.yml
|
Added missing tags and some minor improvements
|
2019-03-05 23:25:49 +01:00 |
sysmon_susp_lsass_dll_load.yml
|
fix: relevant fields in lsass dll load rule
|
2019-10-16 19:09:20 +02:00 |
sysmon_susp_powershell_rundll32.yml
|
Update sysmon_susp_powershell_rundll32.yml
|
2018-10-09 19:11:47 -05:00 |
sysmon_susp_prog_location_network_connection.yml
|
added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related.
|
2019-04-08 08:07:30 -04:00 |
sysmon_susp_rdp.yml
|
sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives
|
2019-09-25 11:11:22 -04:00 |
sysmon_susp_reg_persist_explorer_run.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
sysmon_susp_run_key_img_folder.yml
|
fix: merged duplicate rules
|
2019-10-01 16:14:38 +02:00 |
sysmon_suspicious_keyboard_layout_load.yml
|
rule: keyboad layout preloads extended with '
|
2019-10-15 15:11:00 +02:00 |
sysmon_svchost_dll_search_order_hijack.yml
|
rule: svchost dll search order hijack
|
2019-10-28 12:03:03 +01:00 |
sysmon_sysinternals_eula_accepted.yml
|
Corrected Typo
|
2019-06-10 09:51:34 +03:00 |
sysmon_tsclient_filewrite_startup.yml
|
Escaped '\*' to '\*' where required
|
2019-09-04 14:05:58 +03:00 |
sysmon_uac_bypass_eventvwr.yml
|
First Pass
|
2019-06-13 23:15:38 -05:00 |
sysmon_uac_bypass_sdclt.yml
|
First Pass
|
2019-06-13 23:15:38 -05:00 |
sysmon_win_binary_github_com.yml
|
sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives
|
2019-09-25 11:11:22 -04:00 |
sysmon_win_binary_susp_com.yml
|
sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives
|
2019-09-25 11:11:22 -04:00 |
sysmon_win_reg_persistence.yml
|
First Pass
|
2019-06-13 23:15:38 -05:00 |
sysmon_wmi_event_subscription.yml
|
Rule: added date to Tom's WMI rule
|
2019-04-15 09:06:53 +02:00 |
sysmon_wmi_persistence_commandline_event_consumer.yml
|
added a few mitre attack tags to windows sysmon rules
|
2018-07-26 21:15:07 -07:00 |
sysmon_wmi_persistence_script_event_consumer_write.yml
|
added a few mitre attack tags to windows sysmon rules
|
2018-07-26 21:15:07 -07:00 |
sysmon_wmi_susp_scripting.yml
|
Rule: Suspicious scripting in a WMI consumer
|
2019-04-15 08:13:35 +02:00 |