| .. |
|
sysmon_ads_executable.yml
|
Replace "logsource: description" with "definition" to match the specs
|
2018-11-15 09:00:06 +03:00 |
|
sysmon_attrib_hiding_files.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
|
sysmon_bitsadmin_download.yml
|
ATT&CK software tag is added to Bitsadmin Download rule
|
2018-07-20 09:35:35 +03:00 |
|
sysmon_bypass_squiblytwo.yml
|
Further ATT&CK tagging
|
2018-07-19 23:36:13 +02:00 |
|
sysmon_cactustorch.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
|
sysmon_cmdkey_recon.yml
|
Corrected reference to references as per Sigma's standard
|
2018-12-25 16:25:12 +03:00 |
|
sysmon_cmstp_com_object_access.yml
|
Update sysmon_cmstp_com_object_access.yml
|
2018-10-09 19:03:30 -05:00 |
|
sysmon_cmstp_execution.yml
|
Further ATT&CK tagging
|
2018-07-19 23:36:13 +02:00 |
|
sysmon_cobaltstrike_process_injection.yml
|
rule: Cobalt Strike beacon detection via Remote Threat Creation
|
2018-11-30 10:25:05 +01:00 |
|
sysmon_dhcp_calloutdll.yml
|
Cleaning up empty list items
|
2018-01-28 02:36:39 +03:00 |
|
sysmon_dns_serverlevelplugindll.yml
|
Simplified rule conditions with new condition constructs
|
2018-03-06 23:14:43 +01:00 |
|
sysmon_exploit_cve_2015_1641.yml
|
Rule: CVE-2015-1641
|
2018-02-22 16:59:40 +01:00 |
|
sysmon_exploit_cve_2017_0261.yml
|
Lowered severity of rule - prone to false positives
|
2018-02-22 16:59:11 +01:00 |
|
sysmon_exploit_cve_2017_8759.yml
|
Fixed file names "vuln" > "exploit"
|
2018-02-22 13:29:19 +01:00 |
|
sysmon_exploit_cve_2017_11882.yml
|
Cleaning up empty list items
|
2018-01-28 02:36:39 +03:00 |
|
sysmon_ghostpack_safetykatz.yml
|
Correct MITRE tag
|
2019-01-22 21:26:07 +03:00 |
|
sysmon_lethalhta.yml
|
style: renamed rule files to all lower case
|
2018-09-08 10:27:19 +02:00 |
|
sysmon_logon_scripts_userinitmprlogonscript.yml
|
Rule: UserInitMprLogonScript persistence method
|
2019-01-12 12:03:36 +01:00 |
|
sysmon_mal_namedpipes.yml
|
Correct MITRE tag
|
2019-01-22 21:26:07 +03:00 |
|
sysmon_malware_backconnect_ports.yml
|
Replace "logsource: description" with "definition" to match the specs
|
2018-11-15 09:00:06 +03:00 |
|
sysmon_malware_script_dropper.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
|
sysmon_malware_verclsid_shellcode.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
|
sysmon_mimikatz_detection_lsass.yml
|
ATT&CK tagging QA
|
2018-09-20 12:44:44 +02:00 |
|
sysmon_mimikatz_inmemory_detection.yml
|
added a few mitre attack tags to windows sysmon rules
|
2018-07-26 21:15:07 -07:00 |
|
sysmon_mshta_spawn_shell.yml
|
ATT&CK tagging of MSHTA Spawning Windows Shell
|
2018-07-20 09:53:55 +03:00 |
|
sysmon_office_shell.yml
|
Correct MITRE tag
|
2019-01-22 21:26:07 +03:00 |
|
sysmon_password_dumper_lsass.yml
|
ATT&CK tagging
|
2018-07-17 23:58:11 +02:00 |
|
sysmon_plugx_susp_exe_locations.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
|
sysmon_powershell_amsi_bypass.yml
|
Add MITRE ATT&CK Tagging
|
2018-10-09 19:09:19 -05:00 |
|
sysmon_powershell_dll_execution.yml
|
style: renamed rule files to all lower case
|
2018-09-08 10:27:19 +02:00 |
|
sysmon_powershell_download.yml
|
added a few mitre attack tags to windows sysmon rules
|
2018-07-26 21:15:07 -07:00 |
|
sysmon_powershell_exploit_scripts.yml
|
Add ATT&CK Matrix tags
|
2018-08-22 09:30:55 -05:00 |
|
sysmon_powershell_network_connection.yml
|
Corrected class B private IP range to prevent false negatives
|
2019-01-04 12:50:41 +03:00 |
|
sysmon_powershell_renamed_ps.yml
|
Rule: Renamed PowerShell.exe
|
2019-01-12 12:03:36 +01:00 |
|
sysmon_powershell_suspicious_parameter_variation.yml
|
Improve Rule & Updated HELK SIGMA Standardization Config
|
2018-12-08 11:30:21 +03:00 |
|
sysmon_powersploit_schtasks.yml
|
Correct MITRE tag
|
2019-01-22 21:26:07 +03:00 |
|
sysmon_quarkspw_filedump.yml
|
Various rule fixes
|
2018-03-27 14:35:49 +02:00 |
|
sysmon_rundll32_net_connections.yml
|
Corrected class B private IP range to prevent false negatives
|
2019-01-04 12:50:41 +03:00 |
|
sysmon_sdbinst_shim_persistence.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
|
sysmon_shell_spawn_susp_program.yml
|
Rule: FP in WMI persistence with SCCM
|
2019-02-05 15:57:54 +01:00 |
|
sysmon_stickykey_like_backdoor.yml
|
Fixed tag
|
2018-07-24 07:58:25 +02:00 |
|
sysmon_susp_certutil_command.yml
|
rule: extended certutil rule to include verifyctl and allows renamed certutil
|
2019-01-22 16:20:06 +01:00 |
|
sysmon_susp_cmd_http_appdata.yml
|
Change "reference" to "references" to match new schema
|
2018-01-28 02:12:19 +03:00 |
|
sysmon_susp_control_dll_load.yml
|
Change All "str" references to be "list"to mach schema update
|
2018-01-28 02:24:16 +03:00 |
|
sysmon_susp_driver_load.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
|
sysmon_susp_exec_folder.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
|
sysmon_susp_execution_path_webserver.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
|
sysmon_susp_execution_path.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
|
sysmon_susp_file_characteristics.yml
|
Detects Executables without FileVersion,Description,Product,Company likely created with py2exe
|
2019-02-06 10:58:37 +01:00 |
|
sysmon_susp_image_load.yml
|
user subTee was removed from Twitter
|
2018-07-04 17:29:05 +02:00 |
|
sysmon_susp_mmc_source.yml
|
Update sysmon_susp_mmc_source.yml
|
2018-07-13 18:49:08 -05:00 |
|
sysmon_susp_net_execution.yml
|
added a few mitre attack tags to windows sysmon rules
|
2018-07-26 21:15:07 -07:00 |
|
sysmon_susp_outlook.yml
|
suspicious behaviour
|
2019-02-06 10:52:41 +01:00 |
|
sysmon_susp_ping_hex_ip.yml
|
Rule: Ping hex IP address
|
2018-03-23 17:00:00 +01:00 |
|
sysmon_susp_powershell_parent_combo.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
|
sysmon_susp_powershell_rundll32.yml
|
Update sysmon_susp_powershell_rundll32.yml
|
2018-10-09 19:11:47 -05:00 |
|
sysmon_susp_prog_location_network_connection.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
|
sysmon_susp_prog_location_process_starts.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
|
sysmon_susp_recon_activity.yml
|
Added field names to first rules
|
2017-09-12 23:54:04 +02:00 |
|
sysmon_susp_reg_persist_explorer_run.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
|
sysmon_susp_regsvr32_anomalies.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
|
sysmon_susp_run_key_img_folder.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
|
sysmon_susp_schtask_creation.yml
|
Correct MITRE tag
|
2019-01-22 21:26:07 +03:00 |
|
sysmon_susp_script_execution.yml
|
Massive Title Cleanup
|
2018-01-27 10:57:30 +01:00 |
|
sysmon_susp_svchost.yml
|
added att&ck tactic
|
2018-08-07 08:36:53 +02:00 |
|
sysmon_susp_taskmgr_localsystem.yml
|
Rule: Suspicious taskmgr as LOCAL_SYSTEM
|
2018-03-19 16:36:39 +01:00 |
|
sysmon_susp_taskmgr_parent.yml
|
Several rule updates
|
2018-03-19 16:36:15 +01:00 |
|
sysmon_susp_tscon_localsystem.yml
|
Corrected reference to references as per Sigma's standard
|
2018-12-25 16:25:12 +03:00 |
|
sysmon_susp_tscon_rdp_redirect.yml
|
Corrected reference to references as per Sigma's standard
|
2018-12-25 16:25:12 +03:00 |
|
sysmon_susp_vssadmin_ntds_activity.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
|
sysmon_susp_wmi_execution.yml
|
Update sysmon_susp_wmi_execution.yml
|
2018-08-07 08:19:58 +02:00 |
|
sysmon_sysinternals_eula_accepted.yml
|
Rule: SysInternals EULA accept improved and renamed
|
2018-08-30 13:16:28 +02:00 |
|
sysmon_system_exe_anomaly.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
|
sysmon_uac_bypass_eventvwr.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
|
sysmon_uac_bypass_sdclt.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
|
sysmon_vul_java_remote_debugging.yml
|
fixed typo
|
2018-07-16 16:20:33 -05:00 |
|
sysmon_webshell_detection.yml
|
added att&ck tag
|
2018-08-07 08:49:05 +02:00 |
|
sysmon_webshell_spawn.yml
|
added att&ck tag
|
2018-08-07 08:50:01 +02:00 |
|
sysmon_win_binary_github_com.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
|
sysmon_win_binary_susp_com.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
|
sysmon_win_reg_persistence.yml
|
Escaped '\*' to '\\*' where required
|
2019-02-03 00:24:57 +01:00 |
|
sysmon_wmi_event_subscription.yml
|
Rule: WMI Event Subscription
|
2019-01-12 12:03:36 +01:00 |
|
sysmon_wmi_persistence_commandline_event_consumer.yml
|
added a few mitre attack tags to windows sysmon rules
|
2018-07-26 21:15:07 -07:00 |
|
sysmon_wmi_persistence_script_event_consumer_write.yml
|
added a few mitre attack tags to windows sysmon rules
|
2018-07-26 21:15:07 -07:00 |
|
sysmon_workflow_compiler.yml
|
Fixed rule
|
2018-08-23 08:20:28 +02:00 |
