SigmaHQ/rules/windows/sysmon
2020-10-15 21:50:34 +05:30
..
silenttrinity_stager_msbuild_activity.yml Update silenttrinity_stager_msbuild_activity.yml 2020-10-15 21:50:34 +05:30
sysmon_ads_executable.yml Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00
sysmon_cactustorch.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_cmstp_execution.yml Converted to use the new process_creation data source 2019-03-09 20:57:59 +03:00
sysmon_cobaltstrike_process_injection.yml atc review 2019-03-06 05:25:12 +01:00
sysmon_dhcp_calloutdll.yml Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00
sysmon_dns_serverlevelplugindll.yml Converted to use the new process_creation data source 2019-03-09 20:57:59 +03:00
sysmon_ghostpack_safetykatz.yml atc review 2019-03-06 05:25:12 +01:00
sysmon_logon_scripts_userinitmprlogonscript.yml Reverting back to regular Sysmon 1 to fix CI test 2019-03-09 21:31:56 +03:00
sysmon_lsass_memdump.yml Update sysmon_lsass_memdump.yml 2019-04-03 14:06:49 +02:00
sysmon_mal_namedpipes.yml Rule: suspicious pipes extended 2019-02-21 13:26:48 +01:00
sysmon_malware_backconnect_ports.yml Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00
sysmon_malware_verclsid_shellcode.yml rules update 2019-03-06 00:43:42 +01:00
sysmon_mimikatz_detection_lsass.yml atc review 2019-03-06 05:25:12 +01:00
sysmon_mimikatz_inmemory_detection.yml atc review 2019-03-06 05:25:12 +01:00
sysmon_password_dumper_lsass.yml ATT&CK tagging 2018-07-17 23:58:11 +02:00
sysmon_powershell_exploit_scripts.yml Removed duplicate filters 2019-01-25 12:21:57 +03:00
sysmon_powershell_network_connection.yml Corrected class B private IP range to prevent false negatives 2019-01-04 12:50:41 +03:00
sysmon_powersploit_schtasks.yml Correct MITRE tag 2019-01-22 21:26:07 +03:00
sysmon_quarkspw_filedump.yml Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00
sysmon_rdp_reverse_tunnel.yml Rule: RDP over Reverse SSH Tunnel 2019-02-16 19:36:13 +01:00
sysmon_rdp_settings_hijack.yml Create sysmon_rdp_settings_hijack.yml 2019-04-03 14:16:25 +02:00
sysmon_renamed_psexec.yml Rule: Renamed PsExec 2019-05-21 09:49:40 +02:00
sysmon_rundll32_net_connections.yml Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00
sysmon_ssp_added_lsa_config.yml Update sysmon_ssp_added_lsa_config.yml 2019-02-05 16:28:06 -05:00
sysmon_stickykey_like_backdoor.yml Remove backslashes in CommandLine for sticky key rule 2019-04-03 16:16:18 +02:00
sysmon_susp_driver_load.yml atc review 2019-03-06 05:25:12 +01:00
sysmon_susp_file_characteristics.yml Missing tags 2019-03-06 00:02:37 +01:00
sysmon_susp_image_load.yml Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00
sysmon_susp_powershell_rundll32.yml Update sysmon_susp_powershell_rundll32.yml 2018-10-09 19:11:47 -05:00
sysmon_susp_prog_location_network_connection.yml added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related. 2019-04-08 08:07:30 -04:00
sysmon_susp_rdp.yml Reformatted 2019-05-15 20:22:53 +02:00
sysmon_susp_reg_persist_explorer_run.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_susp_run_key_img_folder.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_sysinternals_eula_accepted.yml Converted to use the new process_creation data source 2019-03-09 20:57:59 +03:00
sysmon_termserv_proc_spawn.yml Rule: applying recommendation 2019-05-23 09:44:25 +02:00
sysmon_tsclient_filewrite_startup.yml Create sysmon_tsclient_filewrite_startup.yml 2019-04-03 13:19:59 +02:00
sysmon_uac_bypass_eventvwr.yml Reverting back to regular Sysmon 1 to fix CI test 2019-03-09 21:31:56 +03:00
sysmon_uac_bypass_sdclt.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_win10_sched_task_0day.yml Added password flag 2019-05-22 13:20:26 +02:00
sysmon_win_binary_github_com.yml Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00
sysmon_win_binary_susp_com.yml Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00
sysmon_win_reg_persistence.yml Removed unnecessary '1 of them' in condition 2019-02-13 21:26:02 +03:00
sysmon_wmi_event_subscription.yml Rule: added date to Tom's WMI rule 2019-04-15 09:06:53 +02:00
sysmon_wmi_persistence_commandline_event_consumer.yml added a few mitre attack tags to windows sysmon rules 2018-07-26 21:15:07 -07:00
sysmon_wmi_persistence_script_event_consumer_write.yml added a few mitre attack tags to windows sysmon rules 2018-07-26 21:15:07 -07:00
sysmon_wmi_susp_scripting.yml Rule: Suspicious scripting in a WMI consumer 2019-04-15 08:13:35 +02:00