| File | Last commit message | Last commit date |
| --- | --- | --- |
| .. | | |
| sysmon_bitsadmin_download.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_dhcp_calloutdll.yml | Corrected rule | 2017-05-25 12:06:23 +02:00 |
| sysmon_dns_serverlevelplugindll.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_exploit_cve_2017_11882.yml | Rule to detect droppers exploiting CVE-2017-11882 | 2017-11-23 00:58:31 +01:00 |
| sysmon_mal_namedpipes.yml | Sysmon: Named Pipe detection for APT malware | 2017-11-06 14:24:42 +01:00 |
| sysmon_malware_backconnect_ports.yml | Rules: Suspicious locations and back connect ports | 2017-03-19 15:22:27 +01:00 |
| sysmon_malware_script_dropper.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_malware_verclsid_shellcode.yml | Sysmon as 'service' of product 'windows' | 2017-03-13 09:23:08 +01:00 |
| sysmon_mimikatz_detection_lsass.yml | Removed unneeded array | 2017-10-18 15:12:29 +02:00 |
| sysmon_mimikatz_inmemory_detection.yml | Dropped within keyword | 2017-10-30 00:25:56 +01:00 |
| sysmon_mshta_spawn_shell.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_office_macro_cmd.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_office_shell.yml | Improved Office Shell rule > added 'schtasks.exe' | 2017-10-25 23:53:45 +02:00 |
| sysmon_password_dumper_lsass.yml | Added proper handling of null/not null values | 2017-10-29 23:57:39 +01:00 |
| sysmon_plugx_susp_exe_locations.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_powershell_download.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_powershell_network_connection.yml | Reduced to user accounts | 2017-03-13 19:09:29 +01:00 |
| sysmon_powershell_suspicious_parameter_combo.yml | Bugfix in rule | 2017-03-13 15:09:48 +01:00 |
| sysmon_powershell_suspicious_parameter_variation.yml | Rule: Suspicious PowerShell Parameter Substring | 2017-03-13 17:23:25 +01:00 |
| sysmon_rundll32_net_connections.yml | Rundll32.exe suspicious network connections | 2017-11-04 14:44:30 +01:00 |
| sysmon_susp_certutil_command.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_susp_cmd_http_appdata.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_susp_control_dll_load.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_susp_driver_load.yml | Sysmon as 'service' of product 'windows' | 2017-03-13 09:23:08 +01:00 |
| sysmon_susp_exec_folder.yml | Executables Started in Suspicious Folder | 2017-10-14 23:23:04 +02:00 |
| sysmon_susp_execution_path_webserver.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_susp_execution_path.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_susp_mmc_source.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_susp_net_execution.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_susp_powershell_parent_combo.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_susp_prog_location_network_connection.yml | Rules: Suspicious locations and back connect ports | 2017-03-19 15:22:27 +01:00 |
| sysmon_susp_recon_activity.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_susp_regsvr32_anomalies.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_susp_run_key_img_folder.yml | Rule: New RUN Key Pointing to Suspicious Folder | 2017-10-17 16:19:56 +02:00 |
| sysmon_susp_schtask_creation.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_susp_script_execution.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_susp_svchost.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_susp_vssadmin_ntds_activity.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_susp_wmi_execution.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_system_exe_anomaly.yml | Removed duplicate string | 2017-12-11 09:31:54 +01:00 |
| sysmon_uac_bypass_eventvwr.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_uac_bypass_sdclt.yml | Bugfix: Minor fix because Sysmon uses SID as Software key | 2017-03-21 10:44:53 +01:00 |
| sysmon_vul_java_remote_debugging.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_vuln_cve_2017_8759.yml | CVE-2017-8759 - Winword.exe > csc.exe | 2017-09-15 15:49:56 +02:00 |
| sysmon_webshell_detection.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_webshell_spawn.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_win_binary_github_com.yml | Rule: Microsoft Binary Github Communication | 2017-08-24 18:27:40 +02:00 |