SigmaHQ

yugoslavskiy 5756df1922 rename file	2019-11-10 21:56:34 +03:00
..
sysmon_ads_executable.yml	Replace "logsource: description" with "definition" to match the specs	2018-11-15 09:00:06 +03:00
sysmon_alternate_powershell_hosts_moduleload.yml	oscd task #6 done.	2019-11-10 18:43:41 +03:00
sysmon_alternate_powershell_hosts_pipe.yml	oscd task #6 done.	2019-11-10 18:43:41 +03:00
sysmon_asep_reg_keys_modification.yml	rename file	2019-11-10 21:56:34 +03:00
sysmon_cactustorch.yml	Escaped '\' to '\\' where required	2019-02-03 00:24:57 +01:00
sysmon_cmstp_execution.yml	First Pass	2019-06-13 23:15:38 -05:00
sysmon_cobaltstrike_process_injection.yml	improve sysmon_cobaltstrike_process_injection.yml	2019-11-08 01:41:26 +03:00
sysmon_createremotethread_loadlibrary.yml	oscd task #6 done.	2019-11-10 18:43:41 +03:00
sysmon_dhcp_calloutdll.yml	Added missing tags and some minor improvements	2019-03-05 23:25:49 +01:00
sysmon_dns_serverlevelplugindll.yml	Converted to use the new process_creation data source	2019-03-09 20:57:59 +03:00
sysmon_ghostpack_safetykatz.yml	atc review	2019-03-06 05:25:12 +01:00
sysmon_logon_scripts_userinitmprlogonscript.yml	fix: FPs with UserInitMprLogonScript rule	2019-11-09 23:32:53 +01:00
sysmon_lsass_memdump.yml	Update sysmon_lsass_memdump.yml	2019-04-03 14:06:49 +02:00
sysmon_mal_namedpipes.yml	Rule: suspicious pipes extended	2019-02-21 13:26:48 +01:00
sysmon_malware_backconnect_ports.yml	sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives	2019-09-25 11:11:22 -04:00
sysmon_malware_verclsid_shellcode.yml	rules update	2019-03-06 00:43:42 +01:00
sysmon_mimikatz_detection_lsass.yml	Merge pull request #371 from savvyspoon/issue285	2019-06-19 23:21:43 +02:00
sysmon_mimikatz_inmemory_detection.yml	First Pass	2019-06-13 23:15:38 -05:00
sysmon_mimikatz_trough_winrm.yml	Update sysmon_mimikatz_trough_winrm.yml	2019-05-20 13:22:36 +02:00
sysmon_password_dumper_lsass.yml	ATT&CK tagging	2018-07-17 23:58:11 +02:00
sysmon_powershell_execution_moduleload.yml	oscd task #6 done.	2019-11-10 18:43:41 +03:00
sysmon_powershell_execution_pipe.yml	oscd task #6 done.	2019-11-10 18:43:41 +03:00
sysmon_powershell_exploit_scripts.yml	Removed duplicate filters	2019-01-25 12:21:57 +03:00
sysmon_powershell_network_connection.yml	sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives	2019-09-25 11:11:22 -04:00
sysmon_quarkspw_filedump.yml	Added missing tags and some minor improvements	2019-03-05 23:25:49 +01:00
sysmon_rdp_registry_modification.yml	oscd task #6 done.	2019-11-10 18:43:41 +03:00
sysmon_rdp_reverse_tunnel.yml	sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives	2019-09-25 11:11:22 -04:00
sysmon_rdp_settings_hijack.yml	Create sysmon_rdp_settings_hijack.yml	2019-04-03 14:16:25 +02:00
sysmon_registry_persistence_key_linking.yml	Update sysmon_registry_persistence_key_linking.yml	2019-11-07 04:23:20 +03:00
sysmon_remote_powershell_session_network.yml	added:	2019-10-24 15:48:38 +02:00
sysmon_remote_powershell_session_process.yml	oscd task #6 done.	2019-11-10 18:43:41 +03:00
sysmon_renamed_powershell.yml	fix: renamed powershell rule	2019-09-06 17:33:56 +02:00
sysmon_renamed_psexec.yml	fix: PsExec false positives	2019-09-26 04:50:43 -04:00
sysmon_rundll32_net_connections.yml	sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives	2019-09-25 11:11:22 -04:00
sysmon_ssp_added_lsa_config.yml	Update sysmon_ssp_added_lsa_config.yml	2019-02-05 16:28:06 -05:00
sysmon_stickykey_like_backdoor.yml	First Pass	2019-06-13 23:15:38 -05:00
sysmon_susp_download_run_key.yml	rule: suspicious RUN key created by exe in temp/download folders	2019-10-01 16:08:13 +02:00
sysmon_susp_driver_load.yml	atc review	2019-03-06 05:25:12 +01:00
sysmon_susp_file_characteristics.yml	rule: reduced level of rule to medium due to FPs	2019-11-09 23:24:31 +01:00
sysmon_susp_image_load.yml	Added missing tags and some minor improvements	2019-03-05 23:25:49 +01:00
sysmon_susp_lsass_dll_load.yml	fix: relevant fields in lsass dll load rule	2019-10-16 19:09:20 +02:00
sysmon_susp_powershell_rundll32.yml	Update sysmon_susp_powershell_rundll32.yml	2018-10-09 19:11:47 -05:00
sysmon_susp_prog_location_network_connection.yml	added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related.	2019-04-08 08:07:30 -04:00
sysmon_susp_rdp.yml	sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives	2019-09-25 11:11:22 -04:00
sysmon_susp_reg_persist_explorer_run.yml	Escaped '\' to '\\' where required	2019-02-03 00:24:57 +01:00
sysmon_susp_run_key_img_folder.yml	fix: merged duplicate rules	2019-10-01 16:14:38 +02:00
sysmon_suspicious_keyboard_layout_load.yml	rule: keyboad layout preloads extended with '	2019-10-15 15:11:00 +02:00
sysmon_svchost_dll_search_order_hijack.yml	rule: svchost dll search order hijack	2019-10-28 12:03:03 +01:00
sysmon_sysinternals_eula_accepted.yml	Corrected Typo	2019-06-10 09:51:34 +03:00
sysmon_tsclient_filewrite_startup.yml	Escaped '\' to '\' where required	2019-09-04 14:05:58 +03:00
sysmon_uac_bypass_eventvwr.yml	First Pass	2019-06-13 23:15:38 -05:00
sysmon_uac_bypass_sdclt.yml	First Pass	2019-06-13 23:15:38 -05:00
sysmon_webshell_creation_detect.yml	Update sysmon_webshell_creation_detect.yml	2019-11-04 19:23:52 +03:00
sysmon_win_binary_github_com.yml	sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives	2019-09-25 11:11:22 -04:00
sysmon_win_binary_susp_com.yml	sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives	2019-09-25 11:11:22 -04:00
sysmon_win_reg_persistence.yml	First Pass	2019-06-13 23:15:38 -05:00
sysmon_wmi_event_subscription.yml	Rule: added date to Tom's WMI rule	2019-04-15 09:06:53 +02:00
sysmon_wmi_module_load.yml	oscd task #6 done.	2019-11-10 18:43:41 +03:00
sysmon_wmi_persistence_commandline_event_consumer.yml	added a few mitre attack tags to windows sysmon rules	2018-07-26 21:15:07 -07:00
sysmon_wmi_persistence_script_event_consumer_write.yml	added a few mitre attack tags to windows sysmon rules	2018-07-26 21:15:07 -07:00
sysmon_wmi_susp_scripting.yml	Rule: Suspicious scripting in a WMI consumer	2019-04-15 08:13:35 +02:00

sysmon_ads_executable.yml

Replace "logsource: description" with "definition" to match the specs

2018-11-15 09:00:06 +03:00

sysmon_alternate_powershell_hosts_moduleload.yml

oscd task #6 done.

2019-11-10 18:43:41 +03:00

sysmon_alternate_powershell_hosts_pipe.yml

oscd task #6 done.

2019-11-10 18:43:41 +03:00

sysmon_asep_reg_keys_modification.yml

rename file

2019-11-10 21:56:34 +03:00

sysmon_cactustorch.yml

Escaped '\*' to '\\*' where required

2019-02-03 00:24:57 +01:00

sysmon_cmstp_execution.yml

First Pass

2019-06-13 23:15:38 -05:00

sysmon_cobaltstrike_process_injection.yml

improve sysmon_cobaltstrike_process_injection.yml

2019-11-08 01:41:26 +03:00

sysmon_createremotethread_loadlibrary.yml

oscd task #6 done.

2019-11-10 18:43:41 +03:00

sysmon_dhcp_calloutdll.yml

Added missing tags and some minor improvements

2019-03-05 23:25:49 +01:00

sysmon_dns_serverlevelplugindll.yml

Converted to use the new process_creation data source

2019-03-09 20:57:59 +03:00

sysmon_ghostpack_safetykatz.yml

atc review

2019-03-06 05:25:12 +01:00

sysmon_logon_scripts_userinitmprlogonscript.yml

fix: FPs with UserInitMprLogonScript rule

2019-11-09 23:32:53 +01:00

sysmon_lsass_memdump.yml

Update sysmon_lsass_memdump.yml

2019-04-03 14:06:49 +02:00

sysmon_mal_namedpipes.yml

Rule: suspicious pipes extended

2019-02-21 13:26:48 +01:00

sysmon_malware_backconnect_ports.yml

sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives

2019-09-25 11:11:22 -04:00

sysmon_malware_verclsid_shellcode.yml

rules update

2019-03-06 00:43:42 +01:00

sysmon_mimikatz_detection_lsass.yml

Merge pull request #371 from savvyspoon/issue285

2019-06-19 23:21:43 +02:00

sysmon_mimikatz_inmemory_detection.yml

First Pass

2019-06-13 23:15:38 -05:00

sysmon_mimikatz_trough_winrm.yml

Update sysmon_mimikatz_trough_winrm.yml

2019-05-20 13:22:36 +02:00

sysmon_password_dumper_lsass.yml

ATT&CK tagging

2018-07-17 23:58:11 +02:00

sysmon_powershell_execution_moduleload.yml

oscd task #6 done.

2019-11-10 18:43:41 +03:00

sysmon_powershell_execution_pipe.yml

oscd task #6 done.

2019-11-10 18:43:41 +03:00

sysmon_powershell_exploit_scripts.yml

Removed duplicate filters

2019-01-25 12:21:57 +03:00

sysmon_powershell_network_connection.yml

sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives

2019-09-25 11:11:22 -04:00

sysmon_quarkspw_filedump.yml

Added missing tags and some minor improvements

2019-03-05 23:25:49 +01:00

sysmon_rdp_registry_modification.yml

oscd task #6 done.

2019-11-10 18:43:41 +03:00

sysmon_rdp_reverse_tunnel.yml

sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives

2019-09-25 11:11:22 -04:00

sysmon_rdp_settings_hijack.yml

Create sysmon_rdp_settings_hijack.yml

2019-04-03 14:16:25 +02:00

sysmon_registry_persistence_key_linking.yml

Update sysmon_registry_persistence_key_linking.yml

2019-11-07 04:23:20 +03:00

sysmon_remote_powershell_session_network.yml

added:

2019-10-24 15:48:38 +02:00

sysmon_remote_powershell_session_process.yml

oscd task #6 done.

2019-11-10 18:43:41 +03:00

sysmon_renamed_powershell.yml

fix: renamed powershell rule

2019-09-06 17:33:56 +02:00

sysmon_renamed_psexec.yml

fix: PsExec false positives

2019-09-26 04:50:43 -04:00

sysmon_rundll32_net_connections.yml

sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives

2019-09-25 11:11:22 -04:00

sysmon_ssp_added_lsa_config.yml

Update sysmon_ssp_added_lsa_config.yml

2019-02-05 16:28:06 -05:00

sysmon_stickykey_like_backdoor.yml

First Pass

2019-06-13 23:15:38 -05:00

sysmon_susp_download_run_key.yml

rule: suspicious RUN key created by exe in temp/download folders

2019-10-01 16:08:13 +02:00

sysmon_susp_driver_load.yml

atc review

2019-03-06 05:25:12 +01:00

sysmon_susp_file_characteristics.yml

rule: reduced level of rule to medium due to FPs

2019-11-09 23:24:31 +01:00

sysmon_susp_image_load.yml

Added missing tags and some minor improvements

2019-03-05 23:25:49 +01:00

sysmon_susp_lsass_dll_load.yml

fix: relevant fields in lsass dll load rule

2019-10-16 19:09:20 +02:00

sysmon_susp_powershell_rundll32.yml

Update sysmon_susp_powershell_rundll32.yml

2018-10-09 19:11:47 -05:00

sysmon_susp_prog_location_network_connection.yml

added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related.

2019-04-08 08:07:30 -04:00

sysmon_susp_rdp.yml

sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives

2019-09-25 11:11:22 -04:00

sysmon_susp_reg_persist_explorer_run.yml

Escaped '\*' to '\\*' where required

2019-02-03 00:24:57 +01:00

sysmon_susp_run_key_img_folder.yml

fix: merged duplicate rules

2019-10-01 16:14:38 +02:00

sysmon_suspicious_keyboard_layout_load.yml

rule: keyboad layout preloads extended with '

2019-10-15 15:11:00 +02:00

sysmon_svchost_dll_search_order_hijack.yml

rule: svchost dll search order hijack

2019-10-28 12:03:03 +01:00

sysmon_sysinternals_eula_accepted.yml

Corrected Typo

2019-06-10 09:51:34 +03:00

sysmon_tsclient_filewrite_startup.yml

Escaped '\*' to '\*' where required

2019-09-04 14:05:58 +03:00

sysmon_uac_bypass_eventvwr.yml

First Pass

2019-06-13 23:15:38 -05:00

sysmon_uac_bypass_sdclt.yml

First Pass

2019-06-13 23:15:38 -05:00

sysmon_webshell_creation_detect.yml

Update sysmon_webshell_creation_detect.yml

2019-11-04 19:23:52 +03:00

sysmon_win_binary_github_com.yml

sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives

2019-09-25 11:11:22 -04:00

sysmon_win_binary_susp_com.yml

sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives

2019-09-25 11:11:22 -04:00

sysmon_win_reg_persistence.yml

First Pass

2019-06-13 23:15:38 -05:00

sysmon_wmi_event_subscription.yml

Rule: added date to Tom's WMI rule

2019-04-15 09:06:53 +02:00

sysmon_wmi_module_load.yml

oscd task #6 done.

2019-11-10 18:43:41 +03:00

sysmon_wmi_persistence_commandline_event_consumer.yml

added a few mitre attack tags to windows sysmon rules

2018-07-26 21:15:07 -07:00

sysmon_wmi_persistence_script_event_consumer_write.yml

added a few mitre attack tags to windows sysmon rules

2018-07-26 21:15:07 -07:00

sysmon_wmi_susp_scripting.yml

Rule: Suspicious scripting in a WMI consumer

2019-04-15 08:13:35 +02:00