| File | Last commit message | Last commit date |
|---|---|---|
| sysmon_ads_executable.yml | Replace "logsource: description" with "definition" to match the specs | 2018-11-15 09:00:06 +03:00 |
| sysmon_attrib_hiding_files.yml | Escaped `\*` to `\\*` where required | 2019-02-03 00:24:57 +01:00 |
| sysmon_bitsadmin_download.yml | ATT&CK software tag is added to Bitsadmin Download rule | 2018-07-20 09:35:35 +03:00 |
| sysmon_bypass_squiblytwo.yml | Further ATT&CK tagging | 2018-07-19 23:36:13 +02:00 |
| sysmon_cactustorch.yml | Escaped `\*` to `\\*` where required | 2019-02-03 00:24:57 +01:00 |
| sysmon_cmdkey_recon.yml | Corrected reference to references as per Sigma's standard | 2018-12-25 16:25:12 +03:00 |
| sysmon_cmstp_com_object_access.yml | Update sysmon_cmstp_com_object_access.yml | 2018-10-09 19:03:30 -05:00 |
| sysmon_cmstp_execution.yml | Further ATT&CK tagging | 2018-07-19 23:36:13 +02:00 |
| sysmon_cobaltstrike_process_injection.yml | rule: Cobalt Strike beacon detection via Remote Threat Creation | 2018-11-30 10:25:05 +01:00 |
| sysmon_dhcp_calloutdll.yml | Cleaning up empty list items | 2018-01-28 02:36:39 +03:00 |
| sysmon_dns_serverlevelplugindll.yml | Simplified rule conditions with new condition constructs | 2018-03-06 23:14:43 +01:00 |
| sysmon_exploit_cve_2015_1641.yml | Rule: CVE-2015-1641 | 2018-02-22 16:59:40 +01:00 |
| sysmon_exploit_cve_2017_0261.yml | Lowered severity of rule - prone to false positives | 2018-02-22 16:59:11 +01:00 |
| sysmon_exploit_cve_2017_8759.yml | Fixed file names "vuln" > "exploit" | 2018-02-22 13:29:19 +01:00 |
| sysmon_exploit_cve_2017_11882.yml | Cleaning up empty list items | 2018-01-28 02:36:39 +03:00 |
| sysmon_ghostpack_safetykatz.yml | Correct MITRE tag | 2019-01-22 21:26:07 +03:00 |
| sysmon_lethalhta.yml | style: renamed rule files to all lower case | 2018-09-08 10:27:19 +02:00 |
| sysmon_logon_scripts_userinitmprlogonscript.yml | Rule: UserInitMprLogonScript persistence method | 2019-01-12 12:03:36 +01:00 |
| sysmon_mal_namedpipes.yml | Rule: suspicious pipes extended | 2019-02-21 13:26:48 +01:00 |
| sysmon_malware_backconnect_ports.yml | Added private IP filter to reduce FPs | 2019-02-23 21:15:03 +03:00 |
| sysmon_malware_script_dropper.yml | Escaped `\*` to `\\*` where required | 2019-02-03 00:24:57 +01:00 |
| sysmon_malware_verclsid_shellcode.yml | Escaped `\*` to `\\*` where required | 2019-02-03 00:24:57 +01:00 |
| sysmon_mimikatz_detection_lsass.yml | ATT&CK tagging QA | 2018-09-20 12:44:44 +02:00 |
| sysmon_mimikatz_inmemory_detection.yml | added a few mitre attack tags to windows sysmon rules | 2018-07-26 21:15:07 -07:00 |
| sysmon_mshta_spawn_shell.yml | ATT&CK tagging of MSHTA Spawning Windows Shell | 2018-07-20 09:53:55 +03:00 |
| sysmon_office_shell.yml | Correct MITRE tag | 2019-01-22 21:26:07 +03:00 |
| sysmon_password_dumper_lsass.yml | ATT&CK tagging | 2018-07-17 23:58:11 +02:00 |
| sysmon_plugx_susp_exe_locations.yml | Escaped `\*` to `\\*` where required | 2019-02-03 00:24:57 +01:00 |
| sysmon_powershell_amsi_bypass.yml | Add MITRE ATT&CK Tagging | 2018-10-09 19:09:19 -05:00 |
| sysmon_powershell_dll_execution.yml | style: renamed rule files to all lower case | 2018-09-08 10:27:19 +02:00 |
| sysmon_powershell_download.yml | added keywords & source to sysmon_powershell_download.yml | 2019-02-07 18:25:04 -08:00 |
| sysmon_powershell_exploit_scripts.yml | Removed duplicate filters | 2019-01-25 12:21:57 +03:00 |
| sysmon_powershell_network_connection.yml | Corrected class B private IP range to prevent false negatives | 2019-01-04 12:50:41 +03:00 |
| sysmon_powershell_renamed_ps.yml | Rule: fixed bug in Renamed PowerShell rule | 2019-02-13 13:23:02 +01:00 |
| sysmon_powershell_suspicious_parameter_variation.yml | Improve Rule & Updated HELK SIGMA Standardization Config | 2018-12-08 11:30:21 +03:00 |
| sysmon_powersploit_schtasks.yml | Correct MITRE tag | 2019-01-22 21:26:07 +03:00 |
| sysmon_quarkspw_filedump.yml | Various rule fixes | 2018-03-27 14:35:49 +02:00 |
| sysmon_rdp_reverse_tunnel.yml | Rule: RDP over Reverse SSH Tunnel | 2019-02-16 19:36:13 +01:00 |
| sysmon_rundll32_net_connections.yml | Corrected class B private IP range to prevent false negatives | 2019-01-04 12:50:41 +03:00 |
| sysmon_sdbinst_shim_persistence.yml | Escaped `\*` to `\\*` where required | 2019-02-03 00:24:57 +01:00 |
| sysmon_shell_spawn_susp_program.yml | Rule: FP in WMI persistence with SCCM | 2019-02-05 15:57:54 +01:00 |
| sysmon_ssp_added_lsa_config.yml | Update sysmon_ssp_added_lsa_config.yml | 2019-02-05 16:28:06 -05:00 |
| sysmon_stickykey_like_backdoor.yml | Fixed tag | 2018-07-24 07:58:25 +02:00 |
| sysmon_susp_certutil_command.yml | Added '/' prefix, -encode switch, better renamed certutil coverage | 2019-02-06 10:45:32 -05:00 |
| sysmon_susp_cmd_http_appdata.yml | Change "reference" to "references" to match new schema | 2018-01-28 02:12:19 +03:00 |
| sysmon_susp_control_dll_load.yml | Change All "str" references to be "list" to match schema update | 2018-01-28 02:24:16 +03:00 |
| sysmon_susp_csc.yml | Rule: Suspicious csc.exe parents | 2019-02-11 13:50:51 +01:00 |
| sysmon_susp_driver_load.yml | Escaped `\*` to `\\*` where required | 2019-02-03 00:24:57 +01:00 |
| sysmon_susp_exec_folder.yml | Rule: extended exec location rule to support 4688 events | 2019-02-21 13:26:48 +01:00 |
| sysmon_susp_execution_path_webserver.yml | Escaped `\*` to `\\*` where required | 2019-02-03 00:24:57 +01:00 |
| sysmon_susp_execution_path.yml | Escaped `\*` to `\\*` where required | 2019-02-03 00:24:57 +01:00 |
| sysmon_susp_file_characteristics.yml | adjusted spaces | 2019-02-06 11:10:42 +01:00 |
| sysmon_susp_image_load.yml | user subTee was removed from Twitter | 2018-07-04 17:29:05 +02:00 |
| sysmon_susp_mmc_source.yml | Update sysmon_susp_mmc_source.yml | 2018-07-13 18:49:08 -05:00 |
| sysmon_susp_net_execution.yml | added a few mitre attack tags to windows sysmon rules | 2018-07-26 21:15:07 -07:00 |
| sysmon_susp_outlook.yml | adjusted MITRE ATT&CK tag | 2019-02-06 11:27:51 +01:00 |
| sysmon_susp_ping_hex_ip.yml | Rule: Ping hex IP address | 2018-03-23 17:00:00 +01:00 |
| sysmon_susp_powershell_parent_combo.yml | Escaped `\*` to `\\*` where required | 2019-02-03 00:24:57 +01:00 |
| sysmon_susp_powershell_rundll32.yml | Update sysmon_susp_powershell_rundll32.yml | 2018-10-09 19:11:47 -05:00 |
| sysmon_susp_prog_location_network_connection.yml | Escaped `\*` to `\\*` where required | 2019-02-03 00:24:57 +01:00 |
| sysmon_susp_prog_location_process_starts.yml | Escaped `\*` to `\\*` where required | 2019-02-03 00:24:57 +01:00 |
| sysmon_susp_recon_activity.yml | Added field names to first rules | 2017-09-12 23:54:04 +02:00 |
| sysmon_susp_reg_persist_explorer_run.yml | Escaped `\*` to `\\*` where required | 2019-02-03 00:24:57 +01:00 |
| sysmon_susp_regsvr32_anomalies.yml | Escaped `\*` to `\\*` where required | 2019-02-03 00:24:57 +01:00 |
| sysmon_susp_run_key_img_folder.yml | Escaped `\*` to `\\*` where required | 2019-02-03 00:24:57 +01:00 |
| sysmon_susp_schtask_creation.yml | Correct MITRE tag | 2019-01-22 21:26:07 +03:00 |
| sysmon_susp_script_execution.yml | Massive Title Cleanup | 2018-01-27 10:57:30 +01:00 |
| sysmon_susp_svchost.yml | added att&ck tactic | 2018-08-07 08:36:53 +02:00 |
| sysmon_susp_taskmgr_localsystem.yml | Rule: Suspicious taskmgr as LOCAL_SYSTEM | 2018-03-19 16:36:39 +01:00 |
| sysmon_susp_taskmgr_parent.yml | Several rule updates | 2018-03-19 16:36:15 +01:00 |
| sysmon_susp_tscon_localsystem.yml | Corrected reference to references as per Sigma's standard | 2018-12-25 16:25:12 +03:00 |
| sysmon_susp_tscon_rdp_redirect.yml | Corrected reference to references as per Sigma's standard | 2018-12-25 16:25:12 +03:00 |
| sysmon_susp_vssadmin_ntds_activity.yml | Added esentutl copy command to sysmon_susp_vssadmin_ntds_activity.yml | 2019-02-11 21:10:49 -08:00 |
| sysmon_susp_wmi_execution.yml | Update sysmon_susp_wmi_execution.yml | 2018-08-07 08:19:58 +02:00 |
| sysmon_sysinternals_eula_accepted.yml | Added a detection path through process spawn | 2019-02-24 10:29:58 +03:00 |
| sysmon_system_exe_anomaly.yml | Escaped `\*` to `\\*` where required | 2019-02-03 00:24:57 +01:00 |
| sysmon_uac_bypass_eventvwr.yml | Escaped `\*` to `\\*` where required | 2019-02-03 00:24:57 +01:00 |
| sysmon_uac_bypass_sdclt.yml | Escaped `\*` to `\\*` where required | 2019-02-03 00:24:57 +01:00 |
| sysmon_vul_java_remote_debugging.yml | fixed typo | 2018-07-16 16:20:33 -05:00 |
| sysmon_webshell_detection.yml | added att&ck tag | 2018-08-07 08:49:05 +02:00 |
| sysmon_webshell_spawn.yml | added att&ck tag | 2018-08-07 08:50:01 +02:00 |
| sysmon_win_binary_github_com.yml | Escaped `\*` to `\\*` where required | 2019-02-03 00:24:57 +01:00 |
| sysmon_win_binary_susp_com.yml | Escaped `\*` to `\\*` where required | 2019-02-03 00:24:57 +01:00 |
| sysmon_win_reg_persistence.yml | Removed unnecessary '1 of them' in condition | 2019-02-13 21:26:02 +03:00 |
| sysmon_wmi_event_subscription.yml | Rule: WMI Event Subscription | 2019-01-12 12:03:36 +01:00 |
| sysmon_wmi_persistence_commandline_event_consumer.yml | added a few mitre attack tags to windows sysmon rules | 2018-07-26 21:15:07 -07:00 |
| sysmon_wmi_persistence_script_event_consumer_write.yml | added a few mitre attack tags to windows sysmon rules | 2018-07-26 21:15:07 -07:00 |
| sysmon_workflow_compiler.yml | Fixed rule | 2018-08-23 08:20:28 +02:00 |