valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
648ac5a52e
SigmaHQ/rules/windows/sysmon
History
Florian Roth 648ac5a52e Rules: tscon.exe anomalies 
http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
2018-03-17 19:14:13 +01:00
..
sysmon_bitsadmin_download.yml Cleaning up empty list items 2018-01-28 02:36:39 +03:00
sysmon_dhcp_calloutdll.yml Cleaning up empty list items 2018-01-28 02:36:39 +03:00
sysmon_dns_serverlevelplugindll.yml Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
sysmon_exploit_cve_2015_1641.yml Rule: CVE-2015-1641 2018-02-22 16:59:40 +01:00
sysmon_exploit_cve_2017_0261.yml Lowered severity of rule - prone to false positives 2018-02-22 16:59:11 +01:00
sysmon_exploit_cve_2017_8759.yml Fixed file names "vuln" > "exploit" 2018-02-22 13:29:19 +01:00
sysmon_exploit_cve_2017_11882.yml Cleaning up empty list items 2018-01-28 02:36:39 +03:00
sysmon_mal_namedpipes.yml Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
sysmon_malware_backconnect_ports.yml Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
sysmon_malware_script_dropper.yml Added field names to first rules 2017-09-12 23:54:04 +02:00
sysmon_malware_verclsid_shellcode.yml Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
sysmon_mimikatz_detection_lsass.yml Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
sysmon_mimikatz_inmemory_detection.yml Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
sysmon_mshta_spawn_shell.yml Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
sysmon_office_macro_cmd.yml Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
sysmon_office_shell.yml Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
sysmon_outlook_shell.yml Rule: Outlook spawning shells to detect Turla like C&C via Outlook 2018-03-10 09:04:11 +01:00
sysmon_password_dumper_lsass.yml Added proper handling of null/not null values 2017-10-29 23:57:39 +01:00
sysmon_plugx_susp_exe_locations.yml Cleaning up empty list items 2018-01-28 02:36:39 +03:00
sysmon_powershell_download.yml Added field names to first rules 2017-09-12 23:54:04 +02:00
sysmon_powershell_network_connection.yml Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
sysmon_powershell_suspicious_parameter_variation.yml Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
sysmon_quarkspw_filedump.yml Rule: QuarksPwDump temp dump file 2018-02-10 15:25:36 +01:00
sysmon_rundll32_net_connections.yml Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
sysmon_stickykey_like_backdoor.yml Add missing binaries 2018-03-16 10:52:43 +01:00
sysmon_susp_certutil_command.yml Cleaning up empty list items 2018-01-28 02:36:39 +03:00
sysmon_susp_cmd_http_appdata.yml Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
sysmon_susp_control_dll_load.yml Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
sysmon_susp_driver_load.yml Sysmon as 'service' of product 'windows' 2017-03-13 09:23:08 +01:00
sysmon_susp_exec_folder.yml Cleaning up empty list items 2018-01-28 02:36:39 +03:00
sysmon_susp_execution_path_webserver.yml Added field names to first rules 2017-09-12 23:54:04 +02:00
sysmon_susp_execution_path.yml Added field names to first rules 2017-09-12 23:54:04 +02:00
sysmon_susp_mmc_source.yml Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
sysmon_susp_net_execution.yml Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
sysmon_susp_powershell_parent_combo.yml Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
sysmon_susp_prog_location_network_connection.yml Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
sysmon_susp_recon_activity.yml Added field names to first rules 2017-09-12 23:54:04 +02:00
sysmon_susp_regsvr32_anomalies.yml Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
sysmon_susp_run_key_img_folder.yml Rule: New RUN Key Pointing to Suspicious Folder 2017-10-17 16:19:56 +02:00
sysmon_susp_schtask_creation.yml Added field names to first rules 2017-09-12 23:54:04 +02:00
sysmon_susp_script_execution.yml Massive Title Cleanup 2018-01-27 10:57:30 +01:00
sysmon_susp_svchost.yml Added field names to first rules 2017-09-12 23:54:04 +02:00
sysmon_susp_taskmgr_parent.yml Rule: Suspicious process started from taskmgr 2018-03-15 19:54:03 +01:00
sysmon_susp_tscon_localsystem.yml Rules: tscon.exe anomalies 2018-03-17 19:14:13 +01:00
sysmon_susp_tscon_rdp_redirect.yml Rules: tscon.exe anomalies 2018-03-17 19:14:13 +01:00
sysmon_susp_vssadmin_ntds_activity.yml Cleaning up empty list items 2018-01-28 02:36:39 +03:00
sysmon_susp_wmi_execution.yml Cleaning up empty list items 2018-01-28 02:36:39 +03:00
sysmon_system_exe_anomaly.yml Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
sysmon_uac_bypass_eventvwr.yml Cleaning up empty list items 2018-01-28 02:36:39 +03:00
sysmon_uac_bypass_sdclt.yml Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
sysmon_vul_java_remote_debugging.yml Massive Title Cleanup 2018-01-27 10:57:30 +01:00
sysmon_webshell_detection.yml Added field names to first rules 2017-09-12 23:54:04 +02:00
sysmon_webshell_spawn.yml Massive Title Cleanup 2018-01-27 10:57:30 +01:00
sysmon_win_binary_github_com.yml Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
sysmon_wmi_persistence_commandline_event_consumer.yml WMI persistence rules derived from blog article 2018-03-07 23:05:10 +01:00
win_wmi_persistence_script_event_consumer_write.yml WMI persistence rules derived from blog article 2018-03-07 23:05:10 +01:00