Florian Roth cdf0894e6a Corrected error in certutil rules (-f means force overwrite, not file) ... > the -urlcache is the relevant command		2017-07-20 12:54:55 -06:00
..
sysmon_bitsadmin_download.yml	Added reference	2017-04-07 15:42:08 +02:00
sysmon_dhcp_calloutdll.yml	Corrected rule	2017-05-25 12:06:23 +02:00
sysmon_dns_serverlevelplugindll.yml	Suspicious DNS Server Config Error - Sysmon Rule	2017-05-08 13:39:50 +02:00
sysmon_malware_backconnect_ports.yml	Rules: Suspicious locations and back connect ports	2017-03-19 15:22:27 +01:00
sysmon_malware_script_dropper.yml	Extended malware script dropper rule	2017-05-25 14:59:16 +02:00
sysmon_malware_verclsid_shellcode.yml	Sysmon as 'service' of product 'windows'	2017-03-13 09:23:08 +01:00
sysmon_mimikatz_detection_lsass.yml	Sysmon as 'service' of product 'windows'	2017-03-13 09:23:08 +01:00
sysmon_mimikatz_inmemory_detection.yml	Sysmon as 'service' of product 'windows'	2017-03-13 09:23:08 +01:00
sysmon_mshta_spawn_shell.yml	Minor fix > list to single value	2017-04-16 12:01:03 +02:00
sysmon_office_macro_cmd.yml	Sysmon as 'service' of product 'windows'	2017-03-13 09:23:08 +01:00
sysmon_office_shell.yml	MSHTA Rule v1	2017-04-13 01:08:37 +02:00
sysmon_password_dumper_lsass.yml	Sysmon as 'service' of product 'windows'	2017-03-13 09:23:08 +01:00
sysmon_plugx_susp_exe_locations.yml	Moved PlugX rule & used builtin ID 4688 for another rule	2017-06-12 11:02:49 +02:00
sysmon_powershell_download.yml	Sysmon as 'service' of product 'windows'	2017-03-13 09:23:08 +01:00
sysmon_powershell_network_connection.yml	Reduced to user accounts	2017-03-13 19:09:29 +01:00
sysmon_powershell_suspicious_parameter_combo.yml	Bugfix in rule	2017-03-13 15:09:48 +01:00
sysmon_powershell_suspicious_parameter_variation.yml	Rule: Suspicious PowerShell Parameter Substring	2017-03-13 17:23:25 +01:00
sysmon_susp_certutil_command.yml	Corrected error in certutil rules (-f means force overwrite, not file)	2017-07-20 12:54:55 -06:00
sysmon_susp_cmd_http_appdata.yml	Rule: Suspicious cmd.exe combo with http and AppData	2017-04-03 10:41:10 +02:00
sysmon_susp_control_dll_load.yml	Suspicious Control Panel DLL Load	2017-04-15 23:32:26 +02:00
sysmon_susp_driver_load.yml	Sysmon as 'service' of product 'windows'	2017-03-13 09:23:08 +01:00
sysmon_susp_execution_path_webserver.yml	Rule: Suspicious executions in web folders / non-exe folders	2017-03-13 23:56:06 +01:00
sysmon_susp_execution_path.yml	Rules: Suspicious locations and back connect ports	2017-03-19 15:22:27 +01:00
sysmon_susp_mmc_source.yml	Sysmon as 'service' of product 'windows'	2017-03-13 09:23:08 +01:00
sysmon_susp_net_execution.yml	Improved Suspicious Net.exe Execution Rule	2017-05-25 12:44:56 +02:00
sysmon_susp_powershell_parent_combo.yml	PowerShell Combo - False Positive with MOM	2017-03-29 22:10:28 +02:00
sysmon_susp_prog_location_network_connection.yml	Rules: Suspicious locations and back connect ports	2017-03-19 15:22:27 +01:00
sysmon_susp_recon_activity.yml	Rule: Windows recon activity	2017-03-16 18:59:17 +01:00
sysmon_susp_regsvr32_anomalies.yml	Improved regsvr32.exe whitelisting bypass rule	2017-06-07 13:46:36 +02:00
sysmon_susp_schtask_creation.yml	Rule: Suspicious task creation description changed	2017-03-21 10:23:53 +01:00
sysmon_susp_script_execution.yml	Renamed and double removed	2017-03-26 01:27:08 +01:00
sysmon_susp_vssadmin_ntds_activity.yml	Combined vssadmin rule	2017-03-26 01:27:26 +01:00
sysmon_susp_wmi_execution.yml	Improved WMIC process call create rule	2017-03-29 22:11:05 +02:00
sysmon_uac_bypass_eventvwr.yml	Updated Eventvwr UAC evasion	2017-03-22 14:40:55 +01:00
sysmon_uac_bypass_sdclt.yml	Bugfix: Minor fix cause Sysmon uses SID as Software key	2017-03-21 10:44:53 +01:00
sysmon_vul_java_remote_debugging.yml	Sysmon as 'service' of product 'windows'	2017-03-13 09:23:08 +01:00
sysmon_webshell_detection.yml	Sysmon as 'service' of product 'windows'	2017-03-13 09:23:08 +01:00
sysmon_webshell_spawn.yml	Sysmon as 'service' of product 'windows'	2017-03-13 09:23:08 +01:00