valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
f0c89239d3
SigmaHQ/rules/windows/sysmon
History
Florian Roth d3b623e92a Rule: suspicious pipes extended 
https://github.com/Neo23x0/sigma/issues/253
2019-02-21 13:26:48 +01:00
..
sysmon_ads_executable.yml Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00
sysmon_attrib_hiding_files.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_bitsadmin_download.yml ATT&CK software tag is added to Bitsadmin Download rule 2018-07-20 09:35:35 +03:00
sysmon_bypass_squiblytwo.yml Further ATT&CK tagging 2018-07-19 23:36:13 +02:00
sysmon_cactustorch.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_cmdkey_recon.yml Corrected reference to references as per Sigma's standard 2018-12-25 16:25:12 +03:00
sysmon_cmstp_com_object_access.yml Update sysmon_cmstp_com_object_access.yml 2018-10-09 19:03:30 -05:00
sysmon_cmstp_execution.yml Further ATT&CK tagging 2018-07-19 23:36:13 +02:00
sysmon_cobaltstrike_process_injection.yml rule: Cobalt Strike beacon detection via Remote Threat Creation 2018-11-30 10:25:05 +01:00
sysmon_dhcp_calloutdll.yml Cleaning up empty list items 2018-01-28 02:36:39 +03:00
sysmon_dns_serverlevelplugindll.yml Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00
sysmon_exploit_cve_2015_1641.yml Rule: CVE-2015-1641 2018-02-22 16:59:40 +01:00
sysmon_exploit_cve_2017_0261.yml Lowered severity of rule - prone to false positives 2018-02-22 16:59:11 +01:00
sysmon_exploit_cve_2017_8759.yml Fixed file names "vuln" > "exploit" 2018-02-22 13:29:19 +01:00
sysmon_exploit_cve_2017_11882.yml Cleaning up empty list items 2018-01-28 02:36:39 +03:00
sysmon_ghostpack_safetykatz.yml Correct MITRE tag 2019-01-22 21:26:07 +03:00
sysmon_lethalhta.yml style: renamed rule files to all lower case 2018-09-08 10:27:19 +02:00
sysmon_logon_scripts_userinitmprlogonscript.yml Rule: UserInitMprLogonScript persistence method 2019-01-12 12:03:36 +01:00
sysmon_mal_namedpipes.yml Rule: suspicious pipes extended 2019-02-21 13:26:48 +01:00
sysmon_malware_backconnect_ports.yml Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00
sysmon_malware_script_dropper.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_malware_verclsid_shellcode.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_mimikatz_detection_lsass.yml ATT&CK tagging QA 2018-09-20 12:44:44 +02:00
sysmon_mimikatz_inmemory_detection.yml added a few mitre attack tags to windows sysmon rules 2018-07-26 21:15:07 -07:00
sysmon_mshta_spawn_shell.yml ATT&CK tagging of MSHTA Spawning Windows Shell 2018-07-20 09:53:55 +03:00
sysmon_office_shell.yml Correct MITRE tag 2019-01-22 21:26:07 +03:00
sysmon_password_dumper_lsass.yml ATT&CK tagging 2018-07-17 23:58:11 +02:00
sysmon_plugx_susp_exe_locations.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_powershell_amsi_bypass.yml Add MITRE ATT&CK Tagging 2018-10-09 19:09:19 -05:00
sysmon_powershell_dll_execution.yml style: renamed rule files to all lower case 2018-09-08 10:27:19 +02:00
sysmon_powershell_download.yml added keywords & source to sysmon_powershell_download.yml 2019-02-07 18:25:04 -08:00
sysmon_powershell_exploit_scripts.yml Removed duplicate filters 2019-01-25 12:21:57 +03:00
sysmon_powershell_network_connection.yml Corrected class B private IP range to prevent false negatives 2019-01-04 12:50:41 +03:00
sysmon_powershell_renamed_ps.yml Rule: fixed bug in Renamed PowerShell rule 2019-02-13 13:23:02 +01:00
sysmon_powershell_suspicious_parameter_variation.yml Improve Rule & Updated HELK SIGMA Standardization Config 2018-12-08 11:30:21 +03:00
sysmon_powersploit_schtasks.yml Correct MITRE tag 2019-01-22 21:26:07 +03:00
sysmon_quarkspw_filedump.yml Various rule fixes 2018-03-27 14:35:49 +02:00
sysmon_rdp_reverse_tunnel.yml Rule: RDP over Reverse SSH Tunnel 2019-02-16 19:36:13 +01:00
sysmon_rundll32_net_connections.yml Corrected class B private IP range to prevent false negatives 2019-01-04 12:50:41 +03:00
sysmon_sdbinst_shim_persistence.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_shell_spawn_susp_program.yml Rule: FP in WMI persistence with SCCM 2019-02-05 15:57:54 +01:00
sysmon_ssp_added_lsa_config.yml Update sysmon_ssp_added_lsa_config.yml 2019-02-05 16:28:06 -05:00
sysmon_stickykey_like_backdoor.yml Fixed tag 2018-07-24 07:58:25 +02:00
sysmon_susp_certutil_command.yml Added '/' prefix, -encode switch, better renamed certutil coverage 2019-02-06 10:45:32 -05:00
sysmon_susp_cmd_http_appdata.yml Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
sysmon_susp_control_dll_load.yml Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
sysmon_susp_csc.yml Rule: Suspicious csc.exe parents 2019-02-11 13:50:51 +01:00
sysmon_susp_driver_load.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_susp_exec_folder.yml Rule: extended exec location rule to support 4688 events 2019-02-21 13:26:48 +01:00
sysmon_susp_execution_path_webserver.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_susp_execution_path.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_susp_file_characteristics.yml adjusted spaces 2019-02-06 11:10:42 +01:00
sysmon_susp_image_load.yml user subTee was removed from Twitter 2018-07-04 17:29:05 +02:00
sysmon_susp_mmc_source.yml Update sysmon_susp_mmc_source.yml 2018-07-13 18:49:08 -05:00
sysmon_susp_net_execution.yml added a few mitre attack tags to windows sysmon rules 2018-07-26 21:15:07 -07:00
sysmon_susp_outlook.yml adjusted MITRE ATTCK tag 2019-02-06 11:27:51 +01:00
sysmon_susp_ping_hex_ip.yml Rule: Ping hex IP address 2018-03-23 17:00:00 +01:00
sysmon_susp_powershell_parent_combo.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_susp_powershell_rundll32.yml Update sysmon_susp_powershell_rundll32.yml 2018-10-09 19:11:47 -05:00
sysmon_susp_prog_location_network_connection.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_susp_prog_location_process_starts.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_susp_recon_activity.yml Added field names to first rules 2017-09-12 23:54:04 +02:00
sysmon_susp_reg_persist_explorer_run.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_susp_regsvr32_anomalies.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_susp_run_key_img_folder.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_susp_schtask_creation.yml Correct MITRE tag 2019-01-22 21:26:07 +03:00
sysmon_susp_script_execution.yml Massive Title Cleanup 2018-01-27 10:57:30 +01:00
sysmon_susp_svchost.yml added att&ck tactic 2018-08-07 08:36:53 +02:00
sysmon_susp_taskmgr_localsystem.yml Rule: Suspicious taskmgr as LOCAL_SYSTEM 2018-03-19 16:36:39 +01:00
sysmon_susp_taskmgr_parent.yml Several rule updates 2018-03-19 16:36:15 +01:00
sysmon_susp_tscon_localsystem.yml Corrected reference to references as per Sigma's standard 2018-12-25 16:25:12 +03:00
sysmon_susp_tscon_rdp_redirect.yml Corrected reference to references as per Sigma's standard 2018-12-25 16:25:12 +03:00
sysmon_susp_vssadmin_ntds_activity.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_susp_wmi_execution.yml Update sysmon_susp_wmi_execution.yml 2018-08-07 08:19:58 +02:00
sysmon_sysinternals_eula_accepted.yml Rule: SysInternals EULA accept improved and renamed 2018-08-30 13:16:28 +02:00
sysmon_system_exe_anomaly.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_uac_bypass_eventvwr.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_uac_bypass_sdclt.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_vul_java_remote_debugging.yml fixed typo 2018-07-16 16:20:33 -05:00
sysmon_webshell_detection.yml added att&ck tag 2018-08-07 08:49:05 +02:00
sysmon_webshell_spawn.yml added att&ck tag 2018-08-07 08:50:01 +02:00
sysmon_win_binary_github_com.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_win_binary_susp_com.yml Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
sysmon_win_reg_persistence.yml Removed unnecessary '1 of them' in condition 2019-02-13 21:26:02 +03:00
sysmon_wmi_event_subscription.yml Rule: WMI Event Subscription 2019-01-12 12:03:36 +01:00
sysmon_wmi_persistence_commandline_event_consumer.yml added a few mitre attack tags to windows sysmon rules 2018-07-26 21:15:07 -07:00
sysmon_wmi_persistence_script_event_consumer_write.yml added a few mitre attack tags to windows sysmon rules 2018-07-26 21:15:07 -07:00
sysmon_workflow_compiler.yml Fixed rule 2018-08-23 08:20:28 +02:00