Roberto Rodriguez Cyb3rWard0g
🍻
Cyb3rWard0g
/ StartLogging.xml
Last active
July 6, 2022 23:18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="4.32"> | |
| <!-- Capture all hashes --> | |
| <HashAlgorithms>*</HashAlgorithms> | |
| <DnsLookup>False</DnsLookup> | |
| <ArchiveDirectory>Archive</ArchiveDirectory> | |
| <EventFiltering> | |
| <RuleGroup name="" groupRelation="or"> | |
| <!-- Event ID 1 == Process Creation. Log all newly created processes except --> | |
| <ProcessCreate onmatch="exclude"> | |
| <Image condition="contains">splunk</Image> |
Cyb3rWard0g
/ winword_load.xml
Created
March 28, 2017 18:53
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="3.30"> | |
| <!-- Capture all hashes --> | |
| <HashAlgorithms>md5</HashAlgorithms> | |
| <EventFiltering> | |
| <!-- Event ID 1 == Process Creation. --> | |
| <ProcessCreate onmatch="include"/> | |
| <!-- Event ID 2 == File Creation Time. --> | |
| <FileCreateTime onmatch="include"/> | |
| <!-- Event ID 3 == Network Connection. --> | |
| <NetworkConnect onmatch="include"/> |
Cyb3rWard0g
/ calculator.xml
Last active
February 7, 2022 14:25
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> | |
| - <System> | |
| <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> | |
| <EventID>1</EventID> | |
| <Version>5</Version> | |
| <Level>4</Level> | |
| <Task>1</Task> | |
| <Opcode>0</Opcode> | |
| <Keywords>0x8000000000000000</Keywords> | |
| <TimeCreated SystemTime="2018-07-06T12:55:22.864710300Z" /> |
Cyb3rWard0g
/ net.xml
Last active
July 6, 2018 14:07
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> | |
| - <System> | |
| <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> | |
| <EventID>1</EventID> | |
| <Version>5</Version> | |
| <Level>4</Level> | |
| <Task>1</Task> | |
| <Opcode>0</Opcode> | |
| <Keywords>0x8000000000000000</Keywords> | |
| <TimeCreated SystemTime="2018-07-06T14:05:04.230108800Z" /> |
Cyb3rWard0g
/ StartLogging.xml
Last active
June 19, 2019 14:54
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="4.1"> | |
| <!-- Capture all hashes --> | |
| <HashAlgorithms>*</HashAlgorithms> | |
| <EventFiltering> | |
| <!-- Event ID 1 == Process Creation. --> | |
| <ProcessCreate onmatch="include"> | |
| <Image name="Calculator Rule" condition="end with">Calculator.exe</Image> | |
| </ProcessCreate> | |
| </EventFiltering> | |
| </Sysmon> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="4.1"> | |
| <!-- Capture all hashes --> | |
| <HashAlgorithms>*</HashAlgorithms> | |
| <EventFiltering> | |
| <!-- Event ID 1 == Process Creation. --> | |
| <ProcessCreate onmatch="include"> | |
| <Image condition="end with">net.exe</Image> | |
| <CommandLine name="technique_id=T1136,technique_name=Create_Account,tactic=persistence, platform=windows" condition="contains">user /add</CommandLine> | |
| </ProcessCreate> | |
| </EventFiltering> |
Cyb3rWard0g
/ sysmon_rulename_filter.conf
Created
July 6, 2018 22:34
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| filter { | |
| if [log_name] == "Microsoft-Windows-Sysmon/Operational"{ | |
| if [event_data][RuleName] { | |
| kv { | |
| source => "[event_data][RuleName]" | |
| field_split => "," | |
| value_split => "=" | |
| prefix => "mitre_" | |
| transform_key => "lowercase" | |
| } |
Cyb3rWard0g
/ test_rulenames.xml
Last active
July 7, 2018 00:58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="4.1"> | |
| <!-- Capture all hashes --> | |
| <HashAlgorithms>*</HashAlgorithms> | |
| <EventFiltering> | |
| <!-- Event ID 1 == Process Creation. --> | |
| <ProcessCreate onmatch="include"> | |
| <CommandLine name="technique_id=T1136,technique_name=create_accountccount,tactic=persistence, platform=windows" condition="contains">net user /add</CommandLine> | |
| <CommandLine name="technique_id=T1124,technique_name=system_time_discovery,tactic=discovery, platform=windows" condition="contains">net time</CommandLine> | |
| <CommandLine name="technique_id=T1087,technique_name=account_discovery,tactic=discovery, platform=windows" condition="contains">net localgroup</CommandLine> | |
| <CommandLine name="technique_id=T1007,technique_name=system_service_discovery,tactic=discovery, platform=windows" condition="contains">net start</CommandLine> |
Cyb3rWard0g
/ windows_filtering_platform_layers.xml
Created
October 4, 2018 05:53
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8" standalone="yes"?> | |
| <wfpstate> | |
| <timeStamp>2018-10-04T05:38:46.705Z</timeStamp> | |
| <sessions numItems="15"> | |
| <item> | |
| <sessionKey>{3c1f4d46-4e9d-4fab-bcb5-00c5403ee1cd}</sessionKey> | |
| <displayData> | |
| <name/> | |
| <description/> | |
| </displayData> |
Cyb3rWard0g
/ elastalert_sysmon_powershell_suspicious_parameter_variation_needsfix.yml
Last active
December 25, 2018 06:45
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| alert: | |
| - slack | |
| slack_webhook_url: https://hooks.slack.com/services/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 | |
| description: Detects suspicious PowerShell invocation with a parameter substring | |
| filter: | |
| - query: | |
| query_string: | |
| query: (process_path:"*\\powershell.exe" AND (" \-windowstyle h " OR " \-windowstyl | |
| h" OR " \-windowsty h" OR " \-windowst h" OR " \-windows h" OR " \-windo h" | |
| OR " \-wind h" OR " \-win h" OR " \-wi h" OR " \-win h " OR " \-win hi " OR |
OlderNewer