Roberto Rodriguez Cyb3rWard0g
Cyb3rWard0g
/ StartLogging.xml
Last active
July 6, 2022 23:18
View StartLogging.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="4.32"> | |
| <!-- Capture all hashes --> | |
| <HashAlgorithms>*</HashAlgorithms> | |
| <DnsLookup>False</DnsLookup> | |
| <ArchiveDirectory>Archive</ArchiveDirectory> | |
| <EventFiltering> | |
| <RuleGroup name="" groupRelation="or"> | |
| <!-- Event ID 1 == Process Creation. Log all newly created processes except --> | |
| <ProcessCreate onmatch="exclude"> | |
| <Image condition="contains">splunk</Image> |
Cyb3rWard0g
/ winword_load.xml
Created
March 28, 2017 18:53
View winword_load.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="3.30"> | |
| <!-- Capture all hashes --> | |
| <HashAlgorithms>md5</HashAlgorithms> | |
| <EventFiltering> | |
| <!-- Event ID 1 == Process Creation. --> | |
| <ProcessCreate onmatch="include"/> | |
| <!-- Event ID 2 == File Creation Time. --> | |
| <FileCreateTime onmatch="include"/> | |
| <!-- Event ID 3 == Network Connection. --> | |
| <NetworkConnect onmatch="include"/> |
Cyb3rWard0g
/ calculator.xml
Last active
February 7, 2022 14:25
View calculator.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> | |
| - <System> | |
| <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> | |
| <EventID>1</EventID> | |
| <Version>5</Version> | |
| <Level>4</Level> | |
| <Task>1</Task> | |
| <Opcode>0</Opcode> | |
| <Keywords>0x8000000000000000</Keywords> | |
| <TimeCreated SystemTime="2018-07-06T12:55:22.864710300Z" /> |
Cyb3rWard0g
/ net.xml
Last active
July 6, 2018 14:07
View net.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> | |
| - <System> | |
| <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> | |
| <EventID>1</EventID> | |
| <Version>5</Version> | |
| <Level>4</Level> | |
| <Task>1</Task> | |
| <Opcode>0</Opcode> | |
| <Keywords>0x8000000000000000</Keywords> | |
| <TimeCreated SystemTime="2018-07-06T14:05:04.230108800Z" /> |
Cyb3rWard0g
/ StartLogging.xml
Last active
June 19, 2019 14:54
View StartLogging.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="4.1"> | |
| <!-- Capture all hashes --> | |
| <HashAlgorithms>*</HashAlgorithms> | |
| <EventFiltering> | |
| <!-- Event ID 1 == Process Creation. --> | |
| <ProcessCreate onmatch="include"> | |
| <Image name="Calculator Rule" condition="end with">Calculator.exe</Image> | |
| </ProcessCreate> | |
| </EventFiltering> | |
| </Sysmon> |
View T1136_net_config.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="4.1"> | |
| <!-- Capture all hashes --> | |
| <HashAlgorithms>*</HashAlgorithms> | |
| <EventFiltering> | |
| <!-- Event ID 1 == Process Creation. --> | |
| <ProcessCreate onmatch="include"> | |
| <Image condition="end with">net.exe</Image> | |
| <CommandLine name="technique_id=T1136,technique_name=Create_Account,tactic=persistence, platform=windows" condition="contains">user /add</CommandLine> | |
| </ProcessCreate> | |
| </EventFiltering> |
Cyb3rWard0g
/ sysmon_rulename_filter.conf
Created
July 6, 2018 22:34
View sysmon_rulename_filter.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| filter { | |
| if [log_name] == "Microsoft-Windows-Sysmon/Operational"{ | |
| if [event_data][RuleName] { | |
| kv { | |
| source => "[event_data][RuleName]" | |
| field_split => "," | |
| value_split => "=" | |
| prefix => "mitre_" | |
| transform_key => "lowercase" | |
| } |
Cyb3rWard0g
/ test_rulenames.xml
Last active
July 7, 2018 00:58
View test_rulenames.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="4.1"> | |
| <!-- Capture all hashes --> | |
| <HashAlgorithms>*</HashAlgorithms> | |
| <EventFiltering> | |
| <!-- Event ID 1 == Process Creation. --> | |
| <ProcessCreate onmatch="include"> | |
| <CommandLine name="technique_id=T1136,technique_name=create_accountccount,tactic=persistence, platform=windows" condition="contains">net user /add</CommandLine> | |
| <CommandLine name="technique_id=T1124,technique_name=system_time_discovery,tactic=discovery, platform=windows" condition="contains">net time</CommandLine> | |
| <CommandLine name="technique_id=T1087,technique_name=account_discovery,tactic=discovery, platform=windows" condition="contains">net localgroup</CommandLine> | |
| <CommandLine name="technique_id=T1007,technique_name=system_service_discovery,tactic=discovery, platform=windows" condition="contains">net start</CommandLine> |
Cyb3rWard0g
/ windows_filtering_platform_layers.xml
Created
October 4, 2018 05:53
View windows_filtering_platform_layers.xml
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8" standalone="yes"?> | |
| <wfpstate> | |
| <timeStamp>2018-10-04T05:38:46.705Z</timeStamp> | |
| <sessions numItems="15"> | |
| <item> | |
| <sessionKey>{3c1f4d46-4e9d-4fab-bcb5-00c5403ee1cd}</sessionKey> | |
| <displayData> | |
| <name/> | |
| <description/> | |
| </displayData> |
Cyb3rWard0g
/ elastalert_sysmon_powershell_suspicious_parameter_variation_needsfix.yml
Last active
December 25, 2018 06:45
View elastalert_sysmon_powershell_suspicious_parameter_variation_needsfix.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| alert: | |
| - slack | |
| slack_webhook_url: https://hooks.slack.com/services/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 | |
| description: Detects suspicious PowerShell invocation with a parameter substring | |
| filter: | |
| - query: | |
| query_string: | |
| query: (process_path:"*\\powershell.exe" AND (" \-windowstyle h " OR " \-windowstyl | |
| h" OR " \-windowsty h" OR " \-windowst h" OR " \-windows h" OR " \-windo h" | |
| OR " \-wind h" OR " \-win h" OR " \-wi h" OR " \-win h " OR " \-win hi " OR |
OlderNewer