Ecosyste.ms: Issues
An open API service for providing issue and pull request metadata for open source projects.
GitHub / olafhartong/sysmon-modular issues and pull requests
#97 - Added other named pipe used by Cobalt Strike.
Pull Request -
State: closed - Opened by WojciechLesicki over 3 years ago
- 2 comments
#96 - Events id12 with version 13.10
Issue -
State: closed - Opened by janlinhart-BC over 3 years ago
- 4 comments
Labels: sysmon-bug
#95 - PR - skibum1869
Pull Request -
State: closed - Opened by olafhartong over 3 years ago
#94 - Source file name in XML
Issue -
State: closed - Opened by istvanSA over 3 years ago
- 1 comment
#93 - Deletion duplicate entries on include_living_off_the_land.xml
Pull Request -
State: closed - Opened by mlp1515 over 3 years ago
#92 - Bug GroupRelation
Issue -
State: closed - Opened by V1D1AN over 3 years ago
- 3 comments
Labels: sysmon-bug
#91 - FileDelete instead of FileDeleteDetection?
Issue -
State: closed - Opened by Fiebererdi over 3 years ago
#90 - Thousands of "network connect" logs on single RDP (port 3389) connection
Issue -
State: closed - Opened by Suirand1 over 3 years ago
- 2 comments
#89 - typo in file name 'include_living_of_the_land.xml'
Issue -
State: closed - Opened by alireza-ebrahimi over 3 years ago
- 1 comment
#88 - My bad or an issue? registry_event exclude ending up in wrong place
Issue -
State: closed - Opened by DkYSwe over 3 years ago
- 1 comment
#87 - Event ID 15: FileCreateStreamHash - Redundant entries
Issue -
State: closed - Opened by Yuvraj-Takey over 3 years ago
- 1 comment
#86 - retry "Thehack3r4chan master"
Pull Request -
State: closed - Opened by olafhartong over 3 years ago
- 1 comment
#85 - Added a few additional EDR and drive exclusions
Pull Request -
State: closed - Opened by skibum1869 over 3 years ago
- 1 comment
#84 - Revert "Thehack3r4chan master"
Pull Request -
State: closed - Opened by olafhartong over 3 years ago
#83 - Thehack3r4chan master
Pull Request -
State: closed - Opened by olafhartong over 3 years ago
#82 - Enriched rule names
Pull Request -
State: open - Opened by Doserdog over 3 years ago
- 4 comments
#81 - [Feature] Enrich rule names with Tactics and Sub-techniques ⚗️
Issue -
State: open - Opened by nicpenning over 3 years ago
#80 - Version 1.0 of Sysmon to MITRE ATT&CK compare script
Pull Request -
State: open - Opened by nicpenning over 3 years ago
- 4 comments
#79 - [Feature] Compare Sysmon to MITRE ATT&CK - Script 🤖
Issue -
State: open - Opened by nicpenning over 3 years ago
#78 - latest config erroring out
Issue -
State: closed - Opened by spitzd over 3 years ago
- 2 comments
#77 - File creation of ransomware extensions and notes
Pull Request -
State: open - Opened by sduff over 3 years ago
- 1 comment
#76 - Updating module files for service creation and scheduled tasks
Pull Request -
State: closed - Opened by jsecurity101 over 3 years ago
#75 - Fixing module files
Pull Request -
State: closed - Opened by jsecurity101 over 3 years ago
- 1 comment
#74 - Updates around service creation and scheduled tasks
Pull Request -
State: closed - Opened by jsecurity101 over 3 years ago
#73 - Fixed dns exclusion typos
Pull Request -
State: closed - Opened by aguyinahoodie almost 4 years ago
- 1 comment
#72 - Stop clipboard logging
Pull Request -
State: closed - Opened by aguyinahoodie almost 4 years ago
- 3 comments
#71 - ^ Symbol in 1_process_creation/include_dosfuscation.xml is UNICODE not ASCII
Issue -
State: closed - Opened by kesheldr almost 4 years ago
- 2 comments
#70 - Added 22_dns_query/exclude_hydro_group_domains.xml
Pull Request -
State: closed - Opened by ghost almost 4 years ago
#69 - BSOD on windows 10 machines.
Issue -
State: closed - Opened by ravenousld3341 almost 4 years ago
- 3 comments
#68 - Updates Event ID 6 to default to logging all driver loads
Pull Request -
State: closed - Opened by aguyinahoodie almost 4 years ago
- 1 comment
#67 - Include Windows Powershell logging tampering
Pull Request -
State: closed - Opened by MatilJ almost 4 years ago
- 1 comment
#66 - Is the comparison in exclude_microsoft_drivers.xml secure enough?
Issue -
State: closed - Opened by foxmsft almost 4 years ago
- 1 comment
#65 - incorrect SecurityProviders registry path
Issue -
State: closed - Opened by lslng about 4 years ago
- 1 comment
#64 - technique_id fixes
Pull Request -
State: closed - Opened by mtgoodman about 4 years ago
#63 - Add netlogon detection via lsass.exe and EventCode 3
Pull Request -
State: closed - Opened by DustyMMiller about 4 years ago
#62 - Bad technique id ("1053" instead of "T1053")
Issue -
State: closed - Opened by almico about 4 years ago
- 1 comment
#61 - Exclude Slack
Pull Request -
State: closed - Opened by MattLParker about 4 years ago
#60 - Exclude Palo Alto Cortex Process Hollowing/Network
Pull Request -
State: closed - Opened by MattLParker about 4 years ago
#59 - Palo alto cortex
Pull Request -
State: closed - Opened by MattLParker about 4 years ago
#58 - Remove exclusion for autoruns registry keys
Pull Request -
State: closed - Opened by glennbarrett about 4 years ago
- 1 comment
#57 - Create exclude_teams.xml for Microsoft Teams
Pull Request -
State: closed - Opened by glennbarrett over 4 years ago
- 1 comment
#56 - Schema Changes and Detection Inclusions
Pull Request -
State: closed - Opened by TallJohnBrown over 4 years ago
- 3 comments
#55 - Generating a config file
Issue -
State: closed - Opened by Yuvraj-Takey over 4 years ago
- 3 comments
#54 - Added organization specific include/exclude files
Pull Request -
State: closed - Opened by nterl0k over 4 years ago
- 2 comments
#53 - sysmonconfig.xml install/update error
Issue -
State: closed - Opened by shnlnryn over 4 years ago
- 5 comments
#52 - Encoding on sysmonconfig.xml
Issue -
State: closed - Opened by cowbe0x004 over 4 years ago
- 3 comments
#51 - Use Github Actions to generate config
Pull Request -
State: closed - Opened by j91321 over 4 years ago
- 4 comments
#50 - Mitre ATT@CK
Issue -
State: open - Opened by V1D1AN over 4 years ago
- 3 comments
#49 - schema issue with Sysmon 11.10
Issue -
State: closed - Opened by russweir over 4 years ago
- 5 comments
#48 - Typo fix in dbgcore DLL name
Pull Request -
State: closed - Opened by emiliedns over 4 years ago
- 1 comment
#47 - Rule name duplicate
Issue -
State: closed - Opened by PK747 over 4 years ago
- 1 comment
#46 - Sysmon-modular to unify two XML configurations
Issue -
State: closed - Opened by skynet-shd over 4 years ago
- 1 comment
#45 - pre v11 merge
Pull Request -
State: closed - Opened by olafhartong over 4 years ago
#44 - find rules from basepath, include/exclude rule list capabilities
Pull Request -
State: closed - Opened by mbmy over 4 years ago
- 1 comment
#43 - Where do I change HashAlgorithms?
Issue -
State: closed - Opened by cowbe0x004 over 4 years ago
- 1 comment
Labels: question
#42 - Why are the rules in include_mimikatz_inmem.xml grouped with an "and"?
Issue -
State: closed - Opened by rtkbkish over 4 years ago
- 1 comment
#41 - MergeAllSysmonXml
Issue -
State: closed - Opened by Iwatch31 over 4 years ago
- 1 comment
#40 - Cannot merge config file
Issue -
State: closed - Opened by francescouk over 4 years ago
- 13 comments
#39 - Question - Difference between compiling the config and the sysmonconfig.xml file included
Issue -
State: closed - Opened by AKPoppas over 4 years ago
- 2 comments
Labels: question
#38 - Modular File Management vs Single Config File Management
Issue -
State: open - Opened by kingk789 almost 5 years ago
- 1 comment
Labels: good first issue, question
#37 - Addition of T1482
Pull Request -
State: closed - Opened by ijlalhaider1996 almost 5 years ago
- 1 comment
#36 - How to Map kill chain phases ?
Issue -
State: closed - Opened by Hilmand almost 5 years ago
- 1 comment
#35 - Merge-AllSysmonXml : Cannot bind argument to parameter 'Path' because it is null.
Issue -
State: closed - Opened by Hilmand almost 5 years ago
- 1 comment
#34 - I don't have the Merge-AllSysmonXml in my directory.
Issue -
State: closed - Opened by Hilmand almost 5 years ago
- 8 comments
#33 - If a target double-clicks a malicious document/executable/etc in a fi…
Pull Request -
State: closed - Opened by stressboi almost 5 years ago
- 1 comment
#32 - Rule T1130/T1089 triggers at every GPO update
Issue -
State: open - Opened by koppensb almost 5 years ago
- 2 comments
Labels: question
#31 - Added config for lsass file written to disk from task manager dumping…
Pull Request -
State: closed - Opened by Joshua1909 almost 5 years ago
- 2 comments
#30 - DLL added to detect tools like powershdll.exe
Pull Request -
State: closed - Opened by Pegase14 almost 5 years ago
- 1 comment
#29 - Feature Request: Automated removal of entries
Issue -
State: closed - Opened by Rivosyke about 5 years ago
- 2 comments
Labels: enhancement, help wanted
#28 - Config file not working as expected
Issue -
State: closed - Opened by PurpleV0id about 5 years ago
- 2 comments
#27 - Fix pipeline support + rule ordering
Pull Request -
State: closed - Opened by IISResetMe about 5 years ago
- 1 comment
#26 - New exclusions for Azure Sentinel - ProcessCreate and PipeEvent
Issue -
State: closed - Opened by cyb3rxp about 5 years ago
- 3 comments
Labels: enhancement
#25 - Add Trend Micro Deep Security exclusions
Issue -
State: closed - Opened by pdoconnell about 5 years ago
- 1 comment
#24 - Update 1_process_creation/exclude_trend_micro.xml
Pull Request -
State: closed - Opened by pdoconnell about 5 years ago
- 1 comment
#23 - V10.4
Pull Request -
State: closed - Opened by olafhartong about 5 years ago
#22 - Updates to merge script
Pull Request -
State: closed - Opened by IISResetMe about 5 years ago
#21 - Add Merge-SysmonXml.ps1
Pull Request -
State: closed - Opened by IISResetMe about 5 years ago
- 1 comment
#20 - Error while running Generate-sysmon-config.ps1
Issue -
State: closed - Opened by Sumitsrjhs about 5 years ago
- 6 comments
Labels: question
#19 - Partial duplicate file - 11_file_create/include_ms_office_documents_with_macros - Copy.xml
Issue -
State: closed - Opened by Hodgegoblin over 5 years ago
- 1 comment
#18 - i can't generate new configuration
Issue -
State: closed - Opened by CyberKerberos over 5 years ago
- 1 comment
#17 - Sysmon 9.0
Issue -
State: closed - Opened by momilor over 5 years ago
- 2 comments
Labels: question
#16 - Credential Dumping - false positive?
Issue -
State: closed - Opened by griffo138 almost 6 years ago
- 1 comment
#15 - condition="is" is removed after merge.
Issue -
State: closed - Opened by 82d28a almost 6 years ago
- 1 comment
#14 - Added filter out regex and force overwrite backup
Pull Request -
State: closed - Opened by gwsales almost 6 years ago
#13 - New exclusions for antimalwares - NetworkConnect
Issue -
State: closed - Opened by cyb3rxp about 6 years ago
- 1 comment
#12 - New exclusions for antimalwares - ProcessCreate
Issue -
State: closed - Opened by cyb3rxp about 6 years ago
- 2 comments
#11 - Error When Running Merge-SysmonCMLConfiguration
Issue -
State: closed - Opened by Th3J0kr about 6 years ago
- 3 comments
#10 - Error when running Merge-SysmonXMLConfiguration
Issue -
State: closed - Opened by dsplice about 6 years ago
- 2 comments
#9 - The '1_process_creation/include_living_of_the_land.xml' rule item has a duplicate
Issue -
State: closed - Opened by MyKings about 6 years ago
- 1 comment
#8 - Question - Generate config with PSSysmonTools
Issue -
State: closed - Opened by markus-nclose about 6 years ago
- 3 comments
#7 - AppInit_DLLs Detection Issue
Issue -
State: closed - Opened by innijjer over 6 years ago
- 1 comment
#6 - AppInit_DLLs Detection
Issue -
State: closed - Opened by innijjer over 6 years ago
#5 - Merge documentation maintenance fixes and addition of new configs
Pull Request -
State: closed - Opened by netevert over 6 years ago
#4 - Merge documentation updates
Pull Request -
State: closed - Opened by netevert over 6 years ago
- 1 comment
#3 - Add license
Issue -
State: closed - Opened by netevert over 6 years ago
- 1 comment
#2 - Added cmdkey.exe
Pull Request -
State: closed - Opened by bfuzzy over 6 years ago
- 1 comment
#1 - XML error (exclude_lsass_noise)
Issue -
State: closed - Opened by nshalabi over 6 years ago
- 1 comment