-
Notifications
You must be signed in to change notification settings - Fork 19
/
config_v17.xml
388 lines (385 loc) · 30.9 KB
/
config_v17.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
<?xml version="1.0"?>
<!-- Sysmon sample configuration file (Updated: 12/7/2018)
Created by: Moti Bani ([email protected])
This file was build based on SwiftOnSecurity configuratuin file (https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config)
=====================================================
THIS SAMPLE FILE AND ANY RELATED INFORMATION
ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT
LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND/OR FITNESS FOR A PARTICULAR PURPOSE
Use is subject to the terms specified at http://www.microsoft.com/info/cpyright.htm. -->
<Sysmon schemaversion="4.1">
<HashAlgorithms>SHA256</HashAlgorithms>
<EventFiltering>
<!--Event ID 1: Process creation-->
<ProcessCreate onmatch="exclude">
<!-- Exclude Universal sandboxed apps -->
<IntegrityLevel condition="is">AppContainer</IntegrityLevel>
<!-- Exclude common Windows binaries-->
<Image condition="is">C:\Windows\System32\conhost.exe</Image>
<Image condition="is">C:\Program Files (x86)\BigFix Enterprise\BES Client\x64environment.exe</Image>
<Image condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe</Image>
<Image condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</Image>
<Image condition="is">C:\Windows\SysWOW64\wbem\WmiPrvSE.exe</Image>
<Image condition="is">C:\Windows\System32\wbem\WmiApSrv.exe</Image>
<Image condition="is">C:\Windows\System32\RuntimeBroker.exe</Image>
<Image condition="is">C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe</Image>
<Image condition="is">C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe</Image>
<Image condition="is">C:\Windows\System32\MusNotification.exe</Image>
<Image condition="is">C:\Windows\System32\csrss.exe</Image>
<Image condition="is">C:\Windows\System32\wermgr.exe</Image>
<Image condition="is">C:\Windows\System32\audiodg.exe</Image>
<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
<Image condition="is">C:\Windows\System32\BackgroundTransferHost.exe</Image>
<Image condition="is">C:\Windows\System32\dllhost.exe</Image>
<Image condition="is">C:\Windows\System32\smartscreen.exe</Image>
<Image condition="is">C:\Windows\System32\SearchFilterHost.exe</Image>
<Image condition="is">C:\Windows\System32\conhost.exe</Image>
<Image condition="is">C:\Windows\System32\SearchProtocolHost.exe</Image>
<Image condition="is">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
<Image condition="is">C:\Windows\System32\msiexec.exe</Image>
<Image condition="is">C:\Windows\System32\consent.exe</Image>
<Image condition="is">C:\Windows\System32\taskhostw.exe</Image>
<Image condition="is">C:\Windows\System32\taskhost.exe</Image>
<Image condition="is">C:\Windows\system32\sppsvc.exe</Image>
<Image condition="is">C:\Windows\system32\svchost.exe</Image>
<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</Image>
<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe</Image>
<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image>
<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image>
<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image>
<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image>
<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</Image>
<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image>
<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</Image>
<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image>
<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</Image>
<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</Image>
</ProcessCreate>
<!-- Event ID 2: A process changed a file creation time -->
<FileCreateTime onmatch="include">
<Image name="Mitre: T1099" condition="begin with">C:\Users</Image>
</FileCreateTime>
<FileCreateTime onmatch="exclude">
<Image condition="contains">Microsoft\OneDrive\OneDrive.exe</Image>
<Image condition="is">C:\Program Files\Mozilla Firefox\firefox.exe</Image>
<Image condition="is">C:\Program Files\Google\Chrome\Application\chrome.exe</Image>
<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
<Image condition="is">C:\Windows\system32\svchost.exe</Image>
<Image condition="is">C:\Windows\system32\ServerManager.exe</Image>
<Image condition="is">C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.7369.6900.105\Bin\ccSvcHst.exe</Image>
</FileCreateTime>
<!--Event ID 3: Network connection-->
<NetworkConnect onmatch="include">
<!-- Suspicious Directories-->
<Image condition="begin with">C:\Users</Image>
<Image condition="begin with">C:\ProgramData</Image>
<Image condition="begin with">C:\Windows\Temp</Image>
<Image condition="begin with">C:\Temp</Image>
<Image name="Mitre: T1218" condition="image">SyncAppvPublishingServer.exe</Image>
<Image name="Mitre: T1218" condition="image">Mavinject.exe</Image>
<!-- Suspicious Processes-->
<Image condition="end with">certutil.exe</Image>
<Image condition="end with">net.exe</Image>
<Image condition="end with">auditpol.exe</Image>
<Image condition="end with">at.exe</Image>
<Image condition="end with">mshta.exe</Image>
<Image condition="end with">notepad.exe</Image>
<Image condition="end with">reg.exe</Image>
<Image condition="end with">sc.exe</Image>
<Image condition="end with">powershell.exe</Image>
<Image condition="end with">cmd.exe</Image>
<Image name="Mitre:https://attack.mitre.org/wiki/Technique/T1047" condition="end with">wmic.exe</Image>
<Image condition="end with">cscript.exe</Image>
<Image condition="end with">wscript.exe</Image>
<Image name="Mitre: https://attack.mitre.org/wiki/Technique/T1085" condition="end with">rundll32.exe</Image>
<Image name="Mitre: https://attack.mitre.org/wiki/Technique/T1117" condition="end with">regsvr32.exe</Image>
<Image condition="end with">dsquery.exe</Image>
<Image condition="end with">qwinsta.exe</Image>
<!-- SysIntenrlas PsExec -->
<Image condition="contains">psexe</Image>
<!-- Common Ports [https://attack.mitre.org/wiki/Technique/T1043]-->
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1043" condition="is">80</DestinationPort>
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1043" condition="is">8080</DestinationPort>
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1043" condition="is">443</DestinationPort>
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1043" condition="is">53</DestinationPort>
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1043" condition="is">135</DestinationPort>
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1043" condition="is">22</DestinationPort>
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1043" condition="is">23</DestinationPort>
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1043" condition="is">25</DestinationPort>
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1043" condition="is">3389</DestinationPort>
<!-- Interesting ports -->
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1043" condition="is">445</DestinationPort>
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1043" condition="is">3389</DestinationPort>
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1043" condition="is">5985</DestinationPort>
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1043" condition="is">5986</DestinationPort>
<!-- Suspicious uncommon ports [https://attack.mitre.org/wiki/Technique/T1065]-->
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1065" condition="is">1913</DestinationPort>
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1065" condition="is">81</DestinationPort>
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1065" condition="is">8081</DestinationPort>
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1065" condition="is">8282</DestinationPort>
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1065" condition="is">8083</DestinationPort>
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1065" condition="is">995</DestinationPort>
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1065" condition="is">6868</DestinationPort>
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1065" condition="is">7777</DestinationPort>
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1065" condition="is">8888</DestinationPort>
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1065" condition="is">13000</DestinationPort>
<DestinationPort name="Mitre: https://attack.mitre.org/wiki/Technique/T1065" condition="is">8088</DestinationPort>
<!-- Tor protocol -->
<DestinationPort condition="is">1723</DestinationPort>
<DestinationPort condition="is">4500</DestinationPort>
<DestinationPort condition="is">9001</DestinationPort>
</NetworkConnect>
<NetworkConnect onmatch="exclude">
<DestinationHostname condition="end with">microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname>
<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname>
<Image condition="contains">Microsoft\OneDrive\OneDrive.exe</Image>
<Image condition="is">C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe</Image>
<Image condition="is">C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe</Image>
<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
<Image condition="is">C:\Program Files\Mozilla Firefox\firefox.exe</Image>
<Image condition="is">C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.209.0_x64__kzf8qxf38zg5c\SkypeHost.exe</Image>
<Image condition="end with">\AppData\Local\WhatsApp\app-0.2.9229\WhatsApp.exe</Image>
<Image condition="is">C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe</Image>
<Image condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe</Image>
<Image condition="is">C:\WindowsAzure\GuestAgent_2.7.41491.875\Telemetry\WindowsAzureTelemetryService.exe</Image>
<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
</NetworkConnect>
<!--Event ID 5: Process terminated-->
<ProcessTerminate onmatch="include">
<Image name="Mitre: https://attack.mitre.org/wiki/Technique/T1044" condition="begin with">C:\Users</Image>
<Image name="Mitre: https://attack.mitre.org/wiki/Technique/T1089" condition="is">Sysmon.exe</Image>
<!--Detect killing Sysmon, Credit: @vector_sec-->
</ProcessTerminate>
<ProcessTerminate onmatch="exclude">
</ProcessTerminate>
<!--Event ID 6: Driver loaded-->
<DriverLoad onmatch="exclude">
<Signature condition="is">Microsoft Windows</Signature>
<Signature condition="is">Microsoft Corporation</Signature>
<Signature condition="is">NVIDIA Corporation</Signature>
<Signature condition="begin with">Intel</Signature>
</DriverLoad>
<!--Event ID 7: Image loaded-->
<ImageLoad onmatch="include">
<!-- Temp DLL's loaded-->
<ImageLoaded condition="contains">\Temp\</ImageLoaded>
<ImageLoaded condition="begin with">C:\Users</ImageLoaded>
<!-- Mimikatz DLLs-->
<ImageLoaded name="Mitre: https://attack.mitre.org/wiki/Technique/T1098" condition="contains">mimilib.dll</ImageLoaded>
<ImageLoaded name="Mitre: https://attack.mitre.org/wiki/Technique/T1098" condition="contains">WinSCard.dll</ImageLoaded>
<ImageLoaded name="Mitre: https://attack.mitre.org/wiki/Technique/T1098" condition="contains">samlib.dll</ImageLoaded>
<!-- PowerShell DLL -->
<ImageLoaded name="Mitre: https://attack.mitre.org/wiki/Technique/T1086" condition="contains">System.Management.Automation</ImageLoaded>
</ImageLoad>
<ImageLoad onmatch="exclude">
<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
<Image condition="is">C:\Windows\System32\mmc.exe</Image>
<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
<!-- Windows Store apps unsigned -->
<ImageLoaded condition="contains">C:\Windows\assembly\NativeImages</ImageLoaded>
<!-- Event Viewer -->
<ImageLoaded condition="contains">C:\Program Files\WindowsApps</ImageLoaded>
<!-- Windows Store Apps: Apparently most dll's here are unsigned and causes noise -->
</ImageLoad>
<!--Event ID 8: CreateRemoteThread-->
<!-- Exclude 'safe' list of certain processes that cause high event volumes -->
<CreateRemoteThread onmatch="exclude">
<SourceImage condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\svchost.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\wininit.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\csrss.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\services.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\winlogon.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\audiodg.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\rdpclip.exe</SourceImage>
<SourceImage condition="is">c:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
</CreateRemoteThread>
<!--Event ID 9: RawAccessRead-->
<RawAccessRead onmatch="include">
<!-- Focus on scripts as many Windows binaries are using RawAccess -->
<Image name="https://attack.mitre.org/wiki/Software/S0029" condition="image">psexec.exe</Image>
<Image name="https://attack.mitre.org/wiki/Software/S0029" condition="image">psexesvc.exe</Image>
<Image condition="image">powershell.exe</Image>
<Image condition="image">cmd.exe</Image>
<Image name="Mitre:https://attack.mitre.org/wiki/Technique/T1047" condition="image">wmic.exe</Image>
<Image condition="image">cscript.exe</Image>
<Image condition="image">wscript.exe</Image>
<Image name="Mitre: https://attack.mitre.org/wiki/Technique/T1085" condition="image">rundll32.exe</Image>
<Image name="Mitre: https://attack.mitre.org/wiki/Technique/T1117" condition="image">regsvr32.exe</Image>
</RawAccessRead>
<!--Event ID 10: ProcessAccess-->
<ProcessAccess onmatch="include">
<SourceImage condition="image">winword.exe</SourceImage>
<SourceImage condition="image">excel.exe</SourceImage>
<SourceImage condition="image">mspub.exe</SourceImage>
<SourceImage name="Mitre: https://attack.mitre.org/wiki/Technique/T1127" condition="image">msbuild.exe</SourceImage>
<SourceImage condition="image">powerpnt.exe</SourceImage>
<SourceImage condition="contains">powershell.exe</SourceImage>
<!-- ShellCode Spawned from Office Macros Credit: @JohnLaTwC -->
<CallTrace condition="contains">VBE7.dll</CallTrace>
<CallTrace condition="contains">VBE6.dll</CallTrace>
<!--Include mimikatz-specific events.-->
<TargetImage name="Mitre: https://attack.mitre.org/wiki/Technique/T1098" condition="contains">C:\Windows\System32\lsass.exe</TargetImage>
<TargetImage condition="contains">C:\Windows\System32\winlogon.exe</TargetImage>
</ProcessAccess>
<ProcessAccess onmatch="exclude">
<!-- Exclude 'safe' list of certain processes that cause high event volumes -->
<SourceImage condition="is">C:\ProgramData\Microsoft\Windows Defender\platform\4.16.17656.18052-0\MsMpEng.exe</SourceImage>
<SourceImage condition="is">C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe</SourceImage>
<SourceImage condition="is">C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.7369.6900.105\Bin\ccSvcHst.exe</SourceImage>
<SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Resources\133\pmfexe.exe</SourceImage>
<SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe</SourceImage>
<SourceImage condition="is">C:\Program Files (x86)\PowerPlug\Agent\p3comsvc.exe</SourceImage>
<SourceImage condition="is">C:\Packages\Plugins\Microsoft.Azure.Diagnostics.IaaSDiagnostics\1.11.3.9\Monitor\x64\MonAgentCore.exe</SourceImage>
<SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe</SourceImage>
<SourceImage condition="is">C:\Program Files\Logitech\SetPointP\SetPoint.exe</SourceImage>
<SourceImage condition="is">C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\IDE\PerfWatson2.exe</SourceImage>
<SourceImage condition="is">C:\Program Files\Mozilla Firefox\firefox.exe</SourceImage>
<SourceImage condition="is">c:\windows\system32\svchost.exe</SourceImage>
<SourceImage condition="is">C:\WINDOWS\system32\wbem\wmiprvse.exe</SourceImage>
<SourceImage condition="is">C:\WINDOWS\System32\perfmon.exe</SourceImage>
<SourceImage condition="is">C:\WINDOWS\system32\LogonUI.exe</SourceImage>
<SourceImage condition="is">C:\WINDOWS\system32\MRT.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\MsiExec.exe</SourceImage>
<SourceImage condition="is">C:\windows\CCM\CcmExec.exe</SourceImage>
<SourceImage condition="is">C:\WINDOWS\system32\taskmgr.exe</SourceImage>
<SourceImage condition="is">C:\WINDOWS\system32\lsass.exe</SourceImage>
<SourceImage condition="is">C:\WINDOWS\system32\services.exe</SourceImage>
<SourceImage condition="is">C:\WINDOWS\system32\wininit.exe</SourceImage>
<SourceImage condition="is">C:\WINDOWS\system32\csrss.exe</SourceImage>
<SourceImage condition="is">C:\WINDOWS\System32\smss.exe</SourceImage>
<SourceImage condition="is">C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe</SourceImage>
<SourceImage condition="is">C:\Windows\syswow64\MsiExec.exe</SourceImage>
<SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
<SourceImage condition="is">C:\WINDOWS\Explorer.EXE</SourceImage>
<SourceImage condition="is">C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe</SourceImage>
</ProcessAccess>
<!--Event ID 11: FileCreate-->
<FileCreate onmatch="include">
<!-- Windows File System on Startup Persistence -->
<TargetFilename name="Mitre: https://attack.mitre.org/wiki/Technique/T1165" condition="contains">\Startup\</TargetFilename>
<TargetFilename name="Mitre: https://attack.mitre.org/wiki/Technique/T1165" condition="contains">\Start Menu</TargetFilename>
<TargetFilename name="Mitre: https://attack.mitre.org/wiki/Technique/T1165" condition="contains">\Content.Outlook\</TargetFilename>
<TargetFilename name="Mitre: https://attack.mitre.org/wiki/Technique/T1165" condition="contains">\Downloads\</TargetFilename>
<TargetFilename name="Mitre: https://attack.mitre.org/wiki/Technique/T1165" condition="begin with">C:\Windows\System32\Tasks</TargetFilename>
<TargetFilename name="Mitre: https://attack.mitre.org/wiki/Technique/T1165" condition="begin with">C:\Windows\System32\WindowsPowerShell</TargetFilename>
<TargetFilename name="Mitre: https://attack.mitre.org/wiki/Technique/T1165" condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename>
<TargetFilename name="Mitre: https://attack.mitre.org/wiki/Technique/T1165" condition="contains">ntuser.dat</TargetFilename>
<!-- Drivers-->
<TargetFilename name="Mitre: https://attack.mitre.org/wiki/Technique/T1014" condition="begin with">C:\Windows\system32\Drivers</TargetFilename>
<TargetFilename name="Mitre: https://attack.mitre.org/wiki/Technique/T1014" condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename>
<!-- WMI-->
<TargetFilename name="Mitre: https://attack.mitre.org/wiki/Technique/T1047" condition="begin with">C:\Windows\system32\Wbem</TargetFilename>
<TargetFilename name="Mitre: https://attack.mitre.org/wiki/Technique/T1047" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
<!-- Suspicious Files-->
<TargetFilename condition="end with">.cmd</TargetFilename>
<TargetFilename condition="end with">.dll</TargetFilename>
<TargetFilename condition="end with">.ps1</TargetFilename>
<TargetFilename condition="end with">.bat</TargetFilename>
<TargetFilename condition="end with">.exe</TargetFilename>
<TargetFilename condition="end with">.sys</TargetFilename>
<TargetFilename condition="end with">.hta</TargetFilename>
<TargetFilename condition="end with">.ps1</TargetFilename>
<TargetFilename condition="end with">.vbs</TargetFilename>
<TargetFilename condition="end with">.lnk</TargetFilename>
<TargetFilename condition="end with">.pif</TargetFilename>
<TargetFilename condition="end with">.url</TargetFilename>
<TargetFilename condition="end with">.reg</TargetFilename>
<TargetFilename condition="end with">.cer</TargetFilename>
<TargetFilename condition="end with">.crt</TargetFilename>
<TargetFilename condition="end with">.rsp</TargetFilename>
</FileCreate>
<FileCreate onmatch="exclude">
<Image condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe</Image>
<Image condition="is">C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe</Image>
<Image condition="is">C:\windows\system32\cleanmgr.exe</Image>
<Image condition="is">C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.7369.6900.105\Bin\ccSvcHst.exe</Image>
</FileCreate>
<!--Event ID 12: RegistryEvent (Object create and delete)-->
<!--Event ID 13: RegistryEvent (Value Set)-->
<!--Event ID 14: RegistryEvent (Key and Value Rename)-->
<RegistryEvent onmatch="include">
<!-- Windows Registry Persistence -->
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1060" condition="contains">CurrentVersion\Run</TargetObject>
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1060" condition="contains">CurrentVersion\Windows\Run</TargetObject>
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1060" condition="contains">CurrentVersion\Windows\Shell</TargetObject>
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1060" condition="contains">CurrentVersion\Windows\Load</TargetObject>
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1060" condition="contains">Policies\Explorer\Run</TargetObject>
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1060" condition="contains">Policies\System\Shell</TargetObject>
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1060" condition="contains">Group Policy\Scripts</TargetObject>
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1060" condition="contains">Windows\System\Scripts</TargetObject>
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1060" condition="contains">Control\Session Manager\BootExecute</TargetObject>
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1060" condition="contains">CurrentVersion\Windows\AppInit_DLLs</TargetObject>
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1060" condition="contains">Windows NT\CurrentVersion\Winlogon\UserInit</TargetObject>
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1060" condition="contains">Windows NT\CurrentVersion\Winlogon\Notify</TargetObject>
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1060" condition="contains">CurrentVersion\Explorer\Browser Helper Objects</TargetObject>
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1060" condition="contains">Control\Session Manager\KnownDLLs</TargetObject>
<!-- Security Center tampering -->
<TargetObject condition="contains">SOFTWARE\Microsoft\Security Center</TargetObject>
<!-- Application compatibility tampering -->
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1138" condition="contains">CurrentVersion\AppCompatFlags</TargetObject>
<!-- UAC tampering -->
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1088" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject> <!--Detect: UAC Tampering | Credit @ion-storm -->
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1088" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject> <!--Detect: UAC Tampering | Credit @ion-storm -->
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1089" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1089" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1089" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1089" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1089" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus</TargetObject>
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1089" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1089" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1089" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable</TargetObject>
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1089" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1089" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject>
<!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
<!-- Windows Security tampering -->
<TargetObject name="Mitre: https://attack.mitre.org/wiki/Technique/T1183" condition="contains">CurrentVersion\Image File Execution Options</TargetObject>
<TargetObject condition="contains">CurrentControlSet\Control\Safeboot\</TargetObject>
<TargetObject condition="contains">CurrentControlSet\Control\Winlogon\</TargetObject>
<TargetObject condition="end with">ServiceDll</TargetObject>
<TargetObject condition="end with">ImagePath</TargetObject>
<!-- Sysinternals Tools Detection -->
<TargetObject condition="end with">EulaAccepted</TargetObject>
</RegistryEvent>
<RegistryEvent onmatch="exclude">
<!-- Noise -->
<TargetObject condition="contains">CurrentVersion\AppCompatFlags\CIT\Module\Microsoft</TargetObject>
<!-- Only examine SetValue and RenameKey events to reduce amount of data. -->
<EventType condition="is">CreateKey</EventType>
<EventType condition="is">DeleteKey</EventType>
<EventType condition="is">DeleteValue</EventType>
</RegistryEvent>
<!--Event ID 15: FileCreateStreamHash-->
<FileCreateStreamHash onmatch="include">
<!-- Suspicious Files-->
<TargetFilename name="Mitre:https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Content.Outlook</TargetFilename>
<TargetFilename name="Mitre:https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Downloads</TargetFilename>
<TargetFilename name="Mitre:https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Temp\7z</TargetFilename>
<TargetFilename name="Mitre:https://attack.mitre.org/wiki/Technique/T1096" condition="image">.bat</TargetFilename>
<TargetFilename name="Mitre:https://attack.mitre.org/wiki/Technique/T1096" condition="image">.exe</TargetFilename>
<TargetFilename name="Mitre:https://attack.mitre.org/wiki/Technique/T1096" condition="image">.cmd</TargetFilename>
<TargetFilename name="Mitre:https://attack.mitre.org/wiki/Technique/T1096" condition="image">.hta</TargetFilename>
<TargetFilename name="Mitre:https://attack.mitre.org/wiki/Technique/T1096" condition="image">.lnk</TargetFilename>
<TargetFilename name="Mitre:https://attack.mitre.org/wiki/Technique/T1096" condition="image">.ps1</TargetFilename>
<TargetFilename name="Mitre:https://attack.mitre.org/wiki/Technique/T1096" condition="image">.ps2</TargetFilename>
<TargetFilename name="Mitre:https://attack.mitre.org/wiki/Technique/T1096" condition="image">.reg</TargetFilename>
<TargetFilename name="Mitre:https://attack.mitre.org/wiki/Technique/T1096" condition="image">.vb</TargetFilename>
<TargetFilename name="Mitre:https://attack.mitre.org/wiki/Technique/T1096" condition="image">.vbe</TargetFilename>
<TargetFilename name="Mitre:https://attack.mitre.org/wiki/Technique/T1096" condition="image">.vbs</TargetFilename>
<TargetFilename name="Mitre:https://attack.mitre.org/wiki/Technique/T1096" condition="image">.scr</TargetFilename>
</FileCreateStreamHash>
<!--Event ID 17: PipeEvent (Pipe Created)-->
<!--Event ID 18: PipeEvent (Pipe Connected)-->
<PipeEvent onmatch="include">
</PipeEvent>
<!--Event ID 19: WmiEvent (WmiEventFilter activity detected)-->
<!--Event ID 20: WmiEvent (WmiEventConsumer activity detected)-->
<!--Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)-->
<!-- Event ID 19,20,21: - WmiEvent (WmiEventFilter activity detected) -->
<WmiEvent onmatch="exclude">
</WmiEvent>
</EventFiltering>
</Sysmon>