-
-
Save nguyenl95/9dc7bbc56a9eea919f6029a88c4027f1 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="4.1"> | |
| <!-- Capture all hashes --> | |
| <HashAlgorithms>*</HashAlgorithms> | |
| <EventFiltering> | |
| <!-- Event ID 1 == Process Creation. Log all newly created processes except --> | |
| <ProcessCreate onmatch="exclude"> | |
| <Image condition="contains">splunk</Image> | |
| <Image condition="contains">btool.exe</Image> | |
| <Image condition="contains">SnareCore</Image> | |
| <Image condition="contains">nxlog</Image> | |
| <Image condition="contains">winlogbeat</Image> | |
| <Image condition="contains">Microsoft Monitoring Agent\Agent\MonitoringHost.exe</Image> | |
| <Image condition="begin with">C:\Program Files\NVIDIA Corporation\Display\</Image> | |
| <Image condition="is">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image> | |
| <Image condition="is">C:\Program Files\Dell\SupportAssist\koala.exe</Image> | |
| <Image condition="begin with">C:\Program Files\Windows Defender</Image> | |
| <Image condition="is">C:\Windows\System32\audiodg.exe</Image> | |
| <Image condition="is">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> | |
| <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image> | |
| <Image condition="end with">\Sysmon.exe</Image> | |
| <CommandLine condition="begin with">C:\WIndows\System32\poqexec.exe /noreboot /transaction</CommandLine> | |
| </ProcessCreate> | |
| <!-- Event ID 2 == File Creation Time. POC - Log file modified creation time --> | |
| <FileCreateTime onmatch="exclude"/> | |
| <!-- Event ID 3 == Network Connection. Log all initiated network connection except --> | |
| <NetworkConnect onmatch="exclude"> | |
| <Image condition="is">C:\Program Files\Microsoft Office\Office15\ONENOTE.EXE</Image> | |
| <Image condition="end with">Spotify.exe</Image> | |
| <Image condition="end with">OneDrive.exe</Image> | |
| <Image condition="end with">AppData\Roaming\Dashlane\Dashlane.exe</Image> | |
| <Image condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe</Image> | |
| <Image condition="end with">winlogbeat.exe</Image> | |
| <Image condition="is">C:\Windows\System32\spoolsv.exe</Image> | |
| <Image condition="is">C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe</Image> | |
| <Image condition="is">C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe</Image> | |
| <Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image> | |
| <Image condition="is">C:\Windows\System32\CompatTelRunner.exe</Image> | |
| <Image condition="is">C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe</Image> | |
| <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image> | |
| <Image condition="is">C:\Windows\System32\mmc.exe</Image> | |
| <Image condition="is">C:\Program Files\Microsoft VS Code\Code.exe</Image> | |
| </NetworkConnect> | |
| <!-- Event ID 5 == Process Terminated. Log processes terminated --> | |
| <ProcessTerminate onmatch="exclude" /> | |
| <!-- Event ID 6 == Driver Loaded. Log all drivers except those with the following signatures --> | |
| <DriverLoad onmatch="exclude"> | |
| <Signature condition="contains">microsoft</Signature> | |
| <Signature condition="contains">windows</Signature> | |
| <Signature condition="is">VMware</Signature> | |
| <Signature condition="begin with">Intel </Signature> | |
| </DriverLoad> | |
| <!-- Event ID 7 == Image Loaded. Log everything except --> | |
| <ImageLoad onmatch="exclude"> | |
| <Image condition="image">chrome.exe</Image> | |
| <Image condition="image">vmtoolsd.exe</Image> | |
| <Image condition="image">Sysmon.exe</Image> | |
| <Image condition="image">mmc.exe</Image> | |
| <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image> | |
| <Image condition="is">C:\Windows\System32\taskeng.exe</Image> | |
| <Image condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe</Image> | |
| <Image condition="is">C:\Program Files\Windows Defender\NisSrv.exe</Image> | |
| <Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image> | |
| </ImageLoad> | |
| <!-- Event ID 8 == CreateRemoteThread. Log everything --> | |
| <CreateRemoteThread onmatch="exclude" /> | |
| <!-- Event ID 9 == RawAccessRead. Log everything --> | |
| <RawAccessRead onmatch="exclude"> | |
| <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image> | |
| <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image> | |
| <Image condition="end with">\Sysmon.exe</Image> | |
| </RawAccessRead> | |
| <!-- Event ID 10 == ProcessAccess. Log everything except --> | |
| <ProcessAccess onmatch="exclude"> | |
| <SourceImage condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</SourceImage> | |
| <SourceImage condition="is">C:\Windows\system32\taskeng.exe</SourceImage> | |
| <SourceImage condition="is">C:\Windows\system32\lsass.exe</SourceImage> | |
| <SourceImage condition="image">Sysmon.exe</SourceImage> | |
| <SourceImage condition="image">GoogleUpdate.exe</SourceImage> | |
| <SourceImage condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</SourceImage> | |
| <SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage> | |
| <SourceImage condition="is">C:\Program Files\Microsoft VS Code\Code.exe</SourceImage> | |
| <TargetImage condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe</TargetImage> | |
| <TargetImage condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe</TargetImage> | |
| <TargetImage condition="is">C:\Windows\system32\mmc.exe</TargetImage> | |
| <TargetImage condition="is">C:\Program Files\Microsoft VS Code\Code.exe</TargetImage> | |
| <TargetImage condition="is">C:\Windows\system32\sihost.exe</TargetImage> | |
| <TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage> | |
| <TargetImage condition="is">c:\Program Files\Microsoft VS Code\resources\app\out\vs\workbench\services\files\node\watcher\win32\CodeHelper.exe</TargetImage> | |
| <TargetImage condition="is">C:\Windows\system32\ApplicationFrameHost.exe</TargetImage> | |
| <TargetImage condition="is">C:\Windows\System32\taskhostw.exe</TargetImage> | |
| <TargetImage condition="is">C:\Windows\System32\RuntimeBroker.exe</TargetImage> | |
| </ProcessAccess> | |
| <!-- Event ID 11 == FileCreate. Log everything except --> | |
| <FileCreate onmatch="exclude"> | |
| <Image condition="image">SearchIndexer.exe</Image> | |
| <Image condition="image">winlogbeat.exe</Image> | |
| <Image condition="is">C:\Windows\system32\mmc.exe</Image> | |
| <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image> | |
| <Image condition="is">C:\Program Files\Microsoft VS Code\Code.exe</Image> | |
| </FileCreate> | |
| <!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. Log everything except --> | |
| <RegistryEvent onmatch="exclude"> | |
| <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image> | |
| <Image condition="is">C:\Windows\system32\mmc.exe</Image> | |
| <Image condition="is">C:\Windows\system32\taskeng.exe</Image> | |
| <Image condition="is">C:\Windows\System32\svchost.exe</Image> | |
| <Image condition="is">C:\Windows\system32\lsass.exe</Image> | |
| <Image condition="is">C:\Windows\Sysmon.exe</Image> | |
| <Image condition="image">GoogleUpdate.exe</Image> | |
| <Image condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe</Image> | |
| <Image condition="is">C:\Program Files\Windows Defender\NisSrv.exe</Image> | |
| <TargetObject condition="is">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Microsoft Print to PDF\PrinterDriverData</TargetObject> | |
| <TargetObject condition="end with">LanguageList</TargetObject> | |
| </RegistryEvent> | |
| <!-- Event ID 15 == FileStream Created. Do not log when a file stream is created neither the hash of the contents of the stream --> | |
| <FileCreateStreamHash onmatch="exclude" /> | |
| <!-- Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected --> | |
| <PipeEvent onmatch="exclude" /> | |
| <!-- Event ID 19,20,21, == WmiEvent. Log all WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter activity--> | |
| <WmiEvent onmatch="exclude" /> | |
| </EventFiltering> | |
| </Sysmon> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment