Cyb3rWard0g/erebor-SilkServiceConfig.xml

## erebor-SilkServiceConfig.xml
<!--
  SilkService Config
  Author:   Roberto Rodriguez (@Cyb3rWard0g)
  License:  GPL-3.0
  Version:	0.0.1

  References:   https://github.com/Cyb3rWard0g/mordor/blob/master/environments/windows/configs/erebor/erebor_SilkServiceConfig.xml
-->
<SilkServiceConfig>
    <!--
        Microsoft-Windows-LDAP-Client ETW Provider
    -->
    <ETWCollector>
        <Guid>859efb51-6985-480f-8094-77192b2a7407</Guid>
        <CollectorType>user</CollectorType>
        <ProviderName>099614a5-5dd7-4788-8bc9-e29f43db28fc</ProviderName>
        <UserKeywords>0x1</UserKeywords><!--Search-->
        <OutputType>eventlog</OutputType>
    </ETWCollector>
    <!--
        Microsoft-Windows-Crypto-DPAPI ETW Provider
    -->
    <ETWCollector>
        <Guid>df7461c7-7c11-4429-806f-a6ec34d08c0c</Guid>
        <CollectorType>user</CollectorType>
        <ProviderName>89fe8f40-cdce-464e-8217-15ef97d4c7c3</ProviderName>
        <UserKeywords>0xa</UserKeywords><!--ETW_TASK_MASTERKEY_OPERATION,ETW_TASK_CREDKEY_OPERATION-->
        <OutputType>eventlog</OutputType>
    </ETWCollector>
    <!--
        Microsoft-Windows-DNS-Client ETW Provider
    -->
    <ETWCollector>
        <Guid>c96e5920-f384-49b7-be43-2b408b4f0d75</Guid>
        <CollectorType>user</CollectorType>
        <ProviderName>1c95126e-7eea-49a9-a3fe-a378b03ddb4d</ProviderName>
        <OutputType>eventlog</OutputType>
    </ETWCollector>
    <!--
        Microsoft-Windows-DotNETRuntime ETW Provider
    -->
    <ETWCollector>
        <Guid>072e0373-213b-4e3d-881a-6430d6d9e369</Guid>
        <CollectorType>user</CollectorType>
        <ProviderName>e13c0d23-ccbc-4e12-931b-d9cc2eee27e4</ProviderName>
        <UserKeywords>0x2038</UserKeywords><!--Loader,Jit,NGen,Interop"-->
        <OutputType>eventlog</OutputType>
    </ETWCollector>
    <!--
        Microsoft-Windows-SMBServer ETW Provider
    -->
    <ETWCollector>
        <Guid>f7569862-691a-4a38-9f0e-e3ed815920ba</Guid>
        <CollectorType>user</CollectorType>
        <ProviderName>D48CE617-33A2-4BC3-A5C7-11AA4F29619E</ProviderName>
        <UserKeywords>0x9</UserKeywords><!--Request,Operational"-->
        <OutputType>eventlog</OutputType>
    </ETWCollector>
    <!--
        Microsoft-Windows-WMI-Activity ETW Provider
    -->
    <ETWCollector>
        <Guid>e58efae6-883b-4a05-95b5-ec2f697b2dc5</Guid>
        <CollectorType>user</CollectorType>
        <ProviderName>1418ef04-b0b4-4623-bf7e-d74ab47bbdaa</ProviderName>
        <OutputType>eventlog</OutputType>
    </ETWCollector>
    <!--
		This is a kernel collector (ImageLoad)
	-->
	<ETWCollector>
		<Guid>870b50e1-04c2-43e4-82ac-817444a56364</Guid>
		<CollectorType>kernel</CollectorType>
		<KernelKeywords>ImageLoad</KernelKeywords>
        <FilterValue>Image/Load</FilterValue>
		<OutputType>eventlog</OutputType>
	</ETWCollector>
</SilkServiceConfig>
	<!--
	SilkService Config
	Author: Roberto Rodriguez (@Cyb3rWard0g)
	License: GPL-3.0
	Version: 0.0.1

	References: https://github.com/Cyb3rWard0g/mordor/blob/master/environments/windows/configs/erebor/erebor_SilkServiceConfig.xml
	-->
	<SilkServiceConfig>
	<!--
	Microsoft-Windows-LDAP-Client ETW Provider
	-->
	<ETWCollector>
	<Guid>859efb51-6985-480f-8094-77192b2a7407</Guid>
	<CollectorType>user</CollectorType>
	<ProviderName>099614a5-5dd7-4788-8bc9-e29f43db28fc</ProviderName>
	<UserKeywords>0x1</UserKeywords><!--Search-->
	<OutputType>eventlog</OutputType>
	</ETWCollector>
	<!--
	Microsoft-Windows-Crypto-DPAPI ETW Provider
	-->
	<ETWCollector>
	<Guid>df7461c7-7c11-4429-806f-a6ec34d08c0c</Guid>
	<CollectorType>user</CollectorType>
	<ProviderName>89fe8f40-cdce-464e-8217-15ef97d4c7c3</ProviderName>
	<UserKeywords>0xa</UserKeywords><!--ETW_TASK_MASTERKEY_OPERATION,ETW_TASK_CREDKEY_OPERATION-->
	<OutputType>eventlog</OutputType>
	</ETWCollector>
	<!--
	Microsoft-Windows-DNS-Client ETW Provider
	-->
	<ETWCollector>
	<Guid>c96e5920-f384-49b7-be43-2b408b4f0d75</Guid>
	<CollectorType>user</CollectorType>
	<ProviderName>1c95126e-7eea-49a9-a3fe-a378b03ddb4d</ProviderName>
	<OutputType>eventlog</OutputType>
	</ETWCollector>
	<!--
	Microsoft-Windows-DotNETRuntime ETW Provider
	-->
	<ETWCollector>
	<Guid>072e0373-213b-4e3d-881a-6430d6d9e369</Guid>
	<CollectorType>user</CollectorType>
	<ProviderName>e13c0d23-ccbc-4e12-931b-d9cc2eee27e4</ProviderName>
	<UserKeywords>0x2038</UserKeywords><!--Loader,Jit,NGen,Interop"-->
	<OutputType>eventlog</OutputType>
	</ETWCollector>
	<!--
	Microsoft-Windows-SMBServer ETW Provider
	-->
	<ETWCollector>
	<Guid>f7569862-691a-4a38-9f0e-e3ed815920ba</Guid>
	<CollectorType>user</CollectorType>
	<ProviderName>D48CE617-33A2-4BC3-A5C7-11AA4F29619E</ProviderName>
	<UserKeywords>0x9</UserKeywords><!--Request,Operational"-->
	<OutputType>eventlog</OutputType>
	</ETWCollector>
	<!--
	Microsoft-Windows-WMI-Activity ETW Provider
	-->
	<ETWCollector>
	<Guid>e58efae6-883b-4a05-95b5-ec2f697b2dc5</Guid>
	<CollectorType>user</CollectorType>
	<ProviderName>1418ef04-b0b4-4623-bf7e-d74ab47bbdaa</ProviderName>
	<OutputType>eventlog</OutputType>
	</ETWCollector>
	<!--
	This is a kernel collector (ImageLoad)
	-->
	<ETWCollector>
	<Guid>870b50e1-04c2-43e4-82ac-817444a56364</Guid>
	<CollectorType>kernel</CollectorType>
	<KernelKeywords>ImageLoad</KernelKeywords>
	<FilterValue>Image/Load</FilterValue>
	<OutputType>eventlog</OutputType>
	</ETWCollector>
	</SilkServiceConfig>