<Sysmon schemaversion="4.1">
<!-- Sysmon event-filtering configuration.
     Each rule group below is either onmatch="exclude" (the event type is logged unless a
     rule matches) or onmatch="include" (the event type is logged only when a rule matches;
     an include group with no rules therefore logs nothing).
     schemaversion must match the schema of the installed Sysmon binary (sysmon -s prints it);
     Sysmon will not load a configuration whose schema version does not match.
     Sysmon rule matching is case-insensitive, so capitalisation of paths is irrelevant. -->
<!-- Capture all hashes -->
<HashAlgorithms>*</HashAlgorithms>
<EventFiltering>
<!-- Event ID 1 == Process Creation. Log all newly created processes except -->
<!-- NOTE(review): the "contains", "begin with", "end with" and "image" rules match only on the
     text of the image path, not on signer or location. Any binary whose path contains "splunk",
     or that is simply named Sysmon.exe, is therefore not logged wherever it runs from.
     Prefer full-path "is" rules where the agent location is fixed. -->
<ProcessCreate onmatch="exclude">
<Image condition="contains">splunk</Image>
<Image condition="contains">btool.exe</Image>
<Image condition="contains">SnareCore</Image>
<Image condition="contains">nxlog</Image>
<Image condition="contains">winlogbeat</Image>
<Image condition="contains">Microsoft Monitoring Agent\Agent\MonitoringHost.exe</Image>
<Image condition="begin with">C:\Program Files\NVIDIA Corporation\Display\</Image>
<Image condition="is">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image>
<Image condition="is">C:\Program Files\Dell\SupportAssist\koala.exe</Image>
<!-- Directory-prefix exclusion: anything launched from beneath this folder is not logged. -->
<Image condition="begin with">C:\Program Files\Windows Defender</Image>
<Image condition="is">C:\Windows\System32\audiodg.exe</Image>
<Image condition="is">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image>
<Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
<Image condition="end with">\Sysmon.exe</Image>
<!-- Mixed-case "WIndows" is harmless because matching is case-insensitive. -->
<CommandLine condition="begin with">C:\WIndows\System32\poqexec.exe /noreboot /transaction</CommandLine>
</ProcessCreate>
<!-- Event ID 2 == File Creation Time. Do not log file modified creation time -->
<!-- Empty include group: no event 2 is ever produced, so changes to file creation
     timestamps (timestomping) are not recorded by this configuration. -->
<FileCreateTime onmatch="include"/>
<!-- Event ID 3 == Network Connection. Log all initiated network connection except -->
<!-- NOTE(review): "end with" rules here are name-based as well; connections from chrome.exe
     and Code.exe are excluded, which also hides any abuse of those processes for outbound traffic. -->
<NetworkConnect onmatch="exclude">
<Image condition="is">C:\Program Files\Microsoft Office\Office15\ONENOTE.EXE</Image>
<Image condition="end with">Spotify.exe</Image>
<Image condition="end with">OneDrive.exe</Image>
<Image condition="end with">AppData\Roaming\Dashlane\Dashlane.exe</Image>
<Image condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe</Image>
<Image condition="end with">winlogbeat.exe</Image>
<Image condition="is">C:\Windows\System32\spoolsv.exe</Image>
<Image condition="is">C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe</Image>
<Image condition="is">C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe</Image>
<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
<Image condition="is">C:\Windows\System32\CompatTelRunner.exe</Image>
<Image condition="is">C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe</Image>
<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
<Image condition="is">C:\Windows\System32\mmc.exe</Image>
<Image condition="is">C:\Program Files\Microsoft VS Code\Code.exe</Image>
</NetworkConnect>
<!-- Event ID 5 == Process Terminated. Do not log processes terminated -->
<ProcessTerminate onmatch="include"/>
<!-- Event ID 6 == Driver Loaded. Log all drivers except those with the following signatures -->
<!-- NOTE(review): "contains microsoft" also matches third-party drivers co-signed through the
     Microsoft hardware-compatibility (WHQL) publisher, so most commercial drivers, including
     known-vulnerable ones, will not produce event 6 here. "is VMware" needs an exact signer-name
     match; confirm the full signer string on a VMware host, otherwise that rule never fires. -->
<DriverLoad onmatch="exclude">
<Signature condition="contains">microsoft</Signature>
<Signature condition="contains">windows</Signature>
<Signature condition="is">VMware</Signature>
<Signature condition="begin with">Intel </Signature>
</DriverLoad>
<!-- Event ID 7 == Image Loaded. Log everything except -->
<!-- The "image" condition matches on the image file name alone (any directory), so the
     first four rules exclude any process by that name regardless of its location. -->
<ImageLoad onmatch="exclude">
<Image condition="image">chrome.exe</Image>
<Image condition="image">vmtoolsd.exe</Image>
<Image condition="image">Sysmon.exe</Image>
<Image condition="image">mmc.exe</Image>
<Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
<Image condition="is">C:\Windows\System32\taskeng.exe</Image>
<Image condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe</Image>
<Image condition="is">C:\Program Files\Windows Defender\NisSrv.exe</Image>
<Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image>
</ImageLoad>
<!-- Event ID 8 == CreateRemoteThread. Log everything -->
<CreateRemoteThread onmatch="exclude" />
<!-- Event ID 9 == RawAccessRead. Log everything except -->
<RawAccessRead onmatch="exclude">
<Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
<Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
<Image condition="end with">\Sysmon.exe</Image>
</RawAccessRead>
<!-- Event ID 10 == ProcessAccess. Log everything except -->
<!-- lsass.exe is excluded only as SourceImage; events where lsass.exe is the TargetImage
     (the usual credential-theft signal) are still logged. -->
<ProcessAccess onmatch="exclude">
<SourceImage condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</SourceImage>
<SourceImage condition="is">C:\Windows\system32\taskeng.exe</SourceImage>
<SourceImage condition="is">C:\Windows\system32\lsass.exe</SourceImage>
<SourceImage condition="image">Sysmon.exe</SourceImage>
<SourceImage condition="image">GoogleUpdate.exe</SourceImage>
<SourceImage condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</SourceImage>
<SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
<SourceImage condition="is">C:\Program Files\Microsoft VS Code\Code.exe</SourceImage>
<TargetImage condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe</TargetImage>
<TargetImage condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe</TargetImage>
<TargetImage condition="is">C:\Windows\system32\mmc.exe</TargetImage>
<TargetImage condition="is">C:\Program Files\Microsoft VS Code\Code.exe</TargetImage>
<TargetImage condition="is">C:\Windows\system32\sihost.exe</TargetImage>
<TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage>
<TargetImage condition="is">c:\Program Files\Microsoft VS Code\resources\app\out\vs\workbench\services\files\node\watcher\win32\CodeHelper.exe</TargetImage>
<TargetImage condition="is">C:\Windows\system32\ApplicationFrameHost.exe</TargetImage>
<TargetImage condition="is">C:\Windows\System32\taskhostw.exe</TargetImage>
<TargetImage condition="is">C:\Windows\System32\RuntimeBroker.exe</TargetImage>
</ProcessAccess>
<!-- Event ID 11 == FileCreate. Log everything except -->
<FileCreate onmatch="exclude">
<Image condition="image">SearchIndexer.exe</Image>
<Image condition="image">winlogbeat.exe</Image>
<Image condition="is">C:\Windows\system32\mmc.exe</Image>
<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
<Image condition="is">C:\Program Files\Microsoft VS Code\Code.exe</Image>
</FileCreate>
<!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. Log everything except -->
<!-- NOTE(review): excluding svchost.exe hides registry writes made by every service hosted in
     svchost (and by any code running inside it); narrowing this to specific TargetObject paths
     would keep the noise reduction with a smaller blind spot. The "\REGISTRY\MACHINE\" prefix on
     the TargetObject rule should be confirmed against how the installed Sysmon version renders
     registry paths (HKLM\...) before matching; if it does not match, that rule is inert. -->
<RegistryEvent onmatch="exclude">
<Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
<Image condition="is">C:\Windows\system32\mmc.exe</Image>
<Image condition="is">C:\Windows\system32\taskeng.exe</Image>
<Image condition="is">C:\Windows\System32\svchost.exe</Image>
<Image condition="is">C:\Windows\system32\lsass.exe</Image>
<Image condition="is">C:\Windows\Sysmon.exe</Image>
<Image condition="image">GoogleUpdate.exe</Image>
<Image condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe</Image>
<Image condition="is">C:\Program Files\Windows Defender\NisSrv.exe</Image>
<TargetObject condition="is">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Microsoft Print to PDF\PrinterDriverData</TargetObject>
<TargetObject condition="end with">LanguageList</TargetObject>
</RegistryEvent>
<!-- Event ID 15 == FileStream Created. Do not log file stream creation, nor the hash of the stream contents -->
<!-- Empty include group: no event 15 is ever produced, so alternate data streams written for
     downloaded files (for example Zone.Identifier) and their content hashes are not captured. -->
<FileCreateStreamHash onmatch="include" />
<!-- Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected -->
<PipeEvent onmatch="exclude" />
<!-- Event ID 19,20,21 == WmiEvent. Log all WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter activity -->
<WmiEvent onmatch="exclude" />
</EventFiltering>
</Sysmon>
jermdw commented Jan 22, 2018

To work with Sysmon v7.01 (latest) the schema version must be updated to 4.0. @Cyb3rWard0g

Cyb3rWard0g commented Feb 8, 2018

Thank you man!! 👍 done.
