Last active
July 6, 2022 23:18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="3.30"> | |
| <!-- Capture all hashes --> | |
| <HashAlgorithms>*</HashAlgorithms> | |
| <EventFiltering> | |
| <!-- Event ID 1 == Process Creation. Log all newly created processes except --> | |
| <ProcessCreate onmatch="exclude"> | |
| <Image condition="contains">splunk</Image> | |
| <Image condition="contains">btool.exe</Image> | |
| <Image condition="contains">SnareCore</Image> | |
| <Image condition="contains">nxlog</Image> | |
| <Image condition="contains">winlogbeat</Image> | |
| <Image condition="contains">Microsoft Monitoring Agent\Agent\MonitoringHost.exe</Image> | |
| <Image condition="begin with">C:\Program Files\NVIDIA Corporation\Display\</Image> | |
| <Image condition="is">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image> | |
| <Image condition="is">C:\Program Files\Dell\SupportAssist\koala.exe</Image> | |
| <Image condition="begin with">C:\Program Files\Windows Defender</Image> | |
| <Image condition="is">C:\Windows\System32\audiodg.exe</Image> | |
| <Image condition="image">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> | |
| </ProcessCreate> | |
| <!-- Event ID 2 == File Creation Time. Do not log file modified creation time --> | |
| <FileCreateTime onmatch="include"/> | |
| <!-- Event ID 3 == Network Connection. Log all initiated network connection except --> | |
| <NetworkConnect onmatch="exclude"> | |
| <Image condition="is">C:\Program Files\Microsoft Office\Office15\ONENOTE.EXE</Image> | |
| <Image condition="end with">Spotify.exe</Image> | |
| <Image condition="end with">OneDrive.exe</Image> | |
| <Image condition="end with">AppData\Roaming\Dashlane\Dashlane.exe</Image> | |
| <Image condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe</Image> | |
| <Image condition="is">C:\Windows\System32\spoolsv.exe</Image> | |
| <Image condition="is">C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe</Image> | |
| <Image condition="is">C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe</Image> | |
| <Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image> | |
| <Image condition="is">C:\Windows\System32\CompatTelRunner.exe</Image> | |
| <Image condition="is">C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe</Image> | |
| </NetworkConnect> | |
| <!-- Event ID 5 == Process Terminated. Do not log processes terminated --> | |
| <ProcessTerminate onmatch="include"/> | |
| <!-- Event ID 6 == Driver Loaded. Log all drivers except those with the following signatures --> | |
| <DriverLoad onmatch="exclude"> | |
| <Signature condition="contains">microsoft</Signature> | |
| <Signature condition="contains">windows</Signature> | |
| <Signature condition="is">VMware</Signature> | |
| <Signature condition="begin with">Intel </Signature> | |
| </DriverLoad> | |
| <!-- Event ID 7 == Image Loaded. Log everything except --> | |
| <ImageLoad onmatch="exclude"> | |
| <Image condition="is">C:\Windows\Sysmon.exe</Image> | |
| <Image condiiton="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image> | |
| </ImageLoad> | |
| <!-- Event ID 8 == CreateRemoteThread. Log everything --> | |
| <CreateRemoteThread onmatch="exclude" /> | |
| <!-- Event ID 9 == RawAccessRead. Log everything --> | |
| <RawAccessRead onmatch="exclude"> | |
| <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image> | |
| </RawAccessRead> | |
| <!-- Event ID 10 == ProcessAccess. Log everything except --> | |
| <ProcessAccess onmatch="exclude"> | |
| <SourceImage condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</SourceImage> | |
| </ProcessAccess> | |
| <!-- Event ID 11 == FileCreate. Log everything except --> | |
| <FileCreate onmatch="exclude"> | |
| <Image condition="is">C:\Program Files\Winlogbeat\winlogbeat.exe</Image> | |
| <Image condition="is">C:\Windows\system32\mmc.exe</Image> | |
| </FileCreate> | |
| <!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. Log everything except --> | |
| <RegistryEvent onmatch="exclude"> | |
| <Image condition="is">C:\Windows\Sysmon.exe</Image> | |
| <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image> | |
| </RegistryEvent> | |
| <!-- Event ID 15 == FileStream Created. Do not log when a file stream is created neither the hash of the contents of the stream --> | |
| <FileCreateStreamHash onmatch="include" /> | |
| <!-- Event ID 17 == PipeEvent. Log Named pipe created & Named pipe connected --> | |
| <PipeEvent onmatch="exclude" /> | |
| </EventFiltering> | |
| </Sysmon> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
To work with Sysmon v7.01 (latest) the schema version must be updated to
4.0. @Cyb3rWard0g