
@Cyb3rWard0g
Last active July 6, 2022 23:18

Revisions

  1. Cyb3rWard0g revised this gist Jul 23, 2020. 1 changed file with 190 additions and 117 deletions.
    307 changes: 190 additions & 117 deletions StartLogging.xml
    @@ -1,122 +1,195 @@
    <Sysmon schemaversion="4.1">
    <Sysmon schemaversion="4.32">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
    <DnsLookup>False</DnsLookup>
    <ArchiveDirectory>Archive</ArchiveDirectory>
    <EventFiltering>
    <!-- Event ID 1 == Process Creation. Log all newly created processes except -->
    <ProcessCreate onmatch="exclude">
    <Image condition="contains">splunk</Image>
    <Image condition="contains">btool.exe</Image>
    <Image condition="contains">SnareCore</Image>
    <Image condition="contains">nxlog</Image>
    <Image condition="contains">winlogbeat</Image>
    <Image condition="contains">Microsoft Monitoring Agent\Agent\MonitoringHost.exe</Image>
    <Image condition="begin with">C:\Program Files\NVIDIA Corporation\Display\</Image>
    <Image condition="is">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image>
    <Image condition="is">C:\Program Files\Dell\SupportAssist\koala.exe</Image>
    <Image condition="begin with">C:\Program Files\Windows Defender</Image>
    <Image condition="is">C:\Windows\System32\audiodg.exe</Image>
    <Image condition="is">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    <Image condition="end with">\Sysmon.exe</Image>
    <CommandLine condition="begin with">C:\WIndows\System32\poqexec.exe /noreboot /transaction</CommandLine>
    </ProcessCreate>
    <!-- Event ID 2 == File Creation Time. POC - Log file modified creation time -->
    <FileCreateTime onmatch="exclude"/>
    <!-- Event ID 3 == Network Connection. Log all initiated network connection except -->
    <NetworkConnect onmatch="exclude">
    <Image condition="is">C:\Program Files\Microsoft Office\Office15\ONENOTE.EXE</Image>
    <Image condition="end with">Spotify.exe</Image>
    <Image condition="end with">OneDrive.exe</Image>
    <Image condition="end with">AppData\Roaming\Dashlane\Dashlane.exe</Image>
    <Image condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe</Image>
    <Image condition="end with">winlogbeat.exe</Image>
    <Image condition="is">C:\Windows\System32\spoolsv.exe</Image>
    <Image condition="is">C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe</Image>
    <Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
    <Image condition="is">C:\Windows\System32\CompatTelRunner.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
    <Image condition="is">C:\Windows\System32\mmc.exe</Image>
    <Image condition="is">C:\Program Files\Microsoft VS Code\Code.exe</Image>
    </NetworkConnect>
    <!-- Event ID 5 == Process Terminated. Log processes terminated -->
    <ProcessTerminate onmatch="exclude" />
    <!-- Event ID 6 == Driver Loaded. Log all drivers except those with the following signatures -->
    <DriverLoad onmatch="exclude">
    <Signature condition="contains">microsoft</Signature>
    <Signature condition="contains">windows</Signature>
    <Signature condition="is">VMware</Signature>
    <Signature condition="begin with">Intel </Signature>
    </DriverLoad>
    <!-- Event ID 7 == Image Loaded. Log everything except -->
    <ImageLoad onmatch="exclude">
    <Image condition="image">chrome.exe</Image>
    <Image condition="image">vmtoolsd.exe</Image>
    <Image condition="image">Sysmon.exe</Image>
    <Image condition="image">mmc.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    <Image condition="is">C:\Windows\System32\taskeng.exe</Image>
    <Image condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe</Image>
    <Image condition="is">C:\Program Files\Windows Defender\NisSrv.exe</Image>
    <Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image>
    </ImageLoad>
    <!-- Event ID 8 == CreateRemoteThread. Log everything -->
    <CreateRemoteThread onmatch="exclude" />
    <!-- Event ID 9 == RawAccessRead. Log everything -->
    <RawAccessRead onmatch="exclude">
    <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    <Image condition="end with">\Sysmon.exe</Image>
    </RawAccessRead>
    <!-- Event ID 10 == ProcessAccess. Log everything except -->
    <ProcessAccess onmatch="exclude">
    <SourceImage condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</SourceImage>
    <SourceImage condition="is">C:\Windows\system32\taskeng.exe</SourceImage>
    <SourceImage condition="is">C:\Windows\system32\lsass.exe</SourceImage>
    <SourceImage condition="image">Sysmon.exe</SourceImage>
    <SourceImage condition="image">GoogleUpdate.exe</SourceImage>
    <SourceImage condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</SourceImage>
    <SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
    <SourceImage condition="is">C:\Program Files\Microsoft VS Code\Code.exe</SourceImage>
    <TargetImage condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe</TargetImage>
    <TargetImage condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe</TargetImage>
    <TargetImage condition="is">C:\Windows\system32\mmc.exe</TargetImage>
    <TargetImage condition="is">C:\Program Files\Microsoft VS Code\Code.exe</TargetImage>
    <TargetImage condition="is">C:\Windows\system32\sihost.exe</TargetImage>
    <TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage>
    <TargetImage condition="is">c:\Program Files\Microsoft VS Code\resources\app\out\vs\workbench\services\files\node\watcher\win32\CodeHelper.exe</TargetImage>
    <TargetImage condition="is">C:\Windows\system32\ApplicationFrameHost.exe</TargetImage>
    <TargetImage condition="is">C:\Windows\System32\taskhostw.exe</TargetImage>
    <TargetImage condition="is">C:\Windows\System32\RuntimeBroker.exe</TargetImage>
    </ProcessAccess>
    <!-- Event ID 11 == FileCreate. Log everything except -->
    <FileCreate onmatch="exclude">
    <Image condition="image">SearchIndexer.exe</Image>
    <Image condition="image">winlogbeat.exe</Image>
    <Image condition="is">C:\Windows\system32\mmc.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
    <Image condition="is">C:\Program Files\Microsoft VS Code\Code.exe</Image>
    </FileCreate>
    <!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. Log everything except -->
    <RegistryEvent onmatch="exclude">
    <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    <Image condition="is">C:\Windows\system32\mmc.exe</Image>
    <Image condition="is">C:\Windows\system32\taskeng.exe</Image>
    <Image condition="is">C:\Windows\System32\svchost.exe</Image>
    <Image condition="is">C:\Windows\system32\lsass.exe</Image>
    <Image condition="is">C:\Windows\Sysmon.exe</Image>
    <Image condition="image">GoogleUpdate.exe</Image>
    <Image condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe</Image>
    <Image condition="is">C:\Program Files\Windows Defender\NisSrv.exe</Image>
    <TargetObject condition="is">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Microsoft Print to PDF\PrinterDriverData</TargetObject>
    <TargetObject condition="end with">LanguageList</TargetObject>
    </RegistryEvent>
    <!-- Event ID 15 == FileStream Created. Do not log when a file stream is created neither the hash of the contents of the stream -->
    <FileCreateStreamHash onmatch="exclude" />
    <!-- Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected -->
    <PipeEvent onmatch="exclude" />
    <!-- Event ID 19,20,21, == WmiEvent. Log all WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter activity-->
    <WmiEvent onmatch="exclude" />
    <RuleGroup name="" groupRelation="or">
    <!-- Event ID 1 == Process Creation. Log all newly created processes except -->
    <ProcessCreate onmatch="exclude">
    <Image condition="contains">splunk</Image>
    <Image condition="contains">btool.exe</Image>
    <Image condition="contains">SnareCore</Image>
    <Image condition="contains">nxlog</Image>
    <Image condition="contains">winlogbeat</Image>
    <Image condition="contains">Microsoft Monitoring Agent\Agent\MonitoringHost.exe</Image>
    <Image condition="begin with">C:\Program Files\NVIDIA Corporation\Display\</Image>
    <Image condition="is">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image>
    <Image condition="is">C:\Program Files\Dell\SupportAssist\koala.exe</Image>
    <Image condition="begin with">C:\Program Files\Windows Defender</Image>
    <Image condition="is">C:\Windows\System32\audiodg.exe</Image>
    <Image condition="is">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    <Image condition="end with">Sysmon.exe</Image>
    <Image condition="end with">ec2config.exe</Image>
    <CommandLine condition="begin with">C:\WIndows\System32\poqexec.exe /noreboot /transaction</CommandLine>
    </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
    <!-- Event ID 2 == File Creation Time. POC - Log file modified creation time -->
    <FileCreateTime onmatch="exclude"/>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
    <!-- Event ID 3 == Network Connection. Log all initiated network connection except -->
    <NetworkConnect onmatch="exclude">
    <Image condition="is">C:\Program Files\Microsoft Office\Office15\ONENOTE.EXE</Image>
    <Image condition="end with">Spotify.exe</Image>
    <Image condition="end with">OneDrive.exe</Image>
    <Image condition="end with">AppData\Roaming\Dashlane\Dashlane.exe</Image>
    <Image condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe</Image>
    <Image condition="end with">winlogbeat.exe</Image>
    <Image condition="end with">ec2config.exe</Image>
    <Image condition="end with">cfn-signal.exe</Image>
    <Image condition="end with">amazon-ssm-agent.exe</Image>
    <Image condition="end with">ec2wallpaperinfo.exe</Image>
    <Image condition="is">C:\Windows\System32\spoolsv.exe</Image>
    <Image condition="is">C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe</Image>
    <Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
    <Image condition="is">C:\Windows\System32\CompatTelRunner.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
    <Image condition="is">C:\Windows\System32\mmc.exe</Image>
    <Image condition="is">C:\Program Files\Microsoft VS Code\Code.exe</Image>
    <Image condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe</Image>
    <Image condition="begin with">C:\Packages\Plugins\</Image> <!--Azure ARM Extensions -->
    <Image condition="begin with">C:\WindowsAzure\</Image> <!--Azure -->
    <DestinationIp condition="is">10.0.1.10</DestinationIp> <!--Mordor APT29 Evals: Windows Event Collector-->
    </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
    <!-- Event ID 5 == Process Terminated. Log processes terminated -->
    <ProcessTerminate onmatch="exclude" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
    <!-- Event ID 6 == Driver Loaded. Log all drivers except those with the following signatures -->
    <DriverLoad onmatch="exclude">
    <Signature condition="contains">microsoft</Signature>
    <Signature condition="contains">windows</Signature>
    <Signature condition="is">VMware</Signature>
    <Signature condition="begin with">Intel </Signature>
    </DriverLoad>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
    <!-- Event ID 7 == Image Loaded. Log everything except -->
    <ImageLoad onmatch="exclude">
    <Image condition="image">chrome.exe</Image>
    <Image condition="image">vmtoolsd.exe</Image>
    <Image condition="image">Sysmon.exe</Image>
    <Image condition="image">mmc.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    <Image condition="is">C:\Windows\System32\taskeng.exe</Image>
    <Image condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe</Image>
    <Image condition="is">C:\Program Files\Windows Defender\NisSrv.exe</Image>
    <Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image>
    <Image condition="end with">onedrivesetup.exe</Image>
    <Image condition="end with">onedrive.exe</Image>
    <Image condition="end with">skypeapp.exe</Image>
    <Image condition="begin with">C:\Packages\Plugins\</Image> <!--Azure ARM Extensions -->
    <Image condition="begin with">C:\WindowsAzure\</Image> <!--Azure -->
    </ImageLoad>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
    <!-- Event ID 8 == CreateRemoteThread. Log everything except -->
    <CreateRemoteThread onmatch="exclude" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
    <!-- Event ID 9 == RawAccessRead. Log everything except -->
    <RawAccessRead onmatch="exclude">
    <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    <Image condition="end with">\Sysmon.exe</Image>
    </RawAccessRead>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
    <!-- Event ID 10 == ProcessAccess. Log everything except -->
    <ProcessAccess onmatch="exclude">
    <SourceImage condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</SourceImage>
    <SourceImage condition="image">Sysmon.exe</SourceImage>
    <SourceImage condition="image">GoogleUpdate.exe</SourceImage>
    <SourceImage condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</SourceImage>
    <SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
    <SourceImage condition="is">C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1907.4-0\MsMpEng.exe</SourceImage>
    <SourceImage condition="is">C:\Program Files\Microsoft VS Code\Code.exe</SourceImage>
    <SourceImage condition="end with">onedrivesetup.exe</SourceImage>
    <SourceImage condition="is">C:\WindowsAzure\Packages\CollectGuestLogs.exe</SourceImage>
    <SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe</SourceImage>
    <SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe</SourceImage>
    <TargetImage condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe</TargetImage>
    <TargetImage condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe</TargetImage>
    <TargetImage condition="is">C:\Program Files\Microsoft VS Code\Code.exe</TargetImage>
    <TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage>
    <TargetImage condition="is">c:\Program Files\Microsoft VS Code\resources\app\out\vs\workbench\services\files\node\watcher\win32\CodeHelper.exe</TargetImage>
    <TargetImage condition="is">C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe</TargetImage>
    <TargetImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe</TargetImage>
    <TargetImage condition="is">C:\windows\system32\CompatTelRunner.exe</TargetImage>
    <TargetImage condition="begin with">C:\Packages\Plugins\</TargetImage> <!--Azure ARM Extensions -->
    <TargetImage condition="begin with">C:\WindowsAzure\</TargetImage> <!--Azure -->
    <TargetImage condition="begin with">C:\Program Files\WindowsApps\</TargetImage>
    </ProcessAccess>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
    <!-- Event ID 11 == FileCreate. Log everything except -->
    <FileCreate onmatch="exclude">
    <Image condition="image">SearchIndexer.exe</Image>
    <Image condition="image">winlogbeat.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
    <Image condition="is">C:\Program Files\Microsoft VS Code\Code.exe</Image>
    <Image condition="end with">onedrivesetup.exe</Image>
    <Image condition="end with">onedrive.exe</Image>
    <Image condition="end with">skypeapp.exe</Image>
    <Image condition="begin with">C:\Packages\Plugins\</Image> <!--Azure ARM Extensions -->
    <Image condition="begin with">C:\WindowsAzure\</Image> <!--Azure -->
    <TargetFilename condition="begin with">C:\Windows\System32\winevt\Logs\</TargetFilename>
    </FileCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
    <!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. Log everything except -->
    <RegistryEvent onmatch="exclude">
    <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    <Image condition="image">Sysmon.exe</Image>
    <Image condition="image">GoogleUpdate.exe</Image>
    <Image condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe</Image>
    <Image condition="is">C:\Program Files\Windows Defender\NisSrv.exe</Image>
    <Image condition="end with">onedrivesetup.exe</Image>
    <Image condition="end with">onedrive.exe</Image>
    <Image condition="end with">skypeapp.exe</Image>
    <Image condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe</Image>
    <Image condition="is">C:\windows\system32\AUDIODG.EXE</Image>
    <TargetObject condition="is">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Microsoft Print to PDF\PrinterDriverData</TargetObject>
    <TargetObject condition="end with">LanguageList</TargetObject>
    </RegistryEvent>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
    <!-- Event ID 15 == FileStream Created. Do not log when a file stream is created neither the hash of the contents of the stream -->
    <FileCreateStreamHash onmatch="exclude" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
    <!-- Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected -->
    <PipeEvent onmatch="exclude">
    <Image condition="begin with">C:\Packages\Plugins\</Image> <!--Azure ARM Extensions -->
    <Image condition="begin with">C:\WindowsAzure\</Image> <!--Azure -->
    <Image condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe</Image>
    </PipeEvent>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
    <!-- Event ID 19,20,21, == WmiEvent. Log all WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter activity-->
    <WmiEvent onmatch="exclude"/>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
    <!--Event ID 22 == DNS Query-->
    <DnsQuery onmatch="exclude">
    <Image condition="is">C:\Program Files (x86)\nxlog\nxlog.exe</Image>
    </DnsQuery>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
    <!--Event ID 23 == File Delete-->
    <FileDelete onmatch="include">
    <TargetFilename condition="begin with">C:\Users\</TargetFilename>
    <TargetFilename condition="begin with">C:\ProgramData\</TargetFilename>
    <TargetFilename condition="begin with">C:\Windows\Temp\</TargetFilename>
    <TargetFilename condition="begin with">C:\Program Files\</TargetFilename>
    </FileDelete>
    </RuleGroup>
    </EventFiltering>
    </Sysmon>
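Review bot: The ProcessCreate exclusion for the Sysmon binary lost its leading backslash in the rewritten rule group (`<Image condition="end with">Sysmon.exe</Image>`), which widens the match from the file name `Sysmon.exe` to any image whose path merely ends in those characters, while the RawAccessRead group still uses `\Sysmon.exe`; restoring `<Image condition="end with">\Sysmon.exe</Image>` keeps the two consistent and narrow. The NetworkConnect exclusion `<DestinationIp condition="is">10.0.1.10</DestinationIp>` is also process-agnostic: every process on the host that connects to that address is dropped, not only the event-forwarding service, so if the schema in use supports compound rules, pair the address with the forwarding process's Image inside a `<Rule groupRelation="and">` rather than excluding on the address alone. Likewise the ProcessAccess `<TargetImage condition="begin with">C:\Program Files\WindowsApps\</TargetImage>` suppresses access events for any target under that tree; a comment naming the noisy source that motivated it would let the next maintainer judge whether it is still needed.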
  2. Cyb3rWard0g revised this gist May 2, 2019. 1 changed file with 3 additions and 3 deletions.
    6 changes: 3 additions & 3 deletions StartLogging.xml
    @@ -40,8 +40,8 @@
    <Image condition="is">C:\Windows\System32\mmc.exe</Image>
    <Image condition="is">C:\Program Files\Microsoft VS Code\Code.exe</Image>
    </NetworkConnect>
    <!-- Event ID 5 == Process Terminated. Do not log processes terminated -->
    <ProcessTerminate onmatch="include"/>
    <!-- Event ID 5 == Process Terminated. Log processes terminated -->
    <ProcessTerminate onmatch="exclude" />
    <!-- Event ID 6 == Driver Loaded. Log all drivers except those with the following signatures -->
    <DriverLoad onmatch="exclude">
    <Signature condition="contains">microsoft</Signature>
    @@ -113,7 +113,7 @@
    <TargetObject condition="end with">LanguageList</TargetObject>
    </RegistryEvent>
    <!-- Event ID 15 == FileStream Created. Do not log when a file stream is created neither the hash of the contents of the stream -->
    <FileCreateStreamHash onmatch="include" />
    <FileCreateStreamHash onmatch="exclude" />
    <!-- Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected -->
    <PipeEvent onmatch="exclude" />
    <!-- Event ID 19,20,21, == WmiEvent. Log all WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter activity-->
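Review bot: The comment above the new `<FileCreateStreamHash onmatch="exclude" />` still reads "Do not log when a file stream is created neither the hash of the contents of the stream", but an empty exclude block does the opposite: every Event ID 15 is now logged, and the stale comment is carried forward unchanged into the later revision as well. Update it to something like `<!-- Event ID 15 == FileStream Created. Log every file stream created together with the hash of its contents -->` so the stated intent matches the `onmatch` value, mirroring how the ProcessTerminate comment was corrected in the first hunk.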
  3. Cyb3rWard0g revised this gist Apr 15, 2019. 1 changed file with 2 additions and 2 deletions.
    4 changes: 2 additions & 2 deletions StartLogging.xml
    @@ -20,8 +20,8 @@
    <Image condition="end with">\Sysmon.exe</Image>
    <CommandLine condition="begin with">C:\WIndows\System32\poqexec.exe /noreboot /transaction</CommandLine>
    </ProcessCreate>
    <!-- Event ID 2 == File Creation Time. Do not log file modified creation time -->
    <FileCreateTime onmatch="include"/>
    <!-- Event ID 2 == File Creation Time. POC - Log file modified creation time -->
    <FileCreateTime onmatch="exclude"/>
    <!-- Event ID 3 == Network Connection. Log all initiated network connection except -->
    <NetworkConnect onmatch="exclude">
    <Image condition="is">C:\Program Files\Microsoft Office\Office15\ONENOTE.EXE</Image>
  4. Cyb3rWard0g revised this gist Sep 18, 2018. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions StartLogging.xml
    @@ -18,6 +18,7 @@
    <Image condition="is">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    <Image condition="end with">\Sysmon.exe</Image>
    <CommandLine condition="begin with">C:\WIndows\System32\poqexec.exe /noreboot /transaction</CommandLine>
    </ProcessCreate>
    <!-- Event ID 2 == File Creation Time. Do not log file modified creation time -->
    <FileCreateTime onmatch="include"/>
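Review bot: The added `<CommandLine condition="begin with">C:\WIndows\System32\poqexec.exe /noreboot /transaction</CommandLine>` excludes on the command line alone, and the command line is supplied by whoever starts the process rather than derived from the on-disk image, so it is a weaker anchor than an Image rule for an exclusion that silences Process Creation events. Sysmon's string conditions are case-insensitive, so the `WIndows` capitalisation does not change behaviour, but normalising it to `C:\Windows\System32\poqexec.exe /noreboot /transaction` avoids the appearance of a typo. If the schema version in use supports compound rules, binding the CommandLine condition to `<Image condition="is">C:\Windows\System32\poqexec.exe</Image>` inside a `<Rule groupRelation="and">` would keep the exclusion tied to the expected binary.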
  5. Cyb3rWard0g revised this gist Jul 6, 2018. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion StartLogging.xml
    @@ -1,4 +1,4 @@
    <Sysmon schemaversion="4.0">
    <Sysmon schemaversion="4.1">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
    <EventFiltering>
  6. Cyb3rWard0g revised this gist Feb 8, 2018. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion StartLogging.xml
    @@ -1,4 +1,4 @@
    <Sysmon schemaversion="3.4">
    <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
    <EventFiltering>
  7. Cyb3rWard0g revised this gist Nov 14, 2017. 1 changed file with 80 additions and 58 deletions.
    138 changes: 80 additions & 58 deletions StartLogging.xml
    @@ -1,93 +1,115 @@
    <Sysmon schemaversion="3.30">
    <Sysmon schemaversion="3.4">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
    <EventFiltering>
    <!-- Event ID 1 == Process Creation. Log all newly created processes except -->
    <ProcessCreate onmatch="exclude">
    <Image condition="contains">splunk</Image>
    <Image condition="contains">btool.exe</Image>
    <Image condition="contains">SnareCore</Image>
    <Image condition="contains">nxlog</Image>
    <Image condition="contains">winlogbeat</Image>
    <Image condition="contains">Microsoft Monitoring Agent\Agent\MonitoringHost.exe</Image>
    <Image condition="begin with">C:\Program Files\NVIDIA Corporation\Display\</Image>
    <Image condition="is">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image>
    <Image condition="is">C:\Program Files\Dell\SupportAssist\koala.exe</Image>
    <Image condition="begin with">C:\Program Files\Windows Defender</Image>
    <Image condition="is">C:\Windows\System32\audiodg.exe</Image>
    <Image condition="is">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    <Image condition="end with">\Sysmon.exe</Image>
    <Image condition="contains">splunk</Image>
    <Image condition="contains">btool.exe</Image>
    <Image condition="contains">SnareCore</Image>
    <Image condition="contains">nxlog</Image>
    <Image condition="contains">winlogbeat</Image>
    <Image condition="contains">Microsoft Monitoring Agent\Agent\MonitoringHost.exe</Image>
    <Image condition="begin with">C:\Program Files\NVIDIA Corporation\Display\</Image>
    <Image condition="is">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image>
    <Image condition="is">C:\Program Files\Dell\SupportAssist\koala.exe</Image>
    <Image condition="begin with">C:\Program Files\Windows Defender</Image>
    <Image condition="is">C:\Windows\System32\audiodg.exe</Image>
    <Image condition="is">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    <Image condition="end with">\Sysmon.exe</Image>
    </ProcessCreate>
    <!-- Event ID 2 == File Creation Time. Do not log file modified creation time -->
    <FileCreateTime onmatch="include"/>
    <!-- Event ID 3 == Network Connection. Log all initiated network connection except -->
    <NetworkConnect onmatch="exclude">
    <Image condition="is">C:\Program Files\Microsoft Office\Office15\ONENOTE.EXE</Image>
    <Image condition="end with">Spotify.exe</Image>
    <Image condition="end with">OneDrive.exe</Image>
    <Image condition="end with">AppData\Roaming\Dashlane\Dashlane.exe</Image>
    <Image condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe</Image>
    <Image condition="end with">winlogbeat.exe</Image>
    <Image condition="is">C:\Windows\System32\spoolsv.exe</Image>
    <Image condition="is">C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe</Image>
    <Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
    <Image condition="is">C:\Windows\System32\CompatTelRunner.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
    <Image condition="is">C:\Windows\System32\mmc.exe</Image>
    <Image condition="is">C:\Program Files\Microsoft Office\Office15\ONENOTE.EXE</Image>
    <Image condition="end with">Spotify.exe</Image>
    <Image condition="end with">OneDrive.exe</Image>
    <Image condition="end with">AppData\Roaming\Dashlane\Dashlane.exe</Image>
    <Image condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe</Image>
    <Image condition="end with">winlogbeat.exe</Image>
    <Image condition="is">C:\Windows\System32\spoolsv.exe</Image>
    <Image condition="is">C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe</Image>
    <Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
    <Image condition="is">C:\Windows\System32\CompatTelRunner.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
    <Image condition="is">C:\Windows\System32\mmc.exe</Image>
    <Image condition="is">C:\Program Files\Microsoft VS Code\Code.exe</Image>
    </NetworkConnect>
    <!-- Event ID 5 == Process Terminated. Do not log processes terminated -->
    <ProcessTerminate onmatch="include"/>
    <!-- Event ID 6 == Driver Loaded. Log all drivers except those with the following signatures -->
    <DriverLoad onmatch="exclude">
    <Signature condition="contains">microsoft</Signature>
    <Signature condition="contains">windows</Signature>
    <Signature condition="is">VMware</Signature>
    <Signature condition="begin with">Intel </Signature>
    <Signature condition="contains">microsoft</Signature>
    <Signature condition="contains">windows</Signature>
    <Signature condition="is">VMware</Signature>
    <Signature condition="begin with">Intel </Signature>
    </DriverLoad>
    <!-- Event ID 7 == Image Loaded. Log everything except -->
    <ImageLoad onmatch="exclude">
    <Image condition="image">chrome.exe</Image>
    <Image condition="image">vmtoolsd.exe</Image>
    <Image condition="image">Sysmon.exe</Image>
    <Image condition="image">mmc.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    <Image condition="is">C:\Windows\System32\taskeng.exe</Image>
    <Image condition="image">chrome.exe</Image>
    <Image condition="image">vmtoolsd.exe</Image>
    <Image condition="image">Sysmon.exe</Image>
    <Image condition="image">mmc.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    <Image condition="is">C:\Windows\System32\taskeng.exe</Image>
    <Image condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe</Image>
    <Image condition="is">C:\Program Files\Windows Defender\NisSrv.exe</Image>
    <Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image>
    </ImageLoad>
    <!-- Event ID 8 == CreateRemoteThread. Log everything -->
    <CreateRemoteThread onmatch="exclude" />
    <!-- Event ID 9 == RawAccessRead. Log everything -->
    <RawAccessRead onmatch="exclude">
    <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    <Image condition="end with">\Sysmon.exe</Image>
    <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    <Image condition="end with">\Sysmon.exe</Image>
    </RawAccessRead>
    <!-- Event ID 10 == ProcessAccess. Log everything except -->
    <ProcessAccess onmatch="exclude">
    <SourceImage condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</SourceImage>
    <SourceImage condition="is">C:\Windows\system32\taskeng.exe</SourceImage>
    <SourceImage condition="is">C:\Windows\system32\lsass.exe</SourceImage>
    <SourceImage condition="image">Sysmon.exe</SourceImage>
    <SourceImage condition="image">GoogleUpdate.exe</SourceImage>
    <SourceImage condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</SourceImage>
    <SourceImage condition="is">C:\Windows\system32\taskeng.exe</SourceImage>
    <SourceImage condition="is">C:\Windows\system32\lsass.exe</SourceImage>
    <SourceImage condition="image">Sysmon.exe</SourceImage>
    <SourceImage condition="image">GoogleUpdate.exe</SourceImage>
    <SourceImage condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</SourceImage>
    <SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
    <SourceImage condition="is">C:\Program Files\Microsoft VS Code\Code.exe</SourceImage>
    <TargetImage condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe</TargetImage>
    <TargetImage condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe</TargetImage>
    <TargetImage condition="is">C:\Windows\system32\mmc.exe</TargetImage>
    <TargetImage condition="is">C:\Program Files\Microsoft VS Code\Code.exe</TargetImage>
    <TargetImage condition="is">C:\Windows\system32\sihost.exe</TargetImage>
    <TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage>
    <TargetImage condition="is">c:\Program Files\Microsoft VS Code\resources\app\out\vs\workbench\services\files\node\watcher\win32\CodeHelper.exe</TargetImage>
    <TargetImage condition="is">C:\Windows\system32\ApplicationFrameHost.exe</TargetImage>
    <TargetImage condition="is">C:\Windows\System32\taskhostw.exe</TargetImage>
    <TargetImage condition="is">C:\Windows\System32\RuntimeBroker.exe</TargetImage>
    </ProcessAccess>
    <!-- Event ID 11 == FileCreate. Log everything except -->
    <FileCreate onmatch="exclude">
    <Image condition="image">SearchIndexer.exe</Image>
    <Image condition="image">winlogbeat.exe</Image>
    <Image condition="is">C:\Windows\system32\mmc.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
    <Image condition="image">SearchIndexer.exe</Image>
    <Image condition="image">winlogbeat.exe</Image>
    <Image condition="is">C:\Windows\system32\mmc.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
    <Image condition="is">C:\Program Files\Microsoft VS Code\Code.exe</Image>
    </FileCreate>
    <!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. Log everything except -->
    <RegistryEvent onmatch="exclude">
    <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    <Image condition="is">C:\Windows\system32\mmc.exe</Image>
    <Image condition="is">C:\Windows\system32\taskeng.exe</Image>
    <Image condition="is">C:\Windows\System32\svchost.exe</Image>
    <Image condition="is">C:\Windows\system32\lsass.exe</Image>
    <Image condition="is">C:\Windows\Sysmon.exe</Image>
    <Image condition="image">GoogleUpdate.exe</Image>
    <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    <Image condition="is">C:\Windows\system32\mmc.exe</Image>
    <Image condition="is">C:\Windows\system32\taskeng.exe</Image>
    <Image condition="is">C:\Windows\System32\svchost.exe</Image>
    <Image condition="is">C:\Windows\system32\lsass.exe</Image>
    <Image condition="is">C:\Windows\Sysmon.exe</Image>
    <Image condition="image">GoogleUpdate.exe</Image>
    <Image condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe</Image>
    <Image condition="is">C:\Program Files\Windows Defender\NisSrv.exe</Image>
    <TargetObject condition="is">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Microsoft Print to PDF\PrinterDriverData</TargetObject>
    <TargetObject condition="end with">LanguageList</TargetObject>
    </RegistryEvent>
    <!-- Event ID 15 == FileStream Created. Do not log when a file stream is created neither the hash of the contents of the stream -->
    <FileCreateStreamHash onmatch="include" />
  8. Cyb3rWard0g revised this gist Sep 12, 2017. 1 changed file with 3 additions and 2 deletions.
    5 changes: 3 additions & 2 deletions StartLogging.xml
    @@ -91,8 +91,9 @@
    </RegistryEvent>
    <!-- Event ID 15 == FileStream Created. Do not log when a file stream is created neither the hash of the contents of the stream -->
    <FileCreateStreamHash onmatch="include" />
    <!-- Event ID 17 == PipeEvent. Log Named pipe created & Named pipe connected -->
    <!-- Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected -->
    <PipeEvent onmatch="exclude" />

    <!-- Event ID 19,20,21, == WmiEvent. Log all WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter activity-->
    <WmiEvent onmatch="exclude" />
    </EventFiltering>
    </Sysmon>
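Review bot: The new WmiEvent comment carries a stray trailing comma in its event-id list and no space before the closing marker, `<!-- Event ID 19,20,21, == WmiEvent. ... activity-->`, while the sibling comments in this file use the form `<!-- Event ID 12,13,14 == ... -->`. `<!-- Event ID 19,20,21 == WmiEvent. Log all WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter activity -->` keeps the convention consistent and is what a reader scanning for an event id will grep for.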
  9. Cyb3rWard0g revised this gist May 9, 2017. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions StartLogging.xml
    @@ -70,6 +70,7 @@
    <SourceImage condition="is">C:\Windows\system32\taskeng.exe</SourceImage>
    <SourceImage condition="is">C:\Windows\system32\lsass.exe</SourceImage>
    <SourceImage condition="image">Sysmon.exe</SourceImage>
    <SourceImage condition="image">GoogleUpdate.exe</SourceImage>
    </ProcessAccess>
    <!-- Event ID 11 == FileCreate. Log everything except -->
    <FileCreate onmatch="exclude">
    @@ -86,6 +87,7 @@
    <Image condition="is">C:\Windows\System32\svchost.exe</Image>
    <Image condition="is">C:\Windows\system32\lsass.exe</Image>
    <Image condition="is">C:\Windows\Sysmon.exe</Image>
    <Image condition="image">GoogleUpdate.exe</Image>
    </RegistryEvent>
    <!-- Event ID 15 == FileStream Created. Do not log when a file stream is created neither the hash of the contents of the stream -->
    <FileCreateStreamHash onmatch="include" />
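Review bot: The ProcessAccess exclusion added in the first hunk, `<SourceImage condition="image">GoogleUpdate.exe</SourceImage>`, matches on the image file name alone, so any process carrying that name from any directory is dropped from Event ID 10 regardless of which target it opens. The file already pins this updater to its install path elsewhere (`<Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>` in ImageLoad and RawAccessRead); reusing that full-path `is` form here, and for the matching RegistryEvent line in the second hunk, keeps the exclusion tied to the installed binary. The same name-only `image` pattern is introduced for chrome.exe, mmc.exe, vmtoolsd.exe, Sysmon.exe, SearchIndexer.exe and winlogbeat.exe in the two Apr 5, 2017 revisions further down; a full-path condition is the safer default there too, with the name-only form reserved for binaries whose install location genuinely varies.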
  10. Cyb3rWard0g revised this gist Apr 5, 2017. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions StartLogging.xml
    @@ -36,6 +36,7 @@
    <Image condition="is">C:\Windows\System32\CompatTelRunner.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
    <Image condition="is">C:\Windows\System32\mmc.exe</Image>
    </NetworkConnect>
    <!-- Event ID 5 == Process Terminated. Do not log processes terminated -->
    <ProcessTerminate onmatch="include"/>
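Review bot: Excluding `<Image condition="is">C:\Windows\System32\mmc.exe</Image>` from NetworkConnect (Event ID 3) presumably also drops the remote connections MMC snap-ins open when an operator points Event Viewer, Services or Computer Management at another host, which in a lab built to record administrative activity is likely signal rather than noise. If the intent is only to suppress local chatter, a rule scoped on `DestinationIp` or `DestinationPort` would be narrower than an Image-wide exclusion; at minimum a short comment stating why mmc.exe is excluded would let the next reader re-evaluate it.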
  11. Cyb3rWard0g revised this gist Apr 5, 2017. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion StartLogging.xml
    @@ -28,7 +28,7 @@
    <Image condition="end with">OneDrive.exe</Image>
    <Image condition="end with">AppData\Roaming\Dashlane\Dashlane.exe</Image>
    <Image condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe</Image>
    <Image condition="end with">winlogbeat.exe</Image>
    <Image condition="end with">winlogbeat.exe</Image>
    <Image condition="is">C:\Windows\System32\spoolsv.exe</Image>
    <Image condition="is">C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe</Image>
  12. Cyb3rWard0g revised this gist Apr 5, 2017. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion StartLogging.xml
    @@ -48,11 +48,12 @@
    </DriverLoad>
    <!-- Event ID 7 == Image Loaded. Log everything except -->
    <ImageLoad onmatch="exclude">
    <Image condition="image">chrome.exe</Image>
    <Image condition="image">vmtoolsd.exe</Image>
    <Image condition="image">Sysmon.exe</Image>
    <Image condition="image">mmc.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    <Image condition="is">C:\Windows\System32\taskeng.exe</Image>
    <Image condition="is">C:\Windows\System32\mmc.exe</Image>
    </ImageLoad>
    <!-- Event ID 8 == CreateRemoteThread. Log everything -->
    <CreateRemoteThread onmatch="exclude" />
  13. Cyb3rWard0g revised this gist Apr 5, 2017. 1 changed file with 5 additions and 4 deletions.
    9 changes: 5 additions & 4 deletions StartLogging.xml
    @@ -48,8 +48,8 @@
    </DriverLoad>
    <!-- Event ID 7 == Image Loaded. Log everything except -->
    <ImageLoad onmatch="exclude">
    <Image condition="end with">\vmtoolsd.exe</Image>
    <Image condition="end with">\Sysmon.exe</Image>
    <Image condition="image">vmtoolsd.exe</Image>
    <Image condition="image">Sysmon.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    <Image condition="is">C:\Windows\System32\taskeng.exe</Image>
    <Image condition="is">C:\Windows\System32\mmc.exe</Image>
    @@ -67,11 +67,12 @@
    <SourceImage condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</SourceImage>
    <SourceImage condition="is">C:\Windows\system32\taskeng.exe</SourceImage>
    <SourceImage condition="is">C:\Windows\system32\lsass.exe</SourceImage>
    <SourceImage condition="end with">Sysmon.exe</SourceImage>
    <SourceImage condition="image">Sysmon.exe</SourceImage>
    </ProcessAccess>
    <!-- Event ID 11 == FileCreate. Log everything except -->
    <FileCreate onmatch="exclude">
    <Image condition="end with">winlogbeat.exe</Image>
    <Image condition="image">SearchIndexer.exe</Image>
    <Image condition="image">winlogbeat.exe</Image>
    <Image condition="is">C:\Windows\system32\mmc.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
    </FileCreate>
  14. Cyb3rWard0g revised this gist Mar 26, 2017. 1 changed file with 3 additions and 2 deletions.
    5 changes: 3 additions & 2 deletions StartLogging.xml
    @@ -35,6 +35,7 @@
    <Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
    <Image condition="is">C:\Windows\System32\CompatTelRunner.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
    </NetworkConnect>
    <!-- Event ID 5 == Process Terminated. Do not log processes terminated -->
    <ProcessTerminate onmatch="include"/>
    @@ -47,8 +48,8 @@
    </DriverLoad>
    <!-- Event ID 7 == Image Loaded. Log everything except -->
    <ImageLoad onmatch="exclude">
    <Image condition="end with">vmtoolsd.exe</Image>
    <Image condition="end with">Sysmon.exe</Image>
    <Image condition="end with">\vmtoolsd.exe</Image>
    <Image condition="end with">\Sysmon.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    <Image condition="is">C:\Windows\System32\taskeng.exe</Image>
    <Image condition="is">C:\Windows\System32\mmc.exe</Image>
  15. Cyb3rWard0g revised this gist Mar 26, 2017. 1 changed file with 4 additions and 0 deletions.
    4 changes: 4 additions & 0 deletions StartLogging.xml
    @@ -17,6 +17,7 @@
    <Image condition="is">C:\Windows\System32\audiodg.exe</Image>
    <Image condition="is">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    <Image condition="end with">\Sysmon.exe</Image>
    </ProcessCreate>
    <!-- Event ID 2 == File Creation Time. Do not log file modified creation time -->
    <FileCreateTime onmatch="include"/>
    @@ -47,6 +48,7 @@
    <!-- Event ID 7 == Image Loaded. Log everything except -->
    <ImageLoad onmatch="exclude">
    <Image condition="end with">vmtoolsd.exe</Image>
    <Image condition="end with">Sysmon.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    <Image condition="is">C:\Windows\System32\taskeng.exe</Image>
    <Image condition="is">C:\Windows\System32\mmc.exe</Image>
    @@ -57,12 +59,14 @@
    <RawAccessRead onmatch="exclude">
    <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    <Image condition="end with">\Sysmon.exe</Image>
    </RawAccessRead>
    <!-- Event ID 10 == ProcessAccess. Log everything except -->
    <ProcessAccess onmatch="exclude">
    <SourceImage condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</SourceImage>
    <SourceImage condition="is">C:\Windows\system32\taskeng.exe</SourceImage>
    <SourceImage condition="is">C:\Windows\system32\lsass.exe</SourceImage>
    <SourceImage condition="end with">Sysmon.exe</SourceImage>
    </ProcessAccess>
    <!-- Event ID 11 == FileCreate. Log everything except -->
    <FileCreate onmatch="exclude">
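Review bot: The ProcessAccess exclusion added in the last hunk, `<SourceImage condition="end with">Sysmon.exe</SourceImage>`, lacks the leading backslash that the ProcessCreate, ImageLoad and RawAccessRead hunks of this same revision use (`\Sysmon.exe`), so it is also satisfied by any image whose path merely ends in that string (for example `NotSysmon.exe`). `<SourceImage condition="end with">\Sysmon.exe</SourceImage>` makes the four rules consistent; the ImageLoad context line `<Image condition="end with">vmtoolsd.exe</Image>` from an earlier revision has the same gap. More generally, the Mar 26, 2017 revisions below replace full-path `is` conditions for vmtoolsd.exe and winlogbeat.exe with `end with` suffixes, and a suffix match accepts a file of that name in any directory, so the full path remains the tighter rule wherever the install location is fixed.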
  16. Cyb3rWard0g revised this gist Mar 26, 2017. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion StartLogging.xml
    @@ -27,6 +27,7 @@
    <Image condition="end with">OneDrive.exe</Image>
    <Image condition="end with">AppData\Roaming\Dashlane\Dashlane.exe</Image>
    <Image condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe</Image>
    <Image condition="end with">winlogbeat.exe</Image>
    <Image condition="is">C:\Windows\System32\spoolsv.exe</Image>
    <Image condition="is">C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe</Image>
    @@ -45,7 +46,7 @@
    </DriverLoad>
    <!-- Event ID 7 == Image Loaded. Log everything except -->
    <ImageLoad onmatch="exclude">
    <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    <Image condition="end with">vmtoolsd.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    <Image condition="is">C:\Windows\System32\taskeng.exe</Image>
    <Image condition="is">C:\Windows\System32\mmc.exe</Image>
  17. Cyb3rWard0g revised this gist Mar 26, 2017. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion StartLogging.xml
    @@ -65,7 +65,7 @@
    </ProcessAccess>
    <!-- Event ID 11 == FileCreate. Log everything except -->
    <FileCreate onmatch="exclude">
    <Image condition="is">C:\Program Files\Winlogbeat\winlogbeat.exe</Image>
    <Image condition="end with">winlogbeat.exe</Image>
    <Image condition="is">C:\Windows\system32\mmc.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
    </FileCreate>
  18. Cyb3rWard0g revised this gist Mar 26, 2017. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions StartLogging.xml
    @@ -76,6 +76,7 @@
    <Image condition="is">C:\Windows\system32\taskeng.exe</Image>
    <Image condition="is">C:\Windows\System32\svchost.exe</Image>
    <Image condition="is">C:\Windows\system32\lsass.exe</Image>
    <Image condition="is">C:\Windows\Sysmon.exe</Image>
    </RegistryEvent>
    <!-- Event ID 15 == FileStream Created. Do not log when a file stream is created neither the hash of the contents of the stream -->
    <FileCreateStreamHash onmatch="include" />
  19. Cyb3rWard0g revised this gist Mar 26, 2017. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions StartLogging.xml
    @@ -48,6 +48,7 @@
    <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    <Image condition="is">C:\Windows\System32\taskeng.exe</Image>
    <Image condition="is">C:\Windows\System32\mmc.exe</Image>
    </ImageLoad>
    <!-- Event ID 8 == CreateRemoteThread. Log everything -->
    <CreateRemoteThread onmatch="exclude" />
    @@ -74,6 +75,7 @@
    <Image condition="is">C:\Windows\system32\mmc.exe</Image>
    <Image condition="is">C:\Windows\system32\taskeng.exe</Image>
    <Image condition="is">C:\Windows\System32\svchost.exe</Image>
    <Image condition="is">C:\Windows\system32\lsass.exe</Image>
    </RegistryEvent>
    <!-- Event ID 15 == FileStream Created. Do not log when a file stream is created neither the hash of the contents of the stream -->
    <FileCreateStreamHash onmatch="include" />
  20. Cyb3rWard0g revised this gist Mar 26, 2017. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion StartLogging.xml
    @@ -45,7 +45,6 @@
    </DriverLoad>
    <!-- Event ID 7 == Image Loaded. Log everything except -->
    <ImageLoad onmatch="exclude">
    <Image condition="is">C:\Windows\Sysmon.exe</Image>
    <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    <Image condition="is">C:\Windows\System32\taskeng.exe</Image>
    @@ -67,6 +66,7 @@
    <FileCreate onmatch="exclude">
    <Image condition="is">C:\Program Files\Winlogbeat\winlogbeat.exe</Image>
    <Image condition="is">C:\Windows\system32\mmc.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
    </FileCreate>
    <!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. Log everything except -->
    <RegistryEvent onmatch="exclude">
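Review bot: The FileCreate exclusion added in the second hunk, `<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>`, removes every file the browser writes from Event ID 11, and that includes user downloads, which are among the file-creation events a lab like this most wants to keep. Chrome's volume is almost entirely profile and cache churn, so a `TargetFilename`-scoped rule (for example `<TargetFilename condition="contains">\Google\Chrome\User Data\</TargetFilename>`) would suppress that noise while still recording files the browser creates elsewhere. The same Image-wide line is still present in the current revision's FileCreate section at the top of this page.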
  21. Cyb3rWard0g revised this gist Mar 26, 2017. 1 changed file with 9 additions and 1 deletion.
    10 changes: 9 additions & 1 deletion StartLogging.xml
    @@ -16,6 +16,7 @@
    <Image condition="begin with">C:\Program Files\Windows Defender</Image>
    <Image condition="is">C:\Windows\System32\audiodg.exe</Image>
    <Image condition="is">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    </ProcessCreate>
    <!-- Event ID 2 == File Creation Time. Do not log file modified creation time -->
    <FileCreateTime onmatch="include"/>
    @@ -46,16 +47,21 @@
    <ImageLoad onmatch="exclude">
    <Image condition="is">C:\Windows\Sysmon.exe</Image>
    <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    <Image condition="is">C:\Windows\System32\taskeng.exe</Image>
    </ImageLoad>
    <!-- Event ID 8 == CreateRemoteThread. Log everything -->
    <CreateRemoteThread onmatch="exclude" />
    <!-- Event ID 9 == RawAccessRead. Log everything -->
    <RawAccessRead onmatch="exclude">
    <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
    </RawAccessRead>
    <!-- Event ID 10 == ProcessAccess. Log everything except -->
    <ProcessAccess onmatch="exclude">
    <SourceImage condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</SourceImage>
    <SourceImage condition="is">C:\Windows\system32\taskeng.exe</SourceImage>
    <SourceImage condition="is">C:\Windows\system32\lsass.exe</SourceImage>
    </ProcessAccess>
    <!-- Event ID 11 == FileCreate. Log everything except -->
    <FileCreate onmatch="exclude">
    @@ -64,8 +70,10 @@
    </FileCreate>
    <!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. Log everything except -->
    <RegistryEvent onmatch="exclude">
    <Image condition="is">C:\Windows\Sysmon.exe</Image>
    <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    <Image condition="is">C:\Windows\system32\mmc.exe</Image>
    <Image condition="is">C:\Windows\system32\taskeng.exe</Image>
    <Image condition="is">C:\Windows\System32\svchost.exe</Image>
    </RegistryEvent>
    <!-- Event ID 15 == FileStream Created. Do not log when a file stream is created neither the hash of the contents of the stream -->
    <FileCreateStreamHash onmatch="include" />
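Review bot: The RegistryEvent exclusion `<Image condition="is">C:\Windows\System32\svchost.exe</Image>` in the last hunk is broad: svchost.exe hosts many services, and registry writes made on their behalf (the Task Scheduler service's task-cache entries, for instance) are exactly the Event ID 12/13 records a persistence review relies on, so a service-hosted change would leave no trace here. A `TargetObject`-scoped exclusion for the specific noisy keys would be narrower, and a comment naming the noise this line was added for would let a later reader re-evaluate it. Separately, the comment `<!-- Event ID 9 == RawAccessRead. Log everything -->` stops being accurate once the second hunk adds two exclusions beneath it; `<!-- Event ID 9 == RawAccessRead. Log everything except -->` matches the sibling comments, and the same stale comment is still carried in the current revision's RawAccessRead section.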
  22. Cyb3rWard0g revised this gist Mar 26, 2017. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion StartLogging.xml
    @@ -45,7 +45,7 @@
    <!-- Event ID 7 == Image Loaded. Log everything except -->
    <ImageLoad onmatch="exclude">
    <Image condition="is">C:\Windows\Sysmon.exe</Image>
    <Image conditon="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    </ImageLoad>
    <!-- Event ID 8 == CreateRemoteThread. Log everything -->
    <CreateRemoteThread onmatch="exclude" />
  23. Cyb3rWard0g revised this gist Mar 26, 2017. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion StartLogging.xml
    @@ -15,7 +15,7 @@
    <Image condition="is">C:\Program Files\Dell\SupportAssist\koala.exe</Image>
    <Image condition="begin with">C:\Program Files\Windows Defender</Image>
    <Image condition="is">C:\Windows\System32\audiodg.exe</Image>
    <Image condition="image">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image>
    <Image condition="is">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image>
    </ProcessCreate>
    <!-- Event ID 2 == File Creation Time. Do not log file modified creation time -->
    <FileCreateTime onmatch="include"/>
  24. Cyb3rWard0g revised this gist Mar 26, 2017. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion StartLogging.xml
    @@ -45,7 +45,7 @@
    <!-- Event ID 7 == Image Loaded. Log everything except -->
    <ImageLoad onmatch="exclude">
    <Image condition="is">C:\Windows\Sysmon.exe</Image>
    <Image condiiton="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    <Image conditon="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    </ImageLoad>
    <!-- Event ID 8 == CreateRemoteThread. Log everything -->
    <CreateRemoteThread onmatch="exclude" />
  25. Cyb3rWard0g revised this gist Mar 26, 2017. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion StartLogging.xml
    @@ -44,7 +44,8 @@
    </DriverLoad>
    <!-- Event ID 7 == Image Loaded. Log everything except -->
    <ImageLoad onmatch="exclude">
    <ImageLoaded condition="is">C:\Windows\Sysmon.exe</ImageLoaded>
    <Image condition="is">C:\Windows\Sysmon.exe</Image>
    <Image condiiton="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    </ImageLoad>
    <!-- Event ID 8 == CreateRemoteThread. Log everything -->
    <CreateRemoteThread onmatch="exclude" />
  26. Cyb3rWard0g revised this gist Mar 26, 2017. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion StartLogging.xml
    @@ -64,7 +64,7 @@
    <!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. Log everything except -->
    <RegistryEvent onmatch="exclude">
    <Image condition="is">C:\Windows\Sysmon.exe</Image>
    <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    </RegistryEvent>
    <!-- Event ID 15 == FileStream Created. Do not log when a file stream is created neither the hash of the contents of the stream -->
    <FileCreateStreamHash onmatch="include" />
  27. Cyb3rWard0g revised this gist Feb 23, 2017. 1 changed file with 1 addition and 2 deletions.
    3 changes: 1 addition & 2 deletions StartLogging.xml
    @@ -44,8 +44,7 @@
    </DriverLoad>
    <!-- Event ID 7 == Image Loaded. Log everything except -->
    <ImageLoad onmatch="exclude">
    <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    <Image condition="is">C:\Windows\System32\mmc.exe</Image>
    <ImageLoaded condition="is">C:\Windows\Sysmon.exe</ImageLoaded>
    </ImageLoad>
    <!-- Event ID 8 == CreateRemoteThread. Log everything -->
    <CreateRemoteThread onmatch="exclude" />
  28. Cyb3rWard0g revised this gist Feb 23, 2017. 1 changed file with 2 additions and 28 deletions.
    30 changes: 2 additions & 28 deletions StartLogging.xml
    @@ -13,35 +13,9 @@
    <Image condition="begin with">C:\Program Files\NVIDIA Corporation\Display\</Image>
    <Image condition="is">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image>
    <Image condition="is">C:\Program Files\Dell\SupportAssist\koala.exe</Image>
    <CommandLine condition="contains">ClearMyTracksByProcess</CommandLine>
    <Image condition="begin with">C:\Program Files\Windows Defender</Image>
    <Image condition="is">C:\Windows\System32\audiodg.exe</Image>
    <CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine>
    <CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine>
    <CommandLine condition="begin with">"C:\Program Files (x86)\Google\Update\</CommandLine>
    <CommandLine condition="is">C:\Windows\System32\smartscreen.exe -Embedding</CommandLine>
    <CommandLine condition="is">C:\WINDOWS\system32\SppExtComObj.exe -Embedding</CommandLine>
    <CommandLine condition="is">"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE"</CommandLine>
    <CommandLine condition="is">C:\WINDOWS\system32\sppsvc.exe</CommandLine>
    <CommandLine condition="is">"C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7830.42257.0_x64__8wekyb3d8bbwe\HxTsr.exe" -ServerName:Hx.IPC.Server</CommandLine>
    <CommandLine condition="is">"C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\eventvwr.msc" /s</CommandLine>
    <CommandLine condition="end with">TiWorker.exe -Embedding</CommandLine>
    <CommandLine condition="is">C:\WINDOWS\servicing\TrustedInstaller.exe</CommandLine>
    <CommandLine condition="is">C:\WINDOWS\system32\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun -cv:qJVCZ/bbI0mBxIUL.1</CommandLine>
    <CommandLine condition="is">"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /WatchService</CommandLine>
    <CommandLine condition="is">C:\WINDOWS\system32\ApplicationFrameHost.exe -Embedding</CommandLine>
    <ParentCommandLine condition="begin with">%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!-- @SwiftOnSecurity - Triggered when programs use the command shell, but without attribution so not worth time in my situation -->
    <ParentCommandLine condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe" ws</ParentCommandLine>
    <ParentCommandLine condition="is">C:\WINDOWS\system32\SearchIndexer.exe /Embedding</ParentCommandLine>
    <ParentCommandLine condition="is">schtasks.exe /change /tn "Microsoft\Office\Office Automatic Updates" /enable</ParentCommandLine>
    <ParentCommandLine condition="is">"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service</ParentCommandLine>
    <ParentCommandLine condition="is">"C:\Program Files (x86)\LogMeIn\x86\LogMeIn.exe" oesis</ParentCommandLine>
    <CurrentDirectory condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\</CurrentDirectory>
    <!-- SECTION: Adobe -->
    <CommandLine condition="is">CommandLine "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"</CommandLine>
    <CommandLine condition="contains">AcroRd32.exe" /CR </CommandLine> <!-- @SwiftOnSecurity - Adobe:AcrobatReader: Uninsteresting sandbox subprocess -->
    <CommandLine condition="contains">AcroRd32.exe" --channel</CommandLine> <!-- @SwiftOnSecurity - Adobe:AcrobatReader: Uninteresting sandbox subprocess -->
    <Image condition="image">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> <!-- @SwiftOnSecurity - Adobe:Flash: Properly hardened updater, not a risk -->
    <Image condition="image">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image>
    </ProcessCreate>
    <!-- Event ID 2 == File Creation Time. Do not log file modified creation time -->
    <FileCreateTime onmatch="include"/>
    @@ -77,7 +51,7 @@
    <CreateRemoteThread onmatch="exclude" />
    <!-- Event ID 9 == RawAccessRead. Log everything -->
    <RawAccessRead onmatch="exclude">
    <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    </RawAccessRead>
    <!-- Event ID 10 == ProcessAccess. Log everything except -->
    <ProcessAccess onmatch="exclude">
  29. Cyb3rWard0g revised this gist Feb 23, 2017. No changes.
  30. Cyb3rWard0g revised this gist Feb 23, 2017. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions StartLogging.xml
    @@ -71,6 +71,7 @@
    <!-- Event ID 7 == Image Loaded. Log everything except -->
    <ImageLoad onmatch="exclude">
    <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
    <Image condition="is">C:\Windows\System32\mmc.exe</Image>
    </ImageLoad>
    <!-- Event ID 8 == CreateRemoteThread. Log everything -->
    <CreateRemoteThread onmatch="exclude" />