Skip to content

Instantly share code, notes, and snippets.

@Cyb3rWard0g
Last active July 6, 2022 23:18
Show Gist options
  • Save Cyb3rWard0g/136481552d8845e52962534d1a4b8664 to your computer and use it in GitHub Desktop.
Save Cyb3rWard0g/136481552d8845e52962534d1a4b8664 to your computer and use it in GitHub Desktop.
<Sysmon schemaversion="4.32">
<!-- Capture all hashes -->
<HashAlgorithms>*</HashAlgorithms>
<DnsLookup>False</DnsLookup>
<ArchiveDirectory>Archive</ArchiveDirectory>
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 1 == Process Creation. Log all newly created processes except -->
<ProcessCreate onmatch="exclude">
<Image condition="contains">splunk</Image>
<Image condition="contains">btool.exe</Image>
<Image condition="contains">SnareCore</Image>
<Image condition="contains">nxlog</Image>
<Image condition="contains">winlogbeat</Image>
<Image condition="contains">Microsoft Monitoring Agent\Agent\MonitoringHost.exe</Image>
<Image condition="begin with">C:\Program Files\NVIDIA Corporation\Display\</Image>
<Image condition="is">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image>
<Image condition="is">C:\Program Files\Dell\SupportAssist\koala.exe</Image>
<Image condition="begin with">C:\Program Files\Windows Defender</Image>
<Image condition="is">C:\Windows\System32\audiodg.exe</Image>
<Image condition="is">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image>
<Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
<Image condition="end with">Sysmon.exe</Image>
<Image condition="end with">ec2config.exe</Image>
<CommandLine condition="begin with">C:\WIndows\System32\poqexec.exe /noreboot /transaction</CommandLine>
</ProcessCreate>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 2 == File Creation Time. POC - Log file modified creation time -->
<FileCreateTime onmatch="exclude"/>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 3 == Network Connection. Log all initiated network connection except -->
<NetworkConnect onmatch="exclude">
<Image condition="is">C:\Program Files\Microsoft Office\Office15\ONENOTE.EXE</Image>
<Image condition="end with">Spotify.exe</Image>
<Image condition="end with">OneDrive.exe</Image>
<Image condition="end with">AppData\Roaming\Dashlane\Dashlane.exe</Image>
<Image condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe</Image>
<Image condition="end with">winlogbeat.exe</Image>
<Image condition="end with">ec2config.exe</Image>
<Image condition="end with">cfn-signal.exe</Image>
<Image condition="end with">amazon-ssm-agent.exe</Image>
<Image condition="end with">ec2wallpaperinfo.exe</Image>
<Image condition="is">C:\Windows\System32\spoolsv.exe</Image>
<Image condition="is">C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe</Image>
<Image condition="is">C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe</Image>
<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
<Image condition="is">C:\Windows\System32\CompatTelRunner.exe</Image>
<Image condition="is">C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe</Image>
<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
<Image condition="is">C:\Windows\System32\mmc.exe</Image>
<Image condition="is">C:\Program Files\Microsoft VS Code\Code.exe</Image>
<Image condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe</Image>
<Image condition="begin with">C:\Packages\Plugins\</Image> <!--Azure ARM Extensions -->
<Image condition="begin with">C:\WindowsAzure\</Image> <!--Azure -->
<DestinationIp condition="is">10.0.1.10</DestinationIp> <!--Mordor APT29 Evals: Windows Event Collector-->
</NetworkConnect>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 5 == Process Terminated. Log processes terminated -->
<ProcessTerminate onmatch="exclude" />
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 6 == Driver Loaded. Log all drivers except those with the following signatures -->
<DriverLoad onmatch="exclude">
<Signature condition="contains">microsoft</Signature>
<Signature condition="contains">windows</Signature>
<Signature condition="is">VMware</Signature>
<Signature condition="begin with">Intel </Signature>
</DriverLoad>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 7 == Image Loaded. Log everything except -->
<ImageLoad onmatch="exclude">
<Image condition="image">chrome.exe</Image>
<Image condition="image">vmtoolsd.exe</Image>
<Image condition="image">Sysmon.exe</Image>
<Image condition="image">mmc.exe</Image>
<Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
<Image condition="is">C:\Windows\System32\taskeng.exe</Image>
<Image condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe</Image>
<Image condition="is">C:\Program Files\Windows Defender\NisSrv.exe</Image>
<Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image>
<Image condition="end with">onedrivesetup.exe</Image>
<Image condition="end with">onedrive.exe</Image>
<Image condition="end with">skypeapp.exe</Image>
<Image condition="begin with">C:\Packages\Plugins\</Image> <!--Azure ARM Extensions -->
<Image condition="begin with">C:\WindowsAzure\</Image> <!--Azure -->
</ImageLoad>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 8 == CreateRemoteThread. Log everything except -->
<CreateRemoteThread onmatch="exclude" />
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 9 == RawAccessRead. Log everything except -->
<RawAccessRead onmatch="exclude">
<Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
<Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
<Image condition="end with">\Sysmon.exe</Image>
</RawAccessRead>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 10 == ProcessAccess. Log everything except -->
<ProcessAccess onmatch="exclude">
<SourceImage condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</SourceImage>
<SourceImage condition="image">Sysmon.exe</SourceImage>
<SourceImage condition="image">GoogleUpdate.exe</SourceImage>
<SourceImage condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</SourceImage>
<SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
<SourceImage condition="is">C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1907.4-0\MsMpEng.exe</SourceImage>
<SourceImage condition="is">C:\Program Files\Microsoft VS Code\Code.exe</SourceImage>
<SourceImage condition="end with">onedrivesetup.exe</SourceImage>
<SourceImage condition="is">C:\WindowsAzure\Packages\CollectGuestLogs.exe</SourceImage>
<SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe</SourceImage>
<SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe</SourceImage>
<TargetImage condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe</TargetImage>
<TargetImage condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe</TargetImage>
<TargetImage condition="is">C:\Program Files\Microsoft VS Code\Code.exe</TargetImage>
<TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage>
<TargetImage condition="is">c:\Program Files\Microsoft VS Code\resources\app\out\vs\workbench\services\files\node\watcher\win32\CodeHelper.exe</TargetImage>
<TargetImage condition="is">C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe</TargetImage>
<TargetImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe</TargetImage>
<TargetImage condition="is">C:\windows\system32\CompatTelRunner.exe</TargetImage>
<TargetImage condition="begin with">C:\Packages\Plugins\</TargetImage> <!--Azure ARM Extensions -->
<TargetImage condition="begin with">C:\WindowsAzure\</TargetImage> <!--Azure -->
<TargetImage condition="begin with">C:\Program Files\WindowsApps\</TargetImage>
</ProcessAccess>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 11 == FileCreate. Log everything except -->
<FileCreate onmatch="exclude">
<Image condition="image">SearchIndexer.exe</Image>
<Image condition="image">winlogbeat.exe</Image>
<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
<Image condition="is">C:\Program Files\Microsoft VS Code\Code.exe</Image>
<Image condition="end with">onedrivesetup.exe</Image>
<Image condition="end with">onedrive.exe</Image>
<Image condition="end with">skypeapp.exe</Image>
<Image condition="begin with">C:\Packages\Plugins\</Image> <!--Azure ARM Extensions -->
<Image condition="begin with">C:\WindowsAzure\</Image> <!--Azure -->
<TargetFilename condition="begin with">C:\Windows\System32\winevt\Logs\</TargetFilename>
</FileCreate>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. Log everything except -->
<RegistryEvent onmatch="exclude">
<Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
<Image condition="image">Sysmon.exe</Image>
<Image condition="image">GoogleUpdate.exe</Image>
<Image condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe</Image>
<Image condition="is">C:\Program Files\Windows Defender\NisSrv.exe</Image>
<Image condition="end with">onedrivesetup.exe</Image>
<Image condition="end with">onedrive.exe</Image>
<Image condition="end with">skypeapp.exe</Image>
<Image condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe</Image>
<Image condition="is">C:\windows\system32\AUDIODG.EXE</Image>
<TargetObject condition="is">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Microsoft Print to PDF\PrinterDriverData</TargetObject>
<TargetObject condition="end with">LanguageList</TargetObject>
</RegistryEvent>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 15 == FileStream Created. Do not log when a file stream is created neither the hash of the contents of the stream -->
<FileCreateStreamHash onmatch="exclude" />
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected -->
<PipeEvent onmatch="exclude">
<Image condition="begin with">C:\Packages\Plugins\</Image> <!--Azure ARM Extensions -->
<Image condition="begin with">C:\WindowsAzure\</Image> <!--Azure -->
<Image condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe</Image>
</PipeEvent>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 19,20,21, == WmiEvent. Log all WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter activity-->
<WmiEvent onmatch="exclude"/>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!--Event ID 22 == DNS Query-->
<DnsQuery onmatch="exclude">
<Image condition="is">C:\Program Files (x86)\nxlog\nxlog.exe</Image>
</DnsQuery>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!--Event ID 23 == File Delete-->
<FileDelete onmatch="include">
<TargetFilename condition="begin with">C:\Users\</TargetFilename>
<TargetFilename condition="begin with">C:\ProgramData\</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\Temp\</TargetFilename>
<TargetFilename condition="begin with">C:\Program Files\</TargetFilename>
</FileDelete>
</RuleGroup>
</EventFiltering>
</Sysmon>
@jermdw
Copy link

jermdw commented Jan 22, 2018

To work with Sysmon v7.01 (latest) the schema version must be updated to 4.0. @Cyb3rWard0g

@Cyb3rWard0g
Copy link
Author

Thank you man!! 👍 done.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment