Cyb3rWard0g/test_rulenames.xml

## test_rulenames.xml
<Sysmon schemaversion="4.1">
   <!-- Capture all hashes -->
   <HashAlgorithms>*</HashAlgorithms>
   <EventFiltering>
      <!-- Event ID 1 == Process Creation. -->
      <ProcessCreate onmatch="include">
      	<CommandLine name="technique_id=T1136,technique_name=create_accountccount,tactic=persistence, platform=windows" condition="contains">net user /add</CommandLine>
        <CommandLine name="technique_id=T1124,technique_name=system_time_discovery,tactic=discovery, platform=windows" condition="contains">net time</CommandLine>
	<CommandLine name="technique_id=T1087,technique_name=account_discovery,tactic=discovery, platform=windows" condition="contains">net localgroup</CommandLine>
	<CommandLine name="technique_id=T1007,technique_name=system_service_discovery,tactic=discovery, platform=windows" condition="contains">net start</CommandLine>
	<CommandLine name="technique_id=T1007,technique_name=system_service_discovery,tactic=discovery, platform=windows" condition="contains">sc qc</CommandLine>
	<CommandLine name="technique_id=T1007,technique_name=system_service_discovery,tactic=discovery, platform=windows" condition="contains">sc sdshow</CommandLine>
      </ProcessCreate>
      <!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. -->
      <RegistryEvent onmatch="exclude">
	<TargetObject name="technique_id=T1088,technique_name=bypass_user_account_control,tactic=privilege_escalation, platform=windows" condition="contains">\mscfile\shell\open\command</TargetObject>
	<TargetObject name="technique_id=T1088,technique_name=bypass_user_account_control,tactic=privilege_escalation, platform=windows" condition="contains">ms-settings\shell\open\command</TargetObject>
      </RegistryEvent>
  </EventFiltering>
</Sysmon>
	<Sysmon schemaversion="4.1">
	<!-- Capture all hashes -->
	<HashAlgorithms>*</HashAlgorithms>
	<EventFiltering>
	<!-- Event ID 1 == Process Creation. -->
	<ProcessCreate onmatch="include">
	<CommandLine name="technique_id=T1136,technique_name=create_accountccount,tactic=persistence, platform=windows" condition="contains">net user /add</CommandLine>
	<CommandLine name="technique_id=T1124,technique_name=system_time_discovery,tactic=discovery, platform=windows" condition="contains">net time</CommandLine>
	<CommandLine name="technique_id=T1087,technique_name=account_discovery,tactic=discovery, platform=windows" condition="contains">net localgroup</CommandLine>
	<CommandLine name="technique_id=T1007,technique_name=system_service_discovery,tactic=discovery, platform=windows" condition="contains">net start</CommandLine>
	<CommandLine name="technique_id=T1007,technique_name=system_service_discovery,tactic=discovery, platform=windows" condition="contains">sc qc</CommandLine>
	<CommandLine name="technique_id=T1007,technique_name=system_service_discovery,tactic=discovery, platform=windows" condition="contains">sc sdshow</CommandLine>
	</ProcessCreate>
	<!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. -->
	<RegistryEvent onmatch="exclude">
	<TargetObject name="technique_id=T1088,technique_name=bypass_user_account_control,tactic=privilege_escalation, platform=windows" condition="contains">\mscfile\shell\open\command</TargetObject>
	<TargetObject name="technique_id=T1088,technique_name=bypass_user_account_control,tactic=privilege_escalation, platform=windows" condition="contains">ms-settings\shell\open\command</TargetObject>
	</RegistryEvent>
	</EventFiltering>
	</Sysmon>