Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
<Sysmon schemaversion="4.1">
<!-- Capture all hashes -->
<HashAlgorithms>*</HashAlgorithms>
<EventFiltering>
<!-- Event ID 1 == Process Creation. -->
<ProcessCreate onmatch="include">
<CommandLine name="technique_id=T1136,technique_name=create_accountccount,tactic=persistence, platform=windows" condition="contains">net user /add</CommandLine>
<CommandLine name="technique_id=T1124,technique_name=system_time_discovery,tactic=discovery, platform=windows" condition="contains">net time</CommandLine>
<CommandLine name="technique_id=T1087,technique_name=account_discovery,tactic=discovery, platform=windows" condition="contains">net localgroup</CommandLine>
<CommandLine name="technique_id=T1007,technique_name=system_service_discovery,tactic=discovery, platform=windows" condition="contains">net start</CommandLine>
<CommandLine name="technique_id=T1007,technique_name=system_service_discovery,tactic=discovery, platform=windows" condition="contains">sc qc</CommandLine>
<CommandLine name="technique_id=T1007,technique_name=system_service_discovery,tactic=discovery, platform=windows" condition="contains">sc sdshow</CommandLine>
</ProcessCreate>
<!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. -->
<RegistryEvent onmatch="exclude">
<TargetObject name="technique_id=T1088,technique_name=bypass_user_account_control,tactic=privilege_escalation, platform=windows" condition="contains">\mscfile\shell\open\command</TargetObject>
<TargetObject name="technique_id=T1088,technique_name=bypass_user_account_control,tactic=privilege_escalation, platform=windows" condition="contains">ms-settings\shell\open\command</TargetObject>
</RegistryEvent>
</EventFiltering>
</Sysmon>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment