@Cyb3rWard0g
Last active July 6, 2018 23:45
T1136_net_config.xml
<Sysmon schemaversion="4.1">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1 == Process Creation. -->
    <!-- Sysmon OR's filters listed directly under an event type, so without a
         group this would log every net.exe launch and every command line that
         contains "user /add". A RuleGroup with groupRelation="and" (schema 4.1,
         Sysmon 8.0 and later) requires both filters to match the same event. -->
    <RuleGroup name="" groupRelation="and">
      <ProcessCreate onmatch="include">
        <!-- "end with" is a plain suffix match, so it also matches telnet.exe;
             condition="image" matches the bare image name only. -->
        <Image condition="end with">net.exe</Image>
        <!-- Matches "net user /add <name> <password>". The equally valid
             "net user <name> <password> /add" ordering, and net1.exe invoked
             directly, are not covered; a second RuleGroup would be needed. -->
        <CommandLine name="technique_id=T1136,technique_name=Create_Account,tactic=persistence,platform=windows" condition="contains">user /add</CommandLine>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
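The following is an added example, not part of the gist, that replays the gist's two filters (Image "end with" net.exe, CommandLine "contains" user /add) over constructed Sysmon Event ID 1 records under both group relations. It reimplements a subset of Sysmon's conditions in Python (case-insensitive, as Sysmon documents them), renders each sample in the EventData/Data shape Sysmon writes to Microsoft-Windows-Sysmon/Operational, and shows why the "or" relation Sysmon applies to ungrouped filters is too broad, and which net.exe invocations the rule still misses. The sample events and their names are constructed for this illustration; nothing here is Sysmon's own code.

```python
"""Replay the T1136 ProcessCreate include rule over constructed Sysmon Event ID 1
records, under Sysmon's "or" (ungrouped default) and "and" group relations."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The gist's rule, expressed as (field, Sysmon condition, pattern).
T1136_RULE = [
    ("Image", "end with", "net.exe"),
    ("CommandLine", "contains", "user /add"),
]

# Constructed sample events (not real telemetry): name, Image, CommandLine.
SAMPLE_EVENTS = [
    ("net_user_add_opt_first", r"C:\Windows\System32\net.exe", "net user /add backdoor P@ssw0rd"),
    ("net_user_add_opt_last", r"C:\Windows\System32\net.exe", "net user backdoor P@ssw0rd /add"),
    ("net_view", r"C:\Windows\System32\net.exe", r"net view \\fileserver"),
    ("net1_user_add", r"C:\Windows\System32\net1.exe", "net1 user /add backdoor P@ssw0rd"),
    ("cmd_echo", r"C:\Windows\System32\cmd.exe", 'cmd /c echo "net user /add"'),
]


def event_xml(image: str, command_line: str) -> str:
    """Render the two fields in the EventData/Data layout Sysmon uses for
    Event ID 1 (all other Data elements omitted for brevity)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>1</EventID></System>"
        "<EventData>"
        f'<Data Name="Image">{escape(image)}</Data>'
        f'<Data Name="CommandLine">{escape(command_line)}</Data>'
        "</EventData></Event>"
    )


def parse_event(xml_text: str) -> dict:
    """Map each EventData/Data Name attribute to its text."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.findall("./e:EventData/e:Data", EVENT_NS)}


def condition_matches(value: str, condition: str, pattern: str) -> bool:
    """Subset of Sysmon filter conditions; Sysmon compares case-insensitively."""
    v, p = value.lower(), pattern.lower()
    if condition == "is":
        return v == p
    if condition == "contains":
        return p in v
    if condition == "begin with":
        return v.startswith(p)
    if condition == "end with":
        return v.endswith(p)
    if condition == "image":  # full path, or the bare image name after the last backslash
        return v == p or v.endswith("\\" + p)
    raise ValueError(f"unsupported condition: {condition}")


def rule_matches(event: dict, rule, group_relation: str) -> bool:
    """"and": every filter must match; "or": any one filter suffices."""
    hits = [condition_matches(event.get(field, ""), cond, pat) for field, cond, pat in rule]
    return all(hits) if group_relation == "and" else any(hits)


def matching_events(group_relation: str, rule=T1136_RULE) -> list:
    """Names of the sample events the rule would log under the given relation."""
    return [
        name
        for name, image, cmd in SAMPLE_EVENTS
        if rule_matches(parse_event(event_xml(image, cmd)), rule, group_relation)
    ]


if __name__ == "__main__":
    for relation in ("or", "and"):
        print(f"groupRelation={relation}: {matching_events(relation)}")
```

Under "or" every sample is logged, including the benign net view and an unrelated cmd.exe whose command line merely contains the string; under "and" only the net user /add <name> <password> form survives. The net user <name> <password> /add ordering and a direct net1.exe call both evade the rule as written, which is the gap to close before relying on it.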