Cyb3rWard0g/winword_load.xml

## winword_load.xml
<Sysmon schemaversion="3.30">
   <!-- Capture all hashes -->
   <HashAlgorithms>md5</HashAlgorithms>
   <EventFiltering>
      <!-- Event ID 1 == Process Creation. -->
      <ProcessCreate onmatch="include"/>
      <!-- Event ID 2 == File Creation Time. -->
      <FileCreateTime onmatch="include"/>
      <!-- Event ID 3 == Network Connection. -->
      <NetworkConnect onmatch="include"/>
      <!-- Event ID 5 == Process Terminated. -->
      <ProcessTerminate onmatch="include"/>
      <!-- Event ID 6 == Driver Loaded.-->
      <DriverLoad onmatch="include"/>
      <!-- Event ID 7 == Image Loaded. -->
      <ImageLoad onmatch="include">
          <Image condition="end with">winword.exe</Image>
          <Image condition="end with">WINWORD.EXE</Image>
      </ImageLoad>
      <!-- Event ID 8 == CreateRemoteThread. -->
      <CreateRemoteThread onmatch="include"/>
      <!-- Event ID 9 == RawAccessRead. -->
      <RawAccessRead onmatch="include"/>
      <!-- Event ID 10 == ProcessAccess. -->
      <ProcessAccess onmatch="include"/>
      <!-- Event ID 11 == FileCreate. -->
      <FileCreate onmatch="include"/>
      <!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. -->
      <RegistryEvent onmatch="include"/>
      <!-- Event ID 15 == FileStream Created. -->
      <FileCreateStreamHash onmatch="include"/>
      <!-- Event ID 17 == PipeEvent. -->
      <PipeEvent onmatch="include"/>
  </EventFiltering>
</Sysmon>
	<Sysmon schemaversion="3.30">
	<!-- Capture all hashes -->
	<HashAlgorithms>md5</HashAlgorithms>
	<EventFiltering>
	<!-- Event ID 1 == Process Creation. -->
	<ProcessCreate onmatch="include"/>
	<!-- Event ID 2 == File Creation Time. -->
	<FileCreateTime onmatch="include"/>
	<!-- Event ID 3 == Network Connection. -->
	<NetworkConnect onmatch="include"/>
	<!-- Event ID 5 == Process Terminated. -->
	<ProcessTerminate onmatch="include"/>
	<!-- Event ID 6 == Driver Loaded.-->
	<DriverLoad onmatch="include"/>
	<!-- Event ID 7 == Image Loaded. -->
	<ImageLoad onmatch="include">
	<Image condition="end with">winword.exe</Image>
	<Image condition="end with">WINWORD.EXE</Image>
	</ImageLoad>
	<!-- Event ID 8 == CreateRemoteThread. -->
	<CreateRemoteThread onmatch="include"/>
	<!-- Event ID 9 == RawAccessRead. -->
	<RawAccessRead onmatch="include"/>
	<!-- Event ID 10 == ProcessAccess. -->
	<ProcessAccess onmatch="include"/>
	<!-- Event ID 11 == FileCreate. -->
	<FileCreate onmatch="include"/>
	<!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. -->
	<RegistryEvent onmatch="include"/>
	<!-- Event ID 15 == FileStream Created. -->
	<FileCreateStreamHash onmatch="include"/>
	<!-- Event ID 17 == PipeEvent. -->
	<PipeEvent onmatch="include"/>
	</EventFiltering>
	</Sysmon>