Skip to content

Instantly share code, notes, and snippets.

Avatar
🍻
Working from home

Roberto Rodriguez Cyb3rWard0g

🍻
Working from home
View GitHub Profile
View StartLogging.xml
<Sysmon schemaversion="4.32">
<!-- Capture all hashes -->
<HashAlgorithms>*</HashAlgorithms>
<DnsLookup>False</DnsLookup>
<ArchiveDirectory>Archive</ArchiveDirectory>
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 1 == Process Creation. Log all newly created processes except -->
<ProcessCreate onmatch="exclude">
<Image condition="contains">splunk</Image>
View winword_load.xml
<Sysmon schemaversion="3.30">
<!-- Capture all hashes -->
<HashAlgorithms>md5</HashAlgorithms>
<EventFiltering>
<!-- Event ID 1 == Process Creation. -->
<ProcessCreate onmatch="include"/>
<!-- Event ID 2 == File Creation Time. -->
<FileCreateTime onmatch="include"/>
<!-- Event ID 3 == Network Connection. -->
<NetworkConnect onmatch="include"/>
View calculator.xml
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-07-06T12:55:22.864710300Z" />
View net.xml
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-07-06T14:05:04.230108800Z" />
View StartLogging.xml
<Sysmon schemaversion="4.1">
<!-- Capture all hashes -->
<HashAlgorithms>*</HashAlgorithms>
<EventFiltering>
<!-- Event ID 1 == Process Creation. -->
<ProcessCreate onmatch="include">
<Image name="Calculator Rule" condition="end with">Calculator.exe</Image>
</ProcessCreate>
</EventFiltering>
</Sysmon>
@Cyb3rWard0g
Cyb3rWard0g / T1136_net_config.xml
Last active Jul 6, 2018
T1136_net_config.xml
View T1136_net_config.xml
<Sysmon schemaversion="4.1">
<!-- Capture all hashes -->
<HashAlgorithms>*</HashAlgorithms>
<EventFiltering>
<!-- Event ID 1 == Process Creation. -->
<ProcessCreate onmatch="include">
<Image condition="end with">net.exe</Image>
<CommandLine name="technique_id=T1136,technique_name=Create_Account,tactic=persistence, platform=windows" condition="contains">user /add</CommandLine>
</ProcessCreate>
</EventFiltering>
View sysmon_rulename_filter.conf
filter {
if [log_name] == "Microsoft-Windows-Sysmon/Operational"{
if [event_data][RuleName] {
kv {
source => "[event_data][RuleName]"
field_split => ","
value_split => "="
prefix => "mitre_"
transform_key => "lowercase"
}
View test_rulenames.xml
<Sysmon schemaversion="4.1">
<!-- Capture all hashes -->
<HashAlgorithms>*</HashAlgorithms>
<EventFiltering>
<!-- Event ID 1 == Process Creation. -->
<ProcessCreate onmatch="include">
<CommandLine name="technique_id=T1136,technique_name=create_accountccount,tactic=persistence, platform=windows" condition="contains">net user /add</CommandLine>
<CommandLine name="technique_id=T1124,technique_name=system_time_discovery,tactic=discovery, platform=windows" condition="contains">net time</CommandLine>
<CommandLine name="technique_id=T1087,technique_name=account_discovery,tactic=discovery, platform=windows" condition="contains">net localgroup</CommandLine>
<CommandLine name="technique_id=T1007,technique_name=system_service_discovery,tactic=discovery, platform=windows" condition="contains">net start</CommandLine>
View windows_filtering_platform_layers.xml
This file has been truncated, but you can view the full file.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<wfpstate>
<timeStamp>2018-10-04T05:38:46.705Z</timeStamp>
<sessions numItems="15">
<item>
<sessionKey>{3c1f4d46-4e9d-4fab-bcb5-00c5403ee1cd}</sessionKey>
<displayData>
<name/>
<description/>
View elastalert_sysmon_powershell_suspicious_parameter_variation_needsfix.yml
alert:
- slack
slack_webhook_url: https://hooks.slack.com/services/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
description: Detects suspicious PowerShell invocation with a parameter substring
filter:
- query:
query_string:
query: (process_path:"*\\powershell.exe" AND (" \-windowstyle h " OR " \-windowstyl
h" OR " \-windowsty h" OR " \-windowst h" OR " \-windows h" OR " \-windo h"
OR " \-wind h" OR " \-win h" OR " \-wi h" OR " \-win h " OR " \-win hi " OR