Created
February 14, 2017 20:18
-
-
Save MHaggis/2cf4e8a4fe02b9ddc1cc0432c5091f06 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- | |
| sysmon-config | A sysmon configuration for everyone | |
| Public Version: 30 | |
| By @SwiftOnSecurity, with contributors credited in-line or on Git | |
| https://github.com/SwiftOnSecurity/sysmon-config | |
| Required Sysmon version: 5.02 | |
| https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx | |
| NOTE: There is best-effort support for 32-bit systems, but it's not a test scenario and will require your own tuning. | |
| --> | |
| <Sysmon schemaversion="3.20"> | |
| <HashAlgorithms>md5,IMPHASH</HashAlgorithms> | |
| <EventFiltering> | |
| <!--SYSMON EVENT ID 1 : PROCESS CREATION --> | |
| <ProcessCreate onmatch="exclude"> | |
| <!--COMMENT: All process launched will be included in log, except for what matches a rule below. It's best to be as specific as possible, to | |
| avoid user-mode executables immitating other process names to avoid logging, or if malware drops files in an existing directory. | |
| Ultimately, you must weigh CPU time checking many detailed rules, against the risk of malware exploiting the blindness created.--> | |
| <!--SECTION: Microsoft Windows--> | |
| <IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Microsoft:Windows: Don't care about sandboxed processes--> | |
| <Image condition="image">C:\Windows\System32\audiodg.exe</Image> <!--Microsoft:Windows: Launched constantly--> | |
| <Image condition="image">C:\Windows\System32\conhost.exe</Image> <!--Microsoft:Windows: Command line interface host process--> | |
| <Image condition="image">C:\Windows\System32\wbem\WmiApSrv.exe</Image> <!--Microsoft:Windows: WMI performance adpater host process--> | |
| <ParentImage condition="image">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes--> | |
| <CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows--> | |
| <ParentCommandLine condition="begin with">C:\Windows\system32\svchost.exe -k DcomLaunch</ParentCommandLine> <!--Microsoft:Windows--> | |
| <ParentCommandLine condition="begin with">%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!--Microsoft:Windows:CommandShell: Triggered when programs use the command shell, but without attribution--> | |
| <CommandLine condition="is">C:\windows\System32\svchost.exe -k WerSvcGroup</CommandLine> <!--Microsoft:WindowsErrorReporting--> | |
| <Image condition="begin with">C:\Program Files\Windows Defender</Image> <!--Microsoft:Windows:Defender in Win10--> | |
| <!--SECTION: Microsoft dotNet--> | |
| <ParentImage condition="image">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet--> | |
| <Image condition="image">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet--> | |
| <ParentImage condition="image">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet--> | |
| <Image condition="image">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet--> | |
| <!--SECTION: Microsoft Office--> | |
| <Image condition="image">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!--Microsoft:Office: Background process--> | |
| <Image condition="image">C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE</Image> <!--Microsoft:Office: Background process--> | |
| <ParentImage condition="image">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage> <!--Microsoft:Office: Background process--> | |
| <ParentImage condition="image">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</ParentImage> <!--Microsoft:Office: Background process--> | |
| <!--SECTION: Google--> | |
| <CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments--> | |
| <CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments--> | |
| <CommandLine condition="begin with">"C:\Program Files (x86)\Google\Update\</CommandLine> <!--Google:Chrome: Updater--> | |
| <!-- SECTION: Firefox --> | |
| <CommandLine condition="begin with">"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox massive command-line arguments || Contributor @Darkbat91 --> | |
| <CommandLine condition="begin with">"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox massive command-line arguments || Contributor @Darkbat91 --> | |
| <!--SECTION: Dell--> | |
| <Image condition="Image">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image> <!--Dell:SupportAssist: routine actions--> | |
| <Image condition="Image">C:\Program Files\Dell\SupportAssist\koala.exe</Image> <!--Dell:SupportAssist: routine actions--> | |
| <!--SECTION: Adobe--> | |
| <CommandLine condition="contains">AcroRd32.exe" /CR </CommandLine> <!--Adobe:AcrobatReader: Uninsteresting sandbox subprocess--> | |
| <CommandLine condition="contains">AcroRd32.exe" --channel=</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess--> | |
| <Image condition="image">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess--> | |
| <Image condition="image">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> <!--Adobe:Flash: Properly hardened updater, not a risk--> | |
| <!-- COMMENT: Still debating about consolidating Adobe common files entries below --> | |
| <Image condition="Image">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe</Image> <!--Adobe:Creative Cloud--> | |
| <Image condition="image">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe</Image> <!--Adobe:License utility--> | |
| <Image condition="image">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk--> | |
| <Image condition="image">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk--> | |
| <Image condition="image">C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe</Image> | |
| <!--SECTION: Drivers--> | |
| <Image condition="begin with">C:\Program Files\NVIDIA Corporation\Display\</Image> <!--Nvidia:Driver: routine actions--> | |
| <Image condition="begin with">C:\Program Files\Realtek\</Image> <!--Realtek:Driver: routine actions--> | |
| <!-- SECTION: McAfee --> | |
| <!-- <Image condition="begin with">C:\Program Files (x86)\McAfee\Common Framework</Image> --> <!-- McAfee:Framework Stops all framework actions from reporting || Contributor @Darkbat91 --> | |
| <!-- <ParentImage condition="Image">C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe</ParentImage> --> <!-- McAfee:Scans Stops engine and scans from reporting || Contributor @Darkbat91 --> | |
| <!--SECTION: Dropbox--> | |
| <!-- <Image condition="image">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</Image> --> <!--Dropbox:Updater: Lots of command-line arguments--> | |
| <!--SECTION: Dell--> | |
| <!-- <ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> --> <!--Dell:CommandUpdate: Detection process--> | |
| </ProcessCreate> | |
| <!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM --> | |
| <FileCreateTime onmatch="include"> | |
| <Image condition="begin with">C:\Users</Image> <!--Look for timestomping in user area--> | |
| </FileCreateTime> | |
| <FileCreateTime onmatch="exclude"> | |
| <Image condition="image">OneDrive.exe</Image> <!--OneDrive constantly changes file times--> | |
| <Image condition="contains">setup</Image> <!--Ignore setups--> | |
| </FileCreateTime> | |
| <!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED --> | |
| <NetworkConnect onmatch="include"> | |
| <!--COMMENT: Takes a very conservative approach to network logging.--> | |
| <!--Suspicious sources--> | |
| <Image condition="begin with">C:\Users</Image> | |
| <Image condition="begin with">C:\ProgramData</Image> | |
| <Image condition="begin with">C:\Windows\Temp</Image> | |
| <Image condition="image">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface--> | |
| <Image condition="image">cmd.exe</Image> <!--Microsoft:Windows: Command prompt--> | |
| <Image condition="image">wmic.exe</Image> <!--Microsoft:WindowsManagementInstrumentation: Credit to @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] --> | |
| <Image condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: Credit to @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] --> | |
| <Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: Credit to @arekfurt for reminder --> | |
| <Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] --> | |
| <Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] --> | |
| <Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] --> | |
| <!--Suspicious destinations--> | |
| <DestinationHostname condition="is">api.ipify.org</DestinationHostname> <!--Malware uses to get external IP address--> | |
| <DestinationHostname condition="is">whatismyipaddress.com</DestinationHostname> <!--Malware uses to get external IP address--> | |
| <DestinationHostname condition="is">edns.ip-api.com</DestinationHostname> <!--Malware uses to get external IP address--> | |
| <DestinationHostname condition="is">checkip.dyndns.org</DestinationHostname> <!--Malware uses to get external IP address--> | |
| <DestinationHostname condition="is">icanhazip.com</DestinationHostname> <!--Malware uses to get external IP address--> | |
| <DestinationHostname condition="is">ifconfig.me</DestinationHostname> <!--Malware uses to get external IP address--> | |
| <DestinationHostname condition="is">ifconfig.co</DestinationHostname> <!--Malware uses to get external IP address--> | |
| </NetworkConnect> | |
| <NetworkConnect onmatch="exclude"> | |
| <Image condition="image">Spotify.exe</Image> <!--Spotify--> | |
| <Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive--> | |
| <DestinationHostname condition="end with">microsoft.com</DestinationHostname> <!--Microsoft:Update delivery--> | |
| <DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname> <!--Microsoft:Update delivery--> | |
| <DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname> <!--Microsoft:Update delivery--> | |
| </NetworkConnect> | |
| <!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY --> | |
| <!--SYSMON EVENT ID 5 : PROCESS ENDED --> | |
| <ProcessTerminate onmatch="include"> | |
| <!--COMMENT: Useful data in building infection timelines.--> | |
| <Image condition="begin with">C:\Users</Image> <!--Process terminations by user binaries--> | |
| </ProcessTerminate> | |
| <!-- NOT the COMPLETE CONFIG - FIND THE COMPLETE ONE HERE - https://github.com/SwiftOnSecurity/sysmon-config --> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment