Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Sysmon Base Configuration - Windows Server
<!--
This is a Microsoft Sysmon configuation to be used on Windows server systems
v0.2.1 December 2016
Florian Roth
The focus of this configuration is
- hacking activity on servers / lateral movement (bad admin, attacker)
It is not focussed on
- malware detection (execution)
- malware detection (network connections)
See Windows workstation base config: https://gist.github.com/Neo23x0/f56bea38d95040b70cf5
-->
<Sysmon schemaversion="3.20">
<!-- Capture MD5 Hashes -->
<HashAlgorithms>MD5,SHA1,SHA256</HashAlgorithms>
<EventFiltering>
<!-- Log all drivers except if the signature -->
<!-- contains Microsoft or Windows -->
<DriverLoad onmatch="exclude">
<Signature condition="contains">microsoft</Signature>
<Signature condition="contains">windows</Signature>
</DriverLoad>
<!-- Exclude certain processes that cause high event volumes -->
<ProcessCreate onmatch="exclude">
<Image condition="contains">splunk</Image>
<Image condition="contains">btool.exe</Image>
<Image condition="contains">SnareCore</Image>
<Image condition="contains">nxlog</Image>
<Image condition="contains">Microsoft Monitoring Agent\Agent\MonitoringHost.exe</Image>
<CommandLine condition="contains">ClearMyTracksByProcess</CommandLine>
</ProcessCreate>
<!-- Do only log remote thread creation events with certain targets-->
<CreateRemoteThread onmatch="include">
<TargetImage condition="image">lsass.exe</TargetImage>
<TargetImage condition="image">winlogon.exe</TargetImage>
<TargetImage condition="image">svchost.exe</TargetImage>
</CreateRemoteThread>
<!-- Do not log file creation time stamps -->
<FileCreateTime onmatch="include"/>
<!-- Do not log raw disk access (caused event flooding with certain disk encryption drivers) -->
<RawAccessRead onmatch="include"/>
<!-- Do not log process termination -->
<ProcessTerminate onmatch="include"/>
<!-- Do log registry events to certain keys only (Autostart, Services, Debuggers) -->
<RegistryEvent onmatch="include">
<TargetObject condition="contains">Windows\CurrentVersion\Run</TargetObject>
<TargetObject condition="contains">Windows\CurrentVersion\Image File Execution Options</TargetObject>
<TargetObject condition="contains">CurrentControlSet\Services</TargetObject>
<TargetObject condition="contains">Microsoft\Windows NT\CurrentVersion\Winlogon</TargetObject>
<TargetObject condition="contains">Microsoft\Windows\CurrentVersion\Policies\Explorer</TargetObject>
<TargetObject condition="contains">Microsoft\Windows\CurrentVersion\RunOnce</TargetObject>
<TargetObject condition="contains">System\CurrentControlSet\Services\Tcpip\parameters</TargetObject>
</RegistryEvent>
<RegistryEvent onmatch="exclude">
<TargetObject condition="contains">\W32Time\</TargetObject>
<TargetObject condition="contains">\Toredo</TargetObject>
</RegistryEvent>
<!-- Do not log file creation events -->
<FileCreate onmatch="include" />
<!-- Do not log if file stream is created -->
<FileCreateStreamHash onmatch="include" />
<!-- Do only log network connections to web ports -->
<NetworkConnect onmatch="include">
<DestinationPort condition="is">80</DestinationPort>
<DestinationPort condition="is">443</DestinationPort>
<DestinationPort condition="is">8080</DestinationPort>
<DestinationPort condition="is">3389</DestinationPort>
<Image condition="contains">cmd.exe</Image>
<Image condition="contains">PsExe</Image>
<Image condition="contains">winexe</Image>
<Image condition="contains">powershell</Image>
<Image condition="contains">cscript</Image>
<Image condition="contains">mstsc</Image>
<Image condition="contains">RTS2App</Image>
<Image condition="contains">RTS3App</Image>
<Image condition="contains">wmic</Image>
</NetworkConnect>
</EventFiltering>
</Sysmon>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.