Neo23x0/config-server.xml

## config-server.xml
<!--
   This is a Microsoft Sysmon configuation to be used on Windows server systems
   v0.2.1 December 2016
   Florian Roth

   The focus of this configuration is
   - hacking activity on servers / lateral movement (bad admin, attacker)
   It is not focussed on
   - malware detection (execution)
   - malware detection (network connections)

   See Windows workstation base config: https://gist.github.com/Neo23x0/f56bea38d95040b70cf5
-->
<Sysmon schemaversion="3.20">
   <!-- Capture MD5 Hashes -->
   <HashAlgorithms>MD5,SHA1,SHA256</HashAlgorithms>
   <EventFiltering>
      <!-- Log all drivers except if the signature -->
      <!-- contains Microsoft or Windows -->
      <DriverLoad onmatch="exclude">
         <Signature condition="contains">microsoft</Signature>
         <Signature condition="contains">windows</Signature>
      </DriverLoad>
      <!-- Exclude certain processes that cause high event volumes -->
      <ProcessCreate onmatch="exclude">
         <Image condition="contains">splunk</Image>
         <Image condition="contains">btool.exe</Image>
         <Image condition="contains">SnareCore</Image>
         <Image condition="contains">nxlog</Image>
         <Image condition="contains">Microsoft Monitoring Agent\Agent\MonitoringHost.exe</Image>
         <CommandLine condition="contains">ClearMyTracksByProcess</CommandLine>
      </ProcessCreate>
      <!-- Do only log remote thread creation events with certain targets-->
      <CreateRemoteThread onmatch="include">
         <TargetImage condition="image">lsass.exe</TargetImage>
         <TargetImage condition="image">winlogon.exe</TargetImage>
         <TargetImage condition="image">svchost.exe</TargetImage>
      </CreateRemoteThread>
      <!-- Do not log file creation time stamps -->
      <FileCreateTime onmatch="include"/>
      <!-- Do not log raw disk access (caused event flooding with certain disk encryption drivers) -->
      <RawAccessRead onmatch="include"/>
      <!-- Do not log process termination -->
      <ProcessTerminate onmatch="include"/>
      <!-- Do log registry events to certain keys only (Autostart, Services, Debuggers) -->
      <RegistryEvent onmatch="include">
         <TargetObject condition="contains">Windows\CurrentVersion\Run</TargetObject>
         <TargetObject condition="contains">Windows\CurrentVersion\Image File Execution Options</TargetObject>
         <TargetObject condition="contains">CurrentControlSet\Services</TargetObject>
         <TargetObject condition="contains">Microsoft\Windows NT\CurrentVersion\Winlogon</TargetObject>
         <TargetObject condition="contains">Microsoft\Windows\CurrentVersion\Policies\Explorer</TargetObject>
         <TargetObject condition="contains">Microsoft\Windows\CurrentVersion\RunOnce</TargetObject>
         <TargetObject condition="contains">System\CurrentControlSet\Services\Tcpip\parameters</TargetObject>
      </RegistryEvent>
      <RegistryEvent onmatch="exclude">
         <TargetObject condition="contains">\W32Time\</TargetObject>
         <TargetObject condition="contains">\Toredo</TargetObject>
      </RegistryEvent>
      <!-- Do not log file creation events -->
      <FileCreate onmatch="include" />
      <!-- Do not log if file stream is created -->
      <FileCreateStreamHash onmatch="include" />
      <!-- Do only log network connections to web ports -->
      <NetworkConnect onmatch="include">
         <DestinationPort condition="is">80</DestinationPort>
         <DestinationPort condition="is">443</DestinationPort>
         <DestinationPort condition="is">8080</DestinationPort>
         <DestinationPort condition="is">3389</DestinationPort>
         <Image condition="contains">cmd.exe</Image>
         <Image condition="contains">PsExe</Image>
         <Image condition="contains">winexe</Image>
         <Image condition="contains">powershell</Image>
         <Image condition="contains">cscript</Image>
         <Image condition="contains">mstsc</Image>
         <Image condition="contains">RTS2App</Image>
         <Image condition="contains">RTS3App</Image>
         <Image condition="contains">wmic</Image>
      </NetworkConnect>
   </EventFiltering>
</Sysmon>
	<!--
	This is a Microsoft Sysmon configuation to be used on Windows server systems
	v0.2.1 December 2016
	Florian Roth

	The focus of this configuration is
	- hacking activity on servers / lateral movement (bad admin, attacker)
	It is not focussed on
	- malware detection (execution)
	- malware detection (network connections)

	See Windows workstation base config: https://gist.github.com/Neo23x0/f56bea38d95040b70cf5
	-->
	<Sysmon schemaversion="3.20">
	<!-- Capture MD5 Hashes -->
	<HashAlgorithms>MD5,SHA1,SHA256</HashAlgorithms>
	<EventFiltering>
	<!-- Log all drivers except if the signature -->
	<!-- contains Microsoft or Windows -->
	<DriverLoad onmatch="exclude">
	<Signature condition="contains">microsoft</Signature>
	<Signature condition="contains">windows</Signature>
	</DriverLoad>
	<!-- Exclude certain processes that cause high event volumes -->
	<ProcessCreate onmatch="exclude">
	<Image condition="contains">splunk</Image>
	<Image condition="contains">btool.exe</Image>
	<Image condition="contains">SnareCore</Image>
	<Image condition="contains">nxlog</Image>
	<Image condition="contains">Microsoft Monitoring Agent\Agent\MonitoringHost.exe</Image>
	<CommandLine condition="contains">ClearMyTracksByProcess</CommandLine>
	</ProcessCreate>
	<!-- Do only log remote thread creation events with certain targets-->
	<CreateRemoteThread onmatch="include">
	<TargetImage condition="image">lsass.exe</TargetImage>
	<TargetImage condition="image">winlogon.exe</TargetImage>
	<TargetImage condition="image">svchost.exe</TargetImage>
	</CreateRemoteThread>
	<!-- Do not log file creation time stamps -->
	<FileCreateTime onmatch="include"/>
	<!-- Do not log raw disk access (caused event flooding with certain disk encryption drivers) -->
	<RawAccessRead onmatch="include"/>
	<!-- Do not log process termination -->
	<ProcessTerminate onmatch="include"/>
	<!-- Do log registry events to certain keys only (Autostart, Services, Debuggers) -->
	<RegistryEvent onmatch="include">
	<TargetObject condition="contains">Windows\CurrentVersion\Run</TargetObject>
	<TargetObject condition="contains">Windows\CurrentVersion\Image File Execution Options</TargetObject>
	<TargetObject condition="contains">CurrentControlSet\Services</TargetObject>
	<TargetObject condition="contains">Microsoft\Windows NT\CurrentVersion\Winlogon</TargetObject>
	<TargetObject condition="contains">Microsoft\Windows\CurrentVersion\Policies\Explorer</TargetObject>
	<TargetObject condition="contains">Microsoft\Windows\CurrentVersion\RunOnce</TargetObject>
	<TargetObject condition="contains">System\CurrentControlSet\Services\Tcpip\parameters</TargetObject>
	</RegistryEvent>
	<RegistryEvent onmatch="exclude">
	<TargetObject condition="contains">\W32Time\</TargetObject>
	<TargetObject condition="contains">\Toredo</TargetObject>
	</RegistryEvent>
	<!-- Do not log file creation events -->
	<FileCreate onmatch="include" />
	<!-- Do not log if file stream is created -->
	<FileCreateStreamHash onmatch="include" />
	<!-- Do only log network connections to web ports -->
	<NetworkConnect onmatch="include">
	<DestinationPort condition="is">80</DestinationPort>
	<DestinationPort condition="is">443</DestinationPort>
	<DestinationPort condition="is">8080</DestinationPort>
	<DestinationPort condition="is">3389</DestinationPort>
	<Image condition="contains">cmd.exe</Image>
	<Image condition="contains">PsExe</Image>
	<Image condition="contains">winexe</Image>
	<Image condition="contains">powershell</Image>
	<Image condition="contains">cscript</Image>
	<Image condition="contains">mstsc</Image>
	<Image condition="contains">RTS2App</Image>
	<Image condition="contains">RTS3App</Image>
	<Image condition="contains">wmic</Image>
	</NetworkConnect>
	</EventFiltering>
	</Sysmon>