Sysmon Base Configuration - Windows Server
<!-- | |
This is a Microsoft Sysmon configuation to be used on Windows server systems | |
v0.2.1 December 2016 | |
Florian Roth | |
The focus of this configuration is | |
- hacking activity on servers / lateral movement (bad admin, attacker) | |
It is not focussed on | |
- malware detection (execution) | |
- malware detection (network connections) | |
See Windows workstation base config: https://gist.github.com/Neo23x0/f56bea38d95040b70cf5 | |
--> | |
<Sysmon schemaversion="3.20"> | |
<!-- Capture MD5 Hashes --> | |
<HashAlgorithms>MD5,SHA1,SHA256</HashAlgorithms> | |
<EventFiltering> | |
<!-- Log all drivers except if the signature --> | |
<!-- contains Microsoft or Windows --> | |
<DriverLoad onmatch="exclude"> | |
<Signature condition="contains">microsoft</Signature> | |
<Signature condition="contains">windows</Signature> | |
</DriverLoad> | |
<!-- Exclude certain processes that cause high event volumes --> | |
<ProcessCreate onmatch="exclude"> | |
<Image condition="contains">splunk</Image> | |
<Image condition="contains">btool.exe</Image> | |
<Image condition="contains">SnareCore</Image> | |
<Image condition="contains">nxlog</Image> | |
<Image condition="contains">Microsoft Monitoring Agent\Agent\MonitoringHost.exe</Image> | |
<CommandLine condition="contains">ClearMyTracksByProcess</CommandLine> | |
</ProcessCreate> | |
<!-- Do only log remote thread creation events with certain targets--> | |
<CreateRemoteThread onmatch="include"> | |
<TargetImage condition="image">lsass.exe</TargetImage> | |
<TargetImage condition="image">winlogon.exe</TargetImage> | |
<TargetImage condition="image">svchost.exe</TargetImage> | |
</CreateRemoteThread> | |
<!-- Do not log file creation time stamps --> | |
<FileCreateTime onmatch="include"/> | |
<!-- Do not log raw disk access (caused event flooding with certain disk encryption drivers) --> | |
<RawAccessRead onmatch="include"/> | |
<!-- Do not log process termination --> | |
<ProcessTerminate onmatch="include"/> | |
<!-- Do log registry events to certain keys only (Autostart, Services, Debuggers) --> | |
<RegistryEvent onmatch="include"> | |
<TargetObject condition="contains">Windows\CurrentVersion\Run</TargetObject> | |
<TargetObject condition="contains">Windows\CurrentVersion\Image File Execution Options</TargetObject> | |
<TargetObject condition="contains">CurrentControlSet\Services</TargetObject> | |
<TargetObject condition="contains">Microsoft\Windows NT\CurrentVersion\Winlogon</TargetObject> | |
<TargetObject condition="contains">Microsoft\Windows\CurrentVersion\Policies\Explorer</TargetObject> | |
<TargetObject condition="contains">Microsoft\Windows\CurrentVersion\RunOnce</TargetObject> | |
<TargetObject condition="contains">System\CurrentControlSet\Services\Tcpip\parameters</TargetObject> | |
</RegistryEvent> | |
<RegistryEvent onmatch="exclude"> | |
<TargetObject condition="contains">\W32Time\</TargetObject> | |
<TargetObject condition="contains">\Toredo</TargetObject> | |
</RegistryEvent> | |
<!-- Do not log file creation events --> | |
<FileCreate onmatch="include" /> | |
<!-- Do not log if file stream is created --> | |
<FileCreateStreamHash onmatch="include" /> | |
<!-- Do only log network connections to web ports --> | |
<NetworkConnect onmatch="include"> | |
<DestinationPort condition="is">80</DestinationPort> | |
<DestinationPort condition="is">443</DestinationPort> | |
<DestinationPort condition="is">8080</DestinationPort> | |
<DestinationPort condition="is">3389</DestinationPort> | |
<Image condition="contains">cmd.exe</Image> | |
<Image condition="contains">PsExe</Image> | |
<Image condition="contains">winexe</Image> | |
<Image condition="contains">powershell</Image> | |
<Image condition="contains">cscript</Image> | |
<Image condition="contains">mstsc</Image> | |
<Image condition="contains">RTS2App</Image> | |
<Image condition="contains">RTS3App</Image> | |
<Image condition="contains">wmic</Image> | |
</NetworkConnect> | |
</EventFiltering> | |
</Sysmon> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment