Last active
May 17, 2021 04:14
-
-
Save Neo23x0/f56bea38d95040b70cf5 to your computer and use it in GitHub Desktop.
Sysmon Base Configuration - Workstations
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<!-- | |
This is a Microsoft Sysmon configuration to be used on Windows workstations | |
v0.2.1 December 2016 | |
Florian Roth (with the help and ideas of others) | |
The focus of this configuration is | |
- malware detection (execution) | |
- malware detection (network connections) | |
- exploit detection | |
It is not focussed on | |
- hacking activity on workstation (bad admin, attacker) | |
See Windows server base config: https://gist.github.com/Neo23x0/a4b4af9481e01e749409 | |
--> | |
<Sysmon schemaversion="3.20"> | |
<!-- Capture MD5 Hashes --> | |
<HashAlgorithms>MD5,SHA1,SHA256</HashAlgorithms> | |
<EventFiltering> | |
<!-- Log all drivers except if the signature --> | |
<!-- contains Microsoft or Windows --> | |
<DriverLoad onmatch="exclude"> | |
<Signature condition="contains">microsoft</Signature> | |
<Signature condition="contains">windows</Signature> | |
</DriverLoad> | |
<!-- Exclude certain processes that have the integrity level 'System' --> | |
<ProcessCreate onmatch="exclude"> | |
<IntegrityLevel>System</IntegrityLevel> | |
</ProcessCreate> | |
<!-- Do log remote thread creation events with certain exceptions --> | |
<CreateRemoteThread onmatch="exclude"> | |
<SourceImage condition="contains">WmiPrvSE.exe</SourceImage> | |
<SourceImage condition="contains">FireSvc.exe</SourceImage> | |
</CreateRemoteThread> | |
<!-- Do not log file creation time stamps --> | |
<FileCreateTime onmatch="include" /> | |
<!-- Do not log raw disk access (caused event flooding with certain disk encryption drivers) --> | |
<RawAccessRead onmatch="include" /> | |
<!-- Do not log process termination --> | |
<ProcessTerminate onmatch="include" /> | |
<!-- Do log registry events to certain keys only (Autostart, Services, Debuggers) --> | |
<RegistryEvent onmatch="include"> | |
<TargetObject condition="contains">Windows\CurrentVersion\Run</TargetObject> | |
<TargetObject condition="contains">Windows\CurrentVersion\Image File Execution Options</TargetObject> | |
<TargetObject condition="contains">CurrentControlSet\Services</TargetObject> | |
<TargetObject condition="contains">Microsoft\Windows NT\CurrentVersion\Winlogon</TargetObject> | |
<TargetObject condition="contains">Microsoft\Windows\CurrentVersion\Policies\Explorer</TargetObject> | |
<TargetObject condition="contains">Microsoft\Windows\CurrentVersion\RunOnce</TargetObject> | |
<TargetObject condition="contains">System\CurrentControlSet\Services\Tcpip\parameters</TargetObject> | |
</RegistryEvent> | |
<!-- Do not log file creation events --> | |
<FileCreate onmatch="include" /> | |
<!-- Do not log if file stream is created --> | |
<FileCreateStreamHash onmatch="include" /> | |
<!-- Do only log network connections to port 8080 (proxy) of every program that is not a browser --> | |
<NetworkConnect onmatch="exclude"> | |
<Image condition="contains">chrome.exe</Image> | |
<Image condition="contains">iexplore.exe</Image> <!-- yes, malware that injects into IE will be missed --> | |
<Image condition="contains">firefox.exe</Image> | |
<DestinationPort condition="is not">8080</DestinationPort> | |
<!-- Direct access to Internet (without proxy server) --> | |
<!-- | |
<DestinationPort condition="is not">80</DestinationPort> | |
--> | |
</NetworkConnect> | |
</EventFiltering> | |
</Sysmon> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
For the stanza, with the comment above it, that reads as "Do only log network connections to port 8080 (proxy) of every program that is not a browser"
This is incorrect (or I'm not understanding the intent correctly - too many negatives in a sentence confuse me). Tested it in v6.02 & for the 4 lines in that stanza, it means:
Include all the network events except those matching (LINE1 OR LINE 2 OR LINE3 OR LINE4)
Using IE, FF, Chrome & Opera went to internet websites on 80/tcp, 443/tcp & 8080/tcp (from each of them) the only events logged was opera going to 8080/tcp
see config: http://imgur.com/a/C27X8
see output: http://imgur.com/a/7VFhe
To simplify, what this stanza means:
sysmon will not log any network events from chrome
sysmon will not log any network events from IE
sysmon will not log any network events from FF
sysmon will not log any network events towards ports 1-8079 (from any process)
sysmon will not log any network events towards ports 8081 - 65535 (from any process)