@Samirbous
Created April 14, 2022 22:18
// Sysmon EID 10 (ProcessAccess) where the handle was opened with only PROCESS_TERMINATE (0x1),
// followed within 5 seconds on the same host by Sysmon EID 5 (ProcessTerminate) for that same target
sequence by host.id with maxspan=5s
  [process where event.code : "10" and winlog.event_data.GrantedAccess : "0x1"] by winlog.event_data.TargetProcessGUID
  [process where event.code : "5" /* optionally restrict to the processes you protect: and process.name : ("security-proc1", "security-proc2") */] by process.entity_id
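To show what the sequence above actually matches, here is an added Python replay of the same two-stage logic over a handful of constructed Sysmon-style events. It is not part of the gist and does not use Elastic's EQL engine; it assumes events are flat dicts with the ECS field names the query references (`host.id`, `event.code`, `winlog.event_data.GrantedAccess`, `winlog.event_data.TargetProcessGUID`, `process.entity_id`, `process.name`), and it simplifies EQL's sequence semantics by letting a newer stage-1 event replace a pending one with the same key. The optional `protected_names` argument plays the role of the commented-out `process.name` clause.

```python
from datetime import datetime, timedelta

MAXSPAN = timedelta(seconds=5)  # mirrors "with maxspan=5s" in the EQL sequence

# Constructed sample events (not real telemetry). GUIDs and names are placeholders.
SAMPLE_EVENTS = [
    # pair A: PROCESS_TERMINATE handle, then termination 2s later -> match
    {"@timestamp": "2022-04-14T22:18:00Z", "host.id": "h1", "event.code": "10",
     "winlog.event_data.GrantedAccess": "0x1",
     "winlog.event_data.TargetProcessGUID": "{GUID-A}", "process.name": "updater.exe"},
    {"@timestamp": "2022-04-14T22:18:02Z", "host.id": "h1", "event.code": "5",
     "process.entity_id": "{GUID-A}", "process.name": "security-proc1"},
    # pair B: same pattern but 8s apart -> outside maxspan, no match
    {"@timestamp": "2022-04-14T22:18:10Z", "host.id": "h1", "event.code": "10",
     "winlog.event_data.GrantedAccess": "0x1",
     "winlog.event_data.TargetProcessGUID": "{GUID-B}", "process.name": "updater.exe"},
    {"@timestamp": "2022-04-14T22:18:18Z", "host.id": "h1", "event.code": "5",
     "process.entity_id": "{GUID-B}", "process.name": "security-proc2"},
    # pair C: full-access handle (0x1fffff), not the narrow 0x1 mask -> no match
    {"@timestamp": "2022-04-14T22:18:20Z", "host.id": "h1", "event.code": "10",
     "winlog.event_data.GrantedAccess": "0x1fffff",
     "winlog.event_data.TargetProcessGUID": "{GUID-C}", "process.name": "debugger.exe"},
    {"@timestamp": "2022-04-14T22:18:21Z", "host.id": "h1", "event.code": "5",
     "process.entity_id": "{GUID-C}", "process.name": "security-proc1"},
    # pair D: stages on different hosts -> "by host.id" join fails, no match
    {"@timestamp": "2022-04-14T22:18:30Z", "host.id": "h2", "event.code": "10",
     "winlog.event_data.GrantedAccess": "0x1",
     "winlog.event_data.TargetProcessGUID": "{GUID-D}", "process.name": "updater.exe"},
    {"@timestamp": "2022-04-14T22:18:31Z", "host.id": "h1", "event.code": "5",
     "process.entity_id": "{GUID-D}", "process.name": "security-proc1"},
]


def _ts(event):
    """Parse an ECS @timestamp (ISO 8601 with trailing Z) into an aware datetime."""
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def detect_terminate_sequences(events, protected_names=None):
    """Replay the gist's sequence over flat ECS-style events.

    Stage 1: Sysmon EID 10 with GrantedAccess exactly "0x1" (PROCESS_TERMINATE),
             keyed by (host.id, TargetProcessGUID).
    Stage 2: Sysmon EID 5, keyed by (host.id, process.entity_id), no more than
             MAXSPAN after its stage-1 event. protected_names, if given, keeps
             only terminations of those process names.
    Returns one match dict per completed sequence.
    """
    pending = {}   # (host.id, target GUID) -> stage-1 event still waiting for stage 2
    matches = []
    for ev in sorted(events, key=_ts):
        host = ev.get("host.id")
        code = str(ev.get("event.code"))  # tolerate int or string event codes
        if code == "10" and ev.get("winlog.event_data.GrantedAccess") == "0x1":
            pending[(host, ev.get("winlog.event_data.TargetProcessGUID"))] = ev
        elif code == "5":
            if protected_names and ev.get("process.name") not in protected_names:
                continue
            key = (host, ev.get("process.entity_id"))
            # once a process has terminated, any pending handle event for it is settled
            first = pending.pop(key, None)
            if first is None:
                continue
            delta = _ts(ev) - _ts(first)
            if delta <= MAXSPAN:
                matches.append({
                    "host.id": host,
                    "target_guid": key[1],
                    "accessor": first.get("process.name"),
                    "terminated": ev.get("process.name"),
                    "delta_s": delta.total_seconds(),
                })
    return matches


if __name__ == "__main__":
    for m in detect_terminate_sequences(SAMPLE_EVENTS):
        print(m)
```

Only pair A survives: pair B misses the 5-second window, pair C opened a broad-access handle rather than the narrow `0x1` mask the query keys on, and pair D fails the `by host.id` join. Passing `protected_names={"security-proc1", "security-proc2"}` reproduces the effect of uncommenting the `process.name` clause.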