@defensivedepth
Created September 20, 2021 19:19
Velociraptor Artifact - Sysmon Process Filters
name: Custom.Windows.System.Processes.Filtered
author: "Josh Brower - @DefensiveDepth"
description: |
  Use the exclusion rules from a Sysmon configuration to filter known-good
  processes out of the endpoint's process list. Only rules with condition
  "is" on Image or CommandLine are used, matched case-insensitively against
  the full executable path and command line; "begin with", "contains" and
  "image" rules are ignored, and the regexes pick up matching rules from
  every event type and rule group in the file, not just ProcessCreate
  excludes. Note this requires syncing the Sysmon config (~200 KB) to the host.

tools:
  - name: sysmon_config-01 # Original SwiftOnSecurity config
    url: https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml
  - name: sysmon_config-02 # Florian Roth fork of SwiftOnSecurity config
    url: https://raw.githubusercontent.com/Neo23x0/sysmon-config/master/sysmonconfig-export.xml
  #- name: sysmon_config-03 # Your own custom config
  #  url: https://raw.githubusercontent.com/TBD

precondition: SELECT OS From info() where OS = 'windows'

parameters:

sources:
  - query: |
      LET config <= SELECT * FROM Artifact.Generic.Utils.FetchBinary(
          ToolName= "sysmon_config-01")

      // Carve out Image_Is filters
      LET Filter_Image_Is = SELECT * FROM parse_records_with_regex(
          file=config.FullPath, regex='<Image condition="is">(.*)</Image>')

      // Carve out CommandLine_Is filters
      LET Filter_CmdLine_Is = SELECT * FROM parse_records_with_regex(
          file=config.FullPath, regex='<CommandLine condition="is">(.*)</CommandLine>')

      // Generate a process list from the endpoint
      LET processes = SELECT Name, Exe, CommandLine FROM pslist()

      // First pass - Filter out CommandLine_Is
      LET pass1 = SELECT * FROM processes
          WHERE NOT lowcase(string=CommandLine)
          in lowcase(string=Filter_CmdLine_Is.g1)

      // Second pass - Filter out Image_Is
      SELECT * FROM pass1
          WHERE NOT lowcase(string=Exe)
          in lowcase(string=Filter_Image_Is.g1)
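The same two-pass filter, written here in Python as an added example rather than code from the gist or from Velociraptor, so the matching semantics can be run offline. It keeps the artifact's behaviour (exact, case-insensitive match on the full Exe path and on the CommandLine, "is" conditions only) but parses the XML instead of regex-scanning it, and takes rules only from ProcessCreate exclude blocks. The Sysmon config fragment and the process rows are constructed sample data, not the real sysmonconfig-export.xml or a real pslist() output; the regex_image_is() helper reproduces the gist's whole-file regex so the difference is visible on the certutil row, whose "is" rule lives in a NetworkConnect include group and should not count as known-good.

```python
"""Known-good process filtering with Sysmon exclusion rules (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed, abbreviated config in the SwiftOnSecurity layout; NOT the real
# sysmonconfig-export.xml. One ProcessCreate exclude group plus a NetworkConnect
# include group that also happens to use <Image condition="is">.
SAMPLE_CONFIG = r"""<Sysmon schemaversion="4.30">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
        <Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image>
        <CommandLine condition="is">C:\Windows\system32\wbem\wmiprvse.exe -Embedding</CommandLine>
        <Image condition="begin with">C:\Program Files\Example\</Image>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="is">C:\Windows\System32\certutil.exe</Image>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""

# Constructed rows in the shape of Velociraptor's pslist() columns used by the artifact.
SAMPLE_PROCESSES = [
    {"Name": "svchost.exe", "Exe": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"Name": "WmiPrvSE.exe", "Exe": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"C:\Windows\System32\wbem\WmiPrvSE.exe -Embedding"},
    {"Name": "certutil.exe", "Exe": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -f http://example.invalid/a.txt a.txt"},
    {"Name": "svchost.exe", "Exe": r"C:\Users\Public\svchost.exe",
     "CommandLine": r"C:\Users\Public\svchost.exe"},
    {"Name": "update.exe", "Exe": r"C:\Program Files\Example\update.exe",
     "CommandLine": r"C:\Program Files\Example\update.exe /quiet"},
]

# The gist's approach, reproduced for comparison: every <Image condition="is">
# anywhere in the file, whatever event type or onmatch it belongs to.
IMAGE_IS_RE = re.compile(r'<Image condition="is">(.*)</Image>')


def regex_image_is(xml_text):
    return {m.group(1).strip().lower() for m in IMAGE_IS_RE.finditer(xml_text)}


def load_process_create_exclusions(xml_text):
    """Return (image_is, cmdline_is) as lower-cased sets, taken only from
    <ProcessCreate onmatch="exclude"> rules with condition="is". Walking the
    tree with iter() handles configs with or without RuleGroup wrappers."""
    root = ET.fromstring(xml_text)
    image_is, cmdline_is = set(), set()
    for block in root.iter("ProcessCreate"):
        if (block.get("onmatch") or "").lower() != "exclude":
            continue  # include rules say what to LOG, not what is benign
        for rule in block:
            if (rule.get("condition") or "").lower() != "is":
                continue  # 'begin with', 'contains', 'image' need other matching
            value = (rule.text or "").strip().lower()
            if rule.tag == "Image":
                image_is.add(value)
            elif rule.tag == "CommandLine":
                cmdline_is.add(value)
    return image_is, cmdline_is


def filter_processes(processes, image_is, cmdline_is):
    """Two passes like the VQL: drop exact CommandLine matches, then exact Exe
    matches, both case-insensitive. The full path is compared, so a
    masquerading svchost.exe outside System32 survives the filter."""
    pass1 = [p for p in processes if p["CommandLine"].lower() not in cmdline_is]
    return [p for p in pass1 if p["Exe"].lower() not in image_is]


def main():
    image_is, cmdline_is = load_process_create_exclusions(SAMPLE_CONFIG)
    for p in filter_processes(SAMPLE_PROCESSES, image_is, cmdline_is):
        print("scoped parser keeps :", p["Exe"])
    for p in filter_processes(SAMPLE_PROCESSES, regex_image_is(SAMPLE_CONFIG), cmdline_is):
        print("whole-file regex keeps:", p["Exe"])


if __name__ == "__main__":
    main()
```

Running it shows the scoped parser keeping certutil.exe, the svchost.exe copy under C:\Users\Public and update.exe (its "begin with" rule is ignored on purpose, as in the artifact), while the whole-file regex silently drops certutil.exe because the include-group rule is indistinguishable from an exclusion once the surrounding element is thrown away. If you extend the VQL, scoping the regex to the ProcessCreate exclude block, or parsing the XML with parse_xml(), is the change to make first.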