Velociraptor Artifact - Sysmon Process Filters
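name: Custom.Windows.System.Processes.Filtered
author: "Josh Brower - @DefensiveDepth"
description: |
  Use a sysmon configuration to filter out known-good processes.
  Note this requires syncing the sysmon config (200kb) to the host.

  Limitations (see the query below):
  - Only <Image condition="is"> and <CommandLine condition="is"> rules are
    harvested from the config. Other sysmon conditions (image, begin with,
    contains, ...) are not applied, so some processes that sysmon itself
    would exclude will still appear in the output.
  - The regexes are not scoped to exclude rule groups: any matching element
    anywhere in the config, including inside include groups, is treated as
    known-good. Review the harvested list before relying on the output.
  - Filtering is by exact path / command line string only. No hash or
    signer is checked, so a binary planted at a listed path (or a hollowed
    process carrying a listed image) is hidden from the output. Treat this
    as noise reduction, not verification.

tools:
  # NOTE(review): both URLs track `master`, so the filter set changes
  # silently whenever upstream changes and the synced file is whatever the
  # CDN serves at collection time. Before deploying, pin each url to a commit
  # and set expected_hash on the tool so a modified config is rejected.
  - name: sysmon_config-01 # Original SwiftOnSecurity config
    url: https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml
  - name: sysmon_config-02 # Florian Roth fork of SwiftOnSecurity config
    url: https://raw.githubusercontent.com/Neo23x0/sysmon-config/master/sysmonconfig-export.xml
  #- name: sysmon_config-03 # Your own custom config
  #  url: https://raw.githubusercontent.com/TBD

precondition: SELECT OS From info() where OS = 'windows'

parameters:
  # Selects which of the tools above supplies the filter list. The default
  # keeps the original behaviour (sysmon_config-01).
  - name: SysmonConfigTool
    default: sysmon_config-01
    description: Name of the tool (above) whose sysmon config supplies the filters.

sources:
  - query: |
      // Sync the selected sysmon config to the endpoint.
      LET config <= SELECT * FROM Artifact.Generic.Utils.FetchBinary(
          ToolName=SysmonConfigTool)

      // Carve out Image_Is filters. The regex is unscoped: it matches every
      // <Image condition="is"> element in the file regardless of the rule
      // group it sits in, and the greedy (.*) over-captures if two such
      // elements ever share a line.
      LET Filter_Image_Is = SELECT * FROM parse_records_with_regex(
          file=config.FullPath, regex='<Image condition="is">(.*)</Image>')

      // Carve out CommandLine_Is filters (same caveats as above).
      LET Filter_CmdLine_Is = SELECT * FROM parse_records_with_regex(
          file=config.FullPath, regex='<CommandLine condition="is">(.*)</CommandLine>')

      // Generate a process list from the endpoint. Only Name, Exe and
      // CommandLine are collected - no hash or signer information.
      LET processes = SELECT Name, Exe, CommandLine FROM pslist()

      // First pass - drop processes whose full command line is an exact
      // (case-insensitive) match for a harvested CommandLine_Is value.
      LET pass1 = SELECT * FROM processes
        WHERE NOT lowcase(string=CommandLine)
          in lowcase(string=Filter_CmdLine_Is.g1)

      // Second pass - drop processes whose image path is an exact
      // (case-insensitive) match for a harvested Image_Is value.
      SELECT * FROM pass1
        WHERE NOT lowcase(string=Exe)
          in lowcase(string=Filter_Image_Is.g1)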