@leoloobeek
Created December 19, 2017 17:36
Sysmon log loading of ieproxy.dll for detecting IE COM abuse
<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS-->
<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
<ImageLoad onmatch="include">
  <ImageLoaded condition="end with">ieproxy.dll</ImageLoaded>
</ImageLoad>
<ImageLoad onmatch="exclude">
  <Image condition="is">C:\Program Files (x86)\Internet Explorer\iexplore.exe</Image>
  <Image condition="is">C:\Program Files\internet explorer\iexplore.exe</Image>
  <Image condition="is">C:\Program Files (x86)\Internet Explorer\ielowutil.exe</Image>
  <Image condition="is">C:\Program Files\internet explorer\ielowutil.exe</Image>
</ImageLoad>
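The rule above reads: log an Event ID 7 record whenever the loaded image ends with ieproxy.dll, unless the loading process is one of the listed Internet Explorer binaries. Sysmon evaluates exclude rules before include rules and compares strings case-insensitively, which is why the mixed-case "internet explorer" paths still exclude the real IE processes. The script below is an added example, not part of the gist, that applies the same include/exclude logic to a few constructed Event ID 7 records so the rule's behaviour can be checked offline; the sample events, the process paths in them and the `flag_events` helper are all constructed for this illustration (the records also omit the Windows event XML namespace that a real export carries).

```python
"""Apply the gist's Sysmon ImageLoad rule to constructed Event ID 7 records.

Rule semantics mirrored here: a record is reported when an include filter
matches and no exclude filter matches (Sysmon gives exclude precedence),
using case-insensitive string comparison as Sysmon does.
"""
import xml.etree.ElementTree as ET

# Values taken from the gist's rule.
INCLUDE_IMAGELOADED_SUFFIX = "ieproxy.dll"
EXCLUDE_IMAGES = {
    r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
    r"C:\Program Files\internet explorer\iexplore.exe",
    r"C:\Program Files (x86)\Internet Explorer\ielowutil.exe",
    r"C:\Program Files\internet explorer\ielowutil.exe",
}
# Pre-lowercase the exclusions so comparison is case-insensitive like Sysmon's.
EXCLUDE_IMAGES_LOWER = {p.lower() for p in EXCLUDE_IMAGES}

# Constructed sample records (not real telemetry); namespace omitted for brevity.
SAMPLE_EVENTS = [
    # Benign: 32-bit IE loading its own proxy DLL, path exactly as in the rule.
    """<Event><System><EventID>7</EventID></System><EventData>
      <Data Name="Image">C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe</Data>
      <Data Name="ImageLoaded">C:\\Program Files (x86)\\Internet Explorer\\ieproxy.dll</Data>
    </EventData></Event>""",
    # Benign: 64-bit ielowutil.exe, path case differs from the rule text.
    """<Event><System><EventID>7</EventID></System><EventData>
      <Data Name="Image">C:\\Program Files\\Internet Explorer\\ielowutil.exe</Data>
      <Data Name="ImageLoaded">C:\\Program Files\\Internet Explorer\\IEPROXY.DLL</Data>
    </EventData></Event>""",
    # Suspicious (constructed): a non-IE process loading ieproxy.dll.
    """<Event><System><EventID>7</EventID></System><EventData>
      <Data Name="Image">C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe</Data>
      <Data Name="ImageLoaded">C:\\Program Files\\Internet Explorer\\ieproxy.dll</Data>
    </EventData></Event>""",
    # Not of interest: IE loading a different DLL never hits the include filter.
    """<Event><System><EventID>7</EventID></System><EventData>
      <Data Name="Image">C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe</Data>
      <Data Name="ImageLoaded">C:\\Windows\\SysWOW64\\urlmon.dll</Data>
    </EventData></Event>""",
    # A different event type (process create) is ignored by an ImageLoad rule.
    """<Event><System><EventID>1</EventID></System><EventData>
      <Data Name="Image">C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe</Data>
    </EventData></Event>""",
]


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) for one Sysmon event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("System/EventID"))
    data = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
    return event_id, data


def matches_rule(event_id, data):
    """True if the record would be logged under the gist's ImageLoad rule."""
    if event_id != 7:
        return False
    image_loaded = data.get("ImageLoaded", "").lower()   # "end with" filter target
    image = data.get("Image", "").lower()                # "is" filter target
    included = image_loaded.endswith(INCLUDE_IMAGELOADED_SUFFIX)
    excluded = image in EXCLUDE_IMAGES_LOWER
    return included and not excluded


def flag_events(xml_records):
    """Return the loading process (Image) of every record that hits the rule."""
    hits = []
    for record in xml_records:
        event_id, data = parse_event(record)
        if matches_rule(event_id, data):
            hits.append(data["Image"])
    return hits


if __name__ == "__main__":
    for image in flag_events(SAMPLE_EVENTS):
        print("ieproxy.dll loaded by non-IE process:", image)
```

Of the five constructed records only the Temp-directory process is reported; both IE loaders fall under the exclusion regardless of path case, the unrelated DLL never matches the include filter, and the Event ID 1 record is outside the rule's scope. When deploying the fragment, it belongs inside the `EventFiltering` element of a full Sysmon configuration, and any other legitimate host of ieproxy.dll observed in your environment would be added as a further `Image` exclusion.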