mirror of
https://github.com/norandom/log2ml.git
synced 2025-04-19 15:21:27 +00:00
1201 lines
120 KiB
XML
1201 lines
120 KiB
XML
|
<!--
|
||
|
|
sysmon-config | A Sysmon configuration focused on default high-quality event tracing and easy customization by the community
|
||
|
|
Source version: 74 | Date: 2021-07-08
|
||
|
|
Source project: https://github.com/SwiftOnSecurity/sysmon-config
|
||
|
|
Source license: Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
|
||
|
|
|
||
|
|
Fork version: <N/A>
|
||
|
|
Fork author: <N/A>
|
||
|
|
Fork project: <N/A>
|
||
|
|
Fork license: <N/A>
|
||
|
|
|
||
|
|
REQUIRED: Sysmon version 13 or higher (due to changes in syntax and bug-fixes)
|
||
|
|
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
|
||
|
|
|
||
|
|
NOTE: To collect Sysmon logs centrally for free, see https://aka.ms/WEF | Command to allow log access to the Network Service:
|
||
|
|
wevtutil.exe sl Microsoft-Windows-Sysmon/Operational /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)
|
||
|
|
|
||
|
|
NOTE: Do not let the size and complexity of this configuration discourage you from customizing it or building your own.
|
||
|
|
This configuration is based around known, high-signal event tracing, and thus appears complicated, but it is only very
|
||
|
|
detailed. Significant effort over years has been invested in front-loading as much filtering as possible onto the
|
||
|
|
client. This is to make analysis of intrusions possible by hand, and to try to surface anomalous activity as quickly
|
||
|
|
as possible to technicians armed only with Event Viewer. Its purpose is to democratize system monitoring for all organizations.
|
||
|
|
|
||
|
|
NOTE: Sysmon is NOT a whitelist solution or HIDS correlation engine, it is a computer change logging tool.
|
||
|
|
Do NOT ignore everything possible. Sysmon's purpose is providing context during a threat or problem investigation. Legitimate
|
||
|
|
processes are routinely used by threats - do not blindly exclude them. Additionally, be mindful of process-hollowing / imitation.
|
||
|
|
|
||
|
|
NOTE: By default this monitors DNS, which is extremely noisy. If you are starting out on your monitoring journey, just remove that section.
|
||
|
|
You can remove DNS events from Event Viewer screen by applying a 'Filter Current View' for event IDs of: -22
|
||
|
|
Additionally, if you want to monitor DNS, you should deploy client-side adblocking to reduce lookups. See the DNS section for info.
|
||
|
|
|
||
|
|
NOTE: This configuration is designed for PER-MACHINE installs of Chrome and OneDrive. That moves their binaries out of user-controlled folders.
|
||
|
|
Otherwise, attackers could imitate these common applications, and bypass your logging. Below are silent upgrades you can do, no user impact:
|
||
|
|
- https://docs.microsoft.com/en-us/onedrive/per-machine-installation
|
||
|
|
- https://cloud.google.com/chrome-enterprise/browser/download/
|
||
|
|
- As of 2021-02-16 there is no machine-level version of Microsoft Teams. The one provided copies itself to the user profile.
|
||
|
|
|
||
|
|
NOTE: Sysmon is not hardened against an attacker with admin rights. Additionally, this configuration offers an attacker, willing
|
||
|
|
to study it, limited ways to evade some of the logging. If you are in a very high-threat environment, you should consider a broader,
|
||
|
|
log-most approach. However, in the vast majority of cases, an attacker will bumble through multiple behavioral traps which
|
||
|
|
this configuration monitors, especially in the first minutes.
|
||
|
|
|
||
|
|
NOTE: If you encounter unexplainable event inclusion/exclusion, you may have a second Sysmon instance installed under a different exe filename.
|
||
|
|
To clear this, try downloading the latest version and uninstalling with -u force. If it hangs, kill the processes and run it again to cleanup.
|
||
|
|
|
||
|
|
TECHNICAL:
|
||
|
|
- Run sysmon.exe -? for a briefing on Sysmon configuration.
|
||
|
|
- Sysmon XML cannot use the AMPERSAND sign. Replace it with this: &
|
||
|
|
- Sysmon 8+ can track which rule caused an event to be logged through the "RuleName" field.
|
||
|
|
- If you only specify exclude for a filtering subsection, everything in that subsection is logged by default.
|
||
|
|
- Some Sysmon monitoring abilities are not meant for widely deployed general-purpose use due to performance impact. Depends on environment.
|
||
|
|
- Duplicate or overlapping "Include" rules do not result in duplicate events being logged.
|
||
|
|
- All characters enclosed by XML tags are always interpreted literally. Sysmon does not support wildcards (*), alternate characters, or RegEx.
|
||
|
|
- In registry events, the value name is appended to the full key path with a "\" delimiter. Default key values are named "\(Default)"
|
||
|
|
- "Image" is a technical term for a compiled binary file like an EXE or DLL. Also, it can match just the filename, or entire path.
|
||
|
|
- "ProcessGuid" and "LoginGuid" are not random, they contain some embedded information. https://gist.github.com/mattifestation/0102042160c9a60b2b847378c0ef70b4
|
||
|
|
|
||
|
|
FILTERING: Filter conditions available for use are: is,is not,contains,contains any,contains all,excludes,excludes any,excludes all,begin with,end with,less than,more than,image
|
||
|
|
- The "image" filter is usable on any field. Same as "is" but can either match entire string, or only the text after last "\". Credit: @mattifestation
|
||
|
|
|
||
|
|
-->
|
||
|
|
|
||
|
|
<Sysmon schemaversion="4.50">
|
||
|
|
<!--SYSMON META CONFIG-->
|
||
|
|
<HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms. Remove IMPHASH if you do not use DLL import fingerprinting. -->
|
||
|
|
<CheckRevocation/> <!-- Check loaded drivers, log if their code-signing certificate has been revoked, in case malware stole one to sign a kernel driver -->
|
||
|
|
|
||
|
|
<!-- <ImageLoad/> --> <!-- Would manually force-on ImageLoad monitoring, even without configuration below. Included only documentation. -->
|
||
|
|
<!-- <ProcessAccessConfig/> --> <!-- Would manually force-on ProcessAccess monitoring, even without configuration below. Included only documentation. -->
|
||
|
|
<!-- <PipeMonitoringConfig/> --> <!-- Would manually force-on PipeCreated / PipeConnected events, even without configuration below. Included only documentation. -->
|
||
|
|
<!-- <ArchiveDirectory> -->
|
||
|
|
|
||
|
|
<EventFiltering>
|
||
|
|
|
||
|
|
<!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
|
||
|
|
<!--COMMENT: All processes launched will be logged, except for what matches a rule below. It's best to be as specific as possible,
|
||
|
|
to avoid user-mode executables imitating other process names to avoid logging, or if malware drops files in an existing directory.
|
||
|
|
Ultimately, you must weigh CPU time checking many detailed rules, against the risk of malware exploiting the blindness created.
|
||
|
|
Beware of Masquerading, where attackers imitate the names and paths of legitimate tools. Ideally, you'd use both file path and
|
||
|
|
code signatures to validate, but Sysmon does not support that. Look into AppLocker/WindowsDeviceGuard for whitelisting support. -->
|
||
|
|
|
||
|
|
<!--DATA: UtcTime, ProcessGuid, ProcessID, Image, FileVersion, Description, Product, Company, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine, RuleName-->
|
||
|
|
<RuleGroup name="" groupRelation="or">
|
||
|
|
<ProcessCreate onmatch="exclude">
|
||
|
|
<!--SECTION: Microsoft Windows-->
|
||
|
|
<CommandLine condition="begin with"> "C:\Windows\system32\wermgr.exe" "-queuereporting_svc" </CommandLine> <!--Windows:Windows error reporting/telemetry-->
|
||
|
|
<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Windows-->
|
||
|
|
<CommandLine condition="begin with">C:\Windows\system32\wbem\wmiprvse.exe -Embedding</CommandLine> <!--Windows: WMI provider host-->
|
||
|
|
<CommandLine condition="begin with">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</CommandLine> <!--Windows: WMI provider host-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\wermgr.exe -upload</CommandLine> <!--Windows:Windows error reporting/telemetry-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine> <!--Windows: Search Indexer-->
|
||
|
|
<CommandLine condition="is">C:\windows\system32\wermgr.exe -queuereporting</CommandLine> <!--Windows:Windows error reporting/telemetry-->
|
||
|
|
<CommandLine condition="is">\??\C:\Windows\system32\autochk.exe *</CommandLine> <!--Microsoft:Bootup: Auto Check Utility-->
|
||
|
|
<CommandLine condition="is">\SystemRoot\System32\smss.exe</CommandLine> <!--Microsoft:Bootup: Windows Session Manager-->
|
||
|
|
<CommandLine condition="is">C:\Windows\System32\RuntimeBroker.exe -Embedding</CommandLine> <!--Windows:Apps permissions [ https://fossbytes.com/runtime-broker-process-windows-10/ ] -->
|
||
|
|
<Image condition="is">C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe</Image> <!--Windows: Touch Keyboard and Handwriting Panel Helper-->
|
||
|
|
<Image condition="is">C:\Windows\System32\TokenBrokerCookies.exe</Image> <!--Windows: SSO sign-in assistant for MicrosoftOnline.com-->
|
||
|
|
<Image condition="is">C:\Windows\System32\plasrv.exe</Image> <!--Windows: Performance Logs and Alerts DCOM Server-->
|
||
|
|
<Image condition="is">C:\Windows\System32\wifitask.exe</Image> <!--Windows: Wireless Background Task-->
|
||
|
|
<Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image> <!--Windows: Customer Experience Improvement-->
|
||
|
|
<Image condition="is">C:\Windows\system32\PrintIsolationHost.exe</Image> <!--Windows: Printing-->
|
||
|
|
<Image condition="is">C:\Windows\system32\SppExtComObj.Exe</Image> <!--Windows: KMS activation-->
|
||
|
|
<Image condition="is">C:\Windows\system32\audiodg.exe</Image> <!--Windows: Launched constantly-->
|
||
|
|
<Image condition="is">C:\Windows\system32\conhost.exe</Image> <!--Windows: Command line interface host process-->
|
||
|
|
<Image condition="is">C:\Windows\system32\mobsync.exe</Image> <!--Windows: Network file syncing-->
|
||
|
|
<Image condition="is">C:\Windows\system32\musNotification.exe</Image> <!--Windows: Update pop-ups-->
|
||
|
|
<Image condition="is">C:\Windows\system32\musNotificationUx.exe</Image> <!--Windows: Update pop-ups-->
|
||
|
|
<Image condition="is">C:\Windows\system32\powercfg.exe</Image> <!--Microsoft:Power configuration management-->
|
||
|
|
<Image condition="is">C:\Windows\system32\sndVol.exe</Image> <!--Windows: Volume control-->
|
||
|
|
<Image condition="is">C:\Windows\system32\sppsvc.exe</Image> <!--Windows: Software Protection Service-->
|
||
|
|
<Image condition="is">C:\Windows\system32\wbem\WmiApSrv.exe</Image> <!--Windows: WMI performance adapter host process-->
|
||
|
|
<IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Windows: Don't care about sandboxed processes right now. Will need to revisit this decision.-->
|
||
|
|
<ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!--Windows:CommandShell: Triggered when programs use the command shell, but doesn't provide attribution for what caused it-->
|
||
|
|
<ParentCommandLine condition="is">C:\windows\system32\wermgr.exe -queuereporting</ParentCommandLine> <!--Windows:Windows error reporting/telemetry-->
|
||
|
|
<CommandLine condition="is">C:\WINDOWS\system32\devicecensus.exe UserCxt</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\System32\usocoreworker.exe -Embedding</CommandLine>
|
||
|
|
<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Windows:Search: Launches many uninteresting sub-processes-->
|
||
|
|
<!--SECTION: Windows:svchost-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel -s StateRepository</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel</CommandLine> <!--Windows 10-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel -p -s tiledatamodelsvc</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k camera -s FrameServer</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k dcomlaunch -s LSM</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k dcomlaunch -s PlugPlay</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k defragsvc</CommandLine> <!--Windows defragmentation-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k devicesflow -s DevicesFlowUserSvc</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k imgsvc</CommandLine> <!--Microsoft:The Windows Image Acquisition Service-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s EventSystem</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s bthserv</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s nsi</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s w32Time</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation</CommandLine> <!--Windows: Network services-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -p</CommandLine> <!--Windows: Network services-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp</CommandLine> <!--Windows: Network services-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s TimeBrokerSvc</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -s BTAGService</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService</CommandLine> <!--Win10:1903:Network Connection Broker-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted</CommandLine> <!--Windows: Network services-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -p -s SSDPSRV</CommandLine> <!--Windows:SSDP [ https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol ] -->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNoNetwork</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s NgcSvc</CommandLine> <!--Microsoft:Passport-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -p -s NgcCtnrSvc</CommandLine> <!--Microsoft:Passport Container-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SCardSvr</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs -p -s SessionEnv</CommandLine> <!--Windows:Remote desktop configuration-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost</CommandLine> <!--Windows: Diagnostic System Host [ http://www.blackviper.com/windows-services/diagnostic-system-host/ ] -->
|
||
|
|
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k localSystemNetworkRestricted -p -s WdiSystemHost</CommandLine> <!--Windows: Diagnostic System Host [ http://www.blackviper.com/windows-services/diagnostic-system-host/ ] -->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted</CommandLine> <!--Windows-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc</CommandLine> <!--Windows: Windows Live Sign-In Assistant [ https://www.howtogeek.com/howto/30348/what-are-wlidsvc.exe-and-wlidsvcm.exe-and-why-are-they-running/ ] -->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -p -s ncaSvc</CommandLine> <!--Windows: Network Connectivity Assistant [ http://www.blackviper.com/windows-services/network-connectivity-assistant/ ] -->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC</CommandLine> <!--Windows:Network: BitLocker Drive Encryption-->
|
||
|
|
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs -p -s BDESVC</CommandLine> <!--Microsoft:Win10:1903:Network: BitLocker Drive Encryption-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -p -s BITS</CommandLine> <!--Windows:Network: Background Intelligent File Transfer (BITS) -->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s BITS</CommandLine> <!--Windows:Network: Background Intelligent File Transfer (BITS) -->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s Gpsvc</CommandLine> <!--Windows:Network: Group Policy -->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc</CommandLine> <!--Windows: Network services-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s SENS</CommandLine> <!--Windows: Network services-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv</CommandLine> <!--Windows: Network services-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s Themes</CommandLine> <!--Windows: Network services-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt</CommandLine> <!--Windows: Windows Management Instrumentation (WMI) -->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs</CommandLine> <!--Windows: Network services-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s Dnscache</CommandLine> <!--Windows:Network: DNS caching, other uses -->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation</CommandLine> <!--Windows:Network: "Workstation" service, used for SMB file-sharing connections and RDP-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s NlaSvc</CommandLine> <!--Windows:Network: Network Location Awareness-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s TermService</CommandLine> <!--Windows:Network: Terminal Services (RDP)-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService</CommandLine> <!--Windows: Network services-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -p</CommandLine> <!--Windows: Network services-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted</CommandLine> <!--Windows: Network services-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k rPCSS</CommandLine> <!--Windows Services-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k secsvcs</CommandLine>
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k swprv</CommandLine> <!--Microsoft:Software Shadow Copy Provider-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k unistackSvcGroup</CommandLine> <!--Windows 10-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k utcsvc</CommandLine> <!--Windows Services-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k wbioSvcGroup</CommandLine> <!--Windows Services-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k werSvcGroup</CommandLine> <!--Windows: ErrorReporting-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc</CommandLine> <!--Windows: Update Medic Service [ https://www.thewindowsclub.com/windows-update-medic-service ] -->
|
||
|
|
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC</CommandLine> <!--Windows:Apps: Client License Service-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc</CommandLine> <!--Windows:Apps: AppX Deployment Service-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC</CommandLine> <!--Windows:Apps: Client License Service-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k wsappx</CommandLine> <!--Windows:Apps [ https://www.howtogeek.com/320261/what-is-wsappx-and-why-is-it-running-on-my-pc/ ] -->
|
||
|
|
<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs</ParentCommandLine> <!--Windows: Network services: Spawns Consent.exe-->
|
||
|
|
<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted</ParentCommandLine> <!--Windows-->
|
||
|
|
<CommandLine condition="is">C:\Windows\system32\deviceenroller.exe /c /AutoEnrollMDM</CommandLine> <!--Windows: AzureAD device enrollment agent-->
|
||
|
|
<!--SECTION: Microsoft:Edge-->
|
||
|
|
<CommandLine condition="begin with">"C:\Program Files (x86)\Microsoft\Edge Dev\Application\msedge.exe" --type=</CommandLine>
|
||
|
|
<!--SECTION: Microsoft:dotNet-->
|
||
|
|
<CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</CommandLine> <!--Microsoft:DotNet-->
|
||
|
|
<CommandLine condition="begin with">C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe</CommandLine> <!--Microsoft:DotNet-->
|
||
|
|
<CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</CommandLine> <!--Microsoft:DotNet-->
|
||
|
|
<CommandLine condition="begin with">C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</CommandLine> <!--Microsoft:DotNet-->
|
||
|
|
<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
|
||
|
|
<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
|
||
|
|
<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Windows: Font cache service-->
|
||
|
|
<ParentCommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
|
||
|
|
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
|
||
|
|
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
|
||
|
|
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
|
||
|
|
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet: Spawns thousands of ngen.exe processes-->
|
||
|
|
<!--SECTION: Microsoft:Office-->
|
||
|
|
<Image condition="is">C:\Program Files\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
|
||
|
|
<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
|
||
|
|
<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE</Image> <!--Microsoft:Office: Licensing service-->
|
||
|
|
<Image condition="is">C:\Program Files\Microsoft Office\Office16\msoia.exe</Image> <!--Microsoft:Office: Telemetry collector-->
|
||
|
|
<Image condition="is">C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>
|
||
|
|
<!--SECTION: Microsoft:Office:Click2Run-->
|
||
|
|
<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!--Microsoft:Office: Background process-->
|
||
|
|
<ParentImage condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage> <!--Microsoft:Office: Background process-->
|
||
|
|
<ParentImage condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</ParentImage> <!--Microsoft:Office: Background process-->
|
||
|
|
<!--SECTION: Windows: Media player-->
|
||
|
|
<Image condition="is">C:\Program Files\Windows Media Player\wmpnscfg.exe</Image> <!--Windows: Windows Media Player Network Sharing Service Configuration Application-->
|
||
|
|
<!--SECTION: Google-->
|
||
|
|
<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
|
||
|
|
<CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
|
||
|
|
</ProcessCreate>
|
||
|
|
</RuleGroup>
|
||
|
|
|
||
|
|
<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
|
||
|
|
<!--COMMENT: [ https://attack.mitre.org/wiki/Technique/T1099 ] -->
|
||
|
|
|
||
|
|
<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime-->
|
||
|
|
<RuleGroup name="" groupRelation="or">
|
||
|
|
<FileCreateTime onmatch="include">
|
||
|
|
<Image name="T1099" condition="begin with">C:\Users</Image> <!--Look for timestomping in user area, usually nothing should be doing that here-->
|
||
|
|
<TargetFilename name="T1099" condition="end with">.exe</TargetFilename> <!--Look for backdated executables anywhere-->
|
||
|
|
<Image name="T1099" condition="begin with">\Device\HarddiskVolumeShadowCopy</Image> <!--Nothing should be written here | Credit: @SBousseaden [ https://twitter.com/SBousseaden/status/1133030955407630336 ] -->
|
||
|
|
</FileCreateTime>
|
||
|
|
</RuleGroup>
|
||
|
|
|
||
|
|
<RuleGroup name="" groupRelation="or">
|
||
|
|
<FileCreateTime onmatch="exclude">
|
||
|
|
<Image condition="image">OneDrive.exe</Image> <!--OneDrive constantly changes file times-->
|
||
|
|
<Image condition="image">C:\Windows\system32\backgroundTaskHost.exe</Image>
|
||
|
|
<Image condition="contains">setup</Image> <!--Ignore setups-->
|
||
|
|
<Image condition="contains">install</Image> <!--Ignore setups-->
|
||
|
|
<Image condition="contains">Update\</Image> <!--Ignore setups-->
|
||
|
|
<Image condition="end with">redist.exe</Image> <!--Ignore setups-->
|
||
|
|
<Image condition="is">msiexec.exe</Image> <!--Ignore setups-->
|
||
|
|
<Image condition="is">TrustedInstaller.exe</Image> <!--Ignore setups-->
|
||
|
|
<TargetFilename condition="contains">\NVIDIA\NvBackend\ApplicationOntology\</TargetFilename> <!--NVIDIA GeForce Experience Application Ontology, 1000's of events in user profile-->
|
||
|
|
</FileCreateTime>
|
||
|
|
</RuleGroup>
|
||
|
|
|
||
|
|
<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED [NetworkConnect]-->
|
||
|
|
<!--COMMENT: By default this configuration takes a very conservative approach to network logging, limited to only extremely high-signal events.-->
|
||
|
|
<!--COMMENT: [ https://attack.mitre.org/wiki/Command_and_Control ] [ https://attack.mitre.org/wiki/Exfiltration ] [ https://attack.mitre.org/wiki/Lateral_Movement ] -->
|
||
|
|
<!--TECHNICAL: For the DestinationHostname, Sysmon uses the GetNameInfo API, which will often not have any information, and may just be a CDN. This is NOT reliable for filtering.-->
|
||
|
|
<!--TECHNICAL: For the DestinationPortName, Sysmon uses the GetNameInfo API for the friendly name of ports you see in logs.-->
|
||
|
|
<!--TECHNICAL: These exe do not initiate their connections, and thus includes do not work in this section: BITSADMIN NLTEST-->
|
||
|
|
|
||
|
|
<!-- https://www.first.org/resources/papers/conf2017/APT-Log-Analysis-Tracking-Attack-Tools-by-Audit-Policy-and-Sysmon.pdf -->
|
||
|
|
|
||
|
|
<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpV6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName-->
|
||
|
|
<RuleGroup name="" groupRelation="or">
|
||
|
|
<NetworkConnect onmatch="include">
|
||
|
|
<!--Suspicious sources for network-connecting binaries-->
|
||
|
|
<Image name="Usermode" condition="begin with">C:\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
|
||
|
|
<Image name="Caution" condition="begin with">C:\Recycle</Image> <!--Nothing should operate from the RecycleBin locations.-->
|
||
|
|
<Image condition="begin with">C:\ProgramData</Image> <!--Normally, network communications should be sourced from "Program Files" not from ProgramData, something to look at-->
|
||
|
|
<Image condition="begin with">C:\Windows\Temp</Image> <!--Suspicious anything would communicate from the system-level temp directory-->
|
||
|
|
<Image name="Caution" condition="begin with">\</Image> <!--Devices and VSC shouldn't be executing changes | Credit: @SBousseaden @ionstorm @neu5ron @PerchedSystems [ https://twitter.com/SwiftOnSecurity/status/1133167323991486464 ] -->
|
||
|
|
<Image name="Caution" condition="begin with">C:\perflogs</Image> <!-- Credit @blu3_team [ https://blu3-team.blogspot.com/2019/05/netconn-from-suspicious-directories.html ] -->
|
||
|
|
<Image name="Caution" condition="begin with">C:\intel</Image> <!-- Credit @blu3_team [ https://blu3-team.blogspot.com/2019/05/netconn-from-suspicious-directories.html ] -->
|
||
|
|
<Image name="Caution" condition="begin with">C:\Windows\fonts</Image> <!-- Credit @blu3_team [ https://blu3-team.blogspot.com/2019/05/netconn-from-suspicious-directories.html ] -->
|
||
|
|
<Image name="Caution" condition="begin with">C:\Windows\system32\config</Image> <!-- Credit @blu3_team [ https://blu3-team.blogspot.com/2019/05/netconn-from-suspicious-directories.html ] -->
|
||
|
|
<!--Suspicious Windows tools-->
|
||
|
|
<Image condition="image">at.exe</Image> <!--Windows: Remote task scheduling, removed in Win10 | Credit @ion-storm -->
|
||
|
|
<Image condition="image">certutil.exe</Image> <!--Windows: Certificate tool can contact outbound | Credit @ion-storm @FVT [ https://twitter.com/FVT/status/834433734602530817 ] -->
|
||
|
|
<Image condition="image">cmd.exe</Image> <!--Windows: Remote command prompt-->
|
||
|
|
<Image condition="image">cmstp.exe</Image> <!--Windows: Connection manager profiles can launch executables from WebDAV [ https://twitter.com/NickTyrer/status/958450014111633408 ] | Credit @NickTyrer @Oddvarmoe @KyleHanslovan @subTee -->
|
||
|
|
<Image condition="image">cscript.exe</Image> <!--WindowsScriptingHost: | Credit @Cyb3rOps [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
|
||
|
|
<Image condition="image">driverquery.exe</Image> <!--Windows: Remote recognisance of system configuration, oudated/vulnerable drivers -->
|
||
|
|
<Image condition="image">dsquery.exe</Image> <!--Microsoft: Query Active Directory -->
|
||
|
|
<Image condition="image">hh.exe</Image> <!--Windows: HTML Help Executable, opens CHM files -->
|
||
|
|
<Image condition="image">infDefaultInstall.exe</Image> <!--Microsoft: [ https://github.com/huntresslabs/evading-autoruns ] | Credit @KyleHanslovan -->
|
||
|
|
<Image condition="image">java.exe</Image> <!--Java: Monitor usage of vulnerable application and init from JAR files | Credit @ion-storm -->
|
||
|
|
<Image condition="image">javaw.exe</Image> <!--Java: Monitor usage of vulnerable application and init from JAR files -->
|
||
|
|
<Image condition="image">javaws.exe</Image> <!--Java: Monitor usage of vulnerable application and init from JAR files -->
|
||
|
|
<Image condition="image">mmc.exe</Image> <!--Windows: -->
|
||
|
|
<Image condition="image">msbuild.exe</Image> <!--Windows: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
|
||
|
|
<Image condition="image">mshta.exe</Image> <!--Windows: HTML application executes scripts without IE protections | Credit @ion-storm [ https://en.wikipedia.org/wiki/HTML_Application ] -->
|
||
|
|
<Image condition="image">msiexec.exe</Image> <!--Windows: Can install from http:// paths | Credit @vector-sec -->
|
||
|
|
<Image condition="image">nbtstat.exe</Image> <!--Windows: NetBIOS statistics, attackers use to enumerate local network -->
|
||
|
|
<Image condition="image">net.exe</Image> <!--Windows: Note - May not detect anything, net.exe is a front-end to lower APIs | Credit @ion-storm -->
|
||
|
|
<Image condition="image">net1.exe</Image> <!--Windows: Launched by "net.exe", but it may not detect connections either -->
|
||
|
|
<Image condition="image">notepad.exe</Image> <!--Windows: [ https://secrary.com/ReversingMalware/CoinMiner/ ] [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
|
||
|
|
<Image condition="image">nslookup.exe</Image> <!--Windows: Retrieve data over DNS -->
|
||
|
|
<Image condition="image">powershell.exe</Image> <!--Windows: PowerShell interface-->
|
||
|
|
<Image condition="image">powershell_ise.exe</Image> <!--Windows: PowerShell interface-->
|
||
|
|
<Image condition="image">qprocess.exe</Image> <!--Windows: [ https://www.first.org/resources/papers/conf2017/APT-Log-Analysis-Tracking-Attack-Tools-by-Audit-Policy-and-Sysmon.pdf ] -->
|
||
|
|
<Image condition="image">qwinsta.exe</Image> <!--Windows: Query remote sessions | Credit @ion-storm -->
|
||
|
|
<Image condition="image">qwinsta.exe</Image> <!--Windows: Remotely query login sessions on a server or workstation | Credit @ion-storm -->
|
||
|
|
<Image condition="image">reg.exe</Image> <!--Windows: Remote Registry editing ability | Credit @ion-storm -->
|
||
|
|
<Image condition="image">regsvcs.exe</Image> <!--Windows: [ https://www.hybrid-analysis.com/sample/3f94d7080e6c5b8f59eeecc3d44f7e817b31562caeba21d02ad705a0bfc63d67?environmentId=100 ] -->
|
||
|
|
<Image condition="image">regsvr32.exe</Image> <!--Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
|
||
|
|
<Image condition="image">rundll32.exe</Image> <!--Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
|
||
|
|
<Image condition="image">rwinsta.exe</Image> <!--Windows: Disconnect remote sessions | Credit @ion-storm -->
|
||
|
|
<Image condition="image">sc.exe</Image> <!--Windows: Remotely change Windows service settings | Credit @ion-storm -->
|
||
|
|
<Image condition="image">schtasks.exe</Image> <!--Windows: Command-line interface to local and remote tasks -->
|
||
|
|
<Image condition="image">taskkill.exe</Image> <!--Windows: Kill processes, has remote ability -->
|
||
|
|
<Image condition="image">tasklist.exe</Image> <!--Windows: List processes, has remote ability -->
|
||
|
|
<Image condition="image">wmic.exe</Image> <!--WindowsManagementInstrumentation: Credit @Cyb3rOps [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
|
||
|
|
<Image condition="image">wscript.exe</Image> <!--WindowsScriptingHost: | Credit @arekfurt -->
|
||
|
|
<!--Live of the Land Binaries and scripts (LOLBAS) -->
|
||
|
|
<Image condition="image">bitsadmin.exe</Image> <!-- Windows: Background Intelligent Transfer Service - Can download from URLs -->
|
||
|
|
<Image condition="image">esentutl.exe</Image> <!-- Windows: Database utilities for the ESE - Can fetch from UNC paths -->
|
||
|
|
<Image condition="image">expand.exe</Image> <!-- Windows: Expands one or more compressed files - Can fetch from UNC paths -->
|
||
|
|
<Image condition="image">extrac32.exe</Image> <!--Windows: Uncompress .cab files - Can fetch from UNC paths -->
|
||
|
|
<Image condition="image">findstr.exe</Image> <!-- Windows: Search for strings - Can fetch from UNC paths -->
|
||
|
|
<Image condition="image">GfxDownloadWrapper.exe</Image> <!-- Intel Graphics Control Panel: Remote file download -->
|
||
|
|
<Image condition="image">ieexec.exe</Image> <!-- Windows: Microsoft .NET Framework application - Download and execute from URLs -->
|
||
|
|
<Image condition="image">makecab.exe</Image> <!-- Windows: Packages existing files into a .cab - Can fetch from UNC paths -->
|
||
|
|
<Image condition="image">replace.exe</Image> <!-- Windows: Used to replace file with another file - Can fetch from UNC paths -->
|
||
|
|
<Image condition="image">Excel.exe</Image> <!-- Windows Office: Excel - Can download from URLs -->
|
||
|
|
<Image condition="image">Powerpnt.exe</Image> <!-- Windows Office: PowerPoint - Can download from URLs -->
|
||
|
|
<Image condition="image">Winword.exe</Image> <!-- Windows Office: Word - Can download from URLs -->
|
||
|
|
<Image condition="image">squirrel.exe</Image> <!-- Windows: Update the Nuget/Squirrel packages. Part of Teams. - Can download from URLs -->
|
||
|
|
<!--Relevant 3rd Party Tools-->
|
||
|
|
<Image condition="image">nc.exe</Image> <!-- Nmap's modern version of netcat [ https://nmap.org/ncat/guide/index.html#ncat-overview ] [ https://securityblog.gr/1517/create-backdoor-in-windows-with-ncat/ ] -->
|
||
|
|
<Image condition="image">ncat.exe</Image> <!-- Nmap's modern version of netcat [ https://nmap.org/ncat/guide/index.html#ncat-overview ] [ https://securityblog.gr/1517/create-backdoor-in-windows-with-ncat/ ] -->
|
||
|
|
<Image condition="image">psexec.exe</Image> <!--Sysinternals:PsExec client side | Credit @Cyb3rOps -->
|
||
|
|
<Image condition="image">psexesvc.exe</Image> <!--Sysinternals:PsExec server side | Credit @Cyb3rOps -->
|
||
|
|
<Image condition="image">tor.exe</Image> <!--Tor [ https://www.hybrid-analysis.com/sample/800bf028a23440134fc834efc5c1e02cc70f05b2e800bbc285d7c92a4b126b1c?environmentId=100 ] -->
|
||
|
|
<Image condition="image">vnc.exe</Image> <!-- VNC client | Credit @Cyb3rOps -->
|
||
|
|
<Image condition="image">vncservice.exe</Image> <!-- VNC server | Credit @Cyb3rOps -->
|
||
|
|
<Image condition="image">vncviewer.exe</Image> <!-- VNC client | Credit @Cyb3rOps -->
|
||
|
|
<Image condition="image">winexesvc.exe</Image> <!-- Winexe service executable | Credit @Cyb3rOps -->
|
||
|
|
<Image condition="image">nmap.exe</Image>
|
||
|
|
<Image condition="image">psinfo.exe</Image>
|
||
|
|
<!--Ports: Suspicious-->
|
||
|
|
<DestinationPort name="SSH" condition="is">22</DestinationPort> <!--SSH protocol, monitor admin connections-->
|
||
|
|
<DestinationPort name="Telnet" condition="is">23</DestinationPort> <!--Telnet protocol, monitor admin connections, insecure-->
|
||
|
|
<DestinationPort name="SMTP" condition="is">25</DestinationPort> <!--SMTP mail protocol port, insecure, used by threats-->
|
||
|
|
<DestinationPort name="IMAP" condition="is">143</DestinationPort> <!--IMAP mail protocol port, insecure, used by threats-->
|
||
|
|
<DestinationPort name="RDP" condition="is">3389</DestinationPort> <!--Windows:RDP: Monitor admin connections-->
|
||
|
|
<DestinationPort name="VNC" condition="is">5800</DestinationPort> <!--VNC protocol: Monitor admin connections, often insecure, using hard-coded admin password-->
|
||
|
|
<DestinationPort name="VNC" condition="is">5900</DestinationPort> <!--VNC protocol Monitor admin connections, often insecure, using hard-coded admin password-->
|
||
|
|
<DestinationPort name="Alert,Metasploit" condition="is">4444</DestinationPort>
|
||
|
|
<!--Ports: Proxy-->
|
||
|
|
<DestinationPort name="Proxy" condition="is">1080</DestinationPort> <!--Socks proxy port | Credit @ion-storm-->
|
||
|
|
<DestinationPort name="Proxy" condition="is">3128</DestinationPort> <!--Socks proxy port | Credit @ion-storm-->
|
||
|
|
<DestinationPort name="Proxy" condition="is">8080</DestinationPort> <!--Socks proxy port | Credit @ion-storm-->
|
||
|
|
<!--Ports: Tor-->
|
||
|
|
<DestinationPort name="Tor" condition="is">1723</DestinationPort> <!--Tor protocol [ https://attack.mitre.org/wiki/Technique/T1090 ] | Credit @ion-storm-->
|
||
|
|
<DestinationPort name="Tor" condition="is">9001</DestinationPort> <!--Tor protocol [ http://www.computerworlduk.com/tutorial/security/tor-enterprise-2016-blocking-malware-darknet-use-rogue-nodes-3633907/ ] -->
|
||
|
|
<DestinationPort name="Tor" condition="is">9030</DestinationPort> <!--Tor protocol [ http://www.computerworlduk.com/tutorial/security/tor-enterprise-2016-blocking-malware-darknet-use-rogue-nodes-3633907/ ] -->
|
||
|
|
</NetworkConnect>
|
||
|
|
</RuleGroup>
|
||
|
|
|
||
|
|
<RuleGroup name="" groupRelation="or">
|
||
|
|
<NetworkConnect onmatch="exclude">
|
||
|
|
<!--SECTION: Microsoft-->
|
||
|
|
<Image condition="begin with">C:\ProgramData\Microsoft\Windows Defender\Platform\</Image>
|
||
|
|
<Image condition="end with">AppData\Local\Microsoft\Teams\current\Teams.exe</Image> <!--Microsoft: Teams-->
|
||
|
|
<DestinationHostname condition="end with">.microsoft.com</DestinationHostname> <!--Microsoft:Update delivery-->
|
||
|
|
<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname> <!--Microsoft:Update delivery-->
|
||
|
|
<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname> <!--Microsoft:Update delivery-->
|
||
|
|
<!--OCSP known addresses-->
|
||
|
|
<DestinationIp condition="is">23.4.43.27</DestinationIp> <!--Digicert [ https://otx.alienvault.com/indicator/ip/23.4.43.27 ] -->
|
||
|
|
<DestinationIp condition="is">72.21.91.29</DestinationIp> <!--Digicert [ https://otx.alienvault.com/indicator/ip/72.21.91.29 ] -->
|
||
|
|
<!--Section: Loopback Addresses-->
|
||
|
|
<DestinationIp condition="is">127.0.0.1</DestinationIp> <!--Credit @ITProPaul-->
|
||
|
|
<DestinationIp condition="begin with">fe80:0:0:0</DestinationIp> <!--Credit @ITProPaul-->
|
||
|
|
</NetworkConnect>
|
||
|
|
</RuleGroup>
|
||
|
|
|
||
|
|
<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON SERVICE STATUS MESSAGES-->
|
||
|
|
|
||
|
|
<!--DATA: UtcTime, State, Version, SchemaVersion-->
|
||
|
|
<!--Cannot be filtered.-->
|
||
|
|
|
||
|
|
<!--SYSMON EVENT ID 5 : PROCESS ENDED [ProcessTerminate]-->
|
||
|
|
<!--COMMENT: Useful data in building infection timelines.-->
|
||
|
|
|
||
|
|
<!--DATA: UtcTime, ProcessGuid, ProcessId, Image-->
|
||
|
|
<RuleGroup name="" groupRelation="or">
|
||
|
|
<ProcessTerminate onmatch="include">
|
||
|
|
<Image condition="begin with">C:\Users</Image> <!--Process terminations by user binaries-->
|
||
|
|
<Image condition="begin with">\</Image> <!--Devices and VSC shouldn't be executing changes | Credit: @SBousseaden @ionstorm @neu5ron @PerchedSystems [ https://twitter.com/SwiftOnSecurity/status/1133167323991486464 ] -->
|
||
|
|
</ProcessTerminate>
|
||
|
|
</RuleGroup>
|
||
|
|
|
||
|
|
<RuleGroup name="" groupRelation="or">
|
||
|
|
<ProcessTerminate onmatch="exclude">
|
||
|
|
</ProcessTerminate>
|
||
|
|
</RuleGroup>
|
||
|
|
|
||
|
|
<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
|
||
|
|
<!--COMMENT: Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
|
||
|
|
about what you exclude from monitoring. Low event volume, little incentive to exclude.
|
||
|
|
[ https://attack.mitre.org/wiki/Technique/T1014 ] -->
|
||
|
|
<!--TECHNICAL: Sysmon will check the signing certificate revocation status of any driver you don't exclude.-->
|
||
|
|
|
||
|
|
<!--DATA: UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
|
||
|
|
<RuleGroup name="" groupRelation="or">
|
||
|
|
<DriverLoad onmatch="exclude">
|
||
|
|
<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft drivers-->
|
||
|
|
<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft drivers-->
|
||
|
|
<Signature condition="begin with">Intel </Signature> <!--Exclude signed Intel drivers-->
|
||
|
|
</DriverLoad>
|
||
|
|
</RuleGroup>
|
||
|
|
|
||
|
|
<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS [ImageLoad]-->
|
||
|
|
<!--COMMENT: Can cause high system load, disabled by default.-->
|
||
|
|
<!--COMMENT: [ https://attack.mitre.org/wiki/Technique/T1073 ] [ https://attack.mitre.org/wiki/Technique/T1038 ] [ https://attack.mitre.org/wiki/Technique/T1034 ] -->
|
||
|
|
|
||
|
|
<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
|
||
|
|
<RuleGroup name="" groupRelation="or">
|
||
|
|
<ImageLoad onmatch="include">
|
||
|
|
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
|
||
|
|
</ImageLoad>
|
||
|
|
</RuleGroup>
|
||
|
|
|
||
|
|
<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]-->
|
||
|
|
<!--COMMENT: Monitor for processes injecting code into other processes. Often used by malware to cloak their actions. Also when Firefox loads Flash.
|
||
|
|
[ https://attack.mitre.org/wiki/Technique/T1055 ] -->
|
||
|
|
|
||
|
|
<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->
|
||
|
|
<RuleGroup name="" groupRelation="or">
|
||
|
|
<CreateRemoteThread onmatch="exclude">
|
||
|
|
<!--COMMENT: Exclude mostly-safe sources and log anything else.-->
|
||
|
|
<SourceImage condition="is">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>
|
||
|
|
<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
|
||
|
|
<SourceImage condition="is">C:\Windows\system32\wininit.exe</SourceImage>
|
||
|
|
<SourceImage condition="is">C:\Windows\system32\csrss.exe</SourceImage>
|
||
|
|
<SourceImage condition="is">C:\Windows\system32\services.exe</SourceImage>
|
||
|
|
<SourceImage condition="is">C:\Windows\system32\winlogon.exe</SourceImage>
|
||
|
|
<SourceImage condition="is">C:\Windows\system32\audiodg.exe</SourceImage>
|
||
|
|
<StartModule condition="is">C:\Windows\system32\kernel32.dll</StartModule>
|
||
|
|
<TargetImage condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</TargetImage>
|
||
|
|
</CreateRemoteThread>
|
||
|
|
</RuleGroup>
|
||
|
|
|
||
|
|
<!--SYSMON EVENT ID 9 : RAW DISK ACCESS [RawAccessRead]-->
|
||
|
|
<!--EVENT 9: "RawAccessRead detected"-->
|
||
|
|
<!--COMMENT: Can cause high system load, disabled by default.-->
|
||
|
|
<!--COMMENT: Monitor for raw sector-level access to the disk, often used to bypass access control lists or access locked files.
|
||
|
|
Disabled by default since including even one entry here activates this component. Reward/performance/rule maintenance decision.
|
||
|
|
Encourage you to experiment with this feature yourself. [ https://attack.mitre.org/wiki/Technique/T1067 ] -->
|
||
|
|
<!--COMMENT: You will likely want to set this to a full capture on domain controllers, where no process should be doing raw reads.-->
|
||
|
|
|
||
|
|
<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, Device-->
|
||
|
|
<RuleGroup name="" groupRelation="or">
|
||
|
|
<RawAccessRead onmatch="include">
|
||
|
|
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
|
||
|
|
</RawAccessRead>
|
||
|
|
</RuleGroup>
|
||
|
|
|
||
|
|
<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS [ProcessAccess]-->
|
||
|
|
<!--EVENT 10: "Process accessed"-->
|
||
|
|
<!--COMMENT: Can cause high system load, disabled by default.-->
|
||
|
|
<!--COMMENT: Monitor for processes accessing other process' memory.-->
|
||
|
|
|
||
|
|
<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
|
||
|
|
<RuleGroup name="" groupRelation="or">
|
||
|
|
<ProcessAccess onmatch="include">
|
||
|
|
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
|
||
|
|
</ProcessAccess>
|
||
|
|
</RuleGroup>
|
||
|
|
|
||
|
|
<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
|
||
|
|
<!--EVENT 11: "File created"-->
|
||
|
|
<!--NOTE: Other filesystem "minifilters" can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
|
||
|
|
<!--NOTE: You may not see files detected by antivirus. Other filesystem minifilters, like antivirus, can act before Sysmon receives the alert a file was written.-->
|
||
|
|
|
||
|
|
<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
|
||
|
|
<RuleGroup name="" groupRelation="or">
|
||
|
|
<FileCreate onmatch="include">
|
||
|
|
<TargetFilename name="T1023" condition="contains">\Start Menu</TargetFilename> <!--Windows: Startup links and shortcut modification [ https://attack.mitre.org/wiki/Technique/T1023 ] -->
|
||
|
|
<TargetFilename name="T1165" condition="contains">\Startup\</TargetFilename> <!--Microsoft:Changes to user's auto-launched files and shortcuts-->
|
||
|
|
<TargetFilename name="OutlookAttachment" condition="contains">\Content.Outlook\</TargetFilename> <!--Microsoft:Outlook: attachments-->
|
||
|
|
<TargetFilename name="Downloads" condition="contains">\Downloads\</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
|
||
|
|
<TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
|
||
|
|
<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
|
||
|
|
<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
|
||
|
|
<TargetFilename condition="end with">.chm</TargetFilename>
|
||
|
|
<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
|
||
|
|
<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
|
||
|
|
<TargetFilename name="T1176" condition="end with">.crx</TargetFilename> <!--Chrome extension-->
|
||
|
|
<TargetFilename condition="end with">.dmp</TargetFilename> <!--Process dumps [ (fr) http://blog.gentilkiwi.com/securite/mimikatz/minidump ] -->
|
||
|
|
<TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
|
||
|
|
<TargetFilename name="DLL" condition="end with">.dll</TargetFilename> <!--Microsoft:Office:Word: Macro-->
|
||
|
|
<TargetFilename name="EXE" condition="end with">.exe</TargetFilename> <!--Executable-->
|
||
|
|
<TargetFilename name="ProcessHostingdotNETCode" condition="end with">.exe.log</TargetFilename> <!-- [ https://github.com/bitsadmin/nopowershell ] | Credit: @SBousseaden [ https://twitter.com/SBousseaden/status/1137493597769687040 ] -->
|
||
|
|
<TargetFilename condition="end with">.jar</TargetFilename> <!--Java applets-->
|
||
|
|
<TargetFilename condition="end with">.jnlp</TargetFilename> <!--Java applets-->
|
||
|
|
<TargetFilename condition="end with">.jse</TargetFilename> <!--Scripting [ Example: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Phires-C/detailed-analysis.aspx ] -->
|
||
|
|
<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
|
||
|
|
<TargetFilename condition="end with">.job</TargetFilename> <!--Scheduled task-->
|
||
|
|
<TargetFilename condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
|
||
|
|
<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
|
||
|
|
<TargetFilename condition="end with">.sct</TargetFilename> <!--Scripting | Credit @bartblaze -->
|
||
|
|
<TargetFilename condition="end with">.sys</TargetFilename> <!--System driver files-->
|
||
|
|
<TargetFilename condition="end with">.scr</TargetFilename> <!--System driver files-->
|
||
|
|
<TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting-->
|
||
|
|
<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
|
||
|
|
<TargetFilename condition="end with">.wsc</TargetFilename> <!--Scripting | Credit @bartblaze -->
|
||
|
|
<TargetFilename condition="end with">.wsf</TargetFilename> <!--Scripting | Credit @bartblaze -->
|
||
|
|
<TargetFilename condition="end with">.xlsm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
|
||
|
|
<TargetFilename condition="end with">.ocx</TargetFilename> <!--Microsoft:ActiveX-->
|
||
|
|
<TargetFilename condition="end with">proj</TargetFilename><!--Microsoft:MSBuild:Script: [ https://twitter.com/subTee/status/885919612969394177 ] -->
|
||
|
|
<TargetFilename condition="end with">.sln</TargetFilename><!--Microsoft:MSBuild:Script: [ https://twitter.com/subTee/status/885919612969394177 ] -->
|
||
|
|
<TargetFilename condition="end with">.xls</TargetFilename><!--Microsoft [ https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75 ] -->
|
||
|
|
<TargetFilename name="DefaultUserModified" condition="begin with">C:\Users\Default</TargetFilename> <!--Windows: Changes to default user profile-->
|
||
|
|
<TargetFilename condition="begin with">C:\Windows\system32\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
|
||
|
|
<TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
|
||
|
|
<TargetFilename name="T1037,T1484" condition="begin with">C:\Windows\system32\GroupPolicy\Machine\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
|
||
|
|
<TargetFilename name="T1037,T1484" condition="begin with">C:\Windows\system32\GroupPolicy\User\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
|
||
|
|
<TargetFilename condition="begin with">C:\Windows\system32\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
|
||
|
|
<TargetFilename condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
|
||
|
|
<TargetFilename condition="begin with">C:\Windows\system32\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
|
||
|
|
<TargetFilename condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
|
||
|
|
<TargetFilename name="T1053" condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks [ https://attack.mitre.org/wiki/Technique/T1053 ] -->
|
||
|
|
<TargetFilename name="T1053" condition="begin with">C:\Windows\system32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks [ https://attack.mitre.org/wiki/Technique/T1053 ] -->
|
||
|
|
<TargetFilename name="T1053" condition="begin with">C:\Windows\SysWOW64\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks [ https://attack.mitre.org/wiki/Technique/T1053 ] -->
|
||
|
|
<Image condition="begin with">\Device\HarddiskVolumeShadowCopy</Image> <!--Nothing should be executing from VSC | Credit: @SBousseaden [ https://twitter.com/SBousseaden/status/1133030955407630336 ] -->
|
||
|
|
<!--Windows application compatibility-->
|
||
|
|
<TargetFilename condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename> <!--Windows: Application compatibility shims [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
|
||
|
|
<TargetFilename condition="contains">VirtualStore</TargetFilename> <!--Windows: UAC virtualization [ https://blogs.msdn.microsoft.com/oldnewthing/20150902-00/?p=91681 ] -->
|
||
|
|
<!--Exploitable file names-->
|
||
|
|
<TargetFilename condition="end with">.xls</TargetFilename> <!--Legacy Office files are often used for attacks-->
|
||
|
|
<TargetFilename condition="end with">.ppt</TargetFilename> <!--Legacy Office files are often used for attacks-->
|
||
|
|
<TargetFilename condition="end with">.rtf</TargetFilename> <!--RTF files often 0day malware vectors when opened by Office-->
|
||
|
|
</FileCreate>
|
||
|
|
</RuleGroup>
|
||
|
|
|
||
|
|
<RuleGroup name="" groupRelation="or">
|
||
|
|
<FileCreate onmatch="exclude">
|
||
|
|
<!--SECTION: Microsoft-->
|
||
|
|
<Image condition="is">C:\Program Files (x86)\EMET 5.5\EMET_Service.exe</Image> <!--Microsoft:EMET: Writes to C:\Windows\AppPatch\-->
|
||
|
|
<!--SECTION: Microsoft:Office:Click2Run-->
|
||
|
|
<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!-- Microsoft:Office Click2Run-->
|
||
|
|
<!--SECTION: Windows-->
|
||
|
|
<Image condition="is">C:\Windows\system32\smss.exe</Image> <!-- Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
|
||
|
|
<Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image> <!-- Windows: Windows 10 app, creates tons of cache files-->
|
||
|
|
<Image condition="is">\\?\C:\Windows\system32\wbem\WMIADAP.EXE</Image> <!-- Windows: WMI Performance updates-->
|
||
|
|
<Image condition="is">C:\Windows\system32\mobsync.exe</Image> <!--Windows: Network file syncing-->
|
||
|
|
<TargetFilename condition="begin with">C:\Windows\system32\DriverStore\Temp\</TargetFilename> <!-- Windows: Temp files by DrvInst.exe-->
|
||
|
|
<TargetFilename condition="begin with">C:\Windows\system32\wbem\Performance\</TargetFilename> <!-- Windows: Created in wbem by WMIADAP.exe-->
|
||
|
|
<TargetFilename condition="begin with">C:\Windows\Installer\</TargetFilename> <!--Windows:Installer: Ignore MSI installer files caching-->
|
||
|
|
<!--SECTION: Windows:Updates-->
|
||
|
|
<TargetFilename condition="begin with">C:\$WINDOWS.~BT\Sources\</TargetFilename> <!-- Windows: Feature updates containing lots of .exe and .sys-->
|
||
|
|
<Image condition="begin with">C:\Windows\winsxs\amd64_microsoft-windows</Image> <!-- Windows: Windows update-->
|
||
|
|
</FileCreate>
|
||
|
|
</RuleGroup>
|
||
|
|
|
||
|
|
<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->
|
||
|
|
<!--EVENT 12: "Registry object added or deleted"-->
|
||
|
|
<!--EVENT 13: "Registry value set"-->
|
||
|
|
<!--EVENT 14: "Registry objected renamed"-->
|
||
|
|
|
||
|
|
<!--NOTE: Windows writes hundreds or thousands of registry keys a minute, so just because you're not changing things, doesn't mean these rules aren't being run.-->
|
||
|
|
<!--NOTE: You do not have to spend a lot of time worrying about performance, CPUs are fast, but it's something to consider. Every rule and condition type has a small cost.-->
|
||
|
|
<!--NOTE: "contains" works by finding the first letter, then matching the second, etc, so the first letters should be as low-occurrence as possible.-->
|
||
|
|
<!--NOTE: [ https://attack.mitre.org/wiki/Technique/T1112 ] -->
|
||
|
|
|
||
|
|
<!--TECHNICAL: You cannot filter on the "Details" attribute, due to performance issues when very large keys are written, and variety of data formats-->
|
||
|
|
<!--TECHNICAL: Possible prefixes are HKLM, HKCR, and HKU-->
|
||
|
|
<!--CRITICAL: Schema version 3.30 and higher change HKLM\="\REGISTRY\MACHINE\" and HKU\="\REGISTRY\USER\" and HKCR\="\REGISTRY\MACHINE\SOFTWARE\Classes\" and CurrentControlSet="ControlSet001"-->
|
||
|
|
<!--CRITICAL: Due to a bug, Sysmon versions BEFORE 7.01 may not properly log with the new prefix style for registry keys that was originally introduced in schema version 3.30-->
|
||
|
|
<!--NOTE: Because Sysmon runs as a service, it has no filtering ability for, or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation-->
|
||
|
|
|
||
|
|
<!-- ! CRITICAL NOTE !: It may appear this section is MISSING important entries, but SOME RULES MONITOR MANY KEYS, so look VERY CAREFULLY to see if something is already covered.
|
||
|
|
Sysmon's wildcard monitoring along with highly-tuned generic strings cuts the rulesets down immensely, compared to doing this in other tools.
|
||
|
|
For example, most COM hijacking in CLSID's across the registry is covered by a single rule monitoring a InProcServer32 wildcard-->
|
||
|
|
|
||
|
|
<!--DATA: EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, Details (can't filter on), NewName (can't filter on)-->
|
||
|
|
<RuleGroup name="" groupRelation="or">
|
||
|
|
<RegistryEvent onmatch="include">
|
||
|
|
<!--Autorun or Startups-->
|
||
|
|
<!--ADDITIONAL REFERENCE: [ http://www.ghacks.net/2016/06/04/windows-automatic-startup-locations/ ] -->
|
||
|
|
<!--ADDITIONAL REFERENCE: [ https://view.officeapps.live.com/op/view.aspx?src=https://arsenalrecon.com/downloads/resources/Registry_Keys_Related_to_Autorun.ods ] -->
|
||
|
|
<!--ADDITIONAL REFERENCE: [ http://www.silentrunners.org/launchpoints.html ] -->
|
||
|
|
<!--ADDITIONAL REFERENCE: [ https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2 ] -->
|
||
|
|
<!--ADDITIONAL REFERENCE: [ https://web.archive.org/web/20200116001643/http://scholarworks.rit.edu/cgi/viewcontent.cgi?article=1533&context=theses | Understanding malware autostart techniques - Matthew Gottlieb ] -->
|
||
|
|
<TargetObject name="T1060,RunKey" condition="contains">CurrentVersion\Run</TargetObject> <!--Windows: Wildcard for Run keys, including RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server] -->
|
||
|
|
<TargetObject name="T1060,RunPolicy" condition="contains">Policies\Explorer\Run</TargetObject> <!--Windows: Alternate runs keys | Credit @ion-storm-->
|
||
|
|
<TargetObject name="T1484" condition="contains">Group Policy\Scripts</TargetObject> <!--Windows: Group policy scripts-->
|
||
|
|
<TargetObject name="T1484" condition="contains">Windows\System\Scripts</TargetObject> <!--Windows: Wildcard for Logon, Loggoff, Shutdown-->
|
||
|
|
<TargetObject name="T1060" condition="contains">CurrentVersion\Windows\Load</TargetObject> <!--Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
|
||
|
|
<TargetObject name="T1060" condition="contains">CurrentVersion\Windows\Run</TargetObject> <!--Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
|
||
|
|
<TargetObject name="T1060" condition="contains">CurrentVersion\Winlogon\Shell</TargetObject> <!--Windows: [ https://msdn.microsoft.com/en-us/library/ms838576(v=winembedded.5).aspx ] -->
|
||
|
|
<TargetObject name="T1060" condition="contains">CurrentVersion\Winlogon\System</TargetObject> <!--Windows [ https://www.exterminate-it.com/malpedia/regvals/zlob-dns-changer/118 ] -->
|
||
|
|
<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify</TargetObject> <!--Windows: Autorun location [ https://attack.mitre.org/wiki/Technique/T1004 ] [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
|
||
|
|
<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject> <!--Windows: [ https://technet.microsoft.com/en-us/library/ee851671.aspx ] -->
|
||
|
|
<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit</TargetObject> <!--Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
|
||
|
|
<TargetObject condition="begin with">HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Windows: Legacy driver loading | Credit @ion-storm -->
|
||
|
|
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
|
||
|
|
<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject> <!--Windows: Automatic program crash debug program [ https://www.symantec.com/security_response/writeup.jsp?docid=2007-050712-5453-99&tabid=2 ] -->
|
||
|
|
<TargetObject condition="contains">UserInitMprLogonScript</TargetObject> <!--Windows: Legacy logon script environment variable [ http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ ] -->
|
||
|
|
<TargetObject name="T1112,ChangeStartupFolderPath" condition="end with">user shell folders\startup</TargetObject> <!--Monitor changes to Startup folder location for monitoring evasion | Credit @SBousseaden-->
|
||
|
|
<!--Services-->
|
||
|
|
<TargetObject name="T1031,T1050" condition="end with">\ServiceDll</TargetObject> <!--Windows: Points to a service's DLL [ https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services ] -->
|
||
|
|
<TargetObject name="T1031,T1050" condition="end with">\ServiceManifest</TargetObject> <!--Windows: Manifest pointing to service's DLL [ https://www.geoffchappell.com/studies/windows/win32/services/svchost/index.htm ] -->
|
||
|
|
<TargetObject name="T1031,T1050" condition="end with">\ImagePath</TargetObject> <!--Windows: Points to a service's EXE [ https://attack.mitre.org/wiki/Technique/T1050 ] -->
|
||
|
|
<TargetObject name="T1031,T1050" condition="end with">\Start</TargetObject> <!--Windows: Services start mode changes (Disabled, Automatically, Manual)-->
|
||
|
|
<!--RDP-->
|
||
|
|
<TargetObject name="RDP port change" condition="end with">Control\Terminal Server\WinStations\RDP-Tcp\PortNumber</TargetObject> <!--Windows: RDP port change under Control [ https://blog.menasec.net/2019/02/of-rdp-hijacking-part1-remote-desktop.html ]-->
|
||
|
|
<TargetObject name="RDP port change" condition="end with">Control\Terminal Server\fSingleSessionPerUser</TargetObject> <!--Windows: Allow same user to have mutliple RDP sessions, to hide from admin being impersonated-->
|
||
|
|
<TargetObject name="ModifyRemoteDesktopState" condition="end with">fDenyTSConnections</TargetObject> <!--Windows: Attacker turning on RDP-->
|
||
|
|
<TargetObject condition="end with">LastLoggedOnUser</TargetObject> <!--Windows: Changing last-logged in user-->
|
||
|
|
<TargetObject name="ModifyRemoteDesktopPort" condition="end with">RDP-tcp\PortNumber</TargetObject> <!--Windows: Changing RDP port to evade IDS-->
|
||
|
|
<TargetObject condition="end with">Services\PortProxy\v4tov4</TargetObject> <!--Windows: Changing RDP port to evade IDS-->
|
||
|
|
<!--CLSID launch commands and Default File Association changes-->
|
||
|
|
<TargetObject name="T1042" condition="contains">\command\</TargetObject> <!--Windows: Sensitive sub-key under file associations and CLSID that map to launch command-->
|
||
|
|
<TargetObject name="T1122" condition="contains">\ddeexec\</TargetObject> <!--Windows: Sensitive sub-key under file associations and CLSID that map to launch command-->
|
||
|
|
<TargetObject name="T1122" condition="contains">{86C86720-42A0-1069-A2E8-08002B30309D}</TargetObject> <!--Windows: Tooltip handler-->
|
||
|
|
<TargetObject name="T1042" condition="contains">exefile</TargetObject> <!--Windows Executable handler, to log any changes not already monitored-->
|
||
|
|
<!--Windows COM-->
|
||
|
|
<TargetObject name="T1122" condition="end with">\InprocServer32\(Default)</TargetObject> <!--Windows:COM Object Hijacking [ https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence ] | Credit @ion-storm -->
|
||
|
|
<!--Windows shell visual modifications used by malware-->
|
||
|
|
<TargetObject name="T1158" condition="end with">\Hidden</TargetObject> <!--Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event -->
|
||
|
|
<TargetObject name="T1158" condition="end with">\ShowSuperHidden</TargetObject> <!--Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ] -->
|
||
|
|
<TargetObject name="T1158" condition="end with">\HideFileExt</TargetObject> <!--Windows:Explorer: Some malware hides file extensions to make diagnosis/disinfection more daunting to novice users -->
|
||
|
|
<!--Windows shell hijack and modifications-->
|
||
|
|
<TargetObject condition="contains">Classes\*\</TargetObject> <!--Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
|
||
|
|
<TargetObject condition="contains">Classes\AllFilesystemObjects\</TargetObject> <!--Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
|
||
|
|
<TargetObject condition="contains">Classes\Directory\</TargetObject> <!--Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
|
||
|
|
<TargetObject condition="contains">Classes\Drive\</TargetObject> <!--Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
|
||
|
|
<TargetObject condition="contains">Classes\Folder\</TargetObject> <!--Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
|
||
|
|
<TargetObject condition="contains">Classes\PROTOCOLS\</TargetObject> <!--Windows:Explorer: Protocol handlers-->
|
||
|
|
<TargetObject condition="contains">ContextMenuHandlers\</TargetObject> <!--Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
|
||
|
|
<TargetObject condition="contains">CurrentVersion\Shell</TargetObject> <!--Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
|
||
|
|
<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Windows: ShellExecuteHooks-->
|
||
|
|
<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad</TargetObject> <!--Windows: ShellExecuteHooks-->
|
||
|
|
<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject> <!--Windows: ShellExecuteHooks-->
|
||
|
|
<!--AppPaths hijacking-->
|
||
|
|
<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
|
||
|
|
<!--Terminal service boobytrap-->
|
||
|
|
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject> <!--Windows:RDP: Note other Terminal Server run keys are handled by another wildcard already-->
|
||
|
|
<!--Group Policy integrity-->
|
||
|
|
<TargetObject name="T1484" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject> <!--Windows: Group Policy internally uses a plug-in architecture that nothing should be modifying-->
|
||
|
|
<!--Winsock and Winsock2-->
|
||
|
|
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock</TargetObject> <!--Windows: Wildcard, includes Winsock and Winsock2-->
|
||
|
|
<TargetObject condition="end with">\ProxyServer</TargetObject> <!--Windows: System and user proxy server-->
|
||
|
|
<!--Credential providers-->
|
||
|
|
<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credential Providers and Credential Provider Filters-->
|
||
|
|
<TargetObject name="T1101" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1131 ] [ https://attack.mitre.org/wiki/Technique/T1101 ] -->
|
||
|
|
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders</TargetObject> <!--Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
|
||
|
|
<TargetObject condition="begin with">HKLM\Software\Microsoft\Netsh</TargetObject> <!--Windows: Netsh helper DLL [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
|
||
|
|
<TargetObject condition="contains">Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable</TargetObject> <!--Windows: Malware often disables a web proxy for 2nd stage downloads -->
|
||
|
|
<!--Networking-->
|
||
|
|
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
|
||
|
|
<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> <!--Windows: | Credit @ion-storm -->
|
||
|
|
<TargetObject name="T1089" condition="end with">\EnableFirewall</TargetObject> <!--Windows: Monitor for firewall disablement, all firewall profiles [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
|
||
|
|
<TargetObject name="T1089" condition="end with">\DoNotAllowExceptions</TargetObject> <!--Windows: Monitor for firewall disablement, all firewall profiles [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
|
||
|
|
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject> <!--Windows Firewall authorized applications for all networks| Credit @ion-storm -->
|
||
|
|
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List</TargetObject> <!--Windows Firewall authorized applications for domain networks -->
|
||
|
|
<!--DLLs that get injected into every process at launch-->
|
||
|
|
<TargetObject name="T1103" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Windows: Feature disabled by default [ https://attack.mitre.org/wiki/Technique/T1103 ] -->
|
||
|
|
<TargetObject name="T1103" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Windows: Feature disabled by default [ https://attack.mitre.org/wiki/Technique/T1103 ] -->
|
||
|
|
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] [ https://blog.comodo.com/malware/trojware-win32-trojanspy-volisk-a/ ] -->
|
||
|
|
<!--Office-->
|
||
|
|
<TargetObject name="T1137" condition="contains">Microsoft\Office\Outlook\Addins\</TargetObject> <!--Microsoft:Office: Outlook add-ins, access to sensitive data and often cause issues-->
|
||
|
|
<TargetObject name="T1137" condition="contains">Office Test\</TargetObject> <!-- Microsoft:Office: Persistence method [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn -->
|
||
|
|
<TargetObject name="Context,ProtectedModeExitOrMacrosUsed" condition="contains">Security\Trusted Documents\TrustRecords</TargetObject> <!--Microsoft:Office: Monitor when "Enable editing" or "Enable macros" is used | Credit @OutflankNL | [ https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/ ] -->
|
||
|
|
<TargetObject name="Context,ContactedDomain" condition="end with">\EnableBHO</TargetObject> <!--Microsoft:Office: Contacted domains stored here 'HKEY_CURRENT_USER\<SID>\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache\<domain>\EnableBHO' -->
|
||
|
|
<!--IE-->
|
||
|
|
<TargetObject name="T1176" condition="contains">Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ Example: https://www.exterminate-it.com/malpedia/remove-mywebsearch ] -->
|
||
|
|
<TargetObject name="T1176" condition="contains">Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ Example: https://www.exterminate-it.com/malpedia/remove-mywebsearch ] -->
|
||
|
|
<TargetObject name="T1176" condition="contains">Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
|
||
|
|
<TargetObject condition="end with">\DisableSecuritySettingsCheck</TargetObject>
|
||
|
|
<TargetObject condition="end with">\3\1206</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
|
||
|
|
<TargetObject condition="end with">\3\2500</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
|
||
|
|
<TargetObject condition="end with">\3\1809</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
|
||
|
|
<!--Magic registry keys-->
|
||
|
|
<TargetObject condition="begin with">HKLM\Software\Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\</TargetObject> <!--Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
|
||
|
|
<TargetObject condition="begin with">HKLM\Software\Classes\WOW6432Node\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\</TargetObject> <!--Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
|
||
|
|
<TargetObject condition="begin with">HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\</TargetObject> <!--Windows: DirectX instances-->
|
||
|
|
<TargetObject condition="begin with">HKLM\Software\Classes\WOW6432Node\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\</TargetObject> <!--Windows: DirectX instances-->
|
||
|
|
<!--Install/Run artifacts-->
|
||
|
|
<TargetObject condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: Source URL is stored in this value [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
|
||
|
|
<TargetObject condition="end with">\InstallSource</TargetObject> <!--Windows: Source folder for certain program and component installations-->
|
||
|
|
<TargetObject name="Alert,Sysinternals Tool Used" condition="end with">\EulaAccepted</TargetObject> <!--Sysinternals tool launched. Lots of useful abilities for attackers -->
|
||
|
|
<!--Antivirus tampering-->
|
||
|
|
<TargetObject name="T1089,Tamper-Defender" condition="end with">\DisableAntiSpyware</TargetObject> <!--Windows:Defender: State modified via registry-->
|
||
|
|
<TargetObject name="T1089,Tamper-Defender" condition="end with">\DisableAntiVirus</TargetObject> <!--Windows:Defender: State modified via registry-->
|
||
|
|
<TargetObject name="T1089,Tamper-Defender" condition="end with">\SpynetReporting</TargetObject> <!--Windows:Defender: State modified via registry-->
|
||
|
|
<TargetObject name="T1089,Tamper-Defender" condition="end with">DisableRealtimeMonitoring</TargetObject> <!--Windows:Defender: State modified via registry-->
|
||
|
|
<TargetObject name="T1089,Tamper-Defender" condition="end with">\SubmitSamplesConsent</TargetObject> <!--Windows:Defender: State modified via registry-->
|
||
|
|
<TargetObject name="T1562,Tamper-Defender" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\</TargetObject> <!--Windows:Defender: Exclusions in policy key-->
|
||
|
|
<!--Windows UAC tampering-->
|
||
|
|
<TargetObject name="T1088" condition="end with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject> <!--Detect: UAC Tampering | Credit @ion-storm -->
|
||
|
|
<TargetObject name="T1088" condition="end with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject> <!--Detect: UAC Tampering | Credit @ion-storm -->
|
||
|
|
<!--Microsoft Security Center tampering | Credit @ion-storm -->
|
||
|
|
<TargetObject name="T1089,Tamper-SecCenter" condition="end with">HKLM\Software\Microsoft\Security Center\</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
|
||
|
|
<TargetObject name="T1089,Tamper-SecCenter" condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth</TargetObject> <!--Windows:Security Center: Malware sometimes disables [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
|
||
|
|
<!--Windows application compatibility-->
|
||
|
|
<TargetObject name="T1138,AppCompatShim" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
|
||
|
|
<TargetObject name="T1138,AppCompatShim" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Windows: AppCompat [ https://attack.mitre.org/wiki/Technique/T1138 ] -->
|
||
|
|
<TargetObject condition="contains">VirtualStore</TargetObject> <!--Windows: Registry virtualization, something's wrong if it's in use [ https://msdn.microsoft.com/en-us/library/windows/desktop/aa965884(v=vs.85).aspx ] -->
|
||
|
|
<!--Windows internals integrity monitoring-->
|
||
|
|
<TargetObject name="T1183,IFEO" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject> <!--Windows: Malware likes changing IFEO, like adding Debugger to disable antivirus EXE-->
|
||
|
|
<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject> <!--Windows: Event log system integrity and ACLs-->
|
||
|
|
<TargetObject name="Tamper-Safemode" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject> <!--Windows: Services approved to load in safe mode. Almost nothing should ever modify this.-->
|
||
|
|
<TargetObject name="Tamper-Winlogon" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Windows: Providers notified by WinLogon-->
|
||
|
|
<TargetObject name="Context,DeviceConnectedOrUpdated" condition="end with">\FriendlyName</TargetObject> <!--Windows: New devices connected and remembered-->
|
||
|
|
<TargetObject name="Context,MsiInstallerStarted" condition="is">HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Windows: See when WindowsInstaller is engaged, useful for timeline matching with other events-->
|
||
|
|
<TargetObject name="Tamper-Tracing" condition="begin with">HKLM\Software\Microsoft\Tracing\RASAPI32</TargetObject> <!--Windows: Malware sometimes disables tracing to obfuscate tracks-->
|
||
|
|
<TargetObject name="Context,ProcessAccessedPrivateResource" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\</TargetObject> <!-- Windows: Win10 tracks when and what process uses webcam/microphone/location etc [ https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072 ] -->
|
||
|
|
<TargetObject condition="contains">\Keyboard Layout\Preload</TargetObject> <!--Microsoft:Windows: Keyboard layout loaded into user session [ https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index ] | Credit @cyb3rops -->
|
||
|
|
<TargetObject condition="contains">\Keyboard Layout\Substitutes</TargetObject> <!--Microsoft:Windows: Keyboard layout loaded into user session [ https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index ] | Credit @cyb3rops -->
|
||
|
|
<!--Windows inventory events-->
|
||
|
|
<TargetObject name="InvDB-Path" condition="end with">\LowerCaseLongPath</TargetObject> <!-- [ https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html ] -->
|
||
|
|
<TargetObject name="InvDB-Pub" condition="end with">\Publisher</TargetObject> <!-- [ https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html ] -->
|
||
|
|
<TargetObject name="InvDB-Ver" condition="end with">\BinProductVersion</TargetObject> <!-- [ https://docs.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709 ] -->
|
||
|
|
<TargetObject name="InvDB-DriverVer" condition="end with">\DriverVersion</TargetObject> <!-- [ https://df-stream.com/2015/02/leveraging-devicecontainers-key/ ] -->
|
||
|
|
<TargetObject name="InvDB-DriverVer" condition="end with">\DriverVerVersion</TargetObject> <!-- [ https://df-stream.com/2015/02/leveraging-devicecontainers-key/ ] -->
|
||
|
|
<TargetObject name="InvDB-CompileTimeClaim" condition="end with">\LinkDate</TargetObject> <!-- Compile time of EXE, may not be reliable [ https://en.wikipedia.org/wiki/Link_time ] -->
|
||
|
|
<TargetObject name="InvDB" condition="contains">Compatibility Assistant\Store\</TargetObject> <!-- Inventory -->
|
||
|
|
<!--Suspicious sources-->
|
||
|
|
<Image name="Suspicious,ImageBeginWithBackslash" condition="end with">regedit.exe</Image> <!--Users and helpdesk staff making system modifications -->
|
||
|
|
<Image name="Suspicious,ImageBeginWithBackslash" condition="begin with">\</Image> <!--Devices and VSC shouldn't be executing changes | Credit: @SBousseaden @ionstorm @neu5ron @PerchedSystems [ https://twitter.com/SwiftOnSecurity/status/1133167323991486464 ] -->
|
||
|
|
</RegistryEvent>
|
||
|
|
</RuleGroup>
|
||
|
|
|
||
|
|
<RuleGroup name="" groupRelation="or">
|
||
|
|
<RegistryEvent onmatch="exclude">
|
||
|
|
<!--COMMENT: Remove low-information noise. Often these hide a procress recreating an empty key and do not hide the values created subsequently.-->
|
||
|
|
<!--NOTE: A lot of noise can be removed by excluding CreateKey events, which are largely innocuous-->
|
||
|
|
<TargetObject condition="contains">\{CAFEEFAC-</TargetObject>
|
||
|
|
<EventType condition="is">CreateKey</EventType>
|
||
|
|
<TargetObject condition="begin with">HKLM\COMPONENTS</TargetObject>
|
||
|
|
<!--Inventory noise-->
|
||
|
|
<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache</TargetObject>
|
||
|
|
<!--Misc-->
|
||
|
|
<TargetObject condition="end with">Toolbar\WebBrowser</TargetObject> <!--Microsoft:IE: Extraneous activity-->
|
||
|
|
<TargetObject condition="end with">Browser\ITBar7Height</TargetObject> <!--Microsoft:IE: Extraneous activity, covers ShellBrowser and WebBrowser-->
|
||
|
|
<TargetObject condition="end with">Browser\ITBar7Layout</TargetObject> <!--Microsoft:IE: Extraneous activity-->
|
||
|
|
<TargetObject condition="end with">Internet Explorer\Toolbar\Locked</TargetObject> <!--Windows:Explorer: Extraneous activity-->
|
||
|
|
<TargetObject condition="end with">Toolbar\WebBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93}</TargetObject> <!--Windows:Explorer: Extraneous activity-->
|
||
|
|
<TargetObject condition="end with">}\PreviousPolicyAreas</TargetObject> <!--Windows: Remove noise from \Winlogon\GPExtensions by svchost.exe-->
|
||
|
|
<TargetObject condition="contains">\Control\WMI\Autologger\</TargetObject> <!--Windows: Remove noise from monitoring "\Start"-->
|
||
|
|
<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start</TargetObject> <!--Windows: Remove noise from monitoring "\Start"-->
|
||
|
|
<TargetObject condition="end with">\Lsa\OfflineJoin\CurrentValue</TargetObject> <!--Windows: Sensitive value during domain join-->
|
||
|
|
<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\</TargetObject> <!--Windows: Remove noise monitoring installations run as system-->
|
||
|
|
<TargetObject condition="contains">_Classes\AppX</TargetObject> <!--Windows: Remove noise monitoring "Shell\open\command"--> <!--Win8+-->
|
||
|
|
<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject> <!--Windows: SvcHost Noise-->
|
||
|
|
<!--Bootup Control noise-->
|
||
|
|
<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaPid</TargetObject> <!--Windows:lsass.exe: Boot noise-->
|
||
|
|
<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache</TargetObject> <!--Windows:lsass.exe: Boot noise--> <!--Win8+-->
|
||
|
|
<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains</TargetObject> <!--Windows:lsass.exe: Boot noise--> <!--Win8+-->
|
||
|
|
<!--Services startup settings noise, some low-risk services routinely change it and this can be ignored-->
|
||
|
|
<TargetObject condition="end with">\Services\BITS\Start</TargetObject> <!--Windows: Remove noise from monitoring "\Start"-->
|
||
|
|
<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_32\Start</TargetObject> <!--Microsoft:dotNet: Windows 7-->
|
||
|
|
<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_64\Start</TargetObject> <!--Microsoft:dotNet: Windows 7-->
|
||
|
|
<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_32\Start</TargetObject> <!--Microsoft:dotNet: Windows 10-->
|
||
|
|
<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_64\Start</TargetObject> <!--Microsoft:dotNet: Windows 10-->
|
||
|
|
<TargetObject condition="end with">\services\deviceAssociationService\Start</TargetObject> <!--Windows: Remove noise from monitoring "\Start"-->
|
||
|
|
<TargetObject condition="end with">\services\fhsvc\Start</TargetObject> <!--Windows: File History Service-->
|
||
|
|
<TargetObject condition="end with">\services\nal\Start</TargetObject> <!--Intel: Network adapter diagnostic driver-->
|
||
|
|
<TargetObject condition="end with">\services\trustedInstaller\Start</TargetObject> <!--Windows: Remove noise from monitoring "\Start"-->
|
||
|
|
<TargetObject condition="end with">\services\tunnel\Start</TargetObject> <!--Windows: Remove noise from monitoring "\Start"-->
|
||
|
|
<TargetObject condition="end with">\services\usoSvc\Start</TargetObject> <!--Windows: Remove noise from monitoring "\Start"-->
|
||
|
|
<!--FileExts noise filtering-->
|
||
|
|
<TargetObject condition="end with">\UserChoice\ProgId</TargetObject> <!--Windows: Remove noise from monitoring "FileExts"--> <!--Win8+-->
|
||
|
|
<TargetObject condition="end with">\UserChoice\Hash</TargetObject> <!--Windows: Remove noise from monitoring "FileExts"--> <!--Win8+-->
|
||
|
|
<TargetObject condition="end with">\OpenWithList\MRUList</TargetObject> <!--Windows: Remove noise from monitoring "FileExts"-->
|
||
|
|
<TargetObject condition="contains">Shell Extentions\Cached</TargetObject> <!--Windows: Remove noise generated by explorer.exe on monitored ShellCached binary keys--> <!--Win8+-->
|
||
|
|
<!--Group Policy noise-->
|
||
|
|
<TargetObject condition="end with">HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups</TargetObject> <!--Windows: Routinely set through Group Policy, not especially important to log-->
|
||
|
|
<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\PSScriptOrder</TargetObject> <!--Windows:Group Policy: Noise below the actual key while building-->
|
||
|
|
<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\SOM-ID</TargetObject> <!--Windows:Group Policy: Noise below the actual key while building-->
|
||
|
|
<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\GPO-ID</TargetObject> <!--Windows:Group Policy: Noise below the actual key while building-->
|
||
|
|
<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\IsPowershell</TargetObject> <!--Windows:Group Policy: Noise below the actual key while building-->
|
||
|
|
<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\ExecTime</TargetObject> <!--Windows:Group Policy: Noise below the actual key while building-->
|
||
|
|
<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\PSScriptOrder</TargetObject> <!--Windows:Group Policy: Noise below the actual key while building-->
|
||
|
|
<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\SOM-ID</TargetObject> <!--Windows:Group Policy: Noise below the actual key while building-->
|
||
|
|
<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\GPO-ID</TargetObject> <!--Windows:Group Policy: Noise below the actual key while building-->
|
||
|
|
<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\IsPowershell</TargetObject> <!--Windows:Group Policy: Noise below the actual key while building-->
|
||
|
|
<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\ExecTime</TargetObject> <!--Windows:Group Policy: Noise below the actual key while building-->
|
||
|
|
<TargetObject condition="contains">\safer\codeidentifiers\0\HASHES\{</TargetObject> <!--Windows: Software Restriction Policies. Can be used to disable security tools, but very noisy to monitor if you use it-->
|
||
|
|
<!--SECTION: Office C2R-->
|
||
|
|
<TargetObject condition="contains">VirtualStore\MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\</TargetObject> <!--Microsoft: SearchProtocolHost writes to OfficeC2R registry for Outlook, seemingly regarding mail indexing-->
|
||
|
|
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Office\ClickToRun\</TargetObject> <!--Microsoft: Virtual registry for Office-->
|
||
|
|
<!--SECTION: 3rd party-->
|
||
|
|
<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image> <!--Constantly writes to HKLM-->
|
||
|
|
<TargetObject condition="begin with">HKCR\VLC.</TargetObject> <!--VLC update noise-->
|
||
|
|
<TargetObject condition="begin with">HKCR\iTunes.</TargetObject> <!--Apple: iTunes update noise-->
|
||
|
|
<!--WINEVT publishers noise-->
|
||
|
|
<TargetObject condition="is">HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{945a8954-c147-4acd-923f-40c45405a658}</TargetObject> <!--Windows update-->
|
||
|
|
</RegistryEvent>
|
||
|
|
</RuleGroup>
|
||
|
|
|
||
|
|
<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
|
||
|
|
<!--EVENT 15: "File stream created"-->
|
||
|
|
<!--COMMENT: Any files created with an NTFS Alternate Data Stream which match these rules will be hashed and logged.
|
||
|
|
[ https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/ ]
|
||
|
|
ADS's are used by browsers and email clients to mark files as originating from the Internet or other foreign sources.
|
||
|
|
[ https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/ ] -->
|
||
|
|
<!--NOTE: Other filesystem minifilters can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
|
||
|
|
|
||
|
|
<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, Hash-->
|
||
|
|
<FileCreateStreamHash onmatch="include">
|
||
|
|
<TargetFilename condition="contains">Downloads</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
|
||
|
|
<TargetFilename condition="contains">Temp\7z</TargetFilename> <!--7zip extractions-->
|
||
|
|
<TargetFilename condition="contains">Startup</TargetFilename> <!--ADS startup | Example: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
|
||
|
|
<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
|
||
|
|
<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting | Credit @ion-storm -->
|
||
|
|
<TargetFilename condition="end with">.doc</TargetFilename> <!--Office doc potentially with macro -->
|
||
|
|
<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
|
||
|
|
<TargetFilename condition="end with">.jse</TargetFilename> <!--Registry File-->
|
||
|
|
<TargetFilename condition="end with">.lnk</TargetFilename> <!--Shortcut file | Credit @ion-storm -->
|
||
|
|
<TargetFilename condition="end with">.ppt</TargetFilename> <!--Office doc potentially with macros-->
|
||
|
|
<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell-->
|
||
|
|
<TargetFilename condition="end with">.ps2</TargetFilename> <!--PowerShell-->
|
||
|
|
<TargetFilename condition="end with">.reg</TargetFilename> <!--Registry File-->
|
||
|
|
<TargetFilename condition="end with">.sct</TargetFilename> <!--Scripting | Credit @bartblaze -->
|
||
|
|
<TargetFilename condition="end with">.vb</TargetFilename> <!--VisualBasicScripting files-->
|
||
|
|
<TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting files-->
|
||
|
|
<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting files-->
|
||
|
|
<TargetFilename condition="end with">.wsc</TargetFilename> <!--Scripting | Credit @bartblaze -->
|
||
|
|
<TargetFilename condition="end with">.wsf</TargetFilename> <!--Scripting | Credit @bartblaze -->
|
||
|
|
</FileCreateStreamHash>
|
||
|
|
|
||
|
|
<RuleGroup name="" groupRelation="or">
|
||
|
|
<FileCreateStreamHash onmatch="exclude">
|
||
|
|
</FileCreateStreamHash>
|
||
|
|
</RuleGroup>
|
||
|
|
|
||
|
|
<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE-->
|
||
|
|
<!--EVENT 16: "Sysmon config state changed"-->
|
||
|
|
<!--COMMENT: This ONLY logs if the hash of the configuration changes. Running "sysmon.exe -c" with the current configuration will not be logged with Event 16-->
|
||
|
|
|
||
|
|
<!--DATA: UtcTime, Configuration, ConfigurationFileHash-->
|
||
|
|
<!--Cannot be filtered.-->
|
||
|
|
|
||
|
|
<!--SYSMON EVENT ID 17 & 18 : PIPE CREATED / PIPE CONNECTED [PipeEvent]-->
|
||
|
|
<!--EVENT 17: "Pipe Created"-->
|
||
|
|
<!--EVENT 18: "Pipe Connected"-->
|
||
|
|
|
||
|
|
<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
|
||
|
|
<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
|
||
|
|
|
||
|
|
<!--DATA: UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
|
||
|
|
<RuleGroup name="" groupRelation="or">
|
||
|
|
<PipeEvent onmatch="include">
|
||
|
|
<!-- Remote Command Execution Tools -->
|
||
|
|
<PipeName condition="contains any">paexec;remcom;csexec</PipeName>
|
||
|
|
<!-- Password or Credential Dumpers -->
|
||
|
|
<PipeName condition="contains any">\lsadump;\cachedump;\wceservicepipe</PipeName>
|
||
|
|
<!-- Malware -->
|
||
|
|
<PipeName condition="contains any">\isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\svcctl;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc</PipeName>
|
||
|
|
<PipeName condition="contains any">\atctl;\userpipe;\iehelper;\sdlrpc;\comnap</PipeName>
|
||
|
|
<!-- Cobalt Strike Pipe Names -->
|
||
|
|
<PipeName condition="contains all">MSSE-;-server</PipeName>
|
||
|
|
<PipeName condition="begin with">\postex_</PipeName>
|
||
|
|
<PipeName condition="begin with">\postex_ssh_</PipeName>
|
||
|
|
<PipeName condition="begin with">\status_</PipeName>
|
||
|
|
<PipeName condition="begin with">\msagent_</PipeName>
|
||
|
|
</PipeEvent>
|
||
|
|
</RuleGroup>
|
||
|
|
|
||
|
|
<!--SYSMON EVENT ID 19 & 20 & 21 : WMI EVENT MONITORING [WmiEvent]-->
|
||
|
|
<!--EVENT 19: "WmiEventFilter activity detected"-->
|
||
|
|
<!--EVENT 20: "WmiEventConsumer activity detected"-->
|
||
|
|
<!--EVENT 21: "WmiEventConsumerToFilter activity detected"-->
|
||
|
|
|
||
|
|
<!--ADDITIONAL REFERENCE: [ https://www.darkoperator.com/blog/2017/10/15/sysinternals-sysmon-610-tracking-of-permanent-wmi-events ] -->
|
||
|
|
<!--ADDITIONAL REFERENCE: [ https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-v610-vs-wmi-persistence/ ] -->
|
||
|
|
|
||
|
|
<!--DATA: EventType, UtcTime, Operation, User, Name, Type, Destination, Consumer, Filter-->
|
||
|
|
<RuleGroup name="" groupRelation="or">
|
||
|
|
<WmiEvent onmatch="exclude">
|
||
|
|
<!--NOTE: Using exclude with no rules means everything will be logged-->
|
||
|
|
</WmiEvent>
|
||
|
|
</RuleGroup>
|
||
|
|
|
||
|
|
<!--SYSMON EVENT ID 22 : DNS QUERY [DnsQuery]-->
|
||
|
|
<!--EVENT 22: "Dns query"-->
|
||
|
|
|
||
|
|
<!--NOTE: Due to the volume of events that DNS queries generate, some orgs may want to remove this section from their configuration to reduce Sysmon log turnover. -->
|
||
|
|
|
||
|
|
<!--COMMENT: DNS logging is a very nuanced challenge in monitoring due to event volume. Legitimate domains can be used to host malware/C2, but lookup itself is not very informative.
|
||
|
|
It's fine to exclude monitoring these bulk low-value lookups, but at same time, you would not have a full log of how malware communicated, potentially missing C2.
|
||
|
|
This section of Sysmon configuration will require your full judgement and knowledge of your org's priorities. There is no correct answer.-->
|
||
|
|
|
||
|
|
<!--OPERATIONS: Chrome and Firefox prefetch DNS lookups, or use alternate DNS lookup methods Sysmon won't capture. You need to turn these off.
|
||
|
|
Search for Group Policy for these browsers to configure this.-->
|
||
|
|
|
||
|
|
<!--OPERATIONS: Most DNS traffic is web advertising. To significantly reduce DNS queries and malware ads, enable client-side advertising filtering via Group Policy. This is easy.
|
||
|
|
Internet Explorer: https://decentsecurity.com/adblocking-for-internet-explorer-deployment/
|
||
|
|
Chrome: https://decentsecurity.com/ublock-for-google-chrome-deployment/
|
||
|
|
Firefox: ToDo
|
||
|
|
Also note, this configuration is designed for United States computers. Your country's users will may need customization to reduce noise.
|
||
|
|
-->
|
||
|
|
|
||
|
|
<!--CONFIG: DNS poisoning is an issue during threat investigations. Try to only exclude ROUTINE system-level queries you know are strongly validated with HTTPS or code signing.-->
|
||
|
|
<!--CONFIG: If you exclude microsoft.com, someone could register malware-microsoft.com and it wouldn't be logged. Use "END WITH" with leading . or "IS" operators.-->
|
||
|
|
<!--CONFIG: Be very specific in exclusions. Threat actors use legitimate services, too. Dont exclude all of AWS or Azure or Google or CDNs!-->
|
||
|
|
<!--CONFIG: Popularity data: [ http://s3-us-west-1.amazonaws.com/umbrella-static/index.html ] [ https://better.fyi/trackers/alexa-top-500-news/ ] -->
|
||
|
|
|
||
|
|
<!--CRITICAL: Do NOT exclude "wpad" lookups. This is a MitM vector routinely used by attackers. Disable WPAD or enforce client-side DNSSEC for AD domain lookups.-->
|
||
|
|
<!--CRITICAL: Do NOT exclude IPv6 lookups.-->
|
||
|
|
|
||
|
|
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, QueryName, QueryType, QueryStatus, QueryResults (can't filter on)-->
|
||
|
|
|
||
|
|
<!--BELOW: These domains should not be excluded at the top level. Be specific if you want to reduce noise under them.-->
|
||
|
|
<!-- Rejected: .cloudapp.net, customer content [ https://blogs.technet.microsoft.com/ptsblog/2012/06/18/security-consideration-when-using-cloudapp-net-domain-as-production-environment-in-windows-azure/ ] -->
|
||
|
|
<!-- Rejected: .googleapis.com, customer content [ https://www.zdnet.com/article/this-business-email-scam-spreads-trojans-through-google-cloud-storage/ ] -->
|
||
|
|
<!-- Rejected: .cloudfront.net, customer content -->
|
||
|
|
<!-- Rejected: .windows.net, customer content -->
|
||
|
|
<!-- Rejected: *github.com, customer content, including open-source malware components -->
|
||
|
|
|
||
|
|
<RuleGroup name="" groupRelation="or">
|
||
|
|
<DnsQuery onmatch="exclude">
|
||
|
|
<!--Network noise-->
|
||
|
|
<QueryName condition="end with">.arpa.</QueryName> <!--Design decision to not log reverse DNS lookups. You will need to decide.-->
|
||
|
|
<QueryName condition="end with">.arpa</QueryName> <!--Design decision to not log reverse DNS lookups. You will need to decide.-->
|
||
|
|
<QueryName condition="end with">.msftncsi.com</QueryName> <!--Microsoft proxy detection | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="is">..localmachine</QueryName>
|
||
|
|
<QueryName condition="is">localhost</QueryName>
|
||
|
|
<!--Microsoft-->
|
||
|
|
<QueryName condition="end with">-pushp.svc.ms</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
|
||
|
|
<QueryName condition="end with">.b-msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
|
||
|
|
<QueryName condition="end with">.bing.com</QueryName> <!-- Microsoft | Microsoft default exclusion -->
|
||
|
|
<QueryName condition="end with">.hotmail.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.live.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.live.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.s-microsoft.com</QueryName> <!--Microsoft-->
|
||
|
|
<QueryName condition="end with">.microsoft.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.microsoftonline.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.microsoftstore.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.ms-acdc.office.com</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
|
||
|
|
<QueryName condition="end with">.msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
|
||
|
|
<QueryName condition="end with">.msn.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.msocdn.com</QueryName> <!--Microsoft-->
|
||
|
|
<QueryName condition="end with">.skype.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.skype.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.windows.com</QueryName> <!--Microsoft-->
|
||
|
|
<QueryName condition="end with">.windows.net.nsatc.net</QueryName> <!--Microsoft-->
|
||
|
|
<QueryName condition="end with">.windowsupdate.com</QueryName> <!--Microsoft-->
|
||
|
|
<QueryName condition="end with">.xboxlive.com</QueryName> <!--Microsoft-->
|
||
|
|
<QueryName condition="is">login.windows.net</QueryName> <!--Microsoft-->
|
||
|
|
<Image condition="begin with">C:\ProgramData\Microsoft\Windows Defender\Platform\</Image> <!--Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/network-protection -->
|
||
|
|
<!--Microsoft:Office365/AzureAD-->
|
||
|
|
<QueryName condition="end with">.activedirectory.windowsazure.com</QueryName> <!--Microsoft: AzureAD-->
|
||
|
|
<QueryName condition="end with">.aria.microsoft.com</QueryName> <!--Microsoft: OneDrive/SharePoint-->
|
||
|
|
<QueryName condition="end with">.msauth.net</QueryName>
|
||
|
|
<QueryName condition="end with">.msftauth.net</QueryName>
|
||
|
|
<QueryName condition="end with">.office.net</QueryName> <!--Microsoft: Office-->
|
||
|
|
<QueryName condition="end with">.opinsights.azure.com</QueryName> <!--Microsoft: AzureAD/InTune client event monitoring-->
|
||
|
|
<QueryName condition="end with">.res.office365.com</QueryName> <!--Microsoft: Office-->
|
||
|
|
<QueryName condition="is">acdc-direct.office.com</QueryName> <!--Microsoft: Office-->
|
||
|
|
<QueryName condition="is">atm-fp-direct.office.com</QueryName> <!--Microsoft: Office-->
|
||
|
|
<QueryName condition="is">loki.delve.office.com</QueryName> <!--Microsoft: Office-->
|
||
|
|
<QueryName condition="is">management.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
|
||
|
|
<QueryName condition="is">messaging.office.com</QueryName> <!--Microsoft: Office-->
|
||
|
|
<QueryName condition="is">outlook.office365.com</QueryName> <!--Microsoft: Protected by HSTS-->
|
||
|
|
<QueryName condition="is">portal.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
|
||
|
|
<QueryName condition="is">protection.outlook.com</QueryName> <!--Microsoft: Office-->
|
||
|
|
<QueryName condition="is">substrate.office.com</QueryName> <!--Microsoft: Office-->
|
||
|
|
<QueryName condition="end with">.measure.office.com</QueryName> <!--Microsoft: Office-->
|
||
|
|
<!--3rd-party applications-->
|
||
|
|
<QueryName condition="end with">.adobe.com</QueryName> <!--Adobe-->
|
||
|
|
<QueryName condition="end with">.adobe.io</QueryName> <!--Adobe-->
|
||
|
|
<QueryName condition="end with">.mozaws.net</QueryName> <!--Mozilla-->
|
||
|
|
<QueryName condition="end with">.mozilla.com</QueryName> <!--Mozilla-->
|
||
|
|
<QueryName condition="end with">.mozilla.net</QueryName> <!--Mozilla-->
|
||
|
|
<QueryName condition="end with">.mozilla.org</QueryName> <!--Mozilla-->
|
||
|
|
<QueryName condition="end with">.spotify.com</QueryName> <!--Spotify-->
|
||
|
|
<QueryName condition="end with">.spotify.map.fastly.net</QueryName> <!--Spotify-->
|
||
|
|
<QueryName condition="end with">.wbx2.com</QueryName> <!--Webex-->
|
||
|
|
<QueryName condition="end with">.webex.com</QueryName> <!--Webex-->
|
||
|
|
<QueryName condition="is">clients1.google.com</QueryName> <!--Google-->
|
||
|
|
<QueryName condition="is">clients2.google.com</QueryName> <!--Google-->
|
||
|
|
<QueryName condition="is">clients3.google.com</QueryName> <!--Google-->
|
||
|
|
<QueryName condition="is">clients4.google.com</QueryName> <!--Google-->
|
||
|
|
<QueryName condition="is">clients5.google.com</QueryName> <!--Google-->
|
||
|
|
<QueryName condition="is">clients6.google.com</QueryName> <!--Google-->
|
||
|
|
<QueryName condition="is">safebrowsing.googleapis.com</QueryName> <!--Google-->
|
||
|
|
<!--Goodlist CDN-->
|
||
|
|
<QueryName condition="end with">.akadns.net</QueryName> <!--AkamaiCDN, extensively used by Microsoft | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.netflix.com</QueryName>
|
||
|
|
<QueryName condition="end with">aspnetcdn.com</QueryName> <!--Microsoft [ https://docs.microsoft.com/en-us/aspnet/ajax/cdn/overview ]-->
|
||
|
|
<QueryName condition="is">ajax.googleapis.com</QueryName>
|
||
|
|
<QueryName condition="is">cdnjs.cloudflare.com</QueryName> <!--Cloudflare: Hosts popular javascript libraries-->
|
||
|
|
<QueryName condition="is">fonts.googleapis.com</QueryName> <!--Google fonts-->
|
||
|
|
<QueryName condition="end with">.typekit.net</QueryName> <!--Adobe fonts-->
|
||
|
|
<QueryName condition="is">cdnjs.cloudflare.com</QueryName>
|
||
|
|
<QueryName condition="end with">.stackassets.com</QueryName> <!--Stack Overflow-->
|
||
|
|
<QueryName condition="end with">.steamcontent.com</QueryName>
|
||
|
|
<QueryName condition="is">play.google.com</QueryName>
|
||
|
|
<QueryName condition="is">content-autofill.googleapis.com</QueryName>
|
||
|
|
<!--Web resources-->
|
||
|
|
<QueryName condition="end with">.disqus.com</QueryName> <!--Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.fontawesome.com</QueryName>
|
||
|
|
<QueryName condition="is">disqus.com</QueryName> <!--Microsoft default exclusion-->
|
||
|
|
<!--Ads-->
|
||
|
|
<QueryName condition="end with">.1rx.io</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.2mdn.net</QueryName> <!--Ads: Google | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.3lift.com</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.adadvisor.net</QueryName> <!--Ads: Neustar [ https://better.fyi/trackers/adadvisor.net/ ] -->
|
||
|
|
<QueryName condition="end with">.adap.tv</QueryName> <!--Ads:AOL | Microsoft default exclusion [ https://www.crunchbase.com/organization/adap-tv ] -->
|
||
|
|
<QueryName condition="end with">.addthis.com</QueryName> <!--Ads:Oracle | Microsoft default exclusion [ https://en.wikipedia.org/wiki/AddThis ] -->
|
||
|
|
<QueryName condition="end with">.adform.net</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.adnxs.com</QueryName> <!--Ads: AppNexus | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.adroll.com</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.adrta.com</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.adsafeprotected.com</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.adsrvr.org</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.adsymptotic.com</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.advertising.com</QueryName> <!--Ads | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.agkn.com</QueryName> <!--Ads | [ https://www.home.neustar/privacy ] -->
|
||
|
|
<QueryName condition="end with">.amazon-adsystem.com</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.amazon-adsystem.com</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.analytics.yahoo.com</QueryName> <!--Ads:Yahoo-->
|
||
|
|
<QueryName condition="end with">.aol.com</QueryName> <!--Ads | Microsoft default exclusion -->
|
||
|
|
<QueryName condition="end with">.betrad.com</QueryName> <!--Ads | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.bidswitch.net</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.casalemedia.com</QueryName> <!--Ads | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.chartbeat.net</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/chartbeat.com/ ]-->
|
||
|
|
<QueryName condition="end with">.cnn.com</QueryName> <!-- Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.convertro.com</QueryName> <!--Ads:Verizon-->
|
||
|
|
<QueryName condition="end with">.criteo.com</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
|
||
|
|
<QueryName condition="end with">.criteo.net</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
|
||
|
|
<QueryName condition="end with">.crwdcntrl.net</QueryName> <!--Ads: Lotame [ https://better.fyi/trackers/crwdcntrl.net/ ] -->
|
||
|
|
<QueryName condition="end with">.demdex.net</QueryName> <!--Ads | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.domdex.com</QueryName>
|
||
|
|
<QueryName condition="end with">.dotomi.com</QueryName> <!--Ads | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.doubleclick.net</QueryName> <!--Ads:Conversant | Microsoft default exclusion [ https://www.crunchbase.com/organization/dotomi ] -->
|
||
|
|
<QueryName condition="end with">.doubleverify.com</QueryName> <!--Ads: Google-->
|
||
|
|
<QueryName condition="end with">.emxdgt.com</QueryName> <!--Ads: EMX-->
|
||
|
|
<QueryName condition="end with">.everesttech.net</QueryName> <!--Ads | [ https://better.fyi/trackers/everesttech.net/ ] -->
|
||
|
|
<QueryName condition="end with">.exelator.com</QueryName> <!--Ads:Nielson Marketing Cloud-->
|
||
|
|
<QueryName condition="end with">.google-analytics.com</QueryName> <!--Ads:Google | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.googleadservices.com</QueryName> <!--Google-->
|
||
|
|
<QueryName condition="end with">.googlesyndication.com</QueryName> <!--Ads:Google, sometimes called during malicious ads, but not directly responsible | Microsoft default exclusion [ https://www.hackread.com/wp-content/uploads/2018/06/Bitdefender-Whitepaper-Zacinlo.pdf ]-->
|
||
|
|
<QueryName condition="end with">.googletagmanager.com</QueryName> <!--Google-->
|
||
|
|
<QueryName condition="end with">.googlevideo.com</QueryName> <!--Google | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.gstatic.com</QueryName> <!--Google | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.gvt1.com</QueryName> <!--Google-->
|
||
|
|
<QueryName condition="end with">.gvt2.com</QueryName> <!--Google-->
|
||
|
|
<QueryName condition="end with">.ib-ibi.com</QueryName> <!--Ads: Offerpath [ https://better.fyi/trackers/ib-ibi.com/ ] -->
|
||
|
|
<QueryName condition="end with">.jivox.com</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.krxd.net</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.lijit.com</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.mathtag.com</QueryName> <!--Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.moatads.com</QueryName> <!--Ads | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.moatpixel.com</QueryName> <!--Ads | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.mookie1.com</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.myvisualiq.net</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.netmng.com</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.nexac.com</QueryName> <!--Ads | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.openx.net</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.optimizely.com</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.outbrain.com</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.pardot.com</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.phx.gbl</QueryName> <!--Ads | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.pinterest.com</QueryName> <!--Pinerest-->
|
||
|
|
<QueryName condition="end with">.pubmatic.com</QueryName> <!--Ads | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.quantcount.com</QueryName>
|
||
|
|
<QueryName condition="end with">.quantserve.com</QueryName>
|
||
|
|
<QueryName condition="end with">.revsci.net</QueryName> <!--Ads:Omniture | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.rfihub.net</QueryName> <!--Ads | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.rlcdn.com</QueryName> <!--Ads: Rapleaf [ https://better.fyi/trackers/rlcdn.com/ ] -->
|
||
|
|
<QueryName condition="end with">.rubiconproject.com</QueryName> <!--Ads: Rubicon Project | Microsoft default exclusion [ https://better.fyi/trackers/rubiconproject.com/ ] -->
|
||
|
|
<QueryName condition="end with">.scdn.co</QueryName> <!--Spotify-->
|
||
|
|
<QueryName condition="end with">.scorecardresearch.com</QueryName> <!--Ads: Comscore | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.serving-sys.com</QueryName> <!--Ads | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.sharethrough.com</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.simpli.fi</QueryName>
|
||
|
|
<QueryName condition="end with">.sitescout.com</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.smartadserver.com</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.snapads.com</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.spotxchange.com</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.taboola.com</QueryName> <!--Ads:Taboola-->
|
||
|
|
<QueryName condition="end with">.taboola.map.fastly.net</QueryName> <!--Ads:Taboola-->
|
||
|
|
<QueryName condition="end with">.tapad.com</QueryName>
|
||
|
|
<QueryName condition="end with">.tidaltv.com</QueryName> <!--Ads: Videology [ https://better.fyi/trackers/tidaltv.com/ ] -->
|
||
|
|
<QueryName condition="end with">.trafficmanager.net</QueryName> <!--Ads | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.tremorhub.com</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.tribalfusion.com</QueryName> <!--Ads: Exponential [ https://better.fyi/trackers/tribalfusion.com/ ] -->
|
||
|
|
<QueryName condition="end with">.turn.com</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/turn.com/ ] -->
|
||
|
|
<QueryName condition="end with">.twimg.com</QueryName> <!--Ads | Microsoft default exclusion-->
|
||
|
|
<QueryName condition="end with">.tynt.com</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="end with">.w55c.net</QueryName> <!--Ads:dataxu-->
|
||
|
|
<QueryName condition="end with">.ytimg.com</QueryName> <!--Google-->
|
||
|
|
<QueryName condition="end with">.zorosrv.com</QueryName> <!--Ads:Taboola-->
|
||
|
|
<QueryName condition="is">1rx.io</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="is">adservice.google.com</QueryName> <!--Google-->
|
||
|
|
<QueryName condition="is">ampcid.google.com</QueryName> <!--Google-->
|
||
|
|
<QueryName condition="is">clientservices.googleapis.com</QueryName> <!--Google-->
|
||
|
|
<QueryName condition="is">googleadapis.l.google.com</QueryName> <!--Google-->
|
||
|
|
<QueryName condition="is">imasdk.googleapis.com</QueryName> <!--Google [ https://developers.google.com/interactive-media-ads/docs/sdks/html5/ ] -->
|
||
|
|
<QueryName condition="is">l.google.com</QueryName> <!--Google-->
|
||
|
|
<QueryName condition="is">ml314.com</QueryName> <!--Ads-->
|
||
|
|
<QueryName condition="is">mtalk.google.com</QueryName> <!--Google-->
|
||
|
|
<QueryName condition="is">update.googleapis.com</QueryName> <!--Google-->
|
||
|
|
<QueryName condition="is">www.googletagservices.com</QueryName> <!--Google-->
|
||
|
|
<!--SocialNet-->
|
||
|
|
<QueryName condition="end with">.pscp.tv</QueryName> <!--Twitter:Periscope-->
|
||
|
|
<!--OSCP/CRL Common-->
|
||
|
|
<QueryName condition="end with">.amazontrust.com</QueryName>
|
||
|
|
<QueryName condition="end with">.digicert.com</QueryName>
|
||
|
|
<QueryName condition="end with">.globalsign.com</QueryName>
|
||
|
|
<QueryName condition="end with">.globalsign.net</QueryName>
|
||
|
|
<QueryName condition="end with">.intel.com</QueryName>
|
||
|
|
<QueryName condition="end with">.symcb.com</QueryName> <!--Digicert-->
|
||
|
|
<QueryName condition="end with">.symcd.com</QueryName> <!--Digicert-->
|
||
|
|
<QueryName condition="end with">.thawte.com</QueryName>
|
||
|
|
<QueryName condition="end with">.usertrust.com</QueryName>
|
||
|
|
<QueryName condition="end with">.verisign.com</QueryName>
|
||
|
|
<QueryName condition="end with">ocsp.identrust.com</QueryName>
|
||
|
|
<QueryName condition="end with">pki.goog</QueryName>
|
||
|
|
<QueryName condition="is">msocsp.com</QueryName> <!--Microsoft:OCSP-->
|
||
|
|
<QueryName condition="is">ocsp.comodoca.com</QueryName>
|
||
|
|
<QueryName condition="is">ocsp.entrust.net</QueryName>
|
||
|
|
<QueryName condition="is">ocsp.godaddy.com</QueryName>
|
||
|
|
<QueryName condition="is">ocsp.int-x3.letsencrypt.org</QueryName>
|
||
|
|
<QueryName condition="is">ocsp.msocsp.com</QueryName> <!--Microsoft:OCSP-->
|
||
|
|
<QueryName condition="end with">pki.goog</QueryName>
|
||
|
|
<QueryName condition="is">ocsp.godaddy.com</QueryName>
|
||
|
|
<QueryName condition="end with">amazontrust.com</QueryName>
|
||
|
|
<QueryName condition="is">ocsp.sectigo.com</QueryName>
|
||
|
|
<QueryName condition="is">pki-goog.l.google.com</QueryName>
|
||
|
|
<QueryName condition="end with">.usertrust.com</QueryName>
|
||
|
|
<QueryName condition="is">ocsp.comodoca.com</QueryName>
|
||
|
|
<QueryName condition="is">ocsp.verisign.com</QueryName>
|
||
|
|
<QueryName condition="is">ocsp.entrust.net</QueryName>
|
||
|
|
<QueryName condition="end with">ocsp.identrust.com</QueryName>
|
||
|
|
<QueryName condition="is">status.rapidssl.com</QueryName>
|
||
|
|
<QueryName condition="is">status.thawte.com</QueryName>
|
||
|
|
<QueryName condition="is">ocsp.int-x3.letsencrypt.org</QueryName>
|
||
|
|
</DnsQuery>
|
||
|
|
</RuleGroup>
|
||
|
|
|
||
|
|
<!--SYSMON EVENT ID 23 : FILE DELETE [FileDelete]-->
|
||
|
|
<!--EVENT 22: "File Delete"-->
|
||
|
|
<!--COMMENT: Sandbox usage. When a program signals to Windows a file should be deleted or wiped, Sysmon may be able to capture it.
|
||
|
|
[ https://isc.sans.edu/forums/diary/Sysmon+and+File+Deletion/26084/ ]
|
||
|
|
-->
|
||
|
|
|
||
|
|
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes, IsExecutable, Archived -->
|
||
|
|
|
||
|
|
<!--
|
||
|
|
<RuleGroup name="" groupRelation="or">
|
||
|
|
<ClipboardChange onmatch="include">
|
||
|
|
</ClipboardChange>
|
||
|
|
</RuleGroup>
|
||
|
|
-->
|
||
|
|
|
||
|
|
<!--SYSMON EVENT ID 24 : CLIPBOARD EVENT MONITORING [ClipboardChange]-->
|
||
|
|
<!--EVENT 24: "Clipboard changed"-->
|
||
|
|
<!--COMMENT: Sandbox usage. Sysmon can capture the contents of clipboard events.
|
||
|
|
An example of what could be a production usage on restricted desktops is provided below, but it is commented-out. -->
|
||
|
|
|
||
|
|
<!--DATA: EventType, UtcTime, ProcessGuid, ProcessId, Image, Session, ClientInfo, Hashes, Archived -->
|
||
|
|
|
||
|
|
<!--
|
||
|
|
<RuleGroup name="" groupRelation="or">
|
||
|
|
<ClipboardChange onmatch="include">
|
||
|
|
<Image condition="end with">wscript.exe</Image>
|
||
|
|
<Image condition="end with">cscript.exe</Image>
|
||
|
|
<Image condition="end with">powershell.exe</Image>
|
||
|
|
<Image condition="end with">rdpclip.exe</Image>
|
||
|
|
</ClipboardChange>
|
||
|
|
</RuleGroup>
|
||
|
|
-->
|
||
|
|
|
||
|
|
<!--SYSMON EVENT ID 25 : PROCESS TAMPERING [ProcessTampering]-->
|
||
|
|
<!--EVENT 25: "Process Tampering"-->
|
||
|
|
<!--COMMENT: This event is generated when a process image is changed from an external source, such as a different process.
|
||
|
|
This may or may not provide value in your environment as it requires tuning and a SIEM to correlate the ProcessGuids.
|
||
|
|
[ https://medium.com/falconforce/sysmon-13-process-tampering-detection-820366138a6c ] -->
|
||
|
|
|
||
|
|
<!--DATA: EventType, RuleName, UtcTime, ProcessGuid, ProcessId, Image, Type -->
|
||
|
|
|
||
|
|
<!--
|
||
|
|
<RuleGroup name="" groupRelation="or">
|
||
|
|
<ProcessTampering onmatch="exclude">
|
||
|
|
<Image condition="begin with">C:\Program Files (x86)\Microsoft\Edge\Application\</Image>
|
||
|
|
</ProcessTampering>
|
||
|
|
</RuleGroup>
|
||
|
|
-->
|
||
|
|
|
||
|
|
<!--SYSMON EVENT ID 255 : ERROR-->
|
||
|
|
<!--"This event is generated when an error occurred within Sysmon. They can happen if the system is under heavy load
|
||
|
|
and certain tasked could not be performed or a bug exists in the Sysmon service. You can report any bugs on the
|
||
|
|
Sysinternals forum or over Twitter (@markrussinovich)."-->
|
||
|
|
<!--Cannot be filtered.-->
|
||
|
|
|
||
|
|
</EventFiltering>
|
||
|
|
</Sysmon>
|