|
1 | | -<!-- |
| 1 | +<!-- |
2 | 2 | sysmon-config | A Sysmon configuration focused on default high-quality event tracing and easy customization by the community |
3 | 3 | Source version: 71 | Date: 2020-01-16 |
4 | 4 | Source project: https://github.com/SwiftOnSecurity/sysmon-config |
|
131 | 131 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc</CommandLine> |
132 | 132 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s nsi</CommandLine> |
133 | 133 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s w32Time</CommandLine> |
134 | | - <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation</CommandLine> <!--Windows: Network services--> |
| 134 | + <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation</CommandLine> <!--Windows: Network services--> |
| 135 | + <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -p</CommandLine> <!--Windows: Network services--> |
135 | 136 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp</CommandLine> <!--Windows: Network services--> |
136 | 137 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog</CommandLine> |
137 | 138 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s TimeBrokerSvc</CommandLine> |
|
150 | 151 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService</CommandLine> |
151 | 152 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService</CommandLine> |
152 | 153 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum</CommandLine> |
153 | | - <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s NgcSvc</CommandLine> <!--Microsoft:Passport--> |
154 | | - <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -p -s NgcCtnrSvc</CommandLine> <!--Microsoft:Passport Container--> |
| 154 | + <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s NgcSvc</CommandLine> <!--Microsoft:Passport--> |
| 155 | + <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -p -s NgcCtnrSvc</CommandLine> <!--Microsoft:Passport Container--> |
155 | 156 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SCardSvr</CommandLine> |
156 | 157 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</CommandLine> |
157 | 158 | <CommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs -p -s SessionEnv</CommandLine> <!--Windows:Remote desktop configuration--> |
|
180 | 181 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s NlaSvc</CommandLine> <!--Windows:Network: Network Location Awareness--> |
181 | 182 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s TermService</CommandLine> <!--Windows:Network: Terminal Services (RDP)--> |
182 | 183 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService</CommandLine> <!--Windows: Network services--> |
| 184 | + <CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -p</CommandLine> <!--Windows: Network services--> |
183 | 185 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted</CommandLine> <!--Windows: Network services--> |
184 | 186 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k rPCSS</CommandLine> <!--Windows Services--> |
185 | 187 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k secsvcs</CommandLine> |
|
201 | 203 | <!--SECTION: Microsoft:dotNet--> |
202 | 204 | <CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</CommandLine> <!--Microsoft:DotNet--> |
203 | 205 | <CommandLine condition="begin with">C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe</CommandLine> <!--Microsoft:DotNet--> |
| 206 | + <CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</CommandLine> <!--Microsoft:DotNet--> |
| 207 | + <CommandLine condition="begin with">C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</CommandLine> <!--Microsoft:DotNet--> |
204 | 208 | <Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet--> |
205 | 209 | <Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet--> |
206 | 210 | <Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Windows: Font cache service--> |
207 | | - <ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine> |
| 211 | + <ParentCommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine> |
208 | 212 | <ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet--> |
209 | 213 | <ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet--> |
210 | 214 | <ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet--> |
|
226 | 230 | <CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments--> |
227 | 231 | </ProcessCreate> |
228 | 232 | </RuleGroup> |
229 | | - |
| 233 | + |
230 | 234 | <!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]--> |
231 | 235 | <!--COMMENT: [ https://attack.mitre.org/wiki/Technique/T1099 ] --> |
232 | 236 |
|
|
258 | 262 | <!--TECHNICAL: For the DestinationHostname, Sysmon uses the GetNameInfo API, which will often not have any information, and may just be a CDN. This is NOT reliable for filtering.--> |
259 | 263 | <!--TECHNICAL: For the DestinationPortName, Sysmon uses the GetNameInfo API for the friendly name of ports you see in logs.--> |
260 | 264 | <!--TECHNICAL: These exe do not initiate their connections, and thus includes do not work in this section: BITSADMIN NLTEST--> |
261 | | - |
| 265 | + |
262 | 266 | <!-- https://www.first.org/resources/papers/conf2017/APT-Log-Analysis-Tracking-Attack-Tools-by-Audit-Policy-and-Sysmon.pdf --> |
263 | 267 |
|
264 | 268 | <!--DATA: UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpV6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName--> |
|
311 | 315 | <Image condition="image">tasklist.exe</Image> <!--Windows: List processes, has remote ability --> |
312 | 316 | <Image condition="image">wmic.exe</Image> <!--WindowsManagementInstrumentation: Credit @Cyb3rOps [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] --> |
313 | 317 | <Image condition="image">wscript.exe</Image> <!--WindowsScriptingHost: | Credit @arekfurt --> |
| 318 | + <!--Live of the Land Binaries and scripts (LOLBAS) --> |
| 319 | + <Image condition="image">bitsadmin.exe</Image> <!-- Windows: Background Intelligent Transfer Service - Can download from URLs --> |
| 320 | + <Image condition="image">esentutl.exe</Image> <!-- Windows: Database utilities for the ESE - Can fetch from UNC paths --> |
| 321 | + <Image condition="image">expand.exe</Image> <!-- Windows: Expands one or more compressed files - Can fetch from UNC paths --> |
| 322 | + <Image condition="image">extrac32.exe</Image> <!--Windows: Uncompress .cab files - Can fetch from UNC paths --> |
| 323 | + <Image condition="image">findstr.exe</Image> <!-- Windows: Search for strings - Can fetch from UNC paths --> |
| 324 | + <Image condition="image">GfxDownloadWrapper.exe</Image> <!-- Intel Graphics Control Panel: Remote file download --> |
| 325 | + <Image condition="image">ieexec.exe</Image> <!-- Windows: Microsoft .NET Framework application - Download and execute from URLs --> |
| 326 | + <Image condition="image">makecab.exe</Image> <!-- Windows: Packages existing files into a .cab - Can fetch from UNC paths --> |
| 327 | + <Image condition="image">replace.exe</Image> <!-- Windows: Used to replace file with another file - Can fetch from UNC paths --> |
| 328 | + <Image condition="image">Excel.exe</Image> <!-- Windows Office: Excel - Can download from URLs --> |
| 329 | + <Image condition="image">Powerpnt.exe</Image> <!-- Windows Office: PowerPoint - Can download from URLs --> |
| 330 | + <Image condition="image">Winword.exe</Image> <!-- Windows Office: Word - Can download from URLs --> |
| 331 | + <Image condition="image">squirrel.exe</Image> <!-- Windows: Update the Nuget/Squirrel packages. Part of Teams. - Can download from URLs --> |
314 | 332 | <!--Relevant 3rd Party Tools--> |
315 | 333 | <Image condition="image">nc.exe</Image> <!-- Nmap's modern version of netcat [ https://nmap.org/ncat/guide/index.html#ncat-overview ] [ https://securityblog.gr/1517/create-backdoor-in-windows-with-ncat/ ] --> |
316 | 334 | <Image condition="image">ncat.exe</Image> <!-- Nmap's modern version of netcat [ https://nmap.org/ncat/guide/index.html#ncat-overview ] [ https://securityblog.gr/1517/create-backdoor-in-windows-with-ncat/ ] --> |
|
799 | 817 | <!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE--> |
800 | 818 | <!--EVENT 16: "Sysmon config state changed"--> |
801 | 819 | <!--COMMENT: This ONLY logs if the hash of the configuration changes. Running "sysmon.exe -c" with the current configuration will not be logged with Event 16--> |
802 | | - |
| 820 | + |
803 | 821 | <!--DATA: UtcTime, Configuration, ConfigurationFileHash--> |
804 | 822 | <!--Cannot be filtered.--> |
805 | 823 |
|
|
969 | 987 | <QueryName condition="end with">.criteo.net</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] --> |
970 | 988 | <QueryName condition="end with">.crwdcntrl.net</QueryName> <!--Ads: Lotame [ https://better.fyi/trackers/crwdcntrl.net/ ] --> |
971 | 989 | <QueryName condition="end with">.demdex.net</QueryName> <!--Ads | Microsoft default exclusion--> |
972 | | - <QueryName condition="end with">.domdex.com</QueryName> |
| 990 | + <QueryName condition="end with">.domdex.com</QueryName> |
973 | 991 | <QueryName condition="end with">.dotomi.com</QueryName> <!--Ads | Microsoft default exclusion--> |
974 | 992 | <QueryName condition="end with">.doubleclick.net</QueryName> <!--Ads:Conversant | Microsoft default exclusion [ https://www.crunchbase.com/organization/dotomi ] --> |
975 | 993 | <QueryName condition="end with">.doubleverify.com</QueryName> <!--Ads: Google--> |
|
0 commit comments