Skip to content

Commit 5493263

Browse files
SwiftOnSecuritySwiftOnSecurity
committed
I need to save before I do git commits
1 parent ee1fc4a commit 5493263

File tree

1 file changed

+3
-5
lines changed

1 file changed

+3
-5
lines changed

sysmonconfig-export.xml

Lines changed: 3 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -3,8 +3,8 @@
33
Master version: 44 | Date: 2017-02-22
44
Master author: @SwiftOnSecurity, with contributors credited in-line or on Git.
55
Master project: https://github.com/SwiftOnSecurity/sysmon-config
6-
Master license: Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, or deploy for commercial use - with attribution in the text.
7-
Any additions may by incorporated by the original author (SwiftOnSecurity) into the master version, with in-line or changelog attribution.
6+
Master license: Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
7+
Any additions may by incorporated by the original author (SwiftOnSecurity) into the master version, with in-line or changelog attribution.
88
99
Fork version: <N/A>
1010
Fork author: <N/A>
@@ -20,13 +20,11 @@
2020
much filtering as possible onto the client. This is to make analysis of intrusions possible by hand, and try to
2121
surface anomalous activity as quickly as possible to any technician armed only with Event Viewer.
2222
23-
NOTE: Sysmon is not hardened against a determined attacker with admin rights. This configuration offers an attacker, willing
23+
NOTE: Sysmon is not hardened against a determined attacker with admin rights. Also, this configuration offers an attacker, willing
2424
to study it closely, several ways to evade some of the alerting. If you are in a high-threat environment and have significant
2525
security staff, you should consider a much broader log-all approach. However, in the vast majority of cases, an attacker
2626
will bumble along through multiple behavioral traps which this configuration monitors, especially in the first minutes.
2727
28-
NOTE: There is best-effort support for 32-bit systems, but it's not a test scenario and will require your own tuning.
29-
3028
NOTE: "Image" is a technical term for a compiled binary file like an EXE or DLL. Also, it can match just the filename, or entire path.
3129
"ProcessGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual process launches.
3230
"LoginGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual user sessions.

0 commit comments

Comments
 (0)