
Commit 9c0e37c

Visual cleanup, no rules changes
1 parent 993d5c7 commit 9c0e37c


1 file changed

+6
-7
lines changed


sysmonconfig-export.xml

Lines changed: 6 additions & 7 deletions
@@ -4,7 +4,6 @@
44
Master author: @SwiftOnSecurity, with contributors credited in-line or on Git.
55
Master project: https://github.com/SwiftOnSecurity/sysmon-config
66
Master license: Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
7-
Any additions may by incorporated by the original author (SwiftOnSecurity) into the master version, with in-line or changelog attribution.
87
98
Fork version: <N/A>
109
Fork author: <N/A>
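Review bot: Dropping the line "Any additions may by incorporated by the original author (SwiftOnSecurity) into the master version, with in-line or changelog attribution." removes a contribution/licensing statement from the file header, which goes beyond the "Visual cleanup" the commit message describes. If the intent was only to fix the typo, restore it as "Any additions may be incorporated by the original author ..."; if the clause is intentionally gone, say so in the commit message so the change in contribution terms is visible in history.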
@@ -70,8 +69,8 @@
7069
<Image condition="begin with">C:\Program Files (x86)\Google\Update\</Image> <!--Google:Chrome: Updater-->
7170
<ParentImage condition="begin with">C:\Program Files (x86)\Google\Update\</ParentImage> <!--Google:Chrome: Updater-->
7271
<!-- SECTION: Firefox -->
73-
<CommandLine condition="begin with">"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox massive command-line arguments || Contributor @Darkbat91 -->
74-
<CommandLine condition="begin with">"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox massive command-line arguments || Contributor @Darkbat91 -->
72+
<CommandLine condition="begin with">"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox massive command-line arguments | Credit @Darkbat91 -->
73+
<CommandLine condition="begin with">"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox massive command-line arguments | Credit @Darkbat91 -->
7574
<!--SECTION: Adobe-->
7675
<CommandLine condition="contains">AcroRd32.exe" /CR </CommandLine> <!--Adobe:AcrobatReader: Uninsteresting sandbox subprocess-->
7776
<CommandLine condition="contains">AcroRd32.exe" --channel=</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
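Review bot: The credit marker change from "|| Contributor @Darkbat91" to "| Credit @Darkbat91" brings the two plugin-container.exe lines in line with the single-pipe "Credit" form used elsewhere, but the section comments around them are still inconsistent: "<!-- SECTION: Firefox -->" has inner spaces while "<!--SECTION: Adobe-->" does not; pick one form for all section markers. The unchanged AcroRd32.exe "/CR" context line also still reads "Uninsteresting" where the line after it has "Uninteresting", which is worth folding into the same cleanup.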
@@ -134,13 +133,13 @@
134133
<Image condition="begin with">C:\Windows\Temp</Image>
135134
<Image condition="image">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
136135
<Image condition="image">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
137-
<Image condition="image">wmic.exe</Image> <!--Microsoft:WindowsManagementInstrumentation: Credit to @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
138-
<Image condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit: @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
139-
<Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit: @arekfurt -->
136+
<Image condition="image">wmic.exe</Image> <!--Microsoft:WindowsManagementInstrumentation: Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
137+
<Image condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
138+
<Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
140139
<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
141140
<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
142141
<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
143-
<Image condition="image">msiexec.exe</Image> <!--Microsoft:Windows: Can install from http:// paths | Credit: @vector-sec -->
142+
<Image condition="image">msiexec.exe</Image> <!--Microsoft:Windows: Can install from http:// paths | Credit @vector-sec -->
144143
<Image condition="image">mshta.exe</Image> <!--Microsoft:Windows: HTML application executes scripts without IE protections | Credit @ion-storm | [ https://en.wikipedia.org/wiki/HTML_Application ] -->
145144
<Image condition="image">certutil.exe</Image> <!--Microsoft:Windows: Certificate tool can contact outbound | Credit @ion-storm and @FVT | [ https://twitter.com/FVT/status/834433734602530817 ] -->
146145
<Image condition="image">reg.exe</Image> <!--Microsoft:Windows: Remote Registry | Credit @ion-storm -->
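Review bot: The normalized credits still differ in shape within this hunk: wmic.exe uses "WindowsManagementInstrumentation: Credit @Neo23x0" with no pipe, while cscript.exe and wscript.exe use "WindowsScriptingHost: | Credit ..." with an empty description before the pipe; either drop the dangling "|" or give those two entries a short description like the msiexec.exe, mshta.exe and certutil.exe lines have. Separately, the context line "<Image condition="begin with">C:\Windows\Temp</Image>" has no trailing backslash, unlike the "C:\Program Files (x86)\Google\Update\" entries at the top of the file, so as a prefix match it also covers any sibling path whose name starts with "Temp"; that is a rules change and belongs in its own commit, but it deserves a follow-up.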
