-
-
Notifications
You must be signed in to change notification settings - Fork 145
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Sysmon v10.41 configuration, schema-4.22
- Loading branch information
Showing
3 changed files
with
298 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| <Sysmon schemaversion="4.22"> | ||
| <!-- Capture All Hashes --> | ||
| <HashAlgorithms>*</HashAlgorithms> | ||
| <EventFiltering> | ||
|
|
||
| <!-- EventID: 1 --> | ||
| <!-- Log all process creation --> | ||
| <ProcessCreate onmatch="exclude"/> | ||
|
|
||
| <!-- EventID: 2 --> | ||
| <!-- Log all file creation time stamps --> | ||
| <FileCreateTime onmatch="exclude"/> | ||
|
|
||
| <!-- EventID: 3 --> | ||
| <!-- Log all network connections --> | ||
| <NetworkConnect onmatch="exclude"/> | ||
|
|
||
| <!-- EventID: 5 --> | ||
| <!-- Log all process termination --> | ||
| <ProcessTerminate onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 6 --> | ||
| <!-- Log all Drivers Loaded --> | ||
| <DriverLoad onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 7 --> | ||
| <!-- Log all image loaded--> | ||
| <!-- There is way too much image loaded by Sysmon.exe in this version --> | ||
| <!-- Mostly due to the new feature of File Information --> | ||
| <!-- This Schema needs to be adapted with the name of the service --> | ||
| <RuleGroup groupRelation="or"> | ||
| <ImageLoad onmatch="exclude"> | ||
| <Image condition="is">C:\Windows\Sysmon.exe</Image> | ||
| <Image condition="is">C:\Windows\Sysmon64.exe</Image> | ||
| </ImageLoad> | ||
| </RuleGroup> | ||
|
|
||
|
|
||
| <!-- EventID: 8 --> | ||
| <!-- Log all RemoteThread created --> | ||
| <CreateRemoteThread onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 9 --> | ||
| <!-- Log all --> | ||
| <RawAccessRead onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 10 --> | ||
| <!-- Log all --> | ||
| <ProcessAccess onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 11 --> | ||
| <!-- Log all --> | ||
| <FileCreate onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 12/13/14 --> | ||
| <!-- Log all registry operations --> | ||
| <RuleGroup groupRelation="or"> | ||
| <RegistryEvent onmatch="exclude"> | ||
| <Image condition="is">C:\Windows\Sysmon.exe</Image> | ||
| <Image condition="is">C:\Windows\Sysmon64.exe</Image> | ||
| </RegistryEvent> | ||
| </RuleGroup> | ||
|
|
||
| <!-- EventID: 15 --> | ||
| <!-- Log all --> | ||
| <FileCreateStreamHash onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 17/18 --> | ||
| <!-- Log all --> | ||
| <PipeEvent onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 19/20/21 --> | ||
| <!-- Log all --> | ||
| <WmiEvent onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 22 --> | ||
| <!-- Log all --> | ||
| <DnsQuery onmatch="exclude" /> | ||
|
|
||
| </EventFiltering> | ||
| </Sysmon> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,108 @@ | ||
| <Sysmon schemaversion="4.22"> | ||
| <!-- Capture All Hashes --> | ||
| <HashAlgorithms>*</HashAlgorithms> | ||
| <EventFiltering> | ||
|
|
||
| <!-- EventID: 1 --> | ||
| <!-- Log all process creation --> | ||
| <ProcessCreate onmatch="exclude"/> | ||
|
|
||
| <!-- EventID: 2 --> | ||
| <!-- Log all file creation time stamps --> | ||
| <FileCreateTime onmatch="exclude"/> | ||
|
|
||
| <!-- EventID: 3 --> | ||
| <!-- Log all network connections --> | ||
| <NetworkConnect onmatch="exclude"/> | ||
|
|
||
| <!-- EventID: 5 --> | ||
| <!-- Log all process termination --> | ||
| <ProcessTerminate onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 6 --> | ||
| <!-- Log all Drivers Loaded --> | ||
| <DriverLoad onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 7 --> | ||
| <!-- Log all image loaded--> | ||
| <!-- There is way too much image loaded by Sysmon.exe in this version --> | ||
| <!-- Mostly due to the new feature of File Information --> | ||
| <!-- This Schema needs to be adapted with the name of the service --> | ||
| <RuleGroup groupRelation="or"> | ||
| <ImageLoad onmatch="exclude"> | ||
| <Image condition="is">C:\Windows\Sysmon.exe</Image> | ||
| <Image condition="is">C:\Windows\Sysmon64.exe</Image> | ||
| <!-- Whitelist MS signatures --> | ||
| <!-- Might cause some detection rules not to work --> | ||
| <!-- example: checking for loading of vaultcli.dll --> | ||
| <Signature condition="is">Microsoft Windows Publisher</Signature> | ||
| <Signature condition="is">Microsoft Corporation</Signature> | ||
| <Signature condition="is">Microsoft Windows</Signature> | ||
| </ImageLoad> | ||
| </RuleGroup> | ||
|
|
||
|
|
||
| <!-- EventID: 8 --> | ||
| <!-- Log all RemoteThread created --> | ||
| <CreateRemoteThread onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 9 --> | ||
| <!-- Log all --> | ||
| <RawAccessRead onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 10 --> | ||
| <!-- Filtered out the more noisy entries --> | ||
| <RuleGroup groupRelation="or"> | ||
| <ProcessAccess onmatch="exclude"> | ||
| <!-- 0x1000 // PROCESS_QUERY_LIMITED_INFORMATION Second most frequent --> | ||
| <GrantedAccess condition="is">0x1000</GrantedAccess> | ||
| <!-- 0x2000 // UNKNOWN rights --> | ||
| <GrantedAccess condition="is">0x2000</GrantedAccess> | ||
| <!-- 0x3000 // UNKNOWN | PROCESS_QUERY_LIMITED_INFORMATION --> | ||
| <GrantedAccess condition="is">0x3000</GrantedAccess> | ||
| <!-- 0x100000 // SYNCHRONIZE --> | ||
| <GrantedAccess condition="is">0x100000</GrantedAccess> | ||
| <!-- 0x101000 // SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION --> | ||
| <GrantedAccess condition="is">0x101000</GrantedAccess> | ||
| <!-- responsible for a lot of ProcessAccess --> | ||
| <SourceImage condition="is">C:\Windows\system32\wbem\wmiprvse.exe</SourceImage> | ||
| </ProcessAccess> | ||
| </RuleGroup> | ||
|
|
||
| <!-- EventID: 11 --> | ||
| <!-- Log all --> | ||
| <FileCreate onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 12/13/14 --> | ||
| <!-- CreateKey and DeleteKey are not taken to limit the number of registry operations --> | ||
| <RuleGroup groupRelation="or"> | ||
| <RegistryEvent onmatch="exclude"> | ||
| <Image condition="is">C:\Windows\Sysmon.exe</Image> | ||
| <Image condition="is">C:\Windows\Sysmon64.exe</Image> | ||
| <!-- CreateKey and DeleteKey not taken --> | ||
| <EventType condition="is not">SetValue</EventType> | ||
| </RegistryEvent> | ||
| </RuleGroup> | ||
|
|
||
| <!-- EventID: 15 --> | ||
| <!-- Log all --> | ||
| <FileCreateStreamHash onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 17/18 --> | ||
| <!-- Log all --> | ||
| <PipeEvent onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 19/20/21 --> | ||
| <!-- Log all --> | ||
| <WmiEvent onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 22 --> | ||
| <RuleGroup groupRelation="or"> | ||
| <DnsQuery onmatch="exclude"> | ||
| <Image condition="is">C:\Windows\Sysmon.exe</Image> | ||
| <Image condition="is">C:\Windows\Sysmon64.exe</Image> | ||
| </DnsQuery> | ||
| </RuleGroup> | ||
|
|
||
| </EventFiltering> | ||
| </Sysmon> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,109 @@ | ||
| <Sysmon schemaversion="4.22"> | ||
| <!-- Capture All Hashes --> | ||
| <HashAlgorithms>*</HashAlgorithms> | ||
| <EventFiltering> | ||
|
|
||
| <!-- EventID: 1 --> | ||
| <!-- Log all process creation --> | ||
| <ProcessCreate onmatch="exclude"/> | ||
|
|
||
| <!-- EventID: 2 --> | ||
| <!-- Log all file creation time stamps --> | ||
| <FileCreateTime onmatch="exclude"/> | ||
|
|
||
| <!-- EventID: 3 --> | ||
| <!-- Log all network connections --> | ||
| <NetworkConnect onmatch="exclude"/> | ||
|
|
||
| <!-- EventID: 5 --> | ||
| <!-- Log all process termination --> | ||
| <ProcessTerminate onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 6 --> | ||
| <!-- Log all Drivers Loaded --> | ||
| <DriverLoad onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 7 --> | ||
| <!-- Log all image loaded--> | ||
| <!-- There is way too much image loaded by Sysmon.exe in this version --> | ||
| <!-- Mostly due to the new feature of File Information --> | ||
| <!-- This Schema needs to be adapted with the name of the service --> | ||
| <RuleGroup groupRelation="or"> | ||
| <ImageLoad onmatch="exclude"> | ||
| <Image condition="is">C:\Windows\Sysmon.exe</Image> | ||
| <Image condition="is">C:\Windows\Sysmon64.exe</Image> | ||
| <!-- Whitelist MS signatures --> | ||
| <!-- Might cause some detection rules not to work --> | ||
| <!-- example: checking for loading of vaultcli.dll --> | ||
| <Signature condition="is">Microsoft Windows Publisher</Signature> | ||
| <Signature condition="is">Microsoft Corporation</Signature> | ||
| <Signature condition="is">Microsoft Windows</Signature> | ||
| </ImageLoad> | ||
| </RuleGroup> | ||
|
|
||
|
|
||
| <!-- EventID: 8 --> | ||
| <!-- Log all RemoteThread created --> | ||
| <CreateRemoteThread onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 9 --> | ||
| <!-- Log all --> | ||
| <RawAccessRead onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 10 --> | ||
| <!-- Filtered out the more noisy entries --> | ||
| <RuleGroup groupRelation="or"> | ||
| <ProcessAccess onmatch="exclude"> | ||
| <!-- 0x1000 // PROCESS_QUERY_LIMITED_INFORMATION Second most frequent --> | ||
| <GrantedAccess condition="is">0x1000</GrantedAccess> | ||
| <!-- 0x2000 // UNKNOWN rights --> | ||
| <GrantedAccess condition="is">0x2000</GrantedAccess> | ||
| <!-- 0x3000 // UNKNOWN | PROCESS_QUERY_LIMITED_INFORMATION --> | ||
| <GrantedAccess condition="is">0x3000</GrantedAccess> | ||
| <!-- 0x100000 // SYNCHRONIZE --> | ||
| <GrantedAccess condition="is">0x100000</GrantedAccess> | ||
| <!-- 0x101000 // SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION --> | ||
| <GrantedAccess condition="is">0x101000</GrantedAccess> | ||
| <!-- responsible for a lot of ProcessAccess --> | ||
| <SourceImage condition="is">C:\Windows\system32\wbem\wmiprvse.exe</SourceImage> | ||
| <SourceImage condition="is">C:\Windows\System32\VBoxService.exe</SourceImage> | ||
| </ProcessAccess> | ||
| </RuleGroup> | ||
|
|
||
| <!-- EventID: 11 --> | ||
| <!-- Log all --> | ||
| <FileCreate onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 12/13/14 --> | ||
| <!-- CreateKey and DeleteKey are not taken to limit the number of registry operations --> | ||
| <RuleGroup groupRelation="or"> | ||
| <RegistryEvent onmatch="exclude"> | ||
| <Image condition="is">C:\Windows\Sysmon.exe</Image> | ||
| <Image condition="is">C:\Windows\Sysmon64.exe</Image> | ||
| <!-- CreateKey and DeleteKey not taken --> | ||
| <EventType condition="is not">SetValue</EventType> | ||
| </RegistryEvent> | ||
| </RuleGroup> | ||
|
|
||
| <!-- EventID: 15 --> | ||
| <!-- Log all --> | ||
| <FileCreateStreamHash onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 17/18 --> | ||
| <!-- Log all --> | ||
| <PipeEvent onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 19/20/21 --> | ||
| <!-- Log all --> | ||
| <WmiEvent onmatch="exclude" /> | ||
|
|
||
| <!-- EventID: 22 --> | ||
| <RuleGroup groupRelation="or"> | ||
| <DnsQuery onmatch="exclude"> | ||
| <Image condition="is">C:\Windows\Sysmon.exe</Image> | ||
| <Image condition="is">C:\Windows\Sysmon64.exe</Image> | ||
| </DnsQuery> | ||
| </RuleGroup> | ||
|
|
||
| </EventFiltering> | ||
| </Sysmon> |