· 6 years ago · Sep 21, 2019, 03:56 PM
<!--
  sysmon-config | A Sysmon configuration focused on default high-quality event tracing and easy customization by the community
  Master version: 64 | Date: 2018-01-30
  Master author: @SwiftOnSecurity, other contributors also credited in-line or on Git
  Master project: https://github.com/SwiftOnSecurity/sysmon-config
  Master license: Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.

  Fork version: <N/A>
  Fork author: <N/A>
  Fork project: <N/A>
  Fork license: <N/A>

  REQUIRED: Sysmon version 7.01 or higher (due to changes in registry syntax and bug-fixes)
  https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
  Note that 6.03 and 7.01 have critical fixes for filtering; it's recommended you stay updated.

  NOTE: To collect Sysmon logs centrally for free, see https://aka.ms/WEF. Command to allow log access to the Network Service:
  wevtutil.exe sl Microsoft-Windows-Sysmon/Operational /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)

  NOTE: Do not let the size and complexity of this configuration discourage you from customizing it or building your own.
  This configuration is based around known, high-signal event tracing, and thus appears complicated, but it's only very
  detailed. Significant effort over years has been invested in front-loading as much filtering as possible onto the
  client. This is to make analysis of intrusions possible by hand, and to try to surface anomalous activity as quickly
  as possible to any technician armed only with Event Viewer. Its purpose is to democratize system monitoring for all organizations.

  NOTE: Sysmon is NOT a whitelist solution or HIDS engine; it is a computer change and event logging tool with very basic exclude rules.
  Do NOT ignore everything possible. Sysmon's purpose is providing context during a threat or problem investigation. Legitimate
  processes are routinely used by threats - do not blindly exclude them. Additionally, be mindful of process-hollowing / imitation.

  NOTE: Sysmon is not hardened against an attacker with admin rights. Additionally, this configuration offers an attacker willing
  to study it many ways to evade some of the logging. If you are in a high-threat environment, you should consider a much broader
  log-most approach. However, in the vast majority of cases, an attacker will bumble along through multiple behavioral traps which
  this configuration monitors, especially in the first minutes.

  TECHNICAL:
  - Run sysmon.exe -? for a briefing on Sysmon configuration.
  - Other languages may require localization. Registry and filesystem paths can change. For example, \shell\open\command\, where "open" is localized.
  - Sysmon does not support nested/multi-conditional rules. There are only blanket INCLUDE and EXCLUDE. "Exclude" rules override "Include" rules.
  - If you only specify exclude for a filtering subsection, everything in that subsection is logged by default.
  - Some Sysmon monitoring abilities are not meant for widely deployed general-purpose use due to performance impact. It depends on the environment.
  - Duplicate or overlapping "Include" rules do not result in duplicate events being logged.
  - All characters enclosed by XML tags are always interpreted literally. Sysmon does not support wildcards (*), alternate characters, or RegEx.
  - In registry events, the value name is appended to the full key path with a "\" delimiter. Default key values are named "\(Default)".
  - "Image" is a technical term for a compiled binary file like an EXE or DLL. Also, it can match just the filename, or the entire path.
  - "ProcessGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual process launches. Cleared on service restart.
  - "LogonGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual user sessions. Cleared on service restart.
  - Sysmon does not track which rule caused an event to be logged.

  FILTERING: Filter conditions available for use are: is, is not, contains, excludes, begin with, end with, less than, more than, image
  - The "image" filter is usable with any field. Same as "is", but it can either match the entire string, or only the text after the last "\" in the string. Credit: @mattifestation

  PERFORMANCE: By using "end with" you can save performance by starting a string match at the end of a line, which usually triggers earlier.
-->

<Sysmon schemaversion="4.21">
  <!--SYSMON META CONFIG-->
  <HashAlgorithms>md5,sha256</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
  <CheckRevocation/> <!-- Check loaded drivers, log if their code-signing certificate has been revoked, in case malware stole one to sign a kernel driver -->

  <!-- <ImageLoad/> --> <!-- Would manually force-on ImageLoad monitoring, even without configuration below. Included only for documentation. -->
  <!-- <ProcessAccessConfig/> --> <!-- Would manually force-on ProcessAccess monitoring, even without configuration below. Included only for documentation. -->
  <!-- <PipeMonitoringConfig/> --> <!-- Would manually force-on PipeCreated / PipeConnected events, even without configuration below. Included only for documentation. -->

  <EventFiltering>
    <DnsQuery onmatch="exclude" />

    <!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
    <!--COMMENT: All processes launched will be included, except for what matches a rule below. It's best to be as specific as possible, to
      avoid user-mode executables imitating other process names to avoid logging, or if malware drops files in an existing directory.
      Ultimately, you must weigh CPU time checking many detailed rules against the risk of malware exploiting the blindness created.
      Beware of Masquerading, where attackers imitate the names and paths of legitimate tools. Ideally, you'd use both file path and
      code signatures to validate, but Sysmon does not support that. Look into Windows Device Guard for whitelisting support. -->

    <!--DATA: UtcTime, ProcessGuid, ProcessID, Image, FileVersion, Description, Product, Company, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine-->
    <ProcessCreate onmatch="exclude" />

    <!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
    <!--COMMENT: [ https://attack.mitre.org/wiki/Technique/T1099 ] -->

    <!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime-->

    <FileCreateTime onmatch="exclude" />

    <!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED [NetworkConnect]-->
    <!--COMMENT: By default this configuration takes a very conservative approach to network logging, limited to only extremely high-signal events.-->
    <!--COMMENT: [ https://attack.mitre.org/wiki/Command_and_Control ] [ https://attack.mitre.org/wiki/Exfiltration ] [ https://attack.mitre.org/wiki/Lateral_Movement ] -->
    <!--TECHNICAL: For the DestinationHostname, Sysmon uses the GetNameInfo API, which will often not have any information, and may just be a CDN. This is NOT reliable for filtering.-->
    <!--TECHNICAL: For the DestinationPortName, Sysmon uses the GetNameInfo API for the friendly name of ports you see in logs.-->
    <!--TECHNICAL: These executables do not initiate their own connections, so include rules for them do not work in this section: BITSADMIN NLTEST-->

    <!-- https://www.first.org/resources/papers/conf2017/APT-Log-Analysis-Tracking-Attack-Tools-by-Audit-Policy-and-Sysmon.pdf -->

    <!--DATA: UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpV6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName-->
    <NetworkConnect onmatch="exclude" />


    <!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES-->

    <!--DATA: UtcTime, State, Version, SchemaVersion-->
    <!--Cannot be filtered.-->

    <!--SYSMON EVENT ID 5 : PROCESS ENDED [ProcessTerminate]-->
    <!--COMMENT: Useful data in building infection timelines.-->

    <!--DATA: UtcTime, ProcessGuid, ProcessId, Image-->
    <ProcessTerminate onmatch="exclude" />


    <!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
    <!--COMMENT: Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
      about what you exclude from monitoring. Low event volume, little incentive to exclude.
      [ https://attack.mitre.org/wiki/Technique/T1014 ] -->
    <!--TECHNICAL: Sysmon will check the signing certificate revocation status of any driver you don't exclude.-->

    <!--DATA: UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft drivers-->
      <Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft drivers-->
      <Signature condition="begin with">Intel </Signature> <!--Exclude signed Intel drivers-->
    </DriverLoad>

    <!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS [ImageLoad]-->
    <!--COMMENT: Can cause high system load, disabled by default.-->
    <!--COMMENT: [ https://attack.mitre.org/wiki/Technique/T1073 ] [ https://attack.mitre.org/wiki/Technique/T1038 ] [ https://attack.mitre.org/wiki/Technique/T1034 ] -->

    <!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
    <ImageLoad onmatch="include">
    </ImageLoad>

    <!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]-->
    <!--COMMENT: Monitor for processes injecting code into other processes. Often used by malware to cloak their actions. Also when Firefox loads Flash.
      [ https://attack.mitre.org/wiki/Technique/T1055 ] -->

    <!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->
    <CreateRemoteThread onmatch="exclude" />

    <!--SYSMON EVENT ID 9 : RAW DISK ACCESS [RawAccessRead]-->
    <!--EVENT 9: "RawAccessRead detected"-->
    <!--COMMENT: Can cause high system load, disabled by default.-->
    <!--COMMENT: Monitor for raw sector-level access to the disk, often used to bypass access control lists or access locked files.
      Disabled by default since including even one entry here activates this component. Reward/performance/rule maintenance decision.
      We encourage you to experiment with this feature yourself. [ https://attack.mitre.org/wiki/Technique/T1067 ] -->
    <!--COMMENT: You will likely want to set this to a full capture on domain controllers, where no process should be doing raw reads.-->

    <!--DATA: UtcTime, ProcessGuid, ProcessId, Image, Device-->
    <RawAccessRead onmatch="include">
    </RawAccessRead>

    <!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS [ProcessAccess]-->
    <!--EVENT 10: "Process accessed"-->
    <!--COMMENT: Can cause high system load, disabled by default.-->
    <!--COMMENT: Monitor for processes accessing other processes' memory.-->

    <!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
    <ProcessAccess onmatch="include" />

    <!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
    <!--EVENT 11: "File created"-->
    <!--NOTE: Other filesystem "minifilters" can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
    <!--NOTE: You may not see files detected by antivirus. Other filesystem minifilters, like antivirus, can act before Sysmon receives the alert that a file was written.-->

    <!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
    <FileCreate onmatch="exclude" />

    <!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->
    <!--EVENT 12: "Registry object added or deleted"-->
    <!--EVENT 13: "Registry value set"-->
    <!--EVENT 14: "Registry object renamed"-->

    <!--NOTE: Windows writes hundreds or thousands of registry keys a minute, so even when you are not changing anything, these rules are still being evaluated.-->
    <!--NOTE: You do not have to spend a lot of time worrying about performance, CPUs are fast, but it's something to consider. Every rule and condition type has a small cost.-->
    <!--NOTE: "contains" works by finding the first letter, then matching the second, etc., so the first letters should be as low-occurrence as possible.-->
    <!--NOTE: [ https://attack.mitre.org/wiki/Technique/T1112 ] -->

    <!--TECHNICAL: You cannot filter on the "Details" attribute, due to performance issues when very large keys are written, and the variety of data formats-->
    <!--TECHNICAL: Possible prefixes are HKLM, HKCR, and HKU-->
    <!--CRITICAL: Schema version 3.30 and higher change HKLM\="\REGISTRY\MACHINE\" and HKU\="\REGISTRY\USER\" and HKCR\="\REGISTRY\MACHINE\SOFTWARE\Classes\" and CurrentControlSet="ControlSet001"-->
    <!--CRITICAL: Due to a bug, Sysmon versions BEFORE 7.01 may not properly log with the new prefix style for registry keys that was originally introduced in schema version 3.30-->
    <!--NOTE: Because Sysmon runs as a service, it has no filtering ability for, or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation-->

    <!-- ! CRITICAL NOTE !: It may appear this section is MISSING important entries, but SOME RULES MONITOR MANY KEYS, so look VERY CAREFULLY to see if something is already covered.-->

    <!--DATA: EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, Details (can't filter on), NewName (can't filter on)-->
    <RegistryEvent onmatch="exclude"/>

    <!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
    <!--EVENT 15: "File stream created"-->
    <!--COMMENT: Any files created with an NTFS Alternate Data Stream which match these rules will be hashed and logged.
      [ https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/ ]
      ADS's are used by browsers and email clients to mark files as originating from the Internet or other foreign sources.
      [ https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/ ] -->
    <!--NOTE: Other filesystem minifilters can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->

    <!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, Hash-->
    <FileCreateStreamHash onmatch="include">
      <TargetFilename condition="contains">Downloads</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
      <TargetFilename condition="contains">Temp\7z</TargetFilename> <!--7zip extractions-->
      <TargetFilename condition="contains">Startup</TargetFilename> <!--ADS startup | Example: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
      <TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
      <TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting | Credit @ion-storm -->
      <TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
      <TargetFilename condition="end with">.lnk</TargetFilename> <!--Shortcut file | Credit @ion-storm -->
      <TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell-->
      <TargetFilename condition="end with">.ps2</TargetFilename> <!--PowerShell-->
      <TargetFilename condition="end with">.reg</TargetFilename> <!--Registry File-->
      <TargetFilename condition="end with">.jse</TargetFilename> <!--JScript Encoded script-->
      <TargetFilename condition="end with">.vb</TargetFilename> <!--VisualBasicScripting files-->
      <TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting files-->
      <TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting files-->
    </FileCreateStreamHash>

    <FileCreateStreamHash onmatch="exclude">
    </FileCreateStreamHash>

    <!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE-->
    <!--EVENT 16: "Sysmon config state changed"-->
    <!--COMMENT: This ONLY logs if the hash of the configuration changes. Running "sysmon.exe -c" with the current configuration will not be logged with Event 16-->

    <!--DATA: UtcTime, Configuration, ConfigurationFileHash-->
    <!--Cannot be filtered.-->

    <!--SYSMON EVENT ID 17 & 18 : PIPE CREATED / PIPE CONNECTED [PipeEvent]-->
    <!--EVENT 17: "Pipe Created"-->
    <!--EVENT 18: "Pipe Connected"-->

    <!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
    <!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->

    <!--DATA: UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
    <PipeEvent onmatch="exclude" />

    <!--SYSMON EVENT ID 19 & 20 & 21 : WMI EVENT MONITORING [WmiEvent]-->
    <!--EVENT 19: "WmiEventFilter activity detected"-->
    <!--EVENT 20: "WmiEventConsumer activity detected"-->
    <!--EVENT 21: "WmiEventConsumerToFilter activity detected"-->

    <!--ADDITIONAL REFERENCE: [ https://www.darkoperator.com/blog/2017/10/15/sysinternals-sysmon-610-tracking-of-permanent-wmi-events ] -->
    <!--ADDITIONAL REFERENCE: [ https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-v610-vs-wmi-persistence/ ] -->

    <!--DATA: EventType, UtcTime, Operation, User, Name, Type, Destination, Consumer, Filter-->
    <WmiEvent onmatch="exclude" />

    <!--SYSMON EVENT ID 255 : ERROR-->
    <!--"This event is generated when an error occurred within Sysmon. They can happen if the system is under heavy load
      and certain tasks could not be performed or a bug exists in the Sysmon service. You can report any bugs on the
      Sysinternals forum or over Twitter (@markrussinovich)."-->
    <!--Cannot be filtered.-->

  </EventFiltering>
</Sysmon>
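The TECHNICAL and FILTERING notes in the header describe Sysmon's flat rule semantics (blanket include/exclude, exclude overriding include, exclude-only sections logging everything, literal matching, and the "image" condition). The following is an added example, not code from the sysmon-config project, that models those semantics in Python so an event can be checked offline against a config fragment; it assumes case-insensitive matching and a default condition of "is", models "less than"/"more than" as plain string comparisons, and uses a constructed config fragment and constructed event values.

```python
# Added example, not code from the sysmon-config project: an offline evaluator
# for the flat include/exclude rule semantics stated in the config header.
import xml.etree.ElementTree as ET

# Constructed fragment in the same format as the config above.
SAMPLE_CONFIG = """<EventFiltering>
  <DriverLoad onmatch="exclude">
    <Signature condition="contains">microsoft</Signature>
  </DriverLoad>
  <ImageLoad onmatch="include">
  </ImageLoad>
  <FileCreateStreamHash onmatch="include">
    <TargetFilename condition="contains">Downloads</TargetFilename>
    <TargetFilename condition="end with">.ps1</TargetFilename>
  </FileCreateStreamHash>
  <FileCreateStreamHash onmatch="exclude">
    <Image condition="image">chrome.exe</Image>
  </FileCreateStreamHash>
</EventFiltering>"""

def matches(condition, rule_value, field_value):
    """One Sysmon filter condition, applied literally (no wildcards/regex).
    Assumptions: case-insensitive; less/more than compare as strings."""
    r, v = rule_value.lower(), field_value.lower()
    return {
        "is": v == r, "is not": v != r,
        "contains": r in v, "excludes": r not in v,
        "begin with": v.startswith(r), "end with": v.endswith(r),
        "less than": v < r, "more than": v > r,
        # "image": the whole string, or only the text after the last "\"
        "image": v == r or v.rsplit("\\", 1)[-1] == r,
    }[condition]

def would_log(config_xml, event_type, event):
    """True if Sysmon would record `event` (dict of field -> value)."""
    sections = list(ET.fromstring(config_xml).iter(event_type))
    if not sections:
        raise ValueError(f"no {event_type} section in config")
    hit, has_include = {"include": False, "exclude": False}, False
    for section in sections:
        mode = section.get("onmatch", "exclude")  # onmatch is mandatory in Sysmon
        has_include = has_include or mode == "include"
        for rule in section:  # <Field condition="...">value</Field>
            if matches(rule.get("condition", "is"), rule.text or "",
                       event.get(rule.tag, "")):
                hit[mode] = True
    if hit["exclude"]:        # "Exclude" rules override "Include" rules
        return False
    if has_include:           # include list present: log only on a match,
        return hit["include"] # so an empty include list logs nothing
    return True               # exclude-only section: everything else is logged
```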