forked from SwiftOnSecurity/sysmon-config
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsysmonconfig-export.xml
255 lines (241 loc) · 23.6 KB
/
sysmonconfig-export.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
<Sysmon schemaversion="3.20">
<HashAlgorithms>md5,IMPHASH</HashAlgorithms>
<EventFiltering>
<!--SYSMON EVENT ID 1 : PROCESS CREATION -->
<ProcessCreate onmatch="exclude">
<!--COMMENT: All process launched will be included in log, except for what mactches a rule below. It's best to be as specific as possible, to
avoid user-mode executables immitating other process names to avoid logging, or if malware drops files in an existing directory.
Ultimately, you must weigh CPU time checking many detailed rules, against the risk of malware exploiting the blindness created.-->
<!--SECTION: Microsoft Windows-->
<IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Microsoft:Windows: Don't care about sandboxed processes-->
<Image condition="begin with">C:\Windows\SystemApps</Image> <!--Microsoft:Windows: Don't care about sandboxed processes-->
<ParentImage condition="image">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
<Image condition="image">C:\Windows\System32\audiodg.exe</Image> <!--Microsoft:Windows: Launched constantly-->
<ParentImage condition="image">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
<ParentImage condition="image">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine>
<ParentCommandLine condition="begin with">C:\Windows\system32\svchost.exe -k DcomLaunch</ParentCommandLine>
<ParentCommandLine condition="begin with">%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!--Triggered when programs use the command shell, but without attribution so not worth time in my situation-->
<Image condition="begin with">C:\Program Files\Windows Defender</Image> <!--Microsoft:Windows:Defender in Win10-->
<Image condition="image">C:\Windows\System32\conhost.exe</Image> <!--Microsoft:Windows: Command line interface host process-->
<Image condition="image">C:\Windows\System32\wbem\WmiApSrv.exe</Image> <!--Microsoft:Windows: WMI performance adpater host process-->
<!--SECTION: Microsoft Office-->
<ParentImage condition="image">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage> <!--Microsoft:Office: Background process-->
<ParentImage condition="image">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</ParentImage> <!--Microsoft:Office: Background process-->
<!--SECTION: Google-->
<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
<CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Update\</CommandLine> <!--Google:Chrome: Updater-->
<!-- SECTION: Firefox -->
<CommandLine condition="begin with">"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox massive command-line arguments || Contributor @Darkbat91 -->
<CommandLine condition="begin with">"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox massive command-line arguments || Contributor @Darkbat91 -->
<!--SECTION: Dell-->
<Image condition="Image">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image> <!--Dell:SupportAssist: routine actions-->
<Image condition="Image">C:\Program Files\Dell\SupportAssist\koala.exe</Image> <!--Dell:SupportAssist: routine actions-->
<!--SECTION: Adobe-->
<CommandLine condition="contains">AcroRd32.exe" /CR </CommandLine> <!--Adobe:AcrobatReader: Uninsteresting sandbox subprocess-->
<CommandLine condition="contains">AcroRd32.exe" --channel</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
<Image condition="image">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> <!--Adobe:Flash: Properly hardened updater, not a risk-->
<!-- COMMENT: Still debating about consolidating Adobe common files entries below -->
<Image condition="Image">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe</Image> <!--Adobe:Creative Cloud-->
<Image condition="image">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe</Image> <!--Adobe:License utility-->
<Image condition="image">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
<Image condition="image">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
<!--SECTION: Drivers-->
<Image condition="begin with">C:\Program Files\NVIDIA Corporation\Display\</Image> <!--Nvidia:Driver: routine actions-->
<Image condition="begin with">C:\Program Files\Realtek\</Image> <!--Realtek:Driver: routine actions-->
<!-- SECTION: McAfee -->
<!-- <Image condition="begin with">C:\Program Files (x86)\McAfee\Common Framework</Image> --> <!-- McAfee:Framework Stops all framework actions from reporting || Contributor @Darkbat91 -->
<!-- <ParentImage condition="Image">C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe</ParentImage> --> <!-- McAfee:Scans Stops engine and scans from reporting || Contributor @Darkbat91 -->
</ProcessCreate>
<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM -->
<FileCreateTime onmatch="include">
<Image condition="begin with">C:\Users</Image> <!--Look for timestomping in user area-->
</FileCreateTime>
<FileCreateTime onmatch="exclude">
<Image condition="image">OneDrive.exe</Image> <!--OneDrive constantly changes file times-->
</FileCreateTime>
<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED -->
<NetworkConnect onmatch="include">
<!--COMMENT: Takes a very conservative approach to network logging.-->
<!--Suspicious sources-->
<Image condition="begin with">C:\Users</Image>
<Image condition="begin with">C:\ProgramData</Image>
<Image condition="end with">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
<Image condition="end with">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
<Image condition="end with">wmic.exe</Image> <!--Microsoft:WindowsManagementInstrumentation: Credit to @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
<Image condition="end with">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: Credit to @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
<Image condition="end with">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: Credit to @arekfurt for reminder -->
<!--Suspicious destinations-->
<DestinationHostname condition="is">api.ipify.org</DestinationHostname> <!--Malware uses to get external IP address-->
<DestinationHostname condition="is">whatismyipaddress.com</DestinationHostname> <!--Malware uses to get external IP address-->
<DestinationHostname condition="is">edns.ip-api.com</DestinationHostname> <!--Malware uses to get external IP address-->
<DestinationHostname condition="is">checkip.dyndns.org</DestinationHostname> <!--Malware uses to get external IP address-->
<DestinationHostname condition="is">icanhazip.com</DestinationHostname> <!--Malware uses to get external IP address-->
<DestinationHostname condition="is">ifconfig.me</DestinationHostname> <!--Malware uses to get external IP address-->
<DestinationHostname condition="is">ifconfig.co</DestinationHostname> <!--Malware uses to get external IP address-->
</NetworkConnect>
<NetworkConnect onmatch="exclude">
<Image condition="image">Spotify.exe</Image> <!--Spotify-->
<Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive-->
<DestinationHostname condition="end with">microsoft.com</DestinationHostname> <!--Microsoft:Update delivery-->
<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname> <!--Microsoft:Update delivery-->
<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname> <!--Microsoft:Update delivery-->
</NetworkConnect>
<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY -->
<!--SYSMON EVENT ID 5 : PROCESS ENDED -->
<ProcessTerminate onmatch="include">
<!--COMMENT: Useful data in building infection timelines.-->
<Image condition="begin with">C:\Users</Image> <!--Process terminations by user binaries-->
</ProcessTerminate>
<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL -->
<DriverLoad onmatch="exclude">
<!--COMMENT: Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
about what you exclude from monitoring. Low event volume, little incentive to exclude.-->
<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft drivers-->
<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft drivers-->
<Signature condition="begin with">Intel </Signature> <!--Exclude signed Intel drivers-->
</DriverLoad>
<!--SYSMON EVENT ID 7 : DLL LOADED BY PROCESS -->
<ImageLoad onmatch="include">
<!--COMMENT: Can cause high system load, disabled by default, important examples included below. -->
<!-- <ImageLoaded condition="contains">system.automation</ImageLoaded> -->
<!-- <ImageLoaded condition="image">wshom.ocx</ImageLoaded> -->
<!-- <ImageLoaded condition="image">vbscript.dll</ImageLoaded> -->
<!-- <ImageLoaded condition="image">javascript.dll</ImageLoaded> -->
<!-- <ImageLoaded condition="contains">msxml4</ImageLoaded> -->
<!-- <ImageLoaded condition="image">hal.dll</ImageLoaded> -->
<!-- <ImageLoaded condition="image">scrrun.dll</ImageLoaded> -->
<!-- <ImageLoaded condition="contains">npjpi</ImageLoaded> -->
<!-- <ImageLoaded condition="image">jp2iexp.dll</ImageLoaded> -->
</ImageLoad>
<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED -->
<CreateRemoteThread onmatch="exclude">
<!--COMMENT: Monitor for processes injecting code into other processes. Often used by malware to cloak their actions.
Exclude mostly-safe sources and log anything else.-->
<SourceImage condition="image">C:\Windows\System32\wbem\WmiPrvSE.exe</SourceImage>
<SourceImage condition="image">C:\Windows\System32\svchost.exe</SourceImage>
<SourceImage condition="image">C:\Windows\System32\wininit.exe</SourceImage>
<SourceImage condition="image">C:\Windows\System32\csrss.exe</SourceImage>
<SourceImage condition="image">C:\Windows\System32\services.exe</SourceImage>
<SourceImage condition="image">C:\Windows\System32\winlogon.exe</SourceImage>
<SourceImage condition="image">C:\Windows\System32\audiodg.exe</SourceImage>
<StartModule condition="is">C:\windows\system32\kernel32.dll</StartModule>
<TargetImage condition="end with">Google\Chrome\Application\chrome.exe</TargetImage>
</CreateRemoteThread>
<!--SYSMON EVENT ID 9 : RAW DISK ACCESS -->
<RawAccessRead onmatch="include">
<!--COMMENT: Monitor for raw sector-level access to the disk, often used to bypass access control lists or access locked files.
Disabled by default since including even one entry here activates this component. Reward/performance/rule maintenance decision.
Encourage you to experiment with this feature yourself.-->
</RawAccessRead>
<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS -->
<ProcessAccess onmatch="include">
<!--COMMENT: Monitor for processes accessing other process' memory. This can be valuable, but can cause massive event glut.
Disabled by default since including even one entry here activates this component. Reward/performance decision.
Encourage you to experiment with this feature yourself.-->
</ProcessAccess>
<!--SYSMON EVENT ID 11 : FILE CREATED -->
<FileCreate onmatch="include">
<TargetFilename condition="contains">\Start Menu</TargetFilename> <!--Microsoft:Windows: Startup links-->
<TargetFilename condition="contains">\Startup</TargetFilename> <!--Microsoft:Windows: Startup links-->
<!-- <TargetFilename condition="begin with">C:\Windows\Prefetch</TargetFilename> --> <!--Microsoft:Windows: Prefetch traces-->
<TargetFilename condition="contains">\Content.Outlook\</TargetFilename> <!--Microsoft:Outlook: attachments-->
<TargetFilename condition="contains">\Downloads\</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
<TargetFilename condition="contains">\Temp\7z</TargetFilename> <!--7zip extractions-->
<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension-->
<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
<TargetFilename condition="begin with">C:\Users\Default</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
<TargetFilename condition="begin with">C:\Windows\System32\drivers</TargetFilename> <!--Microsoft: Drivers dropped here -->
<TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here -->
<TargetFilename condition="begin with">C:\Windows\System32\wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
<TargetFilename condition="begin with">C:\Windows\SysWOW64\wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
<TargetFilename condition="begin with">C:\Windows\System32\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
<TargetFilename condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
</FileCreate>
<FileCreate onmatch="exclude">
<TargetFilename condition="end with">\Downloads</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
<TargetFilename condition="end with">\Start Menu</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
<TargetFilename condition="end with">\Start Menu\Programs</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
<TargetFilename condition="end with">\Start Menu\Programs\Startup</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
</FileCreate>
<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION -->
<RegistryEvent onmatch="include">
<!--Windows shell hijack-->
<TargetObject condition="contains">Windows\CurrentVersion\Shell Extensions</TargetObject> <!--Microsoft:Windows: http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ -->
<TargetObject condition="contains">\ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ -->
<!--Windows internals monitoring-->
<TargetObject condition="is">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged-->
<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject> <!--Microsoft:Windows: Malware likes changing IFEO-->
<!--Autorun or Startups-->
<TargetObject condition="contains">\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows: Group policy scripts -->
<TargetObject condition="contains">\Windows\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Run keys, incld RunOnce, RunOnceEx, RunServicesOnce [Also covers terminal server] -->
<TargetObject condition="contains">\Windows\System\Scripts</TargetObject> <!--Microsoft:Windows: Logon, Loggoff, Shutdown-->
<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject> <!--Microsoft:Windows: Autorun location-->
<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject> <!--Microsoft:Windows: Autorun location-->
<TargetObject condition="end with">\ServiceDll</TargetObject> <!--Microsoft:Windows: Services [ https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services ] -->
<TargetObject condition="end with">\ImagePath</TargetObject> <!--Microsoft:Windows: https://github.com/crypsisgroup/Splunkmon/blob/master/sysmon.cfg -->
<!--AppPaths hijacking-->
<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
<TargetObject condition="begin with">\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
<!--Terminal service boobytraps-->
<TargetObject condition="begin with">\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
<!--File association changes-->
<TargetObject condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Subkey under file associations and CLSID that map to launch command-->
<TargetObject condition="contains">\shell\open\command\</TargetObject> <!--Microsoft:Windows: Subkey under file associations and CLSID that map to launch command-->
<TargetObject condition="contains">\Explorer\FileExts\</TargetObject> <!--Microsoft:Windows: Changes to file extension mapping-->
<!--Group Policy interity-->
<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject>
<!--Winsock and Winsock2-->
<TargetObject condition="begin with">\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\WinSock</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
<!--Credential providers-->
<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
<TargetObject condition="begin with">\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders</TargetObject>
<TargetObject condition="begin with">\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
<TargetObject condition="begin with">\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!-- https://www.malwarearchaeology.com/cheat-sheets -->
<!--AppInit-->
<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
<TargetObject condition="begin with">\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
<!--Printers-->
<TargetObject condition="begin with">\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\</TargetObject>
<!--Office-->
<TargetObject condition="contains">\Microsoft\Office\Outlook\Addins\</TargetObject> <!--Microsoft:Office: Outlook add-ins-->
<!--IE-->
<TargetObject condition="contains">\Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
<TargetObject condition="contains">\Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
<!--Magic registry keys-->
<TargetObject condition="contains">\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject> <!--Microsoft:Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
<!--Commonly malicious indicators-->
<!-- NOT IMPLEMENTED IN SYSMON <Details condition="begin with">rundll32.exe</Details> --> <!-- Often used to kickstart viruses [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
</RegistryEvent>
<RegistryEvent onmatch="exclude">
<!--COMMENT: Remove low-information noise-->
<Image condition="image">C:\windows\explorer.exe</Image>
<Image condition="end with">Office\root\integration\integrator.exe</Image> <!--Microsoft:Office: C2R client-->
<TargetObject condition="end with">ShellBrowser</TargetObject> <!--Microsoft:InternetExplorer: Noise-->
<TargetObject condition="end with">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Run" wildcard-->
<TargetObject condition="end with">\CurrentVersion\App Paths</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\App Paths" wildcard-->
<TargetObject condition="end with">\CurrentVersion\Image File Execution Options</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Image File Execution Options" wildcard-->
<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Cached</TargetObject> <!--Microsoft:Windows: Remove noise from the "\CurrentVersion\Shell Extensions\Cached" wildcard-->
</RegistryEvent>
<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED -->
<FileCreateStreamHash onmatch="include">
<!--COMMENT: Any files created with an NTFS Alternate Data Stream which match these rules will be hashed and logged.
https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/
ADS's are used by browsers and email clients to mark files as originating from the Internet or other foreign sources.
https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/ -->
<TargetFilename condition="contains">Content.Outlook</TargetFilename> <!--Microsoft:Outlook: Attachments-->
<TargetFilename condition="contains">Downloads</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
<TargetFilename condition="contains">Temp\7z</TargetFilename> <!--7zip extractions-->
<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting files-->
<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell-->
</FileCreateStreamHash>
</EventFiltering>
</Sysmon>