Sysmon v10.41 configuration, schema-4.22

qjerome · qjerome · commit 49cf8b1cc9e5 · 2019-10-02T17:47:28.000+02:00
diff --git a/tools/sysmon/v10/sysmon-v10.4x-all.xml b/tools/sysmon/v10/sysmon-v10.4x-all.xml
@@ -0,0 +1,81 @@
+<Sysmon schemaversion="4.22">
+  <!-- Capture All Hashes -->
+  <HashAlgorithms>*</HashAlgorithms>
+  <EventFiltering>
+
+      <!-- EventID: 1 -->
+      <!-- Log all process creation -->
+      <ProcessCreate onmatch="exclude"/>
+
+      <!-- EventID: 2 -->
+      <!-- Log all file creation time stamps -->
+      <FileCreateTime onmatch="exclude"/>
+
+      <!-- EventID: 3 -->
+      <!-- Log all network connections -->
+      <NetworkConnect onmatch="exclude"/>
+
+      <!-- EventID: 5 -->
+      <!-- Log all process termination -->
+      <ProcessTerminate onmatch="exclude" />
+
+      <!-- EventID: 6 -->
+      <!-- Log all Drivers Loaded -->
+      <DriverLoad onmatch="exclude" />
+
+      <!-- EventID: 7 -->
+      <!-- Log all image loaded-->
+      <!-- There is way too much image loaded by Sysmon.exe in this version -->
+      <!-- Mostly due to the new feature of File Information -->
+      <!-- This Schema needs to be adapted with the name of the service -->
+      <RuleGroup groupRelation="or">
+        <ImageLoad onmatch="exclude">
+          <Image condition="is">C:\Windows\Sysmon.exe</Image>
+          <Image condition="is">C:\Windows\Sysmon64.exe</Image>
+        </ImageLoad>
+      </RuleGroup>
+
+
+      <!-- EventID: 8 -->
+      <!-- Log all RemoteThread created -->
+      <CreateRemoteThread onmatch="exclude" />
+
+      <!-- EventID: 9 -->
+      <!-- Log all -->
+      <RawAccessRead onmatch="exclude" />
+
+      <!-- EventID: 10 -->
+      <!-- Log all -->
+      <ProcessAccess onmatch="exclude" />
+
+      <!-- EventID: 11 -->
+      <!-- Log all -->
+      <FileCreate onmatch="exclude" />
+
+      <!-- EventID: 12/13/14 -->
+      <!-- Log all registry operations -->
+      <RuleGroup groupRelation="or">
+          <RegistryEvent onmatch="exclude">
+            <Image condition="is">C:\Windows\Sysmon.exe</Image>
+            <Image condition="is">C:\Windows\Sysmon64.exe</Image>
+          </RegistryEvent>
+      </RuleGroup>
+
+      <!-- EventID: 15 -->
+      <!-- Log all -->
+      <FileCreateStreamHash onmatch="exclude" />
+
+      <!-- EventID: 17/18 -->
+      <!-- Log all -->
+      <PipeEvent onmatch="exclude" />
+
+      <!-- EventID: 19/20/21 -->
+      <!-- Log all -->
+      <WmiEvent onmatch="exclude" />
+
+      <!-- EventID: 22 -->
+      <!-- Log all -->
+      <DnsQuery onmatch="exclude" />
+
+  </EventFiltering>
+</Sysmon>
diff --git a/tools/sysmon/v10/sysmon-v10.4x-optimal.xml b/tools/sysmon/v10/sysmon-v10.4x-optimal.xml
@@ -0,0 +1,108 @@
+<Sysmon schemaversion="4.22">
+  <!-- Capture All Hashes -->
+  <HashAlgorithms>*</HashAlgorithms>
+  <EventFiltering>
+
+      <!-- EventID: 1 -->
+      <!-- Log all process creation -->
+      <ProcessCreate onmatch="exclude"/>
+
+      <!-- EventID: 2 -->
+      <!-- Log all file creation time stamps -->
+      <FileCreateTime onmatch="exclude"/>
+
+      <!-- EventID: 3 -->
+      <!-- Log all network connections -->
+      <NetworkConnect onmatch="exclude"/>
+
+      <!-- EventID: 5 -->
+      <!-- Log all process termination -->
+      <ProcessTerminate onmatch="exclude" />
+
+      <!-- EventID: 6 -->
+      <!-- Log all Drivers Loaded -->
+      <DriverLoad onmatch="exclude" />
+
+      <!-- EventID: 7 -->
+      <!-- Log all image loaded-->
+      <!-- There is way too much image loaded by Sysmon.exe in this version -->
+      <!-- Mostly due to the new feature of File Information -->
+      <!-- This Schema needs to be adapted with the name of the service -->
+      <RuleGroup groupRelation="or">
+        <ImageLoad onmatch="exclude">
+          <Image condition="is">C:\Windows\Sysmon.exe</Image>
+          <Image condition="is">C:\Windows\Sysmon64.exe</Image>
+          <!-- Whitelist MS signatures -->
+          <!-- Might cause some detection rules not to work -->
+          <!-- example: checking for loading of vaultcli.dll -->
+          <Signature condition="is">Microsoft Windows Publisher</Signature>
+          <Signature condition="is">Microsoft Corporation</Signature>
+          <Signature condition="is">Microsoft Windows</Signature>
+        </ImageLoad>
+      </RuleGroup>
+
+
+      <!-- EventID: 8 -->
+      <!-- Log all RemoteThread created -->
+      <CreateRemoteThread onmatch="exclude" />
+
+      <!-- EventID: 9 -->
+      <!-- Log all -->
+      <RawAccessRead onmatch="exclude" />
+
+      <!-- EventID: 10 -->
+      <!-- Filtered out the more noisy entries -->
+      <RuleGroup groupRelation="or">
+        <ProcessAccess onmatch="exclude">
+          <!-- 0x1000    // PROCESS_QUERY_LIMITED_INFORMATION  Second most frequent -->
+          <GrantedAccess condition="is">0x1000</GrantedAccess>
+          <!-- 0x2000    // UNKNOWN rights -->
+          <GrantedAccess condition="is">0x2000</GrantedAccess>
+          <!-- 0x3000    // UNKNOWN | PROCESS_QUERY_LIMITED_INFORMATION -->
+          <GrantedAccess condition="is">0x3000</GrantedAccess>
+          <!-- 0x100000  // SYNCHRONIZE -->
+          <GrantedAccess condition="is">0x100000</GrantedAccess>
+          <!-- 0x101000  // SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION -->
+          <GrantedAccess condition="is">0x101000</GrantedAccess>
+          <!-- responsible for a lot of ProcessAccess -->
+          <SourceImage condition="is">C:\Windows\system32\wbem\wmiprvse.exe</SourceImage>
+        </ProcessAccess>
+      </RuleGroup>
+
+      <!-- EventID: 11 -->
+      <!-- Log all -->
+      <FileCreate onmatch="exclude" />
+
+      <!-- EventID: 12/13/14 -->
+      <!-- CreateKey and DeleteKey are not taken to limit the number of registry operations -->
+      <RuleGroup groupRelation="or">
+          <RegistryEvent onmatch="exclude">
+            <Image condition="is">C:\Windows\Sysmon.exe</Image>
+            <Image condition="is">C:\Windows\Sysmon64.exe</Image>
+            <!-- CreateKey and DeleteKey not taken -->
+            <EventType condition="is not">SetValue</EventType>
+          </RegistryEvent>
+      </RuleGroup>
+
+      <!-- EventID: 15 -->
+      <!-- Log all -->
+      <FileCreateStreamHash onmatch="exclude" />
+
+      <!-- EventID: 17/18 -->
+      <!-- Log all -->
+      <PipeEvent onmatch="exclude" />
+
+      <!-- EventID: 19/20/21 -->
+      <!-- Log all -->
+      <WmiEvent onmatch="exclude" />
+
+      <!-- EventID: 22 -->
+      <RuleGroup groupRelation="or">
+        <DnsQuery onmatch="exclude">
+            <Image condition="is">C:\Windows\Sysmon.exe</Image>
+            <Image condition="is">C:\Windows\Sysmon64.exe</Image>
+        </DnsQuery>
+      </RuleGroup>
+
+  </EventFiltering>
+</Sysmon>
diff --git a/tools/sysmon/v10/sysmon-v10.4x-vbox-optimal.xml b/tools/sysmon/v10/sysmon-v10.4x-vbox-optimal.xml
@@ -0,0 +1,109 @@
+<Sysmon schemaversion="4.22">
+  <!-- Capture All Hashes -->
+  <HashAlgorithms>*</HashAlgorithms>
+  <EventFiltering>
+
+      <!-- EventID: 1 -->
+      <!-- Log all process creation -->
+      <ProcessCreate onmatch="exclude"/>
+
+      <!-- EventID: 2 -->
+      <!-- Log all file creation time stamps -->
+      <FileCreateTime onmatch="exclude"/>
+
+      <!-- EventID: 3 -->
+      <!-- Log all network connections -->
+      <NetworkConnect onmatch="exclude"/>
+
+      <!-- EventID: 5 -->
+      <!-- Log all process termination -->
+      <ProcessTerminate onmatch="exclude" />
+
+      <!-- EventID: 6 -->
+      <!-- Log all Drivers Loaded -->
+      <DriverLoad onmatch="exclude" />
+
+      <!-- EventID: 7 -->
+      <!-- Log all image loaded-->
+      <!-- There is way too much image loaded by Sysmon.exe in this version -->
+      <!-- Mostly due to the new feature of File Information -->
+      <!-- This Schema needs to be adapted with the name of the service -->
+      <RuleGroup groupRelation="or">
+        <ImageLoad onmatch="exclude">
+          <Image condition="is">C:\Windows\Sysmon.exe</Image>
+          <Image condition="is">C:\Windows\Sysmon64.exe</Image>
+          <!-- Whitelist MS signatures -->
+          <!-- Might cause some detection rules not to work -->
+          <!-- example: checking for loading of vaultcli.dll -->
+          <Signature condition="is">Microsoft Windows Publisher</Signature>
+          <Signature condition="is">Microsoft Corporation</Signature>
+          <Signature condition="is">Microsoft Windows</Signature>
+        </ImageLoad>
+      </RuleGroup>
+
+
+      <!-- EventID: 8 -->
+      <!-- Log all RemoteThread created -->
+      <CreateRemoteThread onmatch="exclude" />
+
+      <!-- EventID: 9 -->
+      <!-- Log all -->
+      <RawAccessRead onmatch="exclude" />
+
+      <!-- EventID: 10 -->
+      <!-- Filtered out the more noisy entries -->
+      <RuleGroup groupRelation="or">
+        <ProcessAccess onmatch="exclude">
+          <!-- 0x1000    // PROCESS_QUERY_LIMITED_INFORMATION  Second most frequent -->
+          <GrantedAccess condition="is">0x1000</GrantedAccess>
+          <!-- 0x2000    // UNKNOWN rights -->
+          <GrantedAccess condition="is">0x2000</GrantedAccess>
+          <!-- 0x3000    // UNKNOWN | PROCESS_QUERY_LIMITED_INFORMATION -->
+          <GrantedAccess condition="is">0x3000</GrantedAccess>
+          <!-- 0x100000  // SYNCHRONIZE -->
+          <GrantedAccess condition="is">0x100000</GrantedAccess>
+          <!-- 0x101000  // SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION -->
+          <GrantedAccess condition="is">0x101000</GrantedAccess>
+          <!-- responsible for a lot of ProcessAccess -->
+          <SourceImage condition="is">C:\Windows\system32\wbem\wmiprvse.exe</SourceImage>
+          <SourceImage condition="is">C:\Windows\System32\VBoxService.exe</SourceImage>
+        </ProcessAccess>
+      </RuleGroup>
+
+      <!-- EventID: 11 -->
+      <!-- Log all -->
+      <FileCreate onmatch="exclude" />
+
+      <!-- EventID: 12/13/14 -->
+      <!-- CreateKey and DeleteKey are not taken to limit the number of registry operations -->
+      <RuleGroup groupRelation="or">
+          <RegistryEvent onmatch="exclude">
+            <Image condition="is">C:\Windows\Sysmon.exe</Image>
+            <Image condition="is">C:\Windows\Sysmon64.exe</Image>
+            <!-- CreateKey and DeleteKey not taken -->
+            <EventType condition="is not">SetValue</EventType>
+          </RegistryEvent>
+      </RuleGroup>
+
+      <!-- EventID: 15 -->
+      <!-- Log all -->
+      <FileCreateStreamHash onmatch="exclude" />
+
+      <!-- EventID: 17/18 -->
+      <!-- Log all -->
+      <PipeEvent onmatch="exclude" />
+
+      <!-- EventID: 19/20/21 -->
+      <!-- Log all -->
+      <WmiEvent onmatch="exclude" />
+
+      <!-- EventID: 22 -->
+      <RuleGroup groupRelation="or">
+        <DnsQuery onmatch="exclude">
+            <Image condition="is">C:\Windows\Sysmon.exe</Image>
+            <Image condition="is">C:\Windows\Sysmon64.exe</Image>
+        </DnsQuery>
+      </RuleGroup>
+
+  </EventFiltering>
+</Sysmon>
