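<Sysmon schemaversion="4.00">
  <!--SYSMON META CONFIG-->
  <!-- Verbose baseline. Every filterable event type below is declared with an EMPTY onmatch="exclude" block,
       which makes Sysmon log ALL events of that type (an exclude block with no rules excludes nothing).
       Expect very high volume, in particular from IDs 7 (ImageLoad), 10 (ProcessAccess) and 11 (FileCreate);
       size the Sysmon event log and any forwarding pipeline accordingly before rolling this out. -->
  <HashAlgorithms>md5,sha256</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
  <CheckRevocation/> <!-- Check loaded drivers, log if their code-signing certificate has been revoked, in case malware stole one to sign a kernel driver -->
  <EventFiltering>
    <!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
    <ProcessCreate onmatch="exclude">
    </ProcessCreate>
    <!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
    <FileCreateTime onmatch="exclude">
    </FileCreateTime>
    <!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED [NetworkConnect]-->
    <NetworkConnect onmatch="exclude">
    </NetworkConnect>
    <!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES-->
    <!--DATA: UtcTime, State, Version, SchemaVersion-->
    <!--Cannot be filtered.-->
    <!--SYSMON EVENT ID 5 : PROCESS ENDED [ProcessTerminate]-->
    <!--DATA: UtcTime, ProcessGuid, ProcessId, Image-->
    <ProcessTerminate onmatch="exclude">
    </ProcessTerminate>
    <!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
    <!--DATA: UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
    <DriverLoad onmatch="exclude">
    </DriverLoad>
    <!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS [ImageLoad]-->
    <!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
    <!--COMMENT: Logging every image load is the single noisiest setting in this file; keep it only where the volume can be absorbed.-->
    <ImageLoad onmatch="exclude">
    </ImageLoad>
    <!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]-->
    <!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->
    <CreateRemoteThread onmatch="exclude">
    </CreateRemoteThread>
    <!--SYSMON EVENT ID 9 : RAW DISK ACCESS [RawAccessRead]-->
    <!--DATA: UtcTime, ProcessGuid, ProcessId, Image, Device-->
    <RawAccessRead onmatch="exclude">
    </RawAccessRead>
    <!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS [ProcessAccess]-->
    <!--EVENT 10: "Process accessed"-->
    <!--COMMENT: Can cause high system load and is disabled by default in Sysmon; this verbose config ENABLES it for every process pair.-->
    <!--COMMENT: Monitor for processes accessing other processes' memory.-->
    <!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
    <ProcessAccess onmatch="exclude">
    </ProcessAccess>
    <!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
    <!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
    <FileCreate onmatch="exclude">
    </FileCreate>
    <!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->
    <!--EVENT 12: "Registry object added or deleted"-->
    <!--EVENT 13: "Registry value set"-->
    <!--EVENT 14: "Registry object renamed"-->
    <!--DATA: EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, Details (can't filter on), NewName (can't filter on)-->
    <RegistryEvent onmatch="exclude">
    </RegistryEvent>
    <!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
    <!--EVENT 15: "File stream created"-->
    <!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, Hash-->
    <FileCreateStreamHash onmatch="exclude">
    </FileCreateStreamHash>
    <!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE-->
    <!--EVENT 16: "Sysmon config state changed"-->
    <!--DATA: UtcTime, Configuration, ConfigurationFileHash-->
    <!--Cannot be filtered.-->
    <!--SYSMON EVENT ID 17 & 18 : PIPE CREATED / PIPE CONNECTED [PipeEvent]-->
    <!--EVENT 17: "Pipe Created"-->
    <!--EVENT 18: "Pipe Connected"-->
    <!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
    <!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
    <!--DATA: UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
    <!--COMMENT: Was onmatch="include" with no rules, which matches nothing and therefore silently dropped every pipe event.
        Switched to an empty onmatch="exclude" so pipe events are logged like every other type in this verbose config.-->
    <PipeEvent onmatch="exclude">
    </PipeEvent>
    <!--SYSMON EVENT ID 19 & 20 & 21 : WMI EVENT MONITORING [WmiEvent]-->
    <!--EVENT 19: "WmiEventFilter activity detected"-->
    <!--EVENT 20: "WmiEventConsumer activity detected"-->
    <!--EVENT 21: "WmiEventConsumerToFilter activity detected"-->
    <!--ADDITIONAL REFERENCE: [ https://www.darkoperator.com/blog/2017/10/15/sysinternals-sysmon-610-tracking-of-permanent-wmi-events ] -->
    <!--ADDITIONAL REFERENCE: [ https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-v610-vs-wmi-persistence/ ] -->
    <!--DATA: EventType, UtcTime, Operation, User, Name, Type, Destination, Consumer, Filter-->
    <WmiEvent onmatch="exclude">
    </WmiEvent>
    <!--SYSMON EVENT ID 255 : ERROR-->
    <!--"This event is generated when an error occurred within Sysmon. They can happen if the system is under heavy load
    and certain tasked could not be performed or a bug exists in the Sysmon service. You can report any bugs on the
    Sysinternals forum or over Twitter (@markrussinovich)."-->
    <!--Cannot be filtered.-->
  </EventFiltering>
</Sysmon>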