|
117 | 117 | <!--SECTION: Microsoft:Windows:svchost--> |
118 | 118 | <!--COMMENT: These generally don't exclude sub-processes, which may be important. Do not exclude RemoteRegistry or Schedule.--> |
119 | 119 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel -s StateRepository</CommandLine> |
| 120 | + <CommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k appmodel -p -s camsvc</CommandLine> |
120 | 121 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel</CommandLine> <!--Microsoft:Windows 10--> |
121 | 122 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel -p -s tiledatamodelsvc</CommandLine> |
122 | 123 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k camera -s FrameServer</CommandLine> |
|
695 | 696 | <RegistryEvent onmatch="exclude"> |
696 | 697 | <!--COMMENT: Remove low-information noise. Often these hide a procress recreating an empty key and do not hide the values created subsequently.--> |
697 | 698 |
|
698 | | - <!--NOTE: A lot of noise can be removed by excluding CreateKey events, which are largely innocuous and account for many entries below. |
699 | | - However, I won't make that decision on your behalf. If you want to do that, uncomment this line: --> |
| 699 | + <!--NOTE: A lot of noise can be removed by excluding CreateKey events, which are largely innocuous--> |
700 | 700 |
|
701 | | - <!-- <CreateKey condition="is">CreateKey</CreateKey> --> |
| 701 | + <EventType condition="is">CreateKey</EventType> |
702 | 702 |
|
703 | 703 | <!--SECTION: Microsoft binaries--> |
704 | 704 | <Image condition="end with">Office\root\integration\integrator.exe</Image> <!--Microsoft:Office: C2R client--> |
|
714 | 714 | <TargetObject condition="end with">Internet Explorer\Toolbar\Locked</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity--> |
715 | 715 | <TargetObject condition="end with">Toolbar\WebBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93}</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity--> |
716 | 716 | <TargetObject condition="end with">ShellBrowser</TargetObject> <!--Microsoft:InternetExplorer: Noise--> |
717 | | - <TargetObject condition="end with">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Run" wildcard--> |
718 | | - <TargetObject condition="end with">\CurrentVersion\RunOnce</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Run" wildcard--> |
719 | | - <TargetObject condition="end with">\CurrentVersion\App Paths</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\App Paths" wildcard--> |
720 | | - <TargetObject condition="end with">\CurrentVersion\Image File Execution Options</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Image File Execution Options" wildcard--> |
721 | | - <TargetObject condition="end with">\CurrentVersion\Shell Extensions\Cached</TargetObject> <!--Microsoft:Windows: Remove noise from the "\CurrentVersion\Shell Extensions\Cached" wildcard--> |
722 | | - <TargetObject condition="end with">\CurrentVersion\Shell Extensions\Approved</TargetObject> <!--Microsoft:Windows: Remove noise from the "\CurrentVersion\Shell Extensions\Approved" wildcard--> |
723 | 717 | <TargetObject condition="end with">}\PreviousPolicyAreas</TargetObject> <!--Microsoft:Windows: Remove noise from \Winlogon\GPExtensions by svchost.exe--> |
724 | 718 | <TargetObject condition="contains">\Control\WMI\Autologger\</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"--> |
725 | 719 | <TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"--> |
726 | 720 | <TargetObject condition="end with">\Lsa\OfflineJoin\CurrentValue</TargetObject> <!--Microsoft:Windows: Sensitive value during domain join--> |
727 | | - <TargetObject condition="end with">\Components\TrustedInstaller\Events</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon--> |
728 | | - <TargetObject condition="end with">\Components\TrustedInstaller</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon--> |
729 | | - <TargetObject condition="end with">\Components\Wlansvc</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon--> |
730 | | - <TargetObject condition="end with">\Components\Wlansvc\Events</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon--> |
731 | 721 | <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\</TargetObject> <!--Microsoft:Windows: Remove noise monitoring installations run as system--> |
732 | | - <TargetObject condition="end with">\Directory\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes--> |
733 | | - <TargetObject condition="end with">\Directory\shellex\DragDropHandlers</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes--> |
734 | | - <TargetObject condition="end with">\Drive\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes--> |
735 | | - <TargetObject condition="end with">\Drive\shellex\DragDropHandlers</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes--> |
736 | 722 | <TargetObject condition="contains">_Classes\AppX</TargetObject> <!--Microsoft:Windows: Remove noise monitoring "Shell\open\command"--> <!--Win8+--> |
737 | 723 | <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject> <!--Microsoft:Windows: SvcHost Noise--> |
738 | 724 | <Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image> <!--Microsoft:Windows: Remove noise from Windows 10 Cortana | Credit @ion-storm--> <!--Win10--> |
739 | 725 | <Image condition="is">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe</Image> |
740 | 726 | <!--Bootup Control noise--> |
741 | | - <TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+--> |
742 | | - <TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+--> |
743 | | - <TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+--> |
744 | 727 | <TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaPid</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> |
745 | 728 | <TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+--> |
746 | 729 | <TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+--> |
747 | | - <TargetObject condition="end with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+--> |
748 | 730 | <!--Services startup settings noise, some low-risk services routinely change it and this can be ignored--> |
749 | 731 | <TargetObject condition="end with">\Services\BITS\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"--> |
750 | 732 | <TargetObject condition="end with">\services\clr_optimization_v2.0.50727_32\Start</TargetObject> <!--Microsoft:dotNet: Windows 7--> |
|
767 | 749 | <TargetObject condition="end with">} 0xFFFF</TargetObject> <!--Microsoft:Windows: Remove noise generated by explorer.exe on monitored ShellCached binary keys--> <!--Win8+--> |
768 | 750 | <!--Group Policy noise--> |
769 | 751 | <TargetObject condition="end with">HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups</TargetObject> <!--Microsoft:Windows: Routinely set through Group Policy, not especially important to log--> |
770 | | - <TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building--> |
771 | | - <TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building--> |
772 | | - <TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building--> |
773 | 752 | <TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\PSScriptOrder</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building--> |
774 | 753 | <TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\SOM-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building--> |
775 | 754 | <TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\GPO-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building--> |
776 | 755 | <TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\IsPowershell</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building--> |
777 | 756 | <TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\ExecTime</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building--> |
778 | | - <TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building--> |
779 | | - <TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building--> |
780 | 757 | <TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\PSScriptOrder</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building--> |
781 | 758 | <TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\SOM-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building--> |
782 | 759 | <TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\GPO-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building--> |
|
867 | 844 | It's fine to exclude monitoring these bulk low-value lookups, but at same time, you would not have a full log of how malware communicated, potentially missing C2. |
868 | 845 | This section of Sysmon configuration will require your full judgement and knowledge of your org's priorities. There is no correct answer.--> |
869 | 846 |
|
| 847 | + <!--OPERATIONS: Chrome and Firefox often prefetch DNS lookups it sees on a page, or use alternate DNS lookup methods Sysmon won't capture. You need to turn these off. |
| 848 | + Search for Group Policy for these browsers to configure this.--> |
| 849 | + |
870 | 850 | <!--OPERATIONS: Most DNS traffic is web advertising. To significantly reduce DNS queries and malware ads, enable client-side advertising filtering via Group Policy. This is easy. |
871 | 851 | Internet Explorer: https://decentsecurity.com/adblocking-for-internet-explorer-deployment/ |
872 | 852 | Chrome: https://decentsecurity.com/ublock-for-google-chrome-deployment/ |
|
891 | 871 | <!-- Rejected: .googleapis.com, customer content [ https://www.zdnet.com/article/this-business-email-scam-spreads-trojans-through-google-cloud-storage/ ]--> |
892 | 872 | <!-- Rejected: .cloudfront.net, customer content --> |
893 | 873 | <!-- Rejected: .windows.net, customer content --> |
| 874 | + <!-- Rejected: *github.com, customer content--> |
894 | 875 |
|
895 | 876 | <RuleGroup name="Dns" groupRelation="or"> |
896 | 877 | <DnsQuery onmatch="exclude"> |
|
911 | 892 | <QueryName condition="end with">.skype.com</QueryName> <!--Microsoft | Microsoft default exclusion--> |
912 | 893 | <QueryName condition="end with">.skype.net</QueryName> <!--Microsoft | Microsoft default exclusion--> |
913 | 894 | <QueryName condition="end with">.msocdn.com</QueryName> <!--Microsoft--> |
| 895 | + <QueryName condition="end with">.windows.com</QueryName> <!--Microsoft--> |
914 | 896 | <!--Microsoft:Office365/AzureAD--> |
915 | 897 | <QueryName condition="end with">.msauth.net</QueryName> |
916 | 898 | <QueryName condition="end with">.msftauth.net</QueryName> |
917 | 899 | <QueryName condition="is">outlook.office365.com</QueryName> <!--Microsoft: Protected by HSTS--> |
918 | 900 | <QueryName condition="end with">.activedirectory.windowsazure.com</QueryName> <!--Microsoft: AzureAD--> |
919 | 901 | <QueryName condition="end with">oms.opinsights.azure.com</QueryName> <!--Microsoft: AzureAD/InTune client event monitoring--> |
920 | 902 | <QueryName condition="end with">.aria.microsoft.com</QueryName> <!--Microsoft: OneDrive/SharePoint--> |
921 | | - <QueryName condition="end with">.management.azure.com</QueryName> <!--Microsoft: AzureAD/InTune--> |
| 903 | + <QueryName condition="is">management.azure.com</QueryName> <!--Microsoft: AzureAD/InTune--> |
| 904 | + <QueryName condition="is">portal.azure.com</QueryName> <!--Microsoft: AzureAD/InTune--> |
922 | 905 | <!--3rd-party applications--> |
923 | 906 | <QueryName condition="end with">.spotify.com</QueryName> |
| 907 | + <!--Goodlist CDN--> |
| 908 | + <QueryName condition="is">cdnjs.cloudflare.com</QueryName> <!--Cloudflare: Hosts popular javascript libraries--> |
924 | 909 | <!--Misc--> |
925 | 910 | <QueryName condition="end with">.adap.tv</QueryName> <!--Ads:AOL | Microsoft default exclusion [ https://www.crunchbase.com/organization/adap-tv ] --> |
926 | 911 | <QueryName condition="end with">.addthis.com</QueryName> <!--Ads:Oracle | Microsoft default exclusion [ https://en.wikipedia.org/wiki/AddThis ] --> |
|
935 | 920 | <QueryName condition="end with">.googlevideo.com</QueryName> <!--Google | Microsoft default exclusion--> |
936 | 921 | <QueryName condition="end with">.gstatic.com</QueryName> <!--Google | Microsoft default exclusion--> |
937 | 922 | <QueryName condition="end with">.msn.com</QueryName> <!--Microsoft | Microsoft default exclusion--> |
| 923 | + <QueryName condition="end with">.pardot.com</QueryName> |
938 | 924 | <QueryName condition="end with">.pinterest.com</QueryName> <!--Pinerest--> |
| 925 | + <QueryName condition="end with">.outbrain.com</QueryName> |
939 | 926 | <QueryName condition="end with">.revsci.net</QueryName> <!--Ads:Omniture | Microsoft default exclusion--> |
| 927 | + <QueryName condition="end with">.gvt1.com</QueryName> <!--Google--> |
940 | 928 | <QueryName condition="end with">.gvt2.com</QueryName> <!--Google--> |
| 929 | + <QueryName condition="end with">.moatads.com</QueryName> <!--Ads | Microsoft default exclusion--> |
941 | 930 | <QueryName condition="is">fonts.googleapis.com</QueryName> <!--Google fonts--> |
| 931 | + <QueryName condition="is">safebrowsing.googleapis.com</QueryName> <!--Google--> |
| 932 | + <QueryName condition="is">update.googleapis.com</QueryName> <!--Google--> |
| 933 | + <QueryName condition="is">clientservices.googleapis.com</QueryName> <!--Google--> |
942 | 934 | <QueryName condition="end with">.jivox.com</QueryName> <!--Ads--> |
943 | 935 | <QueryName condition="end with">.myvisualiq.net</QueryName> <!--Ads--> |
944 | 936 | <QueryName condition="end with">.smartadserver.com</QueryName> <!--Ads--> |
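Review bot: The shortened NOTE at new line 699 no longer tells a reader that the `<EventType condition="is">CreateKey</EventType>` added at new line 701 is now active for every process and every key, nor what that costs: the old comment framed it as an opt-in the administrator had to enable, and the surviving COMMENT above it only explains that value writes remain visible. If exclude matches take precedence over includes, as in current Sysmon releases, keys watched elsewhere in the include section also lose their creation events, so I would reword the NOTE to `<!--NOTE: CreateKey events are excluded below for every process and key; key-creation-only activity is not logged, values set afterwards still are. Remove the EventType line to restore them.-->`. In the DNS hunk, `.pardot.com` (new line 923) and `.outbrain.com` (new line 925) are the only added QueryName entries without an owner/category comment, unlike every neighbour; `<!--Marketing:Salesforce-->` and `<!--Ads-->` would follow the file's convention. The `C:\WINDOWS` spelling on the new camsvc line (new line 120) differs from every sibling's `C:\Windows`; presumably harmless given Sysmon's case-insensitive comparison, but `C:\Windows` keeps the section uniform.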
|