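--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -508,7 +508,7 @@
 
 <RuleGroupname=""groupRelation="or">
 <ProcessAccessonmatch="exclude">
-<!-- NOTE: Potentially noisy PorcessAccess Events in your environment can be excluded here -->
+<!-- NOTE: Potentially noisy ProcessAccess Events in your environment can be excluded here -->
 </ProcessAccess>
 </RuleGroup>
 
@@ -673,6 +673,8 @@
 <TargetObjectcondition="end with">LastLoggedOnUser</TargetObject> <!--Windows: Changing last-logged in user-->
 <TargetObjectname="ModifyRemoteDesktopPort"condition="end with">RDP-tcp\PortNumber</TargetObject> <!--Windows: Changing RDP port to evade IDS-->
 <TargetObjectcondition="end with">Services\PortProxy\v4tov4</TargetObject> <!--Windows: Changing RDP port to evade IDS-->
+<TargetObjectcondition="contains">\Microsoft\Terminal Server Client\Default\MRU</TargetObject> <!-- MSTSC Connection History -->
+<TargetObjectcondition="contains">\Microsoft\Terminal Server Client\Servers\</TargetObject> <!-- MSTSC Connection History -->
 <!--CLSID launch commands and Default File Association changes-->
 <TargetObjectname="T1042"condition="contains">\command\</TargetObject> <!--Windows: Sensitive sub-key under file associations and CLSID that map to launch command-->
 <TargetObjectname="T1122"condition="contains">\ddeexec\</TargetObject> <!--Windows: Sensitive sub-key under file associations and CLSID that map to launch command-->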
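Review bot: The two TargetObject rules added at new lines 676–677 carry no `name` attribute, while neighbouring rules in the same list (`ModifyRemoteDesktopPort`, `T1042`, `T1122`) do; Sysmon emits that attribute as the RuleName field of the matching event, so hits on the MSTSC connection-history keys will reach the SIEM without a label for analysts to pivot or alert on. Consider `<TargetObject name="RDPConnectionHistory" condition="contains">\Microsoft\Terminal Server Client\Default\MRU</TargetObject>` and the same name on the `\Servers\` rule (the name is a constructed label, pick one matching the file's convention). The trailing comments also depart from the surrounding `<!--Windows: …-->` form; `<!--Windows: MSTSC connection history, records outbound RDP targets-->` would keep them consistent. The enclosing rule list (presumably a RegistryEvent include group) starts and ends outside the hunk.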