introduce new conditions to config and make use of 'not begin with' in ProcessAccess

Author: phantinuss

sysmonconfig-export.xml

@@ -50,7 +50,7 @@
   - "Image" is a technical term for a compiled binary file like an EXE or DLL. Also, it can match just the filename, or entire path.
   - "ProcessGuid" and "LoginGuid" are not random, they contain some embedded information. https://gist.github.com/mattifestation/0102042160c9a60b2b847378c0ef70b4
 
-  FILTERING: Filter conditions available for use are: is,is not,contains,contains any,contains all,excludes,excludes any,excludes all,begin with,end with,less than,more than,image
+  FILTERING: Filter conditions available for use are: is,is any,is not,contains,contains any,contains all,excludes,excludes any,excludes all,begin with,end with,not begin with,not end with,less than,more than,image
   - The "image" filter is usable on any field. Same as "is" but can either match entire string, or only the text after last "\". Credit: @mattifestation
 
 -->
@@ -485,14 +485,27 @@
 		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
 	<RuleGroup name="" groupRelation="or">
 		<ProcessAccess onmatch="include">
-			<CallTrace condition="begin with">UNKNOWN</CallTrace> <!-- CobaltStrike BOF using NtOpenProcess Ref: https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6 -->
+			<!-- CobaltStrike BOF using OpenProcess/NtOpenProcess Ref: https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6 -->
 			<Rule groupRelation="and">
-				<TargetImage name="lsass.exe access" condition="end with">lsass.exe</TargetImage>
+				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\ntdll.dll</CallTrace>
+				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\win32u.dll</CallTrace>
+				<CallTrace condition="not begin with">C:\Windows\SYSTEM32\wow64win.dll</CallTrace>
+			</Rule>
+			<CallTrace condition="begin with">UNKNOWN</CallTrace>
+			<!-- lsass.exe access with critical permission -->
+			<Rule groupRelation="and">
+				<TargetImage condition="end with">lsass.exe</TargetImage>
 				<GrantedAccess condition="contains any">0x40,0x1000,0x1010,0x1038,0x1410,0x1418,0x1438,0x143a,0x100000,0x1f0fff,0x1f1fff,0x1f2fff,0x1f3fff,0x1fffff</GrantedAccess> <!--0x1400 too noisy-->
 			</Rule>
 		</ProcessAccess>
 	</RuleGroup>
 
+	<RuleGroup name="" groupRelation="or">
+		<ProcessAccess onmatch="exclude">
+			<!-- NOTE: Potentially noisy PorcessAccess Events in your environment can be excluded here -->
+		</ProcessAccess>
+	</RuleGroup>
+
 	<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
 		<!--EVENT 11: "File created"-->
 		<!--NOTE:	Other filesystem "minifilters" can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->