129 | 129 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc</CommandLine> |
130 | 130 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s nsi</CommandLine> |
131 | 131 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s w32Time</CommandLine> |
132 | | - <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation</CommandLine> <!--Windows: Network services--> |
| 132 | + <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation</CommandLine> <!--Windows: Network services--> |
133 | 133 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -p</CommandLine> <!--Windows: Network services--> |
134 | 134 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp</CommandLine> <!--Windows: Network services--> |
135 | 135 | <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog</CommandLine> |
342 | 342 | <Image condition="image">nc64.exe</Image> <!-- 64-bit version of nc that can be used on 64-bit Windows Architectures https://github.com/DarrenRainey/netcat--> |
343 | 343 | <Image condition="image">ncat.exe</Image> <!-- Nmap's modern version of netcat [ https://nmap.org/ncat/guide/index.html#ncat-overview ] [ https://securityblog.gr/1517/create-backdoor-in-windows-with-ncat/ ] --> |
344 | 344 | <Image condition="image">procdump.exe</Image> <!-- Sysinternals Suite client side that can be used to dump clear text passwords from memory --> |
345 | | - <Image condition="image">procdump64.exe</Image> <!-- Sysinternals Suite client side 64-bit version that can be used to dump clear text passwords from memory --> |
| 345 | + <Image condition="image">procdump64.exe</Image> <!-- Sysinternals Suite client side 64-bit version that can be used to dump clear text passwords from memory --> |
346 | 346 | <Image condition="image">psexec.exe</Image> <!--Sysinternals:PsExec client side | Credit @Cyb3rOps --> |
347 | 347 | <Image condition="image">psexec64.exe</Image> <!-- Sysinernals:PsExec64 client side | 64-bit version of psexec.exe --> |
348 | 348 | <Image condition="image">psexesvc.exe</Image> <!--Sysinternals:PsExec server side | Credit @Cyb3rOps --> |
534 | 534 | <TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro--> |
535 | 535 | <TargetFilename name="DLL" condition="end with">.dll</TargetFilename> <!--Microsoft:Office:Word: Macro--> |
536 | 536 | <TargetFilename name="EXE" condition="end with">.exe</TargetFilename> <!--Executable--> |
537 | | - <TargetFilename name="ProcessHostingdotNETCode" condition="end with">.exe.log</TargetFilename> <!-- [ https://github.com/bitsadmin/nopowershell ] | Credit: @SBousseaden [ https://twitter.com/SBousseaden/status/1137493597769687040 ] --> |
| 537 | + <TargetFilename name="ProcessHostingdotNETCode" condition="end with">.exe.log</TargetFilename> <!-- [ https://github.com/bitsadmin/nopowershell ] | Credit: @SBousseaden [ https://twitter.com/SBousseaden/status/1137493597769687040 ] --> |
538 | 538 | <TargetFilename condition="end with">.jar</TargetFilename> <!--Java applets--> |
539 | 539 | <TargetFilename condition="end with">.jnlp</TargetFilename> <!--Java applets--> |
540 | 540 | <TargetFilename condition="end with">.jse</TargetFilename> <!--Scripting [ Example: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Phires-C/detailed-analysis.aspx ] --> |
639 | 639 | <!--ADDITIONAL REFERENCE: [ http://www.silentrunners.org/launchpoints.html ] --> |
640 | 640 | <!--ADDITIONAL REFERENCE: [ https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2 ] --> |
641 | 641 | <!--ADDITIONAL REFERENCE: [ https://web.archive.org/web/20200116001643/http://scholarworks.rit.edu/cgi/viewcontent.cgi?article=1533&context=theses | Understanding malware autostart techniques - Matthew Gottlieb ] --> |
642 | | - <TargetObject name="T1562.002" condition="end with">\MiniNT</TargetObject> <!--Windows: Disable eventlog by acting like WinPE [https://twitter.com/0gtweet/status/1182516740955226112] --> |
| 642 | + <TargetObject name="T1562.002" condition="end with">\MiniNT</TargetObject> <!--Windows: Disable eventlog by acting like WinPE [https://twitter.com/0gtweet/status/1182516740955226112] --> |
643 | 643 | <TargetObject name="T1060,RunKey" condition="contains">CurrentVersion\Run</TargetObject> <!--Windows: Wildcard for Run keys, including RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server] --> |
644 | 644 | <TargetObject name="T1060,RunPolicy" condition="contains">Policies\Explorer\Run</TargetObject> <!--Windows: Alternate runs keys | Credit @ion-storm--> |
645 | 645 | <TargetObject name="T1484" condition="contains">Group Policy\Scripts</TargetObject> <!--Windows: Group policy scripts--> |
1230 | 1230 | <!--SYSMON EVENT ID 23 : FILE DELETE [FileDelete]--> |
1231 | 1231 | <!--EVENT 23: "File Delete"--> |
1232 | 1232 | <!--COMMENT: Sandbox usage. When a program signals to Windows a file should be deleted or wiped, Sysmon may be able to capture it. |
1233 | | - Tries to save a copy of the deleted file in the archivedirectory which defaults to C:\Sysmon (to view uncheck "Hide protected |
| 1233 | + Tries to save a copy of the deleted file in the archivedirectory which defaults to C:\Sysmon (to view uncheck "Hide protected |
1234 | 1234 | operating system files (Recommended)" from Folder Options). Can quickly fill the available drive space with copies of files. |
1235 | 1235 | Use EVENT ID 26 if a copy is not needed. |
1236 | 1236 | [ https://isc.sans.edu/forums/diary/Sysmon+and+File+Deletion/26084/ ] |
1247 | 1247 |
1248 | 1248 | <!--SYSMON EVENT ID 24 : CLIPBOARD EVENT MONITORING [ClipboardChange]--> |
1249 | 1249 | <!--EVENT 24: "Clipboard changed"--> |
1250 | | - <!--COMMENT: Sandbox usage. Sysmon can capture the contents of clipboard events. |
1251 | | - An example of what could be a production usage on restricted desktops is provided below, but it is commented-out. --> |
| 1250 | + <!--COMMENT: Sandbox usage. Sysmon can capture the contents of clipboard events. |
| 1251 | + An example of what could be a production usage on restricted desktops is provided below, but it is commented-out. --> |
1252 | 1252 |
1253 | 1253 | <!--DATA: EventType, UtcTime, ProcessGuid, ProcessId, Image, Session, ClientInfo, Hashes, Archived --> |
1254 | 1254 |
1282 | 1282 | <!--SYSMON EVENT ID 26 : FILE DELETE LOGGED [FileDeleteDetected]--> |
1283 | 1283 | <!--EVENT 26: "File Delete logged"--> |
1284 | 1284 | <!--COMMENT: This event is generated when a program signals to Windows a file should be deleted or wiped, Sysmon may be able to capture it. |
1285 | | - Unlike event ID 23 it does not archive a copy of the file deleted allowing for more widespread use outside of a sandbox or IR triage without |
| 1285 | + Unlike event ID 23 it does not archive a copy of the file deleted allowing for more widespread use outside of a sandbox or IR triage without |
1286 | 1286 | risk of filling up the storage space with deleted archives. |
1287 | 1287 | [ https://medium.com/falconforce/sysmon-13-10-filedeletedetected-fe2475cb419e ] |
1288 | 1288 | --> |