Skip to content

Commit fadf537

Browse files
phantinussphantinuss
committed
fix: revert to schema version 4.50. Newer schema versions are put on an other branch until adaption of newer sysmon version should be higher
1 parent b818d1f commit fadf537

1 file changed

Lines changed: 2 additions & 7 deletions

File tree

sysmonconfig-export.xml

Lines changed: 2 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -50,12 +50,12 @@
5050
- "Image" is a technical term for a compiled binary file like an EXE or DLL. Also, it can match just the filename, or entire path.
5151
- "ProcessGuid" and "LoginGuid" are not random, they contain some embedded information. https://gist.github.com/mattifestation/0102042160c9a60b2b847378c0ef70b4
5252
53-
FILTERING: Filter conditions available for use are: is,is any,is not,contains,contains any,contains all,excludes,excludes any,excludes all,begin with,end with,not begin with,not end with,less than,more than,image
53+
FILTERING: Filter conditions available for use are: is,is not,contains,contains any,contains all,excludes,excludes any,excludes all,begin with,end with,less than,more than,image
5454
- The "image" filter is usable on any field. Same as "is" but can either match entire string, or only the text after last "\". Credit: @mattifestation
5555
5656
-->
5757

58-
<Sysmon schemaversion="4.70">
58+
<Sysmon schemaversion="4.50">
5959
<!--SYSMON META CONFIG-->
6060
<HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms. Remove IMPHASH if you do not use DLL import fingerprinting. -->
6161
<CheckRevocation/> <!-- Check loaded drivers, log if their code-signing certificate has been revoked, in case malware stole one to sign a kernel driver -->
@@ -486,11 +486,6 @@
486486
<RuleGroup name="" groupRelation="or">
487487
<ProcessAccess onmatch="include">
488488
<!-- CobaltStrike BOF using OpenProcess/NtOpenProcess Ref: https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6 -->
489-
<Rule groupRelation="and">
490-
<CallTrace condition="not begin with">C:\Windows\SYSTEM32\ntdll.dll</CallTrace>
491-
<CallTrace condition="not begin with">C:\Windows\SYSTEM32\win32u.dll</CallTrace>
492-
<CallTrace condition="not begin with">C:\Windows\SYSTEM32\wow64win.dll</CallTrace>
493-
</Rule>
494489
<CallTrace condition="begin with">UNKNOWN</CallTrace>
495490
<!-- Inject AMSI Bypass via CobaltStrike BOF Ref: https://github.com/boku7/injectAmsiBypass -->
496491
<Rule groupRelation="and">

0 commit comments

Comments
 (0)