Skip to content

Instantly share code, notes, and snippets.

@Neo23x0

Neo23x0/config-server.xml

Last active March 11, 2024 14:34
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save Neo23x0/a4b4af9481e01e749409 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save Neo23x0/a4b4af9481e01e749409 to your computer and use it in GitHub Desktop.
Download ZIP

Revisions

  1. Neo23x0 revised this gist Mar 5, 2017. 1 changed file with 4 additions and 0 deletions.
    4 changes: 4 additions & 0 deletions config-server.xml
    View file
    Original file line number Diff line number Diff line change
    @@ -52,6 +52,10 @@
    <TargetObject condition="contains">Microsoft\Windows\CurrentVersion\RunOnce</TargetObject>
    <TargetObject condition="contains">System\CurrentControlSet\Services\Tcpip\parameters</TargetObject>
    </RegistryEvent>
    <RegistryEvent onmatch="exclude">
    <TargetObject condition="contains">\W32Time\</TargetObject>
    <TargetObject condition="contains">\Toredo</TargetObject>
    </RegistryEvent>
    <!-- Do not log file creation events -->
    <FileCreate onmatch="include" />
    <!-- Do not log if file stream is created -->
  2. Neo23x0 revised this gist Dec 23, 2016. 1 changed file with 7 additions and 3 deletions.
    10 changes: 7 additions & 3 deletions config-server.xml
    View file
    Original file line number Diff line number Diff line change
    @@ -1,6 +1,6 @@
    <!--
    This is a Microsoft Sysmon configuation to be used on Windows server systems
    v0.2 December 2016
    v0.2.1 December 2016
    Florian Roth
    The focus of this configuration is
    @@ -45,8 +45,12 @@
    <!-- Do log registry events to certain keys only (Autostart, Services, Debuggers) -->
    <RegistryEvent onmatch="include">
    <TargetObject condition="contains">Windows\CurrentVersion\Run</TargetObject>
    <TargetObject condition="contains">Windows\CurrentVersion\Image File Execution Options</TargetObject>
    <TargetObject condition="contains">CurrentControlSet\Services</TargetObject>
    <TargetObject condition="contains">Windows\CurrentVersion\Image File Execution Options</TargetObject>
    <TargetObject condition="contains">CurrentControlSet\Services</TargetObject>
    <TargetObject condition="contains">Microsoft\Windows NT\CurrentVersion\Winlogon</TargetObject>
    <TargetObject condition="contains">Microsoft\Windows\CurrentVersion\Policies\Explorer</TargetObject>
    <TargetObject condition="contains">Microsoft\Windows\CurrentVersion\RunOnce</TargetObject>
    <TargetObject condition="contains">System\CurrentControlSet\Services\Tcpip\parameters</TargetObject>
    </RegistryEvent>
    <!-- Do not log file creation events -->
    <FileCreate onmatch="include" />
  3. Neo23x0 revised this gist Dec 15, 2016. No changes.
  4. Neo23x0 revised this gist Dec 14, 2016. 1 changed file with 11 additions and 11 deletions.
    22 changes: 11 additions & 11 deletions config-server.xml
    View file
    Original file line number Diff line number Diff line change
    @@ -30,7 +30,7 @@
    <Image condition="contains">Microsoft Monitoring Agent\Agent\MonitoringHost.exe</Image>
    <CommandLine condition="contains">ClearMyTracksByProcess</CommandLine>
    </ProcessCreate>
    <!-- Do only log remote thread creation events with certain targets -->
    <!-- Do only log remote thread creation events with certain targets-->
    <CreateRemoteThread onmatch="include">
    <TargetImage condition="image">lsass.exe</TargetImage>
    <TargetImage condition="image">winlogon.exe</TargetImage>
    @@ -42,16 +42,16 @@
    <RawAccessRead onmatch="include"/>
    <!-- Do not log process termination -->
    <ProcessTerminate onmatch="include"/>
    <!-- Do log registry events to certain keys only (Autostart, Services, Debuggers) -->
    <RegistryEvent onmatch="include">
    <TargetObject condition="contains">Windows\CurrentVersion\Run</TargetObject>
    <TargetObject condition="contains">Windows\CurrentVersion\Image File Execution Options</TargetObject>
    <TargetObject condition="contains">CurrentControlSet\Services</TargetObject>
    </RegistryEvent>
    <!-- Do not log file creation events -->
    <FileCreate onmatch="include" />
    <!-- Do not log if file stream is created -->
    <FileCreateStreamHash onmatch="include" />
    <!-- Do log registry events to certain keys only (Autostart, Services, Debuggers) -->
    <RegistryEvent onmatch="include">
    <TargetObject condition="contains">Windows\CurrentVersion\Run</TargetObject>
    <TargetObject condition="contains">Windows\CurrentVersion\Image File Execution Options</TargetObject>
    <TargetObject condition="contains">CurrentControlSet\Services</TargetObject>
    </RegistryEvent>
    <!-- Do not log file creation events -->
    <FileCreate onmatch="include" />
    <!-- Do not log if file stream is created -->
    <FileCreateStreamHash onmatch="include" />
    <!-- Do only log network connections to web ports -->
    <NetworkConnect onmatch="include">
    <DestinationPort condition="is">80</DestinationPort>
  5. Neo23x0 revised this gist Dec 14, 2016. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion config-server.xml
    View file
    Original file line number Diff line number Diff line change
    @@ -30,7 +30,7 @@
    <Image condition="contains">Microsoft Monitoring Agent\Agent\MonitoringHost.exe</Image>
    <CommandLine condition="contains">ClearMyTracksByProcess</CommandLine>
    </ProcessCreate>
    <!-- Do only log events with certain targets of remote thread creation -->
    <!-- Do only log remote thread creation events with certain targets -->
    <CreateRemoteThread onmatch="include">
    <TargetImage condition="image">lsass.exe</TargetImage>
    <TargetImage condition="image">winlogon.exe</TargetImage>
  6. Neo23x0 revised this gist Dec 14, 2016. 1 changed file with 5 additions and 1 deletion.
    6 changes: 5 additions & 1 deletion config-server.xml
    View file
    Original file line number Diff line number Diff line change
    @@ -42,12 +42,16 @@
    <RawAccessRead onmatch="include"/>
    <!-- Do not log process termination -->
    <ProcessTerminate onmatch="include"/>
    <!-- Do log registry events to certain keys only -->
    <!-- Do log registry events to certain keys only (Autostart, Services, Debuggers) -->
    <RegistryEvent onmatch="include">
    <TargetObject condition="contains">Windows\CurrentVersion\Run</TargetObject>
    <TargetObject condition="contains">Windows\CurrentVersion\Image File Execution Options</TargetObject>
    <TargetObject condition="contains">CurrentControlSet\Services</TargetObject>
    </RegistryEvent>
    <!-- Do not log file creation events -->
    <FileCreate onmatch="include" />
    <!-- Do not log if file stream is created -->
    <FileCreateStreamHash onmatch="include" />
    <!-- Do only log network connections to web ports -->
    <NetworkConnect onmatch="include">
    <DestinationPort condition="is">80</DestinationPort>
  7. Neo23x0 revised this gist Dec 14, 2016. 1 changed file with 6 additions and 0 deletions.
    6 changes: 6 additions & 0 deletions config-server.xml
    View file
    Original file line number Diff line number Diff line change
    @@ -42,6 +42,12 @@
    <RawAccessRead onmatch="include"/>
    <!-- Do not log process termination -->
    <ProcessTerminate onmatch="include"/>
    <!-- Do log registry events to certain keys only -->
    <RegistryEvent onmatch="include">
    <TargetObject condition="contains">Windows\CurrentVersion\Run</TargetObject>
    <TargetObject condition="contains">Windows\CurrentVersion\Image File Execution Options</TargetObject>
    <TargetObject condition="contains">CurrentControlSet\Services</TargetObject>
    </RegistryEvent>
    <!-- Do only log network connections to web ports -->
    <NetworkConnect onmatch="include">
    <DestinationPort condition="is">80</DestinationPort>
  8. Neo23x0 revised this gist Dec 14, 2016. 1 changed file with 0 additions and 9 deletions.
    9 changes: 0 additions & 9 deletions config-server.xml
    View file
    Original file line number Diff line number Diff line change
    @@ -11,15 +11,6 @@
    See Windows workstation base config: https://gist.github.com/Neo23x0/f56bea38d95040b70cf5
    -->
    <Sysmon schemaversion="3.20">
    <!-- Capture MD5 Hashes -->
    <HashAlgorithms>*</HashAlgorithms>
    <EventFiltering>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
    <Signature condition="contains">microsoft</Signature>
    <Signature condition="contains">windows</Signature>
    <Sysmon schemaversion="3.20">
    <!-- Capture MD5 Hashes -->
    <HashAlgorithms>MD5,SHA1,SHA256</HashAlgorithms>
  9. Neo23x0 revised this gist Dec 14, 2016. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions config-server.xml
    View file
    Original file line number Diff line number Diff line change
    @@ -39,6 +39,7 @@
    <Image condition="contains">Microsoft Monitoring Agent\Agent\MonitoringHost.exe</Image>
    <CommandLine condition="contains">ClearMyTracksByProcess</CommandLine>
    </ProcessCreate>
    <!-- Do only log events with certain targets of remote thread creation -->
    <CreateRemoteThread onmatch="include">
    <TargetImage condition="image">lsass.exe</TargetImage>
    <TargetImage condition="image">winlogon.exe</TargetImage>
  10. Neo23x0 revised this gist Dec 14, 2016. 1 changed file with 17 additions and 2 deletions.
    19 changes: 17 additions & 2 deletions config-server.xml
    View file
    Original file line number Diff line number Diff line change
    @@ -1,6 +1,6 @@
    <!--
    This is a Microsoft Sysmon configuation to be used on Windows server systems
    v0.1
    v0.2 December 2016
    Florian Roth
    The focus of this configuration is
    @@ -14,6 +14,15 @@
    <Sysmon schemaversion="3.20">
    <!-- Capture MD5 Hashes -->
    <HashAlgorithms>*</HashAlgorithms>
    <EventFiltering>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
    <Signature condition="contains">microsoft</Signature>
    <Signature condition="contains">windows</Signature>
    <Sysmon schemaversion="3.20">
    <!-- Capture MD5 Hashes -->
    <HashAlgorithms>MD5,SHA1,SHA256</HashAlgorithms>
    <EventFiltering>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    @@ -30,6 +39,11 @@
    <Image condition="contains">Microsoft Monitoring Agent\Agent\MonitoringHost.exe</Image>
    <CommandLine condition="contains">ClearMyTracksByProcess</CommandLine>
    </ProcessCreate>
    <CreateRemoteThread onmatch="include">
    <TargetImage condition="image">lsass.exe</TargetImage>
    <TargetImage condition="image">winlogon.exe</TargetImage>
    <TargetImage condition="image">svchost.exe</TargetImage>
    </CreateRemoteThread>
    <!-- Do not log file creation time stamps -->
    <FileCreateTime onmatch="include"/>
    <!-- Do not log raw disk access (caused event flooding with certain disk encryption drivers) -->
    @@ -42,10 +56,11 @@
    <DestinationPort condition="is">443</DestinationPort>
    <DestinationPort condition="is">8080</DestinationPort>
    <DestinationPort condition="is">3389</DestinationPort>
    <Image condition="contains">cmd.exe</Image>
    <Image condition="contains">PsExe</Image>
    <Image condition="contains">winexe</Image>
    <Image condition="contains">powershell</Image>
    <Image condition="contains">wscript</Image>
    <Image condition="contains">cscript</Image>
    <Image condition="contains">mstsc</Image>
    <Image condition="contains">RTS2App</Image>
    <Image condition="contains">RTS3App</Image>
  11. Neo23x0 revised this gist Dec 14, 2016. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion config-server.xml
    View file
    Original file line number Diff line number Diff line change
    @@ -11,7 +11,7 @@
    See Windows workstation base config: https://gist.github.com/Neo23x0/f56bea38d95040b70cf5
    -->
    <Sysmon schemaversion="2.01">
    <Sysmon schemaversion="3.20">
    <!-- Capture MD5 Hashes -->
    <HashAlgorithms>*</HashAlgorithms>
    <EventFiltering>
  12. Neo23x0 renamed this gist Jun 28, 2016. 1 changed file with 0 additions and 0 deletions.
    0 confix-server.xml → config-server.xml
    View file
    File renamed without changes.
  13. Neo23x0 revised this gist May 3, 2016. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions confix-server.xml
    View file
    Original file line number Diff line number Diff line change
    @@ -27,6 +27,7 @@
    <Image condition="contains">btool.exe</Image>
    <Image condition="contains">SnareCore</Image>
    <Image condition="contains">nxlog</Image>
    <Image condition="contains">Microsoft Monitoring Agent\Agent\MonitoringHost.exe</Image>
    <CommandLine condition="contains">ClearMyTracksByProcess</CommandLine>
    </ProcessCreate>
    <!-- Do not log file creation time stamps -->
  14. Neo23x0 revised this gist Feb 24, 2016. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions confix-server.xml
    View file
    Original file line number Diff line number Diff line change
    @@ -40,6 +40,7 @@
    <DestinationPort condition="is">80</DestinationPort>
    <DestinationPort condition="is">443</DestinationPort>
    <DestinationPort condition="is">8080</DestinationPort>
    <DestinationPort condition="is">3389</DestinationPort>
    <Image condition="contains">PsExe</Image>
    <Image condition="contains">winexe</Image>
    <Image condition="contains">powershell</Image>
  15. Neo23x0 revised this gist Feb 24, 2016. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions confix-server.xml
    View file
    Original file line number Diff line number Diff line change
    @@ -47,6 +47,7 @@
    <Image condition="contains">mstsc</Image>
    <Image condition="contains">RTS2App</Image>
    <Image condition="contains">RTS3App</Image>
    <Image condition="contains">wmic</Image>
    </NetworkConnect>
    </EventFiltering>
    </Sysmon>
  16. Neo23x0 revised this gist Feb 24, 2016. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions confix-server.xml
    View file
    Original file line number Diff line number Diff line change
    @@ -8,6 +8,8 @@
    It is not focussed on
    - malware detection (execution)
    - malware detection (network connections)
    See Windows workstation base config: https://gist.github.com/Neo23x0/f56bea38d95040b70cf5
    -->
    <Sysmon schemaversion="2.01">
    <!-- Capture MD5 Hashes -->
  17. Neo23x0 revised this gist Feb 24, 2016. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion confix-server.xml
    View file
    Original file line number Diff line number Diff line change
    @@ -4,7 +4,7 @@
    Florian Roth
    The focus of this configuration is
    - hacking activity on workstation (bad admin, attacker)
    - hacking activity on servers / lateral movement (bad admin, attacker)
    It is not focussed on
    - malware detection (execution)
    - malware detection (network connections)
  18. Neo23x0 revised this gist Feb 24, 2016. 1 changed file with 11 additions and 0 deletions.
    11 changes: 11 additions & 0 deletions confix-server.xml
    View file
    Original file line number Diff line number Diff line change
    @@ -1,3 +1,14 @@
    <!--
    This is a Microsoft Sysmon configuation to be used on Windows server systems
    v0.1
    Florian Roth
    The focus of this configuration is
    - hacking activity on workstation (bad admin, attacker)
    It is not focussed on
    - malware detection (execution)
    - malware detection (network connections)
    -->
    <Sysmon schemaversion="2.01">
    <!-- Capture MD5 Hashes -->
    <HashAlgorithms>*</HashAlgorithms>
  19. Neo23x0 created this gist Feb 24, 2016.
    39 changes: 39 additions & 0 deletions confix-server.xml
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,39 @@
    <Sysmon schemaversion="2.01">
    <!-- Capture MD5 Hashes -->
    <HashAlgorithms>*</HashAlgorithms>
    <EventFiltering>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
    <Signature condition="contains">microsoft</Signature>
    <Signature condition="contains">windows</Signature>
    </DriverLoad>
    <!-- Exclude certain processes that cause high event volumes -->
    <ProcessCreate onmatch="exclude">
    <Image condition="contains">splunk</Image>
    <Image condition="contains">btool.exe</Image>
    <Image condition="contains">SnareCore</Image>
    <Image condition="contains">nxlog</Image>
    <CommandLine condition="contains">ClearMyTracksByProcess</CommandLine>
    </ProcessCreate>
    <!-- Do not log file creation time stamps -->
    <FileCreateTime onmatch="include"/>
    <!-- Do not log raw disk access (caused event flooding with certain disk encryption drivers) -->
    <RawAccessRead onmatch="include"/>
    <!-- Do not log process termination -->
    <ProcessTerminate onmatch="include"/>
    <!-- Do only log network connections to web ports -->
    <NetworkConnect onmatch="include">
    <DestinationPort condition="is">80</DestinationPort>
    <DestinationPort condition="is">443</DestinationPort>
    <DestinationPort condition="is">8080</DestinationPort>
    <Image condition="contains">PsExe</Image>
    <Image condition="contains">winexe</Image>
    <Image condition="contains">powershell</Image>
    <Image condition="contains">wscript</Image>
    <Image condition="contains">mstsc</Image>
    <Image condition="contains">RTS2App</Image>
    <Image condition="contains">RTS3App</Image>
    </NetworkConnect>
    </EventFiltering>
    </Sysmon>