Last active
May 17, 2021 04:14
Revisions
Neo23x0 revised this gist
Dec 23, 2016. 1 changed file with 5 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,6 +1,6 @@ <!-- This is a Microsoft Sysmon configuration to be used on Windows workstations v0.2.1 December 2016 Florian Roth (with the help and ideas of others) The focus of this configuration is @@ -42,6 +42,10 @@ <TargetObject condition="contains">Windows\CurrentVersion\Run</TargetObject> <TargetObject condition="contains">Windows\CurrentVersion\Image File Execution Options</TargetObject> <TargetObject condition="contains">CurrentControlSet\Services</TargetObject> <TargetObject condition="contains">Microsoft\Windows NT\CurrentVersion\Winlogon</TargetObject> <TargetObject condition="contains">Microsoft\Windows\CurrentVersion\Policies\Explorer</TargetObject> <TargetObject condition="contains">Microsoft\Windows\CurrentVersion\RunOnce</TargetObject> <TargetObject condition="contains">System\CurrentControlSet\Services\Tcpip\parameters</TargetObject> </RegistryEvent> <!-- Do not log file creation events --> <FileCreate onmatch="include" /> -
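Review bot: In the @@ -42,6 +42,10 @@ hunk the new `<TargetObject condition="contains">Microsoft\Windows\CurrentVersion\RunOnce</TargetObject>` rule is redundant: the existing `Windows\CurrentVersion\Run` rule also uses `contains`, and every `...\CurrentVersion\RunOnce` path contains that substring, so RunOnce writes were already being logged before this change. Drop the line, or tighten the Run rule if the two keys are meant to be distinguishable. The `Tcpip\parameters` entry works as written (Sysmon string conditions are case-insensitive), but writing it as `Tcpip\Parameters` keeps the list consistent with the other entries.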
Neo23x0 revised this gist
Dec 23, 2016. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,5 +1,5 @@ <!-- This is a Microsoft Sysmon configuration to be used on Windows workstations v0.2 December 2016 Florian Roth (with the help and ideas of others) -
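Review bot: Comment-only change in the @@ -1,5 +1,5 @@ hunk (the header spelling "configuation" is corrected to "configuration"); no filter is touched, so the version string can stay at v0.2 for this revision.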
Neo23x0 revised this gist
Dec 15, 2016. 1 changed file with 4 additions and 5 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -26,11 +26,10 @@ <ProcessCreate onmatch="exclude"> <IntegrityLevel>System</IntegrityLevel> </ProcessCreate> <!-- Do log remote thread creation events with certain exceptions --> <CreateRemoteThread onmatch="exclude"> <SourceImage condition="contains">WmiPrvSE.exe</SourceImage> <SourceImage condition="contains">FireSvc.exe</SourceImage> </CreateRemoteThread> <!-- Do not log file creation time stamps --> <FileCreateTime onmatch="include" /> -
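Review bot: The @@ -26,11 +26,10 @@ hunk inverts the CreateRemoteThread logic: the previous include list logged only threads created in lsass.exe, winlogon.exe and svchost.exe, while `onmatch="exclude"` now logs every remote-thread creation on the host except those whose SourceImage contains `WmiPrvSE.exe` or `FireSvc.exe`. That is a large increase in scope for a workstation config, so the event volume should be measured before this ships, and the exclusion should be anchored to the full path of the legitimate binary with `condition="is"` rather than a bare file name with `contains`, for the same reason the browser `Image` excludes further down deserve a full path. The updated comment ("with certain exceptions") correctly describes the new behaviour.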
Neo23x0 revised this gist
Dec 14, 2016. 1 changed file with 43 additions and 37 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
@@ -16,42 +16,48 @@ <!-- Capture MD5 Hashes --> <HashAlgorithms>MD5,SHA1,SHA256</HashAlgorithms> <EventFiltering> <!-- Log all drivers except if the signature --> <!-- contains Microsoft or Windows --> <DriverLoad onmatch="exclude"> <Signature condition="contains">microsoft</Signature> <Signature condition="contains">windows</Signature> </DriverLoad> <!-- Exclude certain processes that have the integrity level 'System' --> <ProcessCreate onmatch="exclude"> <IntegrityLevel>System</IntegrityLevel> </ProcessCreate> <!-- Do only log remote thread creation events with certain targets--> <CreateRemoteThread onmatch="include"> <TargetImage condition="image">lsass.exe</TargetImage> <TargetImage condition="image">winlogon.exe</TargetImage> <TargetImage condition="image">svchost.exe</TargetImage> </CreateRemoteThread> <!-- Do not log file creation time stamps --> <FileCreateTime onmatch="include" /> <!-- Do not log raw disk access (caused event flooding with certain disk encryption drivers) --> <RawAccessRead onmatch="include" /> <!-- Do not log process termination --> <ProcessTerminate onmatch="include" /> <!-- Do log registry events to certain keys only (Autostart, Services, Debuggers) --> <RegistryEvent onmatch="include"> <TargetObject condition="contains">Windows\CurrentVersion\Run</TargetObject> <TargetObject condition="contains">Windows\CurrentVersion\Image File Execution Options</TargetObject> <TargetObject condition="contains">CurrentControlSet\Services</TargetObject> </RegistryEvent> <!-- Do not log file creation events --> <FileCreate onmatch="include" /> <!-- Do not log if file stream is created --> <FileCreateStreamHash onmatch="include" /> <!-- Do only log network connections to port 8080 (proxy) of every program that is not a browser --> <NetworkConnect onmatch="exclude"> <Image condition="contains">chrome.exe</Image> <Image condition="contains">iexplore.exe</Image> <!-- yes, malware that injects into IE will be missed --> <Image 
condition="contains">firefox.exe</Image> <DestinationPort condition="is not">8080</DestinationPort> <!-- Direct access to Internet (without proxy server) --> <!-- <DestinationPort condition="is not">80</DestinationPort> --> </NetworkConnect> </EventFiltering> </Sysmon> -
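Review bot: The 43 added and 37 removed lines in the @@ -16,42 +16,48 @@ hunk appear to be mostly re-indentation; the substantive change is the new `<CreateRemoteThread onmatch="include">` block naming lsass.exe, winlogon.exe and svchost.exe with `condition="image"`. Whitespace-only churn hides rule changes in review and should be committed separately. The comment `<!-- Capture MD5 Hashes -->` is now stale above `<HashAlgorithms>MD5,SHA1,SHA256</HashAlgorithms>`; suggest `<!-- Capture MD5, SHA1 and SHA256 hashes -->`.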
Neo23x0 revised this gist
Dec 14, 2016. 1 changed file with 12 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,6 +1,6 @@ <!-- This is a Microsoft Sysmon configuation to be used on Windows workstations v0.2 December 2016 Florian Roth (with the help and ideas of others) The focus of this configuration is @@ -14,7 +14,7 @@ --> <Sysmon schemaversion="3.20"> <!-- Capture MD5 Hashes --> <HashAlgorithms>MD5,SHA1,SHA256</HashAlgorithms> <EventFiltering> <!-- Log all drivers except if the signature --> <!-- contains Microsoft or Windows --> @@ -32,6 +32,16 @@ <RawAccessRead onmatch="include" /> <!-- Do not log process termination --> <ProcessTerminate onmatch="include" /> <!-- Do log registry events to certain keys only (Autostart, Services, Debuggers) --> <RegistryEvent onmatch="include"> <TargetObject condition="contains">Windows\CurrentVersion\Run</TargetObject> <TargetObject condition="contains">Windows\CurrentVersion\Image File Execution Options</TargetObject> <TargetObject condition="contains">CurrentControlSet\Services</TargetObject> </RegistryEvent> <!-- Do not log file creation events --> <FileCreate onmatch="include" /> <!-- Do not log if file stream is created --> <FileCreateStreamHash onmatch="include" /> <!-- Do only log network connections to port 8080 (proxy) of every program that is not a browser --> <NetworkConnect onmatch="exclude"> <Image condition="contains">chrome.exe</Image> -
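Review bot: In the @@ -14,7 +14,7 @@ hunk `<HashAlgorithms>` changes from `*` to `MD5,SHA1,SHA256` while the comment directly above it still says "Capture MD5 Hashes"; update the comment with the rule. In the @@ -32,6 +32,16 @@ hunk, `<TargetObject condition="contains">CurrentControlSet\Services</TargetObject>` matches every write anywhere under the services tree, including start-type changes and Parameters subkeys written by legitimate software updates, so expect it to be the noisiest of the three registry rules on workstations; if it floods, narrow it to the value names that matter for persistence (for example entries ending in `\ImagePath` or `\Start`). The empty `<FileCreate onmatch="include" />` and `<FileCreateStreamHash onmatch="include" />` correctly disable those event types, and the comments say so.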
Neo23x0 revised this gist
Dec 14, 2016. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -12,7 +12,7 @@ See Windows server base config: https://gist.github.com/Neo23x0/a4b4af9481e01e749409 --> <Sysmon schemaversion="3.20"> <!-- Capture MD5 Hashes --> <HashAlgorithms>*</HashAlgorithms> <EventFiltering> -
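Review bot: Raising `schemaversion` from 2.01 to 3.20 in the @@ -12,7 +12,7 @@ hunk changes no rule yet, but a Sysmon binary that does not support schema 3.20 will refuse to load the file, so the required minimum Sysmon version should be stated in the header comment. That header still reads v0.1 here; the version bump only arrives in a later revision.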
Neo23x0 revised this gist
Feb 24, 2016. 1 changed file with 2 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -9,6 +9,8 @@ - exploit detection It is not focussed on - hacking activity on workstation (bad admin, attacker) See Windows server base config: https://gist.github.com/Neo23x0/a4b4af9481e01e749409 --> <Sysmon schemaversion="2.01"> <!-- Capture MD5 Hashes --> -
Neo23x0 renamed this gist
Feb 24, 2016. 1 changed file with 0 additions and 0 deletions.
File renamed without changes.
Neo23x0 revised this gist
Feb 18, 2016. 1 changed file with 0 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -35,7 +35,6 @@ <Image condition="contains">chrome.exe</Image> <Image condition="contains">iexplore.exe</Image> <!-- yes, malware that injects into IE will be missed --> <Image condition="contains">firefox.exe</Image> <DestinationPort condition="is not">8080</DestinationPort> <!-- Direct access to Internet (without proxy server) --> <!-- -
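Review bot: The @@ -35,7 +35,6 @@ hunk removes the comment `<!-- Proxy is used by legitimate programs - often ignored by malware -->`, which was the only stated rationale for the `<DestinationPort condition="is not">8080</DestinationPort>` rule. Without it a reader of an exclude block can easily misread the line as "do not log port 8080" when the intent is the opposite (port 8080 from non-browsers is the only traffic kept). Keep the rationale, or fold it into the block's leading comment.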
Neo23x0 revised this gist
Feb 18, 2016. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -30,7 +30,7 @@ <RawAccessRead onmatch="include" /> <!-- Do not log process termination --> <ProcessTerminate onmatch="include" /> <!-- Do only log network connections to port 8080 (proxy) of every program that is not a browser --> <NetworkConnect onmatch="exclude"> <Image condition="contains">chrome.exe</Image> <Image condition="contains">iexplore.exe</Image> <!-- yes, malware that injects into IE will be missed --> -
Neo23x0 revised this gist
Feb 18, 2016. 1 changed file with 6 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -33,9 +33,14 @@ <!-- Do only log network connections to port 8080 (proxy) from every program that is not a browser --> <NetworkConnect onmatch="exclude"> <Image condition="contains">chrome.exe</Image> <Image condition="contains">iexplore.exe</Image> <!-- yes, malware that injects into IE will be missed --> <Image condition="contains">firefox.exe</Image> <!-- Proxy is used by legitimate programs - often ignored by malware --> <DestinationPort condition="is not">8080</DestinationPort> <!-- Direct access to Internet (without proxy server) --> <!-- <DestinationPort condition="is not">80</DestinationPort> --> </NetworkConnect> </EventFiltering> </Sysmon> -
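Review bot: The commented-out `<DestinationPort condition="is not">80</DestinationPort>` in the @@ -33,9 +33,14 @@ hunk must not simply be uncommented later: rules inside a single event filter are OR'd in this schema generation, so combined with `is not 8080` the exclude block would match every connection (any port is either not 8080 or not 80) and NetworkConnect logging would silently stop. A comment stating that the line is disabled for that reason, not merely because of volume, would prevent the mistake. The added comment on iexplore.exe ("malware that injects into IE will be missed") is a useful, honest statement of the blind spot and should stay.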
Neo23x0 created this gist
Feb 18, 2016.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,41 @@ <!-- This is a Microsoft Sysmon configuation to be used on Windows workstations v0.1 Florian Roth (with the help and ideas of others) The focus of this configuration is - malware detection (execution) - malware detection (network connections) - exploit detection It is not focussed on - hacking activity on workstation (bad admin, attacker) --> <Sysmon schemaversion="2.01"> <!-- Capture MD5 Hashes --> <HashAlgorithms>*</HashAlgorithms> <EventFiltering> <!-- Log all drivers except if the signature --> <!-- contains Microsoft or Windows --> <DriverLoad onmatch="exclude"> <Signature condition="contains">microsoft</Signature> <Signature condition="contains">windows</Signature> </DriverLoad> <!-- Exclude certain processes that have the integrity level 'System' --> <ProcessCreate onmatch="exclude"> <IntegrityLevel>System</IntegrityLevel> </ProcessCreate> <!-- Do not log file creation time stamps --> <FileCreateTime onmatch="include" /> <!-- Do not log raw disk access (caused event flooding with certain disk encryption drivers) --> <RawAccessRead onmatch="include" /> <!-- Do not log process termination --> <ProcessTerminate onmatch="include" /> <!-- Do only log network connections to port 8080 (proxy) from every program that is not a browser --> <NetworkConnect onmatch="exclude"> <Image condition="contains">chrome.exe</Image> <Image condition="contains">iexplore.exe</Image> <Image condition="contains">firefox.exe</Image> <DestinationPort condition="is not">8080</DestinationPort> </NetworkConnect> </EventFiltering> </Sysmon>
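Review bot: `<ProcessCreate onmatch="exclude"><IntegrityLevel>System</IntegrityLevel></ProcessCreate>` suppresses every process creation at System integrity, which on a workstation covers anything launched by a service or by code that already runs as SYSTEM; given the header's stated focus on detecting malware execution, consider excluding a short list of known-noisy system images instead of a whole integrity level. Two smaller points: `<HashAlgorithms>*</HashAlgorithms>` does not match the "Capture MD5 Hashes" comment above it, and the browser excludes (`<Image condition="contains">chrome.exe</Image>` and the others) match a bare file name anywhere on disk, so any binary with that name is exempt from network logging; `condition="is"` with the full install path is the safer form.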