Skip to content

Instantly share code, notes, and snippets.

@duzvik

duzvik/log_nothing.xml

Forked from mgraeber-rc/log_nothing.xml
Created March 16, 2021 15:12
Show Gist options
  • Save duzvik/a904de03fd288121bcff6ade2dba4c39 to your computer and use it in GitHub Desktop.
Save duzvik/a904de03fd288121bcff6ade2dba4c39 to your computer and use it in GitHub Desktop.
Download ZIP

Revisions

  1. @mgraeber-rc mgraeber-rc created this gist Mar 16, 2021.
    46 changes: 46 additions & 0 deletions log_nothing.xml
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,46 @@
    <Sysmon schemaversion="4.50">
    <HashAlgorithms>md5,sha256</HashAlgorithms>
    <EventFiltering>
    <!--Event ID 1: Process creation-->
    <ProcessCreate onmatch="include"></ProcessCreate>
    <!--Event ID 2: A process changed a file creation time-->
    <FileCreateTime onmatch="include"></FileCreateTime>
    <!--Event ID 3: Network connection-->
    <NetworkConnect onmatch="include"></NetworkConnect>
    <!--Event ID 5: Process terminated-->
    <ProcessTerminate onmatch="include"></ProcessTerminate>
    <!--Event ID 6: Driver loaded-->
    <DriverLoad onmatch="include"></DriverLoad>
    <!--Event ID 7: Image loaded-->
    <ImageLoad onmatch="include"></ImageLoad>
    <!--Event ID 8: CreateRemoteThread-->
    <CreateRemoteThread onmatch="include"></CreateRemoteThread>
    <!--Event ID 9: RawAccessRead-->
    <RawAccessRead onmatch="include"></RawAccessRead>
    <!--Event ID 10: ProcessAccess-->
    <ProcessAccess onmatch="include"></ProcessAccess>
    <!--Event ID 11: FileCreate-->
    <FileCreate onmatch="include"></FileCreate>
    <!--Event ID 12: RegistryEvent (Object create and delete)-->
    <!--Event ID 13: RegistryEvent (Value Set)-->
    <!--Event ID 14: RegistryEvent (Key and Value Rename)-->
    <RegistryEvent onmatch="include"></RegistryEvent>
    <!--Event ID 15: FileCreateStreamHash-->
    <FileCreateStreamHash onmatch="include"></FileCreateStreamHash>
    <!--Event ID 17: PipeEvent (Pipe Created)-->
    <!--Event ID 18: PipeEvent (Pipe Connected)-->
    <PipeEvent onmatch="include"></PipeEvent>
    <!--Event ID 19: WmiEvent (WmiEventFilter activity detected)-->
    <!--Event ID 20: WmiEvent (WmiEventConsumer activity detected)-->
    <!--Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)-->
    <WmiEvent onmatch="include"></WmiEvent>
    <!--Event ID 22: DNSEvent (DNS query)-->
    <DnsQuery onmatch="include"></DnsQuery>
    <!--Event ID 23: FileDelete (A file delete was detected)-->
    <FileDelete onmatch="include"></FileDelete>
    <!--Event ID 24: ClipboardChange (New content in the clipboard)-->
    <ClipboardChange onmatch="include"></ClipboardChange>
    <!--Event ID 25: ProcessTampering (Process image change)-->
    <ProcessTampering onmatch="include"></ProcessTampering>
    </EventFiltering>
    </Sysmon>