@UserUnknownFactor
Last active May 5, 2023 04:22
Sysmon config to only check DNS requests from a specific source
<Sysmon schemaversion="4.83">
<!--
Sysmon (https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon)
config to only monitor DNS requests (Event ID 22) from specific processes.
Replace "processname.exe" in the rule below with the image name of the
process you want to watch.
Install it from an elevated command prompt like this:
sysmon -accepteula -i config-dnsquery.xml
or, if Sysmon is already installed, load the new configuration with:
sysmon -c config-dnsquery.xml
(sysmon -c with no file name prints the configuration currently in force,
which is a quick way to confirm the rule was picked up.)
To check events run:
mmc eventvwr.msc
and open the "Application and Services Logs/Microsoft/Windows/Sysmon/Operational"
log. Each event carries the QueryName, the Image (full path of the process)
and the ProcessId, which you can match to the PID column in Task Manager
while that process is still running. PIDs are reused once a process exits,
so use ProcessGuid if you need to correlate events with a process later.
Caveat: Sysmon takes these events from the Windows DNS client, so lookups
that bypass it (a browser doing DNS over HTTPS, or a program that sends its
own packets to port 53) will not show up here.
Uninstallation later:
sysmon -u
-->
<HashAlgorithms>sha256</HashAlgorithms>
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<DnsQuery onmatch="include">
<!-- "contains" is a substring match on the full image path, so
"processname.exe" would also match e.g. c:\tools\oldprocessname.exe;
use condition="image" to match the image name or full path exactly. -->
<Image condition="contains">processname.exe</Image>
</DnsQuery>
</RuleGroup>
<!-- An include rule with no filters matches nothing, so every other event
type is switched off; only Event ID 22 for the process above gets written. -->
<ProcessCreate onmatch="include" />
<FileCreateTime onmatch="include" />
<NetworkConnect onmatch="include" />
<ProcessTerminate onmatch="include" />
<DriverLoad onmatch="include" />
<ImageLoad onmatch="include" />
<CreateRemoteThread onmatch="include" />
<RawAccessRead onmatch="include" />
<ProcessAccess onmatch="include" />
<FileCreate onmatch="include" />
<RegistryEvent onmatch="include" />
<FileCreateStreamHash onmatch="include" />
<PipeEvent onmatch="include" />
<WmiEvent onmatch="include" />
<FileDelete onmatch="include" />
<ClipboardChange onmatch="include" />
<ProcessTampering onmatch="include" />
<FileDeleteDetected onmatch="include" />
<FileBlockExecutable onmatch="include" />
<FileBlockShredding onmatch="include" />
</EventFiltering>
</Sysmon>
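The gist's comment has you match ProcessId against Task Manager by hand. As an added example (not part of the gist), the PowerShell below pulls the Event ID 22 records that this config produces, parses the Sysmon fields out of the event XML, and checks whether the originating process is still alive, keeping ProcessGuid in the output because PIDs are recycled. It assumes the config above is installed, that the `processname.exe` placeholder is the same one you put in the rule, and that it runs from an elevated prompt, since the Sysmon Operational log normally needs administrator rights to read.

```powershell
# Added example, not part of the gist: list Sysmon DNS query events
# (Event ID 22) and tie each one back to the process that made the lookup.
# Run from an elevated PowerShell session.
param(
    # Assumption: same placeholder image name as in the config; change both.
    [string]$ImageFilter = 'processname.exe',
    [int]$MaxEvents = 50
)

$filter = @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 22          # Sysmon DnsQuery
}

Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
ForEach-Object {
    # Sysmon stores its fields as <Data Name="..."> children of <EventData>;
    # parse the event XML instead of scraping the rendered message text.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # The config already limits Image, but if the rule has been broadened
    # this keeps the output to the process of interest.
    if ($data.Image -notlike "*$ImageFilter*") { return }

    # PIDs are recycled, so a live lookup by ProcessId only means something
    # while the original process is still running (and its path still matches).
    # ProcessGuid is the key Sysmon uses for one process instance.
    $proc = Get-Process -Id ([int]$data.ProcessId) -ErrorAction SilentlyContinue
    $stillRunning = ($null -ne $proc) -and ($proc.Path -eq $data.Image)

    [pscustomobject]@{
        UtcTime      = $data.UtcTime
        ProcessId    = $data.ProcessId
        ProcessGuid  = $data.ProcessGuid
        StillRunning = $stillRunning
        Image        = $data.Image
        User         = $data.User
        QueryName    = $data.QueryName
        QueryStatus  = $data.QueryStatus    # 0 = resolved, otherwise a DNS error code
        QueryResults = $data.QueryResults
    }
}
```

Save it as, say, Get-SysmonDns.ps1 and run `.\Get-SysmonDns.ps1 -ImageFilter processname.exe | Format-Table -AutoSize`, or pipe the objects to `Export-Csv` if you want to keep them. To confirm the pipeline end to end, temporarily point the config's Image rule at `powershell.exe` (or `pwsh.exe` for PowerShell 7), reload it with `sysmon -c`, run `Resolve-DnsName example.com` from that shell, and the script should show the lookup with StillRunning set to True for your own session.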