<!-- NOTICE : This is a balanced generated output of Sysmon-modular with medium verbosity --> | |
<!-- due to the balanced nature of this configuration, there will be potential blind spots -->
<!-- for more information go to https://github.com/olafhartong/sysmon-modular/wiki --> | |
<!-- --> | |
<!-- //** ***// --> | |
<!-- ///#(** **%(/// --> | |
<!-- ((&&&** **&&&(( --> | |
<!-- (&&&** ,(((((((. **&&&( --> | |
<!-- ((&&**(((((//(((((((/**&&(( _____ __ __ --> | |
<!-- (&&///((////(((((((///&&( / ___/__ ___________ ___ ____ ____ ____ ___ ____ ____/ /_ __/ /___ ______ --> | |
<!-- &////(/////(((((/(////& \__ \/ / / / ___/ __ `__ \/ __ \/ __ \______/ __ `__ \/ __ \/ __ / / / / / __ `/ ___/ --> | |
<!-- ((// /////(///// /((( ___/ / /_/ (__ ) / / / / / /_/ / / / /_____/ / / / / / /_/ / /_/ / /_/ / / /_/ / / --> | |
<!-- &(((((#.///////// #(((((& /____/\__, /____/_/ /_/ /_/\____/_/ /_/ /_/ /_/ /_/\____/\__,_/\__,_/_/\__,_/_/ --> | |
<!-- &&&&((#///////((#((&&&& /____/ --> | |
<!-- &&&&(#/***//(#(&&&& --> | |
<!-- &&&&****///&&&& by Olaf Hartong --> | |
<!-- (& ,&. --> | |
<!-- .*&&*. --> | |
<!-- --> | |
<Sysmon schemaversion="4.90"> | |
<HashAlgorithms>*</HashAlgorithms> | |
<!-- This now also determines the file names of the preserved files (String) -->
<CheckRevocation>False</CheckRevocation> | |
<!-- Setting this to true might impact performance --> | |
<DnsLookup>False</DnsLookup> | |
<!-- False disables the lookup behavior; the default is True (Boolean) -->
<ArchiveDirectory>Sysmon</ArchiveDirectory> | |
<!-- Sets the name of the directory in the C:\ root where preserved files will be saved (String) -->
<EventFiltering> | |
<!-- Event ID 1 == Process Creation - Includes --> | |
<RuleGroup groupRelation="or"> | |
<ProcessCreate onmatch="include"> | |
<!-- Accessibility binaries as parent process (T1546.008): any process they spawn is logged -->
<ParentImage name="technique_id=T1546.008,technique_name=Accessibility Features" condition="image">sethc.exe</ParentImage>
<ParentImage name="technique_id=T1546.008,technique_name=Accessibility Features" condition="image">utilman.exe</ParentImage>
<ParentImage name="technique_id=T1546.008,technique_name=Accessibility Features" condition="image">osk.exe</ParentImage>
<ParentImage name="technique_id=T1546.008,technique_name=Accessibility Features" condition="image">Magnify.exe</ParentImage>
<ParentImage name="technique_id=T1546.008,technique_name=Accessibility Features" condition="image">DisplaySwitch.exe</ParentImage>
<ParentImage name="technique_id=T1546.008,technique_name=Accessibility Features" condition="image">Narrator.exe</ParentImage>
<ParentImage name="technique_id=T1546.008,technique_name=Accessibility Features" condition="image">AtBroker.exe</ParentImage>
<!-- NOTE(review): this entry carries no name, so its matches report no technique tag. An OriginalFileName that contains a path separator is unusual and presumably meant to surface odd PE version metadata; confirm the intent before relying on it. -->
<OriginalFileName condition="contains">\</OriginalFileName>
<OriginalFileName name="technique_id=T1546.011,technique_name=Application Shimming" condition="is">sdbinst.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1197,technique_name=BITS Jobs" condition="is">bitsadmin.exe</OriginalFileName>
<Rule name="Eventviewer Bypass UAC" groupRelation="and"> | |
<ParentImage name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="image">eventvwr.exe</ParentImage> | |
<Image condition="is not">c:\windows\system32\mmc.exe</Image> | |
</Rule> | |
<ParentImage name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="image">fodhelper.exe</ParentImage> | |
<Rule name="technique_id=T1021.003,technique_name=Distributed Component Object Model" groupRelation="and"> | |
<ParentCommandLine condition="contains">-Embedding</ParentCommandLine> | |
<ParentImage condition="is">c:\windows\system32\mmc.exe</ParentImage> | |
</Rule> | |
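<!-- Defender tampering through Set-MpPreference (T1562.001). The rule is named so that its matches carry a RuleName like the sibling rules instead of an empty one. -->
<Rule name="technique_id=T1562.001,technique_name=Disable or Modify Tools" groupRelation="and">
  <CommandLine condition="contains">Set-MpPreference</CommandLine>
  <!-- any one of these switches set to $true is enough; the relation with the line above is "and" -->
  <CommandLine condition="contains any">-DisableRealTimeMonitoring $true;-DisableBehaviorMonitoring $true;-DisableBlockAtFirstSeen $true;-DisableIOAVProtection $true;-DisablePrivacyMode $true;-SignatureDisableUpdateOnStartupWithoutEngine $true;-DisableArchiveScanning $true;-DisableIntrusionPreventionSystem $true;-DisableScriptScanning $true</CommandLine>
</Rule>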
<CommandLine name="technique_id=T1027,technique_name=Obfuscated Files or Information" condition="contains">^</CommandLine> | |
<CommandLine name="technique_id=T1027,technique_name=Obfuscated Files or Information" condition="contains">../../</CommandLine> | |
<ParentCommandLine name="technique_id=T1204,technique_name=User Execution" condition="is">C:\Windows\explorer.exe</ParentCommandLine> | |
<ParentImage name="technique_id=T1204,technique_name=User Execution" condition="is">C:\Windows\explorer.exe</ParentImage> | |
<Rule name="Fltmc" groupRelation="and"> | |
<OriginalFileName name="technique_id=T1562.006,technique_name=Indicator Blocking" condition="is">fltMC.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1562.006,technique_name=Indicator Blocking" condition="contains">unload;detach</CommandLine> | |
</Rule> | |
<Rule groupRelation="or"> | |
<OriginalFileName name="technique_id=T1518.001,technique_name=Security Software Discovery" condition="is">fltMC.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1518.001,technique_name=Security Software Discovery" condition="contains">misc::mflt</CommandLine> | |
</Rule> | |
<Rule name="InstallUtil" groupRelation="and"> | |
<OriginalFileName name="technique_id=T1218.004,technique_name=InstallUtil" condition="is">InstallUtil.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1218.004,technique_name=InstallUtil" condition="contains all">/logfile=;/LogToConsole=false;/U</CommandLine> | |
</Rule> | |
<!-- NOTE(review): T1546.008 is tagged "Accessibility Features" on the ParentImage entries earlier in this group; the werfault.exe entry reuses the same id under a different name, so one of the two mappings should be rechecked. -->
<OriginalFileName name="technique_id=T1546.008,technique_name=Windows Error Reporting" condition="contains">werfault.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1574.002,technique_name=DLL Side-Loading" condition="is">odbcconf.exe</OriginalFileName>
<Rule name="technique_id=T1027.004,technique_name=Compile After Delivery" groupRelation="and"> | |
<ParentImage condition="is">csc.exe</ParentImage> | |
<CommandLine condition="contains">-target:library</CommandLine> | |
<CommandLine condition="contains">.cs</CommandLine> | |
</Rule> | |
<Rule name="technique_id=T1027.004,technique_name=Compile After Delivery" groupRelation="and"> | |
<ParentImage condition="is">csc.exe</ParentImage> | |
<CommandLine condition="contains">-out:</CommandLine> | |
<CommandLine condition="contains">.cs</CommandLine> | |
</Rule> | |
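<!-- Single-binary includes tagged by technique. attrib.exe and sc.exe appear once each: in an or-relation a repeated identical include can never match anything the first did not, so the duplicate pair has been removed. -->
<OriginalFileName name="technique_id=T1564.001,technique_name=Hidden Files and Directories" condition="is">attrib.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1543.003,technique_name=Windows Service" condition="is">sc.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1569.002,technique_name=Service Execution" condition="is">dnscmd.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1489,technique_name=Service Stop" condition="is">taskkill.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1074,technique_name=Data Staged" condition="is">xcopy.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1074,technique_name=Data Staged" condition="is">robocopy.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1105,technique_name=Remote File Copy" condition="is">GfxDownloadWrapper.exe</OriginalFileName>
<CommandLine name="technique_id=T1105,technique_name=Remote File Copy" condition="contains all">update;--download</CommandLine>
<CommandLine name="technique_id=T1105,technique_name=Remote File Copy" condition="contains all">squirrel;--download</CommandLine>
<OriginalFileName name="technique_id=T1105,technique_name=Remote File Copy" condition="is">expand.exe</OriginalFileName>
<OriginalFileName name="technique_id=T1040,technique_name=Network Sniffing" condition="is">PktMon.exe</OriginalFileName>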
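<!-- esentutl copying a locked file through VSS (T1003). The switches are three separate "contains all" tokens ("/y", "/vss", "/d"); a single token "/vss/d" would require them to be adjacent, which a normal invocation does not produce, so the rule would not fire. -->
<Rule name="technique_id=T1003,technique_name=Credential Dumping" groupRelation="and">
  <OriginalFileName condition="is">esentutl.exe</OriginalFileName>
  <CommandLine condition="contains all">/y;/vss;/d</CommandLine>
</Rule>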
<OriginalFileName name="technique_id=T1003,technique_name=Credential Dumping" condition="is">TTTracer.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1003,technique_name=Credential Dumping" condition="is">sqldumper.exe</OriginalFileName> | |
<Rule name="technique_id=T1003,technique_name=Credential Dumping" groupRelation="and"> | |
<OriginalFileName condition="is">ntdsutil.exe</OriginalFileName> | |
<CommandLine condition="contains">ifm</CommandLine> | |
</Rule> | |
<ParentImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">diskshadow.exe</ParentImage> | |
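<!-- rpcping with a target, a user/transport switch and NTLM or named-pipe transport (T1003, likely). Switch tokens are spelt with "/" or "-": a backslash form such as "\s" is not switch syntax and would instead match any path fragment that happens to contain it. -->
<Rule name="technique_id=T1003,technique_name=Credential Dumping (Likely)" groupRelation="and">
  <OriginalFileName condition="image">rpcping.exe</OriginalFileName>
  <CommandLine condition="contains any">/s;-s</CommandLine>
  <CommandLine condition="contains any">-u;/u;-t;/t</CommandLine>
  <CommandLine condition="contains any">NTLM;ncacn_np</CommandLine>
</Rule>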
<OriginalFileName name="technique_id=T1003,technique_name=Credential Dumping" condition="is">rpcping.exe</OriginalFileName> | |
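<!-- Built-in download/transfer utilities (T1105). Every entry uses the "technique_id=" key so downstream RuleName parsing works the same for all of them. -->
<Rule name="Ingress Tool Transfer" groupRelation="or">
  <!-- NOTE(review): an earlier T1105 entry in this group matches "expand.exe" while this one matches "expand"; check the binary's OriginalFileName value so that one of the two is not dead -->
  <OriginalFileName name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="is">expand</OriginalFileName>
  <OriginalFileName name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="is">IEExec.exe</OriginalFileName>
  <OriginalFileName name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="is">Print.Exe</OriginalFileName>
  <OriginalFileName name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="is">curl.exe</OriginalFileName>
  <ParentImage name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="is">ftp.exe</ParentImage>
</Rule>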
<Rule name="technique_id=T1564.004,technique_name=NTFS File Attributes" groupRelation="and"> | |
<OriginalFileName condition="is">print.exe</OriginalFileName> | |
<CommandLine condition="contains">:</CommandLine> | |
</Rule> | |
<Rule name="technique_id=T1564.004,technique_name=NTFS File Attributes" groupRelation="and"> | |
<OriginalFileName condition="is">regedit.exe</OriginalFileName> | |
<CommandLine condition="contains">:</CommandLine> | |
</Rule> | |
<Rule name="NTFS File Attributes" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1564.004,technique_name=NTFS File Attributes" condition="is">esentutl.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1564.004,technique_name=NTFS File Attributes" condition="is">extrac32.exe</OriginalFileName> | |
</Rule> | |
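<!-- Scheduled task tooling (T1053). Every entry uses the "technique_id=" key so downstream RuleName parsing works the same for all of them. -->
<Rule name="Scheduled Task/Job" groupRelation="or">
  <!-- NOTE(review): "sctasks.exe" does not look like a Windows binary name; verify it is intended rather than a typo of schtasks.exe -->
  <OriginalFileName name="technique_id=T1053.005,technique_name=Scheduled Task/Job" condition="contains any">schtasks.exe;sctasks.exe</OriginalFileName>
  <!-- "contains any" is a substring test, so "at.exe" also includes any OriginalFileName that merely ends in at.exe -->
  <OriginalFileName name="technique_id=T1053.002,technique_name=At" condition="contains any">at.exe;At.exe</OriginalFileName>
  <OriginalFileName name="technique_id=T1053,technique_name=Scheduled Task/Job" condition="is">taskeng.exe</OriginalFileName>
</Rule>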
<Rule name="File Permissions Modification" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1222.001,technique_name=File Permissions Modification" condition="is">takeown.exe</OriginalFileName> | |
<Image name="technique_id=T1222.001,technique_name=File Permissions Modification" condition="image">forfiles.exe</Image> | |
<OriginalFileName name="technique_id=T1222.001,technique_name=File Permissions Modification" condition="contains any">icacls.exe;cacls.exe;xcacls.exe</OriginalFileName> | |
</Rule> | |
<Rule name="Access Token Manipulation" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1134,technique_name=Access Token Manipulation" condition="is">runas.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1134,technique_name=Access Token Manipulation" condition="contains">runas</CommandLine> | |
</Rule> | |
<Rule name="Bypass User Access Control" groupRelation="or">
  <!-- Auto-elevating binaries abused for UAC bypass (T1548.002) -->
  <OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="is">WSReset.exe</OriginalFileName>
  <OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="is">xwizard.exe</OriginalFileName>
  <OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="is">computerdefaults.exe</OriginalFileName>
  <OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="is">dism.exe</OriginalFileName>
  <OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="is">fodhelper.exe</OriginalFileName>
  <!-- NOTE(review): the next three entries repeat computerdefaults.exe, dism.exe and fodhelper.exe with the technique_name spelt "Bypass User Account Control" (the MITRE name), where the rest of this config says "Bypass User Access Control". They add no coverage; settle on one spelling and drop the duplicates. -->
  <OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Account Control" condition="is">computerdefaults.exe</OriginalFileName>
  <OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Account Control" condition="is">dism.exe</OriginalFileName>
  <OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Account Control" condition="is">fodhelper.exe</OriginalFileName>
</Rule>
<Rule name="technique_id=T1490,technique_name=Inhibit System Recovery" groupRelation="and"> | |
<OriginalFileName condition="contains any">vssadmin.exe;wbadmin.exe</OriginalFileName> | |
<CommandLine condition="contains">delete</CommandLine> | |
</Rule> | |
<Rule name="technique_id=T1490,technique_name=Inhibit System Recovery" groupRelation="and"> | |
<OriginalFileName condition="is">bcdedit.exe</OriginalFileName> | |
<CommandLine condition="contains">/set</CommandLine> | |
</Rule> | |
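<!-- Shadow-copy, backup and boot-configuration tampering seen on the command line (T1490). The two and-rules above cover the same binaries by OriginalFileName; these entries catch the command text itself. Each token must be the binary's real name: a misspelling such as "bcedit" never appears in a real command line and leaves the entry dead. -->
<Rule name="Inhibit System Recovery" groupRelation="or">
  <OriginalFileName name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="is">vssadmin.exe</OriginalFileName>
  <CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">vssadmin;delete</CommandLine>
  <CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">wbadmin;delete</CommandLine>
  <CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">bcdedit;set</CommandLine>
  <CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">wmic;delete</CommandLine>
</Rule>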
<Rule name="Windows Management Instrumentation" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="is">mofcomp.exe</OriginalFileName> | |
<Image name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="begin with">C:\WINDOWS\system32\wbem\scrcons.exe</Image> | |
<OriginalFileName name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="is">ScrCons</OriginalFileName> | |
<ParentImage name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="image">wmiprvse.exe</ParentImage> | |
<OriginalFileName name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="is">wmiprvse.exe</OriginalFileName> | |
</Rule> | |
<Rule name="Account Discovery" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1087,technique_name=Account Discovery" condition="is">klist.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1087,technique_name=Account Discovery" condition="is">cmdkey.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1087.001,technique_name=Local Account" condition="contains any">net localgroup;net user;net group</CommandLine> | |
<CommandLine name="technique_id=T1087.001,technique_name=Local Account" condition="contains any">dir C:\users;ls C:\users;dir C:\Users;ls C:\Users</CommandLine> | |
<OriginalFileName name="technique_id=T1078.002,technique_name=Domain Accounts" condition="is">djoin.exe</OriginalFileName> | |
</Rule> | |
<Rule name="System Owner/User Discovery" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="contains any">systeminfo.exe;sysinfo.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="is">whoami.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="is">quser.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="contains any">nltest.exe;nltestk.exe</OriginalFileName> | |
</Rule> | |
<Rule name="System Network Configuration Discovery" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1016,technique_name=System Network Configuration Discovery" condition="is">ipconfig.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1016,technique_name=System Network Configuration Discovery" condition="is">nslookup.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1016,technique_name=System Network Configuration Discovery" condition="is">tracert.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1016,technique_name=System Network Configuration Discovery" condition="is">route.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1016,technique_name=System Network Configuration Discovery" condition="contains any">nbtstat.exe;nbtinfo.exe</OriginalFileName> | |
</Rule> | |
<Rule name="Security Software Discovery" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1518.001,technique_name=Security Software Discovery" condition="is">netsh.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1518.001,technique_name=Security Software Discovery" condition="contains">netsh advfirewall</CommandLine> | |
</Rule> | |
<Rule name="Remote System Discovery" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1018,technique_name=Remote System Discovery" condition="contains any">net.exe;net1.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1018,technique_name=Remote System Discovery" condition="contains any">ping.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1018,technique_name=Remote System Discovery" condition="contains any">dsquery.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1018,technique_name=Remote System Discovery" condition="contains any">net view;net group</CommandLine> | |
</Rule> | |
<Rule name="Process Discovery" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="image">tasklist.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="image">qprocess.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="image">query.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="image">qwinsta.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="image">rwinsta.exe</OriginalFileName> | |
</Rule> | |
<Rule name="File and Directory Discovery" groupRelation="or">
  <OriginalFileName name="technique_id=T1083,technique_name=File and Directory Discovery" condition="contains any">tree.com;findstr.exe;where.exe</OriginalFileName>
  <!-- NOTE(review): "contains any" with "ls" and "dir" is a bare substring test, so any command line containing e.g. "tools", "utils" or "directory" is included under T1083. Expect this entry to dominate volume in a medium-verbosity build. -->
  <CommandLine name="technique_id=T1083,technique_name=File and Directory Discovery" condition="contains any">ls;dir</CommandLine>
</Rule>
<Rule name="System Network Connections Discovery" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1049,technique_name=System Network Connections Discovery" condition="is">netstat.exe</OriginalFileName> | |
</Rule> | |
<!-- NOTE(review): "nltestrk.exe" looks like a typo of nltest.exe. As written this and-rule only fires for a binary of that exact name, and the or-rule that follows already includes every nltest.exe execution regardless of arguments; confirm which was intended. -->
<Rule name="technique_id=T1482,technique_name=Domain Trust Discovery" groupRelation="and">
  <OriginalFileName condition="is">nltestrk.exe</OriginalFileName>
  <CommandLine condition="contains">/domain_trusts</CommandLine>
</Rule>
<Rule name="Domain Trust Discovery" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1482,technique_name=Domain Trust Discovery" condition="is">nltest.exe</OriginalFileName> | |
</Rule> | |
<Rule name="Query Registry" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1012,technique_name=Query Registry" condition="is any">reg.exe;regedit.exe</OriginalFileName> | |
</Rule> | |
<Rule name="technique_id=T1070.001,technique_name=Clear Windows Event Logs" groupRelation="and"> | |
<OriginalFileName condition="is">wevtutil.exe</OriginalFileName> | |
<CommandLine condition="contains any">cl;clear-log</CommandLine> | |
</Rule> | |
<Rule name="Indicator Removal" groupRelation="or"> | |
<OriginalFileName name="Event Log Access" condition="is">wevtutil.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1070,technique_name=Indicator Removal" condition="is">fsutil.exe</OriginalFileName> | |
</Rule> | |
<Rule name="technique_id=T1112,technique_name=Modify Registry" groupRelation="and"> | |
<OriginalFileName condition="is any">reg.exe;regedit.exe</OriginalFileName> | |
<CommandLine condition="contains any">/i;.reg</CommandLine> | |
</Rule> | |
<Rule name="technique_id=T1112,technique_name=Modify Registry" groupRelation="and"> | |
<OriginalFileName condition="is any">reg.exe;regedit.exe</OriginalFileName> | |
<CommandLine condition="contains any">hklm;HKLM;hkey_local_machine</CommandLine> | |
<CommandLine condition="contains any">\system;\sam;\security</CommandLine> | |
</Rule> | |
<Rule name="technique_id=T1202,technique_name=Indirect Command Execution" groupRelation="and"> | |
<ParentImage condition="is">hh.exe</ParentImage> | |
<CommandLine condition="contains">.exe</CommandLine> | |
</Rule> | |
<Rule name="Indirect Command Execution" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">pcalua.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">cscript.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">wscript.exe</OriginalFileName> | |
<ParentImage name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">pcalua.exe</ParentImage> | |
<ParentImage name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">cscript.exe</ParentImage> | |
<ParentImage name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">wscript.exe</ParentImage> | |
<OriginalFileName name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">bash.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">certutil.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">winrs.exe</OriginalFileName> | |
<ParentImage name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">control.exe</ParentImage> | |
<OriginalFileName name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">desktopimgdownldr.exe</OriginalFileName> | |
<ParentImage name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">wsl.exe</ParentImage> | |
</Rule> | |
<Rule name="System Script Proxy Execution" groupRelation="or"> | |
<CommandLine name="technique_id=T1216.001,technique_name=PubPrn" condition="contains">pubprn</CommandLine> | |
<CommandLine name="technique_id=T1216,technique_name=System Script Proxy Execution" condition="contains">slmgr</CommandLine> | |
<CommandLine name="technique_id=T1216,technique_name=System Script Proxy Execution" condition="contains">manage-bde</CommandLine> | |
<CommandLine name="technique_id=T1216,technique_name=System Script Proxy Execution" condition="contains">CL_Invocation</CommandLine> | |
<CommandLine name="technique_id=T1216,technique_name=System Script Proxy Execution" condition="contains">CL_Mutexverifiers</CommandLine> | |
<CommandLine name="technique_id=T1216,technique_name=System Script Proxy Execution" condition="contains">winrm</CommandLine> | |
</Rule> | |
<Rule name="technique_id=T1216,technique_name=System Script Proxy Execution" groupRelation="and"> | |
<OriginalFileName condition="is">cscript.exe</OriginalFileName> | |
<CommandLine condition="contains">.js</CommandLine> | |
</Rule> | |
<OriginalFileName name="technique_id=T1218.001,technique_name=Compiled HTML File" condition="is">hh.exe</OriginalFileName> | |
<ParentImage name="technique_id=T1218.001,technique_name=Compiled HTML File" condition="is">hh.exe</ParentImage> | |
<OriginalFileName name="technique_id=T1218.004,technique_name=InstallUtil" condition="is">installutil.exe</OriginalFileName> | |
<ParentImage name="technique_id=T1218.005,technique_name=Mshta" condition="image">mshta.exe</ParentImage> | |
<OriginalFileName name="technique_id=T1218.005,technique_name=Mshta" condition="is">mshta.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218.010,technique_name=Regsvr32" condition="is">regsvr32.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218.011,technique_name=rundll32.exe" condition="contains">rundll32.exe</OriginalFileName> | |
<Rule name="System Binary Proxy Execution" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">InfDefaultInstall.EXE</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">extexport.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">msconfig.EXE</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">msiexec.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">odbcconf.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">PresentationHost.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">rasdlui.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">RegisterCimProvider2.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">RegisterCimProvider.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">ScriptRunner.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">verclsid.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">wab.exe</OriginalFileName> | |
<ParentImage name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">wab.exe</ParentImage> | |
<ParentImage name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">wsreset.exe</ParentImage> | |
<CommandLine name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains">xwizard RunWizard</CommandLine> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">Appvlp.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains">bginfo</CommandLine> | |
<ParentCommandLine name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">bginfo</ParentCommandLine> | |
<CommandLine name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains">cbd</CommandLine> | |
<ParentCommandLine name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains">csi.exe</ParentCommandLine> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">csi.exe</OriginalFileName> | |
<ParentCommandLine name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains">devtoolslauncher.exe LaunchForDeploy</ParentCommandLine> | |
<ParentImage name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">devtoolslauncher.exe</ParentImage> | |
<CommandLine name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains">runscripthelper.exe surfacecheck</CommandLine> | |
<CommandLine name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains">Scriptrunner.exe -appvscript</CommandLine> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains">Scriptrunner.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">tttracer.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">msdt.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">rasautou.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">Register-cimprovider.exe</OriginalFileName> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">diskshadow.exe</Image> | |
<CommandLine name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains all">diskshadow.exe;/s</CommandLine> | |
<CommandLine name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains all">diskshadow.exe;-s</CommandLine> | |
<OriginalFileName name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="is">replace.exe</OriginalFileName> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">jjs.exe</Image> | |
<Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">appcmd.exe</Image> | |
<CommandLine name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains">ieexec.exe http</CommandLine> | |
</Rule> | |
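<!-- T1127: build and debugging utilities that can compile or launch supplied code. -->
<!-- ParentImage carries the parent's full path (see the exclude section, where it is always a full path), -->
<!-- so a bare file name only matches with condition="image"; condition="is" is an exact comparison -->
<!-- against the whole path and never hits for a bare name. -->
<Rule name="Trusted Developer Utilities Proxy Execution" groupRelation="or"> | |
<CommandLine name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains">vbc.exe /target:exe</CommandLine> | |
<!-- The "contains" vbc.exe entry already covers the exact-match vbc.exe entry further down. -->
<OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains">vbc.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains">dnx.exe</CommandLine> | |
<OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">csc.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">dfsvc.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains">msdeploy.exe -verb:sync -source:RunCommand</CommandLine> | |
<ParentImage name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="image">mftrace.exe</ParentImage> | |
<ParentImage name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="image">dxcap.exe</ParentImage> | |
<CommandLine name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains all">dxcap.exe;-c</CommandLine> | |
<CommandLine name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains all">dxcap.exe;/c</CommandLine> | |
<OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">ilasm.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">jsc.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">vbc.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">Microsoft.Workflow.Compiler.exe</OriginalFileName> | |
<ParentImage name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="image">vsjitdebugger.exe</ParentImage> | |
<!-- Substring matches on the whole command line: any argument containing these tokens is tagged. -->
<CommandLine name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains">vsjitdebugger</CommandLine> | |
<CommandLine name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains all">update.exe;--update</CommandLine> | |
<CommandLine name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains all">update.exe;--ProcessStart</CommandLine> | |
<OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">tracker.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">te.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">rcsi.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains all">squirrel.exe;--update</CommandLine> | |
<CommandLine name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains">rundll32.exe dfshim.dll,ShOpenVerbApplication http://</CommandLine> | |
<CommandLine name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains">ilasm</CommandLine> | |
</Rule> | |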
<!-- T1218: mavinject / mavinject64 invoked with the /INJECTRUNNING switch; both children must match the same event. -->
<Rule name="Mavinject" groupRelation="and"> | |
<OriginalFileName name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="contains any">Mavinject.exe;mavinject64.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="contains">/INJECTRUNNING</CommandLine> | |
</Rule> | |
<!-- T1218.003: CMSTP.exe started with both /ni and /s on its command line (groupRelation="and"). -->
<Rule name="CMSTP" groupRelation="and"> | |
<OriginalFileName name="technique_id=T1218.003,technique_name=CMSTP" condition="is">CMSTP.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1218.003,technique_name=CMSTP" condition="contains all">/ni;/s</CommandLine> | |
</Rule> | |
<!-- Stand-alone entries, each evaluated on its own: MSBuild by OriginalFileName, every child process of the -->
<!-- listed Office applications (ParentImage with a bare name, hence condition="image"), and regsvcs/regasm. -->
<OriginalFileName name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="is">MSBuild.exe</OriginalFileName> | |
<ParentImage name="technique_id=T1137,technique_name=Office Application Startup" condition="image">excel.exe</ParentImage> | |
<ParentImage name="technique_id=T1137,technique_name=Office Application Startup" condition="image">winword.exe</ParentImage> | |
<ParentImage name="technique_id=T1137,technique_name=Office Application Startup" condition="image">powerpnt.exe</ParentImage> | |
<ParentImage name="technique_id=T1137,technique_name=Office Application Startup" condition="image">outlook.exe</ParentImage> | |
<ParentImage name="technique_id=T1137,technique_name=Office Application Startup" condition="image">msaccess.exe</ParentImage> | |
<ParentImage name="technique_id=T1137,technique_name=Office Application Startup" condition="image">mspub.exe</ParentImage> | |
<OriginalFileName name="technique_id=T1218.009,technique_name=Regsvcs/Regasm" condition="contains any">regsvcs.exe;regasm.exe</OriginalFileName> | |
<!-- T1059.003: every cmd.exe start, matched either on OriginalFileName or on the image name. -->
<Rule name="Windows Command Shell" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1059.003,technique_name=Windows Command Shell" condition="is">cmd.exe</OriginalFileName> | |
<Image name="technique_id=T1059.003,technique_name=Windows Command Shell" condition="image">cmd.exe</Image> | |
</Rule> | |
<!-- T1059.001: PowerShell hosts. condition="image" on OriginalFileName compares the bare name (the cmd.exe rule -->
<!-- uses "is" for the same purpose); the "pester" entry is a substring match on any command line. -->
<Rule name="PowerShell" groupRelation="or"> | |
<OriginalFileName name="technique_id=T1059.001,technique_name=PowerShell" condition="image">powershell.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1059.001,technique_name=PowerShell" condition="image">powershell_ise.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1059.001,technique_name=PowerShell" condition="contains">Sqlps.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1059.001,technique_name=PowerShell" condition="contains">pester</CommandLine> | |
</Rule> | |
<!-- T1218: ATBroker.exe with "start" anywhere on its command line. Here the technique label is set on the -->
<!-- Rule element rather than on each child, unlike the other rules in this section. -->
<Rule name="technique_id=T1218,technique_name=System Binary Proxy Execution" groupRelation="and"> | |
<OriginalFileName condition="is">ATBroker.exe</OriginalFileName> | |
<CommandLine condition="contains">start</CommandLine> | |
</Rule> | |
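<!-- T1027: command-line tokens often seen around encoded or compressed payloads. These are substring -->
<!-- matches on any process command line ("http" and "replace" in particular), so they tag a great deal -->
<!-- of benign activity; treat the label as a triage hint rather than an alert on its own. -->
<CommandLine name="technique_id=T1027,technique_name=Obfuscated Files or Information" condition="contains">FromBase64</CommandLine> | |
<CommandLine name="technique_id=T1027,technique_name=Obfuscated Files or Information" condition="contains">gzip</CommandLine> | |
<CommandLine name="technique_id=T1027,technique_name=Obfuscated Files or Information" condition="contains">decompress</CommandLine> | |
<CommandLine name="technique_id=T1027,technique_name=Obfuscated Files or Information" condition="contains">http</CommandLine> | |
<CommandLine name="technique_id=T1027,technique_name=Obfuscated Files or Information" condition="contains">replace</CommandLine> | |
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">SyncAppvPublishingServer.exe</Image> | |
<!-- Sysinternals-style tools, matched on OriginalFileName rather than Image so the match does not depend -->
<!-- on the on-disk file name. -->
<OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="is">PsList.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1007,technique_name=System Service Discovery" condition="is">PsService.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1569.002,technique_name=Service Execution" condition="is">PsExec.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1569.002,technique_name=Service Execution" condition="is">PsExec.c</OriginalFileName> | |
<OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="is">PsGetSID.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="is">PsKill.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="is">PKill.exe</OriginalFileName> | |
<!-- "contains" ProcDump also covers the bare name ProcDump, so no separate condition="is" entry is needed. -->
<OriginalFileName name="technique_id=T1003,technique_name=Credential Dumping" condition="contains">ProcDump</OriginalFileName> | |
<OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="is">PsLoggedOn.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">PsFile.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="contains">ShellRunas</OriginalFileName> | |
<OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="is">PipeList.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1083,technique_name=File and Directory Discovery" condition="is">AccessChk.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1083,technique_name=File and Directory Discovery" condition="is">AccessEnum.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="is">LogonSessions.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1005,technique_name=Data from Local System" condition="is">PsLogList.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1057,technique_name=Process Discovery" condition="is">PsInfo.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1007,technique_name=System Service Discovery" condition="contains">LoadOrd</OriginalFileName> | |
<OriginalFileName name="technique_id=T1098,technique_name=Account Manipulation" condition="is">PsPasswd.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1012,technique_name=Query Registry" condition="is">ru.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1012,technique_name=Query Registry" condition="contains">Regsize</OriginalFileName> | |
<CommandLine name="technique_id=T1003,technique_name=Credential Dumping" condition="contains">-ma lsass.exe</CommandLine> | |
<!-- technique_name kept consistent with the other T1036 entries in this file, which use "Masquerading". -->
<CommandLine name="technique_id=T1036,technique_name=Masquerading" condition="contains">-accepteula -ma</CommandLine> | |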
<!-- T1490: vssadmin.exe with both "delete" and "shadow" on its command line (groupRelation="and"). -->
<Rule groupRelation="and"> | |
<OriginalFileName name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="is">vssadmin.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">delete;shadow</CommandLine> | |
</Rule> | |
<!-- T1490: vssadmin.exe resizing shadow storage ("resize" and "shadowstorage" both present). -->
<Rule groupRelation="and"> | |
<OriginalFileName name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="is">vssadmin.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">resize;shadowstorage</CommandLine> | |
</Rule> | |
<!-- T1490: wmic.exe with "delete" and "shadowcopy" on its command line. -->
<Rule groupRelation="and"> | |
<OriginalFileName name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="is">wmic.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">delete;shadowcopy</CommandLine> | |
</Rule> | |
<!-- T1490: wbadmin.exe with "delete" and "catalog" on its command line. -->
<Rule groupRelation="and"> | |
<OriginalFileName name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="is">wbadmin.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">delete;catalog</CommandLine> | |
</Rule> | |
<!-- T1490: bcdedit.exe with "recoveryenabled" and "no" on its command line; note that "no" is a very short -->
<!-- token and matches as a substring of other arguments too, but the bcdedit name keeps the rule narrow. -->
<Rule groupRelation="and"> | |
<OriginalFileName name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="is">bcdedit.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">recoveryenabled;no</CommandLine> | |
</Rule> | |
<!-- T1490: bcdedit.exe with "bootstatuspolicy" and "ignoreallfailures" on its command line. -->
<Rule groupRelation="and"> | |
<OriginalFileName name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="is">bcdedit.exe</OriginalFileName> | |
<CommandLine name="technique_id=T1490,technique_name=Inhibit System Recovery" condition="contains all">bootstatuspolicy;ignoreallfailures</CommandLine> | |
</Rule> | |
<!-- T1036: image paths under locations this config treats as suspicious. The "begin with" entries assume -->
<!-- the system drive is C: (installations on another letter will not match); the "contains" entries match -->
<!-- the segment anywhere in the path, e.g. \Temp\ also covers C:\Windows\Temp\, which is broad by design. -->
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\PerfLogs\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\$Recycle.bin\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Intel\Logs\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users\Default\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users\Public\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users\NetworkService\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Fonts\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Debug\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Media\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Help\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\addins\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\repair\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\security\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\system32\config\systemprofile\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">VolumeShadowCopy</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\htdocs\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\wwwroot\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\Temp\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\Downloads\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\Desktop\</Image> | |
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\Appdata\Local\</Image> | |
<!-- T1218.002: "control" with "/name", or the rundll32 shell32.dll Control_RunDLL form; each entry needs all of its tokens. -->
<Rule name="Control Panel Items" groupRelation="or"> | |
<CommandLine name="technique_id=T1218.002,technique_name=Control Panel Items" condition="contains all">control;/name</CommandLine> | |
<CommandLine name="technique_id=T1218.002,technique_name=Control Panel Items" condition="contains all">rundll32.exe;shell32.dll;Control_RunDLL</CommandLine> | |
</Rule> | |
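<!-- T1562.001: Defender tampering. Under groupRelation="and" every child must match the same event, so the -->
<!-- MpCmdRun.exe image can only ever pair with its own RemoveDefinitions switch; the Add-MpPreference and -->
<!-- DisableIOAVProtection tokens appear on other hosts' command lines and are matched in a second rule -->
<!-- so that they can actually fire. -->
<Rule name="Windows Defender tampering" groupRelation="and"> | |
<Image name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="image">MpCmdRun.exe</Image> | |
<CommandLine name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="contains any">Add-MpPreference;RemoveDefinitions;DisableIOAVProtection</CommandLine> | |
</Rule> | |
<Rule name="Windows Defender tampering" groupRelation="or"> | |
<CommandLine name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="contains any">Add-MpPreference;DisableIOAVProtection</CommandLine> | |
</Rule> | |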
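<!-- T1021.006: WinRM host processes. -->
<OriginalFileName name="technique_id=T1021.006,technique_name=Windows Remote Management" condition="is">wsmprovhost.exe</OriginalFileName> | |
<OriginalFileName name="technique_id=T1021.006,technique_name=Windows Remote Management" condition="is">winrshost.exe</OriginalFileName> | |
<!-- winrm.cmd is a batch script, so the process Image is the command interpreter, never winrm.cmd; -->
<!-- match the script name on the command line instead. -->
<CommandLine name="technique_id=T1021.006,technique_name=Windows Remote Management" condition="contains">winrm.cmd</CommandLine> | |
<!-- ParentImage is the parent's full path; condition="image" lets the bare name match it ("is" would not). -->
<ParentImage name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="image">wsl.exe</ParentImage> | |
<ParentCommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe;-e</ParentCommandLine> | |
<ParentCommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe;/e</ParentCommandLine> | |
<CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe;-e</CommandLine> | |
<CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe;/e</CommandLine> | |
<CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe;-u root</CommandLine> | |
<CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe;/u root</CommandLine> | |
<CommandLine name="technique_id=T1218,technique_name=Trusted Binary Proxy Execution" condition="contains all">wsl.exe;--exec bash</CommandLine> | |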
<!-- Both conditions apply to the same command line: the wsl exec form plus a /dev/tcp path. -->
<!-- NOTE(review): "Remote File Copy" looks like the older name of T1105 (listed above as Ingress Tool -->
<!-- Transfer), while the id here is T1202; confirm which id/name pair downstream consumers expect. -->
<Rule name="Remote Copy via wsl" groupRelation="and"> | |
<CommandLine name="technique_id=T1202,technique_name=Remote File Copy" condition="contains all">wsl.exe;--exec bash</CommandLine> | |
<CommandLine name="technique_id=T1202,technique_name=Remote File Copy" condition="contains all">/dev/tcp</CommandLine> | |
</Rule> | |
</ProcessCreate> | |
</RuleGroup> | |
<!-- Event ID 1 == Process Creation - Excludes --> | |
<RuleGroup groupRelation="or"> | |
<ProcessCreate onmatch="exclude"> | |
<!-- Exclude: Acrobat Reader helper launches. Matching the image by file name only ("end with") is weaker -->
<!-- than the full-path exclusions used elsewhere in this section; the command-line condition narrows it. -->
<Rule groupRelation="and"> | |
<Image condition="end with">AcroRd32.exe</Image> | |
<CommandLine condition="contains any">/CR;channel=</CommandLine> | |
</Rule> | |
<!-- Exclude: Adobe Acrobat helpers. "end with" against a full absolute path behaves like "is" for these -->
<!-- values; any one child matching is enough to drop the event. -->
<Rule groupRelation="or"> | |
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> | |
<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe</ParentImage> | |
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> | |
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image> | |
</Rule> | |
<!-- Exclude: Adobe, Flash and Microsoft Monitoring Agent components, each by full path. -->
<Image condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</Image> | |
<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</ParentImage> | |
<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe</ParentImage> | |
<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe</ParentImage> | |
<Image condition="end with">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> | |
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image> | |
<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</ParentImage> | |
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe</Image> | |
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe</Image> | |
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe</Image> | |
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe</Image> | |
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe</Image> | |
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</Image> | |
<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</ParentImage> | |
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</Image> | |
<ParentImage condition="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</ParentImage> | |
<!-- A command line keeps its quoting, so the quoted executable path is the correct value for ParentCommandLine. -->
<ParentCommandLine condition="is">"C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe" -Embedding</ParentCommandLine> | |
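<!-- Exclude: the Monitoring Agent's knowledge-discovery script. ParentImage holds a bare path with no -->
<!-- quoting (compare the other ParentImage values in this section), so a quoted value can never be -->
<!-- equal to it and the exclusion would silently not apply. -->
<Rule groupRelation="and"> | |
<ParentImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe</ParentImage> | |
<CommandLine condition="is">"C:\Windows\system32\cscript.exe" /nologo "MonitorKnowledgeDiscovery.vbs"</CommandLine> | |
</Rule> | |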
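<!-- Exclude: vendor and agent binaries, by full path. The "begin with" directory prefixes silence every -->
<!-- executable under that tree, not only the vendor's own binaries; review them against the local install -->
<!-- and prefer exact paths where the tree is writable by non-administrators. -->
<ParentImage condition="end with">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe</ParentImage> | |
<Image condition="begin with">C:\program files (x86)\desktopcentral_agent\bin\</Image> | |
<Image condition="begin with">C:\program files\desktopcentral_server\bin\</Image> | |
<CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</CommandLine> | |
<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> | |
<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image> | |
<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> | |
<ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine> | |
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> | |
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage> | |
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage> | |
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage> | |
<Image condition="begin with">C:\Program Files\NVIDIA Corporation\</Image> | |
<Image condition="begin with">C:\Program Files\Realtek\</Image> | |
<ParentImage condition="end with">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe</ParentImage> | |
<Image condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</Image> | |
<ParentImage condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage> | |
<Image condition="is">C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe</Image> | |
<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine> | |
<CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine> | |
<Image condition="begin with">C:\Program Files (x86)\Google\Update\</Image> | |
<ParentImage condition="begin with">C:\Program Files (x86)\Google\Update\</ParentImage> | |
<ParentImage condition="is">C:\Program Files (x86)\RES Software\Workspace Manager\pfwsmgr.exe</ParentImage> | |
<ParentImage condition="is">C:\Program Files (x86)\RES Software\Workspace Manager\respesvc64.exe</ParentImage> | |
<ParentImage condition="is">C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe</ParentImage> | |
<ParentImage condition="is">C:\Program Files (x86)\RES Software\Workspace Manager\ResPesvc64.exe</ParentImage> | |
<ParentImage condition="is">C:\Program Files\RES Software\Workspace Manager\respesvc.exe</ParentImage> | |
<ParentImage condition="is">C:\Program Files\Ivanti\Workspace Control\ResPesvc.exe</ParentImage> | |
<Image condition="is">C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe</Image> | |
<Image condition="is">C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe</Image> | |
<Image condition="is">C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe</Image> | |
<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> | |
<ParentImage condition="end with">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage> | |
<ParentImage condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</ParentImage> | |
<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE</Image> | |
<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE</Image> | |
<CommandLine condition="begin with">"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> | |
<CommandLine condition="begin with">"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> | |
<!-- "contains all" splits on ';'; a leading space would become part of the first token and no image path -->
<!-- starts with a space, so the value must start directly with the drive letter. -->
<Image condition="contains all">C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe</Image> | |
<Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe</Image> | |
<Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe</Image> | |
<Image condition="is">C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe</Image> | |
<Image condition="is">C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe</Image> | |
<Image condition="is">C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe</Image> | |
<Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe</Image> | |
<Image condition="is">C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe</Image> | |
<!-- Splunk: the whole bin\ tree plus children of splunkd/splunk, on both C: and D: installs. -->
<Image condition="begin with">C:\Program Files\Splunk\bin\</Image> | |
<ParentImage condition="is">C:\Program Files\Splunk\bin\splunkd.exe</ParentImage> | |
<ParentImage condition="is">C:\Program Files\Splunk\bin\splunk.exe</ParentImage> | |
<Image condition="begin with">D:\Program Files\Splunk\bin\</Image> | |
<ParentImage condition="is">D:\Program Files\Splunk\bin\splunkd.exe</ParentImage> | |
<ParentImage condition="is">D:\Program Files\Splunk\bin\splunk.exe</ParentImage> | |
<Image condition="begin with">C:\Program Files\SplunkUniversalForwarder\bin\</Image> | |
<ParentImage condition="is">C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</ParentImage> | |
<ParentImage condition="is">C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe</ParentImage> | |
<Image condition="begin with">D:\Program Files\SplunkUniversalForwarder\bin\</Image> | |
<ParentImage condition="is">D:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</ParentImage> | |
<ParentImage condition="is">D:\Program Files\SplunkUniversalForwarder\bin\splunk.exe</ParentImage> | |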
<!-- Exclude: exact service-host command lines; condition="is" needs the whole string to be equal, so a -->
<!-- variant with extra switches is still logged. -->
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel -s StateRepository</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel</CommandLine> | |
<CommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k appmodel -p -s tiledatamodelsvc</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k camera -s FrameServer</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k dcomlaunch -s LSM</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k dcomlaunch -s PlugPlay</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k defragsvc</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k devicesflow -s DevicesFlowUserSvc</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k imgsvc</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s EventSystem</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s bthserv</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s nsi</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s w32Time</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s TimeBrokerSvc</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNoNetwork</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost</CommandLine> | |
<CommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted</CommandLine> | |
<CommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -p -s ncaSvc</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s BITS</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s Gpsvc</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s SENS</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s Themes</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s Dnscache</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s NlaSvc</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s TermService</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k rPCSS</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k secsvcs</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k swprv</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k unistackSvcGroup</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k utcsvc</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k wbioSvcGroup</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k werSvcGroup</CommandLine> | |
<CommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k wsappx -p -s ClipSVC</CommandLine> | |
<CommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k wsappx -p -s AppXSvc</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k wsappx</CommandLine> | |
<!-- The two ParentCommandLine entries drop every child of those two svchost instances, whatever the child -->
<!-- is; that is a wider blind spot than the per-command-line entries above and deserves periodic review. -->
<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs</ParentCommandLine> | |
<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted</ParentCommandLine> | |
<!-- Exclude: Trend Micro agent components, by full path. -->
<Image condition="is">C:\Program Files\Trend Micro\Deep Security Agent\ds_monitor.exe</Image> | |
<Image condition="is">C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe</Image> | |
<Image condition="is">C:\Program Files\Trend Micro\Deep Security Agent\dsuam.exe</Image> | |
<Image condition="is">C:\Program Files\Trend Micro\Deep Security Agent\Notifier.exe</Image> | |
<Image condition="is">C:\Program Files\Trend Micro\Deep Security Agent\lib\Patch.exe</Image> | |
<Image condition="is">C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe</Image> | |
<Image condition="is">C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmopExtIns32.exe</Image> | |
<Image condition="is">C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmExtIns.exe</Image> | |
<Image condition="is">C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmListen.exe</Image> | |
<Image condition="begin with">C:\Program Files\Windows Defender\</Image> | |
<Image condition="is">C:\Windows\system32\MpSigStub.exe</Image> | |
<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_</Image> | |
<Image condition="is">C:\Program Files\Microsoft Security Client\MpCmdRun.exe</Image> | |
<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> | |
<CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine> | |
<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> | |
<Image condition="is">C:\Windows\System32\MusNotification.exe</Image> | |
<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image> | |
<Image condition="is">C:\Windows\System32\audiodg.exe</Image> | |
<Image condition="is">C:\Windows\System32\conhost.exe</Image> | |
<Image condition="is">C:\Windows\System32\powercfg.exe</Image> | |
<Image condition="is">C:\Windows\System32\wbem\WmiApSrv.exe</Image> | |
<Image condition="is">C:\Windows\System32\wermgr.exe</Image> | |
<Image condition="is">C:\Windows\SysWOW64\wermgr.exe</Image> | |
<Image condition="is">C:\Windows\system32\sppsvc.exe</Image> | |
<IntegrityLevel condition="is">AppContainer</IntegrityLevel> | |
<ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> | |
<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> | |
</ProcessCreate> | |
</RuleGroup> | |
<!-- Event ID 2 == File Creation Time - Includes --> | |
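<RuleGroup groupRelation="or">
<FileCreateTime onmatch="include">
<!-- Every rule in this group tags the event with the same MITRE id. T1099 was the legacy id for Timestomp
     and was folded into T1070.006 (Indicator Removal on Host: Timestomp); the two rules that still carried
     T1099 now use T1070.006 so the RuleName emitted for the technique is consistent and searchable. -->
<TargetFilename name="technique_id=T1070.006,technique_name=Timestomp" condition="end with">.exe</TargetFilename>
<!-- Timestamp changes made by a process running out of a temp or user-writable location -->
<Image name="technique_id=T1070.006,technique_name=Timestomp" condition="begin with">C:\Temp</Image>
<Image name="technique_id=T1070.006,technique_name=Timestomp" condition="begin with">C:\Windows\Temp</Image>
<Image name="technique_id=T1070.006,technique_name=Timestomp" condition="begin with">C:\Tmp</Image>
<Image name="technique_id=T1070.006,technique_name=Timestomp" condition="begin with">C:\Users</Image>
<!-- Process image loaded from a volume shadow copy device path -->
<Image name="technique_id=T1070.006,technique_name=Timestomp" condition="begin with">\Device\HarddiskVolumeShadowCopy</Image>
</FileCreateTime>
</RuleGroup>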
<!-- Event ID 2 == File Creation Time - Excludes --> | |
<RuleGroup groupRelation="or">
<FileCreateTime onmatch="exclude">
<!-- Chrome matched by path suffix rather than full path; the two variants cover the per-user and the App-V style install locations -->
<Image condition="end with">AppData\Local\Google\Chrome\Application\chrome.exe</Image>
<Image condition="end with">Root\VFS\ProgramFilesX86\Google\Chrome\Application\chrome.exe</Image>
<TargetFilename condition="contains">\NVIDIA\NvBackend\ApplicationOntology\</TargetFilename>
<Image condition="image">OneDrive.exe</Image>
<!-- NOTE(review): "contains setup" exempts any process whose full path contains that substring, not just installers,
     so a timestamp change by a binary dropped under e.g. a user folder named ...setup... is never logged here.
     A narrower path or "image" condition would shrink that blind spot. -->
<Image condition="contains">setup</Image>
<Image condition="end with">slack.exe</Image>
<Image condition="end with">AppData\Local\Microsoft\Teams\current\Teams.exe</Image>
</FileCreateTime>
</RuleGroup>
<!-- Event ID 3 == Network Connection - Includes --> | |
<RuleGroup groupRelation="or">
<NetworkConnect onmatch="include">
<!-- Event ID 3 is logged when any rule below matches; the name attribute of the matching rule is emitted
     as RuleName, which is how the MITRE tags reach the SIEM. -->
<Image name="technique_id=T1021,technique_name=Remote Services" condition="image">vnc.exe</Image>
<Image name="technique_id=T1021,technique_name=Remote Services" condition="image">vncviewer.exe</Image>
<Image name="technique_id=T1021,technique_name=Remote Services" condition="image">vncservice.exe</Image>
<Image name="technique_id=T1569.002,technique_name=Service Execution" condition="image">winexesvc.exe</Image>
<Image name="technique_id=T1197,technique_name=BITS Jobs" condition="image">bitsadmin.exe</Image>
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">4444</DestinationPort>
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">31337</DestinationPort>
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">6667</DestinationPort>
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">5555</DestinationPort>
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">5353</DestinationPort>
<Image name="technique_id=T1021,technique_name=Remote Services" condition="image">omniinet.exe</Image>
<Image name="technique_id=T1021,technique_name=Remote Services" condition="image">hpsmhd.exe</Image>
<Image name="technique_id=T1102,technique_name=Web Service" condition="begin with">C:\Program Files\Microsoft\HybridConnectionManager</Image>
<!-- System utilities that normally have no reason to open a network connection -->
<Rule name="Unusual Connection" groupRelation="or">
<Image condition="image">dllhost.exe</Image>
<Image condition="image">hh.exe</Image>
<Image condition="image">klist.exe</Image>
<Image condition="image">schtasks.exe</Image>
<Image condition="image">taskkill.exe</Image>
<Image name="technique_id=T1218.005,technique_name=Mshta" condition="image">mshta.exe</Image>
<Image name="technique_id=T1218.010,technique_name=Regsvr32" condition="image">regsvr32.exe</Image>
<Image name="technique_id=T1518.001,technique_name=Security Software Discovery" condition="image">netsh.exe</Image>
<Image name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="image">xwizard.exe</Image>
<Image name="technique_id=T1564.004,technique_name=NTFS File Attributes" condition="image">esentutl.exe</Image>
<Image name="technique_id=T1112,technique_name=Modify Registry" condition="image">reg.exe</Image>
<Image name="technique_id=T1134,technique_name=Access Token Manipulation" condition="image">runas.exe</Image>
<Image name="technique_id=T1069,technique_name=Permission Groups Discovery" condition="image">net1.exe</Image>
<Image name="technique_id=T1070,technique_name=Indicator Removal on Host" condition="image">wevtutil.exe</Image>
</Rule>
<Image name="technique_id=T1003,technique_name=Credential Dumping" condition="image">RpcPing.exe</Image>
<Rule name="Discovery" groupRelation="or">
<Image name="technique_id=T1016,technique_name=System Network Configuration Discovery" condition="image">ipconfig.exe</Image>
<Image name="technique_id=T1016,technique_name=System Network Configuration Discovery" condition="image">nbtstat.exe</Image>
<Image name="technique_id=T1016,technique_name=System Network Configuration Discovery" condition="image">nslookup.exe</Image>
<Image name="technique_id=T1018,technique_name=Remote System Discovery" condition="image">net.exe</Image>
<!-- nslookup.exe is already listed two lines up under T1016; a second entry in an "or" group changes nothing except which tag is reported -->
<Image name="technique_id=T1018,technique_name=Remote System Discovery" condition="image">nslookup.exe</Image>
<Image name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="image">nltest.exe</Image>
<Image name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="image">quser.exe</Image>
<Image name="technique_id=T1049,technique_name=System Network Connections Discovery" condition="image">netstat.exe</Image>
<Image name="technique_id=T1057,technique_name=Process Discovery" condition="image">qprocess.exe</Image>
<Image name="technique_id=T1057,technique_name=Process Discovery" condition="image">query.exe</Image>
<Image name="technique_id=T1057,technique_name=Process Discovery" condition="image">qwinsta.exe</Image>
<Image name="technique_id=T1057,technique_name=Process Discovery" condition="image">rwinsta.exe</Image>
<Image name="technique_id=T1057,technique_name=Process Discovery" condition="image">tasklist.exe</Image>
</Rule>
<Rule name="Ingress Tool Transfer" groupRelation="or">
<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">expand.exe</Image>
<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">extrac32.exe</Image>
<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">IEExec.exe</Image>
<Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">Print.Exe</Image>
</Rule>
<Rule name="Execution" groupRelation="or">
<Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">cscript.exe</Image>
<Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">desktopimgdownldr.exe</Image>
<Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">pcalua.exe</Image>
<Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">winrs.exe</Image>
<Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">wscript.exe</Image>
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">Msdt.exe</Image>
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">msiexec.exe</Image>
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">RegisterCimProvider.exe</Image>
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">ScriptRunner.exe</Image>
<Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="image">dfsvc.exe</Image>
</Rule>
<Rule name="Services" groupRelation="or">
<Image name="technique_id=T1569.002,technique_name=Service Execution" condition="image">dnscmd.exe</Image>
<Image name="technique_id=T1543.003,technique_name=Windows Service" condition="image">sc.exe</Image>
<Image name="technique_id=T1053,technique_name=Scheduled Task/Job" condition="image">taskeng.exe</Image>
</Rule>
<Rule name="Shells and Terminals" groupRelation="or">
<Image name="technique_id=T1059.001,technique_name=PowerShell" condition="image">OpenConsole.exe</Image>
<Image name="technique_id=T1059.001,technique_name=PowerShell" condition="image">powershell.exe</Image>
<Image name="technique_id=T1059.001,technique_name=PowerShell" condition="image">WindowsTerminal.exe</Image>
<Image name="technique_id=T1059.003,technique_name=Windows Command Shell" condition="image">cmd.exe</Image>
<Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">bash.exe</Image>
</Rule>
<!-- NOTE(review): many entries in the flat list that follows (cscript, wscript, mshta, msiexec, regsvr32, reg, sc, net,
     schtasks, taskkill, hh, nbtstat, nslookup, qprocess, qwinsta, rwinsta) repeat images already present in the named
     Rule blocks above, only with a different technique tag. This is an artefact of merging modules: matching is
     unaffected, but the duplicates make the reported RuleName depend on rule order and are a dedup candidate. -->
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">Mavinject.exe</Image>
<Image name="technique_id=T1053,technique_name=Scheduled Task" condition="image">at.exe</Image>
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">certutil.exe</Image>
<Image name="technique_id=T1218,technique_name=Signed Script Proxy Execution" condition="image">cscript.exe</Image>
<Image condition="image">java.exe</Image>
<Image name="technique_id=T1218.005,technique_name=Mshta" condition="image">mshta.exe</Image>
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">msiexec.exe</Image>
<Image name="technique_id=T1069,technique_name=Permission Groups Discovery" condition="image">net.exe</Image>
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">notepad.exe</Image>
<Image name="technique_id=T1012,technique_name=Query Registry" condition="image">reg.exe</Image>
<Image name="technique_id=T1218,technique_name=Regsvr32" condition="image">regsvr32.exe</Image>
<Image name="technique_id=T1218.011,technique_name=Rundll32" condition="image">rundll32.exe</Image>
<Image name="technique_id=T1543.003,technique_name=Windows Service" condition="image">sc.exe</Image>
<Image name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="image">wmic.exe</Image>
<Image name="technique_id=T1218,technique_name=Signed Script Proxy Execution" condition="image">wscript.exe</Image>
<Image condition="image">driverquery.exe</Image>
<Image name="technique_id=T1069,technique_name=Permission Groups Discovery" condition="image">dsquery.exe</Image>
<Image name="technique_id=T1069,technique_name=Permission Groups Discovery" condition="image">AdFind.exe</Image>
<Image condition="image">hh.exe</Image>
<Image condition="image">infDefaultInstall.exe</Image>
<Image condition="image">javaw.exe</Image>
<Image condition="image">javaws.exe</Image>
<Image name="technique_id=T1543.003,technique_name=Windows Service" condition="image">mmc.exe</Image>
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">msbuild.exe</Image>
<Image name="technique_id=T1016,technique_name=System Network Configuration Discovery" condition="image">nbtstat.exe</Image>
<Image name="technique_id=T1018,technique_name=Remote System Discovery" condition="image">nslookup.exe</Image>
<Image name="technique_id=T1057,technique_name=Process Discovery" condition="image">qprocess.exe</Image>
<Image name="technique_id=T1057,technique_name=Process Discovery" condition="image">qwinsta.exe</Image>
<Image name="technique_id=T1218.009,technique_name=Regsvcs/Regasm" condition="image">regsvcs.exe</Image>
<Image name="technique_id=T1057,technique_name=Process Discovery" condition="image">rwinsta.exe</Image>
<Image name="technique_id=T1053,technique_name=Scheduled Task/Job" condition="image">schtasks.exe</Image>
<Image name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="image">taskkill.exe</Image>
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">replace.exe</Image>
<!-- Common proxy ports and clear-text mail -->
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">1080</DestinationPort>
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">3128</DestinationPort>
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">8080</DestinationPort>
<DestinationPort name="technique_id=T1021,technique_name=Remote Services" condition="is">22</DestinationPort>
<DestinationPort name="technique_id=T1021,technique_name=Remote Services" condition="is">23</DestinationPort>
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">25</DestinationPort>
<!-- Kerberos (88) traffic originating from any process other than lsass.exe; the "and" relation is what keeps normal logons out -->
<Rule groupRelation="and">
<DestinationPort name="technique_id=T1021,technique_name=Remote Services" condition="is">88</DestinationPort>
<Image condition="is not">C:\Windows\System32\lsass.exe</Image>
</Rule>
<DestinationPort name="technique_id=T1021,technique_name=Remote Services" condition="is">3389</DestinationPort>
<DestinationPort name="technique_id=T1021,technique_name=Remote Services" condition="is">5800</DestinationPort>
<DestinationPort name="technique_id=T1021,technique_name=Remote Services" condition="is">5900</DestinationPort>
<DestinationPort name="technique_id=T1021,technique_name=Remote Services" condition="is">5985</DestinationPort>
<DestinationPort name="technique_id=T1021,technique_name=Remote Services" condition="is">5986</DestinationPort>
<DestinationPort name="technique_id=T1087.002,technique_name=Account Discovery: Domain Account" condition="is">9389</DestinationPort>
<Image name="technique_id=T1569.002,technique_name=Service Execution" condition="image">psexec.exe</Image>
<Image name="technique_id=T1569.002,technique_name=Service Execution" condition="image">psexesvc.exe</Image>
<!-- Connections whose *source* port is one of the SMB/LDAP-family service ports, from a process that is not
     lsass.exe, dsamain.exe or the System process (PID 4): the legitimate owners of those listeners -->
<Rule groupRelation="and">
<SourcePort name="technique_id=T1557,technique_name=Adversary-in-the-Middle" condition="is any">445;389;8492;636;3268;3269</SourcePort>
<Image condition="is not">C:\Windows\System32\lsass.exe</Image>
<Image condition="is not">c:\Windows\System32\dsamain.exe</Image>
<ProcessId condition="is not">4</ProcessId>
</Rule>
<!-- Network activity from binaries running out of user-writable or otherwise unusual locations -->
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\ProgramData</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Temp</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Temp</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\PerfLogs\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\$Recycle.bin\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Intel\Logs\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users\Default\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users\Public\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Users\NetworkService\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Fonts\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Debug\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Media\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\Help\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\addins\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\repair\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\security\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\htdocs\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\wwwroot\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\AppData\Local\</Image>
<!-- redundant: any path containing \AppData\Local\Temp\ already matches the \AppData\Local\ rule directly above -->
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\AppData\Local\Temp\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\AppData\Roaming\</Image>
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">\AppData\LocalLow\</Image>
<!-- NOTE(review): this tags every connection made by a 32-bit system binary as Masquerading; expect volume from
     legitimate WOW64 processes and consider narrowing before relying on the T1036 tag for alerting -->
<Image name="technique_id=T1036,technique_name=Masquerading" condition="contains">C:\Windows\SysWOW64</Image>
<Image name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="image">SyncAppvPublishingServer.exe</Image>
<Image condition="image">tor.exe</Image>
<!-- PPTP, IPsec NAT-T and the default Tor relay/directory ports -->
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">1723</DestinationPort>
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">4500</DestinationPort>
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">9001</DestinationPort>
<DestinationPort name="technique_id=T1571,technique_name=Non-Standard Port" condition="is">9030</DestinationPort>
<!-- WinRM ports, already listed above under the generic T1021 tag; these two only add the more specific sub-technique -->
<DestinationPort name="technique_id=T1021.006,technique_name=Windows Remote Management" condition="is">5985</DestinationPort>
<DestinationPort name="technique_id=T1021.006,technique_name=Windows Remote Management" condition="is">5986</DestinationPort>
</NetworkConnect>
</RuleGroup>
<!-- Event ID 3 == Network Connection - Excludes --> | |
<RuleGroup groupRelation="or">
<NetworkConnect onmatch="exclude">
<!-- NOTE(review): the "end with" excludes below match on a path suffix anywhere on disk, so any binary that
     happens to be named winlogbeat.exe / packetbeat.exe / Dropbox.exe is silent regardless of where it runs.
     The security products in this list use a full path with "is", which is the safer pattern. -->
<Image condition="end with">AppData\Roaming\Dropbox\bin\Dropbox.exe</Image>
<Image condition="end with">winlogbeat.exe</Image>
<Image condition="end with">packetbeat.exe</Image>
<Image condition="is">C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe</Image>
<!-- Normal Kerberos traffic: lsass.exe to port 88 (the include side logs 88 from any other image) -->
<Rule groupRelation="and">
<Image condition="is">C:\Windows\System32\lsass.exe</Image>
<DestinationPort condition="is">88</DestinationPort>
</Rule>
<Image condition="image">OneDrive.exe</Image>
<Image condition="image">OneDriveStandaloneUpdater.exe</Image>
<Image condition="end with">ownCloud\owncloud.exe</Image>
<Image condition="is">C:\Program Files\Palo Alto Networks\Traps\cyserver.exe</Image>
<!-- RDP over UDP (the transport RDP negotiates alongside TCP 3389) is dropped; TCP 3389 is still included above -->
<Rule groupRelation="and">
<Protocol condition="is">udp</Protocol>
<DestinationPort condition="is">3389</DestinationPort>
</Rule>
<Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe</Image>
<Image condition="is">C:\Program Files\Sophos\Sophos Network Threat Protection\bin\SntpService.exe</Image>
<Image condition="end with">AppData\Roaming\Spotify\Spotify.exe</Image>
<Image condition="end with">AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-ui.exe</Image>
<Image condition="end with">AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe</Image>
<Image condition="is">C:\Program files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe</Image>
<Image condition="is">C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe</Image>
<!-- NOTE(review): these excludes key on DestinationHostname, which Sysmon only fills in when its reverse-lookup
     option (DnsLookup) is enabled; with lookups disabled the field stays empty and none of these rules can match,
     so Windows Update traffic would still be logged. Verify against the option at the top of this config. -->
<DestinationHostname condition="end with">.windowsupdate.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">.windowsupdate.com</DestinationHostname>
<DestinationHostname condition="end with">wustat.windows.com</DestinationHostname>
<DestinationHostname condition="end with">go.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">.update.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">download.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname>
<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname>
</NetworkConnect>
</RuleGroup>
<!-- Event ID 5 == Process Terminated - Includes --> | |
<RuleGroup groupRelation="or">
<ProcessTerminate onmatch="include">
<!-- Event ID 5 is only recorded for processes that ran from a user profile or a temp directory; everything
     else terminates silently. Note "begin with C:\Users" has no trailing backslash, so it is a plain prefix match. -->
<Image condition="begin with">C:\Users</Image>
<Image condition="begin with">C:\Temp</Image>
<Image condition="begin with">C:\Windows\Temp</Image>
</ProcessTerminate>
</RuleGroup>
<!-- Event ID 6 == Driver Loaded - Excludes --> | |
<RuleGroup groupRelation="or">
<!--Default to log all and exclude only valid signed Microsoft or Intel drivers-->
<DriverLoad onmatch="exclude">
<!-- Each "and" rule requires both the signer prefix and a Valid signature status before the load is dropped -->
<Rule groupRelation="and">
<Signature condition="begin with">Intel </Signature>
<SignatureStatus condition="is">Valid</SignatureStatus>
</Rule>
<!-- NOTE(review): "contains Microsoft" is broader than the comment above suggests. Third-party drivers that went
     through WHQL carry a Signature naming the Microsoft Windows Hardware Compatibility Publisher, so they match
     here too and every validly signed vendor driver is excluded. That is exactly the population abused by
     bring-your-own-vulnerable-driver loaders. Matching the exact Microsoft signer names with "is" would keep the
     noise reduction for in-box drivers while leaving vendor drivers visible. -->
<Rule groupRelation="and">
<Signature condition="contains">Microsoft</Signature>
<SignatureStatus condition="is">Valid</SignatureStatus>
</Rule>
</DriverLoad>
</RuleGroup>
<!-- Event ID 7 == Image Loaded - Excludes --> | |
<!-- NOTE(review): an exclude filter with no rules excludes nothing, so as written this logs every DLL load on the
     host, which is the highest-volume Sysmon event type. If Event ID 7 is meant to be off, use
     onmatch="include" with no rules (as done for RawAccessRead below); if it is meant to be scoped, add include rules. -->
<ImageLoad onmatch="exclude"></ImageLoad>
<!-- Event ID 8 == CreateRemoteThread - Excludes --> | |
<RuleGroup groupRelation="or">
<!--Default to log all and exclude a few common processes-->
<CreateRemoteThread onmatch="exclude">
<!-- NOTE(review): the SourceImage-only excludes below drop Event ID 8 for *any* target when the thread originates
     from these system binaries. svchost.exe in particular hosts arbitrary services and is a common origin of
     injected threads, so this is a sizeable blind spot; pairing it with a TargetImage, as the dwm.exe rule further
     down does, would keep the noise reduction without silencing injection into unrelated processes. -->
<SourceImage condition="is">C:\Windows\System32\svchost.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\wininit.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\csrss.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\services.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\winlogon.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\audiodg.exe</SourceImage>
<!-- Scoped exclude: dwm.exe threads into csrss.exe only -->
<Rule groupRelation="and">
<SourceImage condition="is">C:\Windows\System32\dwm.exe</SourceImage>
<TargetImage condition="is">C:\Windows\System32\csrss.exe</TargetImage>
</Rule>
<!-- Excluded by target: a remote thread into chrome.exe is dropped whatever the source is -->
<TargetImage condition="end with">Google\Chrome\Application\chrome.exe</TargetImage>
<SourceImage condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</SourceImage>
</CreateRemoteThread>
</RuleGroup>
<!-- Event ID 9 == RawAccessRead - Includes --> | |
<RuleGroup groupRelation="or">
<!-- An include filter with no rules matches nothing, so Event ID 9 (raw reads of a volume that bypass the file
     system, a classic way of lifting protected files) is effectively switched off by this config. -->
<RawAccessRead onmatch="include" />
</RuleGroup>
<!-- Event ID 10 == ProcessAccess - Excludes --> | |
<!-- NOTE(review): same semantics as the ImageLoad line above: an empty exclude set excludes nothing, so every
     process-handle open on the host is logged as Event ID 10. That is very high volume. To keep the event useful,
     add include rules for the targets that matter (lsass.exe is the usual one) or switch to an empty include to
     disable it. -->
<ProcessAccess onmatch="exclude"></ProcessAccess>
<!-- Event ID 11 == FileCreate - Includes --> | |
<RuleGroup groupRelation="or"> | |
<FileCreate onmatch="include"> | |
<TargetFilename name="technique_id=T1546.011,technique_name=Application Shimming" condition="contains">C:\Windows\AppPatch\Custom</TargetFilename> | |
<TargetFilename condition="end with">.bat</TargetFilename> | |
<TargetFilename condition="end with">.cmd</TargetFilename> | |
<TargetFilename name="technique_id=T1059,technique_name=Command and Scripting Interpreter" condition="end with">.chm</TargetFilename> | |
<TargetFilename condition="contains all">C:\Users\;\.azure\accesstokens.json</TargetFilename> | |
<TargetFilename condition="contains all">C:\Users\;\.aws\credentials</TargetFilename> | |
<TargetFilename condition="contains all">C:\Users\;\config\gcloud</TargetFilename> | |
<TargetFilename condition="contains all">C:\Users\;\.alibabacloud\credentials</TargetFilename> | |
<TargetFilename condition="contains all">C:\Users\;\.kube\config</TargetFilename> | |
<TargetFilename condition="contains all">C:\Users\;\.ssh\</TargetFilename> | |
<Rule groupRelation="and"> | |
<Image condition="end with">\WINWORD.EXE</Image> | |
<TargetFilename condition="contains any">.cab;.inf</TargetFilename> | |
</Rule> | |
<TargetFilename condition="begin with">C:\Users\Default</TargetFilename> | |
<TargetFilename condition="contains">Desktop</TargetFilename> | |
<TargetFilename name="technique_id=T1218,technique_name=Office Signed Binary Proxy Execution" condition="contains">AppData\Local\Microsoft\CLR_v2.0\UsageLogs\</TargetFilename> | |
<TargetFilename name="technique_id=T1218,technique_name=Office Signed Binary Proxy Execution" condition="end with">\UsageLogs\cscript.exe.log</TargetFilename> | |
<TargetFilename name="technique_id=T1218,technique_name=Office Signed Binary Proxy Execution" condition="end with">\UsageLogs\wscript.exe.log</TargetFilename> | |
<TargetFilename name="technique_id=T1218,technique_name=Office Signed Binary Proxy Execution" condition="end with">\UsageLogs\wmic.exe.log</TargetFilename> | |
<TargetFilename name="technique_id=T1218,technique_name=Office Signed Binary Proxy Execution" condition="end with">\UsageLogs\mshta.exe.log</TargetFilename> | |
<TargetFilename name="technique_id=T1218,technique_name=Office Signed Binary Proxy Execution" condition="end with">\UsageLogs\svchost.exe.log</TargetFilename> | |
<TargetFilename name="technique_id=T1218,technique_name=Office Signed Binary Proxy Execution" condition="end with">\UsageLogs\regsvr32.exe.log</TargetFilename> | |
<TargetFilename name="technique_id=T1218,technique_name=Office Signed Binary Proxy Execution" condition="end with">\UsageLogs\rundll32.exe.log</TargetFilename> | |
<TargetFilename condition="contains">\Downloads\</TargetFilename> | |
<TargetFilename condition="begin with">C:\Windows\System32\Drivers</TargetFilename> | |
<TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="end with">.js</TargetFilename> | |
<TargetFilename condition="contains">Appdata\Local\whatsapp\</TargetFilename> | |
<Image condition="excludes">Appdata\Local\whatsapp\</Image> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="end with">.js</TargetFilename> | |
<TargetFilename condition="contains">Appdata\Local\Microsoft\Teams\</TargetFilename> | |
<Image condition="excludes">Appdata\Local\Microsoft\Teams\</Image> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="end with">.js</TargetFilename> | |
<TargetFilename condition="contains">Appdata\Local\slack\</TargetFilename> | |
<Image condition="excludes">Appdata\Local\slack\</Image> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="end with">.js</TargetFilename> | |
<TargetFilename condition="contains">Appdata\Local\discord\</TargetFilename> | |
<Image condition="excludes">Appdata\Local\discord\</Image> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="end with">.js</TargetFilename> | |
<TargetFilename condition="contains">Appdata\Local\signal\</TargetFilename> | |
<Image condition="excludes">Appdata\Local\signal\</Image> | |
</Rule> | |
<TargetFilename condition="end with">.exe</TargetFilename> | |
<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename> | |
<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename> | |
<TargetFilename name="technique_id=T1218.005,technique_name=Mshta" condition="end with">.hta</TargetFilename> | |
<TargetFilename condition="end with">.iso</TargetFilename> | |
<TargetFilename condition="end with">.img</TargetFilename> | |
<TargetFilename name="technique_id=T1059.007,technique_name=JavaScript" condition="end with">.js</TargetFilename> | |
<TargetFilename name="technique_id=T1059.007,technique_name=JavaScript" condition="end with">.javascript</TargetFilename> | |
<TargetFilename condition="end with">.kirbi</TargetFilename> | |
<TargetFilename name="technique_id=T1187,technique_name=Forced Authentication" condition="end with">.lnk</TargetFilename> | |
<TargetFilename name="technique_id=T1187,technique_name=Forced Authentication" condition="end with">.scf</TargetFilename> | |
<TargetFilename condition="end with">.application</TargetFilename> | |
<TargetFilename condition="end with">.appref-ms</TargetFilename> | |
<TargetFilename name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="end with">.*proj</TargetFilename> | |
<TargetFilename name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="end with">.sln</TargetFilename> | |
<TargetFilename condition="end with">.settingcontent-ms</TargetFilename> | |
<TargetFilename condition="end with">.docm</TargetFilename> | |
<TargetFilename condition="end with">.pptm</TargetFilename> | |
<TargetFilename condition="end with">.xlsm</TargetFilename> | |
<TargetFilename condition="end with">.xlm</TargetFilename> | |
<TargetFilename condition="end with">.dotm</TargetFilename> | |
<TargetFilename condition="end with">.xltm</TargetFilename> | |
<TargetFilename condition="end with">.potm</TargetFilename> | |
<TargetFilename condition="end with">.ppsm</TargetFilename> | |
<TargetFilename condition="end with">.sldm</TargetFilename> | |
<TargetFilename condition="end with">.xlam</TargetFilename> | |
<TargetFilename condition="end with">.xla</TargetFilename> | |
<TargetFilename condition="end with">.iqy</TargetFilename> | |
<TargetFilename condition="end with">.slk</TargetFilename> | |
<TargetFilename condition="contains">\Content.Outlook\</TargetFilename> | |
<TargetFilename condition="contains">Roaming\Microsoft\Outlook\VbaProject.OTM</TargetFilename> | |
<TargetFilename condition="end with">.rwz</TargetFilename> | |
<TargetFilename condition="contains">Roaming\Microsoft\Outlook\Outlook.xml</TargetFilename> | |
<TargetFilename condition="end with">.rft</TargetFilename> | |
<TargetFilename condition="end with">.jsp</TargetFilename> | |
<TargetFilename condition="end with">.jspx</TargetFilename> | |
<TargetFilename condition="end with">.asp</TargetFilename> | |
<TargetFilename condition="end with">.aspx</TargetFilename> | |
<TargetFilename condition="end with">.php</TargetFilename> | |
<TargetFilename condition="end with">.war</TargetFilename> | |
<TargetFilename condition="end with">.ace</TargetFilename> | |
<TargetFilename name="technique_id=T1059.001,technique_name=PowerShell" condition="begin with">C:\Windows\System32\WindowsPowerShell</TargetFilename> | |
<TargetFilename name="technique_id=T1059.001,technique_name=PowerShell" condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename> | |
<TargetFilename name="technique_id=T1059.001,technique_name=PowerShell" condition="end with">.ps1</TargetFilename> | |
<TargetFilename name="technique_id=T1059.001,technique_name=PowerShell" condition="end with">.ps2</TargetFilename> | |
<TargetFilename condition="end with">.py</TargetFilename> | |
<TargetFilename condition="end with">.pyc</TargetFilename> | |
<TargetFilename condition="end with">.pyw</TargetFilename> | |
<TargetFilename condition="end with">.rdp</TargetFilename> | |
<Image condition="image">rundll32.exe</Image> | |
<TargetFilename condition="begin with">C:\Windows\System32\Tasks</TargetFilename> | |
<TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename> | |
<TargetFilename condition="contains">\Start Menu</TargetFilename> | |
<TargetFilename condition="contains">\Startup</TargetFilename> | |
<TargetFilename name="technique_id=T1574.010,technique_name=Services File Permissions Weakness" condition="begin with">C:\Windows\SysWoW64</TargetFilename> | |
<TargetFilename name="technique_id=T1574.010,technique_name=Services File Permissions Weakness" condition="begin with">C:\Windows\System32</TargetFilename> | |
<TargetFilename name="technique_id=T1574.010,technique_name=Services File Permissions Weakness" condition="begin with">C:\Windows\</TargetFilename> | |
<TargetFilename condition="end with">.sys</TargetFilename> | |
<!-- LSASS memory dump written by Task Manager (its "Create dump file" action). All three must hold: -->
<!-- the target path mentions lsass, it carries a dmp extension, and the writer is taskmgr.exe matched -->
<!-- by image name. Only Task Manager is covered by this rule; lsass dumps produced by other images -->
<!-- fall to the remaining includes in this group or are not captured here. The dmp;DMP pair looks -->
<!-- redundant if Sysmon string conditions are case-insensitive as its filtering docs state (confirm). -->
<Rule name="technique_id=T1003.001,technique_name=OS Credential Dumping: LSASS Memory" groupRelation="and">
<TargetFilename condition="contains">lsass</TargetFilename>
<TargetFilename condition="contains any">dmp;DMP</TargetFilename>
<Image condition="image">taskmgr.exe</Image>
</Rule>
<TargetFilename condition="end with">.url</TargetFilename> | |
<TargetFilename condition="end with">.vb</TargetFilename> | |
<TargetFilename condition="end with">.vbe</TargetFilename> | |
<TargetFilename condition="end with">.vbs</TargetFilename> | |
<!-- WDAC / Code Integrity policy tampering: a .cip policy binary created under the active multi-policy -->
<!-- directory. Both conditions are ANDed, so only .cip files in exactly this tree are logged. -->
<!-- Creation here is also what a legitimate policy deployment looks like; triage on Image and User. -->
<Rule groupRelation="and">
<TargetFilename name="technique_id=T1562.001,technique_name=Disable or Modify tools" condition="begin with">C:\Windows\System32\CodeIntegrity\CIPolicies\Active\</TargetFilename>
<TargetFilename name="technique_id=T1562.001,technique_name=Disable or Modify tools" condition="end with">.cip</TargetFilename>
</Rule>
<!-- Companion to the .cip rule: a .p7b written anywhere under CodeIntegrity (this is the legacy -->
<!-- single-policy format, e.g. SIPolicy.p7b). "begin with" on the directory plus "end with" on the -->
<!-- extension, ANDed, keeps this from firing on other CodeIntegrity files such as logs. -->
<Rule groupRelation="and">
<TargetFilename name="technique_id=T1562.001,technique_name=Disable or Modify tools" condition="begin with">C:\Windows\System32\CodeIntegrity\</TargetFilename>
<TargetFilename name="technique_id=T1562.001,technique_name=Disable or Modify tools" condition="end with">.p7b</TargetFilename>
</Rule>
<TargetFilename name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="begin with">C:\Windows\System32\Wbem</TargetFilename> | |
<TargetFilename name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename> | |
<Image name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="begin with">C:\WINDOWS\system32\wbem\scrcons.exe</Image> | |
<TargetFilename name="technique_id=T1546.008,technique_name=Services File Permissions Weakness" condition="begin with">C:\Windows\Temp\</TargetFilename> | |
<TargetFilename name="technique_id=T1546.008,technique_name=Services File Permissions Weakness" condition="begin with">C:\Program\</TargetFilename> | |
<TargetFilename name="technique_id=T1047,technique_name=File System Permissions Weakness" condition="begin with">C:\Temp\</TargetFilename> | |
<TargetFilename name="technique_id=T1047,technique_name=File System Permissions Weakness" condition="begin with">C:\PerfLogs\</TargetFilename> | |
<TargetFilename name="technique_id=T1047,technique_name=File System Permissions Weakness" condition="begin with">C:\Users\Public\</TargetFilename> | |
<TargetFilename name="technique_id=T1047,technique_name=File System Permissions Weakness" condition="contains">\AppData\Temp\</TargetFilename> | |
</FileCreate> | |
</RuleGroup> | |
<!-- Event ID 11 == FileCreate - Excludes --> | |
<!-- Event ID 11 FileCreate exclusions. groupRelation="or": a single matching line suppresses the event, -->
<!-- even when an include above would have selected it. Every Image-only line below is therefore a -->
<!-- blind spot for anything executing from that path (a planted or replaced binary at the same path -->
<!-- inherits the exclusion); the <Rule> entries that pair Image with TargetFilename are the safer shape. -->
<RuleGroup groupRelation="or">
<FileCreate onmatch="exclude">
<!-- Dell Command Update inventory collector, excluded by image alone -->
<Image condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</Image>
<!-- Elastic Endpoint state churn: scoped to one exact file rather than the whole image -->
<Rule groupRelation="and">
<Image condition="is">C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe</Image>
<TargetFilename condition="is">C:\Program Files\Elastic\Endpoint\state\last-document-id.json</TargetFilename>
</Rule>
<!-- Elastic Agent .ndjson spool files written from its own data directory -->
<Rule groupRelation="and">
<Image condition="begin with">C:\Program Files\Elastic\Agent\data\</Image>
<TargetFilename condition="contains all">C:\Program Files\Elastic\Agent\data\;.ndjson</TargetFilename>
</Rule>
<!-- Vendor and Office components excluded wholesale by exact image path -->
<Image condition="is">C:\Windows\system32\igfxCUIService.exe</Image>
<Image condition="is">C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe</Image>
<Image condition="is">C:\Program Files (x86)\RES Software\Workspace Manager\pfwsmgr.exe</Image>
<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image>
<!-- Prefetch .pf writes: high volume, but Prefetch is itself a forensic artifact, so this trades -->
<!-- a record of first executions for noise reduction -->
<TargetFilename condition="contains all">C:\Windows\Prefetch;.pf</TargetFilename>
<!-- Core OS processes: session manager, compatibility telemetry, WMI performance adapter -->
<Image condition="is">C:\Windows\System32\smss.exe</Image>
<Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image>
<Image condition="is">C:\Windows\system32\wbem\WMIADAP.EXE</Image>
<!-- Staging directories for driver installs and WMI performance counter rebuilds -->
<TargetFilename condition="begin with">C:\Windows\System32\DriverStore\Temp\</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\System32\wbem\Performance\</TargetFilename>
<!-- NOTE(review): WRITABLE.TST appears to be a directory-writability probe file; confirm the writer -->
<TargetFilename condition="end with">WRITABLE.TST</TargetFilename>
<!-- Recent-items shortcuts the shell writes when a user opens a file (noisy, also forensically useful) -->
<TargetFilename condition="contains">\AppData\Roaming\Microsoft\Windows\Recent\</TargetFilename>
<!-- Windows feature-upgrade staging tree -->
<TargetFilename condition="begin with">C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\</TargetFilename>
<!-- Prefix match: every 64-bit Microsoft component folder in the WinSxS store is covered -->
<Image condition="begin with">C:\WINDOWS\winsxs\amd64_microsoft-windows</Image>
<!-- Microsoft Security Client antimalware engine -->
<Image condition="is">c:\Program Files\Microsoft Security Client\MsMpEng.exe</Image>
<!-- Pairs with the include on Roaming\Microsoft\Outlook\Outlook.xml earlier in this config: Outlook -->
<!-- rewriting its own file is dropped, any other writer is still logged. condition="image" matches -->
<!-- the image name alone, so a process called Outlook.exe from any directory qualifies. -->
<Rule groupRelation="and">
<Image condition="image">Outlook.exe</Image>
<TargetFilename condition="contains">Roaming\Microsoft\Outlook\Outlook.xml</TargetFilename>
</Rule>
<!-- Windows provisioning tool -->
<Image condition="is">c:\windows\system32\provtool.exe</Image>
<!-- PowerShell's __PSScriptPolicyTest probe script: written to a temp directory on host start-up to -->
<!-- test script policy. The second rule additionally pins the account to SYSTEM, which is tighter. -->
<Rule groupRelation="and">
<Image condition="is">C:\Windows\system32\wsmprovhost.exe</Image>
<TargetFilename condition="contains all">C:\Users\;\AppData\Local\Temp;__PSScriptPolicyTest;.ps1</TargetFilename>
</Rule>
<Rule groupRelation="and">
<Image condition="is">C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe</Image>
<TargetFilename condition="contains all">C:\Windows\Temp;__PSScriptPolicyTest;.ps1</TargetFilename>
<User condition="is">NT AUTHORITY\SYSTEM</User>
</Rule>
<!-- Configuration Manager client. The path prefix has no trailing backslash, so it also matches -->
<!-- sibling directories whose name begins with CCM (e.g. CCMSetup). -->
<Image condition="is">C:\WINDOWS\CCM\CcmExec.exe</Image>
<TargetFilename condition="begin with">C:\Windows\CCM</TargetFilename>
<!-- OS-maintained scheduled task definitions; narrow prefixes, so the broad Tasks include earlier -->
<!-- in this config still fires for every other task -->
<TargetFilename condition="begin with">C:\Windows\System32\Tasks\Microsoft\Windows\PLA\FabricTraces</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant</TargetFilename>
<!-- Service-host heartbeat files, pinned to the exact two file names rather than excluding svchost -->
<Rule groupRelation="and">
<Image condition="is">C:\Windows\System32\svchost.exe</Image>
<TargetFilename condition="is">C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat</TargetFilename>
</Rule>
<Rule groupRelation="and">
<Image condition="is">C:\Windows\System32\svchost.exe</Image>
<TargetFilename condition="is">C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat</TargetFilename>
</Rule>
</FileCreate>
</RuleGroup>
<!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed - Includes --> | |
<RuleGroup groupRelation="or"> | |
<RegistryEvent onmatch="include"> | |
<TargetObject name="technique_id=T1546.011,technique_name=Application Shimming" condition="contains">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> | |
<TargetObject name="technique_id=T1546.011,technique_name=Application Shimming" condition="contains">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> | |
<TargetObject name="technique_id=T1547.002,technique_name=Authentication Package" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication</TargetObject> | |
<TargetObject name="technique_id=T1547.002,technique_name=Authentication Package" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL</TargetObject> | |
<TargetObject name="technique_id=T1547.002,technique_name=Authentication Package" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject> | |
<TargetObject name="technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder" condition="contains">\CurrentVersion\Run</TargetObject> | |
<TargetObject condition="contains">\Group Policy\Scripts</TargetObject> | |
<TargetObject name="technique_id=T1037,technique_name=Boot or Logon Initialization Scripts" condition="contains">\Windows\System\Scripts</TargetObject> | |
<TargetObject name="technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder" condition="contains">\Policies\Explorer\Run</TargetObject> | |
<TargetObject condition="end with">\ServiceDll</TargetObject> | |
<TargetObject condition="end with">\ImagePath</TargetObject> | |
<TargetObject condition="end with">\Start</TargetObject> | |
<TargetObject name="technique_id=T1547.004,technique_name=Winlogon Helper DLL" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify</TargetObject> | |
<TargetObject name="technique_id=T1547.004,technique_name=Winlogon Helper DLL" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit</TargetObject> | |
<TargetObject name="technique_id=T1547.004,technique_name=Winlogon Helper DLL" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject> | |
<TargetObject name="technique_id=T1547.004,technique_name=Winlogon Helper DLL" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject> | |
<TargetObject name="technique_id=T1547.004,technique_name=Winlogon Helper DLL" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Specialaccounts\userlist</TargetObject> | |
<TargetObject name="technique_id=T1547.004,technique_name=Winlogon Helper DLL" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Uihostl</TargetObject> | |
<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> | |
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> | |
<TargetObject name="technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder" condition="contains all">HKLM\SYSTEM\;Control\Session Manager\BootExecute</TargetObject> | |
<TargetObject name="technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder" condition="contains all">HKLM\SYSTEM\;Control\Session Manager\excludefromknowndlls</TargetObject> | |
<TargetObject name="technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder" condition="contains all">HKLM\SYSTEM\;Control\Session Manager\safedllsearchmode</TargetObject> | |
<TargetObject name="technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder" condition="contains all">HKLM\SYSTEM\;Control\Session Manager\setupexecute</TargetObject> | |
<TargetObject name="technique_id=T1546.001,technique_name=Change Default File Association" condition="contains">\Explorer\FileExts</TargetObject> | |
<TargetObject condition="contains">\shell\install\command</TargetObject> | |
<TargetObject condition="contains">\shell\open\command</TargetObject> | |
<TargetObject condition="contains">\shell\open\ddeexec</TargetObject> | |
<TargetObject name="technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder" condition="contains">Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup</TargetObject> | |
<TargetObject name="technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder" condition="contains all">software\microsoft\windows nt\currentversion\accessibility\ATs\;\StartExe</TargetObject> | |
<TargetObject name="technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder" condition="contains">software\microsoft\windows nt\currentversion\windows\run\</TargetObject> | |
<TargetObject name="technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder" condition="contains">Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\</TargetObject> | |
<TargetObject name="technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder" condition="contains">software\microsoft\windows\currentversion\explorer\shell folders\common startup</TargetObject> | |
<TargetObject name="technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder" condition="contains">software\microsoft\windows\currentversion\explorer\shell folders\startup</TargetObject> | |
<TargetObject name="technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder" condition="begin with">hklm\software\microsoft\command processor\autorun</TargetObject> | |
<TargetObject name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="contains">\mscfile\shell\open\command</TargetObject> | |
<TargetObject name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="contains">ms-settings\shell\open\command</TargetObject> | |
<TargetObject name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> | |
<TargetObject name="technique_id=T1546.015,technique_name=Component Object Model Hijacking" condition="contains all">Software\Classes\CLSID;inprocserver32</TargetObject> | |
<TargetObject name="technique_id=T1546.015,technique_name=Component Object Model Hijacking" condition="contains all">Software\Classes\CLSID;localserver32</TargetObject> | |
<TargetObject name="technique_id=T1546.015,technique_name=Component Object Model Hijacking" condition="contains all">Classes\CLSID\;TreatAs</TargetObject> | |
<TargetObject name="technique_id=T1003.002,technique_name=Security Account Manager" condition="contains">System\CurrentControlSet\Services\VSS</TargetObject> | |
<TargetObject name="technique_id=T1098,technique_name=Account Manipulation" condition="contains">\services\Netlogon\Parameters\DisablePasswordChange</TargetObject> | |
<TargetObject name="technique_id=T1546.010,technique_name=Appinit DLLs" condition="contains all">HKLM\SOFTWARE\;Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls</TargetObject> | |
<TargetObject name="technique_id=T1546.010,technique_name=Appinit DLLs" condition="contains all">HKLM\SOFTWARE\;Microsoft\Windows NT\CurrentVersion\Windows\loadappinit_dlls</TargetObject> | |
<TargetObject name="technique_id=T1546.010,technique_name=Appinit DLLs" condition="contains all">\SYSTEM\;\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject> | |
<TargetObject name="technique_id=T1562.006,technique_name=Impair Defenses - Indicator Blocking" condition="end with">SOFTWARE\Microsoft\.NETFramework\ETWEnabled</TargetObject> | |
<TargetObject name="technique_id=T1546.008,technique_name=Accessibility Features" condition="contains">\Environment\</TargetObject> | |
<TargetObject condition="begin with">HKLM\SYSTEM\setup\cmdline</TargetObject> | |
<TargetObject condition="begin with">HKLM\SYSTEM\setup\upgrade</TargetObject> | |
<TargetObject condition="contains all">Software\microsoft\ctf\langbaraddin\;\Enable</TargetObject> | |
<TargetObject condition="contains all">Software\microsoft\ctf\langbaraddin\;\FilePath</TargetObject> | |
<TargetObject condition="contains">Software\policies\microsoft\windows\control panel\desktop\scrnsave.exe</TargetObject> | |
<TargetObject condition="begin with">HKLM\Software\Classes\protocols\filter\</TargetObject> | |
<TargetObject condition="begin with">HKLM\Software\Classes\protocols\handler\</TargetObject> | |
<TargetObject name="technique_id=T1562.002,technique_name=Disable Windows Event Logging" condition="contains all">\SYSTEM\;\Service\EventLog;Retention</TargetObject> | |
<TargetObject name="technique_id=T1562.002,technique_name=Disable Windows Event Logging" condition="contains all">\SYSTEM\;\Service\EventLog;MaxSize</TargetObject> | |
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions</TargetObject> | |
<TargetObject name="technique_id=T1546.012,technique_name=Image File Execution Options Injection" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject> | |
<TargetObject name="technique_id=T1546.012,technique_name=Image File Execution Options Injection" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject> | |
<TargetObject condition="contains">\Internet Explorer\Toolbar</TargetObject> | |
<TargetObject condition="contains">\Internet Explorer\Extensions</TargetObject> | |
<TargetObject condition="contains">\Browser Helper Objects</TargetObject> | |
<TargetObject condition="contains">\software\microsoft\internet explorer\desktop\components\Source</TargetObject> | |
<TargetObject condition="contains">\software\microsoft\internet explorer\explorer bars\</TargetObject> | |
<TargetObject condition="contains">\software\microsoft\internet explorer\Styles\MaxScriptStatements</TargetObject> | |
<TargetObject condition="contains">\software\microsoft\internet explorer\toolbar\WebBrowser\ITBarLayout</TargetObject> | |
<TargetObject condition="contains">\software\wow6432node\microsoft\internet explorer\toolbar\WebBrowser\ITBarLayout</TargetObject> | |
<TargetObject condition="contains">\software\microsoft\internet explorer\urlsearchhooks\</TargetObject> | |
<TargetObject condition="contains">HKLM\software\wow6432node\microsoft\internet explorer\urlsearchhooks\</TargetObject> | |
<TargetObject name="technique_id=T1547.010,technique_name=Port Monitors" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</TargetObject> | |
<TargetObject condition="begin with">hklm\system\mounteddevices\</TargetObject> | |
<TargetObject condition="contains all">hklm\system\;\enum\usb\</TargetObject> | |
<TargetObject name="technique_id=T1546.007,technique_name=Netsh Helper DLL" condition="contains">SOFTWARE\Microsoft\Netsh</TargetObject> | |
<TargetObject name="technique_id=T1137.006,technique_name=Office Add-ins" condition="contains all">\Microsoft\Office;\Outlook\Addins</TargetObject> | |
<TargetObject name="technique_id=T1137.006,technique_name=Office Add-ins" condition="contains">\Software\Microsoft\VSTO\Security\Inclusion</TargetObject> | |
<TargetObject name="technique_id=T1137.006,technique_name=Office Add-ins" condition="contains">\Software\Microsoft\VSTO\SolutionMetadata</TargetObject> | |
<TargetObject name="technique_name=Outlook Server 95/98 Identity Keys" condition="contains">Identities</TargetObject> | |
<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Account Name</TargetObject> | |
<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Display Name</TargetObject> | |
<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\Email</TargetObject> | |
<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP Password</TargetObject> | |
<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\HTTP User</TargetObject> | |
<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP Password</TargetObject> | |
<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\IMAP User</TargetObject> | |
<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\MAPI Provider</TargetObject> | |
<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 Password</TargetObject> | |
<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\POP3 User</TargetObject> | |
<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP Password</TargetObject> | |
<TargetObject condition="contains all">SOFTWARE\Microsoft\Office\;\Outlook\Profiles\;\9375CFF0413111d3B88A00104B2A6676\;\SMTP User</TargetObject> | |
<TargetObject name="technique_id=T1137.004,technique_name=Outlook Home Page" condition="contains all">software\microsoft\office\;\outlook\security\</TargetObject> | |
<TargetObject name="technique_id=T1137.004,technique_name=Outlook Home Page" condition="contains all">software\microsoft\office\;\outlook\today\</TargetObject> | |
<TargetObject name="technique_id=T1137.004,technique_name=Outlook Home Page" condition="contains all">software\microsoft\office\;\outlook\webview\;\</TargetObject> | |
<TargetObject condition="contains all">software\microsoft\office\;\word\options\globaldotname</TargetObject> | |
<TargetObject condition="contains all">software\microsoft\office\;\common\internet\server cache\</TargetObject> | |
<TargetObject condition="contains all">software\;microsoft\office\;\addins\</TargetObject> | |
<TargetObject condition="contains all">software\;microsoft\office\;\Common\COM Compatibility</TargetObject> | |
<TargetObject condition="contains">\Security\Trusted Documents\TrustRecords</TargetObject> | |
<TargetObject condition="contains">\Security\Trusted Documents\</TargetObject> | |
<TargetObject condition="end with">\UrlUpdateInfo</TargetObject> | |
<TargetObject condition="contains">software\microsoft\windows\currentversion\explorer\recentdocs\.docx\</TargetObject> | |
<TargetObject condition="contains">software\microsoft\windows\currentversion\explorer\recentdocs\.xlsx\</TargetObject> | |
<TargetObject condition="begin with">HKLM\SOFTWARE\Clients\Mail\Microsoft Outlook\DllPath</TargetObject> | |
<TargetObject condition="begin with">HKLM\SOFTWARE\Clients\Mail\Microsoft Outlook\DllPathEx</TargetObject> | |
<TargetObject condition="contains">software\microsoft\Office test\special\perf\</TargetObject> | |
<TargetObject condition="contains all">software\microsoft\office\;\Options\OPEN</TargetObject> | |
<TargetObject name="technique_id=T1137.006,technique_name=Office Add-ins" condition="contains all">\Microsoft\Office;\PowerPoint\Addins</TargetObject> | |
<TargetObject name="T1559.002,office" condition="end with">\Word\Security\AllowDDE</TargetObject> | |
<TargetObject name="T1559.002,office" condition="end with">\Excel\Security\DisableDDEServerLaunch</TargetObject> | |
<TargetObject name="T1559.002,office" condition="end with">\Excel\Security\DisableDDEServerLookup</TargetObject> | |
<TargetObject name="T1562,office" condition="end with">\VBAWarnings</TargetObject> | |
<TargetObject name="T1562,office" condition="end with">\DisableInternetFilesInPV</TargetObject> | |
<TargetObject name="T1562,office" condition="end with">\DisableUnsafeLocationsInPV</TargetObject> | |
<TargetObject name="T1562,office" condition="end with">\DisableAttachementsInPV</TargetObject> | |
<TargetObject name="technique_id=T1021.001,technique_name=Remote Desktop Protocol" condition="is">HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxInstanceCount</TargetObject> | |
<TargetObject name="technique_id=T1021.001,technique_name=Remote Desktop Protocol" condition="is">HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RaunSolicit</TargetObject> | |
<TargetObject name="technique_id=T1112,technique_name=Modify Registry" condition="begin with">HKLM\SYSTEM\CurrentControlSet\services\TermService\Parameters\ServiceDll</TargetObject> | |
<TargetObject name="technique_id=T1112,technique_name=Modify Registry" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fSingleSessionPerUser</TargetObject> | |
<TargetObject name="technique_id=T1112,technique_name=Modify Registry" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections</TargetObject> | |
<TargetObject name="technique_id=T1112,technique_name=Modify Registry" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Shadow</TargetObject> | |
<TargetObject name="technique_id=T1053,technique_name=Scheduled Task" condition="contains all">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks;Actions</TargetObject> | |
<TargetObject name="technique_id=T1053,technique_name=Scheduled Task" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject> | |
<TargetObject name="technique_id=T1053,technique_name=Scheduled Task" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\</TargetObject> | |
<TargetObject name="technique_id=T1547.005,technique_name=Security Support Provider" condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe</TargetObject> | |
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services</TargetObject> | |
<TargetObject name="technique_id=T1553.003,technique_name=SIP and Trust Provider Hijacking" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject> | |
<TargetObject name="technique_id=T1553.003,technique_name=SIP and Trust Provider Hijacking" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject> | |
<TargetObject name="technique_id=T1553.003,technique_name=SIP and Trust Provider Hijacking" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject> | |
<TargetObject name="technique_id=T1553.003,technique_name=SIP and Trust Provider Hijacking" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject> | |
<TargetObject name="technique_id=T1553.003,technique_name=SIP and Trust Provider Hijacking" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Offload\ExpoOffload</TargetObject> | |
<TargetObject name="technique_id=T1569.002,technique_name=Service Execution" condition="end with">\PsExec\EulaAccepted</TargetObject> | |
<TargetObject name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="end with">\PsFile\EulaAccepted</TargetObject> | |
<TargetObject name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="end with">\PsGetSID\EulaAccepted</TargetObject> | |
<TargetObject name="technique_id=T1057,technique_name=Process Discovery" condition="end with">\PsInfo\EulaAccepted</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="end with">\PsKill\EulaAccepted</TargetObject> | |
<TargetObject name="technique_id=T1057,technique_name=Process Discovery" condition="end with">\PsList\EulaAccepted</TargetObject> | |
<TargetObject name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="end with">\PsLoggedOn\EulaAccepted</TargetObject> | |
<TargetObject name="technique_id=T1569.002,technique_name=Service Execution" condition="end with">\PsLogList\EulaAccepted</TargetObject> | |
<TargetObject name="technique_id=T1098,technique_name=Account Manipulation" condition="end with">\PsPasswd\EulaAccepted</TargetObject> | |
<TargetObject name="technique_id=T1569.002,technique_name=Service Execution" condition="end with">\PsService\EulaAccepted</TargetObject> | |
<TargetObject name="undefined" condition="end with">\PsShutDown\EulaAccepted</TargetObject> | |
<TargetObject name="undefined" condition="end with">\PsSuspend\EulaAccepted</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="contains">SYSTEM\CurrentControlSet\services\SysmonDrv</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="contains">SYSTEM\CurrentControlSet\services\Sysmon</TargetObject> | |
<TargetObject name="technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject> | |
<TargetObject name="technique_id=T1547.003,technique_name=Time Providers" condition="contains">HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders</TargetObject> | |
<TargetObject name="technique_id=T1218,technique_name=Signed Binary Proxy Execution" condition="begin with">HKLM\Software\Microsoft\WAB\DLLPath</TargetObject> | |
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Control.exe</TargetObject> | |
<TargetObject name="technique_id=T1546.009,technique_name=AppCert DLLs" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls</TargetObject> | |
<TargetObject name="technique_id=T1546.015,technique_name=Component Object Model Hijacking" condition="contains">software\classes\clsid\{083863f1-70de-11d0-bd40-00a0c911ce86}\instance</TargetObject> | |
<TargetObject name="technique_id=T1546.015,technique_name=Component Object Model Hijacking" condition="contains">software\classes\clsid\{7ed96837-96f0-4812-b211-f13c24117ed3}\instance</TargetObject> | |
<Rule groupRelation="and"> | |
<TargetObject name="technique_id=T1125,technique_name=Video Capture" condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam</TargetObject> | |
<Image condition="excludes any">Google\Chrome\Application\chrome.exe;Zoom\bin\Zoom.exe;slack\slack.exe;Mozilla Firefox\firefox.exe</Image> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetObject name="technique_id=T1123,technique_name=Audio Capture" condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone</TargetObject> | |
<Image condition="excludes any">Google\Chrome\Application\chrome.exe;Zoom\bin\Zoom.exe;slack\slack.exe;Mozilla Firefox\firefox.exe</Image> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetObject name="technique_id=T1123,technique_name=Audio Capture" condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetooth</TargetObject> | |
<Image condition="excludes any">Google\Chrome\Application\chrome.exe;Zoom\bin\Zoom.exe;slack\slack.exe;Mozilla Firefox\firefox.exe</Image> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetObject name="technique_id=T1005,technique_name=Data from Local System" condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\usb</TargetObject> | |
<Image condition="excludes any">Google\Chrome\Application\chrome.exe;Zoom\bin\Zoom.exe;slack\slack.exe;Mozilla Firefox\firefox.exe</Image> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetObject name="technique_id=T1005,technique_name=Data from Local System" condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location</TargetObject> | |
<Image condition="excludes any">Google\Chrome\Application\chrome.exe;Zoom\bin\Zoom.exe;slack\slack.exe;Mozilla Firefox\firefox.exe</Image> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetObject name="technique_id=T1005,technique_name=Data from Local System" condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts</TargetObject> | |
<Image condition="excludes any">Google\Chrome\Application\chrome.exe;Zoom\bin\Zoom.exe;slack\slack.exe;Mozilla Firefox\firefox.exe</Image> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetObject name="technique_id=T1056.001,technique_name=Input Capture - Keylogging" condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\humanInterfaceDevice</TargetObject> | |
<Image condition="excludes any">Google\Chrome\Application\chrome.exe;Zoom\bin\Zoom.exe;slack\slack.exe;Mozilla Firefox\firefox.exe</Image> | |
</Rule> | |
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> | |
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Plap Providers</TargetObject> | |
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa</TargetObject> | |
<TargetObject name="technique_id=T1003,technique_name=Credential Dumping" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\</TargetObject> | |
<TargetObject name="technique_id=T1003,technique_name=Credential Dumping" condition="contains">\Control\SecurityProviders\WDigest</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="contains all">HKLM\software\microsoft\microsoft antimalware\exclusions\</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="begin with">HKLM\software\microsoft\Windows Advanced Threat Protection\TelLib</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="begin with">HKLM\software\policies\microsoft\windows advanced threat protection\</TargetObject> | |
<Rule groupRelation="and"> | |
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Sense</TargetObject> | |
<Details condition="contains">DWORD (0x00000004)</Details> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinDefend</TargetObject> | |
<Details condition="contains">DWORD (0x00000004)</Details> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\MsMpSvc</TargetObject> | |
<Details condition="contains">DWORD (0x00000004)</Details> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\NisSrv</TargetObject> | |
<Details condition="contains">DWORD (0x00000004)</Details> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WdBoot</TargetObject> | |
<Details condition="contains">DWORD (0x00000004)</Details> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv</TargetObject> | |
<Details condition="contains">DWORD (0x00000004)</Details> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc</TargetObject> | |
<Details condition="contains">DWORD (0x00000004)</Details> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\wscsvc</TargetObject> | |
<Details condition="contains">DWORD (0x00000004)</Details> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService</TargetObject> | |
<Details condition="contains">DWORD (0x00000004)</Details> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\wuauserv</TargetObject> | |
<Details condition="contains">DWORD (0x00000004)</Details> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc</TargetObject> | |
<Details condition="contains">DWORD (0x00000004)</Details> | |
</Rule> | |
<TargetObject condition="begin with">hklm\software\microsoft\windows script\settings\amsienable</TargetObject> | |
<TargetObject condition="contains">\software\microsoft\windows script\settings\amsienable</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject> | |
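<!-- Firewall policy paths carry the profile name (Domain/Standard/Public, cf. the StandardProfile entry above)
     between the two fragments, so they are matched as ";"-separated parts with "contains all", the same form
     used elsewhere in this file for split paths. With "begin with" the ";" is taken literally and nothing matches. -->
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="contains all">HKLM\software\policies\microsoft\windowsfirewall\;\authorizedapplications</TargetObject>
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="contains all">HKLM\software\policies\microsoft\windowsfirewall\;\authorizedapplications\list</TargetObject>
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="contains all">HKLM\software\policies\microsoft\windowsfirewall\;\globallyopenports</TargetObject>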
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject> | |
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT</TargetObject> | |
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot</TargetObject> | |
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon</TargetObject> | |
<TargetObject condition="end with">\FriendlyName</TargetObject> | |
<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> | |
<Rule groupRelation="and"> | |
<TargetObject name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</TargetObject> | |
<Image condition="is not">C:\Windows\System32\svchost.exe</Image> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetObject name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</TargetObject> | |
<Image condition="is not">C:\Windows\System32\svchost.exe</Image> | |
</Rule> | |
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order</TargetObject> | |
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> | |
<TargetObject name="technique_id=T1547.010,technique_name=Boot or Logon Autostart Execution - Port Monitors" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports</TargetObject> | |
<TargetObject name="technique_id=T1547.010,technique_name=Boot or Logon Autostart Execution - Port Monitors" condition="contains">\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="contains all">software\microsoft\powershell\;\shellids\microsoft.powershell\executionpolicy</TargetObject> | |
<TargetObject name="technique_id=T1553.004,technique_name=Install Root Certificate" condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates</TargetObject> | |
<TargetObject name="technique_id=T1553.004,technique_name=Install Root Certificate" condition="contains">\Microsoft\SystemCertificates\Root\Certificates</TargetObject> | |
<TargetObject name="technique_id=T1553.004,technique_name=Install Root Certificate" condition="contains">\Microsoft\SystemCertificates\CA\Certificates</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject> | |
<TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject> | |
<TargetObject condition="contains">\Classes\AllFilesystemObjects</TargetObject> | |
<TargetObject condition="contains">\Classes\Directory</TargetObject> | |
<TargetObject condition="contains">\Classes\Drive</TargetObject> | |
<TargetObject condition="contains">\Classes\Folder</TargetObject> | |
<TargetObject condition="contains">\ShellEx\ContextMenuHandlers</TargetObject> | |
<TargetObject condition="contains">\CurrentVersion\Shell</TargetObject> | |
<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> | |
<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObject</TargetObject> | |
<TargetObject name="technique_id=T1210,technique_name=Exploitation of Remote Services" condition="contains all">HKLM\SOFTWARE\Microsoft\Windows;\CurrentVersion\Print\Connections</TargetObject> | |
<TargetObject name="technique_id=T1210,technique_name=Exploitation of Remote Services" condition="contains all">HKLM\System;\control\print\monitors</TargetObject> | |
<TargetObject name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="contains">\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command</TargetObject> | |
<TargetObject condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}</TargetObject> | |
<TargetObject name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject> | |
<TargetObject name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject> | |
<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUsername</TargetObject> | |
<TargetObject name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject> | |
<TargetObject name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject> | |
<TargetObject name="UACMe Dir Prep" condition="contains all">HKU;Environment</TargetObject> | |
<TargetObject name="UACMe Dir Prep" condition="contains all">HKLM;Environment</TargetObject> | |
<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup</TargetObject> | |
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending\</TargetObject> | |
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\PostRebootReporting\</TargetObject> | |
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired\</TargetObject> | |
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock</TargetObject> | |
<TargetObject condition="end with">\ProxyServer</TargetObject> | |
<TargetObject name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="contains">SYSTEM\CurrentControlSet\Control\CrashControl</TargetObject> | |
<TargetObject name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="contains all">HKLM\SYSTEM\;Control\WMI\autologger\senseauditlogger</TargetObject> | |
<TargetObject name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="contains all">HKLM\SYSTEM\;Control\WMI\autologger\senseeventlog</TargetObject> | |
<TargetObject name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="contains all">HKLM\SYSTEM\;Control\WMI\EtwMaxLoggers</TargetObject> | |
<TargetObject name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="contains all">HKLM\SYSTEM\;Control\WMI\Security</TargetObject> | |
</RegistryEvent> | |
</RuleGroup> | |
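<!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed - Excludes -->
<!-- groupRelation="or" with onmatch="exclude": a registry event matching ANY single entry below is dropped,
     even when it also matched an entry in the include group. Every broad entry here is therefore a blind spot
     for the include rules; the wide ones are marked individually. -->
<RuleGroup groupRelation="or">
<RegistryEvent onmatch="exclude">
<Image condition="is">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\aciseposture.exe</Image>
<Image condition="is">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe</Image>
<Image condition="is">C:\Program Files\Cylance\Optics\CyOptics.exe</Image>
<Image condition="is">C:\Program Files\Cylance\Desktop\CylanceSvc.exe</Image>
<!-- "image" matches on the file name only, so any svchost.exe from any directory is covered here. -->
<Rule groupRelation="and">
<Image condition="image">svchost.exe</Image>
<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters</TargetObject>
</Rule>
<Rule groupRelation="and">
<Image condition="image">svchost.exe</Image>
<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces</TargetObject>
</Rule>
<TargetObject condition="end with">Toolbar\WebBrowser</TargetObject>
<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Height</TargetObject>
<TargetObject condition="end with">Toolbar\ShellBrowser\ITBar7Layout</TargetObject>
<TargetObject condition="end with">Internet Explorer\Toolbar\Locked</TargetObject>
<TargetObject condition="end with">ShellBrowser</TargetObject>
<Image condition="is">C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe</Image>
<Image condition="is">C:\Program Files\RES Software\Workspace Manager\pfwsmgr.exe</Image>
<!-- Trailing space is intentional: matches the versioned "Kaspersky Internet Security <year>" directory names. -->
<Image condition="begin with">C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security </Image>
<Image condition="begin with">C:\Program Files\Kaspersky Lab\Kaspersky Internet Security </Image>
<Image condition="is">C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpeHost.exe</Image>
<Image condition="is">C:\Program Files\McAfee\Endpoint Security\Adaptive Threat Protection\mfeatp.exe</Image>
<Image condition="is">C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\mfeesp.exe</Image>
<Image condition="is">C:\Program Files\Common Files\McAfee\Engine\AMCoreUpdater\amupdate.exe</Image>
<Image condition="is">C:\Program Files\McAfee\Agent\masvc.exe</Image>
<Image condition="is">C:\Program Files\McAfee\Agent\x86\mfemactl.exe</Image>
<Image condition="is">C:\Program Files\McAfee\Agent\x86\McScript_InUse.exe</Image>
<Image condition="is">C:\Program Files\McAfee\Agent\x86\macompatsvc.exe</Image>
<Image condition="is">C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe</Image>
<Image condition="begin with">C:\Program Files\Common Files\McAfee\Engine\scanners</Image>
<Image condition="is">C:\Program Files\Common Files\McAfee\AVSolution\mcshield.exe</Image>
<Image condition="is">C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe</Image>
<Image condition="is">C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe</Image>
<Image condition="is">C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe</Image>
<Rule groupRelation="and">
<Image condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe</Image>
<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\HealthService\Parameters\Management Groups</TargetObject>
</Rule>
<TargetObject condition="contains">\{CAFEEFAC-</TargetObject>
<!-- BLIND SPOT: drops every key-creation event (EventID 12, CreateKey) for every image and every path.
     The include group above only sees value writes, renames and deletions; a key created under one of the
     watched paths without a value being set is not logged at all. -->
<EventType condition="is">CreateKey</EventType>
<TargetObject condition="begin with">HKLM\COMPONENTS</TargetObject>
<Image condition="is">C:\Program Files\ownCloud\owncloud.exe</Image>
<Image condition="is">C:\Program Files (x86)\ownCloud\owncloud.exe</Image>
<!-- svchost.exe writes to the task cache are dropped; scheduled-task persistence is expected to be
     caught elsewhere (file/EventLog sources), not by this registry rule set. -->
<Rule groupRelation="and">
<Image condition="image">svchost.exe</Image>
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks</TargetObject>
</Rule>
<Image condition="begin with">C:\Program Files\SentinelOne\Sentinel Agent</Image>
<!-- BLIND SPOT: suppresses all registry events attributed to the System process (kernel-mode callers). -->
<Image condition="is">System</Image>
<!-- This vmtoolsd rule is subsumed by the unconditional "is ...\Tcpip\Parameters" entry further down;
     it is kept so the narrower exclusion survives if that broad entry is ever removed. -->
<Rule groupRelation="and">
<Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
<TargetObject condition="is">HKLM\System\CurrentControlSet\Services\Tcpip\Parameters</TargetObject>
</Rule>
<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image>
<!-- "end with" on a full HKLM\... path behaves like "is": only that exact key is excluded, not its subkeys/values. -->
<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit</TargetObject>
<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy</TargetObject>
<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System</TargetObject>
<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache</TargetObject>
<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains</TargetObject>
<TargetObject condition="end with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit</TargetObject>
<TargetObject condition="contains">\OpenWithProgids</TargetObject>
<TargetObject condition="end with">\OpenWithList</TargetObject>
<TargetObject condition="end with">\UserChoice</TargetObject>
<TargetObject condition="end with">\UserChoice\ProgId</TargetObject>
<TargetObject condition="end with">\UserChoice\Hash</TargetObject>
<TargetObject condition="end with">\OpenWithList\MRUList</TargetObject>
<TargetObject condition="end with">} 0xFFFF</TargetObject>
<Image condition="end with">Office\root\integration\integrator.exe</Image>
<Image condition="is">C:\WINDOWS\system32\backgroundTaskHost.exe</Image>
<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</Image>
<Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image>
<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
<Image condition="is">C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe</Image>
<!-- Parent-key-only exclusions: writes to values directly under these keys are not covered, since the
     TargetObject for a value write ends with the value name rather than the key name. -->
<TargetObject condition="end with">\CurrentVersion\App Paths</TargetObject>
<TargetObject condition="end with">\CurrentVersion\Image File Execution Options</TargetObject>
<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Cached</TargetObject>
<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Approved</TargetObject>
<TargetObject condition="end with">}\PreviousPolicyAreas</TargetObject>
<!-- Caution: this "contains" entry also silences the senseauditlogger/senseeventlog/EtwMaxLoggers/Security
     autologger paths that the include group lists under T1047 - those includes are effectively dead. -->
<TargetObject condition="contains">\Control\WMI\Autologger\</TargetObject>
<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start</TargetObject>
<TargetObject condition="end with">\Lsa\OfflineJoin\CurrentValue</TargetObject>
<TargetObject condition="end with">\Components\TrustedInstaller\Events</TargetObject>
<TargetObject condition="end with">\Components\TrustedInstaller</TargetObject>
<TargetObject condition="end with">\Components\Wlansvc</TargetObject>
<TargetObject condition="end with">\Components\Wlansvc\Events</TargetObject>
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\</TargetObject>
<TargetObject condition="end with">\Directory\shellex</TargetObject>
<TargetObject condition="end with">\Directory\shellex\DragDropHandlers</TargetObject>
<TargetObject condition="end with">\Drive\shellex</TargetObject>
<TargetObject condition="end with">\Drive\shellex\DragDropHandlers</TargetObject>
<TargetObject condition="contains">_Classes\AppX</TargetObject>
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject>
<TargetObject condition="contains all">SOFTWARE;\Microsoft\EnterpriseCertificates\Disallowed</TargetObject>
<TargetObject condition="contains all">SOFTWARE;\Microsoft\SystemCertificates\Disallowed</TargetObject>
<TargetObject condition="contains">Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing</TargetObject>
<!-- Exact-key match only; certificate entries written below this policy key are still logged by the
     T1553.004 includes. -->
<TargetObject condition="is">HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates</TargetObject>
<!-- (duplicate SearchUI.exe entry removed; it is already listed above) -->
<!-- presumably the Windows Setup staging directory used during feature upgrades - verify before relying on it -->
<Image condition="begin with">C:\$WINDOWS.~BT\</Image>
<TargetObject condition="is">HKLM\System\CurrentControlSet\Services\Tcpip\Parameters</TargetObject>
<!-- lsass.exe is silenced for the whole Services subtree ("contains", not "begin with"). -->
<Rule groupRelation="and">
<Image condition="is">C:\Windows\system32\lsass.exe</Image>
<TargetObject condition="contains">HKLM\System\CurrentControlSet\Services</TargetObject>
</Rule>
<Rule groupRelation="and">
<TargetObject condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization</TargetObject>
<Image condition="is">C:\Windows\System32\svchost.exe</Image>
</Rule>
<TargetObject condition="is">HKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTime</TargetObject>
<TargetObject condition="is">HKLM\System\CurrentControlSet\Services\SmsRouter\State\Registration\Ids</TargetObject>
<!-- Service start-type changes for these specific services are dropped regardless of the writing image;
     note UsoSvc\Start is also in the include group under the DWORD(0x4) "disabled" rule, so this wins. -->
<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_32\Start</TargetObject>
<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_64\Start</TargetObject>
<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_32\Start</TargetObject>
<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_64\Start</TargetObject>
<TargetObject condition="end with">\services\DeviceAssociationService\Start</TargetObject>
<TargetObject condition="end with">\services\BITS\Start</TargetObject>
<TargetObject condition="end with">\services\TrustedInstaller\Start</TargetObject>
<TargetObject condition="end with">\services\tunnel\Start</TargetObject>
<TargetObject condition="end with">\services\UsoSvc\Start</TargetObject>
</RegistryEvent>
</RuleGroup>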
<!-- Event ID 15 == FileStream Created - Includes -->
<!-- onmatch="include" with groupRelation="or": a stream-creation event matching any entry below is logged.
     The bare "contains" entries (Downloads, AppData, Temp, ProgramData, Users) are substring matches, so they
     also hit any path merely containing those words (e.g. "Templates" contains "Temp") and make most of the
     extension-based entries redundant for files under user profiles. -->
<RuleGroup groupRelation="or">
<FileCreateStreamHash onmatch="include">
<!-- Subsumed by the broader "contains Temp" entry below; kept for readability of intent. -->
<TargetFilename condition="contains">Temp\7z</TargetFilename>
<TargetFilename condition="end with">.bat</TargetFilename>
<TargetFilename condition="end with">.cmd</TargetFilename>
<TargetFilename condition="end with">Temp\debug.bin</TargetFilename>
<TargetFilename condition="end with">.dll</TargetFilename>
<TargetFilename condition="end with">.exe</TargetFilename>
<TargetFilename condition="end with">.hta</TargetFilename>
<!-- Zone.Identifier alternate data stream whose Contents carry a "blob:" or "about:internet" origin
     (presumably browser-written mark-of-the-web on downloaded files - confirm against your browsers). -->
<Rule name="technique_id=T1189,technique_name=Drive-by Compromise" groupRelation="and">
<TargetFilename condition="end with">:Zone.Identifier</TargetFilename>
<Contents condition="contains any">blob:;about:internet</Contents>
</Rule>
<TargetFilename condition="end with">.lnk</TargetFilename>
<TargetFilename condition="contains">Content.Outlook</TargetFilename>
<TargetFilename name="technique_id=T1059.001,technique_name=PowerShell" condition="end with">.ps1</TargetFilename>
<TargetFilename name="technique_id=T1059.001,technique_name=PowerShell" condition="end with">.ps2</TargetFilename>
<TargetFilename condition="end with">.reg</TargetFilename>
<!-- Broad location matches: anything under these directory names, regardless of extension. -->
<TargetFilename condition="contains">Downloads</TargetFilename>
<TargetFilename condition="contains">AppData</TargetFilename>
<TargetFilename condition="contains">Temp</TargetFilename>
<TargetFilename condition="contains">ProgramData</TargetFilename>
<TargetFilename condition="contains">Users</TargetFilename>
<TargetFilename condition="end with">.vb</TargetFilename>
<TargetFilename condition="end with">.vbe</TargetFilename>
<TargetFilename condition="end with">.vbs</TargetFilename>
</FileCreateStreamHash>
</RuleGroup>
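<!-- Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected - Includes -->
<!-- onmatch="include" with groupRelation="or": an event matching any entry below is logged. -->
<RuleGroup groupRelation="or">
<PipeEvent onmatch="include">
<!-- Every pipe creation (EventID 17) is logged: "begin with \" matches any pipe name. The named entries
     below therefore mainly add RuleName tags and extend coverage to pipe connections (EventID 18). -->
<Rule groupRelation="and">
<PipeName condition="begin with">\</PipeName>
<EventType>CreatePipe</EventType>
</Rule>
<PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\atsvc</PipeName>
<Rule groupRelation="and">
<PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\msse-</PipeName>
<PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="end with">-server</PipeName>
</Rule>
<PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\msagent_</PipeName>
<PipeName name="technique_id=T1055; Possible Cobalt Strike post-exploitation jobs." condition="begin with">\postex_</PipeName>
<PipeName name="technique_id=T1021.004,technique_name=Remote Services: SSH" condition="begin with">\postex_ssh_</PipeName>
<PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\status_</PipeName>
<PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\gruntsvc</PipeName>
<PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\svcctl</PipeName>
<PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\msf-pipe</PipeName>
<!-- PSHost pipes opened by something other than the regular PowerShell hosts. Both image checks must sit in
     ONE "and" rule: as two separate rules OR'd together, "not powershell.exe" / "not powershell_ise.exe" is
     true for every image and the pair matched unconditionally. "is not" is also a full-path comparison, so a
     bare file name never equalled the Image field; "not end with" compares the tail of the path instead
     (requires a Sysmon build that supports that condition; schema 4.90 does).
     pwsh.exe (PowerShell 7) is deliberately not listed and will be logged. -->
<Rule groupRelation="and">
<PipeName name="technique_id=T1059.001,technique_name=PowerShell" condition="begin with">\PSHost</PipeName>
<Image condition="not end with">\powershell.exe</Image>
<Image condition="not end with">\powershell_ise.exe</Image>
</Rule>
<PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\PSEXESVC</PipeName>
<PipeName name="technique_id=T1049,technique_name=System Network Connections Discovery" condition="begin with">\srvsvc</PipeName>
<!-- Single-field rule; the Rule wrapper is equivalent to a bare PipeName entry. -->
<Rule groupRelation="and">
<PipeName condition="begin with">\TSVCPIPE</PipeName>
</Rule>
<PipeName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="begin with">\winreg</PipeName>
</PipeEvent>
</RuleGroup>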
<!-- Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected - Excludes --> | |
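<RuleGroup groupRelation="or">
  <!-- Event ID 17/18 exclude filter. In Sysmon an exclude match always wins over an include match, so every entry
       here is a blind spot by design. Entries that constrain only the Image (no PipeName) silence every pipe event of
       that process, and entries that constrain only the PipeName silence it for every process; review those against
       the software actually deployed in your environment before shipping this profile. -->
  <PipeEvent onmatch="exclude">
    <!-- Adobe -->
    <Rule groupRelation="and">
      <Image condition="contains all">C:\Program Files;\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image>
      <PipeName condition="begin with">\32B6B37A-4A7D-4e00-95F2-</PipeName>
      <PipeName condition="end with">thsnYaVieBoda</PipeName>
    </Rule>
    <!-- NOTE(review): 'begin with' is not documented to split its value on ';' (only the 'any'/'all' conditions
         are), so the upstream single entry "\com.adobe.reader.rna.;\mojo" would be compared literally and never
         match. One rule per prefix is equivalent under either reading of the condition. -->
    <Rule groupRelation="and">
      <Image condition="contains all">C:\Program Files;\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image>
      <PipeName condition="begin with">\com.adobe.reader.rna.</PipeName>
    </Rule>
    <Rule groupRelation="and">
      <Image condition="contains all">C:\Program Files;\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image>
      <PipeName condition="begin with">\mojo</PipeName>
    </Rule>
    <Rule groupRelation="and">
      <Image condition="contains all">C:\Program Files;\Common Files\Adobe\AdobeGCClient\AGMService.exe</Image>
      <PipeName condition="begin with">\gc_pipe_</PipeName>
    </Rule>
    <Rule groupRelation="and">
      <Image condition="contains all">C:\Program Files;\Common Files\Adobe\Creative Cloud Libraries\libs\node.exe</Image>
      <PipeName condition="begin with">\uv\</PipeName>
    </Rule>
    <!-- Microsoft Monitoring Agent. The upstream value was wrapped in literal double quotes; Sysmon's Image field
         carries the bare path, so an 'is' comparison against a quoted string could never match. -->
    <Image condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe</Image>
    <!-- Call Manager (Electron). The upstream Image value had a stray leading space before "C:\Users\" and the three
         pipe prefixes were packed into one 'begin with' value (see the RdrCEF note above); split into one rule each. -->
    <Rule groupRelation="and">
      <Image condition="contains all">C:\Users\;\AppData\Local\Programs\Call Manager\Call Manager.exe</Image>
      <PipeName condition="begin with">\crashpad_</PipeName>
    </Rule>
    <Rule groupRelation="and">
      <Image condition="contains all">C:\Users\;\AppData\Local\Programs\Call Manager\Call Manager.exe</Image>
      <PipeName condition="begin with">\mojo.</PipeName>
    </Rule>
    <Rule groupRelation="and">
      <Image condition="contains all">C:\Users\;\AppData\Local\Programs\Call Manager\Call Manager.exe</Image>
      <PipeName condition="begin with">\uv\</PipeName>
    </Rule>
    <!-- Citrix (Image-only excludes: all pipe activity of these processes is dropped) -->
    <Image condition="contains all">C:\Program Files;\Citrix\ICA Client\SelfServicePlugin\SelfService.exe</Image>
    <Image condition="contains all">C:\Program Files;\Citrix\ICA Client\Receiver\Receiver.exe</Image>
    <Image condition="contains all">C:\Program Files;\Citrix\ICA Client\wfcrun32.exe</Image>
    <Image condition="contains all">C:\Program Files;\Citrix\ICA Client\concentr.exe</Image>
    <Image condition="contains all">C:\Users\;\AppData\Local\Citrix\ICA Client\receiver\Receiver.exe</Image>
    <Image condition="contains all">C:\Users\;\AppData\Local\Citrix\ICA Client\SelfServicePlugin\SelfService.exe</Image>
    <!-- FireEye agent -->
    <Image condition="contains all">C:\Program Files;\FireEye\xagt\xagt.exe</Image>
    <!-- Google -->
    <Rule groupRelation="and">
      <Image condition="contains all">C:\Program Files;\Google\Update\Install\;setup.exe</Image>
      <PipeName condition="begin with">\crashpad_</PipeName>
    </Rule>
    <Rule groupRelation="and">
      <Image condition="contains all">C:\Program Files;\Google\Chrome\Application\chrome.exe</Image>
      <PipeName condition="begin with">\mojo.</PipeName>
    </Rule>
    <Rule groupRelation="and">
      <Image condition="contains all">C:\Program Files;\Google\Chrome\Application\;\Installer\chrmstp.exe</Image>
      <PipeName condition="begin with">\crashpad_</PipeName>
    </Rule>
    <!-- PipeName-only exclude: applies to whichever process opens a pipe with this prefix -->
    <PipeName condition="begin with">\Vivisimo Velocity</PipeName>
    <!-- Microsoft Edge -->
    <Rule groupRelation="and">
      <Image condition="contains all">C:\Program Files;\Microsoft\Edge\Application\msedge.exe</Image>
      <PipeName condition="begin with">\LOCAL\mojo.</PipeName>
    </Rule>
    <Rule groupRelation="and">
      <Image condition="contains all">C:\Program Files;\Microsoft\Edge\Application\msedge.exe</Image>
      <PipeName condition="begin with">\LOCAL\chrome.sync.</PipeName>
    </Rule>
    <Rule groupRelation="and">
      <Image condition="contains all">C:\Program Files;\Microsoft\Edge\Application\msedge.exe</Image>
      <PipeName condition="begin with">\LOCAL\crashpad_</PipeName>
    </Rule>
    <!-- Outlook -->
    <Rule groupRelation="and">
      <Image condition="contains all">C:\Program Files;\Microsoft Office\root\Office16\OUTLOOK.EXE</Image>
      <PipeName condition="is">\MsFteWds</PipeName>
    </Rule>
    <!-- Teams (Electron) -->
    <Rule groupRelation="and">
      <Image condition="contains all">C:\Users\;\AppData\Local\Microsoft\Teams\current\Teams.exe</Image>
      <PipeName condition="begin with">\mojo.</PipeName>
    </Rule>
    <Rule groupRelation="and">
      <Image condition="contains all">C:\Users\;\AppData\Local\Microsoft\Teams\current\Teams.exe</Image>
      <PipeName condition="begin with">\chrome.sync.</PipeName>
    </Rule>
    <!-- Firefox -->
    <Rule groupRelation="and">
      <Image condition="contains all">C:\Program Files;\Mozilla Firefox\firefox.exe</Image>
      <PipeName condition="begin with">\cubeb-pipe-</PipeName>
    </Rule>
    <Rule groupRelation="and">
      <Image condition="contains all">C:\Program Files;\Mozilla Firefox\firefox.exe</Image>
      <PipeName condition="begin with">\chrome.</PipeName>
    </Rule>
    <Rule groupRelation="and">
      <Image condition="contains all">C:\Program Files;\Mozilla Firefox\firefox.exe</Image>
      <PipeName condition="begin with">\gecko-crash-server-pipe.</PipeName>
    </Rule>
    <!-- SQL Server local pipes (PipeName-only) -->
    <PipeName condition="is">\SQLLocal\MSSQLSERVER</PipeName>
    <PipeName condition="is">\SQLLocal\INSTANCE01</PipeName>
    <PipeName condition="is">\SQLLocal\SQLEXPRESS</PipeName>
    <PipeName condition="is">\SQLLocal\COMMVAULT</PipeName>
    <PipeName condition="is">\SQLLocal\RTCLOCAL</PipeName>
    <PipeName condition="is">\SQLLocal\RTC</PipeName>
    <PipeName condition="is">\SQLLocal\TMSM</PipeName>
    <!-- The two entries below used 'is' with a path that lacks the drive letter; Image holds the full path, so they
         could never match. Switched to 'end with', consistent with the PostgreSQL / Splunk / Trend Micro entries. -->
    <Image condition="end with">Program Files (x86)\Microsoft SQL Server\110\DTS\binn\dtexec.exe</Image>
    <!-- PostgreSQL -->
    <Image condition="end with">PostgreSQL\9.6\bin\postgres.exe</Image>
    <PipeName condition="contains">\pgsignal_</PipeName>
    <!-- Qlik Sense (see the dtexec note above) -->
    <Image condition="end with">Program Files\Qlik\Sense\Engine\Engine.exe</Image>
    <!-- Qualys agent -->
    <Image condition="contains all">C:\Program Files;\Qualys\QualysAgent\QualysAgent.exe</Image>
    <!-- Splunk Universal Forwarder -->
    <Image condition="end with">Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Image>
    <Image condition="end with">Program Files\SplunkUniversalForwarder\bin\splunk.exe</Image>
    <Image condition="end with">Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Image>
    <!-- Trend Micro OfficeScan -->
    <Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\CMAgent\OfcCMAgent.exe</Image>
    <Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe</Image>
    <Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Web\Service\DbServer.exe</Image>
    <Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\verconn.exe</Image>
    <Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WEB_OSCE\WEB\CGI\cgiOnClose.exe</Image>
    <Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WEB_OSCE\WEB\CGI\cgiRqHotFix.exe</Image>
    <Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\LWCS\LWCSService.exe</Image>
    <Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WSS\iCRCService.exe</Image>
    <Image condition="end with">Program Files\Trend\SPROTECT\x64\tsc.exe</Image>
    <Image condition="end with">Program Files\Trend\SPROTECT\x64\tsc64.exe</Image>
    <Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\osceintegrationservice.exe</Image>
    <Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\OfcLogReceiverSvc.exe</Image>
    <PipeName condition="is">\Trend Micro OSCE Command Handler Manager</PipeName>
    <PipeName condition="is">\Trend Micro OSCE Command Handler2 Manager</PipeName>
    <PipeName condition="is">\Trend Micro Endpoint Encryption ToolBox Command Handler Manager</PipeName>
    <PipeName condition="is">\OfcServerNamePipe</PipeName>
    <!-- Core Windows RPC endpoints, excluded by exact name to control volume. Because exclude wins, the include-side
         rules that tag \srvsvc (T1049) and \winreg (T1033) never fire for the exact names, and connections to \lsass,
         \wkssvc and \spoolss are not logged at all. The include side treats these pipes as discovery / lateral-movement
         indicators, so this is a deliberate noise-versus-coverage trade-off; remove the entries you can afford. -->
    <PipeName condition="is">\ntapvsrq</PipeName>
    <PipeName condition="is">\srvsvc</PipeName>
    <PipeName condition="is">\wkssvc</PipeName>
    <PipeName condition="is">\lsass</PipeName>
    <PipeName condition="is">\winreg</PipeName>
    <PipeName condition="is">\spoolss</PipeName>
    <!-- Unnamed pipes -->
    <PipeName condition="contains">Anonymous Pipe</PipeName>
    <!-- IIS worker process: every pipe event from w3wp.exe is dropped, including anything executing inside a
         compromised worker process. Consider narrowing this to the specific pipe names IIS needs. -->
    <Image condition="is">c:\windows\system32\inetsrv\w3wp.exe</Image>
  </PipeEvent>
</RuleGroup>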
<!-- Event ID 19,20,21 == WmiEvent. Log all WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter activity - Includes -->
<RuleGroup groupRelation="or">
  <!-- Event ID 19/20/21 include filter: log every WMI filter/consumer/binding whose Operation is "Created".
       Modification and deletion operations are not included and therefore not logged. -->
  <WmiEvent onmatch="include">
    <Operation name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="is">Created</Operation>
  </WmiEvent>
</RuleGroup>
<!-- Event ID 22 == DNS queries and their results - Excludes -->
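<RuleGroup groupRelation="or">
  <!-- Event ID 22 exclude filter: log all DNS queries except the noise listed here (advertising/analytics, CDNs,
       Microsoft/Google service endpoints, certificate status services and a few chatty agents).
       Matching notes:
         * 'end with' entries must start with a '.'; a suffix without the leading dot also matches any unrelated
           name that merely ends in the same characters.
         * Suffix excludes on shared hosting zones (e.g. .trafficmanager.net, .akadns.net) suppress lookups for every
           tenant of that service, not only the vendor's own names - review them against your environment.
         * Image-only entries drop every lookup made by that process. -->
  <DnsQuery onmatch="exclude">
    <!-- Advertising, tracking and analytics -->
    <QueryName condition="end with">.1rx.io</QueryName>
    <QueryName condition="end with">.2mdn.net</QueryName>
    <QueryName condition="end with">.adadvisor.net</QueryName>
    <QueryName condition="end with">.adap.tv</QueryName>
    <QueryName condition="end with">.addthis.com</QueryName>
    <QueryName condition="end with">.adform.net</QueryName>
    <QueryName condition="end with">.adnxs.com</QueryName>
    <QueryName condition="end with">.adroll.com</QueryName>
    <QueryName condition="end with">.adrta.com</QueryName>
    <QueryName condition="end with">.adsafeprotected.com</QueryName>
    <QueryName condition="end with">.adsrvr.org</QueryName>
    <QueryName condition="end with">.advertising.com</QueryName>
    <!-- upstream listed .amazon-adsystem.com twice; duplicate removed -->
    <QueryName condition="end with">.amazon-adsystem.com</QueryName>
    <QueryName condition="end with">.analytics.yahoo.com</QueryName>
    <QueryName condition="end with">.aol.com</QueryName>
    <QueryName condition="end with">.betrad.com</QueryName>
    <QueryName condition="end with">.bidswitch.net</QueryName>
    <QueryName condition="end with">.casalemedia.com</QueryName>
    <QueryName condition="end with">.chartbeat.net</QueryName>
    <QueryName condition="end with">.cnn.com</QueryName>
    <QueryName condition="end with">.convertro.com</QueryName>
    <QueryName condition="end with">.criteo.com</QueryName>
    <QueryName condition="end with">.criteo.net</QueryName>
    <QueryName condition="end with">.crwdcntrl.net</QueryName>
    <QueryName condition="end with">.demdex.net</QueryName>
    <QueryName condition="end with">.domdex.com</QueryName>
    <QueryName condition="end with">.dotomi.com</QueryName>
    <QueryName condition="end with">.doubleclick.net</QueryName>
    <QueryName condition="end with">.doubleverify.com</QueryName>
    <QueryName condition="end with">.emxdgt.com</QueryName>
    <QueryName condition="end with">.exelator.com</QueryName>
    <QueryName condition="end with">.google-analytics.com</QueryName>
    <QueryName condition="end with">.googleadservices.com</QueryName>
    <QueryName condition="end with">.googlesyndication.com</QueryName>
    <QueryName condition="end with">.googletagmanager.com</QueryName>
    <QueryName condition="end with">.googlevideo.com</QueryName>
    <QueryName condition="end with">.gstatic.com</QueryName>
    <QueryName condition="end with">.gvt1.com</QueryName>
    <QueryName condition="end with">.gvt2.com</QueryName>
    <QueryName condition="end with">.ib-ibi.com</QueryName>
    <QueryName condition="end with">.jivox.com</QueryName>
    <QueryName condition="end with">.mathtag.com</QueryName>
    <QueryName condition="end with">.moatads.com</QueryName>
    <QueryName condition="end with">.moatpixel.com</QueryName>
    <QueryName condition="end with">.mookie1.com</QueryName>
    <QueryName condition="end with">.myvisualiq.net</QueryName>
    <QueryName condition="end with">.netmng.com</QueryName>
    <QueryName condition="end with">.nexac.com</QueryName>
    <QueryName condition="end with">.openx.net</QueryName>
    <QueryName condition="end with">.optimizely.com</QueryName>
    <QueryName condition="end with">.outbrain.com</QueryName>
    <QueryName condition="end with">.pardot.com</QueryName>
    <QueryName condition="end with">.phx.gbl</QueryName>
    <QueryName condition="end with">.pinterest.com</QueryName>
    <QueryName condition="end with">.pubmatic.com</QueryName>
    <QueryName condition="end with">.quantcount.com</QueryName>
    <QueryName condition="end with">.quantserve.com</QueryName>
    <QueryName condition="end with">.revsci.net</QueryName>
    <QueryName condition="end with">.rfihub.net</QueryName>
    <QueryName condition="end with">.rlcdn.com</QueryName>
    <QueryName condition="end with">.rubiconproject.com</QueryName>
    <QueryName condition="end with">.scdn.co</QueryName>
    <QueryName condition="end with">.scorecardresearch.com</QueryName>
    <QueryName condition="end with">.serving-sys.com</QueryName>
    <QueryName condition="end with">.sharethrough.com</QueryName>
    <QueryName condition="end with">.simpli.fi</QueryName>
    <QueryName condition="end with">.sitescout.com</QueryName>
    <QueryName condition="end with">.smartadserver.com</QueryName>
    <QueryName condition="end with">.snapads.com</QueryName>
    <QueryName condition="end with">.spotxchange.com</QueryName>
    <QueryName condition="end with">.taboola.com</QueryName>
    <QueryName condition="end with">.taboola.map.fastly.net</QueryName>
    <QueryName condition="end with">.tapad.com</QueryName>
    <QueryName condition="end with">.tidaltv.com</QueryName>
    <!-- Shared Azure Traffic Manager zone: profile names under it are chosen by each tenant -->
    <QueryName condition="end with">.trafficmanager.net</QueryName>
    <QueryName condition="end with">.tremorhub.com</QueryName>
    <QueryName condition="end with">.tribalfusion.com</QueryName>
    <QueryName condition="end with">.turn.com</QueryName>
    <QueryName condition="end with">.twimg.com</QueryName>
    <QueryName condition="end with">.tynt.com</QueryName>
    <QueryName condition="end with">.w55c.net</QueryName>
    <QueryName condition="end with">.ytimg.com</QueryName>
    <QueryName condition="end with">.zorosrv.com</QueryName>
    <QueryName condition="is">1rx.io</QueryName>
    <!-- Google service endpoints -->
    <QueryName condition="is">adservice.google.com</QueryName>
    <QueryName condition="is">ampcid.google.com</QueryName>
    <QueryName condition="is">clientservices.googleapis.com</QueryName>
    <QueryName condition="is">googleadapis.l.google.com</QueryName>
    <QueryName condition="is">imasdk.googleapis.com</QueryName>
    <QueryName condition="is">l.google.com</QueryName>
    <QueryName condition="is">ml314.com</QueryName>
    <QueryName condition="is">mtalk.google.com</QueryName>
    <QueryName condition="is">update.googleapis.com</QueryName>
    <QueryName condition="is">www.googletagservices.com</QueryName>
    <!-- Mozilla -->
    <QueryName condition="end with">.mozaws.net</QueryName>
    <QueryName condition="end with">.mozilla.com</QueryName>
    <QueryName condition="end with">.mozilla.net</QueryName>
    <QueryName condition="end with">.mozilla.org</QueryName>
    <QueryName condition="is">clients1.google.com</QueryName>
    <QueryName condition="is">clients2.google.com</QueryName>
    <QueryName condition="is">clients3.google.com</QueryName>
    <QueryName condition="is">clients4.google.com</QueryName>
    <QueryName condition="is">clients5.google.com</QueryName>
    <QueryName condition="is">clients6.google.com</QueryName>
    <QueryName condition="is">safebrowsing.googleapis.com</QueryName>
    <!-- CDNs and content delivery -->
    <QueryName condition="end with">.akadns.net</QueryName>
    <QueryName condition="end with">.netflix.com</QueryName>
    <QueryName condition="end with">.aspnetcdn.com</QueryName>
    <QueryName condition="is">ajax.googleapis.com</QueryName>
    <!-- upstream listed cdnjs.cloudflare.com twice; duplicate removed -->
    <QueryName condition="is">cdnjs.cloudflare.com</QueryName>
    <QueryName condition="is">fonts.googleapis.com</QueryName>
    <QueryName condition="end with">.typekit.net</QueryName>
    <QueryName condition="end with">.stackassets.com</QueryName>
    <QueryName condition="end with">.steamcontent.com</QueryName>
    <!-- Reverse (PTR) lookups, with and without the trailing root dot -->
    <QueryName condition="end with">.arpa.</QueryName>
    <QueryName condition="end with">.arpa</QueryName>
    <!-- Windows connectivity probes and local names -->
    <QueryName condition="end with">.msftncsi.com</QueryName>
    <QueryName condition="end with">.localmachine</QueryName>
    <QueryName condition="is">localhost</QueryName>
    <!-- Logitech updater, constrained to its own vendor zone -->
    <Rule groupRelation="and">
      <Image condition="is">C:\ProgramData\LogiShrd\LogiOptions\Software\Current\updater.exe</Image>
      <QueryName condition="end with">.logitech.com</QueryName>
    </Rule>
    <!-- Image-only exclude: every lookup by the Defender for Endpoint sensor is dropped -->
    <Image condition="is">C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe</Image>
    <!-- Microsoft services -->
    <QueryName condition="end with">-pushp.svc.ms</QueryName>
    <QueryName condition="end with">.b-msedge.net</QueryName>
    <QueryName condition="end with">.bing.com</QueryName>
    <QueryName condition="end with">.hotmail.com</QueryName>
    <QueryName condition="end with">.live.com</QueryName>
    <QueryName condition="end with">.live.net</QueryName>
    <QueryName condition="end with">.s-microsoft.com</QueryName>
    <QueryName condition="end with">.microsoft.com</QueryName>
    <QueryName condition="end with">.microsoftonline.com</QueryName>
    <QueryName condition="end with">.microsoftstore.com</QueryName>
    <QueryName condition="end with">.ms-acdc.office.com</QueryName>
    <QueryName condition="end with">.msedge.net</QueryName>
    <QueryName condition="end with">.msn.com</QueryName>
    <QueryName condition="end with">.msocdn.com</QueryName>
    <QueryName condition="end with">.skype.com</QueryName>
    <QueryName condition="end with">.skype.net</QueryName>
    <QueryName condition="end with">.windows.com</QueryName>
    <QueryName condition="end with">.windows.net.nsatc.net</QueryName>
    <QueryName condition="end with">.windowsupdate.com</QueryName>
    <QueryName condition="end with">.xboxlive.com</QueryName>
    <QueryName condition="is">login.windows.net</QueryName>
    <QueryName condition="is">outlook.office.com</QueryName>
    <QueryName condition="is">statics.teams.cdn.office.net</QueryName>
    <QueryName condition="is">acdc-direct.office.com</QueryName>
    <QueryName condition="end with">.fp.measure.office.com</QueryName>
    <!-- The upstream entry was 'end with office365.com' without the leading dot, which also suppressed lookups for
         any unrelated name ending in those characters. Anchored on the dot, with the bare apex kept via 'is'. -->
    <QueryName condition="end with">.office365.com</QueryName>
    <QueryName condition="is">office365.com</QueryName>
    <QueryName condition="end with">.activedirectory.windowsazure.com</QueryName>
    <QueryName condition="end with">.aria.microsoft.com</QueryName>
    <QueryName condition="end with">.msauth.net</QueryName>
    <QueryName condition="end with">.msftauth.net</QueryName>
    <QueryName condition="end with">.opinsights.azure.com</QueryName>
    <QueryName condition="is">management.azure.com</QueryName>
    <QueryName condition="is">outlook.office365.com</QueryName>
    <QueryName condition="is">portal.azure.com</QueryName>
    <QueryName condition="is">substrate.office.com</QueryName>
    <QueryName condition="is">osi.office.net</QueryName>
    <!-- Certificate status (OCSP/CRL) endpoints -->
    <QueryName condition="end with">.digicert.com</QueryName>
    <QueryName condition="end with">.globalsign.com</QueryName>
    <QueryName condition="end with">.globalsign.net</QueryName>
    <QueryName condition="is">msocsp.com</QueryName>
    <QueryName condition="is">ocsp.msocsp.com</QueryName>
    <QueryName condition="is">pki.goog</QueryName>
    <QueryName condition="end with">.pki.goog</QueryName>
    <QueryName condition="is">ocsp.godaddy.com</QueryName>
    <QueryName condition="is">amazontrust.com</QueryName>
    <QueryName condition="end with">.amazontrust.com</QueryName>
    <QueryName condition="is">ocsp.sectigo.com</QueryName>
    <QueryName condition="is">pki-goog.l.google.com</QueryName>
    <QueryName condition="end with">.usertrust.com</QueryName>
    <QueryName condition="is">ocsp.comodoca.com</QueryName>
    <QueryName condition="is">ocsp.verisign.com</QueryName>
    <QueryName condition="is">ocsp.entrust.net</QueryName>
    <QueryName condition="end with">ocsp.identrust.com</QueryName>
    <QueryName condition="is">status.rapidssl.com</QueryName>
    <QueryName condition="is">status.thawte.com</QueryName>
    <QueryName condition="is">ocsp.int-x3.letsencrypt.org</QueryName>
    <QueryName condition="is">subca.ocsp-certum.com</QueryName>
    <QueryName condition="is">cscasha2.ocsp-certum.com</QueryName>
    <QueryName condition="is">crl.verisign.com</QueryName>
    <!-- Image-only exclude: every lookup by the SentinelOne agent is dropped -->
    <Image condition="contains all">C:\Program Files\SentinelOne\Sentinel Agent;\SentinelAgent.exe</Image>
    <!-- Spotify -->
    <QueryName condition="end with">.spotify.com</QueryName>
    <QueryName condition="end with">.spotify.map.fastly.net</QueryName>
    <!-- Image-only exclude: Windows Search app -->
    <Image condition="contains all">C:\Windows\SystemApps\Microsoft.Windows.Search;SearchApp.exe</Image>
  </DnsQuery>
</RuleGroup>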
<!-- Event ID 23 == File Delete and overwrite events which saves a copy to the archivedir - Includes --> | |
<!-- Default set to disabled due to disk space implications, enable with care!--> | |
<RuleGroup groupRelation="or">
  <!-- Event ID 23 (file delete with a copy preserved in the ArchiveDirectory). An include filter with no conditions
       matches nothing, so this event is effectively switched off; add TargetFilename/Image rules here to enable it. -->
  <FileDelete onmatch="include" />
</RuleGroup>
<!-- Event ID 24 == Clipboard change events, only captures text, not files - Includes --> | |
<!-- Default set to disabled due to privacy implications and potential data you leave for attackers, enable with care!--> | |
<RuleGroup groupRelation="or">
  <!-- Event ID 24 (clipboard text captured to the ArchiveDirectory). An include filter with no conditions matches
       nothing, so this event is effectively switched off; the captured text would be stored on disk, so scope any
       rules you add here carefully. -->
  <ClipboardChange onmatch="include" />
</RuleGroup>
<!-- Event ID 25 == Process tampering events - Excludes --> | |
<RuleGroup groupRelation="or">
  <!-- Event ID 25 exclude filter: process-tampering events are logged for every image except those listed here.
       Each entry is a known-benign producer of image-replacement/hollowing-style events (browser and updater
       self-relaunches, Git's exec wrappers, delta patchers). An exclude match always wins over an include match. -->
  <ProcessTampering onmatch="exclude">
    <!-- Firefox and its helper binaries -->
    <Image condition="is">C:\Program Files\Mozilla Firefox\firefox.exe</Image>
    <Image condition="is">C:\Program Files\Mozilla Firefox\updater.exe</Image>
    <Image condition="is">C:\Program Files\Mozilla Firefox\default-browser-agent.exe</Image>
    <Image condition="is">C:\Program Files\Mozilla Firefox\pingsender.exe</Image>
    <!-- Git for Windows ships git.exe at three locations -->
    <Image condition="is">C:\Program Files\Git\cmd\git.exe</Image>
    <Image condition="is">C:\Program Files\Git\mingw64\bin\git.exe</Image>
    <Image condition="is">C:\Program Files\Git\mingw64\libexec\git-core\git.exe</Image>
    <!-- Microsoft Edge and its installer; the versioned sub-directory is skipped via begin with / end with pairs -->
    <Image condition="is">C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</Image>
    <Rule groupRelation="and">
      <Image condition="begin with">C:\Program Files (x86)\Microsoft\Edge\Application\</Image>
      <Image condition="end with">\BHO\ie_to_edge_stub.exe</Image>
    </Rule>
    <Rule groupRelation="and">
      <Image condition="begin with">C:\Program Files (x86)\Microsoft\Edge\Application\</Image>
      <Image condition="end with">\identity_helper.exe</Image>
    </Rule>
    <Rule groupRelation="and">
      <Image condition="begin with">C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\</Image>
      <Image condition="contains">\MicrosoftEdge_X64_</Image>
    </Rule>
    <!-- Symantec Endpoint Protection Manager delta patcher -->
    <Image condition="is">C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\XDelta64\xdelta3.exe</Image>
    <!-- NOTE(review): presumably targets the placeholder Sysmon reports when it cannot resolve the image path.
         This drops tampering events for exactly the processes whose identity is unknown - a notable blind spot,
         since the tampering itself may be why the image is unresolvable. Consider removing it and handling the
         volume downstream. -->
    <Image condition="contains">unknown process</Image>
    <!-- VS Code (Electron) -->
    <Image condition="is">C:\Program Files\Microsoft VS Code\Code.exe</Image>
    <!-- WMI performance adapter -->
    <Image condition="is">C:\Windows\System32\wbem\WMIADAP.exe</Image>
  </ProcessTampering>
</RuleGroup>
<!-- Event ID 26 == File Delete and overwrite events, does NOT save the file - Includes --> | |
<RuleGroup groupRelation="or"> | |
<FileDeleteDetected onmatch="include"> | |
<TargetFilename condition="contains all">C:\Program Files\Microsoft SQL Server;\Shared\ErrorDumps</TargetFilename> | |
<TargetFilename condition="contains all">C:\Program Files\Microsoft SQL Server;\DataDumps</TargetFilename> | |
<TargetFilename condition="contains all">C:\Program Files (X86)\Microsoft SQL Server\;Shared\ErrorDumps</TargetFilename> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="contains all">C:\PS-Transcripts\;PowerShell_transcript</TargetFilename> | |
<TargetFilename condition="contains">.txt</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\Program Files\Qualys\QualysAgent</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="contains">\Downloads\</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="contains">\Appdata\Local\Temp\</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="contains">\Appdata\Local\Microsoft\Windows\INetCache\Content.Outlook\</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\ProgramData\Intel</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\ProgramData\Mozilla</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\ProgramData\chocolatey\logs</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\ProgramData\Microsoft\DeviceSync</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\ProgramData\Microsoft\PlayReady</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\ProgramData\Microsoft\User Account Pictures</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\ProgramData\Microsoft\Office\Heartbeat</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\ProgramData\Microsoft\Windows\WER\ReportQueue</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\ProgramData\Microsoft\Windows\WER\Temp</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\Users\All Users\Intel</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\Users\All Users\Mozilla</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\Users\All Users\chocolatey\logs</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\Users\All Users\Microsoft\DeviceSync</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\Users\All Users\Microsoft\PlayReady</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\Users\All Users\Microsoft\User Account Pictures</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\Users\All Users\Microsoft\Crypto\DSS\MachineKeys</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\Users\All Users\Microsoft\NetFramework\BreadcrumbStore</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\Users\All Users\Microsoft\Office\Heartbeat</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\Users\All Users\Microsoft\Windows\WER\ReportArchive</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\Users\All Users\Microsoft\Windows\WER\ReportQueue</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\Users\All Users\Microsoft\Windows\WER\Temp</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\Windows\Tasks</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\Windows\tracing</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\Windows\Registration\CRMLog</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\Windows\System32\Tasks</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\Windows\System32\spool\drivers\color</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
<Rule groupRelation="and"> | |
<TargetFilename condition="begin with">C:\Windows\SysWOW64\Tasks</TargetFilename> | |
<TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename> | |
</Rule> | |
</FileDeleteDetected> | |
</RuleGroup> | |
<!-- Event ID 27 == File Block Executable and overwrite events - Includes --> | |
<!-- Default set to disabled due to potential unwanted blocks, enable with care!--> | |
<RuleGroup groupRelation="or">
  <!-- Empty include list: with onmatch="include" and no rules, no EID 27 block is performed.
       EID 27 is preventive rather than pure telemetry (Sysmon blocks the executable write), so any
       rule added here changes endpoint behaviour; test on a pilot group before fleet-wide rollout. -->
  <FileBlockExecutable onmatch="include" />
</RuleGroup>
<!-- Event ID 28 == Fileblock Shredding events - Includes --> | |
<!-- Default set to disabled due to disk space implications, enable with care!--> | |
<RuleGroup groupRelation="or">
  <!-- Empty include list: with onmatch="include" and no rules, no EID 28 block is performed.
       Like EID 27 this is a blocking control (it interferes with the shredding write itself),
       so rules added here act on the endpoint and not only on the log. -->
  <FileBlockShredding onmatch="include" />
</RuleGroup>
<!-- Event ID 29 == File Executable Detected events - Excludes --> | |
<RuleGroup groupRelation="or">
  <!-- No exclusions for EID 29: every event selected by the FileExecutableDetected include group
       in this file is emitted. Add <Image>/<TargetFilename> rules here if a known-good installer
       or updater proves too noisy, keeping each exclusion as narrow as possible. -->
  <FileExecutableDetected onmatch="exclude" />
</RuleGroup>
<RuleGroup groupRelation="or">
  <!-- Event ID 8 == CreateRemoteThread events - Includes -->
  <CreateRemoteThread onmatch="include">
    <!-- Catch-all: any source image rooted on C:\ or on a UNC path. A source image on another
         local drive letter (D:\ etc.) is not covered by these two prefixes; NOTE(review): add a
         prefix per additional system volume if such hosts exist, or consider a single broader rule. -->
    <SourceImage name="technique_id=T1055,technique_name=Process Injection" condition="begin with">C:\</SourceImage>
    <SourceImage name="technique_id=T1055,technique_name=Process Injection" condition="begin with">\\</SourceImage>
  </CreateRemoteThread>
</RuleGroup>
<RuleGroup groupRelation="or">
  <!-- Event IDs 19/20/21 == WMI filter / consumer / binding events - Excludes.
       Empty exclude list: all WMI subscription activity is logged, which is the intended
       posture for a persistence technique (T1546.003) that should be rare on managed hosts. -->
  <WmiEvent onmatch="exclude" />
</RuleGroup>
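<RuleGroup groupRelation="or">
  <!-- Event ID 26 == File Delete Detected events - Excludes -->
  <FileDeleteDetected onmatch="exclude">
    <!-- Azure guest agent and Azure Monitor agent housekeeping -->
    <Image condition="contains all">C:\WindowsAzure\GuestAgent;\WindowsAzureGuestAgent.exe</Image>
    <Image condition="contains all">C:\Packages\Plugins\Microsoft.Azure.Monitor.AzureMonitorWindowsAgent\;\AMAExtHealthMonitor.exe</Image>
    <TargetFilename condition="begin with">C:\WindowsAzure\Logs\AggregateStatus\aggregatestatus</TargetFilename>
    <!-- Chrome software reporter and the browser itself.
         NOTE(review): the chrome.exe exclusion is an exact path under Program Files (x86); a 64-bit
         install under C:\Program Files\Google\Chrome\Application\chrome.exe is presumably not matched
         and will still be logged. Keep the exclusion an exact path rather than a bare name so a
         renamed binary elsewhere on disk cannot hide behind it. -->
    <Image condition="contains all">\appdata\local\google\chrome\user data\swreporter\;software_reporter_tool.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
    <!-- Prefetch file churn -->
    <TargetFilename condition="contains all">C:\Windows\Prefetch;.pf</TargetFilename>
    <!-- Blind spot by design: every delete performed as NETWORK SERVICE or LOCAL SERVICE is dropped,
         including deletes by attacker-controlled services running under those accounts.
         Values are separated by ';' with no surrounding whitespace so the match does not depend on
         whether Sysmon trims list entries. -->
    <User condition="contains any">NETWORK SERVICE;LOCAL SERVICE</User>
  </FileDeleteDetected>
</RuleGroup>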
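<RuleGroup groupRelation="or">
  <!-- Event ID 29 == File Executable Detected events - Includes -->
  <!-- Review notes for this group:
       * The Image field of EID 29 is the full path of the process that wrote the file, so a bare
         file name only matches with condition="image" (full path OR image name). Entries that used
         condition="is" with a bare name could never match and were switched to "image"; "image" is
         a superset of "is" for these values, so no existing match is lost.
       * The name attribute is emitted as RuleName. The key is "technique_id=" throughout; the two
         entries that used "technique=" were normalised so downstream parsing stays uniform.
       * Exact duplicate entries (same condition, same value, same name) were removed; Sysmon reports
         the first matching rule, so the duplicates contributed nothing. -->
  <FileExecutableDetected onmatch="include">
    <Image name="technique_id=T1546.008,technique_name=Windows Error Reporting" condition="contains">werfault.exe</Image>
    <Image name="technique_id=T1574.002,technique_name=DLL Side-Loading" condition="image">odbcconf.exe</Image>
    <Image name="technique_id=T1027.004,technique_name=Compile After Delivery" condition="image">csc.exe</Image>
    <Image name="technique_id=T1543.003,technique_name=Windows Service" condition="image">sc.exe</Image>
    <Image name="technique_id=T1489,technique_name=Service Stop" condition="image">taskkill.exe</Image>
    <Image name="technique_id=T1074,technique_name=Data Staged" condition="image">xcopy.exe</Image>
    <Image name="technique_id=T1074,technique_name=Data Staged" condition="image">robocopy.exe</Image>
    <!-- TODO(review): technique id is blank for makecab.exe; the RuleName currently reads
         "technique_id=T,technique_name=". Assign the intended technique or drop the name attribute. -->
    <Image name="technique_id=T,technique_name=" condition="image">makecab.exe</Image>
    <Image name="technique_id=T1105,technique_name=Remote File Copy" condition="image">GfxDownloadWrapper.exe</Image>
    <Image name="technique_id=T1105,technique_name=Remote File Copy" condition="image">expand.exe</Image>
    <Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">curl.exe</Image>
    <Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">ftp.exe</Image>
    <Image name="technique_id=T1564.004,technique_name=NTFS File Attributes" condition="image">extrac32.exe</Image>
    <!-- "sctasks.exe" is presumably a typo for schtasks.exe; harmless as written -->
    <Image name="technique_id=T1053.005,technique_name=Scheduled Task/Job" condition="contains any">schtasks.exe;sctasks.exe</Image>
    <!-- "image" is an exact image-name match; the former "contains any" on at.exe also fired on
         any image whose path merely ends in that substring. Matching is case-insensitive, so a
         second "At.exe" value is not needed. -->
    <Image name="technique_id=T1053.002,technique_name=At" condition="image">at.exe</Image>
    <Image name="technique_id=T1053,technique_name=Scheduled Task/Job" condition="image">taskeng.exe</Image>
    <Image name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="begin with">C:\WINDOWS\system32\wbem\scrcons.exe</Image>
    <Image name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="image">wmiprvse.exe</Image>
    <Image condition="image">wevtutil.exe</Image>
    <Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">pcalua.exe</Image>
    <Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">cscript.exe</Image>
    <Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">wscript.exe</Image>
    <Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">bash.exe</Image>
    <Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">certutil.exe</Image>
    <Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">winrs.exe</Image>
    <Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">control.exe</Image>
    <Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">desktopimgdownldr.exe</Image>
    <Image name="technique_id=T1202,technique_name=Indirect Command Execution" condition="image">wsl.exe</Image>
    <Image name="technique_id=T1218.001,technique_name=Compiled HTML File" condition="image">hh.exe</Image>
    <Image name="technique_id=T1218.004,technique_name=InstallUtil" condition="image">installutil.exe</Image>
    <Image name="technique_id=T1218.005,technique_name=Mshta" condition="image">mshta.exe</Image>
    <Image name="technique_id=T1218.010,technique_name=Regsvr32" condition="image">regsvr32.exe</Image>
    <Image name="technique_id=T1218.011,technique_name=rundll32.exe" condition="contains">rundll32.exe</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">InfDefaultInstall.EXE</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">extexport.exe</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">msconfig.EXE</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">msiexec.exe</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">odbcconf.exe</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">PresentationHost.exe</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">rasdlui.exe</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">RegisterCimProvider2.exe</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">RegisterCimProvider.exe</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">ScriptRunner.exe</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">verclsid.exe</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">wab.exe</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">wsreset.exe</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">Appvlp.exe</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">csi.exe</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">devtoolslauncher.exe</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="contains">Scriptrunner.exe</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">tttracer.exe</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">msdt.exe</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">rasautou.exe</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">Register-cimprovider.exe</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">diskshadow.exe</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">replace.exe</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">jjs.exe</Image>
    <Image name="technique_id=T1218,technique_name=System Binary Proxy Execution" condition="image">appcmd.exe</Image>
    <Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="contains">vbc.exe</Image>
    <Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="image">csc.exe</Image>
    <Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="image">dfsvc.exe</Image>
    <Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="image">mftrace.exe</Image>
    <Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="image">dxcap.exe</Image>
    <Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="image">ilasm.exe</Image>
    <Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="image">jsc.exe</Image>
    <Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="image">vbc.exe</Image>
    <Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="image">Microsoft.Workflow.Compiler.exe</Image>
    <Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="image">vsjitdebugger.exe</Image>
    <Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="image">tracker.exe</Image>
    <Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="image">te.exe</Image>
    <Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="image">rcsi.exe</Image>
    <Image name="technique_id=T1127,technique_name=Trusted Developer Utilities Proxy Execution" condition="image">MSBuild.exe</Image>
    <Image name="technique_id=T1137,technique_name=Office Application Startup" condition="image">excel.exe</Image>
    <Image name="technique_id=T1137,technique_name=Office Application Startup" condition="image">winword.exe</Image>
    <Image name="technique_id=T1137,technique_name=Office Application Startup" condition="image">powerpnt.exe</Image>
    <Image name="technique_id=T1137,technique_name=Office Application Startup" condition="image">outlook.exe</Image>
    <Image name="technique_id=T1137,technique_name=Office Application Startup" condition="image">msaccess.exe</Image>
    <Image name="technique_id=T1137,technique_name=Office Application Startup" condition="image">mspub.exe</Image>
    <!-- NOTE(review): this is an include, so it logs every executable written under the Qualys agent
         directory (e.g. agent self-updates). If suppression was intended it belongs in the
         FileExecutableDetected exclude group instead. -->
    <TargetFilename condition="begin with">C:\Program Files\Qualys\QualysAgent</TargetFilename>
    <Image name="technique_id=T1059.003,technique_name=Windows Command Shell" condition="image">cmd.exe</Image>
    <Image name="technique_id=T1059.001,technique_name=PowerShell" condition="image">powershell.exe</Image>
    <Image name="technique_id=T1059.001,technique_name=PowerShell" condition="image">pwsh.exe</Image>
    <Image name="technique_id=T1059.001,technique_name=PowerShell" condition="image">powershell_ise.exe</Image>
    <Image name="technique_id=T1059.001,technique_name=PowerShell" condition="contains">Sqlps.exe</Image>
    <!-- Common drop locations regardless of the writing process -->
    <TargetFilename condition="contains">\Downloads\</TargetFilename>
    <TargetFilename condition="contains">\Appdata\Local\Temp\</TargetFilename>
    <TargetFilename condition="contains">\Appdata\Local\Microsoft\Windows\INetCache\Content.Outlook\</TargetFilename>
    <Image name="technique_id=T1021.006,technique_name=Windows Remote Management" condition="image">wsmprovhost.exe</Image>
    <Image name="technique_id=T1021.006,technique_name=Windows Remote Management" condition="image">winrshost.exe</Image>
    <!-- NOTE(review): winrm.cmd is a script, so it will not appear as the Image (the host would be
         cscript.exe or cmd.exe); this entry is presumably dead and kept only for parity with the
         upstream module. -->
    <Image name="technique_id=T1021.006,technique_name=Windows Remote Management" condition="image">winrm.cmd</Image>
    <!-- World-writable / rarely-inspected system directories used for staging.
         C:\Users\All Users\ is the legacy junction to C:\ProgramData; both spellings are listed
         because the reported path presumably follows whichever one the writer used. -->
    <TargetFilename condition="begin with">C:\ProgramData\Intel</TargetFilename>
    <TargetFilename condition="begin with">C:\ProgramData\Mozilla</TargetFilename>
    <TargetFilename condition="begin with">C:\ProgramData\chocolatey\</TargetFilename>
    <TargetFilename condition="begin with">C:\ProgramData\Microsoft\DeviceSync</TargetFilename>
    <TargetFilename condition="begin with">C:\ProgramData\Microsoft\PlayReady</TargetFilename>
    <TargetFilename condition="begin with">C:\ProgramData\Microsoft\User Account Pictures</TargetFilename>
    <TargetFilename condition="begin with">C:\ProgramData\Microsoft\Office\Heartbeat</TargetFilename>
    <TargetFilename condition="begin with">C:\ProgramData\Microsoft\Windows\WER</TargetFilename>
    <TargetFilename condition="begin with">C:\Users\All Users\</TargetFilename>
    <TargetFilename condition="begin with">C:\Windows\Tasks</TargetFilename>
    <TargetFilename condition="begin with">C:\Windows\tracing</TargetFilename>
    <TargetFilename condition="begin with">C:\Windows\System32\Tasks</TargetFilename>
    <TargetFilename condition="begin with">C:\Windows\System32\spool\drivers\color</TargetFilename>
    <TargetFilename condition="begin with">C:\Windows\SysWOW64\Tasks</TargetFilename>
  </FileExecutableDetected>
</RuleGroup>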
</EventFiltering> | |
</Sysmon> |