-
-
Save minkione/6ad9def158705d7f8621357e699b9c29 to your computer and use it in GitHub Desktop.
Sysmon Base Configuration - Workstations
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- | |
| This is a Microsoft Sysmon configuration to be used on Windows workstations | |
| v0.2.1 December 2016 | |
| Florian Roth (with the help and ideas of others) | |
| The focus of this configuration is | |
| - malware detection (execution) | |
| - malware detection (network connections) | |
| - exploit detection | |
| It is not focussed on | |
| - hacking activity on workstation (bad admin, attacker) | |
| See Windows server base config: https://gist.github.com/Neo23x0/a4b4af9481e01e749409 | |
| --> | |
| <Sysmon schemaversion="3.20"> | |
| <!-- Capture MD5 Hashes --> | |
| <HashAlgorithms>MD5,SHA1,SHA256</HashAlgorithms> | |
| <EventFiltering> | |
| <!-- Log all drivers except if the signature --> | |
| <!-- contains Microsoft or Windows --> | |
| <DriverLoad onmatch="exclude"> | |
| <Signature condition="contains">microsoft</Signature> | |
| <Signature condition="contains">windows</Signature> | |
| </DriverLoad> | |
| <!-- Exclude certain processes that have the integrity level 'System' --> | |
| <ProcessCreate onmatch="exclude"> | |
| <IntegrityLevel>System</IntegrityLevel> | |
| </ProcessCreate> | |
| <!-- Do log remote thread creation events with certain exceptions --> | |
| <CreateRemoteThread onmatch="exclude"> | |
| <SourceImage condition="contains">WmiPrvSE.exe</SourceImage> | |
| <SourceImage condition="contains">FireSvc.exe</SourceImage> | |
| </CreateRemoteThread> | |
| <!-- Do not log file creation time stamps --> | |
| <FileCreateTime onmatch="include" /> | |
| <!-- Do not log raw disk access (caused event flooding with certain disk encryption drivers) --> | |
| <RawAccessRead onmatch="include" /> | |
| <!-- Do not log process termination --> | |
| <ProcessTerminate onmatch="include" /> | |
| <!-- Do log registry events to certain keys only (Autostart, Services, Debuggers) --> | |
| <RegistryEvent onmatch="include"> | |
| <TargetObject condition="contains">Windows\CurrentVersion\Run</TargetObject> | |
| <TargetObject condition="contains">Windows\CurrentVersion\Image File Execution Options</TargetObject> | |
| <TargetObject condition="contains">CurrentControlSet\Services</TargetObject> | |
| <TargetObject condition="contains">Microsoft\Windows NT\CurrentVersion\Winlogon</TargetObject> | |
| <TargetObject condition="contains">Microsoft\Windows\CurrentVersion\Policies\Explorer</TargetObject> | |
| <TargetObject condition="contains">Microsoft\Windows\CurrentVersion\RunOnce</TargetObject> | |
| <TargetObject condition="contains">System\CurrentControlSet\Services\Tcpip\parameters</TargetObject> | |
| </RegistryEvent> | |
| <!-- Do not log file creation events --> | |
| <FileCreate onmatch="include" /> | |
| <!-- Do not log if file stream is created --> | |
| <FileCreateStreamHash onmatch="include" /> | |
| <!-- Do only log network connections to port 8080 (proxy) of every program that is not a browser --> | |
| <NetworkConnect onmatch="exclude"> | |
| <Image condition="contains">chrome.exe</Image> | |
| <Image condition="contains">iexplore.exe</Image> <!-- yes, malware that injects into IE will be missed --> | |
| <Image condition="contains">firefox.exe</Image> | |
| <DestinationPort condition="is not">8080</DestinationPort> | |
| <!-- Direct access to Internet (without proxy server) --> | |
| <!-- | |
| <DestinationPort condition="is not">80</DestinationPort> | |
| --> | |
| </NetworkConnect> | |
| </EventFiltering> | |
| </Sysmon> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment