| <manifest schemaversion="4.90" binaryversion="18"> | |
| <configuration> | |
| <options> | |
| <!-- Command-line only options --> | |
| <option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
| <option switch="z" name="ClipboardInstance" argument="required" noconfig="true" exclusive="true" /> | |
| <option switch="t" name="DebugMode" argument="optional" noconfig="true" /> |
| <Sysmon schemaversion="4.82"> | |
| <EventFiltering> | |
| <RuleGroup name="" groupRelation="or"> | |
| <FileBlockExecutable onmatch="include"> | |
| <Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">excel.exe</Image> | |
| <Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">winword.exe</Image> | |
| <Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">powerpnt.exe</Image> | |
| <Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">outlook.exe</Image> | |
| <Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">msaccess.exe</Image> | |
| <Image name="technique_id=T1105,technique_name=Ingress Tool Transfer" condition="image">mspub.exe</Image> |
| <Sysmon schemaversion="4.82"> | |
| <EventFiltering> | |
| <RuleGroup name="" groupRelation="or"> | |
| <FileBlockExecutable onmatch="include"> | |
| <TargetFilename condition="contains all">C:\Users;Downloads</TargetFilename> | |
| </FileBlockExecutable> | |
| </RuleGroup> | |
| </EventFiltering> | |
| </Sysmon> |
| <manifest schemaversion="4.82" binaryversion="17"> | |
| <configuration> | |
| <options> | |
| <!-- Command-line only options --> | |
| <option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
| <option switch="z" name="ClipboardInstance" argument="required" noconfig="true" exclusive="true" /> | |
| <option switch="t" name="DebugMode" argument="optional" noconfig="true" /> |
| <Sysmon schemaversion="4.70"> | |
| <EventFiltering> | |
| <RuleGroup name="" groupRelation="or"> | |
| <ProcessCreate onmatch="exclude"> | |
| <Rule name="" groupRelation="and"> | |
| <Image condition="is">/usr/bin/groups</Image> | |
| <ParentImage condition="is">/usr/bin/bash</ParentImage> | |
| </Rule> | |
| <Rule name="" groupRelation="and"> | |
| <Image condition="is">/usr/bin/locale-check</Image> |
| let serverlist=DeviceInfo | |
| | where DeviceType != "Workstation" | |
| | distinct DeviceId; | |
| let suspiciousdrivers=DeviceImageLoadEvents | |
| | where DeviceId in (serverlist) | |
| | where FolderPath startswith @"c:\windows\system32\spool\drivers" | |
| | distinct SHA1 | |
| | invoke FileProfile(SHA1, 1000) | |
| | where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid"; | |
| suspiciousdrivers |
| CLSID,ClassName | |
| {0000031A-0000-0000-C000-000000000046},CLSID | |
| {0000002F-0000-0000-C000-000000000046},CLSID CLSID_RecordInfo | |
| {00000100-0000-0010-8000-00AA006D2EA4},CLSID DAO.DBEngine.36 | |
| {00000101-0000-0010-8000-00AA006D2EA4},CLSID DAO.PrivateDBEngine.36 | |
| {00000103-0000-0010-8000-00AA006D2EA4},CLSID DAO.TableDef.36 | |
| {00000104-0000-0010-8000-00AA006D2EA4},CLSID DAO.Field.36 | |
| {00000105-0000-0010-8000-00AA006D2EA4},CLSID DAO.Index.36 | |
| {00000106-0000-0010-8000-00AA006D2EA4},CLSID DAO.Group.36 | |
| {00000107-0000-0010-8000-00AA006D2EA4},CLSID DAO.User.36 |
| <manifest schemaversion="4.60" binaryversion="14.0"> | |
| <configuration> | |
| <options> | |
| <!-- Command-line only options --> | |
| <option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
| <option switch="z" name="ClipboardInstance" argument="required" noconfig="true" exclusive="true" /> | |
| <option switch="t" name="DebugMode" argument="optional" noconfig="true" /> |
| <manifest schemaversion="4.50" binaryversion="13.0"> | |
| <configuration> | |
| <options> | |
| <!-- Command-line only options --> | |
| <option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
| <option switch="z" name="ClipboardInstance" argument="required" noconfig="true" exclusive="true" /> | |
| <option switch="t" name="DebugMode" argument="optional" noconfig="true" /> |
FireEye released a very interesting article regarding a third-party compromise of Solarwinds, the detections that are possible with Sysmon are listed below
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7 ParentImage="C:\\Windows\System32\\svchost.exe" and ImageLoaded="*NetSetupSvc.dll"