Permalink
Cannot retrieve contributors at this time
Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.
Sign up
Fetching contributors…
Cannot retrieve contributors at this time
| <Sysmon schemaversion="3.20"> | |
| <HashAlgorithms>md5,imphash</HashAlgorithms> | |
| <EventFiltering> | |
| <FileCreate onmatch="include"> | |
| <TargetFilename condition="contains">\Startup\</TargetFilename> | |
| </FileCreate> | |
| <RegistryEvent onmatch="include"> | |
| <TargetObject condition="contains">\CurrentVersion\Run</TargetObject> | |
| <TargetObject condition="end with">\ImagePath</TargetObject> | |
| <TargetObject condition="end with">\ServiceDll</TargetObject> | |
| </RegistryEvent> | |
| <DriverLoad onmatch="exclude"> | |
| <Signature condition="contains">microsoft</Signature> | |
| <Signature condition="contains">windows</Signature> | |
| </DriverLoad> | |
| <ProcessCreate onmatch="exclude"> | |
| <Image condition="contains">System32\backgroundTaskHost.exe</Image> | |
| <Image condition="contains">McAfee</Image> | |
| <Image condition="contains">Symantec</Image> | |
| <Image condition="contains">TrendMicro</Image> | |
| <Image condition="contains">Tanium</Image> | |
| <CurrentDirectory condition="contains">Tanium</CurrentDirectory> | |
| <Image condition="contains">Cortana</Image> | |
| <Image condition="contains">Cisco</Image> | |
| <Image condition="contains">Splunk</Image> | |
| <Image condition="contains">NVIDIA Corporation</Image> | |
| <Image condition="end with">System32\BackgroundTransferHost.exe</Image> | |
| <Image condition="end with">Microsoft.ActiveDirectory.WebServices.exe</Image> | |
| <Image condition="end with">System32\dllhost.exe</Image> | |
| <Image condition="end with">System32\smartscreen.exe</Image> | |
| <Image condition="end with">System32\SearchFilterHost.exe</Image> | |
| <Image condition="end with">System32\audiodg.exe</Image> | |
| <Image condition="end with">System32\conhost.exe</Image> | |
| <Image condition="end with">System32\SearchProtocolHost.exe</Image> | |
| <Image condition="end with">SysWOW64\msiexec.exe</Image> | |
| <Image condition="end with">system32\msiexec.exe</Image> | |
| <Image condition="end with">Drive\googledrivesync.exe</Image> | |
| <Image condition="contains">\slack\</Image> | |
| <Image condition="end with">microsoft shared\ClickToRun\OfficeClickToRun.exe</Image> | |
| <Image condition="end with">System32\consent.exe</Image> | |
| <Image condition="end with">System32\LogonUI.exe</Image> | |
| <Image condition="end with">System32\taskhostw.exe</Image> | |
| <Image condition="end with">System32\LockAppHost.exe</Image> | |
| <Image condition="end with">ink\TabTip.exe</Image> | |
| <Image condition="end with">LockApp.exe</Image> | |
| <Image condition="end with">Chrome\Application\chrome.exe</Image> | |
| <Image condition="end with">Internet Explorer\iexplorer.exe</Image> | |
| <Image condition="end with">Mozilla Firefox\firefox.exe</Image> | |
| <Image condition="end with">System32\wsqmcons.exe</Image> | |
| <Image condition="end with">System32\slui.exe</Image> | |
| <CommandLine condition="contains">chrome.exe" --type=renderer</CommandLine> | |
| <CommandLine condition="contains">Splunk</CommandLine> | |
| <CommandLine condition="contains"> btool server </CommandLine> | |
| <CommandLine condition="contains">wmiprvse.exe -Embedding</CommandLine> | |
| <CommandLine condition="contains">wermgr.exe -queuereporting</CommandLine> | |
| <CommandLine condition="contains">wmiprvse.exe -secured -Embedding</CommandLine> | |
| <User condition="is">NT AUTHORITY\NETWORK SERVICE</User> | |
| <ParentImage condition="contains">Tanium</ParentImage> | |
| </ProcessCreate> | |
| <ProcessTerminate onmatch="include" /> | |
| <FileCreateTime onmatch="include" /> | |
| <NetworkConnect onmatch="exclude"> | |
| <Image condition="end with">Internet Explorer\iexplorer.exe</Image> | |
| <Image condition="end with">Skype\Phone\Skype.exe</Image> | |
| <Image condition="end with">Chrome\Application\chrome.exe</Image> | |
| <Image condition="end with">Mozilla Firefox\firefox.exe</Image> | |
| <Image condition="contains">\slack\</Image> | |
| <Image condition="end with">spotify.exe</Image> | |
| <Image condition="end with">System32\lsass.exe</Image> | |
| <Image condition="end with">OneDrive\OneDrive.exe</Image> | |
| <Image condition="end with">Bonjour\mDNSResponder.exe</Image> | |
| <Image condition="end with">opera.exe</Image> | |
| <Image condition="end with">g2mcomm.exe</Image> | |
| <Image condition="end with">Drive\googledrivesync.exe</Image> | |
| <Image condition="end with">System32\backgroundTaskHost.exe</Image> | |
| <Image condition="end with">System32\BackgroundTransferHost.exe</Image> | |
| <Image condition="end with">OLicenseHeartbeat.exe</Image> | |
| <Image condition="contains">Splunk</Image> | |
| <Image condition="contains">McAfee</Image> | |
| <Image condition="contains">Symantec</Image> | |
| <Image condition="contains">TrendMicro</Image> | |
| <Image condition="contains">Tanium</Image> | |
| <Image condition="contains">Microsoft.Windows.Cortana</Image> | |
| <Image condition="is">System</Image> | |
| <Image condition="end with">OfficeClickToRun.exe</Image> | |
| <DestinationIp condition="begin with">172.</DestinationIp> | |
| <DestinationIp condition="begin with">10.</DestinationIp> | |
| <DestinationIp condition="begin with">192.</DestinationIp> | |
| <DestinationIp condition="is">224.0.0.253</DestinationIp> | |
| <DestinationIp condition="is">94.245.121.251</DestinationIp> | |
| <DestinationIp condition="is">0:0:0:0:0:0:0:1</DestinationIp> | |
| <DestinationIp condition="is">127.0.0.1</DestinationIp> | |
| <User condition="is">NT AUTHORITY\NETWORK SERVICE</User> | |
| <User condition="is">NT AUTHORITY\LOCAL SERVICE</User> | |
| </NetworkConnect> | |
| </EventFiltering> | |
| </Sysmon> |