<!--
Sysmon configuration for exercising SysmonSimulator: almost every filterable event type is scoped to the simulator binary, so each generated event can be checked against the expected Sysmon event ID.
This is a lab/test configuration, not a production baseline; the per-image scoping below would miss activity from any other process.
How to read the rules:
  onmatch="include" with rules: only events matching one of the rules are logged.
  onmatch="exclude" with no rules: nothing is excluded, so every event of that type is logged.
  Event types whose header comment shows an empty [] have no filter element in the schema and are not configurable here.
  condition="end with" is a plain string suffix match on the path, so the same binary under any directory matches, while a renamed copy does not.
FILTERING: Filter conditions available for use are: is,is not,contains,contains any,is any,contains all,excludes,excludes any,excludes all,begin with,not begin with,end with,not end with,less than,more than,image
COMPOUND RULE GROUP EXAMPLE:
<Rule groupRelation="and" name="">
<ID condition="contains">SomeValue</ID>
<Description condition="contains">SomeValue</Description>
</Rule>
-->
<Sysmon schemaversion="4.81">
<!--Record every hash algorithm Sysmon supports in the Hashes fields (process images, loaded images, created/deleted files)-->
<HashAlgorithms>*</HashAlgorithms>
<!--Do not reverse-resolve IP addresses in network events-->
<DnsLookup>False</DnsLookup>
<!--Signature verification does not consult certificate revocation lists-->
<CheckRevocation>False</CheckRevocation>
<!--NOTE(review): no <ArchiveDirectory> element is set, so FileDelete (event 23) archives deleted files to the Sysmon default location; confirm that is acceptable for the lab host-->
<EventFiltering>
<!--SYSMON EVENT ID 255 : Error report []-->
<!--DATA: UtcTime, ID, Description-->
<!--SYSMON EVENT ID 1 : Process Create [ProcessCreate]-->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, FileVersion, Description, Product, Company, OriginalFileName, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine, ParentUser-->
<!--NOTE(review): every RuleGroup and Rule below has name="", so the RuleName field of each event is blank; giving each rule a short name (e.g. name="sim-procreate") makes matching events to simulator test cases easier-->
<!--Logged when either the simulator itself starts (Image) or the simulator spawns a child (ParentImage)-->
<RuleGroup name="" groupRelation="or">
<ProcessCreate onmatch="include">
<Rule groupRelation="or" name="">
<Image condition="end with">SysmonSimulator.exe</Image>
<ParentImage condition="end with">SysmonSimulator.exe</ParentImage>
</Rule>
</ProcessCreate>
</RuleGroup>
<!--SYSMON EVENT ID 2 : File creation time changed [FileCreateTime]-->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime, User-->
<!--Timestomping attempts by the simulator only-->
<RuleGroup name="" groupRelation="or">
<FileCreateTime onmatch="include">
<Rule groupRelation="or" name="">
<Image condition="end with">SysmonSimulator.exe</Image>
</Rule>
</FileCreateTime>
</RuleGroup>
<!--SYSMON EVENT ID 3 : Network connection detected [NetworkConnect]-->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpv6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName-->
<!--Network connections initiated by or to the simulator only-->
<RuleGroup name="" groupRelation="or">
<NetworkConnect onmatch="include">
<Rule groupRelation="or" name="">
<Image condition="end with">SysmonSimulator.exe</Image>
</Rule>
</NetworkConnect>
</RuleGroup>
<!--SYSMON EVENT ID 4 : Sysmon service state changed []-->
<!--DATA: UtcTime, State, Version, SchemaVersion-->
<!--SYSMON EVENT ID 5 : Process terminated [ProcessTerminate]-->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, User-->
<RuleGroup name="" groupRelation="or">
<ProcessTerminate onmatch="include">
<Rule groupRelation="or" name="">
<Image condition="end with">SysmonSimulator.exe</Image>
</Rule>
</ProcessTerminate>
</RuleGroup>
<!--SYSMON EVENT ID 6 : Driver loaded [DriverLoad]-->
<!--DATA: RuleName, UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
<!--Empty exclude list: every driver load on the host is logged. The event carries no process image field (see DATA above), so it cannot be scoped to the simulator-->
<RuleGroup name="" groupRelation="or">
<DriverLoad onmatch="exclude">
</DriverLoad>
</RuleGroup>
<!--SYSMON EVENT ID 7 : Image loaded [ImageLoad]-->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, FileVersion, Description, Product, Company, OriginalFileName, Hashes, Signed, Signature, SignatureStatus, User-->
<!--groupRelation="and": both conditions must hold, so only crypt32.dll loads into the simulator process are logged; other module loads are dropped-->
<RuleGroup name="" groupRelation="or">
<ImageLoad onmatch="include">
<Rule groupRelation="and" name="">
<Image condition="end with">SysmonSimulator.exe</Image>
<ImageLoaded condition="end with">crypt32.dll</ImageLoaded>
</Rule>
</ImageLoad>
</RuleGroup>
<!--SYSMON EVENT ID 8 : CreateRemoteThread detected [CreateRemoteThread]-->
<!--DATA: RuleName, UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction, SourceUser, TargetUser-->
<!--Scoped on SourceImage: remote threads created BY the simulator, regardless of target process-->
<RuleGroup name="" groupRelation="or">
<CreateRemoteThread onmatch="include">
<Rule groupRelation="or" name="">
<SourceImage condition="end with">SysmonSimulator.exe</SourceImage>
</Rule>
</CreateRemoteThread>
</RuleGroup>
<!--SYSMON EVENT ID 9 : RawAccessRead detected [RawAccessRead]-->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, Device, User-->
<RuleGroup name="" groupRelation="or">
<RawAccessRead onmatch="include">
<Rule groupRelation="or" name="">
<Image condition="end with">SysmonSimulator.exe</Image>
</Rule>
</RawAccessRead>
</RuleGroup>
<!--SYSMON EVENT ID 10 : Process accessed [ProcessAccess]-->
<!--DATA: RuleName, UtcTime, SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace, SourceUser, TargetUser-->
<!--Scoped on SourceImage: handles opened BY the simulator, regardless of target process or access mask-->
<RuleGroup name="" groupRelation="or">
<ProcessAccess onmatch="include">
<Rule groupRelation="or" name="">
<SourceImage condition="end with">SysmonSimulator.exe</SourceImage>
</Rule>
</ProcessAccess>
</RuleGroup>
<!--SYSMON EVENT ID 11 : File created [FileCreate]-->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, User-->
<RuleGroup name="" groupRelation="or">
<FileCreate onmatch="include">
<Rule groupRelation="or" name="">
<Image condition="end with">SysmonSimulator.exe</Image>
</Rule>
</FileCreate>
</RuleGroup>
<!--SYSMON EVENT ID 12 : Registry object added or deleted [RegistryEvent]-->
<!--DATA: RuleName, EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, User-->
<!--SYSMON EVENT ID 13 : Registry value set [RegistryEvent]-->
<!--DATA: RuleName, EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, Details, User-->
<!--SYSMON EVENT ID 14 : Registry object renamed [RegistryEvent]-->
<!--DATA: RuleName, EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, NewName, User-->
<!--One RegistryEvent filter covers event IDs 12, 13 and 14-->
<RuleGroup name="" groupRelation="or">
<RegistryEvent onmatch="include">
<Rule groupRelation="or" name="">
<Image condition="end with">SysmonSimulator.exe</Image>
</Rule>
</RegistryEvent>
</RuleGroup>
<!--SYSMON EVENT ID 15 : File stream created [FileCreateStreamHash]-->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, Hash, Contents, User-->
<!--Alternate data streams written by the simulator only-->
<RuleGroup name="" groupRelation="or">
<FileCreateStreamHash onmatch="include">
<Rule groupRelation="or" name="">
<Image condition="end with">SysmonSimulator.exe</Image>
</Rule>
</FileCreateStreamHash>
</RuleGroup>
<!--SYSMON EVENT ID 16 : Sysmon config state changed []-->
<!--DATA: UtcTime, Configuration, ConfigurationFileHash-->
<!--SYSMON EVENT ID 17 : Pipe Created [PipeEvent]-->
<!--DATA: RuleName, EventType, UtcTime, ProcessGuid, ProcessId, PipeName, Image, User-->
<!--SYSMON EVENT ID 18 : Pipe Connected [PipeEvent]-->
<!--DATA: RuleName, EventType, UtcTime, ProcessGuid, ProcessId, PipeName, Image, User-->
<!--One PipeEvent filter covers event IDs 17 and 18-->
<RuleGroup name="" groupRelation="or">
<PipeEvent onmatch="include">
<Rule groupRelation="or" name="">
<Image condition="end with">SysmonSimulator.exe</Image>
</Rule>
</PipeEvent>
</RuleGroup>
<!--SYSMON EVENT ID 19 : WmiEventFilter activity detected [WmiEvent]-->
<!--DATA: RuleName, EventType, UtcTime, Operation, User, EventNamespace, Name, Query-->
<!--SYSMON EVENT ID 20 : WmiEventConsumer activity detected [WmiEvent]-->
<!--DATA: RuleName, EventType, UtcTime, Operation, User, Name, Type, Destination-->
<!--SYSMON EVENT ID 21 : WmiEventConsumerToFilter activity detected [WmiEvent]-->
<!--DATA: RuleName, EventType, UtcTime, Operation, User, Consumer, Filter-->
<!--Empty exclude list: every WMI filter, consumer and binding event (IDs 19, 20, 21) on the host is logged. These events carry no process image field (see DATA above), so they cannot be scoped to the simulator-->
<RuleGroup name="" groupRelation="or">
<WmiEvent onmatch="exclude">
</WmiEvent>
</RuleGroup>
<!--SYSMON EVENT ID 22 : Dns query [DnsQuery]-->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, QueryName, QueryStatus, QueryResults, Image, User-->
<RuleGroup name="" groupRelation="or">
<DnsQuery onmatch="include">
<Rule groupRelation="or" name="">
<Image condition="end with">SysmonSimulator.exe</Image>
</Rule>
</DnsQuery>
</RuleGroup>
<!--SYSMON EVENT ID 23 : File Delete archived [FileDelete]-->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes, IsExecutable, Archived-->
<!--Deletions by the simulator are archived (copy of the deleted file kept) as well as logged-->
<RuleGroup name="" groupRelation="or">
<FileDelete onmatch="include">
<Rule groupRelation="or" name="">
<Image condition="end with">SysmonSimulator.exe</Image>
</Rule>
</FileDelete>
</RuleGroup>
<!--SYSMON EVENT ID 24 : Clipboard changed [ClipboardChange]-->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, Session, ClientInfo, Hashes, Archived, User-->
<RuleGroup name="" groupRelation="or">
<ClipboardChange onmatch="include">
<Rule groupRelation="or" name="">
<Image condition="end with">SysmonSimulator.exe</Image>
</Rule>
</ClipboardChange>
</RuleGroup>
<!--SYSMON EVENT ID 25 : Process Tampering [ProcessTampering]-->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, Type, User-->
<!--Image hollowing / herpaderping style tampering reported for the simulator process only-->
<RuleGroup name="" groupRelation="or">
<ProcessTampering onmatch="include">
<Rule groupRelation="or" name="">
<Image condition="end with">SysmonSimulator.exe</Image>
</Rule>
</ProcessTampering>
</RuleGroup>
<!--SYSMON EVENT ID 26 : File Delete logged [FileDeleteDetected]-->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes, IsExecutable-->
<!--Same scope as FileDelete above but log-only (no archive copy), so a simulator deletion produces both event 23 and event 26-->
<RuleGroup name="" groupRelation="or">
<FileDeleteDetected onmatch="include">
<Rule groupRelation="or" name="">
<Image condition="end with">SysmonSimulator.exe</Image>
</Rule>
</FileDeleteDetected>
</RuleGroup>
</EventFiltering>
</Sysmon>