<!--
sysmon-config | A sysmon configuration focused on default high-quality event tracing and easy customization by the community
Master version: 50 | Date: 2017-03-02
Master author: @SwiftOnSecurity, with contributors also credited in-line or on Git.
Master project: https://github.com/SwiftOnSecurity/sysmon-config
Master license: Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
Fork version: 300
Fork author: ionstorm
Fork project: https://github.com/ion-storm/sysmon-config
Fork license: Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
REQUIRED: Sysmon version 8.00 or higher; it's recommended you stay updated.
-->
<Sysmon schemaversion="4.10">
<!--SYSMON META CONFIG-->
<HashAlgorithms>md5,sha256</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files. MD5 is not collision-resistant, so treat the sha256 value as the authoritative identifier when pivoting on hashes -->
<CheckRevocation/> <!-- Check loaded drivers, log if their code-signing certificate has been revoked, in case malware stole one to sign a kernel driver -->
<!-- <ImageLoad/> --> <!-- Would manually force-on ImageLoad monitoring, even without configuration below. Included only for documentation. -->
<!-- <ProcessAccessConfig/> --> <!-- Would manually force-on ProcessAccess monitoring, even without configuration below. Included only for documentation. -->
<!-- <PipeMonitoringConfig/> --> <!-- Would manually force-on PipeCreated / PipeConnected events, even without configuration below. Included only for documentation. -->
<EventFiltering>
<!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
<!--COMMENT: All processes launched will be included, except for what matches a rule below. It's best to be as specific as possible, to
avoid user-mode executables evading logging by imitating other process names, or malware dropping files in an existing directory.
Ultimately, you must weigh the CPU time spent checking many detailed rules against the risk of malware exploiting the blindness created.
Beware of Masquerading, where attackers imitate the names and paths of legitimate tools. Ideally, you'd use both file path and
code signatures to validate, but Sysmon does not support that. Look into Windows Device Guard for whitelisting support. -->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessID, Image, FileVersion, Description, Product, Company, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine-->
<ProcessCreate onmatch="include">
<!--Mitre ATT&CK Rules-->
<!--MITRE TACTIC: Defense Evasion-->
<ParentImage name="Alert=Unknown Process Execution" condition="contains">unknown process</ParentImage>
<Image name="Alert=Unknown Process Execution" condition="contains">unknown process</Image>
<Image name="MitreRef=T1117,Technique=Regsvr32-Defense Evasion/Execution" condition="end with">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
<Image name="MitreRef=T1197,Technique=Bitsadmin File Transfers/Defense Evasion" condition="end with">bitsadmin.exe</Image>
<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="end with">eventvwr.exe</ParentImage>
<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="end with">fodhelper.exe</ParentImage>
<Image name="MitreRef=T1118,Technique=InstallUtil,Tactic=Defense Evasion/Execution" condition="end with">InstallUtil.exe</Image>
<CommandLine name="MitreRef=T1118,Technique=InstallUtil,Tactic=Defense Evasion/Execution" condition="contains">/logfile= /LogToConsole=false /U</CommandLine>
<Image name="MitreRef=T1191,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">MSBuild.exe</Image>
<Image name="MitreRef=T1121,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">regsvcs.exe</Image>
<Image name="MitreRef=T1121,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">regasm.exe</Image>
<Image name="MitreRef=T1218,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="end with">SyncAppvPublishingServer.exe</Image>
<Image name="MitreRef=T1218,Technique=Defense Evasion/Execution" condition="end with">\control.exe</Image>
<CommandLine name="MitreRef=T1196,Technique=Control Panel Items,Tactic=Defense Evasion/Execution" condition="contains">control.exe /name</CommandLine>
<CommandLine name="MitreRef=T1196,Technique=Control Panel Items,Tactic=Defense Evasion/Execution" condition="contains">rundll32.exe shell32.dll,Control_RunDLL</CommandLine>
<Image name="MitreRef=T1170,Technique=MSHTA,Tactic=Defense Evasion/Execution" condition="end with">mshta.exe</Image>
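<Image name="MitreRef=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion" condition="end with">wevtutil.exe</Image> <!--Microsoft:Windows: event log utility; the binary is wevtutil.exe (the earlier spelling "wevutil" never matched, so log clearing went unlogged) -->
<CommandLine name="MitreRef=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion" condition="contains">wevtutil cl</CommandLine> <!--Microsoft:Windows: "wevtutil cl <log>" clears an event log -->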
<!--MITRE TACTIC: Discovery-->
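<!-- Account/group enumeration via net, net.exe and net1.exe; one rule per spelling, exact duplicates removed -->
<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net user</CommandLine>
<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net.exe user</CommandLine>
<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net1.exe user</CommandLine>
<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net localgroup</CommandLine>
<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net.exe localgroup</CommandLine>
<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net1 localgroup</CommandLine>
<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net group</CommandLine>
<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net.exe group</CommandLine>
<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="begin with">net1.exe group</CommandLine>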
<Image name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery" condition="end with">dsquery.exe</Image><!-- Query domain-->
<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,MitreURL= https://attack.mitre.org/wiki/Technique/T1049" condition="end with">whoami.exe</Image>
<Image name="MitreRef=T1049,Technique=Discovery,Tactic=Discovery" condition="end with">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="end with">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
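<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="end with">systeminfo.exe</Image> <!--Microsoft:Windows: shows system information; the binary is systeminfo.exe (the earlier value "sysinfo.exe" is not a Windows tool and never matched) -->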
<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery" condition="end with">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="end with">\net.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
<Image name="MitreRef=T1201/T1087,Technique=System Network Connections Discovery/Account Discovery,Tactic=Discovery" condition="end with">\net1.exe</Image> <!--Microsoft:Windows: "net use"/"net view" used by attackers to surveil and connect with file shares from command line | Credit @ion-storm -->
<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery" condition="end with">\route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery" condition="end with">\reg.exe</Image> <!--Microsoft:Windows: reads and modifies the Windows registry -->
<Image name="MitreRef=T1016,Technique=System Network Connections Discovery,Tactic=Discovery" condition="end with">netsh.exe</Image> <!--Microsoft:Windows: manipulate the firewall -->
<!--MITRE TACTIC: Execution-->
<CommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="contains">COMSPEC</CommandLine>
<ParentCommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="contains">COMSPEC</ParentCommandLine>
<Image name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="end with">\cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
<ParentImage name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution" condition="end with">\cmd.exe</ParentImage> <!--Microsoft:Windows: Command prompt-->
<Image name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="end with">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
<Description name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="end with">powershell.exe</Description> <!--Microsoft:Windows: PowerShell interface-->
<ParentImage name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="end with">powershell.exe</ParentImage> <!--Microsoft:Windows: PowerShell interface-->
<CommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="begin with">powershell.exe -Version</CommandLine> <!--Microsoft:Windows: PowerShell interface-->
<CommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution,Note=Powershell Downgrade attack" condition="begin with">powershell -Version</CommandLine> <!--Microsoft:Windows: PowerShell interface-->
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">iex</CommandLine>
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">Invoke-Expression</CommandLine>
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">iwr</CommandLine>
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">Invoke-WebRequest</CommandLine>
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">DownloadFile</CommandLine>
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">DownloadString</CommandLine>
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">Net.WebClient</CommandLine>
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">System.Net.WebRequest</CommandLine>
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">System.Net.SecurityProtocolType</CommandLine>
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=invoke-shellcode" condition="contains">Shellcode</CommandLine>
<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">bash.exe</Image> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
<ParentImage name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">bash.exe</ParentImage> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="end with">psexesvc.exe</ParentImage>
<Description name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="contains">Execute processes remotely</Description>
<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="end with">psexec.exe</ParentImage>
<Description name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="contains">Execute processes remotely</Description>
<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement" condition="end with">pskill.exe</ParentImage>
<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">forfiles.exe</Image>
<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">forfiles.exe</ParentImage>
<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">pcalua.exe</Image>
<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">pcalua.exe</ParentImage>
<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">bash.exe</Image>
<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">bash.exe</ParentImage>
<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="end with">bash.exe</Image>
<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution" condition="end with">wsmprovhost.exe</Image>
<ParentImage name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution" condition="end with">wsmprovhost.exe</ParentImage>
<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution" condition="end with">winrm.cmd</Image>
<!--MITRE TACTIC: Persistence-->
<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation" condition="end with">sethc.exe</ParentImage>
<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">utilman.exe</ParentImage>
<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">osk.exe</ParentImage>
<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">Magnify.exe</ParentImage>
<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">DisplaySwitch.exe</ParentImage>
<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">Narrator.exe</ParentImage>
<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="end with">AtBroker.exe</ParentImage>
<Image name="MitreRef=T1138,Technique=Application Shimming-Persistence/Privilege Escalation" condition="end with">sdbinst.exe</Image>
<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</Image>
<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">schtasks.exe</ParentImage>
<CommandLine name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="contains">schtasks /create</CommandLine>
<CommandLine name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="contains">schtasks.exe /create</CommandLine>
<Image name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">\at.exe</Image>
<ParentImage name="MitreRef=T1053,Technique=Execution/Persistence/Privledge Escalation" condition="end with">\at.exe</ParentImage>
<CommandLine name="MitreRef=ToDo,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement" condition="contains">System.Management.Automation</CommandLine>
<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line" condition="contains">net user /add</CommandLine>
<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Administrator added via Command Line" condition="contains">net localgroup administrators /add</CommandLine>
<!--MITRE TACTIC: Lateral Movement-->
<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement,Alert=Hacking" condition="end with">wmiprvse.exe</ParentImage>
<!--MITRE TECHNIQUE: Obfuscation-->
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">FromBase64String</CommandLine>
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Detect Secure Strings" condition="contains">convertto-securestring</CommandLine>
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Detect some more obfuscation" condition="contains">VerbosePreference.ToString</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">runtime.interopservices.marshal</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">VerbosePreference.ToString</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowstyle h</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowstyl h</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowsty h</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowst h</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windows h</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-window h</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windo h</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-wind h</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win h</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-wi h</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-w h</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-wi h</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hi</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hid</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hidd</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hidde</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hidden</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-Nop</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-Noni</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-ec</CommandLine> <!-- NOTE(review): these two are bare two-letter switch prefixes under "contains"; any longer switch, argument or path containing "-ec" / "-en" also matches, so expect benign hits and tune or pair with an Image rule before alerting on them -->
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-en</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">^c^o^m^S^p^E^c^</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">C^om^S^pEc</CommandLine>
<!--Native Windows tools - Living off the land-->
<Image name="MitreRef=ToDo,Technique=" condition="end with">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
<Image name="MitreRef=CAPEC-293,Technique=Traceroute Route Enumeratio,MitreURL= https://capec.mitre.org/data/definitions/293.html" condition="end with">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
<Image name="MitreRef=ToDo,Technique=" condition="end with">tree.com</Image> <!--Microsoft:Windows: shows recursive directory listing -->
<Image name="MitreRef=T1134,Technique=Access Token Manipulation" condition="end with">runas.exe</Image> <!--Microsoft:Windows: run a process as another user -->
<Image name="MitreRef=ToDo,Technique=" condition="end with">taskkill.exe</Image> <!--Microsoft:Windows: stops processes -->
<Image name="MitreRef=ToDo,Technique=" condition="end with">klist.exe</Image> <!--Microsoft:Windows: show cached kerberos tickets -->
<Image name="MitreRef=ToDo,Technique=" condition="end with">hh.exe</Image> <!--Microsoft:Windows: HTML Helper-->
<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">odbcconf.exe</Image> <!--Microsoft:Windows: allows for driver loads -->
<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land" condition="end with">pcalua.exe</Image> <!--Microsoft:Windows: Program Compatibility Assistant-->
<Image name="MitreRef=T1158,Technique=Hacking/LOLBins-Living off the Land" condition="end with">attrib.exe</Image>
<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">cmdkey.exe</Image> <!--Microsoft:Windows: creates, lists, and deletes stored user names and passwords or credentials.-->
<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">nltest.exe</Image>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">nltest.exe</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">ExtExport</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">bash -c</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">bash.exe -c</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmdkey /list</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmdkey.exe /list</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">certutil.exe -urlcache -split -f</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">certutil -urlcache -split -f</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc -out:</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc.exe -out:</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc -target:library</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc.exe -target:library</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmdkey /list</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmd.exe /k</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmstp.exe /ni /s</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmstp /ni /s</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">esentutl.exe /y \\</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">esentutl /y \\</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">expand \\</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">expand.exe \\</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">extrac32 \\</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">extrac32.exe \\</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">ieexec.exe http</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">ieexec http</CommandLine>
<ParentImage name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">diskshadow</ParentImage>
<!--LoLBin Applocker bypasses-->
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">advpack.dll,LaunchINFSection</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">mshtml,RunHTMLApplication</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">/s /n /u /i:http:</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">mshtml,RunHTMLApplication</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">bginfo.bgi /popup /nolicprompt</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">set </CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">setx </CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">pushd</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">popd</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">subst</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">ren </CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">move </CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">md </CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">del </CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">rd </CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">expand </CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">find.exe</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">assoc </CommandLine>
<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect cls in batch scripts" condition="end with">\cls.exe</Image>
<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect aliases" condition="end with">doskey.exe</Image>
<!-- -->
<!--Mavinject -->
<Image name="MitreRef=T1218,Technique=Mavinject" condition="end with">Mavinject.exe</Image>
<Image name="MitreRef=T1191,Technique=Mavinject" condition="end with">CMSTP.exe</Image>
<!-- -->
<CommandLine name="MitreRef=T1105,Technique=Command and Control/Lateral Movement" condition="contains">certutil.exe -decode</CommandLine>
<CommandLine name="MitreRef=T1105,Technique=Command and Control/Lateral Movement" condition="contains">certutil -decode</CommandLine>
<!-- -->
<!--Detect Spawned Adobe Parent Processes-->
<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Acrobat" condition="end with">acrobat.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Adobe Reader" condition="end with">acrord32.exe</ParentImage>
<!-- -->
<!--Detect Spawned Browser Parent Processes-->
<ParentImage name="MitreRef=ToDo,Technique=Process Spawned Process from Chrome" condition="end with">chrome.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Firefox" condition="end with">firefox.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Internet Explorer" condition="end with">iexplore.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="end with">MicrosoftEdgeCP.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="end with">MicrosoftEdge.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Vivaldi Browser" condition="end with">vivaldi.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Waterfox Browser" condition="end with">waterfox.exe</ParentImage>
<!-- -->
<!--Detect Spawned Java Parent Processes-->
<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">java.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">javaw.exe</ParentImage>
<!-- -->
<!--Detect Spawned Office Parent Processes & Abuse-->
<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">word.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">excel.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">POWERPNT.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">outlook.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">visio.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">msaccess.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">lync.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=" condition="end with">skype.exe</ParentImage>
<!-- -->
<!--Detect Output Redirection. Note: these are single-character "contains" matches (">" and "^" in particular), so the tag lands on a large share of ordinary command lines; because the catch-all rule at the end of this section already includes every process, these entries only label events, they do not add coverage.-->
<CommandLine name="Alert=Output Redirection" condition="contains">2></CommandLine>
<CommandLine name="Alert=Output Redirection" condition="contains">&lt;</CommandLine>
<CommandLine name="Alert=Output Redirection" condition="contains">></CommandLine>
<CommandLine name="Alert=Output Redirection" condition="contains">^</CommandLine>
<!-- -->
<!--Detect Multiple Commands-->
<CommandLine name="Alert=Multiple Commands" condition="contains">&amp;</CommandLine>
<CommandLine name="Alert=Multiple Commands" condition="contains">;</CommandLine>
<CommandLine name="Alert=Command Pipe" condition="contains">|</CommandLine>
<CommandLine name="Alert=interactive command to slow output" condition="contains">more</CommandLine>
<CommandLine name="Alert=Commands run from \\tsclient share ie: samsam ransomware" condition="contains">\\tsclient</CommandLine>
<CommandLine name="Alert=DotDot Dirs" condition="contains">..</CommandLine>
<!--Hacking Command Line Events. Several strings below are listed twice (e.g. Invoke-DllInjection, Invoke-ReflectivePEInjection, Out-Minidump, Get-Keystrokes, Win32_TaskService); duplicates are harmless to Sysmon but worth removing so the list stays maintainable.-->
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">wmic shadowcopy delete</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">wbadmin delete catalog</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation,Note=BCDEdit disabling auto repair" condition="contains">/set {default} recoveryenabled no</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">telnet</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">-dumpcr</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">putty</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">bash.exe</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">pssh</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">sdelete</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">shareenum</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">sekurlsa</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">reg SAVE</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-DllInjection</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Shellcode</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-WmiCommand</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-GPPPassword</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-Keystrokes</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-TimedScreenshot</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-VaultCredential</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-CredentialInjection</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">mimikatz</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-NinjaCopy</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-TokenManipulation</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Out-Minidump</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">VolumeShadowCopyTools</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ReflectivePEInjection</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-UserHunter</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Find-GPOLocation</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ACLScanner</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-DowngradeAccount</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ServiceUnquoted</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ServiceFilePermission</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ServicePermission</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ServiceAbuse</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Install-ServiceBinary</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-RegAutoLogon</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-VulnAutoRun</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-VulnSchTask</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-UnattendedInstallFile</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-WebConfig</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ApplicationHost</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-RegAlwaysInstallElevated</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-Unconstrained</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Add-RegBackdoor</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Add-ScrnSaveBackdoor</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Gupt-Backdoor</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ADSBackdoor</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Enabled-DuplicateToken</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PsUaCme</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Remove-Update</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Check-VM</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-LSASecret</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-PassHashes</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Show-TargetScreen</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Port-Scan</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">netscan</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">psscan</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PoshRatHttp</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PowerShellTCP</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PowerShellWMI</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Add-Exfiltration</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Add-Persistence</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Do-Exfiltration</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Start-CaptureServer</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-DllInjection</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ReflectivePEInjection</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ShellCode</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ChromeDump</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ClipboardContents</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-FoxDump</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-IndexedItem</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-Keystrokes</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-Screenshot</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Inveigh</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-NetRipper</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-NinjaCopy</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Out-Minidump</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-EgressCheck</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PSInject</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-RunAs</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">MailRaider</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">New-HoneyHash</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Set-MacAttribute</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-VaultCredential</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-DCSync</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PowerDump</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-TokenManipulation</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Exploit-Jboss</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ThunderStruck</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-VoiceTroll</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Set-Wallpaper</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-InveighRelay</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PsExec</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-SSHCommand</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-SecurityPackages</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Install-SSP</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-BackdoorLNK</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">PowerBreach</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-GPPPassword</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-SiteListPassword</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-System</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">BypassUAC</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Tater</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">PowerUp</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">PowerView</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-RickAstley</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Find-Fruit</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">HTTP-Login</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Find-TrustedDocuments</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Paranoia</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-WinEnum</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ARPScan</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ReverseDNSLookup</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">smbscanner</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-FruityC2</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Stager</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">process call create</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">root\\default</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">FilterToConsumerBinding</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">root\\subscription</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Win32_TaskService</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Win32_TaskService</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">stratum+tcp</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">-donate-level=</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Wmiclass</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">WmiCl'+'as'+'s</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">ntdsutil</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">mimiauth</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Powersploit</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Mimikittenz</CommandLine>
<!--Malicious Keywords Credits: Sean Metcalf (source), Florian Roth (rule)-->
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">AdjustTokenPrivileges</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">IMAGE_NT_OPTIONAL_HDR64_MAGIC</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Management.Automation.RuntimeException</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Microsoft.Win32.UnsafeNativeMethods</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">ReadProcessMemory.Invoke</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Runtime.InteropServices</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">SE_PRIVILEGE_ENABLED</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">System.Security.Cryptography</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">System.Runtime.InteropServices</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">LSA_UNICODE_STRING</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">MiniDumpWriteDump</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">PAGE_EXECUTE_READ</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Net.Sockets.SocketFlags</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Reflection.Assembly</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">SECURITY_DELEGATION</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_ADJUST_PRIVILEGES</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_ALL_ACCESS</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_ASSIGN_PRIMARY</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_DUPLICATE</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_ELEVATION</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_IMPERSONATE</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_INFORMATION_CLASS</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_PRIVILEGES</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_QUERY</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Metasploit</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Mimikatz</CommandLine>
<!--Malware IOC's-->
<CommandLine name="Alert=Potential Ransomware indicator" condition="contains">usn deletejournal</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">^h^t^t^p</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">h"t"t"p</CommandLine>
<!--Suspicious Windows tools-->
<Image name="MitreRef=T1001,Technique=Signed Script Proxy Execution,Tactic=Defense Evasion/Execution" condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] | NOTE(review): T1001 is Data Obfuscation in ATT&CK; Signed Script Proxy Execution is T1216 - confirm before anything downstream keys on this tag -->
<Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
<Image condition="image">regsvcs.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/3f94d7080e6c5b8f59eeecc3d44f7e817b31562caeba21d02ad705a0bfc63d67?environmentId=100 ] -->
<Image condition="image">C:\Windows\system32\svchost.exe</Image> <!--Microsoft:Windows: svchost.exe hosts Windows services, including BITS (the background file-transfer service)-->
<Image condition="image">mshta.exe</Image>
<Image name="Alert=Psexec Utilities" condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
<Image name="Alert=PsKill Command" condition="contains">pskill</Image><!--Detect pskill-->
<Image name="Alert=Remote Shutdown with Psexec" condition="contains">psshutdown</Image><!--Detect PsShutdown-->
<Image condition="contains">psservice</Image><!--Detect PsService-->
<Image condition="contains">PsPasswd</Image><!--Detect PsPasswd-->
<Image name="Alert=MSBuild Applocker bypass" condition="image">msbuild.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
<Image name="Alert=MSI Installer Launched" condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->
<Image name="Alert=Remote Desktop" condition="image">mstsc.exe</Image><!-- Remote Desktop -->
<Image name="Alert=Telnet Terminal Emulator" condition="image">telnet.exe</Image><!-- Telnet -->
<Image condition="image">SyncAppvPublishingServer.exe</Image><!--Mitre T1218-->
<Image condition="image">Mavinject.exe</Image><!--Mitre T1218-->
<Image name="Alert=Secure Shell Execution" condition="image">ssh.exe</Image><!-- SSH -->
<Image name="Alert=Secure Shell Execution" condition="image">putty.exe</Image><!-- SSH -->
<Image name="Alert=Secure Shell Execution" condition="image">kitty.exe</Image><!-- SSH -->
<Image name="Alert=Secure Shell Execution" condition="image">kitty_portable.exe</Image><!-- SSH -->
<Image name="Alert=Secure Shell FTP Execution" condition="image">psftp.exe</Image><!-- SFTP -->
<Image condition="image">tftp.exe</Image><!-- TFTP -->
<Image condition="image">wmic.exe</Image><!-- wmic /node logging -->
<Image condition="image">nbtstat.exe</Image><!-- Netbios stat-->
<Image condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
<Image condition="image">infDefaultInstall.exe</Image> <!--Microsoft: [ https://github.com/huntresslabs/evading-autoruns ] | Credit @KyleHanslovan -->
<Image condition="image">sc.exe</Image><!-- Service Control Manager-->
<Image condition="image">auditpol.exe</Image><!-- Auditpol-->
<Image condition="image">qwinsta.exe</Image><!-- Query Remote Sessions-->
<Image condition="image">rwinsta.exe</Image><!-- Reset Remote Sessions-->
<Image condition="image">curl.exe</Image>
<Image condition="image">wget.exe</Image>
<Image condition="image">www.exe</Image>
<Image condition="image">awk.exe</Image>
<Image condition="image">sed.exe</Image>
<!--SECTION: Crypto Currency Miners (the "poolname" entry below appears twice)-->
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">stratum+tcp</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">coinhive</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">minergate</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">ccminer</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">cgminer</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">sgminer</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">rainbowminer</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">xmrMiner</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">poolpassword</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">poolurl</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">poolname</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">ahashpool</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">poolname</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">blazepool</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">blockmasters</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">blockmasterscoins</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">hashrefinery</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">miningpoolhubcoins</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">nicehash</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">yiimp</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">zergpool</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">zergpoolcoins</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">zpool</CommandLine>
<!--Tor-->
<Image condition="image">tor.exe</Image><!-- Tor-->
<!-- -->
<!--Suspicious Command Line Locations-->
<Image name="MitreRef=T1059,Technique=Command-Line Interface/Execution" condition="end with">.com</Image>
<Image name="Info=Executables Launched In Temp" condition="contains">\temp\</Image>
<Image name="Info=Executables Launched In User Dirs" condition="begin with">C:\users</Image>
<ParentImage condition="end with">explorer.exe</ParentImage>
<Image condition="end with">control.exe</Image>
<Image condition="end with">acrord32.exe</Image>
<Image condition="end with">installutil.exe</Image>
<Image name="Info=Registry modification/queries" condition="end with">\reg.exe</Image>
<Image name="Info=ipconfig discovery" condition="end with">ipconfig.exe</Image>
<Image name="Info=Executables Launched In Appdata" condition="contains">\appdata\</Image>
<Image condition="contains">\programdata\</Image>
<Image condition="contains">\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
<Image condition="contains">\ProgramData</Image>
<Image condition="contains">\Windows\</Image>
<Image condition="contains">\Perflogs\</Image>
<Image condition="contains">\config\systemprofile\</Image>
<!--Include Everything last to allow rules to apply and to allow previous exclude ruleset to function-->
<CommandLine name="Note=Windows Firewall Modifications" condition="contains">netsh advfirewall firewall</CommandLine>
<Image condition="contains">\</Image>
</ProcessCreate>
<ProcessCreate onmatch="exclude">
<!--SECTION: Microsoft Windows-->
<IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Microsoft:Windows: Don't care about sandboxed processes-->
<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
<CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine> <!--Microsoft:Windows: Search Indexer-->
<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
<Image condition="is">C:\Windows\System32\MusNotification.exe</Image> <!--Microsoft:Windows: Update popups-->
<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image> <!--Microsoft:Windows: Update popups-->
<Image condition="is">C:\Windows\System32\audiodg.exe</Image> <!--Microsoft:Windows: Launched constantly-->
<Image condition="is">C:\Windows\System32\conhost.exe</Image> <!--Microsoft:Windows: Command line interface host process-->
<Image condition="is">C:\Windows\System32\powercfg.exe</Image> <!--Microsoft:Power configuration management-->
<Image condition="is">C:\Windows\System32\wbem\WmiApSrv.exe</Image> <!--Microsoft:Windows: WMI performance adapter host process-->
<Image condition="is">C:\Windows\servicing\TrustedInstaller.exe</Image> <!--Microsoft:Windows: TrustedInstaller-->
<Image condition="is">C:\Windows\system32\sppsvc.exe</Image> <!--Microsoft:Windows: Software Protection Service-->
<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
<ParentCommandLine condition="begin with">C:\Windows\system32\svchost.exe -k DcomLaunch</ParentCommandLine> <!--Microsoft:Windows-->
<ParentCommandLine condition="contains">\SystemRoot\System32\smss.exe 00000100 0000007c</ParentCommandLine> <!--Microsoft:Windows 10 Noise-->
<CommandLine condition="contains">\SystemRoot\System32\smss.exe 00000100 0000007c</CommandLine> <!--Microsoft:Windows 10 Noise-->
<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font Cache Service-->
<ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!--Microsoft:Windows:CommandShell: Triggered when programs use the command shell, but without attribution-->
<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
<Image condition="is">C:\Windows\system32\vssvc.exe</Image><!-- Microsoft Windows: Volume Shadow Copy Service -->
<CommandLine condition="contains">net.exe use</CommandLine> <!-- Silence domain login scripts -->
<CommandLine condition="contains">net use</CommandLine> <!-- Silence domain login scripts -->
<CommandLine condition="contains">net1 use</CommandLine> <!-- Silence domain login scripts -->
<CommandLine condition="contains">net.exe time</CommandLine> <!-- Silence domain login scripts -->
<CommandLine condition="contains">net time</CommandLine> <!-- Silence domain login scripts -->
<CommandLine condition="contains">net1 time</CommandLine> <!-- Silence domain login scripts -->
<!--SECTION: Microsoft:Windows:Defender-->
<Image condition="begin with">C:\Program Files\Windows Defender</Image> <!--Microsoft:Windows:Defender in Win10-->
<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
<Image condition="is">C:\Windows\System32\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
<Image condition="is">C:\Windows\SysWOW64\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
<Image condition="is">C:\Windows\System32\MpSigStub.exe</Image> <!--Microsoft:Windows: Microsoft Malware Protection Signature Update Stub-->
<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Engine</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Base</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
<Image condition="is">C:\Windows\System32\MusNotification.exe</Image><!--Microsoft:Windows: Update Popups-->
<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image><!--Microsoft:Windows: Update Popups-->
<CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine><!--Microsoft:Windows: Search Indexer-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k wsappx</CommandLine><!--Microsoft:Windows 10-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k appmodel</CommandLine><!--Microsoft:Windows 10-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k UnistackSvcGroup</CommandLine><!--Microsoft:Windows 10-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k defragsvc</CommandLine><!--Microsoft:Windows Defrag-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k RPCSS</CommandLine><!--Microsoft:Windows Services-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k utcsvc</CommandLine><!--Microsoft:Windows Services-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k wbioSvcGroup</CommandLine><!--Microsoft:Windows Services-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k DcomLaunch</CommandLine><!--Microsoft:Windows Services-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k swprv</CommandLine><!--Microsoft:Software Shadow Copy Provider-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k imgsvc</CommandLine><!--Microsoft:The Windows Image Acquisition Service-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k NetworkServiceNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceNoNetwork</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -p -s NcaSvc</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC</CommandLine> <!--Microsoft:Windows:Network: BitLocker Drive Encryption-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s BITS</CommandLine> <!--Microsoft:Windows:Network: Background Intelligent File Transfer (BITS) -->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc</CommandLine> <!--Microsoft:Windows: Network services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s SENS</CommandLine> <!--Microsoft:Windows: Network services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv</CommandLine> <!--Microsoft:Windows: Network services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s Themes</CommandLine> <!--Microsoft:Windows: Network services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt</CommandLine> <!--Microsoft:Windows: Windows Management Instrumentation (WMI) -->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s gpsvc</CommandLine> <!--Microsoft:Windows:Network: Group Policy -->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs</CommandLine> <!--Microsoft:Windows: Network services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s Dnscache</CommandLine> <!--Microsoft:Windows:Network: DNS caching, other uses -->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation</CommandLine> <!--Microsoft:Windows:Network: "Workstation" service, used for SMB file-sharing connections and RDP-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s NlaSvc</CommandLine> <!--Microsoft:Windows:Network: Network Location Awareness-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s TermService</CommandLine> <!--Microsoft:Windows:Network: Terminal Services (RDP)-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService</CommandLine> <!--Microsoft:Windows: Network services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k rPCSS</CommandLine> <!--Microsoft:Windows Services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k secsvcs</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k swprv</CommandLine> <!--Microsoft:Software Shadow Copy Provider-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k unistackSvcGroup</CommandLine> <!--Microsoft:Windows 10-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k utcsvc</CommandLine> <!--Microsoft:Windows Services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k wbioSvcGroup</CommandLine> <!--Microsoft:Windows Services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k werSvcGroup</CommandLine> <!--Microsoft:Windows: ErrorReporting-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k wsappx</CommandLine> <!--Microsoft:Windows 10-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation</CommandLine><!--Microsoft:Windows Network Services-->
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k NetworkService</CommandLine><!--Microsoft:Windows Network Services-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</CommandLine><!--Microsoft:Windows Network Services-->
<CommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k GPSvcGroup</CommandLine><!--Microsoft:Windows Network Services-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k tapisrv</CommandLine><!--Microsoft:Windows Network Services-->
<ParentCommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k wsappx</ParentCommandLine> <!-- Windows 10 AppX Deployment Noise -->
<ParentCommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</ParentCommandLine><!--Microsoft:Windows Network Services: Spawns Consent.exe-->
<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted</ParentCommandLine><!--Microsoft:Windows Network Services-->
<Image condition="is">C:\Windows\System32\powercfg.exe</Image><!--Microsoft:Power Management-->
<ParentImage condition="is">C:\Windows\System32\taskeng.exe</ParentImage><!--Microsoft:Scheduled Task noise, we already detect creation-->
<!--SECTION: Microsoft dotNet-->
<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font cache service-->
<ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
<CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</CommandLine> <!--Microsoft:DotNet-->
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
<ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
<!--SECTION: Microsoft Office-->
<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!--Microsoft:Office: Background process-->
<ParentImage condition="end with">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage> <!--Microsoft:Office: Background process-->
<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE</Image> <!--Microsoft:Office: Background process-->
<Image condition="is">C:\Program Files\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process-->
<Image condition="is">C:\Program Files\Microsoft Office\Office15\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process-->
<Image condition="is">C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>
<Image condition="is">C:\Windows\splwow64.exe</Image> <!--Microsoft:Office: Print Driver Host spam -->
<!--SECTION: Microsoft:Windows: Media player-->
<Image condition="is">C:\Program Files\Windows Media Player\wmpnscfg.exe</Image> <!--Microsoft:Windows: Windows Media Player Network Sharing Service Configuration Application-->
<!--SECTION: Microsoft Exchange-->
<ParentImage condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe</ParentImage>
<ParentImage condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe</ParentImage>
<CommandLine condition="contains">C:\Program Files\Microsoft\Exchange Server\V14\Scripts\CheckDatabaseRedundancy.ps1</CommandLine>
<!--SECTION: Microsoft Misc-->
<Image condition="is">C:\Windows\System32\ddpcli.exe</Image> <!--Scheduled dedupe jobs on server 2012-->
<!--SECTION: Google-->
<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
<CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
<Image condition="begin with">C:\Program Files (x86)\Google\Update\</Image> <!--Google:Chrome: Updater-->
<ParentImage condition="begin with">C:\Program Files (x86)\Google\Update\</ParentImage> <!--Google:Chrome: Updater-->
<!--SECTION: Firefox-->
<CommandLine condition="begin with">"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox: Large command-line arguments | Credit @Darkbat91 -->
<CommandLine condition="begin with">"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox: Large command-line arguments | Credit @Darkbat91 -->
<!--SECTION: Adobe-->
<CommandLine condition="contains">AcroRd32.exe" /CR </CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
<CommandLine condition="contains">AcroRd32.exe" --channel=</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe</ParentImage>
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image>
<!--SECTION: Adobe:Acrobat DC-->
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
<!--SECTION: Adobe:Acrobat 2015-->
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
<!--SECTION: Adobe:Acrobat Reader DC-->
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
<!--SECTION: Adobe:Flash-->
<Image condition="end with">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> <!--Adobe:Flash: Properly hardened updater, not a risk-->
<!--SECTION: Adobe:Updater-->
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</ParentImage> <!--Adobe:Updater: Properly hardened updater, not a risk-->
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
<!--SECTION: Adobe:Supporting processes-->
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe</Image>
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe</Image>
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe</Image> <!--Adobe:Creative Cloud-->
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe</Image> <!--Adobe:License utility-->
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</Image> <!--Adobe:License utility-->
<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</ParentImage> <!--Adobe:License utility-->
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</Image>
<ParentImage condition="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</ParentImage>
<!--SECTION: Adobe:Creative Cloud-->
<!--SECTION: Cisco-->
<ParentImage condition="end with">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe</ParentImage> <!--Cisco: Calls netsh to change settings on connect-->
<Image condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</Image>
<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</ParentImage>
<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe</ParentImage>
<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe</ParentImage>
<!--SECTION: Drivers-->
<CommandLine condition="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{</CommandLine>
<Image condition="begin with">C:\Program Files\NVIDIA Corporation\</Image> <!--Nvidia:Driver: routine actions-->
<Image condition="end with">\NVIDIA\NvBackend\ApplicationOntology\OAWrapper.exe</Image> <!--Nvidia:Driver: routine actions-->
<ParentImage condition="is">C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamuseragent.exe</ParentImage> <!--Nvidia:Driver: routine actions-->
<Image condition="begin with">C:\Program Files\Realtek\</Image> <!--Realtek:Driver: routine actions-->
<ParentImage condition="end with">C:\Program Files\DellTPad\HidMonitorSvc.exe</ParentImage>
<CommandLine condition="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{</CommandLine>
<ParentImage condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</ParentImage><!--Synaptics Touchpad -->
<ParentImage condition="end with">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe</ParentImage> <!--Realtek:Driver: routine actions-->
<!--SECTION: Dropbox-->
<Image condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</Image> <!--Dropbox:Updater: Lots of command-line arguments-->
<ParentImage condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage>
<!--SECTION: Dell-->
<ParentImage condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> <!--Dell:CommandUpdate: Detection process-->
<Image condition="is">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image> <!--Dell:SupportAssist: routine actions-->
<Image condition="is">C:\Program Files\Dell\SupportAssist\koala.exe</Image> <!--Dell:SupportAssist: routine actions-->
<ParentCommandLine condition="end with">"-outc=C:\ProgramData\Dell\CommandUpdate\inventory.xml" "-logc=C:\ProgramData\Dell\CommandUpdate\scanerrs.xml" "-lang=en" "-enc=UTF-16" </ParentCommandLine>
<!-- <ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> --> <!--Dell:CommandUpdate: Detection process-->
<!--SECTION: Lenovo-->
<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\ConfigService.exe</Image> <!--Lenovo: System Update-->
<ParentImage condition="is">C:\PROGRA~3\Lenovo\SYSTEM~1\SESSIO~1\REPOSI~1\fwdphb06\fwdphb06_version.exe</ParentImage><!--Lenovo: System Update-->
<Image condition="is">C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe</Image><!--Lenovo: Thinkpad Utilities-->
<Image condition="is">C:\Windows\system32\LPlatSvc.exe</Image> <!--Lenovo: Platform Services-->
<ParentImage condition="is">C:\Program Files\Lenovo\HOTKEY\tphkload.exe</ParentImage><!--Lenovo: Hotkey Tools-->
<ParentImage condition="is">C:\Program Files\Lenovo\HOTKEY\micmute.exe</ParentImage><!--Lenovo: Hotkey Tools-->
<Image condition="is">C:\Program Files\Lenovo\InstantOn\InstantOnSrv.exe</Image> <!--Lenovo: Instant-On-->
<Image condition="is">C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelService.exe</Image> <!--Lenovo: Mouse Suite-->
<Image condition="is">C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</Image> <!--Lenovo: Modern Apps Plugin Host-->
<ParentCommandLine condition="contains">C:\Program Files\Lenovo\iMController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</ParentCommandLine> <!--Lenovo: Modern Apps Plugin Host-->
<ParentCommandLine condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsukernel.exe</ParentCommandLine> <!--Lenovo: System Update-->
<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\UACSdk.exe</ParentImage> <!--Lenovo: System Update-->
<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\SUService.exe</ParentImage> <!--Lenovo: System Update-->
<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Ultraslim Plus Wireless Keyboard &amp; Mouse\Pelico.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Ultraslim Plus Wireless Keyboard &amp; Mouse\LeDaemon.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelElvDm.exe</ParentImage>
<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsuShim.exe</ParentImage>
<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsu.exe</ParentImage>
<Image condition="contains">C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe</Image>
<!--SECTION: MSI: Micro-Star International Computers-->
<ParentImage condition="is">C:\Program Files (x86)\SCM\SCM.exe</ParentImage><!--MSI: Hotkey & Power Management-->
<Image condition="is">C:\Program Files (x86)\SCM\SCM_Notice.exe</Image><!--MSI: Hotkey & Power Management-->
<Image condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</Image><!-- MSI: Helpdesk Updater-->
<ParentImage condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</ParentImage><!-- MSI: Helpdesk Updater-->
<Image condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</Image><!-- MSI: Dragon Center Updater-->
<ParentImage condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</ParentImage><!-- MSI: Dragon Center Updater-->
<!--SECTION: Intel-->
<Image condition="is">C:\Program Files\Intel\Telemetry 2.0\lrio.exe</Image> <!--Intel: Telemetry-->
<Image condition="is">C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe</Image> <!--Intel: Driver Update-->
<Image condition="is">C:\Windows\System32\DriverStore\FileRepository\ki120591.inf_amd64_7a2f7b04e15632c2\igfxCUIService.exe</Image><!--Intel: Graphics Driver-->
<Image condition="is">C:\Windows\System32\DriverStore\FileRepository\ki120591.inf_amd64_7a2f7b04e15632c2\igfxEM.exe</Image><!--Intel: Graphics Driver-->
<!--SECTION: Antivirus-->
<CommandLine condition="begin with">"C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",SynProc</CommandLine> <!--Webroot-->
<CommandLine condition="contains">C:\Program Files (x86)\Webroot\WRSA.exe" -ul</CommandLine> <!--Webroot-->
<ParentCommandLine condition="is">"C:\Program Files (x86)\Webroot\WRSA.exe" -service</ParentCommandLine> <!--Webroot-->
<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image><!--Webroot-->
<!--SECTION: Synaptics Touchpad-->
<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</Image>
<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe</Image>
<!--SECTION: Custom Apps-->
<ParentCommandLine condition="contains">C:\Program Files (x86)\StorageCraft\ImageManager\ImageManager.exe</ParentCommandLine> <!--ShadowProtect noise -->
<ParentCommandLine condition="contains">raw_agent_svc.exe</ParentCommandLine> <!--ShadowProtect noise -->
<ParentImage condition="end with">raw_agent_svc.exe</ParentImage> <!--ShadowProtect noise -->
<CommandLine condition="contains">IscsidscInterface.exe</CommandLine> <!--ShadowProtect noise -->
<ParentCommandLine condition="contains">IscsidscInterface.exe</ParentCommandLine> <!--ShadowProtect noise -->
<ParentCommandLine condition="contains">C:\Windows\LTSvc\LTSvcMon.exe -sLTService</ParentCommandLine>
<CommandLine condition="contains">interface tcp show global</CommandLine>
<Image condition="end with">ScreenConnect.WindowsClient.exe</Image><!--Screenconnect Remote Desktop Client-->
<Image condition="begin with">C:\Program Files (x86)\SmartGit</Image> <!--SmartGit-->
<ParentImage condition="begin with">C:\Program Files (x86)\SmartGit</ParentImage> <!--SmartGit-->
<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--Vivaldi Browser-->
<Image condition="end with">controls\cef\ConnectWise.exe</Image> <!--Connectwise-->
<!-- VMware vSphere spawns child processes cvtres.exe and csc.exe; currently unable to exclude those child processes, since csc.exe and cvtres.exe are also used by some malware-->
<ParentCommandLine condition="contains">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</ParentCommandLine> <!--VMware vSphere spawns subprocesses-->
<CommandLine condition="contains">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</CommandLine><!--VMware vSphere spawns subprocesses-->
<ParentImage condition="is">C:\Program Files (x86)\SyncedTool\bin\agent_service.exe</ParentImage><!--eFolder Synced Tool-->
<Image condition="is">C:\Program Files (x86)\Notepad++\notepad++.exe</Image><!-- Notepad++ -->
<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn-gui.exe</Image>
<ParentImage condition="is">C:\Program Files (x86)\Enpass\Enpass.exe</ParentImage> <!--Enpass Password Manager-->
<Image condition="contains">C:\Program Files (x86)\Enpass\Enpass.exe</Image> <!--Enpass Password Manager-->
<ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> <!--Dell:CommandUpdate: Detection process-->
<ParentImage condition="contains">C:\Program Files (x86)\Fortinet\FortiClient\scheduler.exe</ParentImage> <!--FortiClient Noise -->
<ParentImage condition="contains">C:\Program Files (x86)\Fortinet\FortiClient\FCHelper64.exe</ParentImage> <!--FortiClient Noise -->
<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image> <!-- Forticlient Updater -->
<Image condition="contains">C:\Program Files (x86)\SyncedTool\bin\agent_gui.exe</Image>
<Image condition="is">C:\Anchor Server\penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->
<ParentImage condition="is">C:\Anchor Server\redis\redis-server.exe</ParentImage> <!-- eFolder Anchor Server -->
<Image condition="is">C:\Anchor Server\redis\redis-server.exe</Image> <!-- eFolder Anchor Server -->
<ParentImage condition="is">C:\PostgreSQL9.1\bin\postgres.exe</ParentImage> <!-- eFolder Anchor Server -->
<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Anchor Server -->
<Image condition="is">C:\ProgramData\sysmon\sysmon64.exe</Image> <!-- Exclude Sysmon Process events -->
<!--Exclude: MSPaint.exe-->
<Hashes condition="contains">56BFB300BA379181CE09C3130775DFBBCAFF9DB764BDC39086C2FEC2547EE900</Hashes>
<!--Exclude: Sysmon Auto-Update-->
<ParentCommandLine condition="contains">\sysmon\Auto_Update.bat</ParentCommandLine>
<CommandLine condition="contains">\sysmon\Auto_Update.bat</CommandLine>
<CommandLine condition="contains">ion-storm/sysmon-config</CommandLine>
<!--Exclude: Netlogon scripts-->
<ParentCommandLine condition="contains">\netlogon\</ParentCommandLine>
<CommandLine condition="contains">\netlogon\</CommandLine>
<!--NOTE(review): each rule below is an independent exclude, so "net use" / "net time" suppress every matching Event ID 1, not only those spawned
by a logon script. "net use" is also how admin shares are mapped during lateral movement, so these rules remove that visibility entirely;
prefer tying the exclusion to the logon-script parent (the \netlogon\ rules above) rather than excluding the command globally.-->
<CommandLine condition="contains">net use</CommandLine>
<CommandLine condition="contains">net.exe use</CommandLine>
<CommandLine condition="contains">net1 use</CommandLine>
<CommandLine condition="contains">net1.exe use</CommandLine>
<CommandLine condition="contains">net time</CommandLine>
<CommandLine condition="contains">net.exe time</CommandLine>
<CommandLine condition="contains">net1 time</CommandLine>
<CommandLine condition="contains">C:\Windows\system32\cmd.exe /c UsrLogon.cmd</CommandLine>
<ParentImage condition="is">C:\Program Files (x86)\MaaS360\Cloud Extender\EMSAgent.exe</ParentImage>
<ParentImage condition="is">C:\Program Files\Octopus Deploy\Tentacle\Tentacle.exe</ParentImage>
<CommandLine condition="contains">chrome.nativeMessaging.out</CommandLine>
</ProcessCreate>
<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
<!--COMMENT: [ https://attack.mitre.org/wiki/Technique/T1099 ] -->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime-->
<FileCreateTime onmatch="include">
<!--Timestomping indicators: log creation-time changes made by executables running from locations where dropped tooling commonly lives-->
<Image condition="begin with">C:\Users</Image> <!--Look for timestomping by executables in the user profile area-->
<Image condition="begin with">C:\ProgramData</Image> <!--Look for timestomping by executables in ProgramData (not a user area, but not a normal install location either)-->
<Image condition="contains">\Temp\</Image> <!--Mitre T1099--><!--Look for timestomping by executables in temp folders-->
</FileCreateTime>
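<FileCreateTime onmatch="exclude">
<!--Known legitimate file-time changers. Exclude wins over include, so every rule here hides timestomping by anything it matches; keep them narrow-->
<Image condition="image">C:\Windows\system32\backgroundTaskHost.exe</Image>
<Image condition="image">TrustedInstaller.exe</Image> <!--Ignore setups. "image" instead of "is": Image is a full path, so an exact match on the bare file name could never fire-->
<Image condition="image">OneDrive.exe</Image> <!--OneDrive constantly changes file times-->
<Image condition="image">vivaldi.exe</Image> <!--Vivaldi constantly changes file times-->
<Image condition="image">chrome.exe</Image> <!--Chrome constantly changes file times-->
<Image condition="contains">setup</Image> <!--Ignore setups. NOTE(review): matches "setup" anywhere in the image path, including user-writable locations, so it also silences the C:\Users and \Temp\ include rules for any such executable-->
</FileCreateTime>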
<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED [NetworkConnect]-->
<!--COMMENT: By default this configuration takes a very conservative approach to network logging, limited to only extremely high-signal events.-->
<!--COMMENT: [ https://attack.mitre.org/wiki/Command_and_Control ] [ https://attack.mitre.org/wiki/Exfiltration ] [ https://attack.mitre.org/wiki/Lateral_Movement ] -->
<!--TECHNICAL: For the DestinationHostname, Sysmon uses the GetNameInfo API, which will often not have any information, and may just be a CDN. This is NOT reliable for filtering.-->
<!--TECHNICAL: For the DestinationPortName, Sysmon uses the GetNameInfo API for the friendly name of ports you see in logs.-->
<!--TECHNICAL: These executables do not initiate their own connections, so including them in this section has no effect: BITSADMIN.exe-->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpV6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName-->
<NetworkConnect onmatch="include">
<!--Suspicious sources for network-connecting binaries-->
<Image condition="begin with">C:\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
<Image condition="contains">\temp\</Image> <!--Network Connection in Temp Directories-->
<Image condition="contains">$RECYCLE.BIN</Image> <!--Network Connection in Temp Directories-->
<Image condition="begin with">C:\ProgramData</Image> <!--Normally, network communications should be sourced from "Program Files" not from ProgramData, something to look at-->
<Image condition="begin with">C:\Perflogs\</Image>
<Image condition="contains">config\systemprofile\</Image>
<Image condition="contains">\Windows\Fonts\</Image>
<Image condition="contains">\Windows\IME\</Image>
<Image condition="contains">\Windows\addins\</Image>
<Image condition="contains">chrome.exe</Image>
<Image condition="contains">iexplore.exe</Image>
<Image condition="contains">firefox.exe</Image>
<Image condition="contains">MicrosoftEdgeCP.exe</Image>
<Image condition="contains">MicrosoftEdge.exe</Image>
<Image condition="contains">explorer.exe</Image>
<!--<Image name="Alert=Non-Exe Connecting to network" condition="excludes">.exe</Image>-->
<Image name="Alert=Unknown Process Connecting to network" condition="contains">unknown process</Image>
<!--Suspicious Windows tools-->
<Image condition="image">at.exe</Image> <!--Microsoft:Windows: Remote task scheduling | Credit @ion-storm -->
<Image condition="image">certutil.exe</Image> <!--Microsoft:Windows: Certificate tool can contact outbound | Credit @ion-storm and @FVT [ https://twitter.com/FVT/status/834433734602530817 ] -->
<Image condition="image">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
<Image condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
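<Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt --> <!--Duplicate wscript.exe rule on this line removed-->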
<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
<Image condition="image">regsvcs.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/3f94d7080e6c5b8f59eeecc3d44f7e817b31562caeba21d02ad705a0bfc63d67?environmentId=100 ] -->
<Image condition="image">C:\Windows\system32\svchost.exe</Image> <!--Windows Services hidden by Svchost.exe, BITS File Transfer program-->
<Image condition="image">mshta.exe</Image>
<Image condition="image">powershell.exe</Image> <!--Microsoft:WindowsPowerShell: | Credit @Cyb3rOps -->
<Image condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
<Image condition="contains">pskill</Image><!--Detect pskill-->
<Image condition="contains">psshutdown</Image><!--Detect PsShutdown-->
<Image condition="contains">psservice</Image><!--Detect PsService-->
<Image condition="contains">PsPasswd</Image><!--Detect PsPasswd-->
<Image condition="image">java.exe</Image>
<Image condition="image">msbuild.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
<Image condition="image">installutil.exe</Image>
<Image condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->
<Image condition="image">reg.exe</Image><!-- Remote Registry -->
<Image condition="image">mstsc.exe</Image><!-- Remote Desktop -->
<Image condition="image">telnet.exe</Image><!-- Telnet -->
<Image condition="image">SyncAppvPublishingServer.exe</Image><!--Mitre T1218-->
<Image condition="image">Mavinject.exe</Image><!--Mitre T1218-->
<Image condition="image">ssh.exe</Image><!-- SSH -->
<Image condition="image">putty.exe</Image><!-- SSH -->
<Image condition="image">kitty.exe</Image><!-- SSH -->
<Image condition="image">kitty_portable.exe</Image><!-- SSH -->
<Image condition="image">psftp.exe</Image><!-- SFTP -->
<Image condition="image">tftp.exe</Image><!-- TFTP -->
<Image condition="image">wmic.exe</Image><!-- wmic /node logging -->
<Image condition="image">net.exe</Image><!-- net use/net view-->
<Image condition="image">nbtstat.exe</Image><!-- Netbios stat-->
<Image condition="image">dsquery.exe</Image><!-- Query domain-->
<Image condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
<Image condition="image">infDefaultInstall.exe</Image> <!--Microsoft: [ https://github.com/huntresslabs/evading-autoruns ] | Credit @KyleHanslovan -->
<Image condition="image">sc.exe</Image><!-- Service Control Manager-->
<Image condition="image">auditpol.exe</Image><!-- Auditpol-->
<Image condition="image">qwinsta.exe</Image><!-- Query Remote Sessions-->
<Image condition="image">rwinsta.exe</Image><!-- Reset Remote Sessions-->
<!--Tor-->
<Image condition="image">tor.exe</Image><!-- Tor-->
<!--Hack tools hosting-->
<DestinationHostname condition="contains">githubusercontent.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
<DestinationHostname condition="contains">github.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
<!--Suspicious destinations-->
<DestinationHostname condition="contains">api.ipify.org</DestinationHostname> <!--Malware uses to get external IP address-->
<DestinationHostname condition="contains">whatismyipaddress.com</DestinationHostname> <!--Malware uses to get external IP address-->
<DestinationHostname condition="contains">edns.ip-api.com</DestinationHostname> <!--Malware uses to get external IP address-->
<DestinationHostname condition="contains">checkip.dyndns.org</DestinationHostname> <!--Malware uses to get external IP address-->
<DestinationHostname condition="contains">icanhazip.com</DestinationHostname> <!--Malware uses to get external IP address-->
<DestinationHostname condition="contains">ifconfig.me</DestinationHostname> <!--Malware uses to get external IP address-->
<DestinationHostname condition="contains">ifconfig.co</DestinationHostname> <!--Malware uses to get external IP address-->
<DestinationHostname condition="contains">ipaddress.com</DestinationHostname> <!--Malware uses to get external IP address-->
<DestinationHostname condition="contains">ipinfo.io</DestinationHostname> <!--Malware uses to get external IP address-->
<DestinationHostname condition="contains">goo.gl</DestinationHostname>
<DestinationHostname condition="contains">git.io</DestinationHostname>
<DestinationHostname condition="contains">bit.ly</DestinationHostname>
<DestinationHostname condition="contains">t.co</DestinationHostname>
<DestinationHostname condition="contains">ow.ly</DestinationHostname>
<DestinationHostname condition="contains">ip-api.com</DestinationHostname> <!--Ransomware using ip-api for geolocation tracking-->
<!--Dynamic DNS Providers-->
<DestinationHostname condition="contains">dlinkddns.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<DestinationHostname condition="contains">no-ip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<DestinationHostname condition="contains">no-ip.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<DestinationHostname condition="contains">no-ip.biz</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<DestinationHostname condition="contains">no-ip.info</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<DestinationHostname condition="contains">noip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<DestinationHostname condition="contains">afraid.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<DestinationHostname condition="contains">duckdns.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<DestinationHostname condition="contains">changeip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<DestinationHostname condition="contains">ddns.net</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<DestinationHostname condition="contains">hopto.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<DestinationHostname condition="contains">zapto.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<DestinationHostname condition="contains">servehttp.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<DestinationHostname condition="contains">sytes.net</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<!--Tor2Web Providers-->
<DestinationHostname condition="contains">onion.to</DestinationHostname>
<DestinationHostname condition="contains">onion.cab</DestinationHostname>
<DestinationHostname condition="contains">onion.sh</DestinationHostname>
<DestinationHostname condition="contains">onion.nu</DestinationHostname>
<DestinationHostname condition="contains">onion.direct</DestinationHostname>
<DestinationHostname condition="contains">tor2web.org</DestinationHostname>
<DestinationHostname condition="contains">tor2web.fi</DestinationHostname>
<DestinationHostname condition="contains">tor2web.io</DestinationHostname>
<DestinationHostname condition="contains">tor2web.blutmagie.de</DestinationHostname>
<DestinationHostname condition="contains">tor-gateways.de</DestinationHostname>
<DestinationHostname condition="contains">hiddenservice.net</DestinationHostname>
<!--Public Port Scan Detection-->
<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">shodan</DestinationHostname>
<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">shadow</DestinationHostname>
<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">researchscan</DestinationHostname>
<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">census</DestinationHostname>
<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">sl-reverse</DestinationHostname>
<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">scanhub</DestinationHostname>
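<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">.edu</DestinationHostname> <!--Was a DestinationIp rule; that field is numeric and can never contain ".edu", so the rule was dead. Depends on reverse DNS (see the TECHNICAL note at the top of this section) and will be noisy in academic environments-->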
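<!--Scanner source ranges, matched as /24 prefixes. "begin with" instead of "contains" so that e.g. "71.6.216." cannot also match 171.6.216.x-->
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">158.130.6.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">71.6.216.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">137.226.113.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">138.246.252.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">128.32.30.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">208.93.152.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">162.216.46.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">169.229.3.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">155.94.254.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">98.143.148.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">155.94.222.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">134.147.203.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">69.170.62.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">159.203.213.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">209.236.120.</DestinationIp>
<!--Trailing "158.130.6" (no dot) removed: it duplicated the first entry and, lacking the dot, would also have matched 158.130.60.x through 158.130.69.x-->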
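<!--Crypto Currency Mining pools-->
<!--Matching is case-insensitive substring, so exact repeats (mixpools.org, monero, mineXMR) and entries already covered by a shorter one
(blockmasterscoins, zergpoolcoins, usxmrpool, prohash.net, cryptmonero) were removed; behaviour is unchanged. "monero" alone is a broad substring and will also match legitimate project sites-->
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">blazepool</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">blockmasters</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">hashrefinery</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">miningpoolhubcoins</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">nicehash</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">yiimp</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">zergpool</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">zpool</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">slushpool</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">minexmr</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">minergate</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">monero</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">prohash</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">dwarfpool</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">nanopool.org</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mixpools.org</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">viaxmr.com</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">hashvault.pro</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">moriaxmr.com</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">suprnova.cc</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">xmrpool</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">poolto.be</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mine.bz</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mypool.online</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">bohemianpool</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">iwanttoearn.money</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">pool.xmr</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">crypto-pool</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">miners.pro</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">minercircle.com</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">monero.lindon-pool.win</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">teracycle.net</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">ratchetmining.com</DestinationHostname>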
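<!--Ports-->
<!--NOTE(review): including 80 and 443 logs every web connection from every process on the host, which is the opposite of the "very conservative"
approach described in the COMMENT at the top of this section; expect high volume. RuleName values below feed the RuleName field, so downstream
queries keyed on the old labels need updating where a label was corrected-->
<DestinationPort name="Service=HTTP Connection" condition="is">80</DestinationPort>
<DestinationPort name="Service=HTTPS Connection" condition="is">443</DestinationPort>
<DestinationPort name="Service=Remote Desktop Connection" condition="is">3389</DestinationPort>
<DestinationPort condition="is">3540</DestinationPort> <!--Remote Assistance Port-->
<DestinationPort name="Service=SSH Connection" condition="is">22</DestinationPort>
<DestinationPort name="Service=Telnet" condition="is">23</DestinationPort>
<DestinationPort name="Service=SMTP" condition="is">25</DestinationPort>
<DestinationPort name="Service=SMB" condition="is">139</DestinationPort>
<!--<DestinationPort condition="is">445</DestinationPort> SMB Port: Removed because of noise-->
<DestinationPort name="Service=VNC" condition="is">5800</DestinationPort>
<DestinationPort name="Service=VNC" condition="is">5900</DestinationPort>
<DestinationPort name="Service=OpenVPN" condition="is">1194</DestinationPort>
<DestinationPort name="Service=L2TP" condition="is">1701</DestinationPort>
<DestinationPort name="Service=PPTP" condition="is">1723</DestinationPort> <!--1723 is the PPTP VPN control port, not Tor; label corrected-->
<DestinationPort name="Service=IPSec" condition="is">1293</DestinationPort>
<DestinationPort name="Service=IPSec NAT-T" condition="is">4500</DestinationPort> <!--4500 is IPsec NAT traversal (IKE/ESP over UDP), not Tor; label corrected-->
<DestinationPort name="Service=Socks Proxy Port" condition="is">1080</DestinationPort>
<DestinationPort name="Service=HTTP Proxy Port" condition="is">8080</DestinationPort> <!--8080 is an HTTP alternate/proxy port, not SOCKS; label corrected-->
<DestinationPort name="Service=HTTP Proxy Port" condition="is">3128</DestinationPort> <!--3128 is the Squid HTTP proxy port, not SOCKS; label corrected-->
<DestinationPort name="Service=Tor" condition="is">9001</DestinationPort>
<DestinationPort name="Service=Tor" condition="is">9030</DestinationPort>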
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">4443</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">2448</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">8143</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">1777</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">1443</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">243</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">65535</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">13506</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">3360</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">200</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">198</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">49180</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">13507</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">3360</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">6625</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">4444</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">4438</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">1904</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">13505</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">13504</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">12102</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">9631</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">5445</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">2443</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">777</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">13394</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">13145</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">12103</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">5552</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">3939</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">3675</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">666</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">473</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">5649</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">4455</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">4433</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">1817</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">100</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">65520</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">1960</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">1515</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">743</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">700</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">14154</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">14103</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">14102</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">12322</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">10101</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">7210</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">4040</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" condition="is">9943</DestinationPort>
<!--Ports: Threats-->
<DestinationPort name="Note=Suspicious Ports: https://www.hybrid-analysis.com/search?query=port:7777" condition="is">7777</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://www.hybrid-analysis.com/search?query=port:9943" condition="is">9943</DestinationPort>
<DestinationPort name="Note=Suspicious Ports: https://www.hybrid-analysis.com/search?query=port:666" condition="is">666</DestinationPort>
</NetworkConnect>
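<NetworkConnect onmatch="exclude">
<!--COMMENT: A match here suppresses Event ID 3 for that connection entirely. Broad rules (a whole CDN suffix, a whole port, a bare
image name) are blind spots an attacker can steer traffic into on purpose, so each rule is kept as narrow as the noise allows.-->
<!--SECTION: Microsoft -->
<Image condition="is">C:\Windows\System32\dns.exe</Image> <!-- Exclude Microsoft DNS Server DNS requests -->
<Image condition="is">C:\Windows\System32\find.exe</Image> <!-- Oddly find.exe connects to localhost and creates spam -->
<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe</Image> <!-- Exclude Microsoft Exchange connecting to localhost -->
<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe</Image> <!--Exchange Frontend Transport (listed once; the original had this rule twice)-->
<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\EdgeTransport.exe</Image> <!--Exchange Edge Transport-->
<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe</Image> <!--Exchange Submission-->
<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe</Image> <!--Exchange Delivery-->
<Image condition="is">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image> <!--Windows Search-->
<DestinationIsIpv6 condition="is">true</DestinationIsIpv6> <!-- IPv6 Exclusion: drops EVERY IPv6 connection, so IPv6 C2 or lateral movement is invisible. Remove this rule if you use IPv6. The original value carried a trailing space ("true "), which may have stopped this exact-match rule from ever firing. -->
<!--SECTION: Sync / cloud / remote-support clients. condition="image" matches on file name alone, so a binary of that name at ANY path is excluded; use a full path wherever the install location is fixed.-->
<Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive-->
<Image condition="image">OneDriveStandaloneUpdater.exe</Image> <!--Microsoft:OneDrive-->
<Image condition="image">Spotify.exe</Image> <!--Spotify-->
<Image condition="end with">AppData\Roaming\Dropbox\bin\Dropbox.exe</Image> <!--Dropbox-->
<Image condition="image">ConnectWise.exe</Image> <!--ConnectWise Noise-->
<Image condition="image">ScreenConnect.WindowsClient.exe</Image> <!--ScreenConnect Noise-->
<Image condition="end with">AppData\Roaming\Dashlane\Dashlane.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
<Image condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--Vivaldi Browser Installed in User profile-->
<!--SECTION: Destination hostnames. Suffix rules are anchored on a leading dot so that a look-alike such as "notmicrosoft.com" is NOT
excluded (the original "end with microsoft.com" matched it); the bare apex domain is matched exactly where it is a plausible destination.-->
<DestinationHostname condition="is">microsoft.com</DestinationHostname> <!--Microsoft:Update delivery-->
<DestinationHostname condition="end with">.microsoft.com</DestinationHostname> <!--Microsoft:Update delivery-->
<DestinationHostname condition="end with">.microsoft.com.akadns.net</DestinationHostname> <!--Microsoft:Update delivery-->
<DestinationHostname condition="end with">.microsoft.com.nsatc.net</DestinationHostname> <!--Microsoft:Update delivery-->
<DestinationHostname condition="end with">.search.msn.com</DestinationHostname> <!--Bing & Cortana Searches-->
<DestinationHostname condition="end with">.wns.windows.com</DestinationHostname> <!-- Windows communication -->
<DestinationHostname condition="end with">.akamaitechnologies.com</DestinationHostname> <!-- CDN for Microsoft, Apple, Valve, & More. CAUTION: anything served through this CDN, attacker infrastructure included, is hidden by this rule. -->
<DestinationHostname condition="end with">.1e100.net</DestinationHostname> <!--Google Chrome Safe Search checks-->
<!--SECTION: Port-based noise. A port-only rule hides every connection on that port from every process to every destination, so each
one is a place an implant can tunnel without being logged.-->
<SourcePortName condition="is">llmnr</SourcePortName> <!--Silence Link-Local Multicast Name Resolution-->
<DestinationPortName condition="is">llmnr</DestinationPortName> <!--Silence Link-Local Multicast Name Resolution-->
<SourcePortName condition="is">ldap</SourcePortName> <!--Silence LDAP-->
<DestinationPortName condition="is">ldap</DestinationPortName> <!--Silence LDAP-->
<SourcePortName condition="is">epmap</SourcePortName> <!--Silence RPC endpoint mapper (port 135); the original comment mislabelled this as LDAP-->
<DestinationPortName condition="is">epmap</DestinationPortName> <!--Silence RPC endpoint mapper (port 135)-->
<SourcePort condition="is">135</SourcePort> <!--epmap Port-->
<DestinationPort condition="is">135</DestinationPort> <!--epmap Port. CAUTION: outbound 135 is also the first hop of DCOM/WMI lateral movement; if you can, keep it visible from workstations.-->
<SourcePortName condition="is">ntp</SourcePortName> <!--Silence NTP-->
<DestinationPortName condition="is">ntp</DestinationPortName> <!--Silence NTP-->
<SourcePortName condition="is">ssdp</SourcePortName> <!--Simple Service Discovery Protocol (SSDP)-->
<DestinationPortName condition="is">ssdp</DestinationPortName> <!--Simple Service Discovery Protocol (SSDP)-->
<DestinationPort condition="is">5353</DestinationPort> <!--Bonjour/Avahi Discovery-->
<DestinationPortName condition="is">netbios-ns</DestinationPortName> <!--Netbios Name Resolution-->
<DestinationPortName condition="is">netbios-dgm</DestinationPortName> <!--Netbios Datagram Services-->
<DestinationPort condition="is">5228</DestinationPort> <!--Google Chrome Safe Search checks-->
<DestinationPort condition="is">5357</DestinationPort> <!--WSD API noise-->
<DestinationPort condition="is">3544</DestinationPort> <!--Teredo-->
<DestinationPort condition="is">3702</DestinationPort> <!--Windows: WS-Discovery noise-->
<SourcePort condition="is">50646</SourcePort> <!--Windows: WS-Discovery noise. CAUTION: this is an ephemeral SOURCE port, so any unrelated outbound connection that happens to be assigned it is dropped too; prefer the destination port (3702 above) or the originating image.-->
<DestinationPort condition="is">53</DestinationPort> <!--DNS Lookups. CAUTION: hides every port-53 connection from every process, i.e. DNS tunnelling and direct-to-attacker-resolver C2. Consider excluding only your resolvers (DestinationIp) or dropping this rule and filtering in the SIEM instead.-->
<!--SECTION: Third-party and site-specific (eFolder, SmartGit, Webroot, GoToMeeting, Teams). Review before deploying elsewhere.-->
<Image condition="begin with">C:\Program Files (x86)\SmartGit\</Image> <!--SmartGit (also covers the bundled jre\bin\java.exe that the original listed separately)-->
<Image condition="is">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image> <!--eFolder SyncedTool-->
<Image condition="end with">penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server. CAUTION: also matches python.exe in any virtualenv whose directory name ends in "penv"; use the full install path if it is fixed. -->
<DestinationHostname condition="begin with">efolder01</DestinationHostname> <!-- eFolder Noise -->
<DestinationPort condition="is">2080</DestinationPort> <!--eFolder Noise -->
<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image> <!--Webroot-->
<Image condition="end with">DSPro\Programs\pr001Celery98.exe</Image>
<Image condition="image">g2ax_comm_expert.exe</Image> <!--GoToMeeting-->
<Image condition="image">g2mcomm.exe</Image> <!--GoToMeeting. The original also had a looser "end with g2mcomm.exe" rule, which would match any name ending in that string; the exact file-name match is kept.-->
<Image condition="end with">AppData\Local\Microsoft\Teams\current\Teams.exe</Image> <!--Microsoft: Teams-->
</NetworkConnect>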
<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES-->
<!--DATA: UtcTime, State, Version, SchemaVersion-->
<!--Cannot be filtered.-->
<!--SYSMON EVENT ID 5 : PROCESS ENDED [ProcessTerminate]-->
<!--COMMENT: Useful data in building infection timelines.-->
<!--DATA: Rulename, UtcTime, ProcessGuid, ProcessId, Image-->
<ProcessTerminate onmatch="include">
<!--COMMENT: Useful data in building infection timelines. Only terminations of an image matching a rule below produce Event ID 5.-->
<Image condition="begin with">C:\Users</Image> <!--Process terminations of binaries run from user profiles-->
<Image condition="begin with">C:\ProgramData</Image> <!--Process terminations of binaries run from ProgramData-->
<Image condition="contains">\Temp\</Image> <!--Process terminations in temp directories-->
<Image condition="end with">Sysmon.exe</Image> <!--Detect killing Sysmon, Credit: @vector_sec. NOTE(review): only the default binary names are covered by this and the next rule; a Sysmon deployed under a different file name needs its own rule.-->
<Image condition="end with">Sysmon64.exe</Image> <!--Detect killing Sysmon, Credit: @vector_sec-->
</ProcessTerminate>
<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
<!--COMMENT: Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
about what you exclude from monitoring. Low event volume, little incentive to exclude.
[ https://attack.mitre.org/wiki/Technique/T1014 ] -->
<!--TECHNICAL: Sysmon will check the signing certificate revocation status of any driver you don't exclude.-->
<!--DATA: RuleName, UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
<DriverLoad onmatch="exclude">
<!--COMMENT: Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
about what you exclude from monitoring. Low event volume, little incentive to exclude.-->
<!--NOTE(review): Every rule below keys on the signer name alone and never on SignatureStatus. A driver whose certificate is revoked,
expired or otherwise invalid is therefore still excluded as long as its subject contains one of these strings, which undercuts the
CheckRevocation setting at the top of this file. "contains" with a short token ("AMD", "windows") also matches any signer name that
happens to include it. Prefer the narrowest condition the vendor's real signer string allows ("is" or "begin with"), and where the
Sysmon version in use supports compound rules, gate these exclusions on a valid signature.-->
<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft drivers-->
<Signature condition="is">Microsoft Windows</Signature> <!--Exclude signed Microsoft drivers (already covered by the "contains microsoft" rule above)-->
<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft drivers (looser than needed: any signer containing "windows" matches)-->
<Signature condition="begin with">Intel</Signature> <!--Exclude signed Intel drivers-->
<Signature condition="contains">Lenovo</Signature> <!--Exclude signed Lenovo drivers-->
<Signature condition="contains">Synaptic</Signature> <!--Exclude signed Synaptic drivers-->
<Signature condition="contains">Nvidia</Signature> <!--Exclude signed Nvidia drivers-->
<Signature condition="contains">Broadcom</Signature> <!--Exclude signed Broadcom drivers-->
<Signature condition="contains">AMD</Signature> <!--Exclude signed AMD drivers (three-letter token: matches any signer containing "AMD")-->
<Signature condition="contains">VMware</Signature> <!--Exclude signed VMware drivers-->
<Signature condition="contains">Realtek</Signature> <!--Exclude signed Realtek drivers-->
<Signature condition="contains">Micro-Star</Signature> <!--Exclude signed MSI drivers-->
<Signature condition="contains">Logitech</Signature> <!--Exclude signed Logitech drivers-->
<Signature condition="contains">Asmedia</Signature> <!--Exclude signed Asmedia drivers-->
<Signature condition="contains">SteelSeries</Signature> <!--Exclude signed SteelSeries drivers (the original comment said MSI)-->
<Signature condition="contains">Fortinet</Signature> <!--Exclude signed Fortinet drivers-->
<Signature condition="contains">Webroot</Signature> <!--Exclude signed Webroot drivers-->
<Signature condition="is">NoVirusThanks Company Srl</Signature> <!--Exclude signed NoVirusThanks drivers-->
<Signature condition="contains">Invincea</Signature> <!--Exclude signed Invincea drivers-->
<Signature condition="contains">ShoreTel</Signature> <!--Exclude signed ShoreTel drivers-->
<Signature condition="contains">Synology</Signature> <!--Exclude signed Synology drivers-->
<Signature condition="contains">Citrix</Signature> <!--Exclude signed Citrix drivers-->
<Signature condition="contains">SonicWall</Signature> <!--Exclude signed SonicWall drivers-->
<Signature condition="contains">Sophos</Signature> <!--Exclude signed Sophos drivers-->
<Signature condition="contains">OpenVPN</Signature> <!--Exclude signed OpenVPN drivers-->
</DriverLoad>
<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS [ImageLoad]-->
<!--COMMENT: Can cause high system load. Enabled in this fork, but limited to libraries that fail signature verification plus a few known hijack paths (see the include and exclude lists below).-->
<!--COMMENT: [ https://attack.mitre.org/wiki/Technique/T1073 ] [ https://attack.mitre.org/wiki/Technique/T1038 ] [ https://attack.mitre.org/wiki/Technique/T1034 ] -->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
<ImageLoad onmatch="include">
<!--COMMENT: Event ID 7 is restricted to libraries that are unsigned or whose signature cannot be verified, plus a few known hijack
locations. A matching rule in the exclude block below always wins over these, so e.g. a validly signed DLL loaded from \Temp\, or an
unsigned DLL whose version resource claims a Microsoft Company/Product string, is NOT logged.-->
<Signed condition="is">false</Signed> <!-- Lets Only show Unsigned DLL's loaded-->
<SignatureStatus condition="is">Invalid</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
<SignatureStatus condition="is">Unavailable</SignatureStatus> <!--Lets Show DLL's whose signature could not be verified-->
<ImageLoaded condition="contains">C:\windows\system32\fxsst.dll</ImageLoaded> <!-- CIA Vault7 Leak: Fax DLL Injection -->
<ImageLoaded condition="contains">C:\Windows\System32\wbem\oci.dll</ImageLoaded> <!-- CIA Vault7 Leak: Distributed Transaction Coordinator DLL Injection -->
<ImageLoaded condition="contains">\Temp\</ImageLoaded> <!--Any library loaded from a temp directory, signed or not (subject to the exclude list)-->
</ImageLoad>
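<ImageLoad onmatch="exclude">
<!--COMMENT: Exclusions win over the include list above. Because that list only fires on libraries that FAIL signature verification
(or come from a few hijack paths), a rule below that names a system DLL or a system process only ever suppresses events about a copy
of that file that is unsigned, tampered or otherwise unverifiable. Treat every entry as a deliberate blind spot and prefer fixing the
cause of the noise over widening this list.-->
<SignatureStatus condition="is">Valid</SignatureStatus> <!--Anything with a verifiable signature. This also hides validly signed DLLs loaded from \Temp\ or the fxsst.dll/oci.dll paths in the include list.-->
<!--SECTION: Signer names. Keyed on the signer string only, never on SignatureStatus, so an invalidly signed library whose subject
contains one of these tokens is still excluded. "contains" with a short token ("AMD", "windows") matches any signer containing it.-->
<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft libraries-->
<Signature condition="is">Microsoft Windows</Signature> <!--Exclude signed Microsoft libraries (already covered by the "contains microsoft" rule)-->
<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft libraries (any signer containing "windows")-->
<Signature condition="begin with">Intel</Signature> <!--Exclude signed Intel libraries-->
<Signature condition="contains">Lenovo</Signature> <!--Exclude signed Lenovo libraries-->
<Signature condition="contains">Synaptic</Signature> <!--Exclude signed Synaptic libraries-->
<Signature condition="contains">Nvidia</Signature> <!--Exclude signed Nvidia libraries-->
<Signature condition="contains">Broadcom</Signature> <!--Exclude signed Broadcom libraries-->
<Signature condition="contains">AMD</Signature> <!--Exclude signed AMD libraries-->
<Signature condition="contains">VMware</Signature> <!--Exclude signed VMware libraries-->
<Signature condition="contains">Realtek</Signature> <!--Exclude signed Realtek libraries-->
<Signature condition="contains">Micro-Star</Signature> <!--Exclude signed MSI libraries-->
<Signature condition="contains">Logitech</Signature> <!--Exclude signed Logitech libraries-->
<Signature condition="contains">Asmedia</Signature> <!--Exclude signed Asmedia libraries-->
<Signature condition="contains">SteelSeries</Signature> <!--Exclude signed SteelSeries libraries-->
<Signature condition="contains">Fortinet</Signature> <!--Exclude signed Fortinet libraries-->
<Signature condition="contains">Webroot</Signature> <!--Exclude signed Webroot libraries-->
<!--SECTION: PE version-resource fields. CAUTION: Company and Product are free text written by whoever built the binary and are not
covered by any signature. An unsigned DLL that merely claims "Microsoft" in its version info is excluded by these two rules, which
defeats the unsigned-DLL detection above. Strongly consider removing them.-->
<Company condition="contains">Microsoft</Company>
<Product condition="contains">Microsoft</Product>
<!--SECTION: Loading process (Image). Unsigned or unverifiable DLLs loaded by these processes are not logged. NOTE(review): svchost.exe,
conhost.exe and taskeng.exe are frequent hosts for malicious service DLLs and injected code; netsh.exe extension DLLs are a known
persistence vector. Confirm each of these is a blind spot you accept.-->
<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image> <!-- Windows Store apps unsigned (listed once; the original had this rule three times) -->
<Image condition="is">C:\Windows\System32\mmc.exe</Image>
<Image condition="is">C:\Windows\System32\SearchFilterHost.exe</Image>
<Image condition="is">C:\Windows\System32\SearchProtocolHost.exe</Image>
<Image condition="is">C:\Windows\sysmon64.exe</Image>
<Image condition="is">C:\ProgramData\sysmon\sysmon64.exe</Image>
<Image condition="is">C:\Windows\System32\inetsrv\w3wp.exe</Image> <!-- IIS worker (listed once; the original had this rule twice). Web shells execute inside w3wp, so unsigned loads here are worth keeping on exposed IIS hosts. -->
<Image condition="is">C:\Windows\System32\conhost.exe</Image>
<Image condition="is">C:\Windows\System32\svchost.exe</Image>
<Image condition="is">C:\Windows\System32\NETSTAT.EXE</Image>
<Image condition="is">C:\Windows\System32\tasklist.exe</Image>
<Image condition="is">C:\Windows\System32\nslookup.exe</Image>
<Image condition="is">C:\Windows\System32\find.exe</Image>
<Image condition="is">C:\Windows\System32\nbtstat.exe</Image>
<Image condition="is">C:\Windows\System32\dsquery.exe</Image>
<Image condition="is">C:\Windows\System32\netsh.exe</Image>
<Image condition="is">C:\Windows\System32\taskeng.exe</Image>
<Image condition="is">C:\cs\tools\php\php-cgi.exe</Image>
<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
<Image condition="is">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image> <!-- eFolder SyncedTool -->
<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Server loading unsigned dll's -->
<Image condition="begin with">C:\Program Files</Image> <!-- NOTICE: Not good for security but good on cutting down the noise, we do log dropped dll's. This prefix covers both "Program Files" and "Program Files (x86)". -->
<Image condition="contains">SQL Server</Image>
<Image condition="contains">Exchange Server</Image>
<!--SECTION: Loaded library (ImageLoaded). These only take effect when the named file failed verification, so an unsigned or modified
copy of a core system DLL (kernel32.dll, user32.dll, termsrv.dll) is hidden by the rules that name it. That is a finding, not noise;
consider removing those entries once the source of the noise is understood.-->
<ImageLoaded condition="is">C:\Windows\sysmon64.exe</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\conhost.exe</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\winspool.drv</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\wow64.dll</ImageLoaded> <!-- listed once; the original had this rule twice -->
<ImageLoaded condition="is">C:\Windows\System32\wow64win.dll</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\clusapi.dll</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded> <!-- listed once; the original had this rule twice plus a dead "end with System32\cryptdll.dlll" rule (typo, never matched), now removed -->
<ImageLoaded condition="is">C:\Windows\System32\pcwum.dll</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\kernel32.dll</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\user32.dll</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\dns.exe</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\zvprtmon5.dll</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\termsrv.dll</ImageLoaded>
<ImageLoaded condition="begin with">C:\Windows\System32\spool\</ImageLoaded> <!-- Print drivers -->
<ImageLoaded condition="end with">samlib.dll</ImageLoaded> <!-- Spam. The narrower "end with System32\samlib.dll" duplicate from the original is subsumed by this rule. -->
<ImageLoaded condition="contains">C:\Program Files (x86)\SmartGit</ImageLoaded> <!--SmartGit-->
<ImageLoaded condition="contains">syntevo\SmartGit</ImageLoaded> <!--SmartGit-->
<ImageLoaded condition="contains">Labtech Client</ImageLoaded>
<ImageLoaded condition="contains">CrystalDecisions</ImageLoaded>
<ImageLoaded condition="contains">ShoreWare</ImageLoaded>
<ImageLoaded condition="is">C:\Program Files\Microsoft SQL Server\100\Shared\dbghelp.dll</ImageLoaded>
<ImageLoaded condition="contains">C:\Windows\assembly\NativeImages</ImageLoaded> <!-- Event Viewer -->
<ImageLoaded condition="contains">C:\Program Files\WindowsApps</ImageLoaded> <!-- Windows Store Apps: Apparently most dll's here are unsigned and causes noise -->
<ImageLoaded condition="contains">SQL Server</ImageLoaded>
<ImageLoaded condition="contains">Exchange Server</ImageLoaded>
<!-- Custom App Exclusions -->
<ImageLoaded condition="is">C:\Program Files (x86)\AutoSizer\AutoSizer.dll</ImageLoaded> <!-- I use autosizer to re-arrange my windows -->
<ImageLoaded condition="contains">C:\Program Files (x86)\Notepad++</ImageLoaded> <!--Notepad++ Plugins Are unsigned-->
<!--NOTE(review): Two dead rules from the original were removed rather than guessed at: ImageLoaded is "C:\Windows\System32\wshqos."
and Image is "C:\Windows\System32\VSSVC." (both truncated, so neither ever matched). If the noise they were meant to silence still
exists, add the full file name deliberately and accept the resulting blind spot.-->
</ImageLoad>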
<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]-->
<!--COMMENT: Monitor for processes injecting code into other processes. Often used by malware to cloak their actions. Also when Firefox loads Flash.
[ https://attack.mitre.org/wiki/Technique/T1055 ] -->
<!--DATA: RuleName, UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->
<CreateRemoteThread onmatch="include">
<!--COMMENT: The SourceImage rule matches every source (all image paths contain a backslash), so Event ID 8 is effectively
"log everything not excluded below". The StartFunction rule tags the LoadLibrary-based subset with the MITRE rule name.-->
<StartFunction name="MitreRef=T1055,Technique=DLL Injection via LoadLibrary API Call,Tactic=Defense Evasion" condition="contains">LoadLibrary</StartFunction>
<SourceImage condition="contains">\</SourceImage> <!--Catch-all: every image path contains a backslash-->
</CreateRemoteThread>
<CreateRemoteThread onmatch="exclude">
<!--COMMENT: Exclude mostly-safe sources and log anything else.-->
<!--NOTE(review): A SourceImage rule hides injection performed BY that process. svchost.exe, services.exe, csrss.exe and winlogon.exe
are also common targets of injection themselves, and once attacker code runs inside one of them its onward injection is invisible
here. The two TargetImage rules (chrome.exe, ConnectWise.exe) hide anything injecting INTO those processes, e.g. browser hooking.
Keep this list as short as the noise allows, and prefer full paths over "contains" (see FireSvc.exe below).-->
<SourceImage condition="is">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>
<SourceImage condition="is">C:\Windows\SysWOW64\wbem\WmiPrvSE.exe</SourceImage>
<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
<SourceImage condition="is">C:\Windows\system32\wininit.exe</SourceImage>
<SourceImage condition="is">C:\Windows\system32\csrss.exe</SourceImage>
<SourceImage condition="is">C:\Windows\system32\services.exe</SourceImage>
<SourceImage condition="is">C:\Windows\system32\winlogon.exe</SourceImage>
<SourceImage condition="is">C:\Windows\system32\audiodg.exe</SourceImage>
<TargetImage condition="end with">Google\Chrome\Application\chrome.exe</TargetImage> <!--Hides all injection into Chrome-->
<SourceImage condition="contains">FireSvc.exe</SourceImage> <!--Any path containing this file name-->
<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
<TargetImage condition="end with">controls\cef\ConnectWise.exe</TargetImage>
<SourceImage condition="is">C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\avp.exe</SourceImage>
<SourceImage condition="is">C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\Common7\IDE\Remote Debugger\x64\msvsmon.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\rdpclip.exe</SourceImage>
<SourceImage condition="is">C:\Windows\sysmon64.exe</SourceImage>
<SourceImage condition="is">C:\Windows\sysmon.exe</SourceImage>
</CreateRemoteThread>
<!--SYSMON EVENT ID 9 : RAW DISK ACCESS [RawAccessRead]-->
<!--EVENT 9: "RawAccessRead detected"-->
<!--COMMENT: Can cause high system load, disabled by default.-->
<!--COMMENT: Monitor for raw sector-level access to the disk, often used to bypass access control lists or access locked files.
Disabled by default since including even one entry here activates this component. Reward/performance/rule maintenance decision.
Encourage you to experiment with this feature yourself. [ https://attack.mitre.org/wiki/Technique/T1067 ] -->
<!--COMMENT: You will likely want to set this to a full capture on domain controllers, where no process should be doing raw reads.-->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, Device-->
<RawAccessRead onmatch="include">
<!--Intentionally empty: with no include rule Event ID 9 is not collected. Add rules here to enable it (see the note above about domain controllers).-->
</RawAccessRead>
<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS [ProcessAccess]-->
<!--EVENT 10: "Process accessed"-->
<!--COMMENT: Can cause high system load. Enabled in this fork for the targets, sources and call traces listed in the include block below.-->
<!--COMMENT: Monitor for processes accessing other process' memory.-->
<!--DATA: RuleName, UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
<ProcessAccess onmatch="include">
<!--COMMENT: Monitor for processes accessing other process' memory. This can be valuable, but can cause massive event glut.
Uses 4mbs+ IO. Each rule below is an independent trigger; the exclude block that follows trims the result.-->
<TargetImage condition="end with">:\Windows\System32\lsass.exe</TargetImage> <!--Any access to lsass (credential dumping target)-->
<TargetImage condition="end with">:\Windows\System32\winlogon.exe</TargetImage> <!--Any access to winlogon-->
<SourceImage condition="contains">powershell.exe</SourceImage> <!--Any access by a powershell.exe image, regardless of target-->
<TargetImage condition="contains">verclsid.exe</TargetImage>
<CallTrace condition="contains">VBE7.dll</CallTrace> <!--Access whose call stack passes through the VBA runtime-->
<CallTrace condition="contains">CorperfmontExt.dll</CallTrace> <!--NOTE(review): this looks like a misspelling of CorPerfMonExt.dll (the .NET performance-counter library); as written the rule never matches. Confirm the intended module before correcting it, since the corrected rule may add volume.-->
</ProcessAccess>
<ProcessAccess onmatch="exclude">
<!-- Filter out common access masks
A reference is available here for the mask: https://msdn.microsoft.com/en-us/library/windows/desktop/ms684880%28v=vs.85%29.aspx
Ideally an access mask with any of the following is useful:
PROCESS_VM_WRITE (0x0020)
PROCESS_VM_READ (0x0010)
PROCESS_VM_OPERATION (0x0008)
0x1410 (potential memory read) is common activity. E.g. by taskmgr.exe. We only want to capture this against lsass.exe and winlogon.exe, but this logic is in the subscription.
-->
<!--NOTE(review): None of the masks below carry the VM_READ/VM_WRITE/VM_OPERATION bits. One caveat: 0x40 is PROCESS_DUP_HANDLE per
the reference above, and against lsass.exe a duplicated handle is itself a route to memory access. Consider keeping 0x40 visible.-->
<GrantedAccess condition="is">0x40</GrantedAccess> <!--PROCESS_DUP_HANDLE-->
<GrantedAccess condition="is">0x101000</GrantedAccess> <!--SYNCHRONIZE | QUERY_LIMITED_INFORMATION-->
<GrantedAccess condition="is">0x1000</GrantedAccess> <!--QUERY_LIMITED_INFORMATION-->
<GrantedAccess condition="is">0x1400</GrantedAccess> <!--QUERY_INFORMATION | QUERY_LIMITED_INFORMATION-->
<GrantedAccess condition="is">0x100000</GrantedAccess> <!--SYNCHRONIZE-->
<GrantedAccess condition="is">0x3200</GrantedAccess> <!--SET_LIMITED_INFORMATION | QUERY_LIMITED_INFORMATION | SET_INFORMATION-->
<GrantedAccess condition="is">0x101400</GrantedAccess> <!--SYNCHRONIZE | QUERY_INFORMATION | QUERY_LIMITED_INFORMATION-->
<GrantedAccess condition="is">0x101001</GrantedAccess> <!--SYNCHRONIZE | QUERY_LIMITED_INFORMATION | TERMINATE-->
<!-- These binaries appear to access lsass legitimately -->
<!--NOTE(review): Most rules below key on an image NAME or path fragment ("contains taskmgr", "contains processhacker",
"end with \procexp64.exe", "contains SQL", "contains ScreenConnect", "contains ShadowProtect"). A credential dumper renamed to match
any of them reads lsass unobserved, and "contains SQL" matches any path containing those three letters. Prefer full install paths,
and for tools that are also attacker favourites (Process Hacker, Process Explorer, Task Manager) consider logging rather than excluding.-->
<SourceImage condition="is">C:\Windows\sysWOW64\wbem\wmiprvse.exe</SourceImage>
<SourceImage condition="begin with">C:\ProgramData\Microsoft\Windows Defender\platform\</SourceImage>
<SourceImage condition="is">C:\Windows\system32\msiexec.exe</SourceImage>
<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
<SourceImage condition="is">C:\Windows\system32\spoolsv.exe</SourceImage>
<SourceImage condition="contains">taskmgr</SourceImage> <!--Name-based: trivially matched by a renamed tool-->
<SourceImage condition="end with">wbem\wmiprvse.exe</SourceImage>
<SourceImage condition="end with">\EMET_Service.exe</SourceImage>
<SourceImage condition="end with">\EMET_GUI.exe</SourceImage>
<SourceImage condition="end with">\procexp64.exe</SourceImage> <!--Name-based: trivially matched by a renamed tool-->
<SourceImage condition="contains">processhacker</SourceImage> <!--Name-based: trivially matched by a renamed tool-->
<SourceImage condition="end with">\Bin\FMS.exe</SourceImage> <!-- Exchange Process -->
<SourceImage condition="contains">\Exchange Server\</SourceImage>
<SourceImage condition="contains">SQL</SourceImage> <!--Matches ANY path containing "SQL"-->
<SourceImage condition="end with">:\Windows\System32\smss.exe</SourceImage>
<SourceImage condition="end with">:\Windows\system32\csrss.exe</SourceImage>
<SourceImage condition="end with">:\Windows\system32\wininit.exe</SourceImage>
<SourceImage condition="end with">\Google\Update\GoogleUpdate.exe</SourceImage>
<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
<SourceImage condition="is">C:\Program Files\Webroot\WRSA.exe</SourceImage>
<SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
<TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage>
<TargetImage condition="is">C:\Windows\Sysmon.exe</TargetImage>
<TargetImage condition="is">C:\Windows\Sysmon64.exe</TargetImage>
<!-- ScreenConnect Querying lsass/winlogon SPAM -->
<SourceImage condition="contains">ScreenConnect</SourceImage>
<!-- These binaries get or access processes running .NET -->
<SourceImage condition="end with">:\Windows\system32\sppsvc.exe</SourceImage>
<SourceImage condition="end with">:\Windows\system32\sdiagnhost.exe</SourceImage>
<!-- In testing a common false-positive is memory space that DLLS would be expected to mapped to. -->
<!--NOTE(review): The next rule drops any access whose call stack includes an address Sysmon could not attribute to a module. That is
also what code running from unbacked memory (reflectively loaded or injected tooling) looks like, so this trades noise for exactly the
events a credential-theft hunt wants. If it is kept, narrow it with a Source/TargetImage condition where the Sysmon version supports
compound rules.-->
<CallTrace condition="contains">UNKNOWN(00007F</CallTrace>
<SourceImage condition="contains">ShadowProtect</SourceImage>
<SourceImage condition="is">C:\Hlthpnt\bin\IM.exe</SourceImage>
<SourceImage condition="end with">Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe</SourceImage>
<SourceImage condition="end with">Common Files\Adobe\AdobeGCClient\AGSService.exe</SourceImage>
<SourceImage condition="begin with">C:\ProgramData\WebEx\webex\</SourceImage>
<SourceImage condition="end with">Dropbox\Update\DropboxUpdate.exe</SourceImage>
<SourceImage condition="end with">LTSvc\LTSVC.exe</SourceImage>
<SourceImage condition="end with">\Trusteer\Rapport\bin\RapportMgmtService.exe</SourceImage>
<SourceImage condition="end with">Adobe\AdobeGCClient\AGMService.exe</SourceImage>
<SourceImage condition="end with">NT-ware Shared\MomAdmSvc\MomAdmSvc.exe</SourceImage>
<SourceImage condition="end with">\Autodesk\Autodesk Desktop App\AdAppMgrSvc.exe</SourceImage>
</ProcessAccess>
<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
<!--EVENT 11: "File created"-->
<!--NOTE: Other filesystem "minifilters" can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
<!--NOTE: You may not see files detected by antivirus. Other filesystem minifilters, like antivirus, can act before Sysmon receives the alert a file was written.-->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
<FileCreate onmatch="include">
<TargetFilename condition="contains">\Start Menu</TargetFilename> <!--Microsoft:Windows: Startup links and shortcut modification-->
<TargetFilename condition="contains">\Startup</TargetFilename> <!--Microsoft:Office: Changes to user's autoloaded files under AppData-->
<TargetFilename name="MitreRef=T1060,Technique=Autorun Folder Entries,Tactic=Persistence" condition="contains">\Programs\Startup</TargetFilename> <!--Microsoft:Windows: Autorun Startup Folder-->
<TargetFilename condition="contains">\Content.Outlook\</TargetFilename> <!--Microsoft:Outlook: attachments--> <!--PRIVACY WARNING-->
<TargetFilename condition="contains">\Downloads\</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE--> <!--PRIVACY WARNING-->
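<!--COMMENT: Extensions and drop locations worth logging on creation. Sysmon string conditions are case-insensitive, so
exact repeats that used to appear twice in this list (.sys, .docm, .pptm, .appref-ms, .cmdline, System32\Tasks) are listed once.
Two patterns were misspelled and could never match: ".rft" (meant .rtf) and ".vbsript" (meant .vbscript). -->
<TargetFilename condition="end with">.dll</TargetFilename> <!-- DLLs dropped into writable or search-path locations (DLL search-order hijacking) -->
<TargetFilename condition="end with">.ocx</TargetFilename> <!-- ActiveX control, a DLL by another name -->
<TargetFilename condition="end with">.sys</TargetFilename> <!-- Kernel drivers dropped anywhere on disk -->
<TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
<TargetFilename condition="end with">.com</TargetFilename> <!--Legacy DOS executable image; .COM is in the default PATHEXT, so it runs by bare name like .exe-->
<TargetFilename condition="end with">.btm</TargetFilename> <!--Batch scripting: Batch scripts can also use the .btm extension -->
<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
<TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-enabled document-->
<TargetFilename condition="end with">.exe</TargetFilename> <!--Executable-->
<TargetFilename condition="end with">.msc</TargetFilename> <!--Microsoft Management Console snap-in file, opened by mmc.exe-->
<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting: HTML Application, run by mshta.exe-->
<TargetFilename condition="end with">.ws</TargetFilename> <!--Scripting-->
<TargetFilename condition="end with">.wsf</TargetFilename> <!--Scripting: Windows Script File-->
<TargetFilename condition="end with">.wsh</TargetFilename> <!--Scripting: Windows Script Host settings file-->
<TargetFilename condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:PowerPoint: Macro-enabled presentation-->
<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
<TargetFilename condition="end with">.ps1xml</TargetFilename> <!--PowerShell's other file extensions: type and format data -->
<TargetFilename condition="end with">.psc1</TargetFilename> <!--PowerShell's other file extensions: console file -->
<TargetFilename condition="end with">.psd1</TargetFilename> <!--PowerShell's other file extensions: module manifest / data file -->
<TargetFilename condition="end with">.psm1</TargetFilename> <!--PowerShell's other file extensions: script module -->
<TargetFilename condition="end with">.pssc</TargetFilename> <!--PowerShell's other file extensions: session configuration -->
<TargetFilename condition="end with">.cdxml</TargetFilename> <!--PowerShell's other file extensions: cmdlet definition XML -->
<TargetFilename condition="end with">.reg</TargetFilename> <!--Registry files-->
<TargetFilename condition="end with">.xlsm</TargetFilename> <!--Microsoft:Office:Excel: Macro-enabled workbook-->
<TargetFilename condition="end with">.xlam</TargetFilename> <!--Microsoft:Office:Excel: Macro-enabled add-in-->
<TargetFilename condition="end with">.potm</TargetFilename> <!--Microsoft:Office:PowerPoint: Macro-enabled template-->
<TargetFilename condition="end with">.sldm</TargetFilename> <!--Microsoft:Office:PowerPoint: Macro-enabled slide-->
<TargetFilename condition="end with">.scf</TargetFilename> <!--Explorer Command File-->
<TargetFilename condition="end with">.rdp</TargetFilename> <!--Remote Desktop file-->
<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
<TargetFilename condition="end with">.vb</TargetFilename> <!--VisualBasicScripting-->
<TargetFilename condition="end with">.vbscript</TargetFilename> <!--VisualBasicScripting. Corrected from ".vbsript"; Windows Script Host itself registers .vbs and .vbe, so this entry is belt and braces-->
<TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting: encoded script-->
<TargetFilename condition="end with">.js</TargetFilename> <!--JScript for Windows Script Host. Note this also matches every JavaScript file a web project writes-->
<TargetFilename condition="end with">.jse</TargetFilename> <!--JScript: encoded script-->
<TargetFilename condition="end with">proj</TargetFilename><!--Microsoft:MSBuild:Script. No leading dot on purpose: matches .csproj, .vbproj, .proj and similar. More information: https://twitter.com/subTee/status/885919612969394177-->
<TargetFilename condition="end with">.sln</TargetFilename><!--Microsoft:MSBuild:Script More information: https://twitter.com/subTee/status/885919612969394177-->
<TargetFilename condition="end with">.xls</TargetFilename> <!--Legacy Office files are often used for attacks-->
<TargetFilename condition="end with">.ppt</TargetFilename> <!--Legacy Office files are often used for attacks-->
<TargetFilename condition="end with">.rtf</TargetFilename> <!--RTF files often 0day malware vectors when opened by Office. Corrected from ".rft", which never matched an RTF document-->
<TargetFilename condition="end with">.SettingContent-ms</TargetFilename> <!--More info: https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39-->
<TargetFilename condition="begin with">C:\Users\Default</TargetFilename> <!--Microsoft:Windows: Changes to default user profile (template for every new account)-->
<TargetFilename condition="contains">\Desktop</TargetFilename> <!--Any file created under any user's Desktop folder. High volume: this fires on ordinary user activity, not only on profile changes-->
<TargetFilename condition="contains">\Documents</TargetFilename> <!--Any file created under any user's Documents folder. High volume, same caveat as \Desktop-->
<TargetFilename condition="begin with">C:\Windows\System32\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
<TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
<TargetFilename condition="begin with">C:\Windows\System32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks-->
<TargetFilename condition="begin with">C:\Windows\System32\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
<TargetFilename condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
<TargetFilename condition="begin with">C:\Windows\System32\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
<TargetFilename condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
<TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks -->
<TargetFilename condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename> <!--Microsoft:Windows: Application compatibility shims [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
<TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename> <!--Microsoft: Any file created under System32. This subsumes the System32 sub-folder rules above (kept for readability) and is the noisiest rule in this section, since servicing and installers write here frequently-->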
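<!--SECTION: Other suspicious file types to monitor-->
<!--COMMENT: Sysmon string conditions are case-insensitive, so the ".JSE" entry this section used to carry was a repeat of the ".jse" rule above and is listed once. -->
<TargetFilename condition="end with">.ICL</TargetFilename> <!--Icon library-->
<TargetFilename condition="end with">.FON</TargetFilename> <!--Legacy bitmap font file, an executable-format container for font resources-->
<TargetFilename condition="end with">.FOT</TargetFilename> <!--TrueType font pointer file-->
<TargetFilename condition="end with">.ico</TargetFilename> <!--Icon-->
<TargetFilename condition="end with">.lnk</TargetFilename> <!--Shell shortcut; common phishing payload and persistence artefact-->
<TargetFilename condition="end with">.eml</TargetFilename> <!--Email message saved to disk-->
<TargetFilename condition="end with">.msg</TargetFilename> <!--Outlook message saved to disk-->
<TargetFilename condition="end with">.SCT</TargetFilename> <!--Windows COM scriptlet-->
<TargetFilename condition="end with">.SCR</TargetFilename> <!--Screensaver: a PE executable under a different extension-->
<TargetFilename condition="end with">.SHB</TargetFilename> <!--Legacy shell scrap object-->
<TargetFilename condition="end with">.SHS</TargetFilename> <!--Legacy shell scrap object-->
<TargetFilename condition="end with">.PAF</TargetFilename> <!--Presumably a portable-application package; confirm this extension is wanted-->
<TargetFilename condition="end with">.gadget</TargetFilename> <!--Windows Sidebar gadget-->
<TargetFilename condition="end with">.cpl</TargetFilename> <!--Control Panel item (a DLL)-->
<TargetFilename condition="end with">.inf</TargetFilename> <!--Setup information file-->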
<!--SECTION: Ransomware-->
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_decrypt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_restore</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ReadDecryptFilesHere</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howto_recover_file</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recover_file_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Recovery_file_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_to_decrypt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">encryptor_raas_readme_liesmich</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_how_recover_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOWTO_RESTORE_FILES_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_my_files</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_recover</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_TO_SAVE_FILES</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INSTRUCTIONS</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES.url</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Coin.Locker.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_secret_code.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Decrypt_readme.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTUCCIONES_DESCRIFRADO</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">FILESAREGONE.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IAMREADYTOPAY.TXT</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELLOTHERE.TXT</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READTHISNOW!!!.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRETIDHERE.KEY</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IHAVEYOURSECRET.KEY</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRET.KEY</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELPDECRYPT_YOUR_FILES.HTML</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RECOVERY_FILES.TXT</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RECOVERY_FILE.</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HowtoRestore_Files</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restorefiles</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howrecover+</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recoveryfile</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_recover_instructions</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Locky_recover</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_decrypt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_restore</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.CRAB</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">cerber</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_decrypt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">-decrypt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt-</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_decrypt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_restore_files</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_YOUR_FILES</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ReadDecryptFilesHere</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howto_recover_file</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recover_file</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Recovery_File_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_DECRYPT_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DecryptAllFiles</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">encryptor_raas_readme_liesmich</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_how_recover_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOWTO_RESTORE_FILES_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_my_files</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_recover</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_TO_SAVE_FILES</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INSTRUCTIONS</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTUCCIONES_DESCRIFRADO</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES.url</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Coin.Locker.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_secret_code.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Decrypt_readme.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">FILESAREGONE.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IAMREADYTOPAY.TXT</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELLOTHERE.TXT</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READTHISNOW!!!.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRETIDHERE.KEY</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IHAVEYOURSECRET.KEY</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRET.KEY</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELPDECRYPT_YOUR_FILES.HTML</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RECOVERY_FILES.TXT</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RECOVERY_FILE.</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HowtoRestore_File</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restorefiles_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howrecover+ recoveryfile_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recoverfile_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_recover_instructions</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_ReCoVeRy_+</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Locky_recover</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.zzzzz </TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">aeroware</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howto_recover_file</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_how_recover_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOWTO_RESTORE_FILES</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_my_files</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_recover</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_TO_SAVE_FILES</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INSTRUCTIONS</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES.url</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Coin.Locker.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_secret_code.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Decrypt_readme.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">FILESAREGONE.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IAMREADYTOPAY.TXT</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELLOTHERE.TXT</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READTHISNOW!!!.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRETIDHERE.KEY</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IHAVEYOURSECRET.KEY</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRET.KEY</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELPDECRYPT_YOUR_FILES.HTML</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RECOVERY_FILES.TXT</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restorefiles</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howrecover+</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restorefiles</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">contains(to_string($message.file_created), "howrecover+</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restorefiles</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_recover_instructions</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Locky_recover</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!!!READ_TO_UNLOCK!!!.TXT</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">openforyou@india.com</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.warn_wallet</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">hacks.at.sigaint.org</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.MATRIX</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Crytp0l0cker</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypted_files.dat</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">padcrypt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Vape Launcher.exe</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ_ME_!.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.enjey</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Aescrypt.exe</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">PINGY@INDIA.COM</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">WORMKILLER@INDIA.COM.XTBL</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">CEBER3</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IF_WANT_FILES_BACK_PLS_READ.html</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HELP_HELP_HELP_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">zXz.html</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_ME_PLEASE.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!_RECOVERY_HELP_!.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">PLEASE-READIT-IF_YOU-WANT.html</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.filegofprencrp</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">COME_RIPRISTINARE_I_FILE.</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">fattura_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_steaveiwalker@india.com_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">COMO_ABRIR_ARQUIVOS.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">info@kraken.cc_worldcza@email.cz</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">COMO_RESTAURAR_ARCHIVOS</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">What happen to my files.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ASSISTANCE_IN_RECOVERY</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_DECRYPT_ASSISTANCE_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HELP_HELP_HELP_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">BTC_DECRYPT_FILES</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.TheTrumpLocker</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ-READ-READ</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.weencedufiles</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.powned</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">[KASISKI]</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTRUCCIONES</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_USE_TO_FIX_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.happydayzz</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">001-READ-FOR-DECRYPT-FILES</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INFORMATION</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Rans0m_N0te_Read_ME</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">wowwhereismyfiles</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decryptional</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">wowreadfordecryp</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HERMES</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_DECRYPT_INFO_szesnl</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">000-IF-YOU-WANT-DEC-FILES</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.evillock</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.letmetrydecfiles</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.yourransom</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.lambda_l0cked</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.gefickt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.sigaint.org</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.HakunaMatata</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.CRYPTOSHIELD</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.weareyourfriends</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">MERRY_I_LOVE_YOU_BRUCE.hta</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">How decrypt files.hta</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">unCrypte</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decipher_ne</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.paytounlock</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">TRY-READ-ME-TO-DEC</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">protonmail.ch</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">LEER_INMEDIATAMENTE</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.killedXXX</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.doomed</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">000-No-PROBLEM-WE-DEC-FILES</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.noproblemwedecfiles</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">WE-MUST-DEC-FILES</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">powerfulldecrypt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">opensourcemail.org</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">contains(to_string($message.file_created), "READ_ME_TO_DECRYPT_YOU_INFORMA</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">file0locked</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">CryptoRansomware</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.VBRANSOM</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HELP_Recover_Files_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.oops</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.deria</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.RMCM1</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Locked-by-Mafia</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">-filesencrypted</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt_Globe</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.hnumkhotep</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.decrypt2017</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DecryptFile</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.L0CKED</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">1025-7152.exe</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">firstransomware.exe</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP-ME-ENCED-FILES</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">helpmeencedfiles</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">EdgeLocker</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.XBTL</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.firecrypt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES_ARE_DEAD</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.airacropencrypted!</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">mail.ru</TargetFilename> <!-- NOTE(review): a bare domain with "contains" fires on any created file whose path contains this string (e.g. a browser cache entry), not only on ransom notes; expect false positives here and from the similar india.com and inbox.ru rules below, so treat these as lower-confidence than the note-name and extension rules -->
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">WHERE-YOUR-FILES</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Whereisyourfiles</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">india.com</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_README.hta</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_README.jpg</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_OPEN_FILES</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.gangbang</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">GJENOPPRETTING_AV_FILER</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!!! HOW TO DECRYPT FILES !!!</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.braincrypt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTRUCTION RESTORE FILE</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Survey Locker.exe</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Receipt.exe</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">WindowsApplication1.exe</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HWID Lock.exe</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">VIP72.exe</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DALE_FILES.TXT</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_RESTORE_YOUR_DATA</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RESTORE_CORUPTED_FILES</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Cyber SpLiTTer Vbs.exe</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">000-PLEASE-READ-WE-HELP</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.VforVendetta</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">popcorn_time.exe</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">OSIRIS-</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DesktopOsiris</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">inbox.ru</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.no_more_ransom</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.lovewindows</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.osiris</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.R.i.P</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Important!.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!_HOW_TO_RESTORE_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_RESTORE_FILES</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_README_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOWTO_RECOVER_FILES_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_RESTORE_FILES_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ThxForYurTyme</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HOW_TO_Decrypt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_RECOVER_INSTRUCTIONS</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPTION INSTRUCTIONS.</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt explanations.</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_WHAT_is.html</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HOWDO_text.html</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">readme_liesmich_encryptor_raas</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Adatok_visszaallitasahoz_utasitasok</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_TO_RECURE_YOUR_FILES</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Your files encrypted by our friends !!!.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README HOW TO DECRYPT YOUR FILES.HTML</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ_IT.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!Recovery_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ATTENTION.url</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README!!!</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">email-salazar_slytherin10</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">._AiraCropEncrypted!</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_RECOVER_FILES_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HOWDO_text.html</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HOWDO_text.bmp</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HOWDO_text.html</TargetFilename> <!-- NOTE(review): exact duplicate of the _HOWDO_text.html rule already listed above; redundant and safe to drop -->
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">zzzzzzzzzzzzzzzzzyyy</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">zycrypt.</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt your file</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_H_e_l_p_RECOVER_INSTRUCTIONS+</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW-TO-DECRYPT-FILES.HTML</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_DECRYPT.HTML</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">exit.hhr.obleep</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">UnblockFiles.vbs</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_DECRYPT_HYDRA_ID_</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_Readme.TXT.ReadMe</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Decrypt All Files</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HowDecrypt.gif</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_YOURFILES.HTML</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW TO DECRYPT FILES.HTML</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">BUYUNLOCKCODE</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">BitCryptorFileList.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">How_to_decrypt_your_files.jpg</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">How_to_restore_files.hta</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Como descriptografar seus arquivos.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!Recovery_</TargetFilename> <!-- NOTE(review): exact duplicate of the !Recovery_ rule already listed above; redundant and safe to drop -->
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Read_this_file.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ATTENTION!!!.txt</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_DECRYPT.lnk</TargetFilename>
<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how to decrypt aes files.lnk</TargetFilename>
<TargetFilename name="