<!--
sysmon-config | A sysmon configuration focused on default high-quality event tracing and easy customization by the community
Master version: 50 | Date: 2017-03-02
Master author: @SwiftOnSecurity, with contributors also credited in-line or on Git.
Master project: https://github.com/SwiftOnSecurity/sysmon-config
Master license: Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
Fork version: 300
Fork author: ionstorm
Fork project: https://github.com/ion-storm/sysmon-config
Fork license: Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
REQUIRED: Sysmon version 8.00 or higher; it is recommended that you stay updated.
-->
<Sysmon schemaversion="4.10">
<!--SYSMON META CONFIG-->
<HashAlgorithms>md5,imphash,sha256</HashAlgorithms> <!-- MD5 and SHA256 are the industry-standard algorithms for identifying files; IMPHASH (PE import hash) is recorded as well so related builds of the same binary can be clustered -->
<CheckRevocation/> <!-- Check loaded drivers, log if their code-signing certificate has been revoked, in case malware stole one to sign a kernel driver -->
<!-- <ImageLoad/> --> <!-- Would manually force-on ImageLoad monitoring, even without configuration below. Included only for documentation. -->
<!-- <ProcessAccessConfig/> --> <!-- Would manually force-on ProcessAccess monitoring, even without configuration below. Included only for documentation. -->
<!-- <PipeMonitoringConfig/> --> <!-- Would manually force-on PipeCreated / PipeConnected events, even without configuration below. Included only for documentation. -->
<EventFiltering>
<!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
<!--COMMENT: All processes launched will be included, except for those that match a rule below. It's best to be as specific as possible, so that
user-mode executables cannot evade logging by imitating other process names, or by dropping files into an existing directory.
Ultimately, you must weigh the CPU time spent checking many detailed rules against the risk of malware exploiting the blind spots they create.
Beware of Masquerading, where attackers imitate the names and paths of legitimate tools. Ideally, you'd validate with both file path and
code signature, but Sysmon does not support that. Look into Windows Device Guard for whitelisting support. -->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessID, Image, FileVersion, Description, Product, Company, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine-->
<ProcessCreate onmatch="include">
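<!--Mitre ATT&CK Rules-->
<!--NOTE: the enclosing ProcessCreate element is onmatch="include", so ONLY process launches that match a rule in this section are logged;
anything unmatched is dropped silently. Unlike an exclude-mode configuration, a missing or misspelled rule here is a blind spot, not noise.-->
<!--MITRE TACTIC: Defense Evasion-->
<ParentImage name="Alert=Unknown Process Execution" condition="contains">unknown process</ParentImage>
<Image name="Alert=Unknown Process Execution" condition="contains">unknown process</Image>
<Image name="MitreRef=T1117,Technique=Regsvr32-Defense Evasion/Execution" condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
<Image name="MitreRef=T1197,Technique=Bitsadmin File Transfers/Defense Evasion,Alert=BitsAdmin File Transfers" condition="image">bitsadmin.exe</Image>
<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="image">eventvwr.exe</ParentImage>
<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="image">fodhelper.exe</ParentImage>
<Image name="MitreRef=T1118,Technique=InstallUtil,Tactic=Defense Evasion/Execution,Alert=InstallUtil" condition="image">InstallUtil.exe</Image>
<CommandLine name="MitreRef=T1118,Technique=InstallUtil,Tactic=Defense Evasion/Execution,Alert=InstallUtil" condition="contains">/logfile= /LogToConsole=false /U</CommandLine>
<!--T1127 is Trusted Developer Utilities (MSBuild); T1121 is Regsvcs/Regasm. The "MSBuild Applocker Bypass" note applies to MSBuild only.-->
<Image name="MitreRef=T1127,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="image">MSBuild.exe</Image>
<Image name="MitreRef=T1121,Technique=Regsvcs/Regasm Bypass,Tactic=Defense Evasion/Execution" condition="image">regsvcs.exe</Image>
<Image name="MitreRef=T1121,Technique=Regsvcs/Regasm Bypass,Tactic=Defense Evasion/Execution" condition="image">regasm.exe</Image>
<Image name="MitreRef=T1218,Technique=Signed Binary Proxy Execution,Tactic=Defense Evasion/Execution" condition="image">SyncAppvPublishingServer.exe</Image>
<Image name="MitreRef=T1218,Technique=Signed Binary Proxy Execution,Tactic=Defense Evasion/Execution" condition="image">control.exe</Image>
<CommandLine name="MitreRef=T1196,Technique=Control Panel Items,Tactic=Defense Evasion/Execution,Alert=Control Panel Execution" condition="contains">control.exe /name</CommandLine>
<CommandLine name="MitreRef=T1196,Technique=Control Panel Items,Tactic=Defense Evasion/Execution,Alert=Control Panel Execution" condition="contains">rundll32.exe shell32.dll,Control_RunDLL</CommandLine>
<Image name="MitreRef=T1170,Technique=MSHTA,Tactic=Defense Evasion/Execution,Alert=MSHTA Execution" condition="image">mshta.exe</Image>
<ParentImage name="MitreRef=T1170,Technique=MSHTA,Tactic=Defense Evasion/Execution,Alert=MSHTA Execution" condition="image">mshta.exe</ParentImage>
<!--The Windows event-log utility is wevtutil.exe; the previous "wevutil" spelling could never match, so log clearing went unlogged-->
<Image name="MitreRef=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion" condition="image">wevtutil.exe</Image>
<CommandLine name="MitreRef=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion,Alert=Eventlog Removal Detected" condition="contains">wevtutil cl</CommandLine>
<!--Masquerading paths: each prefix is listed once (the previous list repeated most of them, costing CPU without adding coverage); the Fonts entry keeps its Alert tag-->
<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution,Alert=Font Folder execution" condition="begin with">C:\Windows\Fonts\</Image>
<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="contains">\htdocs\</Image>
<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Media\</Image>
<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users\Public\</Image>
<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\addins\</Image>
<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Debug\</Image>
<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users\NetworkService\</Image>
<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\PerfLogs\</Image>
<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users\Default\</Image>
<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Help\</Image>
<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Intel\Logs\</Image>
<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\repair\</Image>
<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\$Recycle.bin\</Image>
<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\security\</Image>
<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="contains">\wwwroot\</Image>
<!--NOTE: the next four prefixes are broad. C:\ProgramData and C:\Users match every process launched from any user profile or ProgramData subfolder
(legitimate installers, updaters and per-user apps included) and overlap with the specific Users\Public, Users\Default and NetworkService entries above.
Expect high volume; keep them only if the SIEM can absorb it, otherwise narrow them.-->
<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\ProgramData</Image>
<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Temp</Image>
<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Temp</Image>
<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users</Image>
<!--ATT&CK technique IDs carry the "T" prefix (T1089), matching the key order and format of the other rules in this file-->
<Image name="MitreRef=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion" condition="image">MpCmdRun.exe</Image>
<Image name="MitreRef=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion" condition="image">PsKill.exe</Image>
<CommandLine name="MitreRef=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion" condition="contains">DisableIOAVProtection</CommandLine>
<CommandLine name="MitreRef=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion" condition="contains">RemoveDefinitions</CommandLine>
<CommandLine name="MitreRef=T1089,Technique=Disabling Security Tools,Tactic=Defense Evasion" condition="contains">Add-MpPreference</CommandLine>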
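<!--MITRE TACTIC: Discovery-->
<!--net / net.exe / net1 / net1.exe account enumeration. "contains" already covers "begin with", so each verb is listed once per binary;
the previous list repeated every entry. "net1.exe localgroup" and "net1 group" were missing from the matrix and are added.-->
<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net user</CommandLine>
<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe user</CommandLine>
<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1 user</CommandLine>
<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1.exe user</CommandLine>
<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net localgroup</CommandLine>
<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe localgroup</CommandLine>
<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1 localgroup</CommandLine>
<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1.exe localgroup</CommandLine>
<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net group</CommandLine>
<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe group</CommandLine>
<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1 group</CommandLine>
<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1.exe group</CommandLine>
<!--Each RuleName carries a single Alert= key; the previous duplicate Alert= keys defeat key=value parsing downstream-->
<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line" condition="begin with">dsadd </CommandLine>
<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line" condition="begin with">dsmod </CommandLine>
<Image name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=DSQuery.EXE Discovery" condition="image">dsquery.exe</Image><!-- Query domain objects -->
<Image name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account creation with dsmod" condition="image">dsmod.exe</Image><!-- Modify domain objects -->
<Image name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account creation with dsadd" condition="image">dsadd.exe</Image><!-- Add domain objects -->
<!--whoami and quser identify the logged-on user: T1033 (System Owner/User Discovery), not T1049. ipconfig reads network configuration: T1016.-->
<Image name="MitreRef=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Alert=Account Discovery,MitreURL=https://attack.mitre.org/wiki/Technique/T1033" condition="image">whoami.exe</Image>
<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery" condition="image">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery,Alert=Process Discovery" condition="image">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
<!--The Windows binary is systeminfo.exe; the previous "sysinfo.exe" could never match-->
<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery,Alert=System Information Discovery" condition="image">systeminfo.exe</Image> <!--Microsoft:Windows: shows system information -->
<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Alert=System Network Connections Discovery" condition="image">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery,Alert=Process Discovery" condition="image">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
<Image name="MitreRef=T1033,Technique=System Owner/User Discovery,Tactic=Discovery,Alert=User enumeration/Discovery" condition="image">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Alert=Network Configuration discovery with route.exe" condition="image">route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
<!--reg query is registry enumeration: T1012 (Query Registry)-->
<CommandLine name="MitreRef=T1012,Technique=Query Registry,Tactic=Discovery,Info=Registry discovery with reg.exe" condition="contains">reg query</CommandLine> <!--Microsoft:Windows: reads and modifies the Windows registry -->
<CommandLine name="MitreRef=T1012,Technique=Query Registry,Tactic=Discovery,Info=Registry discovery with reg.exe" condition="contains">reg.exe query</CommandLine> <!--Microsoft:Windows: reads and modifies the Windows registry -->
<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Alert=Network Configuration Discovery with netsh" condition="image">netsh.exe</Image> <!--Microsoft:Windows: manipulates network configuration and the firewall -->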
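<!--MITRE TACTIC: Execution-->
<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">wscript.exe</Image>
<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">pcalua.exe</Image>
<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">cscript.exe</Image>
<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">wscript.exe</ParentImage>
<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">pcalua.exe</ParentImage>
<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">cscript.exe</ParentImage>
<!--NOTE: "COMSPEC" also appears in many legitimate batch files and installers (%COMSPEC%); treat these two as low-fidelity and correlate with the parent-->
<CommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution,Alert=Metasploit Detection" condition="contains">COMSPEC</CommandLine>
<ParentCommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution,Alert=Metasploit Detection" condition="contains">COMSPEC</ParentCommandLine>
<ParentImage name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="image">powershell.exe</ParentImage>
<ParentImage name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="image">powershell_ise.exe</ParentImage>
<!--The specific "-Version" (downgrade) rules are placed before the generic "contains powershell" rule: the generic rule matches the same command lines,
and a rule that is evaluated after an already-matching one cannot contribute its RuleName. Both spellings carry the downgrade Alert.-->
<CommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution,Alert=Powershell Downgrade attack" condition="begin with">powershell.exe -Version</CommandLine> <!--Microsoft:Windows: PowerShell interface-->
<CommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution,Alert=Powershell Downgrade attack" condition="begin with">powershell -Version</CommandLine> <!--Microsoft:Windows: PowerShell interface-->
<CommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="contains">powershell</CommandLine> <!--Microsoft:Windows: PowerShell interface-->
<ParentCommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="contains">powershell</ParentCommandLine> <!--Microsoft:Windows: PowerShell interface-->
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">iex</CommandLine>
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">Invoke-Expression</CommandLine>
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">iwr</CommandLine>
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">Invoke-WebRequest</CommandLine>
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">DownloadFile</CommandLine>
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">DownloadString</CommandLine>
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">Net.WebClient</CommandLine>
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">System.Net.WebRequest</CommandLine>
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">System.Net.SecurityProtocolType</CommandLine>
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=invoke-shellcode" condition="contains">Shellcode</CommandLine>
<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land,Alert=Bash on Windows Execution" condition="image">bash.exe</Image> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
<ParentImage name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land,Alert=Bash on windows execution" condition="image">bash.exe</ParentImage> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
<!--The key is spelled MitreRef like every other rule (previously "MitreRefS"); S0029 is the ATT&CK software entry for PsExec. The Description rule is listed once.-->
<ParentImage name="MitreRef=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=Child Process of psexec" condition="image">psexesvc.exe</ParentImage>
<Description name="MitreRef=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=PSexec Execution" condition="contains">Execute processes remotely</Description>
<ParentImage name="MitreRef=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=PSexec Execution" condition="image">psexec.exe</ParentImage>
<ParentImage name="MitreRef=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=PSKill Execution" condition="image">pskill.exe</ParentImage>
<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">forfiles.exe</Image>
<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect command execution child process" condition="image">forfiles.exe</ParentImage>
<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution,Alert=Windows Remote Management execution" condition="image">wsmprovhost.exe</Image>
<ParentImage name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution,Alert=Windows Remote Management execution" condition="image">wsmprovhost.exe</ParentImage>
<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution,Alert=Windows Remote Management Execution" condition="end with">winrm.cmd</Image>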
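<!--MITRE TACTIC: Persistence-->
<!--Tactic values use the same "Persistence/Privilege Escalation" form throughout (the sethc entry lacked the separator, and several entries spelled "Privledge"),
so SIEM grouping on the Tactic key stays consistent-->
<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">sethc.exe</ParentImage>
<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">utilman.exe</ParentImage>
<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">osk.exe</ParentImage>
<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">Magnify.exe</ParentImage>
<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">DisplaySwitch.exe</ParentImage>
<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">Narrator.exe</ParentImage>
<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">AtBroker.exe</ParentImage>
<Image name="MitreRef=T1138,Technique=Application Shimming,Tactic=Persistence/Privilege Escalation,Alert=Application Shimming" condition="image">sdbinst.exe</Image>
<Image name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,Alert=Task Scheduler execution" condition="image">schtasks.exe</Image>
<ParentImage name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,Alert=Child process from schtasks" condition="image">schtasks.exe</ParentImage>
<CommandLine name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,Alert=schtasks task created" condition="contains">schtasks /create</CommandLine>
<CommandLine name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,Alert=schtasks task created" condition="contains">schtasks.exe /create</CommandLine>
<Image name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,Alert=at.exe Task scheduler execution" condition="image">at.exe</Image>
<ParentImage name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privilege Escalation,Alert=at.exe Task scheduler execution" condition="image">at.exe</ParentImage>
<!--System.Management.Automation on a command line is PowerShell hosted outside powershell.exe; tagged T1086 (PowerShell) in place of the "ToDo" placeholder-->
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution/Lateral Movement,Alert=Powershell Injection persistence bypass" condition="contains">System.Management.Automation</CommandLine>
<!--Each RuleName carries a single Alert= key (duplicate keys defeat key=value parsing downstream).
NOTE: the generic "net user" and "net localgroup" rules earlier in this section already match these two command lines; if only the first matching
rule's name is reported, these Alerts will not surface unless they are moved above the generic rules.-->
<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=User added via command line" condition="contains">net user /add</CommandLine>
<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Administrator added via command line" condition="contains">net localgroup administrators /add</CommandLine>
<CommandLine name="MitreRef=T1050,Technique=New Service,Tactic=Persistence/Privilege Escalation,Alert=Service added via command line" condition="contains">sc create</CommandLine>
<CommandLine name="MitreRef=T1050,Technique=New Service,Tactic=Persistence/Privilege Escalation,Alert=Service added via command line" condition="contains">sc.exe create</CommandLine>
<CommandLine name="MitreRef=T1050,Technique=New Service,Tactic=Persistence/Privilege Escalation,Alert=Service added via command line" condition="contains">new-service</CommandLine>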
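<!--MITRE TACTIC: Lateral Movement-->
<!--A child of wmiprvse.exe is a process started through WMI: T1047 (Windows Management Instrumentation), not T1028 (WinRM)-->
<ParentImage name="MitreRef=T1047,Technique=Windows Management Instrumentation,Tactic=Execution/Lateral Movement,Alert=Hacking" condition="image">wmiprvse.exe</ParentImage>
<!--RDP session shadowing: T1076 (Remote Desktop Protocol) replaces the T0000 placeholder. Each RuleName carries a single Alert= key.
NOTE: "/shadow" is matched anywhere in any command line, so unrelated tools using that switch will also be logged.-->
<CommandLine name="MitreRef=T1076,Technique=Remote Desktop Protocol,Tactic=Lateral Movement,Alert=Remote Desktop Shadow" condition="contains">/shadow</CommandLine>
<CommandLine name="MitreRef=T1076,Technique=Remote Desktop Protocol,Tactic=Lateral Movement,Alert=Remote Desktop Shadow with no consent prompt" condition="contains">/noConsentPrompt</CommandLine>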
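<!--MITRE TECHNIQUE: Obfuscation-->
<!--NOTE: most entries here are PowerShell launch-flag variants; T1027 (Obfuscated Files or Information, Defense Evasion) and T1086 (PowerShell)
describe them more closely than T1001 (Data Obfuscation, C2). The MitreRef values are left as the author tagged them pending a tagging review.-->
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">FromBase64String</CommandLine>
<!--Each RuleName carries a single Alert= key (duplicate keys defeat key=value parsing downstream)-->
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Secure String creation" condition="contains">convertto-securestring</CommandLine>
<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Obfuscation with VerbosePreference" condition="contains">VerbosePreference.ToString</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">runtime.interopservices.marshal</CommandLine>
<!--Abbreviated -WindowStyle hidden. "contains" on "-win h" already matches "-win hi" through "-win hidden", and "-wi h" was listed twice;
a second rule with the same match value adds no coverage, so those entries are dropped-->
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowstyle h</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowstyl h</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowsty h</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowst h</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windows h</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-window h</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windo h</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-wind h</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win h</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-wi h</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-w h</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-Nop</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-Noni</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-encodedc</CommandLine>
<!--NOTE: "-ec" and "-en" are two-character substrings and will also match unrelated switches (for example -encoding); expect noise from these two-->
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-ec</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-en</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">^c^o^m^S^p^E^c^</CommandLine>
<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">C^om^S^pEc</CommandLine>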
<!--Native Windows tools - Living off the land-->
<Image name="MitreRef=ToDo,Technique=,Alert=Process/Session/User Query with query.exe" condition="image">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
<Image name="MitreRef=CAPEC-293,Technique=Traceroute Route Enumeration,Alert=Traceroute Enumeration,MitreURL= https://capec.mitre.org/data/definitions/293.html" condition="image">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
<Image name="MitreRef=ToDo,Technique=,Alert=tree of directory structure disclosure" condition="end with">tree.com</Image> <!--Microsoft:Windows: shows recursive directory listing -->
<Image name="MitreRef=T1134,Technique=Access Token Manipulation,Alert=Token Manipulation with runas.exe" condition="image">runas.exe</Image> <!--Microsoft:Windows: run a process as another user -->
<Image name="MitreRef=ToDo,Technique=,Alert=Command Line task kill" condition="image">taskkill.exe</Image> <!--Microsoft:Windows: stops processes -->
<Image name="MitreRef=ToDo,Technique=,Alert=Kerberos Ticket Disclosure with klist" condition="image">klist.exe</Image> <!--Microsoft:Windows: show cached kerberos tickets -->
<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=HTML Help execution with hh.exe" condition="image">hh.exe</Image> <!--Microsoft:Windows: HTML Help executable; abused to launch commands or script from crafted .chm files. The previous alert text ("Kerberos Ticket Disclosure") was a copy-paste of the klist rule above and was wrong for hh.exe.-->
<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Possible driver load with odbcconf" condition="image">odbcconf.exe</Image> <!--Microsoft:Windows: allows for driver loads -->
<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land,Alert=Program Compatibility bypass" condition="image">pcalua.exe</Image> <!--Microsoft:Windows: Program Compatibility Assistant launcher; can be used to start an arbitrary program indirectly-->
<Image name="MitreRef=T1158,Technique=Hacking/LOLBins-Living off the Land,Alert=Attrib bypass" condition="image">attrib.exe</Image>
<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Possible credential modification or disclosure with cmdkey" condition="image">cmdkey.exe</Image> <!--Microsoft:Windows: creates, lists, and deletes stored user names and passwords or credentials.-->
<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Domain and trust enumeration with nltest.exe" condition="image">nltest.exe</Image> <!--Microsoft:Windows: nltest queries domain controllers and trust relationships. The malformed "AlertNLTest=" key previously left this rule with no Alert value. Overlaps with the CommandLine rule on the next line, so a single nltest run can produce both RuleName values.-->
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=NLTest" condition="contains">nltest.exe</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=" condition="contains">ExtExport</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">bash -c</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">bash.exe -c</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=" condition="contains">cmdkey /list</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=" condition="contains">cmdkey.exe /list</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">certutil.exe -urlcache -split -f</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">certutil -urlcache -split -f</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=csc compile output" condition="contains">csc -out:</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc.exe -out:</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc -target:library</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc.exe -target:library</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmdkey /list</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmd.exe /k</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmstp.exe /ni /s</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmstp /ni /s</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">esentutl.exe /y \\</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">esentutl /y \\</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">expand \\</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">expand.exe \\</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">extrac32 \\</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">extrac32.exe \\</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">ieexec.exe http</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">ieexec http</CommandLine>
<ParentImage name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">diskshadow</ParentImage>
<!--LoLBin Applocker bypasses. Caveat: set, pushd, popd, ren, move, md, del, rd, assoc and cls are cmd.exe internal commands, not executables. They never produce a ProcessCreate event of their own, and when run as "cmd /c set ..." the command line begins with cmd, so the "begin with" rules for them below cannot fire; only the "contains" rules (pushd, popd, subst) can match inside a longer cmd.exe command line. No cls.exe ships with Windows, so that Image rule is dead as well. Also note that "format " and "mshtml,RunHTMLApplication" each appear twice in this section.-->
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">advpack.dll,LaunchINFSection</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">mshtml,RunHTMLApplication</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">/s /n /u /i:http:</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">mshtml,RunHTMLApplication</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">bginfo.bgi /popup /nolicprompt</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">set </CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">setx </CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">pushd</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">popd</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">subst</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">ren </CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">move </CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">md </CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">del </CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">rd </CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">expand </CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">find.exe</CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">assoc </CommandLine>
<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect cls in batch scripts" condition="image">cls.exe</Image>
<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect aliases" condition="image">doskey.exe</Image>
<!-- -->
<!--Mavinject -->
<Image name="MitreRef=T1218,Technique=Mavinject,Alert=Process Injection" condition="image">Mavinject.exe</Image>
<CommandLine name="MitreRef=T1218,Technique=Mavinject,Alert=Process Injection" condition="contains">/INJECTRUNNING</CommandLine>
<Image name="MitreRef=T1191,Technique=CMSTP,Alert=Possible CMSTP INF abuse" condition="image">CMSTP.exe</Image> <!--Connection Manager Profile Installer; the Technique text was previously a copy-paste of the Mavinject rules above. Overlaps with the "cmstp /ni /s" CommandLine rules in the LOLBin section.-->
<!--certutil -decode base64-decodes a file already on disk (payload deobfuscation); the download case is the "certutil -urlcache -split -f" rules in the LOLBin section above. Both rules below only match when the switch is spelled -decode; certutil also accepts /decode.-->
<CommandLine name="MitreRef=T1105,Technique=Command and Control/Lateral Movement" condition="contains">certutil.exe -decode</CommandLine>
<CommandLine name="MitreRef=T1105,Technique=Command and Control/Lateral Movement" condition="contains">certutil -decode</CommandLine>
<!-- -->
<!--Detect Spawned Adobe Parent Processes-->
<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Acrobat" condition="image">acrobat.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Adobe Reader" condition="image">acrord32.exe</ParentImage>
<!-- -->
<!--Detect Spawned Browser Parent Processes-->
<ParentImage name="MitreRef=ToDo,Technique=Process Spawned Process from Chrome" condition="image">chrome.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Firefox" condition="image">firefox.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Internet Explorer" condition="image">iexplore.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="image">MicrosoftEdgeCP.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="image">MicrosoftEdge.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Vivaldi Browser" condition="image">vivaldi.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Waterfox Browser" condition="image">waterfox.exe</ParentImage>
<!-- -->
<!--Detect Spawned Java Parent Processes-->
<ParentImage name="MitreRef=ToDo,Technique=" condition="image">java.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=" condition="image">javaw.exe</ParentImage>
<!-- -->
<!--Detect Spawned Office Parent Processes & Abuse-->
<!--Word's process image is WINWORD.EXE; the previous value "word.exe" matched nothing, so child processes of Word were never logged by this rule.-->
<ParentImage name="MitreRef=ToDo,Technique=" condition="image">winword.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=" condition="image">excel.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=" condition="image">POWERPNT.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=" condition="image">outlook.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=" condition="image">visio.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=" condition="image">msaccess.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=" condition="image">lync.exe</ParentImage>
<ParentImage name="MitreRef=ToDo,Technique=" condition="image">skype.exe</ParentImage>
<!-- -->
<!--Detect Output Redirection. Low-fidelity enrichment rather than alerts: these single-character matches fire on any command line that carries the character, including URLs and ordinary quoting. The ">" rule already covers "2>", and "^" is the cmd.exe escape character (also used for obfuscation, see the ^c^o^m^S^p^E^c^ rules above) rather than a redirection operator.-->
<CommandLine name="Alert=Output Redirection" condition="contains">2></CommandLine>
<CommandLine name="Alert=Output Redirection" condition="contains">&lt;</CommandLine>
<CommandLine name="Alert=Output Redirection" condition="contains">&gt;</CommandLine>
<CommandLine name="Alert=Output Redirection" condition="contains">^</CommandLine>
<!-- -->
<!--Detect Multiple Commands / command chaining. Same caveat as the redirection rules: "&", ";", "|" and ".." match any command line that contains the characters (URLs with query strings, relative paths), and "more" matches that substring anywhere, e.g. inside a path name, not just more.com. The \\tsclient rule is the high-value one here: it is the RDP-mapped client drive, so a process launched from it came in over a remote desktop session.-->
<CommandLine name="Alert=Multiple Commands" condition="contains">&amp;</CommandLine>
<CommandLine name="Alert=Multiple Commands" condition="contains">;</CommandLine>
<CommandLine name="Alert=Command Pipe" condition="contains">|</CommandLine>
<CommandLine name="Alert=interactive command to slow output" condition="contains">more</CommandLine>
<CommandLine name="Alert=Commands run from \\tsclient share ie: samsam ransomware" condition="contains">\\tsclient</CommandLine>
<CommandLine name="Alert=DotDot Dirs" condition="contains">..</CommandLine>
<!--Hacking Command Line Events. Caveats for consumers of the RuleName field: every rule below carries "Tactic=Privilege Escalation" although the content spans discovery (netscan, Invoke-ARPScan), credential access (mimikatz, sekurlsa, reg SAVE), persistence (Add-Persistence, FilterToConsumerBinding), exfiltration (Add-Exfiltration, Do-Exfiltration), coin mining (stratum+tcp) and backup destruction (wmic shadowcopy delete, wbadmin delete catalog, bcdedit recoveryenabled no), and several names contain two "Tactic=" keys, so a parser that splits on the key will keep only one of them. Several entries are exact duplicates of earlier ones (Invoke-DllInjection, Invoke-ReflectivePEInjection, Get-Keystrokes, Invoke-NinjaCopy, Out-Minidump, Get-VaultCredential, Invoke-TokenManipulation, Get-GPPPassword, Win32_TaskService). Image-name rules such as ProcDump.exe are bypassed simply by renaming the binary; match on OriginalFileName as well where the deployed Sysmon schema supports it.-->
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">wmic shadowcopy delete</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">wbadmin delete catalog</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation,Note=BCDEdit disabling auto repair" condition="contains">/set {default} recoveryenabled no</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">telnet</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">-dumpcr</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">putty</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">bash.exe</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">pssh</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">sdelete</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">shareenum</CommandLine>
<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">sekurlsa</CommandLine>
<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">reg SAVE</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-DllInjection</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Shellcode</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-WmiCommand</CommandLine>
<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-GPPPassword</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-Keystrokes</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-TimedScreenshot</CommandLine>
<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-VaultCredential</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-CredentialInjection</CommandLine>
<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">mimikatz</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-NinjaCopy</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-TokenManipulation</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Out-Minidump</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">VolumeShadowCopyTools</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ReflectivePEInjection</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-UserHunter</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Find-GPOLocation</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ACLScanner</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-DowngradeAccount</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ServiceUnquoted</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ServiceFilePermission</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ServicePermission</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ServiceAbuse</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Install-ServiceBinary</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-RegAutoLogon</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-VulnAutoRun</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-VulnSchTask</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-UnattendedInstallFile</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-WebConfig</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ApplicationHost</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-RegAlwaysInstallElevated</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-Unconstrained</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Add-RegBackdoor</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Add-ScrnSaveBackdoor</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Gupt-Backdoor</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ADSBackdoor</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Enabled-DuplicateToken</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PsUaCme</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Remove-Update</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Check-VM</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-LSASecret</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-PassHashes</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Show-TargetScreen</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Port-Scan</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">netscan</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">psscan</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PoshRatHttp</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PowerShellTCP</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PowerShellWMI</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Add-Exfiltration</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Add-Persistence</CommandLine>
<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Do-Exfiltration</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Start-CaptureServer</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-DllInjection</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ReflectivePEInjection</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ShellCode</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ChromeDump</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ClipboardContents</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-FoxDump</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-IndexedItem</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-Keystrokes</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-Screenshot</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Inveigh</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-NetRipper</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-NinjaCopy</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Out-Minidump</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-EgressCheck</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PSInject</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-RunAs</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">MailRaider</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">New-HoneyHash</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Set-MacAttribute</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-VaultCredential</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-DCSync</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PowerDump</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-TokenManipulation</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Exploit-Jboss</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ThunderStruck</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-VoiceTroll</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Set-Wallpaper</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-InveighRelay</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PsExec</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-SSHCommand</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-SecurityPackages</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Install-SSP</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-BackdoorLNK</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">PowerBreach</CommandLine>
<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-GPPPassword</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-SiteListPassword</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-System</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">BypassUAC</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Tater</CommandLine>
<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">PowerUp</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">PowerView</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-RickAstley</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Find-Fruit</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">HTTP-Login</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Find-TrustedDocuments</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Paranoia</CommandLine>
<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-WinEnum</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ARPScan</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ReverseDNSLookup</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">smbscanner</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-FruityC2</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Stager</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">process call create</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">call set priority</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">call terminate</CommandLine>
<CommandLine name="Alert=Hacking Command Line events/WMIC product listing,Tactic=Privilege Escalation" condition="contains">product get name</CommandLine>
<CommandLine name="Alert=Hacking Command Line events/WMIC bios serial query,Tactic=Privilege Escalation" condition="contains">bios get serialnumber</CommandLine> <!--Matching is case-insensitive. The previous value "bios, get serialNumber" contained a comma that wmic syntax does not use between the alias and the verb, so it never matched "wmic bios get serialnumber".-->
<CommandLine name="Alert=Hacking Command Line events/WMIC query vmware,Tactic=Privilege Escalation" condition="contains">onboarddevice get</CommandLine>
<CommandLine name="Alert=Hacking Command Line events/WMIC User Modifications,Tactic=Privilege Escalation" condition="contains">useraccount where name</CommandLine>
<CommandLine name="Alert=Hacking Command Line events/WMIC Eventlog modifications,Tactic=Privilege Escalation" condition="contains">nteventlog where filename</CommandLine>
<CommandLine name="Alert=Hacking Command Line events/WMIC Eventlog modifications,Tactic=Privilege Escalation" condition="contains">cleareventlog</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">root\default</CommandLine> <!--WMI namespace. Sysmon match values are not backslash-escaped, so the previous "root\\default" only matched a literal double backslash (e.g. when copied from a rule format that escapes backslashes) and missed the normal single-backslash form.-->
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">FilterToConsumerBinding</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">root\subscription</CommandLine> <!--WMI event subscription namespace used for persistence; single backslash for the same reason as root\default above.-->
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Win32_TaskService</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Win32_TaskService</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">stratum+tcp</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">-donate-level=</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Wmiclass</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">WmiCl'+'as'+'s</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">ntdsutil</CommandLine>
<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">mimiauth</CommandLine>
<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Powersploit</CommandLine>
<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Mimikittenz</CommandLine>
<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">-ma lsass.exe</CommandLine>
<Image name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">ProcDump.exe</Image>
<!--Malicious Keywords Credits: Sean Metcalf (source), Florian Roth (rule)-->
<!--NOTE(review): these are literal substrings of .NET and Win32 API names as they appear in PowerShell one-liners passed on the command line.
They fire on any command line carrying the text, including legitimate administrative or developer scripts (System.Security.Cryptography,
Reflection.Assembly and Runtime.InteropServices are common in benign automation), so treat this block as a triage signal rather than a
high-confidence alert. Scripts loaded from a file rather than inlined on the command line are not seen by these rules at all.-->
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">AdjustTokenPrivileges</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">IMAGE_NT_OPTIONAL_HDR64_MAGIC</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Management.Automation.RuntimeException</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Microsoft.Win32.UnsafeNativeMethods</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">ReadProcessMemory.Invoke</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Runtime.InteropServices</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">SE_PRIVILEGE_ENABLED</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">System.Security.Cryptography</CommandLine>
<!--NOTE(review): redundant: the Runtime.InteropServices rule above already matches every command line that contains
System.Runtime.InteropServices, so this rule can never add an event.-->
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">System.Runtime.InteropServices</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">LSA_UNICODE_STRING</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">MiniDumpWriteDump</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">PAGE_EXECUTE_READ</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Net.Sockets.SocketFlags</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Reflection.Assembly</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">SECURITY_DELEGATION</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_ADJUST_PRIVILEGES</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_ALL_ACCESS</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_ASSIGN_PRIMARY</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_DUPLICATE</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_ELEVATION</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_IMPERSONATE</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_INFORMATION_CLASS</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_PRIVILEGES</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_QUERY</CommandLine>
<!--NOTE(review): the two tool names below are literal matches on the command line; they only catch invocations that still carry the
original name, so they are a cheap signal, not a detection of the tools themselves.-->
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Metasploit</CommandLine>
<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Mimikatz</CommandLine>
<!--Malware IOC's-->
<!--NOTE(review): "usn deletejournal" is the fsutil sub-command that discards the NTFS change journal, which has almost no legitimate use on
an endpoint and is why it is labelled as a ransomware indicator rather than a generic alert.-->
<CommandLine name="Alert=Potential Ransomware indicator" condition="contains">usn deletejournal</CommandLine>
<!--NOTE(review): the next two rules catch exactly two cmd.exe spellings of a split "http" (caret and double-quote insertion). Other escape
styles are not covered, so these are best-effort indicators of obfuscated download commands, not a general obfuscation detector. The labels
reuse the "Hacking Command Line events" name from the section above; a dedicated name would make these easier to triage.-->
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">^h^t^t^p</CommandLine>
<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">h"t"t"p</CommandLine>
<!--Suspicious Windows tools-->
<!--NOTE(review): the "image" condition matches either the full image path or the bare file name, so the unqualified names below match the
binary wherever it runs from. Several Image rules in this block carry no name attribute (rundll32, notepad, regsvr32, regsvcs, svchost, mshta,
SyncAppvPublishingServer, Mavinject, nbtstat, infDefaultInstall, sc, auditpol, qwinsta, rwinsta); the event is still included but the record
has no RuleName, unlike its neighbours. Give each one a name= so SIEM searches can key on it.-->
<CommandLine name="MitreRef=T1216,Technique=Signed Script Proxy Execution,Tactic=Defense Evasion/Execution" condition="contains">script:http</CommandLine> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
<Image condition="image">regsvcs.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/3f94d7080e6c5b8f59eeecc3d44f7e817b31562caeba21d02ad705a0bfc63d67?environmentId=100 ] -->
<!--NOTE(review): this includes every launch of the service host by its full path. Most of those launches are then removed by the long list
of svchost exclusions in the exclude block further down, and in Sysmon an exclude match always wins over an include match, so what actually
reaches the log is "svchost launched with a command line that is not on the exclusion list". That is a useful residual signal, but only as
good as the exclusion list is tight.-->
<Image condition="image">C:\Windows\system32\svchost.exe</Image> <!--Windows Services hidden by Svchost.exe, BITS File Transfer program-->
<Image condition="image">mshta.exe</Image>
<!--NOTE(review): "contains" on the image path, so psexe also matches the service-side binary (PSEXESVC) on the receiving host, which is the
more valuable of the two sightings for lateral-movement triage.-->
<Image name="Alert=Psexec Utilities" condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
<Image name="Alert=PsKill Command" condition="contains">pskill</Image><!--Detect pskill-->
<Image name="Alert=Remote Shutdown with Psexec" condition="contains">psshutdown</Image><!--Detect PsShutdown-->
<Image name="Alert=Sysinternals PSService" condition="contains">psservice</Image><!--Detect PsService-->
<Image name="Alert=Sysinternals PsPasswd" condition="contains">PsPasswd</Image><!--Detect PsPasswd-->
<Image name="Alert=MSBuild Applocker bypass" condition="image">msbuild.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
<Image name="Note=MSI Installer Launched" condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->
<Image name="Note=Remote Desktop" condition="image">mstsc.exe</Image><!-- Remote Desktop -->
<Image name="Alert=Telnet Terminal Emulator" condition="image">telnet.exe</Image><!-- Telnet -->
<Image condition="image">SyncAppvPublishingServer.exe</Image><!--Mitre T1218-->
<Image condition="image">Mavinject.exe</Image><!--Mitre T1218-->
<Image name="Alert=Secure Shell Execution" condition="image">ssh.exe</Image><!-- SSH -->
<Image name="Alert=Secure Shell Execution" condition="image">putty.exe</Image><!-- SSH -->
<Image name="Alert=Secure Shell Execution" condition="image">kitty.exe</Image><!-- SSH -->
<Image name="Alert=Secure Shell Execution" condition="image">kitty_portable.exe</Image><!-- SSH -->
<Image name="Alert=Secure Shell FTP Execution" condition="image">psftp.exe</Image><!-- SFTP -->
<Image name="Alert=TFTP Execution" condition="image">tftp.exe</Image><!-- TFTP -->
<Image name="Note=WMI Querying" condition="image">wmic.exe</Image><!-- wmic /node logging -->
<Image condition="image">nbtstat.exe</Image><!-- Netbios stat-->
<Image name="Alert=Driver Querying" condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
<Image condition="image">infDefaultInstall.exe</Image> <!--Microsoft: [ https://github.com/huntresslabs/evading-autoruns ] | Credit @KyleHanslovan -->
<Image condition="image">sc.exe</Image><!-- Service Control Manager-->
<Image condition="image">auditpol.exe</Image><!-- Auditpol-->
<Image condition="image">qwinsta.exe</Image><!-- Query Remote Sessions-->
<Image condition="image">rwinsta.exe</Image><!-- Reset Remote Sessions-->
<!--NOTE(review): curl.exe ships in System32 on current Windows 10 and 11 builds, so the "Linux tools installed on windows" label is dated and
this rule will fire on benign scripts that rely on the built-in copy; treat it as an inventory signal rather than an alert. It is unclear
which tool www.exe is meant to identify; verify that it is a real binary name in your environment or drop the rule.-->
<Image name="Alert=Linux tools installed on windows" condition="image">curl.exe</Image>
<Image name="Alert=Linux tools installed on windows" condition="image">wget.exe</Image>
<Image name="Alert=Linux tools installed on windows" condition="image">www.exe</Image>
<Image name="Alert=Linux tools installed on windows" condition="image">awk.exe</Image>
<Image name="Alert=Linux tools installed on windows" condition="image">sed.exe</Image>
<!--SECTION: Crypto Currency Miners-->
<!--NOTE(review): all rules here are case-insensitive substring matches on the command line: miner binary names, pool brand names and the
generic pool parameter names. Because "contains" is a substring test, several entries are redundant: blockmasterscoins cannot match without
blockmasters matching first, and zergpoolcoins likewise with zergpool; poolname is listed twice; stratum+tcp is also listed in the
"Hacking Command Line events" section above under a different name. None of this breaks anything, but duplicate rules with different names
make the reported RuleName ambiguous.-->
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">stratum+tcp</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">coinhive</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">minergate</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">ccminer</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">cgminer</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">sgminer</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">rainbowminer</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">xmrMiner</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">poolpassword</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">poolurl</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">poolname</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">ahashpool</CommandLine>
<!--NOTE(review): duplicate of the poolname rule two lines above.-->
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">poolname</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">blazepool</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">blockmasters</CommandLine>
<!--NOTE(review): subsumed by the blockmasters rule directly above.-->
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">blockmasterscoins</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">hashrefinery</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">miningpoolhubcoins</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">nicehash</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">yiimp</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">zergpool</CommandLine>
<!--NOTE(review): subsumed by the zergpool rule directly above.-->
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">zergpoolcoins</CommandLine>
<CommandLine name="Alert=Crypto Currency Miner" condition="contains">zpool</CommandLine>
<!--Tor-->
<!--NOTE(review): bare file-name match, so a renamed Tor client is not caught; this rule is a convenience, not a Tor detector. It has no name
attribute, so the event carries no RuleName; add one (for example name="Alert=Tor client launched") for consistency with the rules above.-->
<Image condition="image">tor.exe</Image><!-- Tor-->
<!--Suspicious Command Line Locations-->
<!--NOTE(review): these path rules overlap heavily and matching is case-insensitive: the unnamed "\Users" rule is a superset of the named
"C:\users" rule, the unnamed "\ProgramData" rule is a superset of the named "\programdata\" rule, and "\Windows\" covers most of the system
binaries that are individually listed above. The overlaps are harmless for inclusion, but the RuleName a consumer sees may come from whichever
rule Sysmon reports when several match; confirm that behaviour on your Sysmon build before relying on the Info= labels here.-->
<Image name="MitreRef=T1059,Technique=Command-Line Interface/Execution" condition="end with">.com</Image>
<Image name="Info=Executables Launched In Temp" condition="contains">\temp\</Image>
<Image name="Info=Executables Launched In User Dirs" condition="begin with">C:\users</Image>
<!--NOTE(review): includes everything a user starts from the desktop or Explorer, which is most interactive activity; intentional, but it is
the single largest contributor to volume in this block.-->
<ParentImage condition="image">explorer.exe</ParentImage>
<Image condition="image">control.exe</Image>
<Image condition="image">acrord32.exe</Image>
<Image condition="image">installutil.exe</Image>
<!--NOTE(review): the "image" condition compares either the full path or the bare file name, so a value with a leading backslash is unlikely
ever to match; reg.exe launches are probably not being logged by this rule. Use reg.exe (or a contains match on \reg.exe) instead, and verify
on a test host.-->
<Image name="Info=Registry modification/queries" condition="image">\reg.exe</Image>
<Image name="Info=ipconfig discovery" condition="image">ipconfig.exe</Image>
<Image name="Info=Executables Launched In Appdata" condition="contains">\appdata\</Image>
<Image condition="contains">\programdata\</Image>
<Image condition="contains">\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
<Image condition="contains">\ProgramData</Image>
<Image condition="contains">\Windows\</Image>
<Image condition="contains">\Perflogs\</Image>
<Image condition="contains">\config\systemprofile\</Image>
<!--Include Everything last to allow rules to apply and to allow previous exclude ruleset to function-->
<!--NOTE(review): the "\" rule below matches any image path containing a backslash, i.e. every process, so from here on the include side is
effectively "log everything not excluded" and the remaining rules only contribute RuleName labels. The comment above says the catch-all should
be last, but the Windows Firewall, Defender, Ramnit, Docusign and Gootkit rules follow it; if RuleName attribution depends on rule order on
your Sysmon build those labels may never be reported. Either move the catch-all to the end of this block or verify the labels in the log.-->
<CommandLine name="Note=Windows Firewall Modifications" condition="contains">netsh advfirewall firewall</CommandLine>
<Image condition="contains">\</Image>
<!--NOTE(review): the value below ends with a space, so it matches only when another token follows the switch; a command line that ends right
after the switch, or that writes it with a colon-separated argument, is missed. Drop the trailing space unless that is deliberate.-->
<CommandLine name="Alert=Windows Defender Disabled" condition="contains">DisableRealtimeMonitoring </CommandLine>
<!--NOTE(review): the two switches in the next rule are ordinary Chromium command-line options, so a browser started with them by an
administrator or a test harness produces the same event; confirm on a sample before paging on this name.-->
<CommandLine name="Alert=Ramnit Banker Malware!" condition="contains">--disable-http2 --disable-quic</CommandLine>
<!--NOTE(review): the Hashes field is a comma-separated list of ALGORITHM=value pairs, which is why "contains" on a bare hex string works
here; it only works for MD5 if md5 is among the configured HashAlgorithms at the top of the file. Static hash indicators go stale quickly, so
review these periodically. The two Ramnit MD5s below both cite one SHA256 sample page; confirm that each MD5 really resolves to the cited
sample before treating a hit as confirmed Ramnit.-->
<Hashes name="Alert=Ramnit Banker Malware!" condition="contains">291ff87948e45914424cec9510c297da</Hashes><!--Ramnit Banker Malware: https://www.virustotal.com/#/file/7f054300fa64e7bcdec7f5538876e6008d6164f21ff21c6375e36dfe04a63412/details-->
<Hashes name="Alert=Ramnit Banker Malware!" condition="contains">304772c80b157a916c7041f2f15939fb</Hashes><!--Ramnit Banker Malware: https://www.virustotal.com/#/file/7f054300fa64e7bcdec7f5538876e6008d6164f21ff21c6375e36dfe04a63412/details-->
<Hashes name="Alert=Docusign Spam/Phishing!" condition="contains">5E022694C0DBD1FBBC263D608E577949</Hashes><!--Docusign Spam: https://www.vkremez.com/2018/03/malware-spam-internals-docusign-spam.html -->
<Hashes name="Alert=Gootkit Banker Malware!" condition="contains">71345b139166482acaa568ac8816c7bc</Hashes><!--Malware Traffic Internals: BlackTDS Leads to Gootkit Banking Malware Distribution: https://www.vkremez.com/2018/03/3-29-2018-malware-traffic-internals.html-->
<Hashes name="Alert=Gootkit Banker Malware!" condition="contains">1b60021baedc3f9201bcdb40e9b87f62</Hashes><!--Malware Traffic Internals: BlackTDS Leads to Gootkit Banking Malware Distribution: https://www.vkremez.com/2018/03/3-29-2018-malware-traffic-internals.html-->
<Hashes name="Alert=Gootkit Banker Malware!" condition="contains">c7c8d584758854bbe0d8e64ef53ae1a8</Hashes><!--Malware Traffic Internals: BlackTDS Leads to Gootkit Banking Malware Distribution: https://www.vkremez.com/2018/03/3-29-2018-malware-traffic-internals.html-->
</ProcessCreate>
<ProcessCreate onmatch="exclude">
<!--SECTION: Microsoft Windows-->
<!--NOTE(review): everything in this exclude block is removed from logging before any include rule is considered, so each entry is a
deliberate blind spot; keep them as narrow as the noise justifies. Duplicates in this section: the DllHost /Processid rule and the
SearchIndexer ParentImage rule each appear twice, and CompatTelRunner, MusNotification, MusNotificationUx, the SearchIndexer /Embedding
command line, powercfg and PresentationFontCache are repeated in later sections. Harmless, but worth pruning so the list stays reviewable.-->
<!--NOTE(review): dropping every AppContainer-integrity process hides all sandboxed code (store apps, sandboxed browser children) from
process-creation logging. That is the author's accepted trade-off; make sure it is also yours.-->
<IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Microsoft:Windows: Don't care about sandboxed processes-->
<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
<CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine> <!--Microsoft:Windows: Search Indexer-->
<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
<Image condition="is">C:\Windows\System32\MusNotification.exe</Image> <!--Microsoft:Windows: Update popups-->
<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image> <!--Microsoft:Windows: Update popups-->
<Image condition="is">C:\Windows\System32\audiodg.exe</Image> <!--Microsoft:Windows: Launched constantly-->
<Image condition="is">C:\Windows\System32\conhost.exe</Image> <!--Microsoft:Windows: Command line interface host process-->
<Image condition="is">C:\Windows\System32\powercfg.exe</Image> <!--Microsoft:Power configuration management-->
<Image condition="is">C:\Windows\System32\wbem\WmiApSrv.exe</Image> <!--Microsoft:Windows: WMI performance adapter host process-->
<Image condition="is">C:\Windows\servicing\TrustedInstaller.exe</Image> <!--Microsoft:Windows: TrustedInstaller-->
<Image condition="is">C:\Windows\system32\sppsvc.exe</Image> <!--Microsoft:Windows: Software Protection Service-->
<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
<!--NOTE(review): duplicate of the DllHost /Processid rule above.-->
<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
<!--NOTE(review): excluding every child of the DcomLaunch service host also hides processes started through DCOM activation, including remote
activation, which defenders commonly watch for as a lateral-movement indicator. Consider narrowing this to the specific noisy child images
rather than the whole parent.-->
<ParentCommandLine condition="begin with">C:\Windows\system32\svchost.exe -k DcomLaunch</ParentCommandLine> <!--Microsoft:Windows-->
<ParentCommandLine condition="contains">\SystemRoot\System32\smss.exe 00000100 0000007c</ParentCommandLine> <!--Microsoft:Windows 10 Noise-->
<CommandLine condition="contains">\SystemRoot\System32\smss.exe 00000100 0000007c</CommandLine> <!--Microsoft:Windows 10 Noise-->
<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font Cache Service-->
<ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!--Microsoft:Windows:CommandShell: Triggered when programs use the command shell, but without attribution-->
<!--NOTE(review): duplicate of the SearchIndexer ParentImage rule above.-->
<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
<Image condition="is">C:\Windows\system32\vssvc.exe</Image><!-- Microsoft Windows: Volume Shadow Copy Service -->
<!--NOTE(review): these six rules are substring matches, so they silence every command line containing "net use" or "net time", not only the
login scripts they were added for: interactive share mapping to other hosts disappears from the log, and so does any unrelated command line
that happens to contain the text (for example one mentioning an "internet user"). If the goal is login-script noise, scope the exclusion by
ParentImage or by the script path instead of the bare sub-command.-->
<CommandLine condition="contains">net.exe use</CommandLine> <!-- Silence domain login scripts -->
<CommandLine condition="contains">net use</CommandLine> <!-- Silence domain login scripts -->
<CommandLine condition="contains">net1 use</CommandLine> <!-- Silence domain login scripts -->
<CommandLine condition="contains">net.exe time</CommandLine> <!-- Silence domain login scripts -->
<CommandLine condition="contains">net time</CommandLine> <!-- Silence domain login scripts -->
<CommandLine condition="contains">net1 time</CommandLine> <!-- Silence domain login scripts -->
<!--SECTION: Microsoft:Windows:Defender-->
<!--NOTE(review): the section label is narrower than its contents: besides the Defender engine and signature updaters it also holds
CompatTelRunner, wermgr and the update pop-up binaries, and several of those repeat rules from the "Microsoft Windows" section above.
The "begin with" directory exclusion on the Defender install folder hides every binary launched from under that path, not just the
Defender executables; that is acceptable only while the directory stays admin-writable.-->
<Image condition="begin with">C:\Program Files\Windows Defender</Image> <!--Microsoft:Windows:Defender in Win10-->
<!--NOTE(review): duplicate of the CompatTelRunner rule in the section above.-->
<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
<Image condition="is">C:\Windows\System32\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
<Image condition="is">C:\Windows\SysWOW64\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
<Image condition="is">C:\Windows\System32\MpSigStub.exe</Image> <!--Microsoft:Windows: Microsoft Malware Protection Signature Update Stub-->
<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Engine</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Base</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
<!--NOTE(review): the next two rules duplicate the MusNotification rules in the section above.-->
<Image condition="is">C:\Windows\System32\MusNotification.exe</Image><!--Microsoft:Windows: Update Popups-->
<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image><!--Microsoft:Windows: Update Popups-->
<!--NOTE(review): duplicate of the SearchIndexer /Embedding rule in the "Microsoft Windows" section above.-->
<CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine><!--Microsoft:Windows: Search Indexer-->
<!--NOTE(review): service-host exclusions. Two match styles are mixed here: "is" excludes exactly one command line, while "end with" excludes
any command line whose tail is that text and is therefore broader than the launch it was written for. Prefer "is" where the launch string is
fixed (as the wsappx, appmodel and tapisrv rules already do). Matching is case-insensitive, so the "end with" rules for wsappx,
unistackSvcGroup, rPCSS, utcsvc, wbioSvcGroup, swprv, localSystemNetworkRestricted, netsvcs and networkService already cover the "is" rules
for the same groups; the "is" forms add nothing and can be dropped, or kept and the "end with" forms tightened.-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k wsappx</CommandLine><!--Microsoft:Windows 10-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k appmodel</CommandLine><!--Microsoft:Windows 10-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k UnistackSvcGroup</CommandLine><!--Microsoft:Windows 10-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k defragsvc</CommandLine><!--Microsoft:Windows Defrag-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k RPCSS</CommandLine><!--Microsoft:Windows Services-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k utcsvc</CommandLine><!--Microsoft:Windows Services-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k wbioSvcGroup</CommandLine><!--Microsoft:Windows Services-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k DcomLaunch</CommandLine><!--Microsoft:Windows Services-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k swprv</CommandLine><!--Microsoft:Software Shadow Copy Provider-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k imgsvc</CommandLine><!--Microsoft:The Windows Image Acquisition Service-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k NetworkServiceNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceNoNetwork</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -p -s NcaSvc</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC</CommandLine> <!--Microsoft:Windows:Network: BitLocker Drive Encryption-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s BITS</CommandLine> <!--Microsoft:Windows:Network: Background Intelligent File Transfer (BITS) -->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc</CommandLine> <!--Microsoft:Windows: Network services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s SENS</CommandLine> <!--Microsoft:Windows: Network services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv</CommandLine> <!--Microsoft:Windows: Network services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s Themes</CommandLine> <!--Microsoft:Windows: Network services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt</CommandLine> <!--Microsoft:Windows: Windows Management Instrumentation (WMI) -->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s gpsvc</CommandLine> <!--Microsoft:Windows:Network: Group Policy -->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs</CommandLine> <!--Microsoft:Windows: Network services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s Dnscache</CommandLine> <!--Microsoft:Windows:Network: DNS caching, other uses -->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation</CommandLine> <!--Microsoft:Windows:Network: "Workstation" service, used for SMB file-sharing connections and RDP-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s NlaSvc</CommandLine> <!--Microsoft:Windows:Network: Network Location Awareness-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s TermService</CommandLine> <!--Microsoft:Windows:Network: Terminal Services (RDP)-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService</CommandLine> <!--Microsoft:Windows: Network services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k rPCSS</CommandLine> <!--Microsoft:Windows Services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k secsvcs</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k swprv</CommandLine> <!--Microsoft:Software Shadow Copy Provider-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k unistackSvcGroup</CommandLine> <!--Microsoft:Windows 10-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k utcsvc</CommandLine> <!--Microsoft:Windows Services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k wbioSvcGroup</CommandLine> <!--Microsoft:Windows Services-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k werSvcGroup</CommandLine> <!--Microsoft:Windows: ErrorReporting-->
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC</CommandLine>
<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k wsappx</CommandLine> <!--Microsoft:Windows 10-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation</CommandLine><!--Microsoft:Windows Network Services-->
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k NetworkService</CommandLine><!--Microsoft:Windows Network Services-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</CommandLine><!--Microsoft:Windows Network Services-->
<CommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k GPSvcGroup</CommandLine><!--Microsoft:Windows Network Services-->
<CommandLine condition="is">C:\Windows\System32\svchost.exe -k tapisrv</CommandLine><!--Microsoft:Windows Network Services-->
<!--NOTE(review): the three ParentCommandLine rules below hide every child of those service hosts, not only the named noisy child. The netsvcs
host in particular runs many services; on builds where the Task Scheduler service lives in that group, processes launched by scheduled tasks
vanish from the log along with Consent.exe. The comment on the taskeng rule says task creation is detected elsewhere; that only helps if the
task-creation rules are actually enabled, so verify before relying on it.-->
<ParentCommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k wsappx</ParentCommandLine> <!-- Windows 10 AppX Deployment Noise -->
<ParentCommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</ParentCommandLine><!--Microsoft:Windows Network Services: Spawns Consent.exe-->
<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted</ParentCommandLine><!--Microsoft:Windows Network Services-->
<!--NOTE(review): duplicate of the powercfg rule in the "Microsoft Windows" section above.-->
<Image condition="is">C:\Windows\System32\powercfg.exe</Image><!--Microsoft:Power Management-->
<ParentImage condition="is">C:\Windows\System32\taskeng.exe</ParentImage><!--Microsoft:Scheduled Task noise, we already detect creation-->
<!--SECTION: Microsoft dotNet-->
<!--NOTE(review): native-image generation noise (mscorsvw, ngen, ngentask) for both the 32-bit and 64-bit framework directories. The
Framework64 ngentask ParentImage rule and the Framework64 ngentask ParentCommandLine rule each appear twice in this section, and the
PresentationFontCache rule repeats one from the "Microsoft Windows" section; prune the copies.-->
<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font cache service-->
<ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
<!--NOTE(review): "begin with" on an unquoted path: ngen.exe launched with any arguments is excluded, which is the intent.-->
<CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</CommandLine> <!--Microsoft:DotNet-->
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
<!--NOTE(review): duplicate of the Framework64 ngentask ParentImage rule above.-->
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
<!--NOTE(review): duplicate of the Framework64 ngentask ParentCommandLine rule above.-->
<ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
<!--SECTION: Microsoft Office-->
<!--NOTE(review): Office background and licensing processes, matched by exact full path so a copy of the same binary elsewhere is still
logged. The OfficeClickToRun rule uses "end with" rather than "is" although the value is already a full path; "is" would be the tighter
form. No Office application itself (winword, excel, outlook) is excluded here, which is correct: those are where macro and child-process
activity shows up.-->
<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!--Microsoft:Office: Background process-->
<ParentImage condition="end with">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage> <!--Microsoft:Office: Background process-->
<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE</Image> <!--Microsoft:Office: Background process-->
<Image condition="is">C:\Program Files\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process-->
<Image condition="is">C:\Program Files\Microsoft Office\Office15\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process-->
<Image condition="is">C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image> <!--Microsoft:Office: Background task handler-->
<Image condition="is">C:\Windows\splwow64.exe</Image> <!--Microsoft:Office: Print Driver Host spam -->
<!--SECTION: Microsoft:Windows: Media player-->
<Image condition="is">C:\Program Files\Windows Media Player\wmpnscfg.exe</Image> <!--Microsoft:Windows: Windows Media Player Network Sharing Service Configuration Application-->
<!--SECTION: Microsoft Exchange-->
<!--NOTE(review): the two ParentImage rules hide every child of the Exchange diagnostics and health-monitor workers, not only the probes
they spawn. On a mail server those are high-value hosts; if the volume allows, narrow this to the specific child images that are noisy.
The CheckDatabaseRedundancy rule is a substring match on the script path, so any command line that names that script is dropped, which is
the intent.-->
<ParentImage condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe</ParentImage>
<ParentImage condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe</ParentImage>
<CommandLine condition="contains">C:\Program Files\Microsoft\Exchange Server\V14\Scripts\CheckDatabaseRedundancy.ps1</CommandLine>
<!--SECTION: Microsoft Misc-->
<Image condition="is">C:\Windows\System32\ddpcli.exe</Image> <!--Scheduled dedupe jobs on server 2012-->
<!--SECTION: Google-->
<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
<CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
<Image condition="begin with">C:\Program Files (x86)\Google\Update\</Image> <!--Google:Chrome: Updater-->
<ParentImage condition="begin with">C:\Program Files (x86)\Google\Update\</ParentImage> <!--Google:Chrome: Updater-->
<!--SECTION: Firefox-->
<CommandLine condition="begin with">"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox: Large command-line arguments | Credit @Darkbat91 -->
<CommandLine condition="begin with">"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox: Large command-line arguments | Credit @Darkbat91 -->
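<!--SECTION: Adobe-->
<!--NOTE(review): the CommandLine "contains" rules in this section match any process whose command line includes the substring, not only AcroRd32.exe itself; the full-path forms further down are the tighter ones.-->
<CommandLine condition="contains">AcroRd32.exe" /CR </CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
<CommandLine condition="contains">AcroRd32.exe" --channel=</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
<CommandLine condition="contains">"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /id</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
<CommandLine condition="contains">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /ac /id</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
<ParentCommandLine condition="contains">"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id</ParentCommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe</ParentImage> <!--Adobe:AdobeGCClient: parent-process exclusion-->
<!--NOTE(review): the AcroCEF.exe, RdrCEF.exe and LogTransport2.exe Image rules that used to sit here were byte-for-byte duplicates of the entries in the "Adobe:Acrobat DC" and "Adobe:Acrobat Reader DC" sections below and have been removed; behaviour is unchanged.-->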
<!--SECTION: Adobe:Acrobat DC-->
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
<!--SECTION: Adobe:Acrobat 2015-->
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
<!--SECTION: Adobe:Acrobat Reader DC-->
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
<!--SECTION: Adobe:Flash-->
<Image condition="end with">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> <!--Adobe:Flash: Properly hardened updater, not a risk-->
<!--SECTION: Adobe:Updater-->
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</ParentImage> <!--Adobe:Updater: Properly hardened updater, not a risk-->
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
<!--SECTION: Adobe:Supporting processes-->
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe</Image>
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe</Image>
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe</Image> <!--Adobe:Creative Cloud-->
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe</Image> <!--Adobe:License utility-->
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</Image> <!--Adobe:License utility-->
<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</ParentImage> <!--Adobe:License utility-->
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</Image>
<ParentImage condition="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</ParentImage>
<!--SECTION: Adobe:Creative Cloud-->
<!--SECTION: Cisco-->
<ParentImage condition="end with">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe</ParentImage> <!--Cisco: Calls netsh to change settings on connect-->
<Image condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</Image>
<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</ParentImage>
<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe</ParentImage>
<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe</ParentImage>
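<!--SECTION: Drivers-->
<CommandLine condition="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{</CommandLine> <!--Dell:DellTPad: message forwarder (this rule was present twice in the section; the duplicate was removed)-->
<Image condition="begin with">C:\Program Files\NVIDIA Corporation\</Image> <!--Nvidia:Driver: routine actions. NOTE(review): directory-wide exclusion; any executable placed anywhere under this tree is never logged by ProcessCreate-->
<Image condition="end with">\NVIDIA\NvBackend\ApplicationOntology\OAWrapper.exe</Image> <!--Nvidia:Driver: routine actions-->
<ParentImage condition="is">C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamuseragent.exe</ParentImage> <!--Nvidia:Driver: routine actions-->
<Image condition="begin with">C:\Program Files\Realtek\</Image> <!--Realtek:Driver: routine actions. NOTE(review): directory-wide exclusion, same caveat as the NVIDIA tree above-->
<ParentImage condition="end with">C:\Program Files\DellTPad\HidMonitorSvc.exe</ParentImage> <!--Dell:DellTPad: parent-process exclusion-->
<ParentImage condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</ParentImage><!--Synaptics Touchpad -->
<ParentImage condition="end with">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe</ParentImage> <!--Realtek:Driver: routine actions-->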
<!--SECTION: Dropbox-->
<Image condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</Image> <!--Dropbox:Updater: Lots of command-line arguments-->
<ParentImage condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage> <!--Dropbox:Updater: children of the updater-->
<!--SECTION: Dell-->
<ParentImage condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> <!--Dell:CommandUpdate: Detection process. NOTE(review): the same full path is excluded again with condition="image" in the "Custom Apps" section below; one of the two is redundant-->
<Image condition="is">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image> <!--Dell:SupportAssist: routine actions-->
<Image condition="is">C:\Program Files\Dell\SupportAssist\koala.exe</Image> <!--Dell:SupportAssist: routine actions-->
<ParentCommandLine condition="end with">"-outc=C:\ProgramData\Dell\CommandUpdate\inventory.xml" "-logc=C:\ProgramData\Dell\CommandUpdate\scanerrs.xml" "-lang=en" "-enc=UTF-16" </ParentCommandLine> <!--Dell:CommandUpdate: inventory collector arguments. NOTE(review): the value ends in a space and "end with" is a literal suffix match, so this only fires when the recorded command line itself ends in a trailing space; verify against a real event before relying on it-->
<!-- <ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> --> <!--Dell:CommandUpdate: Detection process. Disabled copy; the identical rule is active in the "Custom Apps" section below and this line can be dropped-->
<!--SECTION: Lenovo-->
<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\ConfigService.exe</Image> <!--Lenovo: System Update-->
<ParentImage condition="is">C:\PROGRA~3\Lenovo\SYSTEM~1\SESSIO~1\REPOSI~1\fwdphb06\fwdphb06_version.exe</ParentImage><!--Lenovo: System Update-->
<Image condition="is">C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe</Image><!--Lenovo: Thinkpad Utilities-->
<Image condition="is">C:\Windows\system32\LPlatSvc.exe</Image> <!--Lenovo: Platform Services-->
<ParentImage condition="is">C:\Program Files\Lenovo\HOTKEY\tphkload.exe</ParentImage><!--Lenovo: Hotkey Tools-->
<ParentImage condition="is">C:\Program Files\Lenovo\HOTKEY\micmute.exe</ParentImage><!--Lenovo: Hotkey Tools-->
<Image condition="is">C:\Program Files\Lenovo\InstantOn\InstantOnSrv.exe</Image> <!--Lenovo: Instant-On-->
<Image condition="is">C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelService.exe</Image> <!--Lenovo: Mouse Suite-->
<Image condition="is">C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</Image> <!--Lenovo: Modern Apps Plugin Host-->
<ParentCommandLine condition="contains">C:\Program Files\Lenovo\iMController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</ParentCommandLine> <!--Lenovo: Modern Apps Plugin Host-->
<ParentCommandLine condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsukernel.exe</ParentCommandLine> <!--Lenovo: System Update-->
<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\UACSdk.exe</ParentImage> <!--Lenovo: System Update-->
<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\SUService.exe</ParentImage> <!--Lenovo: System Update-->
<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Ultraslim Plus Wireless Keyboard &amp; Mouse\Pelico.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Ultraslim Plus Wireless Keyboard &amp; Mouse\LeDaemon.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelElvDm.exe</ParentImage>
<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsuShim.exe</ParentImage>
<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsu.exe</ParentImage>
<Image condition="contains">C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe</Image>
<!--SECTION: MSI: Micro-Star International Computers-->
<ParentImage condition="is">C:\Program Files (x86)\SCM\SCM.exe</ParentImage><!--MSI: Hotkey & Power Management-->
<Image condition="is">C:\Program Files (x86)\SCM\SCM_Notice.exe</Image><!--MSI: Hotkey & Power Management-->
<Image condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</Image><!-- MSI: Helpdesk Updater-->
<ParentImage condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</ParentImage><!-- MSI: Helpdesk Updater-->
<Image condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</Image><!-- MSI: Dragon Center Updater-->
<ParentImage condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</ParentImage><!-- MSI: Dragon Center Updater-->
<!--SECTION: Intel-->
<Image condition="is">C:\Program Files\Intel\Telemetry 2.0\lrio.exe</Image> <!--Intel: Telemetry-->
<Image condition="is">C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe</Image> <!--Intel: Driver Update-->
<Image condition="is">C:\Windows\System32\DriverStore\FileRepository\ki120591.inf_amd64_7a2f7b04e15632c2\igfxCUIService.exe</Image><!--Intel: Graphics Driver-->
<Image condition="is">C:\Windows\System32\DriverStore\FileRepository\ki120591.inf_amd64_7a2f7b04e15632c2\igfxEM.exe</Image><!--Intel: Graphics Driver-->
<!--SECTION: Antivirus-->
<CommandLine condition="begin with">"C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",SynProc</CommandLine> <!--Webroot-->
<CommandLine condition="contains">C:\Program Files (x86)\Webroot\WRSA.exe" -ul</CommandLine> <!--Webroot-->
<ParentCommandLine condition="is">"C:\Program Files (x86)\Webroot\WRSA.exe" -service</ParentCommandLine> <!--Webroot-->
<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image><!--Webroot-->
<!--SECTION: Synaptics Touchpad-->
<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</Image>
<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe</Image>
<!--SECTION: Custom Apps-->
<Image condition="end with">ScreenConnect.WindowsClient.exe</Image><!--Screenconnect Remote Desktop Client. NOTE(review): matched on file name only, so this remote-access client is excluded from whatever directory it runs in; pin to the install path or a Hashes rule if that is not intended-->
<Image condition="begin with">C:\Program Files (x86)\SmartGit</Image> <!--SmartGit-->
<ParentImage condition="begin with">C:\Program Files (x86)\SmartGit</ParentImage> <!--SmartGit-->
<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--Vivaldi Browser-->
<Image condition="end with">controls\cef\ConnectWise.exe</Image> <!--Connectwise-->
<!-- VMware vSphere spawns child processes cvtres.exe and csc.exe; currently unable to exclude only those child processes, and csc.exe and cvtres.exe are also used by some malware, so the two VpxClient rules below exclude by the launcher's command line instead-->
<ParentCommandLine condition="contains">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</ParentCommandLine> <!--VMware vSphere spawns subprocesses-->
<CommandLine condition="contains">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</CommandLine><!--VMware vSphere spawns subprocesses-->
<ParentImage condition="is">C:\Program Files (x86)\SyncedTool\bin\agent_service.exe</ParentImage><!--eFolder Synced Tool-->
<Image condition="is">C:\Program Files (x86)\Notepad++\notepad++.exe</Image><!-- Notepad++ -->
<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn-gui.exe</Image> <!--OpenVPN GUI-->
<ParentImage condition="is">C:\Program Files (x86)\Enpass\Enpass.exe</ParentImage> <!--Enpass Password Manager-->
<Image condition="contains">C:\Program Files (x86)\Enpass\Enpass.exe</Image> <!--Enpass Password Manager-->
<ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> <!--Dell:CommandUpdate: Detection process. Duplicates the condition="is" rule for the same path in the "Dell" section above-->
<ParentImage condition="contains">C:\Program Files (x86)\Fortinet\FortiClient\scheduler.exe</ParentImage> <!--FortiClient Noise -->
<ParentImage condition="contains">C:\Program Files (x86)\Fortinet\FortiClient\FCHelper64.exe</ParentImage> <!--FortiClient Noise -->
<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image> <!-- Forticlient Updater -->
<Image condition="contains">C:\Program Files (x86)\SyncedTool\bin\agent_gui.exe</Image> <!--eFolder Synced Tool GUI-->
<Image condition="is">C:\Anchor Server\penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server. NOTE(review): this excludes an entire Python interpreter by Image, so every script it launches is unlogged; scoping on ParentImage or CommandLine would keep visibility into what the interpreter runs -->
<ParentImage condition="is">C:\Anchor Server\redis\redis-server.exe</ParentImage> <!-- eFolder Anchor Server -->
<Image condition="is">C:\Anchor Server\redis\redis-server.exe</Image> <!-- eFolder Anchor Server -->
<ParentImage condition="is">C:\PostgreSQL9.1\bin\postgres.exe</ParentImage> <!-- eFolder Anchor Server -->
<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Anchor Server -->
<Image condition="is">C:\ProgramData\sysmon\sysmon64.exe</Image> <!-- Exclude Sysmon Process events (full-path match; the binary lives under ProgramData in this deployment) -->
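<!--Exclude: MSPaint.exe (by SHA256; a hash rule is not satisfied by renaming or relocating a file, unlike the path rules around it)-->
<Hashes condition="contains">56BFB300BA379181CE09C3130775DFBBCAFF9DB764BDC39086C2FEC2547EE900</Hashes>
<!--Exclude: N-Able/N-Central-->
<Image condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\bitsadmin.exe</Image> <!--N-able: agent-bundled bitsadmin copy-->
<Image condition="is">C:\Program Files\N-able Technologies\Windows Agent\bin\bitsadmin.exe</Image> <!--N-able: agent-bundled bitsadmin copy-->
<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe</ParentImage> <!--N-able: software probe-->
<ParentCommandLine condition="contains">N-able Technologies\Windows Software Probe\bin\wsp.exe</ParentCommandLine> <!--N-able: software probe-->
<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe</ParentImage> <!--N-able: agent-->
<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\AutomationManager.ScriptRunner64.exe</ParentImage> <!--N-able: script runner (children)-->
<Image condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\AutomationManager.ScriptRunner64.exe</Image> <!--N-able: script runner-->
<ParentImage condition="is">C:\Program Files\N-able Technologies\AVDefender\installer\installer.exe</ParentImage> <!--N-able:AVDefender installer. Fixed: the value carried a trailing space, which an exact ("is") match could never satisfy-->
<ParentImage condition="is">C:\Program Files\N-able Technologies\AVDefender\epupdateservice.exe</ParentImage> <!--N-able:AVDefender update service-->
<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\ShadowProtectDataReader.exe</ParentImage> <!--N-able: ShadowProtect data reader-->
<Hashes condition="contains">3070E798134A11ADB01129F06A36CD924267E6DA95DAB2E3196105264D2BF818</Hashes><!--Winlogbeat (SHA256)-->
<!--Exclude: Sysmon Auto-Update-->
<ParentCommandLine condition="contains">\sysmon\Auto_Update.bat</ParentCommandLine> <!--NOTE(review): a bare substring on the command line excludes every process creation whose arguments include it, whatever the image; if the updater path is fixed, a ParentImage rule is the tighter form-->
<CommandLine condition="contains">\sysmon\Auto_Update.bat</CommandLine> <!--NOTE(review): same caveat as the ParentCommandLine rule above-->
<CommandLine condition="contains">ion-storm/sysmon-config</CommandLine> <!--NOTE(review): same caveat; consider scoping this to the Image that performs the update-->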
<!--Exclude: Netlogon scripts-->
<ParentCommandLine name="MitreRef=T1037,Technique=Logon Scripts,Tactic=Lateral Movement Persistence" condition="contains">\netlogon\</ParentCommandLine> <!--NOTE(review): this sits in an exclude list, so a matching event is dropped and its name attribute is never emitted as RuleName; the MITRE tag is inert here and only meaningful on an include rule-->
<CommandLine condition="contains">\netlogon\</CommandLine> <!--Any command line referencing the NETLOGON share-->
<ParentImage condition="is">C:\PROGRA~2\SAAZOD\SAAZMSMACTL.EXE</ParentImage> <!--SAAZOD agent (8.3 short path)-->
<!--Exclude: Too noisy in a domain environment with legacy logon scripts-->
<!--NOTE(review): the seven "contains" rules below drop every process creation whose command line includes these substrings, regardless of parent or user, which also hides ad-hoc share mapping and time queries that lateral-movement hunting relies on. Connections made by net.exe are still visible through the NetworkConnect include rule for net.exe further down; if tighter coverage is wanted, scope these on ParentImage (the logon-script host) instead.-->
<CommandLine condition="contains">net use</CommandLine>
<CommandLine condition="contains">net.exe use</CommandLine>
<CommandLine condition="contains">net1 use</CommandLine>
<CommandLine condition="contains">net1.exe use</CommandLine>
<CommandLine condition="contains">net time</CommandLine>
<CommandLine condition="contains">net.exe time</CommandLine>
<CommandLine condition="contains">net1 time</CommandLine>
<CommandLine condition="contains">C:\Windows\system32\cmd.exe /c UsrLogon.cmd</CommandLine> <!--Legacy user logon script-->
<ParentImage condition="is">C:\Program Files (x86)\MaaS360\Cloud Extender\EMSAgent.exe</ParentImage> <!--MaaS360 Cloud Extender agent-->
<ParentImage condition="is">C:\Program Files\Octopus Deploy\Tentacle\Tentacle.exe</ParentImage> <!--Octopus Deploy Tentacle (deployment agent; its children are unlogged)-->
<CommandLine condition="contains">chrome.nativeMessaging.out</CommandLine> <!--Chrome native-messaging host pipe argument-->
</ProcessCreate>
<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
<!--COMMENT: [ https://attack.mitre.org/wiki/Technique/T1099 ] -->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime-->
<FileCreateTime onmatch="include"> <!--Include list: an event is logged only when one of these rules matches. All three rules filter on Image, i.e. the process that changed the timestamp, not on TargetFilename, the file whose creation time was changed-->
<Image name="MitreRef=T1099,Technique=Timestomp,Tactic=Defense Evasion,Alert=Timestomp/File creation time retroactively changed!" condition="begin with">C:\Users</Image> <!--A process running from under the user profile tree changed a file creation time-->
<Image name="MitreRef=T1099,Technique=Timestomp,Tactic=Defense Evasion,Alert=Timestomp/File creation time retroactively changed!" condition="begin with">C:\ProgramData</Image> <!--A process running from under ProgramData changed a file creation time-->
<Image name="MitreRef=T1099,Technique=Timestomp,Tactic=Defense Evasion,Alert=Timestomp/File creation time retroactively changed!" condition="contains">\Temp\</Image> <!--Mitre T1099--><!--A process running from a temp folder changed a file creation time. NOTE(review): timestomping of files in these locations by a process living elsewhere (e.g. under System32) is not covered; TargetFilename rules (field listed in the DATA comment above) would add that-->
</FileCreateTime>
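<FileCreateTime onmatch="exclude"> <!--Exclude list applied to the include rules above; a match here suppresses the event-->
<Image condition="image">C:\Windows\system32\backgroundTaskHost.exe</Image> <!--Microsoft:Windows: background task host constantly changes file times. A second copy of this rule differing only in path case was removed; Sysmon matching is case-insensitive-->
<Image condition="image">TrustedInstaller.exe</Image> <!--Ignore setups. Fixed: this used condition="is", which is an exact match against the full Image path and therefore never matched a bare file name-->
<Image condition="image">OneDrive.exe</Image> <!--OneDrive constantly changes file times-->
<Image condition="image">vivaldi.exe</Image> <!--Vivaldi constantly changes file times-->
<Image condition="image">chrome.exe</Image> <!--Chrome constantly changes file times-->
<Image condition="contains">setup</Image> <!--Ignore setups. NOTE(review): any Image path containing "setup" anywhere, including a temp-folder binary named that way, escapes timestomp detection; consider narrowing to known installer paths-->
</FileCreateTime>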
<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED [NetworkConnect]-->
<!--COMMENT: By default this configuration takes a very conservative approach to network logging, limited to only extremely high-signal events.-->
<!--COMMENT: [ https://attack.mitre.org/wiki/Command_and_Control ] [ https://attack.mitre.org/wiki/Exfiltration ] [ https://attack.mitre.org/wiki/Lateral_Movement ] -->
<!--TECHNICAL: For the DestinationHostname, Sysmon uses the GetNameInfo API, which will often not have any information, and may just be a CDN. This is NOT reliable for filtering.-->
<!--TECHNICAL: For the DestinationPortName, Sysmon uses the GetNameInfo API for the friendly name of ports you see in logs.-->
<!--TECHNICAL: These exe do not initiate their connections, and thus including does not work in this section: BITSADMIN.exe-->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpV6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName-->
<NetworkConnect onmatch="include"> <!--Include list: a connection is logged only when a rule below matches-->
<!--Suspicious sources for network-connecting binaries-->
<Image condition="begin with">C:\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
<Image name="Alert=Temp file location network connection,suspicious_net_event=True" condition="contains">\temp\</Image> <!--Network Connection in Temp Directories-->
<Image name="Alert=Network connection in Recycle Bin,suspicious_net_event=True" condition="contains">$RECYCLE.BIN</Image> <!--Network Connection from a binary inside the Recycle Bin-->
<Image condition="begin with">C:\ProgramData</Image> <!--Normally, network communications should be sourced from "Program Files" not from ProgramData, something to look at-->
<Image condition="begin with">C:\Perflogs\</Image> <!--Binaries staged in PerfLogs-->
<Image condition="contains">config\systemprofile\</Image> <!--Binaries run from the SYSTEM account profile-->
<Image condition="contains">\Windows\Fonts\</Image> <!--Binaries staged in the Fonts folder-->
<Image condition="contains">\Windows\IME\</Image> <!--Binaries staged in the IME folder-->
<Image name="Alert=Network connection in addins,suspicious_net_event=True" condition="contains">\Windows\addins\</Image>
<!--NOTE(review): the six browser/shell rules below log every connection those processes make. That is high volume and at odds with the "very conservative" approach stated in the COMMENT at the top of this section; if kept, expect to tune by destination in the SIEM-->
<Image condition="contains">chrome.exe</Image>
<Image condition="contains">iexplore.exe</Image>
<Image condition="contains">firefox.exe</Image>
<Image condition="contains">MicrosoftEdgeCP.exe</Image>
<Image condition="contains">MicrosoftEdge.exe</Image>
<Image condition="contains">explorer.exe</Image>
<!--<Image name="Info=Non-Exe Connecting to network" condition="excludes">.exe</Image>-->
<Image name="Info=Unknown Process Connecting to network" condition="contains">unknown process</Image> <!--presumably matches events where Sysmon could not resolve the image name; confirm the exact placeholder text emitted by the installed Sysmon version-->
<!--Suspicious Windows tools-->
<Image name="Alert=AT.EXE Task Scheduler Network Connection,suspicious_net_event=True" condition="image">at.exe</Image> <!--Microsoft:Windows: Remote task scheduling | Credit @ion-storm -->
<Image name="Alert=SCHTasks.exe Task Scheduler Network Connection,suspicious_net_event=True" condition="image">schtasks.exe</Image> <!--Microsoft:Windows: Remote task scheduling | Credit @ion-storm -->
<Image name="Alert=Certutil Connecting to network,suspicious_net_event=True" condition="image">certutil.exe</Image> <!--Microsoft:Windows: Certificate tool can contact outbound | Credit @ion-storm and @FVT [ https://twitter.com/FVT/status/834433734602530817 ] -->
<Image name="Alert=CMD Prompt network Connection,suspicious_net_event=True" condition="image">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
<Image name="Alert=Cscript network Connection,suspicious_net_event=True" condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
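<Image name="Alert=WSCRIPT Network connection,suspicious_net_event=True" condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt. Fixed: an unnamed second rule for wscript.exe that followed on this line duplicated this one and was removed-->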
<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
<Image condition="image">regsvcs.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/3f94d7080e6c5b8f59eeecc3d44f7e817b31562caeba21d02ad705a0bfc63d67?environmentId=100 ] -->
<Image condition="image">C:\Windows\system32\svchost.exe</Image> <!--Windows Services hidden by Svchost.exe, BITS File Transfer program-->
<Image name="Alert=MSHTA Network Connection,suspicious_net_event=True" condition="image">mshta.exe</Image>
<Image name="Info=Powershell Network Connection,suspicious_net_event=True" condition="image">powershell.exe</Image> <!--Microsoft:WindowsPowerShell: | Credit @Cyb3rOps -->
<Image condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
<Image condition="contains">pskill</Image><!--Detect pskill-->
<Image condition="contains">psshutdown</Image><!--Detect PsShutdown-->
<Image condition="contains">psservice</Image><!--Detect PsService-->
<Image condition="contains">PsPasswd</Image><!--Detect PsPasswd-->
<Image condition="image">java.exe</Image>
<Image condition="image">msbuild.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
<Image condition="image">installutil.exe</Image>
<Image name="Alert=MSIExec Network connection,suspicious_net_event=True" condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->
<Image name="Alert=REG.EXE Network Connection,suspicious_net_event=True" condition="image">reg.exe</Image><!-- Remote Registry -->
<Image condition="image">mstsc.exe</Image><!-- Remote Desktop -->
<Image name="Alert=Telnet Connection,suspicious_net_event=True" condition="image">telnet.exe</Image><!-- Telnet -->
<Image condition="image">SyncAppvPublishingServer.exe</Image><!--Mitre T1218-->
<Image condition="image">Mavinject.exe</Image><!--Mitre T1218-->
<Image name="Alert=SSH Connection with ssh.exe,suspicious_net_event=True" condition="image">ssh.exe</Image><!-- SSH -->
<Image name="Alert=SSH Connection with Putty,suspicious_net_event=True" condition="image">putty.exe</Image><!-- SSH -->
<Image name="Alert=SSH Connection with Kitty,suspicious_net_event=True" condition="image">kitty.exe</Image><!-- SSH -->
<Image name="Alert=SSH Connection with Kitty,suspicious_net_event=True" condition="image">kitty_portable.exe</Image><!-- SSH -->
<Image name="Alert=PSFTP Connection" condition="image">psftp.exe</Image><!-- SFTP -->
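<Image name="Alert=TFTP Connection" condition="image">tftp.exe</Image><!-- TFTP. Fixed: the alert name read "PSFTP Connection", copied from the psftp.exe rule above, so TFTP events were mislabelled -->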
<Image condition="image">wmic.exe</Image><!-- wmic /node logging -->
<Image condition="image">net.exe</Image><!-- net use/net view-->
<Image name="Alert=NBTSTAT Query" condition="image">nbtstat.exe</Image><!-- Netbios stat-->
<Image condition="image">dsquery.exe</Image><!-- Query domain-->
<Image condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
<Image condition="image">infDefaultInstall.exe</Image> <!--Microsoft: [ https://github.com/huntresslabs/evading-autoruns ] | Credit @KyleHanslovan -->
<Image name="Alert=SC.exe Network Connection,suspicious_net_event=True" condition="image">sc.exe</Image><!-- Service Control Manager-->
<Image condition="image">auditpol.exe</Image><!-- Auditpol-->
<Image name="Alert=User enumeration,suspicious_net_event=True" condition="image">qwinsta.exe</Image><!-- Query Remote Sessions-->
<Image condition="image">rwinsta.exe</Image><!-- Reset Remote Sessions-->
<!--Tor. NOTE(review): the DestinationIp entries below are a fixed snapshot of relay addresses with no source or date recorded; Tor relays change frequently, so this list will go stale and should be refreshed from a dated feed rather than hand-maintained-->
<Image name="Alert=Tor Connection" condition="image">tor.exe</Image> <!--Matches the client by image name, regardless of path-->
<DestinationIp name="Alert=Tor Connection" condition="is">185.41.154.130</DestinationIp>
<DestinationIp name="Alert=Tor Connection" condition="is">37.252.190.176</DestinationIp>
<DestinationIp name="Alert=Tor Connection" condition="is">82.118.17.235</DestinationIp>
<DestinationIp name="Alert=Tor Connection" condition="is">83.163.164.15</DestinationIp>
<DestinationIp name="Alert=Tor Connection" condition="is">69.163.34.173</DestinationIp>
<DestinationIp name="Alert=Tor Connection" condition="is">159.89.151.231</DestinationIp>
<DestinationIp name="Alert=Tor Connection" condition="is">212.47.246.229</DestinationIp>
<DestinationIp name="Alert=Tor Connection" condition="is">84.40.112.70</DestinationIp>
<DestinationIp name="Alert=Tor Connection" condition="is">2.137.16.245</DestinationIp>
<DestinationIp name="Alert=Tor Connection" condition="is">199.249.223.62</DestinationIp>
<DestinationIp name="Alert=Tor Connection" condition="is">185.22.172.237</DestinationIp>
<DestinationIp name="Alert=Tor Connection" condition="is">88.99.216.194</DestinationIp>
<DestinationIp name="Alert=Tor Connection" condition="is">185.13.39.197</DestinationIp>
<DestinationIp name="Alert=Tor Connection" condition="is">162.247.72.201</DestinationIp>
<DestinationIp name="Alert=Tor Connection" condition="is">174.127.217.73</DestinationIp>
<!-- End Tor-->
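<!--Hack tools hosting-->
<!--NOTE: Sysmon appears to fill DestinationHostname from a reverse lookup of the destination address (confirm for the Sysmon build in use), so a CDN-fronted service can surface under the CDN's name instead of the names listed here; a miss is not proof the service was not contacted.-->
<DestinationHostname name="Alert=Connection to Github,suspicious_net_event=True" condition="contains">githubusercontent.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
<DestinationHostname name="Alert=Connection to Github,suspicious_net_event=True" condition="contains">github.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
<!--Suspicious destinations: public "what is my IP" services, which malware queries to learn the victim's external address. "begin with" matches only the exact leading labels listed, so a www. variant is covered only where it is spelled out (see www.myexternalip.com). api.ip.sb is listed once; it previously appeared twice.-->
<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">api.ipify.org</DestinationHostname>
<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">whatismyipaddress.com</DestinationHostname>
<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">edns.ip-api.com</DestinationHostname>
<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">checkip.dyndns.org</DestinationHostname>
<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">icanhazip.com</DestinationHostname>
<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ifconfig.me</DestinationHostname>
<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ifconfig.co</DestinationHostname>
<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ipaddress.com</DestinationHostname>
<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ipinfo.io</DestinationHostname>
<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ident.me</DestinationHostname>
<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">api.ip.sb</DestinationHostname>
<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">www.myexternalip.com</DestinationHostname>
<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ip.anysrc.net</DestinationHostname>
<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">wtfismyip.com</DestinationHostname>
<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">myexternalip.com</DestinationHostname>
<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ipecho.net</DestinationHostname>
<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">checkip.amazonaws.com</DestinationHostname>
<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ip-api.com</DestinationHostname> <!--Ransomware using ip-api for geolocation tracking-->
<!--URL shorteners: these are not IP-check services, so they carry their own RuleName instead of "Malware IP Check"; short links are a common first hop to staged payloads and are rarely contacted directly by unattended processes.-->
<DestinationHostname name="Alert=URL Shortener,suspicious_net_event=True" condition="begin with">goo.gl</DestinationHostname>
<DestinationHostname name="Alert=URL Shortener,suspicious_net_event=True" condition="begin with">git.io</DestinationHostname>
<DestinationHostname name="Alert=URL Shortener,suspicious_net_event=True" condition="begin with">bit.ly</DestinationHostname>
<DestinationHostname name="Alert=URL Shortener,suspicious_net_event=True" condition="begin with">t.co</DestinationHostname>
<DestinationHostname name="Alert=URL Shortener,suspicious_net_event=True" condition="begin with">ow.ly</DestinationHostname>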
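<!--Dynamic DNS Providers: malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher-->
<!--"contains" is intentional so that any subdomain of a provider matches; it also matches longer names that merely embed the string. Rule names added so these events carry a RuleName like the other alert sections and can be routed the same way.-->
<DestinationHostname name="Alert=Dynamic DNS Provider,suspicious_net_event=True" condition="contains">dlinkddns.com</DestinationHostname>
<DestinationHostname name="Alert=Dynamic DNS Provider,suspicious_net_event=True" condition="contains">no-ip.com</DestinationHostname>
<DestinationHostname name="Alert=Dynamic DNS Provider,suspicious_net_event=True" condition="contains">no-ip.org</DestinationHostname>
<DestinationHostname name="Alert=Dynamic DNS Provider,suspicious_net_event=True" condition="contains">no-ip.biz</DestinationHostname>
<DestinationHostname name="Alert=Dynamic DNS Provider,suspicious_net_event=True" condition="contains">no-ip.info</DestinationHostname>
<DestinationHostname name="Alert=Dynamic DNS Provider,suspicious_net_event=True" condition="contains">noip.com</DestinationHostname>
<DestinationHostname name="Alert=Dynamic DNS Provider,suspicious_net_event=True" condition="contains">afraid.org</DestinationHostname>
<DestinationHostname name="Alert=Dynamic DNS Provider,suspicious_net_event=True" condition="contains">duckdns.org</DestinationHostname>
<DestinationHostname name="Alert=Dynamic DNS Provider,suspicious_net_event=True" condition="contains">changeip.com</DestinationHostname>
<DestinationHostname name="Alert=Dynamic DNS Provider,suspicious_net_event=True" condition="contains">ddns.net</DestinationHostname>
<DestinationHostname name="Alert=Dynamic DNS Provider,suspicious_net_event=True" condition="contains">hopto.org</DestinationHostname>
<DestinationHostname name="Alert=Dynamic DNS Provider,suspicious_net_event=True" condition="contains">zapto.org</DestinationHostname>
<DestinationHostname name="Alert=Dynamic DNS Provider,suspicious_net_event=True" condition="contains">servehttp.com</DestinationHostname>
<DestinationHostname name="Alert=Dynamic DNS Provider,suspicious_net_event=True" condition="contains">sytes.net</DestinationHostname>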
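<!--Tor2Web Providers: clear-web gateways that proxy .onion services, so a process reaching them gets Tor-hidden content without running a Tor client. Rule names added for consistency with the Tor address rules above; the short fragments (onion.to, onion.sh) may also hit unrelated names that embed them.-->
<DestinationHostname name="Alert=Tor2Web Connection,suspicious_net_event=True" condition="contains">onion.to</DestinationHostname>
<DestinationHostname name="Alert=Tor2Web Connection,suspicious_net_event=True" condition="contains">onion.cab</DestinationHostname>
<DestinationHostname name="Alert=Tor2Web Connection,suspicious_net_event=True" condition="contains">onion.sh</DestinationHostname>
<DestinationHostname name="Alert=Tor2Web Connection,suspicious_net_event=True" condition="contains">onion.nu</DestinationHostname>
<DestinationHostname name="Alert=Tor2Web Connection,suspicious_net_event=True" condition="contains">onion.direct</DestinationHostname>
<DestinationHostname name="Alert=Tor2Web Connection,suspicious_net_event=True" condition="contains">tor2web.org</DestinationHostname>
<DestinationHostname name="Alert=Tor2Web Connection,suspicious_net_event=True" condition="contains">tor2web.fi</DestinationHostname>
<DestinationHostname name="Alert=Tor2Web Connection,suspicious_net_event=True" condition="contains">tor2web.io</DestinationHostname>
<DestinationHostname name="Alert=Tor2Web Connection,suspicious_net_event=True" condition="contains">tor2web.blutmagie.de</DestinationHostname>
<DestinationHostname name="Alert=Tor2Web Connection,suspicious_net_event=True" condition="contains">tor-gateways.de</DestinationHostname>
<DestinationHostname name="Alert=Tor2Web Connection,suspicious_net_event=True" condition="contains">hiddenservice.net</DestinationHostname>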
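<!--Public Port Scan Detection-->
<!--Hostname fragments use "contains" deliberately because scanner names sit inside longer reverse-lookup names. "shadow" (presumably aimed at Shadowserver) and "census" are short and will also hit unrelated names that carry those words; tighten them if they prove noisy.-->
<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">shodan</DestinationHostname>
<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">shadow</DestinationHostname>
<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">researchscan</DestinationHostname>
<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">census</DestinationHostname>
<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">sl-reverse</DestinationHostname>
<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">scanhub</DestinationHostname>
<!--".edu" is a name suffix and was previously tested against DestinationIp, which only ever holds an address and so could never match; it is now tested against DestinationHostname with "end with", which avoids partial-label hits such as ".education".-->
<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="end with">.edu</DestinationHostname>
<!--Address prefixes are anchored with "begin with": with "contains", a prefix like 71.6.216. would also match 171.6.216.x. The former unanchored entry "158.130.6" (no trailing dot) duplicated 158.130.6. and additionally swept 158.130.60.x through 158.130.69.x, so it has been dropped.-->
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">158.130.6.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">71.6.216.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">137.226.113.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">138.246.252.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">128.32.30.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">208.93.152.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">162.216.46.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">169.229.3.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">155.94.254.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">98.143.148.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">155.94.222.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">134.147.203.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">69.170.62.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">159.203.213.</DestinationIp>
<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="begin with">209.236.120.</DestinationIp>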
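<!--Crypto Currency Mining pools-->
<!--Deduplicated. With "contains", a shorter fragment already matches every longer name that embeds it: blockmasters covers blockmasterscoins, zergpool covers zergpoolcoins, monero covers cryptmonero and monero.lindon-pool.win, prohash covers prohash.net, xmrpool covers usxmrpool. Sysmon string conditions are case-insensitive, so minexmr also covers the mineXMR spellings. Broad fragments such as monero and zpool will also fire on unrelated names that contain them (project sites, wallets, exchanges); tune per environment.-->
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">blazepool</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">blockmasters</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">hashrefinery</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">miningpoolhubcoins</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">nicehash</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">yiimp</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">zergpool</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">zpool</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">slushpool</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">minexmr</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">minergate</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">monero</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">prohash</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">dwarfpool</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">nanopool.org</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mixpools.org</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">viaxmr.com</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">hashvault.pro</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">moriaxmr.com</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">suprnova.cc</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">xmrpool</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">poolto.be</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mine.bz</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mypool.online</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">bohemianpool</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">iwanttoearn.money</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">pool.xmr</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">crypto-pool</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">miners.pro</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">minercircle.com</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">teracycle.net</DestinationHostname>
<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">ratchetmining.com</DestinationHostname>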
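<!--Ports-->
<!--NOTE: 80 and 443 log every web connection that the exclude section does not remove; expect very high volume and size the log pipeline for it before deploying. The MitreRef value is written as T1043 to match the T-prefixed form used elsewhere in this file.-->
<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=T1043" condition="is">80</DestinationPort>
<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=T1043" condition="is">443</DestinationPort>
<DestinationPort name="Service=Remote Desktop Connection" condition="is">3389</DestinationPort>
<DestinationPort condition="is">3540</DestinationPort> <!--Remote Assistance Port-->
<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=T1043" condition="is">22</DestinationPort>
<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=T1043" condition="is">23</DestinationPort>
<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=T1043" condition="is">25</DestinationPort>
<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=T1043" condition="is">139</DestinationPort>
<!--<DestinationPort condition="is">445</DestinationPort> SMB Port: Removed because of noise-->
<DestinationPort name="Service=VNC" condition="is">5800</DestinationPort>
<DestinationPort name="Service=VNC" condition="is">5900</DestinationPort>
<!--VPN and tunnel ports. Labels corrected: 1723 is PPTP and 4500 is IPsec NAT-T (both were tagged as Tor); the Tor defaults are 9001 and 9030 below. Corporate VPN clients legitimately use these ports, so keep the suspicious_net_event tag only if that traffic is excluded elsewhere.-->
<DestinationPort name="Service=OpenVPN,suspicious_net_event=True" condition="is">1194</DestinationPort>
<DestinationPort name="Service=L2TP,suspicious_net_event=True" condition="is">1701</DestinationPort>
<DestinationPort name="Service=PPTP,suspicious_net_event=True" condition="is">1723</DestinationPort>
<DestinationPort name="Service=IPSec" condition="is">1293</DestinationPort>
<DestinationPort name="Service=IPsec NAT-T,suspicious_net_event=True" condition="is">4500</DestinationPort>
<DestinationPort name="Service=Socks Proxy Port" condition="is">1080</DestinationPort>
<DestinationPort name="Service=HTTP Proxy Port" condition="is">8080</DestinationPort> <!--8080 and 3128 are HTTP proxy defaults (3128 is Squid's), not SOCKS-->
<DestinationPort name="Service=HTTP Proxy Port" condition="is">3128</DestinationPort>
<DestinationPort name="Service=Tor,suspicious_net_event=True" condition="is">9001</DestinationPort>
<DestinationPort name="Service=Tor,suspicious_net_event=True" condition="is">9030</DestinationPort>
<!--Suspicious ports from the referenced spreadsheet. 3360 appeared twice and is listed once; 666 and 9943 are listed only under "Ports: Threats" below, where their RuleName carries a more specific reference. 49180, 65520 and 65535 fall inside the Windows dynamic port range (49152 and above), so ordinary RPC endpoint traffic will also match them.-->
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4443</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">2448</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">8143</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1777</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1443</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">243</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">65535</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13506</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">3360</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">200</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">198</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">49180</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13507</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">6625</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4444</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4438</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1904</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13505</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13504</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">12102</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">9631</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">5445</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">2443</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">777</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13394</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13145</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">12103</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">5552</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">3939</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">3675</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">473</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">5649</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4455</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4433</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1817</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">100</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">65520</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1960</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1515</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">743</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">700</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">14154</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">14103</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">14102</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">12322</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">10101</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">7210</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4040</DestinationPort>
<!--Ports: Threats (the 666 entry now uses the same Info= key as its neighbours so downstream parsing sees one key)-->
<DestinationPort name="Info=Suspicious Ports: https://www.hybrid-analysis.com/search?query=port:7777,suspicious_net_event=True" condition="is">7777</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://www.hybrid-analysis.com/search?query=port:9943,suspicious_net_event=True" condition="is">9943</DestinationPort>
<DestinationPort name="Info=Suspicious Ports: https://www.hybrid-analysis.com/search?query=port:666,suspicious_net_event=True" condition="is">666</DestinationPort>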
</NetworkConnect>
<NetworkConnect onmatch="exclude">
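<!--SECTION: Microsoft -->
<!--NOTE: an Image exclusion suppresses every network event from that binary regardless of destination, so keep this list to processes whose traffic is genuinely unreviewable and rely on other controls to protect the integrity of these directories. MSExchangeFrontendTransport.exe was listed twice and is now listed once.-->
<Image condition="is">C:\Windows\System32\dns.exe</Image> <!-- Exclude Microsoft DNS Server DNS requests -->
<Image condition="is">C:\Windows\System32\find.exe</Image><!-- Oddly find.exe connects to localhost and creates spam -->
<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe</Image> <!-- Exclude Microsoft Exchange connecting to localhost -->
<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe</Image> <!--Exchange Transport-->
<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\EdgeTransport.exe</Image> <!--Exchange Edge Transport-->
<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe</Image> <!--Exchange Submission-->
<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe</Image> <!--Exchange Delivery-->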
<!--Ignore Microsoft connections: destination hostname suffix exclusions (despite the old heading this is not an ASN or IP block; it matches on the name Sysmon resolves for the destination, so it applies only when that lookup succeeds).-->
<!--CAUTION: "end with" is a bare suffix test with no label boundary, so an entry such as windows.net also excludes any unrelated name that merely ends in those characters, and short suffixes (windows.net, akamaiedge.net, msedge.net) cover multi-tenant cloud and CDN hosting rather than only Microsoft's own services. Several entries are truncated copies of a neighbouring full name (e.g. odern.watson.data.microsoft.com.akadns.net alongside modern.watson.data.microsoft.com.akadns.net); they still match as suffixes but make the list hard to audit.-->
<DestinationHostname condition="end with">aps.windows.com</DestinationHostname>
<DestinationHostname condition="end with">arc.msn.com</DestinationHostname>
<DestinationHostname condition="end with">arc.msn.com.nsatc.net</DestinationHostname>
<DestinationHostname condition="end with">atson.telemetry.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">au.download.windowsupdate.com</DestinationHostname>
<DestinationHostname condition="end with">b.akamaiedge.net</DestinationHostname>
<DestinationHostname condition="end with">bing.com</DestinationHostname>
<DestinationHostname condition="end with">cdn.onenote.net</DestinationHostname>
<DestinationHostname condition="end with">client-office365-tas.msedge.net</DestinationHostname>
<DestinationHostname condition="end with">config.edge.skype.com</DestinationHostname>
<DestinationHostname condition="end with">csp.digicert.com</DestinationHostname>
<DestinationHostname condition="end with">ctldl.windowsupdate.com</DestinationHostname>
<DestinationHostname condition="end with">cy2.licensing.md.mp.microsoft.com.akadns.net</DestinationHostname>
<DestinationHostname condition="end with">cy2.settings.data.microsoft.com.akadns.net</DestinationHostname>
<DestinationHostname condition="end with">displaycatalog.mp.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">download.windowsupdate.com</DestinationHostname>
<DestinationHostname condition="end with">e3.delivery.dsp.mp.microsoft.com.nsatc.net</DestinationHostname>
<DestinationHostname condition="end with">e-msedge.net</DestinationHostname>
<DestinationHostname condition="end with">emdl.ws.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">ettings-win.data.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">fe2.update.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">fe3.delivery.dsp.mp.microsoft.com.nsatc.net</DestinationHostname>
<DestinationHostname condition="end with">fe3.delivery.mp.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">g.akamaiedge.net</DestinationHostname>
<DestinationHostname condition="end with">g.live.com</DestinationHostname>
<DestinationHostname condition="end with">g.msn.com.nsatc.net</DestinationHostname>
<DestinationHostname condition="end with">geo-prod.do.dsp.mp.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">geo-prod.dodsp.mp.microsoft.com.nsatc.net</DestinationHostname>
<DestinationHostname condition="end with">ile-service.weather.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">ip5.afdorigin-prod-am02.afdogw.com</DestinationHostname>
<DestinationHostname condition="end with">ipv4.login.msa.akadns6.net</DestinationHostname>
<DestinationHostname condition="end with">licensing.mp.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">m3p.wns.notify.windows.com.akadns.net</DestinationHostname>
<DestinationHostname condition="end with">modern.watson.data.microsoft.com.akadns.net</DestinationHostname>
<DestinationHostname condition="end with">msn.com.nsatc.net</DestinationHostname>
<DestinationHostname condition="end with">ocation-inference-westus.cloudapp.net</DestinationHostname>
<DestinationHostname condition="end with">ocos-office365-s2s.msedge.net</DestinationHostname>
<DestinationHostname condition="end with">ocsp.digicert.com</DestinationHostname>
<DestinationHostname condition="end with">odern.watson.data.microsoft.com.akadns.net</DestinationHostname>
<DestinationHostname condition="end with">oneclient.sfx.ms</DestinationHostname>
<DestinationHostname condition="end with">pv4.login.msa.akadns6.net</DestinationHostname>
<DestinationHostname condition="end with">query.prod.cms.rt.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">ris.api.iris.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">ris.api.iris.microsoft.com.akadns.net</DestinationHostname>
<DestinationHostname condition="end with">s-msedge.net</DestinationHostname>
<DestinationHostname condition="end with">settings.data.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">sfe.trafficshaping.dsp.mp.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">sls.update.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">storecatalogrevocation.storequality.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">storeedgefd.dsx.mp.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">telecommand.telemetry.microsoft.com.akadns.net</DestinationHostname>
<DestinationHostname condition="end with">tile-service.weather.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">tlu.dl.delivery.mp.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">tsfe.trafficshaping.dsp.mp.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">vip5.afdorigin-prod-am02.afdogw.com</DestinationHostname>
<DestinationHostname condition="end with">vip5.afdorigin-prod-ch02.afdogw.com</DestinationHostname>
<DestinationHostname condition="end with">windowsupdate.com</DestinationHostname>
<DestinationHostname condition="end with">y2.displaycatalog.md.mp.microsoft.com.akadns.net</DestinationHostname>
<DestinationHostname condition="end with">y2.licensing.md.mp.microsoft.com.akadns.net</DestinationHostname>
<DestinationHostname condition="end with">y2.settings.data.microsoft.com.akadns.net</DestinationHostname>
<DestinationHostname condition="end with">msedge.net</DestinationHostname>
<DestinationHostname condition="end with">windows.net</DestinationHostname>
<DestinationHostname condition="end with">msn.com</DestinationHostname>
<DestinationHostname condition="end with">virtualearth.net</DestinationHostname>
<DestinationHostname condition="end with">bingforbusiness.com</DestinationHostname>
<DestinationHostname condition="end with">outlook.com</DestinationHostname>
<DestinationHostname condition="end with">lync.com</DestinationHostname>
<DestinationHostname condition="end with">cloudapp.net</DestinationHostname>
<DestinationHostname condition="end with">microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">ec2-34-204-73-148.compute-1.amazonaws.com</DestinationHostname>
<DestinationHostname condition="end with">ec2-52-201-35-219.compute-1.amazonaws.com</DestinationHostname>
<DestinationHostname condition="end with">ec2-34-230-137-236.compute-1.amazonaws.com</DestinationHostname>
<DestinationHostname condition="end with">ec2-52-45-9-47.compute-1.amazonaws.com</DestinationHostname>
<DestinationHostname condition="end with">ec2-52-71-74-246.compute-1.amazonaws.com</DestinationHostname>
<DestinationHostname condition="end with">ec2-54-89-54-171.compute-1.amazonaws.com</DestinationHostname>
<DestinationHostname condition="end with">eset.com</DestinationHostname>
<DestinationHostname condition="end with">n-able.com</DestinationHostname>
<DestinationHostname condition="end with">www.agentexchange.com</DestinationHostname>
<DestinationHostname condition="end with">map2.hwcdn.net</DestinationHostname>
<Image condition="is">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
<DestinationIsIpv6 condition="is">true </DestinationIsIpv6> <!-- IPv6 exclusion: drops every IPv6 connection event; remove this rule if IPv6 is in use on your network. NOTE(review): the value carries a trailing space ("true "); confirm the "is" match still fires on the deployed Sysmon version -->
<Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive-->
<Image condition="image">Spotify.exe</Image> <!--Spotify-->
<Image condition="end with">AppData\Roaming\Dropbox\bin\Dropbox.exe</Image> <!--Dropbox-->
<Image condition="image">OneDriveStandaloneUpdater.exe</Image> <!--Microsoft:OneDrive-->
<Image condition="image">ConnectWise.exe</Image> <!--ConnectWise Noise-->
<Image condition="image">ScreenConnect.WindowsClient.exe</Image> <!--ScreenConnect Noise-->
<Image condition="end with">AppData\Roaming\Dashlane\Dashlane.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
<Image condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--Vivaldi Browser Installed in User profile-->
<DestinationHostname condition="end with">microsoft.com</DestinationHostname> <!--Microsoft:Update delivery-->
<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname> <!--Microsoft:Update delivery-->
<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname> <!--Microsoft:Update delivery-->
<DestinationHostname condition="end with">.search.msn.com</DestinationHostname> <!--Bing & Cortana Searches-->
<DestinationHostname condition="end with">.wns.windows.com</DestinationHostname> <!-- Windows communication -->
<DestinationHostname condition="end with">akamaitechnologies.com</DestinationHostname> <!-- CDN for Microsoft, Apple, Valve, & More -->
<SourcePortName condition="is">llmnr</SourcePortName> <!--Silence Link-Local Multicast Name Resolution-->
<SourcePortName condition="is">ldap</SourcePortName> <!--Silence LDAP-->
<DestinationPortName condition="is">ldap</DestinationPortName> <!--Silence LDAP-->
<DestinationPortName condition="is">epmap</DestinationPortName> <!--Silence RPC endpoint mapper (epmap, port 135)-->
<SourcePortName condition="is">epmap</SourcePortName> <!--Silence RPC endpoint mapper (epmap, port 135)-->
<SourcePort condition="is">135</SourcePort> <!--epmap Port-->
<DestinationPort condition="is">135</DestinationPort> <!--epmap Port-->
<SourcePortName condition="is">ntp</SourcePortName> <!--Silence NTP-->
<DestinationPortName condition="is">ntp</DestinationPortName> <!--Silence NTP-->
<DestinationPortName condition="is">llmnr</DestinationPortName> <!--Silence Link-Local Multicast Name Resolution-->
<DestinationPortName condition="is">ssdp</DestinationPortName> <!--Simple Service Discovery Protocol (SSDP)-->
<SourcePortName condition="is">ssdp</SourcePortName> <!--Simple Service Discovery Protocol (SSDP)-->
<DestinationPort condition="is">5353</DestinationPort> <!--Bonjour/Avahi Discovery-->
<DestinationPortName condition="is">netbios-ns</DestinationPortName> <!--Netbios DNS Resolution-->
<DestinationPortName condition="is">netbios-dgm</DestinationPortName> <!--Netbios Datagram Services-->
<DestinationHostname condition="end with">1e100.net</DestinationHostname> <!--Google Chrome Safe Search checks-->
<DestinationPort condition="is">5228</DestinationPort> <!--Google Chrome Safe Search checks-->
<DestinationPort condition="is">5357</DestinationPort> <!--WSD API noise-->
<DestinationPort condition="is">3544</DestinationPort> <!--Teredo-->
<DestinationPort condition="is">3702</DestinationPort> <!--Windows: WS-Discovery noise-->
<SourcePort condition="is">3702</SourcePort> <!--Windows: WS-Discovery noise-->
<SourcePort condition="is">50646</SourcePort> <!--Windows: WS-Discovery noise-->
<DestinationPort condition="is">53</DestinationPort> <!--DNS Lookups-->
<SourcePort condition="is">53</SourcePort> <!--DNS Lookups-->
<SourcePort condition="is">67</SourcePort> <!--Bootp Lookups-->
<DestinationPort condition="is">67</DestinationPort> <!--Bootp Lookups-->
<SourcePort condition="is">1812</SourcePort> <!--Radius-->
<DestinationPort condition="is">1812</DestinationPort> <!--Radius-->
<SourcePort condition="is">49154</SourcePort> <!--DFRS/ADFS Replication spam-->
<DestinationPort condition="is">49154</DestinationPort> <!--DFRS/ADFS Replication spam-->
<SourcePort condition="is">59241</SourcePort> <!--DFRS/ADFS Replication spam-->
<DestinationPort condition="is">59241</DestinationPort> <!--DFRS/ADFS Replication spam-->
<SourcePort condition="is">52176</SourcePort> <!--DFRS/ADFS Replication spam-->
<DestinationPort condition="is">52176</DestinationPort> <!--DFRS/ADFS Replication spam-->
<SourcePort condition="is">49209</SourcePort> <!--DFRS/ADFS Replication spam-->
<DestinationPort condition="is">49209</DestinationPort> <!--DFRS/ADFS Replication spam-->
<SourcePort condition="is">6007</SourcePort> <!--Exchange WMI Spam-->
<DestinationPort condition="is">6007</DestinationPort> <!--Exchange WMI Spam-->
<Image condition="end with">C:\Program Files (x86)\SmartGit\jre\bin\java.exe</Image>
<Image condition="end with">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image>
<Image condition="end with">penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->
<DestinationHostname condition="begin with">efolder01</DestinationHostname> <!-- eFolder Noise -->
<DestinationPort condition="is">2080</DestinationPort><!--eFolder Noise -->
<Image condition="end with">g2mcomm.exe</Image> <!-- gotomeeting noise -->
<Image condition="end with">C:\Program Files (x86)\LabTech Client\LTClient.exe</Image>
<Image condition="end with">C:\Windows\LTSvc\LTSVC.exe</Image>
<Image condition="end with">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
<Image condition="begin with">C:\Program Files (x86)\SmartGit\</Image>
<Image condition="end with">DSPro\Programs\pr001Celery98.exe</Image>
<Image condition="image">g2ax_comm_expert.exe</Image> <!--GoToMeeting-->
<Image condition="image">g2mcomm.exe</Image> <!--GoToMeeting-->
<Image condition="end with">AppData\Local\Microsoft\Teams\current\Teams.exe</Image> <!--Microsoft: Teams-->
<DestinationPort condition="is">53</DestinationPort> <!--DNS Lookups-->
</NetworkConnect>
<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES-->
<!--DATA: UtcTime, State, Version, SchemaVersion-->
<!--Cannot be filtered.-->
<!--SYSMON EVENT ID 5 : PROCESS ENDED [ProcessTerminate]-->
<!--COMMENT: Useful data in building infection timelines.-->
<!--DATA: Rulename, UtcTime, ProcessGuid, ProcessId, Image-->
<ProcessTerminate onmatch="include">
<!--COMMENT: Include-mode filter: a process termination is logged only when its Image matches one of the rules below.
Useful data in building infection timelines.-->
<Image condition="begin with">C:\Users</Image> <!--Terminations of binaries run from a user profile-->
<Image condition="begin with">C:\ProgramData</Image> <!--Terminations of binaries run from ProgramData-->
<Image condition="contains">\Temp\</Image> <!--Terminations of binaries run from any Temp directory-->
<Image condition="end with">Sysmon.exe</Image> <!--Detect killing Sysmon, Credit: @vector_sec. NOTE(review): matches on the image name only; a Sysmon service installed under a different binary name would not be covered, so confirm the installed name-->
<Image condition="end with">Sysmon64.exe</Image> <!--Detect killing Sysmon (64-bit binary), Credit: @vector_sec-->
</ProcessTerminate>
<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
<!--COMMENT: Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
about what you exclude from monitoring. Low event volume, little incentive to exclude.
[ https://attack.mitre.org/wiki/Technique/T1014 ] -->
<!--TECHNICAL: Sysmon will check the signing certificate revocation status of any driver you don't exclude.-->
<!--DATA: RuleName, UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
<DriverLoad onmatch="exclude">
<!--COMMENT: Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
about what you exclude from monitoring. Low event volume, little incentive to exclude.-->
<!--NOTE(review): Every rule below excludes on the signer name (Signature field) alone. This block carries no Signed or
SignatureStatus condition, so a driver whose signer string matches is excluded regardless of what SignatureStatus reports
(including the revocation result that CheckRevocation produces). "contains" is substring matching and is therefore broad:
any signer whose name contains the token is excluded. Prefer condition="is" with the exact signer string where the
environment allows, and review this list whenever a new vendor is added.-->
<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft drivers (any signer containing "microsoft")-->
<Signature condition="is">Microsoft Windows</Signature> <!--Exclude signed Microsoft drivers (exact signer match)-->
<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft drivers (any signer containing "windows")-->
<Signature condition="begin with">Intel</Signature> <!--Exclude signed Intel drivers-->
<Signature condition="contains">Lenovo</Signature> <!--Exclude signed Lenovo drivers-->
<Signature condition="contains">Synaptic</Signature> <!--Exclude signed Synaptic drivers-->
<Signature condition="contains">Nvidia</Signature> <!--Exclude signed Nvidia drivers-->
<Signature condition="contains">Broadcom</Signature> <!--Exclude signed Broadcom drivers-->
<Signature condition="contains">AMD</Signature> <!--Exclude signed AMD drivers (short token; substring match may also hit unrelated signers)-->
<Signature condition="contains">VMware</Signature> <!--Exclude signed VMware drivers-->
<Signature condition="contains">Realtek</Signature> <!--Exclude signed Realtek drivers-->
<Signature condition="contains">Micro-Star</Signature> <!--Exclude signed MSI drivers-->
<Signature condition="contains">Logitech</Signature> <!--Exclude signed Logitech drivers-->
<Signature condition="contains">Asmedia</Signature> <!--Exclude signed Asmedia drivers-->
<Signature condition="contains">SteelSeries</Signature> <!--Exclude signed SteelSeries drivers-->
<Signature condition="contains">Fortinet</Signature> <!--Exclude signed Fortinet drivers-->
<Signature condition="contains">Webroot</Signature> <!--Exclude signed Webroot drivers-->
<Signature condition="is">NoVirusThanks Company Srl</Signature> <!--Exclude signed NoVirusThanks drivers (exact signer match)-->
<Signature condition="contains">Invincea</Signature> <!--Exclude signed Invincea drivers-->
<Signature condition="contains">ShoreTel</Signature> <!--Exclude signed ShoreTel drivers-->
<Signature condition="contains">Synology</Signature> <!--Exclude signed Synology drivers-->
<Signature condition="contains">Citrix</Signature> <!--Exclude signed Citrix drivers-->
<Signature condition="contains">SonicWall</Signature> <!--Exclude signed SonicWall drivers-->
<Signature condition="contains">Sophos</Signature> <!--Exclude signed Sophos drivers-->
<Signature condition="contains">OpenVPN</Signature> <!--Exclude signed OpenVPN drivers-->
</DriverLoad>
<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS [ImageLoad]-->
<!--COMMENT: Can cause high system load; disabled by default in the upstream config, enabled here through the include/exclude rules below.-->
<!--COMMENT: [ https://attack.mitre.org/wiki/Technique/T1073 ] [ https://attack.mitre.org/wiki/Technique/T1038 ] [ https://attack.mitre.org/wiki/Technique/T1034 ] -->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
<ImageLoad onmatch="include">
<!--COMMENT: Include-mode filter: an image load is logged only when it matches a rule here and is not dropped by the
exclude block that follows (Sysmon evaluates exclude matches first). Named rules surface their name in the event's RuleName field.-->
<Signed condition="is">false</Signed> <!--Log every unsigned DLL load-->
<SignatureStatus condition="is">Invalid</SignatureStatus> <!--Log DLLs whose signature fails verification-->
<SignatureStatus condition="is">Unavailable</SignatureStatus> <!--Log DLLs whose signature status could not be determined-->
<ImageLoaded condition="contains">C:\windows\system32\fxsst.dll</ImageLoaded> <!-- CIA Vault7 Leak: Fax DLL Injection. "contains" (rather than "is") keeps the match tolerant of alternate path spellings -->
<ImageLoaded condition="contains">C:\Windows\System32\wbem\oci.dll</ImageLoaded> <!-- CIA Vault7 Leak: Distributed Transaction Coordinator DLL Injection -->
<ImageLoaded condition="contains">\Temp\</ImageLoaded> <!--Any DLL loaded from a Temp directory, signed or not-->
<ImageLoaded name="MitreRef=T1128,Technique=Netsh Helper Beacon DLL,Tactic=Persistence,Alert=Cobalt Strike Netsh Helper Beacon" condition="contains">NetshHelperBeacon</ImageLoaded> <!--Known helper DLL name; alert-level rule-->
<Image name="MitreRef=T1128,Technique=Netsh Helper Beacon DLL,Tactic=Persistence" condition="contains">netsh.exe</Image> <!--Logs every image load by netsh.exe so any helper DLL it loads is captured; the exclude block below trims the signed Microsoft ones-->
<ImageLoaded name="Alert=Ramnit Banker Malware!" condition="contains">rmnsoft.dll</ImageLoaded> <!--Known malicious DLL name; alert-level rule-->
</ImageLoad>
<ImageLoad onmatch="exclude">
<SignatureStatus condition="is">Valid</SignatureStatus>
<ImageLoaded condition="end with">System32\samlib.dll</ImageLoaded> <!-- Spam -->
<ImageLoaded condition="end with">System32\cryptdll.dlll</ImageLoaded> <!-- Spam. NOTE(review): the pattern ends in "dlll" (three l's), so this rule cannot match cryptdll.dll; the effective exclusions are the condition="is" cryptdll.dll rules further down -->
<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft libraries-->
<Signature condition="is">Microsoft Windows</Signature> <!--Exclude signed Microsoft libraries-->
<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft libraries-->
<Signature condition="begin with">Intel</Signature> <!--Exclude signed Intel libraries-->
<Signature condition="contains">Lenovo</Signature> <!--Exclude signed Lenovo libraries-->
<Signature condition="contains">Synaptic</Signature> <!--Exclude signed Synaptic libraries-->
<Signature condition="contains">Nvidia</Signature> <!--Exclude signed Nvidia libraries-->
<Signature condition="contains">Broadcom</Signature> <!--Exclude signed Broadcom libraries-->
<Signature condition="contains">AMD</Signature> <!--Exclude signed AMD libraries-->
<Signature condition="contains">VMware</Signature> <!--Exclude signed VMware libraries-->
<Signature condition="contains">Realtek</Signature> <!--Exclude signed Realtek libraries-->
<Signature condition="contains">Micro-Star</Signature> <!--Exclude signed MSI libraries-->
<Signature condition="contains">Logitech</Signature> <!--Exclude signed Logitech libraries-->
<Signature condition="contains">Asmedia</Signature> <!--Exclude signed Asmedia libraries-->
<Signature condition="contains">SteelSeries</Signature> <!--Exclude signed MSI libraries-->
<Signature condition="contains">Fortinet</Signature> <!--Exclude signed MSI libraries-->
<Company condition="contains">Microsoft</Company>
<Product condition="contains">Microsoft</Product>
<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
<Signature condition="contains">Webroot</Signature> <!--Exclude signed MSI libraries-->
<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
<Image condition="is">C:\Windows\System32\mmc.exe</Image>
<Image condition="is">C:\Windows\System32\SearchFilterHost.exe</Image>
<Image condition="is">C:\Windows\System32\SearchProtocolHost.exe</Image>
<Image condition="is">C:\Windows\sysmon64.exe</Image>
<Image condition="is">C:\Windows\System32\inetsrv\w3wp.exe</Image>
<ImageLoaded condition="is">C:\Windows\sysmon64.exe</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\conhost.exe</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\winspool.drv</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\wshqos.</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\wow64.dll</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\clusapi.dll</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\wow64win.dll</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\wow64.dll</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\pcwum.dll</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\kernel32.dll</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\user32.dll</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\dns.exe</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\zvprtmon5.dll</ImageLoaded>
<ImageLoaded condition="is">C:\Windows\System32\termsrv.dll</ImageLoaded>
<ImageLoaded condition="begin with">C:\Windows\System32\spool\</ImageLoaded>
<ImageLoaded condition="end with">samlib.dll</ImageLoaded>
<ImageLoaded condition="contains">C:\Program Files (x86)\SmartGit</ImageLoaded> <!--SmartGit-->
<ImageLoaded condition="contains">syntevo\SmartGit</ImageLoaded> <!--SmartGit-->
<ImageLoaded condition="contains">Labtech Client</ImageLoaded>
<ImageLoaded condition="contains">CrystalDecisions</ImageLoaded>
<ImageLoaded condition="contains">ShoreWare</ImageLoaded>
<ImageLoaded condition="is">C:\Program Files\Microsoft SQL Server\100\Shared\dbghelp.dll</ImageLoaded>
<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image> <!-- Windows Store apps unsigned -->
<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
<Image condition="begin with">C:\Program Files</Image> <!-- NOTICE: weakens coverage (unsigned DLLs loaded by any process under Program Files are dropped) but greatly reduces noise; we still log dropped DLLs -->
<ImageLoaded condition="contains">C:\Windows\assembly\NativeImages</ImageLoaded> <!-- Event Viewer -->
<ImageLoaded condition="contains">C:\Program Files\WindowsApps</ImageLoaded> <!-- Windows Store apps: most DLLs here appear to be unsigned and generate noise -->