Updated after successful CICD run 06/21/2023 13:43:46 UTC

olafhartong · Jun 21, 2023 · 3f0dce6 · 3f0dce6
1 parent d7bc0e2
commit 3f0dce6
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 135 deletions.
diff --git a/0_custom_configuration/all_modules.txt b/0_custom_configuration/all_modules.txt
diff --git a/sysmonconfig-excludes-only.xml b/sysmonconfig-excludes-only.xml
@@ -945,10 +945,6 @@
     <RuleGroup groupRelation="or">
       <FileDelete onmatch="include" />
     </RuleGroup>
-    <!-- Event ID 23 == File Delete and overwrite events - Excludes -->
-    <RuleGroup groupRelation="or">
-      <FileDelete onmatch="exclude" />
-    </RuleGroup>
     <!-- Event ID 24 == Clipboard change events, only captures text, not files - Includes -->
     <RuleGroup groupRelation="or">
       <!-- Default set to disabled due to privacy implications and potential data you leave for attackers, enable with care!-->

diff --git a/sysmonconfig-mde-augment.xml b/sysmonconfig-mde-augment.xml
@@ -1821,6 +1821,64 @@
     <!-- Event ID 23 == File Delete and overwrite events which saves a copy to the archivedir - Only use in IR -->
     <RuleGroup groupRelation="or">
       <FileDelete onmatch="include">
+        <Rule name="Executables" groupRelation="and">
+          <IsExecutable>True</IsExecutable>
+          <Image condition="is not">C:\Windows\system32\cleanmgr.exe</Image>
+          <TargetFilename condition="not end with">.mui</TargetFilename>
+        </Rule>
+        <Rule name="Office documents" groupRelation="or">
+          <TargetFilename condition="end with">.doc</TargetFilename>
+          <TargetFilename condition="end with">.dot</TargetFilename>
+          <TargetFilename condition="end with">.docx</TargetFilename>
+          <TargetFilename condition="end with">.docm</TargetFilename>
+          <TargetFilename condition="end with">.doc</TargetFilename>
+          <TargetFilename condition="end with">.dot</TargetFilename>
+          <TargetFilename condition="end with">.docx</TargetFilename>
+          <TargetFilename condition="end with">.docm</TargetFilename>
+          <TargetFilename condition="end with">.dotx</TargetFilename>
+          <TargetFilename condition="end with">.dotm</TargetFilename>
+          <TargetFilename condition="end with">.docb</TargetFilename>
+          <TargetFilename condition="end with">.xls</TargetFilename>
+          <TargetFilename condition="end with">.xlt</TargetFilename>
+          <TargetFilename condition="end with">.xlm</TargetFilename>
+          <TargetFilename condition="end with">.xlsx</TargetFilename>
+          <TargetFilename condition="end with">.xlsm</TargetFilename>
+          <TargetFilename condition="end with">.xltx</TargetFilename>
+          <TargetFilename condition="end with">.xltm</TargetFilename>
+          <TargetFilename condition="end with">.xlsb</TargetFilename>
+          <TargetFilename condition="end with">.ppt</TargetFilename>
+          <TargetFilename condition="end with">.pptx</TargetFilename>
+          <TargetFilename condition="end with">.pptm</TargetFilename>
+          <TargetFilename condition="end with">.potx</TargetFilename>
+          <TargetFilename condition="end with">.potm</TargetFilename>
+          <TargetFilename condition="end with">.odt</TargetFilename>
+          <TargetFilename condition="end with">.ods</TargetFilename>
+          <TargetFilename condition="end with">.odp</TargetFilename>
+          <TargetFilename condition="end with">.pdf</TargetFilename>
+          <TargetFilename condition="end with">.rtf</TargetFilename>
+        </Rule>
+        <Rule name="Scripts and payloads" groupRelation="or">
+          <TargetFilename condition="end with">.aspx</TargetFilename>
+          <TargetFilename condition="end with">.bat</TargetFilename>
+          <TargetFilename condition="end with">.ps1</TargetFilename>
+          <TargetFilename condition="end with">.vbs</TargetFilename>
+          <TargetFilename condition="end with">.vba</TargetFilename>
+          <TargetFilename condition="end with">.hta</TargetFilename>
+          <TargetFilename condition="end with">.jar</TargetFilename>
+          <TargetFilename condition="end with">.js</TargetFilename>
+          <TargetFilename condition="end with">.cmd</TargetFilename>
+          <TargetFilename condition="end with">.sh</TargetFilename>
+          <TargetFilename condition="end with">.sct</TargetFilename>
+          <TargetFilename condition="end with">.lnk</TargetFilename>
+        </Rule>
+        <Rule name="other interesting files" groupRelation="or">
+          <TargetFilename condition="end with">.bin</TargetFilename>
+          <TargetFilename condition="end with">.iso</TargetFilename>
+          <TargetFilename condition="end with">.7z</TargetFilename>
+          <TargetFilename condition="end with">.msi</TargetFilename>
+          <TargetFilename condition="end with">.dmp</TargetFilename>
+          <TargetFilename condition="end with">.reg</TargetFilename>
+        </Rule>
         <TargetFilename condition="contains all">C:\Program Files\Microsoft SQL Server;\Shared\ErrorDumps</TargetFilename>
         <TargetFilename condition="contains all">C:\Program Files\Microsoft SQL Server;\DataDumps</TargetFilename>
         <TargetFilename condition="contains all">C:\Program Files (X86)\Microsoft SQL Server\;Shared\ErrorDumps</TargetFilename>
@@ -2017,64 +2075,6 @@
           <TargetFilename condition="begin with">C:\Windows\SysWOW64\Tasks</TargetFilename>
           <TargetFilename condition="contains any">.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct</TargetFilename>
         </Rule>
-        <Rule name="Executables" groupRelation="and">
-          <IsExecutable>True</IsExecutable>
-          <Image condition="is not">C:\Windows\system32\cleanmgr.exe</Image>
-          <TargetFilename condition="not end with">.mui</TargetFilename>
-        </Rule>
-        <Rule name="Office documents" groupRelation="or">
-          <TargetFilename condition="end with">.doc</TargetFilename>
-          <TargetFilename condition="end with">.dot</TargetFilename>
-          <TargetFilename condition="end with">.docx</TargetFilename>
-          <TargetFilename condition="end with">.docm</TargetFilename>
-          <TargetFilename condition="end with">.doc</TargetFilename>
-          <TargetFilename condition="end with">.dot</TargetFilename>
-          <TargetFilename condition="end with">.docx</TargetFilename>
-          <TargetFilename condition="end with">.docm</TargetFilename>
-          <TargetFilename condition="end with">.dotx</TargetFilename>
-          <TargetFilename condition="end with">.dotm</TargetFilename>
-          <TargetFilename condition="end with">.docb</TargetFilename>
-          <TargetFilename condition="end with">.xls</TargetFilename>
-          <TargetFilename condition="end with">.xlt</TargetFilename>
-          <TargetFilename condition="end with">.xlm</TargetFilename>
-          <TargetFilename condition="end with">.xlsx</TargetFilename>
-          <TargetFilename condition="end with">.xlsm</TargetFilename>
-          <TargetFilename condition="end with">.xltx</TargetFilename>
-          <TargetFilename condition="end with">.xltm</TargetFilename>
-          <TargetFilename condition="end with">.xlsb</TargetFilename>
-          <TargetFilename condition="end with">.ppt</TargetFilename>
-          <TargetFilename condition="end with">.pptx</TargetFilename>
-          <TargetFilename condition="end with">.pptm</TargetFilename>
-          <TargetFilename condition="end with">.potx</TargetFilename>
-          <TargetFilename condition="end with">.potm</TargetFilename>
-          <TargetFilename condition="end with">.odt</TargetFilename>
-          <TargetFilename condition="end with">.ods</TargetFilename>
-          <TargetFilename condition="end with">.odp</TargetFilename>
-          <TargetFilename condition="end with">.pdf</TargetFilename>
-          <TargetFilename condition="end with">.rtf</TargetFilename>
-        </Rule>
-        <Rule name="Scripts and payloads" groupRelation="or">
-          <TargetFilename condition="end with">.aspx</TargetFilename>
-          <TargetFilename condition="end with">.bat</TargetFilename>
-          <TargetFilename condition="end with">.ps1</TargetFilename>
-          <TargetFilename condition="end with">.vbs</TargetFilename>
-          <TargetFilename condition="end with">.vba</TargetFilename>
-          <TargetFilename condition="end with">.hta</TargetFilename>
-          <TargetFilename condition="end with">.jar</TargetFilename>
-          <TargetFilename condition="end with">.js</TargetFilename>
-          <TargetFilename condition="end with">.cmd</TargetFilename>
-          <TargetFilename condition="end with">.sh</TargetFilename>
-          <TargetFilename condition="end with">.sct</TargetFilename>
-          <TargetFilename condition="end with">.lnk</TargetFilename>
-        </Rule>
-        <Rule name="other interesting files" groupRelation="or">
-          <TargetFilename condition="end with">.bin</TargetFilename>
-          <TargetFilename condition="end with">.iso</TargetFilename>
-          <TargetFilename condition="end with">.7z</TargetFilename>
-          <TargetFilename condition="end with">.msi</TargetFilename>
-          <TargetFilename condition="end with">.dmp</TargetFilename>
-          <TargetFilename condition="end with">.reg</TargetFilename>
-        </Rule>
       </FileDelete>
     </RuleGroup>
     <!-- Event ID 24 == Clipboard change events, only captures text, not files - Only use in IR -->

diff --git a/sysmonconfig.xml b/sysmonconfig.xml
@@ -2330,66 +2330,7 @@
     <!-- Event ID 23 == File Delete and overwrite events which saves a copy to the archivedir - Includes -->
     <!-- Default set to disabled due to disk space implications, enable with care!-->
     <RuleGroup groupRelation="or">
-      <FileDelete onmatch="include">
-        <Rule name="Executables" groupRelation="and">
-          <IsExecutable>True</IsExecutable>
-          <Image condition="is not">C:\Windows\system32\cleanmgr.exe</Image>
-          <TargetFilename condition="not end with">.mui</TargetFilename>
-        </Rule>
-        <Rule name="Office documents" groupRelation="or">
-          <TargetFilename condition="end with">.doc</TargetFilename>
-          <TargetFilename condition="end with">.dot</TargetFilename>
-          <TargetFilename condition="end with">.docx</TargetFilename>
-          <TargetFilename condition="end with">.docm</TargetFilename>
-          <TargetFilename condition="end with">.doc</TargetFilename>
-          <TargetFilename condition="end with">.dot</TargetFilename>
-          <TargetFilename condition="end with">.docx</TargetFilename>
-          <TargetFilename condition="end with">.docm</TargetFilename>
-          <TargetFilename condition="end with">.dotx</TargetFilename>
-          <TargetFilename condition="end with">.dotm</TargetFilename>
-          <TargetFilename condition="end with">.docb</TargetFilename>
-          <TargetFilename condition="end with">.xls</TargetFilename>
-          <TargetFilename condition="end with">.xlt</TargetFilename>
-          <TargetFilename condition="end with">.xlm</TargetFilename>
-          <TargetFilename condition="end with">.xlsx</TargetFilename>
-          <TargetFilename condition="end with">.xlsm</TargetFilename>
-          <TargetFilename condition="end with">.xltx</TargetFilename>
-          <TargetFilename condition="end with">.xltm</TargetFilename>
-          <TargetFilename condition="end with">.xlsb</TargetFilename>
-          <TargetFilename condition="end with">.ppt</TargetFilename>
-          <TargetFilename condition="end with">.pptx</TargetFilename>
-          <TargetFilename condition="end with">.pptm</TargetFilename>
-          <TargetFilename condition="end with">.potx</TargetFilename>
-          <TargetFilename condition="end with">.potm</TargetFilename>
-          <TargetFilename condition="end with">.odt</TargetFilename>
-          <TargetFilename condition="end with">.ods</TargetFilename>
-          <TargetFilename condition="end with">.odp</TargetFilename>
-          <TargetFilename condition="end with">.pdf</TargetFilename>
-          <TargetFilename condition="end with">.rtf</TargetFilename>
-        </Rule>
-        <Rule name="Scripts and payloads" groupRelation="or">
-          <TargetFilename condition="end with">.aspx</TargetFilename>
-          <TargetFilename condition="end with">.bat</TargetFilename>
-          <TargetFilename condition="end with">.ps1</TargetFilename>
-          <TargetFilename condition="end with">.vbs</TargetFilename>
-          <TargetFilename condition="end with">.vba</TargetFilename>
-          <TargetFilename condition="end with">.hta</TargetFilename>
-          <TargetFilename condition="end with">.jar</TargetFilename>
-          <TargetFilename condition="end with">.js</TargetFilename>
-          <TargetFilename condition="end with">.cmd</TargetFilename>
-          <TargetFilename condition="end with">.sh</TargetFilename>
-          <TargetFilename condition="end with">.sct</TargetFilename>
-          <TargetFilename condition="end with">.lnk</TargetFilename>
-        </Rule>
-        <Rule name="other interesting files" groupRelation="or">
-          <TargetFilename condition="end with">.bin</TargetFilename>
-          <TargetFilename condition="end with">.iso</TargetFilename>
-          <TargetFilename condition="end with">.7z</TargetFilename>
-          <TargetFilename condition="end with">.msi</TargetFilename>
-          <TargetFilename condition="end with">.dmp</TargetFilename>
-          <TargetFilename condition="end with">.reg</TargetFilename>
-        </Rule>
-      </FileDelete>
+      <FileDelete onmatch="include" />
     </RuleGroup>
     <!-- Event ID 24 == Clipboard change events, only captures text, not files - Includes -->
     <!-- Default set to disabled due to privacy implications and potential data you leave for attackers, enable with care!-->
@@ -2598,18 +2539,5 @@
     <RuleGroup groupRelation="or">
       <WmiEvent onmatch="exclude" />
     </RuleGroup>
-    <RuleGroup groupRelation="or">
-      <FileDelete onmatch="exclude">
-        <TargetFilename condition="begin with">C:\ProgramData\Sophos</TargetFilename>
-        <Rule groupRelation="and">
-          <Image condition="is">C:\Windows\System32\svchost.exe</Image>
-          <TargetFilename condition="end with">.tmp</TargetFilename>
-        </Rule>
-        <Rule groupRelation="and">
-          <Image condition="is">C:\Windows\System32\svchost.exe</Image>
-          <TargetFilename condition="end with">.tmp</TargetFilename>
-        </Rule>
-      </FileDelete>
-    </RuleGroup>
   </EventFiltering>
 </Sysmon>