Revert "Revert "Thehack3r4chan master""

10_process_access/include_suspicious_locations.xml

@@ -20,6 +20,7 @@
         <SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="contains">\htdocs\</SourceImage>
         <SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="contains">\wwwroot\</SourceImage>
         <SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="contains">\Temp\</SourceImage>
+        <SourceImage name="technique_id=T1036,technique_name=Masquerading" condition="contains">\AppData\</SourceImage>
       </ProcessAccess>
     </RuleGroup>
   </EventFiltering>

11_file_create/include_system_drive.xml

@@ -0,0 +1,11 @@
+<Sysmon schemaversion="4.40">
+  <EventFiltering>
+    <RuleGroup name="" groupRelation="or">
+      <FileCreate onmatch="include">
+        <TargetFilename name="technique_id=T1044,technique_name=File System Permissions Weakness" condition="begin with">C:\Windows\SysWoW64</TargetFilename>
+        <TargetFilename name="technique_id=T1047,technique_name=File System Permissions Weakness" condition="begin with">C:\Windows\System32</TargetFilename>
+        <TargetFilename name="technique_id=T1047,technique_name=File System Permissions Weakness" condition="begin with">C:\Windows\</TargetFilename>
+      </FileCreate>
+    </RuleGroup>
+  </EventFiltering>
+</Sysmon>

12_13_14_registry_event/include_environment_mod.xml

@@ -0,0 +1,9 @@
+<Sysmon schemaversion="4.40">
+  <EventFiltering>
+    <RuleGroup name="" groupRelation="or">
+      <RegistryEvent onmatch="include">
+        <TargetObject name="technique_id=T1015,technique_name=Accessibility Features" condition="contains">HKCU\Environment</TargetObject>
+      </RegistryEvent>
+    </RuleGroup>
+  </EventFiltering>
+</Sysmon>

12_13_14_registry_event/include_office_oulook.xml

@@ -0,0 +1,12 @@
+<Sysmon schemaversion="4.30">
+  <EventFiltering>
+    <RuleGroup name="" groupRelation="or">
+      <RegistryEvent onmatch="include">
+        <TargetObject condition="contains">\Microsoft\Office\Outlook\Addins</TargetObject> <!--Microsoft:Office: Outlook add-ins-->
+        <TargetObject condition="contains">\Software\Microsoft\VSTO\Security\Inclusion</TargetObject> <!-- Uncommon place to load add-ins, especially in HKCU-->
+        <TargetObject condition="contains">\Software\Microsoft\VSTO\SolutionMetadata</TargetObject> <!--Uncommon place to declare add-in metadata, especially in HKCU-->
+        <TargetObject name="technique_name=Outlook Server 95/98 Identity Keys" condition="contains">Identities</TargetObject> 
+      </RegistryEvent>
+    </RuleGroup>
+  </EventFiltering>
+</Sysmon>

12_13_14_registry_event/include_windows_uac_tampering.xml

@@ -3,10 +3,18 @@
 		<RuleGroup name="" groupRelation="or">
 			<RegistryEvent onmatch="include">
 				<!--Windows UAC tampering-->
-				<TargetObject name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject>				<!--Detect: UAC Tampering | Credit @ion-storm -->
-				<TargetObject name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject>				<!--Detect: UAC Tampering | Credit @ion-storm -->
+				<TargetObject name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject> <!--Detect: UAC Tampering | Credit @ion-storm -->
+				<TargetObject name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject> <!--Detect: UAC Tampering | Credit @ion-storm -->
 				<TargetObject name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
 				<TargetObject name="technique_id=T1548.002,technique_name=Bypass User Access Control" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
+				<Rule name="UACMe Dir Prep" groupRelation="and">
+					<TargetObject name="UACMe Dir Prep" condition="begin with">HKU</TargetObject>
+					<TargetObject name="UACMe Dir Prep" condition="contains">Environment</TargetObject>
+				</Rule>
+				<Rule name="UACMe Dir Prep" groupRelation="and">
+					<TargetObject name="UACMe Dir Prep" condition="begin with">HKLM</TargetObject>
+					<TargetObject name="UACMe Dir Prep" condition="contains">Environment</TargetObject>
+				</Rule>
 			</RegistryEvent>
 		</RuleGroup>
 	</EventFiltering>

15_file_create_stream_hash/include_suspicious_locations.xml

@@ -0,0 +1,13 @@
+<Sysmon schemaversion="4.30">
+  <EventFiltering>
+    <RuleGroup name="" groupRelation="or">
+      <FileCreateStreamHash onmatch="include">
+        <TargetFilename condition="contains">Downloads</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
+        <TargetFilename condition="contains">AppData</TargetFilename>
+        <TargetFilename condition="contains">Temp</TargetFilename>
+        <TargetFilename condition="contains">ProgramData</TargetFilename>
+        <TargetFilename condition="contains">Users</TargetFilename>
+      </FileCreateStreamHash>
+    </RuleGroup>
+  </EventFiltering>
+</Sysmon>

17_18_pipe_event/include_all.xml

@@ -0,0 +1,9 @@
+<Sysmon schemaversion="4.50">
+  <EventFiltering>
+    <RuleGroup groupRelation="or">
+        <PipeEvent onmatch="include">
+          <PipeName name="technique_id=T1033,technique_name=System Owner/User Discovery" condition="begin with">\</PipeName>
+        </PipeEvent>
+      </RuleGroup>
+  </EventFiltering>
+</Sysmon>