Skip to content
A Sysmon Config for APTs Techniques Detection
Branch: master
Clone or download

Threat Hunting with Panache_Sysmon Config

  1. Named Panache (see refreshing photo below) cuz it's a mix of a lot of APT reports, tested hacking tools, analyzed malwares, blog posts and MITRE ATT&CK framework.

  2. Sysmon schemaversion "4.1"

  3. Main_Template.xml contains configuration of the less noisy sysmon event categories (i.e. WMI EventSubscription) and can be merged with any of the other event specific configuration files (i.e. Merge Main_Template.xml with ProcessCreate_config.xm to monitor process creation only).

  4. Panache config covers more than 150 different attack techniques (including advanced ones) and also logs important and must to have events that can be processed at the SIEM end.

  5. Example of evtx that are a result of testing Panache_Sysmon can be found in the ATT&CK EVTX repository (i.e. already tested against RedCanary Atomic RedTeam automated testing framework)

  6. Remember, exclude configuration section always depend on your own environment (so make sure to add to it any observed false positives)

                                         Let's Go Hunting, Maybe it's your day
You can’t perform that action at this time.