From a5a769a010ea697dfe5817899944e7da1ecd1d82 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Mon, 12 Jul 2021 15:09:16 +0200 Subject: [PATCH 01/15] Registry key to detect definitions of Windows Defender Exclusions --- sysmonconfig-export.xml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml index f4acf26..d072721 100644 --- a/sysmonconfig-export.xml +++ b/sysmonconfig-export.xml @@ -671,6 +671,7 @@ \SpynetReporting DisableRealtimeMonitoring \SubmitSamplesConsent + HKLM\Software\Microsoft\Windows Defender\Exclusions HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy @@ -1156,4 +1157,4 @@ - \ No newline at end of file + From 9c3adaacc8787cb496a45714559f32e09616d46a Mon Sep 17 00:00:00 2001 From: phantinuss Date: Thu, 15 Jul 2021 09:59:39 +0200 Subject: [PATCH 02/15] extra file extensions for possible webshells --- sysmonconfig-export.xml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml index d072721..01d3081 100644 --- a/sysmonconfig-export.xml +++ b/sysmonconfig-export.xml @@ -515,6 +515,13 @@ .xls .ppt .rtf + + .php + .asp + .aspx + .ashx + .jsp + .pl From 29f7c959d56815dc823a69206d489a6d8d6f1ca2 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Fri, 16 Jul 2021 15:04:08 +0200 Subject: [PATCH 03/15] fix: metasploit port --- sysmonconfig-export.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml index 01d3081..9f407b7 100644 --- a/sysmonconfig-export.xml +++ b/sysmonconfig-export.xml @@ -332,7 +332,7 @@ 3389 5800 5900 - 444 + 4444 1080 3128 From 88e3a0b0cfd04d52e6e8646cce169bbbdfe8e0b6 Mon Sep 17 00:00:00 2001 
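Review bot: The write to `HKLM\Software\Microsoft\Windows Defender\Exclusions` is, for the usual Add-MpPreference / MpCmdRun / WMI route, performed by the Defender service itself, so the Image on the resulting event is typically the engine process rather than the attacker's shell and the real caller has to be recovered from PowerShell or WMI-Activity logging; the added line deserves a comment saying so, e.g. `<!-- Image is usually the Defender engine; correlate with PowerShell/WMI logs for the initiating process -->`. The condition attribute on the entry is not visible in this rendering; since the value is a key prefix it needs `begin with` or `contains` so that the Paths, Processes, Extensions and TemporaryPaths subkeys underneath all match. Exclusions pushed through Group Policy land under `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions` and are not covered by this line on its own.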
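Review bot: The webshell extension list only behaves as intended if its condition is an `end with` match, and that attribute is not visible here; with `contains`, `.pl` would also fire on every `.plist`/`.plg` and `.asp` would double-fire on `.aspx`. Handler extensions the same attack surface routinely uses are still missing — `.jspx`, `.asmx`, `.cshtml`, `.phtml` — and on IIS a dropped `web.config` is at least as interesting as a script file. Hosts that legitimately deploy web content will make this group noisy, so the exclusion side should name the deployment tooling (MSDeploy, CI agents) before this is rolled out widely.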
From: Florian Roth Date: Sat, 24 Jul 2021 08:22:20 +0200 Subject: [PATCH 04/15] squashed pull requests from original repo This was necessary to allow us to 1. merge all open pull request of the original repo AND 2. allow our new repository to receive new pull requests --- README.md | 58 ++++++++-------- sysmonconfig-export.xml | 150 ++++++++++++++++++++++++++++++---------- 2 files changed, 141 insertions(+), 67 deletions(-) diff --git a/README.md b/README.md index 6e4ec41..26525c7 100644 --- a/README.md +++ b/README.md 
@@ -1,49 +1,45 @@ -# sysmon-config | A Sysmon configuration file for everybody to fork # +# sysmon-config | A Sysmon configuration file -This is a Microsoft Sysinternals Sysmon configuration file template with default high-quality event tracing. +This is a forked and modified version of @SwiftOnSecurity's [sysmon config](https://github.com/SwiftOnSecurity/sysmon-config). -The file should function as a great starting point for system change monitoring in a self-contained and accessible package. This configuration and results should give you a good idea of what's possible for Sysmon. Note that this does not track things like authentication and other Windows events that are also vital for incident investigation. +Currently it is simply a copy with most of the 30+ open pull requests of the original repository merged. Thus we have fixed many of the issues that are still present in the original version and extended the coverage by important new extensions that have been provided over the last year. -      **[sysmonconfig-export.xml](https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml)** +## Testing -Because virtually every line is commented and sections are marked with explanations, it should also function as a tutorial for Sysmon and a guide to critical monitoring areas in Windows systems. +This configuration is focused on detection coverage. We have only one rather small testing environment to avoid problematic expressions that trigger too often. It is recommended to test the downloaded configuration on a small set of systems in your environment in any case. -- For a far more exhaustive and detailed approach to Sysmon configuration from a different approach, see also **[sysmon-modular](https://github.com/olafhartong/sysmon-modular)** by [@olafhartong](https://twitter.com/olafhartong), which can act as a superset of sysmon-config. +## Feedback -- Sysmon is a compliment to native Windows logging abilities, not a replacement for it. 
For valuable advice on these configurations, see **[MalwareArchaeology Logging Cheat Sheets](https://www.malwarearchaeology.com/cheat-sheets)** by [@HackerHurricane](https://twitter.com/hackerhurricane). +Since we don't have more than one environment to test the config ourselves, we rely on feedback from the community. -Note: Exact syntax and filtering choices in the configuration are highly deliberate in what they target, and to have as little performance impact as possible. Sysmon's filtering abilities are different than the built-in Windows auditing features, so often a different approach is taken than the normal static listing of paths. +Please report: -      **[See other forks of this configuration](https://github.com/SwiftOnSecurity/sysmon-config/network)** +1. Expressions that cause a high volume of events +2. Broken configuration elements (typos, wrong conditions) +3. Missing coverage (preferrably as a pull request) + +## Usage + +### Install -## Use ## -### Install ### Run with administrator rights -~~~~ + +```batch sysmon.exe -accepteula -i sysmonconfig-export.xml -~~~~ +``` -### Update existing configuration ### -Run with administrator rights -~~~~ -sysmon.exe -c sysmonconfig-export.xml -~~~~ +### Update existing configuration -### Uninstall ### Run with administrator rights -~~~~ -sysmon.exe -u -~~~~ - -## Required actions ## -### Prerequisites ### -Highly recommend using [Notepad++](https://notepad-plus-plus.org/) to edit this configuration. It understands UNIX newline format and does XML syntax highlighting, which makes this very understandable. I do not recommend using the built-in Notepad.exe. +```batch +sysmon.exe -c sysmonconfig-export.xml +``` -### Customization ### -You will need to install and observe the results of the configuration in your own environment before deploying it widely. For example, you will need to exclude actions of your antivirus, which will otherwise likely fill up your logs with useless information. 
+### Uninstall -The configuration is highly commented and designed to be self-explanatory to assist you in this customization to your environment. +Run with administrator rights -### Design notes ### -This configuration expects software to be installed system-wide and NOT in the C:\Users folder. Various pieces of software install themselves in User directories, which are subject to extra monitoring. Where possible, you should install the system-wide version of these pieces of software, like Chrome. See the configuration file for more instructions. +```batch +sysmon.exe -u +``` diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml index f4acf26..9b2c0e7 100644 --- a/sysmonconfig-export.xml +++ b/sysmonconfig-export.xml @@ -1,14 +1,9 @@ - - + md5,sha256,IMPHASH @@ -82,7 +77,10 @@ + "C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe" -Embedding + \Machine\Scripts\Startup\ipamprovisioning.ps1 + C:\Windows\system32\cscript.exe" /nologo "MonitorKnowledgeDiscovery.vbs "C:\Windows\system32\wermgr.exe" "-queuereporting_svc" C:\Windows\system32\DllHost.exe /Processid C:\Windows\system32\wbem\wmiprvse.exe -Embedding @@ -131,7 +129,8 @@ C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc C:\Windows\system32\svchost.exe -k localService -s nsi C:\Windows\system32\svchost.exe -k localService -s w32Time - C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation + C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation + C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -p C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s TimeBrokerSvc 
@@ -150,8 +149,8 @@ C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum - C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s NgcSvc - C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -p -s NgcCtnrSvc + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s NgcSvc + C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -p -s NgcCtnrSvc C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SCardSvr C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv C:\Windows\System32\svchost.exe -k netsvcs -p -s SessionEnv @@ -180,6 +179,7 @@ C:\Windows\system32\svchost.exe -k networkService -s NlaSvc C:\Windows\system32\svchost.exe -k networkService -s TermService C:\Windows\system32\svchost.exe -k networkService + C:\Windows\system32\svchost.exe -k networkService -p C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted C:\Windows\system32\svchost.exe -k rPCSS C:\Windows\system32\svchost.exe -k secsvcs @@ -201,10 +201,12 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe + C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe + C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe + C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 
@@ -226,7 +228,7 @@ "C:\Program Files\Google\Chrome\Application\chrome.exe" --type= - + @@ -259,7 +261,7 @@ - + @@ -298,6 +300,7 @@ notepad.exe nslookup.exe powershell.exe + powershell_ise.exe qprocess.exe qwinsta.exe qwinsta.exe @@ -312,10 +315,29 @@ tasklist.exe wmic.exe wscript.exe + + bitsadmin.exe + esentutl.exe + expand.exe + extrac32.exe + findstr.exe + GfxDownloadWrapper.exe + ieexec.exe + makecab.exe + replace.exe + Excel.exe + Powerpnt.exe + Winword.exe + squirrel.exe + netcat.exe nc.exe + nc64.exe ncat.exe + procdump.exe + procdump64.exe psexec.exe + psexec64.exe psexesvc.exe tor.exe vnc.exe @@ -332,7 +354,9 @@ 3389 5800 5900 - 444 + 5985 + 5986 + 4444 1080 3128 @@ -349,12 +373,13 @@ C:\ProgramData\Microsoft\Windows Defender\Platform\ AppData\Local\Microsoft\Teams\current\Teams.exe + microsoft.com .microsoft.com - microsoft.com.akadns.net - microsoft.com.nsatc.net 23.4.43.27 72.21.91.29 + microsoft.com.akadns.net + .microsoft.com.nsatc.net 127.0.0.1 fe80:0:0:0 @@ -483,6 +508,8 @@ .jnlp .jse .hta + .aspx + .asp .job .pptm .ps1 @@ -515,6 +542,13 @@ .xls .ppt .rtf + + .php + .asp + .aspx + .ashx + .jsp + .pl @@ -529,6 +563,7 @@ C:\Windows\system32\CompatTelRunner.exe \\?\C:\Windows\system32\wbem\WMIADAP.EXE C:\Windows\system32\mobsync.exe + C:\Windows\System32\WUDFHost.exe C:\Windows\system32\DriverStore\Temp\ C:\Windows\system32\wbem\Performance\ C:\Windows\Installer\ @@ -567,6 +602,7 @@ + \MiniNT CurrentVersion\Run Policies\Explorer\Run Group Policy\Scripts @@ -630,7 +666,7 @@ HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ - HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders + HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\ HKLM\Software\Microsoft\Netsh Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable 
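Review bot: Adding `Excel.exe`, `Winword.exe` and `Powerpnt.exe` to the network-connection image list turns every Office licensing, telemetry, OneDrive and SharePoint connection into an event, which on a typical Microsoft 365 workstation will dwarf the rest of this section; the `.microsoft.com` destination exclusions further down in this patch remove only part of that traffic. If the intent is the macro-downloader case, document the expected volume and the tuning needed on these three lines, e.g. `<!-- high volume on M365 clients: add destination exclusions for the tenant's Office endpoints before enabling -->`. The `squirrel.exe` entry matches by name alone and will fire on every Electron auto-update (Teams, Slack, Discord), which is presumably intended but also worth a comment.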
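Review bot: Ports `5985`/`5986` will fire for every WinRM / PowerShell Remoting session in both directions, because Sysmon's network event records received connections as well as initiated ones, so every WinRM server and every management host in an environment that relies on remoting will log continuously. Keep the entries but state the cost and the expected tuning next to them, e.g. `<!-- WinRM: expect steady volume on managed servers; exclude known management hosts or filter on Initiated downstream -->`, and confirm the volume was measured in the test environment the README mentions. The `444` → `4444` correction is right, but the Metasploit default port is trivially changed by an operator, so this remains a low-confidence indicator rather than coverage.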
@@ -647,6 +683,7 @@ Microsoft\Office\Outlook\Addins\ Office Test\ + \Software\Microsoft\Office\;\Outlook\WebView\;URL Security\Trusted Documents\TrustRecords Internet Explorer\Toolbar\ @@ -671,6 +708,7 @@ \SpynetReporting DisableRealtimeMonitoring \SubmitSamplesConsent + HKLM\Software\Microsoft\Windows Defender\Exclusions HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy @@ -698,9 +736,20 @@ \DriverVerVersion \LinkDate Compatibility Assistant\Store\ + HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports + \Keyboard Layout\Preload + \Keyboard Layout\Substitutes regedit.exe \ + HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\ + + + Microsoft\Cryptography\OID\ + WOW6432Node\Microsoft\Cryptography\OID\ + Microsoft\Cryptography\Providers\Trust\ + WOW6432Node\Microsoft\Cryptography\Providers\Trust\ @@ -808,7 +857,7 @@ - + @@ -820,11 +869,23 @@ - - - - - + + + + paexec;remcom;csexec + + \lsadump;\cachedump;\wceservicepipe + + \isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\svcctl;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc + \atctl;\userpipe;\iehelper;\sdlrpc;\comnap + + MSSE-;-server + \postex_ + \postex_ssh_ + \status_ + \msagent_ + + @@ -947,7 +1008,8 @@ .akadns.net .netflix.com - aspnetcdn.com + aspnetcdn.com + .aspnetcdn.com ajax.googleapis.com cdnjs.cloudflare.com fonts.googleapis.com @@ -991,7 +1053,7 @@ .criteo.net .crwdcntrl.net .demdex.net - .domdex.com + .domdex.com .dotomi.com .doubleclick.net .doubleverify.com 
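Review bot: `\svcctl` is the Service Control Manager RPC endpoint and is connected to by every remote service operation (sc.exe against a remote host, SCCM, monitoring agents) as well as by PsExec-style tools, so in this pipe list it will be the dominant source of pipe-connect events; either move it into its own rule whose name signals the expected volume or pair it with an Image exclusion for the legitimate service managers. The Cobalt Strike defaults (`MSSE-…-server`, `\msagent_`, `\postex_`, `\postex_ssh_`, `\status_`) are malleable-profile settings any operator can change, which the rule should say so that their absence is not read as a clean result. The `MSSE-;-server` form suggests a `contains all` condition; that attribute is not visible in this rendering, and with a plain `contains` the entry would never match.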
@@ -1084,16 +1146,19 @@ ocsp.godaddy.com ocsp.int-x3.letsencrypt.org ocsp.msocsp.com - pki.goog + pki.goog + .pki.goog ocsp.godaddy.com - amazontrust.com + amazontrust.com + .amazontrust.com ocsp.sectigo.com pki-goog.l.google.com .usertrust.com ocsp.comodoca.com ocsp.verisign.com ocsp.entrust.net - ocsp.identrust.com + ocsp.identrust.com + .ocsp.identrust.com status.rapidssl.com status.thawte.com ocsp.int-x3.letsencrypt.org @@ -1101,8 +1166,11 @@ - - + @@ -1110,8 +1178,8 @@ @@ -1119,7 +1187,7 @@ - + - + - + + + + + + + - \ No newline at end of file + From bdc3fd2c784c93fc7f3c4c7f4672cf694e0d3316 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 24 Jul 2021 08:34:04 +0200 Subject: [PATCH 05/15] HiveNightmare detection --- sysmonconfig-export.xml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml index 9b2c0e7..19a761a 100644 --- a/sysmonconfig-export.xml +++ b/sysmonconfig-export.xml @@ -549,6 +549,10 @@ .ashx .jsp .pl + \SAM-20 + \SAM-haxx + \Sam.save + \hive_sam_ From ca2ccea5e6d1fa7cb04b0e60f5d59e84c11c1c93 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 24 Jul 2021 08:40:46 +0200 Subject: [PATCH 06/15] docs: give credits to the contributors of the squashed pull requests --- README.md | 98 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 98 insertions(+) diff --git a/README.md b/README.md index 26525c7..0836b8f 100644 --- a/README.md +++ b/README.md 
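Review bot: The four HiveNightmare names are the default output filenames of public proof-of-concept tools, so they detect the PoC rather than the underlying shadow-copy ACL weakness; a renamed output, or a hive read straight out of the shadow copy without an intermediate file, produces no file-create event at all. The same tooling typically dumps the SECURITY and SYSTEM hives alongside SAM, so the matching prefixes for those hives should be added on the same basis, and the rule should carry a comment stating the limitation, e.g. `<!-- PoC default filenames only; does not cover the vulnerability itself -->`. Of the four, `\Sam.save` also catches the classic `reg save HKLM\SAM` pattern and is the most durable entry.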
@@ -43,3 +43,101 @@ Run with administrator rights ```batch sysmon.exe -u ``` + +## Credits + +Since we wanted to be able to receive new pull requests this repository, we had to squash all open(!) pull requests of the original reposiory into a single commit on this one. + +We've pull the following requests: + +Registry key to detect definitions of Windows Defender Exclusions +155 opened 12 days ago by @phantinuss + +Outlook Webview URL changes +154 opened on 14 Jun by @humpalum + +Event id 26 +153 opened on 14 Jun by @Richman711 + +Important and relevant NamedPipe names +151 opened on 27 May by @Neo23x0 + +Added named pipe used by @Cobalt Strike +150 opened on 26 May by @WojciechLesicki + +Fix FileDelete example. +149 opened on 26 May by @sigalpes + +Add exclusion for WUDFHost.exe to Event 11 +148 opened on 19 Apr by @lord-garmadon + +Corrected event name for Event ID 23 +147 opened on 16 Apr by @lord-garmadon + +Monitor for .js files for Microsoft JScript +146 opened on 7 Apr by @KevinDeNotariis + +Added WinRM ports and Service names +145 opened on 16 Mar by @tobor88 + +Add ASP files for webshells +144 opened on 8 Mar by @GossiTheDog + +Update NetworkConnect rule to fix Metasploit default port +143 opened on 6 Mar by @brokenvhs + +Ransomware artifacts added to File Creation config +140 opened on 18 Feb by @sduff + +MiniNT registry key check +130 opened on 9 Sep 2020 by @ThisIsNotTheUserYouAreLookingFor + +Added detection for CVE-2017-0199 and CVE-2017-8759. 
+118 opened on 21 May 2020 by @d4rk-d4nph3 + +Printer port changes as used in CVE-2020-1048 +115 opened on 15 May 2020 by @Neo23x0 + +Update sysmonconfig-export.xml +108 opened on 1 Mar 2020 by @harmonkc + +Changed the bypassable DNS hostname checks +107 opened on 5 Feb 2020 by @MaxNad + +Added most of the missing LOLBAS for downloading executables +106 opened on 5 Feb 2020 by @MaxNad + +Change Metasploit Alert port from 444 to 4444 +105 opened on 5 Feb 2020 by @ION28 + +Add exclusion for Azure MMA agent | Add exclusion for IPAM GP PS script | Add exclusion for MonitorKnowledgeDiscovery +104 opened on 29 Jan 2020 by @adrwh + +Fixed wdigest registry path +102 opened on 13 Dec 2019 by @qz8xTD + +unnecessary shout out to Alpha version for DNS logging +100 opened on 10 Dec 2019 by @itpropaul + +Add scripting filename targets +98 opened on 14 Nov 2019 by @bartblaze + +Included some of the entries from PR to sysmonconfig-export.xml +97 opened on 6 Nov 2019 by @cudeso + +Keyboard Layout Load +92 opened on 13 Oct 2019 by @Neo23x0 + +Fixed IMAP port +71 opened on 12 Jan 2019 by @esecrpm +66 opened on 21 Aug 2018 by @martboo +59 opened on 25 May 2018 by @paalbra + +Micro-improvements to monitored scenarios +53 opened on 6 Mar 2018 by @threathunting + +Corrected typo for RTF extension +50 opened on 24 Jan 2018 by @kronflux + +Add Windows Trust registry keys to log +40 opened on 4 Oct 2017 by @mdunten From fe70b878b62795cf20d8659a1f833de07c488993 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 24 Jul 2021 08:42:55 +0200 Subject: [PATCH 07/15] docs: better line breaks in credits --- README.md | 60 +++++++++++++++++++++++++++---------------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/README.md b/README.md index 0836b8f..7691ca6 100644 --- a/README.md +++ b/README.md 
@@ -50,94 +50,94 @@ Since we wanted to be able to receive new pull requests this repository, we had We've pull the following requests: -Registry key to detect definitions of Windows Defender Exclusions +Registry key to detect definitions of Windows Defender Exclusions\ 155 opened 12 days ago by @phantinuss -Outlook Webview URL changes +Outlook Webview URL changes\ 154 opened on 14 Jun by @humpalum -Event id 26 +Event id 26\ 153 opened on 14 Jun by @Richman711 -Important and relevant NamedPipe names +Important and relevant NamedPipe names\ 151 opened on 27 May by @Neo23x0 -Added named pipe used by @Cobalt Strike +Added named pipe used by @Cobalt Strike\ 150 opened on 26 May by @WojciechLesicki -Fix FileDelete example. +Fix FileDelete example.\ 149 opened on 26 May by @sigalpes -Add exclusion for WUDFHost.exe to Event 11 +Add exclusion for WUDFHost.exe to Event 11\ 148 opened on 19 Apr by @lord-garmadon -Corrected event name for Event ID 23 +Corrected event name for Event ID 23\ 147 opened on 16 Apr by @lord-garmadon -Monitor for .js files for Microsoft JScript +Monitor for .js files for Microsoft JScript\ 146 opened on 7 Apr by @KevinDeNotariis -Added WinRM ports and Service names +Added WinRM ports and Service names\ 145 opened on 16 Mar by @tobor88 -Add ASP files for webshells +Add ASP files for webshells\ 144 opened on 8 Mar by @GossiTheDog -Update NetworkConnect rule to fix Metasploit default port +Update NetworkConnect rule to fix Metasploit default port\ 143 opened on 6 Mar by @brokenvhs -Ransomware artifacts added to File Creation config +Ransomware artifacts added to File Creation config\ 140 opened on 18 Feb by @sduff -MiniNT registry key check +MiniNT registry key check\ 130 opened on 9 Sep 2020 by @ThisIsNotTheUserYouAreLookingFor -Added detection for CVE-2017-0199 and CVE-2017-8759. 
+Added detection for CVE-2017-0199 and CVE-2017-8759.\ 118 opened on 21 May 2020 by @d4rk-d4nph3 -Printer port changes as used in CVE-2020-1048 +Printer port changes as used in CVE-2020-1048\ 115 opened on 15 May 2020 by @Neo23x0 -Update sysmonconfig-export.xml +Update sysmonconfig-export.xml\ 108 opened on 1 Mar 2020 by @harmonkc -Changed the bypassable DNS hostname checks +Changed the bypassable DNS hostname checks\ 107 opened on 5 Feb 2020 by @MaxNad -Added most of the missing LOLBAS for downloading executables +Added most of the missing LOLBAS for downloading executables\ 106 opened on 5 Feb 2020 by @MaxNad -Change Metasploit Alert port from 444 to 4444 +Change Metasploit Alert port from 444 to 4444\ 105 opened on 5 Feb 2020 by @ION28 -Add exclusion for Azure MMA agent | Add exclusion for IPAM GP PS script | Add exclusion for MonitorKnowledgeDiscovery +Add exclusion for Azure MMA agent | Add exclusion for IPAM GP PS script | Add exclusion for MonitorKnowledgeDiscovery\ 104 opened on 29 Jan 2020 by @adrwh -Fixed wdigest registry path +Fixed wdigest registry path\ 102 opened on 13 Dec 2019 by @qz8xTD -unnecessary shout out to Alpha version for DNS logging +unnecessary shout out to Alpha version for DNS logging\ 100 opened on 10 Dec 2019 by @itpropaul -Add scripting filename targets +Add scripting filename targets\ 98 opened on 14 Nov 2019 by @bartblaze -Included some of the entries from PR to sysmonconfig-export.xml +Included some of the entries from PR to sysmonconfig-export.xml\ 97 opened on 6 Nov 2019 by @cudeso -Keyboard Layout Load +Keyboard Layout Load\ 92 opened on 13 Oct 2019 by @Neo23x0 -Fixed IMAP port +Fixed IMAP port\ 71 opened on 12 Jan 2019 by @esecrpm 66 opened on 21 Aug 2018 by @martboo 59 opened on 25 May 2018 by @paalbra -Micro-improvements to monitored scenarios +Micro-improvements to monitored scenarios\ 53 opened on 6 Mar 2018 by @threathunting -Corrected typo for RTF extension +Corrected typo for RTF extension\ 50 opened on 24 Jan 2018 by 
@kronflux -Add Windows Trust registry keys to log +Add Windows Trust registry keys to log\ 40 opened on 4 Oct 2017 by @mdunten From 23af2b46f1a8e81e61688f8000ceecd8617e412e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 24 Jul 2021 08:57:57 +0200 Subject: [PATCH 08/15] PrinterNightmare coverage --- sysmonconfig-export.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml index 19a761a..240dc9e 100644 --- a/sysmonconfig-export.xml +++ b/sysmonconfig-export.xml @@ -754,6 +754,7 @@ WOW6432Node\Microsoft\Cryptography\OID\ Microsoft\Cryptography\Providers\Trust\ WOW6432Node\Microsoft\Cryptography\Providers\Trust\ + Control\Print\Environments\Windows x64\Drivers From f893c68a5238d33a4626daf8cfb5fd0409202724 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 24 Jul 2021 09:11:13 +0200 Subject: [PATCH 09/15] feat: more PrinterNightmare coverage --- sysmonconfig-export.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml index 240dc9e..2193333 100644 --- a/sysmonconfig-export.xml +++ b/sysmonconfig-export.xml @@ -553,6 +553,7 @@ \SAM-haxx \Sam.save \hive_sam_ + C:\Windows\System32\spool\drivers\x64 From 510e4eda990b52ea0912dbff8873869ad017dc41 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 24 Jul 2021 09:59:55 +0200 Subject: [PATCH 10/15] docs: info on extended coverage --- README.md | 6 ++ sysmonconfig-export.xml | 161 +--------------------------------------- 2 files changed, 8 insertions(+), 159 deletions(-) diff --git a/README.md b/README.md index 7691ca6..d363ce7 100644 --- a/README.md +++ b/README.md 
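Review bot: Only the `Windows x64` print environment is monitored; the 32-bit environment lives at `Control\Print\Environments\Windows NT x86\Drivers` and is the key touched when a 32-bit driver package is installed, so the rule needs the parallel entry `Control\Print\Environments\Windows NT x86\Drivers` to cover the same attack on that path. Legitimate Point-and-Print installs and print-server administration write the same keys through spoolsv.exe, so add a comment naming that expected noise source; the Image alone will not separate a malicious driver load from a benign one. The condition attribute is not visible here; with a prefix match the `\3\` version subkeys beneath are covered, with an exact match they are not.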
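Review bot: `C:\Windows\System32\spool\drivers\x64` only sees 64-bit driver packages; the 32-bit driver store under `C:\Windows\System32\spool\drivers\W32X86` is written by the same exploit chain when a 32-bit driver is pushed, so add `C:\Windows\System32\spool\drivers\W32X86` beside it. Files here are also created by `spoolsv.exe` for benign driver installs, so this will fire on every Point-and-Print driver push until the deployment tooling is excluded — a comment stating that expectation belongs on the line. The entry appears to sit in the same rule group as the webshell extensions and SAM-dump names, so downstream it inherits whatever rule name that group carries; a dedicated name would make triage clearer.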
@@ -4,6 +4,12 @@ This is a forked and modified version of @SwiftOnSecurity's [sysmon config](http Currently it is simply a copy with most of the 30+ open pull requests of the original repository merged. Thus we have fixed many of the issues that are still present in the original version and extended the coverage by important new extensions that have been provided over the last year. +## Additional coverage includes + +- Cobalt Strike named pipes +- PrinterNightmare +- HiveNightmare + ## Testing This configuration is focused on detection coverage. We have only one rather small testing environment to avoid problematic expressions that trigger too often. It is recommended to test the downloaded configuration on a small set of systems in your environment in any case. diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml index 2193333..47fdb8e 100644 --- a/sysmonconfig-export.xml +++ b/sysmonconfig-export.xml @@ -357,6 +357,7 @@ 5985 5986 4444 + NT AUTHOR 1080 3128 
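Review bot: `NT AUTHOR` has been pasted into the DestinationPort list, where Sysmon expects numeric values; depending on the Sysmon build this either fails the configuration load outright or silently never matches, and the same commit deletes the entire registry-event section (the deletion hunk that follows) under a message that only mentions docs. Before committing a configuration change, load it on a test host with `sysmon.exe -c sysmonconfig-export.xml` and compare the `sysmon -c` dump, or at minimum run an XML well-formedness check in CI, so a stray paste cannot reach deployment.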
@@ -599,165 +600,7 @@ For example, most COM hijacking in CLSID's across the registry is covered by a single rule monitoring a InProcServer32 wildcard--> - - - - - - - - - \MiniNT - CurrentVersion\Run - Policies\Explorer\Run - Group Policy\Scripts - Windows\System\Scripts - CurrentVersion\Windows\Load - CurrentVersion\Windows\Run - CurrentVersion\Winlogon\Shell - CurrentVersion\Winlogon\System - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit - HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 - HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute - HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug - UserInitMprLogonScript - user shell folders\startup - - \ServiceDll - \ServiceManifest - \ImagePath - \Start - - Control\Terminal Server\WinStations\RDP-Tcp\PortNumber - Control\Terminal Server\fSingleSessionPerUser - fDenyTSConnections - LastLoggedOnUser - RDP-tcp\PortNumber - Services\PortProxy\v4tov4 - - \command\ - \ddeexec\ - {86C86720-42A0-1069-A2E8-08002B30309D} - exefile - - \InprocServer32\(Default) - - \Hidden - \ShowSuperHidden - \HideFileExt - - Classes\*\ - Classes\AllFilesystemObjects\ - Classes\Directory\ - Classes\Drive\ - Classes\Folder\ - Classes\PROTOCOLS\ - ContextMenuHandlers\ - CurrentVersion\Shell - HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks - HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad - HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers - - HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ - - HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram - - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\ - - HKLM\SYSTEM\CurrentControlSet\Services\WinSock - \ProxyServer - - 
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider - HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ - HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\ - HKLM\Software\Microsoft\Netsh - Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable - - HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ - HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles - \EnableFirewall - \DoNotAllowExceptions - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List - - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\ - HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\ - HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\ - - Microsoft\Office\Outlook\Addins\ - Office Test\ - \Software\Microsoft\Office\;\Outlook\WebView\;URL - Security\Trusted Documents\TrustRecords - - Internet Explorer\Toolbar\ - Internet Explorer\Extensions\ - Browser Helper Objects\ - \DisableSecuritySettingsCheck - \3\1206 - \3\2500 - \3\1809 - - HKLM\Software\Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\ - HKLM\Software\Classes\WOW6432Node\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\ - HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\ - HKLM\Software\Classes\WOW6432Node\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\ - - \UrlUpdateInfo - \InstallSource - \EulaAccepted - - \DisableAntiSpyware - \DisableAntiVirus - \SpynetReporting - DisableRealtimeMonitoring - \SubmitSamplesConsent - HKLM\Software\Microsoft\Windows Defender\Exclusions - - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy - - HKLM\Software\Microsoft\Security Center\ - 
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth - - HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom - HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB - VirtualStore - - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ - HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\ - HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\ - HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\ - \FriendlyName - HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default) - HKLM\Software\Microsoft\Tracing\RASAPI32 - HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\ - - \LowerCaseLongPath - \Publisher - \BinProductVersion - \DriverVersion - \DriverVerVersion - \LinkDate - Compatibility Assistant\Store\ - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports - \Keyboard Layout\Preload - \Keyboard Layout\Substitutes - - regedit.exe - \ - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ - HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\ - - - Microsoft\Cryptography\OID\ - WOW6432Node\Microsoft\Cryptography\OID\ - Microsoft\Cryptography\Providers\Trust\ - WOW6432Node\Microsoft\Cryptography\Providers\Trust\ - Control\Print\Environments\Windows x64\Drivers - - + From ca54b563654572672078defb5599b3c1e483a6c2 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 24 Jul 2021 10:10:31 +0200 Subject: [PATCH 11/15] fix: accidental removal of section --- sysmonconfig-export.xml | 161 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 159 insertions(+), 2 deletions(-) diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml index 47fdb8e..2193333 100644 --- a/sysmonconfig-export.xml +++ b/sysmonconfig-export.xml @@ -357,7 +357,6 @@ 5985 5986 4444 - NT AUTHOR 1080 3128 
@@ -600,7 +599,165 @@ For example, most COM hijacking in CLSID's across the registry is covered by a single rule monitoring a InProcServer32 wildcard--> - + + + + + + + + + \MiniNT + CurrentVersion\Run + Policies\Explorer\Run + Group Policy\Scripts + Windows\System\Scripts + CurrentVersion\Windows\Load + CurrentVersion\Windows\Run + CurrentVersion\Winlogon\Shell + CurrentVersion\Winlogon\System + HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify + HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell + HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit + HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 + HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute + HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug + UserInitMprLogonScript + user shell folders\startup + + \ServiceDll + \ServiceManifest + \ImagePath + \Start + + Control\Terminal Server\WinStations\RDP-Tcp\PortNumber + Control\Terminal Server\fSingleSessionPerUser + fDenyTSConnections + LastLoggedOnUser + RDP-tcp\PortNumber + Services\PortProxy\v4tov4 + + \command\ + \ddeexec\ + {86C86720-42A0-1069-A2E8-08002B30309D} + exefile + + \InprocServer32\(Default) + + \Hidden + \ShowSuperHidden + \HideFileExt + + Classes\*\ + Classes\AllFilesystemObjects\ + Classes\Directory\ + Classes\Drive\ + Classes\Folder\ + Classes\PROTOCOLS\ + ContextMenuHandlers\ + CurrentVersion\Shell + HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks + HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad + HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers + + HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ + + HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram + + HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\ + + HKLM\SYSTEM\CurrentControlSet\Services\WinSock + \ProxyServer + + 
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider + HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ + HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\ + HKLM\Software\Microsoft\Netsh + Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable + + HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ + HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles + \EnableFirewall + \DoNotAllowExceptions + HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List + HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List + + HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\ + HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\ + HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\ + + Microsoft\Office\Outlook\Addins\ + Office Test\ + \Software\Microsoft\Office\;\Outlook\WebView\;URL + Security\Trusted Documents\TrustRecords + + Internet Explorer\Toolbar\ + Internet Explorer\Extensions\ + Browser Helper Objects\ + \DisableSecuritySettingsCheck + \3\1206 + \3\2500 + \3\1809 + + HKLM\Software\Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\ + HKLM\Software\Classes\WOW6432Node\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\ + HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\ + HKLM\Software\Classes\WOW6432Node\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\ + + \UrlUpdateInfo + \InstallSource + \EulaAccepted + + \DisableAntiSpyware + \DisableAntiVirus + \SpynetReporting + DisableRealtimeMonitoring + \SubmitSamplesConsent + HKLM\Software\Microsoft\Windows Defender\Exclusions + + HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA + HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy + + HKLM\Software\Microsoft\Security Center\ + 
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth + + HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom + HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB + VirtualStore + + HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ + HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\ + HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\ + HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\ + \FriendlyName + HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default) + HKLM\Software\Microsoft\Tracing\RASAPI32 + HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\ + + \LowerCaseLongPath + \Publisher + \BinProductVersion + \DriverVersion + \DriverVerVersion + \LinkDate + Compatibility Assistant\Store\ + HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports + \Keyboard Layout\Preload + \Keyboard Layout\Substitutes + + regedit.exe + \ + HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\ + + + Microsoft\Cryptography\OID\ + WOW6432Node\Microsoft\Cryptography\OID\ + Microsoft\Cryptography\Providers\Trust\ + WOW6432Node\Microsoft\Cryptography\Providers\Trust\ + Control\Print\Environments\Windows x64\Drivers + + From 876166b3ebd77ca76b55f2f74c9a98b92e644f1e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 24 Jul 2021 10:15:01 +0200 Subject: [PATCH 12/15] filter: OneDrive --- sysmonconfig-export.xml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml index 2193333..229902f 100644 --- a/sysmonconfig-export.xml +++ b/sysmonconfig-export.xml @@ -383,6 +383,8 @@ 127.0.0.1 fe80:0:0:0 + + \AppData\Local\Microsoft\OneDrive\OneDrive.exe From 4aa2ad4f7fcd100c5f6f1d9f21a4af11e7e01c75 Mon Sep 17 00:00:00 2001 
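Review bot: The restored Defender block is inconsistent in how its entries are written: `DisableRealtimeMonitoring` has no leading backslash while its siblings `\DisableAntiSpyware`, `\DisableAntiVirus`, `\SpynetReporting` and `\SubmitSamplesConsent` do, so that one entry matches any value whose name merely ends in or contains that string rather than the value itself. Since this commit re-adds the whole section it is the right place to fix it: `\DisableRealtimeMonitoring`. The match condition attributes are not visible in this rendering, so whether the difference widens the match or only breaks the convention cannot be confirmed here; either way the entry should follow its neighbours. A short `<!-- ... -->` comment at the top of the section saying it was restored after an accidental removal, with the commit it came from, would also help the next person diffing this file.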
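Review bot: The new `\AppData\Local\Microsoft\OneDrive\OneDrive.exe` entry, which from its placement next to `127.0.0.1` and `fe80:0:0:0` looks like an image-based exclusion on the network-connection rule, keys purely on a path under the user-writable `AppData\Local` tree, so any executable that happens to sit at that path goes unlogged regardless of who signed it. Sysmon cannot check the signer in this rule, so the trade-off should at least be recorded next to the entry, e.g. `<!-- OneDrive is installed per-user under AppData; path-only exclusion, no signature check possible here -->`. If the noise this filters is only from the updater, consider scoping the exclusion to the destination hosts it talks to instead of the image path.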
From: Florian Roth Date: Sat, 24 Jul 2021 16:13:52 +0200 Subject: [PATCH 13/15] SeriousSAM CS Pattern --- sysmonconfig-export.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml index 229902f..8922dd8 100644 --- a/sysmonconfig-export.xml +++ b/sysmonconfig-export.xml @@ -555,6 +555,7 @@ \SAM-haxx \Sam.save \hive_sam_ + C:\windows\temp\sam C:\Windows\System32\spool\drivers\x64 From fd602c9fe17c11a3cb9de7db1f66744df2b194e7 Mon Sep 17 00:00:00 2001 From: humpalum Date: Mon, 26 Jul 2021 09:33:39 +0200 Subject: [PATCH 14/15] First CI workflow draft Added a workflow that installs sysmon with the config and fails when sysmon has an error --- .github/workflows/main.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 .github/workflows/main.yml diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 0000000..e6c5dad --- /dev/null +++ b/.github/workflows/main.yml @@ -0,0 +1,27 @@ +name: CI + +on: + # Trigger the workflow on push or pull requests, but only for the + # main branch + push: + branches: + - main + pull_request: + branches: + - main + workflow_dispatch: + +jobs: + msbuild: + runs-on: 'windows-latest' + steps: + - name: Checkout open-sysmon-conf + uses: actions/checkout@v2 + + - name: Download Sysmon + run: Invoke-WebRequest http://live.sysinternals.com/tools/sysmon.exe -OutFile .\sysmon.exe + shell: powershell + + - name: Run Sysmon + run: .\sysmon.exe -accepteula -i sysmonconfig-export.xml + shell: powershell From 7b98675d16c1c4363f13f0dc22ef69ba047acf30 Mon Sep 17 00:00:00 2001 From: humpalum Date: Mon, 26 Jul 2021 09:35:09 +0200 Subject: [PATCH 15/15] fix: renamed main to master --- .github/workflows/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index e6c5dad..b7b1db1 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
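Review bot: The added `C:\windows\temp\sam` pattern hard-codes the drive letter while the neighbouring entries `\SAM-haxx`, `\Sam.save` and `\hive_sam_` are drive-agnostic, so a host whose system volume is not `C:` will not match. Writing it as `\windows\temp\sam` keeps it consistent with the rest of the list and covers that case; the match condition is not visible in this rendering, so check that the shortened form still matches as intended. A `<!-- -->` comment naming the technique this entry is for would make the purpose of the path recoverable later, as the commit title does today.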
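Review bot: The `Download Sysmon` step fetches the binary with `Invoke-WebRequest http://live.sysinternals.com/tools/sysmon.exe` over plain HTTP and the next step installs it as a driver with no integrity check, so the job will execute whatever the network hands it. Switch the URL to `https://live.sysinternals.com/tools/sysmon.exe` and gate the install on the Authenticode signature, e.g. `if ((Get-AuthenticodeSignature .\sysmon.exe).Status -ne 'Valid') { exit 1 }` placed before the `-i` line. `actions/checkout@v2` is pinned only to a moving tag; pinning it to a full commit SHA is the usual hardening for a workflow that also runs on `pull_request`. A one-line comment above the install step stating that a non-zero exit from `sysmon.exe -i` is what fails the job would document the intent stated in the commit message.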
@@ -5,10 +5,10 @@ on: # main branch push: branches: - - main + - master pull_request: branches: - - main + - master workflow_dispatch: jobs: