Source license: Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
Fork version: <N/A>
Fork author: <N/A>
Fork project: <N/A>
Fork license: <N/A>
REQUIRED: Sysmon version 13 or higher (due to changes in syntax and bug-fixes)
- As of 2021-02-16 there is no machine-level version of Microsoft Teams. The one provided copies itself to the user profile.
NOTE: Sysmon is not hardened against an attacker with admin rights. Additionally, this configuration offers an attacker, willing
to study it, limited ways to evade some of the logging. If you are in a very high-threat environment, you should consider a broader,
log-most approach. However, in the vast majority of cases, an attacker will bumble through multiple behavioral traps which
this configuration monitors, especially in the first minutes.
NOTE: If you encounter unexplainable event inclusion/exclusion, you may have a second Sysmon instance installed under a different exe filename.
To clear this, try downloading the latest version and uninstalling with -u force. If it hangs, kill the processes and run it again to cleanup.
TECHNICAL:
- Run sysmon.exe -? for a briefing on Sysmon configuration.
- Sysmon XML cannot use the AMPERSAND sign. Replace it with this: &amp;
- Sysmon 8+ can track which rule caused an event to be logged through the "RuleName" field.
- If you only specify exclude for a filtering subsection, everything in that subsection is logged by default.
- Some Sysmon monitoring abilities are not meant for widely deployed general-purpose use due to performance impact. Depends on environment.
- Duplicate or overlapping "Include" rules do not result in duplicate events being logged.
- All characters enclosed by XML tags are always interpreted literally. Sysmon does not support wildcards (*), alternate characters, or RegEx.
- In registry events, the value name is appended to the full key path with a "\" delimiter. Default key values are named "\(Default)"
- "Image" is a technical term for a compiled binary file like an EXE or DLL. Also, it can match just the filename, or entire path.
- "ProcessGuid" and "LogonGuid" are not random, they contain some embedded information. https://gist.github.com/mattifestation/0102042160c9a60b2b847378c0ef70b4
FILTERING: Filter conditions available for use are: is,is not,contains,contains any,contains all,excludes,excludes any,excludes all,begin with,end with,less than,more than,image
- The "image" filter is usable on any field. Same as "is" but can either match entire string, or only the text after last "\". Credit: @mattifestation
-->
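The filter conditions listed above, modelled in runnable form. This is an added example written for this edit, not code from the sysmon-config project: a small Python evaluator that applies a rule's `condition` and a `<Rule groupRelation>` the way the FILTERING notes describe (literal, case-insensitive, no wildcards; "image" matching the whole string or only the text after the last backslash). The rule names, paths and the 0x1F1FFF access mask are taken from rules in this file; the events fed through it are constructed samples, and "less than" / "more than" are omitted because their comparison rules are not described here.

```python
"""Added example (not part of the sysmon-config project): an offline model of how
Sysmon applies a rule's condition attribute and a <Rule> group's groupRelation, so a
rule can be sanity-checked against sample events before it is deployed.
Semantics follow the FILTERING notes: literal, case-insensitive matching with no
wildcards or regex; "image" matches the whole string or only the text after the last
backslash. "less than" / "more than" are left out (comparison rules not described).
All events below are constructed samples, not captured telemetry."""
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]


def _image_match(value: str, want: str) -> bool:
    """'image': same as 'is', but also matches only the filename after the last '\\'."""
    return value == want or value.rsplit("\\", 1)[-1] == want


# condition name -> predicate(field value, rule text); both are already lower-cased.
# Multi-value conditions take a ';'-separated list, as Sysmon does.
CONDITIONS: Dict[str, Callable[[str, str], bool]] = {
    "is": lambda v, w: v == w,
    "is not": lambda v, w: v != w,
    "contains": lambda v, w: w in v,
    "contains any": lambda v, w: any(p in v for p in w.split(";")),
    "contains all": lambda v, w: all(p in v for p in w.split(";")),
    "excludes": lambda v, w: w not in v,
    "excludes any": lambda v, w: any(p not in v for p in w.split(";")),
    "excludes all": lambda v, w: all(p not in v for p in w.split(";")),
    "begin with": lambda v, w: v.startswith(w),
    "end with": lambda v, w: v.endswith(w),
    "image": _image_match,
}


class Rule:
    """One <Field name="..." condition="...">text</Field> element.
    A missing condition attribute means "is", e.g. <GrantedAccess>0x1F1FFF</GrantedAccess>."""

    def __init__(self, field: str, text: str, condition: str = "is", name: str = ""):
        self.field = field
        self.text = text
        self.condition = condition.lower()
        self.name = name

    def matches(self, event: Event) -> bool:
        value = event.get(self.field)
        if value is None:          # event lacks the field: the rule cannot match
            return False
        return CONDITIONS[self.condition](value.lower(), self.text.lower())


# A group is (groupRelation, [Rule, ...]); a bare top-level rule is a one-rule "or" group.
Group = Tuple[str, List[Rule]]


def group_matches(relation: str, rules: List[Rule], event: Event) -> bool:
    """<Rule groupRelation="and"> needs every field rule to match; "or" needs just one."""
    results = [r.matches(event) for r in rules]
    return all(results) if relation.lower() == "and" else any(results)


def include_hits(groups: List[Group], event: Event) -> List[str]:
    """Names (or text) of the groups that would log this event under onmatch="include".
    Several matching groups still yield a single event; the list only explains why."""
    return [rules[0].name or rules[0].text
            for relation, rules in groups if group_matches(relation, rules, event)]


# Constructed demonstration data (assumed values, not captured telemetry)
NETWORK_CONNECT_INCLUDE: List[Group] = [
    ("or", [Rule("Image", "nc.exe", "image", name="ncat")]),
    ("or", [Rule("Image", r"C:\Users", "begin with", name="Usermode")]),
]
PROCESS_ACCESS_INCLUDE: List[Group] = [
    ("and", [Rule("TargetImage", r"C:\Windows\system32\csrss.exe", "is",
                  name="technique_id=T1003,technique_name=Credential Dumping"),
             Rule("GrantedAccess", "0x1F1FFF")]),   # no condition attribute -> "is"
]


def demo() -> Dict[str, List[str]]:
    """Run a few constructed events through the include lists and report the hits."""
    return {
        # "image" ignores the directory, and Sysmon compares case-insensitively
        "nc_in_profile": include_hits(NETWORK_CONNECT_INCLUDE,
                                      {"Image": r"C:\Users\alice\Downloads\NC.EXE"}),
        # a renamed copy outside C:\Users matches neither rule
        "renamed_nc": include_hits(NETWORK_CONNECT_INCLUDE,
                                   {"Image": r"C:\ProgramData\n.exe"}),
        # both conditions of the "and" group hold
        "csrss_full_access": include_hits(PROCESS_ACCESS_INCLUDE,
                                          {"TargetImage": r"C:\Windows\System32\csrss.exe",
                                           "GrantedAccess": "0x1F1FFF"}),
        # same target, different access mask: the "and" group fails
        "csrss_query_only": include_hits(PROCESS_ACCESS_INCLUDE,
                                         {"TargetImage": r"C:\Windows\System32\csrss.exe",
                                          "GrantedAccess": "0x1000"}),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:18} -> {'LOGGED by ' + ', '.join(hits) if hits else 'not logged'}")
```

The model is deliberately dumb: it reproduces the literal-string behaviour the notes describe, so it is useful for checking that a path or command line you intend to catch (or exclude) really is matched by the condition you chose, before the config goes to a fleet.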
<Sysmon schemaVersion="4.50">
<!--SYSMON META CONFIG-->
<HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms><!-- Both MD5 and SHA256 are the industry-standard algorithms. Remove IMPHASH if you do not use DLL import fingerprinting. -->
<CheckRevocation/><!-- Check loaded drivers, log if their code-signing certificate has been revoked, in case malware stole one to sign a kernel driver -->
<!-- <ImageLoad/> --><!-- Would manually force-on ImageLoad monitoring, even without configuration below. Included for documentation only. -->
<!-- <ProcessAccessConfig/> --><!-- Would manually force-on ProcessAccess monitoring, even without configuration below. Included for documentation only. -->
<!-- <PipeMonitoringConfig/> --><!-- Would manually force-on PipeCreated / PipeConnected events, even without configuration below. Included for documentation only. -->
<!-- <ArchiveDirectory> -->
<EventFiltering>
<!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
<!--COMMENT: All processes launched will be logged, except for what matches a rule below. It's best to be as specific as possible,
to avoid user-mode executables imitating other process names to avoid logging, or if malware drops files in an existing directory.
Ultimately, you must weigh CPU time checking many detailed rules, against the risk of malware exploiting the blindness created.
Beware of Masquerading, where attackers imitate the names and paths of legitimate tools. Ideally, you'd use both file path and
code signatures to validate, but Sysmon does not support that. Look into AppLocker/WindowsDeviceGuard for whitelisting support. -->
<IntegrityLevel condition="is">AppContainer</IntegrityLevel><!--Windows: Don't care about sandboxed processes right now. Will need to revisit this decision.-->
<ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine><!--Windows:CommandShell: Triggered when programs use the command shell, but doesn't provide attribution for what caused it-->
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s Dnscache</CommandLine><!--Windows:Network: DNS caching, other uses -->
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation</CommandLine><!--Windows:Network: "Workstation" service, used for SMB file-sharing connections and RDP-->
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage><!--Microsoft:DotNet: Spawns thousands of ngen.exe processes-->
<!--SECTION: Microsoft:Office-->
<Image condition="is">C:\Program Files\Microsoft Office\Office16\MSOSYNC.EXE</Image><!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE</Image><!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
<Image condition="is">C:\Program Files\Windows Media Player\wmpnscfg.exe</Image><!--Windows: Windows Media Player Network Sharing Service Configuration Application-->
<Image name="T1099" condition="begin with">\Device\HarddiskVolumeShadowCopy</Image><!--Nothing should be written here | Credit: @SBousseaden [ https://twitter.com/SBousseaden/status/1133030955407630336 ] -->
<TargetFilename condition="contains">\NVIDIA\NvBackend\ApplicationOntology\</TargetFilename><!--NVIDIA GeForce Experience Application Ontology, 1000's of events in user profile-->
</FileCreateTime>
</RuleGroup>
<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED [NetworkConnect]-->
<!--COMMENT: By default this configuration takes a very conservative approach to network logging, limited to only extremely high-signal events.-->
<!--TECHNICAL: For the DestinationHostname, Sysmon uses the GetNameInfo API, which will often not have any information, and may just be a CDN. This is NOT reliable for filtering.-->
<!--TECHNICAL: For the DestinationPortName, Sysmon uses the GetNameInfo API for the friendly name of ports you see in logs.-->
<!--TECHNICAL: These executables do not initiate their own network connections, so include rules naming them do not work in this section: BITSADMIN NLTEST-->
<!--Suspicious sources for network-connecting binaries-->
<Image name="Usermode" condition="begin with">C:\Users</Image><!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
<Image name="Caution" condition="begin with">C:\Recycle</Image><!--Nothing should operate from the RecycleBin locations.-->
<Image condition="begin with">C:\ProgramData</Image><!--Normally, network communications should be sourced from "Program Files" not from ProgramData, something to look at-->
<Image condition="begin with">C:\Windows\Temp</Image><!--Suspicious if anything communicates from the system-level temp directory-->
<Image name="Caution" condition="begin with">\</Image><!--Devices and VSC shouldn't be executing changes | Credit: @SBousseaden @ionstorm @neu5ron @PerchedSystems [ https://twitter.com/SwiftOnSecurity/status/1133167323991486464 ] -->
<!--Living off the Land Binaries and Scripts (LOLBAS) -->
<Image condition="image">bitsadmin.exe</Image><!-- Windows: Background Intelligent Transfer Service - Can download from URLs -->
<Image condition="image">esentutl.exe</Image><!-- Windows: Database utilities for the ESE - Can fetch from UNC paths -->
<Image condition="image">expand.exe</Image><!-- Windows: Expands one or more compressed files - Can fetch from UNC paths -->
<Image condition="image">extrac32.exe</Image><!--Windows: Uncompress .cab files - Can fetch from UNC paths -->
<Image condition="image">findstr.exe</Image><!-- Windows: Search for strings - Can fetch from UNC paths -->
<Image condition="image">GfxDownloadWrapper.exe</Image><!-- Intel Graphics Control Panel: Remote file download -->
<Image condition="image">ieexec.exe</Image><!-- Windows: Microsoft .NET Framework application - Download and execute from URLs -->
<Image condition="image">makecab.exe</Image><!-- Windows: Packages existing files into a .cab - Can fetch from UNC paths -->
<Image condition="image">replace.exe</Image><!-- Windows: Used to replace file with another file - Can fetch from UNC paths -->
<Image condition="image">Excel.exe</Image><!-- Windows Office: Excel - Can download from URLs -->
<Image condition="image">Powerpnt.exe</Image><!-- Windows Office: PowerPoint - Can download from URLs -->
<Image condition="image">Winword.exe</Image><!-- Windows Office: Word - Can download from URLs -->
<Image condition="image">squirrel.exe</Image><!-- Windows: Update the Nuget/Squirrel packages. Part of Teams. - Can download from URLs -->
<!--Relevant 3rd Party Tools-->
<Image condition="image">nc.exe</Image><!-- Nmap's modern version of netcat [ https://nmap.org/ncat/guide/index.html#ncat-overview ] [ https://securityblog.gr/1517/create-backdoor-in-windows-with-ncat/ ] -->
<Image condition="image">ncat.exe</Image><!-- Nmap's modern version of netcat [ https://nmap.org/ncat/guide/index.html#ncat-overview ] [ https://securityblog.gr/1517/create-backdoor-in-windows-with-ncat/ ] -->
<Image condition="image">psexec.exe</Image><!--Sysinternals:PsExec client side | Credit @Cyb3rOps -->
<Image condition="image">psexesvc.exe</Image><!--Sysinternals:PsExec server side | Credit @Cyb3rOps -->
<!--Dumping credentials from services or setting up a keylogger-->
<Rule groupRelation="and">
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\csrss.exe</TargetImage><!--Mitre T1098--><!--Mitre T1075--><!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
<GrantedAccess>0x1F1FFF</GrantedAccess>
</Rule>
<Rule groupRelation="and">
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\wininit.exe</TargetImage><!--Mitre T1098--><!--Mitre T1075--><!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
<GrantedAccess>0x1F1FFF</GrantedAccess>
</Rule>
<Rule groupRelation="and">
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\winlogon.exe</TargetImage><!--Mitre T1098--><!--Mitre T1075--><!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
<GrantedAccess>0x1F1FFF</GrantedAccess>
</Rule>
<Rule groupRelation="and">
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\services.exe</TargetImage><!--Mitre T1098--><!--Mitre T1075--><!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
<!--EVENT 11: "File created"-->
<!--NOTE: Other filesystem "minifilters" can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
<!--NOTE: You may not see files detected by antivirus. Other filesystem minifilters, like antivirus, can act before Sysmon receives the alert a file was written.-->
<Image condition="begin with">\Device\HarddiskVolumeShadowCopy</Image><!--Nothing should be executing from VSC | Credit: @SBousseaden [ https://twitter.com/SBousseaden/status/1133030955407630336 ] -->
<!--EVENT 12: "Registry object added or deleted"-->
<!--EVENT 13: "Registry value set"-->
<!--EVENT 14: "Registry object renamed"-->
<!--NOTE: Windows writes hundreds or thousands of registry keys a minute, so just because you're not changing things, doesn't mean these rules aren't being run.-->
<!--NOTE: You do not have to spend a lot of time worrying about performance, CPUs are fast, but it's something to consider. Every rule and condition type has a small cost.-->
<!--NOTE: "contains" works by finding the first letter, then matching the second, etc, so the first letters should be as low-occurrence as possible.-->
<!--TECHNICAL: You cannot filter on the "Details" attribute, due to performance issues when very large keys are written, and variety of data formats-->
<!--TECHNICAL: Possible prefixes are HKLM, HKCR, and HKU-->
<!--CRITICAL: Schema version 3.30 and higher change HKLM\="\REGISTRY\MACHINE\" and HKU\="\REGISTRY\USER\" and HKCR\="\REGISTRY\MACHINE\SOFTWARE\Classes\" and CurrentControlSet="ControlSet001"-->
<!--CRITICAL: Due to a bug, Sysmon versions BEFORE 7.01 may not properly log with the new prefix style for registry keys that was originally introduced in schema version 3.30-->
<!--NOTE: Because Sysmon runs as a service, it has no filtering ability for, or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation-->
<!-- ! CRITICAL NOTE !: It may appear this section is MISSING important entries, but SOME RULES MONITOR MANY KEYS, so look VERY CAREFULLY to see if something is already covered.
Sysmon's wildcard monitoring along with highly-tuned generic strings cuts the rulesets down immensely, compared to doing this in other tools.
For example, most COM hijacking in CLSIDs across the registry is covered by a single rule monitoring an InProcServer32 wildcard-->
<!--ADDITIONAL REFERENCE: [ https://web.archive.org/web/20200116001643/http://scholarworks.rit.edu/cgi/viewcontent.cgi?article=1533&context=theses | Understanding malware autostart techniques - Matthew Gottlieb ] -->
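The prefix rewriting described in the CRITICAL and HKCU notes above, worked through as an added example (written for this edit, not code from the sysmon-config project). It normalises raw NT registry paths into the TargetObject form Sysmon logs, appends the value name as the TECHNICAL notes at the top of the file describe, and then runs three of this file's own TargetObject rules (plus one deliberately wrong HKCU-prefixed rule) over the result. The SID, the zero CLSID and the sample paths are constructed placeholders; the ControlSet001 rewrite is taken from the note above, not verified against the binary.

```python
"""Added example (not part of the sysmon-config project): turns raw NT registry paths
into the TargetObject form that Sysmon (schema 3.30+) logs, per the CRITICAL note above:
\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\ -> HKCR\\, \\REGISTRY\\MACHINE\\ -> HKLM\\,
\\REGISTRY\\USER\\ -> HKU\\, and ControlSet001 shown as CurrentControlSet. Value names
are appended with a backslash and the default value is "(Default)". Because Sysmon runs
as a service there is no HKCU: per-user keys appear under HKU\\<SID>\\, so rules for
them need "contains" or "end with". Sample paths, the SID and the CLSID are constructed."""
import re
from typing import Dict, List, Optional

# Longest prefix first so HKCR wins over the HKLM prefix it begins with (compared upper-case).
_HIVE_PREFIXES = [
    ("\\REGISTRY\\MACHINE\\SOFTWARE\\CLASSES\\", "HKCR\\"),
    ("\\REGISTRY\\MACHINE\\", "HKLM\\"),
    ("\\REGISTRY\\USER\\", "HKU\\"),
]
_CONTROLSET001 = re.compile(r"\\ControlSet001\\", re.IGNORECASE)


def to_sysmon_target_object(raw_path: str, value_name: Optional[str] = None) -> str:
    """Render a raw NT key path as Sysmon's TargetObject.
    value_name=None models a key add/delete/rename (event 12/14): key path only.
    A value-set event (13) appends "\\<name>", with "" meaning the default value."""
    upper = raw_path.upper()
    for nt_prefix, hive in _HIVE_PREFIXES:
        if upper.startswith(nt_prefix):
            key = hive + raw_path[len(nt_prefix):]
            break
    else:
        raise ValueError(f"unrecognised registry root: {raw_path}")
    key = _CONTROLSET001.sub(lambda _m: "\\CurrentControlSet\\", key)
    if value_name is None:
        return key
    return key + "\\" + (value_name or "(Default)")


# Three of this file's TargetObject rules, plus one deliberately wrong HKCU rule added
# here to show why an HKCU prefix can never fire. Texts are lower-cased for matching.
_RULES = [
    ("T1060,RunKey", "contains", "currentversion\\run"),
    ("RDP port change", "end with", "control\\terminal server\\winstations\\rdp-tcp\\portnumber"),
    ("T1183,IFEO", "begin with",
     "hklm\\software\\microsoft\\windows nt\\currentversion\\image file execution options\\"),
    ("WRONG: HKCU prefix", "begin with", "hkcu\\software\\microsoft\\windows\\currentversion\\run"),
]


def matching_rules(target_object: str) -> List[str]:
    """Names of the rules above whose literal condition matches the normalised path."""
    t = target_object.lower()
    hits = []
    for name, cond, text in _RULES:
        if (cond == "contains" and text in t) or \
           (cond == "begin with" and t.startswith(text)) or \
           (cond == "end with" and t.endswith(text)):
            hits.append(name)
    return hits


def demo() -> Dict[str, str]:
    """Normalise constructed raw paths (SID and CLSID are placeholders)."""
    samples = {
        "user_run": ("\\REGISTRY\\USER\\S-1-5-21-1111-2222-3333-1001"
                     "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Updater"),
        "rdp_port": ("\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server"
                     "\\WinStations\\RDP-Tcp", "PortNumber"),
        "classes_default": ("\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID"
                            "\\{00000000-0000-0000-0000-000000000000}\\InprocServer32", ""),
        "ifeo_key": ("\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
                     "\\Image File Execution Options\\notepad.exe", None),
    }
    return {label: to_sysmon_target_object(path, value) for label, (path, value) in samples.items()}


if __name__ == "__main__":
    for label, target in demo().items():
        print(f"{label:16} {target}\n{'':16} rules: {matching_rules(target) or 'none'}")
```

The per-user Run key is the instructive case: it lands under `HKU\<SID>\...`, so the "contains CurrentVersion\Run" rule fires while a "begin with HKCU\..." rule never can, which is exactly why this section uses "contains" and "end with" for anything user-scoped.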
<TargetObject name="T1060,RunKey" condition="contains">CurrentVersion\Run</TargetObject><!--Windows: Wildcard for Run keys, including RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server] -->
<TargetObject name="RDP port change" condition="end with">Control\Terminal Server\WinStations\RDP-Tcp\PortNumber</TargetObject><!--Windows: RDP port change under Control [ https://blog.menasec.net/2019/02/of-rdp-hijacking-part1-remote-desktop.html ]-->
<TargetObject name="RDP port change" condition="end with">Control\Terminal Server\fSingleSessionPerUser</TargetObject><!--Windows: Allow same user to have multiple RDP sessions, to hide from admin being impersonated-->
<TargetObject name="ModifyRemoteDesktopState" condition="end with">fDenyTSConnections</TargetObject><!--Windows: Attacker turning on RDP-->
<TargetObject condition="end with">LastLoggedOnUser</TargetObject><!--Windows: Changing last-logged in user-->
<TargetObject name="ModifyRemoteDesktopPort" condition="end with">RDP-tcp\PortNumber</TargetObject><!--Windows: Changing RDP port to evade IDS-->
<TargetObject condition="end with">Services\PortProxy\v4tov4</TargetObject><!--Windows: Changing RDP port to evade IDS-->
<!--CLSID launch commands and Default File Association changes-->
<TargetObject name="T1042" condition="contains">\command\</TargetObject><!--Windows: Sensitive sub-key under file associations and CLSID that map to launch command-->
<TargetObject name="T1122" condition="contains">\ddeexec\</TargetObject><!--Windows: Sensitive sub-key under file associations and CLSID that map to launch command-->
<!--Windows shell visual modifications used by malware-->
<TargetObject name="T1158" condition="end with">\Hidden</TargetObject><!--Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event -->
<TargetObject name="T1158" condition="end with">\ShowSuperHidden</TargetObject><!--Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ] -->
<TargetObject name="T1158" condition="end with">\HideFileExt</TargetObject><!--Windows:Explorer: Some malware hides file extensions to make diagnosis/disinfection more daunting to novice users -->
<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject><!--Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
<!--Terminal service boobytrap-->
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject><!--Windows:RDP: Note other Terminal Server run keys are handled by another wildcard already-->
<!--Group Policy integrity-->
<TargetObject name="T1484" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject><!--Windows: Group Policy internally uses a plug-in architecture that nothing should be modifying-->
<!--Winsock and Winsock2-->
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock</TargetObject><!--Windows: Wildcard, includes Winsock and Winsock2-->
<TargetObject condition="end with">\ProxyServer</TargetObject><!--Windows: System and user proxy server-->
<!--Credential providers-->
<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject><!--Wildcard, includes Credential Providers and Credential Provider Filters-->
<TargetObject condition="contains">Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable</TargetObject><!--Windows: Malware often disables a web proxy for 2nd stage downloads -->
<!--Networking-->
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject><!--Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
<TargetObject name="T1137" condition="contains">Microsoft\Office\Outlook\Addins\</TargetObject><!--Microsoft:Office: Outlook add-ins, access to sensitive data and often cause issues-->
<TargetObject name="Context,ProtectedModeExitOrMacrosUsed" condition="contains">Security\Trusted Documents\TrustRecords</TargetObject><!--Microsoft:Office: Monitor when "Enable editing" or "Enable macros" is used | Credit @OutflankNL | [ https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/ ] -->
<TargetObject name="Context,ContactedDomain" condition="end with">\EnableBHO</TargetObject><!--Microsoft:Office: Contacted domains stored here 'HKEY_CURRENT_USER\<SID>\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache\<domain>\EnableBHO' -->
<!--IE-->
<TargetObject name="T1176" condition="contains">Internet Explorer\Toolbar\</TargetObject><!--Microsoft:InternetExplorer: Machine and user [ Example: https://www.exterminate-it.com/malpedia/remove-mywebsearch ] -->
<TargetObject name="T1176" condition="contains">Internet Explorer\Extensions\</TargetObject><!--Microsoft:InternetExplorer: Machine and user [ Example: https://www.exterminate-it.com/malpedia/remove-mywebsearch ] -->
<TargetObject name="T1176" condition="contains">Browser Helper Objects\</TargetObject><!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
<TargetObject condition="end with">\3\1206</TargetObject><!--Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
<TargetObject condition="end with">\3\2500</TargetObject><!--Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
<TargetObject condition="end with">\3\1809</TargetObject><!--Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
<TargetObject condition="end with">\UrlUpdateInfo</TargetObject><!--Microsoft:ClickOnce: Source URL is stored in this value [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
<TargetObject condition="end with">\InstallSource</TargetObject><!--Windows: Source folder for certain program and component installations-->
<TargetObject name="Alert,Sysinternals Tool Used" condition="end with">\EulaAccepted</TargetObject><!--Sysinternals tool launched. Lots of useful abilities for attackers -->
<!--Antivirus tampering-->
<TargetObject name="T1089,Tamper-Defender" condition="end with">\DisableAntiSpyware</TargetObject><!--Windows:Defender: State modified via registry-->
<TargetObject name="T1089,Tamper-Defender" condition="end with">\DisableAntiVirus</TargetObject><!--Windows:Defender: State modified via registry-->
<TargetObject name="T1089,Tamper-Defender" condition="end with">\SpynetReporting</TargetObject><!--Windows:Defender: State modified via registry-->
<TargetObject name="T1089,Tamper-Defender" condition="end with">DisableRealtimeMonitoring</TargetObject><!--Windows:Defender: State modified via registry-->
<TargetObject name="T1089,Tamper-Defender" condition="end with">\SubmitSamplesConsent</TargetObject><!--Windows:Defender: State modified via registry-->
<TargetObject name="T1562,Tamper-Defender" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\</TargetObject><!--Windows:Defender: Exclusions in policy key-->
<TargetObject condition="contains">VirtualStore</TargetObject><!--Windows: Registry virtualization, something's wrong if it's in use [ https://msdn.microsoft.com/en-us/library/windows/desktop/aa965884(v=vs.85).aspx ] -->
<!--Windows internals integrity monitoring-->
<TargetObject name="T1183,IFEO" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject><!--Windows: Malware likes changing IFEO, like adding Debugger to disable antivirus EXE-->
<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject><!--Windows: Event log system integrity and ACLs-->
<TargetObject name="Tamper-Safemode" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject><!--Windows: Services approved to load in safe mode. Almost nothing should ever modify this.-->
<TargetObject name="Tamper-Winlogon" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject><!--Windows: Providers notified by WinLogon-->
<TargetObject name="Context,DeviceConnectedOrUpdated" condition="end with">\FriendlyName</TargetObject><!--Windows: New devices connected and remembered-->
<TargetObject name="Context,MsiInstallerStarted" condition="is">HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject><!--Windows: See when WindowsInstaller is engaged, useful for timeline matching with other events-->
<TargetObject name="Tamper-Tracing" condition="begin with">HKLM\Software\Microsoft\Tracing\RASAPI32</TargetObject><!--Windows: Malware sometimes disables tracing to obfuscate tracks-->
<TargetObject name="Context,ProcessAccessedPrivateResource" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\</TargetObject><!-- Windows: Win10 tracks when and what process uses webcam/microphone/location etc [ https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072 ] -->
<TargetObject condition="contains">\Keyboard Layout\Preload</TargetObject><!--Microsoft:Windows: Keyboard layout loaded into user session [ https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index ] | Credit @cyb3rops -->
<TargetObject condition="contains">\Keyboard Layout\Substitutes</TargetObject><!--Microsoft:Windows: Keyboard layout loaded into user session [ https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index ] | Credit @cyb3rops -->
<TargetObject name="InvDB-CompileTimeClaim" condition="end with">\LinkDate</TargetObject><!-- Compile time of EXE, may not be reliable [ https://en.wikipedia.org/wiki/Link_time ] -->
<TargetObject condition="end with">}\PreviousPolicyAreas</TargetObject><!--Windows: Remove noise from \Winlogon\GPExtensions by svchost.exe-->
<TargetObject condition="contains">\Control\WMI\Autologger\</TargetObject><!--Windows: Remove noise from monitoring "\Start"-->
<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start</TargetObject><!--Windows: Remove noise from monitoring "\Start"-->
<TargetObject condition="end with">\Lsa\OfflineJoin\CurrentValue</TargetObject><!--Windows: Sensitive value during domain join-->
<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\</TargetObject><!--Windows: Remove noise monitoring installations run as system-->
<TargetObject condition="end with">\services\trustedInstaller\Start</TargetObject><!--Windows: Remove noise from monitoring "\Start"-->
<TargetObject condition="end with">\services\tunnel\Start</TargetObject><!--Windows: Remove noise from monitoring "\Start"-->
<TargetObject condition="end with">\services\usoSvc\Start</TargetObject><!--Windows: Remove noise from monitoring "\Start"-->
<!--FileExts noise filtering-->
<TargetObject condition="end with">\UserChoice\ProgId</TargetObject><!--Windows: Remove noise from monitoring "FileExts"--><!--Win8+-->
<TargetObject condition="end with">\UserChoice\Hash</TargetObject><!--Windows: Remove noise from monitoring "FileExts"--><!--Win8+-->
<TargetObject condition="end with">\OpenWithList\MRUList</TargetObject><!--Windows: Remove noise from monitoring "FileExts"-->
<TargetObject condition="contains">Shell Extensions\Cached</TargetObject><!--Windows: Remove noise generated by explorer.exe on monitored ShellCached binary keys--><!--Win8+-->
<!--Group Policy noise-->
<TargetObject condition="end with">HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups</TargetObject><!--Windows: Routinely set through Group Policy, not especially important to log-->
<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\PSScriptOrder</TargetObject><!--Windows:Group Policy: Noise below the actual key while building-->
<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\SOM-ID</TargetObject><!--Windows:Group Policy: Noise below the actual key while building-->
<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\GPO-ID</TargetObject><!--Windows:Group Policy: Noise below the actual key while building-->
<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\IsPowershell</TargetObject><!--Windows:Group Policy: Noise below the actual key while building-->
<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\ExecTime</TargetObject><!--Windows:Group Policy: Noise below the actual key while building-->
<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\PSScriptOrder</TargetObject><!--Windows:Group Policy: Noise below the actual key while building-->
<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\SOM-ID</TargetObject><!--Windows:Group Policy: Noise below the actual key while building-->
<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\GPO-ID</TargetObject><!--Windows:Group Policy: Noise below the actual key while building-->
<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\IsPowershell</TargetObject><!--Windows:Group Policy: Noise below the actual key while building-->
<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\ExecTime</TargetObject><!--Windows:Group Policy: Noise below the actual key while building-->
<TargetObject condition="contains">\safer\codeidentifiers\0\HASHES\{</TargetObject><!--Windows: Software Restriction Policies. Can be used to disable security tools, but very noisy to monitor if you use it-->
<!--SECTION: Office C2R-->
<TargetObject condition="contains">VirtualStore\MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\</TargetObject><!--Microsoft: SearchProtocolHost writes to OfficeC2R registry for Outlook, seemingly regarding mail indexing-->
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Office\ClickToRun\</TargetObject><!--Microsoft: Virtual registry for Office-->
<!--SECTION: 3rd party-->
<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image><!--Constantly writes to HKLM-->
<!--NOTE: Other filesystem minifilters can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE-->
<!--EVENT 16: "Sysmon config state changed"-->
<!--COMMENT: This ONLY logs if the hash of the configuration changes. Running "sysmon.exe -c" with the current configuration will not be logged with Event 16-->
<!--NOTE: Using exclude with no rules means everything will be logged-->
</WmiEvent>
</RuleGroup>
<!--SYSMON EVENT ID 22 : DNS QUERY [DnsQuery]-->
<!--EVENT 22: "Dns query"-->
<!--NOTE: Due to the volume of events that DNS queries generate, some orgs may want to remove this section from their configuration to reduce Sysmon log turnover. -->
<!--COMMENT: DNS logging is a very nuanced challenge in monitoring due to event volume. Legitimate domains can be used to host malware/C2, but lookup itself is not very informative.
It's fine to exclude monitoring these bulk low-value lookups, but at same time, you would not have a full log of how malware communicated, potentially missing C2.
This section of Sysmon configuration will require your full judgement and knowledge of your org's priorities. There is no correct answer.-->
<!--OPERATIONS: Chrome and Firefox prefetch DNS lookups, or use alternate DNS lookup methods Sysmon won't capture. You need to turn these off.
Search for Group Policy for these browsers to configure this.-->
<!--OPERATIONS: Most DNS traffic is web advertising. To significantly reduce DNS queries and malware ads, enable client-side advertising filtering via Group Policy. This is easy.
Internet Explorer: https://decentsecurity.com/adblocking-for-internet-explorer-deployment/
Also note, this configuration is designed for United States computers. Users in other countries may need customization to reduce noise.
-->
<!--CONFIG: DNS poisoning is an issue during threat investigations. Try to only exclude ROUTINE system-level queries you know are strongly validated with HTTPS or code signing.-->
<!--CONFIG: If you exclude microsoft.com, someone could register malware-microsoft.com and it wouldn't be logged. Use "END WITH" with leading . or "IS" operators.-->
<!--CONFIG: Be very specific in exclusions. Threat actors use legitimate services, too. Don't exclude all of AWS or Azure or Google or CDNs!-->
<!--CRITICAL: Do NOT exclude "wpad" lookups. This is a MitM vector routinely used by attackers. Disable WPAD or enforce client-side DNSSEC for AD domain lookups.-->
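A linter for the QueryName exclusions that applies the CONFIG and CRITICAL notes above, as an added example (written for this edit, not code from the sysmon-config project). It flags exclusions that use a loose condition, "end with" text without a leading dot, anything covering wpad, and whole-provider domains, and for each rule checks the page's own test case: whether a look-alike such as malware-microsoft.com would slip through. Matching is modelled as literal, case-insensitive comparison per the FILTERING notes; the candidate list (apart from the googlesyndication entry, which is this file's) and the BROAD_SERVICES policy set are constructed.

```python
"""Added example (not part of the sysmon-config project): a linter for <QueryName>
exclusions in the DnsQuery section, applying the CONFIG/CRITICAL notes above. An
exclusion should use "is" or "end with" with a leading dot (so a look-alike such as
malware-microsoft.com is still logged), must never cover wpad lookups, and should not
blanket a whole cloud or CDN provider. Matching is modelled as literal, case-insensitive
string comparison, per the FILTERING notes at the top of this file. The candidate list
and the BROAD_SERVICES policy set are constructed for this demonstration."""
from typing import Dict, List, Tuple

Exclusion = Tuple[str, str]   # (condition, text) of <QueryName condition="...">text</QueryName>

# Assumed policy set: provider domains too broad to exclude outright (constructed, edit to taste).
BROAD_SERVICES = {"amazonaws.com", "azurewebsites.net", "google.com", "cloudfront.net"}
_KNOWN = {"is", "end with", "begin with", "contains"}


def excluded(rule: Exclusion, query: str) -> bool:
    """Would this exclusion suppress the given QueryName? Literal, case-insensitive."""
    cond, text, q = rule[0].lower(), rule[1].lower(), query.lower()
    if cond == "is":
        return q == text
    if cond == "end with":
        return q.endswith(text)
    if cond == "begin with":
        return q.startswith(text)
    if cond == "contains":
        return text in q
    raise ValueError(f"condition not modelled by this linter: {cond}")


def lint_exclusion(rule: Exclusion) -> List[str]:
    """Problems found with one exclusion; an empty list means it follows the notes."""
    cond, text = rule[0].lower(), rule[1].lower()
    bare = text.lstrip(".")
    problems: List[str] = []
    if cond not in ("is", "end with"):
        problems.append(f'condition "{cond}" is too loose; use "is" or "end with"')
    if cond == "end with" and not text.startswith("."):
        problems.append('"end with" text lacks a leading dot, so look-alike domains also match')
    # The page's own test case: would a registered look-alike slip through this rule?
    lookalike = "malware-" + bare
    if cond in _KNOWN and excluded(rule, lookalike):
        problems.append(f"would also silence look-alike {lookalike}")
    if "wpad" in text.split("."):
        problems.append("wpad lookups must never be excluded (MitM vector)")
    if bare in BROAD_SERVICES:
        problems.append(f"{bare} blankets an entire provider; exclude specific hosts instead")
    return problems


def lint_all(rules: List[Exclusion]) -> Dict[str, List[str]]:
    """Lint every exclusion, keyed as 'condition:text'."""
    return {f"{cond}:{text}": lint_exclusion((cond, text)) for cond, text in rules}


# Constructed candidate list; only the first entry is an exclusion from this file.
CANDIDATES: List[Exclusion] = [
    ("end with", ".googlesyndication.com"),   # acceptable: leading dot, specific domain
    ("end with", "microsoft.com"),            # missing leading dot
    ("contains", "microsoft.com"),            # loose condition
    ("is", "wpad"),                           # must never be excluded
    ("end with", ".amazonaws.com"),           # whole provider
]


if __name__ == "__main__":
    for key, problems in lint_all(CANDIDATES).items():
        print(f"{key:32} {'OK' if not problems else '; '.join(problems)}")
```

Run it over your own exclusion list before deploying a DNS section; the look-alike check is the one that catches the microsoft.com mistake described above even when the condition itself looks reasonable.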
<QueryName condition="end with">.googlesyndication.com</QueryName><!--Ads:Google, sometimes called during malicious ads, but not directly responsible | Microsoft default exclusion [ https://www.hackread.com/wp-content/uploads/2018/06/Bitdefender-Whitepaper-Zacinlo.pdf ]-->