
<Sysmon schemaversion="4.30">

<HashAlgorithms>md5,sha256</HashAlgorithms>
<CheckRevocation/>

<EventFiltering>
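<RuleGroup name="" groupRelation="or">
<!-- Event ID 1 == Process Creation. -->
<!-- NOTE(review): backslash path separators appear to have been stripped from this copy (e.g. "C:WindowsSystem32eventvwr.exe", "\?GLOBALROOTDevice"). Restore them before deploying; until then every path-based rule below silently never matches. -->
<!-- Semantics: onmatch="include" with groupRelation="or" records a process start as soon as any one rule matches. "contains"/"end with"/"begin with" are substring matches on the full field value, "is" is an exact match of the whole value, and "image" compares the file name (or full path) of the image. Leading/trailing spaces inside elements such as " -enc " are part of the pattern and must survive any reformatting. -->
<!-- Rule names are ATT&CK IDs plus a sequence number. Several are older IDs that were later folded into sub-techniques (e.g. T1086, T1085, T1117, T1015, T1060); map them consistently if the names feed an analytics layer. -->
<ProcessCreate onmatch="include">
<!-- Script interpreters, LOLBins and other commonly abused native binaries. -->
<Image condition="end with" name="T1086 -1">powershell.exe</Image>
<!-- Image is the executable path, so ".ps1"/".ps2" only match when a script extension appears in that path; presumably these were meant for CommandLine. TODO confirm intent. -->
<Image condition="contains" name="T1086 -2">.ps1</Image>
<Image condition="contains" name="T1086 -3">.ps2</Image>
<Image condition="end with" name="T1059 -4">cmd.exe</Image>
<Image condition="end with" name="T1117 -5">regsvr32.exe</Image>
<Image condition="end with" name="T1059 -6">vshadow.exe</Image>
<Image condition="end with" name="T1202 -7">forfiles.exe</Image>
<Image condition="end with" name="T1085 -8">rundll32.exe</Image>
<!-- Subsumed by the "end with" regsvr32.exe rule above; left in place so existing RuleName references stay valid. -->
<Image condition="image" name="T1117 -9">regsvr32.exe</Image>
<Image condition="end with" name="T1085 -10">dllhost.exe</Image>
<Image condition="end with" name="T1059 -11">cscript.exe</Image>
<Image condition="end with" name="T1059 -12">wscript.exe</Image>
<Image condition="end with" name="T1059 -13">hh.exe</Image>
<Image condition="end with" name="T1059 -14">bash.exe</Image>
<Image condition="end with" name="T1059 -15">scrcons.exe</Image>
<Image condition="end with" name="T1059 -16">schtasks.exe</Image>
<Image condition="end with" name="T1059 -17">sh.exe</Image>
<Image condition="end with" name="S0160 -18">certutil.exe</Image>
<!-- Masquerading: executables started from directories where legitimate binaries rarely live. (Separators stripped, see note above.) -->
<Image condition="contains" name="T1036 -19">PerfLogs</Image>
<Image condition="contains" name="T1036 -20">$Recycle.bin</Image>
<Image condition="contains" name="T1036 -21">IntelLogs</Image>
<Image condition="contains" name="T1036 -22">UsersAll Users</Image>
<Image condition="contains" name="T1036 -23">UsersDefault</Image>
<Image condition="contains" name="T1036 -24">UsersPublic</Image>
<Image condition="contains" name="T1036 -25">UsersNetworkService</Image>
<Image condition="contains" name="T1036 -26">WindowsFonts</Image>
<Image condition="contains" name="T1036 -27">WindowsDebug</Image>
<Image condition="contains" name="T1036 -28">WindowsMedia</Image>
<Image condition="contains" name="T1036 -29">WindowsIME</Image>
<Image condition="contains" name="T1036 -30">WindowsHelp</Image>
<Image condition="contains" name="T1036 -31">Windowsaddins</Image>
<Image condition="contains" name="T1036 -32">Windowsrepair</Image>
<Image condition="contains" name="T1036 -33">Windowssecurity</Image>
<Image condition="contains" name="T1036 -34">RSAMachineKeys</Image>
<Image condition="contains" name="T1036 -35">wwwroot</Image>
<Image condition="contains" name="T1036 -36">wmpub</Image>
<Image condition="contains" name="T1036 -37">htdocs</Image>
<Image condition="contains" name="T1036 -38">Windowssystem32configsystemprofile</Image>
<!-- Discovery, lateral movement and service manipulation utilities. -->
<Image condition="end with" name="T1135 -39">net.exe</Image>
<Image condition="end with" name="T1135 -40">net1.exe</Image>
<Image condition="end with" name="T1047 -41">wmic.exe</Image>
<Image condition="end with" name="T1197 -42">bitsadmin.exe</Image>
<Image condition="end with" name="T1059 -43">conhost.exe</Image>
<Image condition="end with" name="T1489 -44">sc.exe</Image>
<Image condition="end with" name="T1082 -45">appcmd.exe</Image>
<Image condition="image" name="T1112 -1a">reg.exe</Image>
<Image condition="image" name="T1003 -event1">vaultcmd.exe</Image>
<Image name="T1057 -1" condition="image">tasklist.exe</Image>
<Image name="T1057 -2" condition="image">qprocess.exe</Image>
<Image name="T1218.008" condition="image">odbcconf.exe</Image>
<Image name="T1218.009 -1" condition="image">regasm.exe</Image>
<Image name="T1218.009 -2" condition="image">regsvcs.exe</Image>
<Image name="T1087 -1" condition="image">adfind.exe</Image>
<Image name="T1546.011 -3" condition="image">sdbinst.exe</Image>
<Image name="T1027.002 -1" condition="image">upx.exe</Image>
<Image name="T1016 -1" condition="image">arp.exe</Image>
<Image name="T1016 -2" condition="image">nbtstat.exe</Image>
<Image name="T1490" condition="image">bcdedit.exe</Image>
<Image name="T1482 -1" condition="image">nltest.exe</Image>
<!-- Removed a "bcedit.exe" entry (T1490 -1): a misspelling of bcdedit.exe, which the T1490 rule above already covers, so it could never match. -->
<!-- Document readers, Office applications and mail/browser clients: the usual carriers of phishing attachments. -->
<Image name="T1566.001 -1" condition="image">AcroRd32.exe</Image>
<Image name="T1566.001 -2" condition="image">Acrobat.exe</Image>
<!-- NOTE(review): the next two rules share the name "T1566.001 -3"; give the second one its own number if names are used for counting. -->
<Image name="T1566.001 -3" condition="image">FoxitPhantomPDF.exe</Image>
<Image name="T1566.001 -3" condition="image">FoxitReader.exe</Image>
<Image name="T1566.001 -4" condition="image">outlook.exe</Image>
<Image name="T1566.001 -5" condition="image">eqnedt32.exe</Image>
<Image name="T1566.001 -6" condition="image">excel.exe</Image>
<Image name="T1566.001 -7" condition="image">fltldr.exe</Image>
<Image name="T1566.001 -8" condition="image">msaccess.exe</Image>
<Image name="T1566.001 -9" condition="image">mspub.exe</Image>
<Image name="T1566.001 -10" condition="image">powerpnt.exe</Image>
<Image name="T1566.001 -11" condition="image">winword.exe</Image>
<Image condition="image" name="T1566.001 -12">firefox.exe</Image>
<!-- Fixed: the "image" condition compares the file name, so the value needs its ".exe" suffix to ever match. wevtutil clears event logs (T1070.001); it is not a phishing-attachment indicator. -->
<Image condition="image" name="T1070.001 -13">wevtutil.exe</Image>

<!-- Command-line indicators: credential-dumper switches, download cradles, hidden/encoded PowerShell, shadow-copy and hive access. -->
<CommandLine condition="contains" name="T1056 -46">/stext</CommandLine>
<CommandLine condition="contains" name="T1056 -47">/scomma</CommandLine>
<CommandLine condition="contains" name="T1191 -48">cmstp.exe</CommandLine>
<CommandLine condition="contains" name="T1158 -51">attrib +h</CommandLine>
<CommandLine condition="contains" name="T1086 -56">new-object system.net.webclient).downloadstring(</CommandLine>
<CommandLine condition="contains" name="T1086 -57">new-object system.net.webclient).downloadfile(</CommandLine>
<!-- The surrounding spaces in the next seven patterns are intentional (whole-switch match). -->
<CommandLine condition="contains" name="T1086 -58"> -enc </CommandLine>
<CommandLine condition="contains" name="T1086 -59"> -EncodedCommand </CommandLine>
<CommandLine condition="contains" name="T1086 -60"> -w hidden </CommandLine>
<CommandLine condition="contains" name="T1086 -61"> -window hidden </CommandLine>
<CommandLine condition="contains" name="T1086 -62"> -windowstyle hidden </CommandLine>
<CommandLine condition="contains" name="T1086 -63"> -noni </CommandLine>
<CommandLine condition="contains" name="T1086 -64"> -noninteractive </CommandLine>
<CommandLine condition="contains" name="T1059 -77">vssadmin.exe Delete Shadows</CommandLine>
<CommandLine condition="contains" name="T1059 -78">vssadmin create shadow /for=</CommandLine>
<CommandLine condition="contains" name="T1059 -79">vssadmin delete shadows /for=</CommandLine>
<!-- Copies of the AD database and SAM hive from a shadow copy. (Separators stripped, see note above.) -->
<CommandLine condition="contains" name="T1059 -80">copy \?GLOBALROOTDevice*windowsntdsntds.dit</CommandLine>
<CommandLine condition="contains" name="T1059 -81">copy \?GLOBALROOTDevice*configSAM</CommandLine>
<CommandLine condition="contains" name="T1059 -82">reg SAVE HKLMSYSTEM</CommandLine>
<CommandLine condition="contains" name="T1210 -83">transport=dt_socket,address=*</CommandLine>
<!-- Script engine selected by CLSID via the //e: switch (defense evasion). -->
<CommandLine condition="contains" name="T1562.001 -84">//e:{16d51579-a30b-4c8b-a276-0ff4dc41e755}</CommandLine>
<CommandLine condition="contains" name="T1490 -85">shadowcopy delete</CommandLine>
<!-- Removed an exact duplicate of the "vssadmin.exe Delete Shadows" rule (T1490 -86): same condition and pattern as T1059 -77 above. -->
<CommandLine condition="contains" name="T1562.001 -87">WindowsSoundRecorder</CommandLine>
<CommandLine condition="contains" name="T1002 -1">Compress-Archive</CommandLine>
<CommandLine condition="contains" name="T1002 -2">System.IO.Compression.FileSystem</CommandLine>
<CommandLine condition="contains" name="T1059 -105">mimikatz.exe</CommandLine>
<CommandLine condition="contains" name="T1016 -3">ipconfig</CommandLine>

<!-- Parent-process indicators: children of MSHTA, remoting hosts, Office applications, script hosts, installers and accessibility binaries. -->
<ParentImage condition="end with" name="T1170 -88">mshta.exe</ParentImage>
<ParentImage condition="end with" name="T1028 -89">wsmprovhost.exe</ParentImage>
<ParentImage condition="contains" name="T1028 -90">WinrsHost.exe</ParentImage>
<ParentImage condition="end with" name="T1059 -91">WINWORD.exe</ParentImage>
<ParentImage condition="end with" name="T1059 -92">EXCEL.exe</ParentImage>
<ParentImage condition="end with" name="T1059 -93">POWERPNT.exe</ParentImage>
<ParentImage condition="end with" name="T1059 -94">MSPUB.exe</ParentImage>
<ParentImage condition="end with" name="T1059 -95">VISIO.exe</ParentImage>
<ParentImage condition="end with" name="T1085 -96">control.exe</ParentImage>
<ParentImage condition="end with" name="T1175 -97">mmc.exe</ParentImage>
<ParentImage condition="contains" name="T1059 -98">cscript.exe</ParentImage>
<ParentImage condition="contains" name="T1059 -99">wscript.exe</ParentImage>
<ParentImage condition="end with" name="T1218 -100">msiexec.exe</ParentImage>
<ParentImage name="T1566.001" condition="image">outlook.exe</ParentImage>
<!-- Accessibility binaries spawning a child process (T1015, accessibility-feature abuse). -->
<ParentImage name="T1015 -1" condition="image">sethc.exe</ParentImage>
<ParentImage name="T1015 -2" condition="image">utilman.exe</ParentImage>
<ParentImage name="T1015 -3" condition="image">osk.exe</ParentImage>
<ParentImage name="T1015 -4" condition="image">Magnify.exe</ParentImage>
<ParentImage name="T1015 -5" condition="image">DisplaySwitch.exe</ParentImage>
<ParentImage name="T1015 -6" condition="image">Narrator.exe</ParentImage>
<ParentImage name="T1015 -7" condition="image">AtBroker.exe</ParentImage>

<!-- Parent command-line indicators. -->
<!-- "is" requires the entire parent command line to equal this value; besides the stripped separators, confirm eventvwr.exe is launched without quoting or arguments on the target platform. TODO confirm. -->
<ParentCommandLine condition="is" name="T1088 -101">C:WindowsSystem32eventvwr.exe</ParentCommandLine>
<ParentCommandLine condition="contains" name="T1055 -102">\.pipe</ParentCommandLine>
<ParentCommandLine condition="contains" name="T1218 -103">ftp -s:</ParentCommandLine>
<ParentCommandLine condition="contains" name="T1218 -104">pcalua.exe -a</ParentCommandLine>

</ProcessCreate>
</RuleGroup>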

<RuleGroup name="" groupRelation="or">
<!-- Event ID 2 == File Creation Time. -->
<!-- Empty include list: no file-creation-time-change (timestomping) events are recorded. Add TargetFilename or Image rules here to enable them. -->
<FileCreateTime onmatch="include">
</FileCreateTime>
</RuleGroup>


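<RuleGroup name="" groupRelation="or">
<!-- Event ID 3 == Network Connection. -->
<!-- Semantics: onmatch="include" with groupRelation="or": a connection is recorded as soon as any one rule matches. Port rules apply to every process. -->
<!-- NOTE(review): volume. The 80/443/53 rules near the end match practically every web and DNS connection on the host; pair them with an Image filter or budget for very high event rates. -->
<NetworkConnect onmatch="include">
<!-- Binaries that rarely have a legitimate reason to open network connections. -->
<Image condition="image" name="T1175 -1">mshta.exe</Image>
<Image condition="image" name="T1059 -2">certutil.exe</Image>
<Image condition="image" name="T1117 -3">regsvr32.exe</Image>
<Image condition="end with" name="T1085 -4">rundll32.exe</Image>
<Image condition="image" name="T1086 -5">powershell.exe</Image>

<!-- Loopback destinations: local proxying or port forwarding. -->
<DestinationIp condition="is" name="T1090 -6">127.0.0.1</DestinationIp>
<DestinationIp condition="is" name="T1090 -7">::1</DestinationIp>

<!-- Remote-administration and mail ports; expect legitimate admin traffic here as well. -->
<DestinationPort condition="is" name="T1090 SSH">22</DestinationPort> <!--SSH protocol, monitor admin connections-->
<DestinationPort condition="is" name="T1090 Telnet">23</DestinationPort> <!--Telnet protocol, monitor admin connections, insecure-->
<!-- Name fixed from "SNTP": port 25 is SMTP, as the inline comment already says. -->
<DestinationPort condition="is" name="T1090 SMTP">25</DestinationPort> <!--SMTP mail protocol port, insecure, used by threats-->
<DestinationPort condition="is" name="T1090 IMAP">143</DestinationPort> <!--IMAP mail protocol port, insecure, used by threats-->
<DestinationPort condition="is" name="T1090 RDP">3389</DestinationPort> <!--Windows:RDP: Monitor admin connections-->
<DestinationPort condition="is" name="T1021 VNC-5800">5800</DestinationPort> <!--VNC protocol: Monitor admin connections, often insecure, using hard-coded admin password-->
<DestinationPort condition="is" name="T1021 VNC-5900">5900</DestinationPort> <!--VNC protocol Monitor admin connections, often insecure, using hard-coded admin password-->
<DestinationPort condition="is" name="T1064 Metasploit">4444</DestinationPort>

<!-- Tunnelling and anonymising ports. -->
<DestinationPort condition="is" name="T1090 -10">1723</DestinationPort> <!--PPTP VPN control port; previously mislabelled "Tor", which does not use 1723-->
<DestinationPort condition="is" name="T1090 -11">9001</DestinationPort> <!--Tor protocol-->
<DestinationPort condition="is" name="T1090 -12">9030</DestinationPort> <!--Tor protocol-->
<!-- reg.exe rule left in its original position among the port rules. -->
<Image condition="image" name="T1112 -1b">reg.exe</Image>
<!-- FTP: cleartext transfer channel. -->
<DestinationPort condition="is" name="T1048 -13">21</DestinationPort>
<SourcePort condition="is" name="T1048 -14">21</SourcePort>

<!-- Commonly used ports: very high volume, see the note at the top of this group. -->
<DestinationPort condition="is" name="T1043 -1">80</DestinationPort>
<DestinationPort condition="is" name="T1043 -2">443</DestinationPort>
<DestinationPort condition="is" name="T1043 -3">53</DestinationPort>
<!-- Name fixed: this rule previously reused "T1043 -3". -->
<DestinationPort condition="is" name="T1043 -4">135</DestinationPort>
<!-- Name-resolution multicast/broadcast ports (LLMNR 5355, NetBIOS-NS 137, mDNS 5353): poisoning targets tracked as T1557.001. -->
<DestinationPort condition="is" name="T1557.001 -1">5355</DestinationPort>
<DestinationPort condition="is" name="T1557.001 -2">137</DestinationPort>
<DestinationPort condition="is" name="T1557.001 -3">5353</DestinationPort>

</NetworkConnect>
</RuleGroup>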

<!-- Event ID 4 == Sysmon service state change. Reserved for Sysmon service status messages; it cannot be filtered. -->

<RuleGroup name="" groupRelation="or">
<!-- Event ID 5 == Process Terminated. -->
<!-- Empty include list: no process-termination events are recorded. -->
<ProcessTerminate onmatch="include">
</ProcessTerminate>
</RuleGroup>

<RuleGroup name="" groupRelation="or">
<!-- Event ID 6 == Driver Loaded. -->
<!--TECHNICAL: if an exclude list is used instead, Sysmon checks the signing-certificate revocation status of every driver that is not excluded.-->
<!-- Only drivers whose path contains "Temp" or whose file name is RwDrv.sys are recorded. NOTE(review): path separators appear stripped in this copy; the "contains" match on a bare "Temp" still works but also matches any path segment containing that word. -->
<DriverLoad onmatch="include">
<ImageLoaded condition="contains" name="T1014 -1">Temp</ImageLoaded>
<!-- RwDrv.sys is tagged T1082 here; confirm the mapping, this driver is usually tracked as a bring-your-own-vulnerable-driver indicator rather than system-information discovery. TODO confirm. -->
<ImageLoaded condition="end with" name="T1082 -2">RwDrv.sys</ImageLoaded>
</DriverLoad>
</RuleGroup>

<RuleGroup name="" groupRelation="or">
<!-- Event ID 7 == Image Load-->
<!-- NOTE(review): volume. Signed=false on its own records every unsigned DLL/image load on the host; scope it with an Image or ImageLoaded rule in the same group (groupRelation would then need to be "and") or expect very high event rates. -->
<ImageLoad onmatch="include">
<Signed condition="is" name="T1073 -1">false</Signed>
</ImageLoad>
</RuleGroup>

<RuleGroup name="" groupRelation="or">
<!-- Event ID 8 == CreateRemoteThread. -->
<!-- Records threads created in lsass.exe (credential access / injection into the security subsystem). -->
<!-- NOTE(review): "is" requires the whole TargetImage path to match exactly; with the separators stripped in this copy the value can never equal a real path, so restore it as the full System32 lsass.exe path before deployment. -->
<CreateRemoteThread onmatch="include">
<TargetImage condition="is" name="S0121 -1">C:Windowssystem32lsass.exe</TargetImage>
</CreateRemoteThread>
</RuleGroup>

<RuleGroup name="" groupRelation="or">
<!-- Event ID 9 == RawAccessRead. -->
<!-- Empty include list: no raw-disk-read events are recorded. -->
<RawAccessRead onmatch="include">
</RawAccessRead>
</RuleGroup>

<!-- Event ID 10 == ProcessAccess. -->
<!-- Exclusion list for ProcessAccess. Exclude matches take precedence over the include group that follows, so any source process listed here is never recorded even when it opens lsass.exe. -->
<!-- NOTE(review): exclusions keyed on "end with" trust the file name alone; a full-path "is" condition (as used for lsm.exe below) is the safer form, since a renamed binary cannot satisfy it. -->
<!-- NOTE(review): path separators appear stripped in this copy (e.g. the lsm.exe and Symantec paths), so those two exclusions will not match until restored. -->
<RuleGroup name="" groupRelation="or">
<ProcessAccess onmatch="exclude">
<SourceImage condition="end with" name="T1003 - exclude - 1">wmiprvse.exe</SourceImage>
<SourceImage condition="end with" name="T1003 - exclude -2">GoogleUpdate.exe</SourceImage>
<SourceImage condition="end with" name="T1003 - exclude -3">LTSVC.exe</SourceImage>
<SourceImage condition="end with" name="T1003 - exclude -4">VBoxService.exe</SourceImage> <!--# Virtual Box -->
<SourceImage condition="end with" name="T1003 - exclude -5">vmtoolsd.exe</SourceImage>
<SourceImage condition="end with" name="T1003 - exclude -6">CitrixSystem32wfshell.exe</SourceImage> <!--#Citrix process in C:Program Files (x86)CitrixSystem32wfshell.exe -->
<SourceImage condition="is" name="T1003 - exclude -7">C:WindowsSystem32lsm.exe</SourceImage> <!--# System process under C:WindowsSystem32lsm.exe -->
<SourceImage condition="end with" name="T1003 - exclude -8">Microsoft.Identity.AadConnect.Health.AadSync.Host.exe</SourceImage> <!--# Microsoft Azure AD Connect Health Sync Agent -->
<SourceImage condition="begin with" name="T1003 - exclude -9">C:Program Files (x86)SymantecSymantec Endpoint Protection</SourceImage> <!-- # Symantec -->
<!-- Broad exclusion: any source path containing "Windows Defender" is silenced. Narrow it to the specific engine binaries if possible. -->
<SourceImage condition="contains" name="T1003 - exclude -10">Windows Defender</SourceImage>
</ProcessAccess>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 10 == ProcessAccess, include list: credential-access indicators (any single rule matching is enough). -->
<ProcessAccess onmatch="include">
<!-- Call stacks passing through the debug-help / minidump libraries, or a call trace naming mimikatz. -->
<CallTrace condition="contains" name="T1003 -1">dbghelp.dll</CallTrace>
<CallTrace condition="contains" name="T1003 -2">dbgcore.dll</CallTrace>
<CallTrace condition="contains" name="T1003 -3">mimikatz</CallTrace>

<!-- Any handle opened to lsass.exe by a process not in the exclude group above. Expect noise from security agents and system components not yet excluded. -->
<TargetImage condition="contains" name="T1003 -4">lsass.exe</TargetImage>

<!-- NOTE(review): 0x800 on its own is an unusual access mask to alert on and it applies to every target process; confirm it is the intended GrantedAccess value and not a truncated one. TODO confirm. -->
<GrantedAccess condition="is" name="T1093 -6">0x800</GrantedAccess>
</ProcessAccess>
</RuleGroup>

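<RuleGroup name="" groupRelation="or">
<!-- Event ID 11 == FileCreate. -->
<!-- Semantics: onmatch="include" with groupRelation="or": a file creation is recorded as soon as any one rule matches. TargetFilename is the full path of the created file. -->
<!-- NOTE(review): path separators appear stripped from this copy (e.g. "AppDataLocalTempcomctl32.dll", "C:WindowsTasks"); restore them before deploying or none of these rules will match. -->
<FileCreate onmatch="include">
<!-- Fixed: these three used condition="is", which requires the whole TargetFilename path to equal the value; a path fragment can never satisfy that. "end with" matches the intended suffix. -->
<!-- DLLs dropped into the user temp directory for UAC-bypass / side-loading. -->
<TargetFilename condition="end with" name="T1088 -1">AppDataLocalTempcomctl32.dll</TargetFilename>
<TargetFilename condition="end with" name="T1088 -2">AppDataLocalTempdismcore.dll</TargetFilename>
<TargetFilename condition="end with" name="T1088 -3">AppDataLocalTempwow64log.dll</TargetFilename>
<!-- Binaries and DLLs that scheduled tasks run; creating a file with one of these names indicates task hijacking or planting. -->
<TargetFilename condition="contains" name="T1053 -4">System32aitagent.exe</TargetFilename>
<TargetFilename condition="contains" name="T1053 -5">compattelDiagTrackRunner.exe</TargetFilename>
<TargetFilename condition="contains" name="T1053 -6">system32CompatTelRunner.exe</TargetFilename>
<!-- "acproxy.dl" looks truncated; as a "contains" match it still matches acproxy.dll, so it is left as is. TODO confirm. -->
<TargetFilename condition="contains" name="T1053 -7">System32acproxy.dl</TargetFilename>
<TargetFilename condition="contains" name="T1053 -8">system32wsqmcons.exe</TargetFilename>
<TargetFilename condition="contains" name="T1053 -9">lpremove.exe</TargetFilename>
<TargetFilename condition="contains" name="T1053 -10">srrstr.dll</TargetFilename>
<TargetFilename condition="contains" name="T1053 -11">system32wermgr.exe</TargetFilename>
<TargetFilename condition="contains" name="T1053 -12">System32sdclt.exe</TargetFilename>
<TargetFilename condition="contains" name="T1053 -13">system32appidcertstorecheck.exe</TargetFilename>
<TargetFilename condition="contains" name="T1053 -14">system32AppHostRegistrationVerifier.exe</TargetFilename>
<TargetFilename condition="contains" name="T1053 -15">System32MicTray64.exe</TargetFilename>
<TargetFilename condition="contains" name="T1053 -16">system32usoclient.exe</TargetFilename>
<TargetFilename condition="contains" name="T1053 -17">System32dsregcmd.exe</TargetFilename>
<TargetFilename condition="contains" name="T1053 -18">System32sihclient.exe</TargetFilename>
<TargetFilename condition="contains" name="T1053 -19">dimsjob.dll</TargetFilename>
<TargetFilename condition="contains" name="T1053 -20">Lracengn.dll</TargetFilename>
<TargetFilename condition="contains" name="T1053 -21">HotstartUserAgent.dll</TargetFilename>
<TargetFilename condition="contains" name="T1053 -22">MsCtfMonitor.dll</TargetFilename>
<TargetFilename condition="contains" name="T1053 -23">PlaySndSrv.dll</TargetFilename>
<TargetFilename condition="contains" name="T1053 -24">AdobeARM.exe</TargetFilename>
<TargetFilename condition="contains" name="T1053 -25">GoogleUpdateGoogleUpdate.exe</TargetFilename>
<!-- .NET usage logs written by script hosts and LOLBins: evidence that the binary loaded the CLR. -->
<TargetFilename condition="end with" name="T1129 -26">UsageLogscscript.exe.log</TargetFilename>
<TargetFilename condition="end with" name="T1129 -27">UsageLogswscript.exe.log</TargetFilename>
<TargetFilename condition="end with" name="T1129 -28">UsageLogsmshta.log</TargetFilename>
<TargetFilename condition="end with" name="T1129 -29">UsageLogswmic.log</TargetFilename>
<TargetFilename condition="end with" name="T1129 -30">UsageLogsregsvr32.exe.log</TargetFilename>
<TargetFilename condition="end with" name="T1129 -31">UsageLogssvchost.log</TargetFilename>
<TargetFilename condition="contains" name="T1088 -32">AppDataLocalTempmscoree.dll</TargetFilename>
<TargetFilename condition="contains" name="T1088 -33">AppDataLocalTempGdiPlus.dll</TargetFilename>
<!-- Persistence locations: shim databases, Start Menu entries, scheduled-task files, DLL search-order hijack targets, Office startup and PowerShell profile folders. -->
<TargetFilename condition="begin with" name="T1546.011 -1">C:WindowsAppPatchCustom</TargetFilename> <!--Windows: Application compatibility shims [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
<TargetFilename condition="contains" name="T1023 -35">Start Menu</TargetFilename>
<TargetFilename condition="begin with" name="T1053 -36">C:WindowsTasks</TargetFilename>
<TargetFilename condition="end with" name="T1574 -1">system32oci.dll</TargetFilename>
<TargetFilename condition="end with" name="T1574 -2">system32fveapi.dll</TargetFilename>
<TargetFilename condition="end with" name="T1547.005">system32mimilsa.log</TargetFilename>
<TargetFilename condition="contains" name="T1137.006">RoamingMicrosoftWordSTARTUP</TargetFilename>
<TargetFilename condition="contains" name="T1546.013">DocumentsWindowsPowerShell</TargetFilename>

</FileCreate>
</RuleGroup>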

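<RuleGroup name="" groupRelation="or">
<!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. -->
<!-- Semantics: onmatch="include" with groupRelation="or": a registry event is recorded as soon as any one rule matches. TargetObject is the full key/value path. -->
<!-- NOTE(review): backslash separators appear stripped from this copy (e.g. "HKLMSoftwareMicrosoftWindows NT..."); restore them before deploying or none of these rules will match. -->
<!-- NOTE(review): "T1547.001 -15" and "T1060 -17/-18" tag the same Run/Startup persistence family with a current and a retired ATT&CK ID; pick one scheme. -->
<RegistryEvent onmatch="include">
<!-- UAC-bypass handler keys and LUA/PowerShell policy tampering. -->
<TargetObject condition="contains" name="T1088 -1">exefileshellrunascommandIsolatedCommand</TargetObject>
<TargetObject condition="contains" name="T1088 -2">ms-settingsshellopencommandDelegateExecute</TargetObject>
<TargetObject condition="contains" name="T1088 -3">ms-settingsshellopencommand(Default)</TargetObject>
<TargetObject condition="contains" name="T1088 -4">ms-settingsshellopencommand</TargetObject>
<TargetObject condition="contains" name="T1562.001 -5">SystemCurrentControlSetControlSESSION MANAGEREnvironment__PSLockdownPolicy</TargetObject>
<TargetObject condition="contains" name="T1088 -6">SOFTWAREMicrosoftWindowsCurrentVersionpoliciessystemEnableLUA</TargetObject>
<TargetObject condition="contains" name="T1562.001 -7">SOFTWAREWow6432NodePoliciesMicrosoftWindowsPowerShellScriptBlockLoggingEnableScriptBlockLogging</TargetObject>
<TargetObject condition="contains" name="T1562.001 -8">SOFTWAREMicrosoftPowerShell1ShellIdsMicrosoft.PowerShellExecutionPolicy</TargetObject>
<!-- Office VBA object-model trust settings (macro security). -->
<TargetObject condition="contains" name="T1562.001 -9">SoftwareMicrosoftOffice*ExcelSecurityAccessVBOM</TargetObject>
<TargetObject condition="contains" name="T1562.001 -10">SoftwareMicrosoftOffice*PowerPointSecurityAccessVBOM</TargetObject>
<TargetObject condition="contains" name="T1562.001 -11">SoftwareMicrosoftOffice*WordSecurityAccessVBOM</TargetObject>
<TargetObject condition="contains" name="T1562.001 -12">SoftwareMicrosoftOffice*AccessSecurityAccessVBOM</TargetObject>
<TargetObject condition="contains" name="T1562.001 -13">SoftwareMicrosoftOffice*OutlookSecurityAccessVBOM</TargetObject>
<!-- Trusted-root certificate installs and autostart locations. -->
<TargetObject condition="contains" name="T1130 -14">SOFTWAREPoliciesMicrosoftSystemCertificatesRootCertificates</TargetObject>
<TargetObject condition="contains" name="T1547.001 -15">WindowsCurrentVersionRun</TargetObject>
<TargetObject condition="contains" name="T1060 -17">SoftwareMicrosoftWindowsCurrentVersionExplorerUser Shell Foldersstartup</TargetObject>
<TargetObject condition="contains" name="T1060 -18">SoftwareMicrosoftWindowsCurrentVersionExplorerShell Foldersstartup</TargetObject>
<TargetObject condition="begin with" name="T1138,AppCompatShim -19">HKLMSoftwareMicrosoftWindows NTCurrentVersionAppCompatFlagsCustom</TargetObject> <!--Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
<TargetObject condition="begin with" name="T1138,AppCompatShim -20">HKLMSoftwareMicrosoftWindows NTCurrentVersionAppCompatFlagsInstalledSDB</TargetObject> <!--Windows: AppCompat [ https://attack.mitre.org/wiki/Technique/T1138 ] -->
<!-- Image File Execution Options debugger values for accessibility binaries (T1015). -->
<TargetObject condition="contains" name="T1015 -21">SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionssethc.exeDebugger</TargetObject>
<!-- Removed an exact duplicate of the sethc.exe Debugger rule (T1015 -22). -->
<TargetObject condition="contains" name="T1015 -23">SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsosk.exeDebugger</TargetObject>
<TargetObject condition="contains" name="T1015 -24">SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsMagnify.exeDebugger</TargetObject>
<TargetObject condition="contains" name="T1015 -25">SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsNarrator.exeDebugger</TargetObject>
<TargetObject condition="contains" name="T1015 -26">SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsDisplaySwitch.exeDebugger</TargetObject>
<TargetObject condition="contains" name="T1015 -27">SoftwareMicrosoftWindows NTCurrentVersionWinlogonShell</TargetObject>
<TargetObject condition="contains" name="Change of keyboard layout -28">Keyboard LayoutPreload</TargetObject> <!--Microsoft:Windows: Keyboard layout loaded into user session [ https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index ] -->
<TargetObject condition="contains" name="Change of keyboard layout -29">Keyboard LayoutSubstitutes</TargetObject> <!-- https://twitter.com/cyb3rops/status/1183431685402234880 -->
<!-- Port monitors, time providers, screensaver, USB enumeration, AppCert DLLs. -->
<TargetObject condition="contains" name="T1013 -30">CurrentControlSetControlPrintMonitors</TargetObject>
<TargetObject condition="contains" name="T1209 -31">CurrentControlSetServicesW32TimeTimeProviders</TargetObject>
<TargetObject condition="contains" name="T1546.002 -1">Control PanelDesktopSCRNSAVE.EXE</TargetObject>
<TargetObject condition="contains" name="T1546.002 -2">Control PanelDesktopScreenSaveActive</TargetObject>
<TargetObject condition="contains" name="T1546.002 -3">Control PanelDesktopScreenSaverIsSecure</TargetObject>
<TargetObject condition="contains" name="T1546.002 -4">Control PanelDesktopScreenSaveTimeout</TargetObject>
<TargetObject condition="contains" name="T1092 -1">SYSTEMCurrentControlSetEnumUSB</TargetObject>
<TargetObject condition="contains" name="T1182 -1">ControlSession ManagerAppCertDLLs</TargetObject>

<!-- COM hijack, LSA packages, logon scripts, AppInit DLLs, environment/profiler hijacks, Winlogon helpers. -->
<TargetObject condition="contains" name="T1546.015 -1">InprocServer32scrobj</TargetObject>
<TargetObject condition="contains" name="T1547.002 -1">CurrentControlSetControlLsaSecurity Package</TargetObject>
<TargetObject condition="contains" name="T1547.002 -2">CurrentControlSetControlLsaOSConfigSecurity Packages</TargetObject>
<TargetObject condition="contains" name="T1037.001 -1">EnvironmentUserInitMprLogonScript</TargetObject>
<TargetObject condition="contains" name="T1546.010 -1">Windows NTCurrentVersionWindowsAppInit_DLLs</TargetObject>
<TargetObject condition="contains" name="T1574.007 -1">EnvironmentPath</TargetObject>
<TargetObject condition="contains" name="T1574.012 -1">EnvironmentCOR_PROFILER</TargetObject>
<TargetObject condition="contains" name="T1547.004 -1">CurrentVersionWinlogonShell</TargetObject>
<TargetObject condition="contains" name="T1547.004 -2">CurrentVersionWinlogonUserinit</TargetObject>
<TargetObject condition="contains" name="T1547.004 -3">CurrentVersionWinlogonNotify</TargetObject>
<TargetObject condition="contains" name="T1569.002">ServicesW32TimeFailureCommand</TargetObject>
<TargetObject condition="contains" name="T1546.010">Windows NTCurrentVersionWindowsLoadAppInit_DLLs</TargetObject>
<!-- Removed an exact duplicate of the AppInit_DLLs rule (second "T1546.010"): same condition and pattern as "T1546.010 -1" above. -->
<TargetObject condition="contains" name="T1137.002">MicrosoftOffice testSpecial</TargetObject>
<TargetObject condition="contains" name="T1546.012">Windows NTCurrentVersionImage File Execution Options</TargetObject>
<TargetObject condition="contains" name="T1546.012">Windows NTCurrentVersionSilentProcessExit</TargetObject>
<!-- Broader pattern than "T1209 -31" above, which it subsumes. -->
<TargetObject condition="contains" name="T1547.003">ServicesW32TimeTimeProviders</TargetObject>
<!-- NOTE(review): SAM user keys are named by RID in 8 hex digits; "00001F5F" is an unusual RID, confirm it is the intended account (well-known ones are 000001F4 Administrator and 000001F5 Guest). TODO confirm. -->
<TargetObject condition="contains" name="T1078.001 -1">SAMSAMDomainsAccountUsers00001F5F</TargetObject>

</RegistryEvent>
</RuleGroup>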

<RuleGroup name="" groupRelation="or">
<!-- Event ID 15 == FileStream Created. -->
<!-- Empty include list: no alternate-data-stream creation events (e.g. Mark-of-the-Web on downloads) are recorded. -->
<FileCreateStreamHash onmatch="include">
</FileCreateStreamHash>

</RuleGroup>

<RuleGroup name="" groupRelation="or">
<!-- Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected -->
<!-- Empty include list: no named-pipe events are recorded, even though the ProcessCreate group looks for "\.pipe" in parent command lines. -->
<PipeEvent onmatch="include">
</PipeEvent>
</RuleGroup>

<RuleGroup name="" groupRelation="or">
<!-- Event ID 19,20,21, == WmiEvent. Log WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter creation activity-->
<!-- Records creation of WMI subscription objects (filters, consumers, bindings), a common persistence mechanism; deletions and modifications are not recorded. -->
<WmiEvent onmatch="include">
<Operation condition="is" name="T1047 -1">Created</Operation>
</WmiEvent>
</RuleGroup>

<RuleGroup name="" groupRelation="or">
<!-- Event ID 22 == DNSQuery-->
<!-- Empty include list: no DNS query events are recorded. -->
<DnsQuery onmatch="include">
</DnsQuery>
</RuleGroup>

</EventFiltering>
</Sysmon>
     
 
what is notes.io
 

Notes.io is a web-based application for taking notes. You can take your notes and share with others people. If you like taking long notes, notes.io is designed for you. To date, over 8,000,000,000 notes created and continuing...

With notes.io;

  • * You can take a note from anywhere and any device with internet connection.
  • * You can share the notes in social platforms (YouTube, Facebook, Twitter, instagram etc.).
  • * You can quickly share your contents without website, blog and e-mail.
  • * You don't need to create any Account to share a note. As you wish you can use quick, easy and best shortened notes with sms, websites, e-mail, or messaging services (WhatsApp, iMessage, Telegram, Signal).
  • * Notes.io has fabulous infrastructure design for a short link and allows you to share the note as an easy and understandable link.

Fast: Notes.io is built for speed and performance. You can take a notes quickly and browse your archive.

Easy: Notes.io doesn’t require installation. Just write and share note!

Short: Notes.io’s url just 8 character. You’ll get shorten link of your note when you want to share. (Ex: notes.io/q )

Free: Notes.io works for 12 years and has been free since the day it was started.


You immediately create your first note and start sharing with the ones you wish. If you want to contact us, you can use the following communication channels;


Email: [email protected]

Twitter: http://twitter.com/notesio

Instagram: http://instagram.com/notes.io

Facebook: http://facebook.com/notesio



Regards;
Notes.io Team

     
 
Shortened Note Link
 
 
Looding Image
 
     
 
Long File
 
 

For written notes was greater than 18KB Unable to shorten.

To be smaller than 18KB, please organize your notes, or sign in.