<manifest schemaversion="4.22" binaryversion="9.20">
  <!--
    Sysmon event manifest. It declares (a) the options the binary accepts on the
    command line and/or in a configuration file, (b) the filter operators a rule
    condition may use, and (c) the schema of every event it can write: event ID
    ("value"), name, template, the rule group it belongs to ("rulename"), the
    default when no rule is present ("ruledefault") and the ordered data fields.
    schemaversion/binaryversion are whatever this root element declares; presumably
    this is the output of the "-m" (Manifest) switch defined below - confirm
    against the Sysmon build actually deployed.
    Consumers (SIEM parsers, field mappings, detection rules) should key on the
    per-event "version" attribute: field sets and field names change between
    event versions, and several names are inconsistent across events (see notes).
  -->
  <configuration>
    <options>
      <!-- Command-line only options (noconfig="true": not read from a configuration
           file; exclusive="true": presumably cannot be combined with each other). -->
      <option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
      <option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
      <option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" />
      <option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
      <option switch="t" name="DebugMode" argument="optional" noconfig="true" />
      <option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" />
      <option switch="nologo" name="NoLogo" argument="none" noconfig="true" />
      <option switch="accepteula" name="AcceptEula" argument="none" noconfig="true" />
      <option switch="-" name="ConfigDefault" argument="none" noconfig="true" />
      <!-- Configuration file options.
           rule="true" marks options that are also rule groups; they correspond to the
           "rulename" attributes on the events below (NetworkConnect, ImageLoad, DnsQuery,
           ProcessAccess). Note the naming mismatch: the PipeMonitoring option ("g") maps
           to events whose rulename is "PipeEvent".
           forceconfig="true" on ProcessAccess and PipeMonitoring presumably means these
           can only be enabled through a configuration file, not the bare switch - TODO
           confirm against the Sysmon documentation for this version. -->
      <!-- HashAlgorithms: required argument; the Hashes/Hash fields of events 1, 6, 7 and
           15 are presumably computed with the algorithms listed here - verify. -->
      <option switch="h" name="HashAlgorithms" argument="required" />
      <option switch="n" name="NetworkConnect" argument="optional" rule="true" />
      <option switch="l" name="ImageLoad" argument="optional" rule="true" />
      <!-- DriverName: required argument. NOTE(review): presumably the name the kernel
           driver is registered under; operators commonly change it from the default so
           that Sysmon's presence is not trivially enumerable - confirm semantics. -->
      <option switch="d" name="DriverName" argument="required" />
      <option switch="dns" name="DnsQuery" argument="optional" rule="true" />
      <option switch="k" name="ProcessAccess" argument="required" rule="true" forceconfig="true" />
      <!-- CheckRevocation: no argument; presumably affects how the Signature /
           SignatureStatus fields of events 6 and 7 are evaluated - confirm. -->
      <option switch="r" name="CheckRevocation" argument="none" />
      <option switch="g" name="PipeMonitoring" argument="required" rule="true" forceconfig="true" />
    </options>
    <!-- Filter operators a rule condition may use; default="is" presumably applies when a
         rule gives no condition attribute. Detection authors: "contains"/"begin with"/
         "end with" are substring matches on the raw field text, so rules built on them
         should be checked against the exact field format shown in the events below. -->
    <filters default="is">is,is not,contains,contains any,contains all,excludes,begin with,end with,less than,more than,image</filters>
  </configuration>
  <events>
    <!-- Event 255: driver/service error report. No rulename, so it cannot be filtered
         by a rule; worth forwarding, since errors here can mean lost telemetry. -->
    <event name="SYSMON_ERROR" value="255" level="Error" template="Error report" version="3">
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="ID" inType="win:UnicodeString" outType="xs:string" />
      <data name="Description" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <!-- Event 1: process creation. ruledefault="include": logged unless a rule excludes it.
         Hashes is a single string (format depends on the HashAlgorithms option);
         ParentCommandLine and OriginalFileName are present from this event version. -->
    <event name="SYSMON_CREATE_PROCESS" value="1" level="Informational" template="Process Create" rulename="ProcessCreate" ruledefault="include" version="5">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="ProcessGuid" inType="win:GUID" />
      <data name="ProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="Image" inType="win:UnicodeString" outType="xs:string" />
      <data name="FileVersion" inType="win:UnicodeString" outType="xs:string" />
      <data name="Description" inType="win:UnicodeString" outType="xs:string" />
      <data name="Product" inType="win:UnicodeString" outType="xs:string" />
      <data name="Company" inType="win:UnicodeString" outType="xs:string" />
      <data name="OriginalFileName" inType="win:UnicodeString" outType="xs:string" />
      <data name="CommandLine" inType="win:UnicodeString" outType="xs:string" />
      <data name="CurrentDirectory" inType="win:UnicodeString" outType="xs:string" />
      <data name="User" inType="win:UnicodeString" outType="xs:string" />
      <data name="LogonGuid" inType="win:GUID" />
      <data name="LogonId" inType="win:HexInt64" />
      <data name="TerminalSessionId" inType="win:UInt32" />
      <data name="IntegrityLevel" inType="win:UnicodeString" outType="xs:string" />
      <data name="Hashes" inType="win:UnicodeString" outType="xs:string" />
      <data name="ParentProcessGuid" inType="win:GUID" />
      <data name="ParentProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="ParentImage" inType="win:UnicodeString" outType="xs:string" />
      <data name="ParentCommandLine" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <!-- Event 2: file creation time changed (timestomping indicator). Both the new and
         the previous creation time are carried so the change can be reconstructed. -->
    <event name="SYSMON_FILE_TIME" value="2" level="Informational" template="File creation time changed" rulename="FileCreateTime" ruledefault="include" version="4">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="ProcessGuid" inType="win:GUID" />
      <data name="ProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="Image" inType="win:UnicodeString" outType="xs:string" />
      <data name="TargetFilename" inType="win:UnicodeString" outType="xs:string" />
      <data name="CreationUtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="PreviousCreationUtcTime" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <!-- Event 3: network connection. No ruledefault attribute (same for events 7, 8, 9
         and 10); this manifest does not state what happens when no rule is configured,
         so do not assume these are logged without an explicit rule - verify in the
         deployed config. Initiated distinguishes outbound from inbound. -->
    <event name="SYSMON_NETWORK_CONNECT" value="3" level="Informational" template="Network connection detected" rulename="NetworkConnect" version="5">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="ProcessGuid" inType="win:GUID" />
      <data name="ProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="Image" inType="win:UnicodeString" outType="xs:string" />
      <data name="User" inType="win:UnicodeString" outType="xs:string" />
      <data name="Protocol" inType="win:UnicodeString" outType="xs:string" />
      <data name="Initiated" inType="win:Boolean" />
      <data name="SourceIsIpv6" inType="win:Boolean" />
      <data name="SourceIp" inType="win:UnicodeString" outType="xs:string" />
      <data name="SourceHostname" inType="win:UnicodeString" outType="xs:string" />
      <data name="SourcePort" inType="win:UInt16" />
      <data name="SourcePortName" inType="win:UnicodeString" outType="xs:string" />
      <data name="DestinationIsIpv6" inType="win:Boolean" />
      <data name="DestinationIp" inType="win:UnicodeString" outType="xs:string" />
      <data name="DestinationHostname" inType="win:UnicodeString" outType="xs:string" />
      <data name="DestinationPort" inType="win:UInt16" />
      <data name="DestinationPortName" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <!-- Event 4: Sysmon service state changed. No rulename, so a rule cannot suppress it.
         Alert on it: a state change on an endpoint that was not being serviced is a
         strong tamper/defense-evasion signal. -->
    <event name="SYSMON_SERVICE_STATE_CHANGE" value="4" level="Informational" template="Sysmon service state changed" version="3">
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="State" inType="win:UnicodeString" outType="xs:string" />
      <data name="Version" inType="win:UnicodeString" outType="xs:string" />
      <data name="SchemaVersion" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <!-- Event 5: process terminated. Minimal field set; correlate to event 1 via ProcessGuid. -->
    <event name="SYSMON_PROCESS_TERMINATE" value="5" level="Informational" template="Process terminated" rulename="ProcessTerminate" ruledefault="include" version="3">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="ProcessGuid" inType="win:GUID" />
      <data name="ProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="Image" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <!-- Event 6: driver loaded. Signed/Signature/SignatureStatus are strings, so rules on
         them are text comparisons; see the CheckRevocation option above. -->
    <event name="SYSMON_DRIVER_LOAD" value="6" level="Informational" template="Driver loaded" rulename="DriverLoad" ruledefault="include" version="3">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="ImageLoaded" inType="win:UnicodeString" outType="xs:string" />
      <data name="Hashes" inType="win:UnicodeString" outType="xs:string" />
      <data name="Signed" inType="win:UnicodeString" outType="xs:string" />
      <data name="Signature" inType="win:UnicodeString" outType="xs:string" />
      <data name="SignatureStatus" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <!-- Event 7: image (DLL) loaded. No ruledefault; high volume - scope rules narrowly. -->
    <event name="SYSMON_IMAGE_LOAD" value="7" level="Informational" template="Image loaded" rulename="ImageLoad" version="3">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="ProcessGuid" inType="win:GUID" />
      <data name="ProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="Image" inType="win:UnicodeString" outType="xs:string" />
      <data name="ImageLoaded" inType="win:UnicodeString" outType="xs:string" />
      <data name="FileVersion" inType="win:UnicodeString" outType="xs:string" />
      <data name="Description" inType="win:UnicodeString" outType="xs:string" />
      <data name="Product" inType="win:UnicodeString" outType="xs:string" />
      <data name="Company" inType="win:UnicodeString" outType="xs:string" />
      <data name="OriginalFileName" inType="win:UnicodeString" outType="xs:string" />
      <data name="Hashes" inType="win:UnicodeString" outType="xs:string" />
      <data name="Signed" inType="win:UnicodeString" outType="xs:string" />
      <data name="Signature" inType="win:UnicodeString" outType="xs:string" />
      <data name="SignatureStatus" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <!-- Event 8: CreateRemoteThread. No ruledefault. StartAddress is a string, not a
         numeric type, so "less than"/"more than" comparisons on it need care. -->
    <event name="SYSMON_CREATE_REMOTE_THREAD" value="8" level="Informational" template="CreateRemoteThread detected" rulename="CreateRemoteThread" version="2">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="SourceProcessGuid" inType="win:GUID" />
      <data name="SourceProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="SourceImage" inType="win:UnicodeString" outType="xs:string" />
      <data name="TargetProcessGuid" inType="win:GUID" />
      <data name="TargetProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="TargetImage" inType="win:UnicodeString" outType="xs:string" />
      <data name="NewThreadId" inType="win:UInt32" />
      <data name="StartAddress" inType="win:UnicodeString" outType="xs:string" />
      <data name="StartModule" inType="win:UnicodeString" outType="xs:string" />
      <data name="StartFunction" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <!-- Event 9: raw device read (e.g. reading a volume directly, bypassing the file
         system). No ruledefault. -->
    <event name="SYSMON_RAWACCESS_READ" value="9" level="Informational" template="RawAccessRead detected" rulename="RawAccessRead" version="2">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="ProcessGuid" inType="win:GUID" />
      <data name="ProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="Image" inType="win:UnicodeString" outType="xs:string" />
      <data name="Device" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <!-- Event 10: process access (handle opened to another process). No ruledefault; the
         "k" option carries forceconfig="true". NOTE: the field names here are
         SourceProcessGUID/TargetProcessGUID (upper-case GUID), unlike the *ProcessGuid
         spelling used by event 8 and every other event - field mappings must not assume
         one casing. GrantedAccess is HexInt32, the usual pivot for credential-dump rules. -->
    <event name="SYSMON_ACCESS_PROCESS" value="10" level="Informational" template="Process accessed" rulename="ProcessAccess" version="3">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="SourceProcessGUID" inType="win:GUID" />
      <data name="SourceProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="SourceThreadId" inType="win:UInt32" />
      <data name="SourceImage" inType="win:UnicodeString" outType="xs:string" />
      <data name="TargetProcessGUID" inType="win:GUID" />
      <data name="TargetProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="TargetImage" inType="win:UnicodeString" outType="xs:string" />
      <data name="GrantedAccess" inType="win:HexInt32" />
      <data name="CallTrace" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <!-- Event 11: file created. -->
    <event name="SYSMON_FILE_CREATE" value="11" level="Informational" template="File created" rulename="FileCreate" ruledefault="include" version="2">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="ProcessGuid" inType="win:GUID" />
      <data name="ProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="Image" inType="win:UnicodeString" outType="xs:string" />
      <data name="TargetFilename" inType="win:UnicodeString" outType="xs:string" />
      <data name="CreationUtcTime" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <!-- Events 12, 13 and 14 share rulename="RegistryEvent": one rule group covers all
         three, and EventType is the field that tells them apart. -->
    <event name="SYSMON_REG_KEY" value="12" level="Informational" template="Registry object added or deleted" rulename="RegistryEvent" ruledefault="include" version="2">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="EventType" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="ProcessGuid" inType="win:GUID" />
      <data name="ProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="Image" inType="win:UnicodeString" outType="xs:string" />
      <data name="TargetObject" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <!-- Event 13: registry value set; Details holds the written value as text. -->
    <event name="SYSMON_REG_SETVALUE" value="13" level="Informational" template="Registry value set" rulename="RegistryEvent" ruledefault="include" version="2">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="EventType" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="ProcessGuid" inType="win:GUID" />
      <data name="ProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="Image" inType="win:UnicodeString" outType="xs:string" />
      <data name="TargetObject" inType="win:UnicodeString" outType="xs:string" />
      <data name="Details" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <!-- Event 14: registry object renamed. -->
    <event name="SYSMON_REG_NAME" value="14" level="Informational" template="Registry object renamed" rulename="RegistryEvent" ruledefault="include" version="2">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="EventType" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="ProcessGuid" inType="win:GUID" />
      <data name="ProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="Image" inType="win:UnicodeString" outType="xs:string" />
      <data name="TargetObject" inType="win:UnicodeString" outType="xs:string" />
      <data name="NewName" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <!-- Event 15: alternate data stream created. NOTE: the hash field is named "Hash"
         (singular) here, versus "Hashes" in events 1, 6 and 7. -->
    <event name="SYSMON_FILE_CREATE_STREAM_HASH" value="15" level="Informational" template="File stream created" rulename="FileCreateStreamHash" ruledefault="include" version="2">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="ProcessGuid" inType="win:GUID" />
      <data name="ProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="Image" inType="win:UnicodeString" outType="xs:string" />
      <data name="TargetFilename" inType="win:UnicodeString" outType="xs:string" />
      <data name="CreationUtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="Hash" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <!-- Event 16: Sysmon configuration changed. No rulename, so it cannot be filtered out.
         ConfigurationFileHash lets a SIEM compare the applied config against the
         approved one; alert when the hash differs from the expected value. -->
    <event name="SYSMON_SERVICE_CONFIGURATION_CHANGE" value="16" level="Informational" template="Sysmon config state changed" version="3">
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="Configuration" inType="win:UnicodeString" outType="xs:string" />
      <data name="ConfigurationFileHash" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <!-- Events 17 and 18 share rulename="PipeEvent" and are ruledefault="exclude": nothing
         is logged until a rule includes them. Enabled via the "g" (PipeMonitoring)
         option, which carries forceconfig="true". -->
    <event name="SYSMON_CREATE_NAMEDPIPE" value="17" level="Informational" template="Pipe Created" rulename="PipeEvent" ruledefault="exclude" version="1">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="EventType" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="ProcessGuid" inType="win:GUID" />
      <data name="ProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="PipeName" inType="win:UnicodeString" outType="xs:string" />
      <data name="Image" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <!-- Event 18: named pipe connected (same fields as event 17). -->
    <event name="SYSMON_CONNECT_NAMEDPIPE" value="18" level="Informational" template="Pipe Connected" rulename="PipeEvent" ruledefault="exclude" version="1">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="EventType" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="ProcessGuid" inType="win:GUID" />
      <data name="ProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="PipeName" inType="win:UnicodeString" outType="xs:string" />
      <data name="Image" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <!-- Events 19, 20 and 21 share rulename="WmiEvent" and are ruledefault="exclude".
         Together they cover WMI event-subscription persistence (filter, consumer,
         binding); none of them carries a ProcessGuid/ProcessId, only User. -->
    <event name="SYSMON_WMI_FILTER" value="19" level="Informational" template="WmiEventFilter activity detected" rulename="WmiEvent" ruledefault="exclude" version="3">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="EventType" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="Operation" inType="win:UnicodeString" outType="xs:string" />
      <data name="User" inType="win:UnicodeString" outType="xs:string" />
      <data name="EventNamespace" inType="win:UnicodeString" outType="xs:string" />
      <data name="Name" inType="win:UnicodeString" outType="xs:string" />
      <data name="Query" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <!-- Event 20: WMI event consumer activity; Type/Destination describe the consumer. -->
    <event name="SYSMON_WMI_CONSUMER" value="20" level="Informational" template="WmiEventConsumer activity detected" rulename="WmiEvent" ruledefault="exclude" version="3">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="EventType" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="Operation" inType="win:UnicodeString" outType="xs:string" />
      <data name="User" inType="win:UnicodeString" outType="xs:string" />
      <data name="Name" inType="win:UnicodeString" outType="xs:string" />
      <data name="Type" inType="win:UnicodeString" outType="xs:string" />
      <data name="Destination" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <!-- Event 21: consumer-to-filter binding; the step that arms a WMI subscription. -->
    <event name="SYSMON_WMI_BINDING" value="21" level="Informational" template="WmiEventConsumerToFilter activity detected" rulename="WmiEvent" ruledefault="exclude" version="3">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="EventType" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="Operation" inType="win:UnicodeString" outType="xs:string" />
      <data name="User" inType="win:UnicodeString" outType="xs:string" />
      <data name="Consumer" inType="win:UnicodeString" outType="xs:string" />
      <data name="Filter" inType="win:UnicodeString" outType="xs:string" />
    </event>
    <!-- Event 22: DNS query, ruledefault="exclude" (enable via the "dns" option plus a
         rule). QueryResults is a single string; parsers must split it themselves. -->
    <event name="SYSMON_DNS_QUERY" value="22" level="Informational" template="Dns query" rulename="DnsQuery" ruledefault="exclude" version="5">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="ProcessGuid" inType="win:GUID" />
      <data name="ProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="QueryName" inType="win:UnicodeString" outType="xs:string" />
      <data name="QueryStatus" inType="win:UnicodeString" outType="xs:string" />
      <data name="QueryResults" inType="win:UnicodeString" outType="xs:string" />
      <data name="Image" inType="win:UnicodeString" outType="xs:string" />
    </event>
  </events>
</manifest>