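<?xml version="1.0" encoding="UTF-8"?>
<!--
  Sysmon event-filtering configuration (schema 4.10).

  Rule semantics, per the Sysmon documentation:
    onmatch="include": only events matching a rule are logged; an empty include block logs nothing.
    onmatch="exclude": every event is logged except those matching a rule; an empty exclude block logs everything.
    Exclude rules take precedence over include rules for the same event type.
    Filter conditions are matched case-insensitively, so mixed casing across rules is harmless.
  Reviewer observations are marked NOTE(review).
-->
<Sysmon schemaversion="4.10">

  <!-- Hash algorithm recorded for started processes (and hashed file streams).
       NOTE(review): MD5 is collision-prone; SHA256, or a list such as MD5,SHA256,
       is the stronger choice for indicator matching and is accepted by this schema. -->
  <HashAlgorithms>MD5</HashAlgorithms>

  <EventFiltering>

    <!-- Event ID 7 (ImageLoad): every image load is logged except those matching a rule below.
         NOTE(review): the Signature rules match on the signer name only; the event's separate
         SignatureStatus field is not constrained here, so an image whose signature does not
         verify but carries a matching subject would still be excluded. Confirm how the deployed
         Sysmon build populates Signature for non-valid signatures before relying on this. -->
    <ImageLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Image condition="contains">mmc.exe</Image>
      <Image condition="contains">sysmon.exe</Image>
      <Image condition="contains">C:\Program Files\Google\Chrome\Application\chrome.exe</Image>
      <Signature condition="contains">windows</Signature>
      <Signature condition="contains">Kaspersky Lab</Signature>
      <Signature condition="contains">VMware</Signature>
      <Signature condition="contains">Crypto-Pro</Signature>
      <Signature condition="contains">Adobe Systems Incorporated</Signature>
      <Signature condition="contains">Center of Financial Technologies CJSC</Signature>
      <Signature condition="contains">Oracle America</Signature>
      <Signature condition="contains">Google Inc</Signature>
      <Signature condition="contains">Adobe Systems</Signature>
    </ImageLoad>

    <!-- Event ID 1 (ProcessCreate): suppresses known-noisy system and updater activity.
         NOTE(review): "end with" and bare-name rules (svchost.exe, explorer.exe, lsass.exe,
         chrome.exe, MpCmdRun.exe, autorunsc.exe, ...) match that file name at ANY path, so a
         binary dropped elsewhere under the same name is not logged. Prefer condition="is"
         with the full expected path, as already done for MpSigStub.exe and mscorsvw.exe.
         Exact duplicate rules from the original (PresentationFontCache.exe, ngentask.exe)
         were removed; they had no effect. -->
    <ProcessCreate onmatch="exclude">
      <CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine>
      <CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine>
      <!-- presumably "%%" escapes a literal "%" in csrss.exe's command line; verify against the Sysmon docs -->
      <ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine>
      <ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage>
      <!-- Windows Defender engine/signature updates -->
      <Image condition="begin with">C:\Program Files\Windows Defender</Image>
      <Image condition="is">C:\Windows\System32\MpSigStub.exe</Image>
      <Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Base</Image>
      <Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta</Image>
      <Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Engine</Image>
      <!-- .NET native image generation service -->
      <CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</CommandLine>
      <Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image>
      <Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image>
      <Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image>
      <ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
      <ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage>
      <ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage>
      <ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage>
      <ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage>
      <!-- High-volume OS processes; see NOTE(review) above on path-independent matching -->
      <Image condition="end with">windows\system32\conhost.exe</Image>
      <Image condition="end with">windows\System32\SearchFilterHost.exe</Image>
      <Image condition="end with">Windows\System32\SearchProtocolHost.exe</Image>
      <Image condition="end with">Windows\System32\dllhost.exe</Image>
      <Image condition="end with">Windows\System32\audiodg.exe</Image>
      <Image condition="end with">Windows\Sysmon.exe</Image>
      <Image condition="end with">windows\system32\LogonUI.exe</Image>
      <Image condition="end with">Windows\System32\winlogon.exe</Image>
      <Image condition="end with">windows\system32\svchost.exe</Image>
      <Image condition="end with">windows\explorer.exe</Image>
      <Image condition="end with">windows\system32\lsass.exe</Image>
      <Image condition="end with">Windows\System32\taskhost.exe</Image>
      <Image condition="end with">Google\Update\GoogleUpdate.exe</Image>
      <Image condition="end with">autorunsc.exe</Image>
      <Image condition="end with">Windows\System32\consent.exe</Image>
      <Image condition="end with">chrome.exe</Image>
      <Image condition="end with">MpCmdRun.exe</Image>
    </ProcessCreate>

    <!-- Event ID 8: empty exclude block, so every remote thread creation is logged. -->
    <CreateRemoteThread onmatch="exclude">
    </CreateRemoteThread>

    <!-- Empty include blocks: event IDs 2, 9 and 5 are effectively disabled.
         NOTE(review): RawAccessRead (ID 9) records direct volume reads that bypass file ACLs;
         an include rule set is usually preferable to disabling it outright. -->
    <FileCreateTime onmatch="include" />
    <RawAccessRead onmatch="include" />
    <ProcessTerminate onmatch="include" />

    <!-- Event IDs 12/13/14 (RegistryEvent): changes to persistence, credential-provider,
         policy and shim keys. A duplicate Winlogon rule from the original was removed. -->
    <RegistryEvent onmatch="include">
      <TargetObject condition="contains">Windows\CurrentVersion\Run</TargetObject>
      <TargetObject condition="contains">CurrentVersion\Windows\Run</TargetObject>
      <TargetObject condition="contains">Microsoft\Windows NT\CurrentVersion\Winlogon</TargetObject>
      <TargetObject condition="contains">Windows\CurrentVersion\RunOnce</TargetObject>
      <TargetObject condition="contains">Control\Terminal Server</TargetObject>
      <TargetObject condition="contains">Windows\CurrentVersion\Internet Settings\ProxyServer</TargetObject>
      <TargetObject condition="contains">SecurityProviders\WDigest</TargetObject>
      <TargetObject condition="contains">Account\Users</TargetObject>
      <TargetObject condition="contains">Control\Lsa</TargetObject>
      <TargetObject condition="contains">System\Setup</TargetObject>
      <TargetObject condition="contains">\Control panel</TargetObject>
      <TargetObject condition="contains">services\PortProxy\v4tov4\tcp</TargetObject>
      <TargetObject condition="contains">Software\Classes\exefile\shell\runas\command</TargetObject>
      <TargetObject condition="contains">Software\Microsoft\Windows\CurrentVersion\App Paths</TargetObject>
      <TargetObject condition="contains">\Currentversion\Image File Execution Options\</TargetObject>
      <TargetObject condition="contains">currentversion\silentprocessexit</TargetObject>
      <TargetObject condition="contains">\CLSID\</TargetObject>
      <TargetObject condition="contains">\*\</TargetObject>
      <!-- fixed: the original read "\Enviroment", which matches no real key -->
      <TargetObject condition="contains">\Environment</TargetObject>
      <TargetObject condition="contains">Policies\Microsoft\Windows\CredentialsDelegation\</TargetObject>
      <TargetObject condition="contains">\Windows Defender</TargetObject>
      <TargetObject condition="contains">\AmsiEnable</TargetObject>
      <TargetObject condition="end with">system\currentcontrolset\control\session manager\appcertdlls</TargetObject>
      <TargetObject condition="end with">microsoft\windows nt\currentversion\windows\appinit_dlls</TargetObject>
      <TargetObject condition="end with">microsoft\windows nt\currentversion\windows\loadappinit_dlls</TargetObject>
      <TargetObject condition="end with">microsoft\windows nt\currentversion\windows\requiresignedappinit_dlls</TargetObject>
      <TargetObject condition="contains">microsoft\windows nt\currentversion\appcompatflags\installedsdb</TargetObject>
    </RegistryEvent>

    <!-- Exclude overrides the include list above: no registry events from this product path are logged. -->
    <RegistryEvent onmatch="exclude">
      <Image condition="contains">C:\Program Files\Kaspersky Lab\</Image>
    </RegistryEvent>

    <!-- Event ID 11 (FileCreate): script, executable, template and web-shell style file names,
         plus any file written by the two Image rules at the end (these are separate filters and
         match on their own). A duplicate amsi.dll rule from the original was removed. -->
    <FileCreate onmatch="include">
      <TargetFilename condition="end with">.exe</TargetFilename>
      <TargetFilename condition="end with">.ps1</TargetFilename>
      <TargetFilename condition="end with">.hta</TargetFilename>
      <TargetFilename condition="end with">.vbs</TargetFilename>
      <TargetFilename condition="end with">.ace</TargetFilename>
      <TargetFilename condition="end with">.xz</TargetFilename>
      <TargetFilename condition="end with">.wrn</TargetFilename>
      <TargetFilename condition="end with">.vbe</TargetFilename>
      <TargetFilename condition="end with">.pif</TargetFilename>
      <TargetFilename condition="end with">.log</TargetFilename>
      <TargetFilename condition="end with">.cpl</TargetFilename>
      <TargetFilename condition="end with">.cmd</TargetFilename>
      <TargetFilename condition="end with">.pub</TargetFilename>
      <TargetFilename condition="end with">.bat</TargetFilename>
      <TargetFilename condition="end with">.wsf</TargetFilename>
      <TargetFilename condition="end with">.epf</TargetFilename>
      <TargetFilename condition="end with">.scr</TargetFilename>
      <TargetFilename condition="end with">.lnk</TargetFilename>
      <TargetFilename condition="end with">.mht</TargetFilename>
      <TargetFilename condition="end with">.png</TargetFilename>
      <TargetFilename condition="contains">\Startup</TargetFilename>
      <TargetFilename condition="end with">.js</TargetFilename>
      <TargetFilename condition="end with">.py</TargetFilename>
      <TargetFilename condition="end with">.jse</TargetFilename>
      <TargetFilename condition="end with">.dll</TargetFilename>
      <TargetFilename condition="end with">.kirbi</TargetFilename>
      <TargetFilename condition="end with">.wll</TargetFilename>
      <TargetFilename condition="end with">.xll</TargetFilename>
      <TargetFilename condition="end with">.mof</TargetFilename>
      <TargetFilename condition="end with">.cs</TargetFilename>
      <TargetFilename condition="end with">.csproj</TargetFilename>
      <TargetFilename condition="end with">.proj</TargetFilename>
      <TargetFilename condition="end with">.sct</TargetFilename>
      <TargetFilename condition="end with">.xsl</TargetFilename>
      <TargetFilename condition="contains">mimilsa</TargetFilename>
      <TargetFilename condition="contains">Normal.dotm</TargetFilename>
      <TargetFilename condition="contains">PERSONAL.XLSB</TargetFilename>
      <TargetFilename condition="contains">amsi.dll</TargetFilename>
      <TargetFilename condition="end with">.jsp</TargetFilename>
      <TargetFilename condition="end with">.aspx</TargetFilename>
      <TargetFilename condition="end with">.asp</TargetFilename>
      <TargetFilename condition="contains">.bmof</TargetFilename>
      <TargetFilename condition="contains">.fomb</TargetFilename>
      <TargetFilename condition="contains">.bmf</TargetFilename>
      <Image condition="end with">lsass.exe</Image>
      <Image condition="end with">rundll32.exe</Image>
    </FileCreate>

    <!-- NOTE(review): because exclude wins, these path rules also suppress the includes above
         for any file (e.g. a .dll or .hta) written under a path containing "\Microsoft\Office". -->
    <FileCreate onmatch="exclude">
      <TargetFilename condition="contains">\Microsoft\Office</TargetFilename>
      <TargetFilename condition="contains">\Roaming\Microsoft\Windows\Recent\</TargetFilename>
      <Image condition="end with">MpCmdRun.exe</Image>
    </FileCreate>

    <!-- Event ID 3: empty exclude block, so every network connection is logged (high volume). -->
    <NetworkConnect onmatch="exclude">
    </NetworkConnect>

    <!-- Event ID 10 (ProcessAccess): access to LSASS with access masks associated with
         credential dumping.
         NOTE(review): TargetImage and GrantedAccess are separate filters here. In schema 4.1+
         the rules within a filter combine with OR by default, which would log every access to
         lsass.exe and every listed mask against any process; wrapping them in
         <Rule groupRelation="and"> expresses the intended AND. Confirm against the deployed
         Sysmon version's documented combination semantics. -->
    <ProcessAccess onmatch="include">
      <TargetImage condition="is">C:\Windows\system32\lsass.exe</TargetImage>
      <GrantedAccess condition="is">0x1010</GrantedAccess>
      <GrantedAccess condition="is">0x1410</GrantedAccess>
      <GrantedAccess condition="is">0x143a</GrantedAccess>
      <GrantedAccess condition="is">0x1f0fff</GrantedAccess>
      <GrantedAccess condition="is">0x1f1fff</GrantedAccess>
      <GrantedAccess condition="is">0x1f2fff</GrantedAccess>
      <GrantedAccess condition="is">0x1f3fff</GrantedAccess>
    </ProcessAccess>

    <!-- NOTE(review): SourceImage "end with" rules are path-independent; see the ProcessCreate note. -->
    <ProcessAccess onmatch="exclude">
      <SourceImage condition="end with">vmware-authd.exe</SourceImage>
      <SourceImage condition="end with">wmiprvse.exe</SourceImage>
      <SourceImage condition="end with">avp.exe</SourceImage>
      <SourceImage condition="end with">GoogleUpdate.exe</SourceImage>
      <SourceImage condition="end with">AdobeARM.exe</SourceImage>
      <GrantedAccess condition="is">0x1400</GrantedAccess>
      <GrantedAccess condition="is">0x1401</GrantedAccess>
    </ProcessAccess>

    <!-- Event ID 6 (DriverLoad): same signer-name-only caveat as ImageLoad above. -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
      <Signature condition="begin with">Intel </Signature>
    </DriverLoad>

    <!-- Event IDs 17/18 (PipeEvent): known-noisy pipe creators and pipe names. -->
    <PipeEvent onmatch="exclude">
      <Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows</Image>
      <Image condition="is">C:\Windows\system32\SearchProtocolHost.exe</Image>
      <Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</Image>
      <Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe</Image>
      <PipeName condition="is">\WRSVCPipe</PipeName>
      <PipeName condition="is">\WRSynUM2</PipeName>
      <Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
      <Image condition="end with">slack.exe</Image>
      <Image condition="end with">wmiprvse.exe</Image>
      <Image condition="end with">svchost.exe</Image>
      <Image condition="end with">chrome.exe</Image>
      <PipeName condition="is">\srvsvc</PipeName>
      <PipeName condition="is">\wkssvc</PipeName>
      <PipeName condition="is">\lsass</PipeName>
      <PipeName condition="is">\MsFteWds</PipeName>
      <PipeName condition="is">\EMET_Service</PipeName>
      <PipeName condition="is">\eventlog</PipeName>
      <PipeName condition="is">\winreg</PipeName>
      <Image condition="image">EMET_Service.exe</Image>
    </PipeEvent>

    <!-- Event ID 15 (FileCreateStreamHash): files arriving via mail, browser downloads or
         archive extraction, plus script/executable extensions regardless of location. -->
    <FileCreateStreamHash onmatch="include">
      <TargetFilename condition="contains">Content.Outlook</TargetFilename>
      <TargetFilename condition="contains">Downloads</TargetFilename>
      <TargetFilename condition="contains">Temp\7z</TargetFilename>
      <TargetFilename condition="end with">.bat</TargetFilename>
      <TargetFilename condition="end with">.cmd</TargetFilename>
      <TargetFilename condition="end with">.hta</TargetFilename>
      <TargetFilename condition="end with">.lnk</TargetFilename>
      <TargetFilename condition="end with">.ps1</TargetFilename>
      <TargetFilename condition="end with">.ps2</TargetFilename>
      <TargetFilename condition="end with">.reg</TargetFilename>
      <TargetFilename condition="end with">.vb</TargetFilename>
      <TargetFilename condition="end with">.vbe</TargetFilename>
      <TargetFilename condition="end with">.vbs</TargetFilename>
      <TargetFilename condition="end with">.exe</TargetFilename>
    </FileCreateStreamHash>

    <FileCreateStreamHash onmatch="exclude">
      <Image condition="image">avp.exe</Image>
      <Image condition="image">chrome.exe</Image>
    </FileCreateStreamHash>

    <!-- Event IDs 19/20/21: empty exclude block, so all WMI subscription activity is logged. -->
    <WmiEvent onmatch="exclude">
    </WmiEvent>

  </EventFiltering>
</Sysmon>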