  1. <Sysmon schemaversion="4.10">
  2. <!-- захват MD5 хеш запускаемого процесса -->
  3. <HashAlgorithms>MD5</HashAlgorithms>
  4. <EventFiltering>
  5.  
  6. <ImageLoad onmatch="exclude">
  7. <Signature condition="contains">microsoft</Signature>
  8. <Image condition="contains">mmc.exe</Image>
  9. <Image condition="contains">sysmon.exe</Image>
  10. <Image condition="contains">C:\Program Files\Google\Chrome\Application\chrome.exe</Image>
  11. <Signature condition="contains">windows</Signature>
  12. <Signature condition="contains">Kaspersky Lab</Signature>
  13. <Signature condition="contains">VMware</Signature>
  14. <Signature condition="contains">Crypto-Pro</Signature>
  15. <Signature condition="contains">Adobe Systems Incorporated</Signature>
  16. <Signature condition="contains">Center of Financial Technologies CJSC</Signature>
  17. <Signature condition="contains">Oracle America</Signature>
  18. <Signature condition="contains">Google Inc</Signature>
  19. <Signature condition="contains">Adobe Systems</Signature>
  20. </ImageLoad>
  21.  
  22. <ProcessCreate onmatch="exclude">
  23. <CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine>
  24. <CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine>
  25. <ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine>
  26. <ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage>
  27. <Image condition="begin with">C:\Program Files\Windows Defender</Image>
  28. <Image condition="is">C:\Windows\System32\MpSigStub.exe</Image>
  29. <Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Base</Image>
  30. <Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta</Image>
  31. <Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Engine</Image>
  32. <CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</CommandLine>
  33. <Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image>
  34. <Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image>
  35. <Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image>
  36. <Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image>
  37. <ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
  38. <ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage>
  39. <ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage>
  40. <ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage>
  41. <ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage>
  42. <ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage>
  43.  
  44.  
  45.  
  46. <Image condition="end with">windows\system32\conhost.exe</Image>
  47. <Image condition="end with">windows\System32\SearchFilterHost.exe</Image>
  48. <Image condition="end with">Windows\System32\SearchProtocolHost.exe</Image>
  49. <Image condition="end with">Windows\System32\dllhost.exe</Image>
  50. <Image condition="end with">Windows\System32\audiodg.exe</Image>
  51. <Image condition="end with">Windows\Sysmon.exe</Image>
  52. <Image condition="end with">windows\system32\LogonUI.exe</Image>
  53. <Image condition="end with">Windows\System32\winlogon.exe</Image>
  54. <Image condition="end with">windows\system32\svchost.exe</Image>
  55. <Image condition="end with">windows\explorer.exe</Image>
  56. <Image condition="end with">windows\system32\lsass.exe</Image>
  57. <Image condition="end with">Windows\System32\taskhost.exe</Image>
  58. <Image condition="end with">Google\Update\GoogleUpdate.exe</Image>
  59. <Image condition="end with">autorunsc.exe</Image>
  60. <Image condition="end with">Windows\System32\consent.exe</Image>
  61. <Image condition="end with">chrome.exe</Image>
  62. <Image condition="end with">MpCmdRun.exe</Image>
  63. </ProcessCreate>
  64.  
  65. <CreateRemoteThread onmatch="exclude">
  66. </CreateRemoteThread>
  67.  
  68. <FileCreateTime onmatch="include" />
  69.  
  70. <RawAccessRead onmatch="include" />
  71.  
  72. <ProcessTerminate onmatch="include" />
  73.  
  74. <RegistryEvent onmatch="include">
  75. <TargetObject condition="contains">Windows\CurrentVersion\Run</TargetObject>
  76. <TargetObject condition="contains">CurrentVersion\Windows\Run</TargetObject>
  77. <TargetObject condition="contains">Microsoft\Windows NT\CurrentVersion\Winlogon</TargetObject>
  78. <TargetObject condition="contains">Windows\CurrentVersion\RunOnce</TargetObject>
  79. <TargetObject condition="contains">Control\Terminal Server</TargetObject>
  80. <TargetObject condition="contains">Microsoft\Windows NT\CurrentVersion\Winlogon</TargetObject>
  81. <TargetObject condition="contains">Windows\CurrentVersion\Internet Settings\ProxyServer</TargetObject>
  82. <TargetObject condition="contains">SecurityProviders\WDigest</TargetObject>
  83. <TargetObject condition="contains">Account\Users</TargetObject>
  84. <TargetObject condition="contains">Control\Lsa</TargetObject>
  85. <TargetObject condition="contains">System\Setup</TargetObject>
  86. <TargetObject condition="contains">\Control panel</TargetObject>
  87. <TargetObject condition="contains">services\PortProxy\v4tov4\tcp</TargetObject>
  88. <TargetObject condition="contains">Software\Classes\exefile\shell\runas\command</TargetObject>
  89. <TargetObject condition="contains">Software\Microsoft\Windows\CurrentVersion\App Paths</TargetObject>
  90. <TargetObject condition="contains">\Currentversion\Image File Execution Options\</TargetObject>
  91. <TargetObject condition="contains">currentversion\silentprocessexit</TargetObject>
  92. <TargetObject condition="contains">\CLSID\</TargetObject>
  93. <TargetObject condition="contains">\*\</TargetObject>
  94. <TargetObject condition="contains">\Enviroment</TargetObject>
  95. <TargetObject condition="contains">Policies\Microsoft\Windows\CredentialsDelegation\</TargetObject>
  96. <TargetObject condition="contains">\Windows Defender</TargetObject>
  97. <TargetObject condition="contains">\AmsiEnable</TargetObject>
  98.  
  99.  
  100. <TargetObject condition="end with">system\currentcontrolset\control\session manager\appcertdlls</TargetObject>
  101. <TargetObject condition="end with">microsoft\windows nt\currentversion\windows\appinit_dlls</TargetObject>
  102. <TargetObject condition="end with">microsoft\windows nt\currentversion\windows\loadappinit_dlls</TargetObject>
  103. <TargetObject condition="end with">microsoft\windows nt\currentversion\windows\requiresignedappinit_dlls</TargetObject>
  104. <TargetObject condition="contains">microsoft\windows nt\currentversion\appcompatflags\installedsdb</TargetObject>
  105. </RegistryEvent>
  106. <RegistryEvent onmatch="exclude">
  107. <Image condition="contains">C:\Program Files\Kaspersky Lab\</Image>
  108. </RegistryEvent>
  109.  
  110. <FileCreate onmatch="include">
  111. <TargetFilename condition="end with">.exe</TargetFilename>
  112. <TargetFilename condition="end with">.ps1</TargetFilename>
  113. <TargetFilename condition="end with">.hta</TargetFilename>
  114. <TargetFilename condition="end with">.vbs</TargetFilename>
  115. <TargetFilename condition="end with">.ace</TargetFilename>
  116. <TargetFilename condition="end with">.xz</TargetFilename>
  117. <TargetFilename condition="end with">.wrn</TargetFilename>
  118. <TargetFilename condition="end with">.vbe</TargetFilename>
  119. <TargetFilename condition="end with">.pif</TargetFilename>
  120. <TargetFilename condition="end with">.log</TargetFilename>
  121. <TargetFilename condition="end with">.cpl</TargetFilename>
  122. <TargetFilename condition="end with">.cmd</TargetFilename>
  123. <TargetFilename condition="end with">.pub</TargetFilename>
  124. <TargetFilename condition="end with">.bat</TargetFilename>
  125. <TargetFilename condition="end with">.wsf</TargetFilename>
  126. <TargetFilename condition="end with">.epf</TargetFilename>
  127. <TargetFilename condition="end with">.scr</TargetFilename>
  128. <TargetFilename condition="end with">.lnk</TargetFilename>
  129. <TargetFilename condition="end with">.mht</TargetFilename>
  130. <TargetFilename condition="end with">.png</TargetFilename>
  131. <TargetFilename condition="contains">\Startup</TargetFilename>
  132. <TargetFilename condition="end with">.js</TargetFilename>
  133. <TargetFilename condition="end with">.py</TargetFilename>
  134. <TargetFilename condition="end with">.jse</TargetFilename>
  135. <TargetFilename condition="end with">.dll</TargetFilename>
  136. <TargetFilename condition="end with">.kirbi</TargetFilename>
  137. <TargetFilename condition="end with">.wll</TargetFilename>
  138. <TargetFilename condition="end with">.xll</TargetFilename>
  139. <TargetFilename condition="end with">.mof</TargetFilename>
  140. <TargetFilename condition="end with">.cs</TargetFilename>
  141. <TargetFilename condition="end with">.csproj</TargetFilename>
  142. <TargetFilename condition="end with">.proj</TargetFilename>
  143. <TargetFilename condition="end with">.sct</TargetFilename>
  144. <TargetFilename condition="end with">.xsl</TargetFilename>
  145. <TargetFilename condition="contains">mimilsa</TargetFilename>
  146. <TargetFilename condition="contains">Normal.dotm</TargetFilename>
  147. <TargetFilename condition="contains">PERSONAL.XLSB</TargetFilename>
  148. <TargetFilename condition="contains">amsi.dll</TargetFilename>
  149. <TargetFilename condition="end with">.jsp</TargetFilename>
  150. <TargetFilename condition="end with">.aspx</TargetFilename>
  151. <TargetFilename condition="end with">.asp</TargetFilename>
  152. <TargetFilename condition="contains">amsi.dll</TargetFilename>
  153. <TargetFilename condition="contains">.bmof</TargetFilename>
  154. <TargetFilename condition="contains">.fomb</TargetFilename>
  155. <TargetFilename condition="contains">.bmf</TargetFilename>
  156. <Image condition="end with">lsass.exe</Image>
  157. <Image condition="end with">rundll32.exe</Image>
  158. </FileCreate>
  159. <FileCreate onmatch="exclude">
  160. <TargetFilename condition="contains">\Microsoft\Office</TargetFilename>
  161. <TargetFilename condition="contains">\Roaming\Microsoft\Windows\Recent\</TargetFilename>
  162. <Image condition="end with">MpCmdRun.exe</Image>
  163. </FileCreate>
  164.  
  165. <NetworkConnect onmatch="exclude">
  166. </NetworkConnect>
  167.  
  168. <ProcessAccess onmatch="include">
  169. <TargetImage condition="is">C:\Windows\system32\lsass.exe</TargetImage>
  170. <GrantedAccess condition="is">0x1010</GrantedAccess>
  171. <GrantedAccess condition="is">0x1410</GrantedAccess>
  172. <GrantedAccess condition="is">0x143a</GrantedAccess>
  173. <GrantedAccess condition="is">0x1f0fff</GrantedAccess>
  174. <GrantedAccess condition="is">0x1f1fff</GrantedAccess>
  175. <GrantedAccess condition="is">0x1f2fff</GrantedAccess>
  176. <GrantedAccess condition="is">0x1f3fff</GrantedAccess>
  177. </ProcessAccess>
  178. <ProcessAccess onmatch="exclude">
  179. <SourceImage condition="end with">vmware-authd.exe</SourceImage>
  180. <SourceImage condition="end with">wmiprvse.exe</SourceImage>
  181. <SourceImage condition="end with">avp.exe</SourceImage>
  182. <SourceImage condition="end with">GoogleUpdate.exe</SourceImage>
  183. <SourceImage condition="end with">AdobeARM.exe</SourceImage>
  184.  
  185.  
  186. <GrantedAccess condition="is">0x1400</GrantedAccess>
  187. <GrantedAccess condition="is">0x1401</GrantedAccess>
  188.  
  189. </ProcessAccess>
  190.  
  191. <DriverLoad onmatch="exclude">
  192. <Signature condition="contains">microsoft</Signature>
  193. <Signature condition="contains">windows</Signature>
  194. <Signature condition="begin with">Intel </Signature>
  195. </DriverLoad>
  196.  
  197. <PipeEvent onmatch="exclude">
  198. <Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows</Image>
  199. <Image condition="is">C:\Windows\system32\SearchProtocolHost.exe</Image>
  200. <Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</Image>
  201. <Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe</Image>
  202. <PipeName condition="is">\WRSVCPipe</PipeName>
  203. <PipeName condition="is">\WRSynUM2</PipeName>
  204. <Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
  205. <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
  206. <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
  207. <Image condition="end with">slack.exe</Image>
  208. <Image condition="end with">wmiprvse.exe</Image>
  209. <Image condition="end with">svchost.exe</Image>
  210. <Image condition="end with">chrome.exe</Image>
  211. <PipeName condition="is">\srvsvc</PipeName>
  212. <PipeName condition="is">\wkssvc</PipeName>
  213. <PipeName condition="is">\lsass</PipeName>
  214. <PipeName condition="is">\MsFteWds</PipeName>
  215. <PipeName condition="is">\EMET_Service</PipeName>
  216. <PipeName condition="is">\eventlog</PipeName>
  217. <PipeName condition="is">\winreg</PipeName>
  218. <Image condition="image">EMET_Service.exe</Image>
  219. </PipeEvent>
  220.  
  221. <FileCreateStreamHash onmatch="include">
  222. <TargetFilename condition="contains">Content.Outlook</TargetFilename>
  223. <TargetFilename condition="contains">Downloads</TargetFilename>
  224. <TargetFilename condition="contains">Temp\7z</TargetFilename>
  225. <TargetFilename condition="end with">.bat</TargetFilename>
  226. <TargetFilename condition="end with">.cmd</TargetFilename>
  227. <TargetFilename condition="end with">.hta</TargetFilename>
  228. <TargetFilename condition="end with">.lnk</TargetFilename>
  229. <TargetFilename condition="end with">.ps1</TargetFilename>
  230. <TargetFilename condition="end with">.ps2</TargetFilename>
  231. <TargetFilename condition="end with">.reg</TargetFilename>
  232. <TargetFilename condition="end with">.vb</TargetFilename>
  233. <TargetFilename condition="end with">.vbe</TargetFilename>
  234. <TargetFilename condition="end with">.vbs</TargetFilename>
  235. <TargetFilename condition="end with">.exe</TargetFilename>
  236. </FileCreateStreamHash>
  237.  
  238. <FileCreateStreamHash onmatch="exclude">
  239. <Image condition="image">avp.exe</Image>
  240. <Image condition="image">chrome.exe</Image>
  241. </FileCreateStreamHash>
  242.  
  243. <WmiEvent onmatch='exclude'>
  244. </WmiEvent>
  245. </EventFiltering>
  246.  
  247. </Sysmon>