Skip to content

Instantly share code, notes, and snippets.

@VKECE

VKECE/sysmonconfeski

Created May 29, 2025 06:28
Show Gist options
  • Save VKECE/903872c8aeb8561f16c28029b8ba222d to your computer and use it in GitHub Desktop.
Save VKECE/903872c8aeb8561f16c28029b8ba222d to your computer and use it in GitHub Desktop.
Download ZIP
Raw
sysmonconfeski
<Sysmon schemaversion="4.22">
<!-- Capture all hashes -->
<HashAlgorithms>sha256</HashAlgorithms>
<CheckRevocation />
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 1 == Process Creation. -->
<ProcessCreate onmatch="include">
<ParentImage name="T1015 Accessibility Features" condition="image">sethc.exe</ParentImage>
<ParentImage name="T1015 Accessibility Features" condition="image">utilman.exe</ParentImage>
<ParentImage name="T1015 Accessibility Features" condition="image">osk.exe</ParentImage>
<ParentImage name="T1015 Accessibility Features" condition="image">Magnify.exe</ParentImage>
<ParentImage name="T1015 Accessibility Features" condition="image">DisplaySwitch.exe</ParentImage>
<ParentImage name="T1015 Accessibility Features" condition="image">Narrator.exe</ParentImage> <!-- added onr -->
<ParentImage name="T1015 Accessibility Features" condition="image">AtBroker.exe</ParentImage> <!-- added onr -->
<OriginalFileName name="T1138 Application Shimming" condition="is">sdbinst.exe</OriginalFileName>
<OriginalFileName name="T1197 BITS Jobs" condition="is">bitsadmin.exe</OriginalFileName>
<Rule name="Eventviewer Bypass UAC" groupRelation="and">
<ParentImage name="T1088 Bypass User Account Control" condition="image">eventvwr.exe</ParentImage>
<Image condition="is not">c:\windows\system32\mmc.exe</Image>
</Rule>
<ParentImage name="T1088 Bypass User Account Control" condition="image">fodhelper.exe</ParentImage>
<CommandLine name="T1027 Obfuscated Files or Information" condition="contains">ˆ</CommandLine>
<Rule name="Fltmc" groupRelation="and">
<OriginalFileName name="T1054 Indicator Blocking" condition="is">fltMC.exe</OriginalFileName>
<CommandLine name="T1054 Indicator Blocking" condition="contains">unload;detach</CommandLine>
</Rule>
<Rule groupRelation="or">
<OriginalFileName name="T1063 Security Software Discovery" condition="is">fltMC.exe</OriginalFileName>
<CommandLine name="T1063 Security Software Discovery" condition="contains">misc::mflt</CommandLine>
</Rule>
<Rule name="InstallUtil" groupRelation="and">
<OriginalFileName name="T1118 InstallUtil" condition="is">InstallUtil.exe</OriginalFileName>
<CommandLine name="T1118 InstallUtil" condition="contains all">/logfile=;/LogToConsole=false;/U</CommandLine>
</Rule>
<OriginalFileName name="T1033 System Owner/User Discovery" condition="is">whoami.exe</OriginalFileName>
<OriginalFileName name="T1016 System Network Configuration Discovery" condition="is">ipconfig.exe</OriginalFileName>
<OriginalFileName name="T1057 Process Discovery" condition="is">tasklist.exe</OriginalFileName>
<OriginalFileName name="T1033 System Owner/User Discovery" condition="contains any">systeminfo.exe;sysinfo.exe</OriginalFileName> <!-- change onr-->
<OriginalFileName name="T1049 System Network Connections Discovery" condition="is">netstat.exe</OriginalFileName>
<OriginalFileName name="T1057 Process Discovery" condition="image">qprocess.exe</OriginalFileName>
<OriginalFileName name="T1016 System Network Configuration Discovery" condition="is">nslookup.exe</OriginalFileName>
<OriginalFileName name="T1018 Remote System Discovery" condition="contains any">net.exe;net1.exe</OriginalFileName>
<OriginalFileName name="T1033 System Owner/User Discovery" condition="is">quser.exe</OriginalFileName>
<OriginalFileName name="T1057 Process Discovery" condition="is">query.exe</OriginalFileName>
<OriginalFileName name="T1016 System Network Configuration Discovery" condition="is">tracert.exe</OriginalFileName>
<OriginalFileName name="T1083 File and Directory Discovery" condition="is">tree.com</OriginalFileName>
<OriginalFileName name="T1016 System Network Configuration Discovery" condition="is">route.exe</OriginalFileName>
<OriginalFileName name="T1134 Access Token Manipulation" condition="is">runas.exe</OriginalFileName>
<OriginalFileName name="T1112 Modify Registry" condition="is">reg.exe</OriginalFileName>
<OriginalFileName condition="is">taskkill.exe</OriginalFileName>
<OriginalFileName name="T1063 Security Software Discovery" condition="is">netsh.exe</OriginalFileName>
<OriginalFileName name="T1087 Account Discovery" condition="is">klist.exe</OriginalFileName>
<OriginalFileName name="T1070 Indicator Removal on Host" condition="is">wevtutil.exe</OriginalFileName>
<OriginalFileName name="T1053 Scheduled Task" condition="is">taskeng.exe</OriginalFileName>
<OriginalFileName name="T1117 Regsvr32" condition="is">regsvr32.exe</OriginalFileName>
<ParentImage name="T1047 Windows Management Instrumentation" condition="image">wmiprvse.exe</ParentImage>
<OriginalFileName name="T1047 Windows Management Instrumentation" condition="is">wmiprvse.exe</OriginalFileName>
<OriginalFileName condition="is">hh.exe</OriginalFileName>
<OriginalFileName name="T1059 Command-Line Interface" condition="is">cmd.exe</OriginalFileName>
<ParentImage name="T1059 Command-Line Interface" condition="image">cmd.exe</ParentImage>
<Image name="T1086 PowerShell" condition="image">powershell.exe</Image>
<ParentImage name="T1086 PowerShell" condition="image">powershell.exe</ParentImage>
<ParentImage name="T1086 PowerShell" condition="image">powershell_ise.exe</ParentImage>
<OriginalFileName name="T1202 Indirect Command Execution" condition="is">bash.exe</OriginalFileName>
<OriginalFileName name="T1073 DLL Side-Loading" condition="is">odbcconf.exe</OriginalFileName>
<Image name="T1202 Indirect Command Execution" condition="image">pcalua.exe</Image>
<OriginalFileName name="T1202 Indirect Command Execution" condition="is">cscript.exe</OriginalFileName>
<OriginalFileName name="T1202 Indirect Command Execution" condition="is">wscript.exe</OriginalFileName>
<ParentImage name="T1202 Indirect Command Execution" condition="image">pcalua.exe</ParentImage>
<ParentImage name="T1202 Indirect Command Execution" condition="image">cscript.exe</ParentImage>
<ParentImage name="T1202 Indirect Command Execution" condition="image">wscript.exe</ParentImage>
<ParentImage name="T1170 Mshta" condition="image">mshta.exe</ParentImage>
<ParentImage name="T1202 Indirect Command Execution" condition="image">control.exe</ParentImage>
<OriginalFileName name="T1170 Mshta" condition="is">mshta.exe</OriginalFileName>
<OriginalFileName name="T1158 Hidden Files and Directories" condition="is">attrib.exe</OriginalFileName>
<OriginalFileName name="T1087 Account Discovery" condition="is">cmdkey.exe</OriginalFileName>
<OriginalFileName name="T1016 System Network Configuration Discovery" condition="contains any">nbtstat.exe;nbtinfo.exe</OriginalFileName>
<OriginalFileName name="T1057 Process Discovery" condition="is">qwinsta.exe</OriginalFileName>
<OriginalFileName name="T1057 Process Discovery" condition="is">rwinsta.exe</OriginalFileName>
<OriginalFileName name="T1053 Scheduled Tasks" condition="contains any">schtasks.exe;sctasks.exe</OriginalFileName>
<OriginalFileName name="T1218 Signed Binary Proxy Execution" condition="is">replace.exe</OriginalFileName>
<Image name="T1218 Signed Binary Proxy Execution" condition="image">jjs.exe</Image>
<Image name="T1218 Signed Binary Proxy Execution" condition="image">appcmd.exe</Image>
<OriginalFileName name="T1031 Modify Existing Service" condition="is">sc.exe</OriginalFileName>
<OriginalFileName name="T1202 Indirect Command Execution" condition="is">certutil.exe</OriginalFileName>
<OriginalFileName name="T1081 Credentials in Files" condition="is">findstr.exe</OriginalFileName>
<OriginalFileName name="T1081 Credentials in Files" condition="is">where.exe</OriginalFileName>
<Image name="T1222 File Permissions Modification" condition="image">forfiles.exe</Image>
<OriginalFileName name="T1222 File Permissions Modification" condition="contains any">icacls.exe;cacls.exe</OriginalFileName>
<OriginalFileName name="T1074 Data Staged" condition="is">xcopy.exe</OriginalFileName>
<OriginalFileName name="T1074 Data Staged" condition="is">robocopy.exe</OriginalFileName>
<OriginalFileName name="T1222 File Permissions Modification" condition="is">takeown.exe</OriginalFileName>
<OriginalFileName condition="is">makecab.exe</OriginalFileName> <!-- change onur-->
<OriginalFileName condition="is">wusa.exe</OriginalFileName> <!-- change onur -->
<OriginalFileName name="T1490 Inhibit System Recovery" condition="is">vassadmin.exe</OriginalFileName>
<OriginalFileName name="T1033 System Owner/User Discovery" condition="contains any">nltest.exe;nltestk.exe</OriginalFileName>
<OriginalFileName name="T1202 Indirect Command Execution" condition="is">winrs.exe</OriginalFileName>
<OriginalFileName name="T1088 Bypass User Account Control" condition="is">computerdefaults.exe</OriginalFileName>
<OriginalFileName name="T1088 Bypass User Account Control" condition="is">dism.exe</OriginalFileName> <!-- added onr -->
<OriginalFileName name="T1088 Bypass User Account Control" condition="is">fodhelper.exe</OriginalFileName>
<OriginalFileName name="T1047 Windows Management Instrumentation" condition="is">mofcomp.exe</OriginalFileName>
<Image name="T1047 Windows Management Instrumentation" condition="begin with">C:\WINDOWS\system32\wbem\scrcons.exe</Image>
<OriginalFileName name="T1047 Windows Management Instrumentation" condition="is">ScrCons</OriginalFileName>
<Rule name="Mavinject" groupRelation="and">
<OriginalFileName name="T1218 Signed Binary Proxy Execution" condition="contains any">Mavinject.exe;mavinject64.exe</OriginalFileName>
<CommandLine name="T1218 Signed Binary Proxy Execution" condition="contains">/INJECTRUNNING</CommandLine>
</Rule>
<Rule name="Mavinject" groupRelation="and">
<OriginalFileName name="T1191 CMSTP" condition="is">CMSTP.exe</OriginalFileName>
<CommandLine name="T1191 CMSTP" condition="contains all">/ni;/s</CommandLine>
</Rule>
<OriginalFileName name="T1191 Trusted Developer Utilities" condition="is">MSBuild.exe</OriginalFileName>
<ParentImage name="T1137 Office Application Startup" condition="image">excel.exe</ParentImage>
<ParentImage name="T1137 Office Application Startup" condition="image">winword.exe</ParentImage>
<ParentImage name="T1137 Office Application Startup" condition="image">powerpnt.exe</ParentImage>
<ParentImage name="T1137 Office Application Startup" condition="image">outlook.exe</ParentImage>
<ParentImage name="T1137 Office Application Startup" condition="image">msaccess.exe</ParentImage>
<ParentImage name="T1137 Office Application Startup" condition="image">mspub.exe</ParentImage>
<OriginalFileName name="T1121 Regsvcs/Regasm" condition="contains any">regsvcs.exe;regasm.exe</OriginalFileName>
<Image name="T1218 Signed Binary Proxy Execution" condition="image">SyncAppvPublishingServer.exe</Image>
<OriginalFileName name="T1057 Process Discovery" condition="is">PsList.exe</OriginalFileName>
<OriginalFileName name="T1007 System Service Discovery" condition="is">PsService.exe</OriginalFileName>
<OriginalFileName name="T1035 Service Execution" condition="is">PsExec.exe</OriginalFileName>
<OriginalFileName name="T1035 Service Execution" condition="is">PsExec.c</OriginalFileName>
<OriginalFileName name="T1033 System Owner/User Discovery" condition="is">PsGetSID.exe</OriginalFileName>
<OriginalFileName name="T1089 Disabling Security Tools" condition="is">PsKill.exe</OriginalFileName>
<OriginalFileName name="T1089 Disabling Security Tools" condition="is">PKill.exe</OriginalFileName>
<OriginalFileName name="T1003 Credential Dumping" condition="contains">ProcDump</OriginalFileName>
<OriginalFileName name="T1033 System Owner/User Discovery" condition="is">PsLoggedOn.exe</OriginalFileName>
<OriginalFileName name="T1105 Remote File Copy" condition="image">PsFile.exe</OriginalFileName>
<OriginalFileName name="T1088 Bypass User Account Control" condition="contains">ShellRunas</OriginalFileName>
<OriginalFileName name="T1057 Process Discovery" condition="is">PipeList.exe</OriginalFileName>
<OriginalFileName name="T1083 File and Directory Discovery" condition="is">AccessChk.exe</OriginalFileName>
<OriginalFileName name="T1083 File and Directory Discovery" condition="is">AccessEnum.exe</OriginalFileName> <!-- added onr -->
<OriginalFileName name="T1033 System Owner/User Discovery" condition="is">LogonSessions.exe</OriginalFileName>
<OriginalFileName name="T1005 Data from Local System" condition="is">PsLogList.exe</OriginalFileName>
<OriginalFileName name="T1057 Process Discovery" condition="is">PsInfo.exe</OriginalFileName>
<OriginalFileName name="T1007 System Service Discovery" condition="contains">LoadOrd</OriginalFileName>
<OriginalFileName name="T1098 Account Manipulation" condition="is">PsPasswd.exe</OriginalFileName>
<OriginalFileName name="T1012 Query Registry" condition="is">ru.exe</OriginalFileName>
<OriginalFileName name="T1012 Query Registry" condition="contains">Regsize</OriginalFileName>
<OriginalFileName name="T1003 Credential Dumping" condition="is">ProcDump</OriginalFileName>
<CommandLine name="T1003 Credential Dumping" condition="is">-ma lsass.exe</CommandLine>
<Image name="T1036 Masquerading" condition="begin with">C:\PerfLogs\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\$Recycle.bin\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Intel\Logs\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Users\Default\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Users\Public\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Users\NetworkService\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Windows\Fonts\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Windows\Debug\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Windows\Media\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Windows\Help\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Windows\addins\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Windows\repair\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Windows\security\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
<Image name="T1036 Masquerading" condition="contains">VolumeShadowCopy</Image>
<Image name="T1036 Masquerading" condition="contains">\htdocs\</Image>
<Image name="T1036 Masquerading" condition="contains">\wwwroot\</Image>
<Image name="T1036 Masquerading" condition="contains">\Temp\</Image>
<Rule name="Control Panel Items" groupRelation="or">
<CommandLine name="T1196 Control Panel Items" condition="contains all">control;/name</CommandLine>
<CommandLine name="T1196 Control Panel Items" condition="contains all">rundll32.exe;shell32.dll;Control_RunDLL</CommandLine>
</Rule>
<Rule name="Windows Defender tampering" groupRelation="and">
<Image name="T1089 Disabling Security Tools" condition="image">MpCmdRun.exe</Image>
<CommandLine name="T1089 Disabling Security Tools" condition="contains any">Add-MpPreference;RemoveDefinitions;DisableIOAVProtection</CommandLine>
</Rule>
<OriginalFileName name="T1028 Windows Remote Management" condition="is">wsmprovhost.exe</OriginalFileName>
<Image name="T1028 Windows Remote Management" condition="image">winrm.cmd</Image>
</ProcessCreate>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 2 == File Creation Time. -->
<FileCreateTime onmatch="include">
<Image name="T1099 Timestomp" condition="begin with">C:\Temp</Image>
<Image name="T1099 Timestomp" condition="begin with">C:\Windows\Temp</Image>
<Image name="T1099 Timestomp" condition="begin with">C:\Tmp</Image>
<Image name="T1099 Timestomp" condition="begin with">C:\Users</Image>
</FileCreateTime>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 3 == Network Connection. -->
<NetworkConnect onmatch="include">
<Image name="T1021 Remote Services" condition="image">vnc.exe</Image>
<Image name="T1021 Remote Services" condition="image">vncviewer.exe</Image>
<Image name="T1021 Remote Services" condition="image">vncservice.exe</Image>
<Image name="T1035 Service Execution" condition="image">winexesvc.exe</Image>
<Image name="T1197 BITS Jobs" condition="image">bitsadmin.exe</Image>
<Image name="T1021 Remote Services" condition="image">omniinet.exe</Image>
<Image name="T1021 Remote Services" condition="image">hpsmhd.exe</Image>
<Image name="T1016 System Network Configuration Discovery" condition="image">ipconfig.exe</Image>
<Image name="T1057 Process Discovery" condition="image">tasklist.exe</Image>
<Image name="T1049 System Network Connections Discovery" condition="image">netstat.exe</Image>
<Image name="T1057 Process Discovery" condition="image">qprocess.exe</Image>
<Image name="T1016 System Network Configuration Discovery" condition="image">nslookup.exe</Image>
<Image name="T1018 Remote System Discovery" condition="image">net.exe</Image>
<Image name="T1033 System Owner/User Discovery" condition="image">quser.exe</Image>
<Image name="T1057 Process Discovery" condition="image">query.exe</Image>
<Image name="T1134 Access Token Manipulation" condition="image">runas.exe</Image>
<Image name="T1112 Modify Registry" condition="image">reg.exe</Image>
<Image name="T1063 Security Software Discovery" condition="image">netsh.exe</Image>
<Image condition="image">klist.exe</Image>
<Image name="T1070 Indicator Removal on Host" condition="image">wevtutil.exe</Image>
<Image name="T1053 Scheduled Task" condition="image">taskeng.exe</Image>
<Image name="T1117 Regsvr32" condition="image">regsvr32.exe</Image>
<Image condition="image">hh.exe</Image>
<Image name="T1059 Command-Line Interface" condition="image">cmd.exe</Image>
<Image name="T1086 PowerShell" condition="image">powershell.exe</Image>
<Image name="T1202 Indirect Command Execution" condition="image">bash.exe</Image>
<Image name="T1202 Indirect Command Execution" condition="image">pcalua.exe</Image>
<Image name="T1202 Indirect Command Execution" condition="image">cscript.exe</Image>
<Image name="T1202 Indirect Command Execution" condition="image">wscript.exe</Image>
<Image name="T1170 Mshta" condition="image">mshta.exe</Image>
<Image name="T1016 System Network Configuration Discovery" condition="image">nbtstat.exe</Image>
<Image name="T1069 Permission Groups Discovery" condition="image">net1.exe</Image>
<Image name="T1018 Remote System Discovery" condition="image">nslookup.exe</Image>
<Image name="T1057 Process Discovery" condition="image">qwinsta.exe</Image>
<Image name="T1057 Process Discovery" condition="image">rwinsta.exe</Image>
<Image condition="image">schtasks.exe</Image>
<Image condition="image">taskkill.exe</Image>
<Image name="T1031 Modify Existing Service" condition="image">sc.exe</Image>
<Image name="T1033 System Owner/User Discovery" condition="image">nltest.exe</Image>
<Image name="T1202 Indirect Command Execution" condition="image">winrs.exe</Image>
<Image name="T1218 Signed Binary Proxy Execution" condition="image">Mavinject.exe</Image>
<Image name="T1053 Scheduled Task" condition="image">at.exe</Image>
<Image name="T1218 Signed Binary Proxy Execution" condition="image">certutil.exe</Image>
<Image condition="image">cmd.exe</Image>
<Image name="T1218 Signed Script Proxy Execution" condition="image">cscript.exe</Image>
<Image condition="image">java.exe</Image>
<Image name="T1170 Mshta" condition="image">mshta.exe</Image>
<Image name="T1218 Signed Binary Proxy Execution" condition="image">msiexec.exe</Image>
<Image name="T1069 Permission Groups Discovery" condition="image">net.exe</Image>
<Image name="T1218 Signed Binary Proxy Execution" condition="image">notepad.exe</Image>
<Image name="T1218 Signed Binary Proxy Execution" condition="image">powershell.exe</Image>
<Image name="T1012 Query Registry" condition="image">reg.exe</Image>
<Image name="T1218 Regsvr32" condition="image">regsvr32.exe</Image>
<Image name="T1085 Rundll32" condition="image">rundll32.exe</Image>
<Image name="T1031 Modify Existing Service" condition="image">sc.exe</Image>
<Image name="T1047 Windows Management Instrumentation" condition="image">wmic.exe</Image>
<Image name="T1218 Signed Script Proxy Execution" condition="image">wscript.exe</Image>
<Image condition="image">driverquery.exe</Image>
<Image condition="image">dsquery.exe</Image>
<Image condition="image">hh.exe</Image>
<Image condition="image">infDefaultInstall.exe</Image>
<Image condition="image">javaw.exe</Image>
<Image condition="image">javaws.exe</Image>
<Image name="T1031 Modify Existing Service" condition="image">mmc.exe</Image>
<Image name="T1218 Signed Binary Proxy Execution" condition="image">msbuild.exe</Image>
<Image name="T1016 System Network Configuration Discovery" condition="image">nbtstat.exe</Image>
<Image name="T1069 Permission Groups Discovery" condition="image">net1.exe</Image>
<Image name="T1018 Remote System Discovery" condition="image">nslookup.exe</Image>
<Image name="T1057 Process Discovery" condition="image">qprocess.exe</Image>
<Image name="T1057 Process Discovery" condition="image">qwinsta.exe</Image>
<Image name="T1121 Regsvcs/Regasm" condition="image">regsvcs.exe</Image>
<Image name="T1057 Process Discovery" condition="image">rwinsta.exe</Image>
<Image name="T1053 Scheduled Task" condition="image">schtasks.exe</Image>
<Image name="T1089 Disabling Security Tools" condition="image">taskkill.exe</Image>
<Image name="T1057 Process Discovery" condition="image">tasklist.exe</Image>
<Image name="T1218 Signed Binary Proxy Execution" condition="image">replace.exe</Image>
<DestinationPort name="T1043 Commonly Used Port" condition="is">1080</DestinationPort>
<DestinationPort name="T1043 Commonly Used Port" condition="is">3128</DestinationPort>
<DestinationPort name="T1043 Commonly Used Port" condition="is">8080</DestinationPort>
<DestinationPort name="T1021 Remote Services" condition="is">22</DestinationPort>
<DestinationPort name="T1021 Remote Services" condition="is">23</DestinationPort>
<DestinationPort name="T1043 Commonly Used Port" condition="is">25</DestinationPort>
<DestinationPort name="T1021 Remote Services" condition="is">3389</DestinationPort>
<DestinationPort name="T1021 Remote Services" condition="is">5800</DestinationPort>
<DestinationPort name="T1021 Remote Services" condition="is">5900</DestinationPort>
<Image name="T1035 Service Execution" condition="image">psexec.exe</Image>
<Image name="T1035 Service Execution" condition="image">psexesvc.exe</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Users</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\ProgramData</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Windows\Temp</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Temp</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\PerfLogs\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\$Recycle.bin\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Intel\Logs\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Users\Default\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Users\Public\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Users\NetworkService\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Windows\Fonts\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Windows\Debug\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Windows\Media\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Windows\Help\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Windows\addins\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Windows\repair\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Windows\security\</Image>
<Image name="T1036 Masquerading" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
<Image name="T1036 Masquerading" condition="contains">\htdocs\</Image>
<Image name="T1036 Masquerading" condition="contains">\wwwroot\</Image>
<Image name="T1218 Signed Binary Proxy Execution" condition="image">SyncAppvPublishingServer.exe</Image>
<Image condition="image">tor.exe</Image>
<DestinationPort name="T1043 Commonly Used Port" condition="is">1723</DestinationPort>
<DestinationPort name="T1043 Commonly Used Port" condition="is">4500</DestinationPort>
<DestinationPort name="T1043 Commonly Used Port" condition="is">9001</DestinationPort>
<DestinationPort name="T1043 Commonly Used Port" condition="is">9030</DestinationPort>
<DestinationPort name="T1028 Windows Remote Management" condition="is">5986</DestinationPort>
</NetworkConnect>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 5 == Process Terminated. -->
<ProcessTerminate onmatch="include">
<Image condition="begin with">C:\Users</Image>
<Image condition="begin with">C:\Temp</Image>
<Image condition="begin with">C:\Windows\Temp</Image>
</ProcessTerminate>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 6 == Driver Loaded. -->
<DriverLoad onmatch="include" />
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 7 == Image Loaded. -->
<ImageLoad onmatch="include">
<Rule groupRelation="and">
<ImageLoaded name="T1003 Credential Dumping" condition="is">C:\Windows\System32\samlib.dll</ImageLoaded>
<ImageLoaded name="T1003 Credential Dumping" condition="is">C:\Windows\System32\WinSCard.dll</ImageLoaded>
<ImageLoaded name="T1003 Credential Dumping" condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded>
<ImageLoaded name="T1003 Credential Dumping" condition="is">C:\Windows\System32\hid.dll</ImageLoaded>
<ImageLoaded name="T1003 Credential Dumping" condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded>
<ImageLoaded name="T1003 Credential Dumping" condition="is">C:\Windows\System32\wlanapi.dll</ImageLoaded>
</Rule>
<ImageLoaded name="T1137 Office Application Startup" condition="end with">.wll</ImageLoaded>
<ImageLoaded name="T1137 Office Application Startup" condition="end with">.xll</ImageLoaded>
<ImageLoaded name="T1086 PowerShell" condition="end with">system.management.automation.ni.dll</ImageLoaded>
<ImageLoaded name="T1086 PowerShell" condition="end with">system.management.automation.dll</ImageLoaded>
<ImageLoaded name="T1053 Scheduled Task" condition="end with">taskschd.dll</ImageLoaded>
<ImageLoaded name="T1117 Regsvr32" condition="end with">scrobj.dll</ImageLoaded>
<ImageLoaded name="T1073 DLL Side-Loading" condition="contains any">admin$;c$;\\;\appdata\;\temp\</ImageLoaded>
<ImageLoaded condition="begin with" name="T1073 DLL Side-Loading">c:\programdata\</ImageLoaded>
<ImageLoaded condition="begin with" name="T1073 DLL Side-Loading">C:\Windows\Media\</ImageLoaded>
<ImageLoaded condition="begin with" name="T1073 DLL Side-Loading">C:\Windows\addins\</ImageLoaded>
<ImageLoaded condition="begin with" name="T1073 DLL Side-Loading">C:\Windows\system32\config\systemprofile\</ImageLoaded>
<ImageLoaded condition="begin with" name="T1073 DLL Side-Loading">C:\Windows\Debug\</ImageLoaded>
<ImageLoaded condition="begin with" name="T1073 DLL Side-Loading">C:\Windows\Temp</ImageLoaded>
<ImageLoaded condition="begin with" name="T1073 DLL Side-Loading">C:\PerfLogs\</ImageLoaded>
<ImageLoaded condition="begin with" name="T1073 DLL Side-Loading">C:\Windows\Help\</ImageLoaded>
<ImageLoaded condition="begin with" name="T1073 DLL Side-Loading">C:\Intel\Logs\</ImageLoaded>
<ImageLoaded condition="begin with" name="T1073 DLL Side-Loading">C:\Temp</ImageLoaded>
<ImageLoaded condition="begin with" name="T1073 DLL Side-Loading">C:\Windows\repair\</ImageLoaded>
<ImageLoaded condition="begin with" name="T1073 DLL Side-Loading">C:\Windows\security\</ImageLoaded>
<ImageLoaded condition="begin with" name="T1073 DLL Side-Loading">C:\Windows\Fonts\</ImageLoaded>
<ImageLoaded condition="begin with" name="T1073 DLL Side-Loading">file:</ImageLoaded>
<ImageLoaded name="T1073 DLL Side-Loading" condition="contains">$Recycle.bin\</ImageLoaded>
<ImageLoaded name="T1073 DLL Side-Loading" condition="contains">\Windows\IME\</ImageLoaded>
<ImageLoaded name="T1047 Windows Management Instrumentation" condition="end with">wmiutils.dll</ImageLoaded>
</ImageLoad>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 8 == CreateRemoteThread. -->
<CreateRemoteThread onmatch="include">
<StartFunction name="T1055 Process Injection" condition="contains">LoadLibrary</StartFunction>
<TargetImage name="T1055 Process Injection" condition="is">C:\Windows\System32\rundll32.exe</TargetImage>
<TargetImage name="T1055 Process Injection" condition="is">C:\Windows\System32\svchost.exe</TargetImage>
<TargetImage name="T1055 Process Injection" condition="is">C:\Windows\System32\sysmon.exe</TargetImage>
<Rule groupRelation="and">
<StartAddress name="T1003 Credential Dumping" condition="is">0x001A0000</StartAddress>
<TargetImage condition="is">c:\windows\system32\lsass.exe</TargetImage>
</Rule>
<StartAddress name="T1055 Process Injection" condition="is">0x00590000</StartAddress>
</CreateRemoteThread>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 9 == RawAccessRead. -->
<RawAccessRead onmatch="include" />
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 10 == ProcessAccess. -->
<ProcessAccess onmatch="include">
<CallTrace name="T1003 Credential Dumping" condition="contains">dbghelp.dll</CallTrace>
<CallTrace name="T1003 Credential Dumping" condition="contains">dbgore.dll</CallTrace>
<Rule groupRelation="and">
<TargetImage name="T1003 Credential Dumping" condition="is">C:\Windows\system32\csrss.exe</TargetImage>
<GrantedAccess>0x1F1FFF</GrantedAccess>
</Rule>
<Rule groupRelation="and">
<TargetImage name="T1003 Credential Dumping" condition="is">C:\Windows\system32\wininit.exe</TargetImage>
<GrantedAccess>0x1F1FFF</GrantedAccess>
</Rule>
<Rule groupRelation="and">
<TargetImage name="T1003 Credential Dumping" condition="is">C:\Windows\system32\winlogon.exe</TargetImage>
<GrantedAccess>0x1F1FFF</GrantedAccess>
</Rule>
<Rule groupRelation="and">
<TargetImage name="T1003 Credential Dumping" condition="is">C:\Windows\system32\services.exe</TargetImage>
<GrantedAccess>0x1F1FFF</GrantedAccess>
</Rule>
<Rule groupRelation="and">
<TargetImage name="T1003 Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
<GrantedAccess>0x1FFFFF</GrantedAccess>
</Rule>
<Rule groupRelation="and">
<TargetImage name="T1003 Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
<GrantedAccess>0x1F1FFF</GrantedAccess>
</Rule>
<Rule groupRelation="and">
<TargetImage name="T1003 Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
<GrantedAccess>0x1010</GrantedAccess>
</Rule>
<Rule groupRelation="and">
<TargetImage name="T1003 Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
<GrantedAccess>0x143A</GrantedAccess>
</Rule>
<GrantedAccess name="T1093 Process Hollowing">0x0800</GrantedAccess>
<GrantedAccess name="T1003 Credential Dumping">0x0810</GrantedAccess>
<GrantedAccess name="T1055 Process Injection">0x0820</GrantedAccess>
<GrantedAccess name="T1093 Process Hollowing">0x800</GrantedAccess>
<GrantedAccess name="T1003 Credential Dumping">0x810</GrantedAccess>
<GrantedAccess name="T1055 Process Injection">0x820</GrantedAccess>
<SourceImage name="T1036 Masquerading" condition="begin with">C:\PerfLogs\</SourceImage>
<SourceImage name="T1036 Masquerading" condition="begin with">C:\$Recycle.bin\</SourceImage>
<SourceImage name="T1036 Masquerading" condition="begin with">C:\Intel\Logs\</SourceImage>
<SourceImage name="T1036 Masquerading" condition="begin with">C:\Users\Default\</SourceImage>
<SourceImage name="T1036 Masquerading" condition="begin with">C:\Users\Public\</SourceImage>
<SourceImage name="T1036 Masquerading" condition="begin with">C:\Users\NetworkService\</SourceImage>
<SourceImage name="T1036 Masquerading" condition="begin with">C:\Windows\Fonts\</SourceImage>
<SourceImage name="T1036 Masquerading" condition="begin with">C:\Windows\Debug\</SourceImage>
<SourceImage name="T1036 Masquerading" condition="begin with">C:\Windows\Media\</SourceImage>
<SourceImage name="T1036 Masquerading" condition="begin with">C:\Windows\Help\</SourceImage>
<SourceImage name="T1036 Masquerading" condition="begin with">C:\Windows\addins\</SourceImage>
<SourceImage name="T1036 Masquerading" condition="begin with">C:\Windows\repair\</SourceImage>
<SourceImage name="T1036 Masquerading" condition="begin with">C:\Windows\security\</SourceImage>
<SourceImage name="T1036 Masquerading" condition="begin with">C:\Windows\system32\config\systemprofile\</SourceImage>
<SourceImage name="T1036 Masquerading" condition="contains">VolumeShadowCopy</SourceImage>
<SourceImage name="T1036 Masquerading" condition="contains">\htdocs\</SourceImage>
<SourceImage name="T1036 Masquerading" condition="contains">\wwwroot\</SourceImage>
<SourceImage name="T1036 Masquerading" condition="contains">\Temp\</SourceImage>
<Rule groupRelation="and">
<CallTrace name="T1086 PowerShell" condition="contains">System.Management.Automation.ni.dll</CallTrace>
<SourceImage condition="is not">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</SourceImage>
</Rule>
</ProcessAccess>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 11 == FileCreate. -->
<FileCreate onmatch="include">
<TargetFilename name="T1138 Application Shimming" condition="contains">C:\Windows\AppPatch\Custom</TargetFilename>
<TargetFilename condition="end with">.bat</TargetFilename>
<TargetFilename condition="end with">.cmd</TargetFilename>
<TargetFilename name="T1064 Scripting" condition="end with">.chm</TargetFilename>
<TargetFilename condition="begin with">C:\Users\Default</TargetFilename>
<TargetFilename name="T1218 Office Signed Binary Proxy Execution" condition="contains">AppData\Local\Microsoft\CLR_v2.0\UsageLogs\</TargetFilename>
<TargetFilename name="T1218 Office Signed Binary Proxy Execution" condition="end with">\UsageLogs\cscript.exe.log</TargetFilename>
<TargetFilename name="T1218 Office Signed Binary Proxy Execution" condition="end with">\UsageLogs\wscript.exe.log</TargetFilename>
<TargetFilename name="T1218 Office Signed Binary Proxy Execution" condition="end with">\UsageLogs\wmic.exe.log</TargetFilename>
<TargetFilename name="T1218 Office Signed Binary Proxy Execution" condition="end with">\UsageLogs\mshta.exe.log</TargetFilename>
<TargetFilename name="T1218 Office Signed Binary Proxy Execution" condition="end with">\UsageLogs\svchost.exe.log</TargetFilename>
<TargetFilename name="T1218 Office Signed Binary Proxy Execution" condition="end with">\UsageLogs\regsvr32.exe.log</TargetFilename>
<TargetFilename name="T1218 Office Signed Binary Proxy Execution" condition="end with">\UsageLogs\rundll32.exe.log</TargetFilename>
<TargetFilename condition="contains">\Downloads\</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\System32\Drivers</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename>
<TargetFilename condition="end with">.exe</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename>
<TargetFilename name="T1170 Mshta" condition="end with">.hta</TargetFilename>
<TargetFilename condition="end with">.iso</TargetFilename>
<TargetFilename condition="end with">.img</TargetFilename>
<TargetFilename name="T1187 Forced Authentication" condition="end with">.lnk</TargetFilename>
<TargetFilename name="T1187 Forced Authentication" condition="end with">.scf</TargetFilename>
<TargetFilename condition="end with">.application</TargetFilename>
<TargetFilename condition="end with">.appref-ms</TargetFilename>
<TargetFilename name="T1191 Trusted Developer Utilities" condition="end with">.*proj</TargetFilename>
<TargetFilename name="T1191 Trusted Developer Utilities" condition="end with">.sln</TargetFilename>
<TargetFilename condition="end with">.settingcontent-ms</TargetFilename>
<TargetFilename condition="end with">.docm</TargetFilename>
<TargetFilename condition="end with">.pptm</TargetFilename>
<TargetFilename condition="end with">.xlsm</TargetFilename> <!-- added onr -->
<TargetFilename condition="end with">.xlm</TargetFilename>
<TargetFilename condition="end with">.dotm</TargetFilename>
<TargetFilename condition="end with">.xltm</TargetFilename>
<TargetFilename condition="end with">.potm</TargetFilename>
<TargetFilename condition="end with">.ppsm</TargetFilename>
<TargetFilename condition="end with">.sldm</TargetFilename>
<TargetFilename condition="end with">.xlam</TargetFilename>
<TargetFilename condition="end with">.xla</TargetFilename>
<TargetFilename condition="end with">.iqy</TargetFilename>
<TargetFilename condition="end with">.slk</TargetFilename>
<TargetFilename condition="contains">\Content.Outlook\</TargetFilename>
<TargetFilename condition="end with">.rft</TargetFilename>
<TargetFilename condition="end with">.jsp</TargetFilename>
<TargetFilename condition="end with">.jspx</TargetFilename>
<TargetFilename condition="end with">.asp</TargetFilename>
<TargetFilename condition="end with">.aspx</TargetFilename>
<TargetFilename condition="end with">.php</TargetFilename>
<TargetFilename condition="end with">.war</TargetFilename>
<TargetFilename condition="end with">.ace</TargetFilename>
<TargetFilename name="T1086 PowerShell" condition="begin with">C:\Windows\System32\WindowsPowerShell</TargetFilename>
<TargetFilename name="T1086 PowerShell" condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename>
<TargetFilename name="T1086 PowerShell" condition="end with">.ps1</TargetFilename>
<TargetFilename name="T1086 PowerShell" condition="end with">.ps2</TargetFilename>
<TargetFilename condition="end with">.py</TargetFilename>
<TargetFilename condition="end with">.pyc</TargetFilename>
<TargetFilename condition="end with">.pyw</TargetFilename>
<Image condition="image">rundll32.exe</Image>
<TargetFilename condition="begin with">C:\Windows\System32\Tasks</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename>
<TargetFilename condition="contains">\Startup</TargetFilename>
<TargetFilename condition="contains">\Start Menu</TargetFilename>
<TargetFilename condition="end with">.sys</TargetFilename>
<TargetFilename condition="end with">.url</TargetFilename>
<TargetFilename condition="end with">.vb</TargetFilename>
<TargetFilename condition="end with">.vbe</TargetFilename>
<TargetFilename condition="end with">.vbs</TargetFilename>
<TargetFilename name="T1047 Windows Management Instrumentation" condition="begin with">C:\Windows\System32\Wbem</TargetFilename>
<TargetFilename name="T1047 Windows Management Instrumentation" condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
<Image name="T1047 Windows Management Instrumentation" condition="begin with">C:\WINDOWS\system32\wbem\scrcons.exe</Image>
<TargetFilename name="T1044 File System Permissions Weakness" condition="begin with">C:\Windows\Temp\</TargetFilename>
<TargetFilename name="T1044 File System Permissions Weakness" condition="begin with">C:\Temp\</TargetFilename>
<TargetFilename name="T1044 File System Permissions Weakness" condition="begin with">C:\PerfLogs\</TargetFilename>
<TargetFilename name="T1044 File System Permissions Weakness" condition="begin with">C:\Users\Public\</TargetFilename>
<TargetFilename name="T1044 File System Permissions Weakness" condition="contains">\AppData\Temp\</TargetFilename>
</FileCreate>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. -->
<RegistryEvent onmatch="include">
<TargetObject name="T1015 Accessibility Features" condition="is">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
<TargetObject name="T1138 Application Shimming" condition="contains">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject>
<TargetObject name="T1138 Application Shimming" condition="contains">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject>
<TargetObject name="T1131 Authentication Package" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa</TargetObject>
<TargetObject name="T1060 Registry Run Keys / Start Folder" condition="contains">\CurrentVersion\Run</TargetObject>
<TargetObject condition="contains">\Group Policy\Scripts</TargetObject>
<TargetObject name="T1037 Logon Scripts" condition="contains">\Windows\System\Scripts</TargetObject>
<TargetObject name="T1060 Registry Run Keys / Start Folder" condition="contains">\Policies\Explorer\Run</TargetObject>
<TargetObject condition="end with">\ServiceDll</TargetObject>
<TargetObject condition="end with">\ImagePath</TargetObject>
<TargetObject condition="end with">\Start</TargetObject>
<TargetObject name="T1004 Winlogon Helper DLL" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify</TargetObject>
<TargetObject name="T1004 Winlogon Helper DLL" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit</TargetObject>
<TargetObject name="T1004 Winlogon Helper DLL" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject>
<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject>
<TargetObject name="T1060 Registry Run Keys / Start Folder" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject>
<TargetObject name="T1042 Change Default File Association" condition="contains">\Explorer\FileExts</TargetObject>
<TargetObject condition="contains">\shell\install\command</TargetObject>
<TargetObject condition="contains">\shell\open\command</TargetObject>
<TargetObject condition="contains">\shell\open\ddeexec</TargetObject>
<TargetObject name="T1060 Registry Run Keys / Start Folder" condition="contains">Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup</TargetObject>
<TargetObject name="T1088 Bypass User Account Control" condition="contains">\mscfile\shell\open\command</TargetObject>
<TargetObject name="T1088 Bypass User Account Control" condition="contains">ms-settings\shell\open\command</TargetObject>
<TargetObject name="T1088 Bypass User Account Control" condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject>
<TargetObject name="T1122 Component Object Model Hijacking" condition="contains">Software\Classes\CLSID</TargetObject>
<TargetObject name="T1098 Account Manipulation" condition="contains">\services\Netlogon\Parameters\DisablePasswordChange</TargetObject>
<TargetObject name="T1103 Appinit DLLs" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls</TargetObject>
<TargetObject name="T1103 Appinit DLLs" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls</TargetObject>
<TargetObject name="T1103 Appinit DLLs" condition="is">REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject>
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions</TargetObject>
<TargetObject name="T1183 Image File Execution Options Injection" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
<TargetObject name="T1183 Image File Execution Options Injection" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
<TargetObject condition="contains">\Internet Explorer\Toolbar</TargetObject>
<TargetObject condition="contains">\Internet Explorer\Extensions</TargetObject>
<TargetObject condition="contains">\Browser Helper Objects</TargetObject>
<TargetObject name="T1013 Forced Authentication" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</TargetObject>
<TargetObject name="T1128 Netsh Helper DLL" condition="contains">SOFTWARE\Microsoft\Netsh</TargetObject>
<TargetObject condition="end with">\UrlUpdateInfo</TargetObject>
<TargetObject condition="contains">\Microsoft\Office\Outlook\Addins</TargetObject>
<TargetObject condition="contains">\Software\Microsoft\VSTO\Security\Inclusion</TargetObject>
<TargetObject condition="contains">\Software\Microsoft\VSTO\SolutionMetadata</TargetObject>
<TargetObject name="T1076 Remote Desktop Protocol" condition="is">HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services</TargetObject>
<TargetObject name="T1101 Security Support Provider" condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe</TargetObject>
<TargetObject name="T1198 SIP and Trust Provider Hijacking" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject>
<TargetObject name="T1198 SIP and Trust Provider Hijacking" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject>
<TargetObject name="T1198 SIP and Trust Provider Hijacking" condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject>
<TargetObject name="T1198 SIP and Trust Provider Hijacking" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject>
<TargetObject name="T1035 Service Execution" condition="end with">\PsExec\EulaAccepted</TargetObject>
<TargetObject name="T1105 Remote File Copy" condition="end with">\PsFile\EulaAccepted</TargetObject>
<TargetObject name="T1033 System Owner/User Discovery" condition="end with">\PsGetSID\EulaAccepted</TargetObject>
<TargetObject name="T1057 Process Discovery" condition="end with">\PsInfo\EulaAccepted</TargetObject>
<TargetObject name="T1089 Disabling Security Tools" condition="end with">\PsKill\EulaAccepted</TargetObject>
<TargetObject name="T1057 Process Discovery" condition="end with">\PsList\EulaAccepted</TargetObject>
<TargetObject name="T1033 System Owner/User Discovery" condition="end with">\PsLoggedOn\EulaAccepted</TargetObject>
<TargetObject name="T1035 Service Execution" condition="end with">\PsLogList\EulaAccepted</TargetObject>
<TargetObject name="T1098 Account Manipulation" condition="end with">\PsPasswd\EulaAccepted</TargetObject>
<TargetObject name="T1035 Service Execution" condition="end with">\PsService\EulaAccepted</TargetObject>
<TargetObject name="undefined" condition="end with">\PsShutDown\EulaAccepted</TargetObject>
<TargetObject name="undefined" condition="end with">\PsSuspend\EulaAccepted</TargetObject>
<TargetObject name="T1089 Disabling Security Tools" condition="contains">SYSTEM\CurrentControlSet\services\SysmonDrv</TargetObject>
<TargetObject name="T1089 Disabling Security Tools" condition="contains">SYSTEM\CurrentControlSet\services\Sysmon</TargetObject>
<TargetObject name="T1060 Registry Run Keys / Start Folder" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
<TargetObject name="T1209 Time Providers" condition="contains">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders</TargetObject>
<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup</TargetObject>
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths</TargetObject>
<TargetObject name="T1182 AppCert DLLs" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls</TargetObject>
<TargetObject condition="end with">\InprocServer32\(Default)</TargetObject>
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject>
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa</TargetObject>
<TargetObject name="T1003 Credential Dumping" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders</TargetObject>
<TargetObject name="T1003 Credential Dumping" condition="contains">\Control\SecurityProviders\WDigest</TargetObject>
<TargetObject name="T1089 Disabling Security Tools" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
<TargetObject name="T1089 Disabling Security Tools" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
<TargetObject name="T1089 Disabling Security Tools" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus</TargetObject>
<TargetObject name="T1089 Disabling Security Tools" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
<TargetObject name="T1089 Disabling Security Tools" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
<TargetObject name="T1089 Disabling Security Tools" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable</TargetObject>
<TargetObject name="T1089 Disabling Security Tools" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
<TargetObject name="T1089 Disabling Security Tools" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender</TargetObject>
<TargetObject name="T1089 Disabling Security Tools" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject>
<TargetObject name="T1089 Disabling Security Tools" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject>
<TargetObject name="T1089 Disabling Security Tools" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT</TargetObject>
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot</TargetObject>
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon</TargetObject>
<TargetObject condition="end with">\FriendlyName</TargetObject>
<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject>
<Rule groupRelation="and">
<TargetObject name="T1088 Bypass User Account Control" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</TargetObject>
<Image condition="is not">C:\Windows\System32\svchost.exe</Image>
</Rule>
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order</TargetObject>
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
<TargetObject name="T1130 Install Root Certificate" condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates</TargetObject>
<TargetObject name="T1130 Install Root Certificate" condition="contains">\Microsoft\SystemCertificates\Root\Certificates</TargetObject>
<TargetObject name="T1089 Disabling Security Tools" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
<TargetObject name="T1089 Disabling Security Tools" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
<TargetObject condition="contains">\Classes\AllFilesystemObjects</TargetObject>
<TargetObject condition="contains">\Classes\Directory</TargetObject>
<TargetObject condition="contains">\Classes\Drive</TargetObject>
<TargetObject condition="contains">\Classes\Folder</TargetObject>
<TargetObject condition="contains">\ContextMenuHandlers</TargetObject>
<TargetObject condition="contains">\CurrentVersion\Shell</TargetObject>
<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject>
<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad</TargetObject>
<TargetObject condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}</TargetObject>
<TargetObject name="T1088 Bypass User Account Control" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject>
<TargetObject name="T1088 Bypass User Account Control" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject>
<TargetObject name="T1088 Bypass User Account Control" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
<TargetObject name="T1088 Bypass User Account Control" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock</TargetObject>
<TargetObject condition="end with">\ProxyServer</TargetObject>
<TargetObject name="T1047 Windows Management Instrumentation" condition="contains">SYSTEM\CurrentControlSet\Control\CrashControl</TargetObject>
</RegistryEvent>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 15 == FileStream Created. -->
<FileCreateStreamHash onmatch="include">
<TargetFilename condition="contains">Temp\7z</TargetFilename>
<TargetFilename condition="end with">.bat</TargetFilename>
<TargetFilename condition="end with">.cmd</TargetFilename>
<TargetFilename condition="end with">Temp\debug.bin</TargetFilename>
<TargetFilename condition="contains">Downloads</TargetFilename>
<TargetFilename condition="end with">.exe</TargetFilename>
<TargetFilename condition="end with">.hta</TargetFilename>
<TargetFilename condition="end with">.lnk</TargetFilename>
<TargetFilename condition="contains">Content.Outlook</TargetFilename>
<TargetFilename name="T1086 PowerShell" condition="end with">.ps1</TargetFilename>
<TargetFilename name="T1086 PowerShell" condition="end with">.ps2</TargetFilename>
<TargetFilename condition="end with">.reg</TargetFilename>
<TargetFilename condition="end with">.vb</TargetFilename>
<TargetFilename condition="end with">.vbe</TargetFilename>
<TargetFilename condition="end with">.vbs</TargetFilename>
</FileCreateStreamHash>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected -->
<PipeEvent onmatch="exclude">
<Image condition="is">Program Files (x86)\Citrix\ICA Client\SelfServicePlugin\SelfService.exe</Image>
<Image condition="is">Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe</Image>
<Image condition="is">Program Files (x86)\Citrix\ICA Client\wfcrun32.exe</Image>
<Image condition="is">Program Files (x86)\Citrix\ICA Client\concentr.exe</Image>
<PipeName condition="begin with">\Vivisimo Velocity</PipeName>
<PipeName condition="is">\SQLLocal\MSSQLSERVER</PipeName>
<PipeName condition="is">\SQLLocal\INSTANCE01</PipeName>
<PipeName condition="is">\SQLLocal\SQLEXPRESS</PipeName>
<PipeName condition="is">\SQLLocal\COMMVAULT</PipeName>
<PipeName condition="is">\SQLLocal\RTCLOCAL</PipeName>
<PipeName condition="is">\SQLLocal\RTC</PipeName>
<PipeName condition="is">\SQLLocal\TMSM</PipeName>
<Image condition="is">Program Files (x86)\Microsoft SQL Server\110\DTS\binn\dtexec.exe</Image>
<Image condition="end with">PostgreSQL\9.6\bin\postgres.exe</Image>
<PipeName condition="contains">\pgsignal_</PipeName>
<Image condition="is">Program Files\Qlik\Sense\Engine\Engine.exe</Image>
<Image condition="end with">Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Image>
<Image condition="end with">Program Files\SplunkUniversalForwarder\bin\splunk.exe</Image>
<Image condition="end with">Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Image>
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\CMAgent\OfcCMAgent.exe</Image>
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe</Image>
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Web\Service\DbServer.exe</Image>
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\verconn.exe</Image>
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WEB_OSCE\WEB\CGI\cgiOnClose.exe</Image>
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WEB_OSCE\WEB\CGI\cgiRqHotFix.exe</Image>
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\LWCS\LWCSService.exe</Image>
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WSS\iCRCService.exe</Image>
<Image condition="end with">Program Files\Trend\SPROTECT\x64\tsc.exe</Image>
<Image condition="end with">Program Files\Trend\SPROTECT\x64\tsc64.exe</Image>
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\osceintegrationservice.exe</Image>
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\OfcLogReceiverSvc.exe</Image>
<PipeName condition="is">\Trend Micro OSCE Command Handler Manager</PipeName>
<PipeName condition="is">\Trend Micro OSCE Command Handler2 Manager</PipeName>
<PipeName condition="is">\Trend Micro Endpoint Encryption ToolBox Command Handler Manager</PipeName>
<PipeName condition="is">\OfcServerNamePipe</PipeName>
<PipeName condition="is">\ntapvsrq</PipeName>
<PipeName condition="is">\srvsvc</PipeName>
<PipeName condition="is">\wkssvc</PipeName>
<PipeName condition="is">\lsass</PipeName>
<PipeName condition="is">\winreg</PipeName>
<PipeName condition="is">\spoolss</PipeName>
<PipeName condition="contains">Anonymous Pipe</PipeName>
<Image condition="is">c:\windows\system32\inetsrv\w3wp.exe</Image>
</PipeEvent>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 19,20,21, == WmiEvent. Log all WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter activity-->
<WmiEvent onmatch="include">
<Operation name="T1047 Windows Management Instrumentation" condition="is">Created</Operation>
</WmiEvent>
</RuleGroup>
<RuleGroup groupRelation="or">
<DnsQuery onmatch="exclude">
<QueryName condition="end with">.1rx.io</QueryName>
<QueryName condition="end with">.2mdn.net</QueryName>
<QueryName condition="end with">.adadvisor.net</QueryName>
<QueryName condition="end with">.adap.tv</QueryName>
<QueryName condition="end with">.addthis.com</QueryName>
<QueryName condition="end with">.adform.net</QueryName>
<QueryName condition="end with">.adnxs.com</QueryName>
<QueryName condition="end with">.adroll.com</QueryName>
<QueryName condition="end with">.adrta.com</QueryName>
<QueryName condition="end with">.adsafeprotected.com</QueryName>
<QueryName condition="end with">.adsrvr.org</QueryName>
<QueryName condition="end with">.advertising.com</QueryName>
<QueryName condition="end with">.amazon-adsystem.com</QueryName>
<QueryName condition="end with">.amazon-adsystem.com</QueryName>
<QueryName condition="end with">.analytics.yahoo.com</QueryName>
<QueryName condition="end with">.aol.com</QueryName>
<QueryName condition="end with">.betrad.com</QueryName>
<QueryName condition="end with">.bidswitch.net</QueryName>
<QueryName condition="end with">.casalemedia.com</QueryName>
<QueryName condition="end with">.chartbeat.net</QueryName>
<QueryName condition="end with">.cnn.com</QueryName>
<QueryName condition="end with">.convertro.com</QueryName>
<QueryName condition="end with">.criteo.com</QueryName>
<QueryName condition="end with">.criteo.net</QueryName>
<QueryName condition="end with">.crwdcntrl.net</QueryName>
<QueryName condition="end with">.demdex.net</QueryName>
<QueryName condition="end with">.domdex.com</QueryName>
<QueryName condition="end with">.dotomi.com</QueryName>
<QueryName condition="end with">.doubleclick.net</QueryName>
<QueryName condition="end with">.doubleverify.com</QueryName>
<QueryName condition="end with">.emxdgt.com</QueryName>
<QueryName condition="end with">.exelator.com</QueryName>
<QueryName condition="end with">.google-analytics.com</QueryName>
<QueryName condition="end with">.googleadservices.com</QueryName>
<QueryName condition="end with">.googlesyndication.com</QueryName>
<QueryName condition="end with">.googletagmanager.com</QueryName>
<QueryName condition="end with">.googlevideo.com</QueryName>
<QueryName condition="end with">.gstatic.com</QueryName>
<QueryName condition="end with">.gvt1.com</QueryName>
<QueryName condition="end with">.gvt2.com</QueryName>
<QueryName condition="end with">.ib-ibi.com</QueryName>
<QueryName condition="end with">.jivox.com</QueryName>
<QueryName condition="end with">.mathtag.com</QueryName>
<QueryName condition="end with">.moatads.com</QueryName>
<QueryName condition="end with">.moatpixel.com</QueryName>
<QueryName condition="end with">.mookie1.com</QueryName>
<QueryName condition="end with">.myvisualiq.net</QueryName>
<QueryName condition="end with">.netmng.com</QueryName>
<QueryName condition="end with">.nexac.com</QueryName>
<QueryName condition="end with">.openx.net</QueryName>
<QueryName condition="end with">.optimizely.com</QueryName>
<QueryName condition="end with">.outbrain.com</QueryName>
<QueryName condition="end with">.pardot.com</QueryName>
<QueryName condition="end with">.phx.gbl</QueryName>
<QueryName condition="end with">.pinterest.com</QueryName>
<QueryName condition="end with">.pubmatic.com</QueryName>
<QueryName condition="end with">.quantcount.com</QueryName>
<QueryName condition="end with">.quantserve.com</QueryName>
<QueryName condition="end with">.revsci.net</QueryName>
<QueryName condition="end with">.rfihub.net</QueryName>
<QueryName condition="end with">.rlcdn.com</QueryName>
<QueryName condition="end with">.rubiconproject.com</QueryName>
<QueryName condition="end with">.scdn.co</QueryName>
<QueryName condition="end with">.scorecardresearch.com</QueryName>
<QueryName condition="end with">.serving-sys.com</QueryName>
<QueryName condition="end with">.sharethrough.com</QueryName>
<QueryName condition="end with">.simpli.fi</QueryName>
<QueryName condition="end with">.sitescout.com</QueryName>
<QueryName condition="end with">.smartadserver.com</QueryName>
<QueryName condition="end with">.snapads.com</QueryName>
<QueryName condition="end with">.spotxchange.com</QueryName>
<QueryName condition="end with">.taboola.com</QueryName>
<QueryName condition="end with">.taboola.map.fastly.net</QueryName>
<QueryName condition="end with">.tapad.com</QueryName>
<QueryName condition="end with">.tidaltv.com</QueryName>
<QueryName condition="end with">.trafficmanager.net</QueryName>
<QueryName condition="end with">.tremorhub.com</QueryName>
<QueryName condition="end with">.tribalfusion.com</QueryName>
<QueryName condition="end with">.turn.com</QueryName>
<QueryName condition="end with">.twimg.com</QueryName>
<QueryName condition="end with">.tynt.com</QueryName>
<QueryName condition="end with">.w55c.net</QueryName>
<QueryName condition="end with">.ytimg.com</QueryName>
<QueryName condition="end with">.zorosrv.com</QueryName>
<QueryName condition="is">1rx.io</QueryName>
<QueryName condition="is">adservice.google.com</QueryName>
<QueryName condition="is">ampcid.google.com</QueryName>
<QueryName condition="is">clientservices.googleapis.com</QueryName>
<QueryName condition="is">googleadapis.l.google.com</QueryName>
<QueryName condition="is">imasdk.googleapis.com</QueryName>
<QueryName condition="is">l.google.com</QueryName>
<QueryName condition="is">ml314.com</QueryName>
<QueryName condition="is">mtalk.google.com</QueryName>
<QueryName condition="is">update.googleapis.com</QueryName>
<QueryName condition="is">www.googletagservices.com</QueryName>
<QueryName condition="end with">.mozaws.net</QueryName>
<QueryName condition="end with">.mozilla.com</QueryName>
<QueryName condition="end with">.mozilla.net</QueryName>
<QueryName condition="end with">.mozilla.org</QueryName>
<QueryName condition="is">clients1.google.com</QueryName>
<QueryName condition="is">clients2.google.com</QueryName>
<QueryName condition="is">clients3.google.com</QueryName>
<QueryName condition="is">clients4.google.com</QueryName>
<QueryName condition="is">clients5.google.com</QueryName>
<QueryName condition="is">clients6.google.com</QueryName>
<QueryName condition="is">safebrowsing.googleapis.com</QueryName>
<QueryName condition="end with">.akadns.net</QueryName>
<QueryName condition="end with">.netflix.com</QueryName>
<QueryName condition="end with">aspnetcdn.com</QueryName>
<QueryName condition="is">ajax.googleapis.com</QueryName>
<QueryName condition="is">cdnjs.cloudflare.com</QueryName>
<QueryName condition="is">fonts.googleapis.com</QueryName>
<QueryName condition="end with">.typekit.net</QueryName>
<QueryName condition="is">cdnjs.cloudflare.com</QueryName>
<QueryName condition="end with">.stackassets.com</QueryName>
<QueryName condition="end with">.steamcontent.com</QueryName>
<QueryName condition="end with">.arpa.</QueryName>
<QueryName condition="end with">.arpa</QueryName>
<QueryName condition="end with">.msftncsi.com</QueryName>
<QueryName condition="end with">.localmachine</QueryName>
<QueryName condition="is">localhost</QueryName>
<Rule groupRelation="and">
<Image condition="is">C:\ProgramData\LogiShrd\LogiOptions\Software\Current\updater.exe</Image>
<QueryName condition="end with">.logitech.com</QueryName>
</Rule>
<Image condition="is">C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe</Image>
<QueryName condition="end with">-pushp.svc.ms</QueryName>
<QueryName condition="end with">.b-msedge.net</QueryName>
<QueryName condition="end with">.bing.com</QueryName>
<QueryName condition="end with">.hotmail.com</QueryName>
<QueryName condition="end with">.live.com</QueryName>
<QueryName condition="end with">.live.net</QueryName>
<QueryName condition="end with">.s-microsoft.com</QueryName>
<QueryName condition="end with">.microsoft.com</QueryName>
<QueryName condition="end with">.microsoftonline.com</QueryName>
<QueryName condition="end with">.microsoftstore.com</QueryName>
<QueryName condition="end with">.ms-acdc.office.com</QueryName>
<QueryName condition="end with">.msedge.net</QueryName>
<QueryName condition="end with">.msn.com</QueryName>
<QueryName condition="end with">.msocdn.com</QueryName>
<QueryName condition="end with">.skype.com</QueryName>
<QueryName condition="end with">.skype.net</QueryName>
<QueryName condition="end with">.windows.com</QueryName>
<QueryName condition="end with">.windows.net.nsatc.net</QueryName>
<QueryName condition="end with">.windowsupdate.com</QueryName>
<QueryName condition="end with">.xboxlive.com</QueryName>
<QueryName condition="is">login.windows.net</QueryName>
<QueryName condition="end with">.activedirectory.windowsazure.com</QueryName>
<QueryName condition="end with">.aria.microsoft.com</QueryName>
<QueryName condition="end with">.msauth.net</QueryName>
<QueryName condition="end with">.msftauth.net</QueryName>
<QueryName condition="end with">.opinsights.azure.com</QueryName>
<QueryName condition="is">management.azure.com</QueryName>
<QueryName condition="is">outlook.office365.com</QueryName>
<QueryName condition="is">portal.azure.com</QueryName>
<QueryName condition="is">substrate.office.com</QueryName>
<QueryName condition="is">osi.office.net</QueryName>
<QueryName condition="end with">.digicert.com</QueryName>
<QueryName condition="end with">.globalsign.com</QueryName>
<QueryName condition="end with">.globalsign.net</QueryName>
<QueryName condition="is">msocsp.com</QueryName>
<QueryName condition="is">ocsp.msocsp.com</QueryName>
<QueryName condition="end with">pki.goog</QueryName>
<QueryName condition="is">ocsp.godaddy.com</QueryName>
<QueryName condition="end with">amazontrust.com</QueryName>
<QueryName condition="is">ocsp.sectigo.com</QueryName>
<QueryName condition="is">pki-goog.l.google.com</QueryName>
<QueryName condition="end with">.usertrust.com</QueryName>
<QueryName condition="is">ocsp.comodoca.com</QueryName>
<QueryName condition="is">ocsp.verisign.com</QueryName>
<QueryName condition="is">ocsp.entrust.net</QueryName>
<QueryName condition="end with">ocsp.identrust.com</QueryName>
<QueryName condition="is">status.rapidssl.com</QueryName>
<QueryName condition="is">status.thawte.com</QueryName>
<QueryName condition="is">ocsp.int-x3.letsencrypt.org</QueryName>
<QueryName condition="is">subca.ocsp-certum.com</QueryName>
<QueryName condition="is">cscasha2.ocsp-certum.com</QueryName>
<QueryName condition="end with">.spotify.com</QueryName>
<QueryName condition="end with">.spotify.map.fastly.net</QueryName>
</DnsQuery>
</RuleGroup>
<RuleGroup groupRelation="or">
<CreateRemoteThread onmatch="exclude">
<SourceImage condition="is">C:\Windows\System32\svchost.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\wininit.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\csrss.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\services.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\winlogon.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\audiodg.exe</SourceImage>
<StartModule condition="is">C:\windows\system32\kernel32.dll</StartModule>
<TargetImage condition="end with">Google\Chrome\Application\chrome.exe</TargetImage>
<SourceImage condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</SourceImage>
</CreateRemoteThread>
</RuleGroup>
<RuleGroup groupRelation="or">
<RegistryEvent onmatch="exclude">
<Image condition="is">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\aciseposture.exe</Image>
<Image condition="is">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe</Image>
<TargetObject condition="end with">Toolbar\WebBrowser</TargetObject>
<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Height</TargetObject>
<TargetObject condition="end with">Toolbar\ShellBrowser\ITBar7Layout</TargetObject>
<TargetObject condition="end with">Internet Explorer\Toolbar\Locked</TargetObject>
<TargetObject condition="end with">ShellBrowser</TargetObject>
<Image condition="is">C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe</Image>
<Image condition="is">C:\Program Files\RES Software\Workspace Manager\pfwsmgr.exe</Image>
<Image condition="is">C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpeHost.exe</Image>
<Image condition="is">C:\Program Files\McAfee\Endpoint Security\Adaptive Threat Protection\mfeatp.exe</Image>
<Image condition="is">C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\mfeesp.exe</Image>
<Image condition="is">C:\Program Files\Common Files\McAfee\Engine\AMCoreUpdater\amupdate.exe</Image>
<Image condition="is">C:\Program Files\McAfee\Agent\masvc.exe</Image>
<Image condition="is">C:\Program Files\McAfee\Agent\x86\mfemactl.exe</Image>
<Image condition="is">C:\Program Files\McAfee\Agent\x86\McScript_InUse.exe</Image>
<Image condition="is">C:\Program Files\McAfee\Agent\x86\macompatsvc.exe</Image>
<Image condition="is">C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe</Image>
<Image condition="begin with">C:\Program Files\Common Files\McAfee\Engine\scanners</Image>
<Image condition="is">C:\Program Files\Common Files\McAfee\AVSolution\mcshield.exe</Image>
<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image>
<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit</TargetObject>
<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy</TargetObject>
<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System</TargetObject>
<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache</TargetObject>
<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains</TargetObject>
<TargetObject condition="end with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit</TargetObject>
<TargetObject condition="contains">\OpenWithProgids</TargetObject>
<TargetObject condition="end with">\OpenWithList</TargetObject>
<TargetObject condition="end with">\UserChoice</TargetObject>
<TargetObject condition="end with">\UserChoice\ProgId</TargetObject>
<TargetObject condition="end with">\UserChoice\Hash</TargetObject>
<TargetObject condition="end with">\OpenWithList\MRUList</TargetObject>
<TargetObject condition="end with">} 0xFFFF</TargetObject>
<Image condition="end with">Office\root\integration\integrator.exe</Image>
<Image condition="image">C:\WINDOWS\system32\backgroundTaskHost.exe</Image>
<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</Image>
<Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image>
<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
<Image condition="is">C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe</Image>
<TargetObject condition="end with">\CurrentVersion\Run</TargetObject>
<TargetObject condition="end with">\CurrentVersion\RunOnce</TargetObject>
<TargetObject condition="end with">\CurrentVersion\App Paths</TargetObject>
<TargetObject condition="end with">\CurrentVersion\Image File Execution Options</TargetObject>
<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Cached</TargetObject>
<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Approved</TargetObject>
<TargetObject condition="end with">}\PreviousPolicyAreas</TargetObject>
<TargetObject condition="contains">\Control\WMI\Autologger\</TargetObject>
<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start</TargetObject>
<TargetObject condition="end with">\Lsa\OfflineJoin\CurrentValue</TargetObject>
<TargetObject condition="end with">\Components\TrustedInstaller\Events</TargetObject>
<TargetObject condition="end with">\Components\TrustedInstaller</TargetObject>
<TargetObject condition="end with">\Components\Wlansvc</TargetObject>
<TargetObject condition="end with">\Components\Wlansvc\Events</TargetObject>
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\</TargetObject>
<TargetObject condition="end with">\Directory\shellex</TargetObject>
<TargetObject condition="end with">\Directory\shellex\DragDropHandlers</TargetObject>
<TargetObject condition="end with">\Drive\shellex</TargetObject>
<TargetObject condition="end with">\Drive\shellex\DragDropHandlers</TargetObject>
<TargetObject condition="contains">_Classes\AppX</TargetObject>
<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject>
<TargetObject condition="is">HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates</TargetObject>
<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
<Image condition="begin with">C:\$WINDOWS.~BT\</Image>
<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_32\Start</TargetObject>
<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_64\Start</TargetObject>
<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_32\Start</TargetObject>
<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_64\Start</TargetObject>
<TargetObject condition="end with">\services\DeviceAssociationService\Start</TargetObject>
<TargetObject condition="end with">\services\BITS\Start</TargetObject>
<TargetObject condition="end with">\services\TrustedInstaller\Start</TargetObject>
<TargetObject condition="end with">\services\tunnel\Start</TargetObject>
<TargetObject condition="end with">\services\UsoSvc\Start</TargetObject>
</RegistryEvent>
</RuleGroup>
<RuleGroup groupRelation="or">
<NetworkConnect onmatch="exclude">
<Image condition="end with">AppData\Roaming\Dropbox\bin\Dropbox.exe</Image>
<Image condition="is">C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe</Image>
<Image condition="image">OneDrive.exe</Image>
<Image condition="image">OneDriveStandaloneUpdater.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe</Image>
<Image condition="is">C:\Program Files\Sophos\Sophos Network Threat Protection\bin\SntpService.exe</Image>
<Image condition="image">Spotify.exe</Image>
<Image condition="is">C:\Program files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe</Image>
<Image condition="is">C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe</Image>
<DestinationHostname condition="end with">microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname>
<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname>
</NetworkConnect>
</RuleGroup>
<RuleGroup groupRelation="or">
<DriverLoad onmatch="exclude">
<Signature condition="begin with">Intel </Signature>
<Signature condition="contains">microsoft</Signature>
<Signature condition="contains">windows</Signature>
</DriverLoad>
</RuleGroup>
<RuleGroup groupRelation="or">
<ProcessCreate onmatch="exclude">
<Rule groupRelation="and">
<Image condition="end with">AcroRd32.exe</Image>
<CommandLine condition="contains any">/CR;channel=</CommandLine>
</Rule>
<Rule groupRelation="or">
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image>
<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe</ParentImage>
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image>
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image>
</Rule>
<Image condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</Image>
<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</ParentImage>
<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe</ParentImage>
<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe</ParentImage>
<Image condition="end with">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image>
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image>
<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</ParentImage>
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe</Image>
<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe</Image>
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe</Image>
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe</Image>
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe</Image>
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</Image>
<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</ParentImage>
<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</Image>
<ParentImage condition="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</ParentImage>
<ParentImage condition="end with">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe</ParentImage>
<CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</CommandLine>
<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image>
<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image>
<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image>
<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image>
<ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage>
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage>
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage>
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage>
<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage>
<Image condition="begin with">C:\Program Files\NVIDIA Corporation\</Image>
<Image condition="begin with">C:\Program Files\Realtek\</Image>
<ParentImage condition="end with">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe</ParentImage>
<Image condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</Image>
<ParentImage condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage>
<Image condition="is">C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe</Image>
<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine>
<CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine>
<Image condition="begin with">C:\Program Files (x86)\Google\Update\</Image>
<ParentImage condition="begin with">C:\Program Files (x86)\Google\Update\</ParentImage>
<ParentImage condition="is">C:\Program Files (x86)\RES Software\Workspace Manager\pfwsmgr.exe</ParentImage>
<ParentImage condition="is">C:\Program Files (x86)\RES Software\Workspace Manager\respesvc64.exe</ParentImage>
<ParentImage condition="is">C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe</ParentImage>
<ParentImage condition="is">C:\Program Files (x86)\RES Software\Workspace Manager\ResPesvc64.exe</ParentImage>
<ParentImage condition="is">C:\Program Files\RES Software\Workspace Manager\respesvc.exe</ParentImage>
<ParentImage condition="is">C:\Program Files\Ivanti\Workspace Control\ResPesvc.exe</ParentImage>
<Image condition="is">C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe</Image>
<Image condition="is">C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe</Image>
<Image condition="is">C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe</Image>
<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image>
<ParentImage condition="end with">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage>
<ParentImage condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</ParentImage>
<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE</Image>
<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE</Image>
<CommandLine condition="begin with">"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel</CommandLine>
<CommandLine condition="begin with">"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel</CommandLine>
<Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe</Image>
<Image condition="begin with">C:\Program Files\Splunk\bin\</Image>
<ParentImage condition="is">C:\Program Files\Splunk\bin\splunkd.exe</ParentImage>
<Image condition="begin with">D:\Program Files\Splunk\bin\</Image>
<ParentImage condition="is">D:\Program Files\Splunk\bin\splunkd.exe</ParentImage>
<Image condition="begin with">C:\Program Files\SplunkUniversalForwarder\bin\</Image>
<ParentImage condition="is">C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</ParentImage>
<ParentImage condition="is">C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe</ParentImage>
<Image condition="begin with">D:\Program Files\SplunkUniversalForwarder\bin\</Image>
<ParentImage condition="is">D:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</ParentImage>
<ParentImage condition="is">D:\Program Files\SplunkUniversalForwarder\bin\splunk.exe</ParentImage>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel -s StateRepository</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel</CommandLine>
<CommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k appmodel -p -s tiledatamodelsvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k camera -s FrameServer</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k dcomlaunch -s LSM</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k dcomlaunch -s PlugPlay</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k defragsvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k devicesflow -s DevicesFlowUserSvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k imgsvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s EventSystem</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s bthserv</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s nsi</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s w32Time</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s TimeBrokerSvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNoNetwork</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost</CommandLine>
<CommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted</CommandLine>
<CommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -p -s ncaSvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s BITS</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s Gpsvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s SENS</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s Themes</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s Dnscache</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s NlaSvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s TermService</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k rPCSS</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k secsvcs</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k swprv</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k unistackSvcGroup</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k utcsvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k wbioSvcGroup</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k werSvcGroup</CommandLine>
<CommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k wsappx -p -s ClipSVC</CommandLine>
<CommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k wsappx -p -s AppXSvc</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC</CommandLine>
<CommandLine condition="is">C:\Windows\system32\svchost.exe -k wsappx</CommandLine>
<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs</ParentCommandLine>
<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted</ParentCommandLine>
<Image condition="is">C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe</Image>
<Image condition="is">C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmopExtIns32.exe</Image>
<Image condition="is">C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmExtIns.exe</Image>
<Image condition="is">C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmListen.exe</Image>
<Image condition="begin with">C:\Program Files\Windows Defender\</Image>
<Image condition="is">C:\Windows\system32\MpSigStub.exe</Image>
<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_</Image>
<Image condition="is">C:\Program Files\Microsoft Security Client\MpCmdRun.exe</Image>
<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine>
<CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine>
<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image>
<Image condition="is">C:\Windows\System32\MusNotification.exe</Image>
<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image>
<Image condition="is">C:\Windows\System32\audiodg.exe</Image>
<Image condition="is">C:\Windows\System32\conhost.exe</Image>
<Image condition="is">C:\Windows\System32\powercfg.exe</Image>
<Image condition="is">C:\Windows\System32\wbem\WmiApSrv.exe</Image>
<Image condition="is">C:\Windows\System32\wermgr.exe</Image>
<Image condition="is">C:\Windows\SysWOW64\wermgr.exe</Image>
<Image condition="is">C:\Windows\system32\sppsvc.exe</Image>
<IntegrityLevel condition="is">AppContainer</IntegrityLevel>
<ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine>
<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage>
</ProcessCreate>
</RuleGroup>
<RuleGroup groupRelation="or">
<FileCreate onmatch="exclude">
<Image condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</Image>
<Image condition="is">C:\Windows\system32\igfxCUIService.exe</Image>
<Image condition="is">C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe</Image>
<Image condition="is">C:\Program Files (x86)\RES Software\Workspace Manager\pfwsmgr.exe</Image>
<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image>
<Image condition="is">C:\Windows\System32\smss.exe</Image>
<Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image>
<Image condition="is">C:\Windows\system32\wbem\WMIADAP.EXE</Image>
<TargetFilename condition="begin with">C:\Windows\System32\DriverStore\Temp\</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\System32\wbem\Performance\</TargetFilename>
<TargetFilename condition="end with">WRITABLE.TST</TargetFilename>
<TargetFilename condition="contains">\AppData\Roaming\Microsoft\Windows\Recent\</TargetFilename>
<TargetFilename condition="begin with">C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\</TargetFilename>
<Image condition="begin with">C:\WINDOWS\winsxs\amd64_microsoft-windows</Image>
<Image condition="is">c:\Program Files\Microsoft Security Client\MsMpEng.exe</Image>
<Image condition="is">c:\windows\system32\provtool.exe</Image>
<Image condition="is">C:\WINDOWS\CCM\CcmExec.exe</Image>
<TargetFilename condition="begin with">C:\Windows\CCM</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\System32\Tasks\Microsoft\Windows\PLA\FabricTraces</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant</TargetFilename>
<Image condition="is">C:\WINDOWS\system32\svchost.exe</Image>
</FileCreate>
</RuleGroup>
<RuleGroup groupRelation="or">
<PipeEvent onmatch="include">
<PipeName name="T1077 Windows Admin Shares" condition="begin with">\atsvc</PipeName>
<PipeName name="T1077 Windows Admin Shares" condition="begin with">\msagent_</PipeName>
<PipeName name="T1077 Windows Admin Shares" condition="begin with">\msf-pipe</PipeName>
<PipeName name="T1077 Windows Admin Shares" condition="begin with">\PSEXESVC</PipeName>
<PipeName name="T1049 System Network Connections Discovery" condition="begin with">\srvsvc</PipeName>
<PipeName name="T1033 System Owner/User Discovery" condition="begin with">\winreg</PipeName>
</PipeEvent>
</RuleGroup>
<RuleGroup groupRelation="or">
<FileCreateTime onmatch="exclude">
<Image condition="end with">AppData\Local\Google\Chrome\Application\chrome.exe</Image>
<Image condition="end with">Root\VFS\ProgramFilesX86\Google\Chrome\Application\chrome.exe</Image>
<Image condition="image">OneDrive.exe</Image>
<Image condition="contains">setup</Image>
</FileCreateTime>
</RuleGroup>
<RuleGroup groupRelation="or">
<ProcessAccess onmatch="exclude">
<SourceImage condition="is">C:\Windows\CarbonBlack\cb.exe</SourceImage>
<SourceImage condition="is">c:\Program Files\Couchbase\Server\bin\sigar_port.exe</SourceImage>
<SourceImage condition="is">C:\Program Files (x86)\Ivanti\Workspace Control\cpushld.exe</SourceImage>
<SourceImage condition="is">C:\Program Files (x86)\RES Software\Workspace Manager\cpushld.exe</SourceImage>
<SourceImage condition="is">C:\Program Files\Ivanti\Workspace Control\cpushld.exe</SourceImage>
<SourceImage condition="is">C:\Program Files\RES Software\Workspace Manager\cpushld.exe</SourceImage>
<SourceImage condition="end with">wmiprvse.exe</SourceImage>
<SourceImage condition="end with">GoogleUpdate.exe</SourceImage>
<SourceImage condition="end with">LTSVC.exe</SourceImage>
<SourceImage condition="end with">taskmgr.exe</SourceImage>
<SourceImage condition="end with">VBoxService.exe</SourceImage>
<SourceImage condition="end with">vmtoolsd.exe</SourceImage>
<SourceImage condition="end with">\Citrix\System32\wfshell.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\lsm.exe</SourceImage>
<SourceImage condition="end with">Microsoft.Identity.AadConnect.Health.AadSync.Host.exe</SourceImage>
<SourceImage condition="begin with">C:\Program Files (x86)\Symantec\Symantec Endpoint Protection</SourceImage>
<GrantedAccess>0x1000</GrantedAccess>
<GrantedAccess>0x1400</GrantedAccess>
<GrantedAccess>0x101400</GrantedAccess>
<GrantedAccess>0x101000</GrantedAccess>
<SourceImage condition="is">C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\mfeesp.exe</SourceImage>
<SourceImage condition="is">C:\Program Files\McAfee\Agent\x86\macompatsvc.exe</SourceImage>
<SourceImage condition="is">C:\Program Files\Microsoft Security Client\MsMpEng.exe</SourceImage>
<SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
<SourceImage condition="is">C:\Program Files (x86)\Mobatek\MobaXterm\MobaXterm.exe</SourceImage>
<SourceImage condition="is">C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe</SourceImage>
<SourceImage condition="is">C:\WINDOWS\CCM\CcmExec.exe</SourceImage>
<SourceImage condition="is">C:\Program Files (x86)\VMware\VMWare Player\vmware-authd.exe</SourceImage>
<SourceImage condition="is">C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe</SourceImage>
<SourceImage condition="is">C:\Program Files\WinZip\FAHWindow64.exe</SourceImage>
</ProcessAccess>
</RuleGroup>
</EventFiltering>
</Sysmon>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment