0

I am creating a sysmon configuration to implement in my lab environment. This environment is used to build replica networks for troubleshooting problems and testing different software. I have created this sysmon configuration file to monitor the lab.

<Sysmon schemaversion="4.50">
  <HashAlgorithms>md5,sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Process Creation -->
      <ProcessCreate onmatch="include">
        <CommandLine condition="contains"> </CommandLine>
      </ProcessCreate>

      <!-- Process Termination -->
      <ProcessTerminate onmatch="include" />

      <!-- File Creation -->
      <FileCreateStreamHash onmatch="include">
        <Image condition="is">*</Image>
      </FileCreateStreamHash>
      
      <!-- File Deletion -->
      <FileDelete onmatch="include">
        <TargetFilename condition="is">*</TargetFilename>
      </FileDelete>

      <!-- Network Connection -->
      <NetworkConnect onmatch="include" />

      <!-- Registry Changes -->
      <RegistryEvent onmatch="include">
        <TargetObject condition="contains">HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces</TargetObject>
        <Details condition="contains">SetValueKey</Details>
      </RegistryEvent>

      <!-- Process Tampering Events -->
      <ProcessTampering onmatch="include" />

      <!-- Driver Loaded -->
      <DriverLoad onmatch="include" />

      <!-- Create Remote Thread -->
      <CreateRemoteThread onmatch="include" />

      <!-- Raw Access Read -->
      <RawAccessRead onmatch="include" />

      <!-- Pipe Created Event -->
      <PipeEvent onmatch="include" />

      <!-- WMI Event -->
      <WmiEvent onmatch="include" />

      <!-- DNS Events -->
      <DnsQuery onmatch="include" />

      <!-- File Creation Time -->
      <FileCreateTime onmatch="include" />

      <!-- Process Changed -->
      <ProcessTampering onmatch="include" />

      <!-- Monitoring Logs -->
      <FileCreate onmatch="include">
        <TargetFilename condition="contains">log</TargetFilename>
      </FileCreate>

      <!-- Monitoring Registry files -->
      <RegistryEvent onmatch="include">
        <TargetObject condition="contains">HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces</TargetObject>
        <Details condition="contains">SetValueKey</Details>
      </RegistryEvent>

      <!-- Monitoring common malware hiding places -->
      <FileCreate onmatch="include">
        <TargetFilename condition="contains">AppData\Local\Temp</TargetFilename>
      </FileCreate>
      <FileCreate onmatch="include">
        <TargetFilename condition="contains">ProgramData\Microsoft\Crypto\RSA\MachineKeys</TargetFilename>
      </FileCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

Can any Microsoft wizards out there look it over for me and let me know if this looks sufficient and point me in a direction of how I should fine tune this config for my use case if not.

Thanks all!

teck223
  • 1
  • 1

0 Answers0