sysmon-config
Evasion Technique Enhancements
Just an example of a bypass technique that I'll commonly use: on 64-bit platforms there is the SysWOW64 directory, which is the 32-bit compatibility layer for Windows 64-bit platforms. In the current configs, for things like wmiprvse (specifically in the ProcessCreate section), and essentially any rule where the path is specified for system32, if I call the 32-bit version of it, Sysmon wouldn't trigger off of those. You could still copy the binary to a different location, but at least with these two you cover both major locations.
```xml
<CommandLine condition="contains">wmiprvse.exe -secured -Embedding</CommandLine>
```
As an example, using `contains` instead, and rather than limiting it to system32, just removing the full path from the rulesets.
Just a suggestion!
-Dave
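To make the coverage gap concrete, here is an added example (not code from the sysmon-config repository or from the issue author) that evaluates a full-path rule and the path-free `contains` rule from the issue against constructed ProcessCreate events for the System32 and SysWOW64 copies of WmiPrvSE. The full-path rule text is a hypothetical stand-in for a rule that pins the System32 path, and the small matcher implements only the Sysmon conditions it needs.

```python
"""Compare a full-path Sysmon rule with the path-agnostic form from the issue."""
import xml.etree.ElementTree as ET

# Constructed rule fragments. RULE_FULLPATH is a hypothetical rule that pins the
# System32 path; RULE_CONTAINS is the path-free form suggested in the issue.
RULE_FULLPATH = '<Image condition="is">C:\\Windows\\System32\\wbem\\WmiPrvSE.exe</Image>'
RULE_CONTAINS = '<CommandLine condition="contains">wmiprvse.exe -secured -Embedding</CommandLine>'

# Constructed ProcessCreate events: the 64-bit binary and its SysWOW64 (32-bit) twin.
EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    {"Image": r"C:\Windows\SysWOW64\wbem\WmiPrvSE.exe",
     "CommandLine": r"C:\Windows\SysWOW64\wbem\wmiprvse.exe -secured -Embedding"},
]


def matches(rule_xml, event):
    """Evaluate one Sysmon field rule against an event (Sysmon compares case-insensitively)."""
    rule = ET.fromstring(rule_xml)
    cond = rule.get("condition", "is")
    want = (rule.text or "").lower()
    have = event.get(rule.tag, "").lower()
    if cond == "is":
        return have == want
    if cond == "contains":
        return want in have
    if cond == "begin with":
        return have.startswith(want)
    if cond == "end with":
        return have.endswith(want)
    raise ValueError(f"unsupported condition: {cond}")


def coverage(rule_xml, events=EVENTS):
    """Return the Image paths the rule fires on, so the gap between rules is visible."""
    return [e["Image"] for e in events if matches(rule_xml, e)]


if __name__ == "__main__":
    for name, rule in (("full path", RULE_FULLPATH), ("contains", RULE_CONTAINS)):
        print(f"{name}: {coverage(rule)}")
```

The full-path rule fires only on the System32 event, while the `contains` rule fires on both, which is the coverage the issue is asking for.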