
Sysmon configuration file template with default high-quality event tracing

Results 82 sysmon-config issues

As mentioned in the DFIR Report, other techniques might be used to disable the Defender Real-Time Protection mechanism. So in this PR, I want to use a general condition for monitor...

If using Splunk Universal Forwarders for sending events to Splunk, the Splunk processes are very noisy. This will tune those out so that a default config will not log that...

Matches registry events that change the URL value for the WebView of Outlook, which could enable persistence for hackers. Ref: https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70

Running Windows Server 2019 (1809) on physical hardware. Installed Sysmon64 on this domain controller. After a while I started seeing EventID 1001's, many of them, about every 20 seconds. So...

Hi, according to the Cobalt Strike documentation (https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/) and some tests, I suggest adding a named pipe used by Cobalt Strike. Taking into account how widely Cobalt Strike is used today, adding...

Example for the FileDelete event is not correct, this diff fixes it.

Thanks for all the hard work, this is awesome. I added the WinRM ports 5985,5986 for Event ID 3 and I believe I corrected the Metasploit port. The default port...