sysmon-config
Sysmon configuration file template with default high-quality event tracing
As mentioned in the DFIR Report, other techniques might be used to disable the Defender Real-Time Protection mechanism. So in this PR, I want to use a general condition for monitor...
test
If using Splunk Universal Forwarders for sending events to Splunk, the Splunk processes are very noisy. This will tune those out so that a default config will not log that...
Matches registry events that change the URL value for the WebView of Outlook, which could enable persistence for hackers. Ref: https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
The path works for all 4 types of exclusions.
Running Windows Server 2019 (1809) on physical hardware. Installed Sysmon64 on this domain controller. After a while I started seeing EventID 1001's, many of them, about every 20 seconds. So...
Hi, according to the Cobalt Strike documentation (https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/) and some tests, I suggest adding a named pipe used by Cobalt Strike. Taking into account how widely Cobalt Strike is used today, adding...
Example for the FileDelete event is not correct, this diff fixes it.
Thanks for all the hard work this is awesome. I added the WinRM ports 5985,5986 for Event ID 3 and I believe I corrected the Metasploit port. The default port...