Updated after successful CICD run 09/20/2023 07:33:02 UTC

Updated after successful CICD run 09/20/2023 07:33:02 UTC · olafhartong/sysmon-modular@a9ff298

6 files changed

lines changed

Original file line number	Diff line number	Diff line change
`@@ -330,6 +330,22 @@`
`330`	`330`	`<Image condition="contains all"> C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe</Image>`
`331`	`331`	`<ImageLoaded condition="contains all">C:\Users\;\AppData\Local\Microsoft\OneDrive\;\FileCoAuth.exe</ImageLoaded>`
`332`	`332`	`</Rule>`
	`333`	`+<Rule groupRelation="and">`
	`334`	`+<Image condition="is">C:\Windows\System32\svchost.exe</Image>`
	`335`	`+<ImageLoaded condition="is">C:\Windows\System32\netapi32.dll</ImageLoaded>`
	`336`	`+</Rule>`
	`337`	`+<Rule groupRelation="and">`
	`338`	`+<Image condition="is">C:\Windows\System32\svchost.exe</Image>`
	`339`	`+<ImageLoaded condition="is">C:\Windows\System32\msvcp110_win.dll</ImageLoaded>`
	`340`	`+</Rule>`
	`341`	`+<Rule groupRelation="and">`
	`342`	`+<Image condition="is">C:\Windows\System32\svchost.exe</Image>`
	`343`	`+<ImageLoaded condition="is">C:\Windows\System32\dsreg.dll</ImageLoaded>`
	`344`	`+</Rule>`
	`345`	`+<Rule groupRelation="and">`
	`346`	`+<Image condition="is">C:\Windows\System32\svchost.exe</Image>`
	`347`	`+<ImageLoaded condition="is">C:\Windows\System32\perfctrs.dll</ImageLoaded>`
	`348`	`+</Rule>`
`333`	`349`	`</ImageLoad>`
`334`	`350`	`</RuleGroup>`
`335`	`351`	`<!-- Event ID 8 == CreateRemoteThread - Excludes -->`
`@@ -365,6 +381,12 @@`
`365`	`381`	`<SourceImage condition="is">C:\Program Files\Adobe\Adobe Photoshop 2021\Photoshop.exe</SourceImage>`
`366`	`382`	`<TargetImage condition="begin with">C:\Program Files\Autodesk\Autodesk Desktop App</TargetImage>`
`367`	`383`	`<TargetImage condition="begin with">C:\Program Files (x86)\Autodesk\Autodesk Desktop App</TargetImage>`
	`384`	`+<Rule groupRelation="and">`
	`385`	`+<SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe</SourceImage>`
	`386`	`+<TargetImage condition="is">C:\Windows\system32\cscript.exe</TargetImage>`
	`387`	`+</Rule>`
	`388`	`+<SourceImage condition="contains all">C:\WindowsAzure\GuestAgent_;CollectGuestLogs.exe</SourceImage>`
	`389`	`+<SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe</SourceImage>`
`368`	`390`	`<SourceImage condition="is">C:\Windows\CarbonBlack\cb.exe</SourceImage>`
`369`	`391`	`<Rule name="Exclude Chrome SW Reporter into Reporter" groupRelation="and">`
`370`	`392`	`<SourceImage condition="image">software_reporter_tool.exe</SourceImage>`
`@@ -384,6 +406,8 @@`
`384`	`406`	`<SourceImage condition="contains all">C:\Users\;\AppData\Local\Citrix\ICA Client\receiver\Receiver.exe</SourceImage>`
`385`	`407`	`<SourceImage condition="is">C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe</SourceImage>`
`386`	`408`	`<SourceImage condition="is">c:\Program Files\Couchbase\Server\bin\sigar_port.exe</SourceImage>`
	`409`	`+<SourceImage condition="is">C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe</SourceImage>`
	`410`	`+<SourceImage condition="contains all">C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\;\OpenHandleCollector.exe</SourceImage>`
`387`	`411`	`<SourceImage condition="contains all">C:\Program Files\Elastic\Agent\data\;\metricbeat.exe</SourceImage>`
`388`	`412`	`<SourceImage condition="contains all">C:\Program Files;\FireEye\xagt\xagt.exe</SourceImage>`
`389`	`413`	`<SourceImage condition="is">C:\Program Files (x86)\Ivanti\Workspace Control\cpushld.exe</SourceImage>`

Original file line number	Diff line number	Diff line change
`@@ -906,6 +906,22 @@`
`906`	`906`	`<Image condition="contains all"> C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe</Image>`
`907`	`907`	`<ImageLoaded condition="contains all">C:\Users\;\AppData\Local\Microsoft\OneDrive\;\FileCoAuth.exe</ImageLoaded>`
`908`	`908`	`</Rule>`
	`909`	`+<Rule groupRelation="and">`
	`910`	`+<Image condition="is">C:\Windows\System32\svchost.exe</Image>`
	`911`	`+<ImageLoaded condition="is">C:\Windows\System32\netapi32.dll</ImageLoaded>`
	`912`	`+</Rule>`
	`913`	`+<Rule groupRelation="and">`
	`914`	`+<Image condition="is">C:\Windows\System32\svchost.exe</Image>`
	`915`	`+<ImageLoaded condition="is">C:\Windows\System32\msvcp110_win.dll</ImageLoaded>`
	`916`	`+</Rule>`
	`917`	`+<Rule groupRelation="and">`
	`918`	`+<Image condition="is">C:\Windows\System32\svchost.exe</Image>`
	`919`	`+<ImageLoaded condition="is">C:\Windows\System32\dsreg.dll</ImageLoaded>`
	`920`	`+</Rule>`
	`921`	`+<Rule groupRelation="and">`
	`922`	`+<Image condition="is">C:\Windows\System32\svchost.exe</Image>`
	`923`	`+<ImageLoaded condition="is">C:\Windows\System32\perfctrs.dll</ImageLoaded>`
	`924`	`+</Rule>`
`909`	`925`	`</ImageLoad>`
`910`	`926`	`</RuleGroup>`
`911`	`927`	`<!-- Event ID 8 == CreateRemoteThread - Sysmon will not provide notable additional visibility over MDE. -->`
`@@ -1020,6 +1036,12 @@`
`1020`	`1036`	`<SourceImage condition="is">C:\Program Files\Adobe\Adobe Photoshop 2021\Photoshop.exe</SourceImage>`
`1021`	`1037`	`<TargetImage condition="begin with">C:\Program Files\Autodesk\Autodesk Desktop App</TargetImage>`
`1022`	`1038`	`<TargetImage condition="begin with">C:\Program Files (x86)\Autodesk\Autodesk Desktop App</TargetImage>`
	`1039`	`+<Rule groupRelation="and">`
	`1040`	`+<SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe</SourceImage>`
	`1041`	`+<TargetImage condition="is">C:\Windows\system32\cscript.exe</TargetImage>`
	`1042`	`+</Rule>`
	`1043`	`+<SourceImage condition="contains all">C:\WindowsAzure\GuestAgent_;CollectGuestLogs.exe</SourceImage>`
	`1044`	`+<SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe</SourceImage>`
`1023`	`1045`	`<SourceImage condition="is">C:\Windows\CarbonBlack\cb.exe</SourceImage>`
`1024`	`1046`	`<Rule name="Exclude Chrome SW Reporter into Reporter" groupRelation="and">`
`1025`	`1047`	`<SourceImage condition="image">software_reporter_tool.exe</SourceImage>`
`@@ -1039,6 +1061,8 @@`
`1039`	`1061`	`<SourceImage condition="contains all">C:\Users\;\AppData\Local\Citrix\ICA Client\receiver\Receiver.exe</SourceImage>`
`1040`	`1062`	`<SourceImage condition="is">C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe</SourceImage>`
`1041`	`1063`	`<SourceImage condition="is">c:\Program Files\Couchbase\Server\bin\sigar_port.exe</SourceImage>`
	`1064`	`+<SourceImage condition="is">C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe</SourceImage>`
	`1065`	`+<SourceImage condition="contains all">C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\;\OpenHandleCollector.exe</SourceImage>`
`1042`	`1066`	`<SourceImage condition="contains all">C:\Program Files\Elastic\Agent\data\;\metricbeat.exe</SourceImage>`
`1043`	`1067`	`<SourceImage condition="contains all">C:\Program Files;\FireEye\xagt\xagt.exe</SourceImage>`
`1044`	`1068`	`<SourceImage condition="is">C:\Program Files (x86)\Ivanti\Workspace Control\cpushld.exe</SourceImage>`

Original file line number	Diff line number	Diff line change
`@@ -1112,6 +1112,22 @@`
`1112`	`1112`	`<Image condition="contains all"> C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe</Image>`
`1113`	`1113`	`<ImageLoaded condition="contains all">C:\Users\;\AppData\Local\Microsoft\OneDrive\;\FileCoAuth.exe</ImageLoaded>`
`1114`	`1114`	`</Rule>`
	`1115`	`+<Rule groupRelation="and">`
	`1116`	`+<Image condition="is">C:\Windows\System32\svchost.exe</Image>`
	`1117`	`+<ImageLoaded condition="is">C:\Windows\System32\netapi32.dll</ImageLoaded>`
	`1118`	`+</Rule>`
	`1119`	`+<Rule groupRelation="and">`
	`1120`	`+<Image condition="is">C:\Windows\System32\svchost.exe</Image>`
	`1121`	`+<ImageLoaded condition="is">C:\Windows\System32\msvcp110_win.dll</ImageLoaded>`
	`1122`	`+</Rule>`
	`1123`	`+<Rule groupRelation="and">`
	`1124`	`+<Image condition="is">C:\Windows\System32\svchost.exe</Image>`
	`1125`	`+<ImageLoaded condition="is">C:\Windows\System32\dsreg.dll</ImageLoaded>`
	`1126`	`+</Rule>`
	`1127`	`+<Rule groupRelation="and">`
	`1128`	`+<Image condition="is">C:\Windows\System32\svchost.exe</Image>`
	`1129`	`+<ImageLoaded condition="is">C:\Windows\System32\perfctrs.dll</ImageLoaded>`
	`1130`	`+</Rule>`
`1115`	`1131`	`</ImageLoad>`
`1116`	`1132`	`</RuleGroup>`
`1117`	`1133`	`<!-- Event ID 8 == CreateRemoteThread - Excludes -->`
`@@ -1237,6 +1253,12 @@`
`1237`	`1253`	`<SourceImage condition="is">C:\Program Files\Adobe\Adobe Photoshop 2021\Photoshop.exe</SourceImage>`
`1238`	`1254`	`<TargetImage condition="begin with">C:\Program Files\Autodesk\Autodesk Desktop App</TargetImage>`
`1239`	`1255`	`<TargetImage condition="begin with">C:\Program Files (x86)\Autodesk\Autodesk Desktop App</TargetImage>`
	`1256`	`+<Rule groupRelation="and">`
	`1257`	`+<SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe</SourceImage>`
	`1258`	`+<TargetImage condition="is">C:\Windows\system32\cscript.exe</TargetImage>`
	`1259`	`+</Rule>`
	`1260`	`+<SourceImage condition="contains all">C:\WindowsAzure\GuestAgent_;CollectGuestLogs.exe</SourceImage>`
	`1261`	`+<SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe</SourceImage>`
`1240`	`1262`	`<SourceImage condition="is">C:\Windows\CarbonBlack\cb.exe</SourceImage>`
`1241`	`1263`	`<Rule name="Exclude Chrome SW Reporter into Reporter" groupRelation="and">`
`1242`	`1264`	`<SourceImage condition="image">software_reporter_tool.exe</SourceImage>`
`@@ -1256,6 +1278,8 @@`
`1256`	`1278`	`<SourceImage condition="contains all">C:\Users\;\AppData\Local\Citrix\ICA Client\receiver\Receiver.exe</SourceImage>`
`1257`	`1279`	`<SourceImage condition="is">C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe</SourceImage>`
`1258`	`1280`	`<SourceImage condition="is">c:\Program Files\Couchbase\Server\bin\sigar_port.exe</SourceImage>`
	`1281`	`+<SourceImage condition="is">C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe</SourceImage>`
	`1282`	`+<SourceImage condition="contains all">C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\;\OpenHandleCollector.exe</SourceImage>`
`1259`	`1283`	`<SourceImage condition="contains all">C:\Program Files\Elastic\Agent\data\;\metricbeat.exe</SourceImage>`
`1260`	`1284`	`<SourceImage condition="contains all">C:\Program Files;\FireEye\xagt\xagt.exe</SourceImage>`
`1261`	`1285`	`<SourceImage condition="is">C:\Program Files (x86)\Ivanti\Workspace Control\cpushld.exe</SourceImage>`

Original file line number	Diff line number	Diff line change
`@@ -1112,6 +1112,22 @@`
`1112`	`1112`	`<Image condition="contains all"> C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe</Image>`
`1113`	`1113`	`<ImageLoaded condition="contains all">C:\Users\;\AppData\Local\Microsoft\OneDrive\;\FileCoAuth.exe</ImageLoaded>`
`1114`	`1114`	`</Rule>`
	`1115`	`+<Rule groupRelation="and">`
	`1116`	`+<Image condition="is">C:\Windows\System32\svchost.exe</Image>`
	`1117`	`+<ImageLoaded condition="is">C:\Windows\System32\netapi32.dll</ImageLoaded>`
	`1118`	`+</Rule>`
	`1119`	`+<Rule groupRelation="and">`
	`1120`	`+<Image condition="is">C:\Windows\System32\svchost.exe</Image>`
	`1121`	`+<ImageLoaded condition="is">C:\Windows\System32\msvcp110_win.dll</ImageLoaded>`
	`1122`	`+</Rule>`
	`1123`	`+<Rule groupRelation="and">`
	`1124`	`+<Image condition="is">C:\Windows\System32\svchost.exe</Image>`
	`1125`	`+<ImageLoaded condition="is">C:\Windows\System32\dsreg.dll</ImageLoaded>`
	`1126`	`+</Rule>`
	`1127`	`+<Rule groupRelation="and">`
	`1128`	`+<Image condition="is">C:\Windows\System32\svchost.exe</Image>`
	`1129`	`+<ImageLoaded condition="is">C:\Windows\System32\perfctrs.dll</ImageLoaded>`
	`1130`	`+</Rule>`
`1115`	`1131`	`</ImageLoad>`
`1116`	`1132`	`</RuleGroup>`
`1117`	`1133`	`<!-- Event ID 8 == CreateRemoteThread - Excludes -->`
`@@ -1237,6 +1253,12 @@`
`1237`	`1253`	`<SourceImage condition="is">C:\Program Files\Adobe\Adobe Photoshop 2021\Photoshop.exe</SourceImage>`
`1238`	`1254`	`<TargetImage condition="begin with">C:\Program Files\Autodesk\Autodesk Desktop App</TargetImage>`
`1239`	`1255`	`<TargetImage condition="begin with">C:\Program Files (x86)\Autodesk\Autodesk Desktop App</TargetImage>`
	`1256`	`+<Rule groupRelation="and">`
	`1257`	`+<SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe</SourceImage>`
	`1258`	`+<TargetImage condition="is">C:\Windows\system32\cscript.exe</TargetImage>`
	`1259`	`+</Rule>`
	`1260`	`+<SourceImage condition="contains all">C:\WindowsAzure\GuestAgent_;CollectGuestLogs.exe</SourceImage>`
	`1261`	`+<SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe</SourceImage>`
`1240`	`1262`	`<SourceImage condition="is">C:\Windows\CarbonBlack\cb.exe</SourceImage>`
`1241`	`1263`	`<Rule name="Exclude Chrome SW Reporter into Reporter" groupRelation="and">`
`1242`	`1264`	`<SourceImage condition="image">software_reporter_tool.exe</SourceImage>`
`@@ -1256,6 +1278,8 @@`
`1256`	`1278`	`<SourceImage condition="contains all">C:\Users\;\AppData\Local\Citrix\ICA Client\receiver\Receiver.exe</SourceImage>`
`1257`	`1279`	`<SourceImage condition="is">C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe</SourceImage>`
`1258`	`1280`	`<SourceImage condition="is">c:\Program Files\Couchbase\Server\bin\sigar_port.exe</SourceImage>`
	`1281`	`+<SourceImage condition="is">C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe</SourceImage>`
	`1282`	`+<SourceImage condition="contains all">C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\;\OpenHandleCollector.exe</SourceImage>`
`1259`	`1283`	`<SourceImage condition="contains all">C:\Program Files\Elastic\Agent\data\;\metricbeat.exe</SourceImage>`
`1260`	`1284`	`<SourceImage condition="contains all">C:\Program Files;\FireEye\xagt\xagt.exe</SourceImage>`
`1261`	`1285`	`<SourceImage condition="is">C:\Program Files (x86)\Ivanti\Workspace Control\cpushld.exe</SourceImage>`