From 756431d654d424937a606e52a4c3ea87a1ee783b Mon Sep 17 00:00:00 2001
From: swachchhanda000
Date: Mon, 24 Mar 2025 10:34:23 +0545
Subject: [PATCH 1/8] Added new named pipes
---
sysmonconfig-export-block.xml | 30 ++++++++++++++++++++++++++----
sysmonconfig-export.xml | 29 ++++++++++++++++++++++++++---
2 files changed, 52 insertions(+), 7 deletions(-)
diff --git a/sysmonconfig-export-block.xml b/sysmonconfig-export-block.xml
index 00cf2ae8..f7a481ed 100644
--- a/sysmonconfig-export-block.xml
+++ b/sysmonconfig-export-block.xml
@@ -946,7 +946,6 @@
\netlogon_ \srvsvc_ \lsarpc_ - \wkssvc_ \demon_pipe
@@ -957,8 +956,6 @@
\mypipe-f \mypipe-h \windows.update.manager - \ntsvcs_ - \scerpc_ \demoagent_ \PGMessagePipe
@@ -970,6 +967,7 @@
\f53f \rpc_ \spoolss_ + \Winsock2\CatalogChangeListener \win_svc \SearchTextHarvester \adschemerpc
@@ -977,7 +975,15 @@
\bc367 \bc31a7 \testPipe - + \demoagent_ + + \adprinterpipe + + :\PerfLogs\ + :\Users\Public\ + :\Windows\System32\Tasks\ + :\Windows\Tasks\ + \scerpc \ntsvcs \wkssvc
@@ -987,6 +993,14 @@
ConnectPipe \MICROSOFT##WID\tsql\query + \coerced\ + thisispipe + \pipe\ + \imposecost;\imposingcost + \PAExec + \RemCom + \PSEXESVC + \PSEXECSVC
@@ -997,6 +1011,14 @@
\scerpc \ntsvcs \wkssvc + \MsFteWds + \PGMessagePipe + \SearchTextHarvester + \spoolss + \srvsvc + + \aurora-agent-64.exe + \aurora-agent.exe
diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 056b4171..a5453e1e 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -990,7 +990,6 @@
\netlogon_ \srvsvc_ \lsarpc_ - \wkssvc_ \demon_pipe
@@ -1001,8 +1000,6 @@
\mypipe-f \mypipe-h \windows.update.manager - \ntsvcs_ - \scerpc_ \demoagent_ \PGMessagePipe
@@ -1014,6 +1011,7 @@
\f53f \rpc_ \spoolss_ + \Winsock2\CatalogChangeListener \win_svc \SearchTextHarvester \adschemerpc
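Review bot: The path group added at `@@ -977,7 +975,15 @@` in sysmonconfig-export-block.xml does not contain `\Microsoft\Windows\Start Menu\Programs\Startup\`, while the twin hunk `@@ -1021,6 +1019,15 @@` in sysmonconfig-export.xml (next line of this page) adds it right after the same `:\PerfLogs\`, `:\Users\Public\`, `:\Windows\System32\Tasks\` and `:\Windows\Tasks\` entries. Both hunks add nine lines and the block-config hunk ends with an added line whose text is not visible in this rendering, so this may be a deliberate substitution rather than an omission, but it is the only place where the two files' pipe rules differ in this commit and every other hunk applies the same edit to both configs. Either add the Startup entry to the block config as well or leave a comment there naming why the block variant skips it. The element names and match conditions are stripped here, so I cannot see which PipeEvent field these drive-letter paths are matched against; a one-line comment per group stating the field, the condition and what the group is meant to catch or suppress would make future edits to both files safer.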
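Review bot: `\imposecost;\imposingcost` at `@@ -987,6 +993,14 @@` in sysmonconfig-export-block.xml (and the identical entry at `@@ -1032,6 +1039,14 @@` in sysmonconfig-export.xml on the next line) joins two pipe names with a semicolon, which only works if the rule's condition is one of the list forms such as `contains any`; under a plain `contains` or `is` condition the value is a single literal that no real pipe name will match. The condition is not visible in this rendering, so please verify it, or split the entry into `\imposecost` and `\imposingcost` as two rules in the style of the neighbouring `\PAExec` and `\RemCom` lines. In the same group `thisispipe` is the only value without a leading backslash; with a `contains` condition it still matches, but it is inconsistent with the rest of the list and worth either prefixing or annotating with the tool it refers to.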
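Review bot: `\aurora-agent-64.exe` and `\aurora-agent.exe` at `@@ -997,6 +1011,14 @@` in sysmonconfig-export-block.xml (and `@@ -1041,6 +1056,14 @@` in sysmonconfig-export.xml on the next line) are executable names rather than pipe names, so they presumably match the creating process's `Image` field, but whether the group they land in is an include or an exclude is not visible here. If it is an exclusion, a match on the file name alone is satisfied by any binary that carries that name, so keying the exclusion on the full install path is the narrower choice, and a comment such as `<!-- exclude the Aurora agent's own pipe activity; match on full path, the bare file name is not a reliable identity -->` would record the intent. The same hunk also adds `\PGMessagePipe` and `\SearchTextHarvester`, which already appear in the lists at `@@ -957,8 +956,6 @@` and `@@ -970,6 +967,7 @@`; if one of those lists is an include group and this one an exclude group, note that Sysmon lets an exclude match override an include match, so the second occurrence would silence the first. A short comment on each group naming its onmatch mode would remove that ambiguity for the next editor.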
@@ -1021,6 +1019,15 @@
\bc367 \bc31a7 \testPipe + \demoagent_ + + \adprinterpipe + + :\PerfLogs\ + :\Users\Public\ + :\Windows\System32\Tasks\ + :\Windows\Tasks\ + \Microsoft\Windows\Start Menu\Programs\Startup\ \scerpc \ntsvcs
@@ -1032,6 +1039,14 @@
ConnectPipe \MICROSOFT##WID\tsql\query + \coerced\ + thisispipe + \pipe\ + \imposecost;\imposingcost + \PAExec + \RemCom + \PSEXESVC + \PSEXECSVC
@@ -1041,6 +1056,14 @@
\scerpc \ntsvcs \wkssvc + \MsFteWds + \PGMessagePipe + \SearchTextHarvester + \spoolss + \srvsvc + + \aurora-agent-64.exe + \aurora-agent.exe
From ce3790794c0db44f80380f34518a4e9dd38bfb1d Mon Sep 17 00:00:00 2001
From: swachchhanda000
Date: Mon, 24 Mar 2025 10:42:23 +0545
Subject: [PATCH 2/8] metadata updated
---
sysmonconfig-export-block.xml | 4 ++++
sysmonconfig-export.xml | 3 +++
2 files changed, 7 insertions(+)
diff --git a/sysmonconfig-export-block.xml b/sysmonconfig-export-block.xml
index f7a481ed..83d06f6b 100644
--- a/sysmonconfig-export-block.xml
+++ b/sysmonconfig-export-block.xml
@@ -3,6 +3,7 @@
Source project: https://github.com/SwiftOnSecurity/sysmon-config Source license: Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text. + WARNING: THIS CONFIG INCLUDES BLOCKING RULES THAT MAY CAUSE ISSUES ENDSYSTEMS! Test this configuration intensively before using it on productive systems
@@ -10,6 +11,9 @@
REQUIRED: Sysmon version 14 or higher (due to changes in syntax and bug-fixes) https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon + + Forked project: https://github.com/Neo23x0/sysmon-config + Forked Last Updated: 2025-03-24 -->
diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index a5453e1e..96f92529 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -4,6 +4,9 @@
Source project: https://github.com/SwiftOnSecurity/sysmon-config Source license: Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text. + Forked project: https://github.com/Neo23x0/sysmon-config + Forked Last Updated: 2025-03-24 + REQUIRED: Sysmon version 13 or higher (due to changes in syntax and bug-fixes) https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
From 0ecd7626b7d0ef636012dbc2c1a1d680ec562a83 Mon Sep 17 00:00:00 2001
From: swachchhanda000
Date: Mon, 24 Mar 2025 10:54:47 +0545
Subject: [PATCH 3/8] fixed the indentation
---
sysmonconfig-export-block.xml | 42 +++++++++++++++++++++---------------------
sysmonconfig-export.xml | 46 +++++++++++++++++++++++-----------------------
2 files changed, 44 insertions(+), 44 deletions(-)
diff --git a/sysmonconfig-export-block.xml b/sysmonconfig-export-block.xml
index 83d06f6b..ac1fc406 100644
--- a/sysmonconfig-export-block.xml
+++ b/sysmonconfig-export-block.xml
@@ -971,7 +971,7 @@
\f53f \rpc_ \spoolss_ - \Winsock2\CatalogChangeListener + \Winsock2\CatalogChangeListener \win_svc \SearchTextHarvester \adschemerpc
@@ -981,12 +981,12 @@
\testPipe \demoagent_ - \adprinterpipe + \adprinterpipe - :\PerfLogs\ - :\Users\Public\ - :\Windows\System32\Tasks\ - :\Windows\Tasks\ + :\PerfLogs\ + :\Users\Public\ + :\Windows\System32\Tasks\ + :\Windows\Tasks\ \scerpc \ntsvcs
@@ -997,14 +997,14 @@
ConnectPipe \MICROSOFT##WID\tsql\query - \coerced\ - thisispipe - \pipe\ - \imposecost;\imposingcost - \PAExec - \RemCom - \PSEXESVC - \PSEXECSVC + \coerced\ + thisispipe + \pipe\ + \imposecost;\imposingcost + \PAExec + \RemCom + \PSEXESVC + \PSEXECSVC
@@ -1015,14 +1015,14 @@
\scerpc \ntsvcs \wkssvc - \MsFteWds - \PGMessagePipe - \SearchTextHarvester - \spoolss - \srvsvc + \MsFteWds + \PGMessagePipe + \SearchTextHarvester + \spoolss + \srvsvc - \aurora-agent-64.exe - \aurora-agent.exe + \aurora-agent-64.exe + \aurora-agent.exe
diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 96f92529..d8c69f0a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1014,7 +1014,7 @@
\f53f \rpc_ \spoolss_ - \Winsock2\CatalogChangeListener + \Winsock2\CatalogChangeListener \win_svc \SearchTextHarvester \adschemerpc
@@ -1022,15 +1022,15 @@
\bc367 \bc31a7 \testPipe - \demoagent_ + \demoagent_ - \adprinterpipe + \adprinterpipe - :\PerfLogs\ - :\Users\Public\ - :\Windows\System32\Tasks\ - :\Windows\Tasks\ - \Microsoft\Windows\Start Menu\Programs\Startup\ + :\PerfLogs\ + :\Users\Public\ + :\Windows\System32\Tasks\ + :\Windows\Tasks\ + \Microsoft\Windows\Start Menu\Programs\Startup\ \scerpc \ntsvcs
@@ -1042,14 +1042,14 @@
ConnectPipe \MICROSOFT##WID\tsql\query - \coerced\ - thisispipe - \pipe\ - \imposecost;\imposingcost - \PAExec - \RemCom - \PSEXESVC - \PSEXECSVC + \coerced\ + thisispipe + \pipe\ + \imposecost;\imposingcost + \PAExec + \RemCom + \PSEXESVC + \PSEXECSVC
@@ -1059,14 +1059,14 @@
\scerpc \ntsvcs \wkssvc - \MsFteWds - \PGMessagePipe - \SearchTextHarvester - \spoolss - \srvsvc + \MsFteWds + \PGMessagePipe + \SearchTextHarvester + \spoolss + \srvsvc - \aurora-agent-64.exe - \aurora-agent.exe + \aurora-agent-64.exe + \aurora-agent.exe
From 10cf690465d216750670deacd00c7f57ce92b546 Mon Sep 17 00:00:00 2001
From: swachchhanda000
Date: Mon, 24 Mar 2025 10:56:20 +0545
Subject: [PATCH 4/8] fixed indentation - 2
---
sysmonconfig-export-block.xml | 4 ++--
sysmonconfig-export.xml | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/sysmonconfig-export-block.xml b/sysmonconfig-export-block.xml
index ac1fc406..a20177aa 100644
--- a/sysmonconfig-export-block.xml
+++ b/sysmonconfig-export-block.xml
@@ -12,8 +12,8 @@
REQUIRED: Sysmon version 14 or higher (due to changes in syntax and bug-fixes) https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon - Forked project: https://github.com/Neo23x0/sysmon-config - Forked Last Updated: 2025-03-24 + Forked project: https://github.com/Neo23x0/sysmon-config + Forked Last Updated: 2025-03-24 -->
diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index d8c69f0a..e7394f6c 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -4,8 +4,8 @@
Source project: https://github.com/SwiftOnSecurity/sysmon-config Source license: Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text. - Forked project: https://github.com/Neo23x0/sysmon-config - Forked Last Updated: 2025-03-24 + Forked project: https://github.com/Neo23x0/sysmon-config + Forked Last Updated: 2025-03-24 REQUIRED: Sysmon version 13 or higher (due to changes in syntax and bug-fixes) https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
From 7ad57da9187f52a9130470f7e426b66d6289d023 Mon Sep 17 00:00:00 2001
From: swachchhanda000
Date: Mon, 24 Mar 2025 10:57:45 +0545
Subject: [PATCH 5/8] typo issue
---
sysmonconfig-export-block.xml | 2 +-
sysmonconfig-export.xml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/sysmonconfig-export-block.xml b/sysmonconfig-export-block.xml
index a20177aa..5d45f363 100644
--- a/sysmonconfig-export-block.xml
+++ b/sysmonconfig-export-block.xml
@@ -13,7 +13,7 @@
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon Forked project: https://github.com/Neo23x0/sysmon-config - Forked Last Updated: 2025-03-24 + Fork Last Updated: 2025-03-24 -->
diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index e7394f6c..05681e65 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -5,7 +5,7 @@
Source license: Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text. Forked project: https://github.com/Neo23x0/sysmon-config - Forked Last Updated: 2025-03-24 + Fork Last Updated: 2025-03-24 REQUIRED: Sysmon version 13 or higher (due to changes in syntax and bug-fixes) https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
From a5225b759cdd6472e75cbfb76b1f302a0b1cadad Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Wed, 2 Jul 2025 16:49:34 +0545
Subject: [PATCH 6/8] Apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
sysmonconfig-export-block.xml | 4 ----
sysmonconfig-export.xml | 3 ---
2 files changed, 7 deletions(-)
diff --git a/sysmonconfig-export-block.xml b/sysmonconfig-export-block.xml
index 5d45f363..0bf43bf9 100644
--- a/sysmonconfig-export-block.xml
+++ b/sysmonconfig-export-block.xml
@@ -3,7 +3,6 @@
Source project: https://github.com/SwiftOnSecurity/sysmon-config Source license: Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text. - WARNING: THIS CONFIG INCLUDES BLOCKING RULES THAT MAY CAUSE ISSUES ENDSYSTEMS! Test this configuration intensively before using it on productive systems
@@ -11,9 +10,6 @@
REQUIRED: Sysmon version 14 or higher (due to changes in syntax and bug-fixes) https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon - - Forked project: https://github.com/Neo23x0/sysmon-config - Fork Last Updated: 2025-03-24 -->
diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 05681e65..d8e517c3 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -4,9 +4,6 @@
Source project: https://github.com/SwiftOnSecurity/sysmon-config Source license: Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text. - Forked project: https://github.com/Neo23x0/sysmon-config - Fork Last Updated: 2025-03-24 - REQUIRED: Sysmon version 13 or higher (due to changes in syntax and bug-fixes) https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
From c0039102d035cdf24420004e075218d1afeb3f47 Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Wed, 2 Jul 2025 17:18:54 +0545
Subject: [PATCH 7/8] Apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
sysmonconfig-export-block.xml | 1 -
sysmonconfig-export.xml | 1 -
2 files changed, 2 deletions(-)
diff --git a/sysmonconfig-export-block.xml b/sysmonconfig-export-block.xml
index 0bf43bf9..84efe15a 100644
--- a/sysmonconfig-export-block.xml
+++ b/sysmonconfig-export-block.xml
@@ -975,7 +975,6 @@
\bc367 \bc31a7 \testPipe - \demoagent_ \adprinterpipe
diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index d8e517c3..73610206 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -1019,7 +1019,6 @@
\bc367 \bc31a7 \testPipe - \demoagent_ \adprinterpipe
From 026883f36b5ec1cd705faa1823c315c12604cbb6 Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Wed, 2 Jul 2025 17:20:09 +0545
Subject: [PATCH 8/8] Update sysmonconfig-export-block.xml
---
sysmonconfig-export-block.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sysmonconfig-export-block.xml b/sysmonconfig-export-block.xml
index 84efe15a..9f4489cf 100644
--- a/sysmonconfig-export-block.xml
+++ b/sysmonconfig-export-block.xml
@@ -992,6 +992,7 @@
ConnectPipe \MICROSOFT##WID\tsql\query + \coerced\ thisispipe \pipe\
@@ -1000,7 +1001,6 @@
\RemCom \PSEXESVC \PSEXECSVC -