
Commit a9ff298

author
Azure Pipeline
committed
Updated after successful CICD run 09/20/2023 07:33:02 UTC
1 parent 5cd2c60 commit a9ff298

6 files changed

+96
-0
lines changed
284 Bytes
Binary file not shown.
284 Bytes
Binary file not shown.

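--- a/sysmonconfig-excludes-only.xml
+++ b/sysmonconfig-excludes-only.xml
@@ -330,6 +330,22 @@
 <Image condition="contains all"> C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe</Image>
 <ImageLoaded condition="contains all">C:\Users\;\AppData\Local\Microsoft\OneDrive\;\FileCoAuth.exe</ImageLoaded>
 </Rule>
+<Rule groupRelation="and">
+<Image condition="is">C:\Windows\System32\svchost.exe</Image>
+<ImageLoaded condition="is">C:\Windows\System32\netapi32.dll</ImageLoaded>
+</Rule>
+<Rule groupRelation="and">
+<Image condition="is">C:\Windows\System32\svchost.exe</Image>
+<ImageLoaded condition="is">C:\Windows\System32\msvcp110_win.dll</ImageLoaded>
+</Rule>
+<Rule groupRelation="and">
+<Image condition="is">C:\Windows\System32\svchost.exe</Image>
+<ImageLoaded condition="is">C:\Windows\System32\dsreg.dll</ImageLoaded>
+</Rule>
+<Rule groupRelation="and">
+<Image condition="is">C:\Windows\System32\svchost.exe</Image>
+<ImageLoaded condition="is">C:\Windows\System32\perfctrs.dll</ImageLoaded>
+</Rule>
 </ImageLoad>
 </RuleGroup>
 <!-- Event ID 8 == CreateRemoteThread - Excludes -->
@@ -365,6 +381,12 @@
 <SourceImage condition="is">C:\Program Files\Adobe\Adobe Photoshop 2021\Photoshop.exe</SourceImage>
 <TargetImage condition="begin with">C:\Program Files\Autodesk\Autodesk Desktop App</TargetImage>
 <TargetImage condition="begin with">C:\Program Files (x86)\Autodesk\Autodesk Desktop App</TargetImage>
+<Rule groupRelation="and">
+<SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe</SourceImage>
+<TargetImage condition="is">C:\Windows\system32\cscript.exe</TargetImage>
+</Rule>
+<SourceImage condition="contains all">C:\WindowsAzure\GuestAgent_;CollectGuestLogs.exe</SourceImage>
+<SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe</SourceImage>
 <SourceImage condition="is">C:\Windows\CarbonBlack\cb.exe</SourceImage>
 <Rule name="Exclude Chrome SW Reporter into Reporter" groupRelation="and">
 <SourceImage condition="image">software_reporter_tool.exe</SourceImage>
@@ -384,6 +406,8 @@
 <SourceImage condition="contains all">C:\Users\;\AppData\Local\Citrix\ICA Client\receiver\Receiver.exe</SourceImage>
 <SourceImage condition="is">C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe</SourceImage>
 <SourceImage condition="is">c:\Program Files\Couchbase\Server\bin\sigar_port.exe</SourceImage>
+<SourceImage condition="is">C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe</SourceImage>
+<SourceImage condition="contains all">C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\;\OpenHandleCollector.exe</SourceImage>
 <SourceImage condition="contains all">C:\Program Files\Elastic\Agent\data\;\metricbeat.exe</SourceImage>
 <SourceImage condition="contains all">C:\Program Files;\FireEye\xagt\xagt.exe</SourceImage>
 <SourceImage condition="is">C:\Program Files (x86)\Ivanti\Workspace Control\cpushld.exe</SourceImage>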
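Review bot: The new CreateRemoteThread excludes for `CollectGuestLogs.exe`, `HealthService.exe`, `MsSense.exe` and `OpenHandleCollector.exe` (second and third hunks) are bare `SourceImage` entries, so every Event ID 8 from those processes is dropped whatever the TargetImage, whereas the MonitoringHost.exe entry added right beside them is scoped to `cscript.exe` inside a `<Rule groupRelation="and">`. If the processes these agents inject into are known, the same Rule form keeps the exclusion narrow; if the target set is genuinely open-ended, a comment such as `<!-- Azure guest agent / SCOM / MDE sensor: remote-thread noise, target set not fixed -->` would record why the wider match was accepted. The `contains all` match on `C:\WindowsAzure\GuestAgent_;CollectGuestLogs.exe` is also looser than the exact-path entries around it, and the four svchost.exe ImageLoad rules in the first hunk carry no `name` attribute or comment, unlike the named Chrome rule further down, so a reader cannot tell which noise they were added for. The element enclosing the Photoshop/Autodesk context lines starts outside the hunk; if those lines sit inside a still-open `<Rule>`, the new MonitoringHost Rule would be nested inside it, which I do not believe Sysmon's filter schema accepts — worth confirming against the full file. The identical additions in sysmonconfig-mde-augment.xml, sysmonconfig-with-filedelete.xml and sysmonconfig.xml share all of these points.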

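--- a/sysmonconfig-mde-augment.xml
+++ b/sysmonconfig-mde-augment.xml
@@ -906,6 +906,22 @@
 <Image condition="contains all"> C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe</Image>
 <ImageLoaded condition="contains all">C:\Users\;\AppData\Local\Microsoft\OneDrive\;\FileCoAuth.exe</ImageLoaded>
 </Rule>
+<Rule groupRelation="and">
+<Image condition="is">C:\Windows\System32\svchost.exe</Image>
+<ImageLoaded condition="is">C:\Windows\System32\netapi32.dll</ImageLoaded>
+</Rule>
+<Rule groupRelation="and">
+<Image condition="is">C:\Windows\System32\svchost.exe</Image>
+<ImageLoaded condition="is">C:\Windows\System32\msvcp110_win.dll</ImageLoaded>
+</Rule>
+<Rule groupRelation="and">
+<Image condition="is">C:\Windows\System32\svchost.exe</Image>
+<ImageLoaded condition="is">C:\Windows\System32\dsreg.dll</ImageLoaded>
+</Rule>
+<Rule groupRelation="and">
+<Image condition="is">C:\Windows\System32\svchost.exe</Image>
+<ImageLoaded condition="is">C:\Windows\System32\perfctrs.dll</ImageLoaded>
+</Rule>
 </ImageLoad>
 </RuleGroup>
 <!-- Event ID 8 == CreateRemoteThread - Sysmon will not provide notable additional visibility over MDE. -->
@@ -1020,6 +1036,12 @@
 <SourceImage condition="is">C:\Program Files\Adobe\Adobe Photoshop 2021\Photoshop.exe</SourceImage>
 <TargetImage condition="begin with">C:\Program Files\Autodesk\Autodesk Desktop App</TargetImage>
 <TargetImage condition="begin with">C:\Program Files (x86)\Autodesk\Autodesk Desktop App</TargetImage>
+<Rule groupRelation="and">
+<SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe</SourceImage>
+<TargetImage condition="is">C:\Windows\system32\cscript.exe</TargetImage>
+</Rule>
+<SourceImage condition="contains all">C:\WindowsAzure\GuestAgent_;CollectGuestLogs.exe</SourceImage>
+<SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe</SourceImage>
 <SourceImage condition="is">C:\Windows\CarbonBlack\cb.exe</SourceImage>
 <Rule name="Exclude Chrome SW Reporter into Reporter" groupRelation="and">
 <SourceImage condition="image">software_reporter_tool.exe</SourceImage>
@@ -1039,6 +1061,8 @@
 <SourceImage condition="contains all">C:\Users\;\AppData\Local\Citrix\ICA Client\receiver\Receiver.exe</SourceImage>
 <SourceImage condition="is">C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe</SourceImage>
 <SourceImage condition="is">c:\Program Files\Couchbase\Server\bin\sigar_port.exe</SourceImage>
+<SourceImage condition="is">C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe</SourceImage>
+<SourceImage condition="contains all">C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\;\OpenHandleCollector.exe</SourceImage>
 <SourceImage condition="contains all">C:\Program Files\Elastic\Agent\data\;\metricbeat.exe</SourceImage>
 <SourceImage condition="contains all">C:\Program Files;\FireEye\xagt\xagt.exe</SourceImage>
 <SourceImage condition="is">C:\Program Files (x86)\Ivanti\Workspace Control\cpushld.exe</SourceImage>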

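--- a/sysmonconfig-with-filedelete.xml
+++ b/sysmonconfig-with-filedelete.xml
@@ -1112,6 +1112,22 @@
 <Image condition="contains all"> C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe</Image>
 <ImageLoaded condition="contains all">C:\Users\;\AppData\Local\Microsoft\OneDrive\;\FileCoAuth.exe</ImageLoaded>
 </Rule>
+<Rule groupRelation="and">
+<Image condition="is">C:\Windows\System32\svchost.exe</Image>
+<ImageLoaded condition="is">C:\Windows\System32\netapi32.dll</ImageLoaded>
+</Rule>
+<Rule groupRelation="and">
+<Image condition="is">C:\Windows\System32\svchost.exe</Image>
+<ImageLoaded condition="is">C:\Windows\System32\msvcp110_win.dll</ImageLoaded>
+</Rule>
+<Rule groupRelation="and">
+<Image condition="is">C:\Windows\System32\svchost.exe</Image>
+<ImageLoaded condition="is">C:\Windows\System32\dsreg.dll</ImageLoaded>
+</Rule>
+<Rule groupRelation="and">
+<Image condition="is">C:\Windows\System32\svchost.exe</Image>
+<ImageLoaded condition="is">C:\Windows\System32\perfctrs.dll</ImageLoaded>
+</Rule>
 </ImageLoad>
 </RuleGroup>
 <!-- Event ID 8 == CreateRemoteThread - Excludes -->
@@ -1237,6 +1253,12 @@
 <SourceImage condition="is">C:\Program Files\Adobe\Adobe Photoshop 2021\Photoshop.exe</SourceImage>
 <TargetImage condition="begin with">C:\Program Files\Autodesk\Autodesk Desktop App</TargetImage>
 <TargetImage condition="begin with">C:\Program Files (x86)\Autodesk\Autodesk Desktop App</TargetImage>
+<Rule groupRelation="and">
+<SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe</SourceImage>
+<TargetImage condition="is">C:\Windows\system32\cscript.exe</TargetImage>
+</Rule>
+<SourceImage condition="contains all">C:\WindowsAzure\GuestAgent_;CollectGuestLogs.exe</SourceImage>
+<SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe</SourceImage>
 <SourceImage condition="is">C:\Windows\CarbonBlack\cb.exe</SourceImage>
 <Rule name="Exclude Chrome SW Reporter into Reporter" groupRelation="and">
 <SourceImage condition="image">software_reporter_tool.exe</SourceImage>
@@ -1256,6 +1278,8 @@
 <SourceImage condition="contains all">C:\Users\;\AppData\Local\Citrix\ICA Client\receiver\Receiver.exe</SourceImage>
 <SourceImage condition="is">C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe</SourceImage>
 <SourceImage condition="is">c:\Program Files\Couchbase\Server\bin\sigar_port.exe</SourceImage>
+<SourceImage condition="is">C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe</SourceImage>
+<SourceImage condition="contains all">C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\;\OpenHandleCollector.exe</SourceImage>
 <SourceImage condition="contains all">C:\Program Files\Elastic\Agent\data\;\metricbeat.exe</SourceImage>
 <SourceImage condition="contains all">C:\Program Files;\FireEye\xagt\xagt.exe</SourceImage>
 <SourceImage condition="is">C:\Program Files (x86)\Ivanti\Workspace Control\cpushld.exe</SourceImage>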

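--- a/sysmonconfig.xml
+++ b/sysmonconfig.xml
@@ -1112,6 +1112,22 @@
 <Image condition="contains all"> C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe</Image>
 <ImageLoaded condition="contains all">C:\Users\;\AppData\Local\Microsoft\OneDrive\;\FileCoAuth.exe</ImageLoaded>
 </Rule>
+<Rule groupRelation="and">
+<Image condition="is">C:\Windows\System32\svchost.exe</Image>
+<ImageLoaded condition="is">C:\Windows\System32\netapi32.dll</ImageLoaded>
+</Rule>
+<Rule groupRelation="and">
+<Image condition="is">C:\Windows\System32\svchost.exe</Image>
+<ImageLoaded condition="is">C:\Windows\System32\msvcp110_win.dll</ImageLoaded>
+</Rule>
+<Rule groupRelation="and">
+<Image condition="is">C:\Windows\System32\svchost.exe</Image>
+<ImageLoaded condition="is">C:\Windows\System32\dsreg.dll</ImageLoaded>
+</Rule>
+<Rule groupRelation="and">
+<Image condition="is">C:\Windows\System32\svchost.exe</Image>
+<ImageLoaded condition="is">C:\Windows\System32\perfctrs.dll</ImageLoaded>
+</Rule>
 </ImageLoad>
 </RuleGroup>
 <!-- Event ID 8 == CreateRemoteThread - Excludes -->
@@ -1237,6 +1253,12 @@
 <SourceImage condition="is">C:\Program Files\Adobe\Adobe Photoshop 2021\Photoshop.exe</SourceImage>
 <TargetImage condition="begin with">C:\Program Files\Autodesk\Autodesk Desktop App</TargetImage>
 <TargetImage condition="begin with">C:\Program Files (x86)\Autodesk\Autodesk Desktop App</TargetImage>
+<Rule groupRelation="and">
+<SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe</SourceImage>
+<TargetImage condition="is">C:\Windows\system32\cscript.exe</TargetImage>
+</Rule>
+<SourceImage condition="contains all">C:\WindowsAzure\GuestAgent_;CollectGuestLogs.exe</SourceImage>
+<SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe</SourceImage>
 <SourceImage condition="is">C:\Windows\CarbonBlack\cb.exe</SourceImage>
 <Rule name="Exclude Chrome SW Reporter into Reporter" groupRelation="and">
 <SourceImage condition="image">software_reporter_tool.exe</SourceImage>
@@ -1256,6 +1278,8 @@
 <SourceImage condition="contains all">C:\Users\;\AppData\Local\Citrix\ICA Client\receiver\Receiver.exe</SourceImage>
 <SourceImage condition="is">C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe</SourceImage>
 <SourceImage condition="is">c:\Program Files\Couchbase\Server\bin\sigar_port.exe</SourceImage>
+<SourceImage condition="is">C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe</SourceImage>
+<SourceImage condition="contains all">C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\;\OpenHandleCollector.exe</SourceImage>
 <SourceImage condition="contains all">C:\Program Files\Elastic\Agent\data\;\metricbeat.exe</SourceImage>
 <SourceImage condition="contains all">C:\Program Files;\FireEye\xagt\xagt.exe</SourceImage>
 <SourceImage condition="is">C:\Program Files (x86)\Ivanti\Workspace Control\cpushld.exe</SourceImage>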
