sysmonconfig-export.xml

<!--
  sysmon-config | A Sysmon configuration focused on default high-quality event tracing and easy customization by the community
  Master version:	64 | Date: 2018-01-30
  Master author:	@SwiftOnSecurity, other contributors also credited in-line or on Git
  Master project:	https://github.com/SwiftOnSecurity/sysmon-config
  Master license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
  Fork version:	101, 2018-06-27
  Fork author:	ionstorm, contributions by mdavis332
  Fork project:	https://github.com/ion-storm/sysmon-config
  REQUIRED: Sysmon version 7.01 or higher (due to changes in registry syntax and bug-fixes)
	https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
	Note that 6.03 and 7.01 have critical fixes for filtering, it's recommended you stay updated.
  NOTE: To collect Sysmon logs centrally for free, see https://aka.ms/WEF. Command to allow log access to the Network Service:
	wevtutil.exe sl Microsoft-Windows-Sysmon/Operational /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)
  NOTE: Do not let the size and complexity of this configuration discourage you from customizing it or building your own.
	This configuration is based around known, high-signal event tracing, and thus appears complicated, but it's only very
	detailed. Significant effort over years has been invested in front-loading as much filtering as possible onto the
	client. This is to make analysis of intrusions possible by hand, and to try to surface anomalous activity as quickly
	as possible to any technician armed only with Event Viewer. Its purpose is to democratize system monitoring for all organizations.
  NOTE: Sysmon is NOT a whitelist solution or HIDS engine, it is a computer change and event logging tool with very basic exclude rules.
	Do NOT ignore everything possible. Sysmon's purpose is providing context during a threat or problem investigation. Legitimate
	processes are routinely used by threats - do not blindly exclude them. Additionally, be mindful of process-hollowing / imitation.
  NOTE: Sysmon is not hardened against an attacker with admin rights. Additionally, this configuration offers an attacker, willing
	to study it, many ways to evade some of the logging. If you are in a high-threat environment, you should consider a much broader
	log-most approach. However, in the vast majority of cases, an attacker will bumble along through multiple behavioral traps which
	this configuration monitors, especially in the first minutes.
  TECHNICAL:
  - Run sysmon.exe -? for a briefing on Sysmon configuration.
  - Other languages may require localization. Registry and Filesystem paths can change. For example, \shell\open\command\, where "open" is localized.
  - Sysmon does not support nested/multi-conditional rules. There are only blanket INCLUDE and EXCLUDE. "Exclude" rules override "Include" rules.
  - If you only specify exclude for a filtering subsection, everything in that subsection is logged by default.
  - Some Sysmon monitoring abilities are not meant for widely deployed general-purpose use due to performance impact. Depends on environment.
  - Duplicate or overlapping "Include" rules do not result in duplicate events being logged.
  - All characters enclosed by XML tags are always interpreted literally. Sysmon does not support wildcards (*), alternate characters, or RegEx.
  - In registry events, the value name is appended to the full key path with a "\" delimiter. Default key values are named "\(Default)"
  - "Image" is a technical term for a compiled binary file like an EXE or DLL. Also, it can match just the filename, or entire path.
  - "ProcessGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual process launches. Cleared on service restart.
  - "LoginGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual user sessions. Cleared on service restart.
  - Sysmon does not track which rule caused an event to be logged.
  FILTERING: Filter conditions available for use are: is, is not, contains, excludes, begin with, end with, less than, more than, image
  - The "image" filter is usable with any field. Same as "is" but can either match the entire string, or only the text after the last "\" in the string. Credit: @mattifestation
  PERFORMANCE: By using "end with" you can save performance by starting a string match at the end of a line, which usually triggers earlier.
-->

<Sysmon schemaversion="4.00">
	<!--SYSMON META CONFIG-->
	<HashAlgorithms>md5,sha256</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
	<CheckRevocation/> <!-- Check loaded drivers, log if their code-signing certificate has been revoked, in case malware stole one to sign a kernel driver -->

	<!-- <ImageLoad/> --> <!-- Would manually force-on ImageLoad monitoring, even without configuration below. Included only documentation. -->
	<!-- <ProcessAccessConfig/> --> <!-- Would manually force-on ProcessAccess monitoring, even without configuration below. Included only documentation. -->
	<!-- <PipeMonitoringConfig/> --> <!-- Would manually force-on PipeCreated / PipeConnected events, even without configuration below. Included only documentation. -->

	<EventFiltering>

	<!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
		<!--COMMENT:	All process launched will be included, except for what matches a rule below. It's best to be as specific as possible, to
			avoid user-mode executables imitating other process names to avoid logging, or if malware drops files in an existing directory.
			Ultimately, you must weigh CPU time checking many detailed rules, against the risk of malware exploiting the blindness created.
			Beware of Masquerading, where attackers imitate the names and paths of legitimate tools. Ideally, you'd use both file path and
			code signatures to validate, but Sysmon does not support that. Look into Windows Device Guard for whitelisting support. -->

		<!--DATA: UtcTime, ProcessGuid, ProcessID, Image, FileVersion, Description, Product, Company, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine-->
		<ProcessCreate onmatch="exclude">
			<!--SECTION: Microsoft CUSTOM-->
			<ParentImage condition="is">C:\Program Files\SMS_CCM\CcmExec.exe</ParentImage> <!-- Microsoft:SCCM CUSTOM -->
			<ParentCommandLine condition="is">C:\Windows\CCM\CcmExec.exe</ParentCommandLine> <!-- Microsoft: SCCM CUSTOM -->
			<Image condition="is">C:\Windows\System32\VSSVC.exe</Image> <!-- Microsoft:Windows: Volume Shadow Service CUSTOM -->
			<Image condition="is">C:\Program Files\Microsoft Security Client\msseces.exe</Image> <!-- Microsoft: Client Security CUSTOM -->
			<Image condition="is">C:\Program Files\Microsoft Office\Office15\msoia.exe</Image> <!-- Microsoft: Office telemetry agent CUSTOM -->
			<ParentImage condition="is">C:\Program Files (x86)\Jenzamate\JenzaMate.exe</ParentImage> <!-- JenzaMate CUSTOM -->
			<Image condition="is">C:\Program Files (x86)\CX\putty.exe</Image> <!-- PuTTY CUSTOM -->
			<Image condition="is">C:\Windows\System32\scrnsave.scr</Image> <!-- Screen saver CUSTOM -->
			<Image condition="is">C:\Windows\System32\LogonUI.exe</Image> <!-- Logon GINA CUSTOM -->
			<ParentImage condition="begin with">C:\Program Files (x86)\Microsoft Office\Office</ParentImage> <!-- Microsoft: Office CUSTOM -->
			<Image condition="begin with">C:\Program Files (x86)\Microsoft Office\Office</Image> <!-- Microsoft: Office CUSTOM -->
			<!--SECTION: Microsoft Windows-->
			<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
			<CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine> <!--Microsoft:Windows: Search Indexer-->
			<Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image> <!--Microsoft:Windows: Customer Experience Improvement-->
			<Image condition="is">C:\Windows\system32\audiodg.exe</Image> <!--Microsoft:Windows: Launched constantly-->
			<Image condition="is">C:\Windows\system32\conhost.exe</Image> <!--Microsoft:Windows: Command line interface host process-->
			<Image condition="is">C:\Windows\system32\musNotification.exe</Image> <!--Microsoft:Windows: Update pop-ups-->
			<Image condition="is">C:\Windows\system32\musNotificationUx.exe</Image> <!--Microsoft:Windows: Update pop-ups-->
			<Image condition="is">C:\Windows\system32\powercfg.exe</Image> <!--Microsoft:Power configuration management-->
			<Image condition="is">C:\Windows\system32\sndVol.exe</Image> <!--Microsoft:Windows: Volume control-->
			<Image condition="is">C:\Windows\servicing\TrustedInstaller.exe</Image> <!--Microsoft:Windows: TrustedInstaller-->																										 
			<Image condition="is">C:\Windows\system32\sppsvc.exe</Image> <!--Microsoft:Windows: Software Protection Service-->
			<Image condition="is">C:\Windows\system32\wbem\WmiApSrv.exe</Image> <!--Microsoft:Windows: WMI performance adapter host process-->
			<Image condition="is">C:\Windows\System32\plasrv.exe</Image> <!--Microsoft:Windows: Performance Logs and Alerts DCOM Server-->
			<Image condition="is">C:\Windows\System32\wifitask.exe</Image> <!--Microsoft:Windows: Wireless Background Task-->
			<Image condition="is">C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe</Image> <!--Microsoft:Windows: Touch Keyboard and Handwriting Panel Helper-->
			<Image condition="is">C:\Windows\System32\TokenBrokerCookies.exe</Image> <!--Microsoft:Windows: SSO sign-in assistant for MicrosoftOnline.com-->
			<CommandLine condition="is">C:\windows\system32\wermgr.exe -queuereporting</CommandLine> <!--Microsoft:Windows:Windows error reporting/telemetry-->
			<ParentCommandLine condition="is">C:\windows\system32\wermgr.exe -queuereporting</ParentCommandLine> <!--Microsoft:Windows:Windows error reporting/telemetry-->
			<CommandLine condition="begin with"> "C:\Windows\system32\wermgr.exe" "-queuereporting_svc" </CommandLine> <!--Microsoft:Windows:Windows error reporting/telemetry-->
			<CommandLine condition="is">C:\WINDOWS\system32\wermgr.exe -upload</CommandLine> <!--Microsoft:Windows:Windows error reporting/telemetry-->
			<CommandLine condition="is">\SystemRoot\System32\smss.exe</CommandLine> <!--Microsoft:Bootup: Windows Session Manager-->
			<CommandLine condition="is">\??\C:\WINDOWS\system32\autochk.exe *</CommandLine> <!--Microsoft:Bootup: Auto Check Utility-->
			<IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Microsoft:Windows: Don't care about sandboxed processes-->
			<ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!--Microsoft:Windows:CommandShell: Triggered when programs use the command shell, but doesn't provide attribution for what caused it-->
			<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
			<Image condition="is">C:\Windows\system32\mobsync.exe</Image> <!--Microsoft:Windows: Network file syncing-->
			<CommandLine condition="begin with">C:\Windows\system32\wbem\wmiprvse.exe -Embedding</CommandLine> <!--Microsoft:Windows: WMI provider host-->
			<CommandLine condition="begin with">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</CommandLine> <!--Microsoft:Windows: WMI provider host-->
			<ParentCommandLine condition="contains">\SystemRoot\System32\smss.exe 00000100 0000007c</ParentCommandLine> <!--Microsoft:Windows 10 Noise-->
			<CommandLine condition="contains">\SystemRoot\System32\smss.exe 00000100 0000007c</CommandLine> <!--Microsoft:Windows 10 Noise-->
			<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font Cache Service-->
			<ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!--Microsoft:Windows:CommandShell: Triggered when programs use the command shell, but without attribution-->																																		 
			<Image condition="is">C:\Windows\system32\SppExtComObj.Exe</Image> <!--Microsoft:Windows: KMS activation-->
			<Image condition="is">C:\Windows\system32\PrintIsolationHost.exe</Image> <!--Microsoft:Windows: Printing-->
			<CommandLine condition="contains">net use</CommandLine> <!-- Silence domain login scripts -->																										
			<!--SECTION: Microsoft:Windows:Defender-->
			<Image condition="begin with">C:\Program Files\Windows Defender</Image> <!--Microsoft:Windows:Defender in Win10-->
			<Image condition="is">C:\Windows\system32\MpSigStub.exe</Image> <!--Microsoft:Windows: Microsoft Malware Protection Signature Update Stub-->
			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_</Image> <!--Microsoft:Defender: Signature updates-->
			<Image condition="is">C:\Windows\System32\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
			<Image condition="is">C:\Windows\SysWOW64\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
			<Image condition="is">C:\Windows\System32\MpSigStub.exe</Image> <!--Microsoft:Windows: Microsoft Malware Protection Signature Update Stub-->
			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Engine</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Base</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
			<Image condition="is">C:\Windows\System32\MusNotification.exe</Image><!--Microsoft:Windows: Update Popups-->
			<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image><!--Microsoft:Windows: Update Popups-->
			<!--SECTION: Microsoft:Windows:svchost-->
				<!--COMMENT: These generally not exclude sub-processes, which may be important. Do not exclude RemoteRegistry or Schedule.-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel -s StateRepository</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel</CommandLine> <!--Microsoft:Windows 10-->
			<CommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k appmodel -p -s tiledatamodelsvc</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k camera -s FrameServer</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k dcomlaunch -s LSM</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k dcomlaunch -s PlugPlay</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k defragsvc</CommandLine> <!--Microsoft:Windows defragmentation-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k devicesflow -s DevicesFlowUserSvc</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k imgsvc</CommandLine> <!--Microsoft:The Windows Image Acquisition Service-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s EventSystem</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s bthserv</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s nsi</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s w32Time</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s TimeBrokerSvc</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNoNetwork</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost</CommandLine> <!--Microsoft:Windows: Diagnostic System Host [ http://www.blackviper.com/windows-services/diagnostic-system-host/ ] -->
			<CommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost</CommandLine> <!--Microsoft:Windows: Diagnostic System Host [ http://www.blackviper.com/windows-services/diagnostic-system-host/ ] -->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted</CommandLine> <!--Microsoft:Windows-->
			<CommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc</CommandLine> <!--Microsoft:Windows: Windows Live Sign-In Assistant [ https://www.howtogeek.com/howto/30348/what-are-wlidsvc.exe-and-wlidsvcm.exe-and-why-are-they-running/ ] -->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -p -s ncaSvc</CommandLine> <!--Microsoft:Windows: Network Connectivity Assistant [ http://www.blackviper.com/windows-services/network-connectivity-assistant/ ] -->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC</CommandLine> <!--Microsoft:Windows:Network: BitLocker Drive Encryption-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s BITS</CommandLine> <!--Microsoft:Windows:Network: Background Intelligent File Transfer (BITS) -->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s Gpsvc</CommandLine> <!--Microsoft:Windows:Network: Group Policy -->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s SENS</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s Themes</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt</CommandLine> <!--Microsoft:Windows: Windows Management Instrumentation (WMI) -->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s Dnscache</CommandLine> <!--Microsoft:Windows:Network: DNS caching, other uses -->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation</CommandLine> <!--Microsoft:Windows:Network: "Workstation" service, used for SMB file-sharing connections and RDP-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s NlaSvc</CommandLine> <!--Microsoft:Windows:Network: Network Location Awareness-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s TermService</CommandLine> <!--Microsoft:Windows:Network: Terminal Services (RDP)-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k rPCSS</CommandLine> <!--Microsoft:Windows Services-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k secsvcs</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k swprv</CommandLine> <!--Microsoft:Software Shadow Copy Provider-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k unistackSvcGroup</CommandLine> <!--Microsoft:Windows 10-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k utcsvc</CommandLine> <!--Microsoft:Windows Services-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k wbioSvcGroup</CommandLine> <!--Microsoft:Windows Services-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k werSvcGroup</CommandLine> <!--Microsoft:Windows: ErrorReporting-->
			<CommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k wsappx -p -s ClipSVC</CommandLine> <!--Microsoft:Windows:Apps: Client License Service-->
			<CommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k wsappx -p -s AppXSvc</CommandLine> <!--Microsoft:Windows:Apps: AppX Deployment Service-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC</CommandLine> <!--Microsoft:Windows:Apps: Client License Service-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k wsappx</CommandLine> <!--Microsoft:Windows:Apps [ https://www.howtogeek.com/320261/what-is-wsappx-and-why-is-it-running-on-my-pc/ ] -->
			<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs</ParentCommandLine> <!--Microsoft:Windows: Network services: Spawns Consent.exe-->
			<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted</ParentCommandLine> <!--Microsoft:Windows-->
			<!--SECTION: Microsoft:dotNet-->
			<CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</CommandLine> <!--Microsoft:DotNet-->
			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
			<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font cache service-->
			<ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet: Spawns thousands of ngen.exe processes-->
			<!--SECTION: Microsoft:Office-->
			<Image condition="is">C:\Program Files\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
			<Image condition="is">C:\Program Files\Microsoft Office\Office15\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE</Image> <!--Microsoft:Office: Licensing service-->
			<Image condition="is">C:\Program Files\Microsoft Office\Office16\msoia.exe</Image> <!--Microsoft:Office: Telemetry collector-->
			<Image condition="is">C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process-->
			<!--SECTION: Microsoft Exchange-->
			<ParentImage condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe</ParentImage>
			<ParentImage condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe</ParentImage>
			<CommandLine condition="contains">C:\Program Files\Microsoft\Exchange Server\V14\Scripts\CheckDatabaseRedundancy.ps1</CommandLine>
			<!--SECTION: Microsoft Misc-->
			<Image condition="is">C:\Windows\System32\ddpcli.exe</Image> <!--Scheduled dedupe jobs on server 2012-->
			<!--SECTION: Microsoft:Office:Click2Run-->
			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!--Microsoft:Office: Background process-->
			<ParentImage condition="end with">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage> <!--Microsoft:Office: Background process-->
			<ParentImage condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</ParentImage> <!--Microsoft:Office: Background process-->
			<!--SECTION: Microsoft:Windows: Media player-->
			<Image condition="is">C:\Program Files\Windows Media Player\wmpnscfg.exe</Image> <!--Microsoft:Windows: Windows Media Player Network Sharing Service Configuration Application-->
			<!--SECTION: Google-->
			<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
			<CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
			<Image condition="begin with">C:\Program Files (x86)\Google\Update\</Image> <!--Google:Chrome:Updater: You should experiment with this line since attackers sometimes hide in this folder-->
			<ParentImage condition="begin with">C:\Program Files (x86)\Google\Update\</ParentImage> <!--Google:Chrome:Updater: You should experiment with this line since attackers sometimes hide in this folder-->
			<!--SECTION: Firefox-->
			<CommandLine condition="begin with">"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox: Large command-line arguments | Credit @Darkbat91 -->
			<CommandLine condition="begin with">"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox: Large command-line arguments | Credit @Darkbat91 -->
			<!--SECTION: Adobe-->
			<CommandLine condition="contains">AcroRd32.exe" /CR </CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
			<CommandLine condition="contains">AcroRd32.exe" --channel=</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe</ParentImage>
			<!--SECTION: Adobe:Acrobat DC-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
			<!--SECTION: Adobe:Acrobat 2015-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
			<!--SECTION: Adobe:Acrobat Reader DC-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
			<!--SECTION: Adobe:Flash-->
			<Image condition="end with">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> <!--Adobe:Flash: Properly hardened updater, not a risk-->
			<!--SECTION: Adobe:Updater-->
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</ParentImage> <!--Adobe:Updater: Properly hardened updater, not a risk-->
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
			<!--SECTION: Adobe:Supporting processes-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe</Image>
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe</Image>
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe</Image> <!--Adobe:Creative Cloud-->
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe</Image> <!--Adobe:License utility-->
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</Image> <!--Adobe:License utility-->
			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</ParentImage> <!--Adobe:License utility-->
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</Image>
			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</ParentImage>
			<!--SECTION: Adobe:Creative Cloud-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</Image>
			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</ParentImage>
			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe</ParentImage>
			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe</ParentImage>
			<!--SECTION: Cisco-->
			<ParentImage condition="end with">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe</ParentImage> <!--Cisco: Calls netsh to change settings on connect-->
			<!--SECTION: Custom Apps-->
			<ParentCommandLine condition="is">"C:\Program Files (x86)\RdpGuard\rdpguard-svc.exe"</ParentCommandLine> <!-- RDP Guard CUSTOM -->
			<Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image> <!-- VMware VMtools daemon CUSTOM -->
			<!--SECTION: Drivers-->
				<!--COMMENT: Attackers sometimes hide themselves in the folders of drivers, be careful to only exclude what is clogging events-->
			<CommandLine condition="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{</CommandLine>
			<CommandLine condition="is">C:\Windows\system32\igfxsrvc.exe -Embedding</CommandLine>
			<Image condition="begin with">C:\Program Files\NVIDIA Corporation\</Image> <!--Nvidia:Driver: routine actions-->
			<Image condition="end with">\NVIDIA\NvBackend\ApplicationOntology\OAWrapper.exe</Image> <!--Nvidia:Driver: routine actions-->
			<ParentImage condition="is">C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamuseragent.exe</ParentImage> <!--Nvidia:Driver: routine actions-->
			<Image condition="begin with">C:\Program Files\Realtek\</Image> <!--Realtek:Driver: routine actions-->
			<CommandLine condition="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{</CommandLine>
			<ParentImage condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</ParentImage><!--Synaptics Touchpad -->																																	  
			<ParentImage condition="end with">C:\Program Files\DellTPad\HidMonitorSvc.exe</ParentImage>
			<ParentImage condition="end with">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe</ParentImage> <!--Realtek:Driver: routine actions-->
			<!--SECTION: Dropbox-->
			<Image condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</Image> <!--Dropbox:Updater: Lots of command-line arguments-->
			<ParentImage condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage>
			<!--SECTION: Dell-->
			<ParentImage condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> <!--Dell:CommandUpdate: Detection process-->
			<Image condition="is">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image> <!--Dell:SupportAssist: routine actions-->
			<Image condition="is">C:\Program Files\Dell\SupportAssist\koala.exe</Image> <!--Dell:SupportAssist: routine actions-->
			<ParentCommandLine condition="end with">"-outc=C:\ProgramData\Dell\CommandUpdate\inventory.xml" "-logc=C:\ProgramData\Dell\CommandUpdate\scanerrs.xml" "-lang=en" "-enc=UTF-16" </ParentCommandLine>
			<!--SECTION: Lenovo-->
			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\ConfigService.exe</Image> <!--Lenovo: System Update-->
			<ParentImage condition="is">C:\PROGRA~3\Lenovo\SYSTEM~1\SESSIO~1\REPOSI~1\fwdphb06\fwdphb06_version.exe</ParentImage><!--Lenovo: System Update-->
			<Image condition="is">C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe</Image><!--Lenovo: Thinkpad Utilities-->
			<Image condition="is">C:\Windows\system32\LPlatSvc.exe</Image> <!--Lenovo: Platform Services-->
			<ParentImage condition="is">C:\Program Files\Lenovo\HOTKEY\tphkload.exe</ParentImage><!--Lenovo: Hotkey Tools-->
			<Image condition="is">C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelService.exe</Image> <!--Lenovo: Mouse Suite-->
			<Image condition="is">C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</Image> <!--Lenovo: Modern Apps Plugin Host-->
			<ParentCommandLine condition="contains">C:\Program Files\Lenovo\iMController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</ParentCommandLine> <!--Lenovo: Modern Apps Plugin Host-->
			<ParentCommandLine condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsukernel.exe</ParentCommandLine> <!--Lenovo: System Update-->
			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\UACSdk.exe</ParentImage> <!--Lenovo: System Update-->
			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\SUService.exe</ParentImage> <!--Lenovo: System Update-->
			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Ultraslim Plus Wireless Keyboard &amp; Mouse\Pelico.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Ultraslim Plus Wireless Keyboard &amp; Mouse\LeDaemon.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelElvDm.exe</ParentImage>
			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsuShim.exe</ParentImage>
			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsu.exe</ParentImage>
			<Image condition="contains">C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe</Image>
			<!--SECTION: MSI: Micro-Star International Computers-->
			<ParentImage condition="is">C:\Program Files (x86)\SCM\SCM.exe</ParentImage><!--MSI: Hotkey & Power Management-->
			<Image condition="is">C:\Program Files (x86)\SCM\SCM_Notice.exe</Image><!--MSI: Hotkey & Power Management-->
			<Image condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</Image><!-- MSI: Helpdesk Updater-->
			<ParentImage condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</ParentImage><!-- MSI: Helpdesk Updater-->
			<Image condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</Image><!-- MSI: Dragon Center Updater-->
			<ParentImage condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</ParentImage><!-- MSI: Dragon Center Updater-->
			<!--SECTION: Intel-->
			<Image condition="is">C:\Program Files\Intel\Telemetry 2.0\lrio.exe</Image> <!--Intel: Telemetry-->
			<Image condition="is">C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe</Image> <!--Intel: Driver Update-->
			<Image condition="is">C:\Windows\System32\DriverStore\FileRepository\ki120591.inf_amd64_7a2f7b04e15632c2\igfxCUIService.exe</Image><!--Intel: Graphics Driver-->
			<Image condition="is">C:\Windows\System32\DriverStore\FileRepository\ki120591.inf_amd64_7a2f7b04e15632c2\igfxEM.exe</Image><!--Intel: Graphics Driver-->
			<!--SECTION: Antivirus-->
			<CommandLine condition="begin with">"C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",SynProc</CommandLine> <!--Webroot-->
			<CommandLine condition="contains">C:\Program Files (x86)\Webroot\WRSA.exe" -ul</CommandLine> <!--Webroot-->
			<ParentCommandLine condition="is">"C:\Program Files (x86)\Webroot\WRSA.exe" -service</ParentCommandLine> <!--Webroot-->
			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image><!--Webroot-->
			<!--SECTION: Synaptics Touchpad-->
			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</Image>
			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe</Image>
			<!--SECTION: Labtech -->
			<!--Since Labtech nests its processes, the following exclusions could be exploited, remove if you do not need-->
			<!--TODO: Will define these more in the future-->
			<ParentCommandLine condition="is">C:\Windows\LTSvc\LTSVC.exe -sLTService</ParentCommandLine> <!--Labtech Agent-->
			<ParentImage condition="is">C:\Windows\LTSvc\LTSVC.exe</ParentImage> <!--Labtech Agent-->
			<CommandLine condition="contains">find /i "Listening"</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
			<CommandLine condition="contains">netstat -an</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
			<CommandLine condition="contains">tasklist</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
			<ParentCommandLine condition="contains">find /i "Listening"</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
			<ParentCommandLine condition="contains">netstat -an</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
			<ParentCommandLine condition="contains">tasklist</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
			<ParentCommandLine condition="contains">interface tcp show global</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
			<ParentCommandLine condition="contains">wmic path win32_operatingsystem get</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
			<ParentCommandLine condition="contains">sc queryex type= service</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
			<ParentCommandLine condition="contains">C:\Program Files (x86)\StorageCraft\ImageManager\ImageManager.exe</ParentCommandLine> <!--ShadowProtect noise -->
			<ParentCommandLine condition="contains">raw_agent_svc.exe</ParentCommandLine> <!--ShadowProtect noise -->
			<ParentImage condition="end with">raw_agent_svc.exe</ParentImage> <!--ShadowProtect noise -->
			<CommandLine condition="contains">IscsidscInterface.exe</CommandLine> <!--ShadowProtect noise -->
			<ParentCommandLine condition="contains">IscsidscInterface.exe</ParentCommandLine> <!--ShadowProtect noise -->
			<ParentCommandLine condition="contains">Add-PSSnapin Microsoft.SharePoint.PowerShell</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
			<CommandLine condition="contains">find /i "Listening"</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
			<CommandLine condition="contains">netstat -an</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
			<CommandLine condition="contains">tasklist</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
			<CommandLine condition="contains">wmic path win32_operatingsystem get</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
			<CommandLine condition="contains">sc queryex type= service</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
			<CommandLine condition="contains">C:\Program Files\StorageCraft\ImageManager\ImageManager.exe</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
			<CommandLine condition="contains">Add-PSSnapin Microsoft.SharePoint.PowerShell</CommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
			<CommandLine condition="contains">Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
			<CommandLine condition="contains">Get-WmiObject -Query 'SELECT LicensingType FROM Win32_TerminalServiceSetting').LicensingType</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
			<CommandLine condition="contains">Get-WmiObject -Namespace Root\CimV2\TerminalServices</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
			<CommandLine condition="contains">tasklist</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
			<ParentCommandLine condition="contains">vssadmin list writers</ParentCommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
			<CommandLine condition="contains">vssadmin  list writers</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
			<ParentCommandLine condition="contains">net view \\localhost | find " Print</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
			<ParentCommandLine condition="contains">net view \\localhost | find " Disk</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
			<CommandLine condition="contains">C:\Windows\system32\net1 Share</CommandLine><!--Labtech Agent: Noise from nested processes in labtech-->
			<ParentCommandLine condition="contains">Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname | format-table -autosize" | find /i "vss writer" | find /i "sql server""</ParentCommandLine> <!--Labtech Agent: Noise from nested processes in labtech-->
			<ParentImage condition="is">C:\Program Files (x86)\LabTech Client\LTClient.exe</ParentImage> <!--Labtech Client-->
			<ParentCommandLine condition="contains">C:\Windows\LTSvc\LTSvcMon.exe -sLTService</ParentCommandLine>
			<ParentImage condition="is">C:\Windows\LTSvc\LTSvcMon.exe</ParentImage>
			<Image condition="is">C:\Windows\LTSvc\LTTray.exe</Image>
			<ParentCommandLine condition="contains">Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall</ParentCommandLine>
			<CommandLine condition="contains">interface tcp show global</CommandLine>
			<!--END: Labtech-->
			<Image condition="end with">ScreenConnect.WindowsClient.exe</Image><!--Screenconnect Remote Desktop Client-->																			
			<Image condition="begin with">C:\Program Files (x86)\SmartGit</Image> <!--SmartGit-->
			<ParentImage condition="begin with">C:\Program Files (x86)\SmartGit</ParentImage> <!--SmartGit-->
			<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--Vivaldi Browser-->
			<Image condition="end with">controls\cef\ConnectWise.exe</Image> <!--Connectwise-->
			<!-- VMware vSphere spawns child processes to svtres.exe and csc.exe, currently unable to exclude those child processes, csc and cvtres.exe are used by some malware-->
			<ParentCommandLine condition="contains">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</ParentCommandLine> <!--VMware vSphere spawns subprocesses-->
			<CommandLine condition="contains">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</CommandLine><!--VMware vSphere spawns subprocesses-->
			<ParentImage condition="is">C:\Program Files (x86)\SyncedTool\bin\agent_service.exe</ParentImage><!--eFolder Synced Tool-->
			<Image condition="is">C:\Program Files (x86)\Notepad++\notepad++.exe</Image><!-- Notepad++ -->
			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn-gui.exe</Image>
			<ParentImage condition="is">C:\Program Files (x86)\Enpass\Enpass.exe</ParentImage> <!--Enpass Password Manager-->
			<Image condition="contains">C:\Program Files (x86)\Enpass\Enpass.exe</Image> <!--Enpass Password Manager-->
			<ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> <!--Dell:CommandUpdate: Detection process-->
			<ParentImage condition="contains">C:\Program Files (x86)\Fortinet\FortiClient\scheduler.exe</ParentImage> <!--FortiClient Noise -->
			<ParentImage condition="contains">C:\Program Files (x86)\Fortinet\FortiClient\FCHelper64.exe</ParentImage> <!--FortiClient Noise -->
			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image> <!-- Forticlient Updater -->
			<Image condition="contains">C:\Program Files (x86)\SyncedTool\bin\agent_gui.exe</Image>
			<Image condition="is">C:\Anchor Server\penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->
			<ParentImage condition="is">C:\Anchor Server\redis\redis-server.exe</ParentImage> <!-- eFolder Anchor Server -->
			<Image condition="is">C:\Anchor Server\redis\redis-server.exe</Image> <!-- eFolder Anchor Server -->
			<ParentImage condition="is">C:\PostgreSQL9.1\bin\postgres.exe</ParentImage> <!-- eFolder Anchor Server -->
			<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Anchor Server -->																																									 																																		   																								   
		</ProcessCreate>

	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
		<!--COMMENT:	[ https://attack.mitre.org/wiki/Technique/T1099 ] -->

		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime-->
		<FileCreateTime onmatch="include">
			<Image condition="begin with">C:\Users</Image> <!--Look for timestomping in user area-->
		</FileCreateTime>

		<FileCreateTime onmatch="exclude">
			<Image condition="image">OneDrive.exe</Image> <!--OneDrive constantly changes file times-->
			<Image condition="image">vivaldi.exe</Image> <!--Vivaldi constantly changes file times-->
			<Image condition="image">chrome.exe</Image> <!--Chrome constantly changes file times-->				
			<Image condition="image">C:\Windows\system32\backgroundTaskHost.exe</Image>
			<Image condition="contains">setup</Image> <!--Ignore setups-->
			<Image condition="contains">install</Image> <!--Ignore setups-->
			<Image condition="contains">Update\</Image> <!--Ignore setups-->
			<Image condition="end with">redist.exe</Image> <!--Ignore setups-->
			<Image condition="is">msiexec.exe</Image> <!--Ignore setups-->
			<Image condition="is">TrustedInstaller.exe</Image> <!--Ignore setups-->
			<Image condition="is">C:\Program Files\SMS_CCM\CcmExec.exe</Image> <!-- Microsoft: SCCM CUSTOM -->
			<Image condition="contains">\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe</Image> <!-- Microsoft: SSRS CUSTOM -->
			<Image condition="image">MsMpEng.exe</Image> <!-- Microsoft: Antimalware engine CUSTOM -->
			<TargetFilename condition="contains">C:\Program Files\Update Services\LogFiles\WSUSTemp</TargetFilename> <!-- Microsoft: WSUS CUSTOM -->
			<TargetFilename condition="contains"> C:\Windows\System32\LogFiles\Scm\</TargetFilename> <!-- Microsoft: SCM Logging CUSTOM -->
		</FileCreateTime>

	<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED [NetworkConnect]-->
		<!--COMMENT:	By default this configuration takes a very conservative approach to network logging, limited to only extremely high-signal events.-->
		<!--COMMENT:	[ https://attack.mitre.org/wiki/Command_and_Control ] [ https://attack.mitre.org/wiki/Exfiltration ] [ https://attack.mitre.org/wiki/Lateral_Movement ] -->
		<!--TECHNICAL:	For the DestinationHostname, Sysmon uses the GetNameInfo API, which will often not have any information, and may just be a CDN. This is NOT reliable for filtering.-->
		<!--TECHNICAL:	For the DestinationPortName, Sysmon uses the GetNameInfo API for the friendly name of ports you see in logs.-->
		<!--TECHNICAL:	These exe do not initiate their connections, and thus includes do not work in this section: BITSADMIN NLTEST-->
		
		<!-- https://www.first.org/resources/papers/conf2017/APT-Log-Analysis-Tracking-Attack-Tools-by-Audit-Policy-and-Sysmon.pdf -->

		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpV6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName-->
		<NetworkConnect onmatch="include">
		<!--COMMENT:	Takes a very conservative approach to network logging, limit to extremely high-signal events.-->
		<!--TECHNICAL:	For the DestinationHostname, Sysmon uses the GetNameInfo API, which may not always have the information or may be a CDN. Using that field is best-effort only.-->
		<!--TECHNICAL:	These exe's do not initiate their connections, and cannot be included: BITSADMIN-->
			<!--Suspicious sources-->
			<Image condition="begin with">C:\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
			<Image condition="begin with">C:\ProgramData</Image> <!--Normally, network communications should be sourced from "Program Files" not from ProgramData, something to look at-->
			<Image condition="begin with">C:\Windows\Temp</Image> <!--Suspicious anything would communicate from the system-level temp directory-->
			<Image condition="begin with">C:\Perflogs\</Image>
			<Image condition="contains">config\systemprofile\</Image>
			<Image condition="contains">\Windows\Fonts\</Image>
			<Image condition="contains">\Windows\IME\</Image>
			<Image condition="contains">\Windows\addins\</Image>
			<Image condition="contains">chrome.exe</Image>
			<Image condition="contains">iexplore.exe</Image>
			<Image condition="contains">firefox.exe</Image>
			<Image condition="contains">MicrosoftEdgeCP.exe</Image>
			<Image condition="contains">MicrosoftEdge.exe</Image>
			<Image condition="contains">explorer.exe</Image>
			<!--Suspicious sources for network-connecting binaries-->		   
			<Image condition="begin with">C:\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
			<Image condition="begin with">C:\ProgramData</Image> <!--Normally, network communications should be sourced from "Program Files" not from ProgramData, something to look at-->
			<Image condition="begin with">C:\Windows\Temp</Image> <!--Suspicious anything would communicate from the system-level temp directory-->
			<!--Suspicious Windows tools-->
			<Image condition="image">at.exe</Image> <!--Microsoft:Windows: Remote task scheduling, removed in Win10 | Credit @ion-storm -->
			<Image condition="image">certutil.exe</Image> <!--Microsoft:Windows: Certificate tool can contact outbound | Credit @ion-storm @FVT [ https://twitter.com/FVT/status/834433734602530817 ] -->
			<Image condition="image">cmd.exe</Image> <!--Microsoft:Windows: Remote command prompt-->
			<Image condition="image">cmstp.exe</Image> <!--Microsoft:Windows: Connection manager profiles can launch executables from WebDAV [ https://twitter.com/NickTyrer/status/958450014111633408 ] | Credit @NickTyrer @Oddvarmoe @KyleHanslovan @subTee -->
			<Image condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Cyb3rOps [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
			<Image condition="image">driverquery.exe</Image> <!--Microsoft:Windows: Remote recognisance of system configuration, oudated/vulnerable drivers -->
			<Image condition="image">dsquery.exe</Image> <!--Microsoft: Query Active Directory -->
			<Image condition="image">hh.exe</Image> <!--Microsoft:Windows: HTML Help Executable, opens CHM files -->
			<Image condition="image">infDefaultInstall.exe</Image> <!--Microsoft: [ https://github.com/huntresslabs/evading-autoruns ] | Credit @KyleHanslovan -->
			<Image condition="image">installutil.exe</Image>
			<Image condition="image">java.exe</Image> <!--Java: Monitor usage of vulnerable application and init from JAR files | Credit @ion-storm -->
			<Image condition="image">javaw.exe</Image> <!--Java: Monitor usage of vulnerable application and init from JAR files -->
			<Image condition="image">javaws.exe</Image> <!--Java: Monitor usage of vulnerable application and init from JAR files -->
			<Image condition="image">mmc.exe</Image> <!--Microsoft:Windows: -->
			<Image condition="image">msbuild.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
			<Image condition="image">mshta.exe</Image> <!--Microsoft:Windows: HTML application executes scripts without IE protections | Credit @ion-storm [ https://en.wikipedia.org/wiki/HTML_Application ] -->
			<Image condition="image">msiexec.exe</Image> <!--Microsoft:Windows: Can install from http:// paths | Credit @vector-sec -->
			<Image condition="image">nbtstat.exe</Image> <!--Microsoft:Windows: NetBIOS statistics, attackers use to enumerate local network -->
			<Image condition="image">net.exe</Image> <!--Microsoft:Windows: Note - May not detect anything, net.exe is a front-end to lower APIs | Credit @ion-storm -->
			<Image condition="image">net1.exe</Image> <!--Microsoft:Windows: Launched by "net.exe", but it may not detect connections either -->
			<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://secrary.com/ReversingMalware/CoinMiner/ ] [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
			<Image condition="image">nslookup.exe</Image> <!--Microsoft:Windows: Retrieve data over DNS -->
			<Image condition="image">powershell.exe</Image> <!--Microsoft:Windows: PowerShell interface-->
			<Image condition="image">qprocess.exe</Image> <!--Microsoft:Windows: [ https://www.first.org/resources/papers/conf2017/APT-Log-Analysis-Tracking-Attack-Tools-by-Audit-Policy-and-Sysmon.pdf ] -->
			<Image condition="image">qwinsta.exe</Image> <!--Microsoft:Windows: Query remote sessions | Credit @ion-storm -->
			<Image condition="image">qwinsta.exe</Image> <!--Microsoft:Windows: Remotely query login sessions on a server or workstation | Credit @ion-storm -->
			<Image condition="image">reg.exe</Image> <!--Microsoft:Windows: Remote Registry editing ability | Credit @ion-storm -->
			<Image condition="image">regsvcs.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/3f94d7080e6c5b8f59eeecc3d44f7e817b31562caeba21d02ad705a0bfc63d67?environmentId=100 ] -->
			<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
			<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
			<Image condition="image">rwinsta.exe</Image> <!--Microsoft:Windows: Disconnect remote sessions | Credit @ion-storm -->
			<Image condition="image">sc.exe</Image> <!--Microsoft:Windows: Remotely change Windows service settings | Credit @ion-storm -->
			<Image condition="image">schtasks.exe</Image> <!--Microsoft:Windows: Command-line interface to local and remote tasks -->															
			<Image condition="image">taskkill.exe</Image> <!--Microsoft:Windows: Kill processes, has remote ability -->	 
			<Image condition="image">C:\Windows\system32\svchost.exe</Image> <!--Windows Services hidden by Svchost.exe, BITS File Transfer program-->
			<Image condition="image">mshta.exe</Image>
			<Image condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
			<Image condition="contains">pskill</Image><!--Detect pskill-->
			<Image condition="contains">psshutdown</Image><!--Detect PsShutdown-->
			<Image condition="contains">psservice</Image><!--Detect PsService-->
			<Image condition="contains">PsPasswd</Image><!--Detect PsPasswd-->
			<Image condition="image">java.exe</Image>
			<Image condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->														   
			<Image condition="image">mstsc.exe</Image><!-- Remote Desktop -->
			<Image condition="image">telnet.exe</Image><!-- Telnet -->
			<Image condition="image">ssh.exe</Image><!-- SSH -->
			<Image condition="image">putty.exe</Image><!-- SSH -->
			<Image condition="image">kitty.exe</Image><!-- SSH -->
			<Image condition="image">kitty_portable.exe</Image><!-- SSH -->
			<Image condition="image">psftp.exe</Image><!-- SFTP -->
			<Image condition="image">net.exe</Image><!-- net use/net view-->														 
			<Image condition="image">auditpol.exe</Image><!-- Auditpol-->															   
			<Image condition="image">tasklist.exe</Image> <!--Microsoft:Windows: List processes, has remote ability -->
			<Image condition="image">wmic.exe</Image> <!--Microsoft:WindowsManagementInstrumentation: Credit @Cyb3rOps [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->													 
			<Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
			<!--Relevant 3rd Party Tools-->
			<Image condition="image">nc.exe</Image> <!-- Nmap's modern version of netcat [ https://nmap.org/ncat/guide/index.html#ncat-overview ] [ https://securityblog.gr/1517/create-backdoor-in-windows-with-ncat/ ] -->
			<Image condition="image">ncat.exe</Image> <!-- Nmap's modern version of netcat [ https://nmap.org/ncat/guide/index.html#ncat-overview ] [ https://securityblog.gr/1517/create-backdoor-in-windows-with-ncat/ ] -->
			<Image condition="image">psexec.exe</Image> <!--Sysinternals:PsExec client side | Credit @Cyb3rOps -->
			<Image condition="image">psexesvc.exe</Image> <!--Sysinternals:PsExec server side | Credit @Cyb3rOps -->
			<Image condition="image">tor.exe</Image> <!--Tor [ https://www.hybrid-analysis.com/sample/800bf028a23440134fc834efc5c1e02cc70f05b2e800bbc285d7c92a4b126b1c?environmentId=100 ] -->																	   
			<Image condition="image">vnc.exe</Image> <!-- VNC client | Credit @Cyb3rOps -->
			<Image condition="image">vncservice.exe</Image> <!-- VNC server | Credit @Cyb3rOps -->
			<Image condition="image">vncviewer.exe</Image> <!-- VNC client | Credit @Cyb3rOps -->
			<Image condition="image">winexesvc.exe</Image> <!-- Winexe service executable | Credit @Cyb3rOps -->
			<Image condition="image">nmap.exe</Image>									 
			<Image condition="image">psinfo.exe</Image>
			<!--Hack tools hosting-->
			<DestinationHostname condition="end with">githubusercontent.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
			<DestinationHostname condition="end with">github.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
			<!--Suspicious destinations-->
			<DestinationHostname condition="is">api.ipify.org</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname condition="is">whatismyipaddress.com</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname condition="is">edns.ip-api.com</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname condition="is">checkip.dyndns.org</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname condition="is">icanhazip.com</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname condition="is">ifconfig.me</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname condition="is">ifconfig.co</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname condition="is">ipaddress.com</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname condition="is">ipinfo.io</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname condition="end with">goo.gl</DestinationHostname>
			<DestinationHostname condition="end with">git.io</DestinationHostname>
			<DestinationHostname condition="end with">bit.ly</DestinationHostname>
			<DestinationHostname condition="end with">t.co</DestinationHostname>
			<DestinationHostname condition="end with">ow.ly</DestinationHostname>
			<!--Dynamic DNS Providers-->
			<DestinationHostname condition="end with">dlinkddns.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="end with">no-ip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="end with">no-ip.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="end with">no-ip.biz</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="end with">no-ip.info</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="end with">noip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="end with">afraid.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="end with">duckdns.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="end with">changeip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="end with">ddns.net</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="end with">hopto.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="end with">zapto.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="end with">servehttp.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="end with">sytes.net</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<!--Tor2Web Providers-->
			<DestinationHostname condition="end with">onion.to</DestinationHostname>
			<DestinationHostname condition="end with">onion.cab</DestinationHostname>
			<DestinationHostname condition="end with">onion.sh</DestinationHostname>
			<DestinationHostname condition="end with">onion.nu</DestinationHostname>
			<DestinationHostname condition="end with">onion.direct</DestinationHostname>
			<DestinationHostname condition="end with">tor2web.org</DestinationHostname>
			<DestinationHostname condition="end with">tor2web.fi</DestinationHostname>
			<DestinationHostname condition="end with">tor2web.blutmagie.de</DestinationHostname>
			<DestinationHostname condition="end with">tor-gateways.de</DestinationHostname>
			<DestinationHostname condition="end with">hiddenservice.net</DestinationHostname>
			
			<!--Ports: Suspicious-->
			<DestinationPort condition="is">22</DestinationPort> <!--SSH protocol, monitor admin connections-->																																					   
			<DestinationPort condition="is">23</DestinationPort> <!--Telnet protocol, monitor admin connections, insecure-->																														
			<DestinationPort condition="is">25</DestinationPort> <!--SMTP mail protocol port, insecure, used by threats-->																																			
			<DestinationPort condition="is">80</DestinationPort> <!--RDP Port-->			
			<DestinationPort condition="is">139</DestinationPort>  <!--SMB Port-->
			<DestinationPort condition="is">443</DestinationPort> <!--RDP Port-->
			<!--<DestinationPort condition="is">445</DestinationPort> SMB Port: Removed because of noise-->
			<DestinationPort condition="is">142</DestinationPort> <!--IMAP mail protocol port, insecure, used by threats-->																																			   
			<DestinationPort condition="is">3389</DestinationPort> <!--Microsoft:Windows:RDP: Monitor admin connections-->																																				   
			<DestinationPort condition="is">5800</DestinationPort> <!--VNC protocol: Monitor admin connections, often insecure-->																									   
			<DestinationPort condition="is">5900</DestinationPort> <!--VNC protocol Monitor admin connections, often insecure-->																																				  
			<DestinationPort condition="is">1194</DestinationPort> <!--OpenVPN Port-->
			<DestinationPort condition="is">1701</DestinationPort> <!--L2TP Port-->
			<DestinationPort condition="is">1723</DestinationPort> <!--Tor Port-->
			<DestinationPort condition="is">1293</DestinationPort> <!--IPSec Nat Traversal Port-->
			<DestinationPort condition="is">4500</DestinationPort> <!--Tor Port-->
			<DestinationPort condition="is">4443</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">2448</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">8143</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">1777</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">1443</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">243</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">65535</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">13506</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">3360</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">200</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">198</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">49180</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">13507</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">3360</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">6625</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">4444</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">4438</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">1904</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">13505</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">13504</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">12102</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">9631</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">5445</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">2443</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">777</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">13394</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">13145</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">12103</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">5552</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">3939</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">3675</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">666</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">473</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">5649</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">4455</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">4433</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">1817</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">100</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">65520</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">1960</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">1515</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">743</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">700</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">14154</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">14103</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">14102</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">12322</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">10101</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">7210</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">4040</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<DestinationPort condition="is">9943</DestinationPort> <!--Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -->
			<!--Ports: Proxy-->
			<DestinationPort condition="is">1080</DestinationPort> <!--Socks proxy port | Credit @ion-storm-->																																	   
			<DestinationPort condition="is">3128</DestinationPort> <!--Socks proxy port | Credit @ion-storm-->																													   
			<DestinationPort condition="is">8080</DestinationPort> <!--Socks proxy port | Credit @ion-storm-->																																		   
			<!--Ports: Tor-->
			<DestinationPort condition="is">1723</DestinationPort> <!--Tor protocol [ https://attack.mitre.org/wiki/Technique/T1090 ] | Credit @ion-storm-->																														
			<DestinationPort condition="is">4500</DestinationPort> <!--Tor protocol, also triggers on IPsec [ https://attack.mitre.org/wiki/Technique/T1090 ] | Credit @ion-storm-->
			<DestinationPort condition="is">9001</DestinationPort> <!--Tor protocol [ http://www.computerworlduk.com/tutorial/security/tor-enterprise-2016-blocking-malware-darknet-use-rogue-nodes-3633907/ ] -->
			<DestinationPort condition="is">9030</DestinationPort> <!--Tor protocol [ http://www.computerworlduk.com/tutorial/security/tor-enterprise-2016-blocking-malware-darknet-use-rogue-nodes-3633907/ ] -->
		</NetworkConnect>

		<NetworkConnect onmatch="exclude">
			<!--COMMENT: Unfortunately, these exclusions are very broad and easily abused, but it's a limitation of Sysmon rules that they can't be more specific as they're in user folders-->
			<Image condition="image">Spotify.exe</Image> <!--Spotify-->
			<Image condition="end with">AppData\Roaming\Dropbox\bin\Dropbox.exe</Image> <!--Dropbox-->
			<Image condition="image">g2ax_comm_expert.exe</Image> <!--GoToMeeting-->
			<Image condition="image">g2mcomm.exe</Image> <!--GoToMeeting-->
			<!--SECTION: Microsoft-->
			<Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive-->
			<Image condition="image">OneDriveStandaloneUpdater.exe</Image> <!--Microsoft:OneDrive-->
			<Image condition="end with">AppData\Local\Microsoft\Teams\current\Teams.exe</Image> <!--Microsoft: Teams-->
			<Image condition="is">C:\Windows\System32\dns.exe</Image> <!-- Exclude Microsoft DNS Server DNS requests -->
			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe</Image> <!-- Exclude Microsoft Exchange connecting to locahost -->
			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe</Image> <!--Exchange Transport-->
			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\EdgeTransport.exe</Image> <!--Exchange Edge Transport-->
			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe</Image>
			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe</Image>
			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe</Image>
			<Image condition="is">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
			<DestinationIsIpv6 condition="is">true </DestinationIsIpv6> <!-- IPv6 Exclusion: Re-Enable if you use ipv6 -->														 															
			<DestinationHostname condition="end with">microsoft.com</DestinationHostname> <!--Microsoft:Update delivery-->
			<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname> <!--Microsoft:Update delivery-->
			<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname> <!--Microsoft:Update delivery-->
			<Image condition="image">ConnectWise.exe</Image> <!--ConnectWise Noise-->
			<Image condition="image">ScreenConnect.WindowsClient.exe</Image> <!--ScreenConnect Noise-->
			<Image condition="end with">AppData\Roaming\Dashlane\Dashlane.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
			<Image condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
			<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--Vivaldi Browser Installed in User profile-->
			<DestinationHostname condition="end with">.search.msn.com</DestinationHostname> <!--Bing & Cortana Searches-->
			<DestinationHostname condition="end with">.wns.windows.com</DestinationHostname> <!-- Windows communication -->
			<DestinationHostname condition="end with">akamaitechnologies.com</DestinationHostname> <!-- CDN for Microsoft, Apple, Valve, & More -->
			<SourcePortName condition="is">llmnr</SourcePortName> <!--Silence Link-Local Multicast Name Resolution-->
			<SourcePortName condition="is">ldap</SourcePortName> <!--Silence LDAP-->
			<DestinationPortName condition="is">ldap</DestinationPortName> <!--Silence LDAP-->
			<SourcePortName condition="is">ntp</SourcePortName> <!--Silence NTP-->
			<DestinationPortName condition="is">ntp</DestinationPortName> <!--Silence NTP-->
			<DestinationPortName condition="is">llmnr</DestinationPortName> <!--Silence Link-Local Multicast Name Resolution-->
			<DestinationPortName condition="is">ssdp</DestinationPortName> <!--Simple Service Discovery Protocol (SSDP-->
			<SourcePortName condition="is">ssdp</SourcePortName> <!--Simple Service Discovery Protocol (SSDP-->
			<DestinationPort condition="is">5353</DestinationPort> <!--Bonjour/Avahi Discovery-->
			<DestinationPortName condition="is">netbios-ns</DestinationPortName> <!--Netbios DNS Resolution-->
			<DestinationPortName condition="is">netbios-dgm</DestinationPortName> <!--Netbios Datagram Services-->
			<DestinationHostname condition="end with">1e100.net</DestinationHostname> <!--Google Chrome Safe Search checks-->
			<DestinationPort condition="is">5228</DestinationPort> <!--Google Chrome Safe Search checks-->
			<DestinationPort condition="is">5357</DestinationPort> <!--WSD API noise-->
			<DestinationPort condition="is">3544</DestinationPort> <!--Teredo-->
			<DestinationPort condition="is">3702</DestinationPort> <!--Windows: WS-Discovery noise-->
			<DestinationPort condition="is">3702</DestinationPort> <!--Windows: WS-Discovery noise-->
			<SourcePort condition="is">50646</SourcePort> <!--Windows: WS-Discovery noise-->
			<Image condition="is">C:\Program Files (x86)\SmartGit\jre\bin\java.exe</Image>
			<Image condition="is">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image>
			
			<Image condition="end with">penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->
			<DestinationHostname condition="begin with">efolder01</DestinationHostname> <!-- eFolder Noise -->
			<DestinationPort condition="is">2080</DestinationPort><!--eFolder Noise -->
			<Image condition="end with">g2mcomm.exe</Image> <!-- gotomeeting noise -->
			<Image condition="is">C:\Program Files (x86)\LabTech Client\LTClient.exe</Image>
			<Image condition="is">C:\Windows\LTSvc\LTSVC.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
			<Image condition="begin with">C:\Program Files (x86)\SmartGit\</Image>
			<Image condition="end with">DSPro\Programs\pr001Celery98.exe</Image>
			<!-- Custom Entries -->
			<DestinationPortName condition="is">bootps</DestinationPortName> <!--DHCP-->
			<DestinationPortName condition="is">epmap</DestinationPortName> <!--RDP endpoint mapper (and DCOM)-->
			<SourcePortName condition="is">epmap</SourcePortName> <!--RDP endpoint mapper (and DCOM)-->
			<SourcePortName condition="is">dhcpv6-client</SourcePortName> <!--dhcp client-->
			<SourcePortName condition="is">dhcpv6-server</SourcePortName> <!--dhcp server-->
			<DestinationPortName condition="is">domain</DestinationPortName> <!--DNS-->
			<DestinationHostname condition="is">ems-nie8500</DestinationHostname> <!--Johnson controls-->
			<SourcePort condition="is">5040</SourcePort> <!-- Microsoft: WDS RPC -->
			<DestinationHostname condition="begin with">msdc</DestinationHostname> <!-- Domain Controller CUSTOM -->
			<DestinationHostname condition="begin with">sccm</DestinationHostname> <!-- SCCM CUSTOM -->
			<DestinationHostname condition="begin with">backup</DestinationHostname> <!-- backup server CUSTOM -->
			<Image condition="end with">AlertusDesktopAlert.exe</Image> <!-- Alertus -->
			<Image condition="end with">lync.exe</Image> <!-- Skype for Business -->
			<Image condition="end with">OUTLOOK.exe</Image> <!-- Microsoft Outlook -->
			<Image condition="end with">WINWORD.exe</Image> <!-- Microsoft Word -->
			<Image condition="end with">UcMapi.exe</Image> <!-- Microsoft Gobble-dee-gook -->
			<Image condition="is">C:\Program Files (x86)\Jenzabar JenzaMate\jre\bin\javaw.exe</Image> <!-- Jenzabar JenzaMate -->
		</NetworkConnect>

	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES-->

		<!--DATA: UtcTime, State, Version, SchemaVersion-->
		<!--Cannot be filtered.-->

	<!--SYSMON EVENT ID 5 : PROCESS ENDED [ProcessTerminate]-->
		<!--COMMENT:	Useful data in building infection timelines.-->

		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image-->
		<ProcessTerminate onmatch="include">
			<Image condition="begin with">C:\Users</Image> <!--Process terminations by user binaries-->
		</ProcessTerminate>

		<ProcessTerminate onmatch="exclude">
		</ProcessTerminate>

	<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
		<!--COMMENT:	Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
			about what you exclude from monitoring. Low event volume, little incentive to exclude.
			[ https://attack.mitre.org/wiki/Technique/T1014 ] -->
		<!--TECHNICAL:	Sysmon will check the signing certificate revocation status of any driver you don't exclude.-->

		<!--DATA: UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
		<DriverLoad onmatch="exclude">
			<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft drivers-->
			<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft drivers-->
			<Signature condition="begin with">Intel </Signature> <!--Exclude signed Intel drivers-->
			<Signature condition="contains">Lenovo</Signature> <!--Exclude signed Lenovo drivers-->
			<Signature condition="contains">Synaptic</Signature> <!--Exclude signed Synaptic drivers-->
			<Signature condition="contains">Nvidia</Signature> <!--Exclude signed Nvidia drivers-->
			<Signature condition="contains">Broadcom</Signature> <!--Exclude signed Broadcom drivers-->
			<Signature condition="contains">AMD</Signature> <!--Exclude signed AMD drivers-->
			<Signature condition="contains">VMware</Signature> <!--Exclude signed VMware drivers-->
			<Signature condition="contains">Realtek</Signature> <!--Exclude signed Realtek drivers-->
			<Signature condition="contains">Micro-Star</Signature> <!--Exclude signed MSI drivers-->
			<Signature condition="contains">Logitech</Signature> <!--Exclude signed Logitech drivers-->
			<Signature condition="contains">Asmedia</Signature> <!--Exclude signed Asmedia drivers-->
			<Signature condition="contains">SteelSeries</Signature> <!--Exclude signed MSI drivers-->
			<Signature condition="contains">Fortinet</Signature> <!--Exclude signed MSI drivers-->										   
		</DriverLoad>

	<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS [ImageLoad]-->
		<!--COMMENT:	Can cause high system load, disabled by default.-->
		<!--COMMENT:	[ https://attack.mitre.org/wiki/Technique/T1073 ] [ https://attack.mitre.org/wiki/Technique/T1038 ] [ https://attack.mitre.org/wiki/Technique/T1034 ] -->

		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
		<ImageLoad onmatch="include">
			<Signed condition="is">false</Signed> <!-- Lets Only show Unsigned DLL's loaded-->
			<SignatureStatus condition="is">Invalid</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
			<SignatureStatus condition="is">Unavailable</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
			<ImageLoaded condition="contains">C:\windows\system32\fxsst.dll </ImageLoaded> <!-- CIA Vault7 Leak: Fax DLL Injection -->
			<ImageLoaded condition="contains">C:\Windows\System32\wbem\oci.dll</ImageLoaded> <!-- CIA Vault7 Leak: Distributed Transaction Coordinator DLL Injection -->
			<!-- Mimikatz Detection -->
			<ImageLoaded condition="is">C:\Windows\System32\WinSCard.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
			<ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
			<ImageLoaded condition="is">C:\Windows\System32\hid.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
			<ImageLoaded condition="is">C:\Windows\System32\samlib.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
			<ImageLoaded condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
			<ImageLoaded condition="is">WMINet_Utils.dll</ImageLoaded> <!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
			<ImageLoaded condition="contains">\Temp\</ImageLoaded>
			<!-- END: Mimikatz Detection -->
			<!--COMMENT:	Can cause high system load, disabled by default, important examples included below.-->
			<!-- <ImageLoaded condition="contains">system.automation</ImageLoaded> -->
			<!-- <ImageLoaded condition="image">wshom.ocx</ImageLoaded> -->
			<!-- <ImageLoaded condition="image">vbscript.dll</ImageLoaded> -->
			<!-- <ImageLoaded condition="image">javascript.dll</ImageLoaded> -->
			<!-- <ImageLoaded condition="contains">msxml4</ImageLoaded> -->
			<!-- <ImageLoaded condition="image">hal.dll</ImageLoaded> -->
			<!-- <ImageLoaded condition="image">scrrun.dll</ImageLoaded> -->
			<!-- <ImageLoaded condition="contains">npjpi</ImageLoaded> -->
			<!-- <ImageLoaded condition="image">jp2iexp.dll</ImageLoaded> -->
			<!-- Mimikatz -->
			<!--NOTES: [ https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/ ] -->
			<!-- <ImageLoaded condition="image">wdigest.dll</ImageLoaded> -->
			<!-- Microsoft & Common Computer Vendor Exclusions -->
			<!-- Here are the exclude rules, were using include now :)
			<Signature condition="contains">Microsoft</Signature>
			<Signature condition="contains">Windows</Signature>
			<Signature condition="contains">Dell</Signature>
			<Signature condition="contains">Lenovo</Signature>
			<Signature condition="contains">HP</Signature>
			<Signature condition="contains">Micro-Star</Signature>
			<Signature condition="contains">MSI</Signature>
			<Signature condition="contains">Intel</Signature>
			<Signature condition="contains">AMD</Signature>
			<Signature condition="contains">Advanced Micro Devices</Signature>
			<Signature condition="contains">Broadcom</Signature>
			<Signature condition="contains">Realtek</Signature>
			<Signature condition="contains">VMware</Signature>
			<Signature condition="contains">Synaptic</Signature>
			<Signature condition="contains">Logitech</Signature>
			<Signature condition="contains">Steelseries</Signature>
			<Signature condition="contains">Cisco</Signature>
			<Signature condition="contains">Fortinet</Signature> -->										
		</ImageLoad>
		<ImageLoad onmatch="exclude">
			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
			<Image condition="is">C:\Windows\System32\mmc.exe</Image>
			<ImageLoaded condition="contains">C:\Program Files (x86)\SmartGit</ImageLoaded> <!--SmartGit-->
			<ImageLoaded condition="contains">syntevo\SmartGit</ImageLoaded> <!--SmartGit-->
			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image> <!-- Windows Store apps unsigned -->
			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
			<Image condition="begin with">C:\Program Files</Image> <!-- NOTICE: Not good for security but good on cutting down the noise, we do log dropped dll's -->
			<ImageLoaded condition="contains">C:\Windows\assembly\NativeImages</ImageLoaded> <!-- Event Viewer -->
			<ImageLoaded condition="contains">C:\Program Files\WindowsApps</ImageLoaded> <!-- Windows Store Apps: Apparently most dll's here are unsigned and causes noise -->
			<!-- Custom App Exclusions -->
			<ImageLoaded condition="is">C:\Program Files (x86)\AutoSizer\AutoSizer.dll</ImageLoaded> <!-- I use autosizer to re-arrange my windows -->
			<ImageLoaded condition="contains">C:\Program Files (x86)\Notepad++</ImageLoaded> <!--Notepad++ Plugins Are unsigned-->
			<Image condition="is">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image> <!-- eFolder SyncedTool -->
			<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Server loading unsigned dll's -->
			<Image condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</Image> <!-- Microsoft: SMS/WMI CUSTOM -->
			<ImageLoaded condition="is">C:\Program Files\Bonjour\mdnsNSP.dll</ImageLoaded> <!-- Apple: Bonjour CUSTOM -->
			<ImageLoaded condition="contains">mscss7cm_en.dub</ImageLoaded> <!-- Microsoft: Office CUSTOM -->
			<ImageLoaded condition="contains">mscss7wre_en.dub</ImageLoaded> <!-- Microsoft: Office CUSTOM -->
			<ImageLoaded condition="contains">PROOF\MSSP7EN.LEX</ImageLoaded> <!-- Microsoft: Office CUSTOM -->
			<ImageLoaded condition="is">C:\Program Files (x86)\IBM\Informix\Client-SDK\bin\igo4n304.dll</ImageLoaded> <!-- IBM Informix Driver CUSTOM -->
			<Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image> <!-- VMware VMtools daemon CUSTOM -->
			<ImageLoaded condition="contains">VMware\VMware Tools\sigc-2.0.dll</ImageLoaded> <!-- VMware VMtools daemon CUSTOM -->
			<Image condition="contains">\Jenzamate\JenzaMate.exe</Image> <!-- JenzaMate CUSTOM -->
			<Image condition="contains">\Jenzamate\jre\bin\javaw.exe</Image> <!-- JenzaMate CUSTOM -->
			<ImageLoaded condition="begin with">C:\Program Files (x86)\IBM\Informix\Client-SDK\</ImageLoaded> <!-- IBM Informix CUSTOM -->
			<Image condition="begin with">C:\Program Files (x86)\Jenzabar JenzaMate\</Image> <!-- JenzaMate CUSTOM -->
			<Image condition="end with">:\Windows\System32\LogonUI.exe</Image> <!-- Microsoft: Logon GINA CUSTOM -->
			<ImageLoaded condition="end with">:\Windows\System32\cryptdll.dll</ImageLoaded> <!-- Microsoft: Cryptography Manager CUSTOM -->
		</ImageLoad>

	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]-->
		<!--COMMENT:	Monitor for processes injecting code into other processes. Often used by malware to cloak their actions. Also when Firefox loads Flash.
		[ https://attack.mitre.org/wiki/Technique/T1055 ] -->

		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->
		<CreateRemoteThread onmatch="exclude">
			<!--COMMENT: Exclude mostly-safe sources and log anything else.-->
			<SourceImage condition="is">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\wininit.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\csrss.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\services.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\winlogon.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\audiodg.exe</SourceImage>
			<StartModule condition="is">C:\Windows\system32\kernel32.dll</StartModule>
			<TargetImage condition="end with">Google\Chrome\Application\chrome.exe</TargetImage>
			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\System32\rdpclip.exe</SourceImage> <!-- RDS rdclip CUSTOM -->
			<TargetImage condition="is">C:\Windows\CCM\SCNotification.exe</TargetImage> <!-- Microsoft: CCM CUSTOM -->
			<SourceImage condition="is">C:\Windows\SysWOW64\wbem\WmiPrvSE.exe</SourceImage> <!-- Microsoft: Wmi CUSTOM -->
		</CreateRemoteThread>

	<!--SYSMON EVENT ID 9 : RAW DISK ACCESS [RawAccessRead]-->
		<!--EVENT 9: "RawAccessRead detected"-->
		<!--COMMENT:	Can cause high system load, disabled by default.-->
		<!--COMMENT:	Monitor for raw sector-level access to the disk, often used to bypass access control lists or access locked files.
			Disabled by default since including even one entry here activates this component. Reward/performance/rule maintenance decision.
			Encourage you to experiment with this feature yourself. [ https://attack.mitre.org/wiki/Technique/T1067 ] -->
		<!--COMMENT:	You will likely want to set this to a full capture on domain controllers, where no process should be doing raw reads.-->

		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, Device-->
		<RawAccessRead onmatch="include">
		</RawAccessRead>

	<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS [ProcessAccess]-->
		<!--EVENT 10: "Process accessed"-->
		<!--COMMENT:	Can cause high system load, disabled by default.-->
		<!--COMMENT:	Monitor for processes accessing other process' memory.-->

		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
		<ProcessAccess onmatch="include">
		<!--COMMENT:	Monitor for processes accessing other process' memory. This can be valuable, but can cause massive event glut.
				Disabled by default since including even one entry here activates this component. Reward/performance decision.
				Encourage you to experiment with this feature yourself.
				Uses 4mbs+ IO -->
			<!-- Hancitor process hollowing -->
			<!-- <SourceImage condition="image">winword.exe</SourceImage> -->
			<!-- <SourceImage condition="image">excel.exe</SourceImage> -->
			<!-- <SourceImage condition="image">mspub.exe</SourceImage> -->
			<!-- <SourceImage condition="image">msbuild.exe</SourceImage> -->
			<!-- <SourceImage condition="image">powerpnt.exe</SourceImage> -->
			<!-- <SourceImage condition="contains">powershell.exe</SourceImage> -->
			<!-- ShellCode Spawned from Office Macros Credit: @JohnLaTwC -->
			<!-- <CallTrace condition="contains">VBE7.dll</CallTrace> -->
			<!-- <CallTrace condition="contains">VBE6.dll</CallTrace> -->
 			<!--Include mimikatz-specific events.-->
			<!-- <TargetImage condition="contains">C:\Windows\System32\lsass.exe</TargetImage> -->
			<!-- <TargetImage condition="contains">C:\Windows\System32\winlogon.exe</TargetImage> -->
			<!--MimiKatz Detection Credit: @Cyb3rWard0g: https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html -->
			<!-- <CallTrace condition="contains">WinSCard.dll</CallTrace>  -->
			<!-- <CallTrace condition="contains">cryptdll.dll</CallTrace> -->
			<!-- <CallTrace condition="contains">hid.dll</CallTrace> -->
			<!-- <CallTrace condition="contains">samlib.dll</CallTrace> -->
			<!-- <CallTrace condition="contains">vaultcli.dll</CallTrace> -->
			<!-- <CallTrace condition="contains">WMINet_Utils.dll</CallTrace> -->
			<!-- END: Mimikatz Detection -->
		</ProcessAccess>
		<!--<ProcessAccess onmatch="exclude"> -->
			<!-- <SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage> -->
			<!-- <SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage> -->
			<!-- <TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage> -->
			<!-- <TargetImage condition="is">C:\Windows\Sysmon.exe</TargetImage> -->
			<!-- ShellCode Spawned from Office Macros: Credit: @JohnLaTwC -->
			<!-- <CallTrace condition="excludes">UNKNOWN</CallTrace> -->
			<!-- ScreenConnect Querying lsass/winlogon SPAM -->
			<!-- <SourceImage condition="contains">C:\Program Files (x86)\ScreenConnect Client</SourceImage> -->
		<!--</ProcessAccess> -->

	<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
		<!--EVENT 11: "File created"-->
		<!--NOTE:	Other filesystem "minifilters" can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
		<!--NOTE:	You may not see files detected by antivirus. Other filesystem minifilters, like antivirus, can act before Sysmon receives the alert a file was written.-->
		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
		<FileCreate onmatch="include">
			<TargetFilename condition="contains">\Start Menu</TargetFilename> <!--Microsoft:Windows: Startup links and shortcut modification [ https://attack.mitre.org/wiki/Technique/T1023 ] -->
			<TargetFilename condition="contains">\Startup\</TargetFilename> <!--Microsoft:Office: Changes to user's auto-launched files and shortcuts-->
			<TargetFilename condition="contains">\Content.Outlook\</TargetFilename> <!--Microsoft:Outlook: attachments-->
			<TargetFilename condition="contains">\Downloads\</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->																											 
			<TargetFilename condition="end with">.dll</TargetFilename> <!-- Lets detect DLL's being dropped in locations and to detect DLL Search Order Hijacking -->
			<TargetFilename condition="end with">.sys</TargetFilename> <!-- Lets detect Drivers's being dropped in locations -->																																					  
			<TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
			<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
			<TargetFilename condition="end with">.chm</TargetFilename>
			<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
			<TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
			<TargetFilename condition="end with">.exe</TargetFilename> <!--Executable-->
			<TargetFilename condition="end with">.jar</TargetFilename> <!--Java applets-->
			<TargetFilename condition="end with">.jnlp</TargetFilename> <!--Java applets-->
			<TargetFilename condition="end with">.jse</TargetFilename> <!--Scripting [ Example: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Phires-C/detailed-analysis.aspx ] -->
			<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
			<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
			<TargetFilename condition="end with">.sys</TargetFilename> <!--System driver files-->
			<TargetFilename condition="end with">.scr</TargetFilename> <!--System driver files-->
			<TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting-->											
			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
			<TargetFilename condition="end with">.xlsm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
			<TargetFilename condition="end with">proj</TargetFilename><!--Microsoft:MSBuild:Script: More information: https://twitter.com/subTee/status/885919612969394177-->
			<TargetFilename condition="end with">.sln</TargetFilename><!--Microsoft:MSBuild:Script: More information: https://twitter.com/subTee/status/885919612969394177-->
			<TargetFilename condition="begin with">C:\Users\Default</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
			<TargetFilename condition="begin with">C:\Windows\system32\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
			<TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
			<TargetFilename condition="begin with">C:\Windows\system32\GroupPolicy\Machine\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
			<TargetFilename condition="begin with">C:\Windows\system32\GroupPolicy\User\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
			<TargetFilename condition="begin with">C:\Windows\system32\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
			<TargetFilename condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
			<TargetFilename condition="begin with">C:\Windows\system32\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
			<TargetFilename condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
			<TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks [ https://attack.mitre.org/wiki/Technique/T1053 ] -->
			<TargetFilename condition="begin with">C:\Windows\system32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks [ https://attack.mitre.org/wiki/Technique/T1053 ] -->
			<!--Windows application compatibility-->
			<TargetFilename condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename> <!--Microsoft:Windows: Application compatibility shims [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
			<TargetFilename condition="contains">VirtualStore</TargetFilename> <!--Microsoft:Windows: UAC virtualization [ https://blogs.msdn.microsoft.com/oldnewthing/20150902-00/?p=91681 ] -->																			   
			<!--Exploitable file names-->
			<TargetFilename condition="end with">.xls</TargetFilename> <!--Legacy Office files are often used for attacks-->
			<TargetFilename condition="end with">.ppt</TargetFilename> <!--Legacy Office files are often used for attacks-->
			<TargetFilename condition="end with">.rft</TargetFilename> <!--RTF files often 0day malware vectors when opened by Office-->
			<TargetFilename condition="end with">.reg</TargetFilename> <!--Registry files-->
			<TargetFilename condition="end with">.docm</TargetFilename> <!--Office Macros-->
			<TargetFilename condition="end with">.xlsm</TargetFilename> <!--Office Macros-->
			<TargetFilename condition="end with">.xlam</TargetFilename> <!--Office Macros-->
			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Office Macros-->
			<TargetFilename condition="end with">.potm</TargetFilename> <!--Office Macros-->
			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Office Macros-->
			<TargetFilename condition="end with">.sldm</TargetFilename> <!--Office Macros-->
			<TargetFilename condition="end with">.scf</TargetFilename> <!--Explorer Command File-->
			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--ClickOnce Application-->
			<TargetFilename condition="end with">.rdp</TargetFilename> <!--Remote Desktop file-->
			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
			<TargetFilename condition="end with">.*proj</TargetFilename><!--Microsoft:MSBuild:Script More information: https://twitter.com/subTee/status/885919612969394177-->
			<TargetFilename condition="end with">.sln</TargetFilename><!--Microsoft:MSBuild:Script More information: https://twitter.com/subTee/status/885919612969394177-->																												 
			<TargetFilename condition="begin with">C:\Users\Default</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
			<TargetFilename condition="begin with">C:\Windows\System32\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
			<TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
			<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
			<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
			<TargetFilename condition="begin with">C:\Windows\System32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks-->
			<TargetFilename condition="begin with">C:\Windows\System32\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
			<TargetFilename condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
			<TargetFilename condition="begin with">C:\Windows\System32\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
			<TargetFilename condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
			<TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks -->
			<TargetFilename condition="begin with">C:\Windows\System32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks -->
			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
			<TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename> <!--Microsoft: Files dropped here -->
			<!--SECTION: Ransomware-->
			<TargetFilename condition="contains">help_decrypt</TargetFilename>
			<TargetFilename condition="contains">help_restore</TargetFilename>
			<TargetFilename condition="contains">ReadDecryptFilesHere</TargetFilename>
			<TargetFilename condition="contains">howto_recover_file</TargetFilename>
			<TargetFilename condition="contains">recover_file_</TargetFilename>
			<TargetFilename condition="contains">Recovery_file_</TargetFilename>
			<TargetFilename condition="contains">how_to_decrypt</TargetFilename>
			<TargetFilename condition="contains">encryptor_raas_readme_liesmich</TargetFilename>
			<TargetFilename condition="contains">_how_recover_</TargetFilename>
			<TargetFilename condition="contains">HOWTO_RESTORE_FILES_</TargetFilename>
			<TargetFilename condition="contains">help_my_files</TargetFilename>
			<TargetFilename condition="contains">how_recover</TargetFilename>
			<TargetFilename condition="contains">HELP_TO_SAVE_FILES</TargetFilename>
			<TargetFilename condition="contains">DECRYPT_INSTRUCTIONS</TargetFilename>
			<TargetFilename condition="contains">YOUR_FILES.url</TargetFilename>
			<TargetFilename condition="contains">Coin.Locker.txt</TargetFilename>
			<TargetFilename condition="contains">_secret_code.txt</TargetFilename>
			<TargetFilename condition="contains">Decrypt_readme.txt</TargetFilename>
			<TargetFilename condition="contains">INSTUCCIONES_DESCRIFRADO</TargetFilename>
			<TargetFilename condition="contains">FILESAREGONE.txt</TargetFilename>
			<TargetFilename condition="contains">IAMREADYTOPAY.TXT</TargetFilename>
			<TargetFilename condition="contains">HELLOTHERE.TXT</TargetFilename>
			<TargetFilename condition="contains">READTHISNOW!!!.txt</TargetFilename>
			<TargetFilename condition="contains">SECRETIDHERE.KEY</TargetFilename>
			<TargetFilename condition="contains">IHAVEYOURSECRET.KEY</TargetFilename>
			<TargetFilename condition="contains">SECRET.KEY</TargetFilename>
			<TargetFilename condition="contains">HELPDECRYPT_YOUR_FILES.HTML</TargetFilename>
			<TargetFilename condition="contains">RECOVERY_FILES.TXT</TargetFilename>
			<TargetFilename condition="contains">RECOVERY_FILE.</TargetFilename>
			<TargetFilename condition="contains">HowtoRestore_Files</TargetFilename>
			<TargetFilename condition="contains">restorefiles</TargetFilename>
			<TargetFilename condition="contains">howrecover+</TargetFilename>
			<TargetFilename condition="contains">recoveryfile</TargetFilename>
			<TargetFilename condition="contains">help_recover_instructions</TargetFilename>
			<TargetFilename condition="contains">_Locky_recover</TargetFilename>
			<TargetFilename condition="contains">_ReCoVeRy_</TargetFilename>
			<!--SECTION: Certificates -->
			<TargetFilename condition="contains">.pem</TargetFilename>
			<TargetFilename condition="contains">.crt</TargetFilename>
			<TargetFilename condition="contains">.ca-bundle</TargetFilename>
			<TargetFilename condition="contains">.cer</TargetFilename>
			<TargetFilename condition="contains">.csr</TargetFilename>
			<TargetFilename condition="contains">.der</TargetFilename>
			<TargetFilename condition="contains">.p7b</TargetFilename>
			<TargetFilename condition="contains">.p7r</TargetFilename>
			<TargetFilename condition="contains">.p7s</TargetFilename>
			<TargetFilename condition="contains">.pfx</TargetFilename>
			<TargetFilename condition="contains">.sto</TargetFilename>
			<TargetFilename condition="contains">.p12</TargetFilename>
			<TargetFilename condition="contains">.crl</TargetFilename>
			<TargetFilename condition="contains">.sst</TargetFilename>
			<TargetFilename condition="contains">.key</TargetFilename>
			<!--SECTION: CIA Vault7 Leak -->
			<TargetFilename condition="contains">.mht</TargetFilename> <!-- Vault7 CIA Leak: Possible malformed file will escape IE sandbox -->
			<TargetFilename condition="contains">.cpl</TargetFilename> <!-- Vault7 CIA Leak: Control Panel Persistence -->
			<TargetFilename condition="contains">.scr</TargetFilename> <!-- Vault7 CIA Leak: Screensaver Persistence -->
			<TargetFilename condition="contains">.manifest</TargetFilename>
			<TargetFilename condition="contains">.inf</TargetFilename> <!-- Vault7 CIA Leak: Sandworm: Uses INF File to bypass UAC on windows 7 -->
			<TargetFilename condition="contains">HammerDrillStatus.dll</TargetFilename> <!-- Vault7 CIA Leak: HammerDrill DLL -->
			<!--SECTION: Mimikatz-->
			<!--Default-disable <TargetFileName condition="end with">.kirbi</TargetFileName> --> <!-- [ https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos ] -->
		</FileCreate>

		<FileCreate onmatch="exclude">
			<TargetFilename condition="begin with">C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates\</TargetFilename> <!--Microsoft:Windows: taskhostw re-creates certificate store constantly-->
			<TargetFilename condition="end with">\Downloads</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
			<TargetFilename condition="end with">\Start Menu</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
			<TargetFilename condition="end with">\Start Menu\Programs</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
			<TargetFilename condition="end with">\Start Menu\Programs\Startup</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->																													 
			<TargetFilename condition="contains">\Microsoft\Windows\INetCache\IE</TargetFilename> <!-- Microsoft:Windows: Creates thousands of files including new profiles -->
			<Image condition="is">\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates</Image>
			<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost -->
			<!--SECTION: Microsoft-->
			<Image condition="contains">C:\Windows\System32\svchost.exe</Image> <!-- Microsoft:Windows: Svchost creating thousands of files, creating new profiles on TS's -->
			<Image condition="contains">C:\Windows\System32\smss.exe</Image> <!-- Microsoft:Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
			<Image condition="is">C:\Program Files (x86)\EMET 5.5\EMET_Service.exe</Image> <!--Microsoft:EMET: Writes to C:\Windows\AppPatch\-->
			<!--SECTION: Microsoft:Office-->
			<TargetFilename condition="is">C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask</TargetFilename>
			<!--SECTION: Microsoft:Office:Click2Run-->
			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!-- Microsoft:Office Click2Run-->
			<!--SECTION: Microsoft:Windows-->
			<Image condition="is">C:\Windows\system32\smss.exe</Image> <!-- Microsoft:Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
			<Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image> <!-- Microsoft:Windows: Windows 10 app, creates tons of cache files-->
			<Image condition="is">\\?\C:\Windows\system32\wbem\WMIADAP.EXE</Image> <!-- Microsoft:Windows: WMI Performance updates-->
			<Image condition="is">C:\Windows\system32\mobsync.exe</Image> <!--Microsoft:Windows: Network file syncing-->
			<TargetFilename condition="begin with">C:\Windows\system32\DriverStore\Temp\</TargetFilename> <!-- Microsoft:Windows: Temp files by DrvInst.exe-->
			<TargetFilename condition="begin with">C:\Windows\system32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe-->
			<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost-->
			<TargetFilename condition="begin with">C:\Windows\Installer\</TargetFilename> <!--Microsoft:Windows:Installer: Ignore MSI installer files caching-->
			<!--SECTION: Microsoft:Windows:Updates-->
			<TargetFilename condition="begin with">C:\$WINDOWS.~BT\Sources\</TargetFilename> <!-- Microsoft:Windows: Feature updates containing lots of .exe and .sys-->
			<Image condition="begin with">C:\Windows\winsxs\amd64_microsoft-windows</Image> <!-- Microsoft:Windows: Windows update-->
			<!--SECTION: Dell-->
			<Image condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</Image>
			<!--SECTION: Intel-->
			<Image condition="is">C:\Windows\system32\igfxCUIService.exe</Image> <!--Intel: Drops bat and other files in \Windows in normal operation-->
			<!--SECTION: Adobe-->
			<TargetFilename condition="is">C:\Windows\System32\Tasks\Adobe Acrobat Update Task</TargetFilename>
			<TargetFilename condition="is">C:\Windows\System32\Tasks\Adobe Flash Player Updater</TargetFilename>
			<!--SECTION: Custom-->
			<Image condition="is">C:\Windows\system32\wbem\wmiprvse.exe</Image> <!-- Microsoft: SMS/WMI CUSTOM -->
			<TargetFilename condition="contains">:\Windows\System32\LogFiles\Scm\</TargetFilename> <!-- Microsoft: SCM Logging CUSTOM -->
			<Image condition="is">C:\Program Files\Microsoft Configuration Manager\bin\x64\smsexec.exe</Image> <!-- Microsoft: SCCM CUSTOM -->
			<TargetFilename condition="contains">Sources\wsus\WsusContent</TargetFilename> <!-- Microsoft: WSUS CUSTOM --> 
			<TargetFilename condition="contains">:\Windows\System32\spool\PRINTERS\</TargetFilename> <!-- Microsoft: Print spooler CUSTOM -->
			<TargetFilename condition="contains">:\Windows\System32\spool\V4Dirs\</TargetFilename> <!-- Microsoft: Print spooler CUSTOM -->																									 
			<Image condition="is">C:\Windows\system32\sppsvc.exe</Image> <!-- Microsoft: stuff CUSTOM -->
			<Image condition="is">\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates</Image>
			<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost -->
			<TargetFilename condition="begin with">C:\Windows\System32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe -->
			<TargetFilename condition="begin with">C:\Windows\System32\DriverStore\Temp\</TargetFilename> <!-- Microsoft:Windows: Temp files by DrvInst.exe-->
			<TargetFilename condition="begin with">C:\Windows\System32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe-->
			<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost-->
			<Image condition="is">C:\Windows\system32\sppsvc.exe</Image> <!-- Microsoft: stuff CUSTOM -->
			<TargetFilename condition="end with">.SQM</TargetFilename> <!-- Ignore Exchange files created -->
			<TargetFilename condition="end with">.SPL</TargetFilename> <!-- Ignore Spooled Print Jobs -->
			<TargetFilename condition="end with">.SHD</TargetFilename> <!-- Ignore Spooled Print Jobs -->																											
			<!--SECTION: Microsoft:Windows:Updates-->
			<TargetFilename condition="begin with">C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\</TargetFilename> <!-- Microsoft:Windows: Feature updates containing lots of .exe and .sys-->
			<TargetFilename condition="end with">.etl</TargetFilename> <!-- Microsoft:Windows: Logs and Trace files -->
			<TargetFilename condition="end with">.log</TargetFilename> <!-- Microsoft:Windows: Logs and Trace files -->
			<Image condition="begin with">C:\WINDOWS\winsxs\amd64_microsoft-windows</Image> <!-- Microsoft:Windows: Windows update-->
			<Image condition="begin with">Firefox Setup </Image> <!-- Firefox:Installer -->
			<TargetFilename condition="is">C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive</TargetFilename> <!--Powershell spam!-->
			<TargetFilename condition="is">C:\Windows\System32\config\netlogon.ftl</TargetFilename> <!-- Microsoft:Windows: Domain login cache-->
			<Image condition="is">\\?\C:\Windows\system32\wbem\WMIADAP.EXE</Image><!-- Microsoft:Windows: WMI Performance updates-->
			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image><!-- Microsoft:Office Click2Run-->
			<Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image><!-- Microsoft:Windows: Windows 10 app, creates tons of cache files-->
			<Image condition="is">C:\Program Files\Microsoft SQL Server\110\LocalDB\Binn\sqlservr.exe</Image><!-- Microsoft:SQL Server: Creating tons of files-->
			<Image condition="is">C:\Windows\System32\smss.exe</Image><!-- Microsoft:Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
			<Image condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</Image><!-- MSI: Helpdesk Updater-->
			<Image condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</Image><!-- MSI: Dragon Center Updater-->
			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image><!-- VMware:vSphere: Creates .cmdline apps in appdata\*\Temp-->
			<!--SECTION: Dell-->
			<Image condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</Image>
			<!--SECTION: Intel-->
			<Image condition="is">C:\Windows\system32\igfxCUIService.exe</Image> <!--Intel: Drops bat and other files in \Windows in normal operation-->
			<!--SECTION: Chrome Noise-->
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlUws.store_new</TargetFilename>
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlMalBin.store_new</TargetFilename>
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlMalware.store_new</TargetFilename>
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlSoceng.store_new</TargetFilename>
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\ChromeExtMalware.store_new</TargetFilename>
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\ChromeFilenameClientIncident.store_new</TargetFilename>
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\ChromeUrlClientIncident.store_new</TargetFilename>
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\IpMalware.store_new</TargetFilename>
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlSubresourceFilter.store_new</TargetFilename>
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlCsdWhitelist.store_new</TargetFilename>
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlCsdDownloadWhitelist.store_new</TargetFilename>
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\CertCsdDownloadWhitelist.store_new</TargetFilename>
										  
		</FileCreate>

	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->
		<!--EVENT 12: "Registry object added or deleted"-->
		<!--EVENT 13: "Registry value set-->
		<!--EVENT 14: "Registry objected renamed"-->

		<!--NOTE:	Windows writes hundreds or thousands of registry keys a minute, so just because you're not changing things, doesn't mean these rules aren't being run.-->
		<!--NOTE:	You do not have to spend a lot of time worrying about performance, CPUs are fast, but it's something to consider. Every rule and condition type has a small cost.-->
		<!--NOTE:	"contains" works by finding the first letter, then matching the second, etc, so the first letters should be as low-occurrence as possible.-->
		<!--NOTE:	[ https://attack.mitre.org/wiki/Technique/T1112 ] -->

		<!--TECHNICAL:	You cannot filter on the "Details" attribute, due to performance issues when very large keys are written, and variety of data formats-->
		<!--TECHNICAL:	Possible prefixes are HKLM, HKCR, and HKU-->
		<!--CRITICAL:	Schema version 3.30 and higher change HKLM\="\REGISTRY\MACHINE\" and HKU\="\REGISTRY\USER\" and HKCR\="\REGISTRY\MACHINE\SOFTWARE\Classes\" and CurrentControlSet="ControlSet001"-->
		<!--CRITICAL:	Due to a bug, Sysmon versions BEFORE 7.01 may not properly log with the new prefix style for registry keys that was originally introduced in schema version 3.30-->
		<!--NOTE:	Because Sysmon runs as a service, it has no filtering ability for, or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation-->

		<!-- ! CRITICAL NOTE !:	It may appear this section is MISSING important entries, but SOME RULES MONITOR MANY KEYS, so look VERY CAREFULLY to see if something is already covered.-->

		<!--DATA: EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, Details (can't filter on), NewName (can't filter on)-->
		<RegistryEvent onmatch="include">
			<!--Autorun or Startups-->
				<!--ADDITIONAL REFERENCE: [ http://www.ghacks.net/2016/06/04/windows-automatic-startup-locations/ ] -->
				<!--ADDITIONAL REFERENCE: [ https://view.officeapps.live.com/op/view.aspx?src=https://arsenalrecon.com/downloads/resources/Registry_Keys_Related_to_Autorun.ods ] -->
				<!--ADDITIONAL REFERENCE: [ http://www.silentrunners.org/launchpoints.html ] -->
				<!--ADDITIONAL REFERENCE: [ https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2 ] -->
			<TargetObject condition="contains">CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Wildcard for Run keys, including RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server] -->
			<TargetObject condition="contains">Policies\Explorer\Run</TargetObject> <!--Microsoft:Windows: Alternate runs keys | Credit @ion-storm-->
			<TargetObject condition="contains">Group Policy\Scripts</TargetObject> <!--Microsoft:Windows: Group policy scripts-->
			<TargetObject condition="contains">Windows\System\Scripts</TargetObject> <!--Microsoft:Windows: Wildcard for Logon, Loggoff, Shutdown-->
			<TargetObject condition="contains">\Microsoft\System\Scripts</TargetObject> <!--Microsoft:Windows: Legacy Logon, Loggoff, Shutdown Scripts-->
			<TargetObject condition="contains">CurrentVersion\Windows\Load</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
			<TargetObject condition="contains">CurrentVersion\Windows\Run</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
			<TargetObject condition="contains">CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/ms838576(v=winembedded.5).aspx ] -->
			<TargetObject condition="contains">CurrentVersion\Winlogon\System</TargetObject> <!--Microsoft:Windows [ https://www.exterminate-it.com/malpedia/regvals/zlob-dns-changer/118 ] -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify</TargetObject> <!--Microsoft:Windows: Autorun location [ https://attack.mitre.org/wiki/Technique/T1004 ] [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://technet.microsoft.com/en-us/library/ee851671.aspx ] -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Microsoft:Windows: Legacy driver loading | Credit @ion-storm -->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject> <!--Microsoft:Windows: Automatic program crash debug program [ https://www.symantec.com/security_response/writeup.jsp?docid=2007-050712-5453-99&tabid=2 ] -->
			<TargetObject condition="contains">UserInitMprLogonScript</TargetObject> <!--Microsoft:Windows: Legacy logon script environment variable [ http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ ] -->
			<!--Services-->
			<TargetObject condition="end with">\ServiceDll</TargetObject> <!--Microsoft:Windows: Points to a service's DLL [ https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services ] -->
			<TargetObject condition="end with">\ServiceManifest</TargetObject> <!--Microsoft:Windows: Manifest pointing to service's DLL [ https://www.geoffchappell.com/studies/windows/win32/services/svchost/index.htm ] -->
			<TargetObject condition="end with">\ImagePath</TargetObject> <!--Microsoft:Windows: Points to a service's EXE [ https://attack.mitre.org/wiki/Technique/T1050 ] -->
			<TargetObject condition="end with">\Start</TargetObject> <!--Microsoft:Windows: Services start mode changes (Disabled, Automatically, Manual)-->
			<!--CLSID launch commands and Default File Association changes-->
			<TargetObject condition="contains">\Explorer\FileExts\</TargetObject> <!--Microsoft:Windows: Changes to file extension mapping-->
			<TargetObject condition="contains">shell\open\command\</TargetObject> <!--Microsoft:Windows: Sensitive sub-key under file associations and CLSID that map to launch command-->
			<TargetObject condition="contains">shell\open\ddeexec\</TargetObject> <!--Microsoft:Windows: Sensitive sub-key under file associations and CLSID that map to launch command-->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</TargetObject> <!-- Print Monitor DLL's loaded at startup can be malicious, lets monitor those -->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages</TargetObject>  <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
			<TargetObject condition="begin with">HKLM\HARDWARE\ACPI\DSDT</TargetObject> <!--Detect ACPI Rootkits -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location -->
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\Execute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
			<TargetObject condition="begin with">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Microsoft:Windows: Legacy driver loading | Credit @ion-storm -->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject><!--Microsoft:Windows: Legacy Autorun may exist in server 2003-2008-->
			<TargetObject condition="begin with">HKLM\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
			<TargetObject condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
			<TargetObject condition="begin with">HKLU\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
			<TargetObject condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject> <!-- Windows Debugger Hijack Autorun -->
			<!--CLSID launch commands and file association changes-->																																													   
			<TargetObject condition="contains">shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive sub-key under file associations and CLSID that map to launch command-->
			<TargetObject condition="contains">Explorer\FileExts\</TargetObject> <!--Microsoft:Windows: Changes to file extension mapping-->
			<TargetObject condition="contains">{86C86720-42A0-1069-A2E8-08002B30309D}</TargetObject> <!--Microsoft:Windows: Tooltip handler-->
			<TargetObject condition="contains">exefile</TargetObject> <!--Microsoft:Windows Executable handler, to ensure any changes not generally monitored, for less-common shell command types like "runas"-->
			<!--Windows COM-->
			<TargetObject condition="end with">\InprocServer32\(Default)</TargetObject> <!--Microsoft:Windows:COM Object Hijacking [ https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence ] | Credit @ion-storm -->
			<!--Windows shell visual modifications-->
			<TargetObject condition="end with">\Hidden</TargetObject> <!--Microsoft:Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event -->
			<TargetObject condition="end with">\ShowSuperHidden</TargetObject> <!--Microsoft:Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ] -->
			<TargetObject condition="end with">\HideFileExt</TargetObject> <!--Microsoft:Windows:Explorer: Some malware hides file extensions to make diagnosis/disinfection more daunting to novice users -->
			<!--Windows shell hijack and modifications-->
			<TargetObject condition="contains">Classes\*\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
			<TargetObject condition="contains">Classes\AllFilesystemObjects\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
			<TargetObject condition="contains">Classes\Directory\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
			<TargetObject condition="contains">Classes\Drive\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
			<TargetObject condition="contains">Classes\Folder\</TargetObject> <!--Microsoft:Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
			<TargetObject condition="contains">ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
			<TargetObject condition="contains">CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
			<!--AppPaths hijacking-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
			<!--Terminal service boobytrap-->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject> <!--Microsoft:Windows:RDP: Note other Terminal Server run keys are handled by another wildcard already-->
			<!--Terminal service boobytraps-->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>			   
			<!--Group Policy integrity-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject> <!--Microsoft:Windows: Group Policy internally uses a plug-in architecture that nothing should be modifying-->
			<!--Winsock and Winsock2-->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
			<TargetObject condition="end with">\ProxyServer</TargetObject> <!--Microsoft:Windows: System and user proxy server-->
			<!--Credential providers-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credential Providers and Credential Provider Filters-->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1131 ] [ https://attack.mitre.org/wiki/Technique/T1101 ] -->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject> <!--Microsoft:Windows: Netsh helper DLL [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
			<!--Networking-->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> <!--Microsoft:Windows: | Credit @ion-storm -->
			<TargetObject condition="end with">\EnableFirewall</TargetObject> <!--Microsoft:Windows: Monitor for firewall disablement, all firewall profiles [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject condition="end with">\DoNotAllowExceptions</TargetObject> <!--Microsoft:Windows: Monitor for firewall disablement, all firewall profiles [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject> <!--Windows Firewall authorized applications for all networks| Credit @ion-storm -->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List</TargetObject> <!--Windows Firewall authorized applications for domain networks -->
			<!--DLLs that get injected into every process at launch-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: Feature disabled by default [ https://attack.mitre.org/wiki/Technique/T1103 ] -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows:  Feature disabled by default [ https://attack.mitre.org/wiki/Technique/T1103 ] -->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] [ https://blog.comodo.com/malware/trojware-win32-trojanspy-volisk-a/ ] -->
			<!--Office-->
			<TargetObject condition="contains">Microsoft\Office\Outlook\Addins\</TargetObject> <!--Microsoft:Office: Outlook add-ins, access to sensitive data and often cause issues-->
			<TargetObject condition="contains">Office Test\</TargetObject> <!-- Microsoft:Office: Persistence method [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn -->
			<TargetObject condition="contains">Security\Trusted Documents\TrustRecords</TargetObject> <!--Microsoft:Office: Monitor when "Enable editing" or "Enable macros" is used | Credit @OutflankNL | [ https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/ ] -->
			<TargetObject condition="contains">\Microsoft\Office\Word\Addins\</TargetObject> <!--Microsoft:Office: Word add-ins-->
			<TargetObject condition="contains">\Microsoft\Office\Powerpoint\Addins\</TargetObject> <!--Microsoft:Office: Powerpoint add-ins-->
			<!--IE-->
			<TargetObject condition="contains">Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ Example: https://www.exterminate-it.com/malpedia/remove-mywebsearch ] -->
			<TargetObject condition="contains">Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ Example: https://www.exterminate-it.com/malpedia/remove-mywebsearch ] -->
			<TargetObject condition="contains">Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
			<TargetObject condition="end with">\DisableSecuritySettingsCheck</TargetObject>
			<TargetObject condition="end with">\3\1206</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
			<TargetObject condition="end with">\3\2500</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
			<TargetObject condition="end with">\3\1809</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
			<!--Magic registry keys-->
			<TargetObject condition="contains">\Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->																																																													 
			<TargetObject condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject> <!--Microsoft:Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
			<!--Install/Infection artifacts-->
			<TargetObject condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: Source URL is stored in this value [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
			<TargetObject condition="end with">\InstallSource</TargetObject> <!--Microsoft:Windows: Source folder for certain program and component installations-->
			<!--Windows UAC tampering-->
			<TargetObject condition="end with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject> <!--Detect: UAC Tampering | Credit @ion-storm -->
			<TargetObject condition="end with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject> <!--Detect: UAC Tampering | Credit @ion-storm -->
			<!--Microsoft Security Center tampering | Credit @ion-storm -->
			<TargetObject condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth</TargetObject> <!--Microsoft:Windows:Security Center: Malware sometimes disables [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
			<!--Windows application compatibility-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Microsoft:Windows: AppCompat [ https://attack.mitre.org/wiki/Technique/T1138 ] -->
			<TargetObject condition="contains">VirtualStore</TargetObject> <!--Microsoft:Windows: Registry virtualization [ https://msdn.microsoft.com/en-us/library/windows/desktop/aa965884(v=vs.85).aspx ] -->
			<!--Windows internals integrity monitoring-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject> <!--Microsoft:Windows: Malware likes changing IFEO, like adding Debugger to disable antivirus EXE-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject> <!--Microsoft:Windows: Event log system integrity and ACLs-->																													   
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject> <!--Microsoft:Windows: Services approved to load in safe mode-->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
			<TargetObject condition="end with">\FriendlyName</TargetObject> <!--Microsoft:Windows: New devices connected and remembered-->
			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged, useful for timeline matching with other events-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32</TargetObject> <!--Microsoft:Windows: Malware sometimes disables tracing to obfuscate tracks-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject> <!--Microsoft:Windows: Event log system integrity and ACLs-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Detect Legacy Driver loading-->
			<!--Common Malware Persistence locations-->
			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
			<TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunService</TargetObject>
			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
			<TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
			<TargetObject condition="begin with">HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Classes\ CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32</TargetObject>
			<!--Group Policy Scripts-->
			<TargetObject condition="begin with">HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
			<TargetObject condition="begin with">HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
			<TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
			<TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
			<!--Detect Network History-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
			<TargetObject condition="end with">Domain</TargetObject><!--Networking: Watch Domain Changes-->
			<TargetObject condition="end with">DefaultGateway</TargetObject><!--Networking: Detect changes-->
			<TargetObject condition="end with">DHCPDefaultGateway</TargetObject><!--Networking: Detect changes-->
			<TargetObject condition="end with">DhcpIPAddress</TargetObject><!--Networking: Detect changes-->
			<TargetObject condition="end with">DhcpNameserver</TargetObject><!--Networking: Detect changes-->
			<TargetObject condition="end with">Dhcpserver</TargetObject><!--Networking: Detect changes-->
			<TargetObject condition="end with">DhcpSubnetMask</TargetObject><!--Networking: Detect changes-->
			<TargetObject condition="end with">SubnetMask</TargetObject><!--Networking: Detect changes-->
			<TargetObject condition="end with">PersistentRoutes</TargetObject><!--Networking: Detect persistent routes-->
			<!--Detect User Activity-->
			<TargetObject condition="begin with">HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
			<!--Detect Threats from Webroot Antivirus-->
			<!--Active threats show like so: c:\users\JohnDoe\downloads\w10privacy\w10privacy.exe|W32.Backdoor.Gen|5880BC38 Reg Key Location: HKLM\SOFTWARE\WOW6432Node\WRData\Threats\Active-->
			<TargetObject condition="contains">\WRData\Threats\Active</TargetObject><!--Detect Active Threats-->
			<TargetObject condition="contains">\WRData\Threats\History</TargetObject><!--Detect Threat History & Auto-Removed Threats-->
			<!--Detect Changes to Proxy Server Setting-->
			<TargetObject condition="contains">HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
			<!--Detect Browser Hijackers-->
			<TargetObject condition="begin with">HKCU\Software\Microsoft\Internet Explorer\DOMStorage\</TargetObject>
			<TargetObject condition="begin with">HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\</TargetObject>
			<TargetObject condition="begin with">HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage</TargetObject>
			<!--Detect Unauthorized Firewall Changes-->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject> <!--Check for apps added to Firewall Auth List-->
			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject> <!--Detect: UAC Tampering-->
			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject> <!--Detect: UAC Tampering-->
			<!--Detect Malware & Unauthorized Changes to Outlook, Excel, Powerpoint, and Access Security to enable execution of scripts/Macros -->
			<TargetObject condition="contains">\Security\Level</TargetObject>
			<TargetObject condition="contains">\Security\Level1Remove</TargetObject>
			<!--Detect if Microsoft Security Center is Disabled or Enabled-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
			<!--Detect if Windows Defender is Disabled-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable</TargetObject>
			<!-- Detect Root Certificate Store Hijacking and Unauthorized changes -->
			<!-- Lots of noise from multiple locations, need a better monitor
			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates</TargetObject>
			<TargetObject condition="begin with">HKCU\Software\Policies\Microsoft\SystemCertificates</TargetObject>
			<TargetObject condition="begin with">HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates</TargetObject>
			<TargetObject condition="begin with">HKCU\SOFTWARE\Microsoft\EnterpriseCertificates</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\SystemCertificates</TargetObject>
			<TargetObject condition="begin with">HKCU\SOFTWARE\Microsoft\SystemCertificates</TargetObject>
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\CertSvc</TargetObject>
			-->
			<!-- Other Stuff -->	
			<TargetObject condition="begin with">HKCU\Software\Classes\mscfile\shell\open\command</TargetObject> <!-- Fileless Bypass of UAC: http://resources.infosecinstitute.com/new-born-macro-malware-dropping-rootkits-using-fileless-infection-vector -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject><!--Identify Rogue Scheduled Task ID's -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon</TargetObject><!--Identify Rogue Scheduled Task ID's added to Logon -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot</TargetObject><!--Identify Rogue Scheduled Task ID's added to Boot -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
			<TargetObject condition="contains">\comfile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
			<TargetObject condition="contains">\htafile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
			<TargetObject condition="contains">\batfile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
			<TargetObject condition="contains">\piffile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
			<TargetObject condition="contains">\exefile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
			<TargetObject condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> <!-- Detect: UAC Bypass via sdclt: https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ -->
			<TargetObject condition="contains">\piffile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
			<TargetObject condition="contains">\regfile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
			<TargetObject condition="contains">\mscfile\shell\open\command</TargetObject> <!-- Detect: Event Viewer UAC Bypass: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ -->
			<TargetObject condition="contains">\InprocServer32</TargetObject> <!--Detect: COMObject Hijacking: https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence -->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject> <!--Microsoft:Windows: Services approved to load in safe mode-->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
			<TargetObject condition="end with">\FriendlyName</TargetObject> <!--Microsoft:Windows: New devices connected and remembered-->
			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged-->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject> <!-- Detect Keyloggers & new Keyboards -->
			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{955C0D7D-042E-4034-9D54-EBD52477A6DB}\</TargetObject> <!--Too much noise -->
			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{BEACC58F-E643-4e97-B19E-95F6EE3500FA}\</TargetObject> <!--Too much noise -->
			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{07598BD3-ABBE-4bee-959F-7B90253EADFF}\</TargetObject> <!--Too much noise -->
			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{31240348-66EE-4F14-A42A-39F373A834C7}\</TargetObject> <!--Too much noise -->
			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{8C8EC235-0786-4DAD-A957-1A6CD76C28F5}\</TargetObject> <!--Too much noise -->
			<!-- NOTICE: Detect New USB Network Devices: Poison Tap - Creates lots of noise, disabled for now
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
			-->																																			  
		</RegistryEvent>

		<RegistryEvent onmatch="exclude">
		<!--COMMENT:	Remove low-information noise. Often these hide a procress recreating an empty key and do not hide the values created subsequently.-->
			<!--SECTION: Microsoft binaries-->
			<Image condition="end with">Office\root\integration\integrator.exe</Image> <!--Microsoft:Office: C2R client-->
			<Image condition="is">C:\Windows\system32\backgroundTaskHost.exe</Image> <!--Microsoft:Windows: Changes association registry keys-->
			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</Image> <!--Microsoft:Office: C2R client-->
			<Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image> <!--Microsoft:Windows:Defender-->
			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office15\lync.exe</Image> <!-- Lync Adding registry values to network adapter.. facepalm -->
			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>																							   																																														
			<TargetObject condition="contains">Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\</TargetObject> <!-- Edge Extensions Creating Reg entries on launch -->
			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office15\lync.exe</Image> <!-- Lync Adding registry values to network adapter.. facepalm -->																							   
			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image> <!--Microsoft:Cortana-->
			<Image condition="is">C:\Program Files (x86)\EMET 5.5\EMET_Service.exe</Image> <!--Microsoft:EMET: Routinely refreshes EMET configuration keys from Group Policy-->
			<!--Misc-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Schedule\TaskCache\Tree\Optimize Start Menu Cache Files-</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Schedule\TaskCache\Tree\User_Feed_Synchronization-</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject> <!--SvcHost Noise-->		  
			<TargetObject condition="end with">Toolbar\WebBrowser</TargetObject> <!--Microsoft:IE: Extraneous activity-->
			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Height</TargetObject> <!--Microsoft:IE: Extraneous activity-->
			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Layout</TargetObject> <!--Microsoft:IE: Extraneous activity-->
			<TargetObject condition="end with">Toolbar\ShellBrowser\ITBar7Layout</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
			<TargetObject condition="end with">Internet Explorer\Toolbar\Locked</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
			<TargetObject condition="end with">Toolbar\WebBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93}</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
			<TargetObject condition="end with">ShellBrowser</TargetObject> <!--Microsoft:InternetExplorer: Noise-->
			<TargetObject condition="end with">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Run" wildcard-->
			<TargetObject condition="end with">\CurrentVersion\RunOnce</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Run" wildcard-->
			<TargetObject condition="end with">\CurrentVersion\App Paths</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\App Paths" wildcard-->
			<TargetObject condition="end with">\CurrentVersion\Image File Execution Options</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Image File Execution Options" wildcard-->
			<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Cached</TargetObject> <!--Microsoft:Windows: Remove noise from the "\CurrentVersion\Shell Extensions\Cached" wildcard-->
			<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Approved</TargetObject> <!--Microsoft:Windows: Remove noise from the "\CurrentVersion\Shell Extensions\Approved" wildcard-->
			<TargetObject condition="end with">}\PreviousPolicyAreas</TargetObject> <!--Microsoft:Windows: Remove noise from \Winlogon\GPExtensions by svchost.exe-->
			<TargetObject condition="contains">\Control\WMI\Autologger\</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
			<TargetObject condition="end with">\Lsa\OfflineJoin\CurrentValue</TargetObject> <!--Microsoft:Windows: Sensitive value during domain join-->
			<TargetObject condition="end with">\Components\TrustedInstaller\Events</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
			<TargetObject condition="end with">\Components\TrustedInstaller</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
			<TargetObject condition="end with">\Components\Wlansvc</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
			<TargetObject condition="end with">\Components\Wlansvc\Events</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\</TargetObject> <!--Microsoft:Windows: Remove noise monitoring installations run as system-->
			<TargetObject condition="end with">\Directory\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
			<TargetObject condition="end with">\Directory\shellex\DragDropHandlers</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
			<TargetObject condition="end with">\Drive\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
			<TargetObject condition="end with">\Drive\shellex\DragDropHandlers</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
			<TargetObject condition="contains">_Classes\AppX</TargetObject> <!--Microsoft:Windows: Remove noise monitoring "Shell\open\command"--> <!--Win8+-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject> <!--Microsoft:Windows: SvcHost Noise-->
			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image> <!--Microsoft:Windows: Remove noise from Windows 10 Cortana | Credit @ion-storm--> <!--Win10-->
			<Image condition="is">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe</Image>
			<!--Bootup Control noise-->
			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaPid</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise-->
			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
			<TargetObject condition="end with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
			<!--Services startup settings noise, some low-risk services routinely change it and this can be ignored-->
			<TargetObject condition="end with">\services\bits\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
			<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_32\Start</TargetObject> <!--Microsoft:dotNet: Windows 7-->
			<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_64\Start</TargetObject> <!--Microsoft:dotNet: Windows 7-->
			<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_32\Start</TargetObject> <!--Microsoft:dotNet: Windows 10-->
			<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_64\Start</TargetObject> <!--Microsoft:dotNet: Windows 10-->
			<TargetObject condition="end with">\services\deviceAssociationService\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
			<TargetObject condition="end with">\services\fhsvc\Start</TargetObject> <!--Microsoft:Windows: File History Service-->
			<TargetObject condition="end with">\services\nal\Start</TargetObject> <!--Intel: Network adapter diagnostic driver-->
			<TargetObject condition="end with">\services\trustedInstaller\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
			<TargetObject condition="end with">\services\tunnel\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
			<TargetObject condition="end with">\services\usoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
			<!--FileExts noise filtering-->
			<TargetObject condition="contains">\OpenWithProgids</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
			<TargetObject condition="end with">\OpenWithList</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
			<TargetObject condition="end with">\UserChoice</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
			<TargetObject condition="end with">\UserChoice\ProgId</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"--> <!--Win8+-->
			<TargetObject condition="end with">\UserChoice\Hash</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"--> <!--Win8+-->
			<TargetObject condition="end with">\OpenWithList\MRUList</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
			<TargetObject condition="end with">} 0xFFFF</TargetObject> <!--Microsoft:Windows: Remove noise generated by explorer.exe on monitored ShellCached binary keys--> <!--Win8+-->
			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image><!--Microsoft:Windows Remove noise from Windows 10 Cortana--> <!--Win10 -->
			<!--Group Policy noise-->
			<TargetObject condition="end with">HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups</TargetObject> <!--Microsoft:Windows: Routinely set through Group Policy, not especially important to log-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\PSScriptOrder</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\SOM-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\GPO-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\IsPowershell</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\ExecTime</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\PSScriptOrder</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\SOM-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\GPO-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\IsPowershell</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\ExecTime</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="contains">\safer\codeidentifiers\0\HASHES\{</TargetObject> <!--Microsoft:Windows: Software Restriction Policies. Can be used to disable security tools, but very noisy to monitor if you use it-->
			<!--SECTION: 3rd party-->
			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image>
			<TargetObject condition="contains">HKLM\System\CurrentControlSet\Services\DeviceAssociationService\Start</TargetObject><!--Device Association Service Noise-->
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}\</TargetObject><!-- HD Audio Noise-->
			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe</Image> <!--VMWare: Horizon View Client Noise-->
			<Image condition="is">C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe</Image> <!--PGP: Noise-->
			<!--SECTION: Labtech-->
			<TargetObject condition="end with">\LTSvcMon\Start</TargetObject>
			<TargetObject condition="end with">\LTService\Start</TargetObject>
			<!--SECTION: ShadowProtect-->
			<TargetObject condition="contains">{F2C2787D-95AB-40D4-942D-298F5F757874}</TargetObject>
			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image> <!--Constantly writes to HKLM-->
			<!-- Search Protocol Host & Sysmon spam the SystemCertificates keystores, adding exclusions below -->
			<Image condition="is">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports</TargetObject> <!-- Spooler Noise -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnotice</TargetObject> <!-- Group Policy spam -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\</TargetObject>
			<TargetObject condition="begin with">HKCU\Software\Policies\Microsoft\SystemCertificates\</TargetObject>
			<TargetObject condition="begin with">HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\</TargetObject>
			<TargetObject condition="begin with">HKCU\SOFTWARE\Microsoft\EnterpriseCertificates\</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\SystemCertificates\</TargetObject>																
			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image> <!--Constantly writes to HKLM-->
			<TargetObject condition="begin with">HKCR\VLC.</TargetObject> <!--VLC update noise-->
			<TargetObject condition="begin with">HKCR\iTunes.</TargetObject> <!--Apple: iTunes update noise-->
			<!--SECTION: CUSTOM-->
			<Image condition="is">C:\Program Files\Microsoft Configuration Manager\bin\x64\smsexec.exe</Image> <!-- Microsoft: SCCM service CUSTOM -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\SMS\Identification\</TargetObject> <!-- Microsoft: SCCM/SMS CUSTOM -->
			<Image condition="is">C:\Windows\CCM\UpdateTrustedSites.exe</Image> <!-- Microsoft: ZoneMap CUSTOM -->
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\</TargetObject> <!-- Network Adapter changes CUSTOM -->
			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!-- Win Installers CUSTOM -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\</TargetObject> <!-- Microsoft: Task Scheduler CUSTOM -->
			<Image condition="is">C:\Windows\System32\spoolsv.exe</Image> <!-- Microsoft: Print Spooler CUSTOM -->
			<Image condition="is">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image> <!-- Adobe: Crap CUSTOM -->
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Enum\SWD\PRINTENUM\</TargetObject> <!-- Microsoft: RDS Printer redirection CUSTOM -->
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\DeviceClasses\</TargetObject> <!-- Microsoft: RDS Printer redirection CUSTOM -->
			<Image condition="end with">:\Program Files (x86)\Microsoft SQL Server\130\Tools\Binn\ManagementStudio\Ssms.exe</Image> <!-- Microsoft: SSRS CUSTOM -->
			<Image condition="begin with">C:\Program Files (x86)\Microsoft Office\Office</Image> <!-- Microsoft: Office CUSTOM -->
			<Image condition="is">C:\Windows\system32\wbem\wmiprvse.exe</Image> <!-- Microsoft: Wmi CUSTOM -->
			<Image condition="is">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe</Image> <!-- Adobe: crap CUSTOM -->
			<Image condition="is">C:\Windows\System32\RuntimeBroker.exe</Image> <!-- Microsoft: Runtime Broker CUSTOM -->
		</RegistryEvent>

	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
		<!--EVENT 15: "File stream created"-->
		<!--COMMENT:	Any files created with an NTFS Alternate Data Stream which match these rules will be hashed and logged.
			[ https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/ ]
			ADS's are used by browsers and email clients to mark files as originating from the Internet or other foreign sources.
			[ https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/ ] -->
		<!--NOTE: Other filesystem minifilters can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->

		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, Hash-->
		<FileCreateStreamHash onmatch="include">
			<TargetFilename condition="contains">Content.Outlook</TargetFilename> <!--Microsoft:Outlook: Attachments--> <!--PRIVACY WARNING-->
			<TargetFilename condition="contains">Downloads</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
			<TargetFilename condition="contains">Temp\7z</TargetFilename> <!--7zip extractions-->
			<TargetFilename condition="contains">Startup</TargetFilename> <!--ADS startup | Example: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
			<TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->																
			<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
			<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting | Credit @ion-storm -->								 
			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
			<TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
			<TargetFilename condition="end with">.exe</TargetFilename> <!--Executable-->
			<TargetFilename condition="end with">.dll</TargetFilename> <!--Executable-->
			<TargetFilename condition="end with">.sys</TargetFilename> <!--Executable-->															  
			<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
			<TargetFilename condition="end with">.lnk</TargetFilename> <!--Shortcut file | Credit @ion-storm -->
			<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell-->
			<TargetFilename condition="end with">.ps2</TargetFilename> <!--PowerShell-->
			<TargetFilename condition="end with">.reg</TargetFilename> <!--Registry File-->
			<TargetFilename condition="end with">.jse</TargetFilename> <!--Registry File-->
			<TargetFilename condition="end with">.vb</TargetFilename> <!--VisualBasicScripting files-->
			<TargetFilename condition="end with">.xlam</TargetFilename> <!--Office Macros-->
			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Office Macros-->
			<TargetFilename condition="end with">.potm</TargetFilename> <!--Office Macros-->
			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Office Macros-->
			<TargetFilename condition="end with">.sldm</TargetFilename> <!--Office Macros-->
			<TargetFilename condition="end with">.scf</TargetFilename> <!--Explorer Command File-->
			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--ClickOnce Application-->																	
			<TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting files-->
			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting files-->
			<TargetFilename condition="end with">.js</TargetFilename> <!--Java-->
			<!--SECTION: Certificates -->
			<TargetFilename condition="contains">.pem</TargetFilename>
			<TargetFilename condition="contains">.crt</TargetFilename>
			<TargetFilename condition="contains">.ca-bundle</TargetFilename>
			<TargetFilename condition="contains">.cer</TargetFilename>
			<TargetFilename condition="contains">.csr</TargetFilename>
			<TargetFilename condition="contains">.der</TargetFilename>
			<TargetFilename condition="contains">.p7b</TargetFilename>
			<TargetFilename condition="contains">.p7r</TargetFilename>
			<TargetFilename condition="contains">.p7s</TargetFilename>
			<TargetFilename condition="contains">.pfx</TargetFilename>
			<TargetFilename condition="contains">.sto</TargetFilename>
			<TargetFilename condition="contains">.p12</TargetFilename>
			<TargetFilename condition="contains">.crl</TargetFilename>
			<TargetFilename condition="contains">.sst</TargetFilename>
			<TargetFilename condition="contains">.key</TargetFilename>
			<!--SECTION: CIA Vault7 Leak -->
			<TargetFilename condition="contains">.mht</TargetFilename> <!-- Possible malformed file will escape IE sandbox -->
			<TargetFilename condition="contains">.manifest</TargetFilename>
			<TargetFilename condition="contains">.cpl</TargetFilename> <!-- Vault7 CIA Leak: Control Panel Persistence -->
			<TargetFilename condition="contains">.scr</TargetFilename> <!-- Vault7 CIA Leak: Screensaver Persistence -->
			<TargetFilename condition="contains">.inf</TargetFilename> <!-- Vault7 CIA Leak: Sandworm: Uses INF File to bypass UAC on windows 7 -->
		</FileCreateStreamHash>

		<FileCreateStreamHash onmatch="exclude">
		</FileCreateStreamHash>

	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE-->
		<!--EVENT 16: "Sysmon config state changed"-->
		<!--COMMENT:	This ONLY logs if the hash of the configuration changes. Running "sysmon.exe -c" with the current configuration will not be logged with Event 16-->
		
		<!--DATA: UtcTime, Configuration, ConfigurationFileHash-->
		<!--Cannot be filtered.-->

	<!--SYSMON EVENT ID 17 & 18 : PIPE CREATED / PIPE CONNECTED [PipeEvent]-->
		<!--EVENT 17: "Pipe Created"-->
		<!--EVENT 18: "Pipe Connected"-->

		<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
		<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->

		<!--DATA: UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
		<PipeEvent onmatch="include">
		</PipeEvent>
		
		<PipeEvent onmatch="exclude">
			<!--COMMENT: Exclude known-good pipe users-->
				<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
				<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
			<!--SECTION: Microsoft-->
			<PipeName condition="contains">lsass</PipeName>
			<PipeName condition="is">\SQLLocal\RTCLOCAL</PipeName>
			<Image condition="is">C:\Program Files\Microsoft Configuration Manager\bin\x64\smsexec.exe</Image> <!-- SCCM/SMS agent CUSTOM -->
			<Image condition="is">C:\Program Files\Microsoft Configuration Manager\bin\x64\cmupdate.exe</Image> <!-- SCCM/SMS update agent CUSTOM -->
			<Image condition="is">c:\windows\system32\inetsrv\w3wp.exe</Image> <!-- IIS/WDS Imaging CUSTOM -->
			<Image condition="is">C:\Windows\System32\inetsrv\w3wp.exe</Image> <!-- IIS/WDS Imaging CUSTOM -->
			<PipeName condition="is">\SQLLocal\MSSQLSERVER</PipeName> <!-- SQL Server CUSTOM -->
			<PipeName condition="is">\SQLLocal\ADK</PipeName> <!-- SQL Server CUSTOM -->
			<Image condition="is">C:\Windows\system32\wbem\wmiprvse.exe</Image> <!-- SMS/WMI CUSTOM -->
			<Image condition="end with">slack.exe</Image>
			<Image condition="is">C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe</Image> <!-- Backup Exec CUSTOM -->
			<Image condition="is">C:\Program Files (x86)\RdpGuard\rdpguard-svc.exe</Image> <!-- RDP Guard CUSTOM -->
			<PipeName condition="contains">\com.Yammer.YammerDesktop</PipeName> <!-- Microsoft: Yammer CUSTOM -->
			<PipeName condition="is">\winreg</PipeName> <!-- CUSTOM -->
			<Image condition="end with">:\Windows\System32\tssdis.exe</Image> <!-- Microsoft: Terminal Services Session Broker Service CUSTOM -->
			<PipeName condition="is">\HydraLsPipe</PipeName> <!-- Microsoft: Terminal Services Licensing Server CUSTOM -->
			<PipeName condition="is">\MICROSOFT##WID\tsql\query</PipeName> <!-- Microsoft: Server internal database CUSTOM -->
			<Image condition="end with">:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image> <!-- Adobe: Crap CUSTOM -->
			<PipeName condition="begin with">\AIPC_SRV\AcroSBL</PipeName> <!-- Adobe: more of their crap CUSTOM -->
			<PipeName condition="begin with">\ACROCOMM\ACTWIN</PipeName> <!-- Adobe: more of their crap CUSTOM -->
			<Image condition="begin with">C:\Program Files (x86)\Microsoft Office\Office</Image> <!-- Microsoft: Office CUSTOM -->
			<Image condition="begin with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader</Image> <!-- Adobe: crap CUSTOM -->
			<Image condition="is">C:\Windows\System32\svchost.exe</Image> <!-- Microsoft: svchost CUSTOM -->
			<!--SECTION: Microsoft IIS -->
			<PipeName condition="begin with">\M.E.C.Core.WinRMDataCommunicator.NamedPipe.</PipeName>
			<Image condition="is">c:\windows\system32\inetsrv\w3wp.exe</Image>
			<Image condition="is">C:\Windows\syswow64\snmp.exe</Image>
			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\BIN\OWSTIMER.EXE</Image>
			<!--SECTION: Microsoft Exchange Server -->
			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\ParserServer\ParserServer.exe</Image>
			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe</Image>
			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe</Image>
			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Worker.exe</Image>
			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\NodeRunner.exe</Image>
			<!--SECTION: Microsoft DNS Server -->
			<Image condition="is">C:\Windows\system32\dns.exe</Image>
			<!--SECTION: Microsoft SQL Server -->
			<Image condition="is">C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe</Image>
			<!--SECTION: Microsoft Skype For Business Server -->
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exee</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\OCSMCU\AV Conferencing\AVMCUSvc.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Health Agent\HealthAgent.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\LysSvc.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\File Transfer Agent\FileTransferAgent.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Web Conferencing\DataMCUSvc.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Application Host\OcsAppServerHost.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\ABServer.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Master Replicator Agent\MasterReplicatorAgent.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\OCSMCU\IM Conferencing\IMMCUSvc.exe</Image>
			<Image condition="is">C:\Program Files\Common Files\Skype for Business Server 2015\ClsAgent\ClsAgent.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\ReplicationApp.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\OCSMCU\Application Sharing\ASMCUSvc.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Replica Replicator Agent\ReplicaReplicatorAgent.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exe</Image>
			<!--SECTION: Microsoft DFS Replication -->
			<Image condition="is">C:\Windows\system32\DFSRs.exee</Image>
			<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows</Image>
			<Image condition="is">C:\Windows\system32\SearchProtocolHost.exe</Image>
			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</Image>
			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe</Image>
			<Image condition="is">C:\Windows\System32\LxRun.exe</Image> <!--Bash On Windows -->
			<PipeName condition="contains">vmware-</PipeName>
			<Image condition="is">\System</Image>
			<PipeName condition="is">\InitShutdown</PipeName>
			<Image condition="is">C:\Windows\System32\wininit.exe</Image>
			<Image condition="is">C:\Windows\System32\SearchIndexer.exe</Image>
			<Image condition="is">C:\Windows\System32\services.exe</Image>
			<PipeName condition="is">\ntsvcs</PipeName>
			<PipeName condition="is">\scerpc</PipeName>
			<Image condition="is">C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe</Image>
			<Image condition="is">C:\Windows\System32\smss.exe</Image>
			<Image condition="is">C:\Windows\System32\spoolsv.exe</Image>
			<PipeName condition="is">\epmapper</PipeName>
			<PipeName condition="is">\atsvc</PipeName>
			<PipeName condition="is">\browser</PipeName>
			<PipeName condition="is">\srvsvc</PipeName>
			<PipeName condition="is">\Winsock2CatelogChangeListener</PipeName>
			<PipeName condition="contains">ProtectedPrefix\LocalService\FTHPIPE</PipeName>
			<PipeName condition="is">\W32TIME_ALT</PipeName>
			<PipeName condition="is">\eventlog</PipeName>
			<PipeName condition="is">\wkssvc</PipeName>
			<PipeName condition="contains">\TDLN-</PipeName>
			<PipeName condition="is">\WiFiNetworkManagerTask</PipeName>
			<PipeName condition="is">\MsFteWds</PipeName>
			<!--SECTION: Webroot-->
			<PipeName condition="is">\WRSVCPipe</PipeName>
			<PipeName condition="is">\WRSynUM2</PipeName>
			<PipeName condition="is">\wrUrl</PipeName><!--Webroot Webfiltering Pipe-->
			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
			<!--SECTION: Google-->
			<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
			<Image condition="contains">AppData\Local\Google\Chrome\User Data\SwReporter\</Image>
			<PipeName condition="contains">mojo.</PipeName>
			<PipeName condition="contains">crashpad_</PipeName>
			<PipeName condition="contains">chrome.</PipeName>
			<PipeName condition="contains">GoogleCrashServices</PipeName>
			<!--SECTION: Other-->
			<Image condition="end with">slack.exe</Image>
			<!--SECTION: ConnectWise-->
			<PipeName condition="contains">booma\</PipeName>
			<!--SECTION: EnPass-->
			<PipeName condition="contains">qtsingleapp-enpass-</PipeName>
			<Image condition="contains">qtsingleapp-enpass-</Image>
			<!--SECTION: Everything Search-->
			<PipeName condition="contains">Everything Service</PipeName>
			<PipeName condition="contains">anchor_gui_agent</PipeName>
			<!--SECTION: Lenovo-->
			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\SUService.exe</Image>
			<Image condition="is">C:\Program Files\Common Files\VMware\DeviceRedirectionCommon\ftnlsv.exe</Image>
			<Image condition="is">C:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe</Image>
			<Image condition="is">C:\Program Files\Lenovo\HOTKEY\shtctky.exe</Image>
			<Image condition="is">C:\Windows\System32\LPlatSvc.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe</Image>
			<!--SECTION: Labtech-->
			<Image condition="is">C:\Windows\LTSvc\LTSVC.exe</Image>
			<Image condition="contains">ScreenConnect.WindowsClient.exe</Image>
			<Image condition="contains">ScreenConnect.ClientService.exe</Image>
			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn-gui.exe</Image>
			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn.exe</Image>
			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpnserv.exe</Image>
			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</Image>
			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe</Image>
			<Image condition="is">C:\Program Files\Lenovo\HOTKEY\tphkload.exe</Image>
			<Image condition="contains">C:\Program Files\Lenovo\</Image>
			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\SerialPortRedirection\Client\vmwsprrdpwks.exe</Image>
			<Image condition="contains">Graylog-collector-sidecar.exe</Image>
			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git-remote-https.exe</Image>
			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\bin\git.exe</Image>
			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git.exe</Image>
			<Image condition="is">C:\Program Files (x86)\SmartGit\bin\smartgit.exe</Image>
			<Image condition="is">C:\Program Files (x86)\SmartGit\bin\smartgit.exe</Image>
			<PipeName condition="contains">Anonymous Pipe</PipeName> <!-- NOTICE: Comment this out if you dont use Labtech, labtech nests processes and causes excessive noise -->
			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FortiESNAC.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FortiTray.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FCDBLog.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Enpass\Enpass.exe</Image>
			<Image condition="is">C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe</Image>
			<Image condition="is">C:\Program Files (x86)\VMware\ScannerRedirection\ftscanmgrhv.exe</Image>
			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\VMware Remote Console Plug-in 5.5\Internet Explorer\vmware-vmrc.exe</Image>
			<PipeName condition="contains">SQLAnywhereLRM</PipeName> <!-- Quickbooks -->
			<PipeName condition="contains">pgsignal</PipeName> <!-- Postgres SQL -->
			<Image condition="is">postgres.exe</Image>
			<PipeName condition="contains">MICROSOFT##WID\tsql\query</PipeName> <!-- Microsoft SQL writer-->
			<PipeName condition="contains">TSVCPIPE-</PipeName> <!-- Terminal Services Pipe-->
			<PipeName condition="contains">BB4BB19A178C25D1</PipeName>
			<PipeName condition="contains">SQLAnywhereLRM</PipeName>
			<PipeName condition="contains">SQLLocal</PipeName>
			<PipeName condition="contains">DropboxPipe_</PipeName>
			<Image condition="is">c:\windows\system32\inetsrv\w3wp.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel RMS License Manager\WinNT\mfcesd.exe</Image>
			<Image condition="is">C:\Pfx Engagement\WM\PFXEngagement.exe</Image>
			<Image condition="is">C:\Pfx Engagement\WM\PfxEngagement.exe</Image>
			<Image condition="is">C:\Pfx Engagement\WM\Pfx.KnowledgeCoach.SharedServices.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Micro Focus\COBOL Server 2012\bin\mfds.exe</Image>
			<Image condition="is">ScreenConnect.WindowsClient.exe</Image>
			<Image condition="is">ScreenConnect.ClientService.exe</Image>
			<Image condition="is">QBW32.EXE</Image>
		</PipeEvent>

	<!--SYSMON EVENT ID 19 & 20 & 21 : WMI EVENT MONITORING [WmiEvent]-->
		<!--EVENT 19: "WmiEventFilter activity detected"-->
		<!--EVENT 20: "WmiEventConsumer activity detected"-->
		<!--EVENT 21: "WmiEventConsumerToFilter activity detected"-->

		<!--ADDITIONAL REFERENCE: [ https://www.darkoperator.com/blog/2017/10/15/sysinternals-sysmon-610-tracking-of-permanent-wmi-events ] -->
		<!--ADDITIONAL REFERENCE: [ https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-v610-vs-wmi-persistence/ ] -->

		<!--DATA: EventType, UtcTime, Operation, User, Name, Type, Destination, Consumer, Filter-->
		<WmiEvent onmatch="include">
		</WmiEvent>

	<!--SYSMON EVENT ID 255 : ERROR-->
		<!--"This event is generated when an error occurred within Sysmon. They can happen if the system is under heavy load
			and certain tasked could not be performed or a bug exists in the Sysmon service. You can report any bugs on the
			Sysinternals forum or over Twitter (@markrussinovich)."-->
		<!--Cannot be filtered.-->

	</EventFiltering>
</Sysmon>