Merge pull request #56 from AndrewRathbun/main
update Sysmon, add Windows 11 Pro 24H2
AndrewRathbun authored Oct 3, 2024
2 parents f1b010c + 2cc020f commit ca1914a
Showing 894 changed files with 977,180 additions and 0 deletions.
Expand Up @@ -192,6 +192,24 @@
<Guid>{C511FFB3-9FBF-45F5-A97B-9BEE0000001A}</Guid>
<Value>26</Value>
</Task>
<Task>
<Message>File Block Executable (rule: FileBlockExecutable)</Message>
<Name>SysmonTask-SYSMONEVENT_FILE_BLOCK_EXE</Name>
<Guid>{C511FFB3-9FBF-45F5-A97B-9BEE0000001B}</Guid>
<Value>27</Value>
</Task>
<Task>
<Message>File Block Shredding (rule: FileBlockShredding)</Message>
<Name>SysmonTask-SYSMONEVENT_FILE_BLOCK_SHREDDING</Name>
<Guid>{C511FFB3-9FBF-45F5-A97B-9BEE0000001C}</Guid>
<Value>28</Value>
</Task>
<Task>
<Message>File Executable Detected (rule: FileExecutableDetected)</Message>
<Name>SysmonTask-SYSMONEVENT_FILE_EXE_DETECTED</Name>
<Guid>{C511FFB3-9FBF-45F5-A97B-9BEE0000001D}</Guid>
<Value>29</Value>
</Task>
</Tasks>
<Opcodes>
<Opcode>
Expand Down Expand Up @@ -1037,6 +1055,95 @@ IsExecutable: %9]]></Message>
<data name="Hashes" inType="win:UnicodeString" outType="xs:string"/>
<data name="IsExecutable" inType="win:Boolean" outType="xs:boolean"/>
</template>
]]></Template>
</Event>
<Event>
<Id>27</Id>
<Version>5</Version>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Level>Information</Level>
<Task>File Block Executable (rule: FileBlockExecutable)</Task>
<Message><![CDATA[
File Block Executable:
RuleName: %1
UtcTime: %2
ProcessGuid: %3
ProcessId: %4
User: %5
Image: %6
TargetFilename: %7
Hashes: %8]]></Message>
<Template><![CDATA[
<template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="RuleName" inType="win:UnicodeString" outType="xs:string"/>
<data name="UtcTime" inType="win:UnicodeString" outType="xs:string"/>
<data name="ProcessGuid" inType="win:GUID" outType="xs:GUID"/>
<data name="ProcessId" inType="win:UInt32" outType="win:PID"/>
<data name="User" inType="win:UnicodeString" outType="xs:string"/>
<data name="Image" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetFilename" inType="win:UnicodeString" outType="xs:string"/>
<data name="Hashes" inType="win:UnicodeString" outType="xs:string"/>
</template>
]]></Template>
</Event>
<Event>
<Id>28</Id>
<Version>5</Version>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Level>Information</Level>
<Task>File Block Shredding (rule: FileBlockShredding)</Task>
<Message><![CDATA[
File Block Shredding:
RuleName: %1
UtcTime: %2
ProcessGuid: %3
ProcessId: %4
User: %5
Image: %6
TargetFilename: %7
Hashes: %8
IsExecutable: %9]]></Message>
<Template><![CDATA[
<template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="RuleName" inType="win:UnicodeString" outType="xs:string"/>
<data name="UtcTime" inType="win:UnicodeString" outType="xs:string"/>
<data name="ProcessGuid" inType="win:GUID" outType="xs:GUID"/>
<data name="ProcessId" inType="win:UInt32" outType="win:PID"/>
<data name="User" inType="win:UnicodeString" outType="xs:string"/>
<data name="Image" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetFilename" inType="win:UnicodeString" outType="xs:string"/>
<data name="Hashes" inType="win:UnicodeString" outType="xs:string"/>
<data name="IsExecutable" inType="win:Boolean" outType="xs:boolean"/>
</template>
]]></Template>
</Event>
<Event>
<Id>29</Id>
<Version>5</Version>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Level>Information</Level>
<Task>File Executable Detected (rule: FileExecutableDetected)</Task>
<Message><![CDATA[
File Executable Detected:
RuleName: %1
UtcTime: %2
ProcessGuid: %3
ProcessId: %4
User: %5
Image: %6
TargetFilename: %7
Hashes: %8]]></Message>
<Template><![CDATA[
<template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="RuleName" inType="win:UnicodeString" outType="xs:string"/>
<data name="UtcTime" inType="win:UnicodeString" outType="xs:string"/>
<data name="ProcessGuid" inType="win:GUID" outType="xs:GUID"/>
<data name="ProcessId" inType="win:UInt32" outType="win:PID"/>
<data name="User" inType="win:UnicodeString" outType="xs:string"/>
<data name="Image" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetFilename" inType="win:UnicodeString" outType="xs:string"/>
<data name="Hashes" inType="win:UnicodeString" outType="xs:string"/>
</template>
]]></Template>
</Event>
<Event>
@@ -0,0 +1,31 @@
<Providers>
<Provider>
<Name>ACPI</Name>
<Metadata>
<Guid>{00000000-0000-0000-0000-000000000000}</Guid>
<ParameterFilePath></ParameterFilePath>
<MessageFilePath>%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\Drivers\acpi.sys</MessageFilePath>
<HelpLink></HelpLink>
<PublisherMessage></PublisherMessage>
<Channels>
<Channel>
<Message></Message>
<Path>System</Path>
<Index>4294967295</Index>
<Id>8</Id>
<Imported>true</Imported>
</Channel>
</Channels>
<Levels>
</Levels>
<Tasks>
</Tasks>
<Opcodes>
</Opcodes>
<Keywords>
</Keywords>
</Metadata>
<EventMetadata>
</EventMetadata>
</Provider>
</Providers>
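Review bot: The all-zero `<Guid>` and `<Index>4294967295</Index>` in this provider record are in-band sentinels rather than real values, and that matters for anyone building detection content from this corpus: a rule that keys on provider GUID will never match this provider (or will collide with every other record dumped the same way) and should key on `Provider/Name` plus `Channel/Path` instead. This looks like a classic, registry-registered event source rather than a manifest-based ETW provider — `MessageFilePath` points at `IoLogMsg.dll` and `acpi.sys` instead of a manifest resource — but that is inferred from the dump, not stated in it. Since the file appears to be tool-generated, the fix belongs in the generator or the repository README rather than here: emit `<Guid/>` (or omit the element) when no provider GUID exists, and document that `4294967295` means "no index".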