├── LICENSE
├── README.md
├── acp
│   └── categorizer
│       └── current
│           └── microsoft
│               └── sysmon.csv
└── fcp
    └── winc
        └── microsoft_windows_sysmon_operational
            ├── dns_codes.map.csv
            ├── microsoft_windows_sysmon.map.csv
            ├── microsoft_windows_sysmon.sdkkeyvaluefilereader.properties
            └── sysmon.xml

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2019 S3COPS https://github.com/S3COPS/

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# ArcSight-Sysmon-FlexConnector
Micro Focus ArcSight Windows Native FlexConnector for the Microsoft Sysmon tool https://technet.microsoft.com/en-gb/sysinternals/sysmon

Sysmon WINC Parser
Updated for Sysinternals Sysmon v13.x - System activity monitor, Copyright (C) Mark Russinovich and Thomas Garnier

NOTE: when using the DNS Query Logging functionality (Event ID 22) on a host that also runs the ArcSight SmartConnector, make sure the connector's Java image (jre/bin/java.exe under CONNECTOR_HOME) is excluded from DNS query logging in the Sysmon configuration, or that the connector is configured not to carry out DNS lookups. Otherwise each query is logged twice: the original DNS query, followed by the lookup the connector performs for the same name from the jre/bin/java.exe image on the SmartConnector host.

Device / Product version: Sysmon v13.x, backward compatible at least to Sysmon v6.
https://technet.microsoft.com/en-gb/sysinternals/sysmon

SmartConnector Type: Windows Native Connector
Dependencies: Micro Focus ArcSight SmartConnector Framework at least 7.4 (for automatic IPv6 parsing)

# Installation Summary
Copy the fcp and acp folders and their contents to the CONNECTOR_HOME/current/user/agent/ folder on the Windows Native Connector

Add the following Event Log to the Windows Native Connector Custom Log section: Microsoft-Windows-Sysmon/Operational

or add it directly to the agent.properties file: agents[0].windowshoststable[0].eventlogtypes=Microsoft-Windows-Sysmon/Operational (if that property already lists other logs, append Microsoft-Windows-Sysmon/Operational to the existing comma-separated list rather than replacing it)

Restart the Windows Native Connector

For more details on configuration of Sysmon refer to https://technet.microsoft.com/en-gb/sysinternals/sysmon

For an excellent sample sysmon config file refer to https://github.com/SwiftOnSecurity/sysmon-config

# Field Mappings Summary: Common Fields

Note: since July 2019 the common file-name mapping targets filePath rather than fileName (see the comment in the properties file); double check any content that was built against fileName.

| ArcSight Fields | Mapping |
|---|---|
| deviceVendor | Microsoft |
| deviceProduct | Sysmon |
| endTime | UtcTime |
| deviceCustomDate1 | UtcTime |
| deviceCustomDate1Label | Event TimeStamp (UTC) |
| deviceTimeZone | UTC |
| transportProtocol | Protocol |
| filePath | __oneOf(TargetFilename,ImageLoaded,TargetImage,Image) |
| fileCreateTime | CreationUtcTime |
| oldFileCreateTime | PreviousCreationUtcTime |
| fileId | FileVersion |
| fileHash | SHA256 |
| additionaldata.Hash_SHA1 | SHA1 |
| additionaldata.Hash_MD5 | MD5 |
| additionaldata.Hash_SHA256 | SHA256 |
| deviceProcessId | ProcessId |
| deviceProcessName | Image |
| deviceAction | __oneOf(State,EventType) |
| deviceFacility | RuleName |
| sourceUserName | User |
| sourceUserId | LogonId |
| sourceAddress | SourceIp |
| sourcePort | SourcePort |
| sourceHostName | SourceHostname |
| sourceProcessId | __oneOfInteger(ParentProcessId,SourceProcessId,ProcessId) |
| sourceProcessName | __oneOf(ParentImage,SourceImage,Image) |
| destinationAddress | DestinationIp |
| destinationPort | DestinationPort |
| destinationHostName | DestinationHostname |
| destinationProcessName | __oneOf(ImageLoaded,TargetImage,Image) |
| destinationProcessId | TargetProcessId |
| destinationServiceName | Product |
| deviceCustomNumber2 | TerminalSessionId |
| deviceCustomNumber2Label | Terminal Session ID |
| deviceCustomNumber3 | SequenceNumber |
| deviceCustomNumber3Label | Sequence Number |
| deviceCustomString4 | Initiated |
| deviceCustomString4Label | Initiated |
| deviceCustomString5 | IntegrityLevel |
| deviceCustomString5Label | IntegrityLevel |
| deviceCustomString6 | ProcessGuid |
| deviceCustomString6Label | Process Guid |
| flexString1 | SourceProcessGUID |
| flexString1Label | Source Process Guid |
| flexString2 | TargetProcessGUID |
| flexString2Label | Target Process GUID |
| oldFilePermission | Description |
| oldFileType | Company |
| additionaldata.SourcePortName | SourcePortName |
| additionaldata.DestinationPortName | DestinationPortName |
| additionaldata.DestinationIsIpv6 | DestinationIsIpv6 |
| additionaldata.SourceIsIpv6 | SourceIsIpv6 |
| additionaldata.FileVersion | FileVersion |
| additionaldata.Description | Description |
| additionaldata.Product | Product |
| additionaldata.Company | Company |


# Event Specific Fields:

| EventID | ArcSight Fields | Mapping |
|---|---|---|
| 1 | message | __concatenate("Process Created: ",Image," Product: ",Product," Company: ",Company," Description: ",Description," FileVersion: ",FileVersion) |
| 1 | deviceEventClassId | SysmonTask-SYSMON_CREATE_PROCESS |
| 1 | deviceCustomString1Label | Command Line |
| 1 | deviceCustomString1 | CommandLine |
| 1 | deviceCustomString2Label | Parent Command Line |
| 1 | deviceCustomString2 | ParentCommandLine |
| 1 | deviceCustomString3Label | Current Directory |
| 1 | deviceCustomString3 | CurrentDirectory |
| 1 | deviceCustomString4Label | Parent Process GUID |
| 1 | deviceCustomString4 | ParentProcessGuid |
| 1 | destinationServiceName | Product |
| 1 | oldFileName | OriginalFileName |
| | | |
| 2 | message | __concatenate("File creation time changed. Filename: ",TargetFilename) |
| 2 | deviceEventClassId | SysmonTask-SYSMON_FILE_TIME |
| | | |
| 3 | message | __concatenate("A network connection was detected from ",SourceIp," to ",DestinationIp," destination port ",DestinationPort) |
| 3 | deviceEventClassId | SysmonTask-SYSMON_NETWORK_CONNECT |
| | | |
| 4 | message | __concatenate("Sysmon Service state changed: ",State) |
| 4 | deviceEventClassId | SysmonTask-SYSMON_SERVICE_STATE_CHANGE |
| 4 | deviceCustomString1Label | Sysmon Version |
| 4 | deviceCustomString1 | Version |
| 4 | deviceCustomString2Label | Schema Version |
| 4 | deviceCustomString2 | SchemaVersion |
| | | |
| 5 | message | __concatenate("Process Terminated: ",Image) |
| 5 | deviceEventClassId | SysmonTask-SYSMON_PROCESS_TERMINATE |
| | | |
| 6 | message | __concatenate("Driver Loaded: ",ImageLoaded," Signed: ",Signed," Valid: ",SignatureStatus) |
| 6 | deviceEventClassId | SysmonTask-SYSMON_DRIVER_LOAD |
| 6 | deviceCustomString1Label | Signed |
| 6 | deviceCustomString1 | Signed |
| 6 | deviceCustomString2Label | Signature |
| 6 | deviceCustomString2 | Signature |
| 6 | deviceCustomString3Label | Signature Status |
| 6 | deviceCustomString3 | SignatureStatus |
| | | |
| 7 | message | __concatenate("Image Loaded: ",ImageLoaded," Signed: ",Signed," Valid: ",SignatureStatus," Product: ",Product," Company: ",Company," Description: ",Description," FileVersion: ",FileVersion) |
| 7 | deviceEventClassId | SysmonTask-SYSMON_IMAGE_LOAD |
| 7 | deviceCustomString1Label | Signed |
| 7 | deviceCustomString1 | Signed |
| 7 | deviceCustomString2Label | Signature |
| 7 | deviceCustomString2 | Signature |
| 7 | deviceCustomString3Label | Signature Status |
| 7 | deviceCustomString3 | SignatureStatus |
| 7 | destinationServiceName | Product |
| 7 | oldFileName | OriginalFileName |
| | | |
| 8 | message | CreateRemoteThread detected |
| 8 | deviceEventClassId | SysmonTask-SYSMON_CREATE_REMOTE_THREAD |
| 8 | deviceCustomString1Label | New Thread ID |
| 8 | deviceCustomString1 | NewThreadId |
| 8 | deviceCustomString2Label | Start Address |
| 8 | deviceCustomString2 | StartAddress |
| 8 | deviceCustomString3Label | Start Module |
| 8 | deviceCustomString3 | StartModule |
| 8 | deviceCustomString4Label | Start Function |
| 8 | deviceCustomString4 | StartFunction |
| | | |
| 9 | message | __concatenate("RawAccessRead detected. Image: ",Image) |
| 9 | deviceEventClassId | SysmonTask-SYSMON_RAWACCESS_READ |
| 9 | deviceCustomString1Label | Device |
| 9 | deviceCustomString1 | Device |
| | | |
| 10 | message | __concatenate("Process accessed. Target Process: ",TargetImage) |
| 10 | deviceEventClassId | SysmonTask-SYSMON_ACCESS_PROCESS |
| 10 | deviceCustomString1Label | Source Thread ID |
| 10 | deviceCustomString1 | SourceThreadId |
| 10 | deviceCustomString2Label | Granted Access |
| 10 | deviceCustomString2 | GrantedAccess |
| 10 | deviceCustomString3Label | Call Trace |
| 10 | deviceCustomString3 | CallTrace |
| | | |
| 11 | message | __concatenate("File: ",TargetFilename," created by: ",Image) |
| 11 | deviceEventClassId | SysmonTask-SYSMON_FILE_CREATE |
| | | |
| 12 | message | __concatenate("Registry: ",EventType," Object: ",TargetObject," by process: ",Image) |
| 12 | deviceEventClassId | SysmonTask-SYSMON_REG_KEY |
| 12 | fileName | TargetObject |
| | | |
| 13 | message | __concatenate("Registry Value: ",TargetObject," set by process: ",Image) |
| 13 | deviceEventClassId | SysmonTask-SYSMON_REG_SETVALUE |
| 13 | deviceCustomString1Label | Registry Value Details |
| 13 | deviceCustomString1 | Details |
| 13 | fileName | TargetObject |
| | | |
| 14 | message | __concatenate("Registry Object renamed: ",TargetObject," New name: ",NewName) |
| 14 | deviceEventClassId | SysmonTask-SYSMON_REG_NAME |
| 14 | oldFileName | TargetObject |
| 14 | fileName | NewName |
| | | |
| 15 | message | __concatenate("File Stream Created: ",TargetFilename," by process: ",Image) |
| 15 | deviceEventClassId | SysmonTask-SYSMON_FILE_CREATE_STREAM_HASH |
| | | |
| 16 | message | __concatenate("Sysmon configuration changed. Configuration: ",Configuration) |
| 16 | deviceEventClassId | SysmonTask-SYSMON_SERVICE_CONFIGURATION_CHANGE |
| 16 | fileName | Configuration |
| 16 | fileHash | ConfigurationFileHash |
| | | |
| 17 | message | __concatenate("Pipe: ",PipeName," created") |
| 17 | deviceEventClassId | SysmonTask-SYSMON_CREATE_NAMEDPIPE |
| 17 | fileName | PipeName |
| | | |
| 18 | message | __concatenate("Pipe: ",PipeName," connected") |
| 18 | deviceEventClassId | SysmonTask-SYSMON_CONNECT_NAMEDPIPE |
| 18 | fileName | PipeName |
| | | |
| 19 | message | __concatenate(Name," ",Operation," Namespace: ",EventNamespace) |
| 19 | deviceEventClassId | SysmonTask-SYSMON_WMI_FILTER |
| 19 | deviceCustomString1Label | Name |
| 19 | deviceCustomString1 | Name |
| 19 | deviceCustomString2Label | Operation |
| 19 | deviceCustomString2 | Operation |
| 19 | deviceCustomString3Label | Event Namespace |
| 19 | deviceCustomString3 | EventNamespace |
| 19 | deviceCustomString4Label | Query |
| 19 | deviceCustomString4 | Query |
| | | |
| 20 | message | __concatenate(Name," ",Operation," Type: ",Type," Location: ",Destination) |
| 20 | deviceEventClassId | SysmonTask-SYSMON_WMI_CONSUMER |
| 20 | deviceCustomString1Label | Name |
| 20 | deviceCustomString1 | Name |
| 20 | deviceCustomString2Label | Operation |
| 20 | deviceCustomString2 | Operation |
| 20 | deviceCustomString3Label | Type |
| 20 | deviceCustomString3 | Type |
| 20 | fileName | Destination |
| | | |
| 21 | message | __concatenate(EventType," Created by: ",User) |
| 21 | deviceEventClassId | SysmonTask-SYSMON_WMI_BINDING |
| 21 | deviceCustomString1Label | Consumer |
| 21 | deviceCustomString1 | Consumer |
| 21 | deviceCustomString2Label | Operation |
| 21 | deviceCustomString2 | Operation |
| 21 | deviceCustomString3Label | Filter |
| 21 | deviceCustomString3 | Filter |
| | | |
| 22 | message | Set from dns_codes.map.csv, keyed on deviceCustomNumber1 (the DNS response code in QueryStatus) |
| 22 | deviceEventClassId | SysmonTask-DNS_QUERY |
| 22 | destinationHostName | QueryName |
| 22 | requestUrl | QueryName |
| 22 | deviceCustomNumber1Label | Query Status |
| 22 | deviceCustomNumber1 | __safeToLong(QueryStatus) |
| 22 | deviceCustomString1Label | Query Results |
| 22 | deviceCustomString1 | QueryResults |
| | | |
| 255 | message | __concatenate("Sysmon Error ID: ",ID," Description: ",Description) |
| 255 | deviceEventClassId | SysmonTask-SYSMON_ERROR |
| 255 | deviceCustomString1Label | ID |
| 255 | deviceCustomString1 | ID |
| 255 | deviceCustomString2Label | Description |
| 255 | deviceCustomString2 | Description |


# USE CASE

Detect suspicious processes, PowerShell use, dual-use tools and attempts at lateral movement (and more)

A commercial content package for ArcSight (SYSMON Content Package) is available via SOC Prime (https://socprime.com/)
The Sysmon Framework contains 26 scenarios which are recommended for monitoring in the SOC and early detection of APT activity.
https://tdm.socprime.com/use-case-library/info/425/

# Update 04/10/2019 - Micro Focus release SmartConnector for Microsoft Sysmon
Micro Focus have now released an out-of-the-box SmartConnector for Sysmon; most organisations implementing Sysmon for the first time should check that out in the first instance.
https://community.microfocus.com/t5/ArcSight-Connectors/MS-Sysmon-Logs-Windows-Event-Log-Native/ta-p/2697357
Current feedback is that the coverage and mappings of the Micro Focus SmartConnector are not great, so for now we will maintain support for this Flex.
To override the default parser and stop any issues with conflicts, we have added the replace.defaults override setting in the properties file.
We will review the continued maintenance of this FlexConnector once the quality / adoption of the OOB release is better known.

--------------------------------------------------------------------------------
/acp/categorizer/current/microsoft/sysmon.csv:
--------------------------------------------------------------------------------
event.deviceEventClassId,set.event.categoryObject,set.event.categoryBehavior,set.event.categoryTechnique,set.event.categoryOutcome,set.event.categorySignificance,set.event.categoryDeviceGroup,set.event.categoryDeviceType,set.event.categoryCustomFormatField,set.event.originator
SysmonTask-SYSMON_CREATE_PROCESS,/Host/Resource/Process,/Execute/Start,,/Success,/Informational,/Operating System,/Operating System,/Attack Lifecycle/Install,Source
SysmonTask-SYSMON_FILE_TIME,/Host/Resource/File,/Modify/Configuration,,/Success,/Suspicious,/Operating System,/Operating System,/Attack Lifecycle/Install,Source
SysmonTask-SYSMON_NETWORK_CONNECT,/Host/Resource/Interface/Tunnel,/Access/Start,,/Success,/Informational,/Operating System,/Operating System,/Attack Lifecycle/Install,Source
SysmonTask-SYSMON_SERVICE_STATE_CHANGE,/Host/Application/Service,/Check,,/Success,/Informational/Warning,/Operating System,/Operating System,/Attack Lifecycle/Install,Source
SysmonTask-SYSMON_PROCESS_TERMINATE,/Host/Resource/Process,/Execute/Stop,,/Success,/Informational,/Operating System,/Operating System,/Attack Lifecycle/Install,Source
SysmonTask-SYSMON_DRIVER_LOAD,/Host/Resource/Process,/Execute/Start,,/Success,/Informational,/Operating System,/Operating System,/Attack Lifecycle/Install,Source
SysmonTask-SYSMON_IMAGE_LOAD,/Host/Resource/Process,/Execute/Start,,/Success,/Informational,/Operating System,/Operating System,/Attack Lifecycle/Install,Source
SysmonTask-SYSMON_CREATE_REMOTE_THREAD,/Host/Resource/Interface/Tunnel,/Access/Start,,/Success,/Informational,/Operating System,/Operating System,/Attack Lifecycle/Install,Source
SysmonTask-SYSMON_RAWACCESS_READ,/Host/Resource/Interface/Tunnel,/Communicate,/Traffic Anomaly,/Success,/Suspicious,/Operating System,/Operating System,/Attack Lifecycle/Install,Source
SysmonTask-SYSMON_ACCESS_PROCESS,/Host/Resource/Process,/Access,,/Success,/Informational,/Operating System,/Operating System,/Attack Lifecycle/Install,Source
SysmonTask-SYSMON_FILE_CREATE,/Host/Resource/File,/Create,,/Success,/Informational,/Operating System,/Operating System,/Attack Lifecycle/Install,Source
SysmonTask-SYSMON_REG_KEY,/Host/Resource/Registry,/Modify/Configuration,,/Success,/Informational,/Operating System,/Operating System,/Attack Lifecycle/Install,Source
SysmonTask-SYSMON_REG_SETVALUE,/Host/Resource/Registry,/Modify/Configuration,,/Success,/Informational,/Operating System,/Operating System,/Attack Lifecycle/Install,Source
SysmonTask-SYSMON_REG_NAME,/Host/Resource/Registry,/Modify/Configuration,,/Success,/Informational,/Operating System,/Operating System,/Attack Lifecycle/Install,Source
SysmonTask-SYSMON_FILE_CREATE_STREAM_HASH,/Host/Resource/File,/Communicate,/Traffic Anomaly,/Success,/Suspicious,/Operating System,/Operating System,/Attack Lifecycle/Install,Source
SysmonTask-SYSMON_SERVICE_CONFIGURATION_CHANGE,/Host/Application/Service,/Modify,,/Success,/Informational/Warning,/Operating System,/Operating System,,Source
SysmonTask-SYSMON_CREATE_NAMEDPIPE,/Host/Resource/Interface/Tunnel,/Create,,/Success,/Informational/Warning,/Operating System,/Operating System,/Attack Lifecycle/Install,Source
SysmonTask-SYSMON_CONNECT_NAMEDPIPE,/Host/Resource/Interface/Tunnel,/Communicate,,/Success,/Informational/Warning,/Operating System,/Operating System,/Attack Lifecycle/Install,Source
SysmonTask-SYSMON_WMI_FILTER,/Host/Resource/File,/Access,,/Success,/Informational/Warning,/Operating System,/Operating System,/Attack Lifecycle/Install,Source
SysmonTask-SYSMON_WMI_CONSUMER,/Host/Resource/File,/Access,,/Success,/Informational/Warning,/Operating System,/Operating System,/Attack Lifecycle/Install,Source
SysmonTask-SYSMON_WMI_BINDING,/Host/Resource/File,/Access,,/Success,/Informational/Warning,/Operating System,/Operating System,/Attack Lifecycle/Install,Source
SysmonTask-SYSMON_ERROR,/Execute/Response,/Communicate,,/Success,/Informational/Error,/Operating System,/Operating System,,Source
SysmonTask-DNS_QUERY,/Host/Application/Service,/Communicate/Query,,/Success,/Informational,/Operating System,/Operating System,,Source
SysmonTask-SYSMON_FILE_DELETE,/Host/Resource/File,/Delete,,/Success,/Informational,/Operating System,/Operating System,/Attack Lifecycle/Install,Source
SysmonTask-SYSMON_CLIPBOARD,/Host/Resource/File,/Modify/Content,,/Success,/Informational,/Operating System,/Operating System,,Source
SysmonTask-SYSMON_PROCESS_IMAGE_TAMPERING,/Host/Resource/File,/Found/Vulnerable,/Traffic Anomaly,/Success,/Suspicious,/Operating System,/Operating System,,Source
--------------------------------------------------------------------------------
/fcp/winc/microsoft_windows_sysmon_operational/dns_codes.map.csv:
--------------------------------------------------------------------------------
event.deviceCustomNumber1,set.event.message
0,The request completed successfully.
9001,DNS server unable to interpret format.
9002,DNS server failure.
9003,DNS name does not exist.
9004,DNS request not supported by name server.
9005,DNS operation refused.
9006,"DNS name that ought not exist, does exist."
9007,"DNS RR set that ought not exist, does exist."
9008,"DNS RR set that ought to exist, does not exist."
9009,DNS server not authoritative for zone.
9010,DNS name in update or prereq is not in zone.
9016,DNS signature failed to verify.
9017,DNS bad key.
9018,DNS signature validity expired.
9101,Only the DNS server acting as the key master for the zone may perform this operation.
9102,This operation is not allowed on a zone that is signed or has signing keys.
9103,NSEC3 is not compatible with the RSA-SHA-1 algorithm. Choose a different algorithm or use NSEC.
9104,The zone does not have enough signing keys. There must be at least one key signing key (KSK) and at least one zone signing key (ZSK).
9105,The specified algorithm is not supported.
9106,The specified key size is not supported.
9107,One or more of the signing keys for a zone are not accessible to the DNS server. Zone signing will not be operational until this error is resolved.
9108,The specified key storage provider does not support DPAPI++ data protection. Zone signing will not be operational until this error is resolved.
9109,An unexpected DPAPI++ error was encountered. Zone signing will not be operational until this error is resolved.
9110,An unexpected crypto error was encountered. Zone signing may not be operational until this error is resolved.
9111,The DNS server encountered a signing key with an unknown version. Zone signing will not be operational until this error is resolved.
9112,The specified key service provider cannot be opened by the DNS server.
9113,The DNS server cannot accept any more signing keys with the specified algorithm and KSK flag value for this zone.
9114,The specified rollover period is invalid.
9115,The specified initial rollover offset is invalid.
9116,The specified signing key is already in process of rolling over keys.
9117,The specified signing key does not have a standby key to revoke.
9118,This operation is not allowed on a zone signing key (ZSK).
9119,This operation is not allowed on an active signing key.
9120,The specified signing key is already queued for rollover.
9121,This operation is not allowed on an unsigned zone.
9122,This operation could not be completed because the DNS server listed as the current key master for this zone is down or misconfigured. Resolve the problem on the current key master for this zone or use another DNS server to seize the key master role.
9123,The specified signature validity period is invalid.
9124,The specified NSEC3 iteration count is higher than allowed by the minimum key length used in the zone.
9125,This operation could not be completed because the DNS server has been configured with DNSSEC features disabled. Enable DNSSEC on the DNS server.
9126,This operation could not be completed because the XML stream received is empty or syntactically invalid.
9127,"This operation completed, but no trust anchors were added because all of the trust anchors received were either invalid, unsupported, expired, or would not become valid in less than 30 days."
9128,The specified signing key is not waiting for parental DS update.
9129,"Hash collision detected during NSEC3 signing. Specify a different user-provided salt, or use a randomly generated salt, and attempt to sign the zone again."
9130,NSEC is not compatible with the NSEC3-RSA-SHA-1 algorithm. Choose a different algorithm or use NSEC3.
9501,No records found for given DNS query.
9502,Bad DNS packet.
9503,No DNS packet.
9504,"DNS error, check rcode."
9505,Unsecured DNS packet.
9506,DNS query request is pending.
9551,Invalid DNS type.
9552,Invalid IP address.
9553,Invalid property.
9554,Try DNS operation again later.
9555,Record for given name and type is not unique.
9556,DNS name does not comply with RFC specifications.
9557,DNS name is a fully-qualified DNS name.
9558,DNS name is dotted (multi-label).
9559,DNS name is a single-part name.
9560,DNS name contains an invalid character.
9561,DNS name is entirely numeric.
9562,The operation requested is not permitted on a DNS root server.
9563,The record could not be created because this part of the DNS namespace has been delegated to another server.
9564,The DNS server could not find a set of root hints.
9565,The DNS server found root hints but they were not consistent across all adapters.
9566,The specified value is too small for this parameter.
9567,The specified value is too large for this parameter.
9568,This operation is not allowed while the DNS server is loading zones in the background. Please try again later.
9569,The operation requested is not permitted on against a DNS server running on a read-only DC.
9570,No data is allowed to exist underneath a DNAME record.
9571,This operation requires credentials delegation.
9572,Name resolution policy table has been corrupted. DNS resolution will fail until it is fixed. Contact your network administrator.
9601,DNS zone does not exist.
9602,DNS zone information not available.
9603,Invalid operation for DNS zone.
9604,Invalid DNS zone configuration.
9605,DNS zone has no start of authority (SOA) record.
9606,DNS zone has no Name Server (NS) record.
9607,DNS zone is locked.
9608,DNS zone creation failed.
9609,DNS zone already exists.
9610,DNS automatic zone already exists.
9611,Invalid DNS zone type.
9612,Secondary DNS zone requires master IP address.
9613,DNS zone not secondary.
9614,Need secondary IP address.
9615,WINS initialization failed.
9616,Need WINS servers.
9617,NBTSTAT initialization call failed.
9618,Invalid delete of start of authority (SOA).
9619,A conditional forwarding zone already exists for that name.
9620,This zone must be configured with one or more master DNS server IP addresses.
9621,The operation cannot be performed because this zone is shut down.
9622,This operation cannot be performed because the zone is currently being signed. Please try again later.
9651,Primary DNS zone requires datafile.
9652,Invalid datafile name for DNS zone.
9653,Failed to open datafile for DNS zone.
9654,Failed to write datafile for DNS zone.
9655,Failure while reading datafile for DNS zone.
9701,DNS record does not exist.
9702,DNS record format error.
9703,Node creation failure in DNS.
9704,Unknown DNS record type.
9705,DNS record timed out.
9706,Name not in DNS zone.
9707,CNAME loop detected.
9708,Node is a CNAME DNS record.
9709,A CNAME record already exists for given name.
9710,Record only at DNS zone root.
9711,DNS record already exists.
9712,Secondary DNS zone data error.
9713,Could not create DNS cache data.
9714,DNS name does not exist.
9715,Could not create pointer (PTR) record.
9716,DNS domain was undeleted.
9717,The directory service is unavailable.
9718,DNS zone already exists in the directory service.
9719,DNS server not creating or reading the boot file for the directory service integrated DNS zone.
9720,Node is a DNAME DNS record.
9721,A DNAME record already exists for given name.
9722,An alias loop has been detected with either CNAME or DNAME records.
9751,DNS AXFR (zone transfer) complete.
9752,DNS zone transfer failed.
9753,Added local WINS server.
9801,Secure update call needs to continue update request.
9851,TCP/IP network protocol not installed.
9852,No DNS servers configured for local system.
9901,The specified directory partition does not exist.
9902,The specified directory partition already exists.
9903,This DNS server is not enlisted in the specified directory partition.
9904,This DNS server is already enlisted in the specified directory partition.
9905,The directory partition is not available at this time. Please wait a few minutes and try again.
9906,The operation failed because the domain naming master FSMO role could not be reached. The domain controller holding the domain naming master FSMO role is down or unable to service the request or is not running Windows Server 2003 or later.
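The Event ID 22 handling described in the README (QueryStatus mapped through dns_codes.map.csv into deviceCustomNumber1 and message) and the README's warning about follow-up queries from the SmartConnector's own java.exe, as an added Python example that is not part of the S3COPS repository and not ArcSight code. It re-implements the lookup over a few rows copied from the map file above, shows what happens when a status code is absent from the map (the sample uses 1460, the Win32 ERROR_TIMEOUT, which the file on this page does not list, so message stays unset), and flags the connector's duplicate queries over constructed sample events. The Sysmon field names are real; the hostnames, paths and timestamps are made up, and the 30-second matching window is an arbitrary choice of mine.

```python
"""Added example (not part of the S3COPS repository or of ArcSight): Event ID 22 mapping
through dns_codes.map.csv, plus detection of the SmartConnector's own follow-up queries."""
import csv
import io
from datetime import datetime, timedelta

# Rows copied from dns_codes.map.csv on this page (the full file lists many more codes).
DNS_CODES_CSV = """event.deviceCustomNumber1,set.event.message
0,The request completed successfully.
9003,DNS name does not exist.
9501,No records found for given DNS query.
9701,DNS record does not exist.
"""

# Suffix of the connector's JVM image named in the README note (the path prefix is site-specific).
CONNECTOR_IMAGE_SUFFIX = r"\jre\bin\java.exe"


def load_dns_codes(text: str) -> dict:
    """Key column is the integer QueryStatus, value column is the message to set."""
    return {int(r["event.deviceCustomNumber1"]): r["set.event.message"]
            for r in csv.DictReader(io.StringIO(text))}


def safe_to_long(value):
    """__safeToLong: integer on success, None when the token is missing or not numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def map_event22(ev: dict, codes: dict) -> dict:
    """Event ID 22 mappings from the README. The map file only fires for a status it lists,
    so an unlisted code leaves message unset; content that keys on message must allow that."""
    status = safe_to_long(ev.get("QueryStatus"))
    return {
        "deviceEventClassId": "SysmonTask-DNS_QUERY",
        "destinationHostName": ev.get("QueryName"),
        "requestUrl": ev.get("QueryName"),
        "deviceProcessName": ev.get("Image"),
        "deviceCustomNumber1": status,
        "deviceCustomString1": ev.get("QueryResults"),
        "message": codes.get(status),
        "endTime": datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"),
    }


def is_connector(ev: dict) -> bool:
    return (ev.get("deviceProcessName") or "").lower().endswith(CONNECTOR_IMAGE_SUFFIX)


def find_connector_echoes(events: list, window: timedelta = timedelta(seconds=30)) -> list:
    """(QueryName, original Image) for each query by the connector's java.exe that repeats a
    name some other process queried within `window` before it: the duplicates the README
    warns about. An empty result means the Sysmon-side exclusion is doing its job."""
    by_name = {}
    for ev in sorted(events, key=lambda e: e["endTime"]):
        by_name.setdefault(ev["destinationHostName"], []).append(ev)
    echoes = []
    for name, evs in by_name.items():
        for i, ev in enumerate(evs):
            if not is_connector(ev):
                continue
            prior = next((p for p in evs[:i]
                          if not is_connector(p) and ev["endTime"] - p["endTime"] <= window), None)
            if prior:
                echoes.append((name, prior["deviceProcessName"]))
    return echoes


# Constructed sample Event ID 22 records: Sysmon's field names, made-up values. The last one
# uses QueryStatus 1460 (Win32 ERROR_TIMEOUT), a code the map file on this page does not list.
SAMPLE_EVENTS = [
    {"UtcTime": "2019-10-04 09:00:00.100", "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "update.example.net", "QueryStatus": "0", "QueryResults": "::ffff:203.0.113.10;"},
    {"UtcTime": "2019-10-04 09:00:00.400", "Image": r"C:\ArcSight\SmartConnector\current\jre\bin\java.exe",
     "QueryName": "update.example.net", "QueryStatus": "0", "QueryResults": "::ffff:203.0.113.10;"},
    {"UtcTime": "2019-10-04 09:00:05.000", "Image": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "QueryName": "nope.invalid", "QueryStatus": "9003", "QueryResults": ""},
    {"UtcTime": "2019-10-04 09:00:06.000", "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "slow.example.org", "QueryStatus": "1460", "QueryResults": ""},
]


def run(sample=SAMPLE_EVENTS):
    codes = load_dns_codes(DNS_CODES_CSV)
    mapped = [map_event22(ev, codes) for ev in sample]
    return mapped, find_connector_echoes(mapped)


if __name__ == "__main__":
    mapped, echoes = run()
    for m in mapped:
        print(m["destinationHostName"], m["deviceCustomNumber1"], m["message"])
    print("connector echo queries:", echoes)
```

Running `find_connector_echoes` over a day of Event ID 22 from the connector host is a quick way to confirm the Sysmon-side exclusion of the connector's java.exe actually took effect after a config reload; any hit means the double-logging the README warns about is still happening.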
135 | -------------------------------------------------------------------------------- /fcp/winc/microsoft_windows_sysmon_operational/microsoft_windows_sysmon.map.csv: -------------------------------------------------------------------------------- 1 | event.externalId,set.event.name 2 | 1,Process Create 3 | 2,File creation time changed 4 | 3,Network connection detected 5 | 4,Sysmon service state changed 6 | 5,Process terminated 7 | 6,Driver loaded 8 | 7,Image loaded 9 | 8,CreateRemoteThread detected 10 | 9,RawAccessRead detected 11 | 10,Process accessed 12 | 11,File created 13 | 12,Registry object added or deleted 14 | 13,Registry value set 15 | 14,Registry object renamed 16 | 15,File stream created 17 | 16,Sysmon config state changed 18 | 17,Pipe Created 19 | 18,Pipe Connected 20 | 19,WmiEventFilter activity detected 21 | 20,WmiEventConsumer activity detected 22 | 21,WmiEventConsumerToFilter activity detected 23 | 22,DNS Query 24 | 23,File Deleted 25 | 24,Clipboard changed 26 | 25,Process Tampering 27 | 255,Error report 28 | -------------------------------------------------------------------------------- /fcp/winc/microsoft_windows_sysmon_operational/microsoft_windows_sysmon.sdkkeyvaluefilereader.properties: -------------------------------------------------------------------------------- 1 | ############################################################################################################### 2 | # 3 | # Sysmon WINC Parser 4 | # Sysinternals Sysmon - System activity monitor, Copyright (C) Mark Russinovich and Thomas Garnier 5 | # Device / Product version: Sysmon v13.x (Backward compatible at least to version 6) 6 | # https://technet.microsoft.com/en-gb/sysinternals/sysmon 7 | # 8 | # Parser Author: KSQ 9 | # Source repository: https://github.com/S3COPS/ 10 | # 11 | # SmartConnector Type: Windows Native Connector 12 | # Dependencies: Microfocus ArcSight SmartConnector Framework at least 7.4 (For automatic IPv6 Parsing) 13 | # 14 | ##### MIT License ###### 
15 | # 16 | # Copyright (c) 2019 S3COPS https://github.com/S3COPS/ 17 | # 18 | # Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal 19 | # in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 20 | # copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 21 | # 22 | # The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 23 | # 24 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 25 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 26 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 27 | # SOFTWARE. 
#
##### Installation Summary ######
# Copy the fcp and acp folders and their contents to the CONNECTOR_HOME/current/user/agent/ folder on the Windows Native Connector
# Add the following Event Log to the Windows Native Connector Custom Log section: Microsoft-Windows-Sysmon/Operational
# or add it directly to the agent.properties file: agents[0].windowshoststable[0].eventlogtypes=Microsoft-Windows-Sysmon/Operational
# Restart the Windows Native Connector
#
# For more details on configuration of Sysmon refer to https://technet.microsoft.com/en-gb/sysinternals/sysmon
# For an excellent sample sysmon config file refer to https://github.com/SwiftOnSecurity/sysmon-config
#
###############################################################################################################


###############################################################################################################
# This setting forces ArcSight to ignore the out of the box parser and to use this one instead
#
replace.defaults=x
#
###############################################################################################################


key.delimiter=&&
key.value.delimiter==
key.regexp=([^&=]+)

additionaldata.enabled=true
trim.values=true
trim.tokens=true
#
# IPv6 aware parser - needs Connector Framework 7.4 or above.
# Sysmon events interchange IPv4 / IPv6 addresses in the SourceIp / DestinationIp field.
ipv6.aware=true

# Vendor details
event.deviceVendor=__getVendor("Microsoft")
event.deviceProduct=__stringConstant("Sysmon")
#
# Events are all recorded in UTC time;
# depending on the regional time setting on the host, multiple formats are possible
#
event.endTime=__parseMultipleTimeStamp(UtcTime,"MM/dd/yyyy HH\:mm\:ss.SSS","yyyy-MM-dd HH\:mm\:ss.SSS")
event.deviceCustomDate1=__parseMultipleTimeStamp(UtcTime,"MM/dd/yyyy HH\:mm\:ss.SSS","yyyy-MM-dd HH\:mm\:ss.SSS")
event.deviceCustomDate1Label=__stringConstant("Event TimeStamp (UTC)")
event.deviceTimeZone=__getTimeZone(__stringConstant("UTC"))
#
# Common Mappings to be applied Globally:
# General mappings
event.transportProtocol=Protocol
# Added various image/target image so that file name/file hash
# matching is easier next to each other and there's no analyst confusion what the hash is for (Thanks StevenD)
# Note that submessages also set this field
# July 2019 - updated previous mappings for event.fileName to the more correct event.filePath
# It is recommended users double check any content developed
event.filePath=__oneOf(TargetFilename,ImageLoaded,TargetImage,Image)
#
event.fileCreateTime=__parseMultipleTimeStamp(CreationUtcTime,"MM/dd/yyyy HH\:mm\:ss.SSS","yyyy-MM-dd HH\:mm\:ss.SSS")
event.oldFileCreateTime=__parseMultipleTimeStamp(PreviousCreationUtcTime,"MM/dd/yyyy HH\:mm\:ss.SSS","yyyy-MM-dd HH\:mm\:ss.SSS")
event.fileId=FileVersion
# Hash selection
# By default SHA256 maps to the fileHash field
# The user has options to add additional Hash formats which are added to the relevant "additionaldata" field
# These can be mapped at the Console or this parser can be updated below.
event.fileHash=__regexTokenNoWarning(Hashes,".*SHA256=(\\w+).*")
#
# Commented out non-default settings - these can be re-enabled if used in an organisation
# additionaldata.Hash_SHA1=__regexTokenNoWarning(Hashes,".*SHA1=(\\w+).*")
additionaldata.Hash_MD5=__regexTokenNoWarning(Hashes,".*MD5=(\\w+).*")
# additionaldata.Hash_SHA256=__regexTokenNoWarning(Hashes,".*SHA256=(\\w+).*")
# additionaldata.Hash_IMPHASH=__regexTokenNoWarning(Hashes,".*IMPHASH=(\\w+).*")
# Device Mappings
event.deviceProcessId=__safeToInteger(ProcessId)
event.deviceProcessName=Image
event.deviceAction=__oneOf(State,EventType)
# Added RuleName in v8 - Changed from dvcfacility to reason for fitment/visibility
# I have left the event.deviceFacility mapping in place for now in case anyone has used it in content,
# but the suggestion from StevenD to change to event.reason makes sense, so please use this going forward.
event.deviceFacility=RuleName
event.reason=RuleName
# Source Mappings
event.sourceUserName=User
event.sourceUserId=LogonId
event.sourceAddress=SourceIp
event.sourcePort=__safeToInteger(SourcePort)
event.sourceHostName=SourceHostname
event.sourceProcessId=__oneOfInteger(ParentProcessId,SourceProcessId,ProcessId)
event.sourceProcessName=__oneOf(ParentImage,SourceImage,Image)
#
# Destination Mappings
event.destinationAddress=DestinationIp
event.destinationPort=__safeToInteger(DestinationPort)
event.destinationHostName=DestinationHostname
event.destinationProcessName=__oneOf(ImageLoaded,TargetImage,Image)
event.destinationProcessId=__safeToInteger(TargetProcessId)
event.destinationServiceName=Product

# Device Custom Settings
#
event.deviceCustomNumber2=__safeToLong(TerminalSessionId)
event.deviceCustomNumber2Label=__stringConstant("Terminal Session ID")
event.deviceCustomNumber3=__safeToLong(SequenceNumber)
event.deviceCustomNumber3Label=__stringConstant("Sequence Number")
#
event.deviceCustomString4=Initiated
event.deviceCustomString4Label=__stringConstant("Initiated")
event.deviceCustomString5=IntegrityLevel
event.deviceCustomString5Label=__stringConstant("IntegrityLevel")
event.deviceCustomString6=ProcessGuid
event.deviceCustomString6Label=__stringConstant("Process Guid")
#
event.flexString1=SourceProcessGUID
event.flexString1Label=__stringConstant("Source Process Guid")
event.flexString2=TargetProcessGUID
event.flexString2Label=__stringConstant("Target Process GUID")

# Fields that won't fit anywhere else, but could be useful
# event.filePermission=
event.oldFilePermission=Description
event.oldFileType=Company
# event.oldFileId=

#

# Additional Data Mappings - some of the below have now been moved into CEF Fields,
# but have been left in the parser for backward compatibility with end users' content.
#
additionaldata.SourcePortName=SourcePortName
additionaldata.DestinationPortName=DestinationPortName
additionaldata.DestinationIsIpv6=DestinationIsIpv6
additionaldata.SourceIsIpv6=SourceIsIpv6
additionaldata.FileVersion=FileVersion
additionaldata.Description=Description
additionaldata.Product=Product
additionaldata.Company=Company
additionaldata.archived=Archived
additionaldata.session=Session


#
###############################################################################################################
#
# Conditional Map settings
conditionalmap.count=1
conditionalmap[0].field=event.externalId
conditionalmap[0].mappings.count=27
#
###############################################################################################################
#
# Event ID 1: Process Create
# RuleName
# UtcTime: %1
# ProcessGuid: %2
# ProcessId: %3
# Image: %4
# CommandLine: %5
# CurrentDirectory: %6
# User: %7
# LogonGuid: %8
# LogonId: %9
# TerminalSessionId: %10
# IntegrityLevel: %11
# Hashes: %12
# ParentProcessGuid: %13
# ParentProcessId: %14
# ParentImage: %15
# ParentCommandLine: %16
#
# Introduced in v7:
#
# FileVersion:
# Description:
# Product:
# Company:
# OriginalFileName
#
conditionalmap[0].mappings[0].values=1
conditionalmap[0].mappings[0].event.message=__concatenate("Process Created: ",Image," Product: ",Product," Company: ",Company," Description: ",Description," FileVersion: ",FileVersion)
conditionalmap[0].mappings[0].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_CREATE_PROCESS")
conditionalmap[0].mappings[0].event.deviceCustomString1Label=__stringConstant("Command Line")
conditionalmap[0].mappings[0].event.deviceCustomString1=__replaceAll(CommandLine,"\\s+"," ")
conditionalmap[0].mappings[0].event.deviceCustomString2Label=__stringConstant("Parent Command Line")
conditionalmap[0].mappings[0].event.deviceCustomString2=__replaceAll(ParentCommandLine,"\\s+"," ")
conditionalmap[0].mappings[0].event.deviceCustomString3Label=__stringConstant("Current Directory")
conditionalmap[0].mappings[0].event.deviceCustomString3=CurrentDirectory
conditionalmap[0].mappings[0].event.deviceCustomString4Label=__stringConstant("Parent Process GUID")
conditionalmap[0].mappings[0].event.deviceCustomString4=ParentProcessGuid
conditionalmap[0].mappings[0].event.destinationServiceName=Product
conditionalmap[0].mappings[0].event.oldFilePath=OriginalFileName
#
###############################################################################################################
#
# Event ID 2: File creation time changed
# RuleName
# UtcTime: %1
# ProcessGuid: %2
# ProcessId: %3
# Image: %4
# TargetFilename: %5
# CreationUtcTime: %6
# PreviousCreationUtcTime: %7

conditionalmap[0].mappings[1].values=2
conditionalmap[0].mappings[1].event.message=__concatenate("File creation time changed. Filename: ",TargetFilename)
conditionalmap[0].mappings[1].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_FILE_TIME")
#
###############################################################################################################
# Event ID 3: Network connection detected
# RuleName
# UtcTime: %1
# ProcessGuid: %2
# ProcessId: %3
# Image: %4
# User: %5
# Protocol: %6
# Initiated: %7
# SourceIsIpv6: %8
# SourceIp: %9
# SourceHostname: %10
# SourcePort: %11
# SourcePortName: %12
# DestinationIsIpv6: %13
# DestinationIp: %14
# DestinationHostname: %15
# DestinationPort: %16
# DestinationPortName: %17
#
conditionalmap[0].mappings[2].values=3
conditionalmap[0].mappings[2].event.message=__concatenate("A network connection was detected from ",SourceIp," to ",DestinationIp," destination port ",DestinationPort)
conditionalmap[0].mappings[2].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_NETWORK_CONNECT")
#
###############################################################################################################
# Event ID 4: Sysmon service state changed:
# UtcTime: %1
# State: %2
# Version: %3
# SchemaVersion: %4

conditionalmap[0].mappings[3].values=4
conditionalmap[0].mappings[3].event.message=__concatenate("Sysmon Service state changed: ",State)
conditionalmap[0].mappings[3].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_SERVICE_STATE_CHANGE")
conditionalmap[0].mappings[3].event.deviceCustomString1Label=__stringConstant("Sysmon Version")
conditionalmap[0].mappings[3].event.deviceCustomString1=Version
conditionalmap[0].mappings[3].event.deviceCustomString2Label=__stringConstant("Schema Version")
conditionalmap[0].mappings[3].event.deviceCustomString2=SchemaVersion

#
###############################################################################################################
# Event ID 5: Process terminated
# RuleName
# UtcTime: %1
# ProcessGuid: %2
# ProcessId: %3
# Image: %4

conditionalmap[0].mappings[4].values=5
conditionalmap[0].mappings[4].event.message=__concatenate("Process Terminated: ",Image)
conditionalmap[0].mappings[4].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_PROCESS_TERMINATE")
#
###############################################################################################################
# Event ID 6: Driver loaded
# RuleName
# UtcTime: %1
# ImageLoaded: %2
# Hashes: %3
# Signed: %4
# Signature: %5
# SignatureStatus: %6

conditionalmap[0].mappings[5].values=6
conditionalmap[0].mappings[5].event.message=__concatenate("Driver Loaded: ",ImageLoaded," Signed: ",Signed," Valid: ",SignatureStatus)
conditionalmap[0].mappings[5].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_DRIVER_LOAD")
conditionalmap[0].mappings[5].event.deviceCustomString1Label=__stringConstant("Signed")
conditionalmap[0].mappings[5].event.deviceCustomString1=Signed
conditionalmap[0].mappings[5].event.deviceCustomString2Label=__stringConstant("Signature")
conditionalmap[0].mappings[5].event.deviceCustomString2=Signature
conditionalmap[0].mappings[5].event.deviceCustomString3Label=__stringConstant("Signature Status")
conditionalmap[0].mappings[5].event.deviceCustomString3=SignatureStatus
#
###############################################################################################################
# Event ID 7: Image loaded
# RuleName
# UtcTime: %1
# ProcessGuid: %2
# ProcessId: %3
# Image: %4
# ImageLoaded: %5
# Hashes: %6
# Signed: %7
# Signature: %8
# SignatureStatus: %9
#
# Introduced in v7:
#
# FileVersion:
# Description:
# Product:
# Company:
# OriginalFileName:

conditionalmap[0].mappings[6].values=7
conditionalmap[0].mappings[6].event.message=__concatenate("Image Loaded: ",ImageLoaded," Signed: ",Signed," Valid: ",SignatureStatus," Product: ",Product," Company: ",Company," Description: ",Description," FileVersion: ",FileVersion)
conditionalmap[0].mappings[6].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_IMAGE_LOAD")
conditionalmap[0].mappings[6].event.deviceCustomString1Label=__stringConstant("Signed")
conditionalmap[0].mappings[6].event.deviceCustomString1=Signed
conditionalmap[0].mappings[6].event.deviceCustomString2Label=__stringConstant("Signature")
conditionalmap[0].mappings[6].event.deviceCustomString2=Signature
conditionalmap[0].mappings[6].event.deviceCustomString3Label=__stringConstant("Signature Status")
conditionalmap[0].mappings[6].event.deviceCustomString3=SignatureStatus
# The two lines below belong to this Event ID 7 mapping (index 6), not to mappings[0]
conditionalmap[0].mappings[6].event.destinationServiceName=Product
conditionalmap[0].mappings[6].event.oldFileName=OriginalFileName
#
###############################################################################################################
# Event ID 8: CreateRemoteThread detected
# RuleName
# UtcTime: %1
# SourceProcessGuid: %2
# SourceProcessId: %3
# SourceImage: %4
# TargetProcessGuid: %5
# TargetProcessId: %6
# TargetImage: %7
# NewThreadId: %8
# StartAddress: %9
# StartModule: %10
# StartFunction: %11

conditionalmap[0].mappings[7].values=8
conditionalmap[0].mappings[7].event.message=__concatenate("CreateRemoteThread detected")
conditionalmap[0].mappings[7].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_CREATE_REMOTE_THREAD")
conditionalmap[0].mappings[7].event.deviceCustomString1Label=__stringConstant("New Thread ID")
conditionalmap[0].mappings[7].event.deviceCustomString1=NewThreadId
conditionalmap[0].mappings[7].event.deviceCustomString2Label=__stringConstant("Start Address")
conditionalmap[0].mappings[7].event.deviceCustomString2=StartAddress
conditionalmap[0].mappings[7].event.deviceCustomString3Label=__stringConstant("Start Module")
conditionalmap[0].mappings[7].event.deviceCustomString3=StartModule
conditionalmap[0].mappings[7].event.deviceCustomString4Label=__stringConstant("Start Function")
conditionalmap[0].mappings[7].event.deviceCustomString4=StartFunction
#
###############################################################################################################
# Event ID 9: RawAccessRead detected
# RuleName
# UtcTime: %1
# ProcessGuid: %2
# ProcessId: %3
# Image: %4
# Device: %5

conditionalmap[0].mappings[8].values=9
conditionalmap[0].mappings[8].event.message=__concatenate("RawAccessRead detected. Image: ",Image)
conditionalmap[0].mappings[8].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_RAWACCESS_READ")
conditionalmap[0].mappings[8].event.deviceCustomString1Label=__stringConstant("Device")
conditionalmap[0].mappings[8].event.deviceCustomString1=Device
#
###############################################################################################################
# Event ID 10: Process accessed
# RuleName
# UtcTime: %1
# SourceProcessGUID: %2
# SourceProcessId: %3
# SourceThreadId: %4
# SourceImage: %5
# TargetProcessGUID: %6
# TargetProcessId: %7
# TargetImage: %8
# GrantedAccess: %9
# CallTrace: %10

conditionalmap[0].mappings[9].values=10
conditionalmap[0].mappings[9].event.message=__concatenate("Process accessed. Target Process: ",TargetImage)
conditionalmap[0].mappings[9].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_ACCESS_PROCESS")
conditionalmap[0].mappings[9].event.deviceCustomString1Label=__stringConstant("Source Thread ID")
conditionalmap[0].mappings[9].event.deviceCustomString1=SourceThreadId
conditionalmap[0].mappings[9].event.deviceCustomString2Label=__stringConstant("Granted Access")
conditionalmap[0].mappings[9].event.deviceCustomString2=GrantedAccess
conditionalmap[0].mappings[9].event.deviceCustomString3Label=__stringConstant("Call Trace")
conditionalmap[0].mappings[9].event.deviceCustomString3=CallTrace
#
###############################################################################################################
# Event ID 11: File created
# RuleName
# UtcTime: %1
# ProcessGuid: %2
# ProcessId: %3
# Image: %4
# TargetFilename: %5
# CreationUtcTime: %6

conditionalmap[0].mappings[10].values=11
conditionalmap[0].mappings[10].event.message=__concatenate("File: ",TargetFilename," created by: ",Image)
conditionalmap[0].mappings[10].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_FILE_CREATE")
#
###############################################################################################################
# Event ID 12: Registry object added or deleted
# RuleName
# EventType: %1
# UtcTime: %2
# ProcessGuid: %3
# ProcessId: %4
# Image: %5
# TargetObject: %6

conditionalmap[0].mappings[11].values=12
conditionalmap[0].mappings[11].event.message=__concatenate("Registry: ",EventType," Object: ",TargetObject," by process: ",Image)
conditionalmap[0].mappings[11].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_REG_KEY")
conditionalmap[0].mappings[11].event.filePath=TargetObject
#
###############################################################################################################
# Event ID 13: Registry value set
# RuleName
# EventType: %1
# UtcTime: %2
# ProcessGuid: %3
# ProcessId: %4
# Image: %5
# TargetObject: %6
# Details: %7

conditionalmap[0].mappings[12].values=13
conditionalmap[0].mappings[12].event.message=__concatenate("Registry Value: ",TargetObject," set by process: ",Image)
conditionalmap[0].mappings[12].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_REG_SETVALUE")
conditionalmap[0].mappings[12].event.deviceCustomString1Label=__stringConstant("Registry Value Details")
conditionalmap[0].mappings[12].event.deviceCustomString1=Details
conditionalmap[0].mappings[12].event.filePath=TargetObject

#
###############################################################################################################
# Event ID 14: Registry object renamed
# RuleName
# EventType: %1
# UtcTime: %2
# ProcessGuid: %3
# ProcessId: %4
# Image: %5
# TargetObject: %6
# NewName: %7

conditionalmap[0].mappings[13].values=14
conditionalmap[0].mappings[13].event.message=__concatenate("Registry Object renamed: ",TargetObject," New name: ",NewName)
conditionalmap[0].mappings[13].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_REG_NAME")
conditionalmap[0].mappings[13].event.oldFilePath=TargetObject
conditionalmap[0].mappings[13].event.filePath=NewName
#
###############################################################################################################
# Event ID 15: File stream created
# RuleName
# UtcTime: %1
# ProcessGuid: %2
# ProcessId: %3
# Image: %4
# TargetFilename: %5
# CreationUtcTime: %6
# Hash: %7

conditionalmap[0].mappings[14].values=15
conditionalmap[0].mappings[14].event.message=__concatenate("File Stream Created: ",TargetFilename," by process: ",Image)
conditionalmap[0].mappings[14].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_FILE_CREATE_STREAM_HASH")
#
###############################################################################################################
# Event ID 16: Sysmon config state changed
# UtcTime: %1
# Configuration: %2
# ConfigurationFileHash: %3

conditionalmap[0].mappings[15].values=16
conditionalmap[0].mappings[15].event.message=__concatenate("Sysmon configuration changed. Configuration: ",Configuration)
conditionalmap[0].mappings[15].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_SERVICE_CONFIGURATION_CHANGE")
conditionalmap[0].mappings[15].event.filePath=Configuration
conditionalmap[0].mappings[15].event.fileHash=__regexToken(ConfigurationFileHash,".*SHA1=(\\w+).*")
#
###############################################################################################################
# Event ID 17: Pipe Created
# RuleName
# EventType:
# UtcTime: %1
# ProcessGuid: %2
# ProcessId: %3
# PipeName: %4
# Image: %5

conditionalmap[0].mappings[16].values=17
conditionalmap[0].mappings[16].event.message=__concatenate("Pipe: ",PipeName," created")
conditionalmap[0].mappings[16].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_CREATE_NAMEDPIPE")
conditionalmap[0].mappings[16].event.fileName=PipeName
#
###############################################################################################################
# Event ID 18: Pipe Connected
# RuleName
# EventType:
# UtcTime: %1
# ProcessGuid: %2
# ProcessId: %3
# PipeName: %4
# Image: %5

conditionalmap[0].mappings[17].values=18
conditionalmap[0].mappings[17].event.message=__concatenate("Pipe: ",PipeName," connected")
conditionalmap[0].mappings[17].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_CONNECT_NAMEDPIPE")
conditionalmap[0].mappings[17].event.fileName=PipeName
#
###############################################################################################################
# The Following Events were introduced in Sysmon v7
###############################################################################################################
# Event ID 19: WmiEventFilter activity detected
# RuleName
# EventType: %1
# UtcTime: %2
# Operation: %3
# User: %4
# EventNamespace: %5
# Name: %6
# Query: %7

conditionalmap[0].mappings[18].values=19
# The namespace token in this event is EventNamespace (there is no bare Namespace token)
conditionalmap[0].mappings[18].event.message=__concatenate(Name," ",Operation," Namespace: ",EventNamespace)
conditionalmap[0].mappings[18].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_WMI_FILTER")
conditionalmap[0].mappings[18].event.deviceCustomString1Label=__stringConstant("Name")
conditionalmap[0].mappings[18].event.deviceCustomString1=Name
conditionalmap[0].mappings[18].event.deviceCustomString2Label=__stringConstant("Operation")
conditionalmap[0].mappings[18].event.deviceCustomString2=Operation
conditionalmap[0].mappings[18].event.deviceCustomString3Label=__stringConstant("Event Namespace")
conditionalmap[0].mappings[18].event.deviceCustomString3=EventNamespace
conditionalmap[0].mappings[18].event.deviceCustomString4Label=__stringConstant("Query")
conditionalmap[0].mappings[18].event.deviceCustomString4=Query

#
###############################################################################################################
# Event ID 20: WmiEventConsumer activity detected
# RuleName
# EventType: %1
# UtcTime: %2
# Operation: %3
# User: %4
# Name: %5
# Type: %6
# Destination: %7

conditionalmap[0].mappings[19].values=20
conditionalmap[0].mappings[19].event.message=__concatenate(Name," ",Operation," Type: ",Type," Location: ",Destination)
conditionalmap[0].mappings[19].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_WMI_CONSUMER")
conditionalmap[0].mappings[19].event.deviceCustomString1Label=__stringConstant("Name")
conditionalmap[0].mappings[19].event.deviceCustomString1=Name
conditionalmap[0].mappings[19].event.deviceCustomString2Label=__stringConstant("Operation")
conditionalmap[0].mappings[19].event.deviceCustomString2=Operation
conditionalmap[0].mappings[19].event.deviceCustomString3Label=__stringConstant("Type")
conditionalmap[0].mappings[19].event.deviceCustomString3=Type
conditionalmap[0].mappings[19].event.fileName=Destination
#
###############################################################################################################
# Event ID 21: WmiEventConsumerToFilter activity detected
# RuleName
# EventType: %1
# UtcTime: %2
# Operation: %3
# User: %4
# Consumer: %5
# Filter: %6

conditionalmap[0].mappings[20].values=21
conditionalmap[0].mappings[20].event.message=__concatenate(EventType," Created by: ",User)
conditionalmap[0].mappings[20].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_WMI_BINDING")
conditionalmap[0].mappings[20].event.deviceCustomString1Label=__stringConstant("Consumer")
conditionalmap[0].mappings[20].event.deviceCustomString1=Consumer
conditionalmap[0].mappings[20].event.deviceCustomString2Label=__stringConstant("Operation")
conditionalmap[0].mappings[20].event.deviceCustomString2=Operation
conditionalmap[0].mappings[20].event.deviceCustomString3Label=__stringConstant("Filter")
conditionalmap[0].mappings[20].event.deviceCustomString3=Filter
#
#
###############################################################################################################
# The Following Events were introduced in Sysmon v10
###############################################################################################################
# Event ID 22: DNS Query
# RuleName
# UtcTime
# ProcessGuid
# ProcessId
# QueryName
# QueryStatus
# QueryResults
# Image
#
conditionalmap[0].mappings[21].values=22
# This event carries no EventType token, so the message is built from the query name and the querying image
conditionalmap[0].mappings[21].event.message=__concatenate("DNS Query: ",QueryName," by process: ",Image)
conditionalmap[0].mappings[21].event.deviceEventClassId=__stringConstant("SysmonTask-DNS_QUERY")
conditionalmap[0].mappings[21].event.destinationHostName=QueryName
conditionalmap[0].mappings[21].event.requestUrl=QueryName
conditionalmap[0].mappings[21].event.deviceCustomNumber1Label=__stringConstant("Query Status")
conditionalmap[0].mappings[21].event.deviceCustomNumber1=__safeToLong(QueryStatus)
conditionalmap[0].mappings[21].event.deviceCustomString1Label=__stringConstant("Query Results")
conditionalmap[0].mappings[21].event.deviceCustomString1=QueryResults
#

###############################################################################################################
# The Following Event was introduced in Sysmon v11
###############################################################################################################
# Event ID 23: File Deleted
# RuleName
# UtcTime: %1
# ProcessGuid: %2
# ProcessId: %3
# Image: %4
# TargetFilename: %5
# Hashes: %6
# IsExecutable: %7
# Archived: %8

conditionalmap[0].mappings[22].values=23
conditionalmap[0].mappings[22].event.message=__concatenate("File: ",TargetFilename," deleted by: ",Image)
conditionalmap[0].mappings[22].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_FILE_DELETE")
#
###############################################################################################################
# The Following Event was introduced in Sysmon v13
###############################################################################################################
# Event ID 24: Clipboard changed
# RuleName: %1
# UtcTime: %2
# ProcessGuid: %3
# ProcessId: %4
# Image: %5
# Session: %6
# ClientInfo: %7
# Hashes: %8
# Archived: %9

conditionalmap[0].mappings[23].values=24
# conditionalmap[0].mappings[23].event.message=__concatenate()
conditionalmap[0].mappings[23].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_CLIPBOARD")
conditionalmap[0].mappings[23].event.deviceCustomString1Label=__stringConstant("Client Info")
conditionalmap[0].mappings[23].event.deviceCustomString1=ClientInfo
#

###############################################################################################################
# The Following Event was introduced in Sysmon v13
###############################################################################################################
# Event ID 25: Process Tampering
# RuleName: %1
# UtcTime: %2
# ProcessGuid: %3
# ProcessId: %4
# Image: %5
# Type: %6

conditionalmap[0].mappings[24].values=25
# conditionalmap[0].mappings[24].event.message=__concatenate()
conditionalmap[0].mappings[24].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_PROCESS_IMAGE_TAMPERING")
conditionalmap[0].mappings[24].event.deviceCustomString1Label=__stringConstant("Type")
conditionalmap[0].mappings[24].event.deviceCustomString1=Type
#

###############################################################################################################
# Event ID 255: Error report
# UtcTime: %1
# ID: %2
# Description: %3

conditionalmap[0].mappings[25].values=255
conditionalmap[0].mappings[25].event.message=__concatenate("Sysmon Error ID: ",ID," Description: ",Description)
conditionalmap[0].mappings[25].event.deviceEventClassId=__stringConstant("SysmonTask-SYSMON_ERROR")
conditionalmap[0].mappings[25].event.deviceCustomString1Label=__stringConstant("ID")
conditionalmap[0].mappings[25].event.deviceCustomString1=ID
conditionalmap[0].mappings[25].event.deviceCustomString2Label=__stringConstant("Description")
conditionalmap[0].mappings[25].event.deviceCustomString2=Description

#
###############################################################################################################
# catch all event for future changes / additions
conditionalmap[0].mappings[26].event.name=__stringConstant("Unparsed Event")
#
###############################################################################################################

# Extra Processor Settings
# Set map file to map event Names and Categories
extraprocessor.count=2
extraprocessor[0].type=map
extraprocessor[0].filename=winc/microsoft_windows_sysmon_operational/microsoft_windows_sysmon.map.csv
extraprocessor[0].allowoverwrite=true
#
extraprocessor[1].type=map
extraprocessor[1].filename=winc/microsoft_windows_sysmon_operational/dns_codes.map.csv
extraprocessor[1].allowoverwrite=true
###############################################################################################################
--------------------------------------------------------------------------------
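The mapping rules in the properties file can be exercised offline. The block below is an added example, not code from this repository or from ArcSight: it models the token functions the parser relies on (__oneOf, __regexTokenNoWarning, __parseMultipleTimeStamp, __replaceAll, __safeToInteger/__safeToLong, __concatenate) in Python and runs the global mappings plus the Event ID 1 and Event ID 22 conditional mappings over two constructed WINC records. The key/value splitter, the handling of missing tokens in __concatenate, the DNS message text and the sample records (with filler hash values) are this example's own assumptions.

```python
"""Offline model of how this FlexConnector normalises Sysmon WINC records.
Added example, not code from the S3COPS parser or ArcSight; the splitter is an
assumption about key.delimiter=&& with key.regexp=([^&=]+), and the sample
records below are constructed, with filler hash values."""
import re
from datetime import datetime, timezone

# event.externalId -> event name, a subset of microsoft_windows_sysmon.map.csv
EVENT_NAMES = {1: "Process Create", 22: "DNS Query", 255: "Error report"}
# The two UtcTime layouts the parser hands to __parseMultipleTimeStamp
TIME_FORMATS = ("%m/%d/%Y %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S.%f")
# A key is [^&=]+ at the start of the record or right after "&&", followed by "=";
# anything else ("=" inside RuleName, "&&" inside a command line) stays in the value.
KEY_RE = re.compile(r"(?:^|&&)([^&=]+)=")

def split_record(raw):
    """Split one key=value record into a dict, trimming keys and values."""
    keys = list(KEY_RE.finditer(raw))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(raw)
        fields[m.group(1).strip()] = raw[m.end():end].strip()
    return fields

def one_of(fields, *names):
    """__oneOf: the first listed token that is present and non-empty."""
    return next((fields[n] for n in names if fields.get(n)), None)

def regex_token(value, pattern):
    """__regexTokenNoWarning: first capture group, None when nothing matches."""
    m = re.match(pattern, value or "")
    return m.group(1) if m else None

def parse_multi_timestamp(value):
    """__parseMultipleTimeStamp: first layout that parses; Sysmon writes UTC."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            continue
    return None

def safe_to_int(value):
    """__safeToInteger / __safeToLong: None instead of a parse failure."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

def concatenate(*parts):
    """__concatenate, with a missing token rendered as "" (assumed)."""
    return "".join("" if p is None else str(p) for p in parts)

def normalise(event_id, raw):
    """Apply the global mappings, then the conditionalmap entry for event_id."""
    f = split_record(raw)
    ev = {
        "externalId": event_id,
        "name": EVENT_NAMES.get(event_id, "Unparsed Event"),  # mappings[26] catch-all
        "endTime": parse_multi_timestamp(f.get("UtcTime")),
        "filePath": one_of(f, "TargetFilename", "ImageLoaded", "TargetImage", "Image"),
        "fileHash": regex_token(f.get("Hashes"), r".*SHA256=(\w+).*"),
        "Hash_MD5": regex_token(f.get("Hashes"), r".*MD5=(\w+).*"),
        "deviceProcessId": safe_to_int(f.get("ProcessId")),
        "sourceProcessId": safe_to_int(one_of(f, "ParentProcessId", "SourceProcessId", "ProcessId")),
        "sourceProcessName": one_of(f, "ParentImage", "SourceImage", "Image"),
        "reason": f.get("RuleName"),
    }
    if event_id == 1:
        ev["deviceEventClassId"] = "SysmonTask-SYSMON_CREATE_PROCESS"
        # __replaceAll(CommandLine,"\\s+"," ") collapses runs of whitespace
        ev["deviceCustomString1"] = re.sub(r"\s+", " ", f.get("CommandLine", ""))
        ev["message"] = concatenate(
            "Process Created: ", f.get("Image"), " Product: ", f.get("Product"),
            " Company: ", f.get("Company"), " Description: ", f.get("Description"),
            " FileVersion: ", f.get("FileVersion"))
    elif event_id == 22:
        ev["deviceEventClassId"] = "SysmonTask-DNS_QUERY"
        ev["destinationHostName"] = f.get("QueryName")
        ev["deviceCustomNumber1"] = safe_to_int(f.get("QueryStatus"))
        ev["deviceCustomString1"] = f.get("QueryResults")
        # Message text is this example's choice, not the parser's
        ev["message"] = concatenate("DNS Query: ", f.get("QueryName"), " by process: ", f.get("Image"))
    return ev

# Constructed sample records (not captured from a real host); hashes are filler.
SAMPLE_PROCESS_CREATE = (
    "RuleName=technique_id=T1059&&UtcTime=2021-03-01 12:34:56.789"
    "&&ProcessId=4321&&Image=C:\\Windows\\System32\\cmd.exe&&CommandLine=cmd.exe   /c  dir && whoami"
    "&&Hashes=SHA1=" + "a" * 40 + ",MD5=" + "b" * 32 + ",SHA256=" + "c" * 64 + ",IMPHASH=" + "d" * 32
    + "&&ParentProcessId=1234&&ParentImage=C:\\Windows\\explorer.exe"
    "&&Product=Microsoft Windows Operating System&&Company=Microsoft Corporation"
    "&&Description=Windows Command Processor&&FileVersion=10.0.19041.1"
)
SAMPLE_DNS_QUERY = (
    "RuleName=-&&UtcTime=03/01/2021 12:35:00.001&&ProcessId=4321"
    "&&QueryName=example.com&&QueryStatus=0&&QueryResults=::ffff:192.0.2.10;"
    "&&Image=C:\\Windows\\System32\\cmd.exe"
)
```

Running `normalise(1, SAMPLE_PROCESS_CREATE)` shows the "&&" inside the command line and the "=" inside RuleName surviving the split, the SHA256 and MD5 values picked out of the Hashes token, and the parent process winning the __oneOf precedence for the source process fields.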
/fcp/winc/microsoft_windows_sysmon_operational/sysmon.xml:
--------------------------------------------------------------------------------
(Sysmon configuration file; its XML markup is not recoverable from this copy, only bare element values survived. Refer to the repository for the file itself.)
--------------------------------------------------------------------------------