├── .gitignore ├── CODE_OF_CONDUCT.md ├── LICENSE ├── README.md ├── SECURITY.md ├── SUPPORT.md ├── linux ├── README.md ├── configs │ ├── ConvertTo-MainConfig.ps1 │ ├── README.md │ ├── Split-XmlConfig.ps1 │ ├── _events │ │ ├── 11_FileCreate │ │ │ ├── T1037_BootLogonInitScripts_CommonDirectories.xml │ │ │ ├── T1053.003_Cron_Activity.xml │ │ │ ├── T1105_IngressToolTransfer_CommonTools.xml │ │ │ └── T1543.002_CreateModSystemProcess_Systemd.xml │ │ ├── 1_ProcessCreate │ │ │ ├── T1021.004_SSH_CommonCommands.xml │ │ │ ├── T1027.001_BinaryPadding_DD.xml │ │ │ ├── T1033_UserDiscovery_LoggedInUsers.xml │ │ │ ├── T1053.003_Cron_Activity.xml │ │ │ ├── T1059.004_UnixShell_CommonShells.xml │ │ │ ├── T1070.006_Timestomp_Touch.xml │ │ │ ├── T1087.001_LocalAccount_Commands.xml │ │ │ ├── T1105_IngressToolTransfer_CommonTools.xml │ │ │ ├── T1123_AudioCapture_Activity.xml │ │ │ ├── T1136.001_CreateLocalAccount_Commands.xml │ │ │ ├── T1203_ExploitationForClientExecution_SCXRunAsProviders.xml │ │ │ ├── T1485_DataDestruction_DD.xml │ │ │ ├── T1505.003_WebShell_SuspSubProcesses.xml │ │ │ ├── T1543.002_CreateModSystemProcess_Systemd.xml │ │ │ └── T1548.001_ElevationControl_CommonProcesses.xml │ │ └── 3_NetworkConnect │ │ │ └── T1105_IngressToolTransfer_CommonTools.xml │ ├── attack-based │ │ ├── collection │ │ │ └── T1123_AudioCapture_Activity.xml │ │ ├── command_control │ │ │ └── T1105_IngressToolTransfer_CommonTools.xml │ │ ├── defense_evasion │ │ │ ├── T1027.001_BinaryPadding_DD.xml │ │ │ └── T1070.006_Timestomp_Touch.xml │ │ ├── discovery │ │ │ ├── T1033_UserDiscovery_LoggedInUsers.xml │ │ │ └── T1087.001_LocalAccount_Commands.xml │ │ ├── execution │ │ │ ├── T1059.004_UnixShell_CommonShells.xml │ │ │ └── T1203_ExploitationForClientExecution_SCXRunAsProviders.xml │ │ ├── impact │ │ │ └── T1485_DataDestruction_DD.xml │ │ ├── lateral_movement │ │ │ └── T1021.004_SSH_CommonCommands.xml │ │ ├── persistence │ │ │ ├── T1037_BootLogonInitScripts_CommonDirectories.xml │ │ │ ├── T1053.003_Cron_Activity.xml │ │ │ ├── T1136.001_CreateLocalAccount_Commands.xml │ │ │ ├── T1505.003_WebShell_SuspSubProcesses.xml │ │ │ └── T1543.002_CreateModSystemProcess_Systemd.xml │ │ └── privilege_escalation │ │ │ └── T1548.001_ElevationControl_CommonProcesses.xml │ ├── collect-all.xml │ └── main.xml └── schemas │ └── sysmonv1.0.0.xml └── windows ├── README.md └── schemas ├── sysmonv11.0_4.30.xml ├── sysmonv11.10_4.32.xml ├── sysmonv11.11_4.32.xml ├── sysmonv12.03_4.40.xml ├── sysmonv12_4.40.xml ├── sysmonv13.01_4.50.xml ├── sysmonv13.10_4.60.xml ├── sysmonv13.21_4.70.xml ├── sysmonv13.22_4.70.xml ├── sysmonv13.24_4.70.xml ├── sysmonv13.30_4.81.xml └── sysmonv14.0_4.82.xml /.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/.gitignore -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/CODE_OF_CONDUCT.md -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/LICENSE -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/README.md -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/SECURITY.md -------------------------------------------------------------------------------- /SUPPORT.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/SUPPORT.md -------------------------------------------------------------------------------- /linux/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/README.md -------------------------------------------------------------------------------- /linux/configs/ConvertTo-MainConfig.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/ConvertTo-MainConfig.ps1 -------------------------------------------------------------------------------- /linux/configs/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/README.md -------------------------------------------------------------------------------- /linux/configs/Split-XmlConfig.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/Split-XmlConfig.ps1 -------------------------------------------------------------------------------- /linux/configs/_events/11_FileCreate/T1037_BootLogonInitScripts_CommonDirectories.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/_events/11_FileCreate/T1037_BootLogonInitScripts_CommonDirectories.xml -------------------------------------------------------------------------------- /linux/configs/_events/11_FileCreate/T1053.003_Cron_Activity.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/_events/11_FileCreate/T1053.003_Cron_Activity.xml -------------------------------------------------------------------------------- /linux/configs/_events/11_FileCreate/T1105_IngressToolTransfer_CommonTools.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/_events/11_FileCreate/T1105_IngressToolTransfer_CommonTools.xml -------------------------------------------------------------------------------- /linux/configs/_events/11_FileCreate/T1543.002_CreateModSystemProcess_Systemd.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/_events/11_FileCreate/T1543.002_CreateModSystemProcess_Systemd.xml -------------------------------------------------------------------------------- /linux/configs/_events/1_ProcessCreate/T1021.004_SSH_CommonCommands.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/_events/1_ProcessCreate/T1021.004_SSH_CommonCommands.xml -------------------------------------------------------------------------------- /linux/configs/_events/1_ProcessCreate/T1027.001_BinaryPadding_DD.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/_events/1_ProcessCreate/T1027.001_BinaryPadding_DD.xml -------------------------------------------------------------------------------- /linux/configs/_events/1_ProcessCreate/T1033_UserDiscovery_LoggedInUsers.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/_events/1_ProcessCreate/T1033_UserDiscovery_LoggedInUsers.xml -------------------------------------------------------------------------------- /linux/configs/_events/1_ProcessCreate/T1053.003_Cron_Activity.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/_events/1_ProcessCreate/T1053.003_Cron_Activity.xml -------------------------------------------------------------------------------- /linux/configs/_events/1_ProcessCreate/T1059.004_UnixShell_CommonShells.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/_events/1_ProcessCreate/T1059.004_UnixShell_CommonShells.xml -------------------------------------------------------------------------------- /linux/configs/_events/1_ProcessCreate/T1070.006_Timestomp_Touch.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/_events/1_ProcessCreate/T1070.006_Timestomp_Touch.xml -------------------------------------------------------------------------------- /linux/configs/_events/1_ProcessCreate/T1087.001_LocalAccount_Commands.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/_events/1_ProcessCreate/T1087.001_LocalAccount_Commands.xml -------------------------------------------------------------------------------- /linux/configs/_events/1_ProcessCreate/T1105_IngressToolTransfer_CommonTools.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/_events/1_ProcessCreate/T1105_IngressToolTransfer_CommonTools.xml -------------------------------------------------------------------------------- /linux/configs/_events/1_ProcessCreate/T1123_AudioCapture_Activity.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/_events/1_ProcessCreate/T1123_AudioCapture_Activity.xml -------------------------------------------------------------------------------- /linux/configs/_events/1_ProcessCreate/T1136.001_CreateLocalAccount_Commands.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/_events/1_ProcessCreate/T1136.001_CreateLocalAccount_Commands.xml -------------------------------------------------------------------------------- /linux/configs/_events/1_ProcessCreate/T1203_ExploitationForClientExecution_SCXRunAsProviders.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/_events/1_ProcessCreate/T1203_ExploitationForClientExecution_SCXRunAsProviders.xml -------------------------------------------------------------------------------- /linux/configs/_events/1_ProcessCreate/T1485_DataDestruction_DD.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/_events/1_ProcessCreate/T1485_DataDestruction_DD.xml -------------------------------------------------------------------------------- /linux/configs/_events/1_ProcessCreate/T1505.003_WebShell_SuspSubProcesses.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/_events/1_ProcessCreate/T1505.003_WebShell_SuspSubProcesses.xml -------------------------------------------------------------------------------- /linux/configs/_events/1_ProcessCreate/T1543.002_CreateModSystemProcess_Systemd.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/_events/1_ProcessCreate/T1543.002_CreateModSystemProcess_Systemd.xml -------------------------------------------------------------------------------- /linux/configs/_events/1_ProcessCreate/T1548.001_ElevationControl_CommonProcesses.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/_events/1_ProcessCreate/T1548.001_ElevationControl_CommonProcesses.xml -------------------------------------------------------------------------------- /linux/configs/_events/3_NetworkConnect/T1105_IngressToolTransfer_CommonTools.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/_events/3_NetworkConnect/T1105_IngressToolTransfer_CommonTools.xml -------------------------------------------------------------------------------- /linux/configs/attack-based/collection/T1123_AudioCapture_Activity.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/attack-based/collection/T1123_AudioCapture_Activity.xml -------------------------------------------------------------------------------- /linux/configs/attack-based/command_control/T1105_IngressToolTransfer_CommonTools.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/attack-based/command_control/T1105_IngressToolTransfer_CommonTools.xml -------------------------------------------------------------------------------- /linux/configs/attack-based/defense_evasion/T1027.001_BinaryPadding_DD.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/attack-based/defense_evasion/T1027.001_BinaryPadding_DD.xml -------------------------------------------------------------------------------- /linux/configs/attack-based/defense_evasion/T1070.006_Timestomp_Touch.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/attack-based/defense_evasion/T1070.006_Timestomp_Touch.xml -------------------------------------------------------------------------------- /linux/configs/attack-based/discovery/T1033_UserDiscovery_LoggedInUsers.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/attack-based/discovery/T1033_UserDiscovery_LoggedInUsers.xml -------------------------------------------------------------------------------- /linux/configs/attack-based/discovery/T1087.001_LocalAccount_Commands.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/attack-based/discovery/T1087.001_LocalAccount_Commands.xml -------------------------------------------------------------------------------- /linux/configs/attack-based/execution/T1059.004_UnixShell_CommonShells.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/attack-based/execution/T1059.004_UnixShell_CommonShells.xml -------------------------------------------------------------------------------- /linux/configs/attack-based/execution/T1203_ExploitationForClientExecution_SCXRunAsProviders.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/attack-based/execution/T1203_ExploitationForClientExecution_SCXRunAsProviders.xml -------------------------------------------------------------------------------- /linux/configs/attack-based/impact/T1485_DataDestruction_DD.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/attack-based/impact/T1485_DataDestruction_DD.xml -------------------------------------------------------------------------------- /linux/configs/attack-based/lateral_movement/T1021.004_SSH_CommonCommands.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/attack-based/lateral_movement/T1021.004_SSH_CommonCommands.xml -------------------------------------------------------------------------------- /linux/configs/attack-based/persistence/T1037_BootLogonInitScripts_CommonDirectories.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/attack-based/persistence/T1037_BootLogonInitScripts_CommonDirectories.xml -------------------------------------------------------------------------------- /linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml -------------------------------------------------------------------------------- /linux/configs/attack-based/persistence/T1136.001_CreateLocalAccount_Commands.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/attack-based/persistence/T1136.001_CreateLocalAccount_Commands.xml -------------------------------------------------------------------------------- /linux/configs/attack-based/persistence/T1505.003_WebShell_SuspSubProcesses.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/attack-based/persistence/T1505.003_WebShell_SuspSubProcesses.xml -------------------------------------------------------------------------------- /linux/configs/attack-based/persistence/T1543.002_CreateModSystemProcess_Systemd.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/attack-based/persistence/T1543.002_CreateModSystemProcess_Systemd.xml -------------------------------------------------------------------------------- /linux/configs/attack-based/privilege_escalation/T1548.001_ElevationControl_CommonProcesses.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/attack-based/privilege_escalation/T1548.001_ElevationControl_CommonProcesses.xml -------------------------------------------------------------------------------- /linux/configs/collect-all.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/collect-all.xml -------------------------------------------------------------------------------- /linux/configs/main.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/configs/main.xml -------------------------------------------------------------------------------- /linux/schemas/sysmonv1.0.0.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/linux/schemas/sysmonv1.0.0.xml -------------------------------------------------------------------------------- /windows/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/windows/README.md -------------------------------------------------------------------------------- /windows/schemas/sysmonv11.0_4.30.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/windows/schemas/sysmonv11.0_4.30.xml -------------------------------------------------------------------------------- /windows/schemas/sysmonv11.10_4.32.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/windows/schemas/sysmonv11.10_4.32.xml -------------------------------------------------------------------------------- /windows/schemas/sysmonv11.11_4.32.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/windows/schemas/sysmonv11.11_4.32.xml -------------------------------------------------------------------------------- /windows/schemas/sysmonv12.03_4.40.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/windows/schemas/sysmonv12.03_4.40.xml -------------------------------------------------------------------------------- /windows/schemas/sysmonv12_4.40.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/windows/schemas/sysmonv12_4.40.xml -------------------------------------------------------------------------------- /windows/schemas/sysmonv13.01_4.50.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/windows/schemas/sysmonv13.01_4.50.xml -------------------------------------------------------------------------------- /windows/schemas/sysmonv13.10_4.60.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/windows/schemas/sysmonv13.10_4.60.xml -------------------------------------------------------------------------------- /windows/schemas/sysmonv13.21_4.70.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/windows/schemas/sysmonv13.21_4.70.xml -------------------------------------------------------------------------------- /windows/schemas/sysmonv13.22_4.70.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/windows/schemas/sysmonv13.22_4.70.xml -------------------------------------------------------------------------------- /windows/schemas/sysmonv13.24_4.70.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/windows/schemas/sysmonv13.24_4.70.xml -------------------------------------------------------------------------------- /windows/schemas/sysmonv13.30_4.81.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/windows/schemas/sysmonv13.30_4.81.xml -------------------------------------------------------------------------------- /windows/schemas/sysmonv14.0_4.82.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/MSTIC-Sysmon/HEAD/windows/schemas/sysmonv14.0_4.82.xml --------------------------------------------------------------------------------