More network monitoring

Changes: - Monitor proxy server changes - Monitor writing Office macro documents - ngen/ngentask filtering - Now monitoring net.exe, sec.exe, qwinstal.exe, and sensitive ports, thanks to @ion-storm - Cleaned up NamedPipe area in sysmonconfig - Adding extra-NamedPipes.xml to show what I'm testing internally
KarlRanseier · Feb 28, 2017 · b1824ad · b1824ad
1 parent 9c0e37c
commit b1824ad
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 28 deletions.
diff --git a/extra-NamedPipes.xml b/extra-NamedPipes.xml
@@ -0,0 +1,21 @@
+<!--Addendum file for sysmon-config.xml which enables PipeEvent monitoring when merged. Currently under development.-->
+
+		<PipeEvent onmatch="exclude">
+		<!--COMMENT: Exclude known-good pipe users-->
+				<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
+				<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
+			<!--SECTION: Microsoft-->
+			<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows</Image>
+			<Image condition="is">C:\Windows\system32\SearchProtocolHost.exe</Image>
+			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</Image>
+			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe</Image>
+			<!--SECTION: Webroot-->
+			<PipeName condition="is">\WRSVCPipe</PipeName>
+			<PipeName condition="is">\WRSynUM2</PipeName>
+			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
+			<!--SECTION: Google-->
+			<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
+			<Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
+			<!--SECTION: Other-->
+			<Image condition="end with">slack.exe</Image>
+		</PipeEvent>