PR closed SwiftOnSecurity/sysmon-config

Resilio Sync

Great tool: https://www.resilio.com/individuals/ Used to be BTSync

+2 -0

1 comment

1 changed file

mubix

pr closed time in 2 months

pull request comment SwiftOnSecurity/sysmon-config

Resilio Sync

Thanks for your work on this, but the base version needs to be as lean as possible to ensure attackers can't use missing locations on victim computers to hide.

mubix

comment created time in 2 months

PR closed SwiftOnSecurity/sysmon-config

Blizzard Agent

Yes, it's called Agent.exe; yes, it's in ProgramData; yes, it's in a subfolder with a build number like Agent.6082, so it's nearly impossible to exclude right. Mostly I'm making this pull request as a way to ping the community to fix this.

+1 -0

2 comments

1 changed file

mubix

pr closed time in 2 months

pull request comment SwiftOnSecurity/sysmon-config

Blizzard Agent

Thanks for your work on this, but the base version needs to be as lean as possible to ensure attackers can't use missing locations on victim computers to hide.

mubix

comment created time in 2 months

push event SwiftOnSecurity/sysmon-config

davidbernalm

commit sha e478ac0227cc89cdc2c1e9a524688fd2bf189a20

Suggested exclusions for Win10

Exclude:
Smartscreen, C:\Windows\System32\smartscreen.exe
Network Setup Service, C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
Microsoft Feeds Synchronization, C:\Windows\System32\msfeedssync.exe
RunTimeBroker, C:\Windows\System32\RuntimeBroker.exe -Embedding


SwiftOnSecurity

commit sha 1c1e0ec0d9693b5e3fef72faf94989deef9ff6cc

Merge pull request #60 from davidbernalm/patch-1

Suggested exclusions for Win10


push time in 2 months

PR merged SwiftOnSecurity/sysmon-config

Suggested exclusions for Win10

Exclude:
Smartscreen, C:\Windows\System32\smartscreen.exe
Network Setup Service, C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
Microsoft Feeds Synchronization, C:\Windows\System32\msfeedssync.exe
RunTimeBroker, C:\Windows\System32\RuntimeBroker.exe -Embedding

+4 -0

0 comment

1 changed file

davidbernalm

pr closed time in 2 months

push event SwiftOnSecurity/sysmon-config

Simon Garrelou

commit sha d7348095d129ce292891db3c6a8d4be98e66f88d

FileCreate: match ".dmp" files


SwiftOnSecurity

commit sha 64e6d2ae3fdf93a2bfffd99cd04a610cf771a44c

Merge pull request #76 from airbus-cert/master

FileCreate: match ".dmp" files


push time in 2 months

PR merged SwiftOnSecurity/sysmon-config

FileCreate: match ".dmp" files

According to gentilkiwi's blog post (in French, sorry), it is possible to dump lsass.exe directly from the Task Manager, without using procdump or any similar tool. Mimikatz can then be used on this dump as usual.

What's interesting is you cannot specify the name of the dump file, it is always of the form [processname].DMP.

I believe monitoring the creation of files with extension .dmp could help catch attackers trying to use this technique to steal credentials.

+1 -0

0 comment

1 changed file

simsor

pr closed time in 2 months

push event SwiftOnSecurity/sysmon-config

Paul Masek

commit sha 0a628f3f506905cec47b787ff7552752710fc43e

typo fix: unexplanable > unexplainable


SwiftOnSecurity

commit sha b03f1b9f240265f7f4cfee8ea344f15f0462b1db

Merge pull request #78 from itpropaul/patch-1

typo fix: unexplanable > unexplainable


push time in 2 months

push event SwiftOnSecurity/sysmon-config

Paul Masek

commit sha f50e12056e0fb80b2adca6669638e6bc36e46152

added loopback address to networkconnect exclusions


SwiftOnSecurity

commit sha d1bdff972400e6fdbb0e15352131895df247b81b

Merge pull request #82 from itpropaul/patch-2

added loopback address to networkconnect exclusions


push time in 2 months

push event SwiftOnSecurity/sysmon-config

tomx4096

commit sha abe1a000135c094d65ab98e1ee765662f9b45d3b

fixed typo in RecycleBin network rule


SwiftOnSecurity

commit sha 4979186ad7cb2ba4e3b49807fbd96406511a1b11

Merge pull request #86 from tomx4096/master

fixed typo in RecycleBin network rule


push time in 2 months

PR merged SwiftOnSecurity/sysmon-config

fixed typo in RecycleBin network rule

C:\Recyle -> C:\Recycle

+1 -1

0 comment

1 changed file

tomx4096

pr closed time in 2 months

push event SwiftOnSecurity/sysmon-config

SwiftOnSecurity

commit sha 0812e99e76083ddc75583ad3a16e57826553310c

Update z-AlphaVersion.xml


push time in 2 months

push event SwiftOnSecurity/sysmon-config

SwiftOnSecurity

commit sha e212ff71b28bee88ac34c2fcf0fad0f6d00035fc

Update z-AlphaVersion.xml


push time in 2 months

push event SwiftOnSecurity/sysmon-config

Keep Watcher

commit sha aefebc78f521b78f88c98562fc96457b0375b83d

Bugfix: SecurityProvider reg key

The registry key path included an extra SecurityProviders string, preventing it from returning WDigest modification events.


SwiftOnSecurity

commit sha facc9cda0cc08f48ae897288224897458e4445fa

Merge pull request #85 from keepwatch/master

Bugfix: SecurityProvider reg key


push time in 2 months

PR merged SwiftOnSecurity/sysmon-config

Bugfix: SecurityProvider reg key

The registry key path included an extra SecurityProviders string, preventing it from returning WDigest modification events.

Test: From a PowerShell prompt (run as administrator), run: Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" -Name UseLogonCredential -Value 1.

+1 -1

2 comments

1 changed file

keepwatch

pr closed time in 2 months
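The two merged detections above (PR #76, FileCreate on ".dmp" files, and PR #85, the corrected WDigest registry path) as an added example that is not part of the sysmon-config project or this feed: a small evaluator for Sysmon-style rule conditions run over constructed FileCreate (EventID 11) and RegistryEvent (EventID 13) records. The rule values and the sample events are assumptions modelled on the PR descriptions, not copied from the project's XML.

```python
from typing import Dict, List, Tuple

# Constructed sample events; field names follow Sysmon's event schema.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "11", "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\lsass.DMP"},
    {"EventID": "11", "Image": r"C:\Program Files\App\app.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
    {"EventID": "13", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": "13", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Example\Start",
     "Details": "DWORD (0x00000002)"},
]

# Rules in the spirit of the two PRs: (name, EventID, field, condition, value).
# Note the single SecurityProviders segment in the WDigest path (the bug PR #85 fixed).
RULES: List[Tuple[str, str, str, str, str]] = [
    ("FileCreate .dmp (possible LSASS dump)", "11", "TargetFilename", "end with", ".dmp"),
    ("WDigest UseLogonCredential modified", "13", "TargetObject", "contains",
     r"SecurityProviders\WDigest\UseLogonCredential"),
]


def condition_matches(actual: str, condition: str, expected: str) -> bool:
    """Evaluate a Sysmon-style condition; Sysmon compares case-insensitively,
    so Task Manager's lsass.DMP matches a rule written as .dmp."""
    a, e = actual.lower(), expected.lower()
    if condition == "is":
        return a == e
    if condition == "contains":
        return e in a
    if condition == "end with":
        return a.endswith(e)
    if condition == "begin with":
        return a.startswith(e)
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule name, Image) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, event_id, field, cond, value in RULES:
            if ev.get("EventID") == event_id and condition_matches(ev.get(field, ""), cond, value):
                hits.append((name, ev["Image"]))
    return hits


if __name__ == "__main__":
    for rule_name, image in evaluate(SAMPLE_EVENTS):
        print(f"{rule_name}: {image}")
```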
