17 October 2018, 23:10

As you may know, some folks out there have published interesting SYSMON config parts: basically, they exclude what is legitimate but noisy, and include what is suspicious by nature (even mapping it to TTPs!).

For instance: https://github.com/MotiBa/Sysmon/blob/master/config_v17.xml Great work!

But what I found is that SYSMON can consume a lot of CPU (and disk I/O) resources, as explained here: https://twitter.com/ph_V/status/1049771902355558400

I am still investigating, but it appears that these performance issues are mainly related to the use of "ImageLoad" events with SYSMON v7/v8.

In practice this means that the same XML config, logging and excluding the same events, has no noticeable performance impact with SYSMON v6.10, but does with SYSMON v7/v8 (after you convert the XML to be schema v4 compliant).

While we are at it, here are a few SYSMON rules to exclude common security solutions that are noisy by default in the SYSMON log and of very low interest in terms of logging. Each fragment is shown as a complete schema 3.4 config; paste the relevant elements into the EventFiltering section of your own configuration rather than loading them as separate files, since SYSMON takes a single config.

TREND MICRO OfficeScan:

<Sysmon schemaversion="3.4">
  <EventFiltering>
    <ProcessCreate onmatch="exclude">
      <Image condition="is">C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmopExtIns32.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmExtIns.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmListen.exe</Image>
    </ProcessCreate>
    <NetworkConnect onmatch="exclude">
      <Image condition="is">C:\Program files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe</Image>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>

SOPHOS Antivirus:

<Sysmon schemaversion="3.4">
  <EventFiltering>
    <ProcessCreate onmatch="exclude">
      <Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe</Image>
    </ProcessCreate>
    <NetworkConnect onmatch="exclude">
      <Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe</Image>
      <Image condition="is">C:\Program Files\Sophos\Sophos Network Threat Protection\bin\SntpService.exe</Image>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>

KASPERSKY Antivirus:

<Sysmon schemaversion="3.4">
  <EventFiltering>
    <ProcessCreate onmatch="exclude">
      <Image condition="begin with">C:\Program Files\Kaspersky Lab\</Image>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>

ESET Nod32:

<Sysmon schemaversion="3.4">
  <EventFiltering>
    <ProcessCreate onmatch="exclude">
      <Image condition="is">C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe</Image>
    </ProcessCreate>
    <NetworkConnect onmatch="exclude">
      <Image condition="is">C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe</Image>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>

SPLUNK Universal Forwarder:

<Sysmon schemaversion="3.4">
  <EventFiltering>
    <NetworkConnect onmatch="exclude">
      <Image condition="begin with">C:\Program Files\splunkUniversalForwarder\bin\</Image>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>

MalwareBytes Antimalware:

<Sysmon schemaversion="3.4">
  <EventFiltering>
    <ProcessCreate onmatch="exclude">
      <Image condition="is">C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe</Image>
      <Image condition="is">C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe</Image>
      <Image condition="is">C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe</Image>
    </ProcessCreate>
    <ImageLoad onmatch="exclude">
      <Image condition="is">C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe</Image>
      <Image condition="is">C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe</Image>
      <Image condition="is">C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe</Image>
    </ImageLoad>
    <ProcessAccess onmatch="exclude">
      <SourceImage condition="is">C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe</SourceImage>
      <SourceImage condition="is">C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe</SourceImage>
      <SourceImage condition="is">C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe</SourceImage>
    </ProcessAccess>
  </EventFiltering>
</Sysmon>
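To check how such exclusions behave before deploying them, here is an added example (mine, not from the original post or from Sysmon itself): a small Python evaluator that parses a fragment in the same schema 3.4 style and replays constructed events against it. It assumes Sysmon's case-insensitive string matching and OR semantics between the rules of one event type; the config and event paths are constructed samples, and the mistyped "Kaspersly" path shows how a one-character typo silently keeps the noise.

```python
import xml.etree.ElementTree as ET

# Constructed config in the style of the fragments above, with the
# <EventFiltering> wrapper the Sysmon schema expects around the filters.
SAMPLE_CONFIG = r"""<Sysmon schemaversion="3.4">
  <EventFiltering>
    <ProcessCreate onmatch="exclude">
      <Image condition="is">C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe</Image>
      <Image condition="begin with">C:\Program Files\Kaspersky Lab\</Image>
    </ProcessCreate>
    <NetworkConnect onmatch="exclude">
      <Image condition="is">C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe</Image>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>"""

def _matches(condition, pattern, value):
    # Sysmon string conditions compare case-insensitively.
    p, v = pattern.lower(), value.lower()
    return {"is": p == v, "begin with": v.startswith(p),
            "end with": v.endswith(p), "contains": p in v}[condition]

def load_rules(xml_text):
    """Return {event_type: (onmatch, [(field, condition, pattern), ...])}."""
    rules = {}
    for ev in ET.fromstring(xml_text).find("EventFiltering"):
        fields = [(f.tag, f.get("condition", "is"), (f.text or "").strip()) for f in ev]
        rules[ev.tag] = (ev.get("onmatch"), fields)
    return rules

def would_log(rules, event_type, event):
    """None when no filter exists for the type (Sysmon's own per-type default then
    applies); rules inside one element are OR'd, 'exclude' drops on any hit."""
    if event_type not in rules:
        return None
    onmatch, fields = rules[event_type]
    hit = any(_matches(c, p, event.get(f, "")) for f, c, p in fields)
    return (not hit) if onmatch == "exclude" else hit

def kept_events(rules, events):  # -> the (type, event) pairs Sysmon would log
    return [(t, e) for t, e in events if would_log(rules, t, e)]

if __name__ == "__main__":
    sample = [  # constructed events; the second has a mistyped vendor path
        ("ProcessCreate", {"Image": r"c:\program files\kaspersky lab\avp.exe"}),
        ("ProcessCreate", {"Image": r"C:\Program Files\Kaspersly Lab\avp.exe"}),
        ("NetworkConnect", {"Image": r"C:\Program Files\Kaspersky Lab\avp.exe"}),
    ]
    for t, e in kept_events(load_rules(SAMPLE_CONFIG), sample):
        print("logged:", t, e["Image"])
```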

More to come :)
