revocation check added

Blumira · Apr 14, 2018 · b71a02a · b71a02a
1 parent 4af5805
commit b71a02a
Show file tree

Hide file tree

Showing 135 changed files with 266 additions and 62 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+.DS_Store
diff --git a/10_process_access/exclude_lsass_noise.xml b/10_process_access/exclude_lsass_noise.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
-   <HashAlgorithms>*</HashAlgorithms>
+   <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/10_process_access/include_general_commment.xml b/10_process_access/include_general_commment.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/10_process_access/include_mimikatz_inmem.xml b/10_process_access/include_mimikatz_inmem.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/>
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/exclude_dell_process.xml b/11_file_create/exclude_dell_process.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/exclude_intel_gfx_service.xml b/11_file_create/exclude_intel_gfx_service.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/exclude_microsoft_click2run.xml b/11_file_create/exclude_microsoft_click2run.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/exclude_microsoft_services.xml b/11_file_create/exclude_microsoft_services.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/exclude_microsoft_windows_update.xml b/11_file_create/exclude_microsoft_windows_update.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/include_appc_shim.xml b/11_file_create/include_appc_shim.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
-   <HashAlgorithms>*</HashAlgorithms>
+   <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/include_batch_files.xml b/11_file_create/include_batch_files.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/include_default_profile_changes.xml b/11_file_create/include_default_profile_changes.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/include_downloaded_files.xml b/11_file_create/include_downloaded_files.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/include_drivers_added.xml b/11_file_create/include_drivers_added.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/include_executables.xml b/11_file_create/include_executables.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/include_group_policy_changes.xml b/11_file_create/include_group_policy_changes.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/include_hta_scripts.xml b/11_file_create/include_hta_scripts.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/include_microsoft_clickonce.xml b/11_file_create/include_microsoft_clickonce.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/include_microsoft_msbuild_scripts.xml b/11_file_create/include_microsoft_msbuild_scripts.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/include_ms_office_documents_with_macros.xml b/11_file_create/include_ms_office_documents_with_macros.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/include_outlook_attachments.xml b/11_file_create/include_outlook_attachments.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/include_powershell_changes.xml b/11_file_create/include_powershell_changes.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/include_powershell_scripts.xml b/11_file_create/include_powershell_scripts.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/include_scheduled_task_changes.xml b/11_file_create/include_scheduled_task_changes.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/include_start_menu_items.xml b/11_file_create/include_start_menu_items.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/include_startup_items.xml b/11_file_create/include_startup_items.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/include_system_driver_files.xml b/11_file_create/include_system_driver_files.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/include_visual_basic_scripts.xml b/11_file_create/include_visual_basic_scripts.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/11_file_create/include_wmi_changes.xml b/11_file_create/include_wmi_changes.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/12_13_14_registry_event/exclude_internet_explorer_settings.xml b/12_13_14_registry_event/exclude_internet_explorer_settings.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/12_13_14_registry_event/exclude_webroot.xml b/12_13_14_registry_event/exclude_webroot.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/12_13_14_registry_event/exclude_widcomm_bt_driver.xml b/12_13_14_registry_event/exclude_widcomm_bt_driver.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/12_13_14_registry_event/exclude_windows_bootup_control.xml b/12_13_14_registry_event/exclude_windows_bootup_control.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/12_13_14_registry_event/exclude_windows_file_exts.xml b/12_13_14_registry_event/exclude_windows_file_exts.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/12_13_14_registry_event/exclude_windows_generic_binaries.xml b/12_13_14_registry_event/exclude_windows_generic_binaries.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/12_13_14_registry_event/exclude_windows_misc.xml b/12_13_14_registry_event/exclude_windows_misc.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/12_13_14_registry_event/exclude_windows_service_autostart.xml b/12_13_14_registry_event/exclude_windows_service_autostart.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/12_13_14_registry_event/include_accessibility_features.xml b/12_13_14_registry_event/include_accessibility_features.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
-   <HashAlgorithms>*</HashAlgorithms>
+   <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/12_13_14_registry_event/include_appc_shim.xml b/12_13_14_registry_event/include_appc_shim.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
-   <HashAlgorithms>*</HashAlgorithms>
+   <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/12_13_14_registry_event/include_authentication_package.xml b/12_13_14_registry_event/include_authentication_package.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
-   <HashAlgorithms>*</HashAlgorithms>
+   <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/12_13_14_registry_event/include_autoruns_and_startup_keys.xml b/12_13_14_registry_event/include_autoruns_and_startup_keys.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/12_13_14_registry_event/include_bypass_uac.xml b/12_13_14_registry_event/include_bypass_uac.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
-   <HashAlgorithms>*</HashAlgorithms>
+   <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/12_13_14_registry_event/include_com_hijack.xml b/12_13_14_registry_event/include_com_hijack.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/12_13_14_registry_event/include_disable_password_change.xml b/12_13_14_registry_event/include_disable_password_change.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
-   <HashAlgorithms>*</HashAlgorithms>
+   <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/12_13_14_registry_event/include_dll_injection_at_process_launch.xml b/12_13_14_registry_event/include_dll_injection_at_process_launch.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/12_13_14_registry_event/include_dns_serverdll_injection.xml b/12_13_14_registry_event/include_dns_serverdll_injection.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
-   <HashAlgorithms>*</HashAlgorithms>
+   <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/12_13_14_registry_event/include_group_policy_integrity.xml b/12_13_14_registry_event/include_group_policy_integrity.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/12_13_14_registry_event/include_internet_explorer_extentions_helpers_or_toolbars.xml b/12_13_14_registry_event/include_internet_explorer_extentions_helpers_or_toolbars.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>

diff --git a/12_13_14_registry_event/include_local_port_monitor.xml b/12_13_14_registry_event/include_local_port_monitor.xml
@@ -1,6 +1,7 @@
 <Sysmon schemaversion="4.0">
    <!-- Capture all hashes -->
-   <HashAlgorithms>*</HashAlgorithms>
+   <HashAlgorithms>*</HashAlgorithms>
+   <CheckRevocation/> 
    <EventFiltering>
       <!-- Event ID 1 == Process Creation. -->
       <ProcessCreate onmatch="include"/>