sysmonconfig-export.xml

<!--
  sysmon-config | A Sysmon configuration focused on default high-quality event tracing and easy customization by the community
  Source version:	
  Source author:	@SwiftOnSecurity, other contributors also credited in-line or on Git
  Source project:	https://github.com/SwiftOnSecurity/sysmon-config
  Source license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.
  Fork version:	<N/A>
  Fork author:	Ceramicskate0
  Fork project:	https://github.com/ceramicskate0/sysmon-config
  Fork license:	<N/A>
  REQUIRED: Sysmon version 9.10 or higher (due to changes in syntax and bug-fixes)
	https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
	Note that 6.03 and 7.01 have critical fixes for filtering, it's VERY recommended you stay updated.
  NOTE: To collect Sysmon logs centrally for free, see https://aka.ms/WEF | Command to allow log access to the Network Service:
	wevtutil.exe sl Microsoft-Windows-Sysmon/Operational /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)
  NOTE: Do not let the size and complexity of this configuration discourage you from customizing it or building your own.
	This configuration is based around known, high-signal event tracing, and thus appears complicated, but it is only very
	detailed. Significant effort over years has been invested in front-loading as much filtering as possible onto the
	client. This is to make analysis of intrusions possible by hand, and to try to surface anomalous activity as quickly
	as possible to technicians armed only with Event Viewer. Its purpose is to democratize system monitoring for all organizations.
  NOTE: Sysmon is NOT a whitelist solution or HIDS correlation engine, it is a computer change logging tool.
	Do NOT ignore everything possible. Sysmon's purpose is providing context during a threat or problem investigation. Legitimate
	processes are routinely used by threats - do not blindly exclude them. Additionally, be mindful of process-hollowing / imitation.
  NOTE: By default this monitors DNS, which is extremely noisy. If you are starting out on your monitoring journey, just remove that section.
	You can remove DNS events from Event Viewer screen by applying a 'Filter Current View' for event IDs of: -22
	Additionally, if you want to monitor DNS, you should deploy client-side adblocking to reduce lookups. See the DNS section for info.
  NOTE: This configuration is designed for PER-MACHINE installs of Chrome and OneDrive. That moves their binaries out of user-controlled folders.
	Otherwise, attackers could imitate these common applications, and bypass your logging. Below are silent upgrades you can do, no user impact:
	https://docs.microsoft.com/en-us/onedrive/per-machine-installation
	https://cloud.google.com/chrome-enterprise/browser/download/
	
  NOTE: Sysmon is not hardened against an attacker with admin rights. Additionally, this configuration offers an attacker, willing
	to study it, limited ways to evade some of the logging. If you are in a very high-threat environment, you should consider a broader,
	log-most approach. However, in the vast majority of cases, an attacker will bumble through multiple behavioral traps which
	this configuration monitors, especially in the first minutes. Even APT do not send their A-team unless they know you're hardened.
	10% of the effort gets 95% of the results. APT rely on nobody watching because almost nobody does. Your effort makes the difference.
	
	What matters is you. Start acting like it. Start demanding it. I spent 10 years not doing that. I regret every moment I didn't.
	YOU make the difference. I went from a department with nothing, to a deparment with everything. And yet, PEOPLE are what matter.
	If you are reading this, you are already far along the path to changing the world for the better. Advocate for yourself.
	Find somewhere new if you are selfless, yet unvalued. These words are what I would have told an earlier me. I wish I did.
	You are already the candidate of the future. A mirror will never tell truth. Tools can only show what you already beleive.
  NOTE: If you encounter unexplanable event inclusion/exclusion, you may have a second Sysmon instance installed under a different exe filename.
	To clear this, try downloading the latest version and uninstalling with -u force. If it hangs, kill the processes and run it again to cleanup.
  TECHNICAL:
  - Run sysmon.exe -? for a briefing on Sysmon configuration.
  - Sysmon 8+ can track which rule caused an event to be logged through the "RuleName" field.
  - If you only specify exclude for a filtering subsection, everything in that subsection is logged by default.
  - Some Sysmon monitoring abilities are not meant for widely deployed general-purpose use due to performance impact. Depends on environment.
  - Duplicate or overlapping "Include" rules do not result in duplicate events being logged.
  - All characters enclosed by XML tags are always interpreted literally. Sysmon does not support wildcards (*), alternate characters, or RegEx.
  - In registry events, the value name is appended to the full key path with a "\" delimiter. Default key values are named "\(Default)"
  - "Image" is a technical term for a compiled binary file like an EXE or DLL. Also, it can match just the filename, or entire path.
  - "ProcessGuid" and "LoginGuid" are not random, they contain some embedded information. https://gist.github.com/mattifestation/0102042160c9a60b2b847378c0ef70b4
  FILTERING: Filter conditions available for use are: is, is not, contains, excludes, begin with, end with, less than, more than, image
  - The "image" filter is usable on any field. Same as "is" but can either match entire string, or only the text after last "\". Credit: @mattifestation
-->

<Sysmon schemaversion="4.90">
	<!--SYSMON META CONFIG-->
	<HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
	<CheckRevocation/> <!-- Check loaded drivers, log if their code-signing certificate has been revoked, in case malware stole one to sign a kernel driver -->
	
	<!-- <ImageLoad/> --> <!-- Would manually force-on ImageLoad monitoring, even without configuration below. Included only documentation. -->
	<!-- <ProcessAccessConfig/> --> <!-- Would manually force-on ProcessAccess monitoring, even without configuration below. Included only documentation. -->
	<!-- <PipeMonitoringConfig/> --> <!-- Would manually force-on PipeCreated / PipeConnected events, even without configuration below. Included only documentation. -->

	<EventFiltering>

		<!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
		<!--COMMENT:	All process launched will be included, except for what matches a rule below. It's best to be as specific as possible, to
			avoid user-mode executables imitating other process names to avoid logging, or if malware drops files in an existing directory.
			Ultimately, you must weigh CPU time checking many detailed rules, against the risk of malware exploiting the blindness created.
			Beware of Masquerading, where attackers imitate the names and paths of legitimate tools. Ideally, you'd use both file path and
			code signatures to validate, but Sysmon does not support that. Look into Windows Device Guard for whitelisting support. -->
		<!--DATA: UtcTime, ProcessGuid, ProcessID, Image, FileVersion, Description, Product, Company, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine-->
		<RuleGroup name="ProcessCreate Exclude" groupRelation="or">
		<ProcessCreate onmatch="exclude">
			<!--SECTION: Microsoft Windows-->
			<IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Microsoft:Windows: Don't care about sandboxed processes--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Windows\System32\usocoreworker.exe</Image>
			<Image condition="is">C:\Windows\System32\SpatialAudioLicenseSrv.exe</Image>
			<Image condition="is">c:\riot games\league of legends\leagueclient.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">c:\program files (x86)\microsoft visual studio\2019\community\common7\servicehub\hosts\servicehub.host.clr.x64\servicehub.datawarehousehost.exe</Image>
			<Image condition="is">C:\Windows\System32\UsoClient.exe</Image>
			<Image condition="is">c:\Windows\system32\sdclt.exe</Image>
			<Image condition="is">c:\Windows\system32\mmc.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Windows\System32\CompPkgSrv.exe</Image>
			<Image condition="is">c:\Windows\system32\sgrmbroker.exe</Image>
			<Image condition="is">C:\Windows\System32\WerFault.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\SDXHelper.exe</Image>
			<Image condition="end with">AppData\Roaming\Resilio Sync\Resilio Sync.exe</Image> <!--Resilio Sync-->
			<Image condition="is">C:\Windows\ImmersiveControlPanel\SystemSettings.exe</Image>
			<Image condition="begin with">C:\ProgramData\Microsoft\Windows Defender\Platform\</Image>
			<Image condition="begin with">C:\Program Files\Windows Defender</Image> <!--Microsoft:Windows:Defender in Win10-->
			<Image condition="is">c:\Windows\system32\conhost.exe</Image><!-- Child process of conhost not very good tell, parent of conhost is better for detection. But this is useful if you want to track who is using console per process-->
			<Image condition="is">C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe</Image> <!--Microsoft:Windows: Touch Keyboard and Handwriting Panel Helper-->
			<Image condition="is">C:\Windows\System32\SearchFilterHost.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Windows\System32\audiodg.exe</Image>
			<Image condition="is">C:\Windows\System32\wsqmcons.exe</Image>
			<Image condition="is">C:\Windows\System32\RuntimeBroker.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Notepad++\notepad++.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Windows\System32\SearchProtocolHost.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe</Image>
			<Image condition="is">C:\Program Files\Oracle\VirtualBox\VBoxNetDHCP.exe</Image>
			<Image condition="begin with">C:\Program Files (x86)\NVIDIA Corporation\Update Core\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="begin with">C:\Program Files (x86)\Fortinet\FortiClient\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="begin with">C:\Program Files\Fortinet\FortiClient\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="begin with">C:\Program Files\Fortinet\FortiClient\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Program Files (x86)\SWELF\SWELF.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image>
			<Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image> <!--Microsoft:Windows: Customer Experience Improvement-->
			<Image condition="is">C:\Windows\system32\audiodg.exe</Image> <!--Microsoft:Windows: Launched constantly-->
			<Image condition="is">C:\Windows\system32\musNotification.exe</Image> <!--Microsoft:Windows: Update pop-ups-->
			<Image condition="is">C:\Windows\system32\musNotificationUx.exe</Image> <!--Microsoft:Windows: Update pop-ups-->
			<Image condition="is">C:\Windows\system32\powercfg.exe</Image> <!--Microsoft:Power configuration management-->
			<Image condition="is">C:\Windows\system32\sndVol.exe</Image> <!--Microsoft:Windows: Volume control-->
			<Image condition="is">C:\Windows\system32\sppsvc.exe</Image> <!--Microsoft:Windows: Software Protection Service-->
			<Image condition="is">C:\Windows\system32\wbem\WmiApSrv.exe</Image> <!--Microsoft:Windows: WMI performance adapter host process-->
			<Image condition="is">C:\Windows\System32\plasrv.exe</Image> <!--Microsoft:Windows: Performance Logs and Alerts DCOM Server-->
			<Image condition="is"> C:\Windows\System32\wuauclt.exe</Image>
			<Image condition="is">C:\Windows\System32\MusNotifyIcon.exe</Image>
			<Image condition="is">C:\Windows\System32\appidcertstorecheck.exe</Image>
			<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font cache service-->			
			<Image condition="is">C:\Windows\system32\mobsync.exe</Image> <!--Microsoft:Windows: Network file syncing--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Windows\system32\SppExtComObj.Exe</Image> <!--Microsoft:Windows: KMS activation-->
			<Image condition="is">C:\Windows\system32\PrintIsolationHost.exe</Image> <!--Microsoft:Windows: Printing-->
			<Image condition="is">C:\Windows\system32\MpSigStub.exe</Image> <!--Microsoft:Windows: Microsoft Malware Protection Signature Update Stub-->
			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_</Image> <!--Microsoft:Defender: Signature updates-->
			<Image condition="is">C:\Windows\System32\dxgiadaptercache.exe</Image>	
			<Image condition="is">C:\Program Files\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE</Image> <!--Microsoft:Office: Licensing service-->
			<Image condition="is">C:\Program Files\Microsoft Office\Office16\msoia.exe</Image> <!--Microsoft:Office: Telemetry collector-->
			<Image condition="is">C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>			
			<Image condition="is">C:\Windows\System32\TokenBrokerCookies.exe</Image> <!--Microsoft:Windows: SSO sign-in assistant for MicrosoftOnline.com-->
			<Image condition="end with">\ngentask.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="end with">\ngen.exe</Image> <!--Microsoft:DotNet--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="end with">\mscorsvw.exe</Image> <!--Microsoft:DotNet--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="end with">\ngentask.exe</Image> <!--Microsoft:DotNet: Spawns thousands of ngen.exe processes--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<!--Microsoft:Visual Studio 2019-->
			<Image condition="is">c:\program files (x86)\microsoft visual studio\2019\community\team tools\static analysis tools\fxcop\fxcopcmd.exe</Image>
			<ParentImage condition="is">C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe</ParentImage>
			<Image condition="is">C:\Program Files (x86)\Microsoft Visual Studio\Shared\Common\DiagnosticsHub.Collection.Service\StandardCollector.Service.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\PrivateAssemblies\ScriptedSandbox64.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe</Image>
			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!--Microsoft:Office: Background process-->
			<Image condition="is">C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Roslyn\VBCSCompiler.exe</Image>
			<Image condition="is">C:\Windows\system32\svchost.exe</Image>
			<Image condition="is">c:\program files (x86)\notepad++\updater\gup.exe</Image>
			<Image condition="is">c:\Windows\system32\xblgamesavetask.exe</Image>
			<Image condition="is">c:\Windows\system32\provtool.exe</Image>
			<Image condition="is">c:\Windows\system32\surfaceservice.exe</Image>
			<Image condition="is">c:\program files (x86)\microsoft office\root\office16\sdxhelper.exe</Image>
			<Image condition="is">c:\program files (x86)\microsoft visual studio\2019\community\common7\servicehub\hosts\servicehub.host.clr.anycpu\servicehub.testWindowstorehost.exe</Image>
			<Image condition="is">c:\program files (x86)\microsoft visual studio\installer\resources\app\servicehub\services\microsoft.visualstudio.setup.service\backgrounddownload.exe</Image>
			<!-- Commandline excludes are weak at best -->
			<Image condition="is">C:\Windows\system32\SearchIndexer.exe</Image> <!--Microsoft:Windows: Search Indexer--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Windows\System32\smss.exe</Image> <!--Microsoft:Bootup: Windows Session Manager--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Windows\system32\autochk.exe </Image> <!--Microsoft:Bootup: Auto Check Utility--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Program Files\Mozilla Firefox\firefox.exe</Image>	
			<!--Microsoft:Office: -->
			<ParentImage condition="end with">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage> <!--Microsoft:Office: Background process-->
			<ParentImage condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</ParentImage> <!--Microsoft:Office: Background process-->
			<!--SECTION: Microsoft:Windows: Media player-->
			<Image condition="is">C:\Program Files\Windows Media Player\wmpnscfg.exe</Image> <!--Microsoft:Windows: Windows Media Player Network Sharing Service Configuration Application-->
			<!--SECTION: Google-->
			<Image condition="is">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image> <!--Google:Chrome: massive command-line arguments-->
			<Image condition="begin with">C:\Program Files (x86)\Google\Update\</Image> <!--Google:Chrome:Updater: You should experiment with this line since attackers sometimes hide in this folder-->
			<ParentImage condition="begin with">C:\Program Files (x86)\Google\Update\</ParentImage> <!--Google:Chrome:Updater: You should experiment with this line since attackers sometimes hide in this folder-->
			<!--SECTION: Firefox-->
			<Image condition="is">"C:\Program Files\Mozilla Firefox\plugin-container.exe</Image> <!-- Mozilla:Firefox: Large command-line arguments | Credit @Darkbat91 -->
			<Image condition="is">"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe</Image> <!-- Mozilla:Firefox: Large command-line arguments | Credit @Darkbat91 -->
			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe</ParentImage>
			<!--SECTION: Adobe:Acrobat DC-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
			<!--SECTION: Adobe:Acrobat 2015-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
			<!--SECTION: Adobe:Acrobat Reader DC-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
			<!--SECTION: Adobe:Flash-->
			<Image condition="end with">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> <!--Adobe:Flash: Properly hardened updater, not a risk-->
			<!--SECTION: Adobe:Updater-->
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</ParentImage> <!--Adobe:Updater: Properly hardened updater, not a risk-->
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
			<!--SECTION: Adobe:Supporting processes-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe</Image>
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe</Image>
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe</Image> <!--Adobe:Creative Cloud-->
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe</Image> <!--Adobe:License utility-->
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</Image> <!--Adobe:License utility-->
			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</ParentImage> <!--Adobe:License utility-->
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</Image>
			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</ParentImage>
			<Image condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</Image>
			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</ParentImage>
			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe</ParentImage>
			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe</ParentImage>
			<ParentCommandLine condition="contains">\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!--Microsoft:Windows:CommandShell: Triggered when programs use the command shell, but doesn't provide attribution for what caused it--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<ParentCommandLine condition="begin with">C:\Windows\system32\wermgr.exe -queuereporting</ParentCommandLine> <!--Microsoft:Windows:Windows error reporting/telemetry--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<!--SECTION: Cisco-->
			<ParentImage condition="end with">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe</ParentImage> <!--Cisco: Calls netsh to change settings on connect-->
			<ParentImage condition="end with">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe</ParentImage> <!--Realtek:Driver: routine actions-->
			<!--SECTION: Dropbox-->
			<Image condition="is">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</Image> <!--Dropbox:Updater: Lots of command-line arguments-->
			<ParentImage condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage>
			<!--SECTION: Dell-->
			<ParentImage condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> <!--Dell:CommandUpdate: Detection process-->
			<ParentImage condition="end with">C:\Program Files\DellTPad\HidMonitorSvc.exe</ParentImage>
			<Image condition="is">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image> <!--Dell:SupportAssist: routine actions-->
			<Image condition="is">C:\Program Files\Dell\SupportAssist\koala.exe</Image> <!--Dell:SupportAssist: routine actions-->
			<CurrentDirectory condition="is">C:\Program Files (x86)\ossec-agent\</CurrentDirectory><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<ParentCommandLine condition="end with">"-outc=C:\ProgramData\Dell\CommandUpdate\inventory.xml" "-logc=C:\ProgramData\Dell\CommandUpdate\scanerrs.xml" "-lang=en" "-enc=UTF-16" </ParentCommandLine><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<!--Nosie EXEs-->
			<Rule groupRelation="and">
			<Image condition="is">C:\Windows\System32\MoUsoCoreWorker.exe</Image>
			<CommandLine condition="begin with">C:\Windows\System32\mousocoreworker.exe -Embedding</CommandLine>
			</Rule>
			<Rule groupRelation="and">
			<Image condition="is">C:\Windows\System32\smartscreen.exe</Image>
			<CommandLine condition="begin with">C:\Windows\System32\smartscreen.exe -Embedding</CommandLine>
			</Rule>
			<Rule groupRelation="and"><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Windows\system32\DllHost.exe</Image>
			<CommandLine condition="begin with"> "C:\WINDOWS\SysWOW64\DllHost.exe" /Processid:</CommandLine>
			</Rule>
			<Rule groupRelation="and"><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Windows\SysWOW64\dllhost.exe</Image>
			<CommandLine condition="begin with">"C:\WINDOWS\SysWOW64\DllHost.exe" /Processid:</CommandLine>
			</Rule>
			<Rule groupRelation="and"><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Windows\System32\dmclient.exe</Image>
			<CommandLine condition="begin with">C:\Windows\System32\dmclient.exe</CommandLine>
			</Rule>
			<Rule groupRelation="and">
			<Image condition="is">C:\Windows\system32\wermgr.exe</Image>
			<CommandLine condition="contains">-p</CommandLine>
			</Rule>
			<Rule groupRelation="and">
			<Image condition="is">C:\Windows\system32\wermgr.exe</Image>
			<CommandLine condition="contains">shared Global</CommandLine>
			</Rule>
			<Rule groupRelation="and">
			<Image condition="is">C:\Windows\system32\rundll32.exe</Image>
			<CommandLine condition="is">C:\Windows\system32\rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup</CommandLine>
			</Rule>		
			<Rule groupRelation="and">
			<Image condition="is">c:\Windows\system32\taskhostw.exe</Image>
			<ParentImage condition="is">c:\Windows\system32\svchost.exe</ParentImage>
			</Rule>	
			<Rule groupRelation="and">
			<Image condition="is">C:\Windows\System32\smartscreen.exe</Image>
			<ParentImage condition="is">C:\Windows\System32\svchost.exe</ParentImage>
			</Rule>	
			<Rule groupRelation="and">
			<Image condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</Image>
			<ParentImage condition="is">C:\Windows\System32\svchost.exe</ParentImage>
			<CommandLine condition="is">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</CommandLine>
			<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k DcomLaunch -p</ParentCommandLine>
			<User condition="is">NT AUTHORITY\NETWORK SERVICE</User>
			</Rule>	
			<Rule groupRelation="and">
			<Image condition="is">C:\Windows\System32\wermgr.exe</Image>
			<ParentImage condition="is">C:\Windows\System32\svchost.exee</ParentImage>
			<CommandLine condition="is">C:\Windows\system32\wermgr.exe -upload</CommandLine>
			<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule</ParentCommandLine>
			</Rule>
			
			<Rule groupRelation="and">
			<Image condition="is">c:\Windows\system32\logonui.exe</Image>
			<ParentImage condition="is">c:\Windows\system32\winlogon.exe</ParentImage>
			</Rule>
			
			<Rule groupRelation="and">
			<Image condition="is">C:\Windows\System32\ctfmon.exe</Image>
			<ParentImage condition="is">C:\Windows\System32\svchost.exe</ParentImage>
			<ParentCommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TabletInputService</ParentCommandLine>
			</Rule>
			
			<Rule groupRelation="and">
			<Image condition="is">c:\Windows\syswow64\cmd.exe</Image>
			<ParentImage condition="is">c:\program files (x86)\microsoft visual studio\2019\community\common7\ide\devenv.exe</ParentImage>
			</Rule>
			
			<!--SECTION: Adobe-->
			<Rule groupRelation="and">
			<Image condition="begin with">C:\Program Files (x86)\Adobe\</Image>
			<CommandLine condition="contains">AcroRd32.exe" /CR </CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
			</Rule>
			
			<Rule groupRelation="and">
			<Image condition="begin with">C:\Program Files (x86)\Adobe\</Image>
			<CommandLine condition="contains">AcroRd32.exe" --channel=</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
			</Rule>
			
			<Rule groupRelation="and">
			<Image condition="is">C:\Program Files\DellTPad\ApMsgFwd.exe</Image>
			<CommandLine condition="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{</CommandLine>
			</Rule>
			
			<Rule groupRelation="and">
			<Image condition="is">C:\Program Files\DellTPad\ApMsgFwd.exe</Image>
			<CommandLine condition="is">C:\Windows\system32\igfxsrvc.exe -Embedding</CommandLine>
			</Rule>
		</ProcessCreate>
		</RuleGroup>
		
		<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
		<!--COMMENT:	[ https://attack.mitre.org/wiki/Technique/T1099 ] -->
		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime-->
		<RuleGroup name="FileCreateTime Include" groupRelation="or">
		<FileCreateTime onmatch="include">		 		
			<Image name="FileCreateTime (TimeStomped) changed from file in Windows Temp" condition="begin with">C:\Windows\Temp</Image>
			<Image name="FileCreateTime (TimeStomped) changed from file in ProgramData" condition="begin with">C:\Program Data</Image>
			<Image name="FileCreateTime (TimeStomped) changed from file in RecycleBin" condition="begin with">C:\$Recycle.Bin</Image>
			<Image name="FileCreateTime (TimeStomped) changed from file in ProgramData" condition="begin with">C:\Program Files</Image>
			<Image name="FileCreateTime (TimeStomped) changed from file in Users Folder" condition="begin with">C:\Users</Image> <!--Look for timestomping in user area-->
			<TargetFilename name="FileCreateTime (TimeStomped) changed a file located in RecycleBin" condition="begin with">C:\$Recycle.Bin</TargetFilename>
			<TargetFilename name="persistence - office templates trusted location" condition="contains" >AppData\Roaming\Microsoft\Templates</TargetFilename>
			<TargetFilename name="KeeFarce.exe default injected DLL name-" condition="end with">BootStrapDLL.dll</TargetFilename><!-- KeeFarce.exe default injected DLL name-->
			<TargetFilename name="persistence - backdoored default docm template" condition="end with" >Templates\Normal.dotm</TargetFilename>
			<TargetFilename name="persistence - backdoored outlook template" condition="end with" >NormalEmail.dotm</TargetFilename>
			<TargetFilename name="persistence - backdoored excel default macro template" condition="end with" >XLSTART\PERSONAL.XLSB</TargetFilename>
			<TargetFilename name="persistence - Word Library Add-Ins" condition="contains" >Roaming\Microsoft\Word\Startup\</TargetFilename>
			<TargetFilename name="persistence - Excel VBA Add-Ins" condition="contains" >Roaming\Microsoft\Excel\XLSTART\</TargetFilename>
			<TargetFilename name="persistence - Powerpoint and Excel VBA Add-Ins Trusted Location" condition="contains" >Roaming\Microsoft\AddIns</TargetFilename>
			<TargetFilename name="FileCreateTime (TimeStomped) changed a file located in Appdata" condition="contains">\AppData\</TargetFilename>
			<TargetFilename name="FileCreateTime (TimeStomped) changed a file located in Users folder" condition="begin with">C:\Users\</TargetFilename>
			<TargetFilename name="FileCreateTime (TimeStomped) changed a file located in Windows folder" condition="begin with">C:\Windows\</TargetFilename>
			<TargetFilename name="Possible Memory dump file" condition="end with">.dmp</TargetFilename>
			<TargetFilename name="Very likely LSASS Memory dump file" condition="contains">lsass</TargetFilename>
			<TargetFilename name="Confirmed LSASS Memory dump file" condition="contains">lsass.dmp</TargetFilename>
			<TargetFilename name="Possible Kerbroasting" condition="end with">.ccache</TargetFilename>
			<TargetFilename name="Possible Kerbroasting" condition="end with">.kirbi</TargetFilename>
			<TargetFilename name="possible wmi persistence" condition="end with">.mof</TargetFilename> <!-- wmi persistence -->
			<TargetFilename name="XML Script file extension" condition="end with">.xsl</TargetFilename> <!-- XML Script -->
			<TargetFilename name="Schedule task creation" condition="begin with">C:\Windows\Tasks\</TargetFilename>
			<TargetFilename name="Schedule task creation" condition="begin with">c:\Windows\system32\tasks\</TargetFilename>
			<TargetFilename name="Web server dir file added" condition="contains">Exchange Server\ClientAccess\Owa\</TargetFilename> <!-- webshell stuff on exchange CAS -->
			<TargetFilename name="Web server dir file added" condition="contains">\inetpub\wwwroot\</TargetFilename><!-- webshell stuff -->			
			<TargetFilename condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename>
			<TargetFilename condition="begin with">c:\Windows\AppPatch64\Custom</TargetFilename>			
			<TargetFilename name="Persistence - Outlook VBA Backdoor" condition="end with" >VBAProject.OTM</TargetFilename> <!-- office less famous extensions -->
			<TargetFilename name="UAC Bypass via rogue manifest" condition="end with">wscript.exe</TargetFilename><!-- UAC Bypass via rogue manifest -->
			<TargetFilename name="Possible  persist or hijack exec flow via appcompat shim database" condition="end with">.sdb</TargetFilename> <!-- persist or hijack exec flow via appcompat shim database -->
			<TargetFilename name="UAC Bypass via custom manifest targeting vulnerable trusted programs" condition="end with">.manifest</TargetFilename> <!-- UAC Bypass via custom manifest targeting vulnerable trusted programs -->
			<TargetFilename name="by default bloodhound drops this file to disk if not disabled by cmdline " condition="end with">bloodhound.bin</TargetFilename> <!-- by default bloodhound drops this file to disk if not disabled by cmdline -->
			<TargetFilename name="Persistence - Outlook VBA Backdoor" condition="end with" >VBAProject.OTM</TargetFilename> <!-- office less famous extensions -->
			<TargetFilename name="UAC Bypass via rogue manifest" condition="end with">wscript.exe</TargetFilename><!-- UAC Bypass via rogue manifest -->
			<TargetFilename name="Possible  persist or hijack exec flow via appcompat shim database" condition="end with">.sdb</TargetFilename> <!-- persist or hijack exec flow via appcompat shim database -->
			<TargetFilename name="UAC Bypass via custom manifest targeting vulnerable trusted programs" condition="end with">.manifest</TargetFilename> <!-- UAC Bypass via custom manifest targeting vulnerable trusted programs -->
			<TargetFilename name="by default bloodhound drops this file to disk if not disabled by cmdline " condition="end with">bloodhound.bin</TargetFilename> <!-- by default bloodhound drops this file to disk if not disabled by cmdline -->
			<TargetFilename name="Minidump default file name" condition="contains">minidump</TargetFilename> <!-- by default this is file name for mimikatz and other tools for lsass dump -->
		</FileCreateTime>
		</RuleGroup>
		
		<RuleGroup name="FileCreateTime Exclude" groupRelation="or">
		<FileCreateTime onmatch="exclude">
			<Image condition="end with">\XboxAppServices.exe</Image>
			<TargetFilename condition="end with">\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db</TargetFilename>
			<Image condition="is">C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Notepad++\notepad++.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Mozilla Firefox\firefox.exe</Image>
			<Image condition="is">C:\program files (x86)\adobe\acrobat reader dc\reader\acrocef\rdrservicesupdater.exe</Image>
			<Image condition="end with">\OneDrive.exe</Image> <!--OneDrive constantly changes file times--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Windows\system32\backgroundTaskHost.exe</Image>
			<Image condition="contains">setup</Image> <!--Ignore setups--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="contains">install</Image> <!--Ignore setups--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="contains">\Update\</Image> <!--Ignore setups--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="end with">\redist.exe</Image> <!--Ignore setups--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">TrustedInstaller.exe</Image> <!--Ignore setups--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="end with">\notepad++.exe</Image> <!--Ignore setups--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="end with">\SWELF.exe</Image> <!--Ignore setups--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="begin with">C:\Windows\winsxs\amd64_microsoft-Windows</Image> <!-- Windows: Windows update-->
			<Image condition="is">C:\Windows\system32\igfxCUIService.exe</Image>
			<TargetFilename condition="begin with">C:\$Windows.~BT\Sources\</TargetFilename> <!-- Windows: Feature updates containing lots of .exe and .sys-->
			<TargetFilename condition="end with">.temp</TargetFilename><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<TargetFilename condition="end with">.tmp</TargetFilename><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<TargetFilename condition="begin with">C:\Windows\SoftwareDistribution\Download\</TargetFilename>
		</FileCreateTime>
		</RuleGroup>
		
		<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED [NetworkConnect]-->
		<!--COMMENT:	By default this configuration takes a very conservative approach to network logging, limited to only extremely high-signal events.-->
		<!--COMMENT:	[ https://attack.mitre.org/wiki/Command_and_Control ] [ https://attack.mitre.org/wiki/Exfiltration ] [ https://attack.mitre.org/wiki/Lateral_Movement ] -->
		<!--TECHNICAL:	For the DestinationHostname, Sysmon uses the GetNameInfo API, which will often not have any information, and may just be a CDN. This is NOT reliable for filtering.-->
		<!--TECHNICAL:	For the DestinationPortName, Sysmon uses the GetNameInfo API for the friendly name of ports you see in logs.-->
		<!--TECHNICAL:	These exe do not initiate their connections, and thus includes do not work in this section: BITSADMIN NLTEST-->
	
		<!-- https://www.first.org/resources/papers/conf2017/APT-Log-Analysis-Tracking-Attack-Tools-by-Audit-Policy-and-Sysmon.pdf -->
		<!--<NetworkConnect onmatch="include">
		</NetworkConnect>-->	
		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpV6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName-->
		<RuleGroup name="NetworkConnect exclude" groupRelation="or">
		<NetworkConnect onmatch="exclude">
			<!--<Image condition="contains">C:\Windows\System32\svchost.exe</Image>-->
			<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows.Search</Image>
			<Image condition="begin with">c:\riot games\riot client\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="begin with">c:\program files\Windowsapps\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="begin with">c:\riot games\league of legends\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="begin with">c:\program files (x86)\steam\steam.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\program files\nvidia corporation\nvcontainer\nvcontainer.exe</Image>
			<Image condition="is">C:\program files (x86)\steam\bin\cef\cef.win7x64\steamwebhelper.exe</Image>
			<Image condition="end with">\g2ax_comm_expert.exe</Image> <!--GoToMeeting-->
			<Image condition="end with">\g2mcomm.exe</Image> <!--GoToMeeting-->
			<Image condition="end with">\SWELF.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="end with">\chrome.exe</Image><!--Browser--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="end with">\firefox.exe</Image><!--Browser--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="end with">\iexplore.exe</Image><!--Browser--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="end with">MicrosoftEdge.exe</Image><!--Browser--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Windows\System32\dns.exe</Image><!-- noisy for dns -->
			<Image condition="begin with">c:\program files\oracle\virtualbox\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">c:\program files (x86)\microsoft office\root\office16\sdxhelper.exe</Image>
			<Image condition="is">c:\Windows\system32\usocoreworker.exe</Image>
			<Image condition="is">c:\Windows\system32\dxgiadaptercache.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe</Image>
			<Image condition="is">C:\Windows\System32\smartscreen.exe</Image><!-- noisy -->
			<Image condition="is">C:\Windows\System32\svchost.exe</Image><!-- noisy for dns and ldap -->
			<Image condition="is">C:\Windows\System32\lsass.exe</Image><!-- noisy for ldap -->
			<Image condition="is">C:\Windows\System32\dfsrs.exe</Image><!-- noisy for ldap -->
			<Image condition="is">C:\Windows\System32\taskhost.exe</Image><!-- noisy for ldap -->
			<Image condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</Image><!-- noisy for ldap -->
			<Image condition="is">C:\Windows\System32\wbem\WmiApSrv.exe</Image><!-- noisy for ldap -->
			<Image condition="is">C:\Windows\System32\taskhostw.exe</Image><!-- noisy for ldap -->
			<Image condition="is">C:\Windows\CCM\CcmExec.exe</Image>
			<Image condition="is">C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe</Image><!-- noisy-->
			<Image condition="is">C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\ServiceHub\Hosts\ServiceHub.Host.CLR.x86\ServiceHub.SettingsHost.exe</Image><!-- noisy-->
			<Image condition="is">C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe</Image><!-- noisy for ldap -->
		    	<Image condition="is">C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe</Image><!-- noisy for ldap -->
			<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image><!-- noisy for 5353 MDNS -->
			<Image condition="is">C:\Windows\System32\dfssvc.exe</Image><!-- noisy for ldap -->
			<Image condition="is">C:\Windows\System32\dsregcmd.exe</Image><!-- noisy for ldap -->
			<Image condition="is">C:\Windows\System32\certsrv.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Trend Micro\Control Manager\ReportServer.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Citrix\XenCenter\XenCenterMain.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe</Image>
			<Image condition="is">C:\Program Files (x86)\BigFix Enterprise\BES Server\BESRootServer.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Trend Micro\Control Manager\CmdProcessor.exe</Image>
			<Image condition="is">D:\Program Files (x86)\Symantec\LiveUpdate Administrator\pgsql\bin\postgres.exe</Image>
			<Image condition="begin with">C:\Program Files\Fortinet\FortiClient\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Program Files (x86)\ossec-agent\ossec-agent.exe</Image>			
			<Image condition="begin with">C:\ProgramData\Microsoft\Windows Defender\Platform\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="begin with">C:\Program Files (x86)\Fortinet\FortiClient\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="begin with">C:\Program Files\Fortinet\FortiClient\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="begin with">C:\Program Files (x86)\OpenDNS Updater\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="end with">AppData\Local\Microsoft\Teams\current\Teams.exe</Image> <!--Microsoft: Teams--><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="begin with">C:\Program Files\HP Inc\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="begin with">C:\Program Files (x86)\Trend Micro\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="begin with">C:\Program Files\Trend Micro\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="begin with">C:\Program Files (x86)\Microsoft Visual Studio\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="begin with">C:\Program Files\Microsoft Office\root\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="begin with">C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">c:\riot games\league of legends\leagueclient.exe</Image>
			<Image condition="is">c:\Windows\system32\svchost.exe</Image>
			<Image condition="is">c:\program files (x86)\steam\steam.exe</Image>
			<Image condition="is">c:\riot games\riot client\riotclientservices.exe</Image>
			<Image condition="is">c:\riot games\league of legends\game\league of legends.exe</Image>
			<Image condition="is">c:\Windows\sysmon.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">c:\program files\Windowsapps\microsoft.xboxgamingoverlay_3.38.25003.0_x64__8wekyb3d8bbwe\gamebar.exe</Image>
			<Image condition="is">c:\Windows\system32\gamebarpresencewriter.exe</Image>
			<DestinationHostname condition="end with">microsoft.com</DestinationHostname> <!--Microsoft:Update delivery-->
			<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname> <!--Microsoft:Update delivery-->
			<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname> <!--Microsoft:Update delivery-->
			<DestinationHostname condition="end with">a-0003.a-msedge.net</DestinationHostname> 
			<DestinationPort condition="is">137</DestinationPort>
			<DestinationPort condition="is">138</DestinationPort>
		</NetworkConnect>
		</RuleGroup>
		
		<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES-->
		<!--DATA: UtcTime, State, Version, SchemaVersion-->
		<!--Cannot be filtered.-->
		
		<!--SYSMON EVENT ID 5 : PROCESS ENDED [ProcessTerminate]-->
		<!--COMMENT:	Useful data in building infection timelines.-->
		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image-->
		<RuleGroup name="ProcessTerminate exclude" groupRelation="or">
		<ProcessTerminate onmatch="exclude">
			<Image condition="is">C:\Windows\System32\SearchProtocolHost.exe</Image>
			<Image condition="is">C:\Windows\System32\smartscreen.exe</Image>
			<Image condition="end with">AppData\Local\Programs\Microsoft VS Code\Code.exe</Image>
			<Image condition="begin with">C:\Program Files (x86)\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="begin with">C:\Program Files\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Windows\System32\conhost.exe</Image>
			<Image condition="is">C:\Windows\System32\dllhost.exe</Image>
			<Image condition="is">C:\Windows\System32\svchost.exe</Image>
			<Image condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</Image>
			<Image condition="is">C:\Windows\SysWOW64\wbem\WMIC.exe</Image>
			<Image condition="is">C:\Windows\system32\RuntimeBroker.exe</Image>
			<Image condition="is">C:\Windows\system32\backgroundtaskhost.exe</Image>
			<Image condition="is">C:\Windows\System32\SearchFilterHost.exe</Image>
			<Image condition="is">C:\Windows\System32\UsoClient.exe</Image>
			<Image condition="end with">\SWELF.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">c:\Windows\syswow64\cmd.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Windows\System32\ctfmon.exe</Image>
			<Image condition="is">C:\Windows\System32\SpatialAudioLicenseSrv.exe</Image>
			<Image condition="is">C:\Windows\System32\MoUsoCoreWorker.exe</Image>
			<Image condition="begin with">AppData\Local\Microsoft\Teams\current\Teams.exe</Image>
		</ProcessTerminate>
		</RuleGroup>
		
		<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
		<!--COMMENT:	Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
			about what you exclude from monitoring. Low event volume, little incentive to exclude.
			[ https://attack.mitre.org/wiki/Technique/T1014 ] -->
		<!--TECHNICAL:	Sysmon will check the signing certificate revocation status of any driver you don't exclude.-->
		<!--DATA: UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
		<RuleGroup name="DriverLoad exclude" groupRelation="or">
		<DriverLoad onmatch="exclude">
			<Rule groupRelation="and">
			<Signature condition="begin with">Fortinet Technologies (Canada) Inc.</Signature>
			<SignatureStatus condition="is">Valid</SignatureStatus>
			</Rule>
			<!--Exclude signed Microsoft drivers-->
			<Rule groupRelation="and">
			<Signature condition="contains">Microsoft</Signature>
			<SignatureStatus condition="is">Valid</SignatureStatus>
			</Rule>
			<Rule groupRelation="and">
			<Signature condition="contains">Windows</Signature>
			<SignatureStatus condition="is">Valid</SignatureStatus>
			</Rule>
			<!--Exclude signed Inter drivers-->
			<Rule groupRelation="and">
			<Signature condition="begin with">Intel </Signature>
			<SignatureStatus condition="is">Valid</SignatureStatus>
			</Rule>
			<!--Exclude signed VMware drivers-->
			<Rule groupRelation="and">
			<Signature condition="begin with">VMware</Signature>
			<SignatureStatus condition="is">Valid</SignatureStatus>
			</Rule>
		</DriverLoad>
		</RuleGroup>
		
		<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS [ImageLoad]-->
		<!--COMMENT:	Can cause high system load, disabled by default.-->
		<!--COMMENT:	[ https://attack.mitre.org/wiki/Technique/T1073 ] [ https://attack.mitre.org/wiki/Technique/T1038 ] [ https://attack.mitre.org/wiki/Technique/T1034 ] -->
		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
		<!--NOTE: There is possibly a huge gap here for LOLbin's. Please add as you find them to the repo-->
		<RuleGroup name="ImageLoad include" groupRelation="or">
		<ImageLoad onmatch="include">
			<Image condition="end with">mshta.exe</Image>
			<Image condition="end with">Dism.exe</Image>  
		    <Image name="MitreRef=T1128,Technique=Netsh Helper Beacon DLL,Tactic=Persistence, also it manages Windows firewall." condition="end with">netsh.exe</Image>
		    <ImageLoaded name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="end with">wmiutils.dll</ImageLoaded>
			<ImageLoaded condition="end with" name="comsvcs dll load- Look for Possible minidump or com bypass">comsvcs.dll</ImageLoaded><!-- This DLL is known to be able to minidump lsass using minidump arg -->
		    <ImageLoaded condition="begin with" name="Execution - Image Loaded from suspicious path">\\</ImageLoaded><!-- loaded from network file share -->
		    <ImageLoaded condition="contains" name="Execution - Image Loaded from suspicious path">admin$</ImageLoaded><!-- loaded from network file share -->
		    <ImageLoaded condition="contains" name="Execution - Image Loaded from suspicious path">c$</ImageLoaded><!-- loaded from network file share -->
		    <ImageLoaded condition="contains" name="Execution - Image Loaded from suspicious path">\appdata\</ImageLoaded>
		    <ImageLoaded condition="contains" name="Execution - Image Loaded from suspicious path">\temp\</ImageLoaded>
			<ImageLoaded condition="contains" name="Execution - Image Loaded from suspicious path">\Notpad++\plugins</ImageLoaded>
			<ImageLoaded condition="begin with" name="Execution - Image Loaded from suspicious path">c:\Program Files\Microsoft SQL Server\130\Shared\ErrorDumps</ImageLoaded>
			<ImageLoaded condition="begin with" name="Execution - Image Loaded from suspicious path">c:\Program Files\ViPER4Windows\DriverComm</ImageLoaded>
			<ImageLoaded condition="begin with" name="Execution - Image Loaded from suspicious path">c:\Program Files (x86)\Common Files\Adobe\SLCache</ImageLoaded>
			<ImageLoaded condition="begin with" name="Execution - Image Loaded from suspicious path">C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - Unusual Module Extension">.png</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - Unusual Module Extension">.jpg</ImageLoaded>
            <ImageLoaded condition="end with" name="Defense Evasion - Unusual Module Extension">.cpl</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - Unusual Module Extension">.dat</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - Unusual Module Extension">.tmp</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - Unusual Module Extension">.inf</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - Unusual Module Extension">.ini</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - Unusual Module Extension">.log</ImageLoaded>
		    <ImageLoaded condition="end with" name="Persistence - Winword Library Addin Loaded">.wll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Persistence - Excel Library Addin Loaded">.xll</ImageLoaded>
			<ImageLoaded condition="end with" name="Persistence - Office Library Addin Loaded">.pll</ImageLoaded>
			<ImageLoaded condition="end with" name="Abnormal dll load with odd extension">.log</ImageLoaded>
		    <ImageLoaded condition="begin with" name="Execution - Image Loaded from suspicious path">c:\programdata\</ImageLoaded>
		    <ImageLoaded condition="begin with" name="Execution - Image Loaded from suspicious path">C:\Windows\Media\</ImageLoaded>
		    <ImageLoaded condition="begin with" name="Execution - Image Loaded from suspicious path">C:\Windows\addins\</ImageLoaded>
		    <ImageLoaded condition="begin with" name="Execution - Image Loaded from suspicious path">C:\Windows\system32\config\systemprofile\</ImageLoaded>
		    <ImageLoaded condition="begin with" name="Execution - Image Loaded from suspicious path">C:\Windows\Debug\</ImageLoaded> 
		    <ImageLoaded condition="begin with" name="Execution - Image Loaded from suspicious path">C:\Windows\Temp</ImageLoaded>
		    <ImageLoaded condition="begin with" name="Execution - Image Loaded from suspicious path">C:\PerfLogs\</ImageLoaded>
	        <ImageLoaded condition="begin with" name="Execution - Image Loaded from suspicious path">C:\Windows\Help\</ImageLoaded>
		    <ImageLoaded condition="begin with" name="Execution - Image Loaded from suspicious path">C:\Intel\Logs\</ImageLoaded>
		    <ImageLoaded condition="begin with" name="Execution - Image Loaded from suspicious path">C:\Temp</ImageLoaded>
		    <ImageLoaded condition="begin with" name="Execution - Image Loaded from suspicious path">C:\Windows\repair\</ImageLoaded>
		    <ImageLoaded condition="begin with" name="Execution - Image Loaded from suspicious path">C:\Windows\security\</ImageLoaded>
		    <ImageLoaded condition="begin with" name="Execution - Image Loaded from suspicious path">C:\Windows\Fonts\</ImageLoaded>
		    <ImageLoaded condition="begin with" name="Execution - Image Loaded from suspicious path">file:</ImageLoaded>
		    <ImageLoaded condition="contains" name="Execution - Image Loaded from suspicious path">$Recycle.bin\</ImageLoaded>
		    <ImageLoaded condition="contains" name="Execution - Image Loaded from suspicious path">\Windows\IME\</ImageLoaded>	
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">wwlib.dll</ImageLoaded> <!-- winword.exe -->
            <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">sxsoa.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">BIB.dll</ImageLoaded> <!-- Adobe A3DUtility.exe -->
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">goopdate.dll</ImageLoaded> <!-- vuln GoogleUpdate.exe version-->
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">msfte.dll</ImageLoaded> <!-- searchindexer.exe and searchprotocolhost.exe -->
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">Flash Video Extension.dll</ImageLoaded> <!-- Adobe AcroTranscoder.exe -->
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">UxTheme.dll</ImageLoaded> <!-- Adobe FlashPlayerApp.exe -->
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">WeChatWin.dll</ImageLoaded> <!-- WeChat.exe -->
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">coccocpdate.dll</ImageLoaded> <!-- CocCocUpdate.exe -->
			<ImageLoaded condition="end with" name="Keefarce attack tool dll load">BootStrapDLL.dll</ImageLoaded> 
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">chrome_elf.dll</ImageLoaded> <!-- 360se.exe -->
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading, possible minidump of lsass">dbghelp.dll</ImageLoaded> <!-- 360 SoftManager.exe -->
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">FaultRep.dll</ImageLoaded> <!-- FontsSet.exe -->
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">McVsoCfg.dll</ImageLoaded>
			<ImageLoaded condition="end with" name="Defense Evasion - RDP DLL's used for lateral movement.">MSTSCLib.dll</ImageLoaded>
			<ImageLoaded condition="end with" name="Defense Evasion - RDP DLL's used for lateral movement.">AxMSTSCLib.dll</ImageLoaded>
            <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">ActCtx.dll</ImageLoaded>
			<ImageLoaded condition="end with" name="Defense Evasion - Teams DLL HIJACK">WINSTA.dll</ImageLoaded>
			<!--TEAMS DLL Hijack rules -->
			<ImageLoaded condition="end with" name="Defense Evasion - Teams DLL HIJACK Teams">\AppData\Local\Microsoft\Teams\current\WINSTA.dll</ImageLoaded>
			<ImageLoaded condition="end with" name="Defense Evasion - Teams DLL HIJACK">\AppData\Local\Microsoft\Teams\current\ntshrui.dll</ImageLoaded>
			<ImageLoaded condition="end with" name="Defense Evasion - Teams DLL HIJACK">\AppData\Local\Microsoft\Teams\current\ntshrui.dll</ImageLoaded>
			<ImageLoaded condition="end with" name="Defense Evasion - Teams DLL HIJACK">\AppData\Local\Microsoft\Teams\current\cscapi.dll</ImageLoaded>
			<ImageLoaded condition="end with" name="Defense Evasion - Teams DLL HIJACK">\AppData\Local\Microsoft\Teams\current\WindowsCodecs.dll</ImageLoaded>
			<ImageLoaded condition="end with" name="Defense Evasion - Teams DLL HIJACK">\AppData\Local\Microsoft\Teams\current\TextInputFramework.dll</ImageLoaded>
            <!--BOO DLL rules -->
			<ImageLoaded condition="end with" name="Defense Evasion - DLL Boo Lang">Boo.Lang.Compiler.dll</ImageLoaded>
            <ImageLoaded condition="end with" name="Defense Evasion - DLL Boo Lang">Boo.Lang.dll</ImageLoaded>
			<ImageLoaded condition="end with" name="Defense Evasion - DLL Boo Lang">Boo.Lang.Parser.dll</ImageLoaded>

            <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">CLRJIT.DLL</ImageLoaded>
			<ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading - dcdiag.exe">msftedit.DLL</ImageLoaded>
			<ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">dwmapi.DLL</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">product_info.dll</ImageLoaded> <!-- Kasper avpla.exe -->
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">wsc.dll</ImageLoaded> <!-- Avast wsc_proxy.exe -->
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">winspool.drv</ImageLoaded><!-- loaded by avz.exe free AV https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/ -->
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">WptsExtensions.dll</ImageLoaded> <!-- https://remoteawesomethoughts.blogspot.com/2019/05/Windows-10-task-schedulerservice.html -->
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">NvSmartMax.dll</ImageLoaded> <!--https://quequero.org/2013/09/quick-analysissome-observation-about-a-low-detection-flash_update-exe/ -->
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">Duser.dll</ImageLoaded> <!-- https://app.any.run/tasks/3fcfd265-ef80-4749-a24b-39364a079802 loaded by credwiz.exe -->
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">AShldRes.DLL</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">CommFunc.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">chrome_frame_helper.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">DESqmWrapper.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">fslapi.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Hijack">vulkan-1.dll</ImageLoaded>
			<!--DLL PROC DUMP rules -->
			<ImageLoaded condition="end with" name="Debugging DLL Loaded">dbgeng.dll</ImageLoaded>
			<ImageLoaded condition="end with" name="Debugging DLL Loaded">dbghelp.dll</ImageLoaded>
            <ImageLoaded condition="end with" name="Debuging DLL Loaded">dbgcore.dll</ImageLoaded>
			<!--Loading c#/.Net rule -->
		    <ImageLoaded condition="end with" name="Possible Defense Evasion - .Net Code loaded">clr.dll</ImageLoaded><!-- This is a dll loaded often by both good ware and .Net malware. Its required for .Net --><!-- https://www.youtube.com/watch?v=FuxpMXTgV9s&feature=emb_logo-->
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">FSPMAPI.dll</ImageLoaded>
			<ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading service IKEET">wlbsctrl.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">Sidebar.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">hha.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">hccutils.dll</ImageLoaded>
			<ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">NtUserEx.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">McUtil.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">MpSvc.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">mPclient.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">NvSmartMax.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">OInfo11.ocx</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">ACLUI.DLL</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">iviewers.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">NtUserEx.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">RasTls.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">rc.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">ssMUIDLL.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">winmm.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">msi.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">Ushata.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">libvlc.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">AhnI2.dll</ImageLoaded>
		    <ImageLoaded condition="contains" name="Possible MSBUILD Payload">Microsoft.Build.Tasks</ImageLoaded>
		    <ImageLoaded condition="contains" name="Possible MSBUILD Payload">Microsoft.Build.Framework</ImageLoaded>
		    <ImageLoaded condition="contains" name="Possible MSBUILD Payload">Microsoft.Build.Utilities</ImageLoaded>
		    <ImageLoaded condition="contains" name=".Net Lib InstallAssembly to register the dll as a COM+ obj">System.EnterpriseServices.RegistrationHelper</ImageLoaded>
		    <ImageLoaded condition="end with" name="Evasion - Possible DLL Side Loading via jjs.exe">jli.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Evasion - Possible DLL Side Loading via jjs.exe">tapi32.dll</ImageLoaded>
		    <ImageLoaded condition="is" name="Suspicious image load - ntoskrnl.exe. Possible Exploit">C:\Windows\System32\ntoskrnl.exe</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">sspisrv.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">ftllib.dll</ImageLoaded>
		    <ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading">userenv.dll</ImageLoaded>
		    <ImageLoaded condition="contains" name="DLL loaded from suspicious location (\Temp\)">\Temp\</ImageLoaded>
			<ImageLoaded condition="begin with" name="DLL loaded from suspicious location (C:\Users\)">C:\Users</ImageLoaded>
			<ImageLoaded condition="contains" name="Powershell DLL loaded, Possible Powershell use without Powershell.exe" >system.management.automation</ImageLoaded> 
			<ImageLoaded condition="contains" name="PLoad of .Net Reflection DLL. Could be used for injection.">System.Runtime.InteropServices.</ImageLoaded>
			<ImageLoaded condition="contains" name="Attempts to ID by name the DLL that deals with Certificate and Cryptographic Messaging functions" >Crypt</ImageLoaded> 
			<ImageLoaded condition="contains" name="Javascript Lib was loaded into process">jscript</ImageLoaded> 
			<ImageLoaded condition="contains" name="Visual basic Lib">vbscript</ImageLoaded> 
			<ImageLoaded condition="contains" name="Attempts to ID Microsoft DLL that contains a set of services that allowed applications written in JScript, VBScript, and Microsoft development tools to build Windows-native XML-based applications.">msxm</ImageLoaded>
			<ImageLoaded condition="contains" name="Attempts to ID Microsoft DLL that contains a library which contains core OLE functions">ole32</ImageLoaded>
			<ImageLoaded condition="contains" name="Possible unaltered Mimikatz DLL Load">mimi</ImageLoaded>
			<ImageLoaded condition="contains" name="DLL lxssmanager loaded. Microsoft recommends blocking it.">lxssmanager</ImageLoaded> 
			<ImageLoaded condition="contains" name="Attempts to ID Microsoft DLL used to Download and upload">WebClient</ImageLoaded> 
			<ImageLoaded condition="contains" name="Attempts to ID Microsoft DLL used to allow injection and other suspicious activities.">Reflection</ImageLoaded> 
			<ImageLoaded condition="contains" name="Attempts to ID Microsoft DLL loaded that is often used in Malware to add functionality to do things like injection">runtime</ImageLoaded> 
			<ImageLoaded condition="contains" name="Attempts to ID Microsoft DLL loaded that is often used in Malware to add functionality to do things like injection">InteropServices</ImageLoaded>
			<ImageLoaded condition="contains" name="Attempts to ID Microsoft DLL loaded that is often used in Malware to add functionality to do things like native Windows execution and injection">Win32</ImageLoaded>
			<ImageLoaded condition="contains" name="Attempts to ID Microsoft DLL loaded that is often used in Malware to add functionality to do things like encrypt and encrypt data, files, and other things in memory and on disk.">Cryptography</ImageLoaded>
			<ImageLoaded condition="contains" name="Attempts to ID Microsoft DLL loaded that is often used in Malware to add functionality to do things like encrypt and encrypt data, files, and other things in memory and on disk.">System.Security.Cryptography.X509Certificates</ImageLoaded>
			<ImageLoaded condition="end with" name="Alert=Ramnit Banker Malware!" >rmnsoft.dll</ImageLoaded>
			<ImageLoaded condition="begin with" name=".Net Assembly used">C:\Windows\assembly\NativeImages</ImageLoaded>
			<ImageLoaded condition="contains" name="Mitre: https://attack.mitre.org/wiki/Technique/T1098">samlib.dll</ImageLoaded>
			<ImageLoaded condition="contains" name="Mitre: https://attack.mitre.org/wiki/Technique/T1098">WinSCard.dll</ImageLoaded>
			<ImageLoaded condition="is" name="fxsst.dll loaded">C:\Windows\system32\fxsst.dll</ImageLoaded>
			<ImageLoaded condition="contains" name="Powershell Lib loaded" >powershell</ImageLoaded> 
			<ImageLoaded condition="contains" name="CSharp(C#) Lib loaded" >clr.dll</ImageLoaded> 
			<ImageLoaded condition="end with" name="oci.dll loaded">oci.dll</ImageLoaded>
			<ImageLoaded condition="end with" name="PrivEsc - DLL Hijack - UACME 32">osksupport.dll</ImageLoaded>
			<ImageLoaded condition="end with" name="PrivEsc - DLL Hijack - UACME 30">wow64log.dll</ImageLoaded>
			<ImageLoaded condition="end with" name="PrivEsc - DLL Hijack - UACME 23">DismCore.dll</ImageLoaded>
			<ImageLoaded condition="end with" name="PrivEsc - DLL Hijack - UACME 22">comctl32.dll</ImageLoaded>
			<ImageLoaded condition="contains" name="PrivEsc - DLL Hijack - UACME 54">AppData\Local\Microsoft\WindowsApps\srrstr.dll</ImageLoaded>
		    <ImageLoaded condition="begin with" name="PrivEsc - UACBypass Mocking Trusted WinFolders">C:\Windows \</ImageLoaded>
			<ImageLoaded condition="begin with" name="PrivEsc - UACBypass Mocking Trusted WinFolders">C:\ Windows \</ImageLoaded>
			<ImageLoaded condition="begin with" name="PrivEsc - UACBypass Mocking Trusted WinFolders">C:\ Windows</ImageLoaded>
			<ImageLoaded condition="end with" name="PrivEsc - UACBypass - DiskCleanup">logprovider.dll</ImageLoaded>
			<ImageLoaded condition="end with" name="PrivEsc - Possible UACBypass - mcx2prov DLL">CRYPTBASE.dll</ImageLoaded><!-- UACBypass via mcx2prov executable and rogue CRYPTBASE.dll-->
			<ImageLoaded condition="end with" name="Defense Evasion - DLL Side Loading or UACBypass">Duser.dll</ImageLoaded>
			<ImageLoaded condition="end with" name="PrivEsc - UACBypass - UACME 39">pe386.dll</ImageLoaded>
			<ImageLoaded condition="end with" name="PrivEsc - UACBypass - DLL hijack Cliconfig">NTWDBLIB.dll</ImageLoaded>
			<ImageLoaded condition="contains" name="MitreRef=T1128,Technique=Netsh Helper Beacon DLL,Tactic=Persistence,Alert=Cobalt Strike Netsh Helper Beacon">NetshHelperBeacon</ImageLoaded>
			<ImageLoaded name="technique_id=T1170,technique_name=MSHTA with AMSI Bypass" condition="end with">jscript9.dll</ImageLoaded>
			<ImageLoaded name="technique_id=T1047,technique_name=Windows Scheduled Tasks" condition="end with">mstask.dll</ImageLoaded>
			<ImageLoaded name="technique_id=T1059,technique_name=Command and Scripting Interpreter" condition="end with">wshom.ocx</ImageLoaded>
			<OriginalFileName condition="is">scrrun.dll</OriginalFileName>
			<OriginalFileName condition="is">vbscript.dll</OriginalFileName>
			<OriginalFileName condition="is">urlmon.dll</OriginalFileName>
			<ImageLoaded name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="end with">wmiutils.dll</ImageLoaded>
			<OriginalFileName name="technique_id=T1112,technique_name=Modify Registry" condition="is">regsvc.dll</OriginalFileName>
			<!--Detect execution of HTA using the IE Javascript engine to bypass AMSI-->
			<!--Note: Rule placed before Windows Scriptingh to ensure it triggers on this on case any other component is used.-->
			<!---Thanks to Carlos Perez-->
			<Rule groupRelation="and">
			<OriginalFileName name="technique_id=T1218.005,technique_name=MSHTA with AMSI Bypass" condition="is">jscript.dll</OriginalFileName>
			<Image condition="end with">mshta.exe</Image>
			</Rule>
			<Rule groupRelation="and">
			<OriginalFileName name="technique_id=T1218.005,technique_name=MSHTA with AMSI Bypass" condition="is">jscript9.dll</OriginalFileName>
			<Image condition="end with">mshta.exe</Image>
			</Rule>   
			<!--Check for loading of the PowerShell engine-->
			<ImageLoaded name="technique_id=T1086,technique_name=PowerShell Engine" condition="end with">System.Management.Automation.ni.dll</ImageLoaded>
			<ImageLoaded name="technique_id=T1086,technique_name=PowerShell Engine" condition="end with">System.Management.Automation.dll</ImageLoaded>
			<ImageLoaded name="Load of a suspicious runtime Library" condition="end with">mscoree.dll</ImageLoaded>
			<ImageLoaded name="Load of a dll used in Discord DLL Hijack" condition="end with">ffmpeg.dll</ImageLoaded>
			<ImageLoaded name="Load of a dll used in dotnet process dumping" condition="end with">dotnet-dump.dll</ImageLoaded>
			<Rule groupRelation="and">
					<OriginalFileName name="technique_id=T1059.001,technique_name=PowerShell" condition="is">amsi.dll</OriginalFileName>
					<Image condition="excludes any">powershell.exe;powershell_ise.exe</Image>
			</Rule>
			<Rule groupRelation="and">
			<Image condition="end with">rundll32.exe</Image>
			<OriginalFileName name="technique_id=T1003.004,technique_name=LSASS Memory" condition="is">comsvcs.dll</OriginalFileName>
			</Rule>
			<!--Default named C# OffSec Tooling, Google name with Word Github at the end to find it-->
			<Rule groupRelation="and">
			<Image condition="end with">Control.exe</Image>
			<ImageLoaded condition="end with" name="Defense Evasion -Application Whitelisting Bypasses. Lolbins">.cpl</ImageLoaded>
			</Rule>
			<Rule groupRelation="and">
			<Image condition="end with">rundll32.exe</Image>
			<ImageLoaded condition="end with" name="Defense Evasion - Unusual Module Extension">.cpl</ImageLoaded>
			</Rule>
			<Rule groupRelation="and">
			<Image condition="end with">SubWCRev.exe</Image>
			<ImageLoaded condition="end with" name="Defense Evasion - Application Whitelisting Bypasses">crshhndl.dll</ImageLoaded>
			</Rule>
			<Rule groupRelation="and">
			<Image condition="end with">PotPlayer.exe</Image>
			<ImageLoaded condition="end with" name="Defense Evasion - Application Whitelisting Bypasses">PotPlayer.dll</ImageLoaded>
			</Rule>
			<Rule groupRelation="or">
				<ImageLoaded name="Default named CSharp Offensive Sec Tool" condition="contains">Sharphound</ImageLoaded>
				<ImageLoaded name="Default named CSharp Offensive Sec Tool" condition="contains">SharpUp</ImageLoaded>
				<ImageLoaded name="Default named CSharp Offensive Sec Tool" condition="contains">SharpDump</ImageLoaded>
				<ImageLoaded name="Default named CSharp Offensive Sec Tool" condition="contains">Internal-Monologue</ImageLoaded>
				<ImageLoaded name="Default named CSharp Offensive Sec Tool" condition="contains">Seatbelt</ImageLoaded>
				<ImageLoaded name="Default named CSharp Offensive Sec Tool" condition="contains">SharpSploit</ImageLoaded>
				<ImageLoaded name="Default named CSharp Offensive Sec Tool" condition="contains">SharpDPAPI</ImageLoaded>
				<ImageLoaded name="Default named CSharp Offensive Sec Tool" condition="contains">SharpWMI</ImageLoaded>
				<ImageLoaded name="Default named CSharp Offensive Sec Tool" condition="contains">SafetyKatz</ImageLoaded>
				<ImageLoaded name="Default named CSharp Offensive Sec Tool" condition="contains">Kiwi</ImageLoaded>
				<ImageLoaded name="Default named CSharp Offensive Sec Tool" condition="contains">Katz</ImageLoaded>
				<ImageLoaded name="Possible Default named CSharp Offensive Sec Tool" condition="contains">Sharp</ImageLoaded>
				<ImageLoaded name="Default named CSharp Offensive Sec Tool" condition="contains">Inveigh</ImageLoaded>
				<ImageLoaded name="Default named CSharp Offensive Sec Tool" condition="contains">Rubeus</ImageLoaded>
			</Rule>
			<!--Capture components used by malicious macros and scripts.-->
			<Rule groupRelation="or">
				<ImageLoaded name="technique_id=T1064,technique_name=Windows Scripting Host Component" condition="end with">wshom.ocx</ImageLoaded>
				<ImageLoaded name="technique_id=T1064,technique_name=Windows Scripting Host Component" condition="end with">scrrun.dll</ImageLoaded>
				<ImageLoaded name="technique_id=T1064,technique_name=Windows Scripting Host Component" condition="end with">vbscript.dll</ImageLoaded>
			</Rule>
			<Rule groupRelation="or">
				<ImageLoaded condition="end with" name="Defense Evasion - Unusual EXE Extension loaded as DLL">.exe</ImageLoaded>
				<Signed condition="is" name="Unsigned DLL loaded" >false</Signed>
			</Rule>
			<Rule groupRelation="and">
				<ImageLoaded name="technique_id=T1003,technique_name=Credential Dumping mimikatz_inmem" condition="is">C:\Windows\System32\samlib.dll</ImageLoaded> <!--Mitre T1098--> <!--Mitre T1075--> <!--Mitre T1003-->
				<ImageLoaded name="technique_id=T1003,technique_name=Credential Dumping mimikatz_inmem" condition="is">C:\Windows\System32\WinSCard.dll</ImageLoaded> <!--Mitre T1098--> <!--Mitre T1075--> <!--Mitre T1003-->
				<ImageLoaded name="technique_id=T1003,technique_name=Credential Dumping mimikatz_inmem" condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded> <!--Mitre T1098--> <!--Mitre T1075--> <!--Mitre T1003-->
				<ImageLoaded name="technique_id=T1003,technique_name=Credential Dumping mimikatz_inmem" condition="is">C:\Windows\System32\hid.dll</ImageLoaded> <!--Mitre T1098--> <!--Mitre T1075--> <!--Mitre T1003-->
				<ImageLoaded name="technique_id=T1003,technique_name=Credential Dumping mimikatz_inmem" condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded> <!--Mitre T1098--> <!--Mitre T1075--> <!--Mitre T1003-->
				<ImageLoaded name="technique_id=T1003,technique_name=Credential Dumping mimikatz_inmem" condition="is">C:\Windows\System32\wlanapi.dll</ImageLoaded> <!--Mitre T1098--> <!--Mitre T1075--> <!--Mitre T1003-->      
				<ImageLoaded name="technique_id=1137,technique_name=Office Application Startup" condition="end with">.wll</ImageLoaded>
				<ImageLoaded name="technique_id=T1137,technique_name=Office Application Startup" condition="end with">.xll</ImageLoaded>
			</Rule>
			
			<Rule groupRelation="and">
				<ImageLoaded condition="contains" name="Execution - Image Loaded CSharp Dll used in Red Team Tooling">System.Diagnostics</ImageLoaded>
				<ImageLoaded condition="contains" name="Execution - Image Loaded CSharp Dll used in Red Team Tooling">System.Runtime.InteropServices</ImageLoaded>
			</Rule>
			
			<Rule groupRelation="and">
				<Image condition="is not">C:\Windows\System32\vaultcmd.exe</Image>
				<ImageLoaded name="technique_id=T1003,technique_name=Credential Dumping via access to Windows cred vault by Suspicious Process" condition="is">C:\Windows\System32\vaultcli.dll</ImageLoaded> <!--Mitre T1098--> <!--Mitre T1075--> <!--Mitre T1003-->
			</Rule>
			<ImageLoaded name="technique_id=T1073,technique_name=DLL Side-Loading" condition="contains any" >admin$;c$;\\;\appdata\;\temp\</ImageLoaded><!-- loaded from network file share -->   
			<!--Detect execution of HTA using the IE Javascript engine to bypass AMSI-->
			<!--Note: Rule placed before Windows Scriptingh to ensure it triggers on this on case any other component is used.-->
			<Rule groupRelation="and">
				<ImageLoaded name="technique_id=T1170,technique_name=MSHTA with AMSI Bypass" condition="end with">jscript9.dll</ImageLoaded>
				<Image condition="end with">mshta.exe</Image>
			</Rule>
			<!--Detect the Squiblydoo technique-->
			<Rule groupRelation="or">
				<ImageLoaded name="technique_id=T1117,technique_name=Regsvr32" condition="end with">scrobj.dll</ImageLoaded>
			</Rule>
			<Rule groupRelation="and">
				<Image condition="end with">excel.exe</Image>
				<ImageLoaded condition="end with" name="MS Excel loading task scheduler functionality">taskschd.dll</ImageLoaded>
			</Rule>
			<Rule groupRelation="and">
				<Image condition="end with">winword.exe</Image>
				<ImageLoaded condition="end with" name="MS Word loading task scheduler functionality">taskschd.dll</ImageLoaded>
			</Rule>
			<Rule groupRelation="and">
				<Image condition="end with">powerpnt.exe</Image>
				<ImageLoaded condition="end with" name="MS Powerpoint loading task scheduler functionality">taskschd.dll</ImageLoaded>
			</Rule>
			<Rule groupRelation="and">
				<Image condition="end with">outlook.exe</Image>
				<ImageLoaded condition="end with" name="MS Outlook loading task scheduler functionality">taskschd.dll</ImageLoaded>
			</Rule>
			<Rule groupRelation="and">
				<Image condition="end with">excel.exe</Image>
				<ImageLoaded condition="end with" name="MS Excel loading WMI">wmiutils.dll</ImageLoaded>
			</Rule>
			<Rule groupRelation="and">
				<Image condition="end with">winword.exe</Image>
				<ImageLoaded condition="end with" name="MS Word loading WMI">wmiutils.dll</ImageLoaded>
			</Rule>
			<Rule groupRelation="and">
				<Image condition="end with">powerpnt.exe</Image>
				<ImageLoaded condition="end with" name="MS powerpoint loading WMI">wmiutils.dll</ImageLoaded>
			</Rule>
			<Rule groupRelation="and">
				<Image condition="end with">outlook.exe</Image>
				<ImageLoaded condition="end with" name="MS outlook loading WMI">wmiutils.dll</ImageLoaded>
			</Rule>
			<Rule groupRelation="and">
				<Image condition="end with">excel.exe</Image>
				<ImageLoaded condition="end with" name="MS Excel loading WMI">wbemsvc.dll</ImageLoaded>
			</Rule>
			<Rule groupRelation="and">
				<Image condition="end with">winword.exe</Image>
				<ImageLoaded condition="end with" name="MS Word loading WMI">wbemsvc.dll</ImageLoaded>
			</Rule>
			<Rule groupRelation="and">
				<Image condition="end with">powerpnt.exe</Image>
				<ImageLoaded condition="end with" name="MS powerpoint loading WMI">wbemsvc.dll</ImageLoaded>
			</Rule>
			<Rule groupRelation="and">
				<Image condition="end with">outlook.exe</Image>
				<ImageLoaded condition="end with" name="MS outlook loading WMI">wbemsvc.dll</ImageLoaded>
			</Rule>
			<!-- Begin Rules from https://github.com/XForceIR/SideLoadHunter/blob/main/Sysmon-SideLoadHunter/sideloadhunter.xml -->
			<Rule name="AppVStreamingUX_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">AppVStreamingUX.exe</Image>
					<ImageLoaded condition="contains">DWMAPI.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="AppVStreamingUX_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">AppVStreamingUX.exe</Image>
					<ImageLoaded condition="contains">d3d9.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="AppVStreamingUX_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">AppVStreamingUX.exe</Image>
					<ImageLoaded condition="contains">igdumdim64.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="calc_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">calc.exe</Image>
					<ImageLoaded condition="contains">PROPSYS.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="calc_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">calc.exe</Image>
					<ImageLoaded condition="contains">Secur32.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="calc_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">calc.exe</Image>
					<ImageLoaded condition="contains">MLANG.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="calc_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">calc.exe</Image>
					<ImageLoaded condition="contains">WININET.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="certreq_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">certreq.exe</Image>
					<ImageLoaded condition="contains">rdpendp.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="change_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">change.exe</Image>
					<ImageLoaded condition="contains">utildll.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="charmap_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">charmap.exe</Image>
					<ImageLoaded condition="contains">MSFTEDIT.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="chglogon_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">chglogon.exe</Image>
					<ImageLoaded condition="contains">utildll.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="DeviceCensus_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">DeviceCensus.exe</Image>
					<ImageLoaded condition="contains">dcntel.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="DeviceCensus_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">DeviceCensus.exe</Image>
					<ImageLoaded condition="contains">rdpendp.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="DeviceCensus_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">DeviceCensus.exe</Image>
					<ImageLoaded condition="contains">igd10iumd64.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="DeviceCensus_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">DeviceCensus.exe</Image>
					<ImageLoaded condition="contains">igd12umd64.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="DeviceCensus_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">DeviceCensus.exe</Image>
					<ImageLoaded condition="contains">igd12umd64.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="DeviceCensus_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">DeviceCensus.exe</Image>
					<ImageLoaded condition="contains">igdusc64.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="DeviceCensus_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">DeviceCensus.exe</Image>
					<ImageLoaded condition="contains">dxilconv.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="DeviceCensus_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">DeviceCensus.exe</Image>
					<ImageLoaded condition="contains">utcutil.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="DeviceCensus_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">DeviceCensus.exe</Image>
					<ImageLoaded condition="contains">appraiser.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="DeviceCensus_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">DeviceCensus.exe</Image>
					<ImageLoaded condition="contains">updatepolicy.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="dispdiag_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">dispdiag.exe</Image>
					<ImageLoaded condition="contains">DXVA2.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="dispdiag_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">dispdiag.exe</Image>
					<ImageLoaded condition="contains">DXVA2.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="djoin_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">djoin.exe</Image>
					<ImageLoaded condition="contains">wdscore.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="dnscacheugc_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">dnscacheugc.exe</Image>
					<ImageLoaded condition="contains">wdscore.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="dxdiag_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">dxdiag.exe</Image>
					<ImageLoaded condition="contains">dsound.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="dxdiag_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">dxdiag.exe</Image>
					<ImageLoaded condition="contains">dsound.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="dxdiag_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">dxdiag.exe</Image>
					<ImageLoaded condition="contains">rdpendp.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="dxdiag_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">dxdiag.exe</Image>
					<ImageLoaded condition="contains">DispBroker.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="dxdiag_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">dxdiag.exe</Image>
					<ImageLoaded condition="contains">MSFTEDIT.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="fixmapi_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">fixmapi.exe</Image>
					<ImageLoaded condition="contains">mapistub.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="FXSCOVER_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">FXSCOVER.exe</Image>
					<ImageLoaded condition="contains">FXSRESM.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="licensingdiag_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">licensingdiag.exe</Image>
					<ImageLoaded condition="contains">cryptnet.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="logman_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">logman.exe</Image>
					<ImageLoaded condition="contains">pdh.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="mcbuilder_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">mcbuilder.exe</Image>
					<ImageLoaded condition="contains">mrmcoreR.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="msdtc_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">msdtc.exe</Image>
					<ImageLoaded condition="contains">COMRES.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="msdtc_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">msdtc.exe</Image>
					<ImageLoaded condition="contains">msdtcVSp1res.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="mspaint_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">mspaint.exe</Image>
					<ImageLoaded condition="contains">MSFTEDIT.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="MuiUnattend_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">MuiUnattend.exe</Image>
					<ImageLoaded condition="contains">wdscore.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netbtugc_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netbtugc.exe</Image>
					<ImageLoaded condition="contains">wdscore.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netsh_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netsh.exe</Image>
					<ImageLoaded condition="contains">IFMON.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netsh_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netsh.exe</Image>
					<ImageLoaded condition="contains">RASMONTR.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netsh_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netsh.exe</Image>
					<ImageLoaded condition="contains">AUTHFWCFG.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netsh_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netsh.exe</Image>
					<ImageLoaded condition="contains">DHCPCMONITOR.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netsh_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netsh.exe</Image>
					<ImageLoaded condition="contains">DOT3CFG.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netsh_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netsh.exe</Image>
					<ImageLoaded condition="contains">FWCFG.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netsh_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netsh.exe</Image>
					<ImageLoaded condition="contains">HNETMON.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netsh_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netsh.exe</Image>
					<ImageLoaded condition="contains">NETIOHLP.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netsh_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netsh.exe</Image>
					<ImageLoaded condition="contains">NETTRACE.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netsh_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netsh.exe</Image>
					<ImageLoaded condition="contains">NSHHTTP.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netsh_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netsh.exe</Image>
					<ImageLoaded condition="contains">NSHIPSEC.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netsh_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netsh.exe</Image>
					<ImageLoaded condition="contains">NSHWFP.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netsh_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netsh.exe</Image>
					<ImageLoaded condition="contains">P2PNETSH.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netsh_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netsh.exe</Image>
					<ImageLoaded condition="contains">PEERDISTSH.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netsh_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netsh.exe</Image>
					<ImageLoaded condition="contains">RPCNSH.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netsh_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netsh.exe</Image>
					<ImageLoaded condition="contains">WCNNETSH.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netsh_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netsh.exe</Image>
					<ImageLoaded condition="contains">WHHELPER.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netsh_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netsh.exe</Image>
					<ImageLoaded condition="contains">WLANCFG.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netsh_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netsh.exe</Image>
					<ImageLoaded condition="contains">WSHELPER.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netsh_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netsh.exe</Image>
					<ImageLoaded condition="contains">WWANCFG.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netsh_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netsh.exe</Image>
					<ImageLoaded condition="contains">userenv.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netsh_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netsh.exe</Image>
					<ImageLoaded condition="contains">userenv.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="netsh_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">netsh.exe</Image>
					<ImageLoaded condition="contains">wcmapi.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="oobeldr_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">oobeldr.exe</Image>
					<ImageLoaded condition="contains">wdscore.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="phoneactivate_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">phoneactivate.exe</Image>
					<ImageLoaded condition="contains">igdusc64.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="PnPUnattend_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">PnPUnattend.exe</Image>
					<ImageLoaded condition="contains">wdscore.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="powershell_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">powershell.exe</Image>
					<ImageLoaded condition="contains">amsi.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="powershell_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">powershell.exe</Image>
					<ImageLoaded condition="contains">USERENV.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="powershell_ise_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">powershell_ise.exe</Image>
					<ImageLoaded condition="contains">DWMAPI.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="powershell_ise_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">powershell_ise.exe</Image>
					<ImageLoaded condition="contains">igdumdim64.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="powershell_ise_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">powershell_ise.exe</Image>
					<ImageLoaded condition="contains">amsi.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="powershell_ise_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">powershell_ise.exe</Image>
					<ImageLoaded condition="contains">USERENV.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="powershell_ise_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">powershell_ise.exe</Image>
					<ImageLoaded condition="contains">avrt.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="PrintIsolationHost_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">PrintIsolationHost.exe</Image>
					<ImageLoaded condition="contains">PrintIsolationProxy.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="de" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">de</Image>
					<ImageLoaded condition="contains">cscapi.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="query_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">query.exe</Image>
					<ImageLoaded condition="contains">utildll.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="ReAgentc_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">ReAgentc.exe</Image>
					<ImageLoaded condition="contains">wdscore.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="RMActivate_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">RMActivate.exe</Image>
					<ImageLoaded condition="contains">msdrm.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="RMActivate_isv_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">RMActivate_isv.exe</Image>
					<ImageLoaded condition="contains">msdrm.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="RMActivate_ssp_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">RMActivate_ssp.exe</Image>
					<ImageLoaded condition="contains">msdrm.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="RMActivate_ssp_isv_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">RMActivate_ssp_isv.exe</Image>
					<ImageLoaded condition="contains">msdrm.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="RpcPing_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">RpcPing.exe</Image>
					<ImageLoaded condition="contains">rpchttp.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="rwinsta_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">rwinsta.exe</Image>
					<ImageLoaded condition="contains">utildll.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="SlideToShutDown_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">SlideToShutDown.exe</Image>
					<ImageLoaded condition="contains">igd10iumd64.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="SlideToShutDown_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">SlideToShutDown.exe</Image>
					<ImageLoaded condition="contains">igdusc64.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="stordiag_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">stordiag.exe</Image>
					<ImageLoaded condition="contains">wldp.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="stordiag_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">stordiag.exe</Image>
					<ImageLoaded condition="contains">amsi.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="stordiag_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">stordiag.exe</Image>
					<ImageLoaded condition="contains">USERENV.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="stordiag_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">stordiag.exe</Image>
					<ImageLoaded condition="contains">storageusage.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="tscon_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">tscon.exe</Image>
					<ImageLoaded condition="contains">utildll.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="tskill_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">tskill.exe</Image>
					<ImageLoaded condition="contains">utildll.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="UNPUXHost_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">UNPUXHost.exe</Image>
					<ImageLoaded condition="contains">PROPSYS.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="UNPUXHost_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">UNPUXHost.exe</Image>
					<ImageLoaded condition="contains">MLANG.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="UNPUXHost_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">UNPUXHost.exe</Image>
					<ImageLoaded condition="contains">WININET.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="WFS_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">WFS.exe</Image>
					<ImageLoaded condition="contains">WfsR.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="WFS_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">WFS.exe</Image>
					<ImageLoaded condition="contains">mapistub.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="WFS_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">WFS.exe</Image>
					<ImageLoaded condition="contains">MSI.DLL</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="WFS_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">WFS.exe</Image>
					<ImageLoaded condition="contains">srpapi.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="WFS_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">WFS.exe</Image>
					<ImageLoaded condition="contains">FxsCompose.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="WFS_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">WFS.exe</Image>
					<ImageLoaded condition="contains">scansetting.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="WFS_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">WFS.exe</Image>
					<ImageLoaded condition="contains">WindowsCodecs.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>
			<Rule name="wsqmcons_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">wsqmcons.exe</Image>
					<ImageLoaded condition="contains">KtmW32.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
				
			</Rule>	
			<Rule name="onedrivestandaloneupdater_sideload" groupRelation="and">
				<!-- Log only image loads where modules match these conditions -->
				
					<Image condition="contains">onedrivestandaloneupdater.exe</Image>
					<ImageLoaded condition="contains">wofutil.dll</ImageLoaded>
					<Signature condition="is not">Microsoft Windows</Signature>
			</Rule>
				<SignatureStatus condition="is" name="DLL loaded with unknown/cant confirm signature. Suspicous.">Unavailable</SignatureStatus>
				<SignatureStatus name="DLL loaded with Invalid signature. Sooo Suspicous.">Invalid</SignatureStatus>
				<Signed condition="is" name="DLL loaded with Invalid Hash Signature. Suspicous.">Invalid hash</Signed>
				<Signed condition="is" name="Unsigned DLL loaded">false</Signed>
			</ImageLoad>
		</RuleGroup>

		<!-- END Rules from https://github.com/XForceIR/SideLoadHunter/blob/main/Sysmon-SideLoadHunter/sideloadhunter.xml -->
		<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS [ImageLoad]-->
		<RuleGroup name="ImageLoad exclude" groupRelation="or">
		<ImageLoad onmatch="exclude">
			  <ImageLoaded condition="is">C:\Windows\System32\duser.dll</ImageLoaded>
			  <ImageLoaded condition="is">C:\Windows\Syswow64\duser.dll</ImageLoaded>
			  <ImageLoaded condition="is">C:\Windows\System32\osksupport.dll</ImageLoaded>
			  <ImageLoaded condition="is">C:\Windows\Syswow64\osksupport.dll</ImageLoaded>
			  <ImageLoaded condition="is">C:\Windows\System32\DismCore.dll</ImageLoaded>
			  <ImageLoaded condition="is">C:\Windows\Syswow64\DismCore.dll</ImageLoaded>
			  <ImageLoaded condition="is">C:\Windows\Syswow64\comctl32.dll</ImageLoaded>
			  <ImageLoaded condition="is">C:\Windows\System32\comctl32.dll</ImageLoaded>
			  <ImageLoaded condition="is">C:\Windows\System32\Dism\LogProvider.dll</ImageLoaded>
			  <ImageLoaded condition="is">c:\Windows\SysWOW64\dism\LogProvider.dll</ImageLoaded>
			  <!-- <Image condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Image> -->
			  <ImageLoaded condition="begin with">C:\Program Files\Microsoft Office\root\Office</ImageLoaded> <!-- wwlib.dll side loading FP -->
			  <Image condition="is">C:\Windows\System32\WinSAT.exe</Image>
			  <Image condition="is">c:\Windows\system32\surfacedtx.exe</Image>
			  <Image condition="is">c:\riot games\riot client\ux\riotclientuxrender.exe</Image>
			  <Image condition="is">c:\riot games\riot client\riotclientcrashhandler.exe</Image>
			  <Image condition="is">c:\riot games\league of legends\game\league of legends.exe</Image>
			  <Image condition="is">c:\riot games\league of legends\leagueclientuxrender.exe</Image>
			  <Image condition="is">c:\riot games\riot client\ux\riotclientux.exe</Image>
			  <Image condition="is">c:\riot games\league of legends\leagueclientux.exe</Image>
			  <ImageLoaded condition="is">c: \riot games\riot client\riotclientcrashhandler.exe</ImageLoaded>
			  <Image condition="is">c:\Windows\system32\cavs\intel(r) audio service\intelaudioservice.exe</Image>
			  <Image condition="is">c:\program files (x86)\keepass password safe 2\keepass.exe</Image>
			  <Image condition="is">C:\Windows\System32\wermgr.exe</Image> <!-- FP for schtask COM -->
			  <Image condition="is">C:\Windows\System32\sdiagnhost.exe</Image><!-- FPs for wmiutil -->
			  <ImageLoaded condition="is">C:\Windows\System32\cryptbase.dll</ImageLoaded>
			  <ImageLoaded condition="is">C:\Windows\SysWOW64\winspool.drv</ImageLoaded>
			  <ImageLoaded condition="is">C:\Windows\System32\winspool.drv</ImageLoaded>
			  <ImageLoaded condition="begin with">C:\Windows\WinSxS</ImageLoaded>
			  <ImageLoaded condition="is">C:\Windows\System32\amsi.dll</ImageLoaded>
			  <ImageLoaded condition="is">C:\Windows\System32\msi.dll</ImageLoaded>
			  <ImageLoaded condition="is">C:\Windows\System32\userenv.dll</ImageLoaded>
			  <ImageLoaded condition="is">C:\Windows\System32\winmm.dll</ImageLoaded>
			  <ImageLoaded condition="end with">.exe</ImageLoaded><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
			  <Image condition="is">C:\Windows\System32\taskeng.exe</Image>
			  <Image condition="is">C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe</Image>
			  <Image condition="is">C:\Program Files\Windows Defender\NisSrv.exe</Image>
			  <Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image>
			  <Image condition="is">C:\Windows\System32\dllhost.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <Image condition="begin with">C:\Windows\Microsoft.NET\Framework64\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <Image condition="is">C:\Windows\System32\DeviceCensus.exe</Image>
			  <Image condition="is">C:\Windows\System32\systeminfo.exe</Image>
			  <Image condition="is">C:\Windows\System32\LockAppHost.exe</Image>
			  <Image condition="is">C:\Program Files\Google\Update\GoogleUpdate.exe</Image>
			  <Image condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <Image condition="is">C:\Windows\System32\SrTasks.exe</Image>
			  <Image condition="begin with">C:\Windows\Microsoft.NET\Framework\</Image>
			  <Image condition="is">C:\Windows\System32\wbem\WmiApSrv.exe</Image>
			  <Image condition="is">C:\Windows\SysWOW64\wbem\WmiPrvSE.exe</Image>
			  <Image condition="is">C:\Program Files\Microsoft Policy Platform\policyHost.exe</Image>
			  <Image condition="is">C:\Windows\System32\SearchProtocolHost.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <Image condition="is">C:\Windows\System32\SearchFilterHost.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
			  <Image condition="is">C:\Windows\servicing\TrustedInstaller.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <Image condition="begin with">C:\Windows\System32\taskhost</Image>
			  <Image condition="is">C:\Windows\System32\LogonUI.exe</Image>
			  <Image condition="is">C:\Windows\System32\wifitask.exe</Image>
			  <Image condition="is">C:\Program Files\Microsoft Data Protection Manager\DPM\bin\DPMRA.exe</Image>
			  <Image condition="is">C:\Windows\System32\VSSVC.exe</Image>
			  <Image condition="is">C:\Windows\System32\netsh.exe</Image>
			  <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
			  <Image condition="is">C:\Windows\System32\raserver.exe</Image>
			  <Image condition="is">C:\Windows\System32\RuntimeBroker.exe</Image>
			  <Image condition="begin with">C:\Windows\SystemApps\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <Image condition="is">C:\Windows\System32\SearchIndexer.exe</Image>
			  <Image condition="is">C:\Windows\explorer.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <Image condition="is">C:\Windows\System32\sppsvc.exe</Image><!-- noisy for taskschd.dll-->
			  <Image condition="is">C:\Program Files\Internet Explorer\iexplore.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <Image condition="begin with">C:\Windows\CCM\</Image>
			  <Image condition="is">C:\Program Files\Manufacturer\Endpoint Agent\edpa.exe</Image>
			  <Image condition="is">C:\Program Files\Microsoft Data Protection Manager\DPM\bin\DPMClientService.exe</Image>
			  <Image condition="begin with">C:\Program Files (x86)\Microsoft Visual Studio\</Image>
			  <Image condition="is">C:\Windows\System32\provtool.exe</Image>
			  <Image condition="is">C:\Program Files\CONEXANT\SA3\HP-NB-AIO\SmartAudio3.exe</Image>
			  <Image condition="is">C:\Windows\System32\mmc.exe</Image>
			  <Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</Image>
			  <Image condition="is">C:\Windows\System32\wlanext.exe</Image>
			  <Image condition="begin with">C:\Program Files\Microsoft SQL Server\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <Image condition="is">C:\Windows\System32\ibtsiva.exe</Image>
			  <Image condition="is">C:\Windows\System32\lsass.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <Image condition="is">C:\Windows\System32\dwm.exe</Image>
			  <Image condition="is">C:\Windows\System32\MicTray64.exe</Image>
			  <Image condition="is">C:\Program Files\Intel\WiFi\bin\EvtEng.exe</Image>
			  <Image condition="is">C:\Program Files\Intel\WiFi\bin\iWrap.exe</Image>
			  <Image condition="is">C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe</Image>
			  <Image condition="begin with">C:\Program Files\WindowsApps\</Image>
			  <Image condition="is">C:\Windows\System32\SystemSettingsBroker.exe</Image>
			  <Image condition="is">C:\Windows\System32\smartscreen.exe</Image>
			  <Image condition="is">C:\Windows\System32\services.exe</Image>
			  <Image condition="is">C:\Windows\System32\CompatTelRunner.exe</Image>
			  <Image condition="begin with">C:\Program Files\Microsoft Forefront Identity Manager\</Image>
			  <Image condition="is">C:\Windows\System32\sihost.exe</Image>
			  <Image condition="is">C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe</Image>
			  <Image condition="is">C:\Windows\System32\SettingSyncHost.exe</Image>
			  <Image condition="is">c:\Windows\system32\schtasks.exe</Image>
			  <Image condition="is">c:\Windows\syswow64\schtasks.exe</Image>
			  <Image condition="is">C:\Program Files (x86)\Kontiki\KHost.exe</Image>
			  <Image condition="is">C:\Windows\System32\tasklist.exe</Image>
			  <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
			  <Image condition="end with">procexp64.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <Image condition="end with">procmon.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <Image condition="end with">procexp.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <Image condition="end with">wmic.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <Image condition="end with">AppData\Local\Microsoft\OneDrive\OneDrive.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <ImageLoaded condition="begin with">C:\ProgramData\Microsoft\Windows Defender\Platform\</ImageLoaded>
			  <Image>C:\Windows\System32\ClipRenew.exe</Image>
			  <ImageLoaded condition="is">C:\Windows\SysWOW64\msi.dll</ImageLoaded>
			  <ImageLoaded condition="is">C:\Windows\SysWOW64\cryptbase.dll</ImageLoaded>
			  <ImageLoaded condition="is">C:\Windows\System32\aclui.dll</ImageLoaded>
			  <ImageLoaded condition="is">C:\Windows\System32\syswow64.dll</ImageLoaded>
			  <ImageLoaded condition="is">C:\Windows\SysWOW64\userenv.dll</ImageLoaded>
			  <ImageLoaded condition="is">C:\Windows\SysWOW64\winmm.dll</ImageLoaded>
			  <ImageLoaded condition="is">C:\Windows\System32\winmm.dll</ImageLoaded>
			  <ImageLoaded condition="is">C:\Windows\System32\duser.dll</ImageLoaded>
			  <ImageLoaded condition="is">C:\Windows\Syswow64\duser.dll</ImageLoaded>
			  <ImageLoaded condition="is">C:\Windows\System32\Dism\LogProvider.dll</ImageLoaded>
			  <ImageLoaded condition="is">C:\Program Files\Windows Defender\MpClient.dll</ImageLoaded>
			<Image condition="is">C:\Program Files\Microsoft Policy Platform\policyHost.exe</Image>
		    	<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
			<Image condition="begin with">C:\Program Files\Fortinet\</Image>
			<Image condition="is">C:\Windows\System32\mmc.exe</Image>
			<Image condition="is">C:\Windows\sysmon64.exe</Image>
			<Image condition="is">C:\Windows\sysmon.exe</Image>
			<Image condition="end with">\SWELF.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Windows\System32\svchost.exe</Image>
			<Image condition="is">C:\Windows\System32\inetsrv\w3wp.exe</Image>
			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image> <!-- Windows Store apps unsigned -->
			<Image condition="contains">SQL Server</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="contains">Exchange Server</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<ImageLoaded condition="contains">Exchange Server</ImageLoaded>
			<ImageLoaded condition="contains">SQL Server</ImageLoaded>
			<ImageLoaded condition="begin with">C:\Program Files\WindowsApps</ImageLoaded>
			<ImageLoaded condition="is">C:\Windows\System32\wow64.dll</ImageLoaded>
			<ImageLoaded condition="is">C:\Windows\System32\clusapi.dll</ImageLoaded>
			<ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded><!-- Often loaded in both malware and goodware -->
			<ImageLoaded condition="is">C:\Windows\System32\wow64win.dll</ImageLoaded>
			<ImageLoaded condition="is">C:\Windows\System32\wow64.dll</ImageLoaded>
			<ImageLoaded condition="is">C:\Windows\System32\pcwum.dll</ImageLoaded>
			<ImageLoaded condition="end with">ntdll.dll</ImageLoaded><!-- Often loaded in both malware and goodware -->
			<ImageLoaded condition="end with">advapi32.dll</ImageLoaded><!-- Often loaded in both malware and goodware -->
			<ImageLoaded condition="end with">Secur32.dll</ImageLoaded><!-- Often loaded in both malware and goodware -->
			<ImageLoaded condition="is">C:\Windows\System32\kernel32.dll</ImageLoaded><!-- Often loaded in both malware and goodware -->
			<ImageLoaded condition="is">C:\Windows\System32\user32.dll</ImageLoaded><!-- Often loaded in both malware and goodware -->
			<ImageLoaded condition="is">C:\Windows\System32\dns.exe</ImageLoaded>
			<ImageLoaded condition="is">C:\Windows\System32\zvprtmon5.dll</ImageLoaded>
			<ImageLoaded condition="is">C:\Windows\System32\termsrv.dll</ImageLoaded>
			<ImageLoaded condition="begin with">C:\Windows\System32\spool\</ImageLoaded>
			<ImageLoaded condition="begin with">C:\Program Files\WindowsApps</ImageLoaded>
			<ImageLoaded condition="is">C:\Program Files\Microsoft SQL Server\100\Shared\dbghelp.dll</ImageLoaded>
			<!-- Exclude SPLUNK HEY! NOTE This needs to point to the exact path of your splunk install to avoid a blind spot if you dont want to log it-->
			<Image condition="end with">splunkd.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="end with">splunk-MonitorNoHandle.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="end with">splunk-regmon.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="end with">splunk-netmon.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="end with">splunk-powershell.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="end with">splunk-winprintmon.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="end with">splunk-admon.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Rule groupRelation="and">
                <Image condition="is">c:\Windows\system32\Windowspowershell\v1.0\powershell.exe</Image>
            <ImageLoaded condition="end with">system.management.automation.ni.dll</ImageLoaded>
            </Rule>
            <Rule groupRelation="and">
            <Image condition="is">c:\Windows\system32\Windowspowershell\v1.0\powershell.exe</Image>
            <ImageLoaded condition="begin with">C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Transactions\</ImageLoaded>
            </Rule>
            <Rule groupRelation="and">
            <Image condition="is">c:\Windows\system32\Windowspowershell\v1.0\powershell.exe</Image>
            <ImageLoaded condition="begin with">C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Transactions\</ImageLoaded>
            </Rule>
            <Rule groupRelation="and">
			<Signature condition="contains">Microsoft</Signature>
			<SignatureStatus condition="is">Valid</SignatureStatus>
			</Rule>
			<Rule groupRelation="and">
			<Signature condition="contains">NVIDIA</Signature>
			<SignatureStatus condition="is">Valid</SignatureStatus>
			</Rule>
			<Rule groupRelation="and">
			<Signature condition="contains">Intel</Signature>
			<SignatureStatus condition="is">Valid</SignatureStatus>
			</Rule>
			<Rule groupRelation="and">
			<Signature condition="contains">Lenovo</Signature>
			<SignatureStatus condition="is">Valid</SignatureStatus>
			</Rule>
			<Rule groupRelation="and">
			<Signature condition="contains">Synaptic</Signature>
			<SignatureStatus condition="is">Valid</SignatureStatus>
			</Rule>
			<Rule groupRelation="and">
			<Signature condition="contains">Broadcom</Signature>
			<SignatureStatus condition="is">Valid</SignatureStatus>
			</Rule>
			<Rule groupRelation="and">
			<Signature condition="contains">AMD</Signature>
			<SignatureStatus condition="is">Valid</SignatureStatus>
			</Rule>
			<Rule groupRelation="and">
			<Signature condition="contains">VMware</Signature>
			<SignatureStatus condition="is">Valid</SignatureStatus>
			</Rule>
			<Rule groupRelation="and">
			<Signature condition="contains">Realtek</Signature>
			<SignatureStatus condition="is">Valid</SignatureStatus>
			</Rule>
			<Rule groupRelation="and">
			<Signature condition="contains">Micro-Star</Signature>
			<SignatureStatus condition="is">Valid</SignatureStatus>
			</Rule>
			<Rule groupRelation="and">
			<Signature condition="contains">Logitech</Signature>
			<SignatureStatus condition="is">Valid</SignatureStatus>
			</Rule>
			<Rule groupRelation="and">
			<Signature condition="contains">Asmedia</Signature>
			<SignatureStatus condition="is">Valid</SignatureStatus>
			</Rule>
			<Rule groupRelation="and">
			<Signature condition="contains">SteelSeries</Signature>
			<SignatureStatus condition="is">Valid</SignatureStatus>
			</Rule>
			<Rule groupRelation="and">
			<Signature condition="contains">Fortinet</Signature>
			<SignatureStatus condition="is">Valid</SignatureStatus>
			</Rule>
			<SignatureStatus condition="is">Valid</SignatureStatus>
			<Hashes condition="end with">AA02A4789AEBC104EA53E559F824A5B4</Hashes> <!-- IMPHASH of OneDriveStandaloneUpdater.exe -->
			<Hashes condition="end with">727B32239F3556C6C9E82ADE6087C4AC</Hashes><!-- Microsoft OneDrive Shell Extension -->
		</ImageLoad>
		</RuleGroup>
		
		<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]-->
		<!--COMMENT:	Monitor for processes injecting code into other processes. Often used by malware to cloak their actions. Also when Firefox loads Flash.
		[ https://attack.mitre.org/wiki/Technique/T1055 ] -->
		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->
		<RuleGroup name="CreateRemoteThread exclude" groupRelation="or">
		<CreateRemoteThread onmatch="exclude">
			<!--COMMENT: Exclude mostly-safe sources and log anything else.-->
			<SourceImage condition="begin with">C:\Program Files\HP Inc\</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<SourceImage condition="begin with">C:\Program Files (x86)\Trend Micro\</SourceImage>
			<SourceImage condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<SourceImage condition="is">C:\Windows\SysWOW64\wbem\WmiPrvSE.exe</SourceImage> <!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<SourceImage condition="is">C:\Windows\Explorer.EXE</SourceImage>
			<SourceImage condition="is">C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\wininit.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\csrss.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\services.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\winlogon.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\audiodg.exe</SourceImage>
			<!--<StartModule condition="is">C:\Windows\system32\kernel32.dll</StartModule>This does createremote thread for injection as well as other things-->
			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
			<SourceImage condition="begin with">C:\Program Files (x86)\Fortinet\FortiClient\</SourceImage>
			<SourceImage condition="begin with">C:\Program Files (x86)\</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<SourceImage condition="begin with">C:\Program Files\</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<TargetImage condition="end with">Google\Chrome\Application\chrome.exe</TargetImage>
		    <StartFunction>EtwpNotificationThread</StartFunction><!-- observed as FP from -->
			<StartFunction>RtlpQueryProcessDebugInformationRemote</StartFunction><!-- observed as a FP from procexp64.exe -->
		</CreateRemoteThread>
		</RuleGroup>
		
		<!--SYSMON EVENT ID 9 : RAW DISK ACCESS [RawAccessRead]-->
		<!--EVENT 9: "RawAccessRead detected"-->
		<!--COMMENT:	Can cause high system load, disabled by default.-->
		<!--COMMENT:	Monitor for raw sector-level access to the disk, often used to bypass access control lists or access locked files.
			Disabled by default since including even one entry here activates this component. Reward/performance/rule maintenance decision.
			Encourage you to experiment with this feature yourself. [ https://attack.mitre.org/wiki/Technique/T1067 ] -->
		<!--COMMENT:	You will likely want to set this to a full capture on domain controllers, where no process should be doing raw reads.-->
		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, Device-->
		<RuleGroup name="RawAccessRead exclude" groupRelation="or">
		<RawAccessRead onmatch="exclude">
			<Image condition="begin with">C:\Program Files (x86)\</Image> <!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="begin with">C:\Program Files \</Image> <!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="begin with">C:\Windows\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="begin with">C:\ProgramData\Microsoft\Windows Defender\Platform\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">system</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1907.4-0\MsMpEng.exe</Image>
			<Image condition="is">C:\Windows\System32\svchost.exe</Image>
			<Image condition="is">C:\Program Files\VMWare\VMWare Tools\vmtoolsd.exe</Image>
		</RawAccessRead>
		</RuleGroup>
		
		<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS [ProcessAccess]-->
		<!--EVENT 10: "Process accessed"-->
		<!--COMMENT:	Can cause high system load, disabled by default.-->
		<!--COMMENT:	Monitor for processes accessing other process' memory.-->
		<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
		<RuleGroup name="ProcessAccess include" groupRelation="or">
		<ProcessAccess onmatch="include">	
			<CallTrace name="Call of DLL used for injection and powershell with out powershell.exe" condition="contains">System.Management.Automation.ni</CallTrace>
			<CallTrace name="technique_id=T1003,technique_name=Credential Dumping" condition="contains">dbghelp.dll</CallTrace>
			<CallTrace name="technique_id=T1003,technique_name=Credential Dumping" condition="contains">dbgcore.dll</CallTrace>
			<!--<CallTrace name="Call of DLL used for injection and powershell with out powershell.exe" condition="contains">UNKNOWN</CallTrace>-->
			<CallTrace name="Seen doing process minidump with rundll32, taskmanager, and custom bins" condition="contains">\dbghelp.dll</CallTrace>
			<CallTrace name="Seen doing process minidump with rundll32, taskmanager, and custom bins" condition="contains">minidump</CallTrace>
			<SourceImage name="Process access from RecycleBin, SUSPICIOUS action" condition="begin with">C:\$Recycle.Bin</SourceImage>
			<TargetImage name="Possible LSASS Process access, SUSPICIOUS action" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
			<TargetImage name="Possible browser inject, often done to dump passwords from browser" condition="end with">\chrome.exe</TargetImage>
			<TargetImage name="Possible browser inject, often done to dump passwords from browser" condition="end with">\firefox.exe</TargetImage>
			<GrantedAccess name="Possible suspicious process access,PROCESS_SUSPEND_RESUME (GrantedAccess)" condition="is">0x800</GrantedAccess>
			<GrantedAccess name="Possible suspicious process access (GrantedAccess)" condition="is">0x010</GrantedAccess>
			<GrantedAccess name="Possible suspicious process access (GrantedAccess)" condition="is">0x1FFFFF</GrantedAccess>
			<GrantedAccess name="Possible suspicious process access (GrantedAccess)" condition="is">0x1010</GrantedAccess>
			<GrantedAccess name="Possible suspicious process access (GrantedAccess)" condition="is">0x0400</GrantedAccess>
			<GrantedAccess name="Possible suspicious process access (GrantedAccess)" condition="is">0x1410</GrantedAccess>
			<GrantedAccess name="Possible suspicious process access (GrantedAccess)" condition="is">0x0010</GrantedAccess>
			<GrantedAccess name="technique_id=T1055.012,technique_name=Process Hollowing">0x21410</GrantedAccess> 
			<GrantedAccess name="technique_id=T1003,technique_name=Credential Dumping (GrantedAccess)">0x0810</GrantedAccess> <!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ - possible memory dump to extract sensitive information -->
			<GrantedAccess name="technique_id=T1055,technique_name=Process Injection (GrantedAccess)">0x0820</GrantedAccess> <!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_WRITE - possible memory injection -->
			<GrantedAccess name="Defense Evasion - Possible Process Suspended" condition="is">0x800</GrantedAccess><!-- minimum required OpenProcess access rights to suspend a target process -->
			<GrantedAccess name="technique_id=T1055.012,technique_name=Process Hollowing">0x0800</GrantedAccess>            <!-- PROCESS_SUSPEND_RESUME -->
            <GrantedAccess name="technique_id=T1003,technique_name=Credential Dumping">0x0810</GrantedAccess>            <!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ - possible memory dump to extract sensitive information -->
            <GrantedAccess name="technique_id=T1055,technique_name=Process Injection">0x0820</GrantedAccess>            <!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_WRITE - possible memory injection -->
            <GrantedAccess name="technique_id=T1055.012,technique_name=Process Hollowing">0x800</GrantedAccess>            <!-- PROCESS_SUSPEND_RESUME -->
            <GrantedAccess name="technique_id=T1003,technique_name=Credential Dumping">0x810</GrantedAccess>            <!-- PROCESS_SUSPEND_RESUME + PROCESS_VM_READ - possible memory dump to extract sensitive information -->
            <GrantedAccess name="technique_id=T1055,technique_name=Process Injection">0x820</GrantedAccess>   
			<SourceImage condition="end with">jjs.exe</SourceImage>
			<SourceImage condition="end with">cscript.exe</SourceImage>
			<TargetImage condition="end with" name="Credential Access - Lsass MemAccess">lsass.exe</TargetImage>
			<TargetImage condition="end with">winlogon.exe</TargetImage>
			<SourceImage condition="contains">powershell.exe</SourceImage>
			<TargetImage condition="contains">verclsid.exe</TargetImage>
			<CallTrace condition="contains">VBE7.dll</CallTrace>
			<CallTrace condition="contains">CorperfmontExt.dll</CallTrace>
			<SourceImage condition="begin with">c:\users\</SourceImage><!-- if too noisy, replace it with AppData and contains as condition -->
			<SourceImage condition="begin with">c:\programdata\</SourceImage>
			<SourceImage condition="begin with">C:\Windows\Media\</SourceImage>
			<SourceImage condition="begin with">C:\Windows\addins\</SourceImage>
			<SourceImage condition="begin with">C:\Windows\system32\config\systemprofile\</SourceImage>
			<SourceImage condition="begin with">C:\Windows\Debug\</SourceImage> 
			<SourceImage condition="begin with">C:\Windows\Temp</SourceImage>
			<SourceImage condition="begin with">C:\PerfLogs\</SourceImage>
			<SourceImage condition="begin with">C:\Windows\Help\</SourceImage>
			<SourceImage condition="begin with">C:\Intel\Logs\</SourceImage>
			<SourceImage condition="begin with">C:\Temp</SourceImage>
			<SourceImage condition="begin with">C:\Windows\repair\</SourceImage>
			<SourceImage condition="begin with">C:\ProgramData</SourceImage>
			<SourceImage condition="begin with">C:\Windows\security\</SourceImage>
			<SourceImage condition="begin with">C:\Windows\Fonts\</SourceImage>
			<SourceImage condition="begin with">C:\$Recycle.bin\</SourceImage>
			<SourceImage condition="contains">\Windows\IME\</SourceImage>
			<SourceImage condition="contains">AppData\Local\Programs\Opera</SourceImage>
			<Rule groupRelation="and"><!-- https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6 -->
			<CallTrace name="technique_id=T1055,technique_name=Process Injection" condition="not begin with">C:\Windows\SYSTEM32\ntdll.dll</CallTrace>
			<CallTrace name="technique_id=T1055,technique_name=Process Injection" condition="not begin with">C:\Windows\SYSTEM32\win32u.dll</CallTrace>
			<CallTrace name="technique_id=T1055,technique_name=Process Injection" condition="not begin with">C:\Windows\SYSTEM32\wow64win.dll</CallTrace>
			</Rule>
			<Rule groupRelation="and">
			<CallTrace name="technique_id=T1055.001,technique_name=Dynamic-link Library Injection" condition="contains all">C:\Windows\SYSTEM32\ntdll.dll;C:\Windows\System32\kernelbase.dll;UNKNOWN</CallTrace>          <!--@darkquassar-->
			<GrantedAccess name="technique_id=T1055.001,technique_name=Dynamic-link Library Injection" condition="contains any">0x1F0FFF;0x1F1FFF;0x143A;0x1410;0x1010;0x1F2FFF;0x1F3FFF;0x1FFFFF;0x147A</GrantedAccess>
			</Rule>
			<Rule groupRelation="and" name="technique_id=T1055,technique_name=Process Injection">
			<SourceImage condition="contains all">C:\Program Files;\Microsoft Office\Root\Office</SourceImage>
			<CallTrace condition="contains">\Microsoft Shared\VBA</CallTrace>
			</Rule>
			<Rule groupRelation="and">
			<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
			<GrantedAccess>0x1FFFFF</GrantedAccess>
			</Rule>
			<Rule groupRelation="and">
			<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
			<GrantedAccess>0x1F1FFF</GrantedAccess>
			</Rule>
			<Rule groupRelation="and">
			<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
			<GrantedAccess>0x1010</GrantedAccess>
			</Rule>
			<Rule groupRelation="and">
			<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
			<GrantedAccess>0x143A</GrantedAccess>
			</Rule>
			<!--Dumping credentials from services or setting up a keylogger-->
			<Rule groupRelation="and">
			<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\csrss.exe</TargetImage> <!--Mitre T1098--> <!--Mitre T1075--> <!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
			<GrantedAccess>0x1F1FFF</GrantedAccess>
			</Rule>
			<Rule groupRelation="and">
			<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\wininit.exe</TargetImage> <!--Mitre T1098--> <!--Mitre T1075--> <!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
			<GrantedAccess>0x1F1FFF</GrantedAccess>
			</Rule>
			<Rule groupRelation="and">
			<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\winlogon.exe</TargetImage> <!--Mitre T1098--> <!--Mitre T1075--> <!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
			<GrantedAccess>0x1F1FFF</GrantedAccess>
			</Rule>
			<Rule groupRelation="and">
			<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\services.exe</TargetImage> <!--Mitre T1098--> <!--Mitre T1075--> <!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
			<GrantedAccess>0x1F1FFF</GrantedAccess>
			</Rule>
			<Rule groupRelation="or">
			<GrantedAccess name="technique_id=T1003,technique_name=Credential Dumping">0x0810</GrantedAccess>
			</Rule>
			<!-- Detect process hollowing-->
			<Rule groupRelation="or">
            <GrantedAccess name="technique_id=T1093,technique_name=Process Hollowing">0x0800</GrantedAccess>
            <GrantedAccess name="technique_id=T1093,technique_name=Process Hollowing">0x800</GrantedAccess>
			</Rule>
			<!-- Detect process process injection-->
			<Rule groupRelation="or">
            <GrantedAccess name="technique_id=T1055,technique_name=Process Injection">0x0820</GrantedAccess>
            <GrantedAccess name="technique_id=T1055,technique_name=Process Injection">0x820</GrantedAccess>
			</Rule>
			<Rule groupRelation="and">
          <TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>          <!--Mitre T1098-->          <!--Mitre T1550.002-->          <!--Mitre T1003-->          <!-- depending on what you're running on your host, this might be noisy-->
          <GrantedAccess>0x1FFFFF</GrantedAccess>          <!--Expect EDRs/AVs to also trigger this-->
        </Rule>
			<Rule groupRelation="and">
          <TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>          <!--Mitre T1098-->          <!--Mitre T1550.002-->          <!--Mitre T1003-->          <!-- depending on what you're running on your host, this might be noisy-->
          <GrantedAccess>0x1F1FFF</GrantedAccess>
        </Rule>
			<Rule groupRelation="and">
          <TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>          <!--Mitre T1098-->          <!--Mitre T1550.002-->          <!--Mitre T1003-->          <!-- depending on what you're running on your host, this might be noisy-->
          <GrantedAccess>0x1010</GrantedAccess>
        </Rule>
			<Rule groupRelation="and">
          <TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>          <!--Mitre T1098-->          <!--Mitre T1550.002-->          <!--Mitre T1003-->          <!-- depending on what you're running on your host, this might be noisy-->
          <GrantedAccess>0x143A</GrantedAccess>
        </Rule>
			<Rule groupRelation="and">
          <TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="image">lsass.exe</TargetImage>          <!--https://pentestlab.blog/2018/05/15/lateral-movement-winrm/-->
          <SourceImage name="technique_id=T1003,technique_name=Credential Dumping" condition="image">wsmprovhost.exe</SourceImage>
        </Rule> 
		</ProcessAccess>
		</RuleGroup>
		
		<RuleGroup name="ProcessAccess exclude" groupRelation="or">
		<ProcessAccess onmatch="exclude">
		  <Rule groupRelation="and">
			 <TargetImage condition="end with">\chrome.exe</TargetImage>
			 <SourceImage condition="end with">\chrome.exe</SourceImage> 
		  </Rule>
		  <SourceImage condition="begin with">C:\ProgramData\Microsoft\Windows Defender\platform\</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		  <SourceImage condition="end with">\Bin\FMS.exe</SourceImage> <!-- Exchange Process --><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		  <SourceImage condition="end with">C:\Windows\System32\smss.exe</SourceImage>
		  <SourceImage condition="end with">\Google\Update\GoogleUpdate.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		  <SourceImage condition="is">C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe</SourceImage>
		  <SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
		  <SourceImage condition="is">C:\Program Files\Webroot\WRSA.exe</SourceImage>
		  <SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
		  <TargetImage condition="is">C:\Windows\Sysmon.exe</TargetImage>
		  <TargetImage condition="is">C:\Windows\Sysmon64.exe</TargetImage>
		  <SourceImage condition="end with">:\Windows\system32\sppsvc.exe</SourceImage>
		  <SourceImage condition="end with">:\Windows\system32\sdiagnhost.exe</SourceImage>
		  <SourceImage condition="end with">\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe</SourceImage>
		  <SourceImage condition="end with">\Common Files\Adobe\AdobeGCClient\AGSService.exe</SourceImage>
		  <SourceImage condition="begin with">C:\ProgramData\WebEx\webex\</SourceImage>
		  <SourceImage condition="begin with">b:\steamlibrary\steamapps\</SourceImage><!-- Could miss things if you leave this uncommented, but it also reduces noise for me-->
		  <SourceImage condition="end with">\Dropbox\Update\DropboxUpdate.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		  <SourceImage condition="end with">LTSvc\LTSVC.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		  <SourceImage condition="end with">\Trusteer\Rapport\bin\RapportMgmtService.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		  <SourceImage condition="end with">Adobe\AdobeGCClient\AGMService.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		  <SourceImage condition="end with">NT-ware Shared\MomAdmSvc\MomAdmSvc.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		  <SourceImage condition="end with">\Autodesk\Autodesk Desktop App\AdAppMgrSvc.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		  <SourceImage condition="is">c:\Windows\system32\wbem\wmiprvse.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		  <SourceImage condition="is">C:\Windows\sysWOW64\wbem\wmiprvse.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		  <SourceImage condition="end with">\vmtoolsd.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		  <SourceImage condition="end with">\VBoxService.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		  <SourceImage condition="end with">\LTSVC.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		  <SourceImage condition="end with">\taskmgr.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		  <SourceImage condition="end with">\procexp64.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		  <SourceImage condition="end with">\procmon.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		  <SourceImage condition="end with">\procexp.exe</SourceImage> <!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		  <SourceImage condition="is">C:\Windows\system32\csrss.exe</SourceImage> 
		  <SourceImage condition="is">C:\Windows\system32\wininit.exe</SourceImage> 
		  <SourceImage condition="is">C:\Windows\System32\lsm.exe</SourceImage>
		  <SourceImage condition="is">C:\Windows\system32\MRT.exe</SourceImage> 
		  <SourceImage condition="end with">\Citrix\System32\wfshell.exe</SourceImage> <!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		  <SourceImage condition="is">C:\Program Files (x86)\Kontiki\KService.exe</SourceImage>
		  <SourceImage condition="is">C:\Windows\system32\dgagent\DSAGENT.exe</SourceImage>
		  <SourceImage condition="is">C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe</SourceImage>
		  <SourceImage condition="begin with">C:\ProgramData\Microsoft\Windows Defender\platform\</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		  <SourceImage condition="is">C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe</SourceImage> 
		  <SourceImage condition="end with">AppData\Local\Microsoft\Teams\current\Teams.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		  <SourceImage condition="end with">Microsoft.Identity.AadConnect.Health.AadSync.Host.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		  <SourceImage condition="is">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe</SourceImage>
		  <SourceImage condition="end with">Commvault\ContentStore\Base\cvd.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		  <SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
		  <SourceImage condition="is">C:\Program Files\Webroot\WRSA.exe</SourceImage>
		  <SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
		  <TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage>
		  <SourceImage condition="is">C:\Windows\CCM\CcmExec.exe</SourceImage>
		  <SourceImage condition="begin with">C:\Program Files\HP Inc\</SourceImage>
		  <SourceImage condition="begin with">C:\Program Files (x86)\Trend Micro\</SourceImage>
		  <SourceImage condition="begin with">C:\Program Files (x86)\Symantec\Symantec Endpoint Protection</SourceImage> 
		  <SourceImage condition="is">C:\Windows\System32\msiexec.exe</SourceImage> <!-- temp -->
		  <SourceImage condition="is">C:\Program Files\Internet Explorer\iexplore.exe</SourceImage> <!-- temp -->
		  <SourceImage condition="begin with">C:\ProgramData\Microsoft\Windows Defender\platform\</SourceImage>
			  <SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
			  <SourceImage condition="is">C:\Windows\system32\spoolsv.exe</SourceImage>
			  <SourceImage condition="is">C:\Program Files\Manufacturer\Endpoint Agent\edpa.exe</SourceImage><!-- symantec dlp -->
			  <SourceImage condition="begin with">C:\Windows\syswow64\</SourceImage>
			  <SourceImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe</SourceImage>
			  <SourceImage condition="is">C:\Program Files\N-able Technologies\AVDefender\EPUpdateService.exe</SourceImage>
			  <SourceImage condition="end with">\EMET_Service.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <SourceImage condition="end with">\EMET_GUI.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <SourceImage condition="end with">\procexp64.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <SourceImage condition="end with">\procmon64.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <SourceImage condition="end with">\software_reporter_tool.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <SourceImage condition="end with">\NGenTask.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <SourceImage condition="end with">\Autoruns.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <SourceImage condition="end with">\Autorunsc.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			  <SourceImage condition="contains">\processhacker</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<SourceImage condition="end with">\AppData\Local\Programs\Microsoft VS Code\Code.exe</SourceImage><!--VSCode path for default install-->
			<SourceImage condition="is">C:\Program Files (x86)\VMware\VMWare Player\vmware-authd.exe</SourceImage>
			<SourceImage condition="is">C:\Program Files\Microsoft Security Client\MsMpEng.exe</SourceImage>
			<SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
			<SourceImage condition="is">C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\mfeesp.exe</SourceImage><!--McAfee:Endpoint Security Platform-->
			<SourceImage condition="is">C:\Program Files\McAfee\Agent\x86\macompatsvc.exe</SourceImage><!--McAfee:Agent-->
			<SourceImage condition="is">C:\Program Files\WinZip\FAHWindow64.exe</SourceImage>
			<SourceImage condition="is">C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\CCM\CcmExec.exe</SourceImage>
			<SourceImage condition="end with">\procexp64.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<SourceImage condition="begin with">C:\Windows\</SourceImage> <!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<SourceImage condition="begin with">C:\Program Files (x86)\</SourceImage> <!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<SourceImage condition="begin with">C:\Program Files\</SourceImage> <!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<SourceImage condition="begin with">C:\programdata\microsoft\Windows defender\platform\</SourceImage>
			<SourceImage condition="end with">\GoogleUpdate.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<SourceImage condition="end with">\LTSVC.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<SourceImage condition="end with">\SWELF.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<SourceImage condition="end with">\taskmgr.exe</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<SourceImage condition="begin with">C:\Program Files\Fortinet\FortiClient\</SourceImage><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<SourceImage condition="end with">\VBoxService.exe</SourceImage> <!-- Virtual Box --><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<SourceImage condition="end with">\vmtoolsd.exe</SourceImage> <!-- VMWare --><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<SourceImage condition="end with">\Citrix\System32\wfshell.exe</SourceImage> <!--Citrix process in C:\Program Files (x86)\Citrix\System32\wfshell.exe -->
			<SourceImage condition="is">C:\Windows\System32\lsm.exe</SourceImage> <!-- System process under C:\Windows\System32\lsm.exe -->
			<SourceImage condition="end with">\Microsoft.Identity.AadConnect.Health.AadSync.Host.exe</SourceImage> <!-- Microsoft Azure AD Connect Health Sync Agent -->
			<SourceImage condition="begin with">C:\Program Files (x86)\Symantec\Symantec Endpoint Protection</SourceImage> <!-- Symantec -->
			<GrantedAccess>0x1000</GrantedAccess> <!-- PROCESS_QUERY_LIMITED_INFORMATION Generic call, quite noisy and tells not much-->
			<GrantedAccess>0x1400</GrantedAccess> <!-- PROCESS_QUERY_LIMITED_INFORMATION + PROCESS_QUERY_INFORMATION Generic call, quite noisy and tells nothing-->
			<GrantedAccess>0x101400</GrantedAccess> <!-- PROCESS_QUERY_LIMITED_INFORMATION + PROCESS_QUERY_INFORMATION + SYNCHRONIZE Generic call, quite noisy and tells nothing-->
			<GrantedAccess>0x101000</GrantedAccess>
			<GrantedAccess condition="is">0x40</GrantedAccess><!-- noisy -->
			<GrantedAccess condition="is">0x3200</GrantedAccess><!-- generic access rights -->
			<GrantedAccess condition="end with">0x101000</GrantedAccess><!-- generic access rights -->
			<GrantedAccess condition="end with">0x101001</GrantedAccess> <!-- generic access rights -->
			<GrantedAccess condition="end with">0x100000</GrantedAccess><!-- generic access rights -->
			<GrantedAccess condition="end with">0x101400</GrantedAccess><!-- generic access rights -->
			<GrantedAccess condition="end with">0x100040</GrantedAccess><!-- generic access rights -->
			<GrantedAccess condition="end with">0x1000000</GrantedAccess><!-- generic access rights -->
			<CallTrace condition="contains">Windows defender</CallTrace> <!-- windefender -->
		    <CallTrace condition="contains">mpengine.dll</CallTrace> <!-- Windefender -->
		    <CallTrace condition="contains">UNKNOWN(00007F</CallTrace>
		    <CallTrace condition="contains">appresolver.dll</CallTrace>
		    <CallTrace condition="contains">sysmain.dll</CallTrace>
		</ProcessAccess>
		</RuleGroup>
		
		<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
		<!--EVENT 11: "File created"-->
		<!--NOTE:	Other filesystem "minifilters" can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
		<!--NOTE:	You may not see files detected by antivirus. Other filesystem minifilters, like antivirus, can act before Sysmon receives the alert a file was written.-->
		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
		<RuleGroup name="FileCreate exclude" groupRelation="or">
		<FileCreate onmatch="exclude">
			<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows.Search</Image>
			<Image condition="is">C:\Windows\System32\mousocoreworker.exe</Image>
			<Image condition="is">C:\program files (x86)\steam\steam.exe</Image>
			<Image condition="is">C:\Windows\System32\svchost.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Notepad++\notepad++.exe</Image>
			<Image condition="begin with">C:\Program Files (x86)\Symantec\Symantec Endpoint Protection</Image>
			<Image condition="is">C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1907.4-0\MsMpEng.exe</Image>
			<Image condition="begin with">C:\ProgramData\Microsoft\Windows Defender\platform\</Image>
			<Image condition="begin with">C:\Program Files\Fortinet\FortiClient\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="end with">\SearchUI.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="begin with">C:\Program Files\Fortinet\FortiClient\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="end with">\AppData\Local\Microsoft\Teams\current\Teams.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="begin with">C:\Program Files\Mozilla Firefox\</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
			<Image condition="begin with">C:\Program Files (x86)\Fortinet\FortiClient\</Image> 
			<Image condition="is">C:\Program Files (x86)\EMET 5.5\EMET_Service.exe</Image> <!--Microsoft:EMET: Writes to C:\Windows\AppPatch\-->
			<Image condition="is">C:\Program Files (x86)\Notepad++\notepad++.exe</Image> 
			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> 
			<Image condition="is">C:\Windows\system32\smss.exe</Image> <!-- Microsoft:Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
			<Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image> 
			<Image condition="is">C:\Windows\system32\mobsync.exe</Image> <!--Microsoft:Windows: Network file syncing-->
			<Image condition="begin with">C:\Windows\winsxs\amd64_microsoft-Windows</Image> <!-- Microsoft:Windows: Windows update-->
			<Image condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</Image>
			<Image condition="is">C:\Windows\system32\igfxCUIService.exe</Image> <!--Intel: Drops bat and other files in \Windows in normal operation-->
			<Image condition="begin with">C:\Program Files (x86)\Microsoft Visual Studio\</Image> 
			<Image condition="is">c:\Windows\system32\svchost.exe</Image>
			<Image condition="is">c:\riot games\league of legends\leagueclient.exe</Image>
			<Image condition="is">c:\riot games\league of legends\game\league of legends.exe</Image>
			<Image condition="is">c:\program files (x86)\autodesk\autodesk desktop app\adappmgrsvc.exe</Image>
			<Image condition="is">c:\Windows\system32\lsass.exe</Image>
			<Image condition="is">c:\Windows\system32\cleanmgr.exe</Image>
			<Image condition="is">c:\Windows\system32\backgroundtaskhost.exe</Image>		
			<Rule groupRelation="and">
			<Image condition="is">c:\Windows\system32\svchost.exe</Image>
			<TargetFilename condition="begin with">C:\programdata\diagnosis\</TargetFilename>
			</Rule>
			<Rule groupRelation="and">
			<Image condition="is">C:\Windows\system32\wermgr.exe</Image>
			<TargetFilename condition="begin with">C:\ProgramData\Microsoft\Windows\WER</TargetFilename>
			</Rule>
			<Rule groupRelation="and">
			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Root\Office16\SDXHelper.exe</Image>
			<TargetFilename condition="contains">\AppData\Local\Microsoft\Office\SolutionPackages</TargetFilename>
			</Rule>
			<Rule groupRelation="and">
			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.14729.20260\OfficeClickToRun.exe</Image>
			<TargetFilename condition="contains">C:\Program Files\Microsoft Office\Updates\Download\PackageFiles</TargetFilename>
			</Rule>
			<Rule groupRelation="and">
			<Image condition="end with">\AppData\Local\Programs\Microsoft VS Code\Code.exe</Image>
			<TargetFilename condition="contains">AppData\Roaming\Code\Backups\</TargetFilename>
			</Rule>
			<Rule groupRelation="and">
			<Image condition="is">c:\Windows\system32\werfault.exe</Image>
			<TargetFilename condition="begin with">c:\programdata\microsoft\Windows\wer\reportarchive\</TargetFilename>
			</Rule>
			<Rule groupRelation="and">
			<Image condition="is">C:\program files (x86)\steam\bin\cef\cef.win7x64\steamwebhelper.exe</Image>
			<TargetFilename condition="contains">\appdata\local\steam\htmlcache\code cache\</TargetFilename>
			</Rule>
			<Rule groupRelation="and">
			<Image condition="end with">\XboxAppServices.exe</Image>
			<TargetFilename condition="end with">\LocalState\DiagOutputDir\XboxAppServices\ftc_log.txt.~tmp</TargetFilename>
			</Rule>
			<Rule groupRelation="and">
			<Image condition="is">C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</Image>
			<TargetFilename condition="contains">\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\</TargetFilename>
			</Rule>
			<Rule groupRelation="and"><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Program Files (x86)\Mozilla Firefox\firefox.exe</Image>
			<TargetFilename condition="contains">\AppData\Local\Mozilla\Firefox\Profiles\</TargetFilename>
			</Rule>
			<Rule groupRelation="and"><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\WINDOWS\Sysmon.exe</Image>
			<TargetFilename condition="is">C:\Sysmon\CLIP-</TargetFilename>
			</Rule>
			<Rule groupRelation="and">
			<Image condition="begin with">C:\Program Files\Symantec\Symantec Endpoint Protection</Image>
			<TargetFilename condition="begin with">C:\ProgramData\Symantec\Symantec Endpoint Protection</TargetFilename>
			</Rule>
			<Rule groupRelation="and">
				<Image condition="is">C:\Windows\system32\wbem\WMIADAP.EXE</Image> <!-- Microsoft:Windows: WMI Performance updates-->
				<TargetFilename condition="begin with">C:\Windows\system32\wbem\Performance\</TargetFilename>
			</Rule>
			<Image condition="is">c:\riot games\riot client\riotclientservices.exe</Image>
			<TargetFilename condition="begin with">C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask</TargetFilename><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<TargetFilename condition="begin with">C:\Windows\system32\DriverStore\Temp\</TargetFilename> <!-- Microsoft:Windows: Temp files by DrvInst.exe-->
			<TargetFilename condition="begin with">C:\Program Files\WindowsApps\</TargetFilename><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost-->
			<TargetFilename condition="end with">.cdownload</TargetFilename> 
			<TargetFilename condition="end with">.tmp</TargetFilename> <!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<TargetFilename condition="end with">.etl</TargetFilename>
			<TargetFilename condition="end with">.pf</TargetFilename>
			<TargetFilename condition="end with">.log</TargetFilename><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<TargetFilename condition="end with">.rslc</TargetFilename> 
			<TargetFilename condition="begin with">C:\Windows\SoftwareDistribution\Download\</TargetFilename><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<TargetFilename condition="begin with">C:\Windows\Installer\</TargetFilename> <!--Microsoft:Windows:Installer: Ignore MSI installer files caching-->
			<TargetFilename condition="begin with">C:\$Windows.~BT\Sources\</TargetFilename> <!-- Microsoft:Windows: Feature updates containing lots of .exe and .sys-->
			<TargetFilename condition="is">C:\Windows\System32\Tasks\Adobe Acrobat Update Task</TargetFilename>
			<TargetFilename condition="is">C:\Windows\System32\Tasks\Adobe Flash Player Updater</TargetFilename>
			<TargetFilename condition="begin with">C:\Windows\System32\LogFiles\</TargetFilename>
			<TargetFilename condition="is">C:\Tools\SysinternalsSuite\Sysmon64.exe</TargetFilename> 
			<TargetFilename condition="is">C:\Windows\microsoft.net\ngennicupdatelock.dat</TargetFilename>
			<TargetFilename condition="begin with">C:\Program Files\Fortinet\FortiClient\</TargetFilename> <!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<TargetFilename condition="contains">\AppData\Roaming\Mozilla\Firefox\Profiles\</TargetFilename><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<TargetFilename condition="contains">\AppData\Roaming\Microsoft\Teams\</TargetFilename><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
		</FileCreate>
		</RuleGroup>
		
		<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->
		<!--EVENT 12: "Registry object added or deleted"-->
		<!--EVENT 13: "Registry value set-->
		<!--EVENT 14: "Registry objected renamed"-->
		<!--NOTE:	Windows writes hundreds or thousands of registry keys a minute, so just because you're not changing things, doesn't mean these rules aren't being run.-->
		<!--NOTE:	You do not have to spend a lot of time worrying about performance, CPUs are fast, but it's something to consider. Every rule and condition type has a small cost.-->
		<!--NOTE:	"contains" works by finding the first letter, then matching the second, etc, so the first letters should be as low-occurrence as possible.-->
		<!--NOTE:	[ https://attack.mitre.org/wiki/Technique/T1112 ] -->
		<!--TECHNICAL:	You cannot filter on the "Details" attribute, due to performance issues when very large keys are written, and variety of data formats-->
		<!--TECHNICAL:	Possible prefixes are HKLM, HKCR, and HKU-->
		<!--CRITICAL:	Schema version 3.30 and higher change HKLM\="\REGISTRY\MACHINE\" and HKU\="\REGISTRY\USER\" and HKCR\="\REGISTRY\MACHINE\SOFTWARE\Classes\" and CurrentControlSet="ControlSet001"-->
		<!--CRITICAL:	Due to a bug, Sysmon versions BEFORE 7.01 may not properly log with the new prefix style for registry keys that was originally introduced in schema version 3.30-->
		<!--NOTE:	Because Sysmon runs as a service, it has no filtering ability for, or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation-->
		<!-- ! CRITICAL NOTE !:	It may appear this section is MISSING important entries, but SOME RULES MONITOR MANY KEYS, so look VERY CAREFULLY to see if something is already covered.-->
		<!--DATA: EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, Details (can't filter on), NewName (can't filter on)-->
		<RuleGroup name="RegistryEvent include" groupRelation="or">
		<RegistryEvent onmatch="include">
			<!--Credential providers-->
			<TargetObject name="Modification on WMI logging method ETW Tracer" condition="contains">\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AUTOLOGGER_NAME\</TargetObject>
			<TargetObject name="Unwanted/Suspicious Reg modification" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
			<TargetObject name="Unwanted/Suspicious Reg modification" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa</TargetObject>
			<TargetObject name="Unwanted/Suspicious Reg modification" condition="begin with">HKLM\SYSTEM\ControlSet001\Services\Npfs\Aliases</TargetObject>
			<TargetObject name="Outlook Homepage Persistence Reg Key" condition="contains">\Software\Microsoft\Office\16.0\Outlook\Today\Stamp</TargetObject>
			<TargetObject name="AutoRun Reg Key Creation" condition="contains">\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load</TargetObject>
			<TargetObject name="Outlook Homepage Persistence Reg Key" condition="contains">\Outlook\Today\UserDefinedUrl</TargetObject>
			<TargetObject name="Outlook Homepage Persistence Reg Key" condition="contains">\Outlook\WebView\Inbox</TargetObject>
			<TargetObject name="Outlook Homepage Persistence Reg Key" condition="contains">\Outlook\Security</TargetObject>
			<TargetObject name="Outlook Homepage Persistence Reg Key" condition="contains">\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook</TargetObject>
			<TargetObject name="technique_id=T1003,technique_name=Credential Dumping" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders</TargetObject><!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-Windows-8-1/ ] -->
			<TargetObject name="technique_id=T1003,technique_name=Credential Dumping" condition="contains">\Control\SecurityProviders\WDigest</TargetObject>
			<TargetObject name="technique_id=T1103,technique_name=Appinit DLLs" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls</TargetObject><!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/Windows/desktop/dd744762(v=vs.85).aspx ] -->
			<TargetObject name="technique_id=T1103,technique_name=Appinit DLLs PERSISTENCE VIA REGISTRY MODIFICATION" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls</TargetObject><!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/Windows/desktop/dn280412(v=vs.85).aspx ] -->
			<TargetObject name="technique_id=T1076,technique_name=Remote Desktop Protocol" condition="is">HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services</TargetObject>
			<!-- Win32_OSRecoveryConfiguration class C2 maps to a change in values within the following key: -->
			<TargetObject name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="contains">SYSTEM\CurrentControlSet\Control\CrashControl</TargetObject>
			<!--Windows UAC tampering-->
			<TargetObject name="technique_id=T1088,technique_name=Bypass User Account Control" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject> <!--Detect: UAC Tampering | Credit @ion-storm -->
			<TargetObject name="technique_id=T1088,technique_name=Bypass User Account Control" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject> <!--Detect: UAC Tampering | Credit @ion-storm -->
			<TargetObject name="technique_id=T1088,technique_name=Bypass User Account Control" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
			<TargetObject name="technique_id=T1088,technique_name=Bypass User Account Control" condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
            <TargetObject name="technique_id=T1122,technique_name=Component Object Model Hijacking" condition="contains">Software\Classes\CLSID</TargetObject><!--Appears in HKLM and HKCU-->
			<TargetObject condition="contains" name="PrivEsc - UACBypass - mscfile">mscfile\shell\open\command\(Default)</TargetObject>
			<TargetObject condition="contains" name="PrivEsc - UACBypass - SDCLT">exefile\shell\runas\command\IsolatedCommand</TargetObject>
			<TargetObject condition="contains" name="PrivEsc - UACBypass UACME-34">\environment\windir</TargetObject>
			<TargetObject condition="contains" name="PrivEsc - UACBypass Perfmon">\Volatile Environment\SYSTEMROOT</TargetObject>
			<TargetObject condition="contains" name="Defense Evasion - Macro Auto Open Warning Disbaled">\Security\AccessVBOM</TargetObject>
			<TargetObject condition="contains" name="Cred Gathering - RDP BMC cache files access">\Local\Microsoft\Terminal Server Client\Cache</TargetObject>
			<TargetObject condition="contains" name="PrivEsc - UACBypass UACME-45">\exefile\shell\open\command\(Default)</TargetObject>
			<TargetObject condition="contains" name="PrivEsc - UACBypass UACME-53">\Folder\shell\open\command\(Default)</TargetObject>
			<TargetObject condition="contains" name="PrivEsc - UACBypass UACME-33">\ms-settings\shell\open\command</TargetObject>
			<TargetObject condition="contains" name="Defensive Evasino - DLL Safe Search Order setting accessed">\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode</TargetObject>
			<TargetObject condition="contains" name="PrivEsc - UACBypass">Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe</TargetObject>	 
			<TargetObject condition="begin with" name="Defense Evasion - UAC Config Changed">SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
			<TargetObject condition="begin with" name="Defense Evasion - UACBypass">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject>
			<TargetObject condition="contains" name="PrivEsc - UACBypass mscfile reg_hijack">\mscfile\shell\open\command</TargetObject>
			<TargetObject condition="contains" name="PrivEsc - UACBypass UACME-56">AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command</TargetObject>
			<TargetObject condition="contains" name="PrivEsc - UACBypass - AppPathControl">Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe\(Default)</TargetObject>
			<Image name="Something from RecycleBin touched the registry, SUSPICIOUS" condition="begin with">C:\$Recycle.Bin</Image>
			<Image name="Suspicious,Image Begin with Backslash" condition="begin with">\</Image> <!--Devices and VSC shouldn't be executing changes | Credit: @SBousseaden @ionstorm @neu5ron @PerchedSystems [ https://twitter.com/SwiftOnSecurity/status/1133167323991486464 ] -->
			<TargetObject name="Persistence via SilentProcessExit hijack" condition="contains">CurrentVersion\SilentProcessExit</TargetObject>
			<TargetObject name="Persistence - Outlook COM Addins" condition="contains">\Outlook\Addins</TargetObject>
		    <TargetObject name="Persistence - Excel COM Addins" condition="contains">\Excel\Addins</TargetObject>
		    <TargetObject name="Persistence - Excel Addins" condition="contains">Excel\Options\OPEN</TargetObject>
		    <TargetObject name="Persistence - Word COM Addins" condition="contains">\Word\Addins</TargetObject>
		    <TargetObject name="Persistence - Access COM Addins" condition="contains">\Access\Addins\</TargetObject>
		    <TargetObject name="Persistence - Powerpoint COM Addins" condition="contains">\Powerpoint\Addins\</TargetObject>
		    <TargetObject name="Persistence - VBE Addins" condition="contains">Software\Microsoft\VBA\VBE\6.0\Addins</TargetObject>
		    <TargetObject name="Persistence - Office Test RegKey" condition="contains">Software\Microsoft\Office test\Special\Perf</TargetObject><!-- http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ -->
		    <TargetObject name="Persistence - Macro Auto Loading enabled on outlook" condition="end with">Outlook\LoadMacroProviderOnBoot</TargetObject>
			<TargetObject name="Defense Evasion - PowerShell ExecPolicy Changed" condition="end with">Microsoft.PowerShell\ExecutionPolicy</TargetObject>
		    <TargetObject name="Defense Evasion - PowerShell Audit Settings Changed" condition="end with">EnableModuleLogging</TargetObject>
		    <TargetObject name="Defense Evasion - PowerShell Audit Settings Changed" condition="end with">EnableScriptBlockLogging</TargetObject>
		    <TargetObject name="Defense Evasion - PowerShell Audit Settings Changed" condition="contains">PowerShell\Transcription</TargetObject>
		    <TargetObject name="Defense Evasion - access to the VBA project object model in the Macro Settings changed" condition="end with">AccessVBOM</TargetObject><!--https://www.stigviewer.com/stig/microsoft_powerpoint_2007/2014-04-03/finding/V-17522 -->
		    <TargetObject name="Defense Evasion - Changes to ProtectedView Security Setting" condition="contains">Security\ProtectedView</TargetObject>
		    <TargetObject name="Defense Evasion - Office Trusted Locations changed" condition="contains">Security\Trusted Locations</TargetObject> <!-- can be abused to execute unrestricted vba from specific desired locations -->
		    <TargetObject name="Defense Evasion - Lsa Protection changed" condition="end with">SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL</TargetObject>			
			<TargetObject name="technique_id=T1060,technique_name=Registry Run Keys / Start Folder" condition="contains">CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Wildcard for Run keys, including RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server] -->
			<TargetObject name="DNS Query location was changed" condition="begin with">HKLM\SYSTEM\CurrentControlSet\services\DNS\Parameters\</TargetObject> <!--Microsoft:Windows:DNS: ServerLevelPluginDll Issue https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 -->
			<TargetObject name="Reg AutoRun Key" condition="contains">Policies\Explorer\Run</TargetObject>
			<TargetObject name="Possible adding a rogue named pipe" condition="end with">NullSessionPipes</TargetObject>
			<TargetObject name="Reg Key used in DLL Hijack, if disabled possible DLL hijack." condition="end with">\CurrentControlSet\Control\Session Manager\SafeDLLSearchMode</TargetObject>
			<TargetObject name="Reg AutoRun Key" condition="contains">\Software\Microsoft\Internet Explorer\Main</TargetObject> 
			<!--<TargetObject name="Alternate runs keys" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap</TargetObject>--> <!--Microsoft:Windows: Alternate runs keys | Credit @ion-storm-->
			<TargetObject name="Reg key for Group policy scripts" condition="contains">Group Policy\Scripts</TargetObject> <!--Microsoft:Windows: Group policy scripts-->
			<TargetObject name="Reg Key for Wildcard for Logon, Loggoff, Shutdown scripts" condition="contains">Windows\System\Scripts</TargetObject> <!--Microsoft:Windows: Wildcard for Logon, Loggoff, Shutdown-->
			<TargetObject name="Reg Key for Microsoft:Windows: Autorun location" condition="contains">CurrentVersion\Windows\Load</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
			<TargetObject name="technique_id=T1060,technique_name=Registry Run Keys / Start Folder" condition="contains">CurrentVersion\Windows\Run</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
			<TargetObject name="Reg Key for Microsoft:Windows: Autorun location" condition="contains">CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/ms838576(v=winembedded.5).aspx ] -->
			<TargetObject name="Reg Key for Microsoft:Windows: Autorun location" condition="contains">CurrentVersion\Winlogon\System</TargetObject> <!--Microsoft:Windows [ https://www.exterminate-it.com/malpedia/regvals/zlob-dns-changer/118 ] -->
			<TargetObject name="Reg Key for Microsoft:Windows: Autorun location" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify</TargetObject> <!--Microsoft:Windows: Autorun location [ https://attack.mitre.org/wiki/Technique/T1004 ] [ https://www.cylance.com/Windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
			<TargetObject name="Reg Key for Microsoft:Windows: Autorun location" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://technet.microsoft.com/en-us/library/ee851671.aspx ] -->
			<TargetObject name="Reg Key for Microsoft:Windows: Autorun location" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/Windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
			<TargetObject name="Reg Keys for Legacy driver loading" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Microsoft:Windows: Legacy driver loading | Credit @ion-storm -->
			<TargetObject name="Reg Key for Microsoft:Windows: Autorun location" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject>
			<TargetObject name="Reg key for persistance Microsoft:Windows: Autorun" condition="contains">\SYSTEM\CurrentControlSet\Services\NTDS</TargetObject><!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/Windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
			<TargetObject name="Microsoft:Windows: Automatic program crash debug program" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject> <!--Microsoft:Windows: Automatic program crash debug program [ https://www.symantec.com/security_response/writeup.jsp?docid=2007-050712-5453-99&tabid=2 ] -->
			<TargetObject name="Reg Key for Legacy logon script environment variable" condition="contains">UserInitMprLogonScript</TargetObject> <!--Microsoft:Windows: Legacy logon script environment variable [ http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ ] -->
			<!--Services-->
			<TargetObject name="Points to a service's DLL" condition="end with">\ServiceDll</TargetObject> <!--Microsoft:Windows: Points to a service's DLL [ https://blog.cylance.com/Windows-registry-persistence-part-1-introduction-attack-phases-and-Windows-services ] -->
			<TargetObject name="Manifest pointing to service's DLL" condition="end with">\ServiceManifest</TargetObject> <!--Microsoft:Windows: Manifest pointing to service's DLL [ https://www.geoffchappell.com/studies/Windows/win32/services/svchost/index.htm ] -->
			<TargetObject name="Points to a service's EXE" condition="end with">\ImagePath</TargetObject> <!--Microsoft:Windows: Points to a service's EXE [ https://attack.mitre.org/wiki/Technique/T1050 ] -->
			<TargetObject name="Services start mode changes (Disabled, Automatically, Manual)" condition="end with">\Start</TargetObject> <!--Microsoft:Windows: Services start mode changes (Disabled, Automatically, Manual)-->
			<TargetObject name="Changes to file extension mapping" condition="contains">Explorer\FileExts\</TargetObject> <!--Microsoft:Windows: Changes to file extension mapping-->
			<TargetObject name="Tooltip handler" condition="contains">{86C86720-42A0-1069-A2E8-08002B30309D}</TargetObject> <!--Microsoft:Windows: Tooltip handler-->
			<TargetObject name="Windows Executable handler, to ensure any changes not generally monitored, for less-common shell command types like runas" condition="contains">exefile</TargetObject> <!--Microsoft:Windows Executable handler, to ensure any changes not generally monitored, for less-common shell command types like "runas"-->
			<!--Windows COM-->
			<TargetObject name="COM Object Hijacking" condition="end with">\InprocServer32\(Default)</TargetObject> <!--Microsoft:Windows:COM Object Hijacking [ https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence ] | Credit @ion-storm -->
			<!--Windows shell visual modifications-->
			<TargetObject name="Some types of malware try to hide their hidden system files from the users" condition="end with">\Hidden</TargetObject> <!--Microsoft:Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event -->
			<TargetObject name="Some types of malware try to hide their hidden system files from the users" condition="end with">\ShowSuperHidden</TargetObject> <!--Microsoft:Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ] -->
			<TargetObject name="Microsoft:Windows:Explorer: Some malware hides file extensions to make diagnosis/disinfection more daunting to novice users" condition="end with">\HideFileExt</TargetObject> <!--Microsoft:Windows:Explorer: Some malware hides file extensions to make diagnosis/disinfection more daunting to novice users -->
			<!--Windows shell hijack and modifications-->
			<TargetObject name="Windows shell hijack and modifications location" condition="contains">Classes\*\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
			<TargetObject name="Windows shell hijack and modifications location" condition="contains">Classes\AllFilesystemObjects\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
			<TargetObject name="Windows shell hijack and modifications location" condition="contains">Classes\Directory\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/Windows-shell-context-menu-option ] -->
			<TargetObject name="Windows shell hijack and modifications location" condition="contains">Classes\Drive\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/Windows-shell-context-menu-option ] -->
			<TargetObject name="Windows shell hijack and modifications location" condition="contains">Classes\Folder\</TargetObject> <!--Microsoft:Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/Windows-shell-context-menu-option ] -->
			<TargetObject name="Windows shell hijack and modifications location" condition="contains">ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
			<TargetObject name="Windows shell hijack and modifications location" condition="contains">CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
			<TargetObject name="Windows shell hijack and modifications location" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
			<TargetObject name="Windows shell hijack and modifications location" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
			<TargetObject name="Windows shell hijack and modifications location" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
			<!--AppPaths hijacking-->
			<TargetObject name="AppPaths hijacking reg key" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
			<!--Terminal service boobytrap-->
			<TargetObject name="Terminal Server run keys RDP-Tcp\InitialProgram" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject> <!--Microsoft:Windows:RDP: Note other Terminal Server run keys are handled by another wildcard already-->
			<!--Group Policy integrity-->
			<TargetObject name="Group Policy integrity change" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject> <!--Microsoft:Windows: Group Policy internally uses a plug-in architecture that nothing should be modifying-->
			<!--Winsock and Winsock2-->
			<TargetObject name="Reg Winsocks service add" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
			<TargetObject name="System and user proxy server add or change" condition="end with">\ProxyServer</TargetObject> <!--Microsoft:Windows: System and user proxy server-->
			<!--Credential providers-->
			<TargetObject name="Credential Providers and Credential Provider Filters" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credential Providers and Credential Provider Filters-->
			<TargetObject name="Reg key used to detect https://attack.mitre.org/wiki/Technique/T1131 and https://attack.mitre.org/wiki/Technique/T1101" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1131 ] [ https://attack.mitre.org/wiki/Technique/T1101 ] -->
			<TargetObject name="Changes to WDigest-UseLogonCredential for password scraping" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-Windows-8-1/ ] -->
			<TargetObject name="Netsh helper DLL" condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject> <!--Microsoft:Windows: Netsh helper DLL [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
			<TargetObject name="Account password set to not expire" condition="contains">\CurrentVersion\Policies\System\DisableChangePassword</TargetObject>
			<!--Networking-->
			<TargetObject name="Order of network providers that are checked to connect to destination" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> <!--Microsoft:Windows: | Credit @ion-storm -->
			<TargetObject name="Monitor for firewall disablement, all firewall profiles" condition="end with">\EnableFirewall</TargetObject> <!--Microsoft:Windows: Monitor for firewall disablement, all firewall profiles [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject name="Microsoft:Windows: Monitor for firewall disablement, all firewall profiles" condition="end with">\DoNotAllowExceptions</TargetObject> <!--Microsoft:Windows: Monitor for firewall disablement, all firewall profiles [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject name="Windows Firewall authorized applications for all networks" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject> <!--Windows Firewall authorized applications for all networks| Credit @ion-storm -->
			<TargetObject name="Windows Firewall authorized applications for domain networks" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List</TargetObject> <!--Windows Firewall authorized applications for domain networks -->
			<!--DLLs that get injected into every process at launch-->
			<TargetObject name="DLLs that get injected into every process at launch" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: Feature disabled by default [ https://attack.mitre.org/wiki/Technique/T1103 ] -->
			<TargetObject name="DLLs that get injected into every process at launch" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows:  Feature disabled by default [ https://attack.mitre.org/wiki/Technique/T1103 ] -->
			<TargetObject name="DLLs that get injected into every process at launch,PERSISTENCE VIA REGISTRY MODIFICATION" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] [ https://blog.comodo.com/malware/trojware-win32-trojanspy-volisk-a/ ] -->
			<!--Office-->
			<TargetObject name="Microsoft:Office: Outlook add-ins, access to sensitive data and often cause issues" condition="contains">Microsoft\Office\Outlook\Addins\</TargetObject> <!--Microsoft:Office: Outlook add-ins, access to sensitive data and often cause issues-->
			<TargetObject name="Microsoft:Office: Persistence method [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ]" condition="contains">Office Test\</TargetObject> <!-- Microsoft:Office: Persistence method [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn -->
			<TargetObject name="Microsoft:Office: Monitor when Enable editing or Enable macros is used" condition="contains">Security\Trusted Documents\TrustRecords</TargetObject> <!--Microsoft:Office: Monitor when "Enable editing" or "Enable macros" is used | Credit @OutflankNL | [ https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/ ] -->
			<!--IE-->
			<TargetObject condition="contains">\Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ Example: https://www.exterminate-it.com/malpedia/remove-mywebsearch ] -->
			<TargetObject condition="contains">\Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ Example: https://www.exterminate-it.com/malpedia/remove-mywebsearch ] -->
			<TargetObject condition="contains">\Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
			<TargetObject condition="end with">\DisableSecuritySettingsCheck</TargetObject>
			<TargetObject name="-Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone " condition="end with">\3\1206</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
			<TargetObject name="Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone" condition="end with">\3\2500</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
			<TargetObject name="Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone " condition="end with">\3\1809</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
			<!--Magic registry keys-->
			<TargetObject name="Thumbnail cache autostart" condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject> <!--Microsoft:Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
			<!--Install/Infection artifacts-->
			<TargetObject name="Microsoft:ClickOnce: Source URL is stored in this value" condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: Source URL is stored in this value [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
			<TargetObject name="Source folder for certain program and component installations" condition="end with">\InstallSource</TargetObject> <!--Microsoft:Windows: Source folder for certain program and component installations-->
			<!--Windows UAC tampering-->
			<TargetObject name="Windows UAC tampering" condition="end with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject> <!--Detect: UAC Tampering | Credit @ion-storm -->
			<TargetObject name="Windows UAC tampering" condition="end with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject> <!--Detect: UAC Tampering | Credit @ion-storm -->
			<!--Microsoft Security Center tampering | Credit @ion-storm -->
			<TargetObject name="Reg key for detection of https://attack.mitre.org/wiki/Technique/T1089" condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject name="Reg key for detection of https://attack.mitre.org/wiki/Technique/T1089 " condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject name="Reg key for detection of https://attack.mitre.org/wiki/Technique/T1089 " condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject name="Reg key for detection of https://attack.mitre.org/wiki/Technique/T1089 " condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject name="Reg key for detection of https://attack.mitre.org/wiki/Technique/T1089 " condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject name="Reg key for detection of https://attack.mitre.org/wiki/Technique/T1089 " condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject name="Reg key for detection of https://attack.mitre.org/wiki/Technique/T1089 " condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject name="Reg key for detection of https://attack.mitre.org/wiki/Technique/T1089 " condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject name="Microsoft:Windows:Security Center: Malware sometimes disables" condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth</TargetObject> <!--Microsoft:Windows:Security Center: Malware sometimes disables [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
			<!--Windows application compatibility-->
			<TargetObject name="Microsoft:Windows: AppCompat used for SHIM database persistence" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
			<TargetObject name="Microsoft:Windows: AppCompat used for SHIM database persistence" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Microsoft:Windows: AppCompat [ https://attack.mitre.org/wiki/Technique/T1138 ] -->
			<TargetObject name="Reg key for Microsoft:Windows: Registry virtualization" condition="contains">VirtualStore</TargetObject> <!--Microsoft:Windows: Registry virtualization [ https://msdn.microsoft.com/en-us/library/Windows/desktop/aa965884(v=vs.85).aspx ] -->
			<!--Windows internals integrity monitoring-->
			<TargetObject name="CFG modification" condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject> 
			<TargetObject name="Malware likes changing IFEO, like adding Debugger to disable antivirus EXE" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject> <!--Microsoft:Windows: Malware likes changing IFEO, like adding Debugger to disable antivirus EXE-->
			<TargetObject name="Event log system integrity and ACLs" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject> <!--Microsoft:Windows: Event log system integrity and ACLs-->
			<TargetObject name="Services approved to load in safe mode" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject> <!--Microsoft:Windows: Services approved to load in safe mode-->
			<TargetObject name="Providers notified by WinLogon" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
			<TargetObject condition="end with">\FriendlyName</TargetObject> <!--Microsoft:Windows: New devices connected and remembered-->
			<TargetObject condition="contains">VirtualStore</TargetObject> <!--Microsoft:Windows: Registry virtualization [ https://msdn.microsoft.com/en-us/library/Windows/desktop/aa965884(v=vs.85).aspx ] -->
			<TargetObject condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject> 
			<TargetObject condition="contains">\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject> 
			<TargetObject condition="contains">\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4</TargetObject> 
			<TargetObject condition="contains">\SYSTEM\CurrentControlSet\Control\WMI\Autologger\</TargetObject> 
			<TargetObject condition="contains">\StartupItems</TargetObject> 
			<TargetObject condition="contains">\SOFTWARE\Wow6432Node\Google\Update\ClientState\</TargetObject> 
			<TargetObject condition="contains">Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</TargetObject> 
			<TargetObject condition="contains">Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</TargetObject> 
			<TargetObject condition="contains">\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject> 
			<TargetObject condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce</TargetObject> 
			<TargetObject condition="contains">\InProcServer32</TargetObject> 
			<TargetObject condition="contains">\SOFTWARE\MICROSOFT\Windows NT\CURRENTVERSION\WINLOGON\</TargetObject> 
			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject>
			<TargetObject name="Microsoft:Windows: Malware sometimes disables tracing to obfuscate tracks" condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32</TargetObject> <!--Microsoft:Windows: Malware sometimes disables tracing to obfuscate tracks-->
			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls</TargetObject>
			<TargetObject condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls</TargetObject>
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls</TargetObject>
			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\currentversion\image file execution options</TargetObject>
			<TargetObject name="WDigest reg location. Value should not be = 1" condition="contains">\CurrentControlSet\Control\SecurityProviders\WDigest</TargetObject>
			<TargetObject condition="contains">\CurrentControlSet\Control\WMI\Autologger\</TargetObject>
			<TargetObject name="Attempts to ID reg persistance location usage" condition="contains">\RunOnce\</TargetObject>
			<TargetObject name="technique_id=T1060,technique_name=Registry Run Keys / Start Folder" condition="contains">\Explorer\Run</TargetObject>
			<TargetObject name="technique_id=T1060,technique_name=Registry Run Keys / Start Folder" condition="contains">\CurrentVersion\Run</TargetObject>
			<TargetObject condition="contains">\SOFTWARE\Wow6432Node\Google\Update\ClientState\</TargetObject>
			<TargetObject condition="contains">\StartupItems</TargetObject>
			<TargetObject condition="contains">CurrentControlSet\Control\Lsa\Security Packages</TargetObject>
			<TargetObject condition="contains">\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject>
			<TargetObject condition="contains">\Shell\</TargetObject>
			<TargetObject condition="contains">\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject>
			<TargetObject condition="contains">\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4</TargetObject>
			<TargetObject condition="contains">\ShellEx\</TargetObject>
			<TargetObject condition="begin with">HKLM\Software\Classes\Directory\Shellex\</TargetObject>
			<TargetObject condition="begin with">HKCR\CLSID</TargetObject>
			<TargetObject name="Microsoft:Office: Outlook add-ins" condition="contains">\Microsoft\Office\Outlook\Addins</TargetObject> <!--Microsoft:Office: Outlook add-ins-->
			<TargetObject name="Uncommon place to load add-ins, especially in HKCU" condition="contains">\Software\Microsoft\VSTO\Security\Inclusion</TargetObject> <!-- Uncommon place to load add-ins, especially in HKCU-->
			<TargetObject name="Uncommon place to declare add-in metadata, especially in HKCU" condition="contains">\Software\Microsoft\VSTO\SolutionMetadata</TargetObject><!--Uncommon place to declare add-in metadata, especially in HKCU-->
			<TargetObject name="technique_id=T1060,technique_name=Registry Run Keys / Start Folder" condition="contains">\CurrentVersion\Run</TargetObject><!--Microsoft:Windows: Run keys, incld RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server] -->
			<TargetObject name="Group policy scripts" condition="contains">\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows: Group policy scripts-->
			<TargetObject name="technique_id=T1037,technique_name=Logon Scripts" condition="contains">\Windows\System\Scripts</TargetObject> <!--Microsoft:Windows: Logon, Loggoff, Shutdown-->
			<TargetObject name="technique_id=T1060,technique_name=Registry Run Keys / Start Folder" condition="contains">\Policies\Explorer\Run</TargetObject><!--Microsoft:Windows -->
			<TargetObject condition="end with">\ServiceDll</TargetObject> <!--Microsoft:Windows: Points to a service's DLL [ https://blog.cylance.com/Windows-registry-persistence-part-1-introduction-attack-phases-and-Windows-services ] -->
			<TargetObject condition="end with">\ImagePath</TargetObject> <!--Microsoft:Windows: Points to a service's EXE [ https://github.com/crypsisgroup/Splunkmon/blob/master/sysmon.cfg ] -->
			<TargetObject condition="end with">\Start</TargetObject> <!--Microsoft:Windows: Services start mode changes (Disabled, Automatically, Manual)-->
			<TargetObject name="technique_id=T1004,technique_name=Winlogon Helper DLL" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify</TargetObject><!--Microsoft:Windows: Autorun location [ https://www.cylance.com/Windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
			<TargetObject name="technique_id=T1004,technique_name=Winlogon Helper DLL" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/Windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
			<TargetObject name="technique_id=T1004,technique_name=Winlogon Helper DLL" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject>
			<TargetObject name="Microsoft:Windows: Legacy driver loading" condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Microsoft:Windows: Legacy driver loading | Credit @ion-storm -->
			<TargetObject name="technique_id=T1060,technique_name=Registry Run Keys / Start Folder" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/Windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
			<TargetObject name="technique_id=T1042,technique_name=Change Default File Association" condition="contains">\Explorer\FileExts</TargetObject><!--Microsoft:Windows: Changes to file extension mapping-->
			<TargetObject name="Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command" condition="contains">\shell\install\command</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
			<TargetObject name="Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command" condition="contains">\shell\open\command</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
			<TargetObject name="Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command" condition="contains">\shell\open\ddeexec</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
			<TargetObject name="technique_id=T1060,technique_name=Registry Run Keys / Start Folder" condition="contains">Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup</TargetObject>
			<TargetObject condition="contains">\Classes\AllFilesystemObjects</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
			<TargetObject condition="contains">\Classes\Directory</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/Windows-shell-context-menu-option ] -->
			<TargetObject condition="contains">\Classes\Drive</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/Windows-shell-context-menu-option ] -->
			<TargetObject condition="contains">\Classes\Folder</TargetObject> <!--Microsoft:Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/Windows-shell-context-menu-option ] -->
			<TargetObject condition="contains">\ContextMenuHandlers</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
			<TargetObject condition="contains">\CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
			<TargetObject name="technique_id=T1130,technique_name=Install Root Certificate" condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates</TargetObject>
			<TargetObject name="technique_id=T1130,technique_name=Install Root Certificate" condition="contains">\Microsoft\SystemCertificates\Root\Certificates</TargetObject>
			<TargetObject name="technique_id=T1103,technique_name=Appinit DLLs" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls</TargetObject><!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/Windows/desktop/dd744762(v=vs.85).aspx ] -->
			<TargetObject name="technique_id=T1103,technique_name=Appinit DLLs" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls</TargetObject><!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/Windows/desktop/dn280412(v=vs.85).aspx ] -->
			<TargetObject name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="contains">SYSTEM\CurrentControlSet\Control\CrashControl</TargetObject>
			<!--Networking-->
			<TargetObject name="Order of network providers that are checked to connect to destination " condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> <!--Windows: | Credit @ion-storm -->
			<TargetObject name="T1089 Monitor for firewall disablement, all firewall profiles" condition="end with">\EnableFirewall</TargetObject> <!--Windows: Monitor for firewall disablement, all firewall profiles [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject name="T1089 Windows: Monitor for firewall disablement, all firewall profiles" condition="end with">\DoNotAllowExceptions</TargetObject> <!--Windows: Monitor for firewall disablement, all firewall profiles [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject> <!--Windows Firewall authorized applications for all networks| Credit @ion-storm -->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List</TargetObject> <!--Windows Firewall authorized applications for domain networks -->
			<!--DLLs that get injected into every process at launch-->
			<TargetObject name="T1103 DLLs that get injected into every process at launch-" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Windows: Feature disabled by default [ https://attack.mitre.org/wiki/Technique/T1103 ] -->
			<TargetObject name="T1103 DLLs that get injected into every process at launch-" condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Windows: Feature disabled by default [ https://attack.mitre.org/wiki/Technique/T1103 ] -->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] [ https://blog.comodo.com/malware/trojware-win32-trojanspy-volisk-a/ ] -->
			<!--Magic registry keys-->
			<TargetObject name="cache autostart" condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject> <!--Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
			<TargetObject name="Alert,Sysinternals Tool Used. Watch for SDelete and ProcDump" condition="end with">\EulaAccepted</TargetObject> <!--Sysinternals tool launched first time. Lots of useful abilities for attackers -->
			<!--Install/Infection artifacts-->
			<TargetObject name="Source URL is stored in this value" condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: Source URL is stored in this value [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
			<TargetObject name="Source folder for certain program and component installations" condition="end with">\InstallSource</TargetObject> <!--Windows: Source folder for certain program and component installations-->
			<!--Antivirus tampering-->
			<TargetObject name="T1089,Tamper-Defender Antivirus tampering" condition="end with">\DisableAntiSpyware</TargetObject> <!--Windows:Defender: State modified via registry-->
			<TargetObject name="T1089,Tamper-Defender Antivirus tampering" condition="end with">\DisableAntiVirus</TargetObject> <!--Windows:Defender: State modified via registry-->
			<!--Windows UAC tampering-->
			<TargetObject name="T1088 Windows UAC tampering" condition="end with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject> <!--Detect: UAC Tampering | Credit @ion-storm -->
			<TargetObject name="T1088 Windows UAC tampering" condition="end with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject> <!--Detect: UAC Tampering | Credit @ion-storm -->
			<!--Microsoft Security Center tampering | Credit @ion-storm -->
			<TargetObject name="T1089,Tamper-SecCenter" condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject name="T1089,Tamper-SecCenter" condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject name="T1089,Tamper-SecCenter" condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject name="T1089,Tamper-SecCenter" condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject name="T1089,Tamper-SecCenter" condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject name="T1089,Tamper-SecCenter" condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject name="T1089,Tamper-SecCenter" condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject name="T1089,Tamper-SecCenter" condition="end with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<TargetObject name="T1089,Tamper-SecCenter" condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth</TargetObject> <!--Windows:Security Center: Malware sometimes disables [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
			<!--Windows application compatibility-->
			<TargetObject name="T1138,AppCompatShim" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
			<TargetObject name="T1138,AppCompatShim" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Windows: AppCompat [ https://attack.mitre.org/wiki/Technique/T1138 ] -->
			<TargetObject name="Registry virtualization, something's wrong if it's in use" condition="contains">VirtualStore</TargetObject> <!--Windows: Registry virtualization, something's wrong if it's in use [ https://msdn.microsoft.com/en-us/library/Windows/desktop/aa965884(v=vs.85).aspx ] -->
			<!--Windows internals integrity monitoring-->
			<TargetObject name="T1183,IFEO" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject> <!--Windows: Malware likes changing IFEO, like adding Debugger to disable antivirus EXE-->
			<TargetObject name="Event log system integrity and ACLs" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject> <!--Windows: Event log system integrity and ACLs-->
			<TargetObject name="Tamper-Safemode" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject> <!--Windows: Services approved to load in safe mode. Almost nothing should ever modify this.-->
			<TargetObject name="Tamper-Winlogon" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Windows: Providers notified by WinLogon-->
			<TargetObject name="Context,DeviceConntectedOrUpdated" condition="end with">\FriendlyName</TargetObject> <!--Windows: New devices connected and remembered-->
			<TargetObject name="Context,MsiInstallerStarted" condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Windows: See when WindowsInstaller is engaged, useful for timeline matching with other events-->
			<TargetObject name="Tamper-Tracing" condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32</TargetObject> <!--Windows: Malware sometimes disables tracing to obfuscate tracks-->
			<!--Windows inventory events-->
			<TargetObject name="InvDB-Path" condition="end with">\LowerCaseLongPath</TargetObject> <!-- [ https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html ] -->
			<TargetObject name="InvDB-Pub" condition="end with">\Publisher</TargetObject> <!-- [ https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html ] -->
			<TargetObject name="InvDB-Ver" condition="end with">\ProductVersion</TargetObject> <!-- [ https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html ] -->
			<TargetObject name="InvDB-CompileTimeClaim" condition="end with">\LinkDate</TargetObject> <!-- Compile time of EXE, may not be reliable [ https://en.wikipedia.org/wiki/Link_time ] -->
			<TargetObject name="InvDB" condition="contains">Compatibility Assistant\Store\</TargetObject>
			<TargetObject name=".Net Usage Logging" condition="contains">\SOFTWARE\Microsoft.NETFramework</TargetObject>
		</RegistryEvent>
		</RuleGroup>
		
		<RuleGroup name="RegistryEvent exclude" groupRelation="or">
		<RegistryEvent onmatch="exclude">
		<!--COMMENT:	Remove low-information noise. Often these hide a procress recreating an empty key and do not hide the values created subsequently.-->
			<!--SECTION: Microsoft binaries-->
			<Image condition="is">c:\program files\oracle\virtualbox\virtualboxvm.exe</Image>
            <Image condition="is">c:\Windows\system32\lsass.exe</Image>
            <Image condition="is">C:\Program Files\Mozilla Firefox\firefox.exe</Image>
			<Image condition="is">c:\program files (x86)\microsoft visual studio\2019\community\common7\servicehub\hosts\servicehub.host.clr.x86\servicehub.settingshost.exe</Image>
			<Image condition="is">c:\program files (x86)\microsoft visual studio\2019\community\msbuild\current\bin\msbuild.exe</Image>
			<Image condition="is">c:\program files (x86)\microsoft visual studio\2019\community\msbuild\current\bin\roslyn\vbcscompiler.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\PerfWatson2.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\ServiceHub\Hosts\ServiceHub.Host.CLR.x86\ServiceHub.RoslynCodeAnalysisService32.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\ServiceHub\Hosts\ServiceHub.Host.CLR.x86\ServiceHub.Host.CLR.x86.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\ServiceHub\Hosts\ServiceHub.Host.CLR.x64\ServiceHub.DataWarehouseHost.exe</Image>
			<Image condition="end with">\SWELF.exe</Image><!-- Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
			<Image condition="is">C:\Program Files (x86)\Notepad++\notepad++.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\SDXHelper.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\IDE\PrivateAssemblies\ScriptedSandbox64.exe</Image> <!--Microsoft:Windows: Changes association registry keys-->
			<Image condition="contains">C:\Program Files\Fortinet\FortiClient\</Image>
			<Image condition="end with">Office\root\integration\integrator.exe</Image> <!--Microsoft:Office: C2R client-->
			<Image condition="is">C:\Windows\system32\backgroundTaskHost.exe</Image> <!--Microsoft:Windows: Changes association registry keys-->
			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</Image> <!--Microsoft:Office: C2R client-->
			<Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image> <!--Microsoft:Windows:Defender-->
			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image> <!--Microsoft:Cortana-->
			<Image condition="is">C:\Program Files (x86)\EMET 5.5\EMET_Service.exe</Image> <!--Microsoft:EMET: Routinely refreshes EMET configuration keys from Group Policy-->
			<Image condition="is">C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\PrivateAssemblies\ScriptedSandbox64.exe</Image>
			<Rule groupRelation="and">
			<Image condition="is">C:\Windows\system32\taskhostw.exe</Image>
			<TargetObject condition="contains">\Software\Microsoft\SystemCertificates\Root\Certificates</TargetObject>
			</Rule>
			<Rule groupRelation="and">
			<Image condition="is">c:\Windows\system32\taskhostw.exe</Image><!--noisy-->
			<TargetObject condition="end with">\Root\Certificates</TargetObject>
			</Rule>
			<Rule groupRelation="and">
			<Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image><!--noisy-->
			<TargetObject condition="contains">}\Root\InventoryApplicationFile\</TargetObject>
			</Rule>
			<Rule groupRelation="and">
			<Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image><!--noisy-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Google\Update\ClientState</TargetObject>
			</Rule>
			<Rule groupRelation="and">
			<Image condition="is">C:\WINDOWS\Explorer.EXE</Image><!--noisy-->
			<TargetObject condition="end with">\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop\IconLayouts</TargetObject>
			</Rule>
            <Rule groupRelation="and">
			<Image condition="is">C:\Windows\system32\svchost.exe</Image><!--noisy-->
			<TargetObject condition="contains">\software\microsoft\enterprisecertificates\root\certificates</TargetObject>
			</Rule>
			<Rule groupRelation="and">
			<Image condition="is">C:\Windows\Explorer.EXE</Image><!--noisy-->
			<TargetObject condition="contains">\Local Settings\Software\Microsoft\Windows\Shell\</TargetObject><!--This is normal(and loud), BUT leaves you blind to an injected malware attempting to do UAC bypass or shellbaging-->
			</Rule>
			<Rule groupRelation="and">
			<Image condition="is">C:\Program Files (x86)\Mozilla Firefox\firefox.exe</Image>
			<TargetObject condition="contains">\Local Settings\Software\Microsoft\Windows\Shell\Bags\</TargetObject>
			</Rule>
			<Rule groupRelation="and">
			<Image condition="is">C:\Windows\System32\svchost.exe</Image>
			<TargetObject condition="contains">\Software\Microsoft\Windows NT\CurrentVersion\</TargetObject>
			</Rule>
			<TargetObject condition="contains">\{CAFEEFAC-</TargetObject>
			<TargetObject condition="contains">Local Settings\Software\Microsoft\Windows\Shell\BagMRU</TargetObject>
			<TargetObject condition="contains">\appdata\local\microsoft\vault</TargetObject>
			<TargetObject condition="end with">Toolbar\WebBrowser</TargetObject> <!--Microsoft:IE: Extraneous activity-->
			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Height</TargetObject> <!--Microsoft:IE: Extraneous activity-->
			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Layout</TargetObject> <!--Microsoft:IE: Extraneous activity-->
			<TargetObject condition="end with">Toolbar\ShellBrowser\ITBar7Layout</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
			<TargetObject condition="end with">Internet Explorer\Toolbar\Locked</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
			<TargetObject condition="end with">Toolbar\WebBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93}</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
			<TargetObject condition="end with">ShellBrowser</TargetObject> <!--Microsoft:InternetExplorer: Noise-->
			<TargetObject condition="end with">\CurrentVersion\App Paths</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\App Paths" wildcard-->
			<TargetObject condition="end with">\CurrentVersion\Image File Execution Options</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Image File Execution Options" wildcard-->
			<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Cached</TargetObject> <!--Microsoft:Windows: Remove noise from the "\CurrentVersion\Shell Extensions\Cached" wildcard-->
			<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Approved</TargetObject> <!--Microsoft:Windows: Remove noise from the "\CurrentVersion\Shell Extensions\Approved" wildcard-->
			<TargetObject condition="end with">\PreviousPolicyAreas</TargetObject> <!--Microsoft:Windows: Remove noise from \Winlogon\GPExtensions by svchost.exe-->
			<TargetObject condition="contains">\Control\WMI\Autologger\</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
			<TargetObject condition="end with">\Lsa\OfflineJoin\CurrentValue</TargetObject> <!--Microsoft:Windows: Sensitive value during domain join-->
			<TargetObject condition="end with">\Components\TrustedInstaller\Events</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
			<TargetObject condition="end with">\Components\TrustedInstaller</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
			<TargetObject condition="end with">\Components\Wlansvc</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
			<TargetObject condition="end with">\Components\Wlansvc\Events</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\</TargetObject> <!--Microsoft:Windows: Remove noise monitoring installations run as system-->
			<TargetObject condition="end with">\Directory\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
			<TargetObject condition="end with">\Directory\shellex\DragDropHandlers</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
			<TargetObject condition="end with">\Drive\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
			<TargetObject condition="end with">\Drive\shellex\DragDropHandlers</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
			<TargetObject condition="contains">_Classes\AppX</TargetObject> <!--Microsoft:Windows: Remove noise monitoring "Shell\open\command"--> <!--Win8+-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject> <!--Microsoft:Windows: SvcHost Noise-->
			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image> <!--Microsoft:Windows: Remove noise from Windows 10 Cortana | Credit @ion-storm--> <!--Win10-->
			<Image condition="is">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe</Image>
			<!--Bootup Control noise-->
			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaPid</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise-->
			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
			<TargetObject condition="end with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
			<!--Services startup settings noise, some low-risk services routinely change it and this can be ignored-->
			<TargetObject condition="end with">\services\bits\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
			<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_32\Start</TargetObject> <!--Microsoft:dotNet: Windows 7-->
			<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_64\Start</TargetObject> <!--Microsoft:dotNet: Windows 7-->
			<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_32\Start</TargetObject> <!--Microsoft:dotNet: Windows 10-->
			<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_64\Start</TargetObject> <!--Microsoft:dotNet: Windows 10-->
			<TargetObject condition="end with">\services\deviceAssociationService\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
			<TargetObject condition="end with">\services\fhsvc\Start</TargetObject> <!--Microsoft:Windows: File History Service-->
			<TargetObject condition="end with">\services\nal\Start</TargetObject> <!--Intel: Network adapter diagnostic driver-->
			<TargetObject condition="end with">\services\trustedInstaller\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
			<TargetObject condition="end with">\services\tunnel\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
			<TargetObject condition="end with">\services\usoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
			<!--FileExts noise filtering-->
			<TargetObject condition="contains">\OpenWithProgids</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
			<TargetObject condition="end with">\OpenWithList</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
			<TargetObject condition="end with">\UserChoice</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
			<TargetObject condition="end with">\UserChoice\ProgId</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"--> <!--Win8+-->
			<TargetObject condition="end with">\UserChoice\Hash</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"--> <!--Win8+-->
			<TargetObject condition="end with">\OpenWithList\MRUList</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
			<TargetObject condition="end with">} 0xFFFF</TargetObject> <!--Microsoft:Windows: Remove noise generated by explorer.exe on monitored ShellCached binary keys--> <!--Win8+-->
			<!--Group Policy noise-->
			<TargetObject condition="end with">HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups</TargetObject> <!--Microsoft:Windows: Routinely set through Group Policy, not especially important to log-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\PSScriptOrder</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\SOM-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\GPO-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\IsPowershell</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\ExecTime</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\PSScriptOrder</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\SOM-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\GPO-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\IsPowershell</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\ExecTime</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="contains">\safer\codeidentifiers\0\HASHES\{</TargetObject> <!--Microsoft:Windows: Software Restriction Policies. Can be used to disable security tools, but very noisy to monitor if you use it-->
			<!--SECTION: 3rd party-->
			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image> <!--Constantly writes to HKLM-->
			<TargetObject condition="begin with">HKCR\VLC.</TargetObject> <!--VLC update noise-->
			<TargetObject condition="begin with">HKCR\iTunes.</TargetObject> <!--Apple: iTunes update noise-->
		</RegistryEvent>
		</RuleGroup>
	
		<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
		<!--EVENT 15: "File stream created"-->
		<!--COMMENT:	Any files created with an NTFS Alternate Data Stream which match these rules will be hashed and logged.
		[ https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/ ]
		ADS's are used by browsers and email clients to mark files as originating from the Internet or other foreign sources.
		[ https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/ ] -->
		<!--NOTE: Other filesystem minifilters can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, Hash-->
		<RuleGroup name="ALTERNATE DATA STREAM include" groupRelation="or">
        <FileCreateStreamHash onmatch="include">
            <TargetFilename condition="contains">Startup</TargetFilename> <!--ADS startup | Example: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
            <TargetFilename name="File stream created 7zip extractions" condition="contains">Temp\7z</TargetFilename> <!--7zip extractions-->
            <TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
            <TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting | Credit @ion-storm -->
            <TargetFilename condition="end with">\Temp\debug.bin</TargetFilename> <!--Bin files https://github.com/GhostPack/SafetyKatz creates debug.bin in a temp folder-->
            <TargetFilename condition="contains">\Downloads\</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
            <TargetFilename condition="end with">.exe</TargetFilename>
            <TargetFilename condition="end with">.dll</TargetFilename>
            <TargetFilename condition="end with">.zip</TargetFilename>
            <TargetFilename condition="end with">.txt</TargetFilename>
            <TargetFilename condition="end with">.sct</TargetFilename>
            <TargetFilename condition="end with">.js</TargetFilename>
            <TargetFilename condition="end with">.jse</TargetFilename>
            <TargetFilename condition="end with">.ini</TargetFilename>
            <TargetFilename condition="end with">.bin</TargetFilename>
            <TargetFilename condition="end with">.doc</TargetFilename> <!--Office doc potentially with macro -->
            <TargetFilename condition="end with">.xls</TargetFilename> <!--Office doc potentially with macro -->
            <TargetFilename condition="end with">.ppt</TargetFilename> <!--Office doc potentially with macros-->
            <TargetFilename name="File stream created Mitre T1170" condition="end with">.hta</TargetFilename> <!--Mitre T1170--><!--Scripting-->
            <TargetFilename condition="end with">.lnk</TargetFilename> <!--Shortcut file | Credit @ion-storm -->
            <TargetFilename condition="contains">Content.Outlook</TargetFilename> <!--Microsoft:Outlook: Attachments--> <!--PRIVACY WARNING-->
            <TargetFilename name="technique_id=T1086,technique_name=PowerShell" condition="end with">.ps1</TargetFilename> <!--Powershell-->
            <TargetFilename name="technique_id=T1086,technique_name=PowerShell" condition="end with">.ps2</TargetFilename> <!--Powershell-->
            <TargetFilename condition="end with">.reg</TargetFilename> <!--Registry File-->
            <TargetFilename condition="end with">.jse</TargetFilename> <!--Registry File-->
            <TargetFilename condition="end with">.vb</TargetFilename> <!--VisualBasicScripting files-->
            <TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting files-->
            <TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting files-->	
		</FileCreateStreamHash>
		</RuleGroup>	
		
		<RuleGroup name="ALTERNATE DATA STREAM exclude" groupRelation="or">
			<FileCreateStreamHash onmatch="exclude">
			</FileCreateStreamHash>
		</RuleGroup>
		
		<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
		<!--DATA: UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
		<!--SYSMON EVENT ID 17 & 18 : PipeEvent MONITORING [PipeEvent]-->
		<RuleGroup name="PipeEvent exclude" groupRelation="or">		
		<PipeEvent onmatch="exclude">
			<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows.Search</Image>
			<Image condition="is">C:\Program Files (x86)\Mozilla Firefox\firefox.exe</Image>
			<Image condition="is">c:\program files (x86)\microsoft visual studio\2019\community\common7\servicehub\controller\microsoft.servicehub.controller.exe</Image>
			<Image condition="is">c:\program files (x86)\microsoft visual studio\2019\community\msbuild\current\bin\msbuild.exe</Image>
			<Image condition="is">c:\program files (x86)\microsoft visual studio\2019\community\msbuild\current\bin\roslyn\vbcscompiler.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\PrivateAssemblies\ScriptedSandbox64.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe</Image>
			<Image condition="begin with">C:\Program Files\Fortinet\FortiClient\</Image>
			<Image condition="is">C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image>
			<Image condition="begin with">C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\ServiceHub\Hosts\</Image>
			<Image condition="is">C:\Program Files\Fortinet\FortiClient\FCVbltScan.exe</Image>
			<Image condition="is">C:\Program Files\Mozilla Firefox\firefox.exe</Image> 
			<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image> 
			<Image condition="is">C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe</Image> 
			<Image condition="begin with">c:\program files (x86)\opendns updater\</Image> 
			<Image condition="begin with">C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\IDE\</Image> 
			<Image condition="is">c:\Windows\system32\smartscreen.exe</Image> 
			<Image condition="is">c:\Windows\system32\sppsvc.exe</Image> 
			<Image condition="is">C:\Windows\system32\vmms.exe</Image>
			<Image condition="begin with">c:\programdata\microsoft\Windows defender\</Image> 
			<Image condition="is">c:\Windows\system32\logonui.exe</Image>
			<Image condition="is">c:\program files (x86)\google\update\googleupdate.exe</Image>
			<Image condition="begin with">C:\Program Files (x86)\Fortinet\FortiClient\</Image>
			<Image condition="is">C:\Program Files\Mozilla Firefox\firefox.exe</Image>
			<Image condition="is">C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe</Image>
			<Image condition="end with">\SWELF.exe</Image>
			<Image condition="is">C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Image>
			<Image condition="is">C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe</Image>
			<Image condition="is">C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Image>
			<Image condition="is">c:\Windows\system32\inetsrv\w3wp.exe</Image> 
			<Image condition="is">c:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\CMAgent\OfcCMAgent.exe</Image>
			<Image condition="is">c:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe</Image>
			<Image condition="is">c:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Web\Service\DbServer.exe</Image>                    
			<Image condition="is">c:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\verconn.exe</Image>  
			<Image condition="is">c:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WEB_OSCE\WEB\CGI\cgiOnClose.exe</Image>  
			<Image condition="is">c:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WEB_OSCE\WEB\CGI\cgiRqHotFix.exe</Image>
			<Image condition="is">c:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\LWCS\LWCSService.exe</Image>
			<Image condition="is">c:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WSS\iCRCService.exe</Image>
			<Image condition="is">c:\Program Files\Trend\SPROTECT\x64\tsc.exe</Image>
			<Image condition="is">c:\Program Files\Trend\SPROTECT\x64\tsc64.exe</Image>
			<Image condition="is">c:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\osceintegrationservice.exe</Image>
			<Image condition="is">c:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\OfcLogReceiverSvc.exe</Image>
			<Image condition="is">c:\Program Files\Qlik\Sense\Engine\Engine.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Microsoft SQL Server\110\DTS\binn\dtexec.exe</Image>
			<Image condition="is">c:\Windows\system32\inetsrv\w3wp.exe</Image>
			<PipeName condition="contains">Anonymous Pipe</PipeName>
			<PipeName condition="begin with">\Vivisimo Velocity</PipeName>
			<!-- Normal WIN10 Named Pipes-->
			<PipeName condition="is">\ntapvsrq</PipeName>
			<PipeName condition="is">\srvsvc</PipeName>
			<PipeName condition="is">\wkssvc</PipeName>
			<PipeName condition="is">\lsass</PipeName>
  			<PipeName condition="is">\winreg</PipeName>
		    <PipeName condition="is">\spoolss</PipeName>
			<!-- MSSQL Named Pipes-->
			<PipeName condition="is">\SQLLocal\MSSQLSERVER</PipeName>
			<PipeName condition="is">\SQLLocal\INSTANCE01</PipeName>
			<PipeName condition="is">\SQLLocal\SQLEXPRESS</PipeName>
  			<PipeName condition="is">\SQLLocal\COMMVAULT</PipeName>
			<PipeName condition="is">\SQLLocal\RTCLOCAL</PipeName>
			<PipeName condition="is">\SQLLocal\RTC</PipeName>
			<PipeName condition="is">\SQLLocal\TMSM</PipeName>
			<Rule groupRelation="and">
				<Image condition="is">C:\WINDOWS\system32\sihost.exe</Image>
				<PipeName condition="contains">\AppContracts_</PipeName>
			</Rule>
			<Rule groupRelation="and">
				<Image condition="end with">\AppData\Local\Microsoft\Teams\current\Teams.exe</Image>
				<PipeName condition="begin with">\mojo.</PipeName>
			</Rule>
			<Rule groupRelation="and">
				<Image condition="end with">\AppData\Local\Google\Chrome\Application\chrome.exe</Image>
				<PipeName condition="begin with">\mojo.</PipeName>
			</Rule>
			<Rule groupRelation="and">
				<Image condition="is">C:\WINDOWS\system32\SearchIndexer.exe</Image>
				<PipeName condition="is">\MsFteWds</PipeName>
			</Rule>
		</PipeEvent>
		</RuleGroup>
	    
	<!--SYSMON EVENT ID 19 & 20 & 21 : WMI EVENT MONITORING [WmiEvent]-->
		<!--EVENT 19: "WmiEventFilter activity detected"-->
		<!--EVENT 20: "WmiEventConsumer activity detected"-->
		<!--EVENT 21: "WmiEventConsumerToFilter activity detected"-->
		<!--ADDITIONAL REFERENCE: [ https://www.darkoperator.com/blog/2017/10/15/sysinternals-sysmon-610-tracking-of-permanent-wmi-events ] -->
		<!--ADDITIONAL REFERENCE: [ https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-v610-vs-wmi-persistence/ ] -->
		<!--DATA: EventType, UtcTime, Operation, User, Name, Type, Destination, Consumer, Filter-->
		<RuleGroup name="WMIEvent exclude" groupRelation="or">
			<WmiEvent onmatch="exclude">
				<!--NOTE: Using exclude with no rules means everything will be logged-->
			</WmiEvent>
		</RuleGroup>
		
		<!--SYSMON EVENT ID 22 : DNS QUERY [DnsQuery]-->
		<!--EVENT 22: "Dns query"-->
		<!--NOTE:	Due to the volume of events that DNS queries generate, some orgs may want to remove this section from their configuration to reduce Sysmon log turnover. -->
		<!--COMMENT:	DNS logging is a very nuanced challenge in monitoring due to event volume. Legitimate domains can be used to host malware/C2, but lookup itself is not very informative.
						It's fine to exclude monitoring these bulk low-value lookups, but at same time, you would not have a full log of how malware communicated, potentially missing C2.
						This section of Sysmon configuration will require your full judgement and knowledge of your org's priorities. There is no correct answer.-->
		<!--OPERATIONS:	Chrome and Firefox prefetch DNS lookups, or use alternate DNS lookup methods Sysmon won't capture. You need to turn these off.
						Search for Group Policy for these browsers to configure this.-->
		<!--OPERATIONS:	Most DNS traffic is web advertising. To significantly reduce DNS queries and malware ads, enable client-side advertising filtering via Group Policy. This is easy.
				Internet Explorer: https://decentsecurity.com/adblocking-for-internet-explorer-deployment/
				Chrome: https://decentsecurity.com/ublock-for-google-chrome-deployment/
				Firefox: ToDo
						Also note, this configuration is designed for United States computers. Your country's users will may need customization to reduce noise.
			-->
		<!--CONFIG:	DNS poisoning is an issue during threat investigations. Try to only exclude ROUTINE system-level queries you know are strongly validated with HTTPS or code signing.-->
		<!--CONFIG:	If you exclude microsoft.com, someone could register malware-microsoft.com and it wouldn't be logged. Use "END WITH" with leading . or "IS" operators.-->
		<!--CONFIG:	Be very specific in exclusions. Threat actors use legitimate services, too. Dont exclude all of AWS or Azure or Google or CDNs!-->
		<!--CONFIG: Popularity data: [ http://s3-us-west-1.amazonaws.com/umbrella-static/index.html ] [ https://better.fyi/trackers/alexa-top-500-news/ ] -->
		<!--CRITICAL:	Do NOT exclude "wpad" lookups. This is a MitM vector routinely used by attackers. Disable WPAD or enforce client-side DNSSEC for AD domain lookups.-->
		<!--CRITICAL:	Do NOT exclude IPv6 lookups.-->
		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, QueryName, QueryType, QueryStatus, QueryResults (can't filter on)-->
		<!--BELOW: These domains should not be excluded at the top level. Be specific if you want to reduce noise under them.-->
		<!-- Rejected: .cloudapp.net, customer content [ https://blogs.technet.microsoft.com/ptsblog/2012/06/18/security-consideration-when-using-cloudapp-net-domain-as-production-environment-in-Windows-azure/ ] -->
		<!-- Rejected: .googleapis.com, customer content [ https://www.zdnet.com/article/this-business-email-scam-spreads-trojans-through-google-cloud-storage/ ] -->
		<!-- Rejected: .cloudfront.net, customer content -->
		<!-- Rejected: .Windows.net, customer content -->
		<!-- Rejected: *github.com, customer content, including open-source malware components -->

		<RuleGroup name="DnsQuery exclude" groupRelation="or">
		<DnsQuery onmatch="exclude">
			<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows.Search</Image>
			<Image condition="is">c:\program files\fortinet\forticlient\fortiwf.exe</Image>
			<Image condition="is">C:\Program Files\Fortinet\FortiClient\update_task.exe</Image>
			<Image condition="is">C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe</Image>
			<Image condition="is">c:\Windows\sysmon.exe</Image>
			<Image condition="is">c:\riot games\league of legends\leagueclient.exe</Image>
			<!--Network noise-->
			<QueryName condition="end with">.suite.office.com</QueryName>
			<QueryName condition="is">cdn.onenote.net</QueryName>
			<QueryName condition="is">catalog.gamepass.com</QueryName>
			<QueryName condition="is">t.co</QueryName>
			<QueryName condition="end with">.arpa.</QueryName> <!--Design decision to not log reverse DNS lookups. You will need to decide.-->
			<QueryName condition="end with">.arpa</QueryName> <!--Design decision to not log reverse DNS lookups. You will need to decide.-->
			<QueryName condition="end with">.msftncsi.com</QueryName> <!--Microsoft proxy detection | Microsoft default exclusion-->
			<QueryName condition="is">..localmachine</QueryName>
			<QueryName condition="is">localhost</QueryName>
			<!--Microsoft-->
			<QueryName condition="end with">.msftconnecttest.com</QueryName>
			<QueryName condition="end with">.riotgames.com</QueryName>
			<QueryName condition="end with">.riotcdn.net</QueryName>
			<QueryName condition="end with">.microsoft.com</QueryName>
			<QueryName condition="end with">-pushp.svc.ms</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
			<QueryName condition="end with">.b-msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
			<QueryName condition="end with">.bing.com</QueryName> <!-- Microsoft | Microsoft default exclusion -->
			<QueryName condition="end with">.hotmail.com</QueryName> <!--Microsoft | Microsoft default exclusion-->			
			<QueryName condition="end with">.githubusercontent.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
			<QueryName condition="end with">.live.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
			<QueryName condition="end with">.live.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
			<QueryName condition="end with">.s-microsoft.com</QueryName> <!--Microsoft-->
			<QueryName condition="end with">.Windowsupdate.com</QueryName> <!--Microsoft-->
			<QueryName condition="end with">.microsoft.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
			<QueryName condition="end with">.microsoftonline.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
			<QueryName condition="end with">.microsoftstore.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
			<QueryName condition="end with">.ms-acdc.office.com</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
			<QueryName condition="end with">.msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
			<QueryName condition="end with">.msn.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
			<QueryName condition="end with">.msocdn.com</QueryName> <!--Microsoft-->
			<QueryName condition="end with">.skype.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
			<QueryName condition="end with">.skype.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
			<QueryName condition="end with">.Windows.com</QueryName> <!--Microsoft-->
			<QueryName condition="end with">.Windows.net.nsatc.net</QueryName> <!--Microsoft-->
			<QueryName condition="end with">.Windowsupdate.com</QueryName> <!--Microsoft-->
			<QueryName condition="end with">.xboxlive.com</QueryName> <!--Microsoft-->
			<QueryName condition="is">login.Windows.net</QueryName> <!--Microsoft-->
			<QueryName condition="is">officecdn.microsoft.com.edgesuite.net</QueryName> <!--Microsoft-->
			<!--Microsoft:Office365/AzureAD-->
			<QueryName condition="end with">.activedirectory.Windowsazure.com</QueryName> <!--Microsoft: AzureAD-->
			<QueryName condition="end with">.aria.microsoft.com</QueryName> <!--Microsoft: OneDrive/SharePoint-->
			<QueryName condition="end with">.msauth.net</QueryName>
			<QueryName condition="end with">.msftauth.net</QueryName>
			<QueryName condition="end with">.opinsights.azure.com</QueryName> <!--Microsoft: AzureAD/InTune client event monitoring-->
			<QueryName condition="is">management.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
			<QueryName condition="is">outlook.office365.com</QueryName> <!--Microsoft: Protected by HSTS-->
			<QueryName condition="is">portal.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
			<!--3rd-party applications-->
			<QueryName condition="end with">.twimg.com</QueryName> 
			<QueryName condition="end with">.fortinet.com</QueryName> 
			<QueryName condition="end with">.twitter.com</QueryName>
			<QueryName condition="end with">.umbrella.com</QueryName>
			<QueryName condition="end with">.opendns.com</QueryName>
			<QueryName condition="is">twitter.com</QueryName> 
			<QueryName condition="end with">.mozaws.net</QueryName> <!--Mozilla-->
			<QueryName condition="end with">.mozilla.com</QueryName> <!--Mozilla-->
			<QueryName condition="end with">.mozilla.net</QueryName> <!--Mozilla-->
			<QueryName condition="end with">.mozilla.org</QueryName> <!--Mozilla-->
			<QueryName condition="end with">.spotify.com</QueryName> <!--Spotify-->
			<QueryName condition="end with">.spotify.map.fastly.net</QueryName> <!--Spotify-->
			<QueryName condition="is">clients1.google.com</QueryName> <!--Google-->
			<QueryName condition="is">clients2.google.com</QueryName> <!--Google-->
			<QueryName condition="is">clients3.google.com</QueryName> <!--Google-->
			<QueryName condition="is">clients4.google.com</QueryName> <!--Google-->
			<QueryName condition="is">clients5.google.com</QueryName> <!--Google-->
			<QueryName condition="is">clients6.google.com</QueryName> <!--Google-->
			<QueryName condition="is">safebrowsing.googleapis.com</QueryName> <!--Google-->
			<QueryName condition="is">.akamaized.net</QueryName>
			<!--Goodlist CDN-->
			<QueryName condition="end with">.akadns.net</QueryName> <!--AkamaiCDN, extensively used by Microsoft | Microsoft default exclusion-->
			<QueryName condition="end with">.netflix.com</QueryName>
			<QueryName condition="end with">aspnetcdn.com</QueryName> <!--Microsoft [ https://docs.microsoft.com/en-us/aspnet/ajax/cdn/overview ]-->
			<QueryName condition="is">ajax.googleapis.com</QueryName>
			<QueryName condition="is">cdnjs.cloudflare.com</QueryName> <!--Cloudflare: Hosts popular javascript libraries-->
			<QueryName condition="is">fonts.googleapis.com</QueryName> <!--Google fonts-->
			<QueryName condition="end with">.typekit.net</QueryName> <!--Adobe fonts-->
			<QueryName condition="is">cdnjs.cloudflare.com</QueryName>
			<QueryName condition="end with">.stackoverflow.com</QueryName>
			<QueryName condition="end with">.akamaiedge.net</QueryName>
			<!--Personal-->
			<QueryName condition="end with">.steamcontent.com</QueryName> <!--If you seriously host malware C2 in game binaries in Steam, I give up-->
			<QueryName condition="end with">.adblockplus.org</QueryName> 
			<!--Web resources-->
			<QueryName condition="end with">.disqus.com</QueryName> <!--Microsoft default exclusion-->
			<QueryName condition="end with">.fontawesome.com</QueryName>
			<QueryName condition="is">.disqus.com</QueryName> <!--Microsoft default exclusion-->
			<!--Ads-->
			<QueryName condition="end with">.1rx.io</QueryName> <!--Ads-->
			<QueryName condition="end with">.2mdn.net</QueryName> <!--Ads: Google | Microsoft default exclusion-->
			<QueryName condition="end with">.adadvisor.net</QueryName> <!--Ads: Neustar [ https://better.fyi/trackers/adadvisor.net/ ] -->
			<QueryName condition="end with">.addthis.com</QueryName> <!--Ads:Oracle | Microsoft default exclusion [ https://en.wikipedia.org/wiki/AddThis ] -->
			<QueryName condition="end with">.adform.net</QueryName> <!--Ads-->
			<QueryName condition="end with">.adnxs.com</QueryName> <!--Ads: AppNexus | Microsoft default exclusion-->
			<QueryName condition="end with">.adroll.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.adsafeprotected.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.adsrvr.org</QueryName> <!--Ads-->
			<QueryName condition="end with">.advertising.com</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.amazon-adsystem.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.amazon-adsystem.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.analytics.yahoo.com</QueryName> <!--Ads:Yahoo-->
			<QueryName condition="end with">.aol.com</QueryName> <!--Ads | Microsoft default exclusion -->
			<QueryName condition="end with">.betrad.com</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.bidswitch.net</QueryName> <!--Ads-->
			<QueryName condition="end with">.casalemedia.com</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.chartbeat.net</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/chartbeat.com/ ]-->
			<QueryName condition="end with">.cnn.com</QueryName> <!-- Microsoft default exclusion-->
			<QueryName condition="end with">.convertro.com</QueryName> <!--Ads:Verizon-->
			<QueryName condition="end with">.criteo.com</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
			<QueryName condition="end with">.criteo.net</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
			<QueryName condition="end with">.crwdcntrl.net</QueryName> <!--Ads: Lotame [ https://better.fyi/trackers/crwdcntrl.net/ ] -->
			<QueryName condition="end with">.demdex.net</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.domdex.com</QueryName> 
			<QueryName condition="end with">.dotomi.com</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.doubleclick.net</QueryName> <!--Ads:Conversant | Microsoft default exclusion [ https://www.crunchbase.com/organization/dotomi ] -->
			<QueryName condition="end with">.doubleverify.com</QueryName> <!--Ads: Google-->
			<QueryName condition="end with">.emxdgt.com</QueryName> <!--Ads: EMX-->
			<QueryName condition="end with">.exelator.com</QueryName> <!--Ads:Nielson Marketing Cloud-->
			<QueryName condition="end with">.google.com</QueryName> <!--Ads:Nielson Marketing Cloud-->
			<QueryName condition="end with">.google-analytics.com</QueryName> <!--Ads:Google | Microsoft default exclusion-->
			<QueryName condition="end with">.googleadservices.com</QueryName> <!--Google-->
			<QueryName condition="end with">.googlesyndication.com</QueryName> <!--Ads:Google, sometimes called during malicious ads, but not directly responsible | Microsoft default exclusion [ https://www.hackread.com/wp-content/uploads/2018/06/Bitdefender-Whitepaper-Zacinlo.pdf ]-->
			<QueryName condition="end with">.googletagmanager.com</QueryName> <!--Google-->
			<QueryName condition="end with">.googlevideo.com</QueryName> <!--Google | Microsoft default exclusion-->
			<QueryName condition="end with">.gstatic.com</QueryName> <!--Google | Microsoft default exclusion-->
			<QueryName condition="end with">.gvt1.com</QueryName> <!--Google-->
			<QueryName condition="end with">.gvt2.com</QueryName> <!--Google-->
			<QueryName condition="end with">.ib-ibi.com</QueryName> <!--Ads: Offerpath [ https://better.fyi/trackers/ib-ibi.com/ ] -->
			<QueryName condition="end with">.jivox.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.mathtag.com</QueryName> <!--Microsoft default exclusion-->
			<QueryName condition="end with">.moatads.com</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.moatpixel.com</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.mookie1.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.myvisualiq.net</QueryName> <!--Ads-->
			<QueryName condition="end with">.netmng.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.nexac.com</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.nexac.com</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.openx.net</QueryName> <!--Ads-->
			<QueryName condition="end with">.optimizely.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.outbrain.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.pardot.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.phx.gbl</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.pinterest.com</QueryName> <!--Pinerest-->
			<QueryName condition="end with">.pubmatic.com</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.quantcount.com</QueryName>
			<QueryName condition="end with">.quantserve.com</QueryName>
			<QueryName condition="end with">.revsci.net</QueryName> <!--Ads:Omniture | Microsoft default exclusion-->
			<QueryName condition="end with">.rfihub.net</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.rlcdn.com</QueryName> <!--Ads: Rapleaf [ https://better.fyi/trackers/rlcdn.com/ ] -->
			<QueryName condition="end with">.rubiconproject.com</QueryName> <!--Ads: Rubicon Project | Microsoft default exclusion [ https://better.fyi/trackers/rubiconproject.com/ ] -->
			<QueryName condition="end with">.scdn.co</QueryName> <!--Spotify-->
			<QueryName condition="end with">.scorecardresearch.com</QueryName> <!--Ads: Comscore | Microsoft default exclusion-->
			<QueryName condition="end with">.serving-sys.com</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.sharethrough.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.Windowsupdate.com</QueryName>
			<QueryName condition="end with">.vo.msecnd.net</QueryName>
			<QueryName condition="end with">.sitescout.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.smartadserver.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.snapads.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.spotxchange.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.1rx.io</QueryName> <!--Ads-->
			<QueryName condition="end with">.adrta.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.taboola.com</QueryName> <!--Ads:Taboola-->
			<QueryName condition="end with">.taboola.map.fastly.net</QueryName> <!--Ads:Taboola-->
			<QueryName condition="end with">.tapad.com</QueryName>
			<QueryName condition="end with">.tidaltv.com</QueryName> <!--Ads: Videology [ https://better.fyi/trackers/tidaltv.com/ ] -->
			<QueryName condition="end with">.trafficmanager.net</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.tremorhub.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.tribalfusion.com</QueryName> <!--Ads: Exponential [ https://better.fyi/trackers/tribalfusion.com/ ] -->
			<QueryName condition="end with">.turn.com</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/turn.com/ ] -->
			<QueryName condition="end with">.twimg.com</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.tynt.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.w55c.net</QueryName> <!--Ads:dataxu-->
			<QueryName condition="end with">.ytimg.com</QueryName> <!--Google-->
			<QueryName condition="end with">.zorosrv.com</QueryName> <!--Ads:Taboola-->
			<QueryName condition="end with">.youtube.com</QueryName>
			<QueryName condition="is">adservice.google.com</QueryName> <!--Google-->
			<QueryName condition="is">ampcid.google.com</QueryName> <!--Google-->
			<QueryName condition="is">clientservices.googleapis.com</QueryName> <!--Google-->
			<QueryName condition="is">d29x207vrinatv.cloudfront.net</QueryName> <!--Amazon-developed applications-->
			<QueryName condition="is">googleadapis.l.google.com</QueryName> <!--Google-->
			<QueryName condition="is">imasdk.googleapis.com</QueryName> <!--Google [ https://developers.google.com/interactive-media-ads/docs/sdks/html5/ ] -->
			<QueryName condition="is">l.google.com</QueryName> <!--Google-->
			<QueryName condition="is">ml314.com</QueryName> <!--Ads-->
			<QueryName condition="is">mtalk.google.com</QueryName> <!--Google-->
			<QueryName condition="is">update.googleapis.com</QueryName> <!--Google-->
			<QueryName condition="is">1rx.io</QueryName>
			<QueryName condition="end with">.visualstudio.com</QueryName>
			<QueryName condition="is">www.googletagservices.com</QueryName>
			<!--SocialNet-->
			<QueryName condition="end with">.pscp.tv</QueryName> <!--Twitter:Periscope-->
			<!--OSCP/CRL Common-->
			<QueryName condition="is">detectportal.firefox.com</QueryName>
			<QueryName condition="end with">.doubleclick.net</QueryName>
			<QueryName condition="is">nexusrules.officeapps.live.com</QueryName>
			<QueryName condition="is">ctldl.Windowsupdate.com</QueryName>
			<QueryName condition="is">self.events.data.microsoft.com</QueryName>
			<QueryName condition="is">tlu.dl.delivery.mp.microsoft.com</QueryName>
			<QueryName condition="is">ardownload.adobe.com</QueryName>
			<QueryName condition="end with">.digicert.com</QueryName>
			<QueryName condition="end with">.globalsign.com</QueryName>
			<QueryName condition="end with">.globalsign.net</QueryName>
			<QueryName condition="is">msocsp.com</QueryName> <!--Microsoft:OCSP-->
			<QueryName condition="is">ocsp.msocsp.com</QueryName> <!--Microsoft:OCSP-->
			<QueryName condition="end with">pki.goog</QueryName>
			<QueryName condition="is">ocsp.godaddy.com</QueryName>
			<QueryName condition="end with">.amazontrust.com</QueryName>
			<QueryName condition="is">ocsp.sectigo.com</QueryName>
			<QueryName condition="is">pki-goog.l.google.com</QueryName>
			<QueryName condition="end with">.usertrust.com</QueryName>
			<QueryName condition="is">ocsp.comodoca.com</QueryName>
			<QueryName condition="is">ocsp.verisign.com</QueryName>
			<QueryName condition="is">ctldl.Windowsupdate.com</QueryName>
			<QueryName condition="is">twitter.com</QueryName>
			<QueryName condition="is">ocsp.entrust.net</QueryName>
			<QueryName condition="end with">ocsp.identrust.com</QueryName>
			<QueryName condition="is">status.rapidssl.com</QueryName>
			<QueryName condition="is">status.thawte.com</QueryName>
			<QueryName condition="end with">.googlevideo.com</QueryName>
			<QueryName condition="end with">.googleusercontent.com</QueryName>
			<QueryName condition="end with">.googleapis.com</QueryName>
		</DnsQuery>
		</RuleGroup>
    	
		<!--SYSMON EVENT ID 23 : FILE DELETE [FileDelete]-->
		<!--EVENT 22: "File Delete"-->
		<!--COMMENT:	Sandbox usage. When a program signals to Windows a file should be deleted or wiped, Sysmon may be able to capture it. 
			[ https://isc.sans.edu/forums/diary/Sysmon+and+File+Deletion/26084/ ]
		-->
		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes, IsExecutable, Archived -->
		<!--
		<RuleGroup name="" groupRelation="or">
			<FileDelete onmatch="include">
			</FileDelete>
		</RuleGroup>
		-->

		<!--SYSMON EVENT ID 24 : CLIPBOARD EVENT MONITORING [ClipboardChange]-->
		<!--EVENT 24: "Clipboard changed"-->
		<!--COMMENT:	Sandbox usage.  Sysmon can capture the contents of clipboard events.
				An  example of what could be a production usage on restricted desktops is provided below, but it is commented-out. -->
		<!--DATA: EventType, UtcTime, ProcessGuid, ProcessId, Image, Session, ClientInfo, Hashes, Archived -->
		<RuleGroup name="Clipboard Monitoring exclude" groupRelation="or">
			<ClipboardChange onmatch="exclude">
			</ClipboardChange>
		</RuleGroup>

		<!--SYSMON EVENT ID 25 : PROCESS TAMPERING [ProcessTampering]-->
		<!--EVENT 25: "Process Tampering"-->
		<!--COMMENT:	This event is generated when a process image is changed from an external source, such as a different process.
		This may or may not provide value in your environment as it requires tuning and a SIEM to correlate the ProcessGuids.
		[ https://medium.com/falconforce/sysmon-13-process-tampering-detection-820366138a6c ] -->
		<!--DATA: EventType, RuleName, UtcTime, ProcessGuid, ProcessId, Image, Type -->
		<RuleGroup name="PROCESS TAMPERING exclude" groupRelation="or">
			<ProcessTampering onmatch="exclude">
				<Image condition="is">C:\Windows\System32\wbem\WMIADAP.exe</Image>
				<Image condition="begin with">C:\Program Files (x86)\Microsoft\Edge\Application\</Image> <!--Design decision Could find more things if you comment this, but as it is it also reduces noise when its uncommented.-->
			</ProcessTampering>
		</RuleGroup>

		<!--SYSMON EVENT ID 26 : FileDeleteDetected -->


		<!--SYSMON EVENT ID 27 : FileBlockExecutable -->
		
		<!--SYSMON EVENT ID 28 : FileBlockShredding -->
		<RuleGroup name="FileBlockShredding exclude" groupRelation="or">
			<FileBlockShredding onmatch="exclude">
				<Image condition="end with">AppData\Local\Microsoft\OneDrive\onedrive.exe</Image><!-- Design decision  Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
				<Image condition="end with">\chrome.exe</Image><!--Browser--><!-- Design decision  Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
				<Image condition="end with">\firefox.exe</Image><!--Browser--><!-- Design decision  Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
				<Image condition="end with">\iexplore.exe</Image><!--Browser--><!-- Design decision  Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
				<Image condition="end with">\MicrosoftEdge.exe</Image><!--Browser--><!-- Design decision  Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
				<Image condition="end with">\notepad.exe</Image><!-- Design decision  Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
				<Image condition="end with">\word.exe</Image><!-- Design decision  Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
				<Image condition="end with">\excel.exe</Image><!-- Design decision  Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
				<Image condition="end with">\powerpoint.exe</Image><!-- Design decision  Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
				<Image condition="end with">\notepad++.exe</Image><!-- Design decision  Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
				<Image condition="end with">\outlook.exe</Image><!-- Design decision  Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
				<Image condition="end with">\code.exe</Image><!-- Design decision  Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
				<Image condition="end with">\devenv.exe</Image><!-- Design decision  Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
				<Image condition="end with">\msedge.exe</Image><!--Browser--><!-- Design decision  Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
				<Image condition="begin with">C:\ProgramData\Microsoft\Windows Defender\platform\</Image><!-- Design decision  Could find more things if you comment this, but as it is it also reduces noise when its uncommented-->
				<Image condition="is">C:\WINDOWS\System32\svchost.exe</Image>
			</FileBlockShredding>
		</RuleGroup>
		
		<!--SYSMON EVENT ID 29 : FileExecutableDetected -->

		<!--SYSMON EVENT ID 255 : ERROR-->
		<!--"This event is generated when an error occurred within Sysmon. They can happen if the system is under heavy load
			and certain tasked could not be performed or a bug exists in the Sysmon service. You can report any bugs on the
			Sysinternals forum or over Twitter (@markrussinovich)."-->
		<!--Cannot be filtered.-->
	</EventFiltering>
	</Sysmon>