sysmonconfig-export.xml

<!--
  sysmon-config | A sysmon configuration focused on default high-quality event tracing and easy customization by the community
  Master version:	50 | Date: 2017-03-02
  Master author:	@SwiftOnSecurity, with contributors also credited in-line or on Git.
  Master project:	https://github.com/SwiftOnSecurity/sysmon-config
  Master license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.

  Fork version:	300
  Fork author:	ionstorm
  Fork project:	https://github.com/ion-storm/sysmon-config
  Fork license:	Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text.

  REQUIRED: Sysmon version 8.00 or higher, it's recommended you stay updated.
-->

<Sysmon schemaversion="4.10">
	<!--SYSMON META CONFIG-->
	<HashAlgorithms>md5,imphash,sha256</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
	<CheckRevocation/> <!-- Check loaded drivers, log if their code-signing certificate has been revoked, in case malware stole one to sign a kernel driver -->

	<!-- <ImageLoad/> --> <!-- Would manually force-on ImageLoad monitoring, even without configuration below. Included only documentation. -->
	<!-- <ProcessAccessConfig/> --> <!-- Would manually force-on ProcessAccess monitoring, even without configuration below. Included only documentation. -->
	<!-- <PipeMonitoringConfig/> --> <!-- Would manually force-on PipeCreated / PipeConnected events, even without configuration below. Included only documentation. -->

	<EventFiltering>
	<!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
		<!--COMMENT:	All process launched will be included, except for what matches a rule below. It's best to be as specific as possible, to
			avoid user-mode executables imitating other process names to avoid logging, or if malware drops files in an existing directory.
			Ultimately, you must weigh CPU time checking many detailed rules, against the risk of malware exploiting the blindness created.
			Beware of Masquerading, where attackers imitate the names and paths of legitimate tools. Ideally, you'd use both file path and
			code signatures to validate, but Sysmon does not support that. Look into Windows Device Guard for whitelisting support. -->
		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessID, Image, FileVersion, Description, Product, Company, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine-->
		<ProcessCreate onmatch="include">
			<!--Mitre ATT&CK Rules-->
			<!--MITRE TACTIC: Defense Evasion-->
			<ParentImage name="Alert=Unknown Process Execution" condition="contains">unknown process</ParentImage>
			<Image name="Alert=Unknown Process Execution" condition="contains">unknown process</Image>
			<Image name="MitreRef=T1117,Technique=Regsvr32-Defense Evasion/Execution" condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
			<Image name="MitreRef=T1197,Technique=Bitsadmin File Transfers/Defense Evasion,Alert=BitsAdmin File Transfers" condition="image">bitsadmin.exe</Image>
			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="image">eventvwr.exe</ParentImage>
			<ParentImage name="MitreRef=T1088,Technique=UAC Bypass,Tactic=Defense Evasion/Privilege Escalation" condition="image">fodhelper.exe</ParentImage>
			<Image name="MitreRef=T1118,Technique=InstallUtil,Tactic=Defense Evasion/Execution,Alert=InstallUtil" condition="image">InstallUtil.exe</Image>
			<CommandLine name="MitreRef=T1118,Technique=InstallUtil,Tactic=Defense Evasion/Execution,Alert=InstallUtil" condition="contains">/logfile= /LogToConsole=false /U</CommandLine>
			<Image name="MitreRef=T1121,Technique=Trusted Developer Utilities,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="image">MSBuild.exe</Image>
	        <Image name="MitreRef=T1121,Technique=Regsvcs/Regasm Bypass,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="image">regsvcs.exe</Image>
			<Image name="MitreRef=T1121,Technique=Regsvcs/Regasm Bypass,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="image">regasm.exe</Image>
			<Image name="MitreRef=T1218,Technique=Signed Binary Proxy Execution,Tactic=Defense Evasion/Execution,Note=MSBuild Applocker Bypass" condition="image">SyncAppvPublishingServer.exe</Image>
			<Image name="MitreRef=T1218,Technique=Signed Binary Proxy Execution,Tactic=Defense Evasion/Execution" condition="image">control.exe</Image>
	        <CommandLine name="MitreRef=T1196,Technique=Control Panel Items,Tactic=Defense Evasion/Execution,Alert=Control Panel Execution" condition="contains">control.exe /name</CommandLine>
			<CommandLine name="MitreRef=T1196,Technique=Control Panel Items,Tactic=Defense Evasion/Execution,Alert=Control Panel Execution" condition="contains">rundll32.exe shell32.dll,Control_RunDLL</CommandLine>
			<Image name="MitreRef=T1170,Technique=MSHTA,Tactic=Defense Evasion/Execution,Alert=MSHTA Execution" condition="image">mshta.exe</Image>
			<ParentImage name="MitreRef=T1170,Technique=MSHTA,Tactic=Defense Evasion/Execution,Alert=MSHTA Execution" condition="image">mshta.exe</ParentImage>
			<Image name="MitreRef=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion" condition="image">wevutil.exe</Image>
			<CommandLine name="MitreRef=T1070,Technique=Indicator Removal on Host,Tactic=Defense Evasion,Alert=Eventlog Removal Detected" condition="contains">wevutil cl</CommandLine>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution,Alert=Font Folder execution" condition="begin with">C:\Windows\Fonts\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Fonts\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="contains">\htdocs\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Media\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users\Public\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\addins\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Debug\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users\NetworkService\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\PerfLogs\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users\Default\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Help\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Intel\Logs\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\repair\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\$Recycle.bin\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\security\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="contains">\wwwroot\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="contains">\htdocs\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Media\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\addins\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\ProgramData</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\system32\config\systemprofile\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users\NetworkService\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Debug\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Temp</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Temp</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\PerfLogs\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users\Default\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Help\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Intel\Logs\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\repair\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\$Recycle.bin\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users\Public\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\security\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Users</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="begin with">C:\Windows\Fonts\</Image>
			<Image name="MitreRef=T1036,Technique=Masquerading,Tactic=Defense Evasion/Execution" condition="contains">\wwwroot\</Image>
			<Image condition="image" name="Technique=Disabling Security Tools,Tactic=Defense Evasion,MitreRef=1089">MpCmdRun.exe</Image>
			<Image condition="image" name="Technique=Disabling Security Tools,Tactic=Defense Evasion,MitreRef=1089">PsKill.exe</Image>
			<CommandLine condition="contains" name="Technique=Disabling Security Tools,Tactic=Defense Evasion,MitreRef=1089">DisableIOAVProtection</CommandLine>
			<CommandLine condition="contains" name="Technique=Disabling Security Tools,Tactic=Defense Evasion,MitreRef=1089">RemoveDefinitions</CommandLine>
			<CommandLine condition="contains" name="Technique=Disabling Security Tools,Tactic=Defense Evasion,MitreRef=1089">Add-MpPreference</CommandLine>
			<!--MITRE TACTIC: Discovery-->
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net user</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net  user</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe user</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe  user</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1 user</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1  user</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1.exe user</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1.exe  user</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net localgroup</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net  localgroup</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe localgroup</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe  localgroup</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1 localgroup</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1  localgroup</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net group</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net  group</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net group</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net  group</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe group</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe  group</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net group</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net  group</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe group</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net.exe  group</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="contains">net1.exe group</CommandLine>
			<CommandLine name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=NET.EXE Discovery" condition="begin with">net1.exe  group</CommandLine>
			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account Creation" condition="begin with">dsadd </CommandLine>
			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account Creation" condition="begin with">dsmod </CommandLine>
			<Image name="MitreRef=T1087,Technique=Account Discovery,Tactic=Discovery,Alert=DSQuery.EXE Discovery" condition="image">dsquery.exe</Image><!-- Query domain-->
			<Image name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account creation with dsmod" condition="image">dsmod.exe</Image><!-- Query domain-->
			<Image name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=Account creation with dsadd" condition="image">dsadd.exe</Image><!-- Query domain-->
			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Alert=Account Discovery,MitreURL= https://attack.mitre.org/wiki/Technique/T1049" condition="image">whoami.exe</Image>
			<Image name="MitreRef=T1049,Technique=Discovery,Tactic=Discovery" condition="image">ipconfig.exe</Image> <!--Microsoft:Windows: shows ip configuration -->
			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery,Alert=Process Discovery" condition="image">tasklist.exe</Image> <!--Microsoft:Windows: shows current running processes-->
			<Image name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery,Alert=System Information Discovery" condition="image">sysinfo.exe</Image> <!--Microsoft:Windows: shows systeminformation -->
			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Alert=System Network Connections Discovery" condition="image">netstat.exe</Image> <!--Microsoft:Windows: shows protocol statistics and current TCP/IP network connections -->
			<Image name="MitreRef=T1057,Technique=Process Discovery,Tactic=Discovery,Alert=Process Discovery" condition="image">qprocess.exe</Image> <!--Microsoft:Windows: shows information about processes -->
			<Image name="MitreRef=T1049,Technique=System Network Connections Discovery,Tactic=Discovery,Alert=User enumeration/Discovery" condition="image">quser.exe</Image> <!--Microsoft:Windows: shows logged-on users -->
			<Image name="MitreRef=T1016,Technique=System Network Configuration Discovery,Tactic=Discovery,Alert=Network Configureation discovery with route.exe" condition="image">route.exe</Image> <!--Microsoft:Windows: manipulates network routing tables -->
			<CommandLine name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery,Info=System information discovery with reg.exe" condition="contains">reg query</CommandLine> <!--Microsoft:Windows: reads and modifies the Windows register -->
			<CommandLine name="MitreRef=T1016,Technique=System Information Discovery,Tactic=Discovery,Info=System information discovery with reg.exe" condition="contains">reg.exe query</CommandLine> <!--Microsoft:Windows: reads and modifies the Windows register -->
			<Image name="MitreRef=T1016,Technique=System Network Connections Discovery,Tactic=Discovery,Alert=Network Connection Discovery with netsh" condition="image">netsh.exe</Image> <!--Microsoft:Windows: manipulate the firewall -->
			<!--MITRE TACTIC: Execution-->
			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">wscript.exe</Image>
			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">pcalua.exe</Image>
			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">cscript.exe</Image>
			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">wscript.exe</ParentImage>
			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">pcalua.exe</ParentImage>
			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">cscript.exe</ParentImage>
			<CommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution,Alert=Metasploit Detection" condition="contains">COMSPEC</CommandLine>
			<ParentCommandLine name="MitreRef=T1059,Technique=Command-Line Interface,Tactic=Execution,Alert=Metasploit Detection" condition="contains">COMSPEC</ParentCommandLine>
			<ParentImage condition="image" name="MitreRef=T1086,Technique=Powershell,Tactic=Execution">powershell.exe</ParentImage>
			<ParentImage condition="image" name="MitreRef=T1086,Technique=Powershell,Tactic=Execution">powershell_ise.exe</ParentImage>
			<CommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="begin with">powershell.exe -Version</CommandLine> <!--Microsoft:Windows: PowerShell interface-->
			<CommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="contains">powershell</CommandLine> <!--Microsoft:Windows: PowerShell interface-->
			<ParentCommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution" condition="contains">powershell</ParentCommandLine> <!--Microsoft:Windows: PowerShell interface-->
			<CommandLine name="MitreRef=T1086,Technique=Powershell,Tactic=Execution,Alert=Powershell Downgrade attack" condition="begin with">powershell -Version</CommandLine> <!--Microsoft:Windows: PowerShell interface-->
			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">iex</CommandLine>
			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-Expression" condition="contains">Invoke-Expression</CommandLine>
			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">iwr</CommandLine>
			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Invoke-WebRequest" condition="contains">Invoke-WebRequest</CommandLine>
			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">DownloadFile</CommandLine>
			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">DownloadString</CommandLine>
			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">Net.WebClient</CommandLine>
			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">System.Net.WebRequest</CommandLine>
			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Powershell Download" condition="contains">System.Net.SecurityProtocolType</CommandLine>
			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=invoke-shellcode" condition="contains">Shellcode</CommandLine>
			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land,Alert=Bash on Windows Execution" condition="image">bash.exe</Image> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
			<ParentImage name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land,Alert=Bash on windows execution" condition="image">bash.exe</ParentImage> <!--Microsoft:Windows: bash on Windows, Linux subsystem-->
			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=Child Process of psexec" condition="image">psexesvc.exe</ParentImage>
			<Description name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=PSexec Execution" condition="contains">Execute processes remotely</Description>
			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=PSexec Execution" condition="image">psexec.exe</ParentImage>
			<Description name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=PSexec Execution" condition="contains">Execute processes remotely</Description>
			<ParentImage name="MitreRefS=S0029,Technique=Command execution - Execution/Lateral Movement,Alert=PSKill Execution" condition="image">pskill.exe</ParentImage>
			<Image name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect Command Execution" condition="image">forfiles.exe</Image>
			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution,Alert=Indirect command execution child process" condition="image">forfiles.exe</ParentImage>
			<ParentImage name="MitreRef=T1202,Technique=Indirect Command Execution,Tactic=Execution" condition="image">pcalua.exe</ParentImage>
			<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution,Alert=Windows Remote Management execution" condition="image">wsmprovhost.exe</Image>
			<ParentImage name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution,Alert=Windows Remote Management execution" condition="image">wsmprovhost.exe</ParentImage>
			<Image name="MitreRef=T1028,Technique=Windows Remote Management,Tactic=Execution,Alert=Windows Remote Management Execution" condition="end with">winrm.cmd</Image>
			<!--MITRE TACTIC: Persistence-->
			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence Privilege Escalation" condition="image">sethc.exe</ParentImage>
			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">utilman.exe</ParentImage>
			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">osk.exe</ParentImage>
			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">Magnify.exe</ParentImage>
			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">DisplaySwitch.exe</ParentImage>
			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">Narrator.exe</ParentImage>
			<ParentImage name="MitreRef=T1015,Technique=Accessibility Features,Tactic=Persistence/Privilege Escalation" condition="image">AtBroker.exe</ParentImage>
			<Image name="MitreRef=T1138,Technique=Application Shimming-Persistence/Privilege Escalation,Alert=Application Shimming" condition="image">sdbinst.exe</Image>
			<Image name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=Task Scheduler execution" condition="image">schtasks.exe</Image>
			<ParentImage name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=Child process from schtasks" condition="image">schtasks.exe</ParentImage>
			<CommandLine name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=schtasks task created" condition="contains">schtasks /create</CommandLine>
			<CommandLine name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=schtasks task created" condition="contains">schtasks.exe /create</CommandLine>
			<Image name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=at.exe Task scheduler execution" condition="image">at.exe</Image>
			<ParentImage name="MitreRef=T1053,Technique=Scheduled Task,Tactic=Execution/Persistence/Privledge Escalation,Alert=at.exe Task scheduler execution" condition="image">at.exe</ParentImage>
			<CommandLine name="MitreRef=ToDo,Technique=Powershell Injection Persistence Bypass - Execution, Lateral Movement,Alert=Powershell Injection persistence bypass" condition="contains">System.Management.Automation</CommandLine>
			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Account Creation via command line,Alert=User added by Command line" condition="contains">net user /add</CommandLine>
			<CommandLine name="MitreRef=T1136,Technique=Create Account,Tactic=Persistence,Alert=Administrator added via Command Line,Alert=Adminstrator added via command line" condition="contains">net localgroup administrators /add</CommandLine>
			<CommandLine name="MitreRef=T1050,Technique=New Service,Tactic=Persistence/Privilege Escalation,Alert=Service added via Command Line,Alert=Service added via command line" condition="contains">sc create</CommandLine>
			<CommandLine name="MitreRef=T1050,Technique=New Service,Tactic=Persistence/Privilege Escalation,Alert=Service added via Command Line,Alert=Service added via command line" condition="contains">sc.exe create</CommandLine>
			<CommandLine name="MitreRef=T1050,Technique=New Service,Tactic=Persistence/Privilege Escalation,Alert=Service added via Command Line,Alert=Service added via command line" condition="contains">new-service</CommandLine>
			<!--MITRE TACTIC: Lateral Movement-->
			<ParentImage name="MitreRef=T1028,Technique=Remote WMIC/Execution, Lateral Movement,Alert=Hacking" condition="image">wmiprvse.exe</ParentImage>
			<CommandLine name="MitreRef=T0000,Technique=Remote Desktop Shadow,Alert=Hacking/Remote Admin,Alert=Remote Desktop Shadow Alert" condition="contains">/shadow</CommandLine>
			<CommandLine name="MitreRef=T0000,Technique=Remote Desktop Shadow,Alert=Hacking/Remote Admin,Alert=Remote Desktop Shadow with no Consent alert" condition="contains">/noConsentPrompt</CommandLine>
			<!--MITRE TECHNIQUE: Obfuscation-->
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">FromBase64String</CommandLine>
			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Detect Secure Strings,Alert=Powershell Secure String creation" condition="contains">convertto-securestring</CommandLine>
			<CommandLine name="MitreRef=T1086,Technique=PowerShell,Tactic=Execution,Alert=Detect some more obfuscation,Alert=Powershell Obfuscation with VerbosePreference" condition="contains">VerbosePreference.ToString</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">runtime.interopservices.marshal</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">VerbosePreference.ToString</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowstyle h</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowstyl h</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowsty h</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windowst h</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windows h</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-window h</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-windo h</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-wind h</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win h</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-wi h</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-w h</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-wi h</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hi</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hid</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hidd</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hidde</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-win hidden</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-Nop</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-Noni</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">-encodedc</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-ec</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control" condition="contains">-en</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">^c^o^m^S^p^E^c^</CommandLine>
			<CommandLine name="MitreRef=T1001,Technique=Data Obfuscation,Tactic=Command And Control,Alert=Hacking" condition="contains">C^om^S^pEc</CommandLine>
			<!--Native Windows tools - Living off the land-->
			<Image name="MitreRef=ToDo,Technique=,Alert=Process/Session/User Query with query.exe" condition="image">query.exe</Image> <!--Microsoft:Windows: shows information about processes -->
			<Image name="MitreRef=CAPEC-293,Technique=Traceroute Route Enumeration,Alert=Traceroute Enumeration,MitreURL= https://capec.mitre.org/data/definitions/293.html" condition="image">tracert.exe</Image> <!--Microsoft:Windows: shows routing information -->
			<Image name="MitreRef=ToDo,Technique=,Alert=tree of directory structure disclosure" condition="end with">tree.com</Image> <!--Microsoft:Windows: shows recursive directory listing -->
			<Image name="MitreRef=T1134,Technique=Access Token Manipulation,Alert=Token Manipulation with runas.exe" condition="image">runas.exe</Image> <!--Microsoft:Windows: run a process as another user -->
			<Image name="MitreRef=ToDo,Technique=,Alert=Command Line task kill" condition="image">taskkill.exe</Image> <!--Microsoft:Windows: stops processes -->
			<Image name="MitreRef=ToDo,Technique=,Alert=Kerberos Ticket Disclosure with klist" condition="image">klist.exe</Image> <!--Microsoft:Windows: show cached kerberos tickets -->
			<Image name="MitreRef=ToDo,Technique=,Alert=Kerberos Ticket Disclosure" condition="image">hh.exe</Image> <!--Microsoft:Windows: HTML Helper-->
			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Possible driver load with odbcconf" condition="image">odbcconf.exe</Image> <!--Microsoft:Windows: allows for driver loads -->
			<Image name="MitreRef=T1202,Technique=Hacking/LOLBins-Living off the Land,Alert=Program Compatibility bypass" condition="image">pcalua.exe</Image> <!--Microsoft:Windows: Program Compatibility Assistant)-->
			<Image name="MitreRef=T1158,Technique=Hacking/LOLBins-Living off the Land,Alert=Attrib bypass" condition="image">attrib.exe</Image>
			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Possible credential modification or disclosure with cmdkey" condition="image">cmdkey.exe</Image> <!--Microsoft:Windows: creates, lists, and deletes stored user names and passwords or credentials.-->
			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,AlertNLTest=" condition="image">nltest.exe</Image>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=NLTest" condition="contains">nltest.exe</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=" condition="contains">ExtExport</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">bash -c</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">bash.exe -c</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=" condition="contains">cmdkey /list</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=" condition="contains">cmdkey.exe /list</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">certutil.exe -urlcache -split -f</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">certutil -urlcache -split -f</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=csc compile output" condition="contains">csc -out:</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc.exe -out:</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc -target:library</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">csc.exe -target:library</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmdkey /list</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmd.exe /k</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmstp.exe /ni /s</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">cmstp /ni /s</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">esentutl.exe /y \\</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">esentutl /y \\</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">expand \\</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">expand.exe \\</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">extrac32 \\</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">extrac32.exe \\</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">ieexec.exe http</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">ieexec http</CommandLine>
			<ParentImage name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land,Alert=Hacking" condition="contains">diskshadow</ParentImage>
			<!--LoLBin Applocker bypasses-->
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">advpack.dll,LaunchINFSection</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">mshtml,RunHTMLApplication</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">/s /n /u /i:http:</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">mshtml,RunHTMLApplication</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">bginfo.bgi /popup /nolicprompt</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">set </CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">setx </CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">pushd</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">popd</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="contains">subst</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">ren </CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">move </CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">md </CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">del </CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">rd </CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">expand </CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="end with">find.exe</CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">format </CommandLine>
			<CommandLine name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land" condition="begin with">assoc </CommandLine>
			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect cls in batch scripts" condition="image">cls.exe</Image>
			<Image name="MitreRef=ToDo,Technique=Hacking/LOLBins-Living off the Land-detect aliases" condition="image">doskey.exe</Image>
	  		<!--                                                                                                                                            -->
			<!--Mavinject -->
	        <Image name="MitreRef=T1218,Technique=Mavinject,Alert=Process Injection" condition="image">Mavinject.exe</Image>
	        <CommandLine name="MitreRef=T1218,Technique=Mavinject,Alert=Process Injection" condition="contains">/INJECTRUNNING</CommandLine>
			<Image name="MitreRef=T1191,Technique=Mavinject" condition="image">CMSTP.exe</Image>
	  		<!--                                                                                                                                            -->
			<CommandLine name="MitreRef=T1105,Technique=Command and Control/Lateral Movement" condition="contains">certutil.exe -decode</CommandLine>
			<CommandLine name="MitreRef=T1105,Technique=Command and Control/Lateral Movement" condition="contains">certutil -decode</CommandLine>
	  		<!--                                                                                                                                            -->
			<!--Detect Spawned Adobe Parent Processes-->
			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Acrobat" condition="image">acrobat.exe</ParentImage>
			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Adobe Reader" condition="image">acrord32.exe</ParentImage>
	  		<!--                                                                                                                                            -->
			<!--Detect Spawned Browser Parent Processes-->
			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned Process from Chrome" condition="image">chrome.exe</ParentImage>
			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Firefox" condition="image">firefox.exe</ParentImage>
			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Internet Explorer" condition="image">iexplore.exe</ParentImage>
			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="image">MicrosoftEdgeCP.exe</ParentImage>
			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Edge Browser" condition="image">MicrosoftEdge.exe</ParentImage>
			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Vivaldi Browser" condition="image">vivaldi.exe</ParentImage>
			<ParentImage name="MitreRef=ToDo,Technique=Process Spawned from Waterfox Browser" condition="image">waterfox.exe</ParentImage>
	  		<!--                                                                                                                                            -->
			<!--Detect Spawned Java Parent Processes-->
			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">java.exe</ParentImage>
			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">javaw.exe</ParentImage>
	  		<!--                                                                                                                                            -->
			<!--Detect Spawned Office Parent Processes & Abuse-->
			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">word.exe</ParentImage>
			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">excel.exe</ParentImage>
			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">POWERPNT.exe</ParentImage>
			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">outlook.exe</ParentImage>
			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">visio.exe</ParentImage>
			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">msaccess.exe</ParentImage>
			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">lync.exe</ParentImage>
			<ParentImage name="MitreRef=ToDo,Technique=" condition="image">skype.exe</ParentImage>
	  		<!--                                                                                                                                            -->
			<!--Detect Output Redirection-->
			<CommandLine name="Alert=Output Redirection" condition="contains">2></CommandLine>
			<CommandLine name="Alert=Output Redirection" condition="contains">&lt;</CommandLine>
			<CommandLine name="Alert=Output Redirection" condition="contains">&gt;</CommandLine>
			<CommandLine name="Alert=Output Redirection" condition="contains">^</CommandLine>
	  		<!--                                                                                                                                            -->
			<!--Detect Multiple Commands-->
			<CommandLine name="Alert=Multiple Commands" condition="contains">&amp;</CommandLine>
			<CommandLine name="Alert=Multiple Commands" condition="contains">;</CommandLine>
			<CommandLine name="Alert=Command Pipe" condition="contains">|</CommandLine>
			<CommandLine name="Alert=interactive command to slow output" condition="contains">more</CommandLine>
			<CommandLine name="Alert=Commands run from \\tsclient share ie: samsam ransomware" condition="contains">\\tsclient</CommandLine>
			<CommandLine name="Alert=DotDot Dirs" condition="contains">..</CommandLine>
	  		<!--Hacking Command Line Events-->
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">wmic shadowcopy delete</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">wbadmin delete catalog</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation,Note=BCDEdit disabling auto repair" condition="contains">/set {default} recoveryenabled no</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">telnet</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">-dumpcr</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">putty</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">bash.exe</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">pssh</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">sdelete</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">shareenum</CommandLine>
			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">sekurlsa</CommandLine>
			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">reg SAVE</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-DllInjection</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Shellcode</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-WmiCommand</CommandLine>
			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-GPPPassword</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-Keystrokes</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-TimedScreenshot</CommandLine>
			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-VaultCredential</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-CredentialInjection</CommandLine>
			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">mimikatz</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-NinjaCopy</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-TokenManipulation</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Out-Minidump</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">VolumeShadowCopyTools</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ReflectivePEInjection</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-UserHunter</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Find-GPOLocation</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ACLScanner</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-DowngradeAccount</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ServiceUnquoted</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ServiceFilePermission</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ServicePermission</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ServiceAbuse</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Install-ServiceBinary</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-RegAutoLogon</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-VulnAutoRun</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-VulnSchTask</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-UnattendedInstallFile</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-WebConfig</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ApplicationHost</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-RegAlwaysInstallElevated</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-Unconstrained</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Add-RegBackdoor</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Add-ScrnSaveBackdoor</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Gupt-Backdoor</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ADSBackdoor</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Enabled-DuplicateToken</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PsUaCme</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Remove-Update</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Check-VM</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-LSASecret</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-PassHashes</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Show-TargetScreen</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Port-Scan</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">netscan</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">psscan</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PoshRatHttp</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PowerShellTCP</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PowerShellWMI</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Add-Exfiltration</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Add-Persistence</CommandLine>
			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Do-Exfiltration</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Start-CaptureServer</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-DllInjection</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ReflectivePEInjection</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ShellCode</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ChromeDump</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-ClipboardContents</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-FoxDump</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-IndexedItem</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-Keystrokes</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-Screenshot</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Inveigh</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-NetRipper</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-NinjaCopy</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Out-Minidump</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-EgressCheck</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PSInject</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-RunAs</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">MailRaider</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">New-HoneyHash</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Set-MacAttribute</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-VaultCredential</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-DCSync</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PowerDump</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-TokenManipulation</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Exploit-Jboss</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ThunderStruck</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-VoiceTroll</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Set-Wallpaper</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-InveighRelay</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-PsExec</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-SSHCommand</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-SecurityPackages</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Install-SSP</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-BackdoorLNK</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">PowerBreach</CommandLine>
			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-GPPPassword</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-SiteListPassword</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-System</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">BypassUAC</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Tater</CommandLine>
			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">PowerUp</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">PowerView</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Get-RickAstley</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Find-Fruit</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">HTTP-Login</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Find-TrustedDocuments</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Paranoia</CommandLine>
			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-WinEnum</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ARPScan</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-ReverseDNSLookup</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">smbscanner</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-FruityC2</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Invoke-Stager</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">process call create</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">call set priority</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">call terminate</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events/WMIC product listing,Tactic=Privilege Escalation" condition="contains">product get name</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events/WMIC bios serial query,Tactic=Privilege Escalation" condition="contains">bios, get serialNumber</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events/WMIC query vmware,Tactic=Privilege Escalation" condition="contains">onboarddevice get</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events/WMIC User Modifications,Tactic=Privilege Escalation" condition="contains">useraccount where name</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events/WMIC Eventlog modifications,Tactic=Privilege Escalation" condition="contains">nteventlog where filename</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events/WMIC Eventlog modifications,Tactic=Privilege Escalation" condition="contains">cleareventlog</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">root\\default</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">FilterToConsumerBinding</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">root\\subscription</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Win32_TaskService</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Win32_TaskService</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">stratum+tcp</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">-donate-level=</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Wmiclass</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">WmiCl'+'as'+'s</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">ntdsutil</CommandLine>
			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">mimiauth</CommandLine>
			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Powersploit</CommandLine>
			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">Mimikittenz</CommandLine>
			<CommandLine name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">-ma lsass.exe</CommandLine>
			<Image name="MitreRef=T1003,Technique=Credential Dumping,Tactic=Credential Access,Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">ProcDump.exe</Image>
			<!--Malicious Keywords Credits: Sean Metcalf (source), Florian Roth (rule)-->
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">AdjustTokenPrivileges</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">IMAGE_NT_OPTIONAL_HDR64_MAGIC</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Management.Automation.RuntimeException</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Microsoft.Win32.UnsafeNativeMethods</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">ReadProcessMemory.Invoke</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Runtime.InteropServices</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">SE_PRIVILEGE_ENABLED</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">System.Security.Cryptography</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">System.Runtime.InteropServices</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">LSA_UNICODE_STRING</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">MiniDumpWriteDump</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">PAGE_EXECUTE_READ</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Net.Sockets.SocketFlags</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Reflection.Assembly</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">SECURITY_DELEGATION</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_ADJUST_PRIVILEGES</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_ALL_ACCESS</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_ASSIGN_PRIMARY</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_DUPLICATE</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_ELEVATION</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_IMPERSONATE</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_INFORMATION_CLASS</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_PRIVILEGES</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">TOKEN_QUERY</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Metasploit</CommandLine>
			<CommandLine name="Alert=Malicious Keywords from Exploitation Frameworks,Tactic=Privilege Escalation" condition="contains">Mimikatz</CommandLine>
			<!--Malware IOC's-->
			<CommandLine name="Alert=Potential Ransomware indicator" condition="contains">usn deletejournal</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">^h^t^t^p</CommandLine>
			<CommandLine name="Alert=Hacking Command Line events,Tactic=Privilege Escalation" condition="contains">h"t"t"p</CommandLine>
			<!--Suspicious Windows tools-->
			<CommandLine name="MitreRef=T1216,Technique=Signed Script Proxy Execution,Tactic=Defense Evasion/Execution" condition="contains">script:http</CommandLine> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
			<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
			<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
			<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
			<Image condition="image">regsvcs.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/3f94d7080e6c5b8f59eeecc3d44f7e817b31562caeba21d02ad705a0bfc63d67?environmentId=100 ] -->
			<Image condition="image">C:\Windows\system32\svchost.exe</Image> <!--Windows Services hidden by Svchost.exe, BITS File Transfer program-->
			<Image condition="image">mshta.exe</Image>
			<Image name="Alert=Psexec Utilities" condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
			<Image name="Alert=PsKill Command" condition="contains">pskill</Image><!--Detect pskill-->
			<Image name="Alert=Remote Shutdown with Psexec" condition="contains">psshutdown</Image><!--Detect PsShutdown-->
			<Image name="Alert=Sysinternals PSService" condition="contains">psservice</Image><!--Detect PsService-->
			<Image name="Alert=Sysinternals PsPasswd" condition="contains">PsPasswd</Image><!--Detect PsPasswd-->
			<Image name="Alert=MSBuild Applocker bypass" condition="image">msbuild.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
			<Image name="Note=MSI Installer Launched" condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->
			<Image name="Note=Remote Desktop" condition="image">mstsc.exe</Image><!-- Remote Desktop -->
			<Image name="Alert=Telnet Terminal Emulator" condition="image">telnet.exe</Image><!-- Telnet -->
			<Image condition="image">SyncAppvPublishingServer.exe</Image><!--Mitre T1218-->
			<Image condition="image">Mavinject.exe</Image><!--Mitre T1218-->
			<Image name="Alert=Secure Shell Execution" condition="image">ssh.exe</Image><!-- SSH -->
			<Image name="Alert=Secure Shell Execution" condition="image">putty.exe</Image><!-- SSH -->
			<Image name="Alert=Secure Shell Execution" condition="image">kitty.exe</Image><!-- SSH -->
			<Image name="Alert=Secure Shell Execution" condition="image">kitty_portable.exe</Image><!-- SSH -->
			<Image name="Alert=Secure Shell FTP Execution" condition="image">psftp.exe</Image><!-- SFTP -->
			<Image name="Alert=TFTP Execution" condition="image">tftp.exe</Image><!-- TFTP -->
			<Image name="Note=WMI Querying" condition="image">wmic.exe</Image><!-- wmic /node logging -->
			<Image condition="image">nbtstat.exe</Image><!-- Netbios stat-->
			<Image name="Alert=Driver Querying" condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
			<Image condition="image">infDefaultInstall.exe</Image> <!--Microsoft: [ https://github.com/huntresslabs/evading-autoruns ] | Credit @KyleHanslovan -->
			<Image condition="image">sc.exe</Image><!-- Service Control Manager-->
			<Image condition="image">auditpol.exe</Image><!-- Auditpol-->
			<Image condition="image">qwinsta.exe</Image><!-- Query Remote Sessions-->
			<Image condition="image">rwinsta.exe</Image><!-- Reset Remote Sessions-->
			<Image name="Alert=Linux tools installed on windows" condition="image">curl.exe</Image>
			<Image name="Alert=Linux tools installed on windows" condition="image">wget.exe</Image>
			<Image name="Alert=Linux tools installed on windows" condition="image">www.exe</Image>
			<Image name="Alert=Linux tools installed on windows" condition="image">awk.exe</Image>
			<Image name="Alert=Linux tools installed on windows" condition="image">sed.exe</Image>
			<!--SECTION: Crypto Currency Miners-->
			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">stratum+tcp</CommandLine>
			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">coinhive</CommandLine>
			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">minergate</CommandLine>
			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">ccminer</CommandLine>
			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">cgminer</CommandLine>
			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">sgminer</CommandLine>
			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">rainbowminer</CommandLine>
			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">xmrMiner</CommandLine>
			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">poolpassword</CommandLine>
			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">poolurl</CommandLine>
			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">poolname</CommandLine>
			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">ahashpool</CommandLine>
			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">poolname</CommandLine>
			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">blazepool</CommandLine>
			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">blockmasters</CommandLine>
			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">blockmasterscoins</CommandLine>
			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">hashrefinery</CommandLine>
			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">miningpoolhubcoins</CommandLine>
			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">nicehash</CommandLine>
			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">yiimp</CommandLine>
			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">zergpool</CommandLine>
			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">zergpoolcoins</CommandLine>
			<CommandLine name="Alert=Crypto Currency Miner" condition="contains">zpool</CommandLine>
			<!--Tor-->
			<Image condition="image">tor.exe</Image><!-- Tor-->
			<!--                                                                                                                                            -->
			<!--Suspicious Command Line Locations-->
			<Image name="MitreRef=T1059,Technique=Command-Line Interface/Execution" condition="end with">.com</Image>
			<Image name="Info=Executables Launched In Temp" condition="contains">\temp\</Image>
			<Image name="Info=Executables Launched In User Dirs" condition="begin with">C:\users</Image>
			<ParentImage condition="image">explorer.exe</ParentImage>
			<Image condition="image">control.exe</Image>
			<Image condition="image">acrord32.exe</Image>
			<Image condition="image">installutil.exe</Image>
			<Image name="Info=Registry modification/queries" condition="image">\reg.exe</Image>
			<Image name="Info=ipconfig discovery" condition="image">ipconfig.exe</Image>
			<Image name="Info=Executables Launched In Appdata" condition="contains">\appdata\</Image>
			<Image condition="contains">\programdata\</Image>
			<Image condition="contains">\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
			<Image condition="contains">\ProgramData</Image>
			<Image condition="contains">\Windows\</Image>
			<Image condition="contains">\Perflogs\</Image>
			<Image condition="contains">\config\systemprofile\</Image>
			<!--Include Everything last to allow rules to apply and to allow previous exclude ruleset to function-->
			<CommandLine name="Note=Windows Firewall Modifications" condition="contains">netsh advfirewall firewall</CommandLine>
			<Image condition="contains">\</Image>
			<CommandLine name="Alert=Windows Defender Disabled" condition="contains">DisableRealtimeMonitoring </CommandLine>
			<CommandLine name="Alert=Ramnit Banker Malware!" condition="contains">--disable-http2 --disable-quic</CommandLine>
			<Hashes name="Alert=Ramnit Banker Malware!" condition="contains">291ff87948e45914424cec9510c297da</Hashes><!--Ramnit Banker Malware: https://www.virustotal.com/#/file/7f054300fa64e7bcdec7f5538876e6008d6164f21ff21c6375e36dfe04a63412/details-->
			<Hashes name="Alert=Ramnit Banker Malware!" condition="contains">304772c80b157a916c7041f2f15939fb</Hashes><!--Ramnit Banker Malware: https://www.virustotal.com/#/file/7f054300fa64e7bcdec7f5538876e6008d6164f21ff21c6375e36dfe04a63412/details-->
			<Hashes name="Alert=Docusign Spam/Phishing!" condition="contains">5E022694C0DBD1FBBC263D608E577949</Hashes><!--Docusign Spam:https://www.vkremez.com/2018/03/malware-spam-internals-docusign-spam.html -->
			<Hashes name="Alert=Gootkit Banker Malware!" condition="contains">71345b139166482acaa568ac8816c7bc</Hashes><!--Malware Traffic Internals: BlackTDS Leads to Gootkit Banking Malware Distribution: https://www.vkremez.com/2018/03/3-29-2018-malware-traffic-internals.html-->
			<Hashes name="Alert=Gootkit Banker Malware!" condition="contains">1b60021baedc3f9201bcdb40e9b87f62</Hashes><!--Malware Traffic Internals: BlackTDS Leads to Gootkit Banking Malware Distribution: https://www.vkremez.com/2018/03/3-29-2018-malware-traffic-internals.html-->
			<Hashes name="Alert=Gootkit Banker Malware!" condition="contains">c7c8d584758854bbe0d8e64ef53ae1a8</Hashes><!--Malware Traffic Internals: BlackTDS Leads to Gootkit Banking Malware Distribution: https://www.vkremez.com/2018/03/3-29-2018-malware-traffic-internals.html-->
		</ProcessCreate>
		<ProcessCreate onmatch="exclude">
			<!--SECTION: Microsoft Windows-->
			<IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Microsoft:Windows: Don't care about sandboxed processes-->
			<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
			<CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine> <!--Microsoft:Windows: Search Indexer-->
			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
			<Image condition="is">C:\Windows\System32\MusNotification.exe</Image> <!--Microsoft:Windows: Update popups-->
			<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image> <!--Microsoft:Windows: Update popups-->
			<Image condition="is">C:\Windows\System32\audiodg.exe</Image> <!--Microsoft:Windows: Launched constantly-->
			<Image condition="is">C:\Windows\System32\conhost.exe</Image> <!--Microsoft:Windows: Command line interface host process-->
			<Image condition="is">C:\Windows\System32\powercfg.exe</Image> <!--Microsoft:Power configuration management-->
			<Image condition="is">C:\Windows\System32\wbem\WmiApSrv.exe</Image> <!--Microsoft:Windows: WMI performance adpater host process-->
			<Image condition="is">C:\Windows\servicing\TrustedInstaller.exe</Image> <!--Microsoft:Windows: TrustedInstaller-->
			<Image condition="is">C:\Windows\system32\sppsvc.exe</Image> <!--Microsoft:Windows: Software Protection Service-->
			<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
			<CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine> <!--Microsoft:Windows-->
			<ParentCommandLine condition="begin with">C:\Windows\system32\svchost.exe -k DcomLaunch</ParentCommandLine> <!--Microsoft:Windows-->
			<ParentCommandLine condition="contains">\SystemRoot\System32\smss.exe 00000100 0000007c</ParentCommandLine> <!--Microsoft:Windows 10 Noise-->
			<CommandLine condition="contains">\SystemRoot\System32\smss.exe 00000100 0000007c</CommandLine> <!--Microsoft:Windows 10 Noise-->
			<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font Cache Service-->
			<ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!--Microsoft:Windows:CommandShell: Triggered when programs use the command shell, but without attribution-->
			<ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes-->
			<Image condition="is">C:\Windows\system32\vssvc.exe</Image><!-- Microsoft Windows: Volume Shadow Copy Service -->
			<CommandLine condition="contains">net.exe use</CommandLine> <!-- Silence domain login scripts -->
			<CommandLine condition="contains">net use</CommandLine> <!-- Silence domain login scripts -->
			<CommandLine condition="contains">net1 use</CommandLine> <!-- Silence domain login scripts -->
			<CommandLine condition="contains">net.exe time</CommandLine> <!-- Silence domain login scripts -->
			<CommandLine condition="contains">net time</CommandLine> <!-- Silence domain login scripts -->
			<CommandLine condition="contains">net1 time</CommandLine> <!-- Silence domain login scripts -->
			<!--SECTION: Microsoft:Windows:Defender-->
			<Image condition="begin with">C:\Program Files\Windows Defender</Image> <!--Microsoft:Windows:Defender in Win10-->
			<Image condition="end with">C:\Windows\System32\CompatTelRunner.exe</Image> <!--Microsoft:Windows:Customer Experience Improvement-->
			<Image condition="is">C:\Windows\System32\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
			<Image condition="is">C:\Windows\SysWOW64\wermgr.exe</Image> <!--Microsoft:Windows:Windows error reporting/telemetry-->
			<Image condition="is">C:\Windows\System32\MpSigStub.exe</Image> <!--Microsoft:Windows: Microsoft Malware Protection Signature Update Stub-->
			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Delta</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Engine</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
			<Image condition="begin with">C:\Windows\SoftwareDistribution\Download\Install\AM_Base</Image> <!--Microsoft:Windows: Microsoft Malware Protection Delta Updates-->
			<Image condition="is">C:\Windows\System32\MusNotification.exe</Image><!--Microsoft:Windows: Update Popups-->
			<Image condition="is">C:\Windows\System32\MusNotificationUx.exe</Image><!--Microsoft:Windows: Update Popups-->
			<CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine><!--Microsoft:Windows: Search Indexer-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k wsappx</CommandLine><!--Microsoft:Windows 10-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k appmodel</CommandLine><!--Microsoft:Windows 10-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k UnistackSvcGroup</CommandLine><!--Microsoft:Windows 10-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k defragsvc</CommandLine><!--Microsoft:Windows Defrag-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k RPCSS</CommandLine><!--Microsoft:Windows Services-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k utcsvc</CommandLine><!--Microsoft:Windows Services-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k wbioSvcGroup</CommandLine><!--Microsoft:Windows Services-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k DcomLaunch</CommandLine><!--Microsoft:Windows Services-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k swprv</CommandLine><!--Microsoft:Software Shadow Copy Provider-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k imgsvc</CommandLine><!--Microsoft:The Windows Image Acquisition Service-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k NetworkServiceNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc</CommandLine>
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc</CommandLine>
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localServiceNoNetwork</CommandLine>
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum</CommandLine>
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc</CommandLine>
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService</CommandLine>
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService</CommandLine>
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService</CommandLine>
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService</CommandLine>
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService</CommandLine>
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum</CommandLine>
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost</CommandLine>
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -p -s NcaSvc</CommandLine>
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC</CommandLine> <!--Microsoft:Windows:Network: BitLocker Drive Encryption-->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s BITS</CommandLine> <!--Microsoft:Windows:Network: Background Intelligent File Transfer (BITS) -->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc</CommandLine>
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc</CommandLine>
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s SENS</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s Themes</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt</CommandLine> <!--Microsoft:Windows: Windows Management Instrumentation (WMI) -->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs -s gpsvc</CommandLine> <!--Microsoft:Windows:Network: Group Policy -->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k netsvcs</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc</CommandLine>
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s Dnscache</CommandLine> <!--Microsoft:Windows:Network: DNS caching, other uses -->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation</CommandLine> <!--Microsoft:Windows:Network: "Workstation" service, used for SMB file-sharing connections and RDP-->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s NlaSvc</CommandLine> <!--Microsoft:Windows:Network: Network Location Awareness-->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService -s TermService</CommandLine> <!--Microsoft:Windows:Network: Terminal Services (RDP)-->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkService</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted</CommandLine> <!--Microsoft:Windows: Network services-->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k rPCSS</CommandLine> <!--Microsoft:Windows Services-->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k secsvcs</CommandLine>
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k swprv</CommandLine> <!--Microsoft:Software Shadow Copy Provider-->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k unistackSvcGroup</CommandLine> <!--Microsoft:Windows 10-->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k utcsvc</CommandLine> <!--Microsoft:Windows Services-->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k wbioSvcGroup</CommandLine> <!--Microsoft:Windows Services-->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k werSvcGroup</CommandLine> <!--Microsoft:Windows: ErrorReporting-->
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC</CommandLine>
			<CommandLine condition="end with">C:\Windows\system32\svchost.exe -k wsappx</CommandLine> <!--Microsoft:Windows 10-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted</CommandLine><!--Microsoft:Windows Network Services-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation</CommandLine><!--Microsoft:Windows Network Services-->
			<CommandLine condition="is">C:\Windows\system32\svchost.exe -k NetworkService</CommandLine><!--Microsoft:Windows Network Services-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</CommandLine><!--Microsoft:Windows Network Services-->
			<CommandLine condition="is">C:\WINDOWS\system32\svchost.exe -k GPSvcGroup</CommandLine><!--Microsoft:Windows Network Services-->
			<CommandLine condition="is">C:\Windows\System32\svchost.exe -k tapisrv</CommandLine><!--Microsoft:Windows Network Services-->
			<ParentCommandLine condition="is">C:\WINDOWS\System32\svchost.exe -k wsappx</ParentCommandLine> <!-- Windows 10 AppX Deployment Noise -->
			<ParentCommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs</ParentCommandLine><!--Microsoft:Windows Network Services: Spawns Consent.exe-->
			<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted</ParentCommandLine><!--Microsoft:Windows Network Services-->
			<Image condition="is">C:\Windows\System32\powercfg.exe</Image><!--Microsoft:Power Management-->
			<ParentImage condition="is">C:\Windows\System32\taskeng.exe</ParentImage><!--Microsoft:Scheduled Task noise, we already detect creation-->
			<!--SECTION: Microsoft dotNet-->
			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
			<Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image> <!--Microsoft:Windows: Font cache service-->
			<ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage> <!--Microsoft:DotNet-->
			<CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</CommandLine> <!--Microsoft:DotNet-->
			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
			<ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage> <!--Microsoft:DotNet-->
			<ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
			<!--SECTION: Microsoft Office-->
			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!--Microsoft:Office: Background process-->
			<ParentImage condition="end with">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage> <!--Microsoft:Office: Background process-->
			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE</Image> <!--Microsoft:Office: Background process-->
			<Image condition="is">C:\Program Files\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process-->
			<Image condition="is">C:\Program Files\Microsoft Office\Office15\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process for SharePoint/Office365 connectivity-->
			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE</Image> <!--Microsoft:Office: Background process-->
			<Image condition="is">C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>
			<Image condition="is">C:\Windows\splwow64.exe</Image> <!--Microsoft:Office: Print Driver Host spam -->
			<!--SECTION: Microsoft:Windows: Media player-->
			<Image condition="is">C:\Program Files\Windows Media Player\wmpnscfg.exe</Image> <!--Microsoft:Windows: Windows Media Player Network Sharing Service Configuration Application-->
			<!--SECTION: Microsoft Exchange-->
			<ParentImage condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe</ParentImage>
			<ParentImage condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe</ParentImage>
			<CommandLine condition="contains">C:\Program Files\Microsoft\Exchange Server\V14\Scripts\CheckDatabaseRedundancy.ps1</CommandLine>
			<!--SECTION: Microsoft Misc-->
			<Image condition="is">C:\Windows\System32\ddpcli.exe</Image> <!--Scheduled dedupe jobs on server 2012-->
			<!--SECTION: Google-->
			<CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
			<CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine> <!--Google:Chrome: massive command-line arguments-->
			<Image condition="begin with">C:\Program Files (x86)\Google\Update\</Image> <!--Google:Chrome: Updater-->
			<ParentImage condition="begin with">C:\Program Files (x86)\Google\Update\</ParentImage> <!--Google:Chrome: Updater-->
			<!--SECTION: Firefox-->
			<CommandLine condition="begin with">"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox: Large command-line arguments | Credit @Darkbat91 -->
			<CommandLine condition="begin with">"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel</CommandLine> <!-- Mozilla:Firefox: Large command-line arguments | Credit @Darkbat91 -->
			<!--SECTION: Adobe-->
			<CommandLine condition="contains">AcroRd32.exe" /CR </CommandLine> <!--Adobe:AcrobatReader: Uninsteresting sandbox subprocess-->
			<CommandLine condition="contains">AcroRd32.exe" --channel=</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
			<CommandLine condition="contains">"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /id</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
			<CommandLine condition="contains">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /ac /id</CommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
			<ParentCommandLine condition="contains">"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id</ParentCommandLine> <!--Adobe:AcrobatReader: Uninteresting sandbox subprocess-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe</ParentImage>
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image>
			<!--SECTION: Adobe:Acrobat DC-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
			<!--SECTION: Adobe:Acrobat 2015-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\AcroCEF\AcroCEF.exe</Image> <!--Adobe:Acrobat: Sandbox subprocess, still evaluating security exposure-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat 2015\Acrobat\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
			<!--SECTION: Adobe:Acrobat Reader DC-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image> <!--Adobe:AcrobatReader: Sandbox subprocess, still evaluating security exposure-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe</Image> <!--Adobe: Telemetry [ https://forums.adobe.com/thread/1006701 ] -->
			<!--SECTION: Adobe:Flash-->
			<Image condition="end with">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image> <!--Adobe:Flash: Properly hardened updater, not a risk-->
			<!--SECTION: Adobe:Updater-->
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</ParentImage> <!--Adobe:Updater: Properly hardened updater, not a risk-->
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe</Image> <!--Adobe:Updater: Properly hardened updater, not a risk-->
			<!--SECTION: Adobe:Supporting processes-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe</Image>
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe</Image>
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe</Image> <!--Adobe:Creative Cloud-->
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe</Image> <!--Adobe:License utility-->
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</Image> <!--Adobe:License utility-->
			<ParentImage condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe</ParentImage> <!--Adobe:License utility-->
			<Image condition="end with">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</Image>
			<ParentImage condition="is">C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe</ParentImage>
			<!--SECTION: Adobe:Creative Cloud-->
			<!--SECTION: Cisco-->
			<ParentImage condition="end with">C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe</ParentImage> <!--Cisco: Calls netsh to change settings on connect-->
			<Image condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</Image>
			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe</ParentImage>
			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe</ParentImage>
			<ParentImage condition="end with">C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe</ParentImage>
			<!--SECTION: Drivers-->
			<CommandLine condition="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{</CommandLine>
			<Image condition="begin with">C:\Program Files\NVIDIA Corporation\</Image> <!--Nvidia:Driver: routine actions-->
			<Image condition="end with">\NVIDIA\NvBackend\ApplicationOntology\OAWrapper.exe</Image> <!--Nvidia:Driver: routine actions-->
			<ParentImage condition="is">C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamuseragent.exe</ParentImage> <!--Nvidia:Driver: routine actions-->
			<Image condition="begin with">C:\Program Files\Realtek\</Image> <!--Realtek:Driver: routine actions-->
			<ParentImage condition="end with">C:\Program Files\DellTPad\HidMonitorSvc.exe</ParentImage>
			<CommandLine condition="begin with">"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{</CommandLine>
			<ParentImage condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</ParentImage><!--Synaptics Touchpad -->
			<ParentImage condition="end with">C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe</ParentImage> <!--Realtek:Driver: routine actions-->
			<!--SECTION: Dropbox-->
			<Image condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</Image> <!--Dropbox:Updater: Lots of command-line arguments-->
			<ParentImage condition="end with">C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe</ParentImage>
			<!--SECTION: Dell-->
			<ParentImage condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> <!--Dell:CommandUpdate: Detection process-->
			<Image condition="is">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image> <!--Dell:SupportAssist: routine actions-->
			<Image condition="is">C:\Program Files\Dell\SupportAssist\koala.exe</Image> <!--Dell:SupportAssist: routine actions-->
			<ParentCommandLine condition="end with">"-outc=C:\ProgramData\Dell\CommandUpdate\inventory.xml" "-logc=C:\ProgramData\Dell\CommandUpdate\scanerrs.xml" "-lang=en" "-enc=UTF-16" </ParentCommandLine>			
			<!-- <ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> --> <!--Dell:CommandUpdate: Detection process-->
			<!--SECTION: Lenovo-->
			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\ConfigService.exe</Image> <!--Lenovo: System Update-->
			<ParentImage condition="is">C:\PROGRA~3\Lenovo\SYSTEM~1\SESSIO~1\REPOSI~1\fwdphb06\fwdphb06_version.exe</ParentImage><!--Lenovo: System Update-->
			<Image condition="is">C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe</Image><!--Lenovo: Thinkpad Utilities-->
			<Image condition="is">C:\Windows\system32\LPlatSvc.exe</Image> <!--Lenovo: Platform Services-->
			<ParentImage condition="is">C:\Program Files\Lenovo\HOTKEY\tphkload.exe</ParentImage><!--Lenovo: Hotkey Tools-->
			<ParentImage condition="is">C:\Program Files\Lenovo\HOTKEY\micmute.exe</ParentImage><!--Lenovo: Hotkey Tools-->
			<Image condition="is">C:\Program Files\Lenovo\InstantOn\InstantOnSrv.exe</Image> <!--Lenovo: Instant-On-->
			<Image condition="is">C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelService.exe</Image> <!--Lenovo: Mouse Suite-->
			<Image condition="is">C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</Image> <!--Lenovo: Modern Apps Plugin Host-->
			<ParentCommandLine condition="contains">C:\Program Files\Lenovo\iMController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</ParentCommandLine> <!--Lenovo: Modern Apps Plugin Host-->
			<ParentCommandLine condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsukernel.exe</ParentCommandLine> <!--Lenovo: System Update-->
			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\UACSdk.exe</ParentImage> <!--Lenovo: System Update-->
			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\SUService.exe</ParentImage> <!--Lenovo: System Update-->
			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Ultraslim Plus Wireless Keyboard &amp; Mouse\Pelico.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Ultraslim Plus Wireless Keyboard &amp; Mouse\LeDaemon.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.exe</ParentImage> <!--Lenovo: Mouse & Keyboard Tools-->
			<ParentImage condition="contains">C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelElvDm.exe</ParentImage>
			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsuShim.exe</ParentImage>
			<ParentImage condition="contains">C:\Program Files (x86)\Lenovo\System Update\tvsu.exe</ParentImage>
			<Image condition="contains">C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe</Image>
			<!--SECTION: MSI: Micro-Star International Computers-->
			<ParentImage condition="is">C:\Program Files (x86)\SCM\SCM.exe</ParentImage><!--MSI: Hotkey & Power Management-->
			<Image condition="is">C:\Program Files (x86)\SCM\SCM_Notice.exe</Image><!--MSI: Hotkey & Power Management-->
			<Image condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</Image><!-- MSI: Helpdesk Updater-->
			<ParentImage condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</ParentImage><!-- MSI: Helpdesk Updater-->
			<Image condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</Image><!-- MSI: Dragon Center Updater-->
			<ParentImage condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</ParentImage><!-- MSI: Dragon Center Updater-->
			<!--SECTION: Intel-->
			<Image condition="is">C:\Program Files\Intel\Telemetry 2.0\lrio.exe</Image> <!--Intel: Telemetry-->
			<Image condition="is">C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe</Image> <!--Intel: Driver Update-->
			<Image condition="is">C:\Windows\System32\DriverStore\FileRepository\ki120591.inf_amd64_7a2f7b04e15632c2\igfxCUIService.exe</Image><!--Intel: Graphics Driver-->
			<Image condition="is">C:\Windows\System32\DriverStore\FileRepository\ki120591.inf_amd64_7a2f7b04e15632c2\igfxEM.exe</Image><!--Intel: Graphics Driver-->
			<!--SECTION: Antivirus-->
			<CommandLine condition="begin with">"C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",SynProc</CommandLine> <!--Webroot-->
			<CommandLine condition="contains">C:\Program Files (x86)\Webroot\WRSA.exe" -ul</CommandLine> <!--Webroot-->
			<ParentCommandLine condition="is">"C:\Program Files (x86)\Webroot\WRSA.exe" -service</ParentCommandLine> <!--Webroot-->
			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image><!--Webroot-->
			<!--SECTION: Synaptics Touchpad-->
			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</Image>
			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe</Image>
			<!--SECTION: Custom Apps-->
			<Image condition="end with">ScreenConnect.WindowsClient.exe</Image><!--Screenconnect Remote Desktop Client-->
			<Image condition="begin with">C:\Program Files (x86)\SmartGit</Image> <!--SmartGit-->
			<ParentImage condition="begin with">C:\Program Files (x86)\SmartGit</ParentImage> <!--SmartGit-->
			<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--Vivaldi Browser-->
			<Image condition="end with">controls\cef\ConnectWise.exe</Image> <!--Connectwise-->
			<!-- VMware vSphere spawns child processes to svtres.exe and csc.exe, currently unable to exclude those child processes, csc and cvtres.exe are used by some malware-->
			<ParentCommandLine condition="contains">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</ParentCommandLine> <!--VMware vSphere spawns subprocesses-->
			<CommandLine condition="contains">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</CommandLine><!--VMware vSphere spawns subprocesses-->
			<ParentImage condition="is">C:\Program Files (x86)\SyncedTool\bin\agent_service.exe</ParentImage><!--eFolder Synced Tool-->
			<Image condition="is">C:\Program Files (x86)\Notepad++\notepad++.exe</Image><!-- Notepad++ -->
			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn-gui.exe</Image>
			<ParentImage condition="is">C:\Program Files (x86)\Enpass\Enpass.exe</ParentImage> <!--Enpass Password Manager-->
			<Image condition="contains">C:\Program Files (x86)\Enpass\Enpass.exe</Image> <!--Enpass Password Manager-->
			<ParentImage condition="image">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</ParentImage> <!--Dell:CommandUpdate: Detection process-->
			<ParentImage condition="contains">C:\Program Files (x86)\Fortinet\FortiClient\scheduler.exe</ParentImage> <!--FortiClient Noise -->
			<ParentImage condition="contains">C:\Program Files (x86)\Fortinet\FortiClient\FCHelper64.exe</ParentImage> <!--FortiClient Noise -->
			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image> <!-- Forticlient Updater -->
			<Image condition="contains">C:\Program Files (x86)\SyncedTool\bin\agent_gui.exe</Image>
			<Image condition="is">C:\Anchor Server\penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->
			<ParentImage condition="is">C:\Anchor Server\redis\redis-server.exe</ParentImage> <!-- eFolder Anchor Server -->
			<Image condition="is">C:\Anchor Server\redis\redis-server.exe</Image> <!-- eFolder Anchor Server -->
			<ParentImage condition="is">C:\PostgreSQL9.1\bin\postgres.exe</ParentImage> <!-- eFolder Anchor Server -->
			<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Anchor Server -->
			<Image condition="is">C:\ProgramData\sysmon\sysmon64.exe</Image> <!-- Exclude Sysmon Process events -->
			<!--Exclude: MSPaint.exe-->
			<Hashes condition="contains">56BFB300BA379181CE09C3130775DFBBCAFF9DB764BDC39086C2FEC2547EE900</Hashes>
			<!--Exclude: N-Able/N-Central-->
			<Image condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\bitsadmin.exe</Image>
			<Image condition="is">C:\Program Files\N-able Technologies\Windows Agent\bin\bitsadmin.exe</Image>
			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin\wsp.exe</ParentImage>
			<ParentCommandLine condition="contains">N-able Technologies\Windows Software Probe\bin\wsp.exe</ParentCommandLine>
			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe</ParentImage>
			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\AutomationManager.ScriptRunner64.exe</ParentImage>			
			<Image condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\AutomationManager.ScriptRunner64.exe</Image>			
			<ParentImage condition="is">C:\Program Files\N-able Technologies\AVDefender\installer\installer.exe	</ParentImage>
			<ParentImage condition="is">C:\Program Files\N-able Technologies\AVDefender\epupdateservice.exe</ParentImage>
			<ParentImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\ShadowProtectDataReader.exe</ParentImage>
			<Hashes condition="contains">3070E798134A11ADB01129F06A36CD924267E6DA95DAB2E3196105264D2BF818</Hashes><!--Winlogbeat-->
			<!--Exclude: Sysmon Auto-Update-->
			<ParentCommandLine condition="contains">\sysmon\Auto_Update.bat</ParentCommandLine>
			<CommandLine condition="contains">\sysmon\Auto_Update.bat</CommandLine>
			<CommandLine condition="contains">ion-storm/sysmon-config</CommandLine>
			 <!--Exclude: Netlogon scripts-->
			<ParentCommandLine name="MitreRef=T1037,Technique=Logon Scripts,Tactic=Lateral Movement Persistence" condition="contains">\netlogon\</ParentCommandLine>
			<CommandLine condition="contains">\netlogon\</CommandLine>
			<ParentImage condition="is">C:\PROGRA~2\SAAZOD\SAAZMSMACTL.EXE</ParentImage>
			 <!--Exclude: Too noisy in a domain environment with legacy logon scripts-->
			<CommandLine condition="contains">net use</CommandLine>
			<CommandLine condition="contains">net.exe use</CommandLine>
			<CommandLine condition="contains">net1 use</CommandLine>
			<CommandLine condition="contains">net1.exe use</CommandLine>
			<CommandLine condition="contains">net time</CommandLine>
			<CommandLine condition="contains">net.exe time</CommandLine>
			<CommandLine condition="contains">net1 time</CommandLine>
			<CommandLine condition="contains">C:\Windows\system32\cmd.exe /c UsrLogon.cmd</CommandLine>
			<ParentImage condition="is">C:\Program Files (x86)\MaaS360\Cloud Extender\EMSAgent.exe</ParentImage>
			<ParentImage condition="is">C:\Program Files\Octopus Deploy\Tentacle\Tentacle.exe</ParentImage>
			<CommandLine condition="contains">chrome.nativeMessaging.out</CommandLine>
		</ProcessCreate>

	<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
		<!--COMMENT:	[ https://attack.mitre.org/wiki/Technique/T1099 ] -->

		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime-->
		<FileCreateTime onmatch="include">
			<Image name="MitreRef=T1099,Technique=Timestomp,Tactic=Defense Evasion,Alert=Timestomp/File creation time retroactively changed!" condition="begin with">C:\Users</Image> <!--Look for timestomping in user area-->
			<Image name="MitreRef=T1099,Technique=Timestomp,Tactic=Defense Evasion,Alert=Timestomp/File creation time retroactively changed!" condition="begin with">C:\ProgramData</Image> <!--Look for timestomping in user area-->
			<Image name="MitreRef=T1099,Technique=Timestomp,Tactic=Defense Evasion,Alert=Timestomp/File creation time retroactively changed!" condition="contains">\Temp\</Image> <!--Mitre T1099--><!--Look for timestomping in temp folders-->
		</FileCreateTime>

		<FileCreateTime onmatch="exclude">
			<Image condition="image">C:\Windows\system32\backgroundTaskHost.exe</Image>
			<Image condition="is">TrustedInstaller.exe</Image> <!--Ignore setups-->
			<Image condition="image">OneDrive.exe</Image> <!--OneDrive constantly changes file times-->
			<Image condition="image">vivaldi.exe</Image> <!--Vivaldi constantly changes file times-->
			<Image condition="image">chrome.exe</Image> <!--Chrome constantly changes file times-->
			<Image condition="image">C:\WINDOWS\system32\backgroundTaskHost.exe</Image> <!--Chrome constantly changes file times-->
			<Image condition="contains">setup</Image> <!--Ignore setups-->
		</FileCreateTime>

	<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED [NetworkConnect]-->
		<!--COMMENT:	By default this configuration takes a very conservative approach to network logging, limited to only extremely high-signal events.-->
		<!--COMMENT:	[ https://attack.mitre.org/wiki/Command_and_Control ] [ https://attack.mitre.org/wiki/Exfiltration ] [ https://attack.mitre.org/wiki/Lateral_Movement ] -->
		<!--TECHNICAL:	For the DestinationHostname, Sysmon uses the GetNameInfo API, which will often not have any information, and may just be a CDN. This is NOT reliable for filtering.-->
		<!--TECHNICAL:	For the DestinationPortName, Sysmon uses the GetNameInfo API for the friendly name of ports you see in logs.-->
		<!--TECHNICAL:	These exe do not initiate their connections, and thus including does not work in this section: BITSADMIN.exe-->

		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpV6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName-->
		<NetworkConnect onmatch="include">
			<!--Suspicious sources for network-connecting binaries-->
			<Image condition="begin with">C:\Users</Image> <!--Tools downloaded by users can use other processes for networking, but this is a very valuable indicator.-->
			<Image name="Alert=Temp file location network connection,suspicious_net_event=True" condition="contains">\temp\</Image> <!--Network Connection in Temp Directories-->
			<Image name="Alert=Network connection in Recycle Bin,suspicious_net_event=True" condition="contains">$RECYCLE.BIN</Image> <!--Network Connection in Temp Directories-->
			<Image condition="begin with">C:\ProgramData</Image> <!--Normally, network communications should be sourced from "Program Files" not from ProgramData, something to look at-->
			<Image condition="begin with">C:\Perflogs\</Image>
			<Image condition="contains">config\systemprofile\</Image>
			<Image condition="contains">\Windows\Fonts\</Image>
			<Image condition="contains">\Windows\IME\</Image>
			<Image name="Alert=Network connection in addins,suspicious_net_event=True" condition="contains">\Windows\addins\</Image>
			<Image condition="contains">chrome.exe</Image>
			<Image condition="contains">iexplore.exe</Image>
			<Image condition="contains">firefox.exe</Image>
			<Image condition="contains">MicrosoftEdgeCP.exe</Image>
			<Image condition="contains">MicrosoftEdge.exe</Image>
			<Image condition="contains">explorer.exe</Image>
			<!--<Image name="Info=Non-Exe Connecting to network" condition="excludes">.exe</Image>-->
			<Image name="Info=Unknown Process Connecting to network" condition="contains">unknown process</Image>
			<!--Suspicious Windows tools-->
			<Image name="Alert=AT.EXE Task Scheduler Network Connection,suspicious_net_event=True" condition="image">at.exe</Image> <!--Microsoft:Windows: Remote task scheduling | Credit @ion-storm -->
			<Image name="Alert=SCHTasks.exe Task Scheduler Network Connection,suspicious_net_event=True" condition="image">schtasks.exe</Image> <!--Microsoft:Windows: Remote task scheduling | Credit @ion-storm -->
			<Image name="Alert=Certutil Connecting to network,suspicious_net_event=True" condition="image">certutil.exe</Image> <!--Microsoft:Windows: Certificate tool can contact outbound | Credit @ion-storm and @FVT [ https://twitter.com/FVT/status/834433734602530817 ] -->
			<Image name="Alert=CMD Prompt network Connection,suspicious_net_event=True" condition="image">cmd.exe</Image> <!--Microsoft:Windows: Command prompt-->
			<Image name="Alert=Cscript network Connection,suspicious_net_event=True" condition="image">cscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @Neo23x0 [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
			<Image name="Alert=WSCRIPT Network connection,suspicious_net_event=True" condition="image">wscript.exe</Image><Image condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
			<Image condition="image">rundll32.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ] -->
			<Image condition="image">notepad.exe</Image> <!--Microsoft:Windows: [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ] -->
			<Image condition="image">regsvr32.exe</Image> <!--Microsoft:Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ] -->
			<Image condition="image">regsvcs.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/3f94d7080e6c5b8f59eeecc3d44f7e817b31562caeba21d02ad705a0bfc63d67?environmentId=100 ] -->
			<Image condition="image">C:\Windows\system32\svchost.exe</Image> <!--Windows Services hidden by Svchost.exe, BITS File Transfer program-->
			<Image name="Alert=MSHTA Network Connection,suspicious_net_event=True" condition="image">mshta.exe</Image>
			<Image name="Info=Powershell Network Connection,suspicious_net_event=True" condition="image">powershell.exe</Image> <!--Microsoft:WindowsPowerShell: | Credit @Cyb3rOps -->
			<Image condition="contains">psexe</Image><!--Detect PSExec, PSexec services-->
			<Image condition="contains">pskill</Image><!--Detect pskill-->
			<Image condition="contains">psshutdown</Image><!--Detect PsShutdown-->
			<Image condition="contains">psservice</Image><!--Detect PsService-->
			<Image condition="contains">PsPasswd</Image><!--Detect PsPasswd-->
			<Image condition="image">java.exe</Image>
			<Image condition="image">msbuild.exe</Image> <!--Microsoft:Windows: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
			<Image condition="image">installutil.exe</Image>
			<Image name="Alert=MSIExec Network connection,suspicious_net_event=True" condition="image">msiexec.exe</Image> <!-- msiexec /i http://pathtomsi -->
			<Image name="Alert=REG.EXE Network Connection,suspicious_net_event=True" condition="image">reg.exe</Image><!-- Remote Registry -->
			<Image condition="image">mstsc.exe</Image><!-- Remote Desktop -->
			<Image name="Alert=Telnet Connection,suspicious_net_event=True" condition="image">telnet.exe</Image><!-- Telnet -->
			<Image condition="image">SyncAppvPublishingServer.exe</Image><!--Mitre T1218-->
			<Image condition="image">Mavinject.exe</Image><!--Mitre T1218-->
			<Image name="Alert=SSH Connection with ssh.exe,suspicious_net_event=True" condition="image">ssh.exe</Image><!-- SSH -->
			<Image name="Alert=SSH Connection with Putty,suspicious_net_event=True" condition="image">putty.exe</Image><!-- SSH -->
			<Image name="Alert=SSH Connection with Kitty,suspicious_net_event=True" condition="image">kitty.exe</Image><!-- SSH -->
			<Image name="Alert=SSH Connection with Kitty,suspicious_net_event=True" condition="image">kitty_portable.exe</Image><!-- SSH -->
			<Image name="Alert=PSFTP Connection" condition="image">psftp.exe</Image><!-- SFTP -->
			<Image name="Alert=PSFTP Connection" condition="image">tftp.exe</Image><!-- TFTP -->
			<Image condition="image">wmic.exe</Image><!-- wmic /node logging -->
			<Image condition="image">net.exe</Image><!-- net use/net view-->
			<Image name="Alert=NBTSTAT Query" condition="image">nbtstat.exe</Image><!-- Netbios stat-->
			<Image condition="image">dsquery.exe</Image><!-- Query domain-->
			<Image condition="image">driverquery.exe</Image><!-- Remote Driver querying-->
			<Image condition="image">infDefaultInstall.exe</Image> <!--Microsoft: [ https://github.com/huntresslabs/evading-autoruns ] | Credit @KyleHanslovan -->
			<Image name="Alert=SC.exe Network Connection,suspicious_net_event=True" condition="image">sc.exe</Image><!-- Service Control Manager-->
			<Image condition="image">auditpol.exe</Image><!-- Auditpol-->
			<Image name="Alert=User enumeration,suspicious_net_event=True" condition="image">qwinsta.exe</Image><!-- Query Remote Sessions-->
			<Image condition="image">rwinsta.exe</Image><!-- Reset Remote Sessions-->
			<!--Tor-->
			<Image name="Alert=Tor Connection" condition="image">tor.exe</Image>
			<DestinationIp name="Alert=Tor Connection" condition="is">185.41.154.130</DestinationIp>
			<DestinationIp name="Alert=Tor Connection" condition="is">37.252.190.176</DestinationIp>
			<DestinationIp name="Alert=Tor Connection" condition="is">82.118.17.235</DestinationIp>
			<DestinationIp name="Alert=Tor Connection" condition="is">83.163.164.15</DestinationIp>
			<DestinationIp name="Alert=Tor Connection" condition="is">69.163.34.173</DestinationIp>
			<DestinationIp name="Alert=Tor Connection" condition="is">159.89.151.231</DestinationIp>
			<DestinationIp name="Alert=Tor Connection" condition="is">212.47.246.229</DestinationIp>
			<DestinationIp name="Alert=Tor Connection" condition="is">84.40.112.70</DestinationIp>
			<DestinationIp name="Alert=Tor Connection" condition="is">2.137.16.245</DestinationIp>
			<DestinationIp name="Alert=Tor Connection" condition="is">199.249.223.62</DestinationIp>
			<DestinationIp name="Alert=Tor Connection" condition="is">185.22.172.237</DestinationIp>
			<DestinationIp name="Alert=Tor Connection" condition="is">88.99.216.194</DestinationIp>
			<DestinationIp name="Alert=Tor Connection" condition="is">185.13.39.197</DestinationIp>
			<DestinationIp name="Alert=Tor Connection" condition="is">162.247.72.201</DestinationIp>
			<DestinationIp name="Alert=Tor Connection" condition="is">174.127.217.73</DestinationIp>
			<!-- Tor-->
			<!--Hack tools hosting-->
			<DestinationHostname name="Alert=Connection to Github,suspicious_net_event=True" condition="contains">githubusercontent.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
			<DestinationHostname name="Alert=Connection to Github,suspicious_net_event=True" condition="contains">github.com</DestinationHostname> <!--Github: Malicious tools often loaded from here, not used except by developers-->
			<!--Suspicious destinations-->
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">api.ipify.org</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">whatismyipaddress.com</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">edns.ip-api.com</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">checkip.dyndns.org</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">icanhazip.com</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ifconfig.me</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ifconfig.co</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ipaddress.com</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ipinfo.io</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ident.me</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">api.ip.sb</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">www.myexternalip.com</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ip.anysrc.net</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">wtfismyip.com</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">myexternalip.com</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">api.ip.sb</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ipecho.net</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">checkip.amazonaws.com</DestinationHostname> <!--Malware uses to get external IP address-->
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">goo.gl</DestinationHostname>
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">git.io</DestinationHostname>
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">bit.ly</DestinationHostname>
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">t.co</DestinationHostname>
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ow.ly</DestinationHostname>
			<DestinationHostname name="Alert=Malware IP Check,suspicious_net_event=True" condition="begin with">ip-api.com</DestinationHostname> <!--Ransomware using ip-api for geolocation tracking-->
			<!--Dynamic DNS Providers-->
			<DestinationHostname condition="contains">dlinkddns.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="contains">no-ip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="contains">no-ip.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="contains">no-ip.biz</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="contains">no-ip.info</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="contains">noip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="contains">afraid.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="contains">duckdns.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="contains">changeip.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="contains">ddns.net</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="contains">hopto.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="contains">zapto.org</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="contains">servehttp.com</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<DestinationHostname condition="contains">sytes.net</DestinationHostname> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<!--Tor2Web Providers-->
			<DestinationHostname condition="contains">onion.to</DestinationHostname>
			<DestinationHostname condition="contains">onion.cab</DestinationHostname>
			<DestinationHostname condition="contains">onion.sh</DestinationHostname>
			<DestinationHostname condition="contains">onion.nu</DestinationHostname>
			<DestinationHostname condition="contains">onion.direct</DestinationHostname>
			<DestinationHostname condition="contains">tor2web.org</DestinationHostname>
			<DestinationHostname condition="contains">tor2web.fi</DestinationHostname>
			<DestinationHostname condition="contains">tor2web.io</DestinationHostname>
			<DestinationHostname condition="contains">tor2web.blutmagie.de</DestinationHostname>
			<DestinationHostname condition="contains">tor-gateways.de</DestinationHostname>
			<DestinationHostname condition="contains">hiddenservice.net</DestinationHostname>
			<!--Public Port Scan Detection-->
			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">shodan</DestinationHostname>
			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">shadow</DestinationHostname>
			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">researchscan</DestinationHostname>
			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">census</DestinationHostname>
			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">sl-reverse</DestinationHostname>
			<DestinationHostname name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">scanhub</DestinationHostname>
			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">.edu</DestinationIp>
			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">158.130.6.</DestinationIp>
			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">71.6.216.</DestinationIp>
			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">137.226.113.</DestinationIp>
			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">138.246.252.</DestinationIp>
			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">128.32.30.</DestinationIp>
			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">208.93.152.</DestinationIp>
			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">162.216.46.</DestinationIp>
			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">169.229.3.</DestinationIp>
			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">155.94.254.</DestinationIp>
			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">98.143.148.</DestinationIp>
			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">155.94.222.</DestinationIp>
			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">134.147.203.</DestinationIp>
			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">69.170.62.</DestinationIp>
			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">159.203.213.</DestinationIp>
			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">209.236.120.</DestinationIp>
			<DestinationIp name="MitreRef=T1046,Technique=Network Service Scanning/Reconnaissance,Tactic=Discovery" condition="contains">158.130.6</DestinationIp>
			<!--Crypto Currency Mining pools-->
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">blazepool</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">blockmasters</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">blockmasterscoins</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">hashrefinery</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">miningpoolhubcoins</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">nicehash</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">yiimp</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">zergpool</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">zergpoolcoins</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">zpool</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">slushpool</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">minexmr</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">minergate</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">monero</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">prohash</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">dwarfpool</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">nanopool.org</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mixpools.org</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">viaxmr.com</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">hashvault.pro</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">moriaxmr.com</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">suprnova.cc</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mixpools.org</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">monero</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">usxmrpool</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">xmrpool</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">poolto.be</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mineXMR</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">prohash.net</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mine.bz</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mypool.online</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">bohemianpool</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mineXMR</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">iwanttoearn.money</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">pool.xmr</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">crypto-pool</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">miners.pro</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">minercircle.com</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">monero.lindon-pool.win</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">teracycle.net</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">ratchetmining.com</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">cryptmonero</DestinationHostname>
			<DestinationHostname name="Alert=Crypto Currency Miner" condition="contains">mineXMR</DestinationHostname>
			<!--Ports-->
			<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=1043" condition="is">80</DestinationPort>
			<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=1043" condition="is">443</DestinationPort>
			<DestinationPort name="Service=Remote Desktop Connection" condition="is">3389</DestinationPort>
			<DestinationPort condition="is">3540</DestinationPort> <!--Remote Assistance Port-->
			<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=1043" condition="is">22</DestinationPort>
			<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=1043" condition="is">23</DestinationPort>
			<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=1043" condition="is">25</DestinationPort>
			<DestinationPort name="Technique=Commonly Used Port,Tactic=Command and Control,MitreRef=1043" condition="is">139</DestinationPort>
			<!--<DestinationPort condition="is">445</DestinationPort> SMB Port: Removed because of noise-->
			<DestinationPort name="Service=VNC" condition="is">5800</DestinationPort>
			<DestinationPort name="Service=VNC" condition="is">5900</DestinationPort>
			<DestinationPort name="Service=OpenVPN,suspicious_net_event=True" condition="is">1194</DestinationPort>
			<DestinationPort name="Service=L2TP,suspicious_net_event=True" condition="is">1701</DestinationPort>
			<DestinationPort name="Service=TOR,suspicious_net_event=True" condition="is">1723</DestinationPort>
			<DestinationPort name="Service=IPSec" condition="is">1293</DestinationPort>
			<DestinationPort name="Service=Tor,suspicious_net_event=True" condition="is">4500</DestinationPort>
			<DestinationPort name="Service=Socks Proxy Port" condition="is">1080</DestinationPort>
			<DestinationPort name="Service=Socks Proxy Port" condition="is">8080</DestinationPort>
			<DestinationPort name="Service=Socks Proxy Port" condition="is">3128</DestinationPort>
			<DestinationPort name="Service=Tor,suspicious_net_event=True" condition="is">9001</DestinationPort>
			<DestinationPort name="Service=Tor,suspicious_net_event=True" condition="is">9030</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4443</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">2448</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">8143</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1777</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1443</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">243</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">65535</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13506</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">3360</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">200</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">198</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">49180</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13507</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">3360</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">6625</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4444</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4438</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1904</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13505</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13504</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">12102</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">9631</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">5445</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">2443</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">777</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13394</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">13145</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">12103</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">5552</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">3939</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">3675</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">666</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">473</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">5649</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4455</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4433</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1817</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">100</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">65520</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1960</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">1515</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">743</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">700</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">14154</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">14103</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">14102</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">12322</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">10101</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">7210</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">4040</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo,suspicious_net_event=True" condition="is">9943</DestinationPort>
			<!--Ports: Threats-->
			<DestinationPort name="Info=Suspicious Ports: https://www.hybrid-analysis.com/search?query=port:7777,suspicious_net_event=True" condition="is">7777</DestinationPort>
			<DestinationPort name="Info=Suspicious Ports: https://www.hybrid-analysis.com/search?query=port:9943,suspicious_net_event=True" condition="is">9943</DestinationPort>
			<DestinationPort name="Note=Suspicious Ports: https://www.hybrid-analysis.com/search?query=port:666,suspicious_net_event=True" condition="is">666</DestinationPort>
		</NetworkConnect>
		<NetworkConnect onmatch="exclude">
			<!--SECTION: Microsoft -->
			<Image condition="is">C:\Windows\System32\dns.exe</Image> <!-- Exclude Microsoft DNS Server DNS requests -->
			<Image condition="is">C:\Windows\System32\find.exe</Image><!-- Oddly find.exe connects to localhost and creates spam -->
			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe</Image> <!-- Exclude Microsoft Exchange connecting to locahost -->
			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe</Image> <!--Exchange Transport-->
			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\EdgeTransport.exe</Image> <!--Exchange Edge Transport-->
			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe</Image>
			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe</Image>
			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe</Image>
			<!--Ignore Microsoft Connections-->
			<!--Microsoft Net Connections-->
			<!--Microsoft ASN IP Block-->
			<DestinationHostname condition="end with">aps.windows.com</DestinationHostname>
			<DestinationHostname condition="end with">arc.msn.com</DestinationHostname>
			<DestinationHostname condition="end with">arc.msn.com.nsatc.net</DestinationHostname>
			<DestinationHostname condition="end with">atson.telemetry.microsoft.com</DestinationHostname>
			<DestinationHostname condition="end with">au.download.windowsupdate.com</DestinationHostname>
			<DestinationHostname condition="end with">b.akamaiedge.net</DestinationHostname>
			<DestinationHostname condition="end with">bing.com</DestinationHostname>
			<DestinationHostname condition="end with">cdn.onenote.net</DestinationHostname>
			<DestinationHostname condition="end with">client-office365-tas.msedge.net</DestinationHostname>
			<DestinationHostname condition="end with">config.edge.skype.com</DestinationHostname>
			<DestinationHostname condition="end with">csp.digicert.com</DestinationHostname>
			<DestinationHostname condition="end with">ctldl.windowsupdate.com</DestinationHostname>
			<DestinationHostname condition="end with">cy2.licensing.md.mp.microsoft.com.akadns.net</DestinationHostname>
			<DestinationHostname condition="end with">cy2.settings.data.microsoft.com.akadns.net</DestinationHostname>
			<DestinationHostname condition="end with">displaycatalog.mp.microsoft.com</DestinationHostname>
			<DestinationHostname condition="end with">download.windowsupdate.com</DestinationHostname>
			<DestinationHostname condition="end with">e3.delivery.dsp.mp.microsoft.com.nsatc.net</DestinationHostname>
			<DestinationHostname condition="end with">e-msedge.net</DestinationHostname>
			<DestinationHostname condition="end with">emdl.ws.microsoft.com</DestinationHostname>
			<DestinationHostname condition="end with">ettings-win.data.microsoft.com</DestinationHostname>
			<DestinationHostname condition="end with">fe2.update.microsoft.com</DestinationHostname>
			<DestinationHostname condition="end with">fe3.delivery.dsp.mp.microsoft.com.nsatc.net</DestinationHostname>
			<DestinationHostname condition="end with">fe3.delivery.mp.microsoft.com</DestinationHostname>
			<DestinationHostname condition="end with">g.akamaiedge.net</DestinationHostname>
			<DestinationHostname condition="end with">g.live.com</DestinationHostname>
			<DestinationHostname condition="end with">g.msn.com.nsatc.net</DestinationHostname>
			<DestinationHostname condition="end with">geo-prod.do.dsp.mp.microsoft.com</DestinationHostname>
			<DestinationHostname condition="end with">geo-prod.dodsp.mp.microsoft.com.nsatc.net</DestinationHostname>
			<DestinationHostname condition="end with">ile-service.weather.microsoft.com</DestinationHostname>
			<DestinationHostname condition="end with">ip5.afdorigin-prod-am02.afdogw.com</DestinationHostname>
			<DestinationHostname condition="end with">ipv4.login.msa.akadns6.net</DestinationHostname>
			<DestinationHostname condition="end with">licensing.mp.microsoft.com</DestinationHostname>
			<DestinationHostname condition="end with">m3p.wns.notify.windows.com.akadns.net</DestinationHostname>
			<DestinationHostname condition="end with">modern.watson.data.microsoft.com.akadns.net</DestinationHostname>
			<DestinationHostname condition="end with">msn.com.nsatc.net</DestinationHostname>
			<DestinationHostname condition="end with">ocation-inference-westus.cloudapp.net</DestinationHostname>
			<DestinationHostname condition="end with">ocos-office365-s2s.msedge.net</DestinationHostname>
			<DestinationHostname condition="end with">ocsp.digicert.com</DestinationHostname>
			<DestinationHostname condition="end with">odern.watson.data.microsoft.com.akadns.net</DestinationHostname>
			<DestinationHostname condition="end with">oneclient.sfx.ms</DestinationHostname>
			<DestinationHostname condition="end with">pv4.login.msa.akadns6.net</DestinationHostname>
			<DestinationHostname condition="end with">query.prod.cms.rt.microsoft.com</DestinationHostname>
			<DestinationHostname condition="end with">ris.api.iris.microsoft.com</DestinationHostname>
			<DestinationHostname condition="end with">ris.api.iris.microsoft.com.akadns.net</DestinationHostname>
			<DestinationHostname condition="end with">s-msedge.net</DestinationHostname>
			<DestinationHostname condition="end with">settings.data.microsoft.com</DestinationHostname>
			<DestinationHostname condition="end with">sfe.trafficshaping.dsp.mp.microsoft.com</DestinationHostname>
			<DestinationHostname condition="end with">sls.update.microsoft.com</DestinationHostname>
			<DestinationHostname condition="end with">storecatalogrevocation.storequality.microsoft.com</DestinationHostname>
			<DestinationHostname condition="end with">storeedgefd.dsx.mp.microsoft.com</DestinationHostname>
			<DestinationHostname condition="end with">telecommand.telemetry.microsoft.com.akadns.net</DestinationHostname>
			<DestinationHostname condition="end with">tile-service.weather.microsoft.com</DestinationHostname>
			<DestinationHostname condition="end with">tlu.dl.delivery.mp.microsoft.com</DestinationHostname>
			<DestinationHostname condition="end with">tsfe.trafficshaping.dsp.mp.microsoft.com</DestinationHostname>
			<DestinationHostname condition="end with">vip5.afdorigin-prod-am02.afdogw.com</DestinationHostname>
			<DestinationHostname condition="end with">vip5.afdorigin-prod-ch02.afdogw.com</DestinationHostname>
			<DestinationHostname condition="end with">windowsupdate.com</DestinationHostname>
			<DestinationHostname condition="end with">y2.displaycatalog.md.mp.microsoft.com.akadns.net</DestinationHostname>
			<DestinationHostname condition="end with">y2.licensing.md.mp.microsoft.com.akadns.net</DestinationHostname>
			<DestinationHostname condition="end with">y2.settings.data.microsoft.com.akadns.net</DestinationHostname>
			<DestinationHostname condition="end with">msedge.net</DestinationHostname>
			<DestinationHostname condition="end with">windows.net</DestinationHostname>
			<DestinationHostname condition="end with">msn.com</DestinationHostname>
			<DestinationHostname condition="end with">virtualearth.net</DestinationHostname>
			<DestinationHostname condition="end with">bingforbusiness.com</DestinationHostname>
			<DestinationHostname condition="end with">outlook.com</DestinationHostname>
			<DestinationHostname condition="end with">lync.com</DestinationHostname>
			<DestinationHostname condition="end with">cloudapp.net</DestinationHostname>
			<DestinationHostname condition="end with">microsoft.com</DestinationHostname>
			<DestinationHostname condition="end with">ec2-34-204-73-148.compute-1.amazonaws.com</DestinationHostname>
			<DestinationHostname condition="end with">ec2-52-201-35-219.compute-1.amazonaws.com</DestinationHostname>
			<DestinationHostname condition="end with">ec2-34-230-137-236.compute-1.amazonaws.com</DestinationHostname>
			<DestinationHostname condition="end with">ec2-52-45-9-47.compute-1.amazonaws.com</DestinationHostname>
			<DestinationHostname condition="end with">ec2-52-71-74-246.compute-1.amazonaws.com</DestinationHostname>
			<DestinationHostname condition="end with">ec2-54-89-54-171.compute-1.amazonaws.com</DestinationHostname>
			<DestinationHostname condition="end with">eset.com</DestinationHostname>
			<DestinationHostname condition="end with">n-able.com</DestinationHostname>
			<DestinationHostname condition="end with">www.agentexchange.com</DestinationHostname>
			<DestinationHostname condition="end with">map2.hwcdn.net</DestinationHostname>
			<Image condition="is">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
			<DestinationIsIpv6 condition="is">true </DestinationIsIpv6> <!-- IPv6 Exclusion: Re-Enable if you use ipv6 -->
			<Image condition="image">OneDrive.exe</Image> <!--Microsoft:OneDrive-->
			<Image condition="image">Spotify.exe</Image> <!--Spotify-->
			<Image condition="end with">AppData\Roaming\Dropbox\bin\Dropbox.exe</Image> <!--Dropbox-->
			<Image condition="image">OneDriveStandaloneUpdater.exe</Image> <!--Microsoft:OneDrive-->
			<Image condition="image">ConnectWise.exe</Image> <!--ConnectWise Noise-->
			<Image condition="image">ScreenConnect.WindowsClient.exe</Image> <!--ScreenConnect Noise-->
			<Image condition="end with">AppData\Roaming\Dashlane\Dashlane.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
			<Image condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe</Image> <!--Dashlane Password Manager | Credit: @awfulyprideful-->
			<Image condition="end with">Vivaldi\Application\vivaldi.exe</Image> <!--Vivaldi Browser Installed in User profile-->
			<DestinationHostname condition="end with">microsoft.com</DestinationHostname> <!--Microsoft:Update delivery-->
			<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname> <!--Microsoft:Update delivery-->
			<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname> <!--Microsoft:Update delivery-->
			<DestinationHostname condition="end with">.search.msn.com</DestinationHostname> <!--Bing & Cortana Searches-->
			<DestinationHostname condition="end with">.wns.windows.com</DestinationHostname> <!-- Windows communication -->
			<DestinationHostname condition="end with">akamaitechnologies.com</DestinationHostname> <!-- CDN for Microsoft, Apple, Valve, & More -->
			<SourcePortName condition="is">llmnr</SourcePortName> <!--Silence Link-Local Multicast Name Resolution-->
			<SourcePortName condition="is">ldap</SourcePortName> <!--Silence LDAP-->
			<DestinationPortName condition="is">ldap</DestinationPortName> <!--Silence LDAP-->
			<DestinationPortName condition="is">epmap</DestinationPortName> <!--Silence LDAP-->
			<SourcePortName condition="is">epmap</SourcePortName> <!--Silence LDAP-->
			<SourcePort condition="is">135</SourcePort>  <!--epmap Port-->
			<DestinationPort condition="is">135</DestinationPort>  <!--epmap Port-->
			<SourcePortName condition="is">ntp</SourcePortName> <!--Silence NTP-->
			<DestinationPortName condition="is">ntp</DestinationPortName> <!--Silence NTP-->
			<DestinationPortName condition="is">llmnr</DestinationPortName> <!--Silence Link-Local Multicast Name Resolution-->
			<DestinationPortName condition="is">ssdp</DestinationPortName> <!--Simple Service Discovery Protocol (SSDP-->
			<SourcePortName condition="is">ssdp</SourcePortName> <!--Simple Service Discovery Protocol (SSDP-->
			<DestinationPort condition="is">5353</DestinationPort> <!--Bonjour/Avahi Discovery-->
			<DestinationPortName condition="is">netbios-ns</DestinationPortName> <!--Netbios DNS Resolution-->
			<DestinationPortName condition="is">netbios-dgm</DestinationPortName> <!--Netbios Datagram Services-->
			<DestinationHostname condition="end with">1e100.net</DestinationHostname> <!--Google Chrome Safe Search checks-->
			<DestinationPort condition="is">5228</DestinationPort> <!--Google Chrome Safe Search checks-->
			<DestinationPort condition="is">5357</DestinationPort> <!--WSD API noise-->
			<DestinationPort condition="is">3544</DestinationPort> <!--Teredo-->
			<DestinationPort condition="is">3702</DestinationPort> <!--Windows: WS-Discovery noise-->
			<SourcePort condition="is">3702</SourcePort> <!--Windows: WS-Discovery noise-->
			<SourcePort condition="is">50646</SourcePort> <!--Windows: WS-Discovery noise-->
			<DestinationPort condition="is">53</DestinationPort>   <!--DNS Lookups-->
			<SourcePort condition="is">53</SourcePort>  <!--DNS Lookups-->
			<SourcePort condition="is">67</SourcePort>  <!--Bootp Lookups-->
			<DestinationPort condition="is">67</DestinationPort>  <!--Bootp Lookups-->
			<SourcePort condition="is">1812</SourcePort> <!--Radius-->
			<DestinationPort condition="is">1812</DestinationPort> <!--Radius-->
			<SourcePort condition="is">49154</SourcePort>  <!--DFRS/ADFS Replication spam-->
			<DestinationPort condition="is">49154</DestinationPort>  <!--DFRS/ADFS Replication spam-->
			<SourcePort condition="is">59241</SourcePort>  <!--DFRS/ADFS Replication spam-->
			<DestinationPort condition="is">59241</DestinationPort>  <!--DFRS/ADFS Replication spam-->
			<SourcePort condition="is">52176</SourcePort>  <!--DFRS/ADFS Replication spam-->
			<DestinationPort condition="is">52176</DestinationPort>  <!--DFRS/ADFS Replication spam-->
			<SourcePort condition="is">49209</SourcePort>  <!--DFRS/ADFS Replication spam-->
			<DestinationPort condition="is">49209</DestinationPort>  <!--DFRS/ADFS Replication spam-->
			<SourcePort condition="is">6007</SourcePort>  <!--Exchange WMI Spam-->
			<DestinationPort condition="is">6007</DestinationPort>  <!--Exchange WMI Spam-->
			<Image condition="end with">C:\Program Files (x86)\SmartGit\jre\bin\java.exe</Image>
			<Image condition="end with">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image>
			<Image condition="end with">penv\Scripts\python.exe</Image> <!-- eFolder Anchor Server -->
			<DestinationHostname condition="begin with">efolder01</DestinationHostname> <!-- eFolder Noise -->
			<DestinationPort condition="is">2080</DestinationPort><!--eFolder Noise -->
			<Image condition="end with">g2mcomm.exe</Image> <!-- gotomeeting noise -->
			<Image condition="end with">C:\Program Files (x86)\LabTech Client\LTClient.exe</Image>
			<Image condition="end with">C:\Windows\LTSvc\LTSVC.exe</Image>
			<Image condition="end with">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
			<Image condition="begin with">C:\Program Files (x86)\SmartGit\</Image>
			<Image condition="end with">DSPro\Programs\pr001Celery98.exe</Image>
			<Image condition="image">g2ax_comm_expert.exe</Image> <!--GoToMeeting-->
			<Image condition="image">g2mcomm.exe</Image> <!--GoToMeeting-->
			<Image condition="end with">AppData\Local\Microsoft\Teams\current\Teams.exe</Image> <!--Microsoft: Teams-->
			<DestinationPort condition="is">53</DestinationPort>   <!--DNS Lookups-->
		</NetworkConnect>
	<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES-->

		<!--DATA: UtcTime, State, Version, SchemaVersion-->
		<!--Cannot be filtered.-->

	<!--SYSMON EVENT ID 5 : PROCESS ENDED [ProcessTerminate]-->
		<!--COMMENT:	Useful data in building infection timelines.-->

		<!--DATA: Rulename, UtcTime, ProcessGuid, ProcessId, Image-->
		<ProcessTerminate onmatch="include">
		<!--COMMENT:	Useful data in building infection timelines.-->
			<Image condition="begin with">C:\Users</Image> <!--Process terminations by user binaries-->
			<Image condition="begin with">C:\ProgramData</Image> <!--Process terminations by user binaries-->
			<Image condition="contains">\Temp\</Image> <!--Process terminations in temp directories-->
			<Image condition="end with">Sysmon.exe</Image> <!--Detect killing Sysmon, Credit: @vector_sec-->
			<Image condition="end with">Sysmon64.exe</Image> <!--Detect killing Sysmon, Credit: @vector_sec-->
		</ProcessTerminate>

	<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
		<!--COMMENT:	Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
			about what you exclude from monitoring. Low event volume, little incentive to exclude.
			[ https://attack.mitre.org/wiki/Technique/T1014 ] -->
		<!--TECHNICAL:	Sysmon will check the signing certificate revocation status of any driver you don't exclude.-->

		<!--DATA: RuleName, UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
		<DriverLoad onmatch="exclude">
		<!--COMMENT:	Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
				about what you exclude from monitoring. Low event volume, little incentive to exclude.-->
			<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft drivers-->
			<Signature condition="is">Microsoft Windows</Signature> <!--Exclude signed Microsoft drivers-->
			<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft drivers-->
			<Signature condition="begin with">Intel</Signature> <!--Exclude signed Intel drivers-->
			<Signature condition="contains">Lenovo</Signature> <!--Exclude signed Lenovo drivers-->
			<Signature condition="contains">Synaptic</Signature> <!--Exclude signed Synaptic drivers-->
			<Signature condition="contains">Nvidia</Signature> <!--Exclude signed Nvidia drivers-->
			<Signature condition="contains">Broadcom</Signature> <!--Exclude signed Broadcom drivers-->
			<Signature condition="contains">AMD</Signature> <!--Exclude signed AMD drivers-->
			<Signature condition="contains">VMware</Signature> <!--Exclude signed VMware drivers-->
			<Signature condition="contains">Realtek</Signature> <!--Exclude signed Realtek drivers-->
			<Signature condition="contains">Micro-Star</Signature> <!--Exclude signed MSI drivers-->
			<Signature condition="contains">Logitech</Signature> <!--Exclude signed Logitech drivers-->
			<Signature condition="contains">Asmedia</Signature> <!--Exclude signed Asmedia drivers-->
			<Signature condition="contains">SteelSeries</Signature> <!--Exclude signed MSI drivers-->
			<Signature condition="contains">Fortinet</Signature> <!--Exclude signed Fortinet drivers-->
			<Signature condition="contains">Webroot</Signature> <!--Exclude signed Webroot drivers-->
			<Signature condition="is">NoVirusThanks Company Srl</Signature> <!--Exclude signed drivers-->
			<Signature condition="contains">Invincea</Signature> <!--Exclude signed drivers-->
			<Signature condition="contains">ShoreTel</Signature> <!--Exclude signed drivers-->
			<Signature condition="contains">Synology</Signature> <!--Exclude signed drivers-->
			<Signature condition="contains">Citrix</Signature> <!--Exclude signed drivers-->
			<Signature condition="contains">SonicWall</Signature> <!--Exclude signed drivers-->
			<Signature condition="contains">Sophos</Signature> <!--Exclude signed drivers-->
			<Signature condition="contains">OpenVPN</Signature> <!--Exclude signed drivers-->
		</DriverLoad>

	<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS [ImageLoad]-->
		<!--COMMENT:	Can cause high system load, disabled by default.-->
		<!--COMMENT:	[ https://attack.mitre.org/wiki/Technique/T1073 ] [ https://attack.mitre.org/wiki/Technique/T1038 ] [ https://attack.mitre.org/wiki/Technique/T1034 ] -->

		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
		<ImageLoad onmatch="include">
			<Signed condition="is">false</Signed> <!-- Lets Only show Unsigned DLL's loaded-->
			<SignatureStatus condition="is">Invalid</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
			<SignatureStatus condition="is">Unavailable</SignatureStatus> <!--Lets Show DLL's where their Signature's are Invalid-->
			<ImageLoaded condition="contains">C:\windows\system32\fxsst.dll</ImageLoaded> <!-- CIA Vault7 Leak: Fax DLL Injection -->
			<ImageLoaded condition="contains">C:\Windows\System32\wbem\oci.dll</ImageLoaded> <!-- CIA Vault7 Leak: Distributed Transaction Coordinator DLL Injection -->
			<ImageLoaded condition="contains">\Temp\</ImageLoaded>
			<ImageLoaded name="MitreRef=T1128,Technique=Netsh Helper Beacon DLL,Tactic=Persistence,Alert=Cobalt Strike Netsh Helper Beacon" condition="contains">NetshHelperBeacon</ImageLoaded>
			<Image name="MitreRef=T1128,Technique=Netsh Helper Beacon DLL,Tactic=Persistence" condition="contains">netsh.exe</Image>
			<ImageLoaded name="Alert=Ramnit Banker Malware!" condition="contains">rmnsoft.dll</ImageLoaded>
		</ImageLoad>
		<ImageLoad onmatch="exclude">
			<SignatureStatus condition="is">Valid</SignatureStatus>
			<ImageLoaded condition="end with">System32\samlib.dll</ImageLoaded> <!-- Spam -->
			<ImageLoaded condition="end with">System32\cryptdll.dlll</ImageLoaded> <!-- Spam -->
			<Signature condition="contains">microsoft</Signature> <!--Exclude signed Microsoft libraries-->
			<Signature condition="is">Microsoft Windows</Signature> <!--Exclude signed Microsoft libraries-->
			<Signature condition="contains">windows</Signature> <!--Exclude signed Microsoft libraries-->
			<Signature condition="begin with">Intel</Signature> <!--Exclude signed Intel libraries-->
			<Signature condition="contains">Lenovo</Signature> <!--Exclude signed Lenovo libraries-->
			<Signature condition="contains">Synaptic</Signature> <!--Exclude signed Synaptic libraries-->
			<Signature condition="contains">Nvidia</Signature> <!--Exclude signed Nvidia libraries-->
			<Signature condition="contains">Broadcom</Signature> <!--Exclude signed Broadcom libraries-->
			<Signature condition="contains">AMD</Signature> <!--Exclude signed AMD libraries-->
			<Signature condition="contains">VMware</Signature> <!--Exclude signed VMware libraries-->
			<Signature condition="contains">Realtek</Signature> <!--Exclude signed Realtek libraries-->
			<Signature condition="contains">Micro-Star</Signature> <!--Exclude signed MSI libraries-->
			<Signature condition="contains">Logitech</Signature> <!--Exclude signed Logitech libraries-->
			<Signature condition="contains">Asmedia</Signature> <!--Exclude signed Asmedia libraries-->
			<Signature condition="contains">SteelSeries</Signature> <!--Exclude signed MSI libraries-->
			<Signature condition="contains">Fortinet</Signature> <!--Exclude signed MSI libraries-->
			<Company condition="contains">Microsoft</Company>
			<Product condition="contains">Microsoft</Product>
			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
			<Signature condition="contains">Webroot</Signature> <!--Exclude signed MSI libraries-->
			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
			<Image condition="is">C:\Windows\System32\mmc.exe</Image>
			<Image condition="is">C:\Windows\System32\SearchFilterHost.exe</Image>
			<Image condition="is">C:\Windows\System32\SearchProtocolHost.exe</Image>
			<Image condition="is">C:\Windows\sysmon64.exe</Image>
			<Image condition="is">C:\Windows\System32\inetsrv\w3wp.exe</Image>
			<ImageLoaded condition="is">C:\Windows\sysmon64.exe</ImageLoaded>
			<ImageLoaded condition="is">C:\Windows\System32\conhost.exe</ImageLoaded>
			<ImageLoaded condition="is">C:\Windows\System32\winspool.drv</ImageLoaded>
			<ImageLoaded condition="is">C:\Windows\System32\wshqos.</ImageLoaded>
			<ImageLoaded condition="is">C:\Windows\System32\wow64.dll</ImageLoaded>
			<ImageLoaded condition="is">C:\Windows\System32\clusapi.dll</ImageLoaded>
			<ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded>
			<ImageLoaded condition="is">C:\Windows\System32\wow64win.dll</ImageLoaded>
			<ImageLoaded condition="is">C:\Windows\System32\wow64.dll</ImageLoaded>
			<ImageLoaded condition="is">C:\Windows\System32\pcwum.dll</ImageLoaded>
			<ImageLoaded condition="is">C:\Windows\System32\kernel32.dll</ImageLoaded>
			<ImageLoaded condition="is">C:\Windows\System32\user32.dll</ImageLoaded>
			<ImageLoaded condition="is">C:\Windows\System32\cryptdll.dll</ImageLoaded>
			<ImageLoaded condition="is">C:\Windows\System32\dns.exe</ImageLoaded>
			<ImageLoaded condition="is">C:\Windows\System32\zvprtmon5.dll</ImageLoaded>
			<ImageLoaded condition="is">C:\Windows\System32\termsrv.dll</ImageLoaded>
			<ImageLoaded condition="begin with">C:\Windows\System32\spool\</ImageLoaded>
			<ImageLoaded condition="end with">samlib.dll</ImageLoaded>
			<ImageLoaded condition="contains">C:\Program Files (x86)\SmartGit</ImageLoaded> <!--SmartGit-->
			<ImageLoaded condition="contains">syntevo\SmartGit</ImageLoaded> <!--SmartGit-->
			<ImageLoaded condition="contains">Labtech Client</ImageLoaded>
			<ImageLoaded condition="contains">CrystalDecisions</ImageLoaded>
			<ImageLoaded condition="contains">ShoreWare</ImageLoaded>
			<ImageLoaded condition="is">C:\Program Files\Microsoft SQL Server\100\Shared\dbghelp.dll</ImageLoaded>
			<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image> <!-- Windows Store apps unsigned -->
			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
			<Image condition="begin with">C:\Program Files</Image> <!-- NOTICE: Not good for security but good on cutting down the noise, we do log dropped dll's -->
			<ImageLoaded condition="contains">C:\Windows\assembly\NativeImages</ImageLoaded> <!-- Event Viewer -->
			<ImageLoaded condition="contains">C:\Program Files\WindowsApps</ImageLoaded> <!-- Windows Store Apps: Apparently most dll's here are unsigned and causes noise -->
			<!-- Custom App Exclusions -->
			<ImageLoaded condition="is">C:\Program Files (x86)\AutoSizer\AutoSizer.dll</ImageLoaded> <!-- I use autosizer to re-arrange my windows -->
			<ImageLoaded condition="contains">C:\Program Files (x86)\Notepad++</ImageLoaded> <!--Notepad++ Plugins Are unsigned-->
			<Image condition="is">C:\Program Files (x86)\SyncedTool\bin\autoupdate.exe</Image> <!-- eFolder SyncedTool -->
			<Image condition="is">C:\PostgreSQL9.1\bin\postgres.exe</Image> <!-- eFolder Server loading unsigned dll's -->
			<Image condition="is">C:\Windows\System32\VSSVC.</Image>
			<Image condition="is">C:\Windows\System32\conhost.exe</Image>
			<Image condition="is">C:\Windows\System32\svchost.exe</Image>
			<Image condition="is">C:\Windows\System32\NETSTAT.EXE</Image>
			<Image condition="is">C:\Windows\System32\inetsrv\w3wp.exe</Image>
			<Image condition="is">C:\Windows\System32\tasklist.exe</Image>
			<Image condition="is">C:\Windows\System32\nslookup.exe</Image>
			<Image condition="is">C:\Windows\System32\find.exe</Image>
			<Image condition="is">C:\cs\tools\php\php-cgi.exe</Image>
			<Image condition="is">C:\Windows\System32\nbtstat.exe</Image>
			<Image condition="is">C:\Windows\System32\dsquery.exe</Image>
			<Image condition="is">C:\Windows\System32\netsh.exe</Image>
			<Image condition="is">C:\Windows\System32\taskeng.exe</Image>
			<Image condition="is">C:\ProgramData\sysmon\sysmon64.exe</Image>
			<Image condition="contains">SQL Server</Image>
			<ImageLoaded condition="contains">SQL Server</ImageLoaded>
			<Image condition="contains">Exchange Server</Image>
			<ImageLoaded condition="contains">Exchange Server</ImageLoaded>
		</ImageLoad>

	<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]-->
		<!--COMMENT:	Monitor for processes injecting code into other processes. Often used by malware to cloak their actions. Also when Firefox loads Flash.
		[ https://attack.mitre.org/wiki/Technique/T1055 ] -->

		<!--DATA: RuleName, UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction-->
		<CreateRemoteThread onmatch="include">
			<StartFunction name="MitreRef=T1055,Technique=DLL Injection via LoadLibrary API Call,Tactic=Defense Evasion,Alert=DLL Injection via LoadLibrary API Call" condition="contains">LoadLibrary</StartFunction>
			<SourceImage condition="contains">\</SourceImage>
			<StartAddress name="Alert=Cobalt Strike Detected!"  condition="end with">0B80</StartAddress>
		</CreateRemoteThread>
		<CreateRemoteThread onmatch="exclude">
			<!--COMMENT: Exclude mostly-safe sources and log anything else.-->
			<SourceImage condition="is">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\SysWOW64\wbem\WmiPrvSE.exe</SourceImage>			
			<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\wininit.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\csrss.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\services.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\winlogon.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\audiodg.exe</SourceImage>
			<TargetImage condition="end with">Google\Chrome\Application\chrome.exe</TargetImage>
			<SourceImage condition="contains">FireSvc.exe</SourceImage>
			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
			<TargetImage condition="end with">controls\cef\ConnectWise.exe</TargetImage>
			<SourceImage condition="is">C:\Program Files\N-able Technologies\AVDefender\epsecurityservice.exe</SourceImage>
			<SourceImage condition="is">C:\Program Files\N-able Technologies\AVDefender\EPSecurityService.exe</SourceImage>
			<SourceImage condition="is">C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\avp.exe</SourceImage>
			<SourceImage condition="is">C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\Common7\IDE\Remote Debugger\x64\msvsmon.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\System32\rdpclip.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\sysmon64.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\sysmon.exe</SourceImage>
		</CreateRemoteThread>

	<!--SYSMON EVENT ID 9 : RAW DISK ACCESS [RawAccessRead]-->
		<!--EVENT 9: "RawAccessRead detected"-->
		<!--COMMENT:	Can cause high system load, disabled by default.-->
		<!--COMMENT:	Monitor for raw sector-level access to the disk, often used to bypass access control lists or access locked files.
			Disabled by default since including even one entry here activates this component. Reward/performance/rule maintenance decision.
			Encourage you to experiment with this feature yourself. [ https://attack.mitre.org/wiki/Technique/T1067 ] -->
		<!--COMMENT:	You will likely want to set this to a full capture on domain controllers, where no process should be doing raw reads.-->

		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, Device-->
		<RawAccessRead onmatch="include">
		</RawAccessRead>

	<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS [ProcessAccess]-->
		<!--EVENT 10: "Process accessed"-->
		<!--COMMENT:	Can cause high system load, disabled by default.-->
		<!--COMMENT:	Monitor for processes accessing other process' memory.-->
		<!--DATA: RuleName, UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
		<ProcessAccess onmatch="include">
			<TargetImage condition="end with">:\Windows\System32\lsass.exe</TargetImage>
			<TargetImage condition="end with">:\Windows\System32\winlogon.exe</TargetImage>
			<SourceImage condition="contains">powershell.exe</SourceImage>
			<TargetImage condition="contains">verclsid.exe</TargetImage>
			<CallTrace condition="contains">VBE7.dll</CallTrace>
			<CallTrace condition="contains">CorperfmontExt.dll</CallTrace>
		<!--COMMENT:	Monitor for processes accessing other process' memory. This can be valuable, but can cause massive event glut.
				Disabled by default since including even one entry here activates this component. Reward/performance decision.
				Encourage you to experiment with this feature yourself.
				Uses 4mbs+ IO -->
		</ProcessAccess>
		<ProcessAccess onmatch="exclude">
			<!-- Filter out common access masks
			A reference is available here for the mask: https://msdn.microsoft.com/en-us/library/windows/desktop/ms684880%28v=vs.85%29.aspx
			Ideally an access mask with any of the following is useful:
			PROCESS_VM_WRITE (0x0020)
			PROCESS_VM_READ (0x0010)
			PROCESS_VM_OPERATION (0x0008)
			0x1410 (potential memory read) is common activity. E.g. by taskmgr.exe. We only want to capture this against lsass.exe and winlogon.exe, but this logic is in the subscription.
			-->
			<GrantedAccess condition="is">0x40</GrantedAccess>
			<GrantedAccess condition="is">0x101000</GrantedAccess>
			<GrantedAccess condition="is">0x1000</GrantedAccess>
			<GrantedAccess condition="is">0x1400</GrantedAccess>
			<GrantedAccess condition="is">0x100000</GrantedAccess>
			<GrantedAccess condition="is">0x3200</GrantedAccess>
			<GrantedAccess condition="is">0x101400</GrantedAccess>
			<GrantedAccess condition="is">0x101001</GrantedAccess>
			<!-- These binaries appear to access lsass legitimately -->
			<SourceImage condition="is">C:\Windows\sysWOW64\wbem\wmiprvse.exe</SourceImage>
			<SourceImage condition="begin with">C:\ProgramData\Microsoft\Windows Defender\platform\</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\msiexec.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\spoolsv.exe</SourceImage>
			<SourceImage condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\agent.exe</SourceImage>
			<SourceImage condition="is">C:\Program Files\N-able Technologies\AVDefender\EPUpdateService.exe</SourceImage>
			<SourceImage condition="contains">taskmgr</SourceImage>
			<SourceImage condition="end with">wbem\wmiprvse.exe</SourceImage>
			<SourceImage condition="end with">\EMET_Service.exe</SourceImage>
			<SourceImage condition="end with">\EMET_GUI.exe</SourceImage>
			<SourceImage condition="end with">\procexp64.exe</SourceImage>
			<SourceImage condition="contains">processhacker</SourceImage>
			<SourceImage condition="end with">\Bin\FMS.exe</SourceImage> <!-- Exchange Process -->
			<SourceImage condition="contains">\Exchange Server\</SourceImage>
			<SourceImage condition="contains">SQL</SourceImage>
			<SourceImage condition="end with">:\Windows\System32\smss.exe</SourceImage>
			<SourceImage condition="end with">:\Windows\system32\csrss.exe</SourceImage>
			<SourceImage condition="end with">:\Windows\system32\wininit.exe</SourceImage>
			<SourceImage condition="end with">\Google\Update\GoogleUpdate.exe</SourceImage>
			<SourceImage condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</SourceImage>
			<SourceImage condition="is">C:\Program Files\Webroot\WRSA.exe</SourceImage>
			<SourceImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</SourceImage>
			<TargetImage condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</TargetImage>
			<TargetImage condition="is">C:\Windows\Sysmon.exe</TargetImage>
			<TargetImage condition="is">C:\Windows\Sysmon64.exe</TargetImage>
			<!-- ScreenConnect Querying lsass/winlogon SPAM -->
			<SourceImage condition="contains">ScreenConnect</SourceImage>
			<!-- These binaries get or access processes running .NET -->
			<SourceImage condition="end with">:\Windows\system32\sppsvc.exe</SourceImage>
			<SourceImage condition="end with">:\Windows\system32\sdiagnhost.exe</SourceImage>
			<!-- In testing a common false-positive is memory space that DLLS would be expected to mapped to. -->
			<CallTrace condition="contains">UNKNOWN(00007F</CallTrace>
			<SourceImage condition="contains">ShadowProtect</SourceImage>
			<SourceImage condition="is">C:\Hlthpnt\bin\IM.exe</SourceImage>
			<SourceImage condition="end with">Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe</SourceImage>
			<SourceImage condition="end with">Common Files\Adobe\AdobeGCClient\AGSService.exe</SourceImage>
			<SourceImage condition="begin with">C:\ProgramData\WebEx\webex\</SourceImage>
			<SourceImage condition="end with">Dropbox\Update\DropboxUpdate.exe</SourceImage>
			<SourceImage condition="end with">LTSvc\LTSVC.exe</SourceImage>
			<SourceImage condition="end with">\Trusteer\Rapport\bin\RapportMgmtService.exe</SourceImage>
			<SourceImage condition="end with">Adobe\AdobeGCClient\AGMService.exe</SourceImage>
			<SourceImage condition="end with">NT-ware Shared\MomAdmSvc\MomAdmSvc.exe</SourceImage>
			<SourceImage condition="end with">\Autodesk\Autodesk Desktop App\AdAppMgrSvc.exe</SourceImage>
		</ProcessAccess>

	<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
		<!--EVENT 11: "File created"-->
		<!--NOTE:	Other filesystem "minifilters" can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
		<!--NOTE:	You may not see files detected by antivirus. Other filesystem minifilters, like antivirus, can act before Sysmon receives the alert a file was written.-->

		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
		<FileCreate onmatch="include">
			<TargetFilename condition="begin with">C:\Windows\Prefetch</TargetFilename> <!--Microsoft:Windows: Prefetch Forensics that may possibly bypass sysmon-->
			<TargetFilename condition="begin with">C:\Windows\System32\drivers</TargetFilename> <!--Microsoft:Windows: Monitor Driver Drops & hosts location-->
			<TargetFilename condition="contains">\Start Menu</TargetFilename> <!--Microsoft:Windows: Startup links and shortcut modification-->
			<TargetFilename condition="contains">\Startup</TargetFilename> <!--Microsoft:Office: Changes to user's autoloaded files under AppData-->
			<TargetFilename name="MitreRef=T1060,Technique=Autorun Folder Entries,Tactic=Persistence" condition="contains">\Programs\Startup</TargetFilename> <!--Microsoft:Windows: Autorun Startup Folder-->
			<TargetFilename condition="contains">\Content.Outlook\</TargetFilename> <!--Microsoft:Outlook: attachments--> <!--PRIVACY WARNING-->
			<TargetFilename condition="contains">\Downloads\</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE--> <!--PRIVACY WARNING-->
			<TargetFilename condition="contains">$RECYCLE.BIN</TargetFilename> <!--Files created in Recycle bin-->
			<TargetFilename condition="contains">\Microsoft\Office\Recent</TargetFilename> <!--Recent Office History-->
			<TargetFilename condition="end with">.dll</TargetFilename> <!-- Lets detect DLL's being dropped in locations and to detect DLL Search Order Hijacking -->
			<TargetFilename condition="end with">.ocx</TargetFilename>
			<TargetFilename condition="end with">.sys</TargetFilename> <!-- Lets detect Drivers's being dropped in locations -->
			<TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
			<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
			<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
			<TargetFilename condition="end with">.com</TargetFilename> <!--Batch scripting: Batch scripts can also use the .com extension -->
			<TargetFilename condition="end with">.btm</TargetFilename> <!--Batch scripting: Batch scripts can also use the .btm extension -->
			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
			<TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
			<TargetFilename condition="end with">.exe</TargetFilename> <!--Executable-->
			<TargetFilename condition="end with">.msc</TargetFilename> <!--Executable-->
			<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
			<TargetFilename condition="end with">.ws</TargetFilename> <!--Scripting-->
			<TargetFilename condition="end with">.wsf</TargetFilename> <!--Scripting-->
			<TargetFilename condition="end with">.wsh</TargetFilename> <!--Scripting-->
			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
			<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
			<TargetFilename condition="end with">.ps1xml</TargetFilename> <!--PowerShell's other file extensions: -->
			<TargetFilename condition="end with">.psc1</TargetFilename> <!--PowerShell's other file extensions: -->
			<TargetFilename condition="end with">.psd1</TargetFilename> <!--PowerShell's other file extensions: -->
			<TargetFilename condition="end with">.psm1</TargetFilename> <!--PowerShell's other file extensions: -->
			<TargetFilename condition="end with">.pssc</TargetFilename> <!--PowerShell's other file extensions: -->
			<TargetFilename condition="end with">.cdxml</TargetFilename> <!--PowerShell's other file extensions: -->
			<TargetFilename condition="end with">.sys</TargetFilename> <!--System driver files-->
			<TargetFilename condition="end with">.reg</TargetFilename> <!--Registry files-->
			<TargetFilename condition="end with">.docm</TargetFilename> <!--Office Macros-->
			<TargetFilename condition="end with">.xlsm</TargetFilename> <!--Office Macros-->
			<TargetFilename condition="end with">.xlam</TargetFilename> <!--Office Macros-->
			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Office Macros-->
			<TargetFilename condition="end with">.potm</TargetFilename> <!--Office Macros-->
			<TargetFilename condition="end with">.pptm</TargetFilename> <!--Office Macros-->
			<TargetFilename condition="end with">.sldm</TargetFilename> <!--Office Macros-->
			<TargetFilename condition="end with">.scf</TargetFilename> <!--Explorer Command File-->
			<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--ClickOnce Application-->
			<TargetFilename condition="end with">.rdp</TargetFilename> <!--Remote Desktop file-->
			<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
			<TargetFilename condition="end with">.vb</TargetFilename> <!--VisualBasicScripting-->
			<TargetFilename condition="end with">.vbsript</TargetFilename> <!--VisualBasicScripting-->
			<TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting-->
			<TargetFilename condition="end with">.js</TargetFilename> <!--Java Scripting-->
			<TargetFilename condition="end with">.jse</TargetFilename> <!--Java Scripting-->
			<TargetFilename condition="end with">proj</TargetFilename><!--Microsoft:MSBuild:Script More information: https://twitter.com/subTee/status/885919612969394177-->
			<TargetFilename condition="end with">.sln</TargetFilename><!--Microsoft:MSBuild:Script More information: https://twitter.com/subTee/status/885919612969394177-->
			<TargetFilename condition="end with">.xls</TargetFilename> <!--Legacy Office files are often used for attacks-->
			<TargetFilename condition="end with">.ppt</TargetFilename> <!--Legacy Office files are often used for attacks-->
			<TargetFilename condition="end with">.rft</TargetFilename> <!--RTF files often 0day malware vectors when opened by Office-->
			<TargetFilename condition="end with">.SettingContent-ms</TargetFilename> <!--More info: https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39-->
			<TargetFilename condition="begin with">C:\Users\Default</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
			<TargetFilename condition="contains">\Desktop</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
			<TargetFilename condition="contains">\Documents</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
			<TargetFilename condition="begin with">C:\Windows\System32\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
			<TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
			<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\Machine\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
			<TargetFilename condition="begin with">C:\Windows\System32\GroupPolicy\User\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
			<TargetFilename condition="begin with">C:\Windows\System32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks-->
			<TargetFilename condition="begin with">C:\Windows\System32\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
			<TargetFilename condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
			<TargetFilename condition="begin with">C:\Windows\System32\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
			<TargetFilename condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
			<TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks -->
			<TargetFilename condition="begin with">C:\Windows\System32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks -->
			<TargetFilename condition="begin with">C:\Windows\SysWow64\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks -->
			<TargetFilename condition="begin with">C:\Windows\Minidump</TargetFilename> <!--Windows Minidumps -->
			<TargetFilename condition="contains">Microsoft\Windows\WER\</TargetFilename> <!--Windows Minidumps -->
			<TargetFilename condition="end with">MEMORY.dmp</TargetFilename> <!--Microsoft:ScheduledTasks -->
			<TargetFilename condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename> <!--Microsoft:Windows: Application compatibility shims [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
			<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
			<TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename> <!--Microsoft: Files dropped here -->
			<!--SECTION: Other suspicious file types to monitor-->
			<TargetFilename condition="end with">.ICL</TargetFilename>
			<TargetFilename condition="end with">.FON</TargetFilename>
			<TargetFilename condition="end with">.FOT</TargetFilename>
			<TargetFilename condition="end with">.ico</TargetFilename>
			<TargetFilename condition="end with">.lnk</TargetFilename>
			<TargetFilename condition="end with">.eml</TargetFilename>
			<TargetFilename condition="end with">.msg</TargetFilename>
			<TargetFilename condition="end with">.SCT</TargetFilename>
			<TargetFilename condition="end with">.SCR</TargetFilename>
			<TargetFilename condition="end with">.SHB</TargetFilename>
			<TargetFilename condition="end with">.SHS</TargetFilename>
			<TargetFilename condition="end with">.PAF</TargetFilename>
			<TargetFilename condition="end with">.JSE</TargetFilename>
			<TargetFilename condition="end with">.gadget</TargetFilename>
			<TargetFilename condition="end with">.cpl</TargetFilename>
			<TargetFilename condition="end with">.inf</TargetFilename>
			<!--SECTION: Ransomware-->
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_decrypt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_restore</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ReadDecryptFilesHere</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howto_recover_file</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recover_file_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Recovery_file_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_to_decrypt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">encryptor_raas_readme_liesmich</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_how_recover_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOWTO_RESTORE_FILES_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_my_files</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_recover</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_TO_SAVE_FILES</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INSTRUCTIONS</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES.url</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Coin.Locker.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_secret_code.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Decrypt_readme.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTUCCIONES_DESCRIFRADO</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">FILESAREGONE.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IAMREADYTOPAY.TXT</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELLOTHERE.TXT</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READTHISNOW!!!.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRETIDHERE.KEY</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IHAVEYOURSECRET.KEY</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRET.KEY</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELPDECRYPT_YOUR_FILES.HTML</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RECOVERY_FILES.TXT</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RECOVERY_FILE.</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HowtoRestore_Files</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restorefiles</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howrecover+</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recoveryfile</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_recover_instructions</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Locky_recover</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_decrypt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_restore</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.CRAB</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.cerber</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_decrypt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_restore_files</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_YOUR_FILES</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ReadDecryptFilesHere</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howto_recover_file</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recover_file</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Recovery_File_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_DECRYPT_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DecryptAllFiles</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">encryptor_raas_readme_liesmich</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_how_recover_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOWTO_RESTORE_FILES_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_my_files</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_recover</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_TO_SAVE_FILES</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INSTRUCTIONS</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTUCCIONES_DESCRIFRADO</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES.url</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Coin.Locker.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_secret_code.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Decrypt_readme.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">FILESAREGONE.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IAMREADYTOPAY.TXT</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELLOTHERE.TXT</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READTHISNOW!!!.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRETIDHERE.KEY</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IHAVEYOURSECRET.KEY</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRET.KEY</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELPDECRYPT_YOUR_FILES.HTML</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RECOVERY_FILES.TXT</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RECOVERY_FILE.</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HowtoRestore_File</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restorefiles_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howrecover+ recoveryfile_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recoverfile_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_recover_instructions</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_ReCoVeRy_+</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Locky_recover</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.zzzzz </TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">aeroware</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howto_recover_file</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_how_recover_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOWTO_RESTORE_FILES</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_my_files</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_recover</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_TO_SAVE_FILES</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INSTRUCTIONS</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES.url</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Coin.Locker.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_secret_code.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Decrypt_readme.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">FILESAREGONE.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IAMREADYTOPAY.TXT</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELLOTHERE.TXT</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READTHISNOW!!!.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRETIDHERE.KEY</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IHAVEYOURSECRET.KEY</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SECRET.KEY</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELPDECRYPT_YOUR_FILES.HTML</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RECOVERY_FILES.TXT</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restorefiles</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howrecover+</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restorefiles</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">contains(to_string($message.file_created), "howrecover+</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restorefiles</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_recover_instructions</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Locky_recover</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!!!READ_TO_UNLOCK!!!.TXT</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">openforyou@india.com</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.warn_wallet</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">hacks.at.sigaint.org</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.MATRIX</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Crytp0l0cker</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypted_files.dat</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">padcrypt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Vape Launcher.exe</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ_ME_!.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.enjey</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Aescrypt.exe</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">PINGY@INDIA.COM</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">WORMKILLER@INDIA.COM.XTBL</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">CEBER3</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IF_WANT_FILES_BACK_PLS_READ.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HELP_HELP_HELP_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">zXz.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_ME_PLEASE.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!_RECOVERY_HELP_!.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">PLEASE-READIT-IF_YOU-WANT.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">.filegofprencrp</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">COME_RIPRISTINARE_I_FILE.</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">fattura_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_steaveiwalker@india.com_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">COMO_ABRIR_ARQUIVOS.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">info@kraken.cc_worldcza@email.cz</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">COMO_RESTAURAR_ARCHIVOS</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">What happen to my files.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ASSISTANCE_IN_RECOVERY</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_DECRYPT_ASSISTANCE_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HELP_HELP_HELP_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">BTC_DECRYPT_FILES</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.TheTrumpLocker</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ-READ-READ</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.weencedufiles</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.powned</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">[KASISKI]</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTRUCCIONES</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_USE_TO_FIX_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.happydayzz</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">001-READ-FOR-DECRYPT-FILES</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INFORMATION</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Rans0m_N0te_Read_ME</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">wowwhereismyfiles</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decryptional</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">wowreadfordecryp</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.HERMES</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_DECRYPT_INFO_szesnl</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">000-IF-YOU-WANT-DEC-FILES</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.evillock</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.letmetrydecfiles</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.yourransom</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.lambda_l0cked</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.gefickt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.sigaint.org</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.HakunaMatata</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.CRYPTOSHIELD</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.weareyourfriends</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">MERRY_I_LOVE_YOU_BRUCE.hta</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">How decrypt files.hta</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">unCrypte</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decipher_ne</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.paytounlock</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">TRY-READ-ME-TO-DEC</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">protonmail.ch</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">LEER_INMEDIATAMENTE</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.killedXXX</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.doomed</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">000-No-PROBLEM-WE-DEC-FILES</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.noproblemwedecfiles</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">WE-MUST-DEC-FILES</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">powerfulldecrypt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">opensourcemail.org</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ_ME_TO_DECRYPT_YOU_INFORMA</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">file0locked</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">CryptoRansomware</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.VBRANSOM</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HELP_Recover_Files_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.oops</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.deria</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.RMCM1</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Locked-by-Mafia</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">-filesencrypted</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt_Globe</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.hnumkhotep</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.decrypt2017</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DecryptFile</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.L0CKED</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">1025-7152.exe</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">firstransomware.exe</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP-ME-ENCED-FILES</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">helpmeencedfiles</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">EdgeLocker</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.XBTL</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.firecrypt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES_ARE_DEAD</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.airacropencrypted!</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">@mail.ru</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">WHERE-YOUR-FILES</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Whereisyourfiles</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">india.com</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_README.hta</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_README.jpg</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_OPEN_FILES</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.gangbang</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">GJENOPPRETTING_AV_FILER</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!!! HOW TO DECRYPT FILES !!!</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.braincrypt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTRUCTION RESTORE FILE</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Survey Locker.exe</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Receipt.exe</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">WindowsApplication1.exe</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HWID Lock.exe</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">VIP72.exe</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DALE_FILES.TXT</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_RESTORE_YOUR_DATA</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RESTORE_CORUPTED_FILES</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Cyber SpLiTTer Vbs.exe</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">000-PLEASE-READ-WE-HELP</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.VforVendetta</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">popcorn_time.exe</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">OSIRIS-</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DesktopOsiris</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">inbox.ru</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.no_more_ransom</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.lovewindows</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.osiris</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.R.i.P</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Important!.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!_HOW_TO_RESTORE_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_RESTORE_FILES</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOWTO_RECOVER_FILES_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_RESTORE_FILES_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ThxForYurTyme</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HOW_TO_Decrypt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_RECOVER_INSTRUCTIONS</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPTION INSTRUCTIONS.</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt explanations.</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_WHAT_is.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HOWDO_text.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">readme_liesmich_encryptor_raas</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Adatok_visszaallitasahoz_utasitasok</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_TO_RECURE_YOUR_FILES</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Your files encrypted by our friends !!!.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README HOW TO DECRYPT YOUR FILES.HTML</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ_IT.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!Recovery_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ATTENTION.url</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README!!!</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">email-salazar_slytherin10</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">._AiraCropEncrypted!</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_RECOVER_FILES_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HOWDO_text.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HOWDO_text.bmp</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HOWDO_text.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">zzzzzzzzzzzzzzzzzyyy</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">zycrypt.</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt your file</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_H_e_l_p_RECOVER_INSTRUCTIONS+</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW-TO-DECRYPT-FILES.HTML</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_DECRYPT.HTML</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">exit.hhr.obleep</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">UnblockFiles.vbs</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_DECRYPT_HYDRA_ID_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_Readme.TXT.ReadMe</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Decrypt All Files</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HowDecrypt.gif</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_YOURFILES.HTML</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW TO DECRYPT FILES.HTML</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">BUYUNLOCKCODE</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">BitCryptorFileList.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">How_to_decrypt_your_files.jpg</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">How_to_restore_files.hta</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Como descriptografar seus arquivos.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!Recovery_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Read_this_file.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ATTENTION!!!.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_DECRYPT.lnk</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how to decrypt aes files.lnk</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">restore_files.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HowDecrypt.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">wie_zum_Wiederherstellen_von_Dateien.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">paycrypt.bmp</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">maxcrypt.bmp</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_decrypt.gif</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how to get data.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_recover_instructions</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help-file-decrypt.enc</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">enigma_encr.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">enigma.hta</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">default432643264.jpg</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">default32643264.bmp</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decypt_your_files.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">de_crypt_readme.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">de_crypt_readme.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">de_crypt_readme.bmp</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">cryptinfo.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">crjoker.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_how_recover</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Locky_recover_instructions.bmp</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_H_e_l_p_RECOVER_INSTRUCTIONS</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HELP_instructions.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_HELP_instructions.bmp</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_DECRYPT_INFO_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Your files encrypted by our friends !!! txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Your files are locked !.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Your files are locked !!.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Your files are locked !!!.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Your files are locked !!!!.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES_ARE_LOCKED.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES_ARE_ENCRYPTED.TXT</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUR_FILES_ARE_ENCRYPTED.HTML</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">YOUGOTHACKED.TXT</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">UNLOCK_FILES_INSTRUCTIONS.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">UNLOCK_FILES_INSTRUCTIONS.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SIFRE_COZME_TALIMATI.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">SHTODELATVAM.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Read Me (How Decrypt) !!!!.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">RESTORE_FILES_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ_THIS_TO_DECRYPT.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_HOW_TO_UNLOCK.TXT</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_HOW_TO_UNLOCK.HTML</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_DECRYPT_UMBRE_ID_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">README_DECRYPT_HYRDA_ID_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ ME FOR DECRYPT.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">READ IF YOU WANT YOUR FILES BACK.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Payment_Instructions.jpg</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ONTSLEUTELINGS_INSTRUCTIES.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">OKSOWATHAPPENDTOYOURFILES.TXT</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">MENSAGEM.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">KryptoLocker_README.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Instructionaga.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ISTRUZIONI_DECRITTAZIONE.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTRUCTIONS_DE_DECRYPTAGE.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTRUCCIONES_DESCIFRADO.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">INSTALL_TOR.URL</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IMPORTANT.README</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">IMPORTANT READ ME.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Howto_RESTORE_FILES.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">How to decrypt your data.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">How to decrypt LeChiffre files.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Help Decrypt.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Hacked_Read_me_to_decrypt_files.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_UNLOCK_FILES_README_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_TO_RESTORE_FILES.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_DECRYPT.URL</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_DECRYPT.TXT</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW_DECRYPT.HTML</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOWTO_RECOVER_FILES_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HOW TO DECRYPT FILES.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_YOUR_FILES.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_YOUR_FILES.PNG</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_TO_SAVE_FILES.bmp</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_RESTORE_FILES_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_DECRYPT.URL</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_DECRYPT.PNG</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">HELP_DECRYPT.HTML</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">GetYouFiles.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">File Decrypt Help.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">FILES_BACK.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">ENTSCHLUSSELN_HINWEISE.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DecryptAllFiles</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DESIFROVANI_POKYNY.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_YOUR_FILES.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_YOUR_FILES.HTML</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_ReadMe1.TXT</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INSTRUCTIONS.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INSTRUCTION.URL</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPT_INSTRUCTION.HTML</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">DECRYPTION_HOWTO.Notepad</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Comment débloquer mes fichiers.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">BUYUNLOCKCODE.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">AllFilesAreLocked</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">@ukr.net</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.fuckyourdata</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.encrypted.locked</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.Where_my_files.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.RSplited</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.KEYZ.KEYH0LES</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.How_To_Get_Back.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.How_To_Decrypt.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.Contact_Here_To_Recover_Your_Files.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.31392E30362E32303136_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains"># DECRYPT MY FILES #.vbs</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains"># DECRYPT MY FILES #.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains"># DECRYPT MY FILES #.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!Where_are_my_files!.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!!!README!!!</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!!!-WARNING-!!!.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!!!-WARNING-!!!.html</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.magic_software_syndicate</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">maestro@pizzacrypts.info</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howtodecryptaesfiles.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.SecureCrypted</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt-instruct</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">files_are_encrypted.</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decryptmyfiles</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_instructions.</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">de_crypt_readme.</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">!recover!</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recover}-</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_help_instruct</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_recover_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">+recover+</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">warning-!!</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt my file</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_file_</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recovery+</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">readme_for_decrypt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">install_tor</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">readme_decrypt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howtodecrypt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">howto_restore</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_to_recover</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_recover</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how_to_decrypt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">how to decrypt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_restore</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_your_file</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_recover</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_decrypt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">decrypt_instruct</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">cryptolocker.</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recover_instruction</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.hydracrypt_ID</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.cryptotorlocker</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.one-we_can-help_you</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.OMG!</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.nochance</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.LOL!</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.CryptoTorLocker2015!</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.{CRYPTENDBLACKDC}</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">vault.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">vault.key</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recovery_key.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">vault.hta</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">message.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recovery_file.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">confirmation.key</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">enc_files.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">last_chance.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">want your files back.</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_Locky_recover_instructions.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">help_recover_instructions</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recoverfile</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">Howto_Restore_FILES.TXT</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">recoveryfile</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">_how_recover.txt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.SUPERCRYPT</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.helpdecrypt</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">only-we_can-help_you</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.fileiscryptedhard</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.blocatto</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="end with">.8lock8</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">==READ==THIS==PLEASE==</TargetFilename>
			<TargetFilename name="Alert=Ransomware Detected!,ransomware_detected=True" condition="contains">randomname</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.weapologize</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">SORRY-FOR-FILES</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">PLEASE-READ-WE-HELP.</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">CHECK-IT-HELP-FILES</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">HAPPEN-ENCED-FILES</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">HELP-ME-ENCED-FILES</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">PLS-DEC-MY-FILES</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">WE-MUST-DEC-FILES</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">No-PROBLEM-WE-DEC-FILES</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">TRY-READ-ME-TO-DEC</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">IF-YOU-WANT-DEC-FILES</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">LET-ME-TRY-DEC-FILES</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">READ-FOR-DECRYPT-FILES</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">PLEASE-READIT-IF_YOU-WANT</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">READ-READ-READ</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">WANT_FILES_BACK</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">READ-FOR-DECCCC-FILESSS</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">PLEASE-README-AFFECTED-FILES</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="contains">_DEC_FILES.</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.notfoundrans</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.VforVendetta</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.theworldisyours</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.helpmeencedfiles</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.wowwhereismyfiles</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.wowreadfordecryp</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.powerfulldecrypt</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.noproblemwedecfiles</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.weareyourfriends</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.otherinformation</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.letmetrydecfiles</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.encryptedyourfiles</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.weencedufiles</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.filegofprencrp</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.iaufkakfhsaraf</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.cifgksaffsfyghd</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.skjdthghh</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.ransom</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.breeding123</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.mention9823</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.suppose666</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.moments2900</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.country82000</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.supported2017</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.prosperous666</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.disposed2017</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.myrandsext2017</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.loveransisgood</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.areyoulovemyrans</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.stubbin</TargetFilename>
			<TargetFilename name="Alert=Samsam Ransomware Detected!,ransomware_detected=True" condition="end with">.berkshire</TargetFilename>
			<!--SamSam Ransomware File drops -->
			<TargetFilename name="Alert=SamSam file created!" condition="end with">\www.exe</TargetFilename>
			<TargetFilename name="Alert=SamSam file created!" condition="end with">\ps.exe</TargetFilename>
			<TargetFilename name="Alert=SamSam file created!" condition="end with">\nt.exe</TargetFilename>
			<TargetFilename name="Alert=SamSam file created!" condition="end with">\doliohdyjkajd.dll</TargetFilename>
			<TargetFilename name="Alert=SamSam file created!" condition="end with">\run2.exe</TargetFilename>
			<TargetFilename name="Alert=SamSam file created!" condition="end with">\ping2.exe</TargetFilename>
			<!--END: SamSam Ransomware File drops -->
			<!--SECTION: Certificates -->
			<TargetFilename condition="contains">.pem</TargetFilename>
			<TargetFilename condition="contains">.crt</TargetFilename>
			<TargetFilename condition="contains">.ca-bundle</TargetFilename>
			<TargetFilename condition="contains">.cer</TargetFilename>
			<TargetFilename condition="contains">.csr</TargetFilename>
			<TargetFilename condition="contains">.der</TargetFilename>
			<TargetFilename condition="contains">.p7b</TargetFilename>
			<TargetFilename condition="contains">.p7r</TargetFilename>
			<TargetFilename condition="contains">.p7s</TargetFilename>
			<TargetFilename condition="contains">.pfx</TargetFilename>
			<TargetFilename condition="contains">.sto</TargetFilename>
			<TargetFilename condition="contains">.p12</TargetFilename>
			<TargetFilename condition="contains">.crl</TargetFilename>
			<TargetFilename condition="contains">.sst</TargetFilename>
			<TargetFilename condition="contains">.key</TargetFilename>
			<!--SECTION: CIA Vault7 Leak -->
			<TargetFilename name="Info=CIA Vault7 file created: https://wikileaks.org/ciav7p1/cms/page_16384212.html" condition="contains">.mht</TargetFilename> <!-- Vault7 CIA Leak: Possible malformed file will escape IE sandbox -->
			<TargetFilename condition="contains">.cpl</TargetFilename> <!-- Vault7 CIA Leak: Control Panel Persistence -->
			<TargetFilename condition="contains">.scr</TargetFilename> <!-- Vault7 CIA Leak: Screensaver Persistence -->
			<TargetFilename condition="contains">.manifest</TargetFilename>
			<TargetFilename condition="contains">.inf</TargetFilename> <!-- Vault7 CIA Leak: Sandworm: Uses INF File to bypass UAC on windows 7 -->
			<TargetFilename condition="contains">HammerDrillStatus.dll</TargetFilename> <!-- Vault7 CIA Leak: HammerDrill DLL -->
			<TargetFilename condition="contains">PSReadLine\ConsoleHost_history.txt</TargetFilename> <!-- Powershell History -->
			<!--SECTION: Mimikatz-->
			<!--Default-disable <TargetFileName condition="end with">.kirbi</TargetFileName> --> <!-- [ https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos ] -->
		</FileCreate>
		<FileCreate onmatch="exclude">
			<TargetFilename condition="begin with">C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates\</TargetFilename> <!--Microsoft:Windows: taskhostw re-creates certificate store constantly-->
			<TargetFilename condition="end with">\Downloads</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
			<TargetFilename condition="end with">\Start Menu</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
			<TargetFilename condition="end with">\Start Menu\Programs</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
			<TargetFilename condition="end with">\Start Menu\Programs\Startup</TargetFilename> <!-- Microsoft:Windows: Cleanup noise of stub folder creation -->
			<!--SECTION: Microsoft-->
			<Image condition="contains">C:\Windows\System32\svchost.exe</Image> <!-- Microsoft:Windows: Svchost creating thousands of files, creating new profiles on TS's -->
			<Image condition="contains">C:\Windows\System32\smss.exe</Image> <!-- Microsoft:Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
			<TargetFilename condition="contains">\Microsoft\Windows\INetCache\IE</TargetFilename> <!-- Microsoft:Windows: Creates thousands of files including new profiles -->
			<Image condition="is">\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\Request\Certificates</Image>
			<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost -->
			<TargetFilename condition="begin with">C:\Windows\System32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe -->
			<TargetFilename condition="begin with">C:\Windows\System32\DriverStore\Temp\</TargetFilename> <!-- Microsoft:Windows: Temp files by DrvInst.exe-->
			<TargetFilename condition="begin with">C:\Windows\System32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe-->
			<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost-->
			<TargetFilename condition="end with">.SQM</TargetFilename> <!-- Ignore Exchange files created -->
			<TargetFilename condition="end with">.SPL</TargetFilename> <!-- Ignore Spooled Print Jobs -->
			<TargetFilename condition="end with">.SHD</TargetFilename> <!-- Ignore Spooled Print Jobs -->
			<Image condition="is">C:\Program Files (x86)\EMET 5.5\EMET_Service.exe</Image> <!--Microsoft:EMET: Writes to C:\Windows\AppPatch\-->
			<Image condition="is">C:\Windows\system32\mobsync.exe</Image> <!--Microsoft:Windows: Network file syncing-->
			<TargetFilename condition="begin with">C:\Windows\Installer\</TargetFilename> <!--Microsoft:Windows:Installer: Ignore MSI installer files caching-->
			<!--SECTION: Microsoft:Office-->
			<TargetFilename condition="is">C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask</TargetFilename>
			<!--SECTION: Microsoft:Windows:Updates-->
			<TargetFilename condition="begin with">C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\</TargetFilename> <!-- Microsoft:Windows: Feature updates containing lots of .exe and .sys-->
			<TargetFilename condition="end with">.etl</TargetFilename> <!-- Microsoft:Windows: Logs and Trace files -->
			<TargetFilename condition="end with">.log</TargetFilename> <!-- Microsoft:Windows: Logs and Trace files -->
			<Image condition="begin with">C:\WINDOWS\winsxs\amd64_microsoft-windows</Image> <!-- Microsoft:Windows: Windows update-->
			<Image condition="begin with">Firefox Setup </Image> <!-- Firefox:Installer -->
			<TargetFilename condition="is">C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive</TargetFilename> <!--Powershell spam!-->
			<TargetFilename condition="is">C:\Windows\System32\config\netlogon.ftl</TargetFilename> <!-- Microsoft:Windows: Domain login cache-->
			<Image condition="is">\\?\C:\Windows\system32\wbem\WMIADAP.EXE</Image><!-- Microsoft:Windows: WMI Performance updates-->
			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image><!-- Microsoft:Office Click2Run-->
			<Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image><!-- Microsoft:Windows: Windows 10 app, creates tons of cache files-->
			<Image condition="is">C:\Program Files\Microsoft SQL Server\110\LocalDB\Binn\sqlservr.exe</Image><!-- Microsoft:SQL Server: Creating tons of files-->
			<Image condition="is">C:\Windows\System32\smss.exe</Image><!-- Microsoft:Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
			<Image condition="is">C:\Program Files (x86)\MSI\Help Desk\MSI Update Agent.exe</Image><!-- MSI: Helpdesk Updater-->
			<Image condition="is">C:\Program Files (x86)\MSI\Dragon Center\Dragon Center.exe</Image><!-- MSI: Dragon Center Updater-->
			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image><!-- VMware:vSphere: Creates .cmdline apps in appdata\*\Temp-->
			<!--SECTION: Dell-->
			<Image condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</Image>
			<!--SECTION: Intel-->
			<Image condition="is">C:\Windows\system32\igfxCUIService.exe</Image> <!--Intel: Drops bat and other files in \Windows in normal operation-->
			<!--SECTION: Chrome Noise-->
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlUws.store_new</TargetFilename>
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlMalBin.store_new</TargetFilename>
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlMalware.store_new</TargetFilename>
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlSoceng.store_new</TargetFilename>
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\ChromeExtMalware.store_new</TargetFilename>
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\ChromeFilenameClientIncident.store_new</TargetFilename>
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\ChromeUrlClientIncident.store_new</TargetFilename>
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\IpMalware.store_new</TargetFilename>
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlSubresourceFilter.store_new</TargetFilename>
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlCsdWhitelist.store_new</TargetFilename>
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\UrlCsdDownloadWhitelist.store_new</TargetFilename>
			<TargetFilename condition="end with">Google\Chrome\User Data\Safe Browsing\CertCsdDownloadWhitelist.store_new</TargetFilename>
			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename> <!--Exclude: Firefox prefs update spam-->
			<!--SECTION: Adobe-->
			<TargetFilename condition="is">C:\Windows\System32\Tasks\Adobe Acrobat Update Task</TargetFilename>
			<TargetFilename condition="is">C:\Windows\System32\Tasks\Adobe Flash Player Updater</TargetFilename>
			<!--SECTION: Connectwise-->
			<Image condition="is">C:\Program Files (x86)\ConnectWise\PSA.net\ConnectWise.exe</Image>
			<!--SECTION: Datto-->
			<Image condition="is">C:\Program Files\Datto\Datto Windows Agent\DattoBackupAgent.exe</Image>
			<!--SECTION: Toshiba Print Drivers-->
			<TargetFilename condition="begin with">C:\Windows\System32\config\systemprofile\TOSHIBA\</TargetFilename>
			<TargetFilename condition="contains">TOSHIBA\eSTUDIOX\UNIDRV</TargetFilename>
			<TargetFilename condition="end with">N-able Technologies\AVDefender\ThreatScanner\Antivirus-NewTemp\bdcore.dll</TargetFilename>
			<TargetFilename condition="end with">N-able Technologies\AVDefender\ThreatScanner\Antivirus-NewTemp\scanclient.dll</TargetFilename>
			<TargetFilename condition="begin with">C:\Program Files (x86)\N-able Technologies\Windows Software Probe\Repository\nagent</TargetFilename>
			<TargetFilename condition="begin with">C:\Program Files (x86)\N-able Technologies\Windows Agent\Temp\</TargetFilename>
			<Image condition="is">C:\Program Files (x86)\MaaS360\Cloud Extender\EMSAgent.exe</Image>
			<Image condition="is">C:\Program Files\graylog\collector-sidecar\winlogbeat.exe</Image>
			<Image condition="is">C:\Program Files\N-able Technologies\Endpoint Update Server\bin\EPUpdateServer.exe</Image>
			<Image condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\AVDefender\Installer.exe</Image>
			<Image condition="is">C:\Program Files (x86)\N-able Technologies\Windows Agent\bin\AutomationManager.ScriptRunner64.exe</Image>
			<Image condition="is">C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\raw_agent_svc.exe</Image>
			<Image condition="is">C:\Windows\system32\printfilterpipelinesvc.exe</Image>
			<Image condition="is">C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe</Image>
			<Image condition="end with">\Runtime\1.0\NodeRunner.exe</Image><!--Exchange NodeRunner-->
		</FileCreate>

	<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->
		<!--EVENT 12: "Registry object added or deleted"-->
		<!--EVENT 13: "Registry value set-->
		<!--EVENT 14: "Registry objected renamed"-->
		<!--NOTE:	"contains" conditions below are formatted to reduce CPU load, so they may appear written inconsistently, but this is on purpose from tuning.-->
		<!--NOTE:	"contains" works by finding the first letter, then matching the second, etc, so the first letters should be as low-occurrence as possible.-->
		<!--NOTE:	Windows writes hundreds or thousands of registry keys a minute, so just because you're not changing things, doesn't mean these rules aren't being run.-->
		<!--NOTE:	You do not have to spend a lot of time worrying about performance, CPUs are fast, but it's something to consider. Every rule and condition type has a small cost.-->
		<!--NOTE:	[ https://attack.mitre.org/wiki/Technique/T1112 ] -->

		<!--TECHNICAL:	You cannot filter on the "Details" attribute, due to performance issues when very large keys are written, and variety of data formats-->
		<!--TECHNICAL:	Possible prefixes are HKLM, HKCR, and HKU-->
		<!--CRITICAL:	Schema version 3.30 and higher change HKLM\="\REGISTRY\MACHINE\" and HKU\="\REGISTRY\USER\" and HKCR\="\REGISTRY\MACHINE\SOFTWARE\Classes\" and CurrentControlSet="ControlSet001"-->
		<!--CRITICAL:	Due to a bug, Sysmon versions BEFORE 7.01 may not properly log with the new prefix style for registry keys that was originally introduced in schema version 3.30-->
		<!--NOTE:	Because Sysmon runs as a service, it has no filtering ability for, or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation-->

		<!-- ! CRITICAL NOTE !:	It may appear this section is MISSING important entries, but SOME RULES MONITOR MANY KEYS, so look VERY CAREFULLY to see if something is already covered.-->

		<!--DATA: EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, Details (can't filter on), NewName (can't filter on)-->
		<RegistryEvent onmatch="include">
			<!--Autorun or Startups-->
				<!--ADDITIONAL REFERENCE: [ http://www.ghacks.net/2016/06/04/windows-automatic-startup-locations/ ] -->
				<!--ADDITIONAL REFERENCE: [ https://view.officeapps.live.com/op/view.aspx?src=https://arsenalrecon.com/downloads/resources/Registry_Keys_Related_to_Autorun.ods ] -->
				<!--ADDITIONAL REFERENCE: [ http://www.silentrunners.org/launchpoints.html ] -->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="contains">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Run keys, incld RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server] -->
			<TargetObject condition="contains">\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows: Group policy scripts-->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\Windows\System\Scripts</TargetObject> <!--Microsoft:Windows: Logon, Loggoff, Shutdown-->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\Microsoft\System\Scripts</TargetObject> <!--Microsoft:Windows: Legacy Logon, Loggoff, Shutdown Scripts-->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="end with">\ServiceDll</TargetObject> <!--Microsoft:Windows: Points to a service's DLL [ https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services ] -->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="end with">\ImagePath</TargetObject> <!--Microsoft:Windows: Points to a service's EXE [ https://github.com/crypsisgroup/Splunkmon/blob/master/sysmon.cfg ] -->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="end with">\Start</TargetObject> <!--Microsoft:Windows: Services start mode changes (Disabled, Automatically, Manual)-->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\SYSTEM\Setup\CmdLine</TargetObject>
			<TargetObject condition="contains">Session Manager\KnownDlls</TargetObject>
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</TargetObject> <!-- Print Monitor DLL's loaded at startup can be malicious, lets monitor those -->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers</TargetObject> <!-- Print Provider DLL's loaded at startup can be malicious, lets monitor those -->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Notification Packages</TargetObject>  <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Authentication Packages</TargetObject> <!-- Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. -->
			<TargetObject condition="begin with">HKLM\HARDWARE\ACPI\DSDT</TargetObject> <!--Detect ACPI Rootkits -->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\</TargetObject> <!--Microsoft:Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location -->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\Execute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup</TargetObject> <!--Microsoft:Windows: Legacy Autorun Location-->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject> <!--Microsoft:Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ] -->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath</TargetObject><!--Microsoft:Windows: Legacy Autorun may exist in server 2003-2008-->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLU\Software\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun</TargetObject> <!-- Legacy Autorun location -->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject> <!-- Windows Debugger Hijack Autorun -->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://technet.microsoft.com/en-us/library/ee851671.aspx ] -->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="contains">UserInitMprLogonScript</TargetObject> <!--Microsoft:Windows: Legacy logon script environment variable [ http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ ] -->
			<TargetObject condition="end with">\CurrentVersion\Font Drivers</TargetObject>
			<TargetObject condition="contains">Active Setup\Installed Components</TargetObject>
			<TargetObject condition="contains">Windows CE Services\AutoStartOnConnect</TargetObject>
			<TargetObject condition="contains">Windows CE Services\AutoStartOnDisconnect</TargetObject>
			<TargetObject condition="contains">CurrentVersion\Windows\IconServiceLib</TargetObject>
			<TargetObject condition="contains">Winlogon\AlternateShells\AvailableShells</TargetObject>
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence,Alert=AutoRun Keys" condition="contains">Terminal Server\Wds\rdpwd\StartupPrograms</TargetObject>
			<TargetObject condition="contains">SafeBoot\AlternateShell</TargetObject>
			<TargetObject condition="contains">Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman</TargetObject>
			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject>
			<TargetObject condition="contains">Policies\System\Shell</TargetObject>
			<TargetObject condition="contains">Desktop\Scrnsave.exe</TargetObject>
			<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit</TargetObject> <!--Persistence using GlobalFlags in Image File Execution Options: [ https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ ] -->
			<!--CLSID launch commands and file association changes-->
			<TargetObject condition="contains">\Explorer\FileExts\</TargetObject> <!--Microsoft:Windows: Changes to file extension mapping-->
			<TargetObject condition="contains">\shell\install\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
			<TargetObject condition="contains">\shell\open\command\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
			<TargetObject condition="contains">\shell\open\ddeexec\</TargetObject> <!--Microsoft:Windows: Sensitive subkey under file associations and CLSID that map to launch command-->
			<TargetObject condition="contains">SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\</TargetObject><!--Lets Get SID History and other info for Forensics, this is created on logon-->
			<!--Windows COM-->
			<TargetObject condition="end with">\InprocServer32\(Default)</TargetObject> <!--Microsoft:Windows:COM Object Hijacking [ https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence ] | Credit @ion-storm -->
			<!--Windows shell hijack-->
			<TargetObject condition="contains">\PropertySheetHandlers</TargetObject>
			<TargetObject condition="contains">\CopyHookHandlers</TargetObject>
			<TargetObject condition="contains">\ColumnHandlers</TargetObject>
			<TargetObject condition="contains">\ExtShellFolderViews</TargetObject>
			<TargetObject condition="contains">\ShellServiceObjects</TargetObject>
			<TargetObject condition="contains">\ShellServiceObjectDelayLoad</TargetObject>
			<TargetObject condition="contains">\SOFTWARE\Classes\Protocols\Filter</TargetObject>
			<TargetObject condition="contains">\SOFTWARE\Classes\Protocols\Handler</TargetObject>
			<TargetObject condition="contains">\Software\Microsoft\Ctf\LangBarAddin</TargetObject>
			<TargetObject condition="contains">\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components</TargetObject>
			<TargetObject condition="contains">\SharedTaskScheduler</TargetObject>
			<TargetObject condition="contains">\ContextMenuHandlers\</TargetObject> <!--Microsoft:Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
			<TargetObject condition="contains">\CurrentVersion\Shell</TargetObject> <!--Microsoft:Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ] -->
			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks -->
			<TargetObject condition="contains">\Classes\Folder\</TargetObject> <!--Microsoft:Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
			<TargetObject condition="contains">\Classes\*\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
			<TargetObject condition="contains">\Classes\AllFilesystemObjects\</TargetObject> <!--Microsoft:Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ] -->
			<TargetObject condition="contains">\Classes\Directory\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
			<TargetObject condition="contains">\Classes\Drive\</TargetObject> <!--Microsoft:Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ] -->
			<TargetObject condition="end with">\ShowSuperHidden</TargetObject> <!--Microsoft:Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ] -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject> <!--Microsoft:Windows: ShellExecuteHooks-->
			<!--AppPaths hijacking-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand</TargetObject> <!--Microsoft:Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] -->
			<!--Terminal service boobytraps-->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
			<!--Group Policy interity-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject> <!--Microsoft:Windows: Group Policy internally uses a plugin architecture that nothing should be modifying-->
			<!--Winsock and Winsock2-->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock\</TargetObject> <!--Microsoft:Windows: Wildcard, includes Winsock and Winsock2-->
			<TargetObject condition="end with">\ProxyServer</TargetObject> <!--Microsoft:Windows: System and user proxy server-->
			<TargetObject condition="begin with">Software\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy</TargetObject>  <!--Microsoft:InternetExplorer: Wildcard for ProxyEnable, ProxyServer, ProxyOverride - Threats sometimes change proxy server -->
			<TargetObject condition="end with">\DisableSecuritySettingsCheck</TargetObject>
			<TargetObject condition="end with">\3\1206</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
			<TargetObject condition="end with">\3\2500</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
			<TargetObject condition="end with">\3\1809</TargetObject> <!--Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ] -->
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64</TargetObject>
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries</TargetObject>
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64</TargetObject>
			<!--Credential providers-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject> <!--Wildcard, includes Credental Providers and Credential Provider Filters-->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders</TargetObject> <!--Microsoft:Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ] -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Netsh</TargetObject> <!-- [ https://attack.mitre.org/wiki/Technique/T1128 ] -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers</TargetObject>
			<!--Networking-->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject> <!--Microsoft:Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ] -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject> <!--Microsoft:Windows: | Credit @ion-storm -->
			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,MitreRef=1089" condition="end with">EnableFirewall</TargetObject> <!--Microsoft:Windows: Monitor for firewall disablement [ https://attack.mitre.org/wiki/Technique/T1089 ] -->
			<!--DLLs that get injected into every process launch-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx ] -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx ] -->
			<!--Office-->
			<!--Microsoft Office-->
			<TargetObject condition="contains">Office Test\</TargetObject> <!-- [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn -->
			<TargetObject condition="contains">\Outlook\Addins\</TargetObject> <!--Microsoft:Office: Outlook add-ins-->
			<TargetObject condition="contains">\Excel\Addins\</TargetObject> <!--Microsoft:Office: Excel add-ins-->
			<TargetObject condition="contains">\Word\Addins\</TargetObject> <!--Microsoft:Office: Word add-ins-->
			<TargetObject condition="contains">\Access\Addins\</TargetObject> <!--Microsoft:Office: Word add-ins-->
			<TargetObject condition="contains">\Powerpoint\Addins\</TargetObject> <!--Microsoft:Office: Powerpoint add-ins-->
			<!--IE-->
			<TargetObject condition="contains">\Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
			<TargetObject condition="contains">\Internet Explorer\Extensions\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user-->
			<!--Magic registry keys-->
			<TargetObject condition="contains">\Browser Helper Objects\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ] -->
			<TargetObject condition="contains">{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\</TargetObject> <!--Microsoft:Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ] -->
			<!--Infection artifacts-->
			<TargetObject condition="end with">\UrlUpdateInfo</TargetObject> <!--Microsoft:ClickOnce: [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ] -->
			<TargetObject condition="end with">\InstallSource</TargetObject> <!--Microsoft:Windows: Source folder for certain program and component installations-->
			<!--Windows internals integrity monitoring-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\</TargetObject> <!--Microsoft:Windows: Malware likes changing IFEO-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject> <!--Microsoft:Windows: Event log system integrity and ACLs-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject> <!--Microsoft:Defender: Detect changes to Defender administrative settings to monitor for disablement-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\</TargetObject> <!--Microsoft:Windows:UAC: Detect malware changes to UAC prompt level -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject> <!--Detect Legacy Driver loading-->
			<!--Common Malware Persistence locations-->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</TargetObject>
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\RunService</TargetObject>
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</TargetObject>
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</TargetObject>
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="begin with">HKLM\SOFTWARE\Classes\ CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32</TargetObject>
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">CurrentVersion\Windows\Load</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">CurrentVersion\Windows\Run</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ] -->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">CurrentVersion\Winlogon\Shell</TargetObject> <!--Microsoft:Windows: [ https://msdn.microsoft.com/en-us/library/ms838576(v=winembedded.5).aspx ] -->
			<TargetObject name="MitreRef=T1060,Technique=Registry Autorun Keys,Tactic=Persistence" condition="contains">CurrentVersion\Winlogon\System</TargetObject> <!--Microsoft:Windows [ https://www.exterminate-it.com/malpedia/regvals/zlob-dns-changer/118 ] -->
			<!--Group Policy Scripts-->
			<TargetObject condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logon</TargetObject>
			<TargetObject condition="contains">\Software\Policies\Microsoft\Windows\System\Scripts\Logoff</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown</TargetObject>
			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff</TargetObject>
			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup</TargetObject>
			<!--Detect Network History-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
			<TargetObject condition="end with">Domain</TargetObject><!--Networking: Watch Domain Changes-->
			<TargetObject condition="end with">DefaultGateway</TargetObject><!--Networking: Detect changes-->
			<TargetObject condition="end with">DHCPDefaultGateway</TargetObject><!--Networking: Detect changes-->
			<TargetObject condition="end with">DhcpIPAddress</TargetObject><!--Networking: Detect changes-->
			<TargetObject condition="end with">DhcpNameserver</TargetObject><!--Networking: Detect changes-->
			<TargetObject condition="end with">Nameserver</TargetObject><!--Networking: Detect changes-->
			<TargetObject condition="end with">Dhcpserver</TargetObject><!--Networking: Detect changes-->
			<TargetObject condition="end with">DhcpSubnetMask</TargetObject><!--Networking: Detect changes-->
			<TargetObject condition="end with">SubnetMask</TargetObject><!--Networking: Detect changes-->
			<TargetObject condition="end with">PersistentRoutes</TargetObject><!--Networking: Detect persistent routes-->
			<TargetObject condition="end with">}\Category</TargetObject><!--Networking: Detect Network type change-->
			<!--Detect User Activity-->
			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</TargetObject>
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</TargetObject>
			<!--RDP History Tracking-->
			<TargetObject condition="contains">\Software\Microsoft\Terminal Server Client</TargetObject>
			<!--Detect Threats from Webroot Antivirus-->
			<!--Active threats show like so: c:\users\JohnDoe\downloads\w10privacy\w10privacy.exe|W32.Backdoor.Gen|5880BC38 Reg Key Location: HKLM\SOFTWARE\WOW6432Node\WRData\Threats\Active-->
			<TargetObject condition="contains">\WRData\Threats\Active</TargetObject><!--Detect Active Threats-->
			<TargetObject condition="contains">\WRData\Threats\History</TargetObject><!--Detect Threat History & Auto-Removed Threats-->
			<!--Detect Changes to Proxy Server Setting-->
			<TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</TargetObject>
			<!--Detect Browser Hijackers-->
			<!--<TargetObject condition="contains">\Software\Microsoft\Internet Explorer\DOMStorage\</TargetObject>-->
			<!--<TargetObject condition="contains">\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\</TargetObject>-->
			<!--<TargetObject condition="contains">\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage</TargetObject>-->
			<!--Detect Unauthorized Firewall Changes-->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject> <!--Check for apps added to Firewall Auth List-->
			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject> <!--Detect: UAC Tampering-->
			<TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject> <!--Detect: UAC Tampering-->
			<!--Detect Malware & Unauthorized Changes to Outlook, Excel, Powerpoint, and Access Security to enable execution of scripts/Macros -->
			<TargetObject condition="contains">\Security\Level</TargetObject>
			<TargetObject condition="contains">\Security\Level1Remove</TargetObject>
			<!--Detect if Microsoft Security Center is Disabled or Enabled-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify</TargetObject>
			<TargetObject condition="end with">\HideSCAHealth</TargetObject> <!--Microsoft:Windows:Security Center: Malware timestimes disables [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ] -->
			<!--Detect if Windows Defender is Disabled-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable</TargetObject>
			<TargetObject name="Technique=Disabling Security Tools,Tactic=Defense Evasion,MitreRef=1089" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange</TargetObject> <!-- Detect disabling of machine password change -->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange</TargetObject> <!-- Causes the domain controller to refuse password change requests only from workstations or member servers -->
			<!-- Detect Root Certificate Store Hijacking and Unauthorized changes -->
			<!-- Lots of noise from multiple locations, need a better monitor
			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates</TargetObject>
			<TargetObject condition="contains">\Software\Policies\Microsoft\SystemCertificates</TargetObject>
			<TargetObject condition="begin with">HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates</TargetObject>
			<TargetObject condition="contains">\SOFTWARE\Microsoft\EnterpriseCertificates</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\SystemCertificates</TargetObject>
			<TargetObject condition="contains">\SOFTWARE\Microsoft\SystemCertificates</TargetObject>
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\CertSvc</TargetObject>
			-->
			<!-- Other Stuff -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\OID</TargetObject> <!--Mitre T1198-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID</TargetObject><!--Mitre T1198-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust</TargetObject><!--Mitre T1198-->
			<TargetObject condition="contains">\Software\Classes\mscfile\shell\open\command</TargetObject> <!-- Fileless Bypass of UAC: http://resources.infosecinstitute.com/new-born-macro-malware-dropping-rootkits-using-fileless-infection-vector -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree</TargetObject><!--Identify Rogue Scheduled Task ID's -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon</TargetObject><!--Identify Rogue Scheduled Task ID's added to Logon -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot</TargetObject><!--Identify Rogue Scheduled Task ID's added to Boot -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</TargetObject>
			<TargetObject condition="contains">\comfile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
			<TargetObject condition="contains">\htafile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
			<TargetObject condition="contains">\batfile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
			<TargetObject condition="contains">\piffile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
			<TargetObject condition="contains">\exefile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
			<TargetObject condition="contains">Classes\exefile\shell\runas\command\isolatedCommand</TargetObject> <!-- Detect: UAC Bypass via sdclt: https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ -->
			<TargetObject condition="contains">\piffile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
			<TargetObject condition="contains">\regfile\shell\open\command</TargetObject> <!-- Detect: Open Command Hijacks -->
			<TargetObject condition="contains">\mscfile\shell\open\command</TargetObject> <!-- Detect: Event Viewer UAC Bypass: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ -->
			<TargetObject condition="contains">\InprocServer32</TargetObject> <!--Detect: COMObject Hijacking: https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence -->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject> <!--Microsoft:Windows: Services approved to load in safe mode-->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject> <!--Microsoft:Windows: Providers notified by WinLogon-->
			<TargetObject condition="end with">\FriendlyName</TargetObject> <!--Microsoft:Windows: New devices connected and remembered-->
			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged-->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}</TargetObject> <!-- Detect Keyloggers & new Keyboards -->
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject> <!-- Detect: Dns Server dll injection -->
			<!--Windows application compatibility shims-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject> <!--Microsoft:Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
			<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject> <!--Microsoft:Windows: See when WindowsInstaller is engaged, useful for timeline matching with other events-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32</TargetObject> <!--Microsoft:Windows: Malware sometimes disables tracing to obfuscate tracks-->
			<!-- NOTICE: Detect New USB Network Devices: Poison Tap - Creates lots of noise, disabled for now
			<TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}</TargetObject>
			-->
			<TargetObject name="NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
			<TargetObject name="NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
			<TargetObject name="NetNTLM downgrade attack" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic</TargetObject> <!--Detects post exploitation using NetNTLM downgrade attacks-->
		</RegistryEvent>
		<RegistryEvent onmatch="exclude">
		<!--COMMENT:	Remove low-information noise. Often these hide a process recreating an empty key and do not hide the values created subsequently.-->
			<!--SECTION: Microsoft binaries-->
			<Image condition="end with">Office\root\integration\integrator.exe</Image> <!--Microsoft:Office: C2R client-->
			<Image condition="image">C:\WINDOWS\system32\backgroundTaskHost.exe</Image> <!--Microsoft:Windows: Changes association registry keys-->
			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</Image> <!--Microsoft:Office: C2R client-->
			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\lync.exe</Image> <!-- Lync Adding registry values to network adapter.. facepalm -->
			<Image condition="is">C:\Program Files (x86)\Microsoft Office\Office15\lync.exe</Image> <!-- Lync Adding registry values to network adapter.. facepalm -->
			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
			<Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image>
			<Image condition="contains">\Microsoft\Exchange Server</Image>
			<TargetObject condition="contains">Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\</TargetObject> <!-- Edge Extensions Creating Reg entries on launch -->
			<!--Misc-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\ExchangeServer\</TargetObject>
			<TargetObject condition="begin with">HKLM\CLUSTER\ExchangeActiveManager</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Schedule\TaskCache\Tree\Optimize Start Menu Cache Files-</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Schedule\TaskCache\Tree\User_Feed_Synchronization-</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject> <!--SvcHost Noise-->
			<TargetObject condition="end with">Toolbar\WebBrowser</TargetObject> <!--Microsoft:IE: Extraneous activity-->
			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Height</TargetObject> <!--Microsoft:IE: Extraneous activity-->
			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Layout</TargetObject> <!--Microsoft:IE: Extraneous activity-->
			<TargetObject condition="end with">Toolbar\ShellBrowser\ITBar7Layout</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
			<TargetObject condition="end with">Internet Explorer\Toolbar\Locked</TargetObject> <!--Microsoft:Windows:Explorer: Extraneous activity-->
			<TargetObject condition="end with">Toolbar\WebBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93}</TargetObject> <!--Adobe PDF Browser Toolbar-->
			<TargetObject condition="end with">Toolbar\WebBrowser\{724D43A0-0D85-11D4-9908-00400523E39A}</TargetObject> <!--RoboForms Browser toolbar-->
			<TargetObject condition="end with">Toolbar\WebBrowser\ITBar7Layout</TargetObject> <!--Misc IE Activity-->
			<TargetObject condition="end with">ShellBrowser</TargetObject> <!--Microsoft:InternetExplorer: Noise-->
			<TargetObject condition="end with">\CurrentVersion\Run</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Run" wildcard-->
			<TargetObject condition="end with">\CurrentVersion\RunOnce</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Run" wildcard-->
			<TargetObject condition="end with">\CurrentVersion\App Paths</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\App Paths" wildcard-->
			<TargetObject condition="end with">\CurrentVersion\Image File Execution Options</TargetObject> <!--Microsoft:Windows: Remove noise from the "\Windows\CurrentVersion\Image File Execution Options" wildcard-->
			<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Cached</TargetObject> <!--Microsoft:Windows: Remove noise from the "\CurrentVersion\Shell Extensions\Cached" wildcard-->
			<TargetObject condition="end with">\CurrentVersion\Shell Extensions\Approved</TargetObject> <!--Microsoft:Windows: Remove noise from the "\CurrentVersion\Shell Extensions\Approved" wildcard-->
			<TargetObject condition="end with">\PreviousPolicyAreas</TargetObject> <!--Microsoft:Windows: Remove noise from \Winlogon\GPExtensions by svchost.exe-->
			<TargetObject condition="end with">}\PreviousPolicyAreas</TargetObject> <!--Microsoft:Windows: Remove noise from \Winlogon\GPExtensions by svchost.exe-->
			<TargetObject condition="contains">\Control\WMI\Autologger\</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
			<TargetObject condition="end with">\Lsa\OfflineJoin\CurrentValue</TargetObject> <!--Microsoft:Windows: Sensitive value during domain join-->
			<TargetObject condition="end with">\Components\TrustedInstaller\Events</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
			<TargetObject condition="end with">\Components\TrustedInstaller</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
			<TargetObject condition="end with">\Components\Wlansvc</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
			<TargetObject condition="end with">\Components\Wlansvc\Events</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Winlogon-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\</TargetObject> <!--Microsoft:Windows: Remove noise monitoring installations run as system-->
			<TargetObject condition="end with">\Directory\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
			<TargetObject condition="end with">\Directory\shellex\DragDropHandlers</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
			<TargetObject condition="end with">\Drive\shellex</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
			<TargetObject condition="end with">\Drive\shellex\DragDropHandlers</TargetObject> <!--Microsoft:Windows: Remove noise monitoring Classes-->
			<TargetObject condition="contains">_Classes\AppX</TargetObject> <!--Microsoft:Windows: Remove noise monitoring "Shell\open\command"--> <!--Win8+-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject> <!--Microsoft:Windows: SvcHost Noise-->
			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image> <!--Microsoft:Windows: Remove noise from Windows 10 Cortana | Credit @ion-storm--> <!--Win10-->
			<!--Bootup Control noise-->
			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
			<TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
			<TargetObject condition="end with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit</TargetObject> <!--Microsoft:Windows:lsass.exe: Boot noise--> <!--Win8+-->
			<!--Services autostart noise-->
			<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_32\Start</TargetObject> <!--Microsoft:dotNet: Windows 7-->
			<TargetObject condition="end with">\services\clr_optimization_v2.0.50727_64\Start</TargetObject> <!--Microsoft:dotNet: Windows 7-->
			<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_32\Start</TargetObject> <!--Microsoft:dotNet: Windows 10-->
			<TargetObject condition="end with">\services\clr_optimization_v4.0.30319_64\Start</TargetObject> <!--Microsoft:dotNet: Windows 10-->
			<TargetObject condition="end with">\services\DeviceAssociationService\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
			<TargetObject condition="end with">\services\BITS\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
			<TargetObject condition="end with">\services\TrustedInstaller\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
			<TargetObject condition="end with">\services\tunnel\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
			<TargetObject condition="end with">\services\UsoSvc\Start</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "\Start"-->
			<!--FileExts noise filtering-->
			<TargetObject condition="contains">\OpenWithProgids</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
			<TargetObject condition="end with">\OpenWithList</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
			<TargetObject condition="end with">\UserChoice</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
			<TargetObject condition="end with">\UserChoice\ProgId</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"--> <!--Win8+-->
			<TargetObject condition="end with">\UserChoice\Hash</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"--> <!--Win8+-->
			<TargetObject condition="end with">\OpenWithList\MRUList</TargetObject> <!--Microsoft:Windows: Remove noise from monitoring "FileExts"-->
			<TargetObject condition="end with">} 0xFFFF</TargetObject> <!--Microsoft:Windows: Remove noise generated by explorer.exe on monitored ShellCached binary keys--> <!--Win8+-->
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wdp</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jxr</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rw2</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kdc</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mrw</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rwl</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nrw</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srw</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac</TargetObject>
			<TargetObject condition="end with">Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf</TargetObject>
			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{955C0D7D-042E-4034-9D54-EBD52477A6DB}\</TargetObject> <!--Too much noise -->
			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{BEACC58F-E643-4e97-B19E-95F6EE3500FA}\</TargetObject> <!--Too much noise -->
			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{07598BD3-ABBE-4bee-959F-7B90253EADFF}\</TargetObject> <!--Too much noise -->
			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{31240348-66EE-4F14-A42A-39F373A834C7}\</TargetObject> <!--Too much noise -->
			<TargetObject condition="contains">SOFTWARE\Classes\Wow6432Node\CLSID\{8C8EC235-0786-4DAD-A957-1A6CD76C28F5}\</TargetObject> <!--Too much noise -->
			<!--Group Policy noise-->
			<TargetObject condition="end with">HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups</TargetObject> <!--Microsoft:Windows: Routinely set through Group Policy, not especially important to log-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\PSScriptOrder</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\SOM-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\GPO-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\IsPowershell</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\ExecTime</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\PSScriptOrder</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\SOM-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\GPO-ID</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\IsPowershell</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\ExecTime</TargetObject> <!--Microsoft:Windows:Group Policy: Noise below the actual key while building-->
			<TargetObject condition="contains">\safer\codeidentifiers\0\HASHES\{</TargetObject> <!--Microsoft:Windows: Software Restriction Policies. Can be used to disable security tools, but very noisy to monitor if you use it--> <!--OPTIONAL FILTER-->
			<!--Autoruns noise-->
			<!--<Details condition="is">c:\program files (x86)\microsoft office\office16\lync.exe</Details> Microsoft:Office: SkypeForBusiness autorun--> 
			<!--<Details condition="is">"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimized</Details> Cisco: AnyConnect autorun-->
			<!--<Details condition="contains">ScanToPCActivationApp.exe" -deviceID "</Details> HP: Printer-->
			<!--SECTION: 3rd party-->
			<TargetObject condition="end with">} 0xFFFF</TargetObject> <!--Microsoft:Windows: Remove noise from explorer.exe from monitoring ShellCached binary keys--> <!--Win8+ -->
			<Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image><!--Microsoft:Windows Remove noise from Windows 10 Cortana--> <!--Win10 -->
			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image>
			<TargetObject condition="contains">HKLM\System\CurrentControlSet\Services\DeviceAssociationService\Start</TargetObject><!--Device Association Service Noise-->
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}\</TargetObject><!-- HD Audio Noise-->
			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe</Image> <!--VMWare: Horizon View Client Noise-->
			<Image condition="is">C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe</Image> <!--PGP: Noise-->
			<!--SECTION: Labtech-->
			<TargetObject condition="end with">\LTSvcMon\Start</TargetObject>
			<TargetObject condition="end with">\LTService\Start</TargetObject>
			<!--SECTION: ShadowProtect-->
			<TargetObject condition="contains">{F2C2787D-95AB-40D4-942D-298F5F757874}</TargetObject>
			<Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image> <!--Constantly writes to HKLM-->
			<!-- Search Protocol Host & Sysmon spam the SystemCertificates keystores, adding exclusions below -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\</TargetObject>
			<TargetObject condition="contains">\Software\Policies\Microsoft\SystemCertificates\</TargetObject>
			<TargetObject condition="begin with">HKLM\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates\</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\</TargetObject>
			<TargetObject condition="contains">\SOFTWARE\Microsoft\EnterpriseCertificates\</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\SystemCertificates\</TargetObject>
			<Image condition="is">C:\Windows\SysWOW64\SearchProtocolHost.exe</Image>
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports</TargetObject> <!-- Spooler Noise -->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnotice</TargetObject> <!-- Group Policy spam -->
			<TargetObject condition="begin with">HKCR\VLC.</TargetObject> <!--VLC update noise-->
			<TargetObject condition="begin with">HKCR\iTunes.</TargetObject> <!--Apple: iTunes update noise-->
			<!--SECTION: Nitro Pro Spam-->
			<TargetObject condition="contains">\Software\NITRO\PRO</TargetObject>
			<!--SECTION: Webroot Spam-->
			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\WRData\Status</TargetObject>
			<!--MITRE Autorun Exclusions-->
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\RapportIaso</TargetObject>
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\gzflt</TargetObject>
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\trufos</TargetObject>
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\wudfsvc</TargetObject>
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\EFS</TargetObject>
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\avc3</TargetObject>
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\NableRemoteService</TargetObject>
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\TabletInputService</TargetObject>
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\AdobeARMservice</TargetObject>
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\EPUpdateService</TargetObject>
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\ScreenConnect </TargetObject>
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\EPSecurityService</TargetObject>
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\EPIntegrationService</TargetObject>
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\wrUrlFlt</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WRSVC</TargetObject>
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\avckf</TargetObject>
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\services\NableRemoteService</TargetObject>
			<TargetObject condition="begin with">HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WRSVC</TargetObject>
			<TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\BDElam</TargetObject>
		</RegistryEvent>

	<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
		<!--EVENT 15: "File stream created"-->
		<!--COMMENT:	Any files created with an NTFS Alternate Data Stream which match these rules will be hashed and logged.
			[ https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/ ]
			ADS's are used by browsers and email clients to mark files as originating from the Internet or other foreign sources.
			[ https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/ ] -->
		<!--NOTE: Other filesystem minifilters can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->

		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, Hash-->
		<FileCreateStreamHash onmatch="include">
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Content.Outlook</TargetFilename> <!--Microsoft:Outlook: Attachments--> <!--PRIVACY WARNING-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Downloads</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Temp\7z</TargetFilename> <!--7zip extractions-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">Startup</TargetFilename> <!--ADS startup | Example: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ] -->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.vb</TargetFilename> <!--VisualBasicScripting files-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.bat</TargetFilename> <!--Batch scripting-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.exe</TargetFilename> <!--Executable-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.dll</TargetFilename> <!--Executable-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.sys</TargetFilename> <!--Executable-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.hta</TargetFilename> <!--Scripting-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.sys</TargetFilename> <!--System driver files-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.reg</TargetFilename> <!--Registry files-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.docm</TargetFilename> <!--Office Macros-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.xlsm</TargetFilename> <!--Office Macros-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.xlam</TargetFilename> <!--Office Macros-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.pptm</TargetFilename> <!--Office Macros-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.potm</TargetFilename> <!--Office Macros-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.pptm</TargetFilename> <!--Office Macros-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.sldm</TargetFilename> <!--Office Macros-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.scf</TargetFilename> <!--Explorer Command File-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.appref-ms</TargetFilename> <!--ClickOnce Application-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.rdp</TargetFilename> <!--Remote Desktop file-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="end with">.js</TargetFilename> <!--Java-->
			<!--SECTION: Certificates -->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.pem</TargetFilename>
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.crt</TargetFilename>
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.ca-bundle</TargetFilename>
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.cer</TargetFilename>
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.csr</TargetFilename>
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.der</TargetFilename>
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.p7b</TargetFilename>
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.p7r</TargetFilename>
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.p7s</TargetFilename>
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.pfx</TargetFilename>
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.sto</TargetFilename>
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.p12</TargetFilename>
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.crl</TargetFilename>
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.sst</TargetFilename>
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.key</TargetFilename>
			<!--SECTION: CIA Vault7 Leak -->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.mht</TargetFilename> <!-- Possible malformed file will escape IE sandbox -->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.manifest</TargetFilename>
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.cpl</TargetFilename> <!-- Vault7 CIA Leak: Control Panel Persistence -->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.scr</TargetFilename> <!-- Vault7 CIA Leak: Screensaver Persistence -->
			<TargetFilename name="MitreRef=T1096,Technique=Alternate Data Stream,Tactic=Defense Evasion,MitreURL= https://attack.mitre.org/wiki/Technique/T1096" condition="contains">.inf</TargetFilename> <!-- Vault7 CIA Leak: Sandworm: Uses INF File to bypass UAC on windows 7 -->
			<Hash name="Alert=Ramnit Banker Trojan!" condition="contains">291ff87948e45914424cec9510c297da</Hash><!--Ramnit Banker Malware: https://www.virustotal.com/#/file/7f054300fa64e7bcdec7f5538876e6008d6164f21ff21c6375e36dfe04a63412/details-->
			<Hash name="Alert=Ramnit Banker Trojan!" condition="contains">304772c80b157a916c7041f2f15939fb</Hash><!--Ramnit Banker Malware: https://www.virustotal.com/#/file/7f054300fa64e7bcdec7f5538876e6008d6164f21ff21c6375e36dfe04a63412/details-->
			<Hash name="Alert=Docusign Phish!" condition="contains">5E022694C0DBD1FBBC263D608E577949</Hash><!--Docusign Spam:https://www.vkremez.com/2018/03/malware-spam-internals-docusign-spam.html -->
			<Hash name="Alert=Docusign Phish!" condition="contains">88ce6c0affcdbdc82abe53957dddfa12</Hash><!--Docusign Spam:https://www.vkremez.com/2018/03/malware-spam-internals-docusign-spam.html -->
		</FileCreateStreamHash>
		<FileCreateStreamHash onmatch="exclude">
			<TargetFilename condition="end with">.default\prefs-1.js</TargetFilename> <!--Exclude: Firefox prefs update spam-->
			<TargetFilename condition="contains">\Mozilla\Firefox\Profiles\</TargetFilename>
			<TargetFilename condition="contains">\Microsoft\Windows\INetCache\</TargetFilename> <!--Exclude: IE Cache Spam-->
			<TargetFilename condition="contains">\Microsoft\Windows\Temporary Internet Files\Content.IE5</TargetFilename> <!--Exclude: IE Cache Spam-->
		</FileCreateStreamHash>

	<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE-->
		<!--EVENT 16: "Sysmon config state changed"-->
		<!--COMMENT:	This ONLY logs if the hash of the configuration changes. Running "sysmon.exe -c" with the current configuration will not be logged with Event 16-->
		
		<!--DATA: RuleName, UtcTime, Configuration, ConfigurationFileHash-->
		<!--Cannot be filtered.-->

	<!--SYSMON EVENT ID 17 & 18 : PIPE CREATED / PIPE CONNECTED [PipeEvent]-->
		<!--EVENT 17: "Pipe Created"-->
		<!--EVENT 18: "Pipe Connected"-->

		<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, PipeName, Image-->
		<PipeEvent onmatch="include">
	  	 	<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\isapi_http</PipeName><!-- Credits @Cyb3rops & @olafhartong-->
			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\isapi_dg</PipeName><!-- Credits @Cyb3rops & @olafhartong-->
			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\isapi_dg2</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\isapi_http</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\sdlrpc</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\ahexec</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\winsession</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\lsassw</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\46a676ab7f179e511e30dd2dc41bd388</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\9f81f59bc58452127884ce513865ed20</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\e710f28d59aa529d6792ca6ff0ca1b34</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\rpchlp_3</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\NamePipe_MoreWindows</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
			<PipeName name="MitreRef=T1055,Technique=Process Injection" condition="contains">\pcheap_reuse</PipeName><!-- Credits @Cyb3rops & @olafhartong -->
			<PipeName condition="contains">\</PipeName><!--Include Everything else to mark above rules-->
		</PipeEvent>
		<PipeEvent onmatch="exclude">
		<!--COMMENT: Exclude known-good pipe users-->
				<!--ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ] -->
				<!--ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ] -->
			<!--SECTION: Microsoft-->
			<PipeName condition="contains">lsass</PipeName>
			<PipeName condition="is">\SQLLocal\RTCLOCAL</PipeName>
			<PipeName condition="is">\spoolss</PipeName>
			<!--SECTION: Microsoft IIS -->
			<PipeName condition="begin with">\M.E.C.Core.WinRMDataCommunicator.NamedPipe.</PipeName>
			<Image condition="is">c:\windows\system32\inetsrv\w3wp.exe</Image>
			<Image condition="is">C:\Windows\syswow64\snmp.exe</Image>
			<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\BIN\OWSTIMER.EXE</Image>
			<!--SECTION: Microsoft Exchange Server -->
			<Image condition="contains">Exchange Server</Image>
			<!--SECTION: Microsoft DNS Server -->
			<Image condition="is">C:\Windows\system32\dns.exe</Image>
			<!--SECTION: Microsoft SQL Server -->
			<PipeName condition="is">\sql\query</PipeName>
			<Image condition="is">C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe</Image>
			<!--SECTION: Microsoft Skype For Business Server -->
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exee</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\OCSMCU\AV Conferencing\AVMCUSvc.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Health Agent\HealthAgent.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\LysSvc.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\File Transfer Agent\FileTransferAgent.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Web Conferencing\DataMCUSvc.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Application Host\OcsAppServerHost.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\ABServer.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Master Replicator Agent\MasterReplicatorAgent.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\OCSMCU\IM Conferencing\IMMCUSvc.exe</Image>
			<Image condition="is">C:\Program Files\Common Files\Skype for Business Server 2015\ClsAgent\ClsAgent.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\ReplicationApp.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\OCSMCU\Application Sharing\ASMCUSvc.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Replica Replicator Agent\ReplicaReplicatorAgent.exe</Image>
			<Image condition="is">C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.exe</Image>
			<!--SECTION: Microsoft DFS Replication -->
			<Image condition="is">C:\Windows\system32\DFSRs.exee</Image>
			<Image condition="begin with">C:\Windows\SystemApps\Microsoft.Windows</Image>
			<Image condition="is">C:\Windows\system32\SearchProtocolHost.exe</Image>
			<Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</Image>
			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe</Image>
			<Image condition="is">C:\Windows\System32\LxRun.exe</Image> <!--Bash On Windows -->
			<PipeName condition="contains">vmware-</PipeName>
			<Image condition="is">\System</Image>
			<PipeName condition="is">\InitShutdown</PipeName>
			<Image condition="is">C:\Windows\System32\wininit.exe</Image>
			<Image condition="is">C:\Windows\System32\SearchIndexer.exe</Image>
			<Image condition="is">C:\Windows\System32\services.exe</Image>
			<PipeName condition="is">\ntsvcs</PipeName>
			<PipeName condition="is">\scerpc</PipeName>
			<Image condition="is">C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe</Image>
			<Image condition="is">C:\Windows\System32\smss.exe</Image>
			<Image condition="is">C:\Windows\System32\spoolsv.exe</Image>
			<PipeName condition="is">\epmapper</PipeName>
			<PipeName condition="is">\atsvc</PipeName>
			<PipeName condition="is">\browser</PipeName>
			<PipeName condition="is">\srvsvc</PipeName>
			<PipeName condition="is">\Winsock2CatelogChangeListener</PipeName>
			<PipeName condition="contains">ProtectedPrefix\LocalService\FTHPIPE</PipeName>
			<PipeName condition="is">\W32TIME_ALT</PipeName>
			<PipeName condition="is">\eventlog</PipeName>
			<PipeName condition="is">\wkssvc</PipeName>
			<PipeName condition="contains">\TDLN-</PipeName>
			<PipeName condition="is">\WiFiNetworkManagerTask</PipeName>
			<PipeName condition="is">\MsFteWds</PipeName>
			<!--SECTION: Webroot-->
			<PipeName condition="is">\WRSVCPipe</PipeName>
			<PipeName condition="is">\WRSynUM2</PipeName>
			<PipeName condition="is">\wrUrl</PipeName><!--Webroot Webfiltering Pipe-->
			<Image condition="is">C:\Program Files (x86)\Webroot\WRSA.exe</Image>
			<!--SECTION: Google-->
			<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
			<Image condition="contains">AppData\Local\Google\Chrome\User Data\SwReporter\</Image>
			<PipeName condition="contains">mojo.</PipeName>
			<PipeName condition="contains">crashpad_</PipeName>
			<PipeName condition="contains">chrome.</PipeName>
			<PipeName condition="contains">GoogleCrashServices</PipeName>
			<!--SECTION: Other-->
			<Image condition="end with">slack.exe</Image>
			<!--SECTION: ConnectWise-->
			<PipeName condition="contains">booma\</PipeName>
			<!--SECTION: EnPass-->
			<PipeName condition="contains">qtsingleapp-enpass-</PipeName>
			<Image condition="contains">qtsingleapp-enpass-</Image>
			<!--SECTION: RoyalTS-->
			<PipeName condition="contains">eo.ipc.</PipeName>
			<!--SECTION: Windows Firewall Control-->
			<Image condition="is">C:\Program Files\Windows Firewall Control\wfc.exe</Image>
			<!--SECTION: Everything Search-->
			<PipeName condition="contains">Everything Service</PipeName>
			<PipeName condition="contains">anchor_gui_agent</PipeName>
			<!--SECTION: Adobe-->
			<Image condition="end with">Adobe\ARM\1.0\AdobeARM.exe</Image>
			<!--SECTION: Lenovo-->
			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\SUService.exe</Image>
			<Image condition="is">C:\Program Files\Common Files\VMware\DeviceRedirectionCommon\ftnlsv.exe</Image>
			<Image condition="is">C:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe</Image>
			<Image condition="is">C:\Program Files\Lenovo\HOTKEY\shtctky.exe</Image>
			<Image condition="is">C:\PROGRA~1\Lenovo\HOTKEY\SHTCTKY.EXE</Image>
			<Image condition="is">C:\Windows\System32\LPlatSvc.exe</Image>
			<Image condition="is">C:\PROGRA~1\Lenovo\HOTKEY\TPOSD.EXE</Image>
			<Image condition="is">C:\Program Files (x86)\Lenovo\iMController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Lenovo\System Update\TvsuCommandLauncher.exe</Image>
			<!--SECTION: Fortinet-->
			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FortiSSLVPNdaemon.exe</Image>
			<!--SECTION: Sophos VPN Client-->
			<Image condition="is">c:\program files (x86)\sophos\sophos ssl vpn client\bin\openvpnserv.exe</Image>
			<!--SECTION: Labtech-->
			<Image condition="contains">ScreenConnect.WindowsClient.exe</Image>
			<Image condition="contains">ScreenConnect.ClientService.exe</Image>
			<!--SECTION: N-Able -->
			<Image condition="end with">N-able Technologies\Windows Agent\bin\agent.exe</Image>
			<Image condition="end with">N-able Technologies\AVDefender\EPIntegrationService.exe</Image>
			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn-gui.exe</Image>
			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn.exe</Image>
			<Image condition="is">C:\Program Files\OpenVPN\bin\openvpnserv.exe</Image>
			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnh.exe</Image>
			<Image condition="is">C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe</Image>
			<Image condition="is">C:\Program Files\Lenovo\HOTKEY\tphkload.exe</Image>
			<Image condition="contains">C:\Program Files\Lenovo\</Image>
			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\SerialPortRedirection\Client\vmwsprrdpwks.exe</Image>
			<Image condition="contains">Graylog-collector-sidecar.exe</Image>
			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git-remote-https.exe</Image>
			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\bin\git.exe</Image>
			<Image condition="is">C:\Program Files (x86)\SmartGit\git\mingw32\libexec\git-core\git.exe</Image>
			<Image condition="is">C:\Program Files (x86)\SmartGit\bin\smartgit.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FortiESNAC.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\update_task.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FortiTray.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Fortinet\FortiClient\FCDBLog.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Enpass\Enpass.exe</Image>
			<Image condition="is">C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe</Image>
			<Image condition="is">C:\Program Files (x86)\VMware\ScannerRedirection\ftscanmgrhv.exe</Image>
			<Image condition="is">C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Common Files\VMware\VMware Remote Console Plug-in 5.5\Internet Explorer\vmware-vmrc.exe</Image>
			<PipeName condition="contains">SQLAnywhereLRM</PipeName> <!-- Quickbooks -->
			<PipeName condition="contains">pgsignal</PipeName> <!-- Postgres SQL -->
			<Image condition="is">postgres.exe</Image>
			<PipeName condition="contains">MICROSOFT##WID\tsql\query</PipeName> <!-- Microsoft SQL writer-->
			<PipeName condition="contains">TSVCPIPE-</PipeName> <!-- Terminal Services Pipe-->
			<PipeName condition="contains">BB4BB19A178C25D1</PipeName>
			<PipeName condition="contains">SQLAnywhereLRM</PipeName>
			<PipeName condition="contains">SQLLocal</PipeName>
			<PipeName condition="contains">DropboxPipe_</PipeName>
			<Image condition="is">c:\windows\system32\inetsrv\w3wp.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel RMS License Manager\WinNT\mfcesd.exe</Image>
			<Image condition="is">C:\Pfx Engagement\WM\PFXEngagement.exe</Image>
			<Image condition="is">C:\Pfx Engagement\WM\Pfx.KnowledgeCoach.SharedServices.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Micro Focus\COBOL Server 2012\bin\mfds.exe</Image>
			<Image condition="is">ScreenConnect.WindowsClient.exe</Image>
			<Image condition="is">ScreenConnect.ClientService.exe</Image>
			<Image condition="is">QBW32.EXE</Image>
			<Image condition="end with">EXCEL.EXE</Image>
			<Image condition="end with">ADCUpdate.exe</Image>
			<Image condition="end with">Hydrous.Host.exe</Image>
			<Image condition="end with">TNSLSNR.exe</Image>
			<Image condition="contains">ShoreWare Server</Image>
		</PipeEvent>

	<!--SYSMON EVENT ID 19 & 20 & 21 : WMI EVENT MONITORING [WmiEvent]-->
		<!--EVENT 19: "WmiEventFilter activity detected"-->
		<!--EVENT 20: "WmiEventConsumer activity detected"-->
		<!--EVENT 21: "WmiEventConsumerToFilter activity detected"-->
		<!--DATA: EventType, UtcTime, Operation, User, Name, Type, Destination, Consumer, Filter-->
		<WmiEvent onmatch="exclude">
		</WmiEvent>

	<!--SYSMON EVENT ID 255 : ERROR-->
		<!--"This event is generated when an error occurred within Sysmon. They can happen if the system is under heavy load
			and certain tasked could not be performed or a bug exists in the Sysmon service. You can report any bugs on the
			Sysinternals forum or over Twitter (@markrussinovich)."-->
		<!--Cannot be filtered.-->

	</EventFiltering>
</Sysmon>