added new filters

EvtMute/EvtMuteHook/x64/Debug/EvtMuteHook.log

@@ -0,0 +1,15 @@
+  pch.cpp
+  dllmain.cpp
+x:\evtmute\evtmutehook\dllmain.cpp(170): error C4996: 'sprintf': This function or variable may be unsafe. Consider using sprintf_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
+  c:\program files (x86)\windows kits\10\include\10.0.17763.0\ucrt\stdio.h(1774): note: see declaration of 'sprintf'
+x:\evtmute\evtmutehook\dllmain.cpp(175): error C4996: 'sprintf': This function or variable may be unsafe. Consider using sprintf_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
+  c:\program files (x86)\windows kits\10\include\10.0.17763.0\ucrt\stdio.h(1774): note: see declaration of 'sprintf'
+x:\evtmute\evtmutehook\dllmain.cpp(183): error C4996: 'sprintf': This function or variable may be unsafe. Consider using sprintf_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
+  c:\program files (x86)\windows kits\10\include\10.0.17763.0\ucrt\stdio.h(1774): note: see declaration of 'sprintf'
+x:\evtmute\evtmutehook\dllmain.cpp(221): error C4996: 'sprintf': This function or variable may be unsafe. Consider using sprintf_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
+  c:\program files (x86)\windows kits\10\include\10.0.17763.0\ucrt\stdio.h(1774): note: see declaration of 'sprintf'
+x:\evtmute\evtmutehook\dllmain.cpp(263): warning C4101: 'oldProtect': unreferenced local variable
+x:\evtmute\evtmutehook\dllmain.cpp(260): warning C4101: 'cStringBuffer': unreferenced local variable
+x:\evtmute\evtmutehook\dllmain.cpp(263): warning C4101: 'oldOldProtect': unreferenced local variable
+x:\evtmute\evtmutehook\dllmain.cpp(362): error C4996: 'sprintf': This function or variable may be unsafe. Consider using sprintf_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
+  c:\program files (x86)\windows kits\10\include\10.0.17763.0\ucrt\stdio.h(1774): note: see declaration of 'sprintf'

EvtMute/EvtMuteHook/x64/Debug/EvtMuteHook.tlog/EvtMuteHook.lastbuildstate

@@ -0,0 +1,2 @@
+#TargetFrameworkVersion=v4.0:PlatformToolSet=v141:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0.17763.0
+Debug|x64|X:\EvtMute\|

YaraFilters/image.yar

@@ -0,0 +1,9 @@
+rule Block_Image {
+    meta:
+        author = "@_batsec_"
+        description = "Prevent an image from appering in any event logs"
+    strings:
+        $imagename = "hideme.exe"
+    condition:
+        $imagename
+}

YaraFilters/logon.yar

@@ -0,0 +1,12 @@
+rule Block_Logon {
+    meta:
+        author = "@_batsec_"
+        description = "Prevent a users logon being reported"
+    strings:
+        $provider = "Microsoft-Windows-Security-Auditing"
+        $username = "backdoor"
+        $logon1 = "LogonType"
+        $logon2 = "TargetLogonId"
+    condition:
+        $provider and $username and $logon*
+}

YaraFilters/lsassdump.yar

@@ -0,0 +1,12 @@
+rule Block_Lsass_Dump {
+    meta:
+        author = "@_batsec_"
+        description = "Prevent lsass dumping being reported by sysmon"
+    strings:
+        $provider = "Microsoft-Windows-Sysmon"
+        $image = "lsass.exe" nocase
+        $access = "GrantedAccess"
+        $type = "0x1fffff"
+    condition:
+        all of them
+}

YaraFilters/sysmon.yar

@@ -0,0 +1,9 @@
+rule Block_All_Sysmon_Events {
+    meta:
+        author = "@_batsec_"
+        description = "Prevent all sysmon events from being reported"
+    strings:
+        $provider = "Microsoft-Windows-Sysmon"
+    condition:
+        $provider
+}