From a9ff298f6d228c181be71b213c73d111c6096f41 Mon Sep 17 00:00:00 2001
From: Azure Pipeline <azure-pipeline@olafhartong.nl>
Date: Wed, 20 Sep 2023 07:33:03 +0000
Subject: [PATCH] Updated after successful CICD run 09/20/2023 07:33:02 UTC

---
 .../all_exclude_modules.txt                   | Bin 15190 -> 15474 bytes
 0_custom_configuration/all_modules.txt        | Bin 38170 -> 38454 bytes
 sysmonconfig-excludes-only.xml                |  24 ++++++++++++++++++
 sysmonconfig-mde-augment.xml                  |  24 ++++++++++++++++++
 sysmonconfig-with-filedelete.xml              |  24 ++++++++++++++++++
 sysmonconfig.xml                              |  24 ++++++++++++++++++
 6 files changed, 96 insertions(+)

diff --git a/0_custom_configuration/all_exclude_modules.txt b/0_custom_configuration/all_exclude_modules.txt
index 5908b0af9d9772056a949cfb8191c0a2337acc74..241bebfc247de3b6004989d07ca9d75e0835162d 100644
GIT binary patch
delta 86
zcmcas_Niin7}w-8j6B@A4EYRs44Dii4Ed86a=C7n;4)#F{6$)eQ-L8FC{@5vIXRKr
kakCH4E#1j2mRh1^45<u743!M=3=mclP*L$_aVvX90FlcWtpET3

delta 25
hcmexVajk5F7}w?kE;FXhQoOfxC-1X%nA~Lj0RWH23fTYv

diff --git a/0_custom_configuration/all_modules.txt b/0_custom_configuration/all_modules.txt
index 99bae4e9ea58ba855e15becdf3bb53d33bdd4ab5..350b396461c80e9089149c5530ffb106ab614243 100644
GIT binary patch
delta 94
zcmbQWifP*#rVUvllg}{n@a8h)GvqO3GL!)6qREV6&YN>YOqeFuX|hc&u~gwyU`Pf^
r6fjgyz9{Utd4X6~>Ew)V0nsvsRE8pkN``m_2rCJwsCe_kZc9!8N`)Kx

delta 35
tcmV+;0Nnq!tOA;<0<dZnv&0lO0+WD!8k61=G_$-H9CeeBjS!<YjR^~G4nzO|

diff --git a/sysmonconfig-excludes-only.xml b/sysmonconfig-excludes-only.xml
index 4a7b4acb..463a83f8 100644
--- a/sysmonconfig-excludes-only.xml
+++ b/sysmonconfig-excludes-only.xml
@@ -330,6 +330,22 @@
           <Image condition="contains all"> C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe</Image>
           <ImageLoaded condition="contains all">C:\Users\;\AppData\Local\Microsoft\OneDrive\;\FileCoAuth.exe</ImageLoaded>
         </Rule>
+        <Rule groupRelation="and">
+          <Image condition="is">C:\Windows\System32\svchost.exe</Image>
+          <ImageLoaded condition="is">C:\Windows\System32\netapi32.dll</ImageLoaded>
+        </Rule>
+        <Rule groupRelation="and">
+          <Image condition="is">C:\Windows\System32\svchost.exe</Image>
+          <ImageLoaded condition="is">C:\Windows\System32\msvcp110_win.dll</ImageLoaded>
+        </Rule>
+        <Rule groupRelation="and">
+          <Image condition="is">C:\Windows\System32\svchost.exe</Image>
+          <ImageLoaded condition="is">C:\Windows\System32\dsreg.dll</ImageLoaded>
+        </Rule>
+        <Rule groupRelation="and">
+          <Image condition="is">C:\Windows\System32\svchost.exe</Image>
+          <ImageLoaded condition="is">C:\Windows\System32\perfctrs.dll</ImageLoaded>
+        </Rule>
       </ImageLoad>
     </RuleGroup>
     <!-- Event ID 8 == CreateRemoteThread - Excludes -->
@@ -365,6 +381,12 @@
         <SourceImage condition="is">C:\Program Files\Adobe\Adobe Photoshop 2021\Photoshop.exe</SourceImage>
         <TargetImage condition="begin with">C:\Program Files\Autodesk\Autodesk Desktop App</TargetImage>
         <TargetImage condition="begin with">C:\Program Files (x86)\Autodesk\Autodesk Desktop App</TargetImage>
+        <Rule groupRelation="and">
+          <SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe</SourceImage>
+          <TargetImage condition="is">C:\Windows\system32\cscript.exe</TargetImage>
+        </Rule>
+        <SourceImage condition="contains all">C:\WindowsAzure\GuestAgent_;CollectGuestLogs.exe</SourceImage>
+        <SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe</SourceImage>
         <SourceImage condition="is">C:\Windows\CarbonBlack\cb.exe</SourceImage>
         <Rule name="Exclude Chrome SW Reporter into Reporter" groupRelation="and">
           <SourceImage condition="image">software_reporter_tool.exe</SourceImage>
@@ -384,6 +406,8 @@
         <SourceImage condition="contains all">C:\Users\;\AppData\Local\Citrix\ICA Client\receiver\Receiver.exe</SourceImage>
         <SourceImage condition="is">C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe</SourceImage>
         <SourceImage condition="is">c:\Program Files\Couchbase\Server\bin\sigar_port.exe</SourceImage>
+        <SourceImage condition="is">C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe</SourceImage>
+        <SourceImage condition="contains all">C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\;\OpenHandleCollector.exe</SourceImage>
         <SourceImage condition="contains all">C:\Program Files\Elastic\Agent\data\;\metricbeat.exe</SourceImage>
         <SourceImage condition="contains all">C:\Program Files;\FireEye\xagt\xagt.exe</SourceImage>
         <SourceImage condition="is">C:\Program Files (x86)\Ivanti\Workspace Control\cpushld.exe</SourceImage>
diff --git a/sysmonconfig-mde-augment.xml b/sysmonconfig-mde-augment.xml
index c83aa4ca..c09fc6ac 100644
--- a/sysmonconfig-mde-augment.xml
+++ b/sysmonconfig-mde-augment.xml
@@ -906,6 +906,22 @@
           <Image condition="contains all"> C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe</Image>
           <ImageLoaded condition="contains all">C:\Users\;\AppData\Local\Microsoft\OneDrive\;\FileCoAuth.exe</ImageLoaded>
         </Rule>
+        <Rule groupRelation="and">
+          <Image condition="is">C:\Windows\System32\svchost.exe</Image>
+          <ImageLoaded condition="is">C:\Windows\System32\netapi32.dll</ImageLoaded>
+        </Rule>
+        <Rule groupRelation="and">
+          <Image condition="is">C:\Windows\System32\svchost.exe</Image>
+          <ImageLoaded condition="is">C:\Windows\System32\msvcp110_win.dll</ImageLoaded>
+        </Rule>
+        <Rule groupRelation="and">
+          <Image condition="is">C:\Windows\System32\svchost.exe</Image>
+          <ImageLoaded condition="is">C:\Windows\System32\dsreg.dll</ImageLoaded>
+        </Rule>
+        <Rule groupRelation="and">
+          <Image condition="is">C:\Windows\System32\svchost.exe</Image>
+          <ImageLoaded condition="is">C:\Windows\System32\perfctrs.dll</ImageLoaded>
+        </Rule>
       </ImageLoad>
     </RuleGroup>
     <!-- Event ID 8 == CreateRemoteThread - Sysmon will not provide notable additional visibility over MDE. -->
@@ -1020,6 +1036,12 @@
         <SourceImage condition="is">C:\Program Files\Adobe\Adobe Photoshop 2021\Photoshop.exe</SourceImage>
         <TargetImage condition="begin with">C:\Program Files\Autodesk\Autodesk Desktop App</TargetImage>
         <TargetImage condition="begin with">C:\Program Files (x86)\Autodesk\Autodesk Desktop App</TargetImage>
+        <Rule groupRelation="and">
+          <SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe</SourceImage>
+          <TargetImage condition="is">C:\Windows\system32\cscript.exe</TargetImage>
+        </Rule>
+        <SourceImage condition="contains all">C:\WindowsAzure\GuestAgent_;CollectGuestLogs.exe</SourceImage>
+        <SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe</SourceImage>
         <SourceImage condition="is">C:\Windows\CarbonBlack\cb.exe</SourceImage>
         <Rule name="Exclude Chrome SW Reporter into Reporter" groupRelation="and">
           <SourceImage condition="image">software_reporter_tool.exe</SourceImage>
@@ -1039,6 +1061,8 @@
         <SourceImage condition="contains all">C:\Users\;\AppData\Local\Citrix\ICA Client\receiver\Receiver.exe</SourceImage>
         <SourceImage condition="is">C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe</SourceImage>
         <SourceImage condition="is">c:\Program Files\Couchbase\Server\bin\sigar_port.exe</SourceImage>
+        <SourceImage condition="is">C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe</SourceImage>
+        <SourceImage condition="contains all">C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\;\OpenHandleCollector.exe</SourceImage>
         <SourceImage condition="contains all">C:\Program Files\Elastic\Agent\data\;\metricbeat.exe</SourceImage>
         <SourceImage condition="contains all">C:\Program Files;\FireEye\xagt\xagt.exe</SourceImage>
         <SourceImage condition="is">C:\Program Files (x86)\Ivanti\Workspace Control\cpushld.exe</SourceImage>
diff --git a/sysmonconfig-with-filedelete.xml b/sysmonconfig-with-filedelete.xml
index 1feded8c..93f4547b 100644
--- a/sysmonconfig-with-filedelete.xml
+++ b/sysmonconfig-with-filedelete.xml
@@ -1112,6 +1112,22 @@
           <Image condition="contains all"> C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe</Image>
           <ImageLoaded condition="contains all">C:\Users\;\AppData\Local\Microsoft\OneDrive\;\FileCoAuth.exe</ImageLoaded>
         </Rule>
+        <Rule groupRelation="and">
+          <Image condition="is">C:\Windows\System32\svchost.exe</Image>
+          <ImageLoaded condition="is">C:\Windows\System32\netapi32.dll</ImageLoaded>
+        </Rule>
+        <Rule groupRelation="and">
+          <Image condition="is">C:\Windows\System32\svchost.exe</Image>
+          <ImageLoaded condition="is">C:\Windows\System32\msvcp110_win.dll</ImageLoaded>
+        </Rule>
+        <Rule groupRelation="and">
+          <Image condition="is">C:\Windows\System32\svchost.exe</Image>
+          <ImageLoaded condition="is">C:\Windows\System32\dsreg.dll</ImageLoaded>
+        </Rule>
+        <Rule groupRelation="and">
+          <Image condition="is">C:\Windows\System32\svchost.exe</Image>
+          <ImageLoaded condition="is">C:\Windows\System32\perfctrs.dll</ImageLoaded>
+        </Rule>
       </ImageLoad>
     </RuleGroup>
     <!-- Event ID 8 == CreateRemoteThread - Excludes -->
@@ -1237,6 +1253,12 @@
         <SourceImage condition="is">C:\Program Files\Adobe\Adobe Photoshop 2021\Photoshop.exe</SourceImage>
         <TargetImage condition="begin with">C:\Program Files\Autodesk\Autodesk Desktop App</TargetImage>
         <TargetImage condition="begin with">C:\Program Files (x86)\Autodesk\Autodesk Desktop App</TargetImage>
+        <Rule groupRelation="and">
+          <SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe</SourceImage>
+          <TargetImage condition="is">C:\Windows\system32\cscript.exe</TargetImage>
+        </Rule>
+        <SourceImage condition="contains all">C:\WindowsAzure\GuestAgent_;CollectGuestLogs.exe</SourceImage>
+        <SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe</SourceImage>
         <SourceImage condition="is">C:\Windows\CarbonBlack\cb.exe</SourceImage>
         <Rule name="Exclude Chrome SW Reporter into Reporter" groupRelation="and">
           <SourceImage condition="image">software_reporter_tool.exe</SourceImage>
@@ -1256,6 +1278,8 @@
         <SourceImage condition="contains all">C:\Users\;\AppData\Local\Citrix\ICA Client\receiver\Receiver.exe</SourceImage>
         <SourceImage condition="is">C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe</SourceImage>
         <SourceImage condition="is">c:\Program Files\Couchbase\Server\bin\sigar_port.exe</SourceImage>
+        <SourceImage condition="is">C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe</SourceImage>
+        <SourceImage condition="contains all">C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\;\OpenHandleCollector.exe</SourceImage>
         <SourceImage condition="contains all">C:\Program Files\Elastic\Agent\data\;\metricbeat.exe</SourceImage>
         <SourceImage condition="contains all">C:\Program Files;\FireEye\xagt\xagt.exe</SourceImage>
         <SourceImage condition="is">C:\Program Files (x86)\Ivanti\Workspace Control\cpushld.exe</SourceImage>
diff --git a/sysmonconfig.xml b/sysmonconfig.xml
index e390a2aa..30331a65 100644
--- a/sysmonconfig.xml
+++ b/sysmonconfig.xml
@@ -1112,6 +1112,22 @@
           <Image condition="contains all"> C:\Users\;\AppData\Local\Microsoft\OneDrive;\FileCoAuth.exe</Image>
           <ImageLoaded condition="contains all">C:\Users\;\AppData\Local\Microsoft\OneDrive\;\FileCoAuth.exe</ImageLoaded>
         </Rule>
+        <Rule groupRelation="and">
+          <Image condition="is">C:\Windows\System32\svchost.exe</Image>
+          <ImageLoaded condition="is">C:\Windows\System32\netapi32.dll</ImageLoaded>
+        </Rule>
+        <Rule groupRelation="and">
+          <Image condition="is">C:\Windows\System32\svchost.exe</Image>
+          <ImageLoaded condition="is">C:\Windows\System32\msvcp110_win.dll</ImageLoaded>
+        </Rule>
+        <Rule groupRelation="and">
+          <Image condition="is">C:\Windows\System32\svchost.exe</Image>
+          <ImageLoaded condition="is">C:\Windows\System32\dsreg.dll</ImageLoaded>
+        </Rule>
+        <Rule groupRelation="and">
+          <Image condition="is">C:\Windows\System32\svchost.exe</Image>
+          <ImageLoaded condition="is">C:\Windows\System32\perfctrs.dll</ImageLoaded>
+        </Rule>
       </ImageLoad>
     </RuleGroup>
     <!-- Event ID 8 == CreateRemoteThread - Excludes -->
@@ -1237,6 +1253,12 @@
         <SourceImage condition="is">C:\Program Files\Adobe\Adobe Photoshop 2021\Photoshop.exe</SourceImage>
         <TargetImage condition="begin with">C:\Program Files\Autodesk\Autodesk Desktop App</TargetImage>
         <TargetImage condition="begin with">C:\Program Files (x86)\Autodesk\Autodesk Desktop App</TargetImage>
+        <Rule groupRelation="and">
+          <SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe</SourceImage>
+          <TargetImage condition="is">C:\Windows\system32\cscript.exe</TargetImage>
+        </Rule>
+        <SourceImage condition="contains all">C:\WindowsAzure\GuestAgent_;CollectGuestLogs.exe</SourceImage>
+        <SourceImage condition="is">C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe</SourceImage>
         <SourceImage condition="is">C:\Windows\CarbonBlack\cb.exe</SourceImage>
         <Rule name="Exclude Chrome SW Reporter into Reporter" groupRelation="and">
           <SourceImage condition="image">software_reporter_tool.exe</SourceImage>
@@ -1256,6 +1278,8 @@
         <SourceImage condition="contains all">C:\Users\;\AppData\Local\Citrix\ICA Client\receiver\Receiver.exe</SourceImage>
         <SourceImage condition="is">C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe</SourceImage>
         <SourceImage condition="is">c:\Program Files\Couchbase\Server\bin\sigar_port.exe</SourceImage>
+        <SourceImage condition="is">C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe</SourceImage>
+        <SourceImage condition="contains all">C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\;\OpenHandleCollector.exe</SourceImage>
         <SourceImage condition="contains all">C:\Program Files\Elastic\Agent\data\;\metricbeat.exe</SourceImage>
         <SourceImage condition="contains all">C:\Program Files;\FireEye\xagt\xagt.exe</SourceImage>
         <SourceImage condition="is">C:\Program Files (x86)\Ivanti\Workspace Control\cpushld.exe</SourceImage>