
Commit dac3cce

authored
Create NetConnBaseline.xml
1 parent 32c11a6 commit dac3cce

1 file changed

Lines changed: 80 additions & 0 deletions


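--- a/examples/NetConnBaseline.xml
+++ b/examples/NetConnBaseline.xml
@@ -0,0 +1,80 @@
+<User condition='is'>NT AUTHORITY\SYSTEM</User>
+</Rule>
+<Rule groupRelation="and">
+<Image condition='is'>C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</Image>
+<DestinationPort condition="contains any">443;80</DestinationPort>
+</Rule>
+<Rule groupRelation="and">
+<Image condition="contains all">C:\Windows\SystemApps\Microsoft.Windows.Search_;\SearchApp.exe</Image>
+<DestinationPort condition="contains any">443;80</DestinationPort>
+</Rule>
+<Rule groupRelation="and">
+<Image condition='is'>C:\Windows\System32\smartscreen.exe</Image>
+<DestinationPort condition='is'>443</DestinationPort>
+</Rule>
+<Rule groupRelation="and">
+<Image condition="contains all">C:\Program Files\WindowsApps\;\LocalBridge.exe</Image>
+<DestinationPort condition='is'>443</DestinationPort>
+</Rule>
+<Rule groupRelation="and">
+<Image condition='is'>C:\Windows\System32\taskhostw.exe</Image>
+<DestinationPort condition="contains any">443;389</DestinationPort>
+<User condition='is'>NT AUTHORITY\SYSTEM</User>
+</Rule>
+<Rule groupRelation="and">
+<Image condition='is'>C:\Windows\System32\lsass.exe</Image>
+<DestinationPort condition="contains any">88;135;389</DestinationPort>
+<User condition='is'>NT AUTHORITY\SYSTEM</User>
+</Rule>
+<Rule groupRelation="and">
+<Image condition="contains all">C:\Program Files\WindowsApps\Microsoft.YourPhone;\YourPhone.exe</Image>
+<DestinationPort condition='is'>443</DestinationPort>
+</Rule>
+<Rule groupRelation="and">
+<Image condition='is'>C:\Windows\System32\taskhostw.exe</Image>
+<DestinationPort condition='is'>389</DestinationPort>
+<User condition='is'>NT AUTHORITY\SYSTEM</User>
+</Rule>
+<Rule groupRelation="and">
+<Image condition="contains all">C:\Program Files\WindowsApps\Microsoft.Windows.Photos;\Microsoft.Photos.exe</Image>
+<DestinationPort condition='is'>443</DestinationPort>
+</Rule>
+<Rule groupRelation="and">
+<Image condition='is'>C:\Windows\System32\CompatTelRunner.exe</Image>
+<DestinationPort condition='is'>443</DestinationPort>
+<User condition='is'>NT AUTHORITY\SYSTEM</User>
+</Rule>
+<Rule groupRelation="and">
+<Image condition='is'>C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe</Image>
+<DestinationPort condition='is'>443</DestinationPort>
+<User condition='is'>NT AUTHORITY\SYSTEM</User>
+</Rule>
+<Rule groupRelation="and">
+<Image condition="contains all">C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay;\GameBar.exe</Image>
+<DestinationPort condition='is'>443</DestinationPort>
+</Rule>
+<Rule groupRelation="and">
+<Image condition='is'>C:\Windows\System32\BackgroundTransferHost.exe</Image>
+<DestinationPort condition='is'>443</DestinationPort>
+</Rule>
+<Rule groupRelation="and">
+<Image condition='is'>C:\Windows\System32\RuntimeBroker.exe</Image>
+<DestinationPort condition='is'>443</DestinationPort>
+</Rule>
+<Rule groupRelation="and">
+<Image condition='is'>C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</Image>
+<DestinationPort condition="contains any">80;443</DestinationPort>
+</Rule>
+<Rule groupRelation="and">
+<Image condition='is'>C:\Windows\System32\backgroundTaskHost.exe</Image>
+<DestinationPort condition="contains any">135;389</DestinationPort>
+</Rule>
+<Rule groupRelation="and">
+<Image condition='is'>C:\Windows\System32\MoUsoCoreWorker.exe</Image>
+<DestinationPort condition='is'>443</DestinationPort>
+<User condition='is'>NT AUTHORITY\SYSTEM</User>
+</Rule>
+</NetworkConnect>
+</RuleGroup>
+</EventFiltering>
+</Sysmon>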
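Review bot: The file as committed is not a loadable Sysmon config: the hunk is `@@ -0,0 +1,80 @@` so line 1 is the start of the file, yet it opens with a bare `<User>` element and line 2 is a closing `</Rule>`, with no `<Sysmon>`, `<EventFiltering>`, `<RuleGroup>`, `<NetworkConnect onmatch=...>` or first `<Rule>` start tags before them; the XML is not well-formed and `sysmon -c` will reject it, and because the `onmatch` value is among the lost lines it cannot be confirmed from here that this is the exclusion list the name suggests. Separately, `condition="contains any"` on `DestinationPort` (lines 5, 9, 21, 26, 66, 70) is a substring match, so `443;80` also suppresses connections to 8080, 1080, 8000 and 8443, and `88;135;389` on lsass.exe likewise matches 8888 or 1350, which silently widens an exclusion that needs to be exact; use `<DestinationPort condition="is any">443;80</DestinationPort>` (Sysmon 11+) or one `is` rule per port. The msedge.exe rule at lines 4-6 is repeated verbatim at lines 65-67, and the taskhostw.exe/389 rule at lines 34-37 is already covered by lines 20-23, so the duplicates can be dropped. These rules also trust the image path alone, so any code running inside or injected into msedge.exe, RuntimeBroker.exe or BackgroundTransferHost.exe on 443 is invisible once the baseline is applied; that is a deliberate trade-off for a baseline but deserves a comment such as `<!-- Exclusions keyed on Image+DestinationPort only; review before deploying to hosts where these binaries are attack targets -->` at the top of the file.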
