schema1.xml

<!--
  Sysmon event-filtering configuration.
  For each event type below, onmatch="exclude" drops events that match a listed
  rule and records everything else; onmatch="include" records only events that
  match a listed rule. An empty exclude block therefore records every event of
  that type, and an empty include block records none.
  NOTE(review): schemaversion must be one the installed Sysmon binary accepts
  (sysmon -s prints the supported schema); confirm 2.0 is still valid for the
  deployed version.
  NOTE(review): condition values are spelled with mixed case in this file
  (Image / is / Is / Contains). Confirm the target Sysmon version parses all of
  them and settle on one spelling.
-->
<Sysmon schemaversion="2.0">
  <!-- Hash algorithm recorded for image files in events that carry hashes. -->
  <HashAlgorithms>SHA256</HashAlgorithms>
  <EventFiltering>
    <!--
      Network connection events: suppress connections from the listed images,
      from source port name netbios-ns, and to destination host github.com.
      NOTE(review): these rules match on path and name only, not on signer or
      hash, so anything running as one of these images is silent here. That
      includes svchost.exe and explorer.exe, which are common hosts for injected
      code, and plink.exe, which is an SSH client capable of tunnelling. Prefer
      narrower exclusions (for example by destination port or destination
      address range) and keep these images logged where volume allows.
      NOTE(review): how rules on different fields (Image, SourcePortName,
      DestinationHostname) combine depends on the Sysmon version; verify against
      the deployed build. If they are OR-ed, the github.com rule hides traffic
      to that host from every process.
    -->
    <NetworkConnect onmatch="exclude">
      <Image condition="Image">C:\Windows\System32\svchost.exe</Image>
      <Image condition="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
      <Image condition="Image">C:\Windows\explorer.exe</Image>
      <Image condition="Image">C:\Program Files (x86)\Atlassian\SourceTree\tools\putty\plink.exe</Image>
      <Image condition="Image">C:\Windows\WinStore\WSHost.exe</Image>
      <SourcePortName condition="is">netbios-ns</SourcePortName>
      <DestinationHostname condition="Is">github.com</DestinationHostname>
    </NetworkConnect>
    <!-- Driver load events: no exclusions, so every driver load is recorded. -->
    <DriverLoad onmatch="exclude">
    </DriverLoad>
    <!-- Image (module) load events: include list is empty, so none are recorded. -->
    <ImageLoad onmatch="include">
    </ImageLoad>
    <!--
      Process creation events: suppress any event whose command line contains
      the substring cmd.exe or notepad.exe.
      NOTE(review): this is a substring match on the whole command line, not a
      match on the executable. Every cmd.exe launch, together with its
      arguments, is dropped, and so is any other process whose arguments merely
      mention either string. This is a large blind spot for process-creation
      detection. If the goal is noise reduction, match the exact Image (and
      ideally ParentImage) of the known-benign launches instead.
    -->
    <ProcessCreate onmatch="exclude">
      <CommandLine condition="Contains">cmd.exe</CommandLine>
      <CommandLine condition="Contains">notepad.exe</CommandLine>
    </ProcessCreate>
    <!-- Process termination events: no exclusions, so every termination is recorded. -->
    <ProcessTerminate onmatch="exclude">
    </ProcessTerminate>
    <!--
      File creation time change events: suppress events raised by the listed
      images (exact path match).
      NOTE(review): path-only matching does not verify the binary, so rely on
      file-system permissions for these directories to keep the exclusions
      trustworthy, and review the list when the listed applications are removed.
    -->
    <FileCreateTime onmatch="exclude">
      <Image condition="Is">C:\Program Files (x86)\Atlassian\SourceTree\SourceTree.exe</Image>
      <Image condition="Is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
      <Image condition="Is">C:\Program Files (x86)\Skype\Phone\Skype.exe</Image>
      <Image condition="Is">C:\Program Files\Internet Explorer\iexplore.exe</Image>
      <Image condition="Is">C:\Windows\Explorer.EXE</Image>
      <Image condition="Is">C:\Windows\system32\msiexec.exe</Image>
      <Image condition="Is">C:\Windows\system32\svchost.exe</Image>
    </FileCreateTime>
    <!-- Remote thread creation events: no exclusions, so every event is recorded. -->
    <CreateRemoteThread onmatch="exclude" />
  </EventFiltering>
</Sysmon>