source="WinEventLog:Microsoft-Windows-Sysmon/Operational"
OriginalFileName IN ("*cmstp.exe", "*certutil.exe", "*cscript.exe", "*cmd.exe", "*net.exe", "*powershell.exe", "*powershell_ise.exe", "*psexec.exe", "*msiexec.exe", "*mshta.exe", "*rundll32.exe", "*regsvr32.exe", "*wmic.exe", "*wscript.exe")
NOT Image IN ("*cmstp.exe", "*certutil.exe", "*cscript.exe", "*cmd.exe", "*net.exe", "*powershell.exe", "*powershell_ise.exe", "*psexec.exe", "*msiexec.exe", "*mshta.exe", "*rundll32.exe", "*regsvr32.exe", "*wmic.exe", "*wscript.exe")
Short prescription
Based on Sysmon Event ID 1 (process creation) and Event ID 7 (image loaded).
If the PE header carries version information (true for most, if not all, Microsoft binaries), OriginalFileName shows the binary's real executable name and can be compared against the Image field; a mismatch means the file on disk was renamed.
Not bulletproof: the PE header can be edited with any hex editor, but doing so changes the file hash.
Having a golden workstation or a repository of known-good ("gold") hashes is always a good thing.
All such hashes can be stored in a lookup table or a KV store and joined against the Hashes field.
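The two checks described above (OriginalFileName versus Image, then a golden-hash lookup) applied to constructed Sysmon Event ID 1 records, as an added example that is not part of the original post. The event records, the hash values and the golden-hash set are all constructed placeholders; the watched-binary list is the one from the query.

```python
# Watched binaries from the query, compared case-insensitively like Splunk's IN().
WATCHED = ("cmstp.exe", "certutil.exe", "cscript.exe", "cmd.exe", "net.exe",
           "powershell.exe", "powershell_ise.exe", "psexec.exe", "msiexec.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe", "wscript.exe")

# Constructed Sysmon Event ID 1 records (field names as Sysmon emits them);
# the hash values are placeholders, not real file hashes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "Hashes": "SHA256=GOLDEN_CMD_PLACEHOLDER,MD5=MD5_PLACEHOLDER"},
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "PowerShell.EXE",
     "Hashes": "SHA256=UNKNOWN_PLACEHOLDER_1"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "Hashes": "SHA256=UNKNOWN_PLACEHOLDER_2"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "Hashes": "SHA256=GOLDEN_NOTEPAD_PLACEHOLDER"},
]
# Constructed stand-in for the golden-hash lookup table / KV store.
GOLDEN_SHA256 = {"GOLDEN_CMD_PLACEHOLDER", "GOLDEN_NOTEPAD_PLACEHOLDER"}


def image_basename(image):
    # Image is a full Windows path; keep only the file name, lower-cased.
    return image.rsplit("\\", 1)[-1].lower()

def watched_name(name):
    # Mirror the query's '*name.exe' wildcards; return the matched entry or None.
    name = name.lower()
    return next((w for w in WATCHED if name.endswith(w)), None)

def sha256_of(event):
    # Sysmon's Hashes field looks like 'SHA256=...,MD5=...'; pull out the SHA256.
    parts = (p.split("=", 1) for p in event.get("Hashes", "").split(",") if "=" in p)
    return dict(parts).get("SHA256", "")

def classify(event, golden=GOLDEN_SHA256):
    # 'renamed': PE says it is a watched binary but the on-disk name differs.
    # 'unknown-hash': names agree but the hash is not golden (catches a patched PE header).
    # Requiring on-disk name == PE name is stricter than the query's NOT Image IN (...).
    orig = watched_name(event.get("OriginalFileName", ""))
    if orig is None:
        return None
    if image_basename(event["Image"]) != orig:
        return "renamed"
    if sha256_of(event) not in golden:
        return "unknown-hash"
    return None

def flag_events(events=SAMPLE_EVENTS):
    # Return [(Image, OriginalFileName, verdict)] for each event that trips a rule.
    return [(e["Image"], e["OriginalFileName"], v) for e in events if (v := classify(e))]
```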