From 57312567d9b520e0b4ac94344666125f5d593c75 Mon Sep 17 00:00:00 2001
From: Matthew Iverson <matthew@noreply.localhost>
Date: Mon, 13 Jan 2025 21:27:34 -0500
Subject: [PATCH] Delete currentsocsysmon.xml

---
 currentsocsysmon.xml | 1653 ------------------------------------------
 1 file changed, 1653 deletions(-)
 delete mode 100644 currentsocsysmon.xml

diff --git a/currentsocsysmon.xml b/currentsocsysmon.xml
deleted file mode 100644
index 297f88d..0000000
--- a/currentsocsysmon.xml
+++ /dev/null
@@ -1,1653 +0,0 @@
-<Sysmon schemaversion="4.22">
-    <!-- SYSMON META CONFIG -->
-    <HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
-    <!--  Both MD5 and SHA256 are the industry-standard algorithms for identifying files  -->
-    <CheckRevocation/>
-    <!--  Check loaded drivers, log if their code-signing certificate has been revoked, in case malware stole one to sign a kernel driver  -->
-    <!--  <ImageLoad/>  -->
-    <!--  Would manually force-on ImageLoad monitoring, even without configuration below. Included only documentation.  -->
-    <!--  <ProcessAccessConfig/>  -->
-    <!--  Would manually force-on ProcessAccess monitoring, even without configuration below. Included only documentation.  -->
-    <!--  <PipeMonitoringConfig/>  -->
-    <!--  Would manually force-on PipeCreated / PipeConnected events, even without configuration below. Included only documentation.  -->
-    <EventFiltering>
-        <!-- SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate] -->
-        <!-- COMMENT:	All processes launched will be logged, except for what matches a rule below. It's best to be as specific as possible,
-			to avoid user-mode executables imitating other process names to avoid logging, or if malware drops files in an existing directory.
-			Ultimately, you must weigh CPU time checking many detailed rules, against the risk of malware exploiting the blindness created.
-			Beware of Masquerading, where attackers imitate the names and paths of legitimate tools. Ideally, you'd use both file path and
-			code signatures to validate, but Sysmon does not support that. Look into AppLocker/WindowsDeviceGuard for whitelisting support.  -->
-        <!-- DATA: UtcTime, ProcessGuid, ProcessID, Image, FileVersion, Description, Product, Company, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine, RuleName -->
-        <RuleGroup name="" groupRelation="or">
-            <!-- Process Creation INCLUDE SECTION -->
-            <ProcessCreate onmatch="include">
-                <CommandLine name="technique_id=T1087.002,apt=Volt Typhoon" condition="contains">net group /dom</CommandLine> <!-- added 2025-01-08 by cpl iverson -->
-                <CommandLine name="technique_id=T1087.001,apt=Volt Typhoon" condition="contains">quser</CommandLine> <!-- added 2025-01-08 by cpl iverson -->
-                <CommandLine name="technique_id=T1560.001,apt=Volt Typhoon,Fancy Bear" condition="contains">7z</CommandLine> <!-- added 2025-01-08 by cpl iverson -->
-                <Image name="technique_id=T1059.004,apt=Volt Typhoon,Fancy Bear" condition="contains">\BrightmetricAgent.exe</Image> <!-- added 2025-01-08 by cpl iverson -->
-                <Image name="technique_id=T1046,apt=Volt Typhoon" condition="contains">\ScanLine.exe</Image> <!-- added 2025-01-08 by cpl iverson -->
-                <Image name="technique_id=T1036.005,apt=Volt Typhoon,Fancy Bear" condition="contains">vm3dservice.exe</Image> <!-- added 2025-01-08 by cpl iverson -->
-                <Image name="technique_id=T1090,apt=Volt Typhoon" condition="contains">FRP</Image> <!-- added 2025-01-08 by cpl iverson -->
-                <Image name="technique_id=S0357,apt=Volt Typhoon,Fancy Bear" condition="contains">\Impacket.exe</Image> <!-- added 2025-01-08 by cpl iverson -->
-                <Image name="technique_id=S0002,apt=Volt Typhoon" condition="contains">\Mimikatz.exe</Image> <!-- added 2025-01-08 by cpl iverson -->
-                <Image name="technique_id=S0029,apt=Volt Typhoon,Fancy Bear,Fox Kitten" condition="contains">\PsExec.exe</Image> <!-- added 2025-01-08 by cpl iverson -->
-                <ParentImage name="technique_id=T1059.003,apt=Volt Typhoon,Fox Kitten" condition="contains">\cmd.exe</ParentImage> <!-- added 2025-01-08 by cpl iverson -->
-                <CommandLine name="technique_id=T1071.004,apt=Fancy Bear" condition="contains">dnscat</CommandLine> <!-- added 2025-01-08 by cpl iverson -->
-                <CommandLine name="technique_id=T1059.001,apt=Fancy Bear,Fox Kitten" condition="contains">powershell</CommandLine> <!-- added 2025-01-08 by cpl iverson -->
-                <CommandLine name="technique_id=T1036.005,apt=Fancy Bear" condition="contains">java</CommandLine> <!-- added 2025-01-08 by cpl iverson -->
-                <Image name="technique_id=S0521,apt=Fancy Bear" condition="contains">BloodHound.exe</Image> <!-- added 2025-01-08 by cpl iverson -->
-                <Image name="technique_id=S0508,apt=Fancy Bear,Fox Kitten" condition="contains">ngrok.exe</Image> <!-- added 2025-01-08 by cpl iverson -->
-                <CommandLine name="technique_id=T1124,apt=Volt Typhoon" condition="contains">Get-TimeZone</CommandLine> <!-- added 2025-01-08 by cpl iverson -->
-            <CommandLine name="technique_id=S0645,apt=Volt Typhoon,Fancy Bear" condition="contains">Wevtutil</CommandLine> <!-- added 2025-01-08 by cpl iverson -->
-            </ProcessCreate>
-            <!-- Process Creation EXCLUDE SECTION -->
-            <ProcessCreate onmatch="exclude">
-                <!-- SECTION: Microsoft Windows -->
-                <CommandLine condition="begin with"> "C:\Windows\system32\wermgr.exe" "-queuereporting_svc" </CommandLine>
-                <!-- Windows:Windows error reporting/telemetry -->
-                <CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine>
-                <!-- Windows -->
-                <CommandLine condition="begin with">C:\Windows\system32\wbem\wmiprvse.exe -Embedding</CommandLine>
-                <!-- Windows: WMI provider host -->
-                <CommandLine condition="begin with">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</CommandLine>
-                <!-- Windows: WMI provider host -->
-                <CommandLine condition="is">C:\Windows\system32\wermgr.exe -upload</CommandLine>
-                <!-- Windows:Windows error reporting/telemetry -->
-                <CommandLine condition="is">C:\Windows\system32\SearchIndexer.exe /Embedding</CommandLine>
-                <!-- Windows: Search Indexer -->
-                <CommandLine condition="is">C:\windows\system32\wermgr.exe -queuereporting</CommandLine>
-                <!-- Windows:Windows error reporting/telemetry -->
-                <CommandLine condition="is">\??\C:\Windows\system32\autochk.exe *</CommandLine>
-                <!-- Microsoft:Bootup: Auto Check Utility -->
-                <CommandLine condition="is">\SystemRoot\System32\smss.exe</CommandLine>
-                <!-- Microsoft:Bootup: Windows Session Manager -->
-                <CommandLine condition="is">C:\Windows\System32\RuntimeBroker.exe -Embedding</CommandLine>
-                <!-- Windows:Apps permissions [ https://fossbytes.com/runtime-broker-process-windows-10/ ]  -->
-                <Image condition="is">C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe</Image>
-                <!-- Windows: Touch Keyboard and Handwriting Panel Helper -->
-                <Image condition="is">C:\Windows\System32\TokenBrokerCookies.exe</Image>
-                <!-- Windows: SSO sign-in assistant for MicrosoftOnline.com -->
-                <Image condition="is">C:\Windows\System32\plasrv.exe</Image>
-                <!-- Windows: Performance Logs and Alerts DCOM Server -->
-                <Image condition="is">C:\Windows\System32\wifitask.exe</Image>
-                <!-- Windows: Wireless Background Task -->
-                <Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image>
-                <!-- Windows: Customer Experience Improvement -->
-                <Image condition="is">C:\Windows\system32\PrintIsolationHost.exe</Image>
-                <!-- Windows: Printing -->
-                <Image condition="is">C:\Windows\system32\SppExtComObj.Exe</Image>
-                <!-- Windows: KMS activation -->
-                <Image condition="is">C:\Windows\system32\audiodg.exe</Image>
-                <!-- Windows: Launched constantly -->
-                <Image condition="is">C:\Windows\system32\conhost.exe</Image>
-                <!-- Windows: Command line interface host process -->
-                <Image condition="is">C:\Windows\system32\mobsync.exe</Image>
-                <!-- Windows: Network file syncing -->
-                <Image condition="is">C:\Windows\system32\musNotification.exe</Image>
-                <!-- Windows: Update pop-ups -->
-                <Image condition="is">C:\Windows\system32\musNotificationUx.exe</Image>
-                <!-- Windows: Update pop-ups -->
-                <Image condition="is">C:\Windows\system32\powercfg.exe</Image>
-                <!-- Microsoft:Power configuration management -->
-                <Image condition="is">C:\Windows\system32\sndVol.exe</Image>
-                <!-- Windows: Volume control -->
-                <Image condition="is">C:\Windows\system32\sppsvc.exe</Image>
-                <!-- Windows: Software Protection Service -->
-                <Image condition="is">C:\Windows\system32\wbem\WmiApSrv.exe</Image>
-                <!-- Windows: WMI performance adapter host process -->
-                <IntegrityLevel condition="is">AppContainer</IntegrityLevel>
-                <!-- Windows: Don't care about sandboxed processes right now. Will need to revisit this decision. -->
-                <ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine>
-                <!-- Windows:CommandShell: Triggered when programs use the command shell, but doesn't provide attribution for what caused it -->
-                <ParentCommandLine condition="is">C:\windows\system32\wermgr.exe -queuereporting</ParentCommandLine>
-                <!-- Windows:Windows error reporting/telemetry -->
-                <CommandLine condition="is">C:\WINDOWS\system32\devicecensus.exe UserCxt</CommandLine>
-                <CommandLine condition="is">C:\Windows\System32\usocoreworker.exe -Embedding</CommandLine>
-                <ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage>
-                <!-- Windows:Search: Launches many uninteresting sub-processes -->
-                <!-- SECTION: Windows:svchost -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel -s StateRepository</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel</CommandLine>
-                <!-- Windows 10 -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k appmodel -p -s tiledatamodelsvc</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k camera -s FrameServer</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k dcomlaunch -s LSM</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k dcomlaunch -s PlugPlay</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k defragsvc</CommandLine>
-                <!-- Windows defragmentation -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k devicesflow -s DevicesFlowUserSvc</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k imgsvc</CommandLine>
-                <!-- Microsoft:The Windows Image Acquisition Service -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s EventSystem</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s bthserv</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s nsi</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localService -s w32Time</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation</CommandLine>
-                <!-- Windows: Network services -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp</CommandLine>
-                <!-- Windows: Network services -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s TimeBrokerSvc</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -s BTAGService</CommandLine>
-                <CommandLine condition="is">C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService</CommandLine>
-                <!-- Win10:1903:Network Connection Broker -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted</CommandLine>
-                <!-- Windows: Network services -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -p -s SSDPSRV</CommandLine>
-                <!-- Windows:SSDP [ https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol ]  -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNoNetwork</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s NgcSvc</CommandLine>
-                <!-- Microsoft:Passport -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -p -s NgcCtnrSvc</CommandLine>
-                <!-- Microsoft:Passport Container -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SCardSvr</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</CommandLine>
-                <CommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs -p -s SessionEnv</CommandLine>
-                <!-- Windows:Remote desktop configuration -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost</CommandLine>
-                <!-- Windows: Diagnostic System Host [ http://www.blackviper.com/windows-services/diagnostic-system-host/ ]  -->
-                <CommandLine condition="is">C:\Windows\System32\svchost.exe -k localSystemNetworkRestricted -p -s WdiSystemHost</CommandLine>
-                <!-- Windows: Diagnostic System Host [ http://www.blackviper.com/windows-services/diagnostic-system-host/ ]  -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted</CommandLine>
-                <!-- Windows -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc</CommandLine>
-                <!-- Windows: Windows Live Sign-In Assistant [ https://www.howtogeek.com/howto/30348/what-are-wlidsvc.exe-and-wlidsvcm.exe-and-why-are-they-running/ ]  -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -p -s ncaSvc</CommandLine>
-                <!-- Windows: Network Connectivity Assistant [ http://www.blackviper.com/windows-services/network-connectivity-assistant/ ]  -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC</CommandLine>
-                <!-- Windows:Network: BitLocker Drive Encryption -->
-                <CommandLine condition="is">C:\Windows\System32\svchost.exe -k netsvcs -p -s BDESVC</CommandLine>
-                <!-- Microsoft:Win10:1903:Network: BitLocker Drive Encryption -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -p -s BITS</CommandLine>
-                <!-- Windows:Network: Background Intelligent File Transfer (BITS)  -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s BITS</CommandLine>
-                <!-- Windows:Network: Background Intelligent File Transfer (BITS)  -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s Gpsvc</CommandLine>
-                <!-- Windows:Network: Group Policy  -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc</CommandLine>
-                <!-- Windows: Network services -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s SENS</CommandLine>
-                <!-- Windows: Network services -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv</CommandLine>
-                <!-- Windows: Network services -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s Themes</CommandLine>
-                <!-- Windows: Network services -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt</CommandLine>
-                <!-- Windows: Windows Management Instrumentation (WMI)  -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs</CommandLine>
-                <!-- Windows: Network services -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s Dnscache</CommandLine>
-                <!-- Windows:Network: DNS caching, other uses  -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation</CommandLine>
-                <!-- Windows:Network: "Workstation" service, used for SMB file-sharing connections and RDP -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s NlaSvc</CommandLine>
-                <!-- Windows:Network: Network Location Awareness -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService -s TermService</CommandLine>
-                <!-- Windows:Network: Terminal Services (RDP) -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkService</CommandLine>
-                <!-- Windows: Network services -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted</CommandLine>
-                <!-- Windows: Network services -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k rPCSS</CommandLine>
-                <!-- Windows Services -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k secsvcs</CommandLine>
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k swprv</CommandLine>
-                <!-- Microsoft:Software Shadow Copy Provider -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k unistackSvcGroup</CommandLine>
-                <!-- Windows 10 -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k utcsvc</CommandLine>
-                <!-- Windows Services -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k wbioSvcGroup</CommandLine>
-                <!-- Windows Services -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k werSvcGroup</CommandLine>
-                <!-- Windows: ErrorReporting -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc</CommandLine>
-                <!-- Windows: Update Medic Service [ https://www.thewindowsclub.com/windows-update-medic-service ]  -->
-                <CommandLine condition="is">C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC</CommandLine>
-                <!-- Windows:Apps: Client License Service -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc</CommandLine>
-                <!-- Windows:Apps: AppX Deployment Service -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC</CommandLine>
-                <!-- Windows:Apps: Client License Service -->
-                <CommandLine condition="is">C:\Windows\system32\svchost.exe -k wsappx</CommandLine>
-                <!-- Windows:Apps [ https://www.howtogeek.com/320261/what-is-wsappx-and-why-is-it-running-on-my-pc/ ]  -->
-                <ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs</ParentCommandLine>
-                <!-- Windows: Network services: Spawns Consent.exe -->
-                <ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted</ParentCommandLine>
-                <!-- Windows -->
-                <CommandLine condition="is">C:\Windows\system32\deviceenroller.exe /c /AutoEnrollMDM</CommandLine>
-                <!-- Windows: AzureAD device enrollment agent -->
-                <!-- SECTION: Microsoft:Edge -->
-                <CommandLine condition="begin with">"C:\Program Files (x86)\Microsoft\Edge Dev\Application\msedge.exe" --type=</CommandLine>
-                <!-- SECTION: Microsoft:dotNet -->
-                <CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</CommandLine>
-                <!-- Microsoft:DotNet -->
-                <CommandLine condition="begin with">C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe</CommandLine>
-                <!-- Microsoft:DotNet -->
-                <Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image>
-                <!-- Microsoft:DotNet -->
-                <Image condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Image>
-                <!-- Microsoft:DotNet -->
-                <Image condition="is">C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe</Image>
-                <!-- Windows: Font cache service -->
-                <ParentCommandLine condition="contains">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentCommandLine>
-                <ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage>
-                <!-- Microsoft:DotNet -->
-                <ParentImage condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe</ParentImage>
-                <!-- Microsoft:DotNet -->
-                <ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</ParentImage>
-                <!-- Microsoft:DotNet -->
-                <ParentImage condition="is">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</ParentImage>
-                <!-- Microsoft:DotNet: Spawns thousands of ngen.exe processes -->
-                <!-- SECTION: Microsoft:Office -->
-                <Image condition="is">C:\Program Files\Microsoft Office\Office16\MSOSYNC.EXE</Image>
-                <!-- Microsoft:Office: Background process for SharePoint/Office365 connectivity -->
-                <Image condition="is">C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE</Image>
-                <!-- Microsoft:Office: Background process for SharePoint/Office365 connectivity -->
-                <Image condition="is">C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE</Image>
-                <!-- Microsoft:Office: Licensing service -->
-                <Image condition="is">C:\Program Files\Microsoft Office\Office16\msoia.exe</Image>
-                <!-- Microsoft:Office: Telemetry collector -->
-                <Image condition="is">C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe</Image>
-                <!-- SECTION: Microsoft:Office:Click2Run -->
-                <Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image>
-                <!-- Microsoft:Office: Background process -->
-                <ParentImage condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe</ParentImage>
-                <!-- Microsoft:Office: Background process -->
-                <ParentImage condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</ParentImage>
-                <!-- Microsoft:Office: Background process -->
-                <!-- SECTION: Windows: Media player -->
-                <Image condition="is">C:\Program Files\Windows Media Player\wmpnscfg.exe</Image>
-                <!-- Windows: Windows Media Player Network Sharing Service Configuration Application -->
-                <!-- SECTION: Google -->
-                <CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=</CommandLine>
-                <!-- Google:Chrome: massive command-line arguments -->
-                <CommandLine condition="begin with">"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=</CommandLine>
-                <!-- Google:Chrome: massive command-line arguments -->
-            </ProcessCreate>
-        </RuleGroup>
-        <!-- SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime] -->
-        <!-- COMMENT:	[ https://attack.mitre.org/wiki/Technique/T1099 ]  -->
-        <!-- DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime -->
-        <RuleGroup name="" groupRelation="or">
-            <FileCreateTime onmatch="include">
-                <Image name="T1099 - C:\Users" condition="begin with">C:\Users</Image>
-                <!-- Look for timestomping in user area, usually nothing should be doing that here -->
-                <TargetFilename name="T1099 - .exe" condition="end with">.exe</TargetFilename>
-                <!-- Look for backdated executables anywhere -->
-                <Image name="T1099 - Shadow Copy Write" condition="begin with">\Device\HarddiskVolumeShadowCopy</Image>
-                <!-- Nothing should be written here | Credit: @SBousseaden [ https://twitter.com/SBousseaden/status/1133030955407630336 ]  -->
-            </FileCreateTime>
-        </RuleGroup>
-        <RuleGroup name="" groupRelation="or">
-            <FileCreateTime onmatch="exclude">
-                <Image condition="image">OneDrive.exe</Image>
-                <!-- OneDrive constantly changes file times -->
-                <Image condition="image">C:\Windows\system32\backgroundTaskHost.exe</Image>
-                <Image condition="contains">setup</Image>
-                <!-- Ignore setups -->
-                <Image condition="contains">install</Image>
-                <!-- Ignore setups -->
-                <Image condition="contains">Update\</Image>
-                <!-- Ignore setups -->
-                <Image condition="end with">redist.exe</Image>
-                <!-- Ignore setups -->
-                <Image condition="is">msiexec.exe</Image>
-                <!-- Ignore setups -->
-                <Image condition="is">TrustedInstaller.exe</Image>
-                <!-- Ignore setups -->
-                <TargetFilename condition="contains">\NVIDIA\NvBackend\ApplicationOntology\</TargetFilename>
-                <!-- NVIDIA GeForce Experience Application Ontology, 1000's of events in user profile -->
-            </FileCreateTime>
-        </RuleGroup>
-        <!-- SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED [NetworkConnect] -->
-        <!-- COMMENT:	By default this configuration takes a very conservative approach to network logging, limited to only extremely high-signal events. -->
-        <!-- COMMENT:	[ https://attack.mitre.org/wiki/Command_and_Control ] [ https://attack.mitre.org/wiki/Exfiltration ] [ https://attack.mitre.org/wiki/Lateral_Movement ]  -->
-        <!-- TECHNICAL:	For the DestinationHostname, Sysmon uses the GetNameInfo API, which will often not have any information, and may just be a CDN. This is NOT reliable for filtering. -->
-        <!-- TECHNICAL:	For the DestinationPortName, Sysmon uses the GetNameInfo API for the friendly name of ports you see in logs. -->
-        <!-- TECHNICAL:	These exe do not initiate their connections, and thus includes do not work in this section: BITSADMIN NLTEST -->
-        <!--  https://www.first.org/resources/papers/conf2017/APT-Log-Analysis-Tracking-Attack-Tools-by-Audit-Policy-and-Sysmon.pdf  -->
-        <!-- DATA: UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpV6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName -->
-        <RuleGroup name="" groupRelation="or">
-            <NetworkConnect onmatch="include">
-                <Image name="technique_id=T1090.001,apt=Volt Typhoon" condition="contains">netsh</Image> <!-- added 2025-01-08 by cpl iverson -->
-                <Image name="technique_id=S0508,apt=Fancy Bear,Fox Kitten" condition="contains">ngrok.exe</Image> <!-- added 2025-01-08 by cpl iverson -->
-                <DestinationIp name="technique_id=S0508,apt=Fancy Bear,Fox Kitten" condition="contains">tunnel.ngrok.io</DestinationIp> <!-- added 2025-01-08 by cpl iverson -->
-                <DestinationIp name="technique_id=T1102,apt=Fox Kitten" condition="contains">amazonaws.com</DestinationIp> <!-- added 2025-01-08 by cpl iverson -->
-                <!-- Suspicious sources for network-connecting binaries -->
-                <Image name="Usermode" condition="begin with">C:\Users</Image>
-                <!-- Tools downloaded by users can use other processes for networking, but this is a very valuable indicator. -->
-                <Image name="Caution" condition="begin with">C:\Recycle</Image>
-                <!-- Nothing should operate from the RecycleBin locations. -->
-                <Image condition="begin with">C:\ProgramData</Image>
-                <!-- Normally, network communications should be sourced from "Program Files" not from ProgramData, something to look at -->
-                <Image condition="begin with">C:\Windows\Temp</Image>
-                <!-- Suspicious anything would communicate from the system-level temp directory -->
-                <Image name="Caution" condition="begin with">\</Image>
-                <!-- Devices and VSC shouldn't be executing changes | Credit: @SBousseaden @ionstorm @neu5ron @PerchedSystems [ https://twitter.com/SwiftOnSecurity/status/1133167323991486464 ]  -->
-                <Image name="Caution" condition="begin with">C:\perflogs</Image>
-                <!--  Credit @blu3_team [ https://blu3-team.blogspot.com/2019/05/netconn-from-suspicious-directories.html ]  -->
-                <Image name="Caution" condition="begin with">C:\intel</Image>
-                <!--  Credit @blu3_team [ https://blu3-team.blogspot.com/2019/05/netconn-from-suspicious-directories.html ]  -->
-                <Image name="Caution" condition="begin with">C:\Windows\fonts</Image>
-                <!--  Credit @blu3_team [ https://blu3-team.blogspot.com/2019/05/netconn-from-suspicious-directories.html ]  -->
-                <Image name="Caution" condition="begin with">C:\Windows\system32\config</Image>
-                <!--  Credit @blu3_team [ https://blu3-team.blogspot.com/2019/05/netconn-from-suspicious-directories.html ]  -->
-                <!-- Suspicious Windows tools -->
-                <Image condition="image">at.exe</Image>
-                <!-- Windows: Remote task scheduling, removed in Win10 | Credit @ion-storm  -->
-                <Image condition="image">certutil.exe</Image>
-                <!-- Windows: Certificate tool can contact outbound | Credit @ion-storm @FVT [ https://twitter.com/FVT/status/834433734602530817 ]  -->
-                <Image condition="image">cmd.exe</Image>
-                <!-- Windows: Remote command prompt -->
-                <Image condition="image">cmstp.exe</Image>
-                <!-- Windows: Connection manager profiles can launch executables from WebDAV [ https://twitter.com/NickTyrer/status/958450014111633408 ] | Credit @NickTyrer @Oddvarmoe @KyleHanslovan @subTee  -->
-                <Image condition="image">cscript.exe</Image>
-                <!-- WindowsScriptingHost: | Credit @Cyb3rOps [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ]  -->
-                <Image condition="image">driverquery.exe</Image>
-                <!-- Windows: Remote recognisance of system configuration, oudated/vulnerable drivers  -->
-                <Image condition="image">dsquery.exe</Image>
-                <!-- Microsoft: Query Active Directory  -->
-                <Image condition="image">hh.exe</Image>
-                <!-- Windows: HTML Help Executable, opens CHM files  -->
-                <Image condition="image">infDefaultInstall.exe</Image>
-                <!-- Microsoft: [ https://github.com/huntresslabs/evading-autoruns ] | Credit @KyleHanslovan  -->
-                <Image condition="image">java.exe</Image>
-                <!-- Java: Monitor usage of vulnerable application and init from JAR files | Credit @ion-storm  -->
-                <Image condition="image">javaw.exe</Image>
-                <!-- Java: Monitor usage of vulnerable application and init from JAR files  -->
-                <Image condition="image">javaws.exe</Image>
-                <!-- Java: Monitor usage of vulnerable application and init from JAR files  -->
-                <Image condition="image">mmc.exe</Image>
-                <!-- Windows:  -->
-                <Image condition="image">msbuild.exe</Image>
-                <!-- Windows: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ]  -->
-                <Image condition="image">mshta.exe</Image>
-                <!-- Windows: HTML application executes scripts without IE protections | Credit @ion-storm [ https://en.wikipedia.org/wiki/HTML_Application ]  -->
-                <Image condition="image">msiexec.exe</Image>
-                <!-- Windows: Can install from http:// paths | Credit @vector-sec  -->
-                <Image condition="image">nbtstat.exe</Image>
-                <!-- Windows: NetBIOS statistics, attackers use to enumerate local network  -->
-                <Image condition="image">net.exe</Image>
-                <!-- Windows: Note - May not detect anything, net.exe is a front-end to lower APIs | Credit @ion-storm  -->
-                <Image condition="image">net1.exe</Image>
-                <!-- Windows: Launched by "net.exe", but it may not detect connections either  -->
-                <Image condition="image">notepad.exe</Image>
-                <!-- Windows: [ https://secrary.com/ReversingMalware/CoinMiner/ ] [ https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ ]  -->
-                <Image condition="image">nslookup.exe</Image>
-                <!-- Windows: Retrieve data over DNS  -->
-                <Image condition="image">powershell.exe</Image>
-                <!-- Windows: PowerShell interface -->
-                <Image condition="image">qprocess.exe</Image>
-                <!-- Windows: [ https://www.first.org/resources/papers/conf2017/APT-Log-Analysis-Tracking-Attack-Tools-by-Audit-Policy-and-Sysmon.pdf ]  -->
-                <Image condition="image">qwinsta.exe</Image>
-                <!-- Windows: Query remote sessions | Credit @ion-storm  -->
-                <Image condition="image">qwinsta.exe</Image>
-                <!-- Windows: Remotely query login sessions on a server or workstation | Credit @ion-storm  -->
-                <Image condition="image">reg.exe</Image>
-                <!-- Windows: Remote Registry editing ability | Credit @ion-storm  -->
-                <Image condition="image">regsvcs.exe</Image>
-                <!-- Windows: [ https://www.hybrid-analysis.com/sample/3f94d7080e6c5b8f59eeecc3d44f7e817b31562caeba21d02ad705a0bfc63d67?environmentId=100 ]  -->
-                <Image condition="image">regsvr32.exe</Image>
-                <!-- Windows: [ https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html ]  -->
-                <Image condition="image">rundll32.exe</Image>
-                <!-- Windows: [ https://blog.cobaltstrike.com/2016/07/22/why-is-rundll32-exe-connecting-to-the-internet/ ]  -->
-                <Image condition="image">rwinsta.exe</Image>
-                <!-- Windows: Disconnect remote sessions | Credit @ion-storm  -->
-                <Image condition="image">sc.exe</Image>
-                <!-- Windows: Remotely change Windows service settings | Credit @ion-storm  -->
-                <Image condition="image">schtasks.exe</Image>
-                <!-- Windows: Command-line interface to local and remote tasks  -->
-                <Image condition="image">taskkill.exe</Image>
-                <!-- Windows: Kill processes, has remote ability  -->
-                <Image condition="image">tasklist.exe</Image>
-                <!-- Windows: List processes, has remote ability  -->
-                <Image condition="image">wmic.exe</Image>
-                <!-- WindowsManagementInstrumentation: Credit @Cyb3rOps [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ]  -->
-                <Image condition="image">wscript.exe</Image>
-                <!-- WindowsScriptingHost: | Credit @arekfurt  -->
-                <!-- Relevant 3rd Party Tools -->
-                <Image condition="image">nc.exe</Image>
-                <!--  Nmap's modern version of netcat [ https://nmap.org/ncat/guide/index.html#ncat-overview ] [ https://securityblog.gr/1517/create-backdoor-in-windows-with-ncat/ ]  -->
-                <Image condition="image">ncat.exe</Image>
-                <!--  Nmap's modern version of netcat [ https://nmap.org/ncat/guide/index.html#ncat-overview ] [ https://securityblog.gr/1517/create-backdoor-in-windows-with-ncat/ ]  -->
-                <Image condition="image">psexec.exe</Image>
-                <!-- Sysinternals:PsExec client side | Credit @Cyb3rOps  -->
-                <Image condition="image">psexesvc.exe</Image>
-                <!-- Sysinternals:PsExec server side | Credit @Cyb3rOps  -->
-                <Image condition="image">tor.exe</Image>
-                <!-- Tor [ https://www.hybrid-analysis.com/sample/800bf028a23440134fc834efc5c1e02cc70f05b2e800bbc285d7c92a4b126b1c?environmentId=100 ]  -->
-                <Image condition="image">vnc.exe</Image>
-                <!--  VNC client | Credit @Cyb3rOps  -->
-                <Image condition="image">vncservice.exe</Image>
-                <!--  VNC server | Credit @Cyb3rOps  -->
-                <Image condition="image">vncviewer.exe</Image>
-                <!--  VNC client | Credit @Cyb3rOps  -->
-                <Image condition="image">winexesvc.exe</Image>
-                <!--  Winexe service executable | Credit @Cyb3rOps  -->
-                <Image condition="image">nmap.exe</Image>
-                <Image condition="image">psinfo.exe</Image>
-                <!-- Ports: Suspicious -->
-                <DestinationPort name="SSH" condition="is">22</DestinationPort>
-                <!-- SSH protocol, monitor admin connections -->
-                <DestinationPort name="Telnet" condition="is">23</DestinationPort>
-                <!-- Telnet protocol, monitor admin connections, insecure -->
-                <DestinationPort name="SMTP" condition="is">25</DestinationPort>
-                <!-- SMTP mail protocol port, insecure, used by threats -->
-                <DestinationPort name="IMAP" condition="is">143</DestinationPort>
-                <!-- IMAP mail protocol port, insecure, used by threats -->
-                <DestinationPort name="RDP" condition="is">3389</DestinationPort>
-                <!-- Windows:RDP: Monitor admin connections -->
-                <DestinationPort name="VNC" condition="is">5800</DestinationPort>
-                <!-- VNC protocol: Monitor admin connections, often insecure, using hard-coded admin password -->
-                <DestinationPort name="VNC" condition="is">5900</DestinationPort>
-                <!-- VNC protocol Monitor admin connections, often insecure, using hard-coded admin password -->
-                <DestinationPort name="Alert,Metasploit" condition="is">4444</DestinationPort>
-                <!-- Ports: Proxy -->
-                <DestinationPort name="Proxy" condition="is">1080</DestinationPort>
-                <!-- Socks proxy port | Credit @ion-storm -->
-                <DestinationPort name="Proxy" condition="is">3128</DestinationPort>
-                <!-- Socks proxy port | Credit @ion-storm -->
-                <DestinationPort name="Proxy" condition="is">8080</DestinationPort>
-                <!-- Socks proxy port | Credit @ion-storm -->
-                <!-- Ports: Tor -->
-                <DestinationPort name="Tor" condition="is">1723</DestinationPort>
-                <!-- Tor protocol [ https://attack.mitre.org/wiki/Technique/T1090 ] | Credit @ion-storm -->
-                <DestinationPort name="Tor" condition="is">9001</DestinationPort>
-                <!-- Tor protocol [ http://www.computerworlduk.com/tutorial/security/tor-enterprise-2016-blocking-malware-darknet-use-rogue-nodes-3633907/ ]  -->
-                <DestinationPort name="Tor" condition="is">9030</DestinationPort>
-                <!-- Tor protocol [ http://www.computerworlduk.com/tutorial/security/tor-enterprise-2016-blocking-malware-darknet-use-rogue-nodes-3633907/ ]  -->
-            </NetworkConnect>
-        </RuleGroup>
-        <RuleGroup name="" groupRelation="or">
-            <NetworkConnect onmatch="exclude">
-                <!-- SECTION: Microsoft -->
-                <Image condition="begin with">C:\ProgramData\Microsoft\Windows Defender\Platform\</Image>
-                <Image condition="end with">AppData\Local\Microsoft\Teams\current\Teams.exe</Image>
-                <!-- Microsoft: Teams -->
-                <DestinationHostname condition="end with">.microsoft.com</DestinationHostname>
-                <!-- Microsoft:Update delivery -->
-                <DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname>
-                <!-- Microsoft:Update delivery -->
-                <DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname>
-                <!-- Microsoft:Update delivery -->
-                <!-- Section: Loopback Addresses -->
-                <DestinationIp condition="is">127.0.0.1</DestinationIp>
-                <!-- Credit @ITProPaul -->
-                <DestinationIp condition="begin with">fe80:0:0:0</DestinationIp>
-                <!-- Credit @ITProPaul -->
-            </NetworkConnect>
-        </RuleGroup>
-        <!-- SYSMON EVENT ID 4 : RESERVED FOR SYSMON SERVICE STATUS MESSAGES -->
-        <!-- DATA: UtcTime, State, Version, SchemaVersion -->
-        <!-- Cannot be filtered. -->
-        <!-- SYSMON EVENT ID 5 : PROCESS ENDED [ProcessTerminate] -->
-        <!-- COMMENT:	Useful data in building infection timelines. -->
-        <!-- DATA: UtcTime, ProcessGuid, ProcessId, Image -->
-        <RuleGroup name="" groupRelation="or">
-            <ProcessTerminate onmatch="include">
-                <Image condition="begin with">C:\Users</Image>
-                <!-- Process terminations by user binaries -->
-                <Image condition="begin with">\</Image>
-                <!-- Devices and VSC shouldn't be executing changes | Credit: @SBousseaden @ionstorm @neu5ron @PerchedSystems [ https://twitter.com/SwiftOnSecurity/status/1133167323991486464 ]  -->
-            </ProcessTerminate>
-        </RuleGroup>
-        <RuleGroup name="" groupRelation="or">
-            <ProcessTerminate onmatch="exclude"></ProcessTerminate>
-        </RuleGroup>
-        <!-- SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad] -->
-        <!-- COMMENT:	Because drivers with bugs can be used to escalate to kernel permissions, be extremely selective
-			about what you exclude from monitoring. Low event volume, little incentive to exclude.
-			[ https://attack.mitre.org/wiki/Technique/T1014 ]  -->
-        <!-- TECHNICAL:	Sysmon will check the signing certificate revocation status of any driver you don't exclude. -->
-        <!-- DATA: UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus -->
-        <RuleGroup name="" groupRelation="or">
-            <DriverLoad onmatch="exclude">
-                <Signature condition="contains">microsoft</Signature>
-                <!-- Exclude signed Microsoft drivers -->
-                <Signature condition="contains">windows</Signature>
-                <!-- Exclude signed Microsoft drivers -->
-                <Signature condition="begin with">Intel </Signature>
-                <!-- Exclude signed Intel drivers -->
-            </DriverLoad>
-        </RuleGroup>
-        <!-- SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS [ImageLoad] -->
-        <!-- COMMENT:	Can cause high system load, disabled by default. -->
-        <!-- COMMENT:	[ https://attack.mitre.org/wiki/Technique/T1073 ] [ https://attack.mitre.org/wiki/Technique/T1038 ] [ https://attack.mitre.org/wiki/Technique/T1034 ]  -->
-        <!-- DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus -->
-        <RuleGroup name="" groupRelation="or">
-            <ImageLoad onmatch="include">
-                <Image name="technique_id=T1547,apt=Volt Typhoon" condition="contains">ScanLine</Image> <!-- added 2025-01-08 by cpl iverson -->
-                <Image name="technique_id=S1154,apt=Volt Typhoon" condition="contains">VersaMem</Image> <!-- added 2025-01-08 by cpl iverson -->
-                <Image name="technique_id=S0357,apt=Volt Typhoon,Fancy Bear" condition="contains">Impacket.exe</Image> <!-- added 2025-01-08 by cpl iverson -->
-                <Image name="technique_id=S0029,apt=Volt Typhoon,Fancy Bear,Fox Kitten" condition="contains">PsExec.exe</Image> <!-- added 2025-01-08 by cpl iverson -->
-                <Image name="technique_id=S0508,apt=Fancy Bear,Fox Kitten" condition="contains">ngrok.exe</Image> <!-- added 2025-01-08 by cpl iverson -->
-            </ImageLoad>
-        </RuleGroup>
-        <!-- SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread] -->
-        <!-- COMMENT:	Monitor for processes injecting code into other processes. Often used by malware to cloak their actions. Also when Firefox loads Flash.
-		[ https://attack.mitre.org/wiki/Technique/T1055 ]  -->
-        <!-- DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction -->
-        <RuleGroup name="" groupRelation="or">
-            <CreateRemoteThread onmatch="exclude">
-                <!-- COMMENT: Exclude mostly-safe sources and log anything else. -->
-                <SourceImage condition="is">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>
-                <SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
-                <SourceImage condition="is">C:\Windows\system32\wininit.exe</SourceImage>
-                <SourceImage condition="is">C:\Windows\system32\csrss.exe</SourceImage>
-                <SourceImage condition="is">C:\Windows\system32\services.exe</SourceImage>
-                <SourceImage condition="is">C:\Windows\system32\winlogon.exe</SourceImage>
-                <SourceImage condition="is">C:\Windows\system32\audiodg.exe</SourceImage>
-                <StartModule condition="is">C:\Windows\system32\kernel32.dll</StartModule>
-                <TargetImage condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</TargetImage>
-            </CreateRemoteThread>
-        </RuleGroup>
-        <!-- SYSMON EVENT ID 9 : RAW DISK ACCESS [RawAccessRead] -->
-        <!-- EVENT 9: "RawAccessRead detected" -->
-        <!-- COMMENT:	Can cause high system load, disabled by default. -->
-        <!-- COMMENT:	Monitor for raw sector-level access to the disk, often used to bypass access control lists or access locked files.
-			Disabled by default since including even one entry here activates this component. Reward/performance/rule maintenance decision.
-			Encourage you to experiment with this feature yourself. [ https://attack.mitre.org/wiki/Technique/T1067 ]  -->
-        <!-- COMMENT:	You will likely want to set this to a full capture on domain controllers, where no process should be doing raw reads. -->
-        <!-- DATA: UtcTime, ProcessGuid, ProcessId, Image, Device -->
-        <RuleGroup name="" groupRelation="or">
-            <RawAccessRead onmatch="include">
-                <!-- NOTE: Using "include" with no rules means nothing in this section will be logged -->
-            </RawAccessRead>
-        </RuleGroup>
-        <!-- SYSMON EVENT ID 10 : INTER-PROCESS ACCESS [ProcessAccess] -->
-        <!-- EVENT 10: "Process accessed" -->
-        <!-- COMMENT:	Can cause high system load, disabled by default. -->
-        <!-- COMMENT:	Monitor for processes accessing other process' memory. -->
-        <!-- DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace -->
-        <RuleGroup name="" groupRelation="or">
-            <ProcessAccess onmatch="include">
-                <SourceImage name="technique_id=T1055,apt=Volt Typhoon" condition="contains">\BrightmetricAgent.exe</SourceImage> <!-- added 2025-01-08 by cpl iverson -->
-                <TargetImage name="technique_id=T1003.001,apt=Volt Typhoon,Fancy Bear,Fox Kitten" condition="contains">\lsass.exe</TargetImage> <!-- added 2025-01-08 by cpl iverson -->
-                <SourceImage name="technique_id=S0029,apt=Fancy Bear,Fox Kitten" condition="contains">PsExec.exe</SourceImage> <!-- added 2025-01-08 by cpl iverson -->
-                <!--  Detect Access to LSASS -->
-                <Rule groupRelation="and">
-                    <TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
-                    <GrantedAccess>0x1FFFFF</GrantedAccess>
-                </Rule>
-                <Rule groupRelation="and">
-                    <TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
-                    <GrantedAccess>0x1F1FFF</GrantedAccess>
-                </Rule>
-                <Rule groupRelation="and">
-                    <TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
-                    <GrantedAccess>0x1010</GrantedAccess>
-                </Rule>
-                <Rule groupRelation="and">
-                    <TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
-                    <GrantedAccess>0x143A</GrantedAccess>
-                </Rule>
-                <!-- Dumping credentials from services or setting up a keylogger -->
-                <Rule groupRelation="and">
-                    <TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\csrss.exe</TargetImage>
-                    <!-- Mitre T1098 -->
-                    <!-- Mitre T1075 -->
-                    <!-- Mitre T1003 -->
-                    <!--  depending on what you're running on your host, this might be noisy -->
-                    <GrantedAccess>0x1F1FFF</GrantedAccess>
-                </Rule>
-                <Rule groupRelation="and">
-                    <TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\wininit.exe</TargetImage>
-                    <!-- Mitre T1098 -->
-                    <!-- Mitre T1075 -->
-                    <!-- Mitre T1003 -->
-                    <!--  depending on what you're running on your host, this might be noisy -->
-                    <GrantedAccess>0x1F1FFF</GrantedAccess>
-                </Rule>
-                <Rule groupRelation="and">
-                    <TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\winlogon.exe</TargetImage>
-                    <!-- Mitre T1098 -->
-                    <!-- Mitre T1075 -->
-                    <!-- Mitre T1003 -->
-                    <!--  depending on what you're running on your host, this might be noisy -->
-                    <GrantedAccess>0x1F1FFF</GrantedAccess>
-                </Rule>
-                <Rule groupRelation="and">
-                    <TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\services.exe</TargetImage>
-                    <!-- Mitre T1098 -->
-                    <!-- Mitre T1075 -->
-                    <!-- Mitre T1003 -->
-                    <!--  depending on what you're running on your host, this might be noisy -->
-                    <GrantedAccess>0x1F1FFF</GrantedAccess>
-                </Rule>
-                <Rule groupRelation="or">
-                    <GrantedAccess name="technique_id=T1003,technique_name=Credential Dumping">0x0810</GrantedAccess>
-                </Rule>
-                <!--  Detect process hollowing -->
-                <Rule groupRelation="or">
-                    <GrantedAccess name="technique_id=T1093,technique_name=Process Hollowing">0x0800</GrantedAccess>
-                    <GrantedAccess name="technique_id=T1093,technique_name=Process Hollowing">0x800</GrantedAccess>
-                </Rule>
-                <!--  Detect process process injection -->
-                <Rule groupRelation="or">
-                    <GrantedAccess name="technique_id=T1055,technique_name=Process Injection">0x0820</GrantedAccess>
-                    <GrantedAccess name="technique_id=T1055,technique_name=Process Injection">0x820</GrantedAccess>
-                </Rule>
-            </ProcessAccess>
-            <!-- NOTE: Using "include" with no rules means nothing in this section will be logged -->
-        </RuleGroup>
-        <!-- SYSMON EVENT ID 11 : FILE CREATED [FileCreate] -->
-        <!-- EVENT 11: "File created" -->
-        <!-- NOTE:	Other filesystem "minifilters" can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich. -->
-        <!-- NOTE:	You may not see files detected by antivirus. Other filesystem minifilters, like antivirus, can act before Sysmon receives the alert a file was written. -->
-        <!-- DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime -->
-        <RuleGroup name="" groupRelation="or">
-            <FileCreate onmatch="include">
-                <TargetFilename name="technique_id=T1003.003,apt=Volt Typhoon,Fox Kitten" condition="contains">C:\Windows\Temp\ntds.dit</TargetFilename> <!-- added 2025-01-08 by cpl iverson -->
-                <TargetFilename name="technique_id=T1070.004,apt=Volt Typhoon,Fancy Bear" condition="contains">systeminfo.dat</TargetFilename> <!-- added 2025-01-08 by cpl iverson -->
-                <TargetFilename name="technique_id=T1005,apt=Volt Typhoon" condition="contains">*.log</TargetFilename> <!-- added 2025-01-08 by cpl iverson -->
-                <TargetFilename name="technique_id=S0002,apt=Volt Typhoon" condition="contains">Mimikatz.exe</TargetFilename> <!-- added 2025-01-08 by cpl iverson -->
-                <TargetFilename name="technique_id=T1560.001,apt=Fox Kitten,Fancy Bear" condition="contains">*.7z</TargetFilename> <!-- added 2025-01-08 by cpl iverson -->
-                <TargetFilename name="technique_id=T1555.005,apt=Fox Kitten" condition="contains">KeePass.db</TargetFilename> <!-- added 2025-01-08 by cpl iverson -->
-                <TargetFilename name="technique_id=T1505.003,apt=Fox Kitten" condition="contains">webshell.aspx</TargetFilename> <!-- added 2025-01-08 by cpl iverson -->
-                <TargetFilename name="technique_id=S0598,apt=Fancy Bear" condition="contains">webshell.aspx</TargetFilename> <!-- added 2025-01-08 by cpl iverson -->
-                <TargetFilename name="technique_id=S1040,apt=Fancy Bear" condition="contains">rclone.conf</TargetFilename> <!-- added 2025-01-08 by cpl iverson -->
-                <TargetFilename name="T1023" condition="contains">\Start Menu</TargetFilename>
-                <!-- Windows: Startup links and shortcut modification [ https://attack.mitre.org/wiki/Technique/T1023 ]  -->
-                <TargetFilename name="T1165 - \startup" condition="contains">\Startup\</TargetFilename>
-                <!-- Microsoft:Changes to user's auto-launched files and shortcuts -->
-                <TargetFilename name="OutlookAttachment" condition="contains">\Content.Outlook\</TargetFilename>
-                <!-- Microsoft:Outlook: attachments -->
-                <TargetFilename name="Downloads" condition="contains">\Downloads\</TargetFilename>
-                <!-- Downloaded files. Does not include "Run" files in IE -->
-                <TargetFilename condition="end with">.application</TargetFilename>
-                <!-- Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ]  -->
-                <TargetFilename condition="end with">.appref-ms</TargetFilename>
-                <!-- Microsoft:ClickOnce application | Credit @ion-storm  -->
-                <TargetFilename condition="end with">.bat</TargetFilename>
-                <!-- Batch scripting -->
-                <TargetFilename condition="end with">.chm</TargetFilename>
-                <TargetFilename condition="end with">.cmd</TargetFilename>
-                <!-- Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec  -->
-                <TargetFilename condition="end with">.cmdline</TargetFilename>
-                <!-- Microsoft:dotNet: Executed by cvtres.exe -->
-                <TargetFilename name="T1176" condition="end with">.crx</TargetFilename>
-                <!-- Chrome extension -->
-                <TargetFilename condition="end with">.dmp</TargetFilename>
-                <!-- Process dumps [ (fr) http://blog.gentilkiwi.com/securite/mimikatz/minidump ]  -->
-                <TargetFilename condition="end with">.docm</TargetFilename>
-                <!-- Microsoft:Office:Word: Macro -->
-                <TargetFilename name="DLL" condition="end with">.dll</TargetFilename>
-                <!-- Microsoft:Office:Word: Macro -->
-                <TargetFilename name="EXE" condition="end with">.exe</TargetFilename>
-                <!-- Executable -->
-                <TargetFilename name="ProcessHostingdotNETCode" condition="end with">.exe.log</TargetFilename>
-                <!--  [ https://github.com/bitsadmin/nopowershell ] | Credit: @SBousseaden [ https://twitter.com/SBousseaden/status/1137493597769687040 ]   -->
-                <TargetFilename condition="end with">.jar</TargetFilename>
-                <!-- Java applets -->
-                <TargetFilename condition="end with">.jnlp</TargetFilename>
-                <!-- Java applets -->
-                <TargetFilename condition="end with">.jse</TargetFilename>
-                <!-- Scripting [ Example: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Phires-C/detailed-analysis.aspx ]  -->
-                <TargetFilename condition="end with">.hta</TargetFilename>
-                <!-- Scripting -->
-                <TargetFilename condition="end with">.job</TargetFilename>
-                <!-- Scheduled task -->
-                <TargetFilename condition="end with">.pptm</TargetFilename>
-                <!-- Microsoft:Office:Word: Macro -->
-                <TargetFilename condition="end with">.ps1</TargetFilename>
-                <!-- PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ]  -->
-                <TargetFilename condition="end with">.sys</TargetFilename>
-                <!-- System driver files -->
-                <TargetFilename condition="end with">.scr</TargetFilename>
-                <!-- System driver files -->
-                <TargetFilename condition="end with">.vbe</TargetFilename>
-                <!-- VisualBasicScripting -->
-                <TargetFilename condition="end with">.vbs</TargetFilename>
-                <!-- VisualBasicScripting -->
-                <TargetFilename condition="end with">.xlsm</TargetFilename>
-                <!-- Microsoft:Office:Word: Macro -->
-                <TargetFilename condition="end with">proj</TargetFilename>
-                <!-- Microsoft:MSBuild:Script: More information: https://twitter.com/subTee/status/885919612969394177 -->
-                <TargetFilename condition="end with">.sln</TargetFilename>
-                <!-- Microsoft:MSBuild:Script: More information: https://twitter.com/subTee/status/885919612969394177 -->
-                <TargetFilename name="DefaultUserModified" condition="begin with">C:\Users\Default</TargetFilename>
-                <!-- Windows: Changes to default user profile -->
-                <TargetFilename condition="begin with">C:\Windows\system32\Drivers</TargetFilename>
-                <!-- Microsoft: Drivers dropped here -->
-                <TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename>
-                <!-- Microsoft: Drivers dropped here -->
-                <TargetFilename name="T1037,T1484" condition="begin with">C:\Windows\system32\GroupPolicy\Machine\Scripts</TargetFilename>
-                <!-- Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ]  -->
-                <TargetFilename name="T1037,T1484" condition="begin with">C:\Windows\system32\GroupPolicy\User\Scripts</TargetFilename>
-                <!-- Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ]  -->
-                <TargetFilename condition="begin with">C:\Windows\system32\Wbem</TargetFilename>
-                <!-- Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ]  -->
-                <TargetFilename condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename>
-                <!-- Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ]  -->
-                <TargetFilename condition="begin with">C:\Windows\system32\WindowsPowerShell</TargetFilename>
-                <!-- Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ]  -->
-                <TargetFilename condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename>
-                <!-- Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ]  -->
-                <TargetFilename name="T1053 - C:\Windows\Tasks\" condition="begin with">C:\Windows\Tasks\</TargetFilename>
-                <!-- Microsoft:ScheduledTasks [ https://attack.mitre.org/wiki/Technique/T1053 ]  -->
-                <TargetFilename name="T1053 - C:\Windows\system32\Tasks" condition="begin with">C:\Windows\system32\Tasks</TargetFilename>
-                <!-- Microsoft:ScheduledTasks [ https://attack.mitre.org/wiki/Technique/T1053 ]  -->
-                <TargetFilename name="T1053 - C:\Windows\SysWOW64\Tasks" condition="begin with">C:\Windows\SysWOW64\Tasks</TargetFilename>
-                <!-- Microsoft:ScheduledTasks [ https://attack.mitre.org/wiki/Technique/T1053 ]  -->
-                <Image condition="begin with">\Device\HarddiskVolumeShadowCopy</Image>
-                <!-- Nothing should be executing from VSC | Credit: @SBousseaden [ https://twitter.com/SBousseaden/status/1133030955407630336 ]  -->
-                <!-- Windows application compatibility -->
-                <TargetFilename condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename>
-                <!-- Windows: Application compatibility shims [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ]  -->
-                <TargetFilename condition="contains">VirtualStore</TargetFilename>
-                <!-- Windows: UAC virtualization [ https://blogs.msdn.microsoft.com/oldnewthing/20150902-00/?p=91681 ]  -->
-                <!-- Exploitable file names -->
-                <TargetFilename condition="end with">.xls</TargetFilename>
-                <!-- Legacy Office files are often used for attacks -->
-                <TargetFilename condition="end with">.ppt</TargetFilename>
-                <!-- Legacy Office files are often used for attacks -->
-                <TargetFilename condition="end with">.rtf</TargetFilename>
-                <!-- RTF files often 0day malware vectors when opened by Office -->
-            </FileCreate>
-        </RuleGroup>
-        <RuleGroup name="" groupRelation="or">
-            <FileCreate onmatch="exclude">
-                <!-- SECTION: Microsoft -->
-                <Image condition="is">C:\Program Files (x86)\EMET 5.5\EMET_Service.exe</Image>
-                <!-- Microsoft:EMET: Writes to C:\Windows\AppPatch\ -->
-                <!-- SECTION: Microsoft:Office:Click2Run -->
-                <Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image>
-                <!--  Microsoft:Office Click2Run -->
-                <!-- SECTION: Windows -->
-                <Image condition="is">C:\Windows\system32\smss.exe</Image>
-                <!--  Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys -->
-                <Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image>
-                <!--  Windows: Windows 10 app, creates tons of cache files -->
-                <Image condition="is">\\?\C:\Windows\system32\wbem\WMIADAP.EXE</Image>
-                <!--  Windows: WMI Performance updates -->
-                <Image condition="is">C:\Windows\system32\mobsync.exe</Image>
-                <!-- Windows: Network file syncing -->
-                <TargetFilename condition="begin with">C:\Windows\system32\DriverStore\Temp\</TargetFilename>
-                <!--  Windows: Temp files by DrvInst.exe -->
-                <TargetFilename condition="begin with">C:\Windows\system32\wbem\Performance\</TargetFilename>
-                <!--  Windows: Created in wbem by WMIADAP.exe -->
-                <TargetFilename condition="begin with">C:\Windows\Installer\</TargetFilename>
-                <!-- Windows:Installer: Ignore MSI installer files caching -->
-                <!-- SECTION: Windows:Updates -->
-                <TargetFilename condition="begin with">C:\$WINDOWS.~BT\Sources\</TargetFilename>
-                <!--  Windows: Feature updates containing lots of .exe and .sys -->
-                <Image condition="begin with">C:\Windows\winsxs\amd64_microsoft-windows</Image>
-                <!--  Windows: Windows update -->
-            </FileCreate>
-        </RuleGroup>
-        <!-- SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent] -->
-        <!-- EVENT 12: "Registry object added or deleted" -->
-        <!-- EVENT 13: "Registry value set" -->
-        <!-- EVENT 14: "Registry objected renamed" -->
-        <!-- NOTE:	Windows writes hundreds or thousands of registry keys a minute, so just because you're not changing things, doesn't mean these rules aren't being run. -->
-        <!-- NOTE:	You do not have to spend a lot of time worrying about performance, CPUs are fast, but it's something to consider. Every rule and condition type has a small cost. -->
-        <!-- NOTE:	"contains" works by finding the first letter, then matching the second, etc, so the first letters should be as low-occurrence as possible. -->
-        <!-- NOTE:	[ https://attack.mitre.org/wiki/Technique/T1112 ]  -->
-        <!-- TECHNICAL:	You cannot filter on the "Details" attribute, due to performance issues when very large keys are written, and variety of data formats -->
-        <!-- TECHNICAL:	Possible prefixes are HKLM, HKCR, and HKU -->
-        <!-- CRITICAL:	Schema version 3.30 and higher change HKLM\="\REGISTRY\MACHINE\" and HKU\="\REGISTRY\USER\" and HKCR\="\REGISTRY\MACHINE\SOFTWARE\Classes\" and CurrentControlSet="ControlSet001" -->
-        <!-- CRITICAL:	Due to a bug, Sysmon versions BEFORE 7.01 may not properly log with the new prefix style for registry keys that was originally introduced in schema version 3.30 -->
-        <!-- NOTE:	Because Sysmon runs as a service, it has no filtering ability for, or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation -->
-        <!--  ! CRITICAL NOTE !:	It may appear this section is MISSING important entries, but SOME RULES MONITOR MANY KEYS, so look VERY CAREFULLY to see if something is already covered.
-								Sysmon's wildcard monitoring along with highly-tuned generic strings cuts the rulesets down immensely, compared to doing this in other tools.
-								For example, most COM hijacking in CLSID's across the registry is covered by a single rule monitoring a InProcServer32 wildcard -->
-        <!-- DATA: EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, Details (can't filter on), NewName (can't filter on) -->
-        <RuleGroup name="" groupRelation="or">
-            <RegistryEvent onmatch="include">
-                <!-- Autorun or Startups -->
-                <!-- ADDITIONAL REFERENCE: [ http://www.ghacks.net/2016/06/04/windows-automatic-startup-locations/ ]  -->
-                <!-- ADDITIONAL REFERENCE: [ https://view.officeapps.live.com/op/view.aspx?src=https://arsenalrecon.com/downloads/resources/Registry_Keys_Related_to_Autorun.ods ]  -->
-                <!-- ADDITIONAL REFERENCE: [ http://www.silentrunners.org/launchpoints.html ]  -->
-                <!-- ADDITIONAL REFERENCE: [ https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2 ]  -->
-                <!-- ADDITIONAL REFERENCE: [ https://web.archive.org/web/20200116001643/http://scholarworks.rit.edu/cgi/viewcontent.cgi?article=1533&context=theses | Understanding malware autostart techniques - Matthew Gottlieb ]  -->
-                <TargetObject name="technique_id=T1012,apt=Fox Kitten" condition="contains">\ntuser.dat</TargetObject> <!-- added 2025-01-08 by cpl iverson -->
-                <TargetObject name="technique_id=T1012,apt=Fox Kitten" condition="contains">\UserClass.dat</TargetObject> <!-- added 2025-01-08 by cpl iverson -->
-                <TargetObject name="technique_id=T1112,apt=Volt Typhoon,Fancy Bear" condition="contains">\PortProxy</TargetObject> <!-- added 2025-01-08 by cpl iverson -->
-                <Details name="technique_id=S0075,apt=Volt Typhoon" condition="contains">Reg.exe</Details> <!-- added 2025-01-08 by cpl iverson -->
-                <TargetObject name="T1060,RunKey" condition="contains">CurrentVersion\Run</TargetObject>
-                <!-- Windows: Wildcard for Run keys, including RunOnce, RunOnceEx, RunServices, RunServicesOnce [Also covers terminal server]  -->
-                <TargetObject name="T1060,RunPolicy" condition="contains">Policies\Explorer\Run</TargetObject>
-                <!-- Windows: Alternate runs keys | Credit @ion-storm -->
-                <TargetObject name="T1484" condition="contains">Group Policy\Scripts</TargetObject>
-                <!-- Windows: Group policy scripts -->
-                <TargetObject name="T1484" condition="contains">Windows\System\Scripts</TargetObject>
-                <!-- Windows: Wildcard for Logon, Loggoff, Shutdown -->
-                <TargetObject name="T1060" condition="contains">CurrentVersion\Windows\Load</TargetObject>
-                <!-- Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ]  -->
-                <TargetObject name="T1060" condition="contains">CurrentVersion\Windows\Run</TargetObject>
-                <!-- Windows: [ https://msdn.microsoft.com/en-us/library/jj874148.aspx ]  -->
-                <TargetObject name="T1060" condition="contains">CurrentVersion\Winlogon\Shell</TargetObject>
-                <!-- Windows: [ https://msdn.microsoft.com/en-us/library/ms838576(v=winembedded.5).aspx ]  -->
-                <TargetObject name="T1060" condition="contains">CurrentVersion\Winlogon\System</TargetObject>
-                <!-- Windows [ https://www.exterminate-it.com/malpedia/regvals/zlob-dns-changer/118 ]  -->
-                <TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify</TargetObject>
-                <!-- Windows: Autorun location [ https://attack.mitre.org/wiki/Technique/T1004 ] [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ]  -->
-                <TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</TargetObject>
-                <!-- Windows: [ https://technet.microsoft.com/en-us/library/ee851671.aspx ]  -->
-                <TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit</TargetObject>
-                <!-- Windows: Autorun location [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ]  -->
-                <TargetObject condition="begin with">HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32</TargetObject>
-                <!-- Windows: Legacy driver loading | Credit @ion-storm  -->
-                <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</TargetObject>
-                <!-- Windows: Autorun | Credit @ion-storm | [ https://www.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order ]  -->
-                <TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug</TargetObject>
-                <!-- Windows: Automatic program crash debug program [ https://www.symantec.com/security_response/writeup.jsp?docid=2007-050712-5453-99&tabid=2 ]  -->
-                <TargetObject condition="contains">UserInitMprLogonScript</TargetObject>
-                <!-- Windows: Legacy logon script environment variable [ http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ ]  -->
-                <TargetObject name="T1112,ChangeStartupFolderPath" condition="end with">user shell folders\startup</TargetObject>
-                <!-- Monitor changes to Startup folder location for monitoring evasion | Credit @SBousseaden -->
-                <!-- Services -->
-                <TargetObject name="T1031,T1050 - servicedll" condition="end with">\ServiceDll</TargetObject>
-                <!-- Windows: Points to a service's DLL [ https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services ]  -->
-                <TargetObject name="T1031,T1050 - ServiceManifest" condition="end with">\ServiceManifest</TargetObject>
-                <!-- Windows: Manifest pointing to service's DLL [ https://www.geoffchappell.com/studies/windows/win32/services/svchost/index.htm ]  -->
-                <TargetObject name="T1031,T1050 - ImagePath" condition="end with">\ImagePath</TargetObject>
-                <!-- Windows: Points to a service's EXE [ https://attack.mitre.org/wiki/Technique/T1050 ]  -->
-                <TargetObject name="T1031,T1050 -  Start" condition="end with">\Start</TargetObject>
-                <!-- Windows: Services start mode changes (Disabled, Automatically, Manual) -->
-                <!-- RDP -->
-                <TargetObject name="RDP port change" condition="end with">Control\Terminal Server\WinStations\RDP-Tcp\PortNumber</TargetObject>
-                <!-- Windows: RDP port change under Control [ https://blog.menasec.net/2019/02/of-rdp-hijacking-part1-remote-desktop.html ] -->
-                <TargetObject name="RDP port change" condition="end with">Control\Terminal Server\fSingleSessionPerUser</TargetObject>
-                <!-- Windows: Allow same user to have mutliple RDP sessions, to hide from admin being impersonated -->
-                <TargetObject name="ModifyRemoteDesktopState" condition="end with">fDenyTSConnections</TargetObject>
-                <!-- Windows: Attacker turning on RDP -->
-                <TargetObject condition="end with">LastLoggedOnUser</TargetObject>
-                <!-- Windows: Changing last-logged in user -->
-                <TargetObject name="ModifyRemoteDesktopPort" condition="end with">RDP-tcp\PortNumber</TargetObject>
-                <!-- Windows: Changing RDP port to evade IDS -->
-                <TargetObject condition="end with">Services\PortProxy\v4tov4</TargetObject>
-                <!-- Windows: Changing RDP port to evade IDS -->
-                <!-- CLSID launch commands and Default File Association changes -->
-                <TargetObject name="T1042 - command" condition="contains">\command\</TargetObject>
-                <!-- Windows: Sensitive sub-key under file associations and CLSID that map to launch command -->
-                <TargetObject name="T1122" condition="contains">\ddeexec\</TargetObject>
-                <!-- Windows: Sensitive sub-key under file associations and CLSID that map to launch command -->
-                <TargetObject name="T1122" condition="contains">{86C86720-42A0-1069-A2E8-08002B30309D}</TargetObject>
-                <!-- Windows: Tooltip handler -->
-                <TargetObject name="T1042 - exefile" condition="contains">exefile</TargetObject>
-                <!-- Windows Executable handler, to log any changes not already monitored -->
-                <!-- Windows COM -->
-                <TargetObject name="T1122" condition="end with">\InprocServer32\(Default)</TargetObject>
-                <!-- Windows:COM Object Hijacking [ https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence ] | Credit @ion-storm  -->
-                <!-- Windows shell visual modifications used by malware -->
-                <TargetObject name="T1158" condition="end with">\Hidden</TargetObject>
-                <!-- Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event  -->
-                <TargetObject name="T1158" condition="end with">\ShowSuperHidden</TargetObject>
-                <!-- Windows:Explorer: Some types of malware try to hide their hidden system files from the user, good signal event [ Example: https://www.symantec.com/security_response/writeup.jsp?docid=2007-061811-4341-99&tabid=2 ]  -->
-                <TargetObject name="T1158" condition="end with">\HideFileExt</TargetObject>
-                <!-- Windows:Explorer: Some malware hides file extensions to make diagnosis/disinfection more daunting to novice users  -->
-                <!-- Windows shell hijack and modifications -->
-                <TargetObject condition="contains">Classes\*\</TargetObject>
-                <!-- Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ]  -->
-                <TargetObject condition="contains">Classes\AllFilesystemObjects\</TargetObject>
-                <!-- Windows:Explorer: [ http://www.silentrunners.org/launchpoints.html ]  -->
-                <TargetObject condition="contains">Classes\Directory\</TargetObject>
-                <!-- Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ]  -->
-                <TargetObject condition="contains">Classes\Drive\</TargetObject>
-                <!-- Windows:Explorer: [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ]  -->
-                <TargetObject condition="contains">Classes\Folder\</TargetObject>
-                <!-- Windows:Explorer: ContextMenuHandlers, DragDropHandlers, CopyHookHandlers, [ https://stackoverflow.com/questions/1323663/windows-shell-context-menu-option ]  -->
-                <TargetObject condition="contains">Classes\PROTOCOLS\</TargetObject>
-                <!-- Windows:Explorer: Protocol handlers -->
-                <TargetObject condition="contains">ContextMenuHandlers\</TargetObject>
-                <!-- Windows: [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ]  -->
-                <TargetObject condition="contains">CurrentVersion\Shell</TargetObject>
-                <!-- Windows: Shell Folders, ShellExecuteHooks, ShellIconOverloadIdentifers, ShellServiceObjects, ShellServiceObjectDelayLoad [ http://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/ ]  -->
-                <TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks</TargetObject>
-                <!-- Windows: ShellExecuteHooks -->
-                <TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad</TargetObject>
-                <!-- Windows: ShellExecuteHooks -->
-                <TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers</TargetObject>
-                <!-- Windows: ShellExecuteHooks -->
-                <!-- AppPaths hijacking -->
-                <TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\</TargetObject>
-                <!-- Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ]  -->
-                <!-- Terminal service boobytrap -->
-                <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram</TargetObject>
-                <!-- Windows:RDP: Note other Terminal Server run keys are handled by another wildcard already -->
-                <!-- Group Policy integrity -->
-                <TargetObject name="T1484" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\</TargetObject>
-                <!-- Windows: Group Policy internally uses a plug-in architecture that nothing should be modifying -->
-                <!-- Winsock and Winsock2 -->
-                <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\WinSock</TargetObject>
-                <!-- Windows: Wildcard, includes Winsock and Winsock2 -->
-                <TargetObject condition="end with">\ProxyServer</TargetObject>
-                <!-- Windows: System and user proxy server -->
-                <!-- Credential providers -->
-                <TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider</TargetObject>
-                <!-- Wildcard, includes Credential Providers and Credential Provider Filters -->
-                <TargetObject name="T1101" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
-                <!--  [ https://attack.mitre.org/wiki/Technique/T1131 ] [ https://attack.mitre.org/wiki/Technique/T1101 ]  -->
-                <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders</TargetObject>
-                <!-- Windows: Changes to WDigest-UseLogonCredential for password scraping [ https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/ ]  -->
-                <TargetObject condition="begin with">HKLM\Software\Microsoft\Netsh</TargetObject>
-                <!-- Windows: Netsh helper DLL [ https://attack.mitre.org/wiki/Technique/T1128 ]  -->
-                <!-- Networking -->
-                <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\</TargetObject>
-                <!-- Windows: Order of network providers that are checked to connect to destination [ https://www.malwarearchaeology.com/cheat-sheets ]  -->
-                <TargetObject condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles</TargetObject>
-                <!-- Windows: | Credit @ion-storm  -->
-                <TargetObject name="T1089" condition="end with">\EnableFirewall</TargetObject>
-                <!-- Windows: Monitor for firewall disablement, all firewall profiles [ https://attack.mitre.org/wiki/Technique/T1089 ]  -->
-                <TargetObject name="T1089" condition="end with">\DoNotAllowExceptions</TargetObject>
-                <!-- Windows: Monitor for firewall disablement, all firewall profiles [ https://attack.mitre.org/wiki/Technique/T1089 ]  -->
-                <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List</TargetObject>
-                <!-- Windows Firewall authorized applications for all networks| Credit @ion-storm  -->
-                <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List</TargetObject>
-                <!-- Windows Firewall authorized applications for domain networks  -->
-                <!-- DLLs that get injected into every process at launch -->
-                <TargetObject name="T1103" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
-                <!-- Windows: Feature disabled by default [ https://attack.mitre.org/wiki/Technique/T1103 ]  -->
-                <TargetObject name="T1103" condition="begin with">HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\</TargetObject>
-                <!-- Windows: Feature disabled by default [ https://attack.mitre.org/wiki/Technique/T1103 ]  -->
-                <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\</TargetObject>
-                <!-- Windows: Credit to @Hexacorn [ http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ ] [ https://blog.comodo.com/malware/trojware-win32-trojanspy-volisk-a/ ]  -->
-                <!-- Office -->
-                <TargetObject name="T1137" condition="contains">Microsoft\Office\Outlook\Addins\</TargetObject>
-                <!-- Microsoft:Office: Outlook add-ins, access to sensitive data and often cause issues -->
-                <TargetObject name="T1137" condition="contains">Office Test\</TargetObject>
-                <!--  Microsoft:Office: Persistence method [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn  -->
-                <TargetObject name="Context,ProtectedModeExitOrMacrosUsed" condition="contains">Security\Trusted Documents\TrustRecords</TargetObject>
-                <!-- Microsoft:Office: Monitor when "Enable editing" or "Enable macros" is used | Credit @OutflankNL | [ https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/ ]  -->
-                <!-- IE -->
-                <TargetObject name="T1176" condition="contains">Internet Explorer\Toolbar\</TargetObject>
-                <!-- Microsoft:InternetExplorer: Machine and user [ Example: https://www.exterminate-it.com/malpedia/remove-mywebsearch ]  -->
-                <TargetObject name="T1176" condition="contains">Internet Explorer\Extensions\</TargetObject>
-                <!-- Microsoft:InternetExplorer: Machine and user [ Example: https://www.exterminate-it.com/malpedia/remove-mywebsearch ]  -->
-                <TargetObject name="T1176" condition="contains">Browser Helper Objects\</TargetObject>
-                <!-- Microsoft:InternetExplorer: Machine and user [ https://msdn.microsoft.com/en-us/library/bb250436(v=vs.85).aspx ]  -->
-                <TargetObject condition="end with">\DisableSecuritySettingsCheck</TargetObject>
-                <TargetObject condition="end with">\3\1206</TargetObject>
-                <!-- Microsoft:InternetExplorer: Malware sometimes assures scripting is on in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ]  -->
-                <TargetObject condition="end with">\3\2500</TargetObject>
-                <!-- Microsoft:InternetExplorer: Malware sometimes disables Protected Mode in Internet Zone [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ]  -->
-                <TargetObject condition="end with">\3\1809</TargetObject>
-                <!-- Microsoft:InternetExplorer: Malware sometimes disables Pop-up Blocker in Internet Zone [ https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users ]  -->
-                <!-- Magic registry keys -->
-                <TargetObject condition="begin with">HKLM\Software\Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\</TargetObject>
-                <!-- Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ]  -->
-                <TargetObject condition="begin with">HKLM\Software\Classes\WOW6432Node\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\</TargetObject>
-                <!-- Windows: Thumbnail cache autostart [ http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/ ]  -->
-                <TargetObject condition="begin with">HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\</TargetObject>
-                <!-- Windows: DirectX instances -->
-                <TargetObject condition="begin with">HKLM\Software\Classes\WOW6432Node\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\</TargetObject>
-                <!-- Windows: DirectX instances -->
-                <!-- Install/Run artifacts -->
-                <TargetObject condition="end with">\UrlUpdateInfo</TargetObject>
-                <!-- Microsoft:ClickOnce: Source URL is stored in this value [ https://subt0x10.blogspot.com/2016/12/mimikatz-delivery-via-clickonce-with.html ]  -->
-                <TargetObject condition="end with">\InstallSource</TargetObject>
-                <!-- Windows: Source folder for certain program and component installations -->
-                <TargetObject name="Alert,Sysinternals Tool Used" condition="end with">\EulaAccepted</TargetObject>
-                <!-- Sysinternals tool launched. Lots of useful abilities for attackers  -->
-                <!-- Antivirus tampering -->
-                <TargetObject name="T1089,Tamper-Defender" condition="end with">\DisableAntiSpyware</TargetObject>
-                <!-- Windows:Defender: State modified via registry -->
-                <TargetObject name="T1089,Tamper-Defender" condition="end with">\DisableAntiVirus</TargetObject>
-                <!-- Windows:Defender: State modified via registry -->
-                <TargetObject name="T1089,Tamper-Defender" condition="end with">\SpynetReporting</TargetObject>
-                <!-- Windows:Defender: State modified via registry -->
-                <TargetObject name="T1089,Tamper-Defender" condition="end with">DisableRealtimeMonitoring</TargetObject>
-                <!-- Windows:Defender: State modified via registry -->
-                <TargetObject name="T1089,Tamper-Defender" condition="end with">\SubmitSamplesConsent</TargetObject>
-                <!-- Windows:Defender: State modified via registry -->
-                <!-- Windows UAC tampering -->
-                <TargetObject name="T1088 - Windows UAC tampering" condition="end with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject>
-                <!-- Detect: UAC Tampering | Credit @ion-storm  -->
-                <TargetObject name="T1088 - UAC tampering" condition="end with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject>
-                <!-- Detect: UAC Tampering | Credit @ion-storm  -->
-                <!-- Microsoft Security Center tampering | Credit @ion-storm  -->
-                <TargetObject name="T1089,Tamper-SecCenter" condition="end with">HKLM\Software\Microsoft\Security Center\</TargetObject>
-                <!--  [ https://attack.mitre.org/wiki/Technique/T1089 ]  -->
-                <TargetObject name="T1089,Tamper-SecCenter" condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth</TargetObject>
-                <!-- Windows:Security Center: Malware sometimes disables [ https://blog.avast.com/2013/08/12/your-documents-are-corrupted-from-image-to-an-information-stealing-trojan/ ]  -->
-                <!-- Windows application compatibility -->
-                <TargetObject name="T1138,AppCompatShim" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom</TargetObject>
-                <!-- Windows: AppCompat [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ]  -->
-                <TargetObject name="T1138,AppCompatShim" condition="begin with">HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject>
-                <!-- Windows: AppCompat [ https://attack.mitre.org/wiki/Technique/T1138 ]  -->
-                <TargetObject condition="contains">VirtualStore</TargetObject>
-                <!-- Windows: Malware likes changing IFEO, like adding Debugger to disable antivirus EXE -->
-                <TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\</TargetObject>
-                <!-- Windows: Event log system integrity and ACLs -->
-                <TargetObject name="Tamper-Safemode" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\</TargetObject>
-                <!-- Windows: Services approved to load in safe mode. Almost nothing should ever modify this. -->
-                <TargetObject name="Tamper-Winlogon" condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\</TargetObject>
-                <!-- Windows: Providers notified by WinLogon -->
-                <TargetObject name="Context,DeviceConntectedOrUpdated" condition="end with">\FriendlyName</TargetObject>
-                <!-- Windows: New devices connected and remembered -->
-                <TargetObject name="Context,MsiInstallerStarted" condition="is">HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default)</TargetObject>
-                <!-- Windows: See when WindowsInstaller is engaged, useful for timeline matching with other events -->
-                <TargetObject name="Tamper-Tracing" condition="begin with">HKLM\Software\Microsoft\Tracing\RASAPI32</TargetObject>
-                <!-- Windows: Malware sometimes disables tracing to obfuscate tracks -->
-                <!-- Windows inventory events -->
-                <TargetObject name="InvDB-Path" condition="end with">\LowerCaseLongPath</TargetObject>
-                <!--  [ https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html ]  -->
-                <TargetObject name="InvDB-Pub" condition="end with">\Publisher</TargetObject>
-                <!--  [ https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html ]  -->
-                <TargetObject name="InvDB-Ver" condition="end with">\BinProductVersion</TargetObject>
-                <!--  [ https://docs.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709 ]  -->
-                <TargetObject name="InvDB-DriverVer" condition="end with">\DriverVersion</TargetObject>
-                <!--  [ https://df-stream.com/2015/02/leveraging-devicecontainers-key/ ]  -->
-                <TargetObject name="InvDB-DriverVer" condition="end with">\DriverVerVersion</TargetObject>
-                <!--  [ https://df-stream.com/2015/02/leveraging-devicecontainers-key/ ]  -->
-                <TargetObject name="InvDB-CompileTimeClaim" condition="end with">\LinkDate</TargetObject>
-                <!--  Compile time of EXE, may not be reliable [ https://en.wikipedia.org/wiki/Link_time ]  -->
-                <TargetObject name="InvDB" condition="contains">Compatibility Assistant\Store\</TargetObject>
-                <!--  Inventory  -->
-                <!-- Suspicious sources -->
-                <Image name="Suspicious,ImageBeginWithBackslash" condition="begin with">\</Image>
-                <!-- Devices and VSC shouldn't be executing changes | Credit: @SBousseaden @ionstorm @neu5ron @PerchedSystems [ https://twitter.com/SwiftOnSecurity/status/1133167323991486464 ]  -->
-            </RegistryEvent>
-        </RuleGroup>
-        <RuleGroup name="" groupRelation="or">
-            <RegistryEvent onmatch="exclude">
-                <!-- COMMENT:	Remove low-information noise. Often these hide a procress recreating an empty key and do not hide the values created subsequently. -->
-                <!-- NOTE:	A lot of noise can be removed by excluding CreateKey events, which are largely innocuous -->
-                <TargetObject condition="contains">\{CAFEEFAC-</TargetObject>
-                <EventType condition="is">CreateKey</EventType>
-                <TargetObject condition="begin with">HKLM\COMPONENTS</TargetObject>
-                <!-- Inventory noise -->
-                <TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache</TargetObject>
-                <!-- Misc -->
-                <TargetObject condition="end with">Toolbar\WebBrowser</TargetObject>
-                <!-- Microsoft:IE: Extraneous activity -->
-                <TargetObject condition="end with">Browser\ITBar7Height</TargetObject>
-                <!-- Microsoft:IE: Extraneous activity, covers ShellBrowser and WebBrowser -->
-                <TargetObject condition="end with">Browser\ITBar7Layout</TargetObject>
-                <!-- Microsoft:IE: Extraneous activity -->
-                <TargetObject condition="end with">Internet Explorer\Toolbar\Locked</TargetObject>
-                <!-- Windows:Explorer: Extraneous activity -->
-                <TargetObject condition="end with">Toolbar\WebBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93}</TargetObject>
-                <!-- Windows:Explorer: Extraneous activity -->
-                <TargetObject condition="end with">}\PreviousPolicyAreas</TargetObject>
-                <!-- Windows: Remove noise from \Winlogon\GPExtensions by svchost.exe -->
-                <TargetObject condition="contains">\Control\WMI\Autologger\</TargetObject>
-                <!-- Windows: Remove noise from monitoring "\Start" -->
-                <TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start</TargetObject>
-                <!-- Windows: Remove noise from monitoring "\Start" -->
-                <TargetObject condition="end with">\Lsa\OfflineJoin\CurrentValue</TargetObject>
-                <!-- Windows: Sensitive value during domain join -->
-                <TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\</TargetObject>
-                <!-- Windows: Remove noise monitoring installations run as system -->
-                <TargetObject condition="contains">_Classes\AppX</TargetObject>
-                <!-- Windows: Remove noise monitoring "Shell\open\command" -->
-                <!-- Win8+ -->
-                <TargetObject condition="begin with">HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\</TargetObject>
-                <!-- Windows: SvcHost Noise -->
-                <!-- Bootup Control noise -->
-                <TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaPid</TargetObject>
-                <!-- Windows:lsass.exe: Boot noise -->
-                <TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache</TargetObject>
-                <!-- Windows:lsass.exe: Boot noise -->
-                <!-- Win8+ -->
-                <TargetObject condition="end with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains</TargetObject>
-                <!-- Windows:lsass.exe: Boot noise -->
-                <!-- Win8+ -->
-                <!-- Services startup settings noise, some low-risk services routinely change it and this can be ignored -->
-                <TargetObject condition="end with">\Services\BITS\Start</TargetObject>
-                <!-- Windows: Remove noise from monitoring "\Start" -->
-                <TargetObject condition="end with">\services\clr_optimization_v2.0.50727_32\Start</TargetObject>
-                <!-- Microsoft:dotNet: Windows 7 -->
-                <TargetObject condition="end with">\services\clr_optimization_v2.0.50727_64\Start</TargetObject>
-                <!-- Microsoft:dotNet: Windows 7 -->
-                <TargetObject condition="end with">\services\clr_optimization_v4.0.30319_32\Start</TargetObject>
-                <!-- Microsoft:dotNet: Windows 10 -->
-                <TargetObject condition="end with">\services\clr_optimization_v4.0.30319_64\Start</TargetObject>
-                <!-- Microsoft:dotNet: Windows 10 -->
-                <TargetObject condition="end with">\services\deviceAssociationService\Start</TargetObject>
-                <!-- Windows: Remove noise from monitoring "\Start" -->
-                <TargetObject condition="end with">\services\fhsvc\Start</TargetObject>
-                <!-- Windows: File History Service -->
-                <TargetObject condition="end with">\services\nal\Start</TargetObject>
-                <!-- Intel: Network adapter diagnostic driver -->
-                <TargetObject condition="end with">\services\trustedInstaller\Start</TargetObject>
-                <!-- Windows: Remove noise from monitoring "\Start" -->
-                <TargetObject condition="end with">\services\tunnel\Start</TargetObject>
-                <!-- Windows: Remove noise from monitoring "\Start" -->
-                <TargetObject condition="end with">\services\usoSvc\Start</TargetObject>
-                <!-- Windows: Remove noise from monitoring "\Start" -->
-                <!-- FileExts noise filtering -->
-                <TargetObject condition="end with">\UserChoice\ProgId</TargetObject>
-                <!-- Windows: Remove noise from monitoring "FileExts" -->
-                <!-- Win8+ -->
-                <TargetObject condition="end with">\UserChoice\Hash</TargetObject>
-                <!-- Windows: Remove noise from monitoring "FileExts" -->
-                <!-- Win8+ -->
-                <TargetObject condition="end with">\OpenWithList\MRUList</TargetObject>
-                <!-- Windows: Remove noise from monitoring "FileExts" -->
-                <TargetObject condition="contains">Shell Extentions\Cached</TargetObject>
-                <!-- Windows: Remove noise generated by explorer.exe on monitored ShellCached binary keys -->
-                <!-- Win8+ -->
-                <!-- Group Policy noise -->
-                <TargetObject condition="end with">HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups</TargetObject>
-                <!-- Windows: Routinely set through Group Policy, not especially important to log -->
-                <TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\PSScriptOrder</TargetObject>
-                <!-- Windows:Group Policy: Noise below the actual key while building -->
-                <TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\SOM-ID</TargetObject>
-                <!-- Windows:Group Policy: Noise below the actual key while building -->
-                <TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\GPO-ID</TargetObject>
-                <!-- Windows:Group Policy: Noise below the actual key while building -->
-                <TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\IsPowershell</TargetObject>
-                <!-- Windows:Group Policy: Noise below the actual key while building -->
-                <TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\ExecTime</TargetObject>
-                <!-- Windows:Group Policy: Noise below the actual key while building -->
-                <TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\PSScriptOrder</TargetObject>
-                <!-- Windows:Group Policy: Noise below the actual key while building -->
-                <TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\SOM-ID</TargetObject>
-                <!-- Windows:Group Policy: Noise below the actual key while building -->
-                <TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\GPO-ID</TargetObject>
-                <!-- Windows:Group Policy: Noise below the actual key while building -->
-                <TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\IsPowershell</TargetObject>
-                <!-- Windows:Group Policy: Noise below the actual key while building -->
-                <TargetObject condition="end with">SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\ExecTime</TargetObject>
-                <!-- Windows:Group Policy: Noise below the actual key while building -->
-                <TargetObject condition="contains">\safer\codeidentifiers\0\HASHES\{</TargetObject>
-                <!-- Windows: Software Restriction Policies. Can be used to disable security tools, but very noisy to monitor if you use it -->
-                <!-- SECTION: Office C2R -->
-                <TargetObject condition="contains">VirtualStore\MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\</TargetObject>
-                <!-- Microsoft: SearchProtocolHost writes to OfficeC2R registry for Outlook, seemingly regarding mail indexing -->
-                <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Office\ClickToRun\</TargetObject>
-                <!-- Microsoft: Virtual registry for Office -->
-                <!-- SECTION: 3rd party -->
-                <Image condition="is">C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe</Image>
-                <!-- Constantly writes to HKLM -->
-                <TargetObject condition="begin with">HKCR\VLC.</TargetObject>
-                <!-- VLC update noise -->
-                <TargetObject condition="begin with">HKCR\iTunes.</TargetObject>
-                <!-- Apple: iTunes update noise -->
-                <!-- WINEVT publishers noise -->
-                <TargetObject condition="is">HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{945a8954-c147-4acd-923f-40c45405a658}</TargetObject>
-                <!-- Windows update -->
-            </RegistryEvent>
-        </RuleGroup>
-        <!-- SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash] -->
-        <!-- EVENT 15: "File stream created" -->
-        <!-- COMMENT:	Any files created with an NTFS Alternate Data Stream which match these rules will be hashed and logged.
-			[ https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/ ]
-			ADS's are used by browsers and email clients to mark files as originating from the Internet or other foreign sources.
-			[ https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/ ]  -->
-        <!-- NOTE: Other filesystem minifilters can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich. -->
-        <!-- DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, Hash -->
-        <FileCreateStreamHash onmatch="include">
-            <TargetFilename condition="contains">Downloads</TargetFilename>
-            <!-- Downloaded files. Does not include "Run" files in IE -->
-            <TargetFilename condition="contains">Temp\7z</TargetFilename>
-            <!-- 7zip extractions -->
-            <TargetFilename condition="contains">Startup</TargetFilename>
-            <!-- ADS startup | Example: [ https://www.hybrid-analysis.com/sample/a314f6106633fba4b70f9d6ddbee452e8f8f44a72117749c21243dc93c7ed3ac?environmentId=100 ]  -->
-            <TargetFilename condition="end with">.bat</TargetFilename>
-            <!-- Batch scripting -->
-            <TargetFilename condition="end with">.cmd</TargetFilename>
-            <!-- Batch scripting | Credit @ion-storm  -->
-            <TargetFilename condition="end with">.doc</TargetFilename>
-            <!-- Office doc potentially with macro  -->
-            <TargetFilename condition="end with">.hta</TargetFilename>
-            <!-- Scripting -->
-            <TargetFilename condition="end with">.lnk</TargetFilename>
-            <!-- Shortcut file | Credit @ion-storm  -->
-            <TargetFilename condition="end with">.ppt</TargetFilename>
-            <!-- Office doc potentially with macros -->
-            <TargetFilename condition="end with">.ps1</TargetFilename>
-            <!-- PowerShell -->
-            <TargetFilename condition="end with">.ps2</TargetFilename>
-            <!-- PowerShell -->
-            <TargetFilename condition="end with">.reg</TargetFilename>
-            <!-- Registry File -->
-            <TargetFilename condition="end with">.jse</TargetFilename>
-            <!-- Registry File -->
-            <TargetFilename condition="end with">.vb</TargetFilename>
-            <!-- VisualBasicScripting files -->
-            <TargetFilename condition="end with">.vbe</TargetFilename>
-            <!-- VisualBasicScripting files -->
-            <TargetFilename condition="end with">.vbs</TargetFilename>
-            <!-- VisualBasicScripting files -->
-        </FileCreateStreamHash>
-        <RuleGroup name="" groupRelation="or">
-            <FileCreateStreamHash onmatch="exclude"></FileCreateStreamHash>
-        </RuleGroup>
-        <!-- SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE -->
-        <!-- EVENT 16: "Sysmon config state changed" -->
-        <!-- COMMENT:	This ONLY logs if the hash of the configuration changes. Running "sysmon.exe -c" with the current configuration will not be logged with Event 16 -->
-        <!-- DATA: UtcTime, Configuration, ConfigurationFileHash -->
-        <!-- Cannot be filtered. -->
-        <!-- SYSMON EVENT ID 17 & 18 : PIPE CREATED / PIPE CONNECTED [PipeEvent] -->
-        <!-- EVENT 17: "Pipe Created" -->
-        <!-- EVENT 18: "Pipe Connected" -->
-        <!-- ADDITIONAL REFERENCE: [ https://www.cobaltstrike.com/help-smb-beacon ]  -->
-        <!-- ADDITIONAL REFERENCE: [ https://blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/ ]  -->
-        <!-- DATA: UtcTime, ProcessGuid, ProcessId, PipeName, Image -->
-        <RuleGroup name="" groupRelation="or">
-            <PipeEvent onmatch="include">
-                <PipeName name="technique_id=T1021.001,apt=Volt Typhoon,Fancy Bear,Fox Kitten" condition="contains">\\\\.\\pipe\\</PipeName> <!-- added 2025-01-08 by cpl iverson -->
-                <PipeName name="technique_id=S0029,apt=Volt Typhoon,Fancy Bear,Fox Kitten" condition="contains">PsExec</PipeName> <!-- added 2025-01-08 by cpl iverson -->
-            </PipeEvent>
-        </RuleGroup>
-        <!-- SYSMON EVENT ID 19 & 20 & 21 : WMI EVENT MONITORING [WmiEvent] -->
-        <!-- EVENT 19: "WmiEventFilter activity detected" -->
-        <!-- EVENT 20: "WmiEventConsumer activity detected" -->
-        <!-- EVENT 21: "WmiEventConsumerToFilter activity detected" -->
-        <!-- ADDITIONAL REFERENCE: [ https://www.darkoperator.com/blog/2017/10/15/sysinternals-sysmon-610-tracking-of-permanent-wmi-events ]  -->
-        <!-- ADDITIONAL REFERENCE: [ https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-v610-vs-wmi-persistence/ ]  -->
-        <!-- DATA: EventType, UtcTime, Operation, User, Name, Type, Destination, Consumer, Filter -->
-        <RuleGroup name="" groupRelation="or">
-            <WmiEvent onmatch="exclude">
-                <Query name="technique_id=T1654,apt=Volt Typhoon" condition="contains">Get-EventLog</Query> <!-- added 2025-01-08 by cpl iverson -->
-            <Query name="technique_id=S0645,apt=Volt Typhoon,Fancy Bear" condition="contains">Wevtutil</Query> <!-- added 2025-01-08 by cpl iverson -->
-            <Query name="technique_id=T1047,apt=Fancy Bear" condition="contains">Win32_Process</Query> <!-- added 2025-01-08 by cpl iverson -->
-            </WmiEvent>
-        </RuleGroup>
-        <!-- SYSMON EVENT ID 22 : DNS QUERY [DnsQuery] -->
-        <!-- EVENT 22: "Dns query" -->
-        <!-- NOTE:	Due to the volume of events that DNS queries generate, some orgs may want to remove this section from their configuration to reduce Sysmon log turnover.  -->
-        <!-- COMMENT:	DNS logging is a very nuanced challenge in monitoring due to event volume. Legitimate domains can be used to host malware/C2, but lookup itself is not very informative.
-						It's fine to exclude monitoring these bulk low-value lookups, but at same time, you would not have a full log of how malware communicated, potentially missing C2.
-						This section of Sysmon configuration will require your full judgement and knowledge of your org's priorities. There is no correct answer. -->
-        <!-- OPERATIONS:	Chrome and Firefox prefetch DNS lookups, or use alternate DNS lookup methods Sysmon won't capture. You need to turn these off.
-						Search for Group Policy for these browsers to configure this. -->
-        <!-- OPERATIONS:	Most DNS traffic is web advertising. To significantly reduce DNS queries and malware ads, enable client-side advertising filtering via Group Policy. This is easy.
-				Internet Explorer: https://decentsecurity.com/adblocking-for-internet-explorer-deployment/
-				Chrome: https://decentsecurity.com/ublock-for-google-chrome-deployment/
-				Firefox: ToDo
-						Also note, this configuration is designed for United States computers. Your country's users will may need customization to reduce noise.
-			 -->
-        <!-- CONFIG:	DNS poisoning is an issue during threat investigations. Try to only exclude ROUTINE system-level queries you know are strongly validated with HTTPS or code signing. -->
-        <!-- CONFIG:	If you exclude microsoft.com, someone could register malware-microsoft.com and it wouldn't be logged. Use "END WITH" with leading . or "IS" operators. -->
-        <!-- CONFIG:	Be very specific in exclusions. Threat actors use legitimate services, too. Dont exclude all of AWS or Azure or Google or CDNs! -->
-        <!-- CONFIG: Popularity data: [ http://s3-us-west-1.amazonaws.com/umbrella-static/index.html ] [ https://better.fyi/trackers/alexa-top-500-news/ ]  -->
-        <!-- CRITICAL:	Do NOT exclude "wpad" lookups. This is a MitM vector routinely used by attackers. Disable WPAD or enforce client-side DNSSEC for AD domain lookups. -->
-        <!-- CRITICAL:	Do NOT exclude IPv6 lookups. -->
-        <!-- DATA: RuleName, UtcTime, ProcessGuid, ProcessId, QueryName, QueryType, QueryStatus, QueryResults (can't filter on) -->
-        <!-- BELOW: These domains should not be excluded at the top level. Be specific if you want to reduce noise under them. -->
-        <!--  Rejected: .cloudapp.net, customer content [ https://blogs.technet.microsoft.com/ptsblog/2012/06/18/security-consideration-when-using-cloudapp-net-domain-as-production-environment-in-windows-azure/ ]  -->
-        <!--  Rejected: .googleapis.com, customer content [ https://www.zdnet.com/article/this-business-email-scam-spreads-trojans-through-google-cloud-storage/ ]  -->
-        <!--  Rejected: .cloudfront.net, customer content  -->
-        <!--  Rejected: .windows.net, customer content  -->
-        <!--  Rejected: *github.com, customer content, including open-source malware components  -->
-        <RuleGroup name="" groupRelation="or">
-             <!-- DNS Query -->
-            <DnsQuery onmatch="include">
-                <QueryName name="technique_id=T1071.004,apt=Fancy Bear" condition="contains">example.com</QueryName> <!-- added 2025-01-08 by cpl iverson -->
-                <QueryName name="technique_id=T1102,apt=Fox Kitten" condition="contains">amazonaws.com</QueryName> <!-- added 2025-01-08 by cpl iverson -->
-            </DnsQuery>
-            <DnsQuery onmatch="exclude">
-                <!-- Network noise -->
-                <QueryName condition="end with">.arpa.</QueryName>
-                <!-- Design decision to not log reverse DNS lookups. You will need to decide. -->
-                <QueryName condition="end with">.arpa</QueryName>
-                <!-- Design decision to not log reverse DNS lookups. You will need to decide. -->
-                <QueryName condition="end with">.msftncsi.com</QueryName>
-                <!-- Microsoft proxy detection | Microsoft default exclusion -->
-                <QueryName condition="is">..localmachine</QueryName>
-                <QueryName condition="is">localhost</QueryName>
-                <!-- Microsoft -->
-                <QueryName condition="end with">-pushp.svc.ms</QueryName>
-                <!-- Microsoft: Doesn't appear to host customer content or subdomains -->
-                <QueryName condition="end with">.b-msedge.net</QueryName>
-                <!-- Microsoft: Doesn't appear to host customer content or subdomains -->
-                <QueryName condition="end with">.bing.com</QueryName>
-                <!--  Microsoft | Microsoft default exclusion  -->
-                <QueryName condition="end with">.hotmail.com</QueryName>
-                <!-- Microsoft | Microsoft default exclusion -->
-                <QueryName condition="end with">.live.com</QueryName>
-                <!-- Microsoft | Microsoft default exclusion -->
-                <QueryName condition="end with">.live.net</QueryName>
-                <!-- Microsoft | Microsoft default exclusion -->
-                <QueryName condition="end with">.s-microsoft.com</QueryName>
-                <!-- Microsoft -->
-                <QueryName condition="end with">.microsoft.com</QueryName>
-                <!-- Microsoft | Microsoft default exclusion -->
-                <QueryName condition="end with">.microsoftonline.com</QueryName>
-                <!-- Microsoft | Microsoft default exclusion -->
-                <QueryName condition="end with">.microsoftstore.com</QueryName>
-                <!-- Microsoft | Microsoft default exclusion -->
-                <QueryName condition="end with">.ms-acdc.office.com</QueryName>
-                <!-- Microsoft: Doesn't appear to host customer content or subdomains -->
-                <QueryName condition="end with">.msedge.net</QueryName>
-                <!-- Microsoft: Doesn't appear to host customer content or subdomains -->
-                <QueryName condition="end with">.msn.com</QueryName>
-                <!-- Microsoft | Microsoft default exclusion -->
-                <QueryName condition="end with">.msocdn.com</QueryName>
-                <!-- Microsoft -->
-                <QueryName condition="end with">.skype.com</QueryName>
-                <!-- Microsoft | Microsoft default exclusion -->
-                <QueryName condition="end with">.skype.net</QueryName>
-                <!-- Microsoft | Microsoft default exclusion -->
-                <QueryName condition="end with">.windows.com</QueryName>
-                <!-- Microsoft -->
-                <QueryName condition="end with">.windows.net.nsatc.net</QueryName>
-                <!-- Microsoft -->
-                <QueryName condition="end with">.windowsupdate.com</QueryName>
-                <!-- Microsoft -->
-                <QueryName condition="end with">.xboxlive.com</QueryName>
-                <!-- Microsoft -->
-                <QueryName condition="is">login.windows.net</QueryName>
-                <!-- Microsoft -->
-                <Image condition="begin with">C:\ProgramData\Microsoft\Windows Defender\Platform\</Image>
-                <!-- Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/network-protection  -->
-                <!-- Microsoft:Office365/AzureAD -->
-                <QueryName condition="end with">.activedirectory.windowsazure.com</QueryName>
-                <!-- Microsoft: AzureAD -->
-                <QueryName condition="end with">.aria.microsoft.com</QueryName>
-                <!-- Microsoft: OneDrive/SharePoint -->
-                <QueryName condition="end with">.msauth.net</QueryName>
-                <QueryName condition="end with">.msftauth.net</QueryName>
-                <QueryName condition="end with">.opinsights.azure.com</QueryName>
-                <!-- Microsoft: AzureAD/InTune client event monitoring -->
-                <QueryName condition="end with">osi.office.net</QueryName>
-                <!-- Microsoft: Office -->
-                <QueryName condition="is">loki.delve.office.com</QueryName>
-                <!-- Microsoft: Office -->
-                <QueryName condition="is">management.azure.com</QueryName>
-                <!-- Microsoft: AzureAD/InTune -->
-                <QueryName condition="is">messaging.office.com</QueryName>
-                <!-- Microsoft: Office -->
-                <QueryName condition="is">outlook.office365.com</QueryName>
-                <!-- Microsoft: Protected by HSTS -->
-                <QueryName condition="is">portal.azure.com</QueryName>
-                <!-- Microsoft: AzureAD/InTune -->
-                <QueryName condition="is">protection.outlook.com</QueryName>
-                <!-- Microsoft: Office -->
-                <QueryName condition="is">substrate.office.com</QueryName>
-                <!-- Microsoft: Office -->
-                <!-- 3rd-party applications -->
-                <QueryName condition="end with">.mozaws.net</QueryName>
-                <!-- Mozilla -->
-                <QueryName condition="end with">.mozilla.com</QueryName>
-                <!-- Mozilla -->
-                <QueryName condition="end with">.mozilla.net</QueryName>
-                <!-- Mozilla -->
-                <QueryName condition="end with">.mozilla.org</QueryName>
-                <!-- Mozilla -->
-                <QueryName condition="end with">.spotify.com</QueryName>
-                <!-- Spotify -->
-                <QueryName condition="end with">.spotify.map.fastly.net</QueryName>
-                <!-- Spotify -->
-                <QueryName condition="is">clients1.google.com</QueryName>
-                <!-- Google -->
-                <QueryName condition="is">clients2.google.com</QueryName>
-                <!-- Google -->
-                <QueryName condition="is">clients3.google.com</QueryName>
-                <!-- Google -->
-                <QueryName condition="is">clients4.google.com</QueryName>
-                <!-- Google -->
-                <QueryName condition="is">clients5.google.com</QueryName>
-                <!-- Google -->
-                <QueryName condition="is">clients6.google.com</QueryName>
-                <!-- Google -->
-                <QueryName condition="is">safebrowsing.googleapis.com</QueryName>
-                <!-- Google -->
-                <!-- Goodlist CDN -->
-                <QueryName condition="end with">.akadns.net</QueryName>
-                <!-- AkamaiCDN, extensively used by Microsoft | Microsoft default exclusion -->
-                <QueryName condition="end with">.netflix.com</QueryName>
-                <QueryName condition="end with">aspnetcdn.com</QueryName>
-                <!-- Microsoft [ https://docs.microsoft.com/en-us/aspnet/ajax/cdn/overview ] -->
-                <QueryName condition="is">ajax.googleapis.com</QueryName>
-                <QueryName condition="is">cdnjs.cloudflare.com</QueryName>
-                <!-- Cloudflare: Hosts popular javascript libraries -->
-                <QueryName condition="is">fonts.googleapis.com</QueryName>
-                <!-- Google fonts -->
-                <QueryName condition="end with">.typekit.net</QueryName>
-                <!-- Adobe fonts -->
-                <QueryName condition="is">cdnjs.cloudflare.com</QueryName>
-                <QueryName condition="end with">.stackassets.com</QueryName>
-                <!-- Stack Overflow -->
-                <QueryName condition="end with">.steamcontent.com</QueryName>
-                <!-- Web resources -->
-                <QueryName condition="end with">.disqus.com</QueryName>
-                <!-- Microsoft default exclusion -->
-                <QueryName condition="end with">.fontawesome.com</QueryName>
-                <QueryName condition="is">disqus.com</QueryName>
-                <!-- Microsoft default exclusion -->
-                <!-- Ads -->
-                <QueryName condition="end with">.1rx.io</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.2mdn.net</QueryName>
-                <!-- Ads: Google | Microsoft default exclusion -->
-                <QueryName condition="end with">.adadvisor.net</QueryName>
-                <!-- Ads: Neustar [ https://better.fyi/trackers/adadvisor.net/ ]  -->
-                <QueryName condition="end with">.adap.tv</QueryName>
-                <!-- Ads:AOL | Microsoft default exclusion [ https://www.crunchbase.com/organization/adap-tv ]  -->
-                <QueryName condition="end with">.addthis.com</QueryName>
-                <!-- Ads:Oracle | Microsoft default exclusion [ https://en.wikipedia.org/wiki/AddThis ]  -->
-                <QueryName condition="end with">.adform.net</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.adnxs.com</QueryName>
-                <!-- Ads: AppNexus | Microsoft default exclusion -->
-                <QueryName condition="end with">.adroll.com</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.adrta.com</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.adsafeprotected.com</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.adsrvr.org</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.advertising.com</QueryName>
-                <!-- Ads | Microsoft default exclusion -->
-                <QueryName condition="end with">.amazon-adsystem.com</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.amazon-adsystem.com</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.analytics.yahoo.com</QueryName>
-                <!-- Ads:Yahoo -->
-                <QueryName condition="end with">.aol.com</QueryName>
-                <!-- Ads | Microsoft default exclusion  -->
-                <QueryName condition="end with">.betrad.com</QueryName>
-                <!-- Ads | Microsoft default exclusion -->
-                <QueryName condition="end with">.bidswitch.net</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.casalemedia.com</QueryName>
-                <!-- Ads | Microsoft default exclusion -->
-                <QueryName condition="end with">.chartbeat.net</QueryName>
-                <!-- Ads | Microsoft default exclusion [ https://better.fyi/trackers/chartbeat.com/ ] -->
-                <QueryName condition="end with">.cnn.com</QueryName>
-                <!--  Microsoft default exclusion -->
-                <QueryName condition="end with">.convertro.com</QueryName>
-                <!-- Ads:Verizon -->
-                <QueryName condition="end with">.criteo.com</QueryName>
-                <!-- Ads [ https://better.fyi/trackers/criteo.com/ ]  -->
-                <QueryName condition="end with">.criteo.net</QueryName>
-                <!-- Ads [ https://better.fyi/trackers/criteo.com/ ]  -->
-                <QueryName condition="end with">.crwdcntrl.net</QueryName>
-                <!-- Ads: Lotame [ https://better.fyi/trackers/crwdcntrl.net/ ]  -->
-                <QueryName condition="end with">.demdex.net</QueryName>
-                <!-- Ads | Microsoft default exclusion -->
-                <QueryName condition="end with">.domdex.com</QueryName>
-                <QueryName condition="end with">.dotomi.com</QueryName>
-                <!-- Ads | Microsoft default exclusion -->
-                <QueryName condition="end with">.doubleclick.net</QueryName>
-                <!-- Ads:Conversant | Microsoft default exclusion [ https://www.crunchbase.com/organization/dotomi ]  -->
-                <QueryName condition="end with">.doubleverify.com</QueryName>
-                <!-- Ads: Google -->
-                <QueryName condition="end with">.emxdgt.com</QueryName>
-                <!-- Ads: EMX -->
-                <QueryName condition="end with">.exelator.com</QueryName>
-                <!-- Ads:Nielson Marketing Cloud -->
-                <QueryName condition="end with">.google-analytics.com</QueryName>
-                <!-- Ads:Google | Microsoft default exclusion -->
-                <QueryName condition="end with">.googleadservices.com</QueryName>
-                <!-- Google -->
-                <QueryName condition="end with">.googlesyndication.com</QueryName>
-                <!-- Ads:Google, sometimes called during malicious ads, but not directly responsible | Microsoft default exclusion [ https://www.hackread.com/wp-content/uploads/2018/06/Bitdefender-Whitepaper-Zacinlo.pdf ] -->
-                <QueryName condition="end with">.googletagmanager.com</QueryName>
-                <!-- Google -->
-                <QueryName condition="end with">.googlevideo.com</QueryName>
-                <!-- Google | Microsoft default exclusion -->
-                <QueryName condition="end with">.gstatic.com</QueryName>
-                <!-- Google | Microsoft default exclusion -->
-                <QueryName condition="end with">.gvt1.com</QueryName>
-                <!-- Google -->
-                <QueryName condition="end with">.gvt2.com</QueryName>
-                <!-- Google -->
-                <QueryName condition="end with">.ib-ibi.com</QueryName>
-                <!-- Ads: Offerpath [ https://better.fyi/trackers/ib-ibi.com/ ]  -->
-                <QueryName condition="end with">.jivox.com</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.mathtag.com</QueryName>
-                <!-- Microsoft default exclusion -->
-                <QueryName condition="end with">.moatads.com</QueryName>
-                <!-- Ads | Microsoft default exclusion -->
-                <QueryName condition="end with">.moatpixel.com</QueryName>
-                <!-- Ads | Microsoft default exclusion -->
-                <QueryName condition="end with">.mookie1.com</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.myvisualiq.net</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.netmng.com</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.nexac.com</QueryName>
-                <!-- Ads | Microsoft default exclusion -->
-                <QueryName condition="end with">.openx.net</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.optimizely.com</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.outbrain.com</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.pardot.com</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.phx.gbl</QueryName>
-                <!-- Ads | Microsoft default exclusion -->
-                <QueryName condition="end with">.pinterest.com</QueryName>
-                <!-- Pinerest -->
-                <QueryName condition="end with">.pubmatic.com</QueryName>
-                <!-- Ads | Microsoft default exclusion -->
-                <QueryName condition="end with">.quantcount.com</QueryName>
-                <QueryName condition="end with">.quantserve.com</QueryName>
-                <QueryName condition="end with">.revsci.net</QueryName>
-                <!-- Ads:Omniture | Microsoft default exclusion -->
-                <QueryName condition="end with">.rfihub.net</QueryName>
-                <!-- Ads | Microsoft default exclusion -->
-                <QueryName condition="end with">.rlcdn.com</QueryName>
-                <!-- Ads: Rapleaf [ https://better.fyi/trackers/rlcdn.com/ ]  -->
-                <QueryName condition="end with">.rubiconproject.com</QueryName>
-                <!-- Ads: Rubicon Project | Microsoft default exclusion [ https://better.fyi/trackers/rubiconproject.com/ ]  -->
-                <QueryName condition="end with">.scdn.co</QueryName>
-                <!-- Spotify -->
-                <QueryName condition="end with">.scorecardresearch.com</QueryName>
-                <!-- Ads: Comscore | Microsoft default exclusion -->
-                <QueryName condition="end with">.serving-sys.com</QueryName>
-                <!-- Ads | Microsoft default exclusion -->
-                <QueryName condition="end with">.sharethrough.com</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.simpli.fi</QueryName>
-                <QueryName condition="end with">.sitescout.com</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.smartadserver.com</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.snapads.com</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.spotxchange.com</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.taboola.com</QueryName>
-                <!-- Ads:Taboola -->
-                <QueryName condition="end with">.taboola.map.fastly.net</QueryName>
-                <!-- Ads:Taboola -->
-                <QueryName condition="end with">.tapad.com</QueryName>
-                <QueryName condition="end with">.tidaltv.com</QueryName>
-                <!-- Ads: Videology [ https://better.fyi/trackers/tidaltv.com/ ]  -->
-                <QueryName condition="end with">.trafficmanager.net</QueryName>
-                <!-- Ads | Microsoft default exclusion -->
-                <QueryName condition="end with">.tremorhub.com</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.tribalfusion.com</QueryName>
-                <!-- Ads: Exponential [ https://better.fyi/trackers/tribalfusion.com/ ]  -->
-                <QueryName condition="end with">.turn.com</QueryName>
-                <!-- Ads | Microsoft default exclusion [ https://better.fyi/trackers/turn.com/ ]  -->
-                <QueryName condition="end with">.twimg.com</QueryName>
-                <!-- Ads | Microsoft default exclusion -->
-                <QueryName condition="end with">.tynt.com</QueryName>
-                <!-- Ads -->
-                <QueryName condition="end with">.w55c.net</QueryName>
-                <!-- Ads:dataxu -->
-                <QueryName condition="end with">.ytimg.com</QueryName>
-                <!-- Google -->
-                <QueryName condition="end with">.zorosrv.com</QueryName>
-                <!-- Ads:Taboola -->
-                <QueryName condition="is">1rx.io</QueryName>
-                <!-- Ads -->
-                <QueryName condition="is">adservice.google.com</QueryName>
-                <!-- Google -->
-                <QueryName condition="is">ampcid.google.com</QueryName>
-                <!-- Google -->
-                <QueryName condition="is">clientservices.googleapis.com</QueryName>
-                <!-- Google -->
-                <QueryName condition="is">googleadapis.l.google.com</QueryName>
-                <!-- Google -->
-                <QueryName condition="is">imasdk.googleapis.com</QueryName>
-                <!-- Google [ https://developers.google.com/interactive-media-ads/docs/sdks/html5/ ]  -->
-                <QueryName condition="is">l.google.com</QueryName>
-                <!-- Google -->
-                <QueryName condition="is">ml314.com</QueryName>
-                <!-- Ads -->
-                <QueryName condition="is">mtalk.google.com</QueryName>
-                <!-- Google -->
-                <QueryName condition="is">update.googleapis.com</QueryName>
-                <!-- Google -->
-                <QueryName condition="is">www.googletagservices.com</QueryName>
-                <!-- Google -->
-                <!-- SocialNet -->
-                <QueryName condition="end with">.pscp.tv</QueryName>
-                <!-- Twitter:Periscope -->
-                <!-- OSCP/CRL Common -->
-                <QueryName condition="end with">.digicert.com</QueryName>
-                <QueryName condition="end with">.globalsign.com</QueryName>
-                <QueryName condition="end with">.globalsign.net</QueryName>
-                <QueryName condition="is">msocsp.com</QueryName>
-                <!-- Microsoft:OCSP -->
-                <QueryName condition="is">ocsp.msocsp.com</QueryName>
-                <!-- Microsoft:OCSP -->
-                <QueryName condition="end with">pki.goog</QueryName>
-                <QueryName condition="is">ocsp.godaddy.com</QueryName>
-                <QueryName condition="end with">amazontrust.com</QueryName>
-                <QueryName condition="is">ocsp.sectigo.com</QueryName>
-                <QueryName condition="is">pki-goog.l.google.com</QueryName>
-                <QueryName condition="end with">.usertrust.com</QueryName>
-                <QueryName condition="is">ocsp.comodoca.com</QueryName>
-                <QueryName condition="is">ocsp.verisign.com</QueryName>
-                <QueryName condition="is">ocsp.entrust.net</QueryName>
-                <QueryName condition="end with">ocsp.identrust.com</QueryName>
-                <QueryName condition="is">status.rapidssl.com</QueryName>
-                <QueryName condition="is">status.thawte.com</QueryName>
-                <QueryName condition="is">ocsp.int-x3.letsencrypt.org</QueryName>
-            </DnsQuery>
-            <!-- SYSMON EVENT ID 23 : FILE DELETE [FileDelete] -->
-        <RuleGroup name="File Delete Monitoring" groupRelation="or">
-            <FileDelete onmatch="include">
-                <TargetFilename name="technique_id=T1070.004,apt=Volt Typhoon,Fancy Bear" condition="contains">*.log</TargetFilename> <!-- added 2025-01-08 by cpl iverson -->
-                <TargetFilename name="technique_id=S1040,apt=Fancy Bear" condition="contains">rclone.conf</TargetFilename> <!-- added 2025-01-08 by cpl iverson -->
-            </FileDelete>
-        </RuleGroup>
-        <!-- SYSMON EVENT ID 24 : CLIPBOARD CHANGE [ClipboardChange] -->
-        <RuleGroup name="Clipboard Change Monitoring" groupRelation="or">
-            <ClipboardChange onmatch="include">
-                <Process name="technique_id=S1018,apt=Fancy Bear" condition="contains">SaintBot</Process> <!-- added 2025-01-08 by cpl iverson -->
-                <Process name="T1113" condition="contains">gdi32.dll</Process> <!-- added 2025-01-08 by cpl iverson -->
-                <Process name="S0057" condition="contains">Tasklist</Process> <!-- added 2025-01-08 by cpl iverson -->
-            </ClipboardChange>
-        </RuleGroup>
-        </RuleGroup>
-        <!-- SYSMON EVENT ID 255 : ERROR -->
-        <!-- "This event is generated when an error occurred within Sysmon. They can happen if the system is under heavy load
-			and certain tasked could not be performed or a bug exists in the Sysmon service. You can report any bugs on the
-			Sysinternals forum or over Twitter (@markrussinovich)." -->
-        <!-- Cannot be filtered. -->
-    </EventFiltering>
-</Sysmon>
\ No newline at end of file