<Sysmon schemaversion="4.90">
<!-- Sysmon configuration focused on a DLL side-loading / process-injection chain:
     process creation (EID 1), image loads from user-writable paths or without a valid
     signature (EID 7), remote thread creation (EID 8), high-risk process access masks
     (EID 10) and file drops into user-writable staging locations (EID 11).
     Every rule in this file is onmatch="include" and there are no exclude rules, so
     noise tuning is deliberately left for later. Event types with no rule here
     (e.g. NetworkConnect EID 3, DNS EID 22) keep Sysmon's default behaviour for that
     type - confirm what the target Sysmon build logs by default before relying on it. -->
<!-- Only SHA256 is computed for the Hashes field; other algorithms (e.g. IMPHASH for
     tooling clustering) would have to be listed here explicitly. -->
<HashAlgorithms>sha256</HashAlgorithms>
<EventFiltering>
<!-- 1. Process Create (EID 1) -->
<!-- "-" is Sysmon's placeholder for an empty field, so "CommandLine is not -" logs
     effectively every process creation. -->
<ProcessCreate onmatch="include">
<CommandLine condition="is not">-</CommandLine>
</ProcessCreate>
<!-- 7. Image Load (EID 7) -->
<!-- Focus on side-loading / user-writable DLL loads -->
<!-- NOTE(review): the "\Users\" rule already matches \AppData\ and \Downloads\ for
     images under a profile directory, so those two rules only add coverage for paths
     outside \Users\ (e.g. a renamed profile root). "\Temp\" also matches
     \Windows\Temp\. Several <ImageLoad onmatch="include"> elements of the same type
     appear in one RuleGroup; older Sysmon builds accepted only one filter per event
     type/onmatch - verify the config loads on the target version, or collapse the
     rules into a single <ImageLoad> element with groupRelation="or". -->
<RuleGroup name="ImageLoad_SuspiciousPathsOrUnsigned" groupRelation="or">
<ImageLoad onmatch="include">
<ImageLoaded condition="contains">\Users\</ImageLoaded>
</ImageLoad>
<ImageLoad onmatch="include">
<ImageLoaded condition="contains">\Temp\</ImageLoaded>
</ImageLoad>
<ImageLoad onmatch="include">
<ImageLoaded condition="contains">\AppData\</ImageLoaded>
</ImageLoad>
<ImageLoad onmatch="include">
<ImageLoaded condition="contains">\Downloads\</ImageLoaded>
</ImageLoad>
<!-- Optional: include unsigned/invalid signature DLL loads (can be noisy, tune later) -->
<!-- NOTE(review): these two rules are path-independent and will dominate EID 7 volume
     (every unsigned or unverifiable image load system-wide). "SignatureStatus is not
     Valid" also catches states where the signature could not be checked, not only bad
     signatures - confirm the exact status strings against a live event. -->
<ImageLoad onmatch="include">
<Signed condition="is">false</Signed>
</ImageLoad>
<ImageLoad onmatch="include">
<SignatureStatus condition="is not">Valid</SignatureStatus>
</ImageLoad>
</RuleGroup>
<!-- 8. Create Remote Thread (EID 8) -->
<CreateRemoteThread onmatch="include">
<!-- Start with include-all; you can add excludes later -->
<!-- SourceImage is always populated, so this is an include-all for EID 8. -->
<SourceImage condition="is not">-</SourceImage>
</CreateRemoteThread>
<!-- 10. Process Access (EID 10) -->
<!-- Core for injection prep: OpenProcess/VM_WRITE/CREATE_THREAD patterns -->
<!-- Mask rules below use "contains" substring matching on the GrantedAccess string.
     Reference (Windows PROCESS_* rights): VM_READ 0x10, VM_WRITE 0x20,
     VM_OPERATION 0x8, CREATE_THREAD 0x2, QUERY_INFORMATION 0x400,
     QUERY_LIMITED_INFORMATION 0x1000. No TargetImage scoping is applied, so these
     rules fire for any target process, not just e.g. lsass.exe - tune later. -->
<RuleGroup name="ProcessAccess_HighRiskMasks" groupRelation="or">
<!-- Very high / all access masks (common in tools + malware) -->
<!-- 0x1F0FFF = PROCESS_ALL_ACCESS (pre-Vista value), 0x1FFFFF = PROCESS_ALL_ACCESS
     (Vista and later). NOTE(review): Sysmon renders GrantedAccess without leading
     zeros (e.g. 0x1F0FFF), so the 0x001F0FFF / 0x001FFFFF variants are presumably
     dead rules - confirm against a live EID 10 event before keeping them. -->
<ProcessAccess onmatch="include">
<GrantedAccess condition="contains">0x1F0FFF</GrantedAccess>
</ProcessAccess>
<ProcessAccess onmatch="include">
<GrantedAccess condition="contains">0x001F0FFF</GrantedAccess>
</ProcessAccess>
<ProcessAccess onmatch="include">
<GrantedAccess condition="contains">0x1FFFFF</GrantedAccess>
</ProcessAccess>
<ProcessAccess onmatch="include">
<GrantedAccess condition="contains">0x001FFFFF</GrantedAccess>
</ProcessAccess>
<!-- Your original candidates (keep them) -->
<!-- 0x143A = QUERY_LIMITED_INFORMATION | QUERY_INFORMATION | VM_WRITE | VM_READ |
     VM_OPERATION | CREATE_THREAD - the classic write-then-thread injection mask.
     0x1010 = QUERY_LIMITED_INFORMATION | VM_READ (read-only memory access). -->
<ProcessAccess onmatch="include">
<GrantedAccess condition="contains">0x143A</GrantedAccess>
</ProcessAccess>
<ProcessAccess onmatch="include">
<GrantedAccess condition="contains">0x1010</GrantedAccess>
</ProcessAccess>
<!-- Useful additional common combos seen in injection workflows -->
<!-- 0x1410 = QUERY_LIMITED_INFORMATION | QUERY_INFORMATION | VM_READ (memory read,
     commonly seen against lsass). 0x1400 = QUERY_LIMITED_INFORMATION |
     QUERY_INFORMATION only - no VM_* or thread rights, so it is not injection-specific
     and is likely the noisiest rule in this group; consider dropping it or scoping it
     by TargetImage. 0x1FFFF is all specific rights plus DELETE; as a substring it
     also matches 0x1FFFFF, so it overlaps the all-access rule above. -->
<ProcessAccess onmatch="include">
<GrantedAccess condition="contains">0x1410</GrantedAccess>
</ProcessAccess>
<ProcessAccess onmatch="include">
<GrantedAccess condition="contains">0x1400</GrantedAccess>
</ProcessAccess>
<ProcessAccess onmatch="include">
<GrantedAccess condition="contains">0x1FFFF</GrantedAccess>
</ProcessAccess>
<!-- Optional: include call trace presence (often helpful, but can be noisy) -->
<!-- NOTE(review): CallTrace is populated on practically every EID 10 event, so with
     this rule active the group becomes an include-all for ProcessAccess and the mask
     rules above no longer reduce volume. Remove it (or replace it with a "contains"
     on a specific module, e.g. an unbacked/unknown region) once the baseline is known. -->
<ProcessAccess onmatch="include">
<CallTrace condition="is not">-</CallTrace>
</ProcessAccess>
</RuleGroup>
<!-- 11. File Create (EID 11) -->
<!-- For DLL drop + staging in user-writable paths -->
<!-- Any file type written under these paths is logged (no extension restriction
     inside this group). "\Temp\" also matches \Windows\Temp\. Unlike the ImageLoad
     group there is no "\Users\" rule here, so drops directly under a profile root
     (e.g. the Desktop) are not covered by path. -->
<RuleGroup name="FileCreate_SuspiciousDropLocations" groupRelation="or">
<FileCreate onmatch="include">
<TargetFilename condition="contains">\Temp\</TargetFilename>
</FileCreate>
<FileCreate onmatch="include">
<TargetFilename condition="contains">\AppData\</TargetFilename>
</FileCreate>
<FileCreate onmatch="include">
<TargetFilename condition="contains">\Downloads\</TargetFilename>
</FileCreate>
</RuleGroup>
<!-- Extension rules: these are additional includes, OR'd with the path group above,
     not a restriction of it. They log every .dll/.exe written anywhere on disk
     (installers, Windows Update, package managers), which is broad; if the intent
     is "only executables in the staging paths", move them into the RuleGroup as a
     single rule with groupRelation="and" instead. NOTE(review): as with ImageLoad,
     verify that the target Sysmon build accepts several FileCreate include filters. -->
<FileCreate onmatch="include">
<!-- .dll drops anywhere on disk -->
<TargetFilename condition="end with">.dll</TargetFilename>
</FileCreate>
<FileCreate onmatch="include">
<!-- .exe drops anywhere on disk -->
<TargetFilename condition="end with">.exe</TargetFilename>
</FileCreate>
</EventFiltering>
</Sysmon>