<div id="readability-page-1" class="page"><div id="post-body-5547410768131972183" itemprop="articleBody">
특정 경로의 실행 파일을 예외 처리하는 Network connection 이벤트 필터링 설정.&nbsp;
<div><pre><code>&lt;Sysmon schemaversion="4.90"/&gt;&nbsp; &lt;!-- Capture all hashes --&gt;&nbsp; &lt;HashAlgorithms&gt;*&lt;/HashAlgorithms&gt;&nbsp; &lt;EventFiltering&gt;&nbsp; &nbsp; &lt;FileDelete onmatch="include"/&gt;&nbsp; &nbsp; &lt;ClipboardChange onmatch="include"/&gt;&nbsp; &lt;ProcessCreate onmatch="exclude"/&gt;&nbsp; &nbsp; &lt;ProcessTerminate onmatch="include"/&gt;					&nbsp; &nbsp; &lt;ProcessTampering onmatch="exclude"/&gt;&nbsp; &nbsp; &lt;ProcessAccess onmatch="exclude"/&gt;&nbsp; &nbsp; &lt;FileCreateTime onmatch="exclude"/&gt;&nbsp; &nbsp; &lt;FileCreate onmatch="exclude"/&gt;&nbsp; &nbsp; &lt;FileCreateStreamHash onmatch="exclude"/&gt;<a name="more"></a>&nbsp; &nbsp; &lt;NetworkConnect onmatch="exclude"/&gt;	&lt;Image condition="begin with"/&gt;C:\Splunk&lt;/Image&gt;	&lt;Image condition="begin with"/&gt;D:\ELK&lt;/Image&gt;&nbsp; &nbsp; &lt;/NetworkConnect&gt;&nbsp; &nbsp; &lt;DriverLoad onmatch="exclude"/&gt;&nbsp; &nbsp; &lt;ImageLoad onmatch="exclude"/&gt;&nbsp; &nbsp; &lt;CreateRemoteThread onmatch="exclude"/&gt;&nbsp; &nbsp; &lt;RawAccessRead onmatch="exclude"/&gt;&nbsp; &nbsp; &lt;RegistryEvent onmatch="exclude"/&gt;&nbsp; &lt;PipeEvent onmatch="exclude"/&gt;&nbsp; &nbsp; &lt;WmiEvent onmatch="exclude"/&gt;&nbsp; &nbsp; &lt;DnsQuery onmatch="exclude"/&gt;&nbsp; &lt;/EventFiltering&gt;&lt;/Sysmon&gt;</code></pre></div>

And 조건으로 표시돼 헷갈리지만 조건 필드 이름이 같을 때 실제 동작 조건은 Or이며,
<div><pre><code>PS C:\Users\Administrator\Downloads\Sysmon&gt; .\Sysmon64.exe -cSystem Monitor v15.15 - System activity monitorBy Mark Russinovich and Thomas GarnierCopyright (C) 2014-2024 Microsoft CorporationUsing libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.Sysinternals - www.sysinternals.comCurrent configuration:&nbsp;- Service name:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Sysmon64&nbsp;- Driver name:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;SysmonDrv&nbsp;- Config file:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;.\sysmon.xml&nbsp;- Config hash:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;SHA256=637818313215997ADA80024CFBD275970441BAF61C746509AF7B347DB65EBFCB&nbsp;- HashingAlgorithms:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;SHA1,MD5,SHA256,IMPHASH&nbsp;- Network connection:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; enabled&nbsp;- Archive Directory:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;-&nbsp;- Image loading:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;enabled&nbsp;- CRL checking:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; enabled&nbsp;- DNS lookup:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; enabledRule configuration (version 4.90):&nbsp;- ProcessCreate&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; onmatch: exclude&nbsp; &nbsp;combine rules using 'And'&nbsp;- FileCreateTime&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;onmatch: exclude&nbsp; &nbsp;combine rules using 'And'&nbsp;- NetworkConnect&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;onmatch: exclude&nbsp; &nbsp;combine rules using 'And'&nbsp; &nbsp; &nbsp; &nbsp; Image&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; filter: begin with&nbsp; &nbsp;value: 'C:\Splunk'&nbsp; &nbsp; &nbsp; &nbsp; Image&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; filter: begin with&nbsp; &nbsp;value: 'D:\ELK'&nbsp;- ProcessTerminate&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;onmatch: include&nbsp; &nbsp;combine rules using 'And'&nbsp;- DriverLoad&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;onmatch: exclude&nbsp; &nbsp;combine rules using 'And'&nbsp;- ImageLoad&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; onmatch: exclude&nbsp; &nbsp;combine rules using 'And'&nbsp;- CreateRemoteThread&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;onmatch: exclude&nbsp; &nbsp;combine rules using 'And'&nbsp;- RawAccessRead&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; onmatch: exclude&nbsp; &nbsp;combine rules using 'And'&nbsp;- ProcessAccess&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; onmatch: exclude&nbsp; &nbsp;combine rules using 'And'&nbsp;- FileCreate&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;onmatch: exclude&nbsp; &nbsp;combine rules using 'And'&nbsp;- RegistryEvent&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; onmatch: exclude&nbsp; &nbsp;combine rules using 'And'&nbsp;- FileCreateStreamHash&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;onmatch: exclude&nbsp; &nbsp;combine rules using 'And'&nbsp;- PipeEvent&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; onmatch: exclude&nbsp; &nbsp;combine rules using 'And'&nbsp;- WmiEvent&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;onmatch: exclude&nbsp; &nbsp;combine rules using 'And'&nbsp;- DnsQuery&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;onmatch: exclude&nbsp; &nbsp;combine rules using 'And'&nbsp;- FileDelete&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;onmatch: include&nbsp; &nbsp;combine rules using 'And'&nbsp;- ClipboardChange&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; onmatch: include&nbsp; &nbsp;combine rules using 'And'&nbsp;- ProcessTampering&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;onmatch: exclude&nbsp; &nbsp;combine rules using 'And'</code></pre></div>
조건 필드가 다를 때만 And 조건으로 동작한다.<div><pre><code>&nbsp; &nbsp; &lt;NetworkConnect onmatch="exclude"/&gt;	&lt;Image condition="begin with"/&gt;C:\Splunk&lt;/Image&gt;	&lt;DestinationIp condition="is"/&gt;127.0.0.1&lt;/DestinationIp&gt;&nbsp; &nbsp; &lt;/NetworkConnect&gt;</code></pre></div>
<div><pre><code>&nbsp;- NetworkConnect&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;onmatch: exclude&nbsp; &nbsp;combine rules using 'And'&nbsp; &nbsp; &nbsp; &nbsp; Image&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; filter: begin with&nbsp; &nbsp;value: 'C:\Splunk'&nbsp; &nbsp; &nbsp; &nbsp; DestinationIp&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; filter: is&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;value: '127.0.0.1'</code></pre></div>
<h2><a href="https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-filtering-entries" target="_blank">다른 조건 필드의 Or 조건 동작이 필요하면?</a></h2>RuleGroup 지정 후 동작 방식을 명시해줘야 한다.
<div><pre><code>&nbsp; &nbsp; &lt;RuleGroup name="NetworkConnect group" groupRelation="or"&gt;	&lt;NetworkConnect onmatch="exclude"/&gt;	 &lt;Image condition="begin with"/&gt;C:\Splunk&lt;/Image&gt;	 &lt;DestinationIp condition="is"&gt;127.0.0.1&lt;/DestinationIp&gt;	&lt;/NetworkConnect&gt;&nbsp; &nbsp; &lt;/RuleGroup&gt;</code></pre></div>
<div><pre><code>&nbsp;- NetworkConnect&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;onmatch: exclude&nbsp; &nbsp;combine rules using 'Or'&nbsp; &nbsp; &nbsp; &nbsp; Image&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; filter: begin with&nbsp; &nbsp;value: 'C:\Splunk'&nbsp; &nbsp; &nbsp; &nbsp; DestinationIp&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; filter: is&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;value: '127.0.0.1'</code></pre></div>
<div>관련 글<div><ul><li><a href="https://kangmyounghun.blogspot.com/2021/01/sysmon-dns.html" target="">Sysmon을 이용한 DNS 트래픽 추적</a></li><li><a href="https://kangmyounghun.blogspot.com/2022/11/sysmon-unknown-process.html">Sysmon의 unknown process</a></li></ul></div></div>

</div></div>

케세라세라

특정 경로의 실행 파일을 예외 처리하는 Network connection 이벤트 필터링 설정. 
<Sysmon schemaversion="4.90"/>
  
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <FileDelete onmatch="include"/>
    <ClipboardChange onmatch="include"/>
  <ProcessCreate onmatch="exclude"/>
    <ProcessTerminate onmatch="include"/>					
    <ProcessTampering onmatch="exclude"/>
    <ProcessAccess onmatch="exclude"/>
    <FileCreateTime onmatch="exclude"/>
    <FileCreate onmatch="exclude"/>
    <FileCreateStreamHash onmatch="exclude"/>
    <NetworkConnect onmatch="exclude"/>
	<Image condition="begin with"/>C:\Splunk</Image>
	<Image condition="begin with"/>D:\ELK</Image>
    </NetworkConnect>
    <DriverLoad onmatch="exclude"/>
    <ImageLoad onmatch="exclude"/>
    <CreateRemoteThread onmatch="exclude"/>
    <RawAccessRead onmatch="exclude"/>
    <RegistryEvent onmatch="exclude"/>
  <PipeEvent onmatch="exclude"/>
    <WmiEvent onmatch="exclude"/>
    <DnsQuery onmatch="exclude"/>
  </EventFiltering>
</Sysmon>
And 조건으로 표시돼 헷갈리지만 조건 필드 이름이 같을 때 실제 동작 조건은 Or이며,
PS C:\Users\Administrator\Downloads\Sysmon> .\Sysmon64.exe -c
System Monitor v15.15 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2024 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com
Current configuration:
 - Service name:                  Sysmon64
 - Driver name:                   SysmonDrv
 - Config file:                   .\sysmon.xml
 - Config hash:                   SHA256=637818313215997ADA80024CFBD275970441BAF61C746509AF7B347DB65EBFCB
 - HashingAlgorithms:             SHA1,MD5,SHA256,IMPHASH
 - Network connection:            enabled
 - Archive Directory:             -
 - Image loading:                 enabled
 - CRL checking:                  enabled
 - DNS lookup:                    enabled
Rule configuration (version 4.90):
 - ProcessCreate                      onmatch: exclude   combine rules using 'And'
 - FileCreateTime                     onmatch: exclude   combine rules using 'And'
 - NetworkConnect                     onmatch: exclude   combine rules using 'And'
        Image                          filter: begin with   value: 'C:\Splunk'
        Image                          filter: begin with   value: 'D:\ELK'
 - ProcessTerminate                   onmatch: include   combine rules using 'And'
 - DriverLoad                         onmatch: exclude   combine rules using 'And'
 - ImageLoad                          onmatch: exclude   combine rules using 'And'
 - CreateRemoteThread                 onmatch: exclude   combine rules using 'And'
 - RawAccessRead                      onmatch: exclude   combine rules using 'And'
 - ProcessAccess                      onmatch: exclude   combine rules using 'And'
 - FileCreate                         onmatch: exclude   combine rules using 'And'
 - RegistryEvent                      onmatch: exclude   combine rules using 'And'
 - FileCreateStreamHash               onmatch: exclude   combine rules using 'And'
 - PipeEvent                          onmatch: exclude   combine rules using 'And'
 - WmiEvent                           onmatch: exclude   combine rules using 'And'
 - DnsQuery                           onmatch: exclude   combine rules using 'And'
 - FileDelete                         onmatch: include   combine rules using 'And'
 - ClipboardChange                    onmatch: include   combine rules using 'And'
 - ProcessTampering                   onmatch: exclude   combine rules using 'And'
조건 필드가 다를 때만 And 조건으로 동작한다.
    <NetworkConnect onmatch="exclude"/>
	<Image condition="begin with"/>C:\Splunk</Image>
	<DestinationIp condition="is"/>127.0.0.1</DestinationIp>
    </NetworkConnect>
 - NetworkConnect                     onmatch: exclude   combine rules using 'And'
        Image                          filter: begin with   value: 'C:\Splunk'
        DestinationIp                  filter: is           value: '127.0.0.1'
다른 조건 필드의 Or 조건 동작이 필요하면?
RuleGroup 지정 후 동작 방식을 명시해줘야 한다.
    <RuleGroup name="NetworkConnect group" groupRelation="or">
	<NetworkConnect onmatch="exclude"/>
	 <Image condition="begin with"/>C:\Splunk</Image>
	 <DestinationIp condition="is">127.0.0.1</DestinationIp>
	</NetworkConnect>
    </RuleGroup>
 - NetworkConnect                     onmatch: exclude   combine rules using 'Or'
        Image                          filter: begin with   value: 'C:\Splunk'
        DestinationIp                  filter: is           value: '127.0.0.1'
관련 글
Sysmon을 이용한 DNS 트래픽 추적
Sysmon의 unknown process

Sysmon의 이벤트 필터링

댓글