From 9c8990a29721a4e3dc19da03107eb006b34b6eff Mon Sep 17 00:00:00 2001
From: Tobias Michalski <tobias.michalski@bsk-consulting.de>
Date: Mon, 14 Jun 2021 11:45:49 +0200
Subject: [PATCH 1/3] Condition for Outlook WebView URL Registry Change

---
 sysmonconfig-export.xml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f4acf26..f004170 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -647,6 +647,7 @@
 			<!--Office-->
 			<TargetObject name="T1137" condition="contains">Microsoft\Office\Outlook\Addins\</TargetObject> <!--Microsoft:Office: Outlook add-ins, access to sensitive data and often cause issues-->
 			<TargetObject name="T1137" condition="contains">Office Test\</TargetObject> <!-- Microsoft:Office: Persistence method [ http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/ ] | Credit @Hexacorn -->
+			<TargetObject name="Suspicious,ChangedURLOutlook" condition="contains all">\Software\Microsoft\Office\;\Outlook\WebView\;URL</TargetObject> <!-- The URL shouldn't be changed all that often and could enable persistance for hackers | @humpelpum [ https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70 ]-->
 			<TargetObject name="Context,ProtectedModeExitOrMacrosUsed" condition="contains">Security\Trusted Documents\TrustRecords</TargetObject> <!--Microsoft:Office: Monitor when "Enable editing" or "Enable macros" is used | Credit @OutflankNL | [ https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/ ] -->
 			<!--IE-->
 			<TargetObject name="T1176" condition="contains">Internet Explorer\Toolbar\</TargetObject> <!--Microsoft:InternetExplorer: Machine and user [ Example: https://www.exterminate-it.com/malpedia/remove-mywebsearch ] -->
@@ -701,6 +702,9 @@
 			<!--Suspicious sources-->
 			<Image name="Suspicious,ImageBeginWithBackslash" condition="end with">regedit.exe</Image> <!--Users and helpdesk staff making system modifications -->
 			<Image name="Suspicious,ImageBeginWithBackslash" condition="begin with">\</Image> <!--Devices and VSC shouldn't be executing changes | Credit: @SBousseaden @ionstorm @neu5ron @PerchedSystems [ https://twitter.com/SwiftOnSecurity/status/1133167323991486464 ] -->
+			
+
+
 		</RegistryEvent>
 	</RuleGroup>
 

From 96209b3d28a1129fca258e2c9d29b8cf0d0e19a7 Mon Sep 17 00:00:00 2001
From: Tobias Michalski <tobias.michalski@bsk-consulting.de>
Date: Mon, 14 Jun 2021 11:51:28 +0200
Subject: [PATCH 2/3] Removed unnecessary whitespaces

---
 sysmonconfig-export.xml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f004170..5bf4e0e 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -702,9 +702,6 @@
 			<!--Suspicious sources-->
 			<Image name="Suspicious,ImageBeginWithBackslash" condition="end with">regedit.exe</Image> <!--Users and helpdesk staff making system modifications -->
 			<Image name="Suspicious,ImageBeginWithBackslash" condition="begin with">\</Image> <!--Devices and VSC shouldn't be executing changes | Credit: @SBousseaden @ionstorm @neu5ron @PerchedSystems [ https://twitter.com/SwiftOnSecurity/status/1133167323991486464 ] -->
-			
-
-
 		</RegistryEvent>
 	</RuleGroup>
 

From d63e86fb17aaca5831ac6eb9676bb5979dcd9047 Mon Sep 17 00:00:00 2001
From: humpalum <humpalum@users.noreply.github.com>
Date: Mon, 26 Jul 2021 09:39:36 +0200
Subject: [PATCH 3/3] Breaking the config

---
 sysmonconfig-export.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 5bf4e0e..ec05cd2 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -80,7 +80,7 @@
 			code signatures to validate, but Sysmon does not support that. Look into AppLocker/WindowsDeviceGuard for whitelisting support. -->
 
 		<!--DATA: UtcTime, ProcessGuid, ProcessID, Image, FileVersion, Description, Product, Company, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine, RuleName-->
-	<RuleGroup name="" groupRelation="or">
+	<RuleGroup name="" groupRelation="or"
 		<ProcessCreate onmatch="exclude">
 			<!--SECTION: Microsoft Windows-->
 			<CommandLine condition="begin with"> "C:\Windows\system32\wermgr.exe" "-queuereporting_svc" </CommandLine> <!--Windows:Windows error reporting/telemetry-->
@@ -1157,4 +1157,4 @@
 		<!--Cannot be filtered.-->
 
 	</EventFiltering>
-</Sysmon>
\ No newline at end of file
+</Sysmon>