I wanted to track some of the TTPs/methods I was learning while in CRTO2. This isn't perfect, and will be refined over time. Some of the API calls are still very vague. There are some obvious TTPs that I left out to reduce noise. These are commented out in the ruleset and can be changed. This is a mix of things I've found from other creators and some I've implemented myself/tweaked.
Research that helped: https://github.com/jsecurity101/TelemetrySource (jsecurity101, for reverse engineering Sysmon and correlating events to Win32 API calls), and as always, thanks to the SpecterOps bois: https://posts.specterops.io/uncovering-the-unknowns-a47c93bb6971 and https://specterops.io/wp-content/uploads/sites/3/2022/06/Subverting_Sysmon.pdf