Module Library
The ICS Watch Dog module library provides opt-in XML fragments that advanced users merge into a base curated configuration to add vendor-specific, sector-specific, protocol-specific, or software-specific monitoring without editing the curated configs directly.
Curated configs remain the primary supported deployment artifact. The module library is for users who have outgrown the baselines and want to compose customized configs without forking. If you are new to ICS Watch Dog, start with the curated configurations first.
How Modules Work
A module is a partial Sysmon XML fragment containing one or more `<RuleGroup>` elements. It is not a complete Sysmon config. It has no `<Sysmon>` root element, no `<HashAlgorithms>`, no `<CheckRevocation>`, and no `<EventFiltering>` wrapper.
The merge tool (`tools/Merge-SysmonModules.ps1`) reads a base curated config plus a list of modules, inserts each module's `<RuleGroup>` elements into the base config's `<EventFiltering>` section, and writes the merged result to a new file.
Base config + Module A + Module B + ... = Merged config
The base config's meta configuration (`HashAlgorithms`, `CheckRevocation`, `schemaversion`) is preserved as-is. All include rules in modules use the same ATT&CK structured tagging convention as the curated configs.
Module Categories
| Category | Directory | Rule Type | Purpose |
|---|---|---|---|
| OT Vendor | `vendor-ot/` | Include | Monitor OT vendor software (Siemens, Rockwell, Schneider, AVEVA, Ignition) |
| IT Vendor | `vendor-it/` | Exclude (noise reduction) | Suppress noise from IT software present in OT environments (browsers, Adobe, Office) |
| Cloud Storage | `cloud-storage/` | Dual-use | Detect or suppress cloud storage clients (Dropbox, OneDrive, Google Drive, Box, MEGA) |
| Sector | `sector/` | Include | Sector-specific monitoring (electric, water, oil/gas, manufacturing) |
| Protocol | `protocol/` | Include | Industrial protocol port monitoring (Modbus, OPC-UA, DNP3, S7comm, EtherNet/IP, BACnet, IEC 60870-5-104, MQTT) |
| Remote Access | `remote-access/` | Dual-use | Per-tool RMM detection or noise reduction (TeamViewer, AnyDesk, ScreenConnect, RustDesk) |
| LOLBAS | `lolbas/` | Include (Tier 3 comprehensive) | Comprehensive Living off the Land Binaries and Scripts detection (T1218 family, T1059.001 offensive PowerShell, T1047 WMIC, T1140/T1105 certutil, T1197 BITS, T1220 XSL, T1127 trusted developer utilities, persistence/discovery patterns, T1562.001 AMSI bypass, .NET unmanaged abuse, long-tail rare LOLBAS including WSL). See the LOLBAS Detection page for the full strategy. |
Dual-Use Convention
Cloud storage and remote access tools are dual-use: a sanctioned tool needs noise reduction, while unsanctioned use needs active detection. The library provides both stances for each tool:
| File | Use If | Effect |
|---|---|---|
| `exclude_<tool>.xml` | The tool is sanctioned at your site | Suppresses Sysmon events from the tool to reduce noise |
| `include_<tool>.xml` | The tool is NOT sanctioned at your site | Generates detection events when the tool is observed |
Pick exactly one per tool based on site policy. The merge tool does not enforce mutual exclusion. Merging both `exclude_<tool>.xml` and `include_<tool>.xml` for the same tool produces unpredictable results.
Schema Versions and Provenance
All modules use schema 4.90 (Sysmon v15+). The merge tool warns on schema mismatches between modules and the base config.
Every module includes a provenance block in its header documenting where the rule content came from, and a companion .validation.md file recording what has been tested. Confidence levels:
| Level | Meaning |
|---|---|
| verified-in-lab | Tested against a real installation with documented evidence |
| vendor-documented | Built from vendor public documentation (not lab-tested) |
| security-research | Based on security research, LOLBAS Project, MITRE ATT&CK |
| theoretical | Plausible patterns without authoritative source |
Using the Merge Tool
The merge tool is a PowerShell script that runs on Windows PowerShell 5.1+ or PowerShell Core 7+ (Windows, Linux, macOS). It has no external dependencies.
Basic Usage
```powershell
.\tools\Merge-SysmonModules.ps1 `
    -BaseConfig sysmon-configs\sysmonconfig-baseline-ot.xml `
    -Modules @(
        'sysmon-configs\modules\vendor-ot\siemens-tia-portal.xml',
        'sysmon-configs\modules\protocol\modbus-tcp.xml',
        'sysmon-configs\modules\cloud-storage\include_dropbox.xml'
    ) `
    -OutputPath sysmonconfig-site-acmeplant.xml
```
Parameters
| Parameter | Required | Description |
|---|---|---|
| `-BaseConfig` | Yes | Path to a curated Sysmon configuration file |
| `-Modules` | Yes | Array of paths to module XML fragment files |
| `-OutputPath` | Yes | Path where the merged config will be written |
| `-VerboseLogging` | No | Print detailed progress information |
What the Tool Does
- Validates that the base config is a well-formed Sysmon XML file
- For each module, validates that it contains only `<RuleGroup>` elements (rejects modules containing forbidden meta elements like `<Sysmon>`, `<HashAlgorithms>`, etc.)
- Inserts each module's `<RuleGroup>` elements into the base config's `<EventFiltering>` section, in order
- Preserves the base config's meta section (`HashAlgorithms`, `CheckRevocation`, `schemaversion`)
- Validates the output XML well-formedness before writing
- Reports a manifest of which modules were merged
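The merge steps listed above, together with the dual-use caveat (a module list should not carry both `include_<tool>.xml` and `exclude_<tool>.xml` for one tool) and the schema-mismatch warning, as an added illustration in Python. This is an example written for this page, not the project's `tools/Merge-SysmonModules.ps1`. The base config and module fragments are constructed samples, and the `<!-- schema: X.YZ -->` header comment is an assumed convention used only so the example has a version to compare against `schemaversion`.

```python
"""Illustration of the module-merge logic described on this page (added example,
not the project's Merge-SysmonModules.ps1). All sample XML below is constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for a curated baseline config.
BASE_CONFIG = """<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <CheckRevocation>False</CheckRevocation>
  <EventFiltering>
    <RuleGroup name="baseline" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Image condition="end with">cmd.exe</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

# Constructed module fragments. Valid ones carry only <RuleGroup> elements at the
# top level; the last one illegally carries a <Sysmon> root and must be rejected.
MODULES = {
    "protocol/modbus-tcp.xml": """<!-- schema: 4.90 -->
<RuleGroup name="modbus-tcp" groupRelation="or">
  <NetworkConnect onmatch="include">
    <DestinationPort condition="is">502</DestinationPort>
  </NetworkConnect>
</RuleGroup>""",
    "cloud-storage/include_dropbox.xml": """<!-- schema: 4.50 -->
<RuleGroup name="include_dropbox" groupRelation="or">
  <ProcessCreate onmatch="include">
    <Image condition="end with">Dropbox.exe</Image>
  </ProcessCreate>
</RuleGroup>""",
    "bad/has-root.xml": '<Sysmon schemaversion="4.90"><EventFiltering/></Sysmon>',
}


def parse_module(text):
    """A fragment may hold several sibling <RuleGroup>s, so wrap it in a synthetic
    root before parsing (the same trick the contribution rules use for xmllint)."""
    return list(ET.fromstring("<synthetic-root>" + text + "</synthetic-root>"))


def validate_module(text):
    """Reject any fragment whose top-level elements are not all <RuleGroup>."""
    elems = parse_module(text)
    bad = [e.tag for e in elems if e.tag != "RuleGroup"]
    if bad:
        raise ValueError(f"module carries forbidden top-level elements: {bad}")
    return elems


def module_schema(text):
    """Assumed '<!-- schema: X.YZ -->' header comment; None when absent."""
    match = re.search(r"schema:\s*([\d.]+)", text)
    return match.group(1) if match else None


def check_dual_use(paths):
    """Tools listed with both an include_ and an exclude_ variant. The merge tool
    does not enforce this, so a pre-flight check is where it belongs."""
    stances = {}
    for path in paths:
        match = re.search(r"(include|exclude)_([A-Za-z0-9]+)\.xml$", path)
        if match:
            stances.setdefault(match.group(2), set()).add(match.group(1))
    return sorted(tool for tool, seen in stances.items() if len(seen) == 2)


def merge(base_xml, modules):
    """Append each module's <RuleGroup>s to <EventFiltering>, in order, leaving the
    base's meta elements untouched. Returns (merged_xml, manifest, warnings)."""
    base = ET.fromstring(base_xml)
    filtering = base.find("EventFiltering")
    if base.tag != "Sysmon" or filtering is None:
        raise ValueError("base is not a Sysmon config with an EventFiltering section")
    base_schema = base.get("schemaversion")
    manifest, warnings = [], []
    for name, text in modules:
        elems = validate_module(text)
        schema = module_schema(text)
        if schema and schema != base_schema:
            warnings.append(f"{name}: schema {schema} differs from base {base_schema}")
        for elem in elems:
            filtering.append(elem)
        manifest.append((name, len(elems)))
    merged = ET.tostring(base, encoding="unicode")
    ET.fromstring(merged)  # re-parse: output must be well-formed before it is written
    return merged, manifest, warnings


def rule_group_names(xml_text):
    """Names of every RuleGroup under EventFiltering, in document order."""
    root = ET.fromstring(xml_text)
    return [rg.get("name") for rg in root.find("EventFiltering").findall("RuleGroup")]


if __name__ == "__main__":
    chosen = ["protocol/modbus-tcp.xml", "cloud-storage/include_dropbox.xml"]
    print("dual-use conflicts:", check_dual_use(chosen))
    merged, manifest, warnings = merge(BASE_CONFIG, [(n, MODULES[n]) for n in chosen])
    print("manifest:", manifest, "warnings:", warnings)
    print("rule groups in output:", rule_group_names(merged))
```

The ordering guarantee matters for Sysmon: rules are evaluated in document order, so the baseline's groups stay first and each module's groups land after them in the order the modules were listed. The final re-parse is the cheap equivalent of the `xmllint --noout` step in the Validation section.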
Bounded Scope
This tool exists only to merge ICS Watch Dog modules into ICS Watch Dog base configs. It is intentionally not a general-purpose Sysmon config generator.
Validation
After merging, validate your output config:
- XML well-formedness: `xmllint --noout merged-config.xml`
- Load into Sysmon: `Sysmon64.exe -c merged-config.xml` (look for "Configuration updated.")
- Verify coverage: `.\Get-SysmonCoverage.ps1 -ConfigPath merged-config.xml`
Available Modules
The current release ships with 48 modules across all seven categories. See the module library on GitHub for the full list with descriptions and ATT&CK references.
The module library will grow over time as community contributions are accepted and additional vendors, sectors, and tools are added.
OT Vendor (5 modules)
- Siemens TIA Portal
- Rockwell Studio 5000 / RSLogix
- Schneider Electric EcoStruxure / Unity Pro / Citect
- AVEVA / OSIsoft PI System
- Inductive Automation Ignition Gateway
IT Vendor (5 modules, all noise reduction)
- Google Chrome
- Microsoft Edge
- Mozilla Firefox
- Adobe Acrobat Reader
- Microsoft Office (Word, Excel, PowerPoint, Outlook)
Cloud Storage (8 modules)
- Dropbox (exclude + include variants)
- OneDrive (exclude + include variants)
- Box (include variant)
- Google Drive (include variant)
- MEGA.nz (include only, generally not sanctioned)
- Anonymous file sharing (temp.sh, transfer.sh, file.io, anonfiles, MEGA, etc., include only)
Sector (4 modules)
- Electric utility (NERC CIP / IEC 61850 environments)
- Water and wastewater
- Oil and gas pipeline (TSA SD relevant)
- Manufacturing (discrete and process)
Protocol (8 modules)
- Modbus TCP (502)
- OPC UA (4840)
- EtherNet/IP (44818, 2222)
- DNP3 (20000)
- Siemens S7comm / ISO-TSAP (102)
- BACnet/IP (47808)
- IEC 60870-5-104 (2404)
- MQTT (1883, 8883)
Remote Access (5 modules)
- TeamViewer (exclude + include variants)
- AnyDesk (include)
- ConnectWise ScreenConnect (include)
- RustDesk (include)
LOLBAS (13 modules, 153 rules)
Comprehensive Living off the Land Binaries and Scripts detection. Tier 3 of the three-tier LOLBAS strategy. See the LOLBAS Detection page for full details.
- `include_signed_binary_proxy.xml` (25 rules) -- T1218 family comprehensive
- `include_powershell_offensive.xml` (15 rules) -- T1059.001 offensive patterns
- `include_wmic_abuse.xml` (10 rules) -- T1047 / T1021.003 / T1220
- `include_certutil_abuse.xml` (8 rules) -- All certutil abuse modes
- `include_bitsadmin_abuse.xml` (6 rules) -- T1197 BITS abuse
- `include_script_host_abuse.xml` (10 rules) -- cscript/wscript/jscript
- `include_trusted_developer_utilities.xml` (12 rules) -- T1127
- `include_xsl_script_processing.xml` (6 rules) -- T1220
- `include_persistence_via_lolbas.xml` (10 rules) -- at, schtasks, sc, reg add
- `include_discovery_recon.xml` (15 rules) -- whoami, net group, nltest, etc.
- `include_amsi_bypass_patterns.xml` (8 rules) -- T1562.001 AMSI bypass
- `include_dotnet_unmanaged_abuse.xml` (8 rules) -- csi, jsc, dotnet abuse
- `include_uncommon_lolbas.xml` (20 rules) -- Long-tail rare LOLBAS plus WSL detection
Contributing Modules
Module contributions are welcome via pull request. New modules must:
- Be a partial XML fragment with no `<Sysmon>` root element
- Include the standard module header (purpose, when to use, when not to use, ATT&CK references)
- Use the ATT&CK structured tagging convention for all include rules
- Use the `exclude=<context>` convention for exclude rules
- Default to schema 4.50 unless 4.90 features are essential
- Pass `xmllint` validation when wrapped in a synthetic root element
For dual-use cloud storage and remote access modules, contribute both `exclude_<tool>.xml` and `include_<tool>.xml` variants together. See the Community Contributions page for the contribution process.
Disclaimer
These modules are provided as-is for educational and operational use. They are NOT tested against all environments and may require tuning for your specific systems. Cutaway Security, LLC and contributors assume no liability for any impact resulting from the use of these modules. Users are responsible for testing in their own environments before production deployment.