From 41dfcf379c7c093d11ce77594542cae31b0c556a Mon Sep 17 00:00:00 2001 From: Carlos Perez Date: Wed, 13 Jan 2021 15:17:37 -0400 Subject: [PATCH] update table with changes --- the-sysmon-driver.md | 129 +++++++++++++++++++++++++++---------------- 1 file changed, 80 insertions(+), 49 deletions(-) diff --git a/the-sysmon-driver.md b/the-sysmon-driver.md index b3ff3e9..99739f6 100644 --- a/the-sysmon-driver.md +++ b/the-sysmon-driver.md @@ -21,103 +21,134 @@ Sysmon sets multiple callbacks on kernel objects in addition to using telemetry When the tool is downloaded from the Microsoft Sysinternals website it is important to save and identify previous versions since Microsoft does not provide older versions and the release notes do not detail what has been fixed. Microsoft has a fast release cycle, forcing users to test very carefully and to keep track of versions. - - - + - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - + + + + + + + - - - - - - + - - - - - - + - - - -
+

Version

+

Schema

+

Features

-

Known Issues

-
+

Release

+
+

13.01

+
4.50  * Fixed regression bug where several event types where not logged.  January 13, 2021
+

13.0

+
 4.50 * Added support for Process Tampering Detection. January 11, 2021
12.03 4.40 * fixes reporting and a possible crash condition for PipeEvent and RegistryEvent rules. November 25, 2020
12.02 4.40 * This update to Sysmon fixes several configuration parsing bugs. November 4, 2020
12.01 4.40 * Security and bug fix release, resolves a PipeEvent processing issue and adds extra checks to kernel writes. October 16, 2020

12.0

+

4.40

+

* Added support to capture text stored in to the clipboard by a process.

-

* Kernel memory write that can lead to code execution.

-

* Metadata for driver still references.

-

* Sysmon 11.1 and may affect install scripts.

-

* Problems matching filters for FileDelete.

-

* Blue Screen on some Windows 2016 DCs

-
+

September 17, 2020

+
+

11.11

+
+

4.4

+
+

* Fixes a bug that prevented USB media from being ejected.

+

* Fixes an issue that could stop network event logging and a resulting memory leak.

+

* Fixes logs file delete events for delete-on-close files.

+
+

July 15, 2020

+

11.1

+

4.31

+

* For Event ID 15 “Content field was added to save text streams of less than 1k.

* The –a commandline option has been removed. The custom archive directory must be set via configuration file.

* Fix Issue where EventID 1 was not logged on Windowds 2016 and Windows 10.

* Fix rule parsing issue.

-

* Kernel memory write that can lead to code execution.

-

* Blue Screen on on Win10 1809 

-
+

June 24, 2020

+

11.0

+

4.30

+

* Control Reverse DNS Lookup.

* Log file deletions and story copy of the file.

* Bug Fixes.

-

* Does not log Process Creation on Windows 2016.

-

* Kernel memory write that can lead to code execution.

-
+

April 28, 2020

+

10.42

+

4.23

-

* Fixed multiple memory leaks

-

* Introduces the "Excludes Any" and "Excludes All" filtering conditions

-
-

* Issues with parsing some rules in configuration files.

+
+
* Memory leaks in DNS, Networking and Image load events
+
* Bug fixes including filtering, rule group names, NULL process GUIDS and W3LOGSVC interop issue
+
* Increased rule name field length from 32 to 128 characters
+
* Added “excludes any” and “excludes all” filtering conditions.
+
* Performance improvements for ImageLoad module
+

December 11, 2019
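Review bot: the new 13.0 row (January 11, 2021) carries no Known Issues entry, yet the 13.01 row added directly above it exists to fix "a regression bug where several event types where not logged"; that regression should be recorded as a known issue of 13.0, the way the 12.0, 11.1 and 11.0 rows list the problems their successors fixed, so a reader who tracks the table knows 13.0 drops events and must move to 13.01. Two wording issues in the changed rows: the 13.01 feature text "event types where not logged" should read "were not logged", and the 11.11 row gives its schema as "4.4" while every other row uses two decimals ("4.30", "4.31", "4.40", "4.50"), so please confirm the intended schema number and write it in the same form. The new 10.42 feature bullets are also inconsistently punctuated (only "Added “excludes any” and “excludes all” filtering conditions." ends with a period); pick one style for the list.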