Sysmon - DFIR

A curated list of resources for learning about deploying, managing and hunting with Microsoft Sysmon. Contains presentations, deployment methods, configuration file examples, blogs and additional github repositories.

Sysmon Learning Resources

• General
  • Community Guide
    • TrustedSec Sysinternals Sysmon Community Guide
  • Utilities
    • SysmonHunter - An easy ATT&CK-based Sysmon hunting tool
    • SysmonX - An Augmented Drop-In Replacement of Sysmon
    • SysmonTools - Nader Shalabi
    • Parse Sysmon logs - Matt Churchill, CrowdStrike
    • Sysmon Config Bypass Finder - @MartinKorman
  • Presentations
    • Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk) -- 2018 - Tom Ueltschi
    • How to Go from Responding to Hunting with Sysinternals Sysmon - Mark Russinovich
    • Tracking Hackers on Your Network with Sysinternals Sysmon - Mark Russinovich
    • Advanced Incident Detection and Threat Hunting using Sysmon and Splunk Video - Tom Ueltschi
    • Advanced Incident Detection and Threat Hunting using Sysmon and Splunk Slides - Tom Ueltschi
    • Splunking the Endpoint - James Brodsky
    • Splunking the Endpoint: “Hands on!” Ransomware Edition - James Brodsky & Dimitri McKay
  • Graylog
    • Ion-Storm Graylog App
    • Back to Basics- Enhance Windows Security with Sysmon and Graylog - Jan Dobersten
  • ELK
    • Building a Sysmon Dashboard with an ELK Stack - Roberto Rodriguez
  • Splunk
    • Sysmon FTW! - Tom Ueltschi
    • TA-Sysmon-deploy - @olafhartong
    • Sysmon App for Splunk - @Jarrettp & @MHaggis
    • Sysmon-Threat-Intel - App - Jarrett Polcari @jarrettp
    • Splunk App to assist Sysmon Threat Hunting - Mike Haag
    • Splunking the Endpoint - Files from presentation - James Brodsky & Dimitri McKay
  • RSA Netwitness
    • Log - Sysmon 6 Windows Event Collection - Eric Partington
  • Deploy Sysmon
    • Sysmon.bat - Ion-Storm
    • Deploying Sysmon through Group Policy - Pablo Delgado
  • Sysmon Configuration Files
    • Sysmon Config files - Moti Bani @MotiBa
    • sysmon-modular | A Sysmon configuration repository for everybody to customize - @olafhartong
    • SwiftOnSecurity Sysmon Configuration
    • Ion-Storm Graylog App and Sysmon Configuration
    • 909Research Blog
    • Decent Security Config
    • MalwareArchaeology
  • Microsoft System Center
    • Microsoft System Center Advisor Sysmon Events collector - Microsoft.IntelligencePacks.Sysmon :: 7.0.11728.0 (Management Pack)
  • Blogs
    • Detecting (Some) Malicious Office Documents Using Sysmon - @malwaresoup
    • Chronicles of a Threat Hunter: Hunting for WMImplant with Sysmon and ELK - Part I - Roberto Rodriguez
    • Chronicles of a Threat Hunter: Hunting for In-Memory Mimikatz with Sysmon and ELK - Part I (Event ID 7) - Roberto Rodriguez
    • Effectively analysing sysmon logs - Adrian Shaw
    • Explaining and adapting Tay’s Sysmon configuration - Lennart Koopmann
    • Detecting Lateral Movement Using Sysmon and Splunk - David French
    • Setting up Elasticsearch 5.x – Sending Windows Logs using WinLogbeat 5.x Part 2/3 - Pablo Delgado
    • Advanced Sysmon filtering using Logstash - Pablo Delgado
    • Sample sysmon events and the schema you can expect in Sysmon v6 - @williballenthin
    • Sysmon Woes, Elasticsearch and MITRE’s ATT&CK Matrix - Black Lantern Security
    • Parsing Sysmon Events for IR Indicators - CrowdStrike
    • Detecting Advanced Threats with Sysmon, WEF and ElasticSearch - Joshua Lewis
    • Sysinternals New Tool Sysmon (System Monitor) - Carlos Perez
    • Putting attackers in hi vis jackets with sysmon - Adrian Shaw
    • Sample sysmon events and the schema you can expect in Sysmon v6 - @williballenthin
  • Sysmon Github Projects
    • Powershell Sysmon - GitHub - Carlos Perez
    • Sysmon queries - GitHub - James Habben
    • Splunk TA for Sysmon - GitHub - @daveherrald
    • SplunkMon cofiguration - GitHub - The Crypsis Group
    • Desired State Configuration for Deploying/Maintaining Sysmon - GitHub - @AwfulyPrideful

General

Sysmon Configuration

Sysmon-Modular

sysmon-modular | A Sysmon configuration repository for everybody to customize - @olafhartong

@SwiftOnSecurity config

Config will assist with bringing you up to speed in relation to critical process monitoring, network utilization, and so on. Note that the concept is to not log everything, but the most important items.

https://github.com/SwiftOnSecurity/sysmon-config

Sysmon_config.xml

Solid, detailed config. Probably one of the best ones out there in relation to completeness.

MalwareArchaeology

Sysmon-a.cfg

Basic config that will monitor critical Windows process execution. Very basic, but a good config to get used to sysmon and how things operate.

Blog post by blacklanternsecurity

Sysmon-b.cfg

Crypsis Group published config and PDF. Fairly detailed list of excludes that should assist with understanding how they work and get a configuration started.

Crypsis Group Config

Crypsis Group PDF

Sysmon-c.cfg

Great configuration to understand excludes and contains.

Decent Security Config

Sysmon-d.cfg

Solid blog post related to getting started with Sysmon. Config is nicely laid out and easy to understand.

909Research Blog

Sysmon-e.cfg

Config is specific but it provides a good foundation for capturing a lot of specific data.

https://github.com/Prevenity/sysmon

(Translated comments to english)

StartLogging.xml

Provided by https://github.com/Cyb3rWard0g - Roberto Rodriguez

https://gist.github.com/Cyb3rWard0g/6f69475a667ef298d829370bd26ba8c2

Sysmoncfg_v2|31.xml

Related material from Splunking the Endpoint .conf talk by James Brodsky and Dimitri McKay.

Splunking the Endpoint - Files from presentation

Configs are optimized for Splunk.

Additional configs

Configs are updated frequently --

SwiftOnSecurity Fork by Ion-Storm

Server Config: https://gist.github.com/Neo23x0/a4b4af9481e01e749409

Client config: https://gist.github.com/Neo23x0/f56bea38d95040b70cf5