sysmon-config's People

Contributors

bartblaze, darkbat91, davidbernalm, dougburks, dweee, f-bader, ion28, itpropaul, keepwatch, maxnad, mmazanec, neo23x0, rmanly, rpunt, svch0stz, swiftonsecurity, tomx4096


sysmon-config's Issues

Powershell without Powershell Filters

I'd add logging of csc.exe and InstallUtil.exe to log compiling of executables, and add logging of InstallUtil.exe since it can be used to execute PowerShell commands without invoking powershell.exe.

Dropbox Updater

Is the Dropbox updater considered sufficiently hardened? If so, I think it would be prudent to add one of the below.

Image
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Or Command line
"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /ua /installsource scheduler

DNS Logging from Domain Controller/DNS Server

We're running into issues with deploying the new 10.2 version of Sysmon and the Alpha xml config. Right now, it is generating EventCode 22s for local DNS queries made on the actual Domain Controller. This was tested using ping to make a number of different calls. However, we noticed that we weren't receiving any external DNS queries from domain users. This particular DC is also configured as a DNS server so I was curious if anyone else has figured out how to log the routed DNS queries being made from end-users in their environment.

tl;dr We would like to capture all DNS queries being routed through the DC/DNS server, not just local queries. Has anyone figured out how to do this?

When is it an AND and when is it an OR ?

Please keep just a simple snippet in the README (or in the inline comments) to explain when the conditions are being OR-ed and when they are being AND-ed.

Example: https://pastebin.com/MdR8KGcs
(the text in the angle brackets was not showing up, so I pasted the query at pastebin as simple ASCII)

I did some testing, but can't get this to work:

If I want to log network connection events only when the destination port is 80 or 443 and the originating process is chrome.exe, how do I do that?

Issues with CommandLine conditions "Testing Line Dllhost.exe exclusion"

Any:

Trying to understand config fully.

Under ProcessCreate onmatch='exclude' I expect that all processes created on the system running Sysmon will be logged except what we specify in the stanzas below.

Line 76: C:\Windows\system32\DllHost.exe /Processid

When the system creates a service using DLLHost.exe from system32 the system "does not" log the event. This is expected.

When I attempt to invoke the process interactively from "cmd.exe" the system logs the event.

Can someone explain why this is and what I need to do to test this rule interactively or explain why I cannot?

Sysmon Event ID 7 : DLL (IMAGE) LOADED BY PROCESS not filtering

I modified the sysmon config to filter out some Event ID 7 processes and when I load the config, I still see Event ID 7 processes in event viewer. Anyone else having this issue?

<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS-->
	<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
	<ImageLoad onmatch="exclude">
		<Image condition="image">Conhost.exe</Image>
		<Image condition="image">whosip.exe</Image>
		<Image condition="image">g2mupdate.exe</Image>
		<Image condition="image">GoogleUpdate.exe</Image>
		<Image condition="image">FlashPlayerUpdateService.exe</Image>
		<Image condition="image">mscorsvw.exe </Image>
	<!-- Exclude SPLUNK -->
		<Image condition="image">splunkd.exe</Image>
		<Image condition="image">splunk-MonitorNoHandle.exe</Image>
		<Image condition="image">splunk-regmon.exe</Image>
		<Image condition="image">splunk-netmon.exe</Image>
		<Image condition="image">splunk-powershell.exe</Image>
		<Image condition="image">splunk-winprintmon.exe</Image>
		<Image condition="image">splunk-admon.exe</Image>
	</ImageLoad>

Typo with rtf

In the FilleEvent "include" filters, it says

".rft"[--RTF files often 0day malware vectors when opened by Office-]

It should be ".rtf"

z-AlphaVersion.xml broken on Sysmon 10.4?

It appears that the 10.x version of sysmon-config (z-AlphaVersion.xml) is broken on 10.4. I can't find an older version of 10.x to confirm. In addition I created some intentionally simple test configs and they appear to be broken on 10.4 so I have reason to believe this may be a Sysmon 10.4 bug, rather than an issue with this XML file. (I understand that this XML is tagged as an alpha version.)

Posted on Sysinternals Forums w/r/ apparent bug in Sysmon 10.4:
https://social.technet.microsoft.com/Forums/en-US/38375c19-08f9-497e-898b-8972ed6c185b/sysmon-104-apparent-bug-processing-config-xml?forum=miscutils

Newer versions of sysmon z-alphaversion

Has anyone been using newer versions of sysmon? I get an error when trying z-alphaversion.xml, and was wondering if there is an alternative config, or a place to download an older version of sysmon.

Error message I see:
RuleEngine Error: Multiple rule filters of the same type - Last error: The data is invalid.

Thanks

errors in config

From the sysmon docs:
"Within a rule, filter conditions on the same field have OR behavior, whereas conditions on different fields have AND behavior."

You've got a bunch of rules that appear to be expecting OR behavior for the different field value specifications within the rule.

TargetObject "HKLM\..." with condition="end with"

There are some TargetObjects like HKLM\SYSTEM... with condition="end with". Is this correct?

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System

Shouldn't it be "begin with"?

Incorrect Registry Location for WDigest Vuln

Thanks for the great config!

While testing, we noticed there is a misconfig related to the WDigest registry on line 619.
The registry is listed as:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
But that has too many "SecurityProviders" and the actual entry should be:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders

We've tested it and this change works for the WDigest registry detection. Per https://blogs.technet.microsoft.com/kfalde/2014/11/01/kb2871997-and-wdigest-part-1/ :

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest

Evasion Technique Enhancements

Just an example of a bypass technique that I'll commonly use: on 64-bit platforms there is the SysWOW64 directory, which is the 32-bit compatibility layer for 64-bit Windows. In the current configs, for things like wmiprvse (specifically in the ProcessCreation section) and essentially any entry where the path is specified as system32, if I call the 32-bit version of it, Sysmon wouldn't trigger on those. You could still copy the binary to a different location, but at least with these two you cover both major locations.

<CommandLine condition="contains">wmiprvse.exe -secured -Embedding</CommandLine> 

As an example, use contains instead, and rather than limiting it to system32, just remove the full path from the rulesets.

Just a suggestion!

-Dave

Others minifilters - some logs are not saved by Sysmon

There's a very interesting thing on line 445:
https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml

<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
		<!--EVENT 11: "File created"-->
		<!--NOTE:	Other filesystem "minifilters" can make it appear to Sysmon that some files are being written twice. This is not a Sysmon issue, per Mark Russinovich.-->
<!--NOTE:	You may not see files detected by antivirus. Other filesystem minifilters, like antivirus, can act before Sysmon receives the alert a file was written.-->

Could someone explain to me in detail why Sysmon or the Windows event log doesn't save some logs for the file create event if, for example, an antivirus has detected and deleted malware?

Is there any way to give Sysmon / Windows event logging a higher priority so it captures all events before other minifilters such as antivirus? Or is there another tool to do this?

Related process tree - have you any idea?

Hello guys. The new version of Sysmon 10 with DNS responses is awesome. I have an idea to create a related process tree between processes and threads. But can you help me: what kind of information from these logs should be interesting?

I mean, for example, some potentially related and correlated information like ProcessGUID:

<Data Name="ProcessGuid">{1afd9578-9ff5-5d04-0000-0010561d0901}</Data>

<Event>
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"/>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-06-15T07:36:24.435858500Z"/><EventRecordID>2469</EventRecordID>
<Correlation/>
<Execution ProcessID="2492" ThreadID="3668"/>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC1</Computer>
<Security UserID="S-1-5-18"/></System>
<EventData><Data Name="RuleName"/>
<Data Name="UtcTime">2019-06-15 07:36:22.146</Data>
<Data Name="ProcessGuid">{1afd9578-9ff5-5d04-0000-0010561d0901}</Data>
<Data Name="ProcessId">7084</Data>
<Data Name="Image">C:\Users\perun\Downloads\cycki.exe</Data>
<Data Name="User">PC1\perun</Data>
<Data Name="Protocol">tcp</Data>
<Data Name="Initiated">true</Data>
<Data Name="SourceIsIpv6">false</Data>
<Data Name="SourceIp">192.168.75.128</Data>
<Data Name="SourceHostname">PC1.localdomain</Data>
<Data Name="SourcePort">50669</Data>
<Data Name="SourcePortName"/>
<Data Name="DestinationIsIpv6">false</Data>
<Data Name="DestinationIp">217.8.117.24</Data>
<Data Name="DestinationHostname"/>
<Data Name="DestinationPort">80</Data>
<Data Name="DestinationPortName">http</Data></EventData></Event>

We can see in the same event logs that the ProcessGUID for the malware cycki.exe is the same:

<Event>
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"/><EventID>11</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>11</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-06-15T07:36:24.209491000Z"/><EventRecordID>2465</EventRecordID>
<Correlation/>
<Execution ProcessID="2492" ThreadID="3908"/>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC1</Computer>
<Security UserID="S-1-5-18"/></System>
<EventData><Data Name="RuleName"/>
<Data Name="UtcTime">2019-06-15 07:36:24.185</Data>
<Data Name="ProcessGuid">{1afd9578-9ff5-5d04-0000-0010561d0901}</Data>
<Data Name="ProcessId">7084</Data>
<Data Name="Image">C:\Users\perun\Downloads\cycki.exe</Data>
<Data Name="TargetFilename">C:\Users\perun\AppData\Local\Temp\D6421E87\ucrtbase.dll</Data>
<Data Name="CreationUtcTime">2019-06-15 07:36:24.185</Data></EventData></Event>

Also, what do the numbers and tags below mean?

<Version>5</Version>
<Level>4</Level>
<Task>3</Task>

NetworkConnect Recommendation

I would make a PR, but I'm keeping a lot more changes than just one in my fork, plus the change is concise enough that it'll fit in an issue easily.

I would recommend adding msiexec.exe to NetworkConnect logging. The reason being you can run

msiexec.exe /i http://site.com/pathtoamsi.msi

And msiexec will download the file and install it.

It is also worth noting that the URL does not need to end in .msi, it could just as easily be .jpg and it would work just the same as long as the file is actually an msi file.

Typo?

Hi,

Not sure, however I think there is a typo on line 294 (PreviousPolicyAreas). There is a curly bracket there? Looking forward to dive into this, thank you.

Cheers

Tore

templating for easier maintaining

I've been using this sysmon config for only a couple of months, but I like how it brightens areas I was blind to previously.
I find myself wanting to just add a few things to test how it works, or something local to my site.
Having a monolithic file makes that hard unless you're really used to everything in the file.
My suggestion is to create a python script (for example) that uses a standard templating engine and break this file up so the base template is just the main section headers and comments at the top of the file.
Then each section would be a directory by itself, in which a simple 50-main.xml file would exist,
or perhaps several files depending on how it's broken up.
This would allow for adding, say, a 10-test.xml for quick experiments or a 30-local.xml that could hold items local to my own site that have no need to be sent upstream.
Then running the script would generate the monolithic file that sysmon consumes.

This setup would also hopefully allow for easier merging of ideas from forks, as diffs would be useful again.
I've been chewing on this idea for a while and wanted to present it to see if it is something I should spend time on, as I have no time myself to maintain this idea forked from this repo.
Changing to this setup would likely also start the need to create a 'release' every so often,
as some people would likely consider it a hassle to install python to use this config.

Bug with FileCreate and Box Drive

There's a catastrophic bug that presents itself when using the FileCreate filter combined with an active installation of BoxDrive. It manifests itself by causing the affected machine to freeze almost completely. The mouse continues to move, but the user is unable to click on anything.

Killing Box.exe immediately after logon prevents the issue from occurring.

I tested and discovered this by removing all other filters one by one until I came to the one that fixed the issue.

Event 10 ProcessAccess - CPU Load

Having a problem with Sysmon CPU Load.
I have a pretty good rig and with my config, with Event 10 enabled (Doesn't matter what it is), Sysmon process CPU jumps up from 0.5% to 5-7%.
My other rig, which isn't as good, jumps from 0.5% to 15-20% Sysmon process CPU usage.
Example: mimikatz

When I disable this Event, it drops back down.
Is there any particular reason this one event requires so much CPU? Or better yet, a fix, without disabling it?

I also excluded my endpoint solution / av... by SourceImage / TargetImage .

Any ideas? Thanks in advance.

Review destination hostname filters

Because Sysmon logs the final destination DNS, and not the start, usually these redirect to CDNs. Need to research each one.

			<!--Hack tools hosting - UNDERGOING RENOVATION, NOT RELIABLE-->
			<!--TESTING <DestinationHostname condition="end with">githubusercontent.com</DestinationHostname> --> <!--Github: Malicious tools often loaded from here, not used except by developers-->
			<!--Suspicious destinations - UNDERGOING RENOVATION, NOT RELIABLE-->
			<!--TESTING <DestinationHostname condition="is">api.ipify.org</DestinationHostname> --> <!--Malware uses to get external IP address-->
			<!--TESTING <DestinationHostname condition="is">whatismyipaddress.com</DestinationHostname> --> <!--Malware uses to get external IP address-->
			<!--TESTING <DestinationHostname condition="is">edns.ip-api.com</DestinationHostname> --> <!--Malware uses to get external IP address-->
			<!--TESTING <DestinationHostname condition="is">checkip.dyndns.org</DestinationHostname> --> <!--Malware uses to get external IP address-->
			<!--TESTING <DestinationHostname condition="is">icanhazip.com</DestinationHostname> --> <!--Malware uses to get external IP address-->
			<!--TESTING <DestinationHostname condition="is">ifconfig.me</DestinationHostname> --> <!--Malware uses to get external IP address-->
			<!--TESTING <DestinationHostname condition="is">ifconfig.co</DestinationHostname> --> <!--Malware uses to get external IP address-->
			<!--TESTING <DestinationHostname condition="is">ipaddress.com</DestinationHostname> --> <!--Malware uses to get external IP address-->
			<!--Dynamic DNS Providers - UNDERGOING RENOVATION, NOT RELIABLE-->
			<!--TESTING <DestinationHostname condition="end with">dlinkddns.com</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<!--TESTING <DestinationHostname condition="end with">no-ip.com</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<!--TESTING <DestinationHostname condition="end with">no-ip.org</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<!--TESTING <DestinationHostname condition="end with">no-ip.biz</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<!--TESTING <DestinationHostname condition="end with">no-ip.info</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<!--TESTING <DestinationHostname condition="end with">noip.com</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<!--TESTING <DestinationHostname condition="end with">afraid.org</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<!--TESTING <DestinationHostname condition="end with">duckdns.org</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<!--TESTING <DestinationHostname condition="end with">changeip.com</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<!--TESTING <DestinationHostname condition="end with">ddns.net</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<!--TESTING <DestinationHostname condition="end with">hopto.org</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<!--TESTING <DestinationHostname condition="end with">zapto.org</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<!--TESTING <DestinationHostname condition="end with">servehttp.com</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
			<!--TESTING <DestinationHostname condition="end with">sytes.net</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->

Rule Group Inclusion & Exclusion

It appears you can only have an include OR an exclude statement per rule group. The correct format would be:

<RuleGroup name="FileCreateInclude" groupRelation="or">
  <FileCreate onmatch="include">
    <TargetFilename condition="end with">.bat</TargetFilename>
  </FileCreate>
</RuleGroup>
<RuleGroup name="FileCreateExclude" groupRelation="or">
  <FileCreate onmatch="exclude">
    <TargetFilename condition="begin with">t</TargetFilename>
  </FileCreate>
</RuleGroup>

This will result in the following (verified by running sysmon -c):

- FileCreate                         onmatch: include   combine rules using 'Or'
        TargetFilename                 filter: end with     value: '.bat'
 - FileCreate                         onmatch: exclude   combine rules using 'Or'
        TargetFilename                 filter: begin with   value: 't'

If both include and exclude are couched in the same rule group, sysmon only honors the include statements.
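A small model of these combination rules, added here as an illustration and not taken from the project: it parses a constructed config fragment that holds the chrome.exe/80/443 question from the "When is it an AND and when is it an OR?" issue as a <Rule>, applies the doc sentence quoted in "errors in config", and keeps include and exclude in separate groups as the sysmon -c output above shows. The exclude-wins precedence and the case-insensitive matching are this example's assumptions about Sysmon, not something stated on this page.

```python
"""Toy model of how Sysmon combines filter conditions (added example, not project code).
Encodes the doc sentence quoted in "errors in config", RuleGroup groupRelation and the
separate include/exclude sets shown by `sysmon -c` above; assumptions are marked."""
import xml.etree.ElementTree as ET

# Subset of Sysmon condition keywords; matching is assumed case-insensitive.
OPS = {
    "is": lambda a, w: a == w,
    "contains": lambda a, w: w in a,
    "begin with": lambda a, w: a.startswith(w),
    "end with": lambda a, w: a.endswith(w),
    "image": lambda a, w: a == w or a.rsplit("\\", 1)[-1] == w,  # full path or bare file name
}


def cond_matches(cond, event):
    """cond = (field, condition, value) against an event given as a dict of field -> value."""
    fld, op, want = cond
    return OPS[op](str(event.get(fld, "")).lower(), want.lower())


def rule_matches(rule, event):
    """rule = (groupRelation, [conds]). "and": conditions on the same field are OR-ed and
    different fields AND-ed (the quoted doc sentence); "or": every condition is OR-ed."""
    relation, conds = rule
    if relation == "or":
        return any(cond_matches(c, event) for c in conds)
    by_field = {}
    for c in conds:
        by_field.setdefault(c[0], []).append(c)
    return all(any(cond_matches(c, event) for c in cs) for cs in by_field.values())


def set_matches(fset, event):
    """fset = (RuleGroup groupRelation, [rules]); a bare filter element is a one-condition rule."""
    relation, rules = fset
    hits = [rule_matches(r, event) for r in rules]
    return all(hits) if relation == "and" else any(hits)


def parse_rulegroups(xml_text):
    """Map (event type, onmatch) -> filter set from a Sysmon config fragment."""
    sets = {}
    for rg in ET.fromstring(xml_text).iter("RuleGroup"):
        relation = rg.get("groupRelation", "or").lower()
        for ev in rg:
            rules = []
            for el in ev:
                kids = list(el) if el.tag == "Rule" else [el]
                conds = [(c.tag, c.get("condition", "is"), (c.text or "").strip()) for c in kids]
                rules.append((el.get("groupRelation", "and").lower(), conds))
            sets[(ev.tag, ev.get("onmatch", "include"))] = (relation, rules)
    return sets


def is_logged(sets, event_type, event):
    """Assumption: an exclude match always wins; with no include set, every non-excluded event logs."""
    exclude = sets.get((event_type, "exclude"))
    include = sets.get((event_type, "include"))
    if exclude is not None and set_matches(exclude, event):
        return False
    return True if include is None else set_matches(include, event)


# Constructed config: the chrome.exe/80/443 question answered with a <Rule>, plus the
# FileCreate include and exclude groups from the `sysmon -c` output above.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.22"><EventFiltering>
<RuleGroup name="" groupRelation="or"><NetworkConnect onmatch="include">
  <Rule groupRelation="and">
    <Image condition="image">chrome.exe</Image>
    <DestinationPort condition="is">80</DestinationPort>
    <DestinationPort condition="is">443</DestinationPort>
  </Rule>
</NetworkConnect></RuleGroup>
<RuleGroup name="" groupRelation="or"><FileCreate onmatch="include">
  <TargetFilename condition="end with">.bat</TargetFilename>
</FileCreate></RuleGroup>
<RuleGroup name="" groupRelation="or"><FileCreate onmatch="exclude">
  <TargetFilename condition="begin with">t</TargetFilename>
</FileCreate></RuleGroup>
</EventFiltering></Sysmon>"""
SETS = parse_rulegroups(SAMPLE_CONFIG)

# The same three conditions placed flat under the event type (no <Rule>): the group's
# groupRelation="or" ORs them, so ANY process on port 80 is logged. Placement decides AND vs OR.
FLAT_SETS = {("NetworkConnect", "include"): ("or", [("and", [c]) for c in [
    ("Image", "image", "chrome.exe"), ("DestinationPort", "is", "80"), ("DestinationPort", "is", "443")]])}


def net_logged(image, port, sets=SETS):
    """Would a NetworkConnect event from `image` to `port` be logged under `sets`?"""
    return is_logged(sets, "NetworkConnect", {"Image": image, "DestinationPort": str(port)})


def file_logged(target):
    """Would a FileCreate event for `target` be logged? Real TargetFilename values are full paths."""
    return is_logged(SETS, "FileCreate", {"TargetFilename": target})
```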

The description for Event ID 1 from source Microsoft-Windows-Sysmon cannot be found

The following message is prepended to the top of every Sysmon event for every Event ID:

The description for Event ID # from source Microsoft-Windows-Sysmon cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

I had been using an older version of the sysmon.exe utility but just updated to the latest version available and now this message is appearing. I am also using the latest version of the xml config file from your repo. Any advice on how to correct this issue?

Wmi Events Log Generation

The current config doesn't produce any WMI events out of the box.

Should the WmiEvent section of the config be set to "exclude" instead of "include" ?

IE below:

<WmiEvent onmatch="exclude">

</WmiEvent>

Image exclusion is not working for FileCreate

Hello, I installed Sysmon with your configuration file .

I receive event 11 with message like below:

File created:
UtcTime: 2017-03-03 07:45:12.846
ProcessGuid: {c1ec32d1-1f03-58b9-0000-00107b02ac0a}
ProcessId: 27480
Image: C:\Program Files\System Center Operations Manager\Agent\MonitoringHost.exe
TargetFilename: C:\Program Files\System Center Operations Manager\Agent\Health Service State\Monitoring Host Temporary Files 14022\11725\DiscoverSQL2008DB.vbs
CreationUtcTime: 2017-03-03 07:45:12.846

I went ahead and modified the lines related to FileCreate as below, and I still receive events from MonitoringHost.exe

<FileCreateTime onmatch="include">
	<Image condition="begin with">C:\Users</Image> <!--Look for timestomping in user area-->
</FileCreateTime>
<FileCreateTime onmatch="exclude">
	<Image condition="image">OneDrive.exe</Image> <!--OneDrive constantly changes file times-->
	<Image condition="contains">setup</Image> <!--Ignore setups-->
	<!--SECTION: MyOwnSection-->
	<Image condition="image">C:\Program Files\System Center Operations Manager\Agent\MonitoringHost.exe</Image>
	<Image condition="end with">C:\Program Files\System Center Operations Manager\Agent\MonitoringHost.exe</Image>
</FileCreateTime>

The question is: What's the correct form of excluding Images from FileCreate events?

can't exclude event with sysmon v10.42

Hi all,
(Thanks SwiftOnSecurity for your work)

I'm trying to simply exclude events like "ping 8.8.8.8" but it has no effect!
Os = Win7 (on virtualbox)
Sysmon = 10.42
XML = sysmon-config from SwiftOnSecurity

1) Take your xml and load sysmon: Sysmon64.exe -c SysmonConfig.xml
2) Test ping 8.8.8.8 in cmd.exe
3) Sysmon log in eventviewer:

Process Create:
RuleName: technique_id=T1059,technique_name=Command-Line Interface
...
Image: C:\Windows\System32\PING.EXE
OriginalFileName: ping  8.8.8.8
CommandLine: C:\sysmon\
ParentImage: ndows\System32\cmd.exe
ParentCommandLine: "C:\Windows\System32\cmd.exe" 

4) Then put exclusions in your XML (I put a lot because I tried everything to block it)

	<ProcessCreate onmatch="exclude">
		<Image condition="is">C:\Windows\system32\ping.exe</Image>
		<ParentCommandLine condition="is">C:\Windows\System32\cmd.exe</ParentCommandLine>
		<ParentImage condition="end with">\System32\cmd.exe</ParentImage>
		<CommandLine condition="contains">ping.exe</CommandLine>
		<CommandLine condition="contains">cmd.exe</CommandLine>
		<CommandLine condition="contains">sysmon</CommandLine>
		...

5) Update sysmon with new rules:

Sysmon64.exe -c SysmonConfig.xml
		Loading configuration file with schema version 4.22
		Sysmon schema version: 4.23
		Configuration file validated.
		Configuration updated.

6) Test ping 8.8.8.8 in cmd.exe
7) Same log in Event Viewer as before

RuleName: technique_id=T1059,technique_name=Command-Line Interface
Image: C:\Windows\System32\PING.EXE
OriginalFileName: ping  8.8.8.8
CommandLine: C:\sysmon\
ParentImage: ndows\System32\cmd.exe
ParentCommandLine: "C:\Windows\System32\cmd.exe" 

Am I missing something?
I even tried debug mode (Sysmon64.exe -t -i SysmonConfig.xml) but it seems to be disabled in 10.42

regards

Sysmon Event ID 10 "Process accessed" not filtering

So I edited the configuration to include watching for events generated by LSASS.exe and also removed VBoxService.exe to make the logs less noisy.

I added the following lines.

<ProcessAccess onmatch="include">
    <TargetImage condition="is">C:\Windows\system32\lsass.exe</TargetImage>
</ProcessAccess>
<!-- Processes that you wish to exclude -->
<ProcessAccess onmatch="exclude">
    <SourceImage condition="is">C:\WINDOWS\System32\VBoxService.exe</SourceImage>
</ProcessAccess>

But I still see the logs with the source image VBoxService.exe and target image lsass.exe. Anyone else having a similar issue?

Possible Config Issue on Win10

I have been able to install Sysmon (7.01) on my Windows 8.1 host and the latest config (f24dc22) with no issues.

However, using the same installation files and process, when installing on Windows 10, the installation fails to start the service (Service times out), when I specify the config with the initial install
e.g. sysmon.exe -accepteula -i sysmonconfig-export.xml

Instead, I have to do

sysmon.exe -accepteula -i
sysmon.exe -c sysmonconfig-export.xml.

When I update the config with the second command, this crashes the service and restarting also times out, so I can only assume there is an issue with the config on Win10, or my build. Has anyone seen this issue before? Have not been able to test on another Win10 build yet.

Error: Incorrect XML configuration: sysmonconfig-export.xml

Hi guys, this is just running base executable Sysmon version v5.02 on Win7 32-bit. I haven't edited the xml file at all.

C:\Users\jamesbond\Desktop>Sysmon.exe -accepteula -i sysmonconfig-export.xml

System Monitor v5.02 - System activity monitor
Copyright (C) 2014-2016 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Loading configuration file with schema version 3.30
Sysmon schema version: 3.20
Error: Incorrect XML configuration: sysmonconfig-export.xml
Reason: Element 'FileCreate' is unexpected according to content model of parent
element 'EventFiltering'.
Expecting: ProcessCreate, FileCreateTime, NetworkConnect, ProcessTerminate, Driv
erLoad, ImageLoad, CreateRemoteThread, RawAccessRead, P....

Usage:
Install: Sysmon.exe -i []
[-h <[sha1|md5|sha256|imphash|],...>] [-n [<process,...>]]
[-l [<process,...>]
Configure: Sysmon.exe -c []
[--|[-h <[sha1|md5|sha256|imphash|
],...>] [-n [<process,...>]]
[-l [<process,...>]]]
Uninstall: Sysmon.exe -u
-c Update configuration of an installed Sysmon driver or dump the
current configuration if no other argument is provided. Optionally
take a configuration file.
-h Specify the hash algorithms used for image identification (default
is SHA1). It supports multiple algorithms at the same time.
Configuration entry: HashAlgorithms.
-i Install service and driver. Optionally take a configuration file.
-l Log loading of modules. Optionally take a list of processes to track.
-m Install the event manifest (done on service install as well).
-n Log network connections. Optionally take a list of processes to track.
-r Check for signature certificate revocation.
Configuration entry: CheckRevocation.
-u Uninstall service and driver.

The service logs events immediately and the driver installs as a boot-start
driver to capture activity from early in the boot that the service will write
to the event log when it starts.

On Vista and higher, events are stored in "Applications and Services
Logs/Microsoft/Windows/Sysmon/Operational". On older systems, events are
written to the System event log.

If you need more information on configuration files, use the '-? config'
command. More examples are available on the Sysinternals website.

Specify -accepteula to automatically accept the EULA on installation,
otherwise you will be interactively prompted to accept it.

Neither install nor uninstall requires a reboot.

Tracking SMB connections from the client?

Is there any way to track outgoing SMB connection (not at the network level, at the redirector level) so that we can see the user ID and original process name (cmd.exe, Excel, Explorer, etc.) instead of SYSTEM (PID 4)?

I know this would be very noisy but I'm wondering if the capability even exists in the sysmon events.

Here's an equivalent filter from procmon.exe:

Operation IRP_MJ_CREATE
Result SUCCESS
Detail contains Synchronize (the access level initially requested)

having Zone identifier appended to the file name

Log ID 15 is generated like below; how can we get the file name after it has been created?
C:\Users\user1\Downloads\PortMon.zip.8g8if7a.partial:Zone.Identifier
C:\Users\user1\Downloads\PortMon.zip.8g8if7a.partial

I have two logs with the above file names after downloading the zip file, with different hashes.
How can we get only the file name with the final hash after the download finishes?

SecurityProviders

  1. SecurityProviders\SecurityProvider is wrong in the XML file
  2. SYSMON64.exe version 6.2 doesn't work with the HKLM format; you still need to use "contains" instead of "begin with"

Sysmon v7 requires schema version update.

Looks like sysmon v7 doesn't accept setting the config with a v3.30 schema. Updating the schema version to 4.0 seems to fix this.
I haven't found any documentation on what's changed between 3.30 and 4.0, but the 3.30 file with an updated schema version seems to still work?

DestinationIp conditioned?

Thank you for the rule-set, it is really helpful!

I'm wondering if it would be possible to have logging for all the network connections filtered by destination. The rationale is that in a corporate network all the devices should use the proxy, internal DNS and only local services. Any attempt to connect outside (destination network is NOT a private range, i.e. 10.0.0.0/8) is suspicious and should be investigated.

Is it possible?

Sysmon export logs to CSV | JSON | XML

Hello folks,
Can someone explain to me how to export Sysmon logs from evtx to another format like XML, JSON or CSV? I would like to learn more about malicious activities and harmful files, but reading the original logs in Windows Event Viewer is a nightmare.

It would be nice to export the logs to a friendly format and parse them, creating a tree of image path, PID or other relationships. It would be easier to read and analyse the logs.

I do not want to use Splunk or another remote logs server for sysmon. I would like to keep all data on same localhost.
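As an added example (not code from the project or the poster), this flattens Sysmon event XML of the kind shown in the "Related process tree" issue into plain records, groups them by ProcessGuid, and writes JSON and CSV without any log server. The sample is a trimmed copy of that issue's two events; output of wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml can be fed in the same way once it is wrapped in a single root element, and all function names here are the example's own.

```python
"""Flatten Sysmon event XML into records, correlate by ProcessGuid, emit JSON/CSV
(added example, not project code). Works on an Event Viewer XML export or on
`wevtutil qe ... /f:xml` output wrapped in one root element."""
import csv
import io
import json
import xml.etree.ElementTree as ET

# Trimmed copy of the EventID 3 and EventID 11 records from the issue above, wrapped in <Events>.
SAMPLE_XML = r"""<Events>
<Event><System><Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"/>
<EventID>3</EventID><Version>5</Version><Level>4</Level><Task>3</Task>
<TimeCreated SystemTime="2019-06-15T07:36:24.435858500Z"/><EventRecordID>2469</EventRecordID>
<Computer>PC1</Computer></System>
<EventData><Data Name="UtcTime">2019-06-15 07:36:22.146</Data>
<Data Name="ProcessGuid">{1afd9578-9ff5-5d04-0000-0010561d0901}</Data>
<Data Name="ProcessId">7084</Data><Data Name="Image">C:\Users\perun\Downloads\cycki.exe</Data>
<Data Name="DestinationIp">217.8.117.24</Data><Data Name="DestinationPort">80</Data></EventData></Event>
<Event><System><Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"/>
<EventID>11</EventID><Version>2</Version><Level>4</Level><Task>11</Task>
<TimeCreated SystemTime="2019-06-15T07:36:24.209491000Z"/><EventRecordID>2465</EventRecordID>
<Computer>PC1</Computer></System>
<EventData><Data Name="UtcTime">2019-06-15 07:36:24.185</Data>
<Data Name="ProcessGuid">{1afd9578-9ff5-5d04-0000-0010561d0901}</Data>
<Data Name="ProcessId">7084</Data><Data Name="Image">C:\Users\perun\Downloads\cycki.exe</Data>
<Data Name="TargetFilename">C:\Users\perun\AppData\Local\Temp\D6421E87\ucrtbase.dll</Data></EventData></Event>
</Events>"""

# <Level> is the ETW severity (4 = Informational); <Task> mirrors the Sysmon event ID;
# <Version> is the version of that event's template in the provider manifest.
LEVEL_NAMES = {"1": "Critical", "2": "Error", "3": "Warning", "4": "Informational", "5": "Verbose"}


def _local(tag):
    """Strip the namespace real exports carry (xmlns="http://schemas.microsoft.com/win/2004/08/events/event")."""
    return tag.rsplit("}", 1)[-1]


def flatten(event_el):
    """Turn one <Event> into a flat dict: selected System fields plus every EventData <Data Name=...>."""
    rec = {}
    for el in event_el.iter():
        tag = _local(el.tag)
        if tag in ("EventID", "Version", "Level", "Task", "Computer", "EventRecordID"):
            rec[tag] = (el.text or "").strip()
        elif tag == "TimeCreated":
            rec["SystemTime"] = el.get("SystemTime", "")
        elif tag == "Data" and el.get("Name"):
            rec[el.get("Name")] = (el.text or "").strip()
    rec["LevelName"] = LEVEL_NAMES.get(rec.get("Level"), "Unknown")
    return rec


def parse_events(xml_text):
    root = ET.fromstring(xml_text)
    return [flatten(e) for e in root.iter() if _local(e.tag) == "Event"]


def process_timeline(records):
    """Group by ProcessGuid (stable for a process's lifetime, unlike the PID, which Windows
    reuses) and order each group by UtcTime rather than EventRecordID: in the sample the
    EventID 3 record (2469) was written after the EventID 11 record (2465) although the
    connection itself happened first."""
    tree = {}
    for r in records:
        tree.setdefault(r.get("ProcessGuid", ""), []).append(r)
    for guid in tree:
        tree[guid].sort(key=lambda r: r.get("UtcTime", ""))
    return tree


CSV_FIELDS = ("UtcTime", "EventID", "ProcessGuid", "ProcessId", "Image",
              "DestinationIp", "DestinationPort", "TargetFilename")


def to_json(records):
    return json.dumps(records, indent=2)


def to_csv(records, fields=CSV_FIELDS):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(fields), extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)  # fields an event lacks are written empty
    return buf.getvalue()
```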

Event IDs with both Include and Exclude Filters

Regarding "z-AlphaVersion.xml":

It appears that Event IDs that have both Include and Exclude filter sets are only processing one or the other filter set. For example when I run sysmon -c to view the current configuration, it only shows the Include filter set for both FileCreateTime and NetworkConnect.

I have tested on both Sysmon v10.0 and v10.1.

DNS Logging

This is not a direct issue of this project. I currently do not have time to track it down in detail, but because I did not find anything anywhere, I decided to post it here. Feel free to close if you think it doesn't fit here.

We encountered a weird issue. When using the alpha config (with DNS logging), after a server restart IIS is not logging anymore. No file logging, no ETW logging. Just nothing.
iisreset does not help. Stopping sysmon or changing configuration to non-alpha and doing an iisreset recovers logging.

This happened on Win Server 2012 R2 and Server 2016 with Sysmon 10.1 and 10.2.

IMAP port typo error

Going over the config, I found a tiny error:
142 <!--IMAP mail protocol port...

The IMAP port (clear) is 143.
