Queries to parse sysmon event log file with microsoft logparser
sysmon-queries

Queries to parse sysmon event log file with Microsoft logparser.
https://technet.microsoft.com/en-us/sysinternals/dn798348

Sysmon Event Format

Sysmon writes its events to the Windows event log, but the Event Viewer list view shows only the summary line, not the individual fields.

The fields can be seen in the details pane of a single event, but the viewer offers no practical way to filter on the values inside the Sysmon data.

Usage

These queries let the logparser tool extract the individual values from inside the Sysmon data field and export the results to a variety of formats for further analysis.
http://www.microsoft.com/en-us/download/details.aspx?id=24659

They can also be used with Log Parser Lizard to view the data in a GUI.
http://lizard-labs.com/log_parser_lizard.aspx

I wrote a separate query per event type because each Sysmon event ID carries a different set of fields.

Sample Queries

### process-create-terminate
Query to combine the records which are process start(1) and process terminate(5).

### process-start-stop-by-user
Query to display all processes started(1) by a specified user logon. The results also include terminate records(5) whose PID matches a process belonging to that user logon. There will be extra terminate records(5), since no logon is associated with them, but the first terminate(5) should be the matching record for the displayed start record(1).

### file-create-time
Query to display all file create date change records(2).

### file-create-time-backwards
Query to display all date change records(2) whose new date is older than the previous date. Essentially, this detects actions consistent with timestomp/filetouch/setmace activity. The query excludes records that have 'chrome.exe' in the ImagePath property because Google Chrome makes a huge number of date changes for some reason. I also found exfil-type artifacts from files I was copying to an external USB drive.

### file-create-program-count
Query to get a unique list of programs that have made date changes(2) to some file somewhere, plus a column counting the number of changes each has made.
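The two checks above (a creation date moved into the past, minus chrome.exe noise, and a per-program change count) re-implemented in Python over Sysmon event XML as an added example; this is not one of the repository's logparser queries. It assumes XML exported from the Microsoft-Windows-Sysmon/Operational log (for example with wevtutil) and Sysmon's event ID 2 field names (Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime); the sample records are constructed.

```python
# Added example, not from the sysmon-queries repository: file-create-time-backwards
# and file-create-program-count over Sysmon event XML instead of logparser SQL.
# Field names are those of Sysmon event ID 2 (FileCreateTime).
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TS = "%Y-%m-%d %H:%M:%S.%f"  # timestamp format used in Sysmon UtcTime fields

# Constructed sample: three Sysmon event ID 2 records built from a template.
EVENT = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
         '<System><EventID>2</EventID></System><EventData>'
         '<Data Name="Image">{0}</Data><Data Name="TargetFilename">{1}</Data>'
         '<Data Name="CreationUtcTime">{2}</Data>'
         '<Data Name="PreviousCreationUtcTime">{3}</Data></EventData></Event>')
SAMPLE_XML = "<Events>" + "".join(EVENT.format(*r) for r in [
    (r"C:\Windows\System32\notepad.exe", r"C:\Users\a\notes.txt",
     "2016-03-01 10:00:00.000", "2016-02-28 09:00:00.000"),  # moved forward: normal
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Users\a\Cache\f_0001",
     "2016-01-01 00:00:00.000", "2016-03-01 10:05:00.000"),  # backwards, but chrome.exe
    (r"C:\Temp\touch.exe", r"C:\Users\a\report.docx",
     "2010-05-05 05:05:05.000", "2016-03-01 10:06:00.000"),  # backwards: flagged
]) + "</Events>"

def file_create_time_records(xml_text):
    """Yield the EventData of every event ID 2 record as a {Name: value} dict."""
    for ev in ET.fromstring(xml_text).iter(f"{NS}Event"):
        if ev.findtext(f"{NS}System/{NS}EventID") == "2":
            yield {d.get("Name"): d.text for d in ev.iter(f"{NS}Data")}

def backwards_changes(xml_text, exclude=("chrome.exe",)):
    """Records whose new creation time is older than the previous one, i.e. a
    creation date moved into the past (timestomp-like), minus excluded images."""
    hits = []
    for rec in file_create_time_records(xml_text):
        if rec["Image"].rsplit("\\", 1)[-1].lower() in exclude:
            continue
        new = datetime.strptime(rec["CreationUtcTime"], TS)
        old = datetime.strptime(rec["PreviousCreationUtcTime"], TS)
        if new < old:
            hits.append((rec["Image"], rec["TargetFilename"], old, new))
    return hits

def changes_per_program(xml_text):
    """file-create-program-count: number of event ID 2 records per Image."""
    return Counter(rec["Image"] for rec in file_create_time_records(xml_text))

if __name__ == "__main__":
    for image, target, old, new in backwards_changes(SAMPLE_XML):
        print(f"{image} set {target} creation time back from {old} to {new}")
    print(changes_per_program(SAMPLE_XML))
```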

### file-create-file-count
Query to get a unique list of files that have had their date changed(2) and the program that made the change, plus a count of the number of times that file's date has been changed.

### file-create-file-count-no-chrome
Same as file-create-file-count, except that this removes any records made by 'chrome.exe', since it makes a huge number of changes.

### driver-load
Query to display all driver load records(6).

### image-load
Query to display all image load records(7).

### image-load-wininet-winsock32
Query to display all records for processes that have image loads(7) pointing at wininet.dll or winsock32.dll.

### network-connection
Query to display all records for network connections(4).

### network-socket-count
Query to display a unique list of network sockets (IP and port) from the connection records(4), plus a count of the number of records for each socket.

### network-connection-count
Query to display a unique list of network connections from the connection records(4), plus a count of the number of records for each connection.