Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.
MHaggis Update README.md
Fixed links per #2
and Added sysmon-modular to configs at bottom.
Latest commit 9c09a76 Nov 11, 2019

Sysmon - DFIR

A curated list of resources for learning about deploying, managing and hunting with Microsoft Sysmon. Contains presentations, deployment methods, configuration file examples, blogs and additional github repositories.

Sysmon Learning Resources

General

Sysmon Configuration

Sysmon-Modular

sysmon-modular | A Sysmon configuration repository for everybody to customize - @olafhartong

@SwiftOnSecurity config

This config will bring you up to speed on critical process monitoring, network utilization, and so on. Note that the idea is not to log everything, only the most important items.

https://github.com/SwiftOnSecurity/sysmon-config

Sysmon_config.xml

Solid, detailed config. Probably one of the best ones out there in terms of completeness.

MalwareArchaeology

Sysmon-a.cfg

Basic config that monitors critical Windows process execution. Very basic, but a good config for getting used to Sysmon and how things operate.

Blog post by blacklanternsecurity

Sysmon-b.cfg

Config and PDF published by the Crypsis Group. Contains a fairly detailed list of excludes that should help with understanding how they work and with getting a configuration started.

Crypsis Group Config

Crypsis Group PDF

Sysmon-c.cfg

Great configuration for understanding exclude rules and "contains" match conditions.

Decent Security Config

Sysmon-d.cfg

Solid blog post related to getting started with Sysmon. Config is nicely laid out and easy to understand.

909Research Blog

Sysmon-e.cfg

This config is narrowly scoped, but it provides a good foundation for capturing a lot of targeted data.

https://github.com/Prevenity/sysmon

(Comments translated to English)

StartLogging.xml

Provided by https://github.com/Cyb3rWard0g - Roberto Rodriguez

https://gist.github.com/Cyb3rWard0g/6f69475a667ef298d829370bd26ba8c2

Sysmoncfg_v2|31.xml

Related material from Splunking the Endpoint .conf talk by James Brodsky and Dimitri McKay.

Splunking the Endpoint - Files from presentation

Configs are optimized for Splunk.

Additional configs

These configs are updated frequently.

SwiftOnSecurity Fork by Ion-Storm

Server Config: https://gist.github.com/Neo23x0/a4b4af9481e01e749409

Client config: https://gist.github.com/Neo23x0/f56bea38d95040b70cf5
