Skip to content
An easy ATT&CK-based Sysmon hunting tool, showing in Blackhat USA 2019 Arsenal
JavaScript Python HTML CSS
Branch: master
Clone or download
Latest commit 0ec6e28 Aug 8, 2019

An easy ATT&CK-based Sysmon hunting tool


  1. Elasticsearch

  2. Neo4j

  3. Python 2.7.x

  4. 3rd party python library dependency

    pip install -r requirements.txt


See conf/example.conf

es_host=http://localhost:9200			# Elasticsearch host uri
winlogbeat_index=winlogbeat-*			# winlogbeat index prefix
neo4j_host=bolt://localhost:7687		# Neo4j database host
neo4j_user=neo4j							# Neo4j login username
neo4j_pwd=								# Neo4j login password
attck_yaml=misc/attck.yaml				# rules file


Data process & import

Processing Sysmon logs to customized structured data, filtering abnormal behaviors based on YAML rules, then import to databases.

Sysmon logs supports two ways to collect.

  • manully, using logparser transfer .evtx to csv.

      logparser.exe -i:evt -o:csv "select TimeGenerated, SourceName, ComputerName, SID, EventID, Strings from Microsoft-Windows-Sysmon%4Operational.evtx
  • with winlogbeat collect to elasticsearch.

Usage for

For examples:

python -c conf/example.conf -t csv -i test/empire.csv
python -c conf/example.conf -t winlogbeat -start 2019-07-19 -end 2019-07-19

SysmonHunter tool

Execute command below and open http://localhost:5000/ in browser.

python -c conf/example.conf


More details include in the pptx under docs.

You can’t perform that action at this time.