captureSysmon

crazy-max edited this page Jun 3, 2016 · 1 revision

Capture with Sysmon

About

Sysmon is an advanced background monitor that records process-related activity to the event log.

Capture

This application is embedded in WindowsSpyBlocker repository.
To install Sysmon, execute the script scripts/sysmon/sysmon.bat and choose the Install option.

This installs Sysmon as a service that will survive reboots, collect network connection information, record MD5 hashes for all created processes, and record loading of modules.
Everything will be recorded in the Windows event log in C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx.
You can see every event in the Event Viewer window (Start > Run > eventvwr):

Applications and Services Logs > Microsoft > Windows > Sysmon > Operational

Parsing

The script scripts/sysmon/sysmon.bat can also be used to parse the logs and generate CSV files.
Before executing the script, do not forget to edit sysmon.conf:

{
    "evtxPath": "C:/Windows/sysnative/winevt/Logs/Microsoft-Windows-Sysmon%4Operational.evtx",
    "exclude": {
        "ips": [
            "127.0.0.1",
            "10.0.0.1",
            "192.168.0.0-192.168.0.255"
        ],
        "hosts": [
            "yourISP.com",
            "*.yourISP.com"
        ]
    }
}
  • evtxPath: path to the event log.
  • exclude ips: IP addresses excluded from parsing. Ranges are allowed; in most cases you have to exclude your local network and your DNS servers.
  • exclude hosts: hosts / domains excluded from parsing. Wildcards are allowed; in most cases you have to exclude your ISP domain.

Then execute the script:

CSV files will be generated in the logs/ folder:

  • sysmon-all.csv
  • sysmon-hosts-count.csv
  • sysmon-unique.csv
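The following is an added example, not the WindowsSpyBlocker script itself, showing how the sysmon.conf exclusions above are applied to Sysmon network-connection events (Event ID 3) and how the three CSV files are derived from what remains. It assumes the events have already been exported as XML (the layout the Event Viewer shows) rather than read from the binary .evtx file, so the evtxPath key is carried for shape only; the sample events, the column layout of the CSVs and the helper names (parse_ip_rules, is_excluded, build_reports, write_reports) are all constructed for this example. IP ranges are matched inclusively and host patterns are matched case-insensitively with shell-style wildcards.

```python
import csv
import fnmatch
import io
import ipaddress
import json
import os
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sysmon.conf with the same keys as the page's example (evtxPath unused here:
# this example consumes XML records instead of the binary .evtx file).
CONFIG = json.loads("""{
    "evtxPath": "C:/Windows/sysnative/winevt/Logs/Microsoft-Windows-Sysmon%4Operational.evtx",
    "exclude": {
        "ips": ["127.0.0.1", "10.0.0.1", "192.168.0.0-192.168.0.255"],
        "hosts": ["yourISP.com", "*.yourISP.com"]
    }
}""")

XMLNS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = "{" + XMLNS + "}"


def _event(ts, image, ip, host, port):
    # Build one constructed Sysmon Event ID 3 record in the Event Viewer XML layout.
    return (f'<Event xmlns="{XMLNS}"><System><EventID>3</EventID>'
            f'<TimeCreated SystemTime="{ts}"/></System><EventData>'
            f'<Data Name="Image">{image}</Data><Data Name="DestinationIp">{ip}</Data>'
            f'<Data Name="DestinationHostname">{host}</Data>'
            f'<Data Name="DestinationPort">{port}</Data></EventData></Event>')


# Constructed sample: loopback, LAN, ISP and two real destinations (RFC 5737 documentation ranges).
SAMPLE_EVENTS = "<Events>" + "".join([
    _event("2016-06-03T10:00:00Z", r"C:\Windows\System32\svchost.exe", "127.0.0.1", "localhost", 135),
    _event("2016-06-03T10:00:01Z", r"C:\Windows\System32\svchost.exe", "192.168.0.10", "router.lan", 53),
    _event("2016-06-03T10:00:02Z", r"C:\Windows\explorer.exe", "203.0.113.5", "mail.yourISP.com", 443),
    _event("2016-06-03T10:00:03Z", r"C:\Windows\System32\svchost.exe", "198.51.100.7", "telemetry.example.net", 443),
    _event("2016-06-03T10:00:04Z", r"C:\Windows\System32\svchost.exe", "198.51.100.7", "telemetry.example.net", 443),
    _event("2016-06-03T10:00:05Z", r"C:\Windows\System32\wuauclt.exe", "198.51.100.20", "", 80),
    _event("2016-06-03T10:00:06Z", r"C:\Windows\explorer.exe", "203.0.113.9", "yourISP.com", 80),
]) + "</Events>"


def parse_ip_rules(entries):
    # "a.b.c.d" becomes the range (addr, addr); "lo-hi" becomes (lo, hi), both ends inclusive.
    rules = []
    for entry in entries:
        lo, _, hi = entry.partition("-")
        lo_addr = ipaddress.ip_address(lo.strip())
        hi_addr = ipaddress.ip_address(hi.strip()) if hi else lo_addr
        rules.append((lo_addr, hi_addr))
    return rules


def is_excluded(ip, host, ip_rules, host_patterns):
    addr = ipaddress.ip_address(ip)
    # Only compare addresses of the same IP version; mixed comparisons raise TypeError.
    if any(lo.version == addr.version and lo <= addr <= hi for lo, hi in ip_rules):
        return True
    h = host.lower()
    return bool(h) and any(fnmatch.fnmatchcase(h, p.lower()) for p in host_patterns)


def parse_events(xml_text):
    # Extract the fields of every Event ID 3 record; other event types are skipped.
    rows = []
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        if ev.findtext(f"{NS}System/{NS}EventID") != "3":
            continue
        fields = {d.get("Name"): (d.text or "") for d in ev.iter(NS + "Data")}
        rows.append({"time": ev.find(f"{NS}System/{NS}TimeCreated").get("SystemTime"),
                     "image": fields.get("Image", ""), "ip": fields["DestinationIp"],
                     "host": fields.get("DestinationHostname", ""),
                     "port": fields.get("DestinationPort", "")})
    return rows


def build_reports(events, config):
    ip_rules = parse_ip_rules(config["exclude"]["ips"])
    host_patterns = config["exclude"]["hosts"]
    kept = [e for e in events if not is_excluded(e["ip"], e["host"], ip_rules, host_patterns)]
    # Count per hostname, falling back to the IP when Sysmon recorded no hostname.
    counts = Counter(e["host"] or e["ip"] for e in kept)
    hosts_count = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    unique = sorted({(e["ip"], e["host"]) for e in kept})
    return kept, hosts_count, unique


def to_csv(header, rows):
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()


def write_reports(out_dir="logs"):
    # Write the three CSV files named on the page into out_dir and return their contents.
    kept, hosts_count, unique = build_reports(parse_events(SAMPLE_EVENTS), CONFIG)
    cols = ("time", "image", "ip", "host", "port")
    files = {"sysmon-all.csv": to_csv(list(cols), [[e[c] for c in cols] for e in kept]),
             "sysmon-hosts-count.csv": to_csv(["host", "count"], hosts_count),
             "sysmon-unique.csv": to_csv(["ip", "host"], unique)}
    os.makedirs(out_dir, exist_ok=True)
    for name, text in files.items():
        with open(os.path.join(out_dir, name), "w", newline="") as fh:
            fh.write(text)
    return files


if __name__ == "__main__":
    for name, text in write_reports().items():
        print(f"== {name}\n{text}")
```

With the sample above, the loopback, LAN-range and both ISP connections are dropped, leaving three rows in sysmon-all.csv, two lines in sysmon-hosts-count.csv (telemetry.example.net seen twice, 198.51.100.20 once) and two ip/host pairs in sysmon-unique.csv. Because the fallback counts by IP when no hostname was recorded, a destination that never resolves still shows up in the count file instead of vanishing into an empty-string bucket.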