Skip to content
SysmonX - An Augmented Drop-In Replacement of Sysmon
C++ C Roff
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.

Files

Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
docs
external
misc
src
.appveyor.yml
.gitignore
LICENSE
README.md
SysmonX.sln

README.md

Build status Appveyor Latest Commit MIT license


SysmonX

Open Source drop-in compatible version of sysmon

This project is WORK IN PROGRESS. Expect feature changes and binary releases on the upcoming weeks.

Overview

SysmonX is an open-source, community-driven, and drop-in replacement version of Sysmon that provides a modularized architecture with the purpose of enabling the infosec community to:

  • Extend the Sysmon data collection sources and create new security events
  • Extend the Sysmon ability to correlate events. Effectively enabling new logical operations between events and the creation of advanced detection capabilities
  • Enrich the current set of events with more data!
  • Enable the false positive reduction by narrowing down suspicious events through dedicated scanners
  • Extend the security configuration schema
  • React to known subversion and evasion techniques that impact Sysmon, and by doing so, increasing the resilience of security auditing and data collection mechanism such as this one.

SysmonX is composed of a standalone binary that gets itself deployed as a windows service, supports legacy Sysmon configurations and event reporting mechanism, while also providing users the ability to configure all the SysmonX aspects through command-line interface.

The SysmonX binary is a drop-in replacement of Sysmon. This effectively means that SysmonX is a feature-compatible version of Sysmon (same input, same output). This is possible thanks to the SysmonX ability to package, deploy, manage Sysmon binaries behind the scene. SysmonX uses this to intercept data collected by Sysmon drivers, enrich them, along with the ability to create, combine, and add scanning logic on top of new security events. The result is a combined output, with the old good features from Sysmon + the new features from SysmonX.

Example of new security events and features added to SysmonX are:

  • Cmdline and Parent Process Spoofing detection
  • WMI calls over all the namespaces, not just root:subscription
  • Ability to collect authentication information
  • Ability to collect powershell events
  • Ability to detect userspace injection techniques (eventing + memory inspection through built in scanner modules)
  • Ability to perform regex over security event fields
  • Many more!

SysmonX Overview deck available here

SysmonX Overview Talk - Video here

SysmonX Demo: Component Install, Component Uninstall and Regex Detection - Video here SysmonX Demo: Component Install, Component Uninstall and Regex Detection

You can’t perform that action at this time.