sysmon-modular | A Sysmon configuration repository for everybody to customise
This is a Microsoft Sysinternals Sysmon download here configuration repository, set up modular for easier maintenance and generation of specific configs.
The sysmonconfig.xml within the repo is automatically generated after a successful merge by the PowerShell script and a successful load by Sysmon in an Azure Pipeline run.
NOTICE; Sysmon below 13 will not completely be compatible with this configuration
Older versions are still available in the branches, but are not as complete as the current branch
Note: I do recommend using a minimal number of configurations within your environment for multiple obvious reasons, like; maintenance, output equality, manageability and so on. But do make tailored configurations for Domain Controllers, Servers and workstations.
Big credit goes out to SwiftOnSecurity for laying a great foundation and making this repo possible! sysmonconfig-export.xml.
Final thanks to Mathias Jessen for his Merge script, without it, this project would not have worked as well.
Pull requests / issue tickets and new additions will be greatly appreciated!
I started a series of blog posts covering this repo;
- Endpoint detection Superpowers on the cheap - part1 - MITRE ATT&CK, Sysmon and my modular configuration
- Endpoint detection Superpowers on the cheap — part 2 — Deploy and Maintain
- Endpoint detection Superpowers on the cheap — part 3 — Sysmon Tampering
I highly recommend looking at the configs before implementing them in your production environment. This enables you to have as actionable logging as possible and as litte noise as possible.
You will need to install and observe the results of the configuration in your own environment before deploying it widely. For example, you will need to exclude actions of your antivirus, which will otherwise likely fill up your logs with useless information.
Generating a config
$> git clone https://github.com/olafhartong/sysmon-modular.git $> cd sysmon modular $> . .\Merge-SysmonXml.ps1 $> Merge-AllSysmonXml -Path ( Get-ChildItem '[0-9]*\*.xml') -AsString | Out-File sysmonconfig.xml
Generating custom configs
Below functions with great thanks to mbmy
Find-RulesInBasePath - takes a base path (i.e. C:\folder\sysmon-modular) and finds all candidate xml rule files based upon regex pattern
PS C:\Users\sysmon\sysmon-modular> Find-RulesInBasePath -BasePath C:\users\sysmon\sysmon-modular\ -OutputRules | Out-File available_rules.txt
Merge-AllSysmonXml New Parameters:
-BasePath - finds all candidate xml rule files from a provided path based upon regex pattern and merges them
PS C:\Users\sysmon\sysmon-modular> Merge-AllSysmonXml -AsString -BasePath C:\Users\sysmon\sysmon-modular\
-ExcludeList - Combined with -BasePath, takes a list of rules and excludes them from found rules prior to merge
PS C:\Users\sysmon\sysmon-modular> Merge-AllSysmonXml -AsString -BasePath C:\Users\sysmon\sysmon-modular\ -ExcludeList C:\users\sysmon\sysmon-modular\exclude_rules.txt
-IncludeList - Combined with -BasePath, finds all available rules from base path but only merges those defined in a list
PS C:\Users\sysmon\sysmon-modular> Merge-AllSysmonXml -AsString -BasePath C:\Users\sysmon\sysmon-modular\ -IncludeList C:\users\sysmon\sysmon-modular\include_rules.txt
Include/Exclude List Format Example:
3_network_connection_initiated\include_native_windows_tools.xml 12_13_14_registry_event\exclude_internet_explorer_settings.xml 12_13_14_registry_event\exclude_webroot.xml 17_18_pipe_event\include_winreg.xml 19_20_21_wmi_event\include_wmi_create.xml 2_file_create_time\exclude_chrome.xml 3_network_connection_initiated\include_native_windows_tools.xml 3_network_connection_initiated\include_ports_proxies.xml 8_create_remote_thread\include_general_commment.xml 8_create_remote_thread\include_psinject.xml 9_raw_access_read\include_general_commment.xml
Run with administrator rights
sysmon.exe -accepteula -i sysmonconfig.xml
Update existing configuration
Run with administrator rights
sysmon.exe -c sysmonconfig.xml