Repository contents (one directory of modules per Sysmon event ID):

  • 1_process_creation
  • 2_file_create_time
  • 3_network_connection_initiated
  • 5_process_ended
  • 6_driver_loaded_into_kernel
  • 7_image_load
  • 8_create_remote_thread
  • 9_raw_access_read
  • 10_process_access
  • 11_file_create
  • 12_13_14_registry_event
  • 15_file_create_stream_hash
  • 17_18_pipe_event
  • 19_20_21_wmi_event
  • attack_matrix
  • .gitignore
  • Generate-Sysmon-config.ps1
  • README.md
  • baseconfig.xml
  • license.md
  • sysmonconfig.xml

sysmon-modular | A Sysmon configuration repository for everybody to customise


This is a Microsoft Sysinternals Sysmon configuration repository, organised as modules for easier maintenance and for generating configs tailored to a specific environment.

NOTICE: Sysmon 8.02 is not compatible with this configuration; it will cause severe blind spots in your logging. Please use Sysmon 8.0 or 8.0.4.

Note: I do recommend using a minimal number of configurations within your environment, for obvious reasons such as maintenance, consistency of output, manageability and so on.

Big credit goes out to SwiftOnSecurity for laying a great foundation with sysmonconfig-export.xml and making this repo possible!

Equally a huge shoutout to Roberto Rodriguez for his amazing work on the ThreatHunter-Playbook and his contribution to the community on his blog.

Final thanks to Matt Graeber for his PowerShell Modules, without them, this project would not have worked as well.

Pull requests / issue tickets and new additions will be greatly appreciated!

I started a series of blog posts covering this repo.

Following the blog post "Sysmon 8.0, a leap forward in event annotation", I have been working on updating the configuration modules to schemaversion 4.1 and adding the MITRE ATT&CK annotation fields. Eventually I deviated slightly from the blog post and went with the OSSEM field naming: technique_id and technique_name.

Mitre ATT&CK

I strive to map all configurations to the ATT&CK framework wherever Sysmon is able to detect the technique. A current ATT&CK Navigator export of all linked configurations is kept in the attack_matrix directory and can be loaded into the Navigator to view the mapping.

Required actions

I highly recommend looking at the configs before implementing them in your production environment, so that your logging is as actionable as possible with as little noise as possible.

Prerequisites

Install the PowerShell modules from PSSysmonTools:

```powershell
git clone https://github.com/olafhartong/PSSysmonTools.git
cd PSSysmonTools
Import-Module .\PSSysmonTools.psm1
```

Customization

You will need to install the configuration and observe its results in your own environment before deploying it widely. For example, you will need to exclude the actions of your antivirus, which will otherwise likely fill up your logs with noise.
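One way to do that observation step, as an added example that is not part of sysmon-modular or PSSysmonTools: after installing a candidate config on a test host, tally which images generate the most Sysmon events per event ID. The log name is the standard Sysmon operational channel; the time window, the result count and the decision of what counts as noise are assumptions you adjust to your environment.

```powershell
# Added example, not part of sysmon-modular: rank (EventId, Image) pairs by volume
# from the Sysmon operational log so you can see what to consider excluding.
param(
    [int]$Hours = 24,   # how far back to look (assumed default)
    [int]$Top   = 15    # how many (EventId, Image) pairs to report (assumed default)
)

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No Sysmon events found in the last $Hours hours"
    return
}

$rows = foreach ($e in $events) {
    # Pull the EventData fields out of the event XML; field names differ per event type
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Most events carry Image; ProcessAccess (10) and CreateRemoteThread (8)
    # name the acting process in SourceImage instead, so prefer that when present
    $image = '<no image field>'
    if ($data['Image'])       { $image = $data['Image'] }
    if ($data['SourceImage']) { $image = $data['SourceImage'] }

    [pscustomobject]@{ EventId = $e.Id; Image = $image }
}

# The top of this list (AV engines, backup agents, EDR sensors) is what you review
# for exclusion, but only after confirming the activity is benign, not merely frequent.
$rows |
    Group-Object -Property EventId, Image |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name -First $Top |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session (reading the Sysmon log requires administrator rights). Rank by volume first, then decide per entry whether a precise exclusion (full path, condition "is") is justified; broad exclusions on an image name alone are exactly the blind spots attackers look for.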

Generating a config

```powershell
git clone https://github.com/olafhartong/sysmon-modular.git
cd sysmon-modular
.\Generate-Sysmon-Config.ps1
```

Optionally you can omit the comments from the merged config with the -ExcludeMergeComments switch.

You might see an error like: Merge-SysmonXMLConfiguration : The schema version of C:\Temp\sysmon-modular-master\sysmonconfig.xml () does not match that of the reference configuration. This comes from the validator: when the one-liner runs, sysmonconfig.xml has already been created but is still empty, so it is not a valid config at that point; the file is filled at the end of the generation phase. You can safely ignore the error.

You can test whether your config is schema compliant:

```powershell
Test-SysmonConfiguration .\sysmonconfig.xml
```
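Putting the Customization and Generating steps together, as an added example that is not part of sysmon-modular: drop a site-specific exclusion module into the matching event directory, regenerate the merged config and validate it. It assumes you are in the cloned sysmon-modular directory with PSSysmonTools imported, that Generate-Sysmon-Config.ps1 merges every .xml file it finds in the numbered module directories (an assumption about the generator, not documented above), and that the antivirus path and module file name are placeholders you replace with your own.

```powershell
# Added example, not part of sysmon-modular: add a local exclusion module, regenerate, validate.
# Assumes the current directory is the cloned sysmon-modular repo and PSSysmonTools is imported.
$avPath = 'C:\Program Files\ExampleAV\avscan.exe'   # placeholder; use your real AV engine binary
$moduleFile = '.\10_process_access\exclude_site_av.xml'   # placeholder name, event ID 10 directory

# Schema 4.1 module in the same shape as the repository's own modules. The exclusion uses
# the full path with condition "is": excluding on a bare image name would let an attacker
# hide simply by renaming their tool to match.
$module = @"
<Sysmon schemaversion="4.1">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 10: our AV engine legitimately opens handles to every running process -->
      <ProcessAccess onmatch="exclude">
        <SourceImage condition="is">$avPath</SourceImage>
      </ProcessAccess>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"@

# ASCII avoids a UTF-8 BOM at the start of the file (the path above contains only ASCII)
Set-Content -Path $moduleFile -Value $module -Encoding ASCII

# Regenerate the merged sysmonconfig.xml from all modules (assumed to pick up the new file),
# then run the schema check before the config goes anywhere near production
.\Generate-Sysmon-Config.ps1
Test-SysmonConfiguration .\sysmonconfig.xml
```

Keep such site-specific modules in a separate branch or overlay directory rather than editing the upstream include modules, so that pulling updates from the repository does not silently overwrite your exclusions, and review every exclusion in the generated sysmonconfig.xml before installing it.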

SysmonShell

This repository is also available within SysmonShell, a great tool by Nader Shalabi.

Use

Install

Run with administrator rights:

```powershell
sysmon.exe -accepteula -i sysmonconfig.xml
```

Update existing configuration

Run with administrator rights:

```powershell
sysmon.exe -c sysmonconfig.xml
```

Todo

  • Link more indicators to MITRE ATT&CK techniques.
  • Add / improve comments.
  • Extend, extend, extend.