2 November 2025
Information:
I have for a long time been writing detections for Sysmon, made by
Sysinternals at Microsoft. The config file is very well tested
on live attacks and a lot of malware, and it has been tested with the
Atomic Red Team test tools as well. It has been used in
Blue Team / Red Team pen-tests with high success, and it is used in
forensic cases to monitor behavior on hacked / malware-infected systems.
The focus has been on logging only what is important.
If you log everything that Sysmon can log, you will get far too many
logs sent from the endpoints to your SIEM system. That can have an
impact on SIEM licenses and so on.
If you use an "undocumented" config file, you basically don't know
why something is logged in the first place. This config is documented
in itself, with rule names and references to MITRE, LOLBAS, LOLBINS and so
on. You will know why and what is logged and sent to the SIEM. From
there you can build near real-time alerting in Splunk or Elastic. You
can combine this with validation of things like hash values and IPs
from other systems like Recorded Future, MISP and others.
Rule based detections
Since Sysmon supports "rule based detections", many of the rules have
been written as such. This helps keep the amount of logs sent to the SIEM
down and the collection of logs very accurate.
Detection types
All detections are made with rule names and are related to MITRE,
LOLAPPS, LOLBAS, LOLDRIVERS and more.
AutoRuns
Sysinternals Autoruns is a tool that is very good at keeping an
eye on what is happening in the registry on Windows systems. An implementation
of the Sysinternals Autoruns detections has been added to the Sysmon config
file as well, so the Sysmon config will work like Autoruns.
Recommendation:
Note: You will need to customize the network detections in Event ID 3 to
match your needs. I have added a lot of common detections to the
Sysmon config file as a start; you may have other requirements.
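The rule-based style described above (named rules, MITRE references in the rule name, rule-based exclusions, and Event ID 3 network detections that you tune yourself) looks like this in a Sysmon config. This fragment is an added example written for this page, not the distributed config file; the rule names, the port, the publisher string and the image names are illustrative assumptions, and the schema version matches the Sysmon 15 / schema 4.90 requirement stated on this page.

```xml
<!-- Added example, not the author's config. Schema 4.90 = Sysmon 15.x. -->
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>

    <!-- Event ID 1, ProcessCreate. A named rule with groupRelation="and" only
         fires when every field inside it matches. The name is written into the
         event's RuleName field, so the SIEM can map the hit to the technique
         without a separate lookup table. -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Rule name="T1059.001 - PowerShell encoded command" groupRelation="and">
          <Image condition="end with">\powershell.exe</Image>
          <CommandLine condition="contains any">-enc;-ec</CommandLine>
        </Rule>
      </ProcessCreate>
    </RuleGroup>

    <!-- Event ID 3, NetworkConnect. This is the part the page says you must
         customize: the image and port below are placeholders for whatever is
         abnormal in your own environment. -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Rule name="T1571 - Non-standard port from scripting host" groupRelation="and">
          <Image condition="image">powershell.exe</Image>
          <DestinationPort condition="is any">4444;8443</DestinationPort>
        </Rule>
      </NetworkConnect>
    </RuleGroup>

    <!-- Event ID 6, DriverLoad, rule-based exclusion. A driver is dropped from
         the log only when it is BOTH signed by the expected publisher AND the
         signature is valid; an unsigned or revoked driver with the same
         publisher string is still logged. -->
    <RuleGroup name="" groupRelation="or">
      <DriverLoad onmatch="exclude">
        <Rule name="Trusted Microsoft driver" groupRelation="and">
          <Signature condition="contains">Microsoft Windows</Signature>
          <SignatureStatus condition="is">Valid</SignatureStatus>
        </Rule>
      </DriverLoad>
    </RuleGroup>

  </EventFiltering>
</Sysmon>
```

The point of the exclusion rule is that the two conditions are evaluated together: an exclusion on the publisher string alone would also hide a driver that merely claims that publisher but fails signature validation, which is exactly the case you want to keep in the log.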
Not Covered
"Event ID 24: ClipboardChange" is not covered, because it can be a
security risk in most environments: you don't want copied passwords
stored in clear text in an accessible folder.
But it can be very useful in other scenarios, like malware testing.
Supported Sysmon version
The Sysmon config can be used on Sysmon from version 15.00 (Sysmon schema version 4.90).
SIEM system
Sending logs to SIEM systems like Security Onion (Elastic) or
Splunk works very well, but I recommend using it with
Winlogbeat from Elastic and sending your logs to
Security Onion. I also recommend that you use proper Windows
logging set by security policies in Windows as GPOs. I can recommend
following the NSACyber guide.
Then you will have a very good logging system together with IDS
detection.
Sysmon install / uninstall / Auto update Config file
A Sysmon install / uninstall / config update script is included.
This makes it very easy to install / uninstall Sysmon and update the
Sysmon config file on clients and servers just by changing one file in
a central location. I can recommend using your own web server. You can auto-update all
clients and servers with my latest config file by using Task
Scheduler in Windows. Config files for Task Scheduler are included
for you to import into Task Scheduler. You just have to change where
you want hosts to get the config file from in the PowerShell
script.
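To show the shape of such a central-update flow, here is an added example script; it is not the script shipped in the zip file, and it assumes a placeholder URL ($ConfigUrl) on your own web server, a local folder ($SysmonDir) holding Sysmon64.exe, and the standard Sysmon switches -accepteula -i (install), -c (update config) and -u (uninstall). The staged download is validated as a Sysmon XML document and compared by hash with the config already applied, so a scheduled task can run it often without re-applying an unchanged config or handing a bad download to the driver.

```powershell
<#
  Added example (not the author's script): install / uninstall / central-update
  for Sysmon64. Change the two placeholders before use:
    $ConfigUrl - where your own web server publishes the config (placeholder)
    $SysmonDir - local folder holding Sysmon64.exe and the applied config (assumption)
  Run from Task Scheduler as SYSTEM with -Action Update.
#>
param(
    [ValidateSet('Install', 'Uninstall', 'Update')]
    [string]$Action    = 'Update',
    [string]$ConfigUrl = 'https://sysmon.example.internal/sysmonconfig.xml',  # placeholder
    [string]$SysmonDir = 'C:\Tools\Sysmon'                                     # assumption
)

$ErrorActionPreference = 'Stop'
$SysmonExe     = Join-Path $SysmonDir 'Sysmon64.exe'
$CurrentConfig = Join-Path $SysmonDir 'sysmonconfig.xml'
$StagedConfig  = Join-Path $SysmonDir 'sysmonconfig.staged.xml'

function Get-SysmonService {
    # The service name depends on which binary installed it (Sysmon.exe or Sysmon64.exe).
    Get-Service -Name 'Sysmon64', 'Sysmon' -ErrorAction SilentlyContinue | Select-Object -First 1
}

function Test-SysmonConfigFile {
    param([string]$Path)
    # Accept only well-formed XML whose root is <Sysmon schemaversion="...">, so a
    # captive-portal HTML page or a truncated download is never handed to the driver.
    try {
        $xml = [xml](Get-Content -Path $Path -Raw)
        return ($null -ne $xml.Sysmon -and -not [string]::IsNullOrEmpty($xml.Sysmon.schemaversion))
    } catch {
        return $false
    }
}

function Get-StagedConfig {
    # Force TLS 1.2 on older hosts and download to a staging file, never over the live config.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-WebRequest -Uri $ConfigUrl -OutFile $StagedConfig -UseBasicParsing
    if (-not (Test-SysmonConfigFile -Path $StagedConfig)) {
        Remove-Item -Path $StagedConfig -Force
        throw "File from $ConfigUrl is not a valid Sysmon config; keeping the current config."
    }
}

function Invoke-Sysmon {
    param([string[]]$Arguments)
    & $SysmonExe @Arguments
    # A non-zero exit code is treated as failure so the scheduled task reports it.
    if ($LASTEXITCODE -ne 0) { throw "Sysmon64.exe $($Arguments -join ' ') failed (exit $LASTEXITCODE)" }
}

switch ($Action) {
    'Uninstall' {
        if (Get-SysmonService) { Invoke-Sysmon -Arguments @('-u') }
        else { Write-Output 'Sysmon is not installed.' }
    }
    'Install' {
        Get-StagedConfig
        Move-Item -Path $StagedConfig -Destination $CurrentConfig -Force
        Invoke-Sysmon -Arguments @('-accepteula', '-i', $CurrentConfig)
    }
    'Update' {
        if (-not (Get-SysmonService)) { throw 'Sysmon is not installed; run with -Action Install.' }
        Get-StagedConfig
        # Push the config to the driver only when the central file actually changed.
        $newHash = (Get-FileHash -Path $StagedConfig -Algorithm SHA256).Hash
        $oldHash = if (Test-Path $CurrentConfig) { (Get-FileHash -Path $CurrentConfig -Algorithm SHA256).Hash } else { '' }
        if ($newHash -eq $oldHash) {
            Remove-Item -Path $StagedConfig -Force
            Write-Output 'Config unchanged; nothing to do.'
        } else {
            Move-Item -Path $StagedConfig -Destination $CurrentConfig -Force
            Invoke-Sysmon -Arguments @('-c', $CurrentConfig)
            Write-Output "Applied config with SHA256 $newHash"
        }
    }
}
```

Publishing the config over HTTPS from a server you control matters here: every host that runs this task will load whatever XML that URL returns into the Sysmon driver, so the validation step limits damage from a bad or intercepted download but does not replace a trusted source.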
Monitoring of Sysmon alerts.
It is easy to monitor Sysmon alerts and create Notables in Splunk
or alert dashboards in Security Onion.

Password protection on all Zip
files
If you want to run and test all configs,
you now have to use a password to unzip any of the files.
You can request the password by sending a request mail. You can find
my e-mail on my contact page.
If I can't relate your request to a company with valid names, you will
not get the password.
Sysmon with install / uninstall scripts and auto update scripts.
Filename: Sysmon_15.15_Config_120.zip
SHA1: e7c18c32b53b04255e1238961622d08e172dd145
Sysmon Cheatsheet
Filename: Sysmon-Cheatsheet.pdf
SHA1: e573f2c2b46a5abef726b73f3690005b04780e5e
2-11-2025
Changes:
- Sysmon Config 120
- Obfuscated Files or Information
- Data from Local System
- File Metadata
- Exfiltration Over Alternative Protocol
- Encrypted Channel
25-10-2025
Changes:
- Sysmon Config 116
- Network Sniffing
- Data Encrypted for Impact
24-10-2025
Changes:
- Sysmon Config 115
- Command and Scripting Interpreter
- Data Obfuscation: Steganography
23-10-2025
Changes:
- Sysmon Config 114
- Windows Command Shells
- Service Execution
- OS Credential Dumping
10-10-2025
Changes:
- Sysmon Config 110
- Exfiltration Over Bluetooth
21-09-2025
Changes:
- Sysmon Config 108
- SIM Card Swap
21-09-2025
Changes:
- Sysmon Config 107
- Exfiltration Over Bluetooth
21-09-2025
Changes:
- Sysmon Config 106
- Driver Loaded add exclusions
- WMIC all Active
20-09-2025
Changes:
- Sysmon Config 105
- Driver Loaded rewrite to rule based exclusions
19-09-2025
Changes:
- Sysmon Config 104
- System Network Configuration Discovery
- Security Software Discovery
02-09-2025
Changes:
- Sysmon Config 103
- Masquerading - Invalid Code Signature
24-08-2025
Changes:
- Sysmon Config 102
- Impair Defenses
13-08-2025
Changes:
- Sysmon Config 101
- Inhibit System Recovery
28-07-2025
Changes:
- Sysmon Config 100
- ISS Monitor
17-07-2025
Changes:
- Sysmon Config 99
- New TOR Detection
- New Nirsoft Detection
20-06-2025
Changes:
- Sysmon Config 97
- New MITRE numbers on Windows Command Shell
- Clean-up in ID 22
30-05-2025
Changes:
- Sysmon Config 95
- Network Connection
- File Block Executable
26-05-2025
Changes:
- Sysmon Config 94
- Indicator Removal
- Disable or Modify Tools
10-05-2025
Changes:
- Sysmon Config 90
- OneDrive Private Sync
09-05-2025
Changes:
- Sysmon Config 89
- Hidden Files and Directories
- LOLBAS Signed Binary Proxy Execution
- Reorder CMD and PowerShell detection
27-04-2025
Changes:
- Sysmon Config 87
- Commonly Used Port
- Resource Hijacking
- Ingress Tool Transfer
26-04-2025
Changes:
- Sysmon Config 86
- Network Service Discovery
- Local Data Staging
- Ingress Tool Transfer
23-04-2025
Changes:
- Sysmon Config 85
- NGROK detection
- Ncat detection