Sysmon
Setup and config files

02 February 2025

Information:
I have for a long time been writing detections for Sysmon, the Sysinternals tool from Microsoft. The config file is very well tested against live attacks and a lot of malware, and has been tested with the Atomic Red Team test tools as well. It has been used in Blue Team / Red Team pen-tests with high success, and it is used in forensic cases to monitor behaviour on hacked or malware-infected systems.

The focus has been on logging only what is important. If you log everything that Sysmon can log, you will get far too many logs sent from the endpoints to your SIEM system. That can have an impact on SIEM licensing and so on.

If you use "undocumented" config files, you basically don't know why something is logged in the first place. This config is documented in itself, with rule names and references to MITRE, LOLBAS, LOLBINS and so on. You will know why and what is logged and sent to the SIEM. From there you can build near real-time alerting in Splunk or Elastic. You can combine this with validation of things like hash values and IPs from other systems such as Recorded Future, MISP or others.

Rule based detections
Since Sysmon supports "rule based detections", many of the rules have been written as such. This helps keep the amount of logs sent to the SIEM down and makes the collection of logs very accurate.

Detection types
All detections are made with rule names and are related to MITRE, LOLAPPS, LOLBAS, LOLDRIVERS and so on.

AutoRuns
Sysinternals AutoRuns is a tool that is very good at keeping an eye on what is happening in the registry on Windows systems. An implementation of the Sysinternals Autoruns detections has been added to the Sysmon config file as well.

Recommendation:
Note: You will need to customize the network detections in Event ID 3 to match your needs. I have added a lot of common detections to the Sysmon config file as a start.
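As an added example (not part of the config pack described on this page), the fragment below shows the rule-based style the sections above describe for Event ID 3: every include rule carries a name with its MITRE technique, known-good traffic is excluded, and a small helper lists each named rule so you can see what is logged and why. The rule names, ports, image names and the 10.10.0.0/24 management subnet are constructed placeholders to be replaced with your own values.

```powershell
# Added example, not the page's own config: a minimal Sysmon EventFiltering
# section for Event ID 3 (NetworkConnect) using named rules, plus a helper
# that summarises every named rule in a config.
# All rule names, ports, images and the management subnet are placeholders.

$SampleConfig = @'
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 3: only log connections that match a named rule -->
      <NetworkConnect onmatch="include">
        <Rule name="T1021.001 - RDP outbound" groupRelation="and">
          <DestinationPort condition="is">3389</DestinationPort>
          <Initiated condition="is">true</Initiated>
        </Rule>
        <Rule name="T1059.001 - PowerShell network connection" groupRelation="and">
          <Image condition="end with">\powershell.exe</Image>
          <Initiated condition="is">true</Initiated>
        </Rule>
        <Image name="T1105 - LOLBAS certutil network use" condition="end with">\certutil.exe</Image>
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Exclude known-good traffic so it never reaches the SIEM.
           In Sysmon, exclude rules win over include rules. -->
      <NetworkConnect onmatch="exclude">
        <Rule name="Known good - RDP to management subnet" groupRelation="and">
          <DestinationIp condition="begin with">10.10.0.</DestinationIp>
          <DestinationPort condition="is">3389</DestinationPort>
        </Rule>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

function Get-SysmonRuleSummary {
    # Walks EventFiltering/RuleGroup/<EventType> and emits one object per
    # named rule or single-field filter, with the fields it matches on.
    param([Parameter(Mandatory)][xml]$Config)

    foreach ($group in $Config.Sysmon.EventFiltering.RuleGroup) {
        foreach ($eventNode in $group.ChildNodes) {
            if ($eventNode.NodeType -ne 'Element') { continue }   # skip XML comments
            foreach ($child in $eventNode.ChildNodes) {
                if ($child.NodeType -ne 'Element') { continue }
                if ($child.LocalName -eq 'Rule') {
                    $fields = ($child.ChildNodes |
                        Where-Object NodeType -eq 'Element' |
                        ForEach-Object LocalName) -join ','
                } else {
                    $fields = $child.LocalName
                }
                [pscustomobject]@{
                    EventType = $eventNode.LocalName              # e.g. NetworkConnect
                    OnMatch   = $eventNode.GetAttribute('onmatch')
                    RuleName  = $child.GetAttribute('name')       # shows up as RuleName in the event
                    Fields    = $fields
                }
            }
        }
    }
}

# Usage: list every named rule, its event type and whether it includes or excludes.
Get-SysmonRuleSummary -Config ([xml]$SampleConfig) | Format-Table -AutoSize
```

The `name` attribute on a `Rule` or field element is what Sysmon writes into the `RuleName` field of the logged event, so a SIEM search can be keyed on the technique id directly. Running the helper over your real config before deploying it is a quick way to catch include rules that were left without a name.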

Not Covered
"Event ID 24: ClipboardChange" is not covered, because it can be a security risk in most environments. You don't want copied passwords stored in clear text in an accessible folder.

Supported Sysmon version
The Sysmon config can be used on Sysmon from version 15.00. (Sysmon schema version: 4.90).

SIEM system
Logs sent to SIEM systems like Security Onion (Elastic) or Splunk work very well. I recommend using it with Winlogbeat from Elastic and sending your logs to Security Onion. I also recommend that you use proper Windows logging, set by security policies in Windows as GPOs; I can recommend following the NSACyber guide.
Then you will have a very good logging system together with IDS detection.

Sysmon install / uninstall  / Auto update Config file

A Sysmon Install / Uninstall / Config Update script is included.

This makes it very easy to install / uninstall Sysmon and update the Sysmon config file on clients and servers just by changing one file in a central location. I can recommend using your own web server. You can auto-update all clients and servers with my latest config file by using Task Scheduler in Windows. Config files for Task Scheduler are included for you to import. You just have to change, in the PowerShell script, where you want the hosts to fetch the config file from.
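As an added example (not the install/update script shipped in the zip), the script below shows the central-web-server update flow described above with one extra check: the downloaded config is only applied if its SHA1 matches a published hash, and `sysmon64 -c` is only run when the config actually changed. The URLs, the Sysmon path, the service name check and the task name are assumptions to replace with your own.

```powershell
# Added example, not the page's own script: fetch a Sysmon config from a
# central web server, verify its SHA1, and install or update Sysmon with it.
# $ConfigUrl, $HashUrl, $SysmonExe, $LocalConfig and the task name are placeholders.

$ConfigUrl   = 'https://sysmon.internal.example/sysmonconfig.xml'   # placeholder
$HashUrl     = 'https://sysmon.internal.example/sysmonconfig.sha1'  # placeholder
$SysmonExe   = Join-Path $env:ProgramFiles 'Sysmon\Sysmon64.exe'     # placeholder path
$LocalConfig = Join-Path $env:ProgramData 'Sysmon\sysmonconfig.xml'  # placeholder path

function Update-SysmonConfig {
    param($ConfigUrl, $HashUrl, $SysmonExe, $LocalConfig)

    $tmp = Join-Path $env:TEMP 'sysmonconfig.download.xml'
    Invoke-WebRequest -Uri $ConfigUrl -OutFile $tmp -UseBasicParsing
    $expected = (Invoke-WebRequest -Uri $HashUrl -UseBasicParsing).Content.Trim().ToLower()
    $actual   = (Get-FileHash -Path $tmp -Algorithm SHA1).Hash.ToLower()

    # Refuse to apply a config whose hash does not match the published one.
    if ($actual -ne $expected) {
        Remove-Item $tmp -Force
        throw "Downloaded config hash $actual does not match published hash $expected; not applying."
    }

    # Nothing to do if the deployed config already has this hash.
    if ((Test-Path $LocalConfig) -and
        ((Get-FileHash -Path $LocalConfig -Algorithm SHA1).Hash.ToLower() -eq $actual)) {
        Write-Output 'Sysmon config already up to date.'
        return
    }

    New-Item -ItemType Directory -Path (Split-Path $LocalConfig) -Force | Out-Null
    Move-Item -Path $tmp -Destination $LocalConfig -Force

    # Sysmon64 installs a service named "Sysmon64"; use -c to update an
    # existing install and -i for a first install. ("-u force" uninstalls.)
    if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
        & $SysmonExe -c $LocalConfig
    } else {
        & $SysmonExe -accepteula -i $LocalConfig
    }
    if ($LASTEXITCODE -ne 0) { throw "Sysmon returned exit code $LASTEXITCODE" }
    Write-Output "Sysmon config updated to SHA1 $actual"
}

function Register-SysmonUpdateTask {
    # Registers a daily SYSTEM task that runs this script (placeholder name/time).
    param($ScriptPath, $TaskName = 'Sysmon Config Update')
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -Daily -At 03:00
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Force
}

Update-SysmonConfig -ConfigUrl $ConfigUrl -HashUrl $HashUrl `
    -SysmonExe $SysmonExe -LocalConfig $LocalConfig
```

Fetching the hash from the same web server only protects against a corrupted or partial download; if the server itself is compromised, both files change together. For a stronger check, pin the expected hash in the script or in the scheduled task's arguments so that a new config cannot be pushed to every host without a change on the management side as well, and serve the files over HTTPS only.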

Monitoring of Sysmon alerts
It is easy to monitor Sysmon alerts and create Notables in Splunk or alert dashboards in Security Onion.

Password protection on all Zip files
If you want to run and test all configs, you now have to use a password to unzip the files.
You can request the password by sending a request mail. You can find my e-mail on my contact page.

Winlogbeat, registry files and setup instructions.
Filename: Install_pack.zip
SHA1: d555045efc16b4f80088074e5133b38170d5104a

Sysmon with install / uninstall scripts and auto update scripts.
Filename: Sysmon_15.15_Config_74.zip
SHA1: 5304fb42c268a59bd24bbd68e6d6313a34688bf2

Sysmon Cheatsheet
Filename: Sysmon-Cheatsheet.pdf
SHA1: e573f2c2b46a5abef726b73f3690005b04780e5e

Latest updates

02-02-2025
Changes:
- Sysmon Config 74
- More Pentest tools

31-01-2025
Changes:
- Sysmon Config 72
- Pentest tools

14-01-2025
Changes:
- Sysmon Config 70
- Remote tools

02-01-2025
Changes:
- Sysmon Config 69
- Wi-Fi Discovery

15-12-2024
Changes:
- Sysmon Config 68
- FIN6 Detection

22-11-2024
Changes:
- Sysmon Config 67
- Active Scanning
- File Block

14-11-2024
Changes:
- Sysmon Config 66
- File Block Unwanted remote admin tools
- LOLBINS
- Sysmon tampering

2-11-2024
Changes:
- Sysmon Config 65
- Remote Access Software

18-10-2024

Changes:
- Sysmon Config 57
- LOLAPPS - Persistence

15-10-2024
Changes:
- Sysmon Config 56
- Backup for data exfil