Project Name | Stars | Downloads / Repos Using This / Packages Using This | Most Recent Commit | Total Releases | Latest Release | Open Issues | License | Language | Description
---|---|---|---|---|---|---|---|---|---
Sigma | 6,412 | 3 | 2 days ago | 33 | April 08, 2022 | 23 | other | Python | Main Sigma Rule Repository
Detectionlab | 4,129 | | 2 months ago | | | 31 | mit | HTML | Automate the creation of a lab environment complete with security tooling and logging best practices
Sysmon Config | 4,081 | | 23 days ago | | | 71 | | | Sysmon configuration file template with default high-quality event tracing
Sysmontools | 1,374 | | 2 years ago | | | 7 | | | Utilities for Sysmon
Sentinel Attack | 692 | | 2 years ago | | | 9 | mit | HCL | Tools to rapidly deploy a threat hunting capability on Azure Sentinel that leverages Sysmon and MITRE ATT&CK
Lme | 685 | | a month ago | | | | apache-2.0 | Shell | Logging Made Easy
Sysmon Config | 529 | | 4 years ago | | | | | Batchfile | Advanced Sysmon configuration, Installer & Auto Updater with high-quality event tracing
Ghost In The Logs | 297 | | 3 years ago | | | | mit | C | Evade sysmon and windows event logging
Windows_event_logging | 160 | | 2 years ago | | | | bsd-3-clause | PowerShell | Windows Event Forwarding subscriptions, configuration files and scripts that assist with implementing ACSC's protect publication, Technical Guidance for Windows Event Logging.
Sysmon Config Bypass Finder | 68 | | 4 years ago | | | | gpl-3.0 | Python | Detect possible sysmon logging bypasses given a specific configuration
See the develop branch for more bleeding-edge updates: https://github.com/ion-storm/sysmon-config/tree/develop
This config is based on the OR logic in Sysmon 8.00 and 8.04; Sysmon 8.02 breaks this functionality. 8.00 also introduced a memory leak that will consume all available memory on your system if you frequently reload the config file, so upgrading to 8.04 is mandatory.
This is a Microsoft Sysinternals Sysmon configuration file template with default high-quality event tracing.
The file provided should function as a great starting point for system monitoring in a self-contained package. This configuration and its results should give you a good idea of what is possible with Sysmon.
Because virtually every line is commented and sections are marked with explanations, it should also function as a tutorial for Sysmon and a guide to critical monitoring areas in Windows systems. It demonstrates a lot of what I wish I had known when I began with Sysmon in 2014.
Pull requests and issue tickets are welcome, and new additions will be credited in-line or on Git.
Note: Exact syntax and filtering choices are deliberate, to catch the appropriate entries with as little performance impact as possible. Sysmon's filtering abilities are different from the built-in Windows auditing features, so a different approach is often taken than the usual static listing of every possible important area.
This now has an Auto Updater script to update to the latest Sysmon config hourly. This is great for mass deployments without having to manually update thousands of systems.
Install (or run Install Sysmon.bat) with administrator rights:
```
sysmon.exe -accepteula -i sysmonconfig-export.xml
```
Update the configuration with administrator rights:
```
sysmon.exe -c sysmonconfig-export.xml
```
Uninstall with administrator rights:
```
sysmon.exe -u
```
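The hourly auto-update described above, as an added example that is not the project's own Install Sysmon.bat or Auto Updater script: it fetches the config, refuses anything that is not a well-formed Sysmon configuration, and only calls `sysmon.exe -c` when the content actually changed. Assumed: `sysmon.exe` is on PATH, the raw download URL is derived from the develop branch link given above, and the local copy lives under `$env:ProgramData\sysmon`; run it from an elevated PowerShell (for example from a scheduled task).

```powershell
# Added example, not the repository's own updater. Assumptions: sysmon.exe on
# PATH, $ConfigUrl derived from the develop branch URL in the README, local copy
# kept at $LocalConfig. Must run elevated, since 'sysmon.exe -c' requires it.
param(
    [string]$ConfigUrl   = 'https://raw.githubusercontent.com/ion-storm/sysmon-config/develop/sysmonconfig-export.xml',
    [string]$LocalConfig = "$env:ProgramData\sysmon\sysmonconfig-export.xml",
    [string]$SysmonExe   = 'sysmon.exe'
)

$ErrorActionPreference = 'Stop'
$null = New-Item -ItemType Directory -Force -Path (Split-Path $LocalConfig)
$tmp = Join-Path $env:TEMP 'sysmonconfig-candidate.xml'

# 1. Fetch the candidate config over HTTPS.
Invoke-WebRequest -Uri $ConfigUrl -OutFile $tmp -UseBasicParsing

# 2. Refuse anything that is not a well-formed Sysmon config. A truncated file
#    or an HTML error page must never reach 'sysmon.exe -c': a failed reload
#    would leave the host with stale filtering, and the [xml] cast throws on
#    malformed input.
[xml]$doc = Get-Content -Path $tmp -Raw
if ($doc.DocumentElement.Name -ne 'Sysmon') {
    Remove-Item $tmp
    throw "Downloaded file is not a Sysmon configuration (root element '$($doc.DocumentElement.Name)')"
}

# 3. Reload only when the content changed. The README notes that frequent
#    reloads triggered a memory leak on Sysmon 8.00, and an hourly task
#    should not churn the driver for identical files.
$newHash = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
$oldHash = if (Test-Path $LocalConfig) { (Get-FileHash -Path $LocalConfig -Algorithm SHA256).Hash } else { '' }
if ($newHash -eq $oldHash) {
    Write-Host "Sysmon config unchanged (SHA256 $newHash); nothing to do."
    Remove-Item $tmp
    return
}

# 4. Apply with the documented update flag; keep the new copy only on success
#    so the next run compares against what is actually loaded.
& $SysmonExe -c $tmp
if ($LASTEXITCODE -ne 0) {
    Remove-Item $tmp
    throw "sysmon.exe -c failed with exit code $LASTEXITCODE; previous config retained"
}
Move-Item -Force -Path $tmp -Destination $LocalConfig
Write-Host "Sysmon config updated to SHA256 $newHash"
```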
Hide the Sysmon service (run with administrator rights). This security descriptor denies Interactive Users, service accounts and the Administrators group the rights to query status, stop, pause, delete or reconfigure the service, so it no longer appears in service listings and cannot be stopped until the descriptor is restored; Administrators keep WRITE_DAC, which is what lets the Restore command undo it:
```
sc sdset Sysmon D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
```
Restore the standard service security descriptor (run with administrator rights):
```
sc sdset Sysmon D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
```