|Project Name||Stars||Downloads||Repos Using This||Packages Using This||Most Recent Commit||Total Releases||Latest Release||Open Issues||License||Language|
|Sigma||6,453||3||13 hours ago||33||April 08, 2022||21||other||Python|
|Main Sigma Rule Repository|
|Detectionlab||4,129||2 months ago||31||mit||HTML|
|Automate the creation of a lab environment complete with security tooling and logging best practices|
|Sysmon Config||4,081||a month ago||71|
|Sysmon configuration file template with default high-quality event tracing|
|Sysmontools||1,374||2 years ago||7|
|Utilities for Sysmon|
|Sentinel Attack||692||2 years ago||9||mit||HCL|
|Tools to rapidly deploy a threat hunting capability on Azure Sentinel that leverages Sysmon and MITRE ATT&CK|
|Lme||685||2 months ago||apache-2.0||Shell|
|Logging Made Easy|
|Sysmon Config||529||4 years ago||n,ull||Batchfile|
|Advanced Sysmon configuration, Installer & Auto Updater with high-quality event tracing|
|Ghost In The Logs||297||3 years ago||mit||C|
|Evade sysmon and windows event logging|
|Windows_event_logging||160||2 years ago||bsd-3-clause||PowerShell|
|Windows Event Forwarding subscriptions, configuration files and scripts that assist with implementing ACSC's protect publication, Technical Guidance for Windows Event Logging.|
|Sysmon Config Bypass Finder||68||4 years ago||gpl-3.0||Python|
|Detect possible sysmon logging bypasses given a specific configuration|
This repository contains the following:
Sysmon View helps in tracking and visualizing Sysmon logs by logically grouping and correlating the various Sysmon events together, using existing events data, such as executables names, session GUIDs, event creation time, etc., the tool then re-arranges this data for display into multiple views
To get started, export Sysmon events to XML fileusing the built-in WEVTUtil, this file will be imported later by Sysmon View:
WEVTUtil query-events "Microsoft-Windows-Sysmon/Operational" /format:xml /e:sysmonview > eventlog.xml
Once exported, run Sysmon View and import the generated file eventlog.xml (or the name you selected), please note that this might take some time, depending on the size of the log file (the file needs to be imported once, subsequent runs of Sysmon View do not require importing the data again, just use the file menu
File -> Load existing data to load previously imported data again).
All data will be imported to a SQLite database file named SysmonViewDB that resides in the same location as Sysmon View executable. This file can be shared with others if required, just place the file in the same location as Sysmon View and use the command
File -> Load existing data.
Each time a new XML file is imported, the database file will be deleted and re-created. To preserve any previously imported data, copy the database file to another location or simply rename it.
The database can be used directly in your own applications too, the database contains summaries of hashes, executables, IP addresses, geo mappings and all are logically linked through a file name or a session (executable GUID).
You can query the database file directly using any SQLite management software without the need for Sysmon View, for example, to generate reports or analyze data
Process View this view simply helps focus on a summary of "run sessions", for example, the analyst can start with executable name (such as cmd.exe) or event type (such as Network event), from there, further filtering can be applied, for example, finding running sessions originating for the same binary, but from different locations. This view utilizes the process GUID to filter events per session "run", selecting any running session (from the list of GUIDs) will show all other related (correlated) events in a simple data-flow-like view, sorted using the time of the event. Note: in case data is being imported from an Elasticsearch instance instead of single machine, events can be arranged per executable per machine - check previous section "Experimental - Sysmon View and Elasticsearch").
Access to Sysmon event details is provided by simply double-clicking any event in the view, for example, the previous screen capture shows the details of the Process Creation event (event ID 1), the tool also can integrate with VirusTotal upon demand for further hash and IP lookup (Needs an API key registration).
Map View : During the events import process, there is an option to geo-locate IP addresses, if set, Sysmon View will try to geo-map Network Destinations using https://ipstack.com/ service.
In map view, it is easy to navigate between correlated (related) events by using a network event as a starting point, again, the tool is able to achieve this using the running process session GUID. To explore related events, use the hyperlinks for the session GUID, a new view similar to process view will show up in a new window with all related session events:
All Events View can also be used to do a full search through all Sysmon collected events data, it also helps in viewing events that do not relate to other events, such as the "Driver Loaded" event type. Navigation between related events is still provided using the process GUID in addition to event details by clicking on FID link
Additionally, The All Events View supports pivot-like (grouping) arrangement of events, by machine name, event type or GUID, as shown below
Multiple grouping levels are also possible
Sysmon Shell can aid in writing and applying Sysmon XML configurations through a simple GUI interface.
Sysmon Shell can also be used to explore the various configuration options available to Sysmon, easily apply and update XML configuration, in addition to exporting Sysmon events logs, in a nutshell:
Sysmon.exe -c commanddirectly (creating a temporary XML file in the same folder where Sysmon is installed), for this reason, if this feature is used, Sysmon Shell will require elevated privileges (the need for this is inherited from Sysmon process itself), the output of applying the configuration will be displayed in the preview pan (this is Sysmon generated output)
What it wont do: warn you about Include/Exclude conflicts or attempt to validate the rules itself, however, once the configuration is applied, the preview pane will display the output captured from Sysmon.exe when configuration is applied (the output of
Sysmon -c command), from which errors can be identified
Sysmon Box is a small utility that can aid in building a database of captured Sysmon and Network traffic.
To run Sysmon Box, use the following command (Sysmon needs to be up and running along with tshark):
SysmonBox -in Wi-Fi
The tool then will carry out the following:
Copyright 2018 Nader Shallabi. All rights reserved. SYSMON TOOLS CAN BE COPIED AND/OR DISTRIBUTED WITHOUT ANY EXPRESS PERMISSION OF NADER SHALLABI. THIS SOFTWARE IS PROVIDED BY NADER SHALLABI ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NADER SHALLABI OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The views and conclusions contained in the software and documentation are those of the authors and should not be interpreted as representing official policies, either expressed or implied, of Nader Shallabi.