Post

CyberThreat Hunting with (Sysmon)

Posted Updated
By
1 min read
CyberThreat Hunting with (Sysmon)

Sysmon (System Monitor) is a Windows system service and It is one of the Sysinternals tools. that, once installed, runs permanently on system reboots. Its main function is to monitor system activity and record detailed event information in the Windows event log. Sysmon provides detailed information about changes such as process creation, network connections, and file creation. This information can be collected and analyzed through Windows Event Collection or SIEM (Security Information and Event Management) tools to identify malicious or anomalous activity and provide you with an understanding of how intruders and malware are operating on your network.

Some features of Sysmon are:

Sysmon does not analyze the events it produces on its own. Additional tools or expertise are needed to analyze these events and draw meaningful conclusions.
Sysmon does not try to hide itself from attackers. Therefore, there is a possibility of detection through unauthorized access or malware.
It can also be applied as gpo to Sysmon clients

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
https://github.com/Sysinternals/SysmonForLinux

Conf. files:
https://github.com/SwiftOnSecurity/sysmon-config
https://github.com/olafhartong/sysmon-modular
https://github.com/Neo23x0/sysmon-config
##Usage on Cmdlet:
Install Default: .\Sysmon64.exe -i -accepteula
Update existing Configuration: .\Sysmon64.exe -c sysmon-config.xml
Show Configuration: .\Sysmon64.exe -s
#Uninstall: .\Sysmon64.exe  -u

Location: Event Viewer -> Applications and Services Logs -> Microsoft ->
Windows -> Sysmon -> Operational
Specific Log Size: 1 gigabayt = 1048576 kilobayt
Log files dir: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Sysmon%

What events are there in Sysmon?

Event ID 1: Process creation
Event ID 2: A process changed a file creation time
Event ID 3: Network connection
Event ID 4: Sysmon service state changed
Event ID 5: Process terminated
Event ID 6: Driver loaded
Event ID 7: Image loaded
Event ID 8: CreateRemoteThread
Event ID 9: RawAccessRead
Event ID 10: ProcessAccess
Event ID 11: FileCreate
Event ID 12: RegistryEvent (Object create and delete)
Event ID 13: RegistryEvent (Value Set)
Event ID 14: RegistryEvent (Key and Value Rename)
Event ID 15: FileCreateStreamHash
Event ID 16: ServiceConfigurationChange
Event ID 17: PipeEvent (Pipe Created)
Event ID 18: PipeEvent (Pipe Connected)
Event ID 19: WmiEvent (WmiEventFilter activity detected)
Event ID 20: WmiEvent (WmiEventConsumer activity detected)
Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)
Event ID 22: DNSEvent (DNS query)
Event ID 23: FileDelete (File Delete archived)
Event ID 24: ClipboardChange (New content in the clipboard)
Event ID 25: ProcessTampering (Process image change)
Event ID 26: FileDeleteDetected (File Delete logged)
Event ID 255: Error

SIEM
SIEM
This post is licensed under CC BY 4.0 by the author.