A repository of sysmon configuration modules
gastori/sysmon-modular

sysmon-modular | A Sysmon configuration repository for everybody to customize


This is a Microsoft Sysinternals Sysmon configuration repository, set up in a modular way for easier maintenance and for generating configs tailored to specific needs.

The sysmonconfig.xml within the repo is automatically generated after a successful merge by the PowerShell script and a successful load by Sysmon in an Azure Pipeline run.

This is a publicly available and maintained fork that should NOT be used in production unless it has been thoroughly tested in your environment and tuned to your needs. While the original fork from Olaf Hartong is reliable and stable, this one should be considered unstable: new features are pushed more often as I make changes during testing, and they have not been tuned.

Note: I do recommend using a minimal number of configurations within your environment, for several obvious reasons such as maintenance, consistent output across hosts, manageability, and so on.

Credits

Most of this work was started and is still maintained by Olaf Hartong. He is creating stable and reliable configs on a very stable schedule as new versions of Sysmon are released.

Big credit goes out to SwiftOnSecurity for laying a great foundation and making this repo possible (sysmonconfig-export.xml)!

Equally a huge shoutout to Roberto Rodriguez for his amazing work on the ThreatHunter-Playbook and his contribution to the community on his blog.

Final thanks to Mathias Jessen for his merge script; without it, this project would not have worked as well.

Contributing

Pull requests/issue tickets and new additions will be greatly appreciated!

More information

I started a series of blog posts covering this repo:

Mitre ATT&CK

I strive to map all configurations to the ATT&CK framework wherever Sysmon is able to detect the technique. A current ATT&CK Navigator export of all linked configurations is found here and can be viewed here.

Required actions

I highly recommend reviewing the configs before implementing them in your production environment. This lets you get logging that is as actionable as possible with as little noise as possible.

Customization

You will need to install and observe the results of the configuration in your own environment before deploying it widely. For example, you will need to exclude actions of your antivirus, which will otherwise likely fill up your logs with useless information.

Generating a config

PowerShell

$> git clone https://github.com/olafhartong/sysmon-modular.git
$> cd sysmon-modular
$> # dot-source the merge script so its functions are available in this session
$> . .\Merge-SysmonXml.ps1
$> # merge every module in the numbered folders into one config file
$> Merge-AllSysmonXml -Path ( Get-ChildItem '[0-9]*\*.xml') -AsString | Out-File sysmonconfig.xml
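To show what the merge step above produces, here is an added example (written for this page; it is not the repository's Merge-SysmonXml.ps1) that merges a few constructed module fragments into one Sysmon config, grouping rules by event type and onmatch value the way a generated sysmonconfig.xml is laid out. The fragment layout, the module file names and the EXAMPLE_AV path are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modules (not files from the repo). The fragment layout
# assumed here: <Sysmon><EventFiltering><RuleGroup><Event onmatch=...>rules.
MODULES = {
    "1_process_creation/include_powershell.xml": """<Sysmon schemaversion="4.30">
<EventFiltering><RuleGroup name="" groupRelation="or">
<ProcessCreate onmatch="include">
<Image condition="end with" name="technique_id=T1059.001">powershell.exe</Image>
<Image condition="end with" name="technique_id=T1059.001">pwsh.exe</Image>
</ProcessCreate></RuleGroup></EventFiltering></Sysmon>""",
    "1_process_creation/exclude_av.xml": """<Sysmon schemaversion="4.30">
<EventFiltering><RuleGroup name="" groupRelation="or">
<ProcessCreate onmatch="exclude">
<Image condition="is">C:\\EXAMPLE_AV\\scanner.exe</Image>
</ProcessCreate></RuleGroup></EventFiltering></Sysmon>""",
    "3_network_connection/include_powershell.xml": """<Sysmon schemaversion="4.30">
<EventFiltering><RuleGroup name="" groupRelation="or">
<NetworkConnect onmatch="include">
<Image condition="end with" name="technique_id=T1059.001">powershell.exe</Image>
</NetworkConnect></RuleGroup></EventFiltering></Sysmon>""",
}

def merge_modules(modules, schemaversion="4.30"):
    """Merge fragments into one config with one RuleGroup per (event, onmatch)."""
    groups = {}  # (event tag, onmatch) -> merged event element
    for name in sorted(modules):  # numeric folder prefix fixes the merge order
        root = ET.fromstring(modules[name])
        for event in root.iter():
            onmatch = event.get("onmatch")
            if onmatch is None:  # Sysmon/EventFiltering/RuleGroup/rule nodes
                continue
            key = (event.tag, onmatch)
            groups.setdefault(key, ET.Element(event.tag, onmatch=onmatch)).extend(list(event))
    sysmon = ET.Element("Sysmon", schemaversion=schemaversion)
    filtering = ET.SubElement(sysmon, "EventFiltering")
    for key in sorted(groups):
        rg = ET.SubElement(filtering, "RuleGroup", name="", groupRelation="or")
        rg.append(groups[key])
    return sysmon

def rule_count(config, event, onmatch):
    """Number of rules in the merged (event, onmatch) group, e.g. for sanity checks."""
    return sum(len(ev) for ev in config.iter(event) if ev.get("onmatch") == onmatch)

if __name__ == "__main__":
    print(ET.tostring(merge_modules(MODULES), encoding="unicode"))
```

The two ProcessCreate modules end up as separate include and exclude groups, which is the point of keeping noise exclusions (such as your antivirus) in their own module files.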

Use

Install

Run with administrator rights

sysmon.exe -accepteula -i sysmonconfig.xml

Update existing configuration

Run with administrator rights

sysmon.exe -c sysmonconfig.xml
