Sysinternals Sysmon


Windows System Monitor (sysmon) is a kernel-level driver that allows for the selective capture and logging of detailed system actions that happen on a Windows system. Similar to commercial Endpoint Detection and Response (EDR) security tools, sysmon can capture hashes of running processes, binary image loads, loading and unloading of drivers, raw disk access, network connections, registry changes, and more. This data can be used by developers to debug issues and by security professionals looking for suspicious activity.

Acquiring Sysmon

Sysmon is part of the Windows Sysinternals suite and is available for any supported Windows operating system for free on Microsoft’s website, either standalone or as part of the entire suite. Older versions are also available for legacy Windows versions; however, not all features may be present in them.

Sysmon Configuration Files

Sysmon uses an XML-based configuration file with the following structure:

<Sysmon schemaversion="4.22">
  <!-- Select which hash algorithms to capture for binary images (md5, sha1, sha256, imphash or *) -->
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- This section specifies which types of actions to track.
         Every event type needs an onmatch attribute: "exclude" with no rules
         logs every event of that type, "include" logs only events that match a rule. -->
    <DriverLoad onmatch="exclude" />
    <ProcessTerminate onmatch="exclude" />
    <!-- Log network connections to port 22 ... -->
    <NetworkConnect onmatch="include">
      <DestinationPort>22</DestinationPort>
    </NetworkConnect>
    <!-- ... except those made by PuTTY; exclude rules take precedence over include rules -->
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">putty.exe</Image>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>

Each of the top-level event types within the <EventFiltering> tag can contain sub-options that include or exclude particular indicators. You could, for example, exclude common network connection ports or known-good executables from your environment. The example above shows only a small sample of the available options; see the Further Reading section at the end for more complete documentation.

One of the biggest challenges with sysmon is filtering out uninteresting data. Whether you are looking for malicious activity or simply trying to debug a misbehaving program, it is all too easy to have sysmon generate a lot of noise in the logs. Fortunately, you don’t need to start from scratch as the open nature of sysmon means that there are many shared configuration files which can be adapted for many needs. One excellent example is sysmon-config by SwiftOnSecurity.

Installing Sysmon

Sysmon is installed simply by copying the binary to the desired system along with a configuration file and running the following from an Administrator command prompt:

sysmon -i config.xml

This will immediately load the driver into memory and start monitoring according to the configuration file. The installation persists across reboots until sysmon -u is run to uninstall it.

Updating a Configuration

You can verify the current configuration in the running sysmon instance by running:

sysmon -c

If desired, you can update it to a new configuration file by running:

sysmon -c new-config.xml

Similar to installation, changes will take effect immediately and do not require a reboot.

Reading the Logs

On modern versions of Windows, sysmon writes to the Microsoft-Windows-Sysmon/Operational event log. This can be queried using the normal methods such as Get-WinEvent or Event Viewer. Additionally, these events can be forwarded to a central collector using Windows Event Forwarding, which makes central monitoring and analysis of logs much easier than searching across hundreds or thousands of systems.
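As an added example (not part of the original post), the following PowerShell script pulls the last hour of Sysmon NetworkConnect events (Event ID 3) from the operational log, parses the EventData fields out of the event XML, and tabulates them by image and destination port so you can see what a filter like the one above is actually letting through. It assumes an elevated PowerShell session on a host where Sysmon is installed and logging to the default channel.

```powershell
# Added example: summarise Sysmon NetworkConnect events to check a rule set.
$LogName = 'Microsoft-Windows-Sysmon/Operational'
$Since   = (Get-Date).AddHours(-1)

# Event ID 3 is Sysmon's NetworkConnect event.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Id        = 3
    StartTime = $Since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No NetworkConnect events in the last hour. Check the rule set with: sysmon -c"
    return
}

# Sysmon stores its fields in EventData; parse the XML rather than the message text.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    [pscustomobject]@{
        Time            = $e.TimeCreated
        Image           = $d['Image']
        User            = $d['User']
        DestinationIp   = $d['DestinationIp']
        DestinationPort = [int]$d['DestinationPort']
    }
}

# Count by image and port. High-volume, expected pairs are candidates for an
# exclude rule; anything unexpected is worth a closer look.
$rows | Group-Object Image, DestinationPort |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# With the sample configuration above, port 22 connections from an image ending in
# putty.exe should be absent, because exclude rules take precedence over include rules.
$leaks = $rows | Where-Object { $_.DestinationPort -eq 22 -and $_.Image -like '*putty.exe' }
if ($leaks) {
    Write-Warning "Found $($leaks.Count) event(s) the exclude rule should have dropped; re-check the loaded config with sysmon -c"
}
```

Run it once before and once after pushing a new configuration with sysmon -c new-config.xml to confirm the change had the intended effect.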

Conclusion

Sysmon is a very capable debugging and security investigation tool, thanks to its dynamic configuration capabilities and deep insight into system activity. Time to give it a try!

Further Reading

Ben Langrill