Sunday, November 19, 2017

Sysmon

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.

Sysmon v6.01 is out from Windows Sysinternals. This free tool runs as a service in the background of your machine and provides efficient, detailed tracking of key security activity (process creation, network connections, driver and image loads, remote thread injection, raw disk access) that you can use for threat hunting.

How to install:
1. Download and extract. Link: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
2. Open an elevated command prompt (Sysmon installs a driver, so administrator rights are required) and change to the extracted folder, e.g. C:\Users\Test\Downloads\Sysmon.
3. Type: sysmon -i -accepteula
How to uninstall:
1. sysmon -u

You can view the currently loaded configuration with: sysmon -c
Once installed, Sysmon does its job automatically in the background and survives reboots. You can see the results in Event Viewer.

To increase the event log size to 200 MB (209715200 bytes), so that events are not overwritten before you collect them:
wevtutil sl Microsoft-Windows-Sysmon/Operational /ms:209715200

Location of the events:
Event Viewer > Applications and Services Logs > Microsoft > Windows > Sysmon > Operational
(log name: Microsoft-Windows-Sysmon/Operational)
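To read these events from a shell instead of clicking through Event Viewer, here is an added PowerShell example (not from the original post). It pulls recent Sysmon events from the Operational log, flattens the EventData fields into objects, and flags Event ID 8 (CreateRemoteThread) where the target is a sensitive process. The list of sensitive targets and the 24-hour window are assumptions for the example.

```powershell
# Added example (not from the original post): query the Sysmon Operational log
# and flag remote thread creation (Event ID 8) into sensitive processes.
# Assumes Sysmon is installed with the default log name.

$LogName = 'Microsoft-Windows-Sysmon/Operational'

# Assumed list of processes where a remote thread from another image is suspicious
$SensitiveTargets = 'lsass.exe', 'services.exe', 'svchost.exe', 'winlogon.exe',
                    'explorer.exe', 'chrome.exe', 'firefox.exe'

function Get-SysmonEvent {
    param(
        [int[]]   $EventId   = @(1, 3, 8),
        [int]     $MaxEvents = 500,
        [datetime]$Since     = (Get-Date).AddHours(-24)
    )
    $filter = @{ LogName = $LogName; Id = $EventId; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Sysmon stores its fields as <Data Name="..."> elements in the event XML
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                EventId     = $_.Id
                Image       = $data['Image']            # Event 1 / 3
                CommandLine = $data['CommandLine']      # Event 1 only
                Hashes      = $data['Hashes']           # Event 1 only
                DestIp      = $data['DestinationIp']    # Event 3 only
                DestPort    = $data['DestinationPort']  # Event 3 only
                SourceImage = $data['SourceImage']      # Event 8 only
                TargetImage = $data['TargetImage']      # Event 8 only
            }
        }
}

function Find-SuspiciousRemoteThread {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        if ($Event.EventId -ne 8 -or -not $Event.TargetImage) { return }
        # 'image' matching in Sysmon is on the file name, so compare the leaf only
        $target = Split-Path -Leaf $Event.TargetImage
        if ($SensitiveTargets -contains $target) { $Event }
    }
}

# Usage: remote threads injected into sensitive processes during the last day
Get-SysmonEvent -EventId 8 | Find-SuspiciousRemoteThread |
    Format-Table Time, SourceImage, TargetImage -AutoSize
```

Run it in an elevated session; reading the Sysmon log as a standard user returns nothing. Swap `-EventId 3` and look at `Image`, `DestIp` and `DestPort` to review network connections the same way.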

Basic configuration:

<Sysmon schemaversion="3.40">
  <!-- Capture SHA256 and IMPHASH hashes of process images -->
  <HashAlgorithms>SHA256,IMPHASH</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 3: no exclusions, so every network connection is logged.
         This is noisy on busy hosts; add Image exclusions for known-good tools. -->
    <NetworkConnect onmatch="exclude">
    </NetworkConnect>
    <!-- Event ID 8: only log remote thread creation into these high-value targets -->
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="image">explorer.exe</TargetImage>
      <TargetImage condition="image">firefox.exe</TargetImage>
      <TargetImage condition="image">chrome.exe</TargetImage>
      <TargetImage condition="image">lsass.exe</TargetImage>
      <TargetImage condition="image">services.exe</TargetImage>
      <TargetImage condition="image">svchost.exe</TargetImage>
      <TargetImage condition="image">winlogon.exe</TargetImage>
    </CreateRemoteThread>
    <!-- Event ID 9: log raw disk reads, except by Sysmon itself and the System process
         (use C:\Windows\Sysmon64.exe if you installed the 64-bit binary) -->
    <RawAccessRead onmatch="exclude">
      <Image condition="image">C:\Windows\Sysmon.exe</Image>
      <Image condition="image">System</Image>
    </RawAccessRead>
  </EventFiltering>
</Sysmon>
Update configuration (takes effect immediately, no reboot or reinstall needed):
sysmon -c config.xml
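The install, configure and log-size steps above can be wrapped into one idempotent deployment script. The following is an added PowerShell example (not from the original post): it installs Sysmon with the config file if the service is absent, otherwise pushes the new config, then raises the Operational log size and prints the loaded configuration. The folder C:\Tools\Sysmon and the file name config.xml are assumptions.

```powershell
# Added example (not from the original post): install-or-update Sysmon with a
# config file, then enlarge the Operational log and show the active config.
# Assumed layout: Sysmon64.exe and config.xml in C:\Tools\Sysmon (hypothetical).

$SysmonDir   = 'C:\Tools\Sysmon'
$SysmonExe   = Join-Path $SysmonDir 'Sysmon64.exe'   # Sysmon.exe on 32-bit Windows
$ConfigPath  = Join-Path $SysmonDir 'config.xml'
$LogName     = 'Microsoft-Windows-Sysmon/Operational'
$LogMaxBytes = 200MB                                  # PowerShell expands to 209715200

function Test-IsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Install-OrUpdateSysmon {
    if (-not (Test-IsAdmin))        { throw 'Run from an elevated PowerShell session.' }
    if (-not (Test-Path $SysmonExe)) { throw "Sysmon binary not found: $SysmonExe" }
    if (-not (Test-Path $ConfigPath)) { throw "Config not found: $ConfigPath" }

    # Fail early on malformed XML instead of letting Sysmon reject it half-way
    [xml]$cfg = Get-Content -Path $ConfigPath -Raw
    if (-not $cfg.Sysmon.schemaversion) { throw 'Missing schemaversion on the <Sysmon> root.' }

    # The 64-bit binary registers the service as Sysmon64, the 32-bit one as Sysmon
    $svc = Get-Service -Name 'Sysmon64', 'Sysmon' -ErrorAction SilentlyContinue
    if ($svc) {
        & $SysmonExe -c $ConfigPath               # update config of the running service
    } else {
        & $SysmonExe -accepteula -i $ConfigPath   # fresh install with this config
    }
    if ($LASTEXITCODE -ne 0) { throw "Sysmon exited with code $LASTEXITCODE" }

    # Grow the Operational log so events survive long enough to be collected
    wevtutil sl $LogName /ms:$LogMaxBytes

    # Dump what Sysmon actually loaded, to confirm rules and hash algorithms
    & $SysmonExe -c
}

Install-OrUpdateSysmon
```

Because the script keys off the service name, it can be re-run from a scheduled task or your configuration management tool whenever config.xml changes, and it will only ever call `-i` once per host.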

Tutorial:
CQURE
https://www.youtube.com/watch?v=8qDEbnofkos

