Sysmon: Enterprise configuration [Redirected]
Sysmon is an installable Windows service by Microsoft that logs key activities on the system to aid troubleshooting and real-time or retrospective monitoring of security breaches.
This configuration has been replaced with Sysmon-Config | PLEASE CLICK HERE
Important things it can log, fully customizable and filterable:
- Process launches, what launched it, with what command line, and a SHA1/MD5 hash of that binary
- DLLs loaded by processes, and drivers by the system
- Network connections - IP address, port, TCP/UDP, and remote host
- Processes injecting into other processes
- If the modified or created date of files is changed unnaturally
As you can imagine, this can quickly add up if you don't need to see every single thing that happens on the PC. Luckily, Sysmon includes the ability to filter events before they are written to the Event Log. It also enables powerful filtering in Event Viewer by event types and plaintext.
You can do things like only log network events from processes named iexplore.exe or located in C:\Users, drivers that aren't signed by Microsoft,
It's up to you to determine how much data you want included.
This is a work in progress. This makes very specific trade-offs in what it logs based on my criteria. It does not provide anything close to complete coverage. Sysmon must be tuned to every environment for it to be effective. This is just a starting point.
<Sysmon schemaversion="3.10"> <HashAlgorithms>md5</HashAlgorithms> <EventFiltering> <ProcessCreate onmatch="exclude"> <IntegrityLevel condition="is">AppContainer</IntegrityLevel> <ParentCommandLine condition="contains">\\fileserver.domain.com\IT_Software</ParentCommandLine> <ParentCommandLine condition="begin with">C:\Windows\System32</ParentCommandLine> <ParentCommandLine condition="begin with">%SystemRoot%\system32\</ParentCommandLine> <Image condition="begin with">C:\Windows\SystemApps</Image> <CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility</CommandLine> <CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer</CommandLine> <CommandLine condition="begin with">"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process</CommandLine> <CommandLine condition="begin with">C:\Program Files (x86)\Google\Update\</CommandLine> <Image condition="begin with">C:\Program Files\Windows Defender</Image> <Image condition="Image">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image> <Image condition="Image">C:\Program Files\Dell\SupportAssist\koala.exe</Image> <Image condition="begin with">C:\Program Files\NVIDIA Corporation\Display\</Image> <ParentImage condition="image">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</ParentImage> </ProcessCreate> <FileCreateTime onmatch="include"> <Image condition="begin with">C:\Users</Image> </FileCreateTime> <NetworkConnect onmatch="include"> <Image condition="begin with">C:\Users</Image> <Image condition="begin with">C:\ProgramData</Image> </NetworkConnect> <ProcessTerminate onmatch="include"> <Image condition="begin with">C:\Users</Image> </ProcessTerminate> <DriverLoad onmatch="exclude"> <Signature condition="contains">microsoft</Signature> <Signature condition="contains">windows</Signature> </DriverLoad> <ImageLoad onmatch="include"> </ImageLoad> <CreateRemoteThread onmatch="exclude"> <SourceImage condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</SourceImage> <TargetImage condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</TargetImage> <SourceImage condition="is">C:\Windows\System32\svchost.exe</SourceImage> <SourceImage condition="is">C:\Windows\System32\wininit.exe</SourceImage> <SourceImage condition="is">C:\Windows\System32\csrss.exe</SourceImage> <SourceImage condition="is">C:\Windows\System32\services.exe</SourceImage> <SourceImage condition="is">C:\Windows\System32\winlogon.exe</SourceImage> <SourceImage condition="is">C:\Windows\System32\audiodg.exe</SourceImage> </CreateRemoteThread> <RawAccessRead onmatch="include"> </RawAccessRead> <ProcessAccess onmatch="include"> </ProcessAccess> </EventFiltering> </Sysmon>