Building A Perfect Sysmon Configuration File

If you already know that Sysmon can monitor your system AND you see value in doing so… it’s the right time to explore Sysmon customization options. In particular its configuration file, which controls how Sysmon works. In this episode of CQURE Hacks Weekly, you’ll learn how to build such file in a way that makes Sysmon do exactly what you need from it.

What does Sysmon have in store?

You should see my screen right now. In order to be able to build a Sysmon configuration file, you need to first learn how to check what Sysmon has to offer. For example, if you go to Sysmon executable… Let’s open on this one… in the resource hacker. It’s important to check how the manifest looks like, and the reason why it’s like this is that we need to verify what kind of possibilities we’ve got.

Sysmon Configuration File

This is the newest Sysmon 6.10 and over here you can see the templates that define us different types of approach to logging.

This is what we’re going to have logged in the event log: file creation time change, of course, process tracking, process creation, and process termination, network connection detected, driver loaded and things like that.

Sysmon Configuration File

Every single time there is a new Sysmon version released, don’t worry. Probably you will not find that information quickly on the Internet, but that’s fine because here you are able to see what kind of stuff is added.

Within the new Sysmon, you’ve got a possibility here to monitor WMI event filter. And, as you see, there’s event consumer, event filter, ConsumerToFilter activity and so on. Plenty of the WMI queries… This is new… That is, for example, if you’ve got malware that uses WMI, if the WMI is modified, then you are able to see of course that kind of information in Sysmon.

Using names in the Sysmon configuration file

Now, whenever we are thinking about playing with the creation of the rules, because this is how we operate with Sysmon, you might be wondering what kind of names we need to use in the config file to make it work. And the answer to that question is very simple. Over here, you’ve got names of rules, like “rule pipe event,” “rule WMI event,” and so on.

Then, based on that, you build your rules in the configuration file. This is a little bit of a cheat sheet … How things are called, how things are named.

Now, why we are talking about this?

Well, because… Let me have a look at the configuration file. If we do notepad config.xml file, this is the simplest possible config file we could have. For example, we’ve got Sysmon schema version 3.3, we can do 3.4, and for that certain moment, it doesn’t really make a difference. But, here you can see event filtering, and this is the place where we put these names on. For example, if we have here rule WMI event, then pretty much you are putting this particular entry over here.

Sysmon Configuration File

Now, you can say that not everything that is in the manifest I just showed you is in my config file.

You don’t have to configure everything, you can only configure a couple of things. And, long story short, you are also able to say what would you like to have here. Either include certain events or exclude.

Network connect, for example, what is happening in my case, I am monitoring all of the types of events. Create a remote thread, in this particular case, I am only monitoring explorer, LSASS, services, svchost, Winlogon and stuff like that, yes? Raw access read, only excluding, of course, Sysmon and system, but the rest I’m monitoring. And of course things like process access, which is good for pass-the-hash, I am only including LSASS, yeah?

And in case of a FileCreate onmatch=”include,” I am not monitoring everything. So, I’m actually monitoring nothing here. So FileCreate onmatch=”include” means monitor nothing because I’m including nothing, which means, of course, nothing is monitored. So this is how we are working on this Sysmon file.

Now, question is, can I have it larger?

Can I play totally with what’s going on and specify that would like to only have certain processes that are not known monitored and so on?

Well, Sysmon isn’t really flexible over here… It’s fantastic but it’s not flexible. So, you need to work on your files. And, that’s why maybe it’s even good to get some examples.

I’ve got another configuration file over here if we do Notepad, and then we do Sysmon Swift. That is the configuration file that SwiftOnSecurity shares. It’s not the most up-to-date because it’s from July. But that’s alright… Well, there is a new version of Sysmon out there that is not included in the file. But it’s totally not important because you will know how to do that.

Sysmon Configuration File

Process monitoring exclusion

Now, here what we can see is that we’ve got different types of processes mentioned that we don’t want to monitor. So we are, in this particular case, having ProcesCreate exclude… We’re excluding all the names of the processes of course that are known, which could potentially lead to a little bit of a problem because over here we’re specifying only the name.

Begin with, for example… Windows defender and so on. Could this be that malware will fit in, into these rules and, for example, be called as one of these files? The answer is yes.

But in general, the set is pretty good. So, we’ve got different other conditions over here. This is all about these processes. It’s actually a pretty big file.

Then we’ve got a file creation time and so on. We’re excluding, as you see, things like OneDrive and Setup and so on. So, all the classics that could affect file creation time in the end.

And things like the network. Over here, it’s actually a pretty interesting approach, so that you’ve got different types of options that are included over here. So we are excluding the rest but we’re interested in, for example, anything that is processed in the C:\users that tries to establish the network communication. Anything from C:\Windows\Temp and so on.

Sysmon Configuration File

This is, in general, network connection established by different types of files that are not normally the ones that you use to establish a network connection. Within the legal configuration of the operating system.

Things like, of course, all destination port, so connections over certain ports. And, of course, we’ve got over here, different types of drivers loaded into the kernel.

And over here, well… the question is: do we want to monitor that or not? Or we want to monitor everything?

So as you can see DriverLoad onmatch=”exclude”, so we are not really excluding much. So Microsoft Windows, Intel, so different types of drivers of that kind we’re excluding, but anything else we are including.

This is the case. So we’ve got over here also raw disk access and so on. So there’s plenty of options how we are able to monitor Sysmon. This is the flow.