Security monitoring with Sysmon

Sysmon from Microsoft is a great tool for monitoring activities in Windows desktop and server systems.

Once set up it simply runs in the background and logs interesting events to a separate section (Eventvwr->Microsoft-Windows-Sysmon->Operational) within the event viewer.

It is very useful for setting up a log which can be checked for issues, from finding when a file was deleted to monitoring malware.

A configuration file is used by Sysmon to store information about which events we want to include and which events we want to exclude.


Config files:
SwiftOnSecurity example config file

Download the file and then run: sysmon64.exe -accepteula -i [file.xml]
Sysmon will install as a service (running at boot time) configured with that file.


Once you have Sysmon configured and working you can just read the logs in the normal Windows event viewer, or you can use various tools to analyse the logs:

Sysmon View helps in tracking and visualizing Sysmon logs by logically grouping and linking the various events generated, using executable names, session GUIDs or the time of the event. It also has an easy-to-use search feature to look through all the event data, GEO mapping of IP addresses, and VirusTotal lookup for IPs, domains and hashes.


Splunk, the data collection and analysis tool, can be used to collect the log data from multiple sources and analyse it or show pretty graphs.
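If you want to look at the logs without any extra tooling, the Operational log can be queried straight from PowerShell. The snippet below is an added example, not part of the original post or of Sysmon itself; it assumes Sysmon is already installed on the host and that the shell is elevated, and it reads the last hour of process-creation (Event ID 1) and network-connection (Event ID 3) events:

```powershell
# Added example: summarise recent Sysmon process-creation (ID 1) and
# network-connection (ID 3) events. Assumes Sysmon is installed on this host
# and the shell runs elevated (the Sysmon log is not readable by standard users).
$LogName = 'Microsoft-Windows-Sysmon/Operational'
$Since   = (Get-Date).AddHours(-1)

# Turn one event's EventData section into a hashtable keyed by Sysmon field name
# (Image, CommandLine, ParentImage, DestinationIp, ...).
function Get-SysmonFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1, 3; StartTime = $Since } `
    -ErrorAction SilentlyContinue

# Event ID 1: which parent launched which image, with the full command line.
$events | Where-Object Id -eq 1 | ForEach-Object {
    $f = Get-SysmonFields $_
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Parent      = $f['ParentImage']
        Image       = $f['Image']
        CommandLine = $f['CommandLine']
    }
} | Sort-Object Time | Format-Table -AutoSize -Wrap

# Event ID 3: outbound connections grouped by image, to spot processes that
# have no business talking to the network.
$events | Where-Object Id -eq 3 | ForEach-Object {
    $f = Get-SysmonFields $_
    [pscustomobject]@{
        Image = $f['Image']
        Dest  = "$($f['DestinationIp']):$($f['DestinationPort'])"
    }
} | Group-Object Image | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Destinations'; e = { ($_.Group.Dest | Select-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize -Wrap
```

Which event IDs appear at all depends on the include/exclude rules in the configuration file you installed; with the SwiftOnSecurity config, noisy system processes are already filtered out.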


https://blogs.technet.microsoft.com/motiba/2017/12/07/sysinternals-sysmo...
https://twitter.com/swiftonsecurity/status/826877383902912512

https://github.com/nshalabi/SysmonTools