Sysmon

Sysmon (System Monitor) is a Windows system service and device driver from the Sysinternals suite. It monitors system activity (process creation, network connections, file and registry changes, DLL loads and more) and records it in the Windows event log. Its records are far more detailed than default Windows auditing, which makes them a primary source for investigations and for detection engineering.

Events are written to the Microsoft-Windows-Sysmon/Operational log, shown in Event Viewer under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational.

Sysmon runs with a built-in default configuration if none is supplied, but in practice it is driven by an XML config file that tells the driver which events to record and how to filter them. You can download a community config or write your own.

Sysmon defines 29 event types (Event ID 1 through 29), plus Event ID 255 for Sysmon's own errors. In the config each event type has its own element (ProcessCreate, NetworkConnect, DnsQuery and so on) whose rules specify which events of that type are logged and which are dropped.

Most published configs are written in exclude mode (onmatch="exclude"): every event of that type is logged except the known-benign activity listed in the rules. That captures anything unexpected, at the cost of volume. The alternative, include mode (onmatch="include"), logs only what matches the rules, which is quieter but only catches what you thought to list. Either way, each exclusion is a blind spot: activity that matches an excluded rule is never logged, so keep exclusions specific (full paths rather than bare image names) and review them before deploying.
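An added example (not from these notes and not a published config) of both modes in one small config, written from PowerShell so the XML is checked for well-formedness before Sysmon ever sees it. The config path, the schema version and the specific images, ports and domains in the rules are assumptions for illustration; adjust them to your environment.

```powershell
# Added example: a minimal Sysmon config showing exclude mode vs include mode.
# ASSUMPTIONS: the config path, schemaversion 4.50 (must not be newer than the
# installed binary supports; print the supported schema with Sysmon64.exe -s),
# and the specific images, ports and domains used in the rules.
$ConfigPath = 'C:\Sysmon\sysmonconfig-example.xml'

$Config = @'
<Sysmon schemaversion="4.50">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Exclude mode (Event ID 1): log EVERY process creation except the listed noise.
         Each exclusion is a blind spot, so match on full paths, never on bare names. -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\conhost.exe</Image>
        <Image condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- Include mode (Event ID 3): log NOTHING unless it matches. Quiet, but it only
         catches what you thought to list. -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="image">powershell.exe</Image>
        <Image condition="image">mshta.exe</Image>
        <Image condition="image">rundll32.exe</Image>
        <DestinationPort condition="is">4444</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
    <!-- Exclude mode (Event ID 22): keep all DNS queries except trusted, noisy domains. -->
    <RuleGroup name="" groupRelation="or">
      <DnsQuery onmatch="exclude">
        <QueryName condition="end with">.microsoft.com</QueryName>
        <QueryName condition="end with">.windowsupdate.com</QueryName>
      </DnsQuery>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

# Casting to [xml] fails fast on a malformed config instead of letting Sysmon reject it at install time
$Xml = [xml]$Config
New-Item -ItemType Directory -Path (Split-Path -Parent $ConfigPath) -Force | Out-Null
Set-Content -Path $ConfigPath -Value $Config -Encoding UTF8

# Summarise every rule so the exclusions (the blind spots) get reviewed explicitly
foreach ($Group in $Xml.Sysmon.EventFiltering.RuleGroup) {
    foreach ($EventRule in ($Group.ChildNodes | Where-Object NodeType -eq 'Element')) {
        foreach ($Rule in ($EventRule.ChildNodes | Where-Object NodeType -eq 'Element')) {
            [pscustomobject]@{
                Event     = $EventRule.LocalName
                Mode      = $EventRule.GetAttribute('onmatch')
                Field     = $Rule.LocalName
                Condition = $Rule.GetAttribute('condition')
                Value     = $Rule.InnerText
            }
        }
    }
}

# Apply with: Sysmon64.exe -c $ConfigPath   (or Sysmon64.exe -accepteula -i $ConfigPath on first install)
```

The rule summary at the end is the step people skip: printed as a table, the two ProcessCreate exclusions are the only things this config will never tell you about, and that list should be short and made of full paths.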


Important Event IDs

Event ID 1: Process creation

Logs every new process with its full command line, parent process, user and file hashes. This is the first place to look for suspicious processes: unusual parent/child pairs (an Office application spawning cmd.exe or powershell.exe, for example) and masquerading binaries whose names are near-typos of legitimate ones (a misspelling of svchost.exe, say) or that run from the wrong path.

Event ID 3: Network connection

Logs TCP and UDP connections made by processes, including source and destination IP addresses and ports, the protocol, the initiating process and whether the connection was outbound (Initiated) or inbound. Use it to tie network activity, such as a beacon to an unusual port, back to the process responsible for it.

Key fields are Image, DestinationIp, DestinationPort and Initiated; configs commonly filter on Image and DestinationPort.

Event ID 7: Image Loaded

Logs DLLs (image files) loaded into processes. This is useful for spotting DLL injection, DLL search-order hijacking and sideloading, for example an unsigned DLL loaded from a user-writable directory. Key fields are ImageLoaded (the DLL path), Signed, Signature and SignatureStatus, plus the DLL's hashes. It is high-volume, so it is usually filtered in include mode to specific DLLs, paths or processes.

Event ID 8: CreateRemoteThread

Logs one process creating a thread in another process (CreateRemoteThread), the classic mechanism for code injection. Malware uses it to run its code inside a trusted process so that the malicious activity is attributed to, and hidden behind, a legitimate image. Key fields are SourceImage, TargetImage, StartAddress and StartFunction.

Event ID 11: File Created

Logs files being created or overwritten, with the writing process (Image), the path (TargetFilename) and the creation time. It is useful for tracking payloads dropped to disk, such as executables or scripts written into Temp, Downloads or startup folders. Note that it records the file name and the writing process but not a hash of the content.

Event ID 12, 13, and 14: Registry events

Event ID 12 logs registry key creation and deletion, 13 logs a value being set, and 14 logs a key or value rename. Together they cover persistence (Run/RunOnce keys, services, scheduled-task entries) and the weakening of security settings, for instance re-enabling WDigest plaintext credential caching via UseLogonCredential. Key fields are TargetObject (the key or value path), Details (the new data, for ID 13) and Image.

Event ID 15: FileCreateStreamHash

Logs a file being created with a named (alternate) data stream, including hashes of the contents. The most common legitimate case is the Zone.Identifier stream that browsers attach to downloads (the mark of the web), so this event is also a cheap way to see what was downloaded. Attackers use alternate data streams to hide payloads behind innocuous-looking files, which this event surfaces.

Event ID 22: DNS event

Logs DNS queries made by processes, with QueryName, QueryStatus, QueryResults and the querying Image. It is very noisy on a normal host, so best practice is to exclude queries to known trusted domains (your own, Microsoft update and telemetry, common CDNs) in the config. With that noise tuned out, anomalies such as long random-looking names or lookups from processes that have no business talking to the internet stand out much more easily.
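An added example (not from these notes) of pulling the event IDs above out of the Sysmon log with Get-WinEvent and applying the kinds of filters just described. It assumes Sysmon is installed and that you run elevated or as a member of Event Log Readers; the parent/child pairs, port list and trusted-domain pattern are illustrative assumptions, not a tuned ruleset.

```powershell
# Added example: query Sysmon events and filter them on their EventData fields.
# ASSUMPTIONS: Sysmon is installed, the caller can read the Operational log, and the
# indicators below (parent/child pairs, ports, trusted-domain pattern) are illustrative.

function Get-SysmonEvent {
    [CmdletBinding()]
    param(
        [int[]]$Id,                                  # Sysmon event IDs to fetch; all if omitted
        [datetime]$Since = (Get-Date).AddHours(-1),  # how far back to look
        [int]$MaxEvents = 5000
    )
    $Filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; StartTime = $Since }
    if ($Id) { $Filter['Id'] = $Id }

    Get-WinEvent -FilterHashtable $Filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Each <Data Name="..."> element in the event XML becomes a property of the output object
            $Xml   = [xml]$_.ToXml()
            $Props = [ordered]@{ TimeCreated = $_.TimeCreated; EventId = $_.Id }
            foreach ($Field in $Xml.Event.EventData.Data) {
                $Props[$Field.GetAttribute('Name')] = $Field.InnerText
            }
            [pscustomobject]$Props
        }
}

# Event ID 1: Office applications or script hosts spawning a shell
Get-SysmonEvent -Id 1 |
    Where-Object { $_.ParentImage -match 'winword|excel|outlook|wscript|cscript' -and
                   $_.Image -match '\\(cmd|powershell|pwsh)\.exe$' } |
    Select-Object TimeCreated, User, ParentImage, Image, CommandLine

# Event ID 3: outbound connections to ports other than web and DNS, ranked by process and port
Get-SysmonEvent -Id 3 |
    Where-Object { $_.Initiated -eq 'true' -and [int]$_.DestinationPort -notin 80, 443, 53 } |
    Group-Object Image, DestinationPort |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20

# Event ID 8: every remote thread creation deserves a look; show who injected into whom
Get-SysmonEvent -Id 8 |
    Select-Object TimeCreated, SourceImage, TargetImage, StartAddress, StartFunction

# Event ID 22: DNS queries with trusted domains tuned out, rarest names first
$TrustedDomains = '\.(microsoft|windowsupdate|msftconnecttest|office)\.com$'
Get-SysmonEvent -Id 22 |
    Where-Object { $_.QueryName -notmatch $TrustedDomains } |
    Group-Object QueryName |
    Sort-Object Count |
    Select-Object Count, Name, @{ n = 'Image'; e = { $_.Group[0].Image } } -First 20
```

Flattening EventData into object properties is what makes the rest of the script readable: once ParentImage, DestinationPort and QueryName are plain properties, the hunts become ordinary Where-Object and Group-Object pipelines, and the same function feeds whatever other checks you add.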


Installing Sysmon

To install Sysmon, first get the binary. If the Download-SysInternalsTools helper is loaded in your session (it is a helper function, not a built-in PowerShell cmdlet), it fetches the Sysinternals tools into a folder:

Download-SysInternalsTools C:\Sysinternals

Otherwise download Sysmon from Microsoft (https://learn.microsoft.com/sysinternals/downloads/sysmon) and unzip it; the archive contains Sysmon.exe and Sysmon64.exe.

You will also need a config for Sysmon.

https://github.com/SwiftOnSecurity/sysmon-config

https://github.com/ion-storm/sysmon-config/blob/develop/sysmonconfig-export.xml

Either gives you granular control over which events are logged and tunes out the noise of normal activity. Both are exclude-based configs, so read through the exclusions and trim any that do not apply to your environment before deploying.


Starting Sysmon

To start Sysmon, install it with your config from an elevated PowerShell prompt (use Sysmon64.exe on 64-bit Windows):

Sysmon.exe -accepteula -i ..\Configuration\swift.xml

-accepteula accepts the licence silently and -i installs the service and driver with the given config. To change the config later run Sysmon.exe -c <config.xml>, which reloads the rules without reinstalling; Sysmon.exe -c with no file prints the config currently in force, and Sysmon.exe -u uninstalls.

Once it is running you can view the logs in Event Viewer under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational (log name Microsoft-Windows-Sysmon/Operational).
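An added example (not from these notes) that wraps the install step in a script: it chooses between a first install and a config reload, then checks that the service, the driver and the log are all live. The paths are assumptions; run it from an elevated prompt.

```powershell
# Added example: install or update Sysmon with a config, then verify it is actually logging.
# ASSUMPTIONS: the two paths below; Sysmon64.exe on 64-bit Windows; an elevated prompt.
$SysmonExe  = 'C:\Sysinternals\Sysmon64.exe'
$ConfigPath = 'C:\Sysinternals\sysmonconfig-export.xml'

# The service takes the name of the executable (Sysmon64 for Sysmon64.exe, Sysmon for Sysmon.exe)
$ServiceName = [System.IO.Path]::GetFileNameWithoutExtension($SysmonExe)

if (-not (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) {
    # First install: -i registers the service and the SysmonDrv driver and loads the config
    & $SysmonExe -accepteula -i $ConfigPath
} else {
    # Already installed: -c reloads the filtering rules in place, no reinstall or reboot
    & $SysmonExe -c $ConfigPath
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon returned exit code $LASTEXITCODE" }

# Both the user-mode service and the kernel driver must be running. Get-Service does not
# list drivers, so query Win32_SystemDriver for SysmonDrv.
Get-Service -Name $ServiceName | Select-Object Name, Status
Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name = 'SysmonDrv'" | Select-Object Name, State

# -c with no file prints the config Sysmon is enforcing; compare it with the file you deployed
& $SysmonExe -c

# Finally confirm events are arriving in the Operational log
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

# To remove Sysmon later: & $SysmonExe -u
```

Checking the driver separately matters: a Sysmon service that is running while SysmonDrv is not is a silent failure, and the five-event tail at the end is the quickest proof that the pipeline from driver to event log is intact.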