Published on January 22nd, 2015 📆 | 7936 Views ⚑0
Sysmon v2.0 – System Activity Monitor for Windows
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
Note that Sysmon does not provide analysis of the events it generates, nor does it attempt to protect or hide itself from attackers.
Overview of Sysmon Capabilities
Sysmon includes the following capabilities:
- Logs process creation with full command line for both current and parent processes.
- Records the hash of process image files using SHA1 (the default), MD5, SHA256 or IMPHASH.
- Multiple hashes can be used at the same time.
- Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
- Include a session GUID in each events to allow correlation of events on same logon session.
- Logs loading of drivers or DLLs with their signatures and hashes.
- Optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names.
- Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
- Automatically reload configuration if changed in the registry.
- Rule filtering to include or exclude certain events dynamically.
- Generates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware.
Uses Sysmon simple command-line options to install and uninstall it, as well as to check and modify Sysmon’s configuration:
Sysinternals Sysmon v2.00 - System activity monitor
Copyright (C) 2014-2015 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com
Install: Sysmon.exe -i <configfile>
[-h <[sha1|md5|sha256|imphash|*],...>] [-n (<process,...>)]
Configure: Sysmon.exe -c <configfile>
[--|[-h <[sha1|md5|sha256|imphash|*],...>] [-n (<process,...>)]
Uninstall: Sysmon.exe -u
|-c||Update configuration of an installed Sysmon driver or dump the current configuration if no other argument is provided. Optionally take a configuration file.|
|-h||Specify the hash algorithms used for image identification (default is SHA1). It supports multiple algorithms at the same time. Configuration entry: Hashing.|
|-i||Install service and driver. Optionally take a configuration file.|
|-l||Log loading of modules. Optionally take a list of processes to track. Configuration entry: ImageLoading.|
|-m||Install the event manifest (done on service install as well).|
|-n||Log network connections. Optionally take a list of processes to track. Configuration entry: Network.|
|-u||Uninstall service and driver.|
The service logs events immediately and the driver installs as a boot-start driver to capture activity from early in the boot that the service will write to the event log when it starts.
On Vista and higher, events are stored in "Applications and Services Logs/Microsoft/Windows/Sysmon/Operational". On older systems, events written to the System event log.
If you need more information on configuration files, use the '-? config' command. More examples are available on the Sysinternals website.
Specify -accepteula to automatically accept the EULA on installation, otherwise you will be interactively prompted to accept it.
Neither install nor uninstall requires a reboot.
Install with default settings (process images hashed with sha1 and no network monitoring)
sysmon -accepteula –i
Install with md5 and sha256 hashing of process created and monitoring network connections
sysmon -accepteula –i –h md5,sha256 –n
Install Sysmon with a configuration file (as described below)
sysmon –accepteula –i c:\windows\config.xml
Dump the current configuration
Change the configuration to use all hashes, no network monitoring and monitoring of DLLs in Lsass
sysmon –c –h * –l lsass.exe
Change the configuration of sysmon with a configuration file (as described below)
sysmon –c c:\windows\config.xml
Change the configuration to default settings
sysmon –c --