Sysmon Example Config XML

Sysmon is a powerful monitoring tool for Windows systems. It is not possible to unleash all its power without using the configuration XML, which allows you to include or exclude certain event types or events generated by a certain process. Use the configuration to exclude high-volume sources or event types of less interest (e.g. Process Termination).

Installation:
sysmon.exe -i config.xml

Set new configuration:
sysmon.exe -c config.xml

Get help on the configuration and filtering options via "sysmon -h config".

The following example may help you to understand the format and define your own rules.

<Sysmon schemaversion="1.0">
<Configuration>
  <!-- Capture MD5 Hashes -->
  <Hashing>MD5</Hashing>
  <!-- Enable network logging -->
  <Network />
</Configuration>
<Rules>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad default="include">
        <Signature condition="contains">microsoft</Signature>
        <Signature condition="contains">windows</Signature>
    </DriverLoad>
    <!-- Do not log process termination -->
    <ProcessTerminate />
    <!-- Exclude certain processes that cause high event volumes -->
    <ProcessCreate default="include">
        <Image condition="contains">chrome.exe</Image>
    </ProcessCreate>
    <!-- Do not log file creation time stamps -->
    <FileCreateTime />
    <!-- Do not log network connections of a certain process or port -->
    <NetworkConnect default="include">
        <Image condition="contains">chrome.exe</Image>
        <DestinationPort>123</DestinationPort>
    </NetworkConnect>
</Rules>
</Sysmon>

You can always use the task name and the event fields to define more filters. The rule tag corresponds to the task name shown for the event in the Event Viewer.

Sysmon Event Type

Use the event fields as tags to apply a certain filter.

Sysmon Event Field

The available conditions for the field entries are as follows:

  • is – Default; the values are equal.
  • is not – The values are different.
  • contains – The field contains this value.
  • excludes – The field does not contain this value.
  • begin with – The field begins with this value.
  • end with – The field ends with this value.
  • less than – The lexicographical comparison is less than zero.
  • more than – The lexicographical comparison is more than zero.
  • image – Match an image path (full path or only the image name). For example: lsass.exe will match c:\windows\system32\lsass.exe.
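To make the filter semantics concrete, here is an added example (not part of the original post and not Sysmon's own code) in Python that parses a constructed schema 1.0 style rule set and evaluates the conditions listed above against constructed events. It assumes, as the comments on the empty ProcessTerminate element above suggest, that a rule section without a default attribute excludes its event type, and that a matching filter flips the section's default action.

```python
import xml.etree.ElementTree as ET

# Constructed rule set in the same schema 1.0 style as the post's example:
# "default" is the action taken when no filter matches; a matching filter flips it.
CONFIG = """<Sysmon schemaversion="1.0"><Rules>
<ProcessCreate default="include"><Image condition="contains">chrome.exe</Image></ProcessCreate>
<NetworkConnect default="include"><Image condition="image">chrome.exe</Image>
<DestinationPort>123</DestinationPort></NetworkConnect>
<DriverLoad default="include"><Signature condition="contains">microsoft</Signature></DriverLoad>
<ProcessTerminate />
</Rules></Sysmon>"""

def matches(condition, field_value, filter_value):
    """Evaluate one filter condition; comparisons are case-insensitive."""
    f, v = field_value.lower(), filter_value.lower()
    if condition == "is":         return f == v
    if condition == "is not":     return f != v
    if condition == "contains":   return v in f
    if condition == "excludes":   return v not in f
    if condition == "begin with": return f.startswith(v)
    if condition == "end with":   return f.endswith(v)
    if condition == "less than":  return f < v
    if condition == "more than":  return f > v
    if condition == "image":      # full path or bare image name
        return f == v or f.rsplit("\\", 1)[-1] == v
    raise ValueError(f"unknown condition {condition!r}")

def should_log(config_xml, event_type, event):
    """Return True if an event of event_type (a dict of field -> value) is logged."""
    node = ET.fromstring(config_xml).find(f"./Rules/{event_type}")
    if node is None:
        return True  # assumption: event types with no rule section are logged
    # assumption: a section without a default attribute excludes its event type
    default_include = node.get("default", "exclude") == "include"
    for filt in node:  # filters within a section are ORed: any match flips
        value = event.get(filt.tag)
        if value is None or not filt.text:
            continue
        if matches(filt.get("condition", "is"), str(value), filt.text.strip()):
            return not default_include
    return default_include
```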

About Florian Roth

Senior IT Security Engineer: THOR APT Scanner, Security Monitoring and SIEM, Web Application Audits, Advanced Persistent Threats (APT), Malware Analysis, Incident Response, Intrusion Detection, Perl / Python / .NET Programming, Data Visualization
