killchain-compendium/enumeration/windows/sysmon.md

# Sysmon

Sysmon gathers detailed and high-quality logs as well as event tracing that assists in identifying anomalies in your environment. Sysmon is most commonly used in conjunction with security information and event management (SIEM) system or other log parsing solutions that aggregate, filter, and visualize events. 

## Paths

* Logfiles
```
Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
```

## Configuration

* [SwiftOnSecurity](https://github.com/SwiftOnSecurity/sysmon-config)
* [ION-Storm](https://github.com/ion-storm/sysmon-config/blob/develop/sysmonconfig-export.xml)

## Installation

```sh
Downloads-SysInternalsTools C:\Sysinternals
```

## Best Practices

* Exclude, not include events
* CLI gives further control over filters
```sh
Get-WinEvent
```
```sh
wevutil.exe
```
* Know the env before implementation

## Filtering Events

* Actions -> Filter Current Log

### Filtering Events with Powershell

* Logged Events containing port 4444
```sh
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=4444'
```
* Logged Events containing lsass.exe
```sh
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=10 and */EventData/Data[@Name="TargetImage"] and */EventData/Data="C:\Windows\system32\lsass.exe"'
```
* Rats and C2
```sh
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=<Port>'
```

## Evasion Techniques

* Alternate Data Streams
* Injections
* Masquerading
* Packing/Compression
* Recompiling
* Obfuscation
* Anti-Reversing Techniques
* Remote Thread (OpenThread, ResumeThread)

### Detecting Evasion Techniques with Powershell

```sh
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=15'
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=8'
```
second commit 2021-08-23 01:13:54 +02:00			`# Sysmon`
formatting 2022-10-18 21:26:19 +02:00
second commit 2021-08-23 01:13:54 +02:00			`Sysmon gathers detailed and high-quality logs as well as event tracing that assists in identifying anomalies in your environment. Sysmon is most commonly used in conjunction with security information and event management (SIEM) system or other log parsing solutions that aggregate, filter, and visualize events.`

			`## Paths`
formatting 2022-10-18 21:26:19 +02:00
second commit 2021-08-23 01:13:54 +02:00			`* Logfiles`
			```
			`Applications and Services Logs/Microsoft/Windows/Sysmon/Operational`
			```

			`## Configuration`
formatting 2022-10-18 21:26:19 +02:00
second commit 2021-08-23 01:13:54 +02:00			`* [SwiftOnSecurity](https://github.com/SwiftOnSecurity/sysmon-config)`
			`* [ION-Storm](https://github.com/ion-storm/sysmon-config/blob/develop/sysmonconfig-export.xml)`

			`## Installation`
formatting 2022-10-18 21:26:19 +02:00
second commit 2021-08-23 01:13:54 +02:00			```sh
			`Downloads-SysInternalsTools C:\Sysinternals`
			```

			`## Best Practices`
formatting 2022-10-18 21:26:19 +02:00
second commit 2021-08-23 01:13:54 +02:00			`* Exclude, not include events`
			`* CLI gives further control over filters`
			```sh
			`Get-WinEvent`
			```
			```sh
			`wevutil.exe`
			```
			`* Know the env before implementation`

			`## Filtering Events`
formatting 2022-10-18 21:26:19 +02:00
second commit 2021-08-23 01:13:54 +02:00			`* Actions -> Filter Current Log`

			`### Filtering Events with Powershell`
formatting 2022-10-18 21:26:19 +02:00
second commit 2021-08-23 01:13:54 +02:00			`* Logged Events containing port 4444`
			```sh
			`Get-WinEvent -Path <Path to Log> -FilterXPath '/System/EventID=3 and /EventData/Data[@Name="DestinationPort"] and */EventData/Data=4444'`
			```
			`* Logged Events containing lsass.exe`
			```sh
			`Get-WinEvent -Path <Path to Log> -FilterXPath '/System/EventID=10 and /EventData/Data[@Name="TargetImage"] and */EventData/Data="C:\Windows\system32\lsass.exe"'`
			```
			`* Rats and C2`
			```sh
			`Get-WinEvent -Path <Path to Log> -FilterXPath '/System/EventID=3 and /EventData/Data[@Name="DestinationPort"] and */EventData/Data=<Port>'`
			```

			`## Evasion Techniques`
formatting 2022-10-18 21:26:19 +02:00
second commit 2021-08-23 01:13:54 +02:00			`* Alternate Data Streams`
			`* Injections`
			`* Masquerading`
			`* Packing/Compression`
			`* Recompiling`
			`* Obfuscation`
			`* Anti-Reversing Techniques`
			`* Remote Thread (OpenThread, ResumeThread)`

			`### Detecting Evasion Techniques with Powershell`
formatting 2022-10-18 21:26:19 +02:00
second commit 2021-08-23 01:13:54 +02:00			```sh
			`Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=15'`
			`Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=8'`
			```