olafhartong/sysmon-modular
Latest commit: bede1a4 · Jun 1, 2020
sysmon-modular | A Sysmon configuration repository for everybody to customise


This is a Microsoft Sysinternals Sysmon configuration repository, set up in a modular way for easier maintenance and for generating environment-specific configurations.

NOTICE: Sysmon versions below 10.4 are not compatible with this configuration.

Older versions are still available in the branches, but are not as complete as the current branch: V8.x >> here, V9.x >> here.

To understand the features added in the latest version, have a look at my small blog post or watch my DerbyCon talk.

Note: I do recommend using a minimal number of configurations within your environment, for several obvious reasons such as maintenance, consistent output, manageability and so on.

Credits

Big credit goes out to SwiftOnSecurity for laying a great foundation and making this repo possible: sysmonconfig-export.xml.

Equally a huge shoutout to Roberto Rodriguez for his amazing work on the ThreatHunter-Playbook and his contribution to the community on his blog.

Final thanks to Mathias Jessen for his Merge script; without it, this project would not have worked as well.

Contributing

Pull requests / issue tickets and new additions will be greatly appreciated!

More information

I started a series of blog posts covering this repo.

Mitre ATT&CK

I strive to map all configurations to the ATT&CK framework whenever Sysmon is able to detect the technique. A current ATT&CK Navigator export of all linked configurations is found here and can be viewed here.

Required actions

I highly recommend looking at the configs before implementing them in your production environment. This lets you get logging that is as actionable as possible, with as little noise as possible.

Customization

You will need to install and observe the results of the configuration in your own environment before deploying it widely. For example, you will need to exclude actions of your antivirus, which will otherwise likely fill up your logs with useless information.

Generating a config

PowerShell

git clone https://github.com/olafhartong/sysmon-modular.git
cd sysmon-modular
. .\Merge-SysmonXml.ps1
Merge-AllSysmonXml -Path ( Get-ChildItem '[0-9]*\*.xml') -AsString | Out-File sysmonconfig.xml
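The following script ties the Customization advice above (excluding a noisy antivirus engine) to the generation steps, and adds a sanity check on the merged result before it is deployed. It is an added example, not part of sysmon-modular itself. It assumes you are inside the cloned repository, that the modules use the `<RuleGroup>` layout with `schemaversion="4.22"` (check the repo's own module files and adjust), that `1_process_creation` is the ProcessCreate module directory, and that the antivirus image path is a placeholder to be replaced with what you actually observe in your logs.

```powershell
# Added example (not part of sysmon-modular). Run from the cloned repository root.
# Assumptions: schemaversion 4.22 and the RuleGroup layout match the repo's modules;
# '1_process_creation' is the ProcessCreate module folder; the AV path is a placeholder.

# 1. Drop in a local exclusion module for an AV scanner that floods ProcessCreate.
#    The image path below is a placeholder: replace it with the binary seen in your logs.
$module = @'
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <!-- placeholder AV scanner binary; replace with the real path from your events -->
        <Image condition="is">C:\Program Files\ExampleAV\scanner.exe</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
New-Item -ItemType Directory -Force -Path '1_process_creation' | Out-Null
$module | Set-Content -Path '1_process_creation\exclude_local_av.xml' -Encoding UTF8

# 2. Merge all numbered module folders into one config (the README's own command).
. .\Merge-SysmonXml.ps1
Merge-AllSysmonXml -Path (Get-ChildItem '[0-9]*\*.xml') -AsString | Out-File sysmonconfig.xml

# 3. Sanity-check the merged file: the [xml] cast throws if it is not well-formed,
#    then list how many rules each event type carries per RuleGroup.
[xml]$cfg = Get-Content -Raw 'sysmonconfig.xml'
"schemaversion: $($cfg.Sysmon.schemaversion)"
foreach ($group in $cfg.Sysmon.EventFiltering.RuleGroup) {
    $eventTypes = $group.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }
    foreach ($rule in $eventTypes) {
        $count = @($rule.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }).Count
        '{0,-28} onmatch={1,-8} {2,4} rule(s)' -f $rule.LocalName, $rule.onmatch, $count
        # An include block with no rules means Sysmon logs nothing for that event type,
        # which is almost always a merge mistake rather than an intended choice.
        if ($rule.onmatch -eq 'include' -and $count -eq 0) {
            Write-Warning "$($rule.LocalName): onmatch=include with zero rules, nothing will be logged"
        }
    }
}

# 4. Deploy from an elevated prompt, as described in the Use section below:
#    first install:   sysmon.exe -accepteula -i sysmonconfig.xml
#    update existing: sysmon.exe -c sysmonconfig.xml
```

The rule-count listing is the part worth keeping in your build pipeline: review it after every merge, because a module that silently fails to merge, or an empty `onmatch="include"` block, shows up here as a missing event type or a zero count long before it shows up as a blind spot in your SIEM.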

Use

Install

Run with administrator rights

sysmon.exe -accepteula -i sysmonconfig.xml

Update existing configuration

Run with administrator rights

sysmon.exe -c sysmonconfig.xml