|
14 | 14 | https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
|
15 | 15 | Note that 6.03 and 7.01 have critical fixes for filtering, it's recommended you stay updated.
|
16 | 16 |
|
17 |
| - NOTE: To collect Sysmon logs centrally for free, see https://aka.ms/WEF. You will need to run this command to allow log access to the Network Service: |
| 17 | + NOTE: To collect Sysmon logs centrally for free, see https://aka.ms/WEF. Will need to run command to allow log access to the Network Service: |
18 | 18 | wevtutil.exe sl Microsoft-Windows-Sysmon/Operational /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)
|
19 | 19 |
|
20 | 20 | NOTE: Do not let the size and complexity of this configuration discourage you from customizing this or building your own.
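Review bot: the rewording of line 17 drops the subject and the article ("Will need to run command to allow log access"), so the new line reads as a typo rather than an improvement; keep the original "You will need to run this command to allow log access to the Network Service:". Since the wevtutil line on 18 replaces the channel's security descriptor wholesale via /ca:, it would also help to state inline which principals the SDDL grants access to (SY, BA, the S-1-5-32-573 group and NS, with NS limited to 0x1) so a reader can check the grant before applying it rather than pasting an opaque descriptor.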
|
|
33 | 33 | this configuration monitors, especially in the first minutes.
|
34 | 34 |
|
35 | 35 | TECHNICAL:
|
36 |
| - - Run sysmon.exe -? for a briefing on Sysmon configuration. |
37 |
| - - Sysmon does not support nested/multi-conditional rules. There are only blanket INCLUDE and EXCLUDE. "Exclude" rules override "Include" rules. |
38 |
| - - If you only specify exclude for a filtering subsection, everything in that subsection is logged by default. |
39 |
| - - Some Sysmon monitoring abilities are not meant for general-purpose use due to their large performance impact, such as ProcessAccess. |
40 |
| - - Duplicate or overlapping "Include" rules do not result in duplicate events being logged. |
41 |
| - - All characters enclosed by XML tags are always interpreted literally. Sysmon does not support wildcards (*), alternate characters, or RegEx. |
42 |
| - - In registry events, the value name is appended to the full key path with a "\" delimiter. Default key values are named "\(Default)" |
43 |
| - - "Image" is a technical term for a compiled binary file like an EXE or DLL. Also, it can match just the filename, or entire path. |
44 |
| - - "ProcessGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual process launches. Cleared on service restart. |
45 |
| - - "LoginGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual user sessions. Cleared on service restart. |
46 |
| - - Sysmon does not track which rule caused an event to be logged. |
| 36 | + - Run sysmon.exe -? for a briefing on Sysmon configuration. |
| 37 | + - Sysmon does not support nested/multi-conditional rules. There are only blanket INCLUDE and EXCLUDE. "Exclude" rules override "Include" rules. |
| 38 | + - If you only specify exclude for a filtering subsection, everything in that subsection is logged by default. |
| 39 | + - Some Sysmon monitoring abilities are not meant for general-purpose use due to their large performance impact, such as ProcessAccess. |
| 40 | + - Duplicate or overlapping "Include" rules do not result in duplicate events being logged. |
| 41 | + - All characters enclosed by XML tags are always interpreted literally. Sysmon does not support wildcards (*), alternate characters, or RegEx. |
| 42 | + - In registry events, the value name is appended to the full key path with a "\" delimiter. Default key values are named "\(Default)" |
| 43 | + - "Image" is a technical term for a compiled binary file like an EXE or DLL. Also, it can match just the filename, or entire path. |
| 44 | + - "ProcessGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual process launches. Cleared on service restart. |
| 45 | + - "LoginGuid" is randomly generated, assigned, and tracked by Sysmon to assist in tracing individual user sessions. Cleared on service restart. |
| 46 | + - Sysmon does not track which rule caused an event to be logged. |
47 | 47 |
|
48 | 48 | TECHNICAL: Filter conditions available for use are: is, is not, contains, excludes, begin with, end with, less than, more than, image
|
49 |
| - - The "image" filter is usable with any field. Same as "is" but can either match the entire string, or only the text after the last "\" in the string. Credit: @mattifestation |
| 49 | + - The "image" filter is usable with any field. Same as "is" but can either match the entire string, or only the text after the last "\" in the string. Credit: @mattifestation |
50 | 50 |
|
51 | 51 | PERFORMANCE: By using "end with" you can save performance by starting a string match at the end of a line, which usually triggers earlier.
|
52 | 52 | -->
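Review bot: the removed and added versions of lines 36 to 46 and line 49 carry identical text, so this region appears to be an indentation or whitespace-only change; say so in the commit message, because a reviewer otherwise has to compare each bullet character by character to find the substantive edit. While these lines are being touched, line 45 names the field "LoginGuid", whereas the field Sysmon writes in its events is "LogonGuid" (the "ProcessGuid" spelling on line 44 is correct); confirm against the Sysmon event schema and correct it. Line 42 also ends without a period, unlike the neighbouring bullets.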