Sysmon
🚧 This post is a work in progress 🚧
Overview #
Sysmon is a monitoring tool, part of Sysinternals suite of tools from Microsoft.
It's not complicated to install.
Download it
Sysmon configuration #
Config file structure #
Main structure: HashAlgorithms and EventFiltering #
There are 2 main sections for the configuration file:
- HashAlgorithms to specify which hash algorithms to use.
- EventFiltering to identify events that are monitored or events excluded from monitoring.
<Sysmon schemaversion="4.50">
<HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
<EventFiltering>
<!-- ... -->
</EventFiltering>
</Sysmon>Events #
- Previous: Network notes
- Next: Zeek