
Process monitor filter filename
In order to be able to build a Sysmon configuration file, you first need to learn how to check what Sysmon has to offer.

For example, if you go to the Sysmon executable… let's open this one… in Resource Hacker. It's important to check how the manifest looks, and the reason for that is that we need to verify what kind of possibilities we've got. This is the newest Sysmon, 6.10, and over here you can see the templates that define the different types of logging. Every single time there is a new Sysmon version released, don't worry. This is what we're going to have logged in the event log: file creation time change, of course, process tracking, process creation and process termination, network connection detected, driver loaded and things like that.

Probably you will not find that information quickly on the Internet, but that's fine, because here you are able to see what kind of stuff has been added. Within the new Sysmon, you've got the possibility here to monitor WMI event filters. And, as you see, there's event consumer, event filter, ConsumerToFilter activity, and so on. That is, for example, if you've got malware that uses WMI, if WMI is modified, then you are of course able to see that kind of information in Sysmon. This is new… plenty of the WMI queries…

Using names in the Sysmon configuration file

Now, whenever we are thinking about playing with the creation of the rules, because this is how we operate with Sysmon, you might be wondering what kind of names we need to use in the config file to make it work. And the answer to that question is very simple. Over here, you've got the names of the rules, like "rule pipe event," "rule WMI event," and so on. Then, based on that, you build your rules in the configuration file. This is a little bit of a cheat sheet… how things are called, how things are named.

Well, because… let me have a look at the configuration file.

If we do notepad config.xml, this is the simplest possible config file we could have. For example, we've got Sysmon schema version 3.3; we can do 3.4, and at this particular moment it doesn't really make a difference. But here you can see event filtering, and this is the place where we put these names in. For example, if we have here "rule WMI event," then pretty much you are putting this particular entry over here. Now, you can say that not everything that is in the manifest I just showed you is in my config file.

You don't have to configure everything; you can configure only a couple of things. And, long story short, you are also able to say what you would like to have here: either include certain events or exclude them. Network connect, for example: what is happening in my case is that I am monitoring all of these events. Raw access read: only excluding, of course, Sysmon and System, but the rest I'm monitoring. Create remote thread: in this particular case, I am only monitoring explorer, LSASS, services, svchost, Winlogon and stuff like that, yes? And in the case of FileCreate with onmatch="include," I am not monitoring everything. And of course things like process access, which is good for pass-the-hash: I am only including LSASS, yeah?
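The walkthrough above covers two things: what the simplest config.xml with an EventFiltering section looks like, and what onmatch="include" versus onmatch="exclude" does for each event type. The Python script below is an added example and is not the speaker's config.xml or any Sysmon code. It embeds a constructed schema 3.4 configuration modelled on the rules the speaker describes (the two FileCreate patterns are assumed, since the talk only says "not everything" is monitored), parses its EventFiltering section, and applies Sysmon's include/exclude semantics to a handful of constructed events so you can see which ones would reach the event log before you ever load the file with sysmon -c. Condition matching is case-insensitive, as in Sysmon, and the rules inside one filter are OR'd, which is how schema 3.x configs behave (the RuleGroup element that allows AND grouping arrived in later Sysmon releases).

```python
"""Offline evaluator for Sysmon <EventFiltering> include/exclude rules.

Added example: reproduces the onmatch semantics of a schema 3.4 config so
you can check which events a config.xml would log before deploying it.
"""
import xml.etree.ElementTree as ET

# Constructed config modelled on the rules described in the talk. The
# FileCreate patterns are assumed for illustration only.
CONFIG_XML = r"""<Sysmon schemaversion="3.4">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- empty exclude filter: every network connection is logged -->
    <NetworkConnect onmatch="exclude" />
    <!-- raw disk reads: log everything except Sysmon itself and System -->
    <RawAccessRead onmatch="exclude">
      <Image condition="image">Sysmon.exe</Image>
      <Image condition="image">System</Image>
    </RawAccessRead>
    <!-- remote threads: only when the target is a sensitive process -->
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="image">explorer.exe</TargetImage>
      <TargetImage condition="image">lsass.exe</TargetImage>
      <TargetImage condition="image">services.exe</TargetImage>
      <TargetImage condition="image">svchost.exe</TargetImage>
      <TargetImage condition="image">winlogon.exe</TargetImage>
    </CreateRemoteThread>
    <!-- file creation: only a couple of interesting places (assumed) -->
    <FileCreate onmatch="include">
      <TargetFilename condition="contains">\Start Menu\Programs\Startup\</TargetFilename>
      <TargetFilename condition="end with">.ps1</TargetFilename>
    </FileCreate>
    <!-- process access: LSASS only (credential theft / pass-the-hash prep) -->
    <ProcessAccess onmatch="include">
      <TargetImage condition="image">lsass.exe</TargetImage>
    </ProcessAccess>
  </EventFiltering>
</Sysmon>"""

# Sysmon string conditions. "image" matches the full path or just the
# file-name component, which is why it is the usual choice for executables.
_CONDITIONS = {
    "is": lambda v, w: v == w,
    "is not": lambda v, w: v != w,
    "contains": lambda v, w: w in v,
    "excludes": lambda v, w: w not in v,
    "begin with": lambda v, w: v.startswith(w),
    "end with": lambda v, w: v.endswith(w),
    "image": lambda v, w: v == w or v.rsplit("\\", 1)[-1] == w,
}


def _matches(cond, value, wanted):
    """Apply one condition; Sysmon compares case-insensitively."""
    return _CONDITIONS[cond](value.lower(), wanted.lower())


def load_filters(xml_text):
    """Return {event_type: (onmatch, [(field, condition, value), ...])}."""
    root = ET.fromstring(xml_text)  # XML comments are dropped by the parser
    filters = {}
    for ev in root.find("EventFiltering"):
        rules = [(r.tag, r.get("condition", "is"), (r.text or "").strip()) for r in ev]
        filters[ev.tag] = (ev.get("onmatch"), rules)
    return filters


def would_log(filters, event_type, fields):
    """True/False when the config decides the event; None when the event
    type is absent from the config (Sysmon then applies its built-in default)."""
    if event_type not in filters:
        return None
    onmatch, rules = filters[event_type]
    hit = any(_matches(c, fields.get(f, ""), w) for f, c, w in rules)  # rules are OR'd
    return hit if onmatch == "include" else not hit


# Constructed sample events, keyed by the Sysmon field each rule inspects.
EVENTS = [
    ("NetworkConnect", {"Image": r"C:\Windows\System32\svchost.exe"}),
    ("RawAccessRead", {"Image": r"C:\Windows\Sysmon.exe"}),
    ("RawAccessRead", {"Image": r"C:\Tools\diskdump.exe"}),
    ("CreateRemoteThread", {"TargetImage": r"C:\Windows\System32\lsass.exe"}),
    ("CreateRemoteThread", {"TargetImage": r"C:\Windows\System32\notepad.exe"}),
    ("FileCreate", {"TargetFilename": r"C:\Users\bob\Downloads\report.pdf"}),
    ("FileCreate", {"TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows"
                                      r"\Start Menu\Programs\Startup\update.lnk"}),
    ("ProcessAccess", {"TargetImage": r"C:\Windows\System32\lsass.exe"}),
    ("ProcessAccess", {"TargetImage": r"C:\Windows\explorer.exe"}),
]


def evaluate(xml_text=CONFIG_XML, events=EVENTS):
    """One would_log() verdict per event, in order."""
    filters = load_filters(xml_text)
    return [would_log(filters, et, fields) for et, fields in events]


if __name__ == "__main__":
    for (et, fields), logged in zip(EVENTS, evaluate()):
        print(f"{et:<19} {'LOG ' if logged else 'drop'}  {next(iter(fields.values()))}")
```

Two practical checks go with this. An include filter with no rules at all (for example `<ProcessAccess onmatch="include" />`) disables that event type entirely, while an empty exclude filter logs everything, so the difference between the two empty forms is the difference between nothing and everything. And instead of opening the binary in Resource Hacker, current Sysmon builds will print the configuration schema with `sysmon -s` and dump the active configuration with `sysmon -c` (no file argument), which is the quickest way to confirm which tag and condition names your installed version actually accepts.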








