Sysmon is a very powerful tool for logging Windows internals: process creation, network connections, driver and image loads, registry and file changes, and more. With the threat to endpoints growing and log analytics getting cheaper every year, there is no excuse to NOT collect Sysmon events.

Sysmon events collected with a tuned template such as Olaf Hartong's or SwiftOnSecurity's will be worth more than their weight in gold when there is a breach. They may be the only linchpin that lets you unravel what actually happened on the endpoint.

So let's get started…

  1. Download Sysmon from Microsoft Sysinternals
    https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

  2. Configure a Sysmon template that logs only useful events, because unfiltered "Endpoint Events Collection" = "Big Data". Two security-oriented Sysmon configuration templates you can choose from: sysmon-config from SwiftOnSecurity and sysmon-modular from Olaf Hartong. Both are XML files that you pass to Sysmon at install time.

  3. Open cmd (or PowerShell) with administrative rights and execute. On 64-bit Windows the binary is Sysmon64.exe and the service is named Sysmon64; the flags are the same.

    • Install a new Sysmon service (afterwards, check under services.msc and in the Microsoft-Windows-Sysmon/Operational event log)
      sysmon.exe -accepteula -i sysmonconfig-export.xml

    • Update the configuration of an existing installation (with no file argument, -c dumps the currently loaded configuration instead)
      sysmon.exe -c sysmonconfig-export.xml

    • Uninstall the Sysmon service
      sysmon.exe -u
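The three steps above, tied together in one PowerShell run that installs or updates Sysmon and then verifies the result. This is an added example, not part of the original post and not Sysinternals code; it assumes Sysmon.exe and the config XML are in the current directory, that the service name is Sysmon (it is Sysmon64 if you install with Sysmon64.exe), and relies on Sysmon's own Event ID 16 (configuration change) to confirm the config was loaded.

```powershell
# Added example (not from the original post): install or update Sysmon from a
# config file, then verify the service, the loaded config and the event channel.
# Assumptions: Sysmon.exe and sysmonconfig-export.xml in the current directory,
# service name "Sysmon" (use Sysmon64.exe / "Sysmon64" on 64-bit if you prefer).
$SysmonExe = ".\Sysmon.exe"
$Config    = ".\sysmonconfig-export.xml"
$Service   = "Sysmon"
$Channel   = "Microsoft-Windows-Sysmon/Operational"

if (-not (Test-Path $Config)) { throw "Config file not found: $Config" }

# Install if the service is missing, otherwise push the new configuration.
$svc = Get-Service -Name $Service -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    & $SysmonExe -accepteula -i $Config
} else {
    & $SysmonExe -c $Config
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon exited with code $LASTEXITCODE" }

# 1. The service must exist and be running.
$svc = Get-Service -Name $Service
if ($svc.Status -ne 'Running') { throw "$Service is not running: $($svc.Status)" }

# 2. With no file argument, -c dumps the configuration currently loaded
#    by the driver. Eyeball that the rule groups match the template you pushed.
& $SysmonExe -c

# 3. Sysmon logs Event ID 16 when its configuration changes; the most recent
#    one should carry the hash of the config you just loaded.
$cfgEvent = Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = 16 } -MaxEvents 1
$cfgEvent | Select-Object TimeCreated, Id, Message | Format-List

# 4. Events should already be flowing (Event ID 1 = process creation).
Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = 1 } -MaxEvents 5 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```

Run it from an elevated PowerShell prompt; the same script works for the first install and for every later template update, so it can be dropped into whatever you use to push config to endpoints. If no Event ID 1 entries show up within a minute, check that the template is not filtering everything out before suspecting the install.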