Sysinternals Sysmon

Sysmon is a Windows system service and device driver that remains resident across system reboots to monitor and log system activity to the Windows event log. It can log detailed information about process creation, network connections, and changes to file creation time.


https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

A pre-built configuration file can be found at:

https://github.com/SwiftOnSecurity/sysmon-config

To install Sysmon and use the configuration file, download the Sysmon utility and extract the .ZIP file. If you download the .XML file using a browser and then attempt to use it, Sysmon may return an error with the text "DTD is prohibited."

To avoid this error, click the link for the .XML file, copy and paste its contents into a text editor such as Notepad++, and save the file under the original file name.

To verify the service was installed and logging is occurring, launch an elevated PowerShell session and enter the following commands.

Get-Service sysmon

Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 10
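The following PowerShell script is an added example and is not code from the original page or from the Sysmon or sysmon-config projects. It carries the install-and-verify procedure above through as one script: it checks that the saved config is raw XML rather than a browser-saved HTML page (the source of the "DTD is prohibited" error), installs or reloads the config, and confirms that both the service and the driver are running and that events are being written. The tool directory C:\Tools\Sysmon, the config file name sysmonconfig-export.xml, the use of the 64-bit Sysmon64.exe binary and the one-hour window are assumptions; run it from an elevated session.

```powershell
# Added example (not from the page): install Sysmon with the saved config and
# confirm the service, the driver and the event log are all in place.
# Assumptions: tools extracted to C:\Tools\Sysmon, config saved there as
# sysmonconfig-export.xml, 64-bit host, elevated PowerShell session.
$sysmonDir = 'C:\Tools\Sysmon'
$sysmonExe = Join-Path $sysmonDir 'Sysmon64.exe'
$config    = Join-Path $sysmonDir 'sysmonconfig-export.xml'

# A file saved from the browser's HTML view begins with <!DOCTYPE or <html
# instead of XML; Sysmon rejects it with "DTD is prohibited".
$head = (Get-Content -Path $config -TotalCount 5) -join "`n"
if ($head -match '<!DOCTYPE|<html') {
    throw "$config looks like a saved HTML page, not the raw XML config"
}

# Install if the service is absent (name is Sysmon or Sysmon64 depending on
# the binary used); otherwise just load the updated config into the running service.
$svc = Get-Service -Name Sysmon, Sysmon64 -ErrorAction SilentlyContinue
if (-not $svc) {
    & $sysmonExe -accepteula -i $config
} else {
    & $sysmonExe -c $config
}

# The user-mode service and the kernel driver (SysmonDrv) are separate services;
# both must be Running for events to appear.
Get-Service -Name 'Sysmon*' | Select-Object Name, Status, StartType

# Prove that logging is occurring: count the last hour's events by event ID.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object @{ Name = 'EventId'; Expression = { $_.Name } }, Count
```

If the final table is empty, the service is installed but nothing has been written in the window; generating a network connection (for example with the nslookup command discussed below) and re-running the last command is the quickest check that the configuration is actually matching events.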

The logs can be manually viewed via the Computer Management MMC (compmgmt.msc) using the path Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational.



The .XML file includes comments explaining some of the rules and parameters it contains.


Below is an example log entry (a Sysmon "Network connection detected" event) generated by running the nslookup command.

Network connection detected:
RuleName:
UtcTime: 2019-02-23 23:41:00.742
ProcessGuid: {8fcfd9c4-da0c-5c71-0000-0010dc068801}
ProcessId: 1636
Image: C:\Windows\System32\nslookup.exe
User: sam
Protocol: udp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.254.27
SourceHostname: computer
SourcePort: 60836
SourcePortName:
DestinationIsIpv6: false
DestinationIp: 192.168.254.254
DestinationHostname:
DestinationPort: 53
DestinationPortName: domain
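The entry above is rendered from the event's EventData fields. As an added example, not part of the original page, the following PowerShell reads those fields directly from the event XML instead of scraping the message text, turns each network connection event into an object, and flags DNS traffic (destination port 53) sent anywhere other than the expected resolver. The resolver address 192.168.254.254 is taken from the log entry above and is an assumption about your network; the event ID of 3 for network connection events and the 500-event window are the script's own choices.

```powershell
# Added example (not from the page): parse Sysmon network connection events
# from the event XML and report DNS queries to unexpected resolvers.
# Assumption: 192.168.254.254 (the resolver in the page's nslookup entry) is the
# only resolver hosts on this network should be talking to.
$allowedResolvers = @('192.168.254.254')

function Get-SysmonNetworkConnection {
    param([int]$MaxEvents = 500)
    # Sysmon network connection events are Event ID 3 in the Operational log.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Each <Data Name="..."> element under EventData is one named field,
            # matching the field names shown in the rendered log entry.
            $xml = [xml]$_.ToXml()
            $fields = @{}
            foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                UtcTime         = $fields['UtcTime']
                Image           = $fields['Image']
                User            = $fields['User']
                Protocol        = $fields['Protocol']
                SourceIp        = $fields['SourceIp']
                DestinationIp   = $fields['DestinationIp']
                DestinationPort = [int]$fields['DestinationPort']
            }
        }
}

# DNS to a resolver not on the allow list is worth a look: it can indicate a
# misconfigured host or a process bypassing the site's resolvers.
Get-SysmonNetworkConnection |
    Where-Object { $_.DestinationPort -eq 53 -and $allowedResolvers -notcontains $_.DestinationIp } |
    Sort-Object UtcTime |
    Format-Table UtcTime, Image, User, Protocol, DestinationIp -AutoSize
```

Reading fields from the XML rather than from the Message property keeps the script stable across Sysmon versions that reword the message template, and the same pattern (swap the Id and the field names) works for the process creation and file time change events the page mentions.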