一、Sysmon基础操作

下载地址

一、基本命令

Sysmon -i  #基本安装
Sysmon -accepteula -i xxxx.xml #通过配置安装
Sysmon -c xxxx.xml #更新配置
Sysmon -u #卸载

二、配置文件

2.1常用配置文件

2.1.1记录全部日志

<Sysmon schemaversion="4.21">
<!-- Capture all hashes -->
<HashAlgorithms>*</HashAlgorithms>
<CheckRevocation/>
<EventFiltering >
<RuleGroup name="" groupRelation="or"> 
    <ProcessCreate onmatch="exclude"></ProcessCreate>
    <FileCreateTime onmatch="exclude"></FileCreateTime>
    <NetworkConnect onmatch="exclude"></NetworkConnect>
    <ProcessTerminate onmatch="exclude"></ProcessTerminate>
    <DriverLoad onmatch="exclude"></DriverLoad>
    <ImageLoad onmatch="exclude"></ImageLoad>
    <CreateRemoteThread onmatch="exclude"></CreateRemoteThread>
    <RawAccessRead onmatch="exclude"></RawAccessRead>
    <ProcessAccess onmatch="exclude"></ProcessAccess>
    <FileCreate onmatch="exclude"></FileCreate>
    <RegistryEvent onmatch="exclude"></RegistryEvent>
    <FileCreateStreamHash onmatch="exclude"></FileCreateStreamHash>
    <PipeEvent onmatch="exclude"></PipeEvent>
    <DnsQuery onmatch="exclude"></DnsQuery>
</RuleGroup>
</EventFiltering>

2.1.1记录全部日志

  <EventFiltering>
    <RuleGroup name="group 1" groupRelation="and">
      <ProcessCreate onmatch="include">
        <Image condition="contains">timeout.exe</Image>
        <CommandLine condition="contains">100</CommandLine>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup groupRelation="or">
      <ProcessTerminate onmatch="include">
        <Image condition="contains">timeout.exe</Image>
        <Image condition="contains">ping.exe</Image>
      </ProcessTerminate>        
    </RuleGroup>
    <ImageLoad onmatch="include"/>
  </EventFiltering>

2.1.1通用配置

下载地址

2.1.4配置文件注释

下载地址

一些有用的教程

• windows官方文档：https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

• sysmon配置文件：https://www.infoq.cn/article/Gkms7FaVG6wbVcfQobaM

• github日志模板：https://github.com/ion-storm/sysmon-config/edit/master/sysmonconfig-export.xml