注意:Sysmon是微软对于Eventlog的补充解决⽅案,这是笔者对于Sysmon的理解,Sysmon可以能够获取到 Evenlog获取不到的更多信息;
sysmon64.exe -i exampleSysmonConfig.xml //执⾏安装: sysmon64.exe -u //删除
执⾏安装
删除
注意:exampleSysmonConfig.xml为Sysmon的配置⽂件,内容和名字均可以⾃定义,内容可以⾃⾏进⾏增加 或修改。
<Sysmon schemaversion="4.40"> <EventFiltering> <!-- Restrict logging to access targeting svchost.exe and verclsid.exe --> <ProcessAccess onmatch="exclude"> <TargetImage condition="excludes">verclsid.exe</TargetImage> <TargetImage condition="excludes">svchost.exe</TargetImage> </ProcessAccess> <!-- Process access requests with suspect privileged access, or call trace indicative of unknown modules --> <ProcessAccess onmatch="include"> <GrantedAccess condition="is">0x1F0FFF</GrantedAccess> <GrantedAccess condition="is">0x1F1FFF</GrantedAccess> <GrantedAccess condition="is">0x1F2FFF</GrantedAccess> <GrantedAccess condition="is">0x1F3FFF</GrantedAccess> <GrantedAccess condition="is">0x1FFFFF</GrantedAccess> <CallTrace condition="contains">unknown</CallTrace> </ProcessAccess> </EventFiltering> </Sysmon>
安装完成后,在本地事件管理器可以查看相关日志(路径:事件查看器---应用程序与服务日志---Microsoft---windows---sysmon):
