111. Sysmon

Table of Contents

NXLog can be configured to capture and process audit logs generated by the Sysinternals Sysmon utility. Sysmon is a Windows system service and device driver that logs system activity into Windows Event Log. Supported events include (but are not limited to):

process creation and the full command line used,
loading of system drivers,
network connections, and
modification of file creation timestamps.

On Windows Vista and higher, Sysmon logs are stored in the Microsoft-Windows-Sysmon/Operational Windows Event Log channel. On older systems, events are written to the default System channel.

111.1. Setting up Sysmon

To download Sysmon, and for full details about configuring and installing Sysmon, see the Sysmon page on Microsoft Docs.

Download and extract the Sysmon ZIP archive.
Install the Sysmon service with the default parameters. The service will become active immediately; no restart is required. The service will remain resident across reboots. Other command-line parameters are available to enable or disable various types of logging.
```
> sysmon -accepteula -i
```
A complex configuration with filtering can be deployed by creating a custom XML configuration file for Sysmon.

See SwiftOnSecurity Sysmon configuration, or IONStorm Sysmon configuration on GitHub. Both provide good information for understanding what is possible with Sysmon and include many examples.

Use the -c option to update the service with a new configuration.
```
> sysmon -c config.xml
```
To uninstall the Sysmon service, use the -u option.
```
> sysmon -u
```

111.2. Collecting Sysmon logs

When Sysmon generates event log data, it encodes details of the event into the EventData tag of the Windows Event Log record.

Example Sysmon Windows Event Log entry

<EventData>
  <Data Name="UtcTime">2015.04.27. 13:23</Data>
  <Data Name="ProcessGuid">{00000000-3862-553E-0000-001051D40527}</Data>
  <Data Name="ProcessId">25848</Data>
  <Data Name="Image">c:\Program Files (x86)\nxlog\nxlog.exe</Data>
  <Data Name="CommandLine">"c:\Program Files (x86)\nxlog\nxlog.exe" -f</Data>
  <Data Name="User">WIN-OUNNPISDHIG\Administrator</Data>
  <Data Name="LogonGuid">{00000000-568E-5453-0000-0020D5ED0400}</Data>
  <Data Name="LogonId">0x4edd5</Data>
  <Data Name="TerminalSessionId">2</Data>
  <Data Name="IntegrityLevel">High</Data>
  <Data Name="HashType">SHA1</Data>
  <Data Name="Hash">1DCE4B0F24C40473Ce7B2C57EB4F7E9E3E14BF94</Data>
  <Data Name="ParentProcessGuid">{00000000-3862-553E-0000-001088D30527}</Data>
  <Data Name="ParentProcessId">26544</Data>
  <Data Name="ParentImage">C:\msys\1.0\bin\sh.exe</Data>
  <Data Name="ParentCommandLine">C:\msys\1.0\bin\sh.exe</Data>
</EventData>

Sysmon audit log data can be collected with im_msvistalog (or other modules, see Windows Event Log). The Data tags will be automatically parsed, and the values will be available as fields in the event records. The log data can then be forwarded to a log analytics system to allow identification of malicious or anomalous activity.

Example 512. Collecting Sysmon logs

Here, the im_msvistalog module will collect all Sysmon logs from Windows Event Log. A sample event is shown below.

nxlog.conf


  1
2
3
4
5
6
7
8
9
10

  <Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

Output sample

{
  "EventTime": "2015-04-27 15:23:46",
  "Hostname": "WIN-OUNNPISDHIG",
  "Keywords": -9223372036854776000,
  "EventType": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 1,
  "SourceName": "Microsoft-Windows-Sysmon",
  "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
  "Version": 3,
  "Task": 1,
  "OpcodeValue": 0,
  "RecordNumber": 2335906,
  "ProcessID": 1680,
  "ThreadID": 1728,
  "Channel": "Microsoft-Windows-Sysmon/Operational",
  "Domain": "NT AUTHORITY",
  "AccountName": "SYSTEM",
  "UserID": "SYSTEM",
  "AccountType": "Well Known Group",
  "Message": "Process Create:\r\nUtcTime: 2015.04.27. 13:23\r\nProcessGuid: {00000000-3862-553E-0000-001051D40527}\r\nProcessId: 25848\r\nImage: c:\\Program Files (x86)\\nxlog\\nxlog.exe\r\nCommandLine: \"c:\\Program Files (x86)\\nxlog\\nxlog.exe\" -f\r\nUser: WIN-OUNNPISDHIG\\Administrator\r\nLogonGuid: {00000000-568E-5453-0000-0020D5ED0400}\r\nLogonId: 0x4edd5\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashType: SHA1\r\nHash: 1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94\r\nParentProcessGuid: {00000000-3862-553E-0000-001088D30527}\r\nParentProcessId: 26544\r\nParentImage: C:\\msys\\1.0\\bin\\sh.exe\r\nParentCommandLine: C:\\msys\\1.0\\bin\\sh.exe",
  "Opcode": "Info",
  "UtcTime": "2015.04.27. 13:23",
  "ProcessGuid": "{00000000-3862-553E-0000-001051D40527}",
  "Image": "c:\\Program Files (x86)\\nxlog\\nxlog.exe",
  "CommandLine": "\"c:\\Program Files (x86)\\nxlog\\nxlog.exe\" -f",
  "User": "WIN-OUNNPISDHIG\\Administrator",
  "LogonGuid": "{00000000-568E-5453-0000-0020D5ED0400}",
  "LogonId": "0x4edd5",
  "TerminalSessionId": "2",
  "IntegrityLevel": "High",
  "HashType": "SHA1",
  "Hash": "1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94",
  "ParentProcessGuid": "{00000000-3862-553E-0000-001088D30527}",
  "ParentProcessId": "26544",
  "ParentImage": "C:\\msys\\1.0\\bin\\sh.exe",
  "ParentCommandLine": "C:\\msys\\1.0\\bin\\sh.exe",
  "EventReceivedTime": "2015-04-27 15:23:47",
  "SourceModuleName": "in",
  "SourceModuleType": "im_msvistalog"
}

111.3. Filtering Sysmon events

Some scenarios require more advanced filtering of Sysmon logs in order to achieve more useful results. There are three main ways to filter Sysmon logs.

Sysmon configuration

Sysmon supports filtering tags that can be used to avoid logging unwanted events. See Setting up Sysmon above and the Sysmon page for details about the available tags. This method is the most efficient because it avoids creating the unwanted log entries in the first place.

Windows Event Log XPath query

The im_msvistalog Query or QueryXML directive can be used to limit the entries that are read via the Windows Event Log API. Because this method restricts the number of entries that reach NXLog, it is a fairly efficient way to filter logs.

Example 513. Filtering Sysmon events with an XPath Query

The following example shows a query that collects only events that have an event ID of 1 (process creation).

nxlog.conf


  1
2
3
4
5
6
7
8
9
10
11
12

  <Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">
                    *[System[(EventID='1')]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

NXLog language

Finally, the built-in filtering capabilities of NXLog can be used, which may be easier to write than the XML query syntax provided by the Windows Event Log API.

Example 514. Filtering Sysmon events in an Exec block

This example discards all network connection events (event ID 3) regarding HTTP network connections to a particular server and port, and all process creation and termination events (event IDs 1 and 5) for conhost.exe.

nxlog.conf


  1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

  <Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        if ($EventID in (1, 5) and
            $Image == "C:\\Windows\\System32\\conhost.exe") or
           ($EventID == 3 and
            $DestinationPort == 80 and
            $DestinationIp == 10.0.0.1)
           drop();
    </Exec>
</Input>

You are here

111. Sysmon | Log Collection Solutions

111. Sysmon

111.1. Setting up Sysmon

111.2. Collecting Sysmon logs

111.3. Filtering Sysmon events