Sysmon Rules Guide
Sysmon is a free tool, initially developed by Mark Russinovich, that extends the native logging capabilities of Windows so that attacker activity can be understood and detected by its behavior.
All events generated by Sysmon are written to the Microsoft-Windows-Sysmon/Operational event log, so that security products that already collect from the Windows EventLog can consume them and so that the events are easy to view and collect.
Sysmon is configured through an XML configuration file. In that file you apply logical conditions to the event fields defined by the schema version for each event type.
The following event types are defined for the latest version of Sysmon:

| EventType | Description |
|---|---|
| NetworkConnect | Network connections made by processes on the system; both TCP and UDP |
| ProcessCreate | Creation of new processes on the system and information related to the process |
| FileCreateTime | File creation time modification and the process responsible for it |
| ProcessTerminate | The termination of a process |
| ImageLoad | Loading of any image (OCX, DLL, etc.) by a process, with information on the loading process and the image itself |
| DriverLoad | Loading of a driver by the system and its file information |
| DnsQuery | DNS query performed by a process using the Windows API; includes information on the query and the process that performed it |
| ProcessAccess | Access to the memory of one process from another process, with information on the access permissions and the processes involved |
| RawAccessRead | Raw access to a file by a process, bypassing the file system controls |
| FileCreateStreamHash | An alternate data stream was created and its content hashed; information on the process that created the stream is logged |
| RegistryEvent | Creation, deletion, and modification of specific registry keys and values; information on the process that took the action is logged |
| FileCreate | File create operations; logged when a file is created or overwritten, with information on the process responsible |
| PipeEvent | Named pipe communication between two processes and its relevant information |
| WmiEvent | Creation, deletion, and modification of WMI permanent event components in the CIM database |
With Sysmon Rules, you can organize filtering in the following ways:
- EventType filters
- EventType filters organized using RuleGroups
- EventType filters organized into Rule sets inside RuleGroups
You can have up to 2 instances of each EventType for the entire configuration: 1 include and 1 exclude. The default relation between filters is AND.
If the filters match, the event is included and placed in the EventLog according to that AND logic.
The RuleGroup element allows for more complex logic: multiple Rule elements, each with multiple filters, can be created, and the logic applied to the filters can be modified to capture actions in a more granular way.
A RuleGroup has a name and a groupRelation option:
- name: the value will most likely show up in the RuleName field of the event, since there is no dedicated RuleGroup name field in the event schema
- groupRelation: can be "and" or "or", and it is required when using RuleGroup
Note: you cannot have multiple RuleGroup elements of the same filter type (for example, Include-Include); in such a case the second filter type must be Exclude, and the groupRelation applied to each RuleGroup is AND.
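To make the include/exclude and groupRelation semantics described above concrete, here is an added example (not Sysmon code and not a SOC Prime tool) that parses a constructed Sysmon configuration and decides, for a few constructed ProcessCreate events, whether each would reach the event log. It also enforces the two constraints stated in this guide: groupRelation is required on a RuleGroup, and there is at most one include and one exclude filter per event type. The config, the event field values, and the subset of conditions implemented are assumptions of this example; real Sysmon supports more conditions and applies per-event-type defaults when no filter exists at all, which this model leaves out.

```python
"""Toy evaluator for Sysmon include/exclude filters and RuleGroup groupRelation.

Added example for this guide, not Sysmon code and not a SOC Prime tool. Assumes
a subset of Sysmon's conditions, case-insensitive matching as in Sysmon, and
does not model the per-event-type defaults used when no filter exists at all.
"""
import xml.etree.ElementTree as ET

# Constructed sample configuration; the schemaversion value is illustrative.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="Office spawning PowerShell" groupRelation="and">
      <ProcessCreate onmatch="include">
        <ParentImage condition="end with">winword.exe</ParentImage>
        <Image condition="image">powershell.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="Known-good updater" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="begin with">C:\\Program Files\\Update\\</Image>
        <CommandLine condition="contains">--silent-update</CommandLine>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

# Constructed ProcessCreate events (field names follow the Sysmon schema).
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = {
    "word_spawns_powershell": {"ParentImage": WORD, "Image": PS,
                               "CommandLine": "powershell.exe -File macro.ps1"},
    "word_spawns_updater_script": {"ParentImage": WORD, "Image": PS,
                                   "CommandLine": "powershell.exe --silent-update"},
    "explorer_spawns_powershell": {"ParentImage": r"C:\Windows\explorer.exe",
                                   "Image": PS, "CommandLine": "powershell.exe"},
}


def _condition_matches(condition, pattern, value):
    """One Sysmon field condition (subset), compared case-insensitively."""
    v, p = value.lower(), pattern.lower()
    if condition == "is":
        return v == p
    if condition == "contains":
        return p in v
    if condition == "begin with":
        return v.startswith(p)
    if condition == "end with":
        return v.endswith(p)
    if condition == "image":  # matches the full path or just the file name
        return v == p or v.rsplit("\\", 1)[-1] == p
    raise ValueError(f"unsupported condition: {condition!r}")


def _filter_matches(filter_el, relation, event):
    """Combine the filter's field conditions with the group's and/or relation."""
    results = []
    for field in filter_el:
        if field.tag == "Rule":  # a nested Rule carries its own groupRelation
            results.append(_filter_matches(field, field.get("groupRelation", "or"), event))
        else:
            results.append(_condition_matches(field.get("condition", "is"),
                                              (field.text or "").strip(),
                                              event.get(field.tag, "")))
    return bool(results) and (all(results) if relation == "and" else any(results))


def load_rules(xml_text):
    """Map (event_type, onmatch) -> (groupRelation, filter element), enforcing the
    guide's constraints: groupRelation is required and there is at most one
    include and one exclude filter per event type."""
    rules = {}
    for group in ET.fromstring(xml_text).iter("RuleGroup"):
        relation = group.get("groupRelation")
        if relation not in ("and", "or"):
            raise ValueError(f"RuleGroup {group.get('name')!r}: groupRelation must be 'and' or 'or'")
        for filt in group:
            key = (filt.tag, filt.get("onmatch"))
            if key in rules:
                raise ValueError(f"second {filt.tag} onmatch={key[1]!r} filter is not allowed")
            rules[key] = (relation, filt)
    return rules


def config_error(xml_text):
    """Return the constraint violation message, or None when the config is acceptable."""
    try:
        load_rules(xml_text)
    except ValueError as exc:
        return str(exc)
    return None


def would_log(rules, event_type, event):
    """Exclude wins over include; otherwise the include filter must match."""
    exclude = rules.get((event_type, "exclude"))
    if exclude and _filter_matches(exclude[1], exclude[0], event):
        return False
    include = rules.get((event_type, "include"))
    return bool(include) and _filter_matches(include[1], include[0], event)


def evaluate_all(xml_text=SAMPLE_CONFIG, events=EVENTS):
    """Decide for each constructed event whether it would reach the Sysmon log."""
    rules = load_rules(xml_text)
    return {label: would_log(rules, "ProcessCreate", ev) for label, ev in events.items()}
```

Running `evaluate_all()` shows the three outcomes a rule author cares about: the Word-to-PowerShell event is logged because both conditions of the "and" group hold; the same parent/child pair with `--silent-update` on the command line is dropped because the exclude group matches and exclude takes precedence; and PowerShell started from Explorer is dropped because only one of the two "and" conditions holds. `config_error` is the check to run before loading a config with `sysmon.exe -c`, since a missing groupRelation or a second include filter for the same event type is rejected here for the same reasons the guide gives.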
To update your existing configuration with a Sysmon Rule from SOC Prime Threat Detection Marketplace:
Step 1. Run the following with administrator rights:
sysmon.exe -c sysmonconfig.xml
Step 2. Check the RuleGroup groupRelation value against the instructions included with the Sysmon Rule.
Step 3. Follow the remaining instructions and insert the include filter value into the appropriate RuleGroup section.
Step 4. Insert the exclude filter value into the appropriate RuleGroup section.
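Steps 2 to 4 are easy to get wrong by hand: an include filter pasted into a RuleGroup whose groupRelation differs from the one the rule was written for changes its meaning, and pasting a second include filter for the same event type violates the constraint noted above. The following added example (not SOC Prime's or Sysinternals' tooling) merges a rule fragment into an existing configuration while performing those checks. The existing config, the rule fragment and its field values are constructed for the example; it assumes the rule is delivered as an `EventFiltering` fragment whose RuleGroup states the groupRelation it needs.

```python
"""Merge a Sysmon Rule's filters into an existing configuration (Steps 2-4).

Added example for the update procedure above; not SOC Prime's or Sysinternals'
tooling. Assumes the rule is delivered as an <EventFiltering> fragment whose
RuleGroup states the groupRelation it needs, and that the existing config has
at most one include and one exclude filter per event type (the Note above).
"""
import xml.etree.ElementTree as ET

# Constructed existing configuration (the file passed to sysmon.exe -c).
EXISTING_CONFIG = """<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Image condition="end with">cmd.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\\Windows\\System32\\svchost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

# Constructed rule fragment in the same shape as the existing file.
NEW_RULE = """<EventFiltering>
  <RuleGroup name="Constructed rule" groupRelation="or">
    <ProcessCreate onmatch="include">
      <Image condition="end with">regsvr32.exe</Image>
    </ProcessCreate>
    <ProcessCreate onmatch="exclude">
      <CommandLine condition="contains">known-good-installer</CommandLine>
    </ProcessCreate>
    <DnsQuery onmatch="include">
      <QueryName condition="end with">.example</QueryName>
    </DnsQuery>
  </RuleGroup>
</EventFiltering>"""


def find_filter(root, event_type, onmatch):
    """Locate the single existing filter of this type; more than one is an error."""
    found = [(group, filt) for group in root.iter("RuleGroup") for filt in group
             if filt.tag == event_type and filt.get("onmatch") == onmatch]
    if len(found) > 1:
        raise ValueError(f"{len(found)} {event_type} onmatch={onmatch!r} filters already present")
    return found[0] if found else (None, None)


def merge_rule(config_xml, rule_xml):
    """Return the updated config text, or raise when the rule cannot be placed safely."""
    root = ET.fromstring(config_xml)
    filtering = root.find("EventFiltering")
    if filtering is None:
        raise ValueError("config has no EventFiltering element")
    for group in ET.fromstring(rule_xml).iter("RuleGroup"):
        wanted = group.get("groupRelation")
        if wanted not in ("and", "or"):
            raise ValueError("rule's RuleGroup must state groupRelation")
        for new_filter in list(group):
            event_type, onmatch = new_filter.tag, new_filter.get("onmatch")
            target_group, target = find_filter(root, event_type, onmatch)
            if target is None:
                # No section of this type yet: add a RuleGroup carrying the rule's relation.
                new_group = ET.SubElement(filtering, "RuleGroup",
                                          name=group.get("name", ""), groupRelation=wanted)
                new_group.append(new_filter)
                continue
            # Step 2: the conditions only keep their meaning under the relation the rule expects.
            have = target_group.get("groupRelation")
            if have != wanted:
                raise ValueError(f"{event_type} onmatch={onmatch!r} sits in a groupRelation="
                                 f"{have!r} group but the rule needs {wanted!r}")
            # Steps 3/4: append the conditions to the one existing include/exclude section.
            target.extend(list(new_filter))
    return ET.tostring(root, encoding="unicode")


def count_conditions(config_xml, event_type, onmatch):
    """Number of field conditions under the one filter of this type (0 if absent)."""
    _, filt = find_filter(ET.fromstring(config_xml), event_type, onmatch)
    return 0 if filt is None else len(filt)


def merge_error(config_xml, rule_xml):
    """Message explaining why the merge was refused, or None on success."""
    try:
        merge_rule(config_xml, rule_xml)
    except ValueError as exc:
        return str(exc)
    return None
```

The output of `merge_rule` is written back to the configuration file and then loaded with `sysmon.exe -c sysmonconfig.xml` as in Step 1. A relation mismatch is refused rather than silently accepted: moving an include condition from an "or" group into an "and" group (or the reverse) is exactly the change that turns a working detection into one that never fires or fires on everything.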
The triggered events have the following structure: