{"id":13387806,"url":"https://github.com/mhaggis/sysmon-dfir","last_synced_at":"2026-01-30T07:09:02.173Z","repository":{"id":15678328,"uuid":"78612417","full_name":"MHaggis/sysmon-dfir","owner":"MHaggis","description":"Sources, configuration and how to detect evil things utilizing Microsoft Sysmon. ","archived":false,"fork":false,"pushed_at":"2023-12-12T16:21:02.000Z","size":90663,"stargazers_count":912,"open_issues_count":0,"forks_count":184,"subscribers_count":113,"default_branch":"master","last_synced_at":"2025-03-24T01:35:52.881Z","etag":null,"topics":["sysmon"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MHaggis.png","metadata":{"files":{"readme":"README.legacy","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-01-11T07:09:03.000Z","updated_at":"2025-03-19T02:36:00.000Z","dependencies_parsed_at":"2024-10-28T20:44:37.794Z","dependency_job_id":null,"html_url":"https://github.com/MHaggis/sysmon-dfir","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MHaggis%2Fsysmon-dfir","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MHaggis%2Fsysmon-dfir/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MHaggis%2Fsysmon-dfir/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MHaggis%2Fsysmon-dfir/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MHaggis","download_url":"https://codeload
.github.com/MHaggis/sysmon-dfir/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245710382,"owners_count":20659882,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["sysmon"],"created_at":"2024-07-30T12:01:32.356Z","updated_at":"2026-01-30T07:08:57.145Z","avatar_url":"https://github.com/MHaggis.png","language":null,"funding_links":[],"categories":["\u003ca id=\"1d9dec1320a5d774dc8e0e7604edfcd3\"\u003e\u003c/a\u003e工具-新添加的"],"sub_categories":["\u003ca id=\"8f1b9c5c2737493524809684b934d49a\"\u003e\u003c/a\u003e文章\u0026\u0026视频"],"readme":"# Sysmon DFIR\nSources, configuration and how to detect evil things utilizing Microsoft Sysmon.\n\n# Install Sysmon\n\nTo install Sysmon, use the following command:\n\n    Sysmon.exe -i -h MD5,IMPHASH -n -l\n\n### Install config ###\nRun with administrator rights\n~~~~\nsysmon.exe -accepteula -i sysmonconfig-export.xml\n~~~~\n\nUpon installation, Sysmon will begin logging events to the operational event log “C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-Sysmon%4Operational.evtx”.\n\n### Deploy Sysmon ###\n\n[Sysmon.bat - Ion-Storm](https://github.com/ion-storm/sysmon-config/blob/master/Install%20Sysmon.bat)\n\n\n[Deploying Sysmon through Group Policy - Pablo Delgado](http://syspanda.com/index.php/2017/02/28/deploying-sysmon-through-gpo/)\n\n### Update existing configuration ###\nRun with administrator rights\n\n    sysmon.exe -c sysmonconfig-export.xml\n\n### Configs ###\n\n**@SwiftOnSecurity config**\n\nRecommended.\n\nConfig will assist with bringing you up to speed in 
relation to critical process monitoring, network utilization, and so on. Note that the concept is to not log everything, but the most important items.\n\nhttps://github.com/SwiftOnSecurity/sysmon-config\n\n**Sysmon_config.xml**\n\nSolid, detailed config. Probably one of the best ones out there in relation to completeness.\n\n[MalwareArchaeology](https://www.malwarearchaeology.com/logging/)\n\n**Sysmon-a.cfg**\n\nBasic config that will monitor critical Windows process execution. Very basic, but a good config to get used to sysmon and how things operate.\n\n[Blog post by blacklanternsecurity](http://www.blacklanternsecurity.com/blog/2016/12/11/sysmon-woes-elasticsearch-and-mitres-attack-matrix/)\n\n**Sysmon-b.cfg**\n\nCrypsis Group published config and PDF. Fairly detailed list of excludes that should assist with understanding how they work and get a configuration started.\n\n[Crypsis Group Config](https://github.com/crypsisgroup/Splunkmon/edit/master/sysmon.cfg)\n\n[Crypsis Group PDF](http://www.crypsisgroup.com/images/site/CG_WhitePaper_Splunkmon_1216.pdf)\n\n**Sysmon-c.cfg**\n\nGreat configuration to understand excludes and contains.\n\n[Decent Security Config](https://decentsecurity.com/enterprise/#/sysmon-enterprise-configuration/)\n\n**Sysmon-d.cfg**\n\nSolid blog post related to getting started with Sysmon. 
Config is nicely laid out and easy to understand.\n\n[909Research Blog](http://909research.com/sysmon-the-best-free-windows-monitoring-tool-you-arent-using/)\n\n**Sysmon-e.cfg**\n\nConfig is specific but it provides a good foundation for capturing a lot of specific data.\n\nhttps://github.com/Prevenity/sysmon\n\n(Translated comments to English)\n\n**Sysmoncfg_v2|31.xml**\n\nRelated material from Splunking the Endpoint .conf talk by James Brodsky and Dimitri McKay.\n\n[Splunking the Endpoint - Files from presentation](https://splunk.app.box.com/v/splunking-the-endpoint)\n\nConfigs are optimized for Splunk.\n\n**Additional configs**\n\nConfigs are updated frequently --\n\n[SwiftOnSecurity Fork by Ion-Storm](https://github.com/ion-storm/sysmon-config/blob/master/sysmonconfig-export.xml)\n\nServer Config: https://gist.github.com/Neo23x0/a4b4af9481e01e749409\n\nClient config: https://gist.github.com/Neo23x0/f56bea38d95040b70cf5\n\n\n# Resources\n\n[Ion-Storm Graylog App](https://github.com/ion-storm/sysmon-config)\n\n[Advanced Incident Detection and Threat Hunting using Sysmon and Splunk Video - Tom Ueltschi](https://youtu.be/vv_VXntQTpE)\n\n[Advanced Incident Detection and Threat Hunting using Sysmon and Splunk Slides - Tom Ueltschi](http://security-research.dyndns.org/pub/slides/BotConf/2016/Botconf-2016_Tom-Ueltschi_Sysmon.pdf)\n\n[Splunking the Endpoint - James Brodsky](https://conf.splunk.com/session/2015/conf2015_Jbrodsky_Splunk_SecurityComplinace_SplunkingTheEndpoint_FINAL.pdf)\n\n[Splunking the Endpoint: “Hands on!” Ransomware Edition - James Brodsky \u0026 Dimitri McKay](https://conf.splunk.com/files/2016/slides/splunking-the-endpoint-hands-on.pdf)\n\n[Microsoft Sysmon Deployment - @dmargaritis](https://securitylogsdotorg.files.wordpress.com/2017/01/sysmon-2017-16-1.pdf)\n\n[Sysinternals New Tool Sysmon (System Monitor) - Carlos Perez](http://www.darkoperator.com/blog/2014/8/8/sysinternals-sysmon)\n\n[Splunkmon — Taking Sysmon to the Next Level - The Crypsis 
Group](http://www.crypsisgroup.com/images/site/CG_WhitePaper_Splunkmon_1216.pdf)\n\n[Putting attackers in hi vis jackets with sysmon - Adrian Shaw](https://labs.nettitude.com/blog/putting-attackers-in-hi-vis-jackets-with-sysmon/)\n\n[How to Go from Responding to Hunting with Sysinternals Sysmon - Mark Russinovich](https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843\u0026ithint=file%2cpptx\u0026app=PowerPoint\u0026authkey=!AMvCRTKB_V1J5ow)\n\n[Tracking Hackers on Your Network with Sysinternals Sysmon - Mark Russinovich](https://www.rsaconference.com/writable/presentations/file_upload/hta-w05-tracking_hackers_on_your_network_with_sysinternals_sysmon.pdf)\n\n[Detecting Lateral Movement Using Sysmon and Splunk - David French](http://www.incidentresponderblog.com/2016/09/detecting-lateral-movement-using-sysmon.html)\n\n[Setting up Elasticsearch 5.x – Sending Windows Logs using WinLogbeat 5.x Part 2/3 - Pablo Delgado](http://syspanda.com/index.php/2017/02/07/setting-up-elasticsearch-5-x-sending-windows-logs-using-winlogbeat-5-x/)\n\n[Sample sysmon events and the schema you can expect in Sysmon v6 - @williballenthin](https://gist.github.com/williballenthin/f693b1c2f3d95cb8f8e17b5f7f26031d)\n\n[Sysmon Woes, Elasticsearch and MITRE’s ATT\u0026CK Matrix - Black Lantern Security](http://www.blacklanternsecurity.com/blog/2016/12/11/sysmon-woes-elasticsearch-and-mitres-attack-matrix/)\n\n[Parsing Sysmon Events for IR Indicators - CrowdStrike](https://www.crowdstrike.com/blog/sysmon-2/)\n\n[Detecting Advanced Threats with Sysmon, WEF and ElasticSearch - Joshua Lewis](https://joshuadlewis.blogspot.com/2014/10/advanced-threat-detection-with-sysmon_74.html)\n\n[Powershell Sysmon - GitHub - Carlos Perez](https://github.com/darkoperator/Posh-Sysmon)\n\n[Sysmon queries - GitHub - James Habben](https://github.com/JamesHabben/sysmon-queries)\n\n[Splunk TA for Sysmon - GitHub - @daveherrald](https://github.com/splunk/TA-microsoft-sysmon)\n\n[SplunkMon configuration - GitHub - The 
Crypsis Group](https://github.com/crypsisgroup/Splunkmon)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmhaggis%2Fsysmon-dfir","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmhaggis%2Fsysmon-dfir","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmhaggis%2Fsysmon-dfir/lists"}