{"id":13453643,"url":"https://github.com/olafhartong/sysmon-modular","last_synced_at":"2025-05-14T18:03:09.626Z","repository":{"id":37768225,"uuid":"117379388","full_name":"olafhartong/sysmon-modular","owner":"olafhartong","description":"A repository of sysmon configuration modules","archived":false,"fork":false,"pushed_at":"2024-08-21T12:08:06.000Z","size":4910,"stargazers_count":2755,"open_issues_count":52,"forks_count":613,"subscribers_count":164,"default_branch":"master","last_synced_at":"2025-04-11T10:00:33.858Z","etag":null,"topics":["dfir","mitre-attack","modular","security-tools","sysmon","threat-hunting"],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/olafhartong.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"license.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-01-13T21:20:59.000Z","updated_at":"2025-04-11T02:52:13.000Z","dependencies_parsed_at":"2023-02-02T09:16:26.627Z","dependency_job_id":"280503f8-806f-439e-a93d-e34912241e78","html_url":"https://github.com/olafhartong/sysmon-modular","commit_stats":{"total_commits":765,"total_committers":57,"mean_commits":"13.421052631578947","dds":0.4457516339869281,"last_synced_commit":"a9ff298f6d228c181be71b213c73d111c6096f41"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/olafhartong%2Fsysmon-modular","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/olafhartong%2Fsysmon-modular/tags","releases_url":"https://repos.ecosyste.ms/api/v1
/hosts/GitHub/repositories/olafhartong%2Fsysmon-modular/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/olafhartong%2Fsysmon-modular/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/olafhartong","download_url":"https://codeload.github.com/olafhartong/sysmon-modular/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254198452,"owners_count":22030964,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dfir","mitre-attack","modular","security-tools","sysmon","threat-hunting"],"created_at":"2024-07-31T08:00:44.925Z","updated_at":"2025-05-14T18:03:04.618Z","avatar_url":"https://github.com/olafhartong.png","language":"PowerShell","readme":"# sysmon-modular | A Sysmon configuration repository for everybody to customise\r\n\r\n[![license](https://img.shields.io/github/license/olafhartong/sysmon-modular.svg?style=flat-square)](https://github.com/olafhartong/sysmon-modular/blob/master/license.md)\r\n![Maintenance](https://img.shields.io/maintenance/yes/2023.svg?style=flat-square)\r\n[![GitHub last commit](https://img.shields.io/github/last-commit/olafhartong/sysmon-modular.svg?style=flat-square)](https://github.com/olafhartong/sysmon-modular/commit/master)\r\n![Build Sysmon config with all modules](https://github.com/olafhartong/sysmon-modular/workflows/Build%20Sysmon%20config%20with%20all%20modules/badge.svg)\r\n[![Twitter](https://img.shields.io/twitter/follow/olafhartong.svg?style=social\u0026label=Follow)](https://twitter.com/olafhartong)\r\n[![Discord 
Shield](https://discordapp.com/api/guilds/715302469751668787/widget.png?style=shield)](https://discord.gg/B5n6skNTwy)\r\n\r\nThis is a Microsoft Sysinternals Sysmon [download here](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon) configuration repository, set up in a modular way for easier maintenance and generation of specific configs.\r\n\r\nPlease keep in mind that any of these configurations should be considered a starting point; tuning per environment is **strongly** recommended.\r\n\r\n**Note:** to get even more value out of the FileExecutable event, consider merging the most up to date version of the LOLdrivers config into the config as well. You can easily do that by grabbing the file, adding it to the 29_file_execute_detected folder and generating a new config.\r\n\r\nThe sysmonconfig.xml within the repo is automatically generated after a successful merge by the PowerShell script and a successful load by Sysmon in an Azure Pipeline run. More info on how to generate a custom config incorporating your own modules is available [here](https://github.com/olafhartong/sysmon-modular/wiki/Configuration-options#generating-custom-configs).\r\n\r\n## Pre-Generated configurations\r\n| Type | Config | Description|\r\n| --- | --- | --- |\r\n| default | [sysmonconfig.xml](https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml) | This is the balanced configuration, most used, more information [here](https://github.com/olafhartong/sysmon-modular/wiki/Configuration-options#generating-the-default-configuration) |\r\n| default+ | [sysmonconfig-with-filedelete.xml](https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig-with-filedelete.xml) | This is the balanced configuration, extended with FileDelete file saves |\r\n| verbose | [sysmonconfig-excludes-only.xml](https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig-excludes-only.xml) | This is the very verbose 
configuration, all events are included, only the exclusion modules are applied. This should not be used in production without validation; it will generate a significant amount of data and might impact performance. More information [here](https://github.com/olafhartong/sysmon-modular/wiki/Configuration-options#generating-custom-configs)|\r\n| super verbose | [sysmonconfig-research.xml](https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig-research.xml) | A configuration with extreme verbosity. The log volume expected from this file is significantly high, really DO NOT USE IN PRODUCTION! This config is only for research and will use way more CPU/Memory. Only enable it prior to running the technique to be investigated, and load a lighter config when done. |\r\n| MDE augment | [sysmonconfig-mde-augmentation.xml](https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig-mde-augment.xml) | A configuration to augment Defender for Endpoint, intended to augment the information and have as little overlap as possible. This is based on the default/balanced config and will *not generate all events* for Sysmon; there are comments in the config. For the benefit of IR, consider using the excludes only config and only ingest the enriching events. 
(Blog with more rationale soon)|\r\n\r\n---\r\n\r\n### Index\r\n\r\n  * [Required actions](#required-actions)\r\n    + [Customization](#customization)\r\n    + [Generating a config](#generating-a-config)\r\n      - [PowerShell](#powershell)\r\n    + [Generating custom configs](#generating-custom-configs)\r\n  * [Use](#use)\r\n    + [Install](#install)\r\n    + [Update existing configuration](#update-existing-configuration)\r\n  * [Python generator tool](#python-generator-tool)\r\n  * [Sysmon Community](#sysmon-community)\r\n  * [Contributing](#contributing) \r\n  * [More Information](#more-information)\r\n\r\n---\r\n\r\nNext to the documentation below, there is also [a video](https://youtu.be/Cx_zrM8Hu7Y) on how to use this project.\r\n\r\n[![how to use this project](https://img.youtube.com/vi/Cx_zrM8Hu7Y/0.jpg)](https://www.youtube.com/watch?v=Cx_zrM8Hu7Y)\r\n\r\n---\r\n\r\n## NOTICE: Sysmon below 15 will not be completely compatible with this configuration\r\n\r\nOlder versions are still available in the branches, but are not as complete as the current branch.\r\n\r\n- V8.x \u003e\u003e [here](https://github.com/olafhartong/sysmon-modular/tree/version-8)\r\n- V9.x \u003e\u003e [here](https://github.com/olafhartong/sysmon-modular/tree/version-9)\r\n- V10.4 \u003e\u003e [here](https://github.com/olafhartong/sysmon-modular/tree/v10.4)\r\n- V12.x \u003e\u003e [here](https://github.com/olafhartong/sysmon-modular/tree/version-12)\r\n- V13.x / 14.x \u003e\u003e [here](https://github.com/olafhartong/sysmon-modular/tree/version-13-14)\r\n\r\nTo understand the features added in each version, have a look at my [small blog post](https://medium.com/falconforce/sysmon-11-dns-improvements-and-filedelete-events-7a74f17ca842) and newer articles, or watch my [DerbyCon talk](http://www.irongeek.com/i.php?page=videos/derbycon9/stable-36-endpoint-detection-super-powers-on-the-cheap-with-sysmon-olaf-hartong).\r\n\r\n**Note:**\r\nI do recommend using a minimal number of configurations within 
your environment for multiple obvious reasons, like maintenance, output equality, manageability and so on. But do make tailored configurations for Domain Controllers, Servers and workstations.\r\n\r\n---\r\n\r\n## Required actions\r\n\r\nI highly recommend looking at the configs before implementing them in your production environment. This enables you to have as actionable logging as possible and as little noise as possible.\r\n\r\n### Customization\r\n\r\nYou will need to install and observe the results of the configuration in your own environment before deploying it widely.\r\nFor example, you will need to exclude actions of your antivirus, which will otherwise likely fill up your logs with useless information.\r\n\r\n### Generating a config\r\n\r\n#### PowerShell\r\n\r\n    $\u003e git clone https://github.com/olafhartong/sysmon-modular.git\r\n    $\u003e cd sysmon-modular\r\n    $\u003e . .\\Merge-SysmonXml.ps1\r\n    $\u003e Merge-AllSysmonXml -Path ( Get-ChildItem '[0-9]*\\*.xml') -AsString | Out-File sysmonconfig.xml\r\n\r\n### Generating custom configs\r\n\r\nThe functions below are included with great thanks to mbmy.\r\n\r\n**New Function:** \r\n`Find-RulesInBasePath` - takes a base path (e.g. 
C:\\folder\\sysmon-modular\\) and finds all candidate xml rule files based upon regex pattern\r\n\r\nExample:\r\n```PS C:\\Users\\sysmon\\sysmon-modular\u003e Find-RulesInBasePath -BasePath C:\\users\\sysmon\\sysmon-modular\\ -OutputRules | Out-File available_rules.txt```\r\n\r\n**Merge-AllSysmonXml New Parameters:**\r\n\r\n`-BasePath` - finds all candidate xml rule files from a provided path based upon regex pattern and merges them\r\n\r\nExample:\r\n```PS C:\\Users\\sysmon\\sysmon-modular\u003e Merge-AllSysmonXml -AsString -BasePath C:\\Users\\sysmon\\sysmon-modular\\```\r\n\r\n\r\n`-ExcludeList` - Combined with -BasePath, takes a list of rules and excludes them from found rules prior to merge\r\n\r\nExample:\r\n```PS C:\\Users\\sysmon\\sysmon-modular\u003e Merge-AllSysmonXml -AsString -BasePath C:\\Users\\sysmon\\sysmon-modular\\ -ExcludeList C:\\users\\sysmon\\sysmon-modular\\exclude_rules.txt```\r\n\r\n\r\n`-IncludeList` - Combined with -BasePath, finds all available rules from base path but only merges those defined in a list\r\n\r\nExample:\r\n```PS C:\\Users\\sysmon\\sysmon-modular\u003e Merge-AllSysmonXml -AsString -BasePath C:\\Users\\sysmon\\sysmon-modular\\ -IncludeList C:\\users\\sysmon\\sysmon-modular\\include_rules.txt```\r\n\r\n\r\n**NOTE** The BasePath needs to be the full path to the sysmon-modular files (for example c:\\tools\\sysmon-modular), otherwise PowerShell will not be able to locate them, resulting in a default config.\r\n\r\nInclude/Exclude List Format 
Example:\r\n\r\n```1_process_creation\\exclude_adobe_acrobat.xml\r\n3_network_connection_initiated\\include_native_windows_tools.xml\r\n12_13_14_registry_event\\exclude_internet_explorer_settings.xml\r\n12_13_14_registry_event\\exclude_webroot.xml\r\n17_18_pipe_event\\include_winreg.xml\r\n19_20_21_wmi_event\\include_wmi_create.xml\r\n2_file_create_time\\exclude_chrome.xml\r\n3_network_connection_initiated\\include_native_windows_tools.xml\r\n3_network_connection_initiated\\include_ports_proxies.xml\r\n8_create_remote_thread\\include_general_commment.xml\r\n8_create_remote_thread\\include_psinject.xml\r\n9_raw_access_read\\include_general_commment.xml\r\n```\r\n\r\n\r\n**Building a config with all sysmon-modular rules for certain event IDs (include whole directory) and then disabling all event ids without imported rules**\r\n\r\nExample:\r\n```\r\n# generate the config\r\n$sysmonconfig =  Merge-AllSysmonXml  -BasePath . -IncludeList $workingFolder\\include.txt -VerboseLogging -PreserveComments\r\n\r\n# flip off any rule groups where rules were not imported\r\nforeach($rg in $sysmonconfig.SelectNodes(\"/Sysmon/EventFiltering/RuleGroup [*/@onmatch]\"))\r\n{\r\n    $ruleNodes = $rg.SelectNodes(\"./* [@onmatch]\")\r\n\r\n    if(     $ruleNodes -eq $null `\r\n        -or $ruleNodes.ChildNodes.count -gt 0)\r\n    {\r\n        # no rule nodes found (unlikely) or more than one rule found\r\n        continue\r\n    }\r\n\r\n    # RuleGroup with only one rule node\r\n    $ruleNode = $ruleNodes[0]\r\n\r\n    if($ruleNode.onmatch -eq \"exclude\" -and $ruleNode.ChildNodes.count -eq 0 )\r\n    {\r\n        $message = \"{0} {1} has no matching conditions.  
Toggled to 'include' to limit output\" -f $ruleNode.Name,$rg.Name\r\n        Write-Warning $message\r\n\r\n        $ruleNode.onmatch = \"include\"\r\n        $comment = $sysmonconfig.CreateComment($message)\r\n        $rg.AppendChild($comment) | Out-Null\r\n    }\r\n}\r\n```\r\n\r\nInclude/Exclude List Format Example (for entire rule/event families):\r\n\r\n```\r\n1_process_creation\r\n5_process_ended\r\n11_file_create\r\n23_file_delete\r\n7_image_load\r\n17_18_pipe_event\r\n```\r\n\r\n## Use\r\n\r\n### Install\r\n\r\nRun with administrator rights\r\n\r\n    sysmon.exe -accepteula -i sysmonconfig.xml\r\n\r\n### Update existing configuration\r\n\r\nRun with administrator rights\r\n\r\n    sysmon.exe -c sysmonconfig.xml\r\n\r\n\r\n## Python generator tool\r\nThis is a new feature, created by [cnnrshd](https://github.com/cnnrshd)\r\n\r\n### Priority-based Rules Sorting\r\n\r\n1. Simple Python script that can merge based on a similar format to preexisting Include Lists - the only difference is it takes a CSV with two columns, filepath and priority\r\n2. A config formatted using a csv file\r\n3. A simple template\r\n4. Schemaversion is dynamic and based on the highest schema version of provided rules.\r\n\r\nConfigs generated using this script maintain comments, and proper XML indentation is enforced, increasing readability and allowing easier cross-referencing of rule files.\r\n\r\nExample command:\r\n```bash\r\npython merge_sysmon_configs.py config_lists/default_list/default_list.csv -f csv -b templates/sysmon_template.xml  -o test.xml\r\n```\r\n\r\n**Note:** This way of generating content is still new and experimental. There is no support for the custom versions like the MDE augment and exclude-only versions yet.\r\n\r\n---\r\n\r\n## Sysmon Community\r\n\r\nThere are three major Sysmon configurations:\r\n\r\n- [@SwiftOnSecurity](https://twitter.com/SwiftOnSecurity):  great introductory walkthrough of many of the settings. 
Get started with 1 command **[https://github.com/SwiftOnSecurity/sysmon-config/](https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml)**.\r\n\r\n- [@cyb3rops](https://twitter.com/cyb3rops):  A fork of SwiftOnSecurity, bleeding-edge and proactive. **[https://github.com/Neo23x0/sysmon-config](https://github.com/Neo23x0/sysmon-config)**\r\n\r\n- [@olafhartong](https://twitter.com/olafhartong): This repo, which focuses on being very maintainable with detailed rule notes for guided response and SIEM.\r\n \r\n- An excellent community guide by [@Carlos_Perez](https://twitter.com/Carlos_Perez):\r\n [https://github.com/trustedsec/SysmonCommunityGuide](https://github.com/trustedsec/SysmonCommunityGuide)\r\n\r\n## Contributing\r\n\r\nPull requests / issue tickets and new additions will be greatly appreciated!\r\n\r\n## More information\r\n\r\nI started a series of blog posts covering this repo:\r\n- [Endpoint detection Superpowers on the cheap - part1 - MITRE ATT\u0026CK, Sysmon and my modular configuration](https://medium.com/@olafhartong/endpoint-detection-superpowers-on-the-cheap-part-1-e9c28201ac47)\r\n- [Endpoint detection Superpowers on the cheap — part 2 — Deploy and Maintain](https://medium.com/@olafhartong/endpoint-detection-superpowers-on-the-cheap-part-2-deploy-and-maintain-d06580329fe8)\r\n- [Endpoint detection Superpowers on the cheap — part 3 — Sysmon Tampering](https://medium.com/@olafhartong/endpoint-detection-superpowers-on-the-cheap-part-3-sysmon-tampering-49c2dc9bf6d9)\r\n\r\n- [A comparison between Sysmon and Microsoft Defender for Endpoint](https://medium.com/falconforce/sysmon-vs-microsoft-defender-for-endpoint-mde-internals-0x01-1e5663b10347) \r\n\r\n## MITRE ATTACK\r\n\r\nI strive to map all configurations to the ATT\u0026CK framework whenever Sysmon is able to detect it.\r\nPlease note this is a *possible log entry* that might lead to a detection; it is not in all cases the only telemetry for that technique. 
Additionally there might be more techniques related to that rule; the one mapped is the one I deemed most likely.\r\n","funding_links":[],"categories":["Threat Detection and Hunting","IR Tools Collection","PowerShell","PowerShell (153)","Uncategorized","\u003ca id=\"8c5a692b5d26527ef346687e047c5c21\"\u003e\u003c/a\u003e收集","\u003ca id=\"1d9dec1320a5d774dc8e0e7604edfcd3\"\u003e\u003c/a\u003e工具-新添加的","Resources"],"sub_categories":["Tools","Other Tools","Uncategorized","\u003ca id=\"8f1b9c5c2737493524809684b934d49a\"\u003e\u003c/a\u003e文章\u0026\u0026视频","Event ID configuration and monitoring suggestions"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Folafhartong%2Fsysmon-modular","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Folafhartong%2Fsysmon-modular","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Folafhartong%2Fsysmon-modular/lists"}