From a0bd03e6737b38c41822895ed8889390de65b878 Mon Sep 17 00:00:00 2001 From: Carlos Perez Date: Thu, 17 Jul 2025 20:24:57 -0400 Subject: [PATCH 1/2] Update what-is-sysmon.md Initial set of changes to the guide --- chapters/what-is-sysmon.md | 150 +++++++++++++++++++++---------------- 1 file changed, 86 insertions(+), 64 deletions(-) diff --git a/chapters/what-is-sysmon.md b/chapters/what-is-sysmon.md index 217c3bc..9b74886 100644 --- a/chapters/what-is-sysmon.md +++ b/chapters/what-is-sysmon.md 
@@ -1,72 +1,94 @@ -What is Sysmon -============== +Certainly! Here is a full revised draft of the "What is Sysmon" section, focusing on clarity, structure, accuracy, and consistency: -Sysmon is a free tool initially developed by Mark Russinovich and by Tomas Garnier,with contributions David Magnotti, Mark Cook, Rob Mead, Giulia Biagini, Alex Mihaiuc, Kevin Sheldrake, John Lambert and others at Microsoft. The tools was initially released for. Windows. host and on October 2021 a Open Source Linux version of the tools was release. The tool is designed to extend the current logging capabilities in Windows and Linux so as to aid in understanding and detecting attackers by behavior. +--- -The original version the tool was for internal use at Microsoft. Under Windows the tool supports 64-bit and 32-bit systems and uses a single command line tool for installation and configuration management. +# What is Sysmon -For Linux the tool can be compiled from source or installed via the distribution package manager. It supports the following distributions: +Sysmon (System Monitor) is a free, advanced system monitoring tool developed by Mark Russinovich and Tomas Garnier, with contributions from David Magnotti, Mark Cook, Rob Mead, Giulia Biagini, Alex Mihaiuc, Kevin Sheldrake, and John Lambert. +Originally, Sysmon was created for internal use at Microsoft, but it is now widely used by security professionals to enhance visibility into system activity and detect abnormal behavior or potential threats. + +Sysmon enables defenders to better detect suspicious activity by monitoring and logging a broad range of system events, such as process creation, network connections, and changes to files or registry keys. These logs are especially valuable for security investigations and threat detection. + +## Sysmon on Windows + +Sysmon for Windows supports ARM, x64 and x86 systems. Installation and configuration are managed through a single command-line tool. 
When installed, Sysmon logs events to the Microsoft-Windows-Sysmon/Operational Event Log. + +### Windows Supported Event Types + +The following table lists the event types and corresponding event IDs generated by Sysmon on Windows systems: + +| Event Type | Event ID | +|------------------------------------|----------| +| Sysmon Service Status Changed | 0 | +| Process Create | 1 | +| File Create Time | 2 | +| Network Connect | 3 | +| Service State Change | 4 | +| Process Terminate | 5 | +| Driver Load | 6 | +| Image Load | 7 | +| Create Remote Thread | 8 | +| Raw Access Read | 9 | +| Process Access | 10 | +| File Create | 11 | +| Registry Object Added or Deleted | 12 | +| Registry Create | 13 | +| Registry Rename | 14 | +| File Create Stream Hash | 15 | +| Sysmon Config Change | 16 | +| Named Pipe Create | 17 | +| Named Pipe Connected | 18 | +| WMI Event Filter | 19 | +| WMI Event Consumer | 20 | +| WMI Consumer to Filter | 21 | +| DNS Query | 22 | +| File Delete | 23 | +| Clipboard Capture | 24 | +| Process Tampering | 25 | +| File Delete Detected | 26 | +| Error | 255 | + +## Sysmon on Linux + +Sysmon for Linux is an open-source adaptation, designed to collect similar security-relevant events from Linux environments. It leverages eBPF (Extended Berkeley Packet Filter) to efficiently monitor system activity at the kernel level. + +Sysmon for Linux can be compiled from source or installed via your distribution’s package manager. Currently supported distributions include: - Ubuntu - Debian - Red Hat Enterprise Linux - Fedora Linux -- OpenSuse -- Suse Linux Enterprise Server - -Sysmon will store logs in the default operating system login system. For Windows all of the events generated by Sysmon are saved in Microsoft-Windows-Sysmon/Operational EventLog and in the case of Linux under /var/log/syslog in order to accommodate security products that already collect and centralize logs from both operating systems. 
- -Sysmon is able to monitor for a series of actions on a host that relate to existing behavior that is abused by threat actors. With this view on the actions, defenders are able to better detect abnormal behavior and abuses on a system. - -The table below shows the event types and event ID that the version of Windows collects. - -| EventType| EventId| -|---|---| -|Sysmon Service Status Changed|0 -|ProcessCreate|1 -|FileCreateTime|2 -|NetworkConnect|3 -|Service State Change|4 -|ProcessTerminate|5 -|DriverLoad|6 -|ImageLoad|7 -|CreateRemoteThread| 8 -|RawAccessRead| 9 -|ProcessAccess| 10 -|FileCreate| 11 -|Registry object added or deleted | 12 -|Registry Create| 13 -|Registry Rename| 14 -|FileCreateStreamHash | 15 -|Sysmon Config Change| 16 -|Named Pipe Create| 17 -|Named Pipe Connected|18 -|WMI Event Filter|19 -|WMI Event Consumer|20 -|WMI Consumer to Filter|21 -|DNS Query|22 -|File Delete|23 -|Clipboard Capture|24 -|Process Tampering|25 -|File Delete Detected|26 -|Error|255 - -The Linux version supports given the OS and technologies a smaller number of events. - -| EventType| EventId| -|---|---| -|Sysmon Service Status Changed|0 -|ProcessCreate|1 -|NetworkConnect|3 -|Service State Change|4 -|ProcessTerminate|5 -|RawAccessRead| 9 -|FileCreate| 11 -|Sysmon Config Change| 16 -|File Delete|23 - -The Sysmon version for Linux is an open-source version of the tool, developed to collect security events from Linux environments using eBPF (Extended Berkeley Packet Filter) and placing the captured events in to Syslog for easy consumption by existing centralized log collection solutions. - -Sysmon for Linux use the sysinternalsEBPF library to allow it to capture actions against files on disk and network actions. eBPF is a technology that allows to run the program at the Kernel level in a sandbox allowing it to capture read and. 
Sysmon leverages this technology to capture information on processes, reads and writes to block devices and also for Socket and TCP/IP actions before they reach a network interface. This behavior is similar to that of mini filter drivers in Windows that allow for the capture of events as they are executed by the APIs in the OS. - -The sysinternalsEBPF and Sysmon for Linux are Open Source projects, this allows the community to contribute and to further expand the capabilities of the tools. They can be found at https://github.com/Sysinternals. Both Projects are written in C and in each repository they include documentation on how to build the utilities. +- openSUSE +- SUSE Linux Enterprise Server + +Sysmon logs events to the native system logging facility (such as journald). The scope of supported events is narrower compared to Windows, due to differences in operating system architecture. + +### Linux Supported Event Types + +The following table lists the event types and event IDs currently supported by Sysmon on Linux: + +| Event Type | Event ID | +|------------------------------|----------| +| Sysmon Service Status Changed | 0 | +| Process Create | 1 | +| Network Connect | 3 | +| Service State Change | 4 | +| Process Terminate | 5 | +| Raw Access Read | 9 | +| File Create | 11 | +| Sysmon Config Change | 16 | +| File Delete | 23 | + +Sysmon for Linux uses the sysinternalsEBPF library to capture file and network activities. eBPF allows execution of custom code at the kernel level, enabling efficient and secure event collection without requiring kernel modules. + +Both sysinternalsEBPF and Sysmon for Linux are open source projects, allowing the community to contribute and extend their features. 
You can find the projects and source code on GitHub: +- [Sysmon for Linux](https://github.com/Sysinternals/SysmonForLinux) +- [sysinternalsEBPF library](https://github.com/Sysinternals/ebpf-for-windows) + +## Further Resources + +- [Sysmon for Windows - Microsoft Documentation](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon) +- [Sysmon for Linux - GitHub](https://github.com/Sysinternals/SysmonForLinux) + +Sysmon is a vital tool for defenders looking to increase their visibility into system activities and detect security threats on both Windows and Linux platforms. + From 63df90b7c03d30856b61b803964b34ac4c1955d1 Mon Sep 17 00:00:00 2001 From: Carlos Perez Date: Thu, 17 Jul 2025 20:25:57 -0400 Subject: [PATCH 2/2] Update what-is-sysmon.md --- chapters/what-is-sysmon.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/chapters/what-is-sysmon.md b/chapters/what-is-sysmon.md index 9b74886..5cc49b0 100644 --- a/chapters/what-is-sysmon.md +++ b/chapters/what-is-sysmon.md @@ -1,7 +1,3 @@ -Certainly! Here is a full revised draft of the "What is Sysmon" section, focusing on clarity, structure, accuracy, and consistency: - ---- - # What is Sysmon Sysmon (System Monitor) is a free, advanced system monitoring tool developed by Mark Russinovich and Tomas Garnier, with contributions from David Magnotti, Mark Cook, Rob Mead, Giulia Biagini, Alex Mihaiuc, Kevin Sheldrake, and John Lambert.
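Review bot: The link for the sysinternalsEBPF library in the first hunk points to the wrong project: `- [sysinternalsEBPF library](https://github.com/Sysinternals/ebpf-for-windows)` names a Windows eBPF repository, while the text describes the library Sysmon for Linux is built on; the removed paragraph only pointed readers at the https://github.com/Sysinternals organisation, so please link the library's own repository under that organisation (SysinternalsEBPF) and verify the URL before merging. Two further points in the same hunk. First, the log destination changed from the old, concrete statement (`/var/log/syslog`, chosen "to accommodate security products that already collect and centralize logs from both operating systems") to "the native system logging facility (such as journald)"; those are different sinks and collectors are configured against one of them, so confirm where Sysmon for Linux actually writes and state it precisely, keeping the rationale about existing collection pipelines. Second, the rewrite drops facts that were in the old text and are worth keeping: the October 2021 open-source release of the Linux version, the 64-bit/32-bit note (now replaced by ARM/x64/x86, which should be checked against the current download page), and the remark that both projects are written in C and document how to build them. Finally, the hunk's first added lines (`+Certainly! Here is a full revised draft ...` and the `+---` rule) are an assistant preamble rather than guide content; the second patch in this series removes them, so squash that fix into this commit rather than landing the preamble in history.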
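Review bot: The second hunk (`@@ -1,7 +1,3 @@`) only removes the "Certainly! Here is a full revised draft ..." preamble and the `---` rule that the first patch introduced, so it should be squashed into PATCH 1/2 rather than kept as a separate commit; the commit message "Update what-is-sysmon.md" also gives no hint of what was fixed, and a message such as "Remove stray assistant preamble from what-is-sysmon.md" would make the history self-explanatory. After the removal the file now opens directly with `# What is Sysmon`, which is correct; check that no leading blank line remains, since the hunk keeps one context blank line before the heading.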