Sysmon Base Configuration - Workstations
This is a Microsoft Sysmon configuration to be used on Windows workstations
v0.2.1 December 2016
Florian Roth (with the help and ideas of others)
The focus of this configuration is
- malware detection (execution)
- malware detection (network connections)
- exploit detection
It is not focussed on
- hacking activity on workstation (bad admin, attacker)
See Windows server base config:
<Sysmon schemaversion="3.20">
    <!-- Capture MD5 Hashes -->
    <HashAlgorithms>MD5</HashAlgorithms>
    <EventFiltering>
        <!-- Log all drivers except if the signature -->
        <!-- contains Microsoft or Windows -->
        <DriverLoad onmatch="exclude">
            <Signature condition="contains">microsoft</Signature>
            <Signature condition="contains">windows</Signature>
        </DriverLoad>
        <!-- Exclude certain processes that have the integrity level 'System' -->
        <ProcessCreate onmatch="exclude">
            <IntegrityLevel>System</IntegrityLevel>
        </ProcessCreate>
        <!-- Do log remote thread creation events with certain exceptions -->
        <CreateRemoteThread onmatch="exclude">
            <SourceImage condition="contains">WmiPrvSE.exe</SourceImage>
            <SourceImage condition="contains">FireSvc.exe</SourceImage>
        </CreateRemoteThread>
        <!-- Do not log file creation time stamps -->
        <FileCreateTime onmatch="include" />
        <!-- Do not log raw disk access (caused event flooding with certain disk encryption drivers) -->
        <RawAccessRead onmatch="include" />
        <!-- Do not log process termination -->
        <ProcessTerminate onmatch="include" />
        <!-- Do log registry events to certain keys only (Autostart, Services, Debuggers) -->
        <RegistryEvent onmatch="include">
            <TargetObject condition="contains">Windows\CurrentVersion\Run</TargetObject>
            <TargetObject condition="contains">Windows\CurrentVersion\Image File Execution Options</TargetObject>
            <TargetObject condition="contains">CurrentControlSet\Services</TargetObject>
            <TargetObject condition="contains">Microsoft\Windows NT\CurrentVersion\Winlogon</TargetObject>
            <TargetObject condition="contains">Microsoft\Windows\CurrentVersion\Policies\Explorer</TargetObject>
            <TargetObject condition="contains">Microsoft\Windows\CurrentVersion\RunOnce</TargetObject>
            <TargetObject condition="contains">System\CurrentControlSet\Services\Tcpip\parameters</TargetObject>
        </RegistryEvent>
        <!-- Do not log file creation events -->
        <FileCreate onmatch="include" />
        <!-- Do not log if file stream is created -->
        <FileCreateStreamHash onmatch="include" />
        <!-- Do only log network connections to port 8080 (proxy) of every program that is not a browser -->
        <NetworkConnect onmatch="exclude">
            <Image condition="contains">chrome.exe</Image>
            <Image condition="contains">iexplore.exe</Image> <!-- yes, malware that injects into IE will be missed -->
            <Image condition="contains">firefox.exe</Image>
            <DestinationPort condition="is not">8080</DestinationPort>
            <!-- Direct access to Internet (without proxy server) -->
            <DestinationPort condition="is not">80</DestinationPort>
        </NetworkConnect>
    </EventFiltering>
</Sysmon>

KaptainKool commented Jun 7, 2017

For the stanza, with the comment above it, that reads as "Do only log network connections to port 8080 (proxy) of every program that is not a browser"

This is incorrect (or I'm not understanding the intent correctly - too many negatives in a sentence confuse me). Tested it in v6.02 & for the 4 lines in that stanza, it means:
Include all the network events except those matching (LINE1 OR LINE2 OR LINE3 OR LINE4)

Using IE, FF, Chrome & Opera, went to internet websites on 80/tcp, 443/tcp & 8080/tcp (from each of them); the only events logged were Opera going to 8080/tcp

see config:
see output:

To simplify, what this stanza means:

- sysmon will not log any network events from chrome
- sysmon will not log any network events from IE
- sysmon will not log any network events from FF
- sysmon will not log any network events towards ports 1-8079 (from any process)
- sysmon will not log any network events towards ports 8081 - 65535 (from any process)
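
The exclude behaviour described in the comment above can be modelled in a few lines. This is an added example, not part of the gist or the comment and not Sysmon's own code; it assumes the OR semantics the comment reports for v6.02, and the event paths and helper names (`is_logged`, `logged_events`) are constructed for illustration.

```python
# Model of a Sysmon onmatch="exclude" filter (illustrative, not Sysmon code).
# Assumption taken from the comment's test: rules in one filter are OR-ed,
# so an event is dropped as soon as any single rule matches it.

CONDITIONS = {
    "contains": lambda value, arg: arg.lower() in value.lower(),
    "is": lambda value, arg: value.lower() == arg.lower(),
    "is not": lambda value, arg: value.lower() != arg.lower(),
}

# The four NetworkConnect rules the comment tested ...
STANZA = [
    ("Image", "contains", "chrome.exe"),
    ("Image", "contains", "iexplore.exe"),
    ("Image", "contains", "firefox.exe"),
    ("DestinationPort", "is not", "8080"),
]
# ... and the same stanza with the gist's second DestinationPort rule.
STANZA_WITH_PORT_80 = STANZA + [("DestinationPort", "is not", "80")]


def is_logged(event, exclude_rules):
    """Return True if no exclude rule matches the event."""
    return not any(
        CONDITIONS[cond](str(event[field]), arg)
        for field, cond, arg in exclude_rules
    )


def logged_events(events, exclude_rules):
    """Return (Image, DestinationPort) for every event that survives filtering."""
    return [(e["Image"], e["DestinationPort"]) for e in events
            if is_logged(e, exclude_rules)]


# Constructed sample events: four browsers, three ports each (paths are made up).
BROWSERS = ["chrome.exe", "iexplore.exe", "firefox.exe", "opera.exe"]
EVENTS = [
    {"Image": "C:\\Program Files\\Browser\\" + exe, "DestinationPort": port}
    for exe in BROWSERS
    for port in (80, 443, 8080)
]

if __name__ == "__main__":
    print("4 rules:", logged_events(EVENTS, STANZA))
    print("5 rules:", logged_events(EVENTS, STANZA_WITH_PORT_80))
```

Under this model, once both `DestinationPort` lines are present every port matches at least one `is not` rule, so no network connection is logged at all.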
