Sysmon is a Sysinternals tool that provides detailed information about process creations, network connections, and changes to file creation time. It is a wealth of information that can be used for a variety of purposes in Incident Response, Event Detection, and Threat Hunting.
- SysmonForLinux - Linux version of Sysmon. Installation guide for Ubuntu available on Github.
- Sysmon-dfir - Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.
- Sysmon-modular - A repository of Sysmon configuration modules
- Sysmon-config - SwiftOnSecurity's Sysmon configuration file template with default high-quality event tracing
- SysmonSearch - Investigate suspicious activity by visualizing Sysmon's event log.
- SysmonSimulator - Sysmon event simulation utility that simulates attacks to generate Sysmon event logs, so blue teams can test EDR detections and correlation rules.
- TrustedSec Sysmon Community Guide - Everything Dave Kennedy writes/makes is gold. It is the way.
- Sysmon Threat Analysis Guide
- Splunking the Endpoint: Threat Hunting with Sysmon
- Espy - Endpoint detection for remote hosts for consumption by RITA and Elasticsearch
- Sysmon API MindMap
- NXLog-Autoconfig - With no customisation, the script installs Sysmon with the SwiftOnSecurity config and generates an NXLog config to start pulling the Sysmon and Windows Security events.
- https://docplayer.net/19532221-Tracking-hackers-on-your-network-with-sysinternals-sysmon.html
- https://github.com/olafhartong/sysmon-cheatsheet/blob/master/Sysmon-Cheatsheet-dark.pdf