Skip to content

Utilities for working with and testing Sysmon configs against Windows Event Logs

License

Notifications You must be signed in to change notification settings

cnnrshd/sysmon_utils

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

sysmon_utils

Check it out on PyPi!

NOTICE - In Development

This library is still in development and subject to change. Some commands are a WIP, file and folder structure will be modified. Be sure to use sysmon_utils --help to get a list of all commands.

Utilities for working with and testing Sysmon configs against Windows Event Logs. Works in combination with my atomic-datasets-utils to support my sysmon-modular work. My goal is to make it easier to modify, verify, and test Sysmon configs. Development is sponsored by my (Connor Shade) employer QOMPLX.

Installation

I recommend performing all installations in a virtual environment - python3.10 -m venv .venv.

Pip

python3.10 -m pip install sysmon_utils

Poetry

git clone git@github.com:cnnrshd/sysmon_utils.git
cd sysmon_utils
poetry install

Commands

atomictests

Checks for techniques found or overruled. Designed to run against the output of atomic-datasets-utils to test Sysmon Config functionality.

emulate

Parses a provided log file as if it was just collected with the provided Sysmon config. Useful for determining the amount of "noise" you can remove from logs.

merge

A better implementation of my merge_sysmon_configs script, originally designed for Sysmon-Modular. This merge script organizes rules by priority.

overruled

Detects if an improperly-ordered rule overrules a specific pattern. I've seen this a lot with rules detecting PowerShell execution instead of focusing on what PowerShell was calling - it's more important to log Image is malware than ParentImage is PowerShell.

secdatasets WIP

Runs through a local copy of Security-Datasets, parses the metadata files for techniques, then runs verify and overruled on each.

techniques

Returns a list of techniques and their count in a provided Sysmon config. Useful for building a MITRE ATT&CK matrix.

verify

Filters LOGFILE with CONFIG, look for PATTERN within any RuleNames that pass the input.

About

Utilities for working with and testing Sysmon configs against Windows Event Logs

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages