This library is still in development and subject to change. Some commands are a work in progress, and the file and folder structure will be modified. Be sure to run sysmon_utils --help to get a list of all commands.
Utilities for working with and testing Sysmon configs against Windows Event Logs. Works in combination with my atomic-datasets-utils to support my sysmon-modular work. The goal is to make it easier to modify, verify, and test Sysmon configs. Development is sponsored by QOMPLX, my (Connor Shade's) employer.
I recommend performing all installations in a virtual environment:

```bash
python3.10 -m venv .venv
```

Install the package:

```bash
python3.10 -m pip install sysmon_utils
```

Or install from source with Poetry:

```bash
git clone git@github.com:cnnrshd/sysmon_utils.git
cd sysmon_utils
poetry install
```
The commands currently cover the following tasks:

- Checks for techniques found or overruled. Designed to run against the output of atomic-datasets-utils to test Sysmon config functionality.
- Parses a provided log file as if it had just been collected with the provided Sysmon config. Useful for determining how much "noise" a config change would remove from the logs.
- A better implementation of my merge_sysmon_configs script, originally designed for sysmon-modular. This merge script organizes rules by priority.
- Detects whether an improperly ordered rule overrules a more specific pattern. I've seen this a lot with rules that fire on PowerShell execution instead of focusing on what PowerShell was calling: it is more important to log that Image is malware than that ParentImage is PowerShell. Because Sysmon stamps an event with the name of the first matching rule, a broad rule placed earlier in the config hides the specific one.
- Runs through a local copy of Security-Datasets, parses the metadata files for techniques, then runs verify and overruled on each.
- Returns a list of techniques and their count in a provided Sysmon config. Useful for building a MITRE ATT&CK matrix.
- Filters LOGFILE with CONFIG, then looks for PATTERN within the RuleNames of the events that pass the filter.
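The following is an added example, not code from sysmon_utils, showing the core of three of the tasks above (filtering events through a config, finding overruled rules, and counting techniques) on a constructed config and constructed events. It assumes Sysmon's first-match semantics for an include block: rules are evaluated in config order and the event's RuleName is taken from the first rule that matches. Only the ProcessCreate event type and the conditions `is`, `contains`, `begin with`, `end with` and `image` are modelled; the rule names follow the sysmon-modular `technique_id=...,technique_name=...` convention. The reordering step (Image rules before ParentImage rules) is a hypothetical priority used for illustration, not the tool's merge ordering.

```python
"""Added example (not sysmon_utils code): simulate Sysmon rule evaluation.

Assumption: Sysmon evaluates the rules of an include block in config order
and reports the RuleName of the FIRST matching rule, so a broad rule placed
earlier shadows a more specific rule placed later.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass

# Constructed config: the generic ParentImage rule comes before the specific Image rule.
CONFIG = """<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <ParentImage name="technique_id=T1059.001,technique_name=PowerShell" condition="image">powershell.exe</ParentImage>
        <Image name="technique_id=T1218.011,technique_name=Rundll32" condition="image">rundll32.exe</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

# Constructed ProcessCreate events (only the fields the rules look at).
EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


@dataclass
class Rule:
    field: str       # event field, e.g. Image or ParentImage
    condition: str   # Sysmon condition keyword
    value: str       # value to compare against
    name: str        # RuleName reported in the event


def parse_rules(xml_text, event_type="ProcessCreate"):
    """Collect the include rules of one event type, in config order."""
    root = ET.fromstring(xml_text)
    rules = []
    for block in root.iter(event_type):
        if block.get("onmatch") != "include":
            continue
        for elem in block:
            rules.append(Rule(elem.tag, elem.get("condition", "is"),
                              (elem.text or "").strip(), elem.get("name", "")))
    return rules


def matches(rule, event):
    """Case-insensitive evaluation of the subset of Sysmon conditions modelled here."""
    field = event.get(rule.field, "").lower()
    value = rule.value.lower()
    if rule.condition == "is":
        return field == value
    if rule.condition == "contains":
        return value in field
    if rule.condition == "begin with":
        return field.startswith(value)
    if rule.condition == "end with":
        return field.endswith(value)
    if rule.condition == "image":  # full path or just the file name
        return field == value or field.rsplit("\\", 1)[-1] == value
    raise ValueError(f"unsupported condition {rule.condition!r}")


def first_match(rules, event):
    """Index of the rule Sysmon would report, or None if the event is dropped."""
    for idx, rule in enumerate(rules):
        if matches(rule, event):
            return idx
    return None


def filter_events(rules, events):
    """What the config would have logged: (event, RuleName) pairs."""
    out = []
    for ev in events:
        idx = first_match(rules, ev)
        if idx is not None:
            out.append((ev, rules[idx].name))
    return out


def overruled(rules, events):
    """Rules that match an event but never name it because an earlier rule won.
    Returns {shadowed_rule_name: {winning_rule_name, ...}}."""
    shadowed = {}
    for ev in events:
        winner = first_match(rules, ev)
        if winner is None:
            continue
        for j in range(winner + 1, len(rules)):
            if matches(rules[j], ev):
                shadowed.setdefault(rules[j].name, set()).add(rules[winner].name)
    return shadowed


def count_techniques(rules):
    """Count technique_id values embedded in rule names."""
    counts = Counter()
    for r in rules:
        counts.update(re.findall(r"technique_id=(T\d{4}(?:\.\d{3})?)", r.name))
    return counts


def reorder_specific_first(rules):
    """Hypothetical priority for the demo: Image rules before ParentImage rules, stable otherwise."""
    priority = {"Image": 0, "ParentImage": 1}
    return sorted(rules, key=lambda r: priority.get(r.field, 2))


if __name__ == "__main__":
    rules = parse_rules(CONFIG)
    for ev, name in filter_events(rules, EVENTS):
        print(f"{ev['Image']!r:45} -> {name}")
    print("overruled:", overruled(rules, EVENTS))
    print("techniques:", dict(count_techniques(rules)))
    print("after reorder:", overruled(reorder_specific_first(rules), EVENTS))
```

With the constructed config, the rundll32-under-PowerShell event is reported under the PowerShell rule and the Rundll32 rule shows up as overruled; after moving the Image rule first, the same event is named by the Rundll32 rule, which is the more useful label for that process.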