Configuration options
The following commands generate the default, balanced configuration. This config uses nearly all include and exclude modules and produces an acceptable event volume for most environments. The exceptions are the FileDelete events and ClipboardChange events: these are disabled for disk space preservation and privacy reasons. Enable them during IR, not all the time.
Keep in mind that because not everything is configured to be logged, this will impose certain blind spots. Should that not be acceptable to your organization, you can either add additional include modules for certain event types or make use of the more verbose configuration sysmonconfig-exclude-only.xml
git clone https://github.com/olafhartong/sysmon-modular.git
cd sysmon-modular
. .\Merge-SysmonXml.ps1
Merge-AllSysmonXml -AsString -BasePath .\ -ExcludeList .\0_custom_configuration\file_delete_modules.txt | Out-File -Encoding utf8 sysmonconfig.xml
New Function: Find-RulesInBasePath - takes a base path (e.g. C:\folder\sysmon-modular) and finds all candidate xml rule files based upon a regex pattern
Find-RulesInBasePath -BasePath .\ -OutputRules | Out-File available_modules.txt
Merge-AllSysmonXml New Parameters:
-BasePath - finds all candidate xml rule files from a provided path based upon regex pattern and merges them
Merge-AllSysmonXml -AsString -BasePath .\
-ExcludeList - Combined with -BasePath, takes a list of rules and excludes them from found rules prior to merge
The BasePath must be the full path, otherwise it will not be incorporated
Merge-AllSysmonXml -AsString -BasePath C:\sysmon-modular\ -ExcludeList .\0_custom_configuration\exclude_rules.txt
-IncludeList - Combined with -BasePath, finds all available rules from base path but only merges those defined in a list
Merge-AllSysmonXml -AsString -BasePath .\ -IncludeList .\0_custom_configuration\include_rules.txt
This also allows you to add a custom folder like: 100_company_tuning and include custom, environment specific module files there. That way you can keep in sync with the repository and determine what will be enabled/disabled for your own configuration.
Include/Exclude List Format Example:
3_network_connection_initiated\include_native_windows_tools.xml
12_13_14_registry_event\exclude_internet_explorer_settings.xml
12_13_14_registry_event\exclude_webroot.xml
17_18_pipe_event\include_winreg.xml
19_20_21_wmi_event\include_wmi_create.xml
2_file_create_time\exclude_chrome.xml
3_network_connection_initiated\include_native_windows_tools.xml
3_network_connection_initiated\include_ports_proxies.xml
8_create_remote_thread\include_general_commment.xml
8_create_remote_thread\include_psinject.xml
9_raw_access_read\include_general_commment.xml
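The following PowerShell script is an added example, not part of the sysmon-modular project, showing the exclude-list workflow above end to end: enumerate the available modules, derive an exclude list for the FileDelete and clipboard modules, merge with a full BasePath, and then sanity-check the generated XML before it is deployed. It assumes the repository has been cloned to the current directory, that Find-RulesInBasePath -OutputRules emits relative paths in the list format shown above, and that the FileDelete and clipboard module paths contain the substrings file_delete and clipboard (an assumption about the folder naming; adjust the pattern to match your checkout). The output file names are constructed for this example.

```powershell
# Added example (not project code): build a tuned config and verify it.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

. .\Merge-SysmonXml.ps1

# -ExcludeList only works when BasePath is the full path, so resolve it once.
$base = (Get-Location).Path

# 1. Enumerate every candidate module so the selection can be reviewed.
$available = Find-RulesInBasePath -BasePath $base -OutputRules
$available | Out-File -Encoding utf8 (Join-Path $base 'available_modules.txt')

# 2. Derive an exclude list for the FileDelete and clipboard modules.
#    The match pattern is an assumption about module folder naming.
$excluded = $available | Where-Object { $_ -match 'file_delete|clipboard' }
$excludeFile = Join-Path $base 'exclude_for_example.txt'
$excluded | Out-File -Encoding utf8 $excludeFile

# 3. Merge everything except the excluded modules into one configuration.
$outFile = Join-Path $base 'sysmonconfig-example.xml'
Merge-AllSysmonXml -AsString -BasePath $base -ExcludeList $excludeFile |
    Out-File -Encoding utf8 $outFile

# 4. Sanity-check the result: it must parse as XML, have a Sysmon root and
#    contain no FileDelete / FileDeleteDetected / ClipboardChange filters,
#    because those modules were excluded.
[xml]$cfg = Get-Content -Raw $outFile
if ($cfg.DocumentElement.Name -ne 'Sysmon') {
    throw "Unexpected root element '$($cfg.DocumentElement.Name)' in $outFile"
}
$leaked = $cfg.SelectNodes('//FileDelete | //FileDeleteDetected | //ClipboardChange')
if ($leaked.Count -gt 0) {
    throw "Found $($leaked.Count) event filter(s) that should have been excluded"
}

# 5. Show how many rule groups each event type / onmatch mode ended up with.
#    Event types that do not appear here are the blind spots to be aware of.
$cfg.SelectNodes('//RuleGroup/*') |
    Group-Object -Property { $_.Name + ' onmatch=' + $_.onmatch } |
    Sort-Object Count -Descending |
    Select-Object Name, Count |
    Format-Table -AutoSize
```

Running the script after dot-sourcing Merge-SysmonXml.ps1 produces sysmonconfig-example.xml alongside the exclude list that was used, so both can be committed next to a 100_company_tuning folder and regenerated whenever the upstream modules change. The final table is the quickest way to confirm which event types are covered by include rules, which only carry exclude rules, and which are absent entirely.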
To utilize all modules and generate a configuration that includes the FileDelete events:
$> git clone https://github.com/olafhartong/sysmon-modular.git
$> cd sysmon-modular
$> . .\Merge-SysmonXml.ps1
$> Merge-AllSysmonXml -Path ( Get-ChildItem '[0-9]*\*.xml') -AsString | Out-File -Encoding utf8 sysmonconfig-with-deletes.xml