Getting Started With Sysmon

John Strand //

In this blog, I want to walk through how we can set up Sysmon to easily get improved logging over what we get from normal (and just plain awful) logging in Windows.

Basically, trying to get information from standard Windows logs is a lot like playing tennis against curtains.  Sure, you can go through the right motions, and you can try really hard, but no matter what, it is going to suck. 

For this blog, we will be using ADHD which you can get here:

https://www.activecountermeasures.com/free-tools/adhd/

I hope that by the time you do this, I will have updated it to the version I used at Black Hat 2019.

First, let’s start up the ADHD Linux system and set up our malware and C2 listener: 

On your Linux system, please run the following command:

$ifconfig

Please note the IP address of your Ethernet adapter.  

Please note that my adaptor is called ens33 and my IP address is 192.168.123.128.   Your IP Address and adapter name may be different.

Please note your IP address for the ADHD Linux system below:


Now, run the following commands to start a simple backdoor and backdoor listener: 

$ sudo su -
# cd /opt/java-web-attack/
# ./clone.sh https://gmail.com
# ./weaponize.py index.html 192.168.123.128 <<<--- Your IP will be different!!!!
# ./serve.sh

Next, move back to your Windows system log in as admin.

We will now need to open a cmd.exe terminal as Administrator.  Remember, hit the Windows key, type cmd.exe, right-click on it, and then select Run As Administrator.

Please take a few moments and download Sysmon from here:

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Then, extract it to a C:\Tools directory.  

And, download Swift on Security’s sysmon config to the tools directory.  

You can find it here:

https://github.com/SwiftOnSecurity/sysmon-config

I recommend downloading it as a zip and extracting it to the Tools directory.

Then, type the following:

C:\Windows\system32>cd \Tools

C:\Tools>Sysmon64.exe -accepteula -i sysmonconfig-export.xml

System Monitor v10.2 - System activity monitor
Copyright (C) 2014-2019 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com
Loading configuration file with schema version 4.00
Sysmon schema version: 4.21
Configuration file validated.
Sysmon64 installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon64..
Sysmon64 started.

Now, let’s download and execute the malware.

Next, surf to your Linux system, download the malware and try to run it again.

Now, we need to view the Sysmon events for this malware:

You will select Event Viewer > Applications and Services Logs > Windows > Sysmon > Operational

Start at the top and work down through the logs. You should see your malware executing.

As you can see above, the level of detail in the logs is fantastic.  It gives us the process, the IP addresses, who ran it, and the hash values.  Everything you always wanted, all for free… From Microsoft.

Looking to implement this via Group Policy in Active Directory?  Want to throw the logs to ELK?

Check out the following video:

Join the BHIS Blog Mailing List – get notified when we post new blogs, webcasts, and podcasts.

Join 1,800 other subscribers

Join 1,800 other subscribers