Sysmon Events

Olaf Hartong edited this page Nov 13, 2018 · 1 revision

Description

This page gathers Sysmon-related events that might indicate tampering with Sysmon itself. The following triggers are populated on occurrence:

  • Sysmon Config changes
  • Suspicious Sysmon Config changes
  • Sysmon Registry modifications by untrusted applications
  • Sysmon state changes

Sysmon Config changes

Whenever Sysmon loads a configuration it writes a config state change event (Event ID 16) that records the path of the config file and a hash of that file. Every configuration load on a machine, and therefore every change to the loaded configuration, is logged here, regardless of whether the new configuration is known.

Suspicious Sysmon Config changes

For any configuration that Sysmon loads it generates a hash of the config file. When a new configuration is rolled out, its hash should be documented in the included lookup list trusted-sysmon-configurations.csv. Any configuration load whose hash is not in that list is logged here. Because the hash is taken over the file as loaded, even a legitimate but undocumented update (a whitespace-only edit, a deployment from a different path) will trigger until the list is updated, so keep the lookup in step with your configuration rollouts.

Sysmon Registry modifications by untrusted applications

If an application other than sysmon.exe writes to the Sysmon configuration registry keys (by default the Parameters key of the Sysmon driver service, HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters, which holds the loaded rules and options) a trigger fires here. Two caveats: on 64-bit hosts the service binary is Sysmon64.exe, and an installation with a renamed driver (sysmon -d) uses a different key path, so the exclusion and the key prefix must match the local install. This trigger also depends on the loaded Sysmon configuration itself logging registry value writes (Event ID 13) for those keys.

Sysmon state changes

When the Sysmon service changes state (Event ID 4, with State Started or Stopped) an event is visible here. A Stopped state that is not followed by a Started state, or one that does not coincide with a planned upgrade, deserves a look, since an attacker stopping the service blinds every other detection that depends on Sysmon telemetry.
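The four triggers above, re-implemented as an added example in plain Python over a handful of constructed Sysmon events so the logic can be read and run without Splunk. This is not code from the ThreatHunting app or from sysmon-modular. It assumes the standard Sysmon event fields (Event ID 16 carries Configuration and ConfigurationFileHash, Event ID 13 carries Image and TargetObject, Event ID 4 carries State), assumes trusted-sysmon-configurations.csv has a single column named ConfigurationFileHash (the real column name may differ), and assumes the default SysmonDrv driver name for the registry key prefix.

```python
import csv
import io
from pathlib import PureWindowsPath

# Sysmon keeps its loaded rules and options under the driver service's
# Parameters key. Installing with `sysmon -d <name>` renames the driver, so
# this prefix is an assumption that must match the local install.
SYSMON_PARAMS_KEY = r"HKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters"

# Process images allowed to touch that key. The page says sysmon.exe; the
# 64-bit service binary is Sysmon64.exe, so both are accepted here.
SYSMON_IMAGES = {"sysmon.exe", "sysmon64.exe"}

# Constructed stand-in for trusted-sysmon-configurations.csv. The column
# name is an assumption, not taken from the real lookup file.
TRUSTED_CSV = """ConfigurationFileHash
SHA256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
"""

# Constructed events using the field names Sysmon writes to
# Microsoft-Windows-Sysmon/Operational (only the fields used here).
EVENTS = [
    {"EventID": 16, "Computer": "ws01", "Configuration": r"C:\Sysmon\sysmonconfig.xml",
     "ConfigurationFileHash": "SHA256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"},
    {"EventID": 13, "Computer": "ws01", "Image": r"C:\Windows\Sysmon64.exe",
     "TargetObject": SYSMON_PARAMS_KEY + r"\Rules", "Details": "Binary Data"},
    {"EventID": 16, "Computer": "ws02", "Configuration": r"C:\Users\bob\AppData\Local\Temp\c.xml",
     "ConfigurationFileHash": "SHA256=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"},
    {"EventID": 13, "Computer": "ws02", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": SYSMON_PARAMS_KEY + r"\Rules", "Details": "Binary Data"},
    {"EventID": 4, "Computer": "ws02", "State": "Stopped", "Version": "8.04"},
    {"EventID": 1, "Computer": "ws02", "Image": r"C:\Windows\System32\cmd.exe"},
]


def load_trusted_hashes(csv_text):
    """Return the set of documented config hashes, normalised to upper case."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["ConfigurationFileHash"].strip().upper() for row in reader}


def config_changes(events):
    """Trigger 1: every Sysmon config load (Event ID 16), known or not."""
    return [e for e in events if e["EventID"] == 16]


def suspicious_config_changes(events, trusted_hashes):
    """Trigger 2: config loads whose file hash is not in the trusted list."""
    return [e for e in config_changes(events)
            if e["ConfigurationFileHash"].strip().upper() not in trusted_hashes]


def untrusted_registry_writes(events):
    """Trigger 3: registry value writes (Event ID 13) under the Sysmon
    Parameters key by any image other than the Sysmon binary."""
    prefix = SYSMON_PARAMS_KEY.lower()
    hits = []
    for e in events:
        if e["EventID"] != 13 or not e["TargetObject"].lower().startswith(prefix):
            continue
        if PureWindowsPath(e["Image"]).name.lower() not in SYSMON_IMAGES:
            hits.append(e)
    return hits


def state_changes(events):
    """Trigger 4: Sysmon service started or stopped (Event ID 4)."""
    return [e for e in events if e["EventID"] == 4]


def run_triggers(events, csv_text=TRUSTED_CSV):
    """Evaluate all four triggers and return the hits per trigger name."""
    trusted = load_trusted_hashes(csv_text)
    return {
        "Sysmon Config changes": config_changes(events),
        "Suspicious Sysmon Config changes": suspicious_config_changes(events, trusted),
        "Sysmon Registry modifications by untrusted applications": untrusted_registry_writes(events),
        "Sysmon state changes": state_changes(events),
    }


if __name__ == "__main__":
    for name, hits in run_triggers(EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
        for e in hits:
            print("   ", e["Computer"], e.get("Configuration") or e.get("Image") or e.get("State"))
```

Run as-is, the constructed data produces two config loads, one of which (ws02, loaded from a user's Temp directory) is not in the trusted list, one registry write to the Rules value by regedit.exe, and one service stop on the same host. Note that matching the image by file name only, as the page's wording suggests, is easy to evade with a binary renamed to sysmon.exe in another directory; a stricter version would compare the full path of the installed service binary or its hash.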