Sysmon is a free tool initially developed by Mark Russinovich and Tomas Garnier, with contributions from David Magnotti, Mark Cook, Rob Mead, Giulia Biagini, Alex Mihaiuc, Kevin Sheldrake, John Lambert and others at Microsoft. The tool was initially released for Windows hosts, and in October 2021 an open-source Linux version of the tool was released. The tool is designed to extend the native logging capabilities of Windows and Linux so as to aid in understanding and detecting attackers by their behavior.
The original version of the tool was for internal use at Microsoft. On Windows the tool supports both 64-bit and 32-bit systems and uses a single command-line tool for installation and configuration management.
On Linux the tool can be compiled from source or installed via the distribution's package manager. It supports the following distributions:
- Ubuntu
- Debian
- Red Hat Enterprise Linux
- Fedora Linux
- OpenSuse
- Suse Linux Enterprise Server
Sysmon stores its events in the operating system's default logging facility. On Windows all of the events generated by Sysmon are written to the Microsoft-Windows-Sysmon/Operational event log, and on Linux to /var/log/syslog, so that security products that already collect and centralize logs from both operating systems can ingest them without changes.
Sysmon is able to monitor a series of actions on a host that correspond to existing behavior abused by threat actors. With this view of the actions, defenders are better able to detect abnormal behavior and abuse on a system.
The table below shows the event types and event IDs that the Windows version collects.
| Event type | Event ID |
|---|---|
| Sysmon Service Status Changed | 0 |
| ProcessCreate | 1 |
| FileCreateTime | 2 |
| NetworkConnect | 3 |
| Service State Change | 4 |
| ProcessTerminate | 5 |
| DriverLoad | 6 |
| ImageLoad | 7 |
| CreateRemoteThread | 8 |
| RawAccessRead | 9 |
| ProcessAccess | 10 |
| FileCreate | 11 |
| Registry object added or deleted | 12 |
| Registry Value Set | 13 |
| Registry Rename | 14 |
| FileCreateStreamHash | 15 |
| Sysmon Config Change | 16 |
| Named Pipe Create | 17 |
| Named Pipe Connected | 18 |
| WMI Event Filter | 19 |
| WMI Event Consumer | 20 |
| WMI Consumer to Filter | 21 |
| DNS Query | 22 |
| File Delete | 23 |
| Clipboard Capture | 24 |
| Process Tampering | 25 |
| File Delete Detected | 26 |
| Error | 255 |
Given the differences in the operating system and the underlying technology, the Linux version supports a smaller number of events.
| Event type | Event ID |
|---|---|
| Sysmon Service Status Changed | 0 |
| ProcessCreate | 1 |
| NetworkConnect | 3 |
| Service State Change | 4 |
| ProcessTerminate | 5 |
| RawAccessRead | 9 |
| FileCreate | 11 |
| Sysmon Config Change | 16 |
| File Delete | 23 |
Sysmon for Linux is an open-source version of the tool, developed to collect security events from Linux environments using eBPF (extended Berkeley Packet Filter) and to place the captured events into syslog for easy consumption by existing centralized log collection solutions.
Sysmon for Linux uses the sysinternalsEBPF library to capture actions against files on disk and network actions. eBPF is a technology that allows sandboxed programs to run inside the kernel; Sysmon leverages it to capture information on processes, on reads and writes to block devices, and on socket and TCP/IP actions before they reach a network interface. This is similar to the minifilter drivers on Windows, which allow events to be captured as they are executed by the OS APIs.
sysinternalsEBPF and Sysmon for Linux are open-source projects, which allows the community to contribute and to further expand the capabilities of the tools. They can be found at https://github.com/Sysinternals. Both projects are written in C, and each repository includes documentation on how to build the utility.
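The following is an added example (not code from the Sysmon project or the original page) showing how a defender can consume the Linux events described above: it pulls each Sysmon event out of a syslog line, maps the event ID to the event type from the Linux table, and runs two behavior rules over the result. It assumes that Sysmon for Linux writes each event to syslog as a single XML `<Event>` document with `<System>`/`<EventID>` and `<EventData>/<Data Name="...">` children (the Windows event-log schema); the syslog lines, the rule names and the lists of shell and web-server binaries are constructed for the example.

```python
"""Parse Sysmon for Linux events from syslog lines and run simple detections.

Added example, not part of the Sysmon project. Assumes each Sysmon line carries
one XML <Event> document; the sample lines below are constructed, not captures.
"""
import re
import xml.etree.ElementTree as ET

# Event ID -> event type, taken from the Linux event table.
LINUX_EVENT_TYPES = {
    0: "Sysmon Service Status Changed",
    1: "ProcessCreate",
    3: "NetworkConnect",
    4: "Service State Change",
    5: "ProcessTerminate",
    9: "RawAccessRead",
    11: "FileCreate",
    16: "Sysmon Config Change",
    23: "File Delete",
}

# Constructed sample syslog lines: three Sysmon events plus one unrelated cron line.
SAMPLE_SYSLOG = """\
Oct 20 10:01:02 web01 sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID><Computer>web01</Computer></System><EventData><Data Name="Image">/usr/bin/bash</Data><Data Name="CommandLine">bash -c id</Data><Data Name="User">www-data</Data><Data Name="ParentImage">/usr/sbin/apache2</Data></EventData></Event>
Oct 20 10:01:03 web01 sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>3</EventID><Computer>web01</Computer></System><EventData><Data Name="Image">/usr/bin/bash</Data><Data Name="User">www-data</Data><Data Name="DestinationIp">203.0.113.10</Data><Data Name="DestinationPort">4444</Data></EventData></Event>
Oct 20 10:01:04 web01 sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID><Computer>web01</Computer></System><EventData><Data Name="Image">/usr/bin/sleep</Data><Data Name="CommandLine">sleep 60</Data><Data Name="User">root</Data><Data Name="ParentImage">/usr/bin/bash</Data></EventData></Event>
Oct 20 10:01:05 web01 CRON[123]: (root) CMD (run-parts /etc/cron.hourly)
"""

EVENT_RE = re.compile(r"(<Event>.*</Event>)")
# Hypothetical allow/deny sets used by the rules below.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash",
          "/usr/bin/sh", "/usr/bin/bash", "/usr/bin/dash"}
WEB_SERVERS = {"/usr/sbin/apache2", "/usr/sbin/nginx", "/usr/sbin/httpd"}


def parse_events(syslog_text):
    """Return one dict per Sysmon line with event_id, event_type, computer and
    every EventData field keyed by its Name attribute. Lines without an
    <Event> body (ordinary syslog traffic) are skipped."""
    events = []
    for line in syslog_text.splitlines():
        match = EVENT_RE.search(line)
        if not match:
            continue
        root = ET.fromstring(match.group(1))
        event_id = int(root.findtext("System/EventID"))
        fields = {d.get("Name"): (d.text or "")
                  for d in root.iterfind("EventData/Data")}
        events.append({
            "event_id": event_id,
            "event_type": LINUX_EVENT_TYPES.get(event_id, "Unknown"),
            "computer": root.findtext("System/Computer", ""),
            **fields,
        })
    return events


def detect(events):
    """Apply two behavior rules and return (rule_name, event) pairs:
    a web server process spawning a shell (ProcessCreate, ID 1) and a shell
    opening an outbound connection (NetworkConnect, ID 3)."""
    alerts = []
    for ev in events:
        image = ev.get("Image", "")
        if ev["event_id"] == 1 and image in SHELLS \
                and ev.get("ParentImage", "") in WEB_SERVERS:
            alerts.append(("web-server-spawned-shell", ev))
        if ev["event_id"] == 3 and image in SHELLS:
            alerts.append(("shell-outbound-connection", ev))
    return alerts


if __name__ == "__main__":
    for rule, ev in detect(parse_events(SAMPLE_SYSLOG)):
        print(f"{rule}: {ev['event_type']} on {ev['computer']} "
              f"user={ev.get('User')} image={ev.get('Image')}")
```

Run against a real host, replace `SAMPLE_SYSLOG` with the contents of /var/log/syslog (or the lines your collector forwards); because each event is a self-contained XML record, the same parser works unchanged on forwarded copies.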