Sysmon
A Sysinternals tool that provides detailed information about process creations, network connections, and changes to file creation time. It is a wealth of information that can be used for a variety of purposes in Incident Response, Event Detection, and Threat Hunting.
SysmonForLinux - Linux version of Sysmon. Installation guide for Ubuntu available on GitHub.
Sysmon-dfir - Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.
Sysmon-modular - A repository of Sysmon configuration modules
Sysmon-config - SwiftOnSecurity's Sysmon configuration file template with default high-quality event tracing
SysmonSearch - Investigate suspicious activity by visualizing Sysmon's event log.
SysmonSimulator - Sysmon event simulation utility that simulates attacks to generate Sysmon event logs, so blue teams can test EDR detections and correlation rules.
TrustedSec Sysmon Community Guide - Everything Dave Kennedy writes/makes is gold. It is the way.
Espy - Endpoint detection for remote hosts, for consumption by RITA and Elasticsearch.
NXLog-Autoconfig - With no customisation, the script installs Sysmon with the SwiftOnSecurity config and generates an NXLog config to start pulling the Sysmon and Windows Security events.
Sysmon event types and their fields