Sysmon Documentation


1. Sysmon Basics
· Research and understand Sysmon for Linux. What is it, and what
functionalities does it offer?
o What is Sysmon:
Sysmon is a tool that helps users and admins monitor and log
activity on a particular system. This includes system uptime, network
connections, filesystem writes, etc.
It helps identify malicious activity and how possible malware is
entering the system.

o What are the functionalities:
▪ Logging system events from the operating system
▪ Tracking user activity
▪ Detecting unauthorized changes to the system configuration
▪ Auditing user account access

· How does it differ from the traditional Windows Sysmon tool?
o Sysmon for Windows has more mature features due to its longer
development history; in Linux some Event IDs are not integrated (yet)
o The Windows version integrates with the Windows Event Log
o The Linux version uses system calls for event logging and writes logs via
syslog

· Install and configure Sysmon for Linux on a test machine.
o Installation
▪ Register the Microsoft package repository:
▪ wget -q https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
▪ Install Sysmon:
▪ sudo apt-get update
▪ sudo apt-get install apt-transport-https
▪ sudo dpkg -i packages-microsoft-prod.deb
▪ sudo apt-get update
▪ sudo apt-get install sysmonforlinux
o Configuration:
▪ Create config file:
▪ nano /opt/config.xml
▪ change/add configurations (for example):

<Sysmon schemaversion="4.70">
  <EventFiltering>
    <!-- Event ID 1 == ProcessCreate. Log all newly created processes -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude"/>
    </RuleGroup>
    <!-- Event ID 3 == NetworkConnect Detected. Log all network connections -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude"/>
    </RuleGroup>
    <!-- Event ID 5 == ProcessTerminate. Log all processes terminated -->
    <RuleGroup name="" groupRelation="or">
      <ProcessTerminate onmatch="exclude"/>
    </RuleGroup>
    <!-- Event ID 9 == RawAccessRead. Log all raw access reads -->
    <RuleGroup name="" groupRelation="or">
      <RawAccessRead onmatch="exclude"/>
    </RuleGroup>
    <!-- Event ID 10 == ProcessAccess. Log all open process operations -->
    <RuleGroup name="" groupRelation="or">
      <ProcessAccess onmatch="exclude"/>
    </RuleGroup>
    <!-- Event ID 11 == FileCreate. Log every file creation -->
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="exclude"/>
    </RuleGroup>
    <!-- Event ID 23 == FileDelete. Log all files being deleted -->
    <RuleGroup name="" groupRelation="or">
      <FileDelete onmatch="exclude"/>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

▪ Apply configuration:
▪ sudo sysmon -accepteula -i /opt/config.xml
· Experiment with basic configuration options.
o Basic configurations can be changed by editing the config.xml file

· Explore the Sysmon for Linux user interface
o Output from Sysmon can be viewed using:
▪ tail -f /var/log/syslog
this streams the syslog, which contains every Sysmon event that the
config file lets through (alongside the other syslog entries)

· Familiarize yourself with the information Sysmon captures.

Sysmon for Linux follows a similar approach to Sysmon for Windows in terms
of event IDs. However, there are currently fewer supported events in the Linux
version. Here's a breakdown of the currently supported Event IDs in Sysmon
for Linux:
o Event ID 1: ProcessCreate: This event captures information whenever a new
process is created on the system.
o Event ID 3: NetworkConnect: This event logs details about network
connections made by processes.
o Event ID 5: ProcessTerminate: This event captures information when a
process terminates.
o Event ID 9: RawAccessRead: This event monitors raw disk reads performed
by processes.
o Event ID 11: FileCreate: This event logs information whenever a file is
created.
o Event ID 23: FileDelete: This event captures information when a file is
deleted.
2. Monitoring System Activity
· Simulate common system activities: create, modify, and delete files; start and
stop processes; establish network connections.
· Analyze the generated Sysmon logs. Can you identify the events
corresponding to your simulated activities?
o Create, modify and delete files:
▪ Simulate:
▪ # Create a file
touch ~/Desktop/testfile.txt
▪ # Modify the file
echo "Adding some content" >> ~/Desktop/testfile.txt
▪ # Delete the file
rm ~/Desktop/testfile.txt
▪ Monitor:
▪ By filtering on Event IDs 11 and 23 we can monitor all events
that are related to file creation and file deletion
▪ A specific Event ID to monitor file modification is not
available in Sysmon for Linux.
Sysmon for Windows does have this Event ID
▪ Use the following command:
sudo tail -f /var/log/syslog | sudo /opt/sysmon/sysmonLogView -e 11,23
o Start and stop a process:
▪ Simulate:
▪ Start a process (e.g. sleep for 60 seconds):
command: sleep 60 &
▪ Get its PID:
command: PID=$!
▪ Stop the process:
command: kill $PID
▪ Monitor:
▪ By filtering on Event ID 1 (ProcessCreate) and Event ID 5
(ProcessTerminate) we can filter on these events in the
log files
▪ Command: sudo tail -f /var/log/syslog | sudo /opt/sysmon/sysmonLogView -e 1,5
o Establish a network connection:
▪ Simulate:
▪ We will simulate/establish a network connection by using
the ping command, e.g.:
▪ Command: ping -c 10 www.google.com
▪ Monitor:
▪ By filtering on Event ID 3, we can get an overview of
established network connections.
▪ Command: sudo tail -f /var/log/syslog | sudo /opt/sysmon/sysmonLogView -e 3
· Explore specific log entries and understand the captured details.
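The analysis step above, done in Python as an added example (not part of these notes and not a Sysmon tool): it reads syslog lines, keeps only the Sysmon events, filters them by Event ID the way sysmonLogView -e does, and pairs ProcessCreate with ProcessTerminate on ProcessGuid. The sample lines are constructed and assume the shape Sysmon for Linux writes (one <Event> XML document per syslog line tagged "sysmon:"); the helper names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
EVENT_NAMES = {1: "ProcessCreate", 3: "NetworkConnect", 5: "ProcessTerminate",
               9: "RawAccessRead", 11: "FileCreate", 23: "FileDelete"}
# Assumed line shape: "<timestamp> <host> sysmon: <Event>...</Event>"
SYSLOG_RE = re.compile(r"^\S+ +\d+ [\d:]+ \S+ sysmon: (<Event>.*</Event>)$")

def _line(eid, **data):  # builds a constructed sample line in that shape
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return ("Jan 10 10:00:00 lab sysmon: <Event><System><Provider Name=\"Linux-Sysmon\"/>"
            f"<EventID>{eid}</EventID></System><EventData>{fields}</EventData></Event>")

SAMPLE_SYSLOG = [  # the simulated activities from this section, plus one non-Sysmon line
    _line(1, UtcTime="2024-01-10 10:00:01.000", ProcessGuid="{g-1}", ProcessId=4242,
          Image="/usr/bin/sleep", CommandLine="sleep 60"),
    "Jan 10 10:00:02 lab CRON[900]: (root) CMD (run-parts /etc/cron.hourly)",
    _line(11, UtcTime="2024-01-10 10:00:03.000", ProcessGuid="{g-2}", Image="/usr/bin/touch",
          TargetFilename="/home/lab/Desktop/testfile.txt"),
    _line(3, UtcTime="2024-01-10 10:00:04.000", ProcessGuid="{g-3}", Image="/usr/bin/ping",
          DestinationIp="203.0.113.10", Protocol="icmp"),
    _line(23, UtcTime="2024-01-10 10:00:05.000", ProcessGuid="{g-4}", Image="/usr/bin/rm",
          TargetFilename="/home/lab/Desktop/testfile.txt"),
    _line(5, UtcTime="2024-01-10 10:01:01.000", ProcessGuid="{g-1}", Image="/usr/bin/sleep"),
]

def parse_sysmon_events(lines):  # one dict per Sysmon event: EventID, EventName, <Data> fields
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # cron, sshd, ...: not a Sysmon line
        try:
            root = ET.fromstring(m.group(1))
        except ET.ParseError:
            continue  # truncated or garbled event: skip it instead of crashing
        eid = int(root.findtext("System/EventID", "0"))
        ev = {"EventID": eid, "EventName": EVENT_NAMES.get(eid, f"Unknown({eid})")}
        ev.update((d.get("Name"), d.text or "") for d in root.iterfind("EventData/Data"))
        events.append(ev)
    return events

def filter_events(events, ids):  # same selection as `sysmonLogView -e 11,23`
    return [e for e in events if e["EventID"] in set(ids)]

def process_lifetimes(events):
    """Pair ProcessCreate (1) with ProcessTerminate (5) on ProcessGuid; End is None if still running."""
    life = {}
    for e in events:
        if e["EventID"] == 1:
            life[e["ProcessGuid"]] = {"Image": e["Image"], "Start": e["UtcTime"], "End": None}
        elif e["EventID"] == 5 and e["ProcessGuid"] in life:
            life[e["ProcessGuid"]]["End"] = e["UtcTime"]
    return life
```

Running parse_sysmon_events over a real /var/log/syslog works the same way, line by line; the regex drops everything that is not a Sysmon event before any XML parsing happens.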
