Posh-Sysmon Module for Creating Sysmon Configuration Files
Why a PowerShell Module
Sysmon configuration files can be complex and hard to maintain by hand. For this purpose I created a module called Posh-Sysmon some time ago to aid in the creation and maintenance of configuration files. The module was initially written after the release of version 2.0 and has been maintained and expanded as new versions have been released, all the way to the current one at the time of writing, version 6.0.
The module is written for PowerShell v3.0 and above. If running version 5.0 or 5.1 it can be installed from the PowerShell Gallery using the cmdlet
Install-Module -Name Posh-Sysmon
If running PowerShell 3.0 or 4.0, the PowerShell Gallery can also be used by following the instructions in the PowerShell Gallery documentation.
Once installed, we can list all cmdlets available in the module using Get-Command.
PS C:\> Get-Command -Module Posh-Sysmon

CommandType Name                                 Version Source
----------- ----                                 ------- ------
Function    Get-SysmonEventData                  0.7.5   Posh-Sysmon
Function    Get-SysmonHashingAlgorithm           0.7.5   Posh-Sysmon
Function    Get-SysmonRule                       0.7.5   Posh-Sysmon
Function    Get-SysmonRuleFilter                 0.7.5   Posh-Sysmon
Function    New-SysmonConfiguration              0.7.5   Posh-Sysmon
Function    New-SysmonDriverLoadFilter           0.7.5   Posh-Sysmon
Function    New-SysmonFileCreateFilter           0.7.5   Posh-Sysmon
Function    New-SysmonFileCreateStreamHashFilter 0.7.5   Posh-Sysmon
Function    New-SysmonImageLoadFilter            0.7.5   Posh-Sysmon
Function    New-SysmonNetworkConnectFilter       0.7.5   Posh-Sysmon
Function    New-SysmonPipeFilter                 0.7.5   Posh-Sysmon
Function    New-SysmonProcessAccessFilter        0.7.5   Posh-Sysmon
Function    New-SysmonProcessCreateFilter        0.7.5   Posh-Sysmon
Function    New-SysmonProcessTerminateFilter     0.7.5   Posh-Sysmon
Function    New-SysmonRegistryFilter             0.7.5   Posh-Sysmon
Function    Remove-SysmonRule                    0.7.5   Posh-Sysmon
Function    Remove-SysmonRuleFilter              0.7.5   Posh-Sysmon
Function    Set-SysmonHashingAlgorithm           0.7.5   Posh-Sysmon
Function    Set-SysmonRule                       0.7.5   Posh-Sysmon
Creating a Configuration File
The first cmdlet we use is New-SysmonConfiguration. It allows us to create the initial configuration file where we can specify:
- Hash Algorithm. Supported options:
  - MD5
  - SHA1
  - SHA256
  - IMPHASH
  - ALL
- Schema Version (defaults to the latest version, 3.3)
- Enable Certificate Revocation check for signed drivers.
- Log all events for a specified EventType by creating an empty exclude rule. Switches for event types are:
  - DriverLoad
  - ImageLoad
  - FileCreate
  - FileCreateStreamHash
  - RawAccessRead
  - ProcessCreate
  - ProcessTerminate
  - ProcessAccess
  - RegistryEvent
  - NetworkConnect
  - PipeEvent
The cmdlet has only two required parameters: the Path where the configuration file is saved and the HashingAlgorithm to use. In the following example we create a new configuration file, enable all hashing algorithms, and set rules to log all process creation and termination.
PS C:\> New-SysmonConfiguration -Path .\sales_sysmon_config.xml -HashingAlgorithm all -ProcessCreate -ProcessTerminate -Verbose
VERBOSE: Enabling hashing algorithms: *
VERBOSE: Enabling logging all process creation by setting no filter and onmatch to exclude.
VERBOSE: Enabling logging all process termination by setting no filter and onmatch to exclude.
VERBOSE: Config file created as C:\Users\Carlos\Documents\sales_sysmon_config.xml
VERBOSE: Configuration is for Sysmon 6.0
The configuration file content will be:
<Sysmon schemaversion="3.3">
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <ProcessCreate onmatch="exclude">
    </ProcessCreate>
    <ProcessTerminate onmatch="exclude">
    </ProcessTerminate>
  </EventFiltering>
</Sysmon>
We can modify the hash algorithms configured in the configuration file with the Set-SysmonHashingAlgorithm cmdlet and check the current one with the Get-SysmonHashingAlgorithm cmdlet. Let's look at the one currently set.
PS C:\> Get-SysmonHashingAlgorithm -Path .\sales_sysmon_config.xml

Hashing
-------
*
We can now change the algorithm to SHA1 using the Set-SysmonHashingAlgorithm cmdlet and verify that it was properly set using Get-SysmonHashingAlgorithm.
PS C:\> Set-SysmonHashingAlgorithm -Path .\sales_sysmon_config.xml -HashingAlgorithm SHA1
PS C:\> Get-SysmonHashingAlgorithm -Path .\sales_sysmon_config.xml

Hashing
-------
SHA1
Working with Event Types
We can manage the Rules in the configuration file using the following cmdlets:
- Get-SysmonRule – Look at a specified or all Rules configured in a configuration file and their filters.
- Remove-SysmonRule – Remove a specific rule in a configuration file.
- Set-SysmonRule – Add or modify a rule in a configuration file.
Let’s take a look at the rules we have on the current file:
PS C:\> Get-SysmonRule -Path .\sales_sysmon_config.xml

EventType     : ProcessCreate
Scope         : All Events
DefaultAction : Exclude
Filters       :

EventType     : ProcessTerminate
Scope         : All Events
DefaultAction : Exclude
Filters       :
We can specify an EventType so we only see the rule for that specific one:
PS C:\> Get-SysmonRule -Path .\sales_sysmon_config.xml -EventType ProcessTerminate

EventType     : ProcessTerminate
Scope         : All Events
DefaultAction : Exclude
Filters       :
We can add a rule for a specific event type using Set-SysmonRule; if the rule does not already exist, it is created with the specified OnMatch action.
PS C:\> Set-SysmonRule -Path .\sales_sysmon_config.xml -EventType ProcessAccess -OnMatch Exclude -Verbose
VERBOSE: No rule for ProcessAccess was found.
VERBOSE: Creating rule for event type with action of Exclude
VERBOSE: Action has been set.

EventType     : ProcessAccess
Scope         : All Events
DefaultAction : Exclude
Filters       :
We can modify the OnMatch action of an existing rule; when no other rule for the same event type exists, the cmdlet's default action is to modify the one it finds.
PS C:\> Set-SysmonRule -Path .\sales_sysmon_config.xml -EventType ProcessAccess -OnMatch Include -Verbose
VERBOSE: Setting as default action for ProcessAccess the rule on match of Include.
VERBOSE: Action has been set.

EventType     : ProcessAccess
Scope         : All Events
DefaultAction : Include
Filters       :
We can override the default modify behaviour by specifying the action with the Action parameter; with -Action Add a second rule is added for the same event type instead of changing the existing one.
PS C:\> Set-SysmonRule -Path .\sales_sysmon_config.xml -EventType ProcessAccess -OnMatch exclude -Action Add -Verbose
VERBOSE: Creating rule for event type with action of exclude
VERBOSE: Action has been set.

EventType     : ProcessAccess
Scope         : All Events
DefaultAction : Exclude
Filters       :

PS C:\> Get-SysmonRule -Path .\sales_sysmon_config.xml -EventType ProcessAccess

EventType     : ProcessAccess
Scope         : All Events
DefaultAction : Include
Filters       :

EventType     : ProcessAccess
Scope         : All Events
DefaultAction : Exclude
Filters       :
We can remove a specific rule for a given event type and OnMatch action using Remove-SysmonRule.
PS C:\> Remove-SysmonRule -Path .\sales_sysmon_config.xml -EventType ProcessAccess -OnMatch exclude -Verbose
VERBOSE: Removed rule for ProcessAccess.
PS C:\> Get-SysmonRule -Path .\sales_sysmon_config.xml -EventType ProcessAccess

EventType     : ProcessAccess
Scope         : All Events
DefaultAction : Include
Filters       :
Working with Filters
A rule for an event type can have no filters at all; since nothing matches, the opposite of the OnMatch action then applies to every event of that type (an empty exclude rule logs everything, an empty include rule logs nothing). For managing and creating filters the module includes several functions: two general-purpose functions for listing and removing filters for a given event type, and one function per event type that exposes the fields we can filter on, based on the DTD embedded in sysmon.exe.
The 2 general functions are:
- Get-SysmonRuleFilter - gets all filters for a given event type.
- Remove-SysmonRuleFilter - Removes a specific filter for a given event type.
Each event type supported by Sysmon has different fields we can filter on. The XML schema requires that we provide the correct field name in the correct case, or the import will fail; for this reason there is a function per event type, which ensures proper formatting and prevents the errors that come from editing the XML file by hand.
Each of these cmdlets is named after the event type it filters, followed by the word Filter, as seen below.
- New-SysmonDriverLoadFilter
- New-SysmonFileCreateFilter
- New-SysmonFileCreateStreamHashFilter
- New-SysmonImageLoadFilter
- New-SysmonNetworkConnectFilter
- New-SysmonPipeFilter
- New-SysmonProcessAccessFilter
- New-SysmonProcessCreateFilter
- New-SysmonProcessTerminateFilter
- New-SysmonRegistryFilter
Each of the filtering cmdlets has a common set of parameters:
- Path - Path to the configuration file.
- OnMatch - The OnMatch action under which we want to create the filter for the event type.
- Condition - The matching condition we want to use.
- EventField - The event field we want to filter on.
- Value - The value we want to match.
Here is an example where we create a ProcessAccess filter for LSASS to detect if a malicious process is trying to extract credentials from its memory.
PS C:\> New-SysmonProcessAccessFilter -Path .\sales_sysmon_config.xml -OnMatch include -Condition Contains -EventField TargetImage lsass.exe -Verbose
VERBOSE: Mutiple nodes.
VERBOSE: Found rule for event type ProcessAccess with include
VERBOSE: Creating filters for event type ProcessAccess.
VERBOSE: Creating filter for event filed TargetImage with condition Contains for value lsass.exe.

EventType     : ProcessAccess
Scope         : Filtered
DefaultAction : Include
Filters       : {@{EventField=TargetImage; Condition=contains; Value=lsass.exe}}
We can provide several values to create one filter per value, all sharing the same condition, event field and OnMatch action.
Let's create multiple filters for possibly malicious connections, adapting some of the filters shared by @swiftOnSecurity. All image entries are kept in an array; we create the rule for the event type and then create the filters for it. This allows us to easily automate rule creation, keeping the information either in files that get imported or in variables in a build script that generates the master configuration file.
PS C:\> # Log connections processes that contain
PS C:\> # the following strings under the Image field
PS C:\Users\Carlos\Documents> # Adapted from - https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
PS C:\> $DetectImageConnection = @(
>>> 'C:\Users',
>>> 'C:\ProgramData',
>>> 'C:\Windows\Temp',
>>> 'powershell.exe',
>>> 'cmd.exe',
>>> 'wmic.exe',
>>> 'cscript.exe',
>>> 'wscript.exe',
>>> 'rundll32.exe',
>>> 'notepad.exe',
>>> 'regsvr32.exe')
PS C:\> Set-SysmonRule -Path .\sales_sysmon_config.xml -EventType NetworkConnect -OnMatch Include -Verbose
VERBOSE: No rule for NetworkConnect was found.
VERBOSE: Creating rule for event type with action of Include
VERBOSE: Action has been set.

EventType     : NetworkConnect
Scope         : All Events
DefaultAction : Include
Filters       :

PS C:\> New-SysmonNetworkConnectFilter -Path .\sales_sysmon_config.xml -OnMatch include -Condition Contains -EventField Image -Value $DetectImageConnection -Verbose
VERBOSE: Mutiple nodes.
VERBOSE: Found rule for event type NetworkConnect with include
VERBOSE: Creating filters for event type NetworkConnect.
VERBOSE: Creating filter for event filed Image with condition Contains for value C:\Users.
VERBOSE: Creating filter for event filed Image with condition Contains for value C:\ProgramData.
VERBOSE: Creating filter for event filed Image with condition Contains for value C:\Windows\Temp.
VERBOSE: Creating filter for event filed Image with condition Contains for value powershell.exe.
VERBOSE: Creating filter for event filed Image with condition Contains for value cmd.exe.
VERBOSE: Creating filter for event filed Image with condition Contains for value wmic.exe.
VERBOSE: Creating filter for event filed Image with condition Contains for value cscript.exe.
VERBOSE: Creating filter for event filed Image with condition Contains for value wscript.exe.
VERBOSE: Creating filter for event filed Image with condition Contains for value rundll32.exe.
VERBOSE: Creating filter for event filed Image with condition Contains for value notepad.exe.
VERBOSE: Creating filter for event filed Image with condition Contains for value regsvr32.exe.
We can take a look at the created filters using the Get-SysmonRuleFilter cmdlet.
PS C:\> Get-SysmonRuleFilter -Path .\sales_sysmon_config.xml -EventType NetworkConnect -OnMatch include

EventField Condition Value
---------- --------- -----
Image      contains  C:\Users
Image      contains  C:\ProgramData
Image      contains  C:\Windows\Temp
Image      contains  powershell.exe
Image      contains  cmd.exe
Image      contains  wmic.exe
Image      contains  cscript.exe
Image      contains  wscript.exe
Image      contains  rundll32.exe
Image      contains  notepad.exe
Image      contains  regsvr32.exe
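The build-script approach described above, carried through end to end as an added example. This is not code from the original post or from the Posh-Sysmon project; it assumes Posh-Sysmon is installed and that the cmdlets and parameters shown in this post are available. The output path, the watch lists and the Test-SysmonConfigStructure helper are constructed for this example; the helper reads the generated XML back with the .NET XML parser, independently of the module, so a broken file is caught before it is ever handed to sysmon.exe.

```powershell
# Added example (not from the original post or the Posh-Sysmon project):
# build a Sysmon configuration from arrays with Posh-Sysmon, then sanity-check
# the resulting XML before it is handed to sysmon.exe.
# Assumes Posh-Sysmon is installed; the file path and the watch lists below
# are constructed for this example.
Import-Module Posh-Sysmon -ErrorAction Stop

$ConfigPath = Join-Path $PWD 'build_sysmon_config.xml'

# Constructed watch lists; keep them in version control and review changes like code.
$ProcessAccessTargets = @('lsass.exe')
$NetworkConnectImages = @(
    'C:\Users',
    'C:\ProgramData',
    'powershell.exe',
    'cmd.exe'
)

# 1. Start from a clean base file: hash with every algorithm, log all process
#    creation and termination via empty exclude rules.
Remove-Item -Path $ConfigPath -ErrorAction SilentlyContinue
New-SysmonConfiguration -Path $ConfigPath -HashingAlgorithm ALL -ProcessCreate -ProcessTerminate | Out-Null

# 2. One rule per event type, then one filter per array entry under that rule.
Set-SysmonRule -Path $ConfigPath -EventType ProcessAccess -OnMatch Include | Out-Null
New-SysmonProcessAccessFilter -Path $ConfigPath -OnMatch Include -Condition Contains `
    -EventField TargetImage -Value $ProcessAccessTargets | Out-Null

Set-SysmonRule -Path $ConfigPath -EventType NetworkConnect -OnMatch Include | Out-Null
New-SysmonNetworkConnectFilter -Path $ConfigPath -OnMatch Include -Condition Contains `
    -EventField Image -Value $NetworkConnectImages | Out-Null

# 3. Structural check of the generated XML, done with the .NET parser rather
#    than the module, so it also works on hand-edited files (hypothetical helper).
function Test-SysmonConfigStructure {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    $problems = @()
    if (-not $doc.Sysmon) { $problems += 'Root element is not <Sysmon>' }
    foreach ($rule in $doc.Sysmon.EventFiltering.ChildNodes) {
        if ($rule.NodeType -ne 'Element') { continue }
        $onmatch = $rule.GetAttribute('onmatch')
        if ($onmatch -notin @('include', 'exclude')) {
            $problems += "Rule $($rule.Name) has invalid onmatch '$onmatch'"
        }
        foreach ($filter in $rule.ChildNodes) {
            if ($filter.NodeType -ne 'Element') { continue }
            if (-not $filter.HasAttribute('condition')) {
                $problems += "Filter $($rule.Name)/$($filter.Name) lacks a condition attribute"
            }
            if ([string]::IsNullOrWhiteSpace($filter.InnerText)) {
                $problems += "Filter $($rule.Name)/$($filter.Name) has an empty value"
            }
        }
    }
    return $problems
}

$issues = Test-SysmonConfigStructure -Path $ConfigPath
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
    exit 1
}

# 4. Show what was generated, using the module's own reader.
Get-SysmonRule -Path $ConfigPath
Get-SysmonRuleFilter -Path $ConfigPath -EventType NetworkConnect -OnMatch Include
```

Run it from the directory that should receive the file; it exits non-zero when the generated XML fails the structural check, which makes it usable as a gate in a build pipeline before sysmon -c is ever run against the output.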
Working with Events
The real value of Sysmon is in the events it generates. The module provides a cmdlet for pulling events from the local machine or from an evtx file, parsing them into custom objects where each event field is a property of the object. Working with objects lets us use the pipeline to manipulate the data, use it for reporting, or feed it into other functions to generate filters.
The cmdlet for getting events as objects is Get-SysmonEventData. It has the following parameters:
- EventId
- EventType
- MaxEvents
- Path
- StartTime
- EndTime
Let's look at the scenario where we want to log any new driver being loaded. For this we will exclude all drivers already known on the system, by creating a rule that captures all driver loads, applying it, and then pulling the data from the event log to create filters from.
We create a new configuration file and pass the -DriverLoad parameter to New-SysmonConfiguration so as to log all drivers being loaded. After creating the configuration file we apply the configuration.
PS C:\> New-SysmonConfiguration -Path .\capture_drivers.xml -HashingAlgorithm SHA1 -DriverLoad
PS C:\> sysmon -c .\capture_drivers.xml

System Monitor v6.00 - System activity monitor
Copyright (C) 2014-2017 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Loading configuration file with schema version 3.30
Configuration file validated.
You need to launch Sysmon as an Administrator.
We now reboot the machine and connect any peripherals we normally use. Then we use Get-SysmonEventData to get all DriverLoad events and group them by the Signed property to make sure all loaded drivers are signed.
PS C:\> Get-SysmonEventData -EventType DriverLoad | group -Property signed

Count Name Group
----- ---- -----
  149 true {@{EventId=6; EventType=DriverLoad; Computer=DESKTOP-HLPPN56; UtcTime=2017-02-19 14:48:29.007; ImageLoaded=C:\Windows\System32\drivers\ms S...
Using the Select-Object cmdlet we now get a list of unique signature names. This list will be used to create our filters.
PS C:\> Get-SysmonEventData -EventType DriverLoad | select -ExpandProperty signature -Unique
Microsoft Windows
Intel(R) Rapid Storage Technology
VMware
Riverbed Technology
Broadcom Corporation
Intel(R) OWR
Realtek Semiconductor Corp
Intel Corporation
Intel(R) Software
Intel Corporation - Embedded Subsystems and IP Blocks Group
Intel(R) Embedded Subsystems and IP Blocks Group
Wireshark Foundation
Intel(R) pGFX
OpenVPN Technologies
IDRIX
We save the unique signatures into a variable for use with the New-SysmonDriverLoadFilter cmdlet.
PS C:\> $uniqueSigs = Get-SysmonEventData -EventType DriverLoad | select -ExpandProperty signature -Unique
Before creating the filters we have to ensure that a rule for DriverLoad exists in our intended configuration file and that its OnMatch action is set to Exclude.
PS C:\> Set-SysmonRule -Path .\sales_sysmon_config.xml -EventType DriverLoad -OnMatch Exclude

EventType     : DriverLoad
Scope         : All Events
DefaultAction : Exclude
Filters       :
We can now create the filters for each of the signers by adding to the existing rule's filters, with the condition Is on the event field Signature, passing the array we created as the value.
PS C:\> New-SysmonDriverLoadFilter -Path .\sales_sysmon_config.xml -OnMatch exclude -Condition Is -EventField Signature -Value $uniqueSigs -Verbose
VERBOSE: Mutiple nodes.
VERBOSE: Found rule for event type DriverLoad with exclude
VERBOSE: Creating filters for event type DriverLoad.
VERBOSE: Creating filter for event filed Signature with condition Is for value Microsoft Windows.
VERBOSE: Creating filter for event filed Signature with condition Is for value Intel(R) Rapid Storage Technology.
VERBOSE: Creating filter for event filed Signature with condition Is for value VMware.
VERBOSE: Creating filter for event filed Signature with condition Is for value Riverbed Technology.
VERBOSE: Creating filter for event filed Signature with condition Is for value Broadcom Corporation.
VERBOSE: Creating filter for event filed Signature with condition Is for value Intel(R) OWR.
VERBOSE: Creating filter for event filed Signature with condition Is for value Realtek Semiconductor Corp.
VERBOSE: Creating filter for event filed Signature with condition Is for value Intel Corporation.
VERBOSE: Creating filter for event filed Signature with condition Is for value Intel(R) Software.
VERBOSE: Creating filter for event filed Signature with condition Is for value Intel Corporation - Embedded Subsystems and IP Blocks Group.
VERBOSE: Creating filter for event filed Signature with condition Is for value Intel(R) Embedded Subsystems and IP Blocks Group.
VERBOSE: Creating filter for event filed Signature with condition Is for value Wireshark Foundation.
VERBOSE: Creating filter for event filed Signature with condition Is for value Intel(R) pGFX.
VERBOSE: Creating filter for event filed Signature with condition Is for value OpenVPN Technologies.
VERBOSE: Creating filter for event filed Signature with condition Is for value IDRIX.

EventType     : DriverLoad
Scope         : Filtered
DefaultAction : Exclude
Filters       : {@{EventField=Signature; Condition=is; Value=Microsoft Windows}, @{EventField=Signature; Condition=is; Value=Intel(R) Rapid Storage Technology}, @{EventFi Condition=is; Value=Riverbed Technology}...}
As can be seen, the filters were created and we can apply the configuration file to the host. Any new driver not signed by one of those original signers will be logged.
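The driver-baseline procedure above, collected into one repeatable script as an added example. It is not code from the original post or from the Posh-Sysmon project; it assumes Posh-Sysmon is installed, that Sysmon is running with DriverLoad logging enabled (as set up above) and that the shell is elevated so Get-SysmonEventData can read the Sysmon log. The configuration path and the two helper functions (Get-DriverSignerBaseline, Add-DriverSignerExclusions) are constructed for this example. It goes slightly beyond the post in two ways: unsigned drivers are reported instead of silently baselined, and signers already present in the file are skipped so the script can be re-run after connecting new hardware without creating duplicate filters.

```powershell
# Added example (not from the original post or the Posh-Sysmon project):
# baseline the signers of drivers already seen on this host and turn them into
# DriverLoad exclude filters, skipping signers that are already in the file.
# Assumes Posh-Sysmon is installed, Sysmon is running with DriverLoad enabled,
# and the shell is elevated. The config path is constructed for this example.
Import-Module Posh-Sysmon -ErrorAction Stop

$ConfigPath = Join-Path $PWD 'sales_sysmon_config.xml'

function Get-DriverSignerBaseline {
    # Returns the unique Signature values of drivers whose Signed field is true.
    # Unsigned drivers are reported as warnings and are never added to the baseline.
    $events = @(Get-SysmonEventData -EventType DriverLoad)
    if ($events.Count -eq 0) {
        throw 'No DriverLoad events found; apply a config with -DriverLoad and reboot first.'
    }
    foreach ($e in ($events | Where-Object { $_.Signed -ne 'true' })) {
        Write-Warning "Unsigned driver loaded, not baselined: $($e.ImageLoaded)"
    }
    $events |
        Where-Object { $_.Signed -eq 'true' -and -not [string]::IsNullOrWhiteSpace($_.Signature) } |
        Select-Object -ExpandProperty Signature -Unique
}

function Add-DriverSignerExclusions {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Signers
    )
    # Make sure the DriverLoad rule exists with exclude as its default action.
    Set-SysmonRule -Path $Path -EventType DriverLoad -OnMatch Exclude | Out-Null

    # Only add signers that are not already excluded, so re-runs stay idempotent.
    $existing = @(Get-SysmonRuleFilter -Path $Path -EventType DriverLoad -OnMatch Exclude |
        Where-Object { $_.EventField -eq 'Signature' } |
        Select-Object -ExpandProperty Value)
    $new = @($Signers | Where-Object { $_ -notin $existing })
    if ($new.Count -eq 0) {
        Write-Verbose 'All signers are already excluded; nothing to add.' -Verbose
        return @()
    }
    New-SysmonDriverLoadFilter -Path $Path -OnMatch Exclude -Condition Is `
        -EventField Signature -Value $new | Out-Null
    return $new
}

$signers = Get-DriverSignerBaseline
$added   = Add-DriverSignerExclusions -Path $ConfigPath -Signers $signers
"Added $(@($added).Count) new signer exclusion(s) to $ConfigPath"
Get-SysmonRuleFilter -Path $ConfigPath -EventType DriverLoad -OnMatch Exclude
```

Because the exclusions match on Signature with the Is condition, a future driver from an already-baselined publisher is excluded too; that is the trade-off the post accepts. If a tighter baseline is wanted, the same script can be pointed at the ImageLoaded field instead, so that only the exact driver files seen during the capture are excluded and any new file from the same publisher is still logged.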
I hope you find the module useful in automating the creation of Sysmon configuration files.