Sysmon Shell

Sysmon can add great visibility to security operations and incident response. Taking full advantage of it, however, means going beyond the default command-line options and crafting XML configurations that leverage the tool's powerful filtering capabilities, which can be a tedious task because the Sysmon schema changes frequently with new releases of the tool.

Sysmon Shell can aid in writing and applying Sysmon XML configurations through a simple GUI, and it can also be used to learn about the Sysmon configuration options available with each release. In a nutshell:

  • Sysmon Shell can load Sysmon XML configuration files: with version 1.0, I am only supporting the latest schema, v3.30 for Sysmon v6.01; future updates to Sysmon will be supported. In addition, the tool won’t load any Sysmon configuration from the registry, although I might add support for this in the future.
  • It can export/save the final XML to a file.
  • It can apply the generated XML by calling Sysmon.exe -c directly (creating a temporary XML file in the folder where Sysmon is installed). For this reason it needs elevated privileges (a requirement inherited from Sysmon). The output of applying the configuration is displayed in the preview pane (Sysmon output).
  • The XML configuration can be previewed in the preview pane before saving.
  • The utility contains descriptions of all event types, taken from the Sysmon page on Sysinternals (https://technet.microsoft.com/en-us/sysinternals/sysmon).

What it won’t do: warn you about Include/Exclude conflicts or attempt to validate the rules itself. However, once a configuration is applied, the preview pane displays the output from Sysmon (the output of the Sysmon.exe -c command), from which errors can be identified.
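Since the tool does not check for Include/Exclude conflicts before applying a configuration, the following added example (not part of Sysmon Shell or Sysmon) shows a small pre-flight check you can run on a schema 3.30 XML file before handing it to Sysmon.exe -c. It assumes the Sysmon filtering rules of that schema: at most one include and one exclude filter per event type, with a matching exclude taking precedence over a matching include. The embedded configuration is constructed for the demonstration and intentionally contains both mistakes.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
# Constructed sample (schema 3.30, Sysmon v6.01), not a production config: it
# deliberately overlaps include/exclude and duplicates a filter, which the GUI won't flag.
SAMPLE_CONFIG = """<Sysmon schemaversion="3.30">
  <EventFiltering>
    <ProcessCreate onmatch="include">
      <Image condition="end with">powershell.exe</Image>
    </ProcessCreate>
    <ProcessCreate onmatch="exclude">
      <Image condition="end with">powershell.exe</Image>
    </ProcessCreate>
    <NetworkConnect onmatch="include">
      <DestinationPort condition="is">443</DestinationPort>
    </NetworkConnect>
    <NetworkConnect onmatch="include">
      <DestinationPort>80</DestinationPort>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>"""

def filter_rules(flt):
    # Sysmon's default condition is "is" when the attribute is omitted.
    return {(r.tag, r.get("condition", "is"), (r.text or "").strip()) for r in flt}

def check_sysmon_config(xml_text):
    # Returns (event_type, message) findings; an empty list means nothing to fix.
    root = ET.fromstring(xml_text)
    if root.tag != "Sysmon" or "schemaversion" not in root.attrib:
        return [("Sysmon", "root must be <Sysmon schemaversion=...>")]
    filtering = root.find("EventFiltering")
    if filtering is None:
        return [("EventFiltering", "no <EventFiltering> section")]
    findings, by_type = [], defaultdict(lambda: {"include": [], "exclude": []})
    for flt in filtering:
        onmatch = flt.get("onmatch", "").lower()
        if onmatch not in ("include", "exclude"):
            findings.append((flt.tag, "onmatch must be include or exclude"))
            continue
        by_type[flt.tag][onmatch].append(filter_rules(flt))
    for event_type, modes in by_type.items():
        for mode in ("include", "exclude"):
            if len(modes[mode]) > 1:
                findings.append((event_type, f"more than one {mode} filter; Sysmon -c rejects it"))
        # A rule listed in both filters never fires: the exclude match wins.
        for inc in modes["include"]:
            for exc in modes["exclude"]:
                for field, cond, value in sorted(inc & exc):
                    findings.append((event_type, f"{field} {cond} {value!r} is both included and excluded"))
    return findings
```

Run the check on the XML you are about to export from the preview pane; a clean result still leaves the final word to the Sysmon output shown after applying.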

Following is a screenshot of Sysmon Shell in action

[Screenshot: Sysmon Shell in action]

Sysmon Shell can be downloaded from the following links (the archive password is “password”, without the quotes):

Sysmon Shell 32-bit build (md5 88f8d91f51274294084a2642f1fee860)

Sysmon Shell 64-bit build (md5 4e91946eb5dd597f4c4c0499a1b35ea2)

Please report any bugs or suggestions here.