Although the noise generated by Sysmon could be reduced through filters applied in its XML configuration, it is still somehow too much to look at, (I usually tend to log everything when doing reverse engineering).
The main idea behind Sysmon View is to aid in the analysis of Sysmon logs using “visual” reporting modules, which are based on specific (useful) use cases.
The utility is still in its initial stages, I am releasing it with the first reporting module which can:
Step 1 – Filter binary images (executables) according to their file name
Step 2 – Further filter binary image files (selected from step 1) according to their path, which might be helpful in investigating anomalies in images location (Images with the same name running from multiple locations)
Step 3 – Visualize Sysmon events (related to binaries filtered through step 1 and 2), but per image logged session (this is Sysmon process GUID in action)
The utility can then help “visually” line up (sorted by time) the different events associated with a particular session.
To get started, you need to export Sysmon events first to an XML file using WEVTUtil (I could have designed the tool to connect and retrieve-pull the logs from the server directly, but Sysmon View was not designed to be used as live log analysis tool)
WEVTUtil query-events “Microsoft-Windows-Sysmon/Operational” /format:xml /e:sysmonview > eventlog.xml
Once exported, run Sysmon View and import the generated file “eventlog.xml” (or the name you selected). Note that this might take some time, depending on the size of the logged data (this needs to be done once per log file, subsequent runs do not need any imports, and can be reloaded using File -> Load existing data menu option, which will load previously saved data again)
Sysmon View will build an internal database that I will discuss its structure in upcoming posts and how to utilize its content (which by the way is an SQLite database file).
Once the log file is imported, you can start searching through the collected binary images, which can be easily filtered
Double-clicking any of the binary images will show the path location(s) reported by Sysmon, which will help in identifying anomalies in path location at this stage as previously outlined
Double-clicking an image path entry will cause the tool to collect all sessions (again, this is the process GUID in action) for that image entry that was running from that location
Double-clicking any of the sessions entries will generate a tree of events sorted by event’s logged time
Double-clicking any event block will reveal more details in a floating window (you will notice some additional entries that do not exist in Sysmon XML schema, as previously mentioned, I will elaborate more on this and the internal database structure in upcoming write-ups)