Updated SysmonView

Here is the latest update of Sysmon View (1.1). The tool incorporates much of the feedback received (thank you all), along with bug fixes and new features; here they are:

  • Bug fixes related to internal database connectivity errors
  • Bug fixes related to the UI not being reset after resetting the data
  • Bug fix related to the way information about binary images (executables) is collected
  • Sysmon View's design is now based on visual modules (currently there are two visual modules)
  • Sysmon View comes in 32-bit and 64-bit builds
  • New cool “Black” theme 🙂
  • “Process View” got an additional filtering option that shows only images (executables) reported with the selected events. So if the analyst would like to view the timeline of a process but exclude its network and image-loaded events, this filter will help narrow down the results (as shown in the following screenshot)

  • Map View: this is cool! You can view network events by destination country; this works only if the geo-location option was selected during the import process. Selecting any country displays the related network events. Check it out

There are many enhancements I am currently working on, in addition to new features, but I decided to release earlier instead of waiting too long between releases.

Sysmon View can be downloaded (32-bit and 64-bit builds) from GitHub @ this link (the archive password is “password”, without the quotes):

For any questions or suggestions, please contact me by email.

Sysmon View

Although the noise generated by Sysmon can be reduced through filters applied in its XML configuration, it is usually still too much to look at, and in the case of malware reverse engineering, filtering events is something to be done after logging almost everything.

No matter how much log volume a security analyst has to deal with, Sysmon View can be of some help (thanks to the process GUID that Sysmon logs with every event, which works as a correlation identifier; unlike the process ID, it is not reused by later processes).

The main idea is to help identify malicious binaries using “visual” reporting modules, each of which is based on a certain (useful) use case.

The utility is still in its initial stages; I am releasing it with the first reporting module, which can help identify malicious binaries by following these steps:

Step 1 – Filter binary images by file name

Step 2 – Filter the binary image files selected in step 1 by path; this helps in the case of a path anomaly (an executable with the same name running from multiple locations)

Step 3 – Visualize the events of the executable filtered through steps 1 and 2, per logged session of that image (this is the process GUID in action)

Step 4 – The utility can then “visually” line up (sorted by time) the different events associated with a certain session

To get started, the Sysmon events first need to be exported to an XML file using WEVTUtil (I could have designed the tool to connect to the server and retrieve the logs directly, but for so many reasons related to security, stability and “please do not touch my production”, I decided that exporting them to a file is a far better and safer approach)

WEVTUtil query-events "Microsoft-Windows-Sysmon/Operational" /format:xml /e:sysmonview > eventlog.xml
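The four steps above, applied directly to the file that command produces, as an added example in Python; this is not part of Sysmon View or the original post, and the function names (parse_events, image_paths, sessions, timeline) are my own. It parses a constructed sample of wevtutil's XML output (not real log data; the GUIDs and addresses are made up), filters by file name, lists the distinct paths for that name, groups events by ProcessGuid into sessions, and sorts each session's events by time, with the same optional exclusion of network (event 3) and image-load (event 7) events that the Process View filter offers:

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, Iterable, List

# Namespace wevtutil puts on every <Event>; the /e:sysmonview root element itself is un-namespaced.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sysmon event IDs referred to in the walkthrough.
EVENT_NAMES = {1: "ProcessCreate", 3: "NetworkConnect", 5: "ProcessTerminate", 7: "ImageLoaded"}

# Constructed sample (not real log data; GUIDs and addresses are made up) in the shape of
# "wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml /e:sysmonview" output.
# svchost.exe runs twice from System32 and once from C:\Users\Public (the path anomaly);
# the Public session's events are deliberately out of order in the file.
SAMPLE_XML = r"""<sysmonview>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>1</EventID><TimeCreated SystemTime='2017-05-01T10:00:00.000000000Z'/></System><EventData><Data Name='ProcessGuid'>{A1}</Data><Data Name='Image'>C:\Windows\System32\svchost.exe</Data><Data Name='CommandLine'>svchost.exe -k netsvcs</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>7</EventID><TimeCreated SystemTime='2017-05-01T10:00:01.000000000Z'/></System><EventData><Data Name='ProcessGuid'>{A1}</Data><Data Name='Image'>C:\Windows\System32\svchost.exe</Data><Data Name='ImageLoaded'>C:\Windows\System32\ntdll.dll</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>3</EventID><TimeCreated SystemTime='2017-05-01T10:00:05.000000000Z'/></System><EventData><Data Name='ProcessGuid'>{A1}</Data><Data Name='Image'>C:\Windows\System32\svchost.exe</Data><Data Name='DestinationIp'>10.0.0.5</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>1</EventID><TimeCreated SystemTime='2017-05-01T10:02:00.000000000Z'/></System><EventData><Data Name='ProcessGuid'>{B2}</Data><Data Name='Image'>C:\Users\Public\svchost.exe</Data><Data Name='CommandLine'>svchost.exe</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>3</EventID><TimeCreated SystemTime='2017-05-01T10:02:09.000000000Z'/></System><EventData><Data Name='ProcessGuid'>{B2}</Data><Data Name='Image'>C:\Users\Public\svchost.exe</Data><Data Name='DestinationIp'>203.0.113.7</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>7</EventID><TimeCreated SystemTime='2017-05-01T10:02:03.000000000Z'/></System><EventData><Data Name='ProcessGuid'>{B2}</Data><Data Name='Image'>C:\Users\Public\svchost.exe</Data><Data Name='ImageLoaded'>C:\Windows\System32\ws2_32.dll</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>5</EventID><TimeCreated SystemTime='2017-05-01T10:02:30.000000000Z'/></System><EventData><Data Name='ProcessGuid'>{B2}</Data><Data Name='Image'>C:\Users\Public\svchost.exe</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>1</EventID><TimeCreated SystemTime='2017-05-01T10:05:00.000000000Z'/></System><EventData><Data Name='ProcessGuid'>{A3}</Data><Data Name='Image'>C:\Windows\System32\svchost.exe</Data><Data Name='CommandLine'>svchost.exe -k LocalService</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>1</EventID><TimeCreated SystemTime='2017-05-01T10:06:00.000000000Z'/></System><EventData><Data Name='ProcessGuid'>{C4}</Data><Data Name='Image'>C:\Windows\System32\cmd.exe</Data><Data Name='CommandLine'>cmd.exe /c whoami</Data></EventData></Event>
</sysmonview>"""


def parse_events(xml_text: str) -> List[dict]:
    """Flatten each <Event> into a dict: event_id, time (SystemTime string), guid, image, data.
    xml.etree is fine for an export you made yourself; for a file from an untrusted host use defusedxml."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "event_id": int(ev.findtext("e:System/e:EventID", namespaces=NS)),
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "guid": data.get("ProcessGuid", ""),  # Sysmon's correlation identifier
            "image": data.get("Image", ""),
            "data": data,
        })
    return events


def image_paths(events: Iterable[dict], file_name: str) -> List[str]:
    """Steps 1 and 2: every distinct full path reported for an executable file name.
    More than one path for the same name is the path anomaly described in the post."""
    name = file_name.lower()
    return sorted({e["image"] for e in events if e["image"].lower().rsplit("\\", 1)[-1] == name})


def sessions(events: Iterable[dict], image_path: str) -> Dict[str, List[dict]]:
    """Step 3: group the events of one image path by ProcessGuid (one GUID = one process session)."""
    by_guid: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if e["image"].lower() == image_path.lower():
            by_guid[e["guid"]].append(e)
    return dict(by_guid)


def timeline(session_events: Iterable[dict], exclude_ids: Iterable[int] = ()) -> List[dict]:
    """Step 4: the session's events sorted by logged time, minus excluded event IDs
    (e.g. {3, 7} drops network and image-load events, like the Process View filter).
    All SystemTime values share one fixed format, so lexicographic order is chronological."""
    drop = set(exclude_ids)
    return sorted((e for e in session_events if e["event_id"] not in drop), key=lambda e: e["time"])


def describe(e: dict) -> str:
    """One-line summary of an event for the printed timeline."""
    d = e["data"]
    detail = d.get("CommandLine") or d.get("ImageLoaded") or d.get("DestinationIp") or ""
    return f"{e['time']}  {EVENT_NAMES.get(e['event_id'], e['event_id'])}  {detail}".rstrip()


if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    for path in image_paths(evs, "svchost.exe"):
        print("path:", path)
        for guid, session in sessions(evs, path).items():
            print("  session", guid)
            for e in timeline(session, exclude_ids=()):
                print("   ", describe(e))
```

To run it against a real export, read eventlog.xml and pass its contents to parse_events in place of SAMPLE_XML; the output lists svchost.exe under two paths, with the C:\Users\Public copy standing out as the anomaly, and each session's events in time order regardless of their order in the file.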

Once exported, run Sysmon View and import the generated file “eventlog.xml” (or whatever name you selected). Please note that this might take some time, depending on the size of the log file. The import needs to be done only once per log file; subsequent runs do not need any imports, just use the command File -> Load existing data to load the previously imported data and work with it again.


Sysmon View builds an internal database, which by the way is a SQLite database; I will discuss its structure, and how to make use of its content, in upcoming posts.


Once the log file is imported, you can start searching through the collected binary images, which can be easily filtered by file name



Double clicking any of the binary images shows the path location(s) reported by Sysmon, which helps in identifying path anomalies at this stage


Double clicking an image path entry causes the tool to collect all sessions (again, this is the process GUID in action) of that image that were running from that location


Double clicking any of the session entries generates a tree of events sorted by the events' logged time


The generated tree chart can be exported to PDF, and if more details are needed about a certain event block, double clicking it reveals them in a floating window (you will notice some additional entries that do not exist in the Sysmon XML schema; as previously mentioned, I will write another blog entry to explain the internal database structure)


Sysmon View can be downloaded (32-bit and 64-bit builds) from GitHub @ this link (the archive password is “password”, without the quotes):

For any questions or suggestions, please contact me by email.