Sysmon Shell – Release 1.1

I have just uploaded a new version of Sysmon Shell (v1.1).


Here is the list of updates:

  • I added new configuration options to include or exclude an entire event type, which were surprisingly missing in version 1.0. They generate an empty filter rule, for example:
    <PipeEvent onmatch="include"/> or <PipeEvent onmatch="exclude"/>
    Keep the Sysmon semantics in mind: an empty include rule logs none of that event type, and an empty exclude rule logs all of it.
  • If you are using Sysmon for malware analysis, you might find the last tab, "Logs Export", useful: it exports the Sysmon event log to an XML file. I load the exported XML files in Sysmon View for later analysis. The export feature has three options:
    • Export only
    • Export and clear the Sysmon event log (to mark a new analysis starting point)
    • Export, back up the .evtx file, and clear the event log
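The same three export options can be scripted for an analysis workflow. The following is an added example written for this page, not code from Sysmon Shell: it uses wevtutil against Sysmon's real channel name, while the output folder and file names are assumptions. It must run from an elevated session, since clearing the Sysmon channel requires administrative rights.

```powershell
# Added example, not Sysmon Shell's code: the "Logs Export" options reproduced
# with wevtutil so they can be scripted. $SysmonLog is Sysmon's real channel;
# the output folder and file names are assumptions. Run elevated.
$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'

function Export-SysmonLog {
    param(
        [ValidateSet('ExportOnly', 'ExportAndClear', 'ExportBackupAndClear')]
        [string] $Mode = 'ExportOnly',
        [string] $OutDir = 'C:\analysis\sysmon'      # assumed output folder
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'   # never overwrite an earlier export
    $xmlPath  = Join-Path $OutDir "sysmon-$stamp.xml"
    $evtxPath = Join-Path $OutDir "sysmon-$stamp.evtx"

    # 1. Export. wevtutil prints one <Event> element per record with no root
    #    element, so wrap them in <Events> to produce a well-formed document.
    $events = wevtutil qe $SysmonLog /f:xml
    if ($LASTEXITCODE -ne 0) { throw "wevtutil qe failed (exit code $LASTEXITCODE)" }
    $doc = "<?xml version=`"1.0`" encoding=`"utf-8`"?>`r`n<Events>`r`n" +
           (@($events) -join "`r`n") + "`r`n</Events>`r`n"
    [System.IO.File]::WriteAllText($xmlPath, $doc, [System.Text.Encoding]::UTF8)

    # 2. Optional native backup: the .evtx keeps the raw records for Event Viewer
    #    and other tooling, which the XML export does not replace.
    if ($Mode -eq 'ExportBackupAndClear') {
        wevtutil epl $SysmonLog $evtxPath
        if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed (exit code $LASTEXITCODE)" }
    }

    # 3. Optional clear, so the next run starts from an empty log. Clear-EventLog
    #    only handles classic logs; Sysmon's channel needs wevtutil cl.
    if ($Mode -ne 'ExportOnly') {
        wevtutil cl $SysmonLog
        if ($LASTEXITCODE -ne 0) { throw "wevtutil cl failed (exit code $LASTEXITCODE)" }
    }

    [pscustomobject]@{
        Mode     = $Mode
        Exported = @($events).Count                  # one line per event record
        XmlPath  = $xmlPath
        EvtxPath = if ($Mode -eq 'ExportBackupAndClear') { $evtxPath } else { $null }
    }
}

# Mark a new analysis starting point while keeping the raw log
Export-SysmonLog -Mode 'ExportBackupAndClear'
```

The timestamped file names are deliberate: an evidence export should never silently overwrite an earlier one, and wevtutil epl refuses to write over an existing file anyway.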


  • If you apply the Sysmon configuration through Sysmon Shell rather than from the command line, be aware that I am no longer validating the Sysmon image against its hash as I did in version 1.0. Instead, the hash of the Sysmon image used to run the configuration command is reported in the preview pane, so you can compare it against a known-good value yourself.
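Since the tool now only reports the hash, the check is up to you. The following is an added example, not Sysmon Shell's own code: it verifies the Sysmon binary's Authenticode signature and SHA256 before applying a configuration with Sysmon.exe -c, the same call Sysmon Shell makes, and it captures Sysmon's output the way the preview pane does. The install path, the expected hash and the temp-file location are assumptions; the embedded configuration uses the empty include/exclude rules added in v1.1.

```powershell
# Added example, not Sysmon Shell's code. Assumptions: Sysmon is installed at
# $SysmonExe and you recorded its SHA256 when you downloaded it.
$SysmonExe      = 'C:\Windows\Sysmon.exe'
$ExpectedSha256 = '<sha256 you recorded at download time>'

# Minimal config using the v1.1 "entire event type" switches:
#   empty include filter -> no events of that type are logged (PipeEvent)
#   empty exclude filter -> every event of that type is logged (ProcessCreate)
# Sysmon gives exclude rules precedence over include rules, so a conflicting
# pair silently drops events; Sysmon Shell does not warn about that.
$Config = @'
<Sysmon schemaversion="3.30">
  <EventFiltering>
    <PipeEvent onmatch="include"/>
    <ProcessCreate onmatch="exclude"/>
    <NetworkConnect onmatch="include">
      <Image condition="image">powershell.exe</Image>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>
'@

function Test-SysmonBinary {
    param([string] $Path, [string] $ExpectedHash)
    if (-not (Test-Path $Path)) { throw "Sysmon not found at $Path" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
        throw "Refusing to run: signature status $($sig.Status), signer $($sig.SignerCertificate.Subject)"
    }
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($hash -ne $ExpectedHash) { throw "Refusing to run: SHA256 $hash does not match $ExpectedHash" }
    return $hash
}

function Set-SysmonConfig {
    param([string] $SysmonPath, [string] $ConfigXml)
    # Sysmon -c must run elevated; fail early instead of getting an opaque error
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session'
    }
    # Temporary file in %TEMP% (Sysmon Shell uses the Sysmon folder instead)
    $tmp = Join-Path $env:TEMP ('sysmon-config-{0}.xml' -f [guid]::NewGuid())
    Set-Content -Path $tmp -Value $ConfigXml -Encoding UTF8
    try {
        # Sysmon prints schema and rule errors to its console output; keep it
        $output = & $SysmonPath -c $tmp 2>&1
        [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = (@($output) -join "`n") }
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

$hash = Test-SysmonBinary -Path $SysmonExe -ExpectedHash $ExpectedSha256
"Sysmon.exe SHA256: $hash"
$result = Set-SysmonConfig -SysmonPath $SysmonExe -ConfigXml $Config
$result.Output
if ($result.ExitCode -ne 0) { throw "Sysmon rejected the configuration (exit code $($result.ExitCode))" }
```

The signature check alone is not enough, because any validly signed Sysinternals binary would pass it; pinning the hash you recorded at download time is what ties the run to the exact build you inspected.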


The new version can be found on my GitHub.

Please contact me to report any bugs or suggestions.

Sysmon Shell

Sysmon Shell can aid in writing and applying Sysmon XML configurations through a simple GUI. It can also be used to learn about the Sysmon configuration options available with each release, instead of digging through the XML schema. In a nutshell:

  • Sysmon Shell can load Sysmon XML configuration files. Version 1.0 supports only the latest schema, v3.30 for Sysmon v6.01; future Sysmon updates will be supported. The tool does not load the current Sysmon configuration from the registry, although I might add that feature in the future.
  • It can export/save the final XML to a file.
  • It can apply the generated XML by calling Sysmon.exe -c directly (it creates a temporary XML file in the folder where Sysmon is installed). For this reason it needs elevated privileges, a requirement inherited from Sysmon. The output of applying the configuration is displayed in the preview pane (Sysmon output).
  • The XML configuration can be previewed in the preview pane before saving.
  • The utility contains descriptions of all event types, taken from the Sysmon page on Sysinternals (https://technet.microsoft.com/en-us/sysinternals/sysmon).

What it won't do: warn you about include/exclude conflicts or attempt to validate the rules itself. However, once a configuration is applied, the preview pane displays the output of the Sysmon -c command, from which errors can be identified.

Following is a screenshot of Sysmon Shell in action

[Screenshot: Sysmon Shell in action]

Sysmon Shell can be downloaded from my GitHub.

Please contact me to report any bugs or suggestions.