下载:
https://docs.microsoft.com/zh-cn/sysinternals/downloads/sysmon
安装
默认安装不需要任何配置文件；安装后用 `sysmon -c` 查看当前生效配置，并据输出确认是否需要重启。
sysmon -accepteula -i
（注意：参数前必须是 ASCII 连字符 `-`；从网页复制时容易变成长破折号 `–`，会被 Sysmon 当成无效参数。）
System Monitor v6.03 - System activity monitor
Copyright (C) 2014-2017 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com
Current configuration:
- Service name: Sysmon
- Driver name: SysmonDrv
- HashingAlgorithms: SHA1
- Network connection: disabled
- Image loading: disabled
- CRL checking: disabled
- Process Access: disabled
No rules installed
没有规则，默认使用 SHA1 哈希算法，不需要重启。日志写入 C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx（对应事件查看器中的 Microsoft-Windows-Sysmon/Operational 通道）。注意上面的输出中 Network connection、Image loading、Process Access 均为 disabled，因此默认配置主要记录：
进程创建和终止（包括前台 GUI 创建的进程和 cmd 下执行的进程）；网络连接、映像加载、进程访问等事件需要通过规则文件或 -n/-l 等开关显式开启。
增加配置规则文件 sysmon.cfg（schemaversion 3.20；注意语义：`onmatch="include"` 下为空表示该类事件完全不记录，`onmatch="exclude"` 下为空表示该类事件全部记录）:
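<?xml version="1.0" encoding="UTF-8"?>
<!--
  Sysmon rule file (schema 3.20, written for Sysmon 6.x).

  Filtering semantics that matter when editing this file:
    * onmatch="exclude": every event of that type is logged except those matching a rule.
    * onmatch="include": nothing of that type is logged except what matches a rule, so an
      empty include section (ProcessTerminate below) turns that event type off entirely.
    * In schema 3.x the rules inside one section are OR-ed; there is no way to AND two
      fields in one rule, so an exclusion cannot be narrowed by a second condition.

  Threat-model note: assume an attacker with local admin can read the effective
  configuration (sysmon -c prints it). Every condition="contains" rule on Image,
  ParentImage, CurrentDirectory or CommandLine below is therefore a string the attacker
  can adopt to stay out of the log, e.g. running a payload from a folder named "Tanium"
  or "Symantec", or adding the word "Splunk" to a command line. Replace those with full
  install paths ("begin with" / "end with") where the environment allows it.
-->
<Sysmon schemaversion="3.20">
  <!-- SHA256 added to the original md5,imphash: MD5 is collision-prone and most
       threat-intel feeds key on SHA256; imphash is kept for clustering PE families. -->
  <HashAlgorithms>sha256,md5,imphash</HashAlgorithms>
  <EventFiltering>

    <!-- Event 11 (FileCreate): only files dropped into a Startup folder (persistence). -->
    <FileCreate onmatch="include">
      <TargetFilename condition="contains">\Startup\</TargetFilename>
    </FileCreate>

    <!-- Events 12/13/14 (Registry): autorun keys and service binary / DLL paths. -->
    <RegistryEvent onmatch="include">
      <TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
      <TargetObject condition="end with">\ImagePath</TargetObject>
      <TargetObject condition="end with">\ServiceDll</TargetObject>
    </RegistryEvent>
    <RegistryEvent onmatch="exclude">
      <!-- 360 security suite touches these keys constantly. "contains" is an evasion
           vector (see header); accepted here purely for noise reasons. -->
      <Image condition="contains">\360\360</Image>
    </RegistryEvent>

    <!-- Event 6 (DriverLoad): Signature is the signer name string as reported by Sysmon,
         not a verdict on whether the signature verifies, and with "contains" any subject
         that merely includes "microsoft" or "windows" is dropped. NOTE(review): if the
         running Sysmon exposes a signature-validity field (check the schema printed by
         sysmon -s), prefer filtering on that; otherwise keep this list short and review
         it against the driver inventory. -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
      <Signature condition="contains">Qihoo 360</Signature>
      <Signature condition="contains">Intel(R) Intel</Signature>
    </DriverLoad>

    <!-- Event 1 (ProcessCreate): noise exclusions. Removed from the original list:
           * msiexec.exe (System32 and SysWOW64): msiexec is a living-off-the-land binary
             (e.g. "msiexec /q /i http://host/x.msi"); its command line is exactly what
             you want logged.
           * User = NT AUTHORITY\NETWORK SERVICE: a blanket account exclusion hides child
             processes of any service running under that account (on IIS hosts this can
             include web-shell children of w3wp.exe). The wmiprvse noise it was presumably
             meant to cover is already handled by the CommandLine rules below. -->
    <ProcessCreate onmatch="exclude">
      <Image condition="contains">System32\backgroundTaskHost.exe</Image>
      <Image condition="contains">McAfee</Image>
      <Image condition="contains">Symantec</Image>
      <Image condition="contains">TrendMicro</Image>
      <Image condition="contains">Tanium</Image>
      <CurrentDirectory condition="contains">Tanium</CurrentDirectory>
      <Image condition="contains">Cortana</Image>
      <Image condition="contains">Cisco</Image>
      <Image condition="contains">Splunk</Image>
      <Image condition="contains">NVIDIA Corporation</Image>
      <Image condition="end with">System32\BackgroundTransferHost.exe</Image>
      <Image condition="end with">Microsoft.ActiveDirectory.WebServices.exe</Image>
      <!-- dllhost.exe is the COM surrogate; its /Processid:{CLSID} argument is also where
           COM-hijack persistence and DCOM activations show up. Kept excluded for noise;
           consider re-enabling once a baseline of normal CLSIDs is known. -->
      <Image condition="end with">System32\dllhost.exe</Image>
      <Image condition="end with">System32\smartscreen.exe</Image>
      <Image condition="end with">System32\SearchFilterHost.exe</Image>
      <Image condition="end with">System32\audiodg.exe</Image>
      <Image condition="end with">System32\conhost.exe</Image>
      <Image condition="end with">System32\SearchProtocolHost.exe</Image>
      <Image condition="end with">Drive\googledrivesync.exe</Image>
      <Image condition="contains">\slack\</Image>
      <Image condition="end with">microsoft shared\ClickToRun\OfficeClickToRun.exe</Image>
      <Image condition="end with">System32\consent.exe</Image>
      <Image condition="end with">System32\LogonUI.exe</Image>
      <Image condition="end with">System32\taskhostw.exe</Image>
      <Image condition="end with">System32\LockAppHost.exe</Image>
      <Image condition="end with">ink\TabTip.exe</Image>
      <Image condition="end with">LockApp.exe</Image>
      <!-- Browser process creation is excluded; note this also drops the browser command
           line, which is where a malicious load-extension or profile flag would appear. -->
      <Image condition="end with">Chrome\Application\chrome.exe</Image>
      <Image condition="end with">Explorer\iexplore.exe</Image>
      <Image condition="end with">Mozilla Firefox\firefox.exe</Image>
      <Image condition="end with">System32\wsqmcons.exe</Image>
      <Image condition="end with">System32\slui.exe</Image>
      <CommandLine condition="contains">chrome.exe" --type=renderer</CommandLine>
      <!-- Any command line containing the word "Splunk" is dropped; see header. -->
      <CommandLine condition="contains">Splunk</CommandLine>
      <CommandLine condition="contains"> btool server </CommandLine>
      <CommandLine condition="contains">wmiprvse.exe -Embedding</CommandLine>
      <CommandLine condition="contains">wermgr.exe -queuereporting</CommandLine>
      <CommandLine condition="contains">wmiprvse.exe -secured -Embedding</CommandLine>
      <ParentImage condition="contains">Tanium</ParentImage>
      <Image condition="contains">\360\360</Image>
      <Image condition="contains">\Tencent\QQ\Bin\</Image>
    </ProcessCreate>

    <!-- Event 10 (ProcessAccess): handles opened on lsass.exe / winlogon.exe, i.e. the
         credential-dumping path. 0x1400 (PROCESS_QUERY_INFORMATION 0x0400 |
         PROCESS_QUERY_LIMITED_INFORMATION 0x1000) is the benign "who are you" query and is
         dropped; masks that include PROCESS_VM_READ (0x0010) or full access (0x1FFFFF)
         are the ones to alert on. -->
    <ProcessAccess onmatch="exclude">
      <GrantedAccess condition="is">0x1400</GrantedAccess>
    </ProcessAccess>
    <ProcessAccess onmatch="include">
      <TargetImage condition="end with">lsass.exe</TargetImage>
      <TargetImage condition="end with">winlogon.exe</TargetImage>
    </ProcessAccess>

    <!-- Event 5 (ProcessTerminate): deliberately OFF (empty include): high volume, low value. -->
    <ProcessTerminate onmatch="include" />

    <!-- Event 2 (FileCreateTime): the original had this OFF (empty include). Creation-time
         changes are rare for legitimate software but are the classic timestomping
         anti-forensics step, so they are now recorded for user-writable locations. -->
    <FileCreateTime onmatch="include">
      <TargetFilename condition="contains">\Users\</TargetFilename>
      <TargetFilename condition="contains">\Temp\</TargetFilename>
    </FileCreateTime>

    <!-- Event 3 (NetworkConnect). Changes from the original list:
           * DestinationPort 80/443 exclusions removed: with browsers already excluded by
             image, non-browser egress on 80/443 is the primary C2 signal this event exists
             for. If volume is a problem, exclude specific updater images, not the port.
           * "192." and "172." prefixes narrowed to the RFC 1918 ranges they were meant to
             match: "begin with 192." also matched public 192.x.x.x space and "172."
             matched all of 172.0.0.0/8, not just 172.16.0.0/12.
           * lsass.exe exclusion removed: its legitimate traffic (Kerberos/LDAP to domain
             controllers) is internal and already covered by the RFC 1918 rules; lsass.exe
             connecting outside the LAN is worth seeing.
         Caveat that remains: excluding all RFC 1918 destinations means lateral movement
         inside the LAN (SMB 445, RDP 3389, WinRM 5985/5986, RPC/WMI 135) is NOT in this
         log; cover it from the network side or at the destination host. -->
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">Explorer\iexplore.exe</Image>
      <Image condition="end with">Skype\Phone\Skype.exe</Image>
      <Image condition="end with">Chrome\Application\chrome.exe</Image>
      <Image condition="end with">Mozilla Firefox\firefox.exe</Image>
      <Image condition="contains">\slack\</Image>
      <Image condition="end with">spotify.exe</Image>
      <Image condition="end with">OneDrive\OneDrive.exe</Image>
      <Image condition="end with">Bonjour\mDNSResponder.exe</Image>
      <Image condition="end with">opera.exe</Image>
      <Image condition="end with">g2mcomm.exe</Image>
      <Image condition="end with">Drive\googledrivesync.exe</Image>
      <Image condition="end with">System32\backgroundTaskHost.exe</Image>
      <Image condition="end with">System32\BackgroundTransferHost.exe</Image>
      <Image condition="end with">OLicenseHeartbeat.exe</Image>
      <Image condition="contains">Splunk</Image>
      <Image condition="contains">McAfee</Image>
      <Image condition="contains">Symantec</Image>
      <Image condition="contains">TrendMicro</Image>
      <Image condition="contains">Tanium</Image>
      <Image condition="contains">Microsoft.Windows.Cortana</Image>
      <Image condition="is">System</Image>
      <Image condition="end with">OfficeClickToRun.exe</Image>
      <!-- RFC 1918, loopback, unspecified and multicast destinations. Schema 3.x has no
           CIDR condition, so 172.16.0.0/12 is spelled out as 16 prefixes. -->
      <DestinationIp condition="begin with">10.</DestinationIp>
      <DestinationIp condition="begin with">192.168.</DestinationIp>
      <DestinationIp condition="begin with">172.16.</DestinationIp>
      <DestinationIp condition="begin with">172.17.</DestinationIp>
      <DestinationIp condition="begin with">172.18.</DestinationIp>
      <DestinationIp condition="begin with">172.19.</DestinationIp>
      <DestinationIp condition="begin with">172.20.</DestinationIp>
      <DestinationIp condition="begin with">172.21.</DestinationIp>
      <DestinationIp condition="begin with">172.22.</DestinationIp>
      <DestinationIp condition="begin with">172.23.</DestinationIp>
      <DestinationIp condition="begin with">172.24.</DestinationIp>
      <DestinationIp condition="begin with">172.25.</DestinationIp>
      <DestinationIp condition="begin with">172.26.</DestinationIp>
      <DestinationIp condition="begin with">172.27.</DestinationIp>
      <DestinationIp condition="begin with">172.28.</DestinationIp>
      <DestinationIp condition="begin with">172.29.</DestinationIp>
      <DestinationIp condition="begin with">172.30.</DestinationIp>
      <DestinationIp condition="begin with">172.31.</DestinationIp>
      <DestinationIp condition="is">224.0.0.253</DestinationIp>
      <DestinationIp condition="is">0:0:0:0:0:0:0:1</DestinationIp>
      <DestinationIp condition="is">0.0.0.0</DestinationIp>
      <DestinationIp condition="is">127.0.0.1</DestinationIp>
      <!-- Service-account exclusions hide all outbound traffic of services running under
           these identities (svchost-hosted services, BITS, etc.); accepted for noise. -->
      <User condition="is">NT AUTHORITY\NETWORK SERVICE</User>
      <User condition="is">NT AUTHORITY\LOCAL SERVICE</User>
      <Image condition="contains">\Tencent\QQ\Bin\</Image>
      <Image condition="contains">\360\360</Image>
      <Image condition="contains">Microsoft Office\Office</Image>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>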
安装命令（注意 `-i` 前是 ASCII 连字符，不是长破折号）:
sysmon64.exe -accepteula -n -l -i sysmon.cfg
安装完成后执行 `sysmon64.exe -c`，核对输出中 Network connection / Image loading 是否为 enabled、规则是否已加载；指定配置文件时命令行的 -n/-l 开关是否仍然生效，以该输出为准。若已安装，更新规则用 `sysmon64.exe -c sysmon.cfg`，无需重装。
日志路径:
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx
日志本机查看:
执行命令 `%windir%\system32\eventvwr.msc /s` 打开事件查看器。实时日志位于「应用程序和服务日志 > Microsoft > Windows > Sysmon > Operational」，可直接查看；「Windows 日志」上右键「打开已保存的日志」用于查看导出的 .evtx 文件（例如上面路径中的文件）。
远程搜集日志: