



  • Root Admin

Setting up Microsoft Sysmon to audit the system to look for unwanted or undesirable objects.

Please note that running Sysmon will slightly increase system usage and cause a small performance hit. Once you are done auditing for undesirable objects, you may wish to uninstall Sysmon.

 

[ 1 ]

Make a new folder at the top level of your computer named C:\MONITOR 
 

[ 2 ]

Download the latest version of Sysmon from the official Sysinternals website and save or copy it to the new folder C:\Monitor

Site:  https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
File: https://download.sysinternals.com/files/Sysmon.zip

[ 3 ]

Open the file Sysmon.zip and extract or copy all of the files inside the zip file to the C:\Monitor folder.

[ 4 ]

Click the link below and save the file: "sysmonconfig-export.zip" to the C:\Monitor folder as well

sysmonconfig-export.zip

Then open that file and extract or copy the sysmonconfig-export.xml to the C:\Monitor folder.

The file must be extracted out of the zip file or Sysmon will not install correctly.

Once the configuration file has been extracted, the C:\Monitor folder should look something like the image below.

(image: contents of the C:\Monitor folder)

 

[ 5 ]

Click on START and type in CMD.EXE; when it shows on the menu, right-click it and select "Run as administrator".

Type the following and press the Enter key

CD C:\Monitor

Then type the following and press the enter key

DIR

You should then see something similar to the following

(image: output of DIR in C:\Monitor)

 

[ 6 ]

Copy and Paste the following to the command prompt window to install Sysmon with the specified configuration file and press the Enter key

sysmon64.exe -accepteula -i sysmonconfig-export.xml

That should produce a similar output as shown below

C:\Monitor>sysmon.exe -accepteula -i sysmonconfig-export.xml


System Monitor v14.14 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2023 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com

Loading configuration file with schema version 4.50
Sysmon schema version: 4.83
Configuration file validated.
Sysmon installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon..
Sysmon started.

 

[ 7 ]

Once Sysmon is installed properly, it will create a new event log: Microsoft-Windows-Sysmon/Operational

In the command prompt window type in the following and press the Enter key:  eventvwr

Then click on Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational

That is where Sysmon will store the events it is now tracking.

(image: the Sysmon Operational log in Event Viewer)

 

Restart the computer now

 

Then monitor the Event Log for Sysmon for any undesirable actions

 

To uninstall Sysmon once completed, please do the following

Click on START and type in CMD.EXE; when it shows on the menu, right-click it and select "Run as administrator".

Type the following and press the Enter key

CD C:\Monitor

Then type the following and press the enter key

sysmon64.exe -u

If there is an error or it refuses to uninstall, then use the following

sysmon64.exe -u force

 

 

 

 

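An added example, not code from the original post: a PowerShell script that reads the Microsoft-Windows-Sysmon/Operational log from step 7 and summarises process creations (Sysmon Event ID 1) by parent and child, so the review the post asks for can be done from the same elevated prompt instead of one entry at a time in Event Viewer. Event ID 1 and its field names (Image, ParentImage, CommandLine, User) are Sysmon's standard ones; the script's name and its two parameters are my own.

```powershell
# Added example (not from the original post): summarise recent process-creation
# events (Sysmon Event ID 1) from the log described in step 7, so they can be
# reviewed from a script rather than one by one in Event Viewer.
# Assumes Sysmon is installed as above and the shell is "Run as administrator".
param(
    [int]$Hours = 24,            # how far back to look
    [string]$ImageFilter = ''    # e.g. 'powershell.exe' to narrow to one program
)

# Sysmon writes each field as a <Data Name="..."> element; pick them up by name.
function ConvertFrom-SysmonProcessCreate {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = @{}
    foreach ($x in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
    [pscustomobject]@{
        Time        = $Event.TimeCreated
        User        = $d['User']
        ParentImage = $d['ParentImage']
        ParentCmd   = $d['ParentCommandLine']
        Image       = $d['Image']
        CommandLine = $d['CommandLine']
    }
}

$events = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1                               # Sysmon Event ID 1: process creation
        StartTime = (Get-Date).AddHours(-$Hours) } |
    ForEach-Object { ConvertFrom-SysmonProcessCreate $_ })

if ($ImageFilter) { $events = @($events | Where-Object { $_.Image -like "*$ImageFilter*" }) }

if ($events.Count -eq 0) {
    Write-Warning "No Sysmon process-creation events in the last $Hours hour(s)."
    return
}

# Parent -> child pairs, most frequent first. A parent you do not recognise
# launching a child you did not start is the entry worth a closer look.
$events | Group-Object ParentImage, Image | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Full detail, newest first, including both command lines.
$events | Sort-Object Time -Descending |
    Format-List Time, User, ParentImage, ParentCmd, Image, CommandLine
```

Save it as a .ps1 file in C:\Monitor and run it from the elevated prompt, for example `powershell -File .\Get-SysmonProcesses.ps1 -Hours 48 -ImageFilter powershell.exe`.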
  • Root Admin

For users that have the Professional version of Windows, you can also set up the following additional auditing for PowerShell. This is not supported on the Home or Educational versions of Windows.

 

Please run GPedit.msc and browse to the following tree level

Local Computer Policy -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy


Double-click and open the Audit object access entry and enable Success and Failure


 

Then open My Computer or run Windows File Explorer and browse to the following location.

C:\Windows\System32\WindowsPowerShell\v1.0

In that folder please find the file: powershell.exe

Right-Click on powershell.exe and select Properties and go to the Security tab and click the Advanced button


Then click on the Auditing tab, then the Continue button


After you click the Continue button the controls will unlock to allow editing

Currently the owner should be TrustedInstaller

Highlight the Everyone entry and click the Edit button

Make sure the Principal is set to Everyone and the Type is All, then click OK a couple of times to close out the boxes


 

Then restart your computer, and once you see PowerShell kick off again, look for it and track it down in the Event Viewer.

Write down the exact time you saw it run in case you need to isolate the time in the Event Logs

 

Below are additional methods of auditing PowerShell

 

STEP 1

Make a new folder at the top level of your C: drive named Transcripts
So it will be:  C:\Transcripts

 

STEP 2

Click on START and type in GPEDIT and you should see something like this. Run it.


 

STEP 3

Then drill down to the following path

Computer Configuration --> Administrative Templates --> Windows Components --> Windows PowerShell

 

STEP 4

We'll set the following policies


  • Turn on Module Logging

Click on the Show... button


Enter an asterisk * into the table and press the Enter key, then click the OK button


 

  • Turn on PowerShell Script Block Logging

Click on the "Log script block invocation start / stop events:" checkbox


 

  • Turn on PowerShell Transcription

Type in the name of the folder we created in STEP 1

C:\Transcripts

Place a checkmark in the "Include invocation headers:" box


 

Restart the computer

Watch the C:\Transcripts folder for entries being created

This should probably be enough to help you track down what is running PowerShell.

 

 

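The post says to write down the exact time you saw PowerShell run and then hunt for it in the Event Viewer and in C:\Transcripts. The following PowerShell function is an added example, not the original author's code: given that time, it pulls together what the three sources enabled above recorded around it. It assumes the settings from this post are in place, an elevated prompt (reading the Security log needs one), the standard event IDs 4104 (script block logging) and 4663 (object access, produced by the audit entry placed on powershell.exe), and C:\Transcripts as the transcription folder; the function name and its parameters are my own.

```powershell
# Added example (not from the original post): gather what the three sources
# enabled above recorded around the time you wrote down. Assumptions: the settings
# from this post are in place and the shell runs elevated (the Security log
# needs it). Sources used:
#   Microsoft-Windows-PowerShell/Operational, Event ID 4104: script block logged
#   Security, Event ID 4663: object access, produced by the SACL on powershell.exe
#   C:\Transcripts: the transcription folder created in STEP 1
function Find-PowerShellActivity {
    param(
        [Parameter(Mandatory)][datetime]$Around,   # time you saw PowerShell run
        [int]$Minutes = 5                           # window either side of it
    )
    $start = $Around.AddMinutes(-$Minutes)
    $end   = $Around.AddMinutes($Minutes)

    # Script blocks that executed: the code itself, not just that PowerShell ran.
    $blocks = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
            StartTime = $start; EndTime = $end } |
        ForEach-Object {
            $text = ([string]$_.Properties[2].Value) -replace '\s+', ' '
            if ($text.Length -gt 200) { $text = $text.Substring(0, 200) + '...' }
            [pscustomobject]@{ Time = $_.TimeCreated; Source = 'ScriptBlock'; Detail = $text }
        })

    # Who opened powershell.exe: ProcessName in 4663 is the program that did it.
    $access = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4663; StartTime = $start; EndTime = $end } |
        ForEach-Object {
            $d = @{}
            foreach ($x in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
            if ($d['ObjectName'] -like '*\powershell.exe') {
                [pscustomobject]@{ Time = $_.TimeCreated; Source = 'FileAccess'
                    Detail = "$($d['SubjectUserName']) via $($d['ProcessName'])" }
            }
        })

    # Transcript files written in the window; each holds a whole session's text.
    $files = @(Get-ChildItem 'C:\Transcripts' -Recurse -Filter '*.txt' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $start -and $_.LastWriteTime -le $end } |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.LastWriteTime; Source = 'Transcript'; Detail = $_.FullName }
        })

    $blocks + $access + $files | Sort-Object Time
}

# Example: you noted the PowerShell window appearing at 09:41 today.
Find-PowerShellActivity -Around (Get-Date '09:41') -Minutes 3 | Format-Table -AutoSize -Wrap
```

The Source column tells you which of the three settings produced each row, so you can see at a glance whether the launcher (FileAccess), the code it ran (ScriptBlock) or the full session (Transcript) was captured for that moment.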