Skip to content

Detect possible sysmon logging bypasses given a specific configuration

License

Notifications You must be signed in to change notification settings

mkorman90/sysmon-config-bypass-finder

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Sysmon configuration bypass finder

Find possible ways to bypass sysmon logging, given a specific configuration.

For example:

(sysmon) martin@pc:~$ analyze-sysmon-config configurations/sysmonconfig-export.xml
 
rule_type       description
--------------  ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ProcessCreate   Any CommandLine containing AcroRd32.exe" /CR
ProcessCreate   Any CommandLine containing AcroRd32.exe" --channel=
ProcessCreate   Any ParentCommandLine that ends with "-outc=C:\ProgramData\Dell\CommandUpdate\inventory.xml" "-logc=C:\ProgramData\Dell\CommandUpdate\scanerrs.xml" "-lang=en" "-enc=UTF-16"
NetworkConnect  Any Image with the name Spotify.exe
NetworkConnect  Any Image that ends with AppData\Roaming\Dropbox\bin\Dropbox.exe
NetworkConnect  Any Image with the name g2ax_comm_expert.exe
NetworkConnect  Any Image with the name g2mcomm.exe
NetworkConnect  Any Image with the name OneDrive.exe
NetworkConnect  Any Image with the name OneDriveStandaloneUpdater.exe
NetworkConnect  Any Image that ends with AppData\Local\Microsoft\Teams\current\Teams.exe
NetworkConnect  Any DestinationHostname that ends with microsoft.com
NetworkConnect  Any DestinationHostname that ends with microsoft.com.akadns.net
NetworkConnect  Any DestinationHostname that ends with microsoft.com.nsatc.net

Notes

  • The tool does not correlate between conditions, but I intend to add this feature in the future
  • ProcessCreate and NetworkConnect are the only rule types that are searched for bypasses
  • Written for python 3.7 (https://pythonclock.org/)

About

Detect possible sysmon logging bypasses given a specific configuration

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages