Sysmon Shell can aid in writing and applying Sysmon XML configuration through a simple GUI interface, it can also be used to learn more about Sysmon configuration options available with each release, in a nutshell:
- Sysmon Shell can load Sysmon XML files configurations: with version 1.0, I am only supporting the latest schema v3.30 for Sysmon v6.01 and above, future updates to Sysmon will be supported. In addition, the tool won’t be loading any configuration of Sysmon from registry, however, I might add support to this feature in the future.
- It can export/save the final XML to a file.
- It can apply the generated XML file by calling Sysmon.exe -c directly (creating a temp XML file in the same folder where Sysmon is installed), for this reason, it will need elevated privileges (the need for this is inherited from Sysmon), the output of applying the configuration will be displayed in the preview pan (Sysmon output)
- XML Configuration can be previewed before saving in the preview pan
- If you are using Sysmon for malware analysis, you might find the last tap marked “Logs Export” useful, as it allows exporting Sysmon logs to XML file for use later, for example, I use it in Sysmon View for later analysis, the export has 3 options:
- Export only
- Export and clear Sysmon event log
- Export, backup evtx file and clear the event log
- The utility contains descriptions for all events types taken from Sysmon Sysinternals home page (https://technet.microsoft.com/en-us/sysinternals/sysmon)
Leave a Reply