下载地址
一、基本命令
# Sysmon service management from an elevated (administrator) prompt.
# NOTE(review): on 64-bit Windows the Sysmon64.exe binary is normally used — confirm for your build.
Sysmon -i #install with the default (built-in) configuration; without -accepteula the EULA prompt is shown
Sysmon -accepteula -i xxxx.xml #install using the given configuration file, accepting the EULA non-interactively
Sysmon -c xxxx.xml #replace the configuration of an already-installed Sysmon with xxxx.xml
Sysmon -u #uninstall the Sysmon service and driver
二、配置文件
2.1常用配置文件
2.1.1记录全部日志
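<Sysmon schemaversion="4.21">
  <!-- Record every supported hash type for the images/files Sysmon reports on -->
  <HashAlgorithms>*</HashAlgorithms>
  <!-- Also check the revocation status of image signing certificates -->
  <CheckRevocation/>
  <EventFiltering>
    <!-- An "exclude" rule with no conditions excludes nothing, so every event
         of that type is recorded. ImageLoad, RegistryEvent and ProcessAccess
         are high-volume on a busy host; size the event log accordingly. -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude"></ProcessCreate>
      <FileCreateTime onmatch="exclude"></FileCreateTime>
      <NetworkConnect onmatch="exclude"></NetworkConnect>
      <ProcessTerminate onmatch="exclude"></ProcessTerminate>
      <DriverLoad onmatch="exclude"></DriverLoad>
      <ImageLoad onmatch="exclude"></ImageLoad>
      <CreateRemoteThread onmatch="exclude"></CreateRemoteThread>
      <RawAccessRead onmatch="exclude"></RawAccessRead>
      <ProcessAccess onmatch="exclude"></ProcessAccess>
      <FileCreate onmatch="exclude"></FileCreate>
      <RegistryEvent onmatch="exclude"></RegistryEvent>
      <FileCreateStreamHash onmatch="exclude"></FileCreateStreamHash>
      <PipeEvent onmatch="exclude"></PipeEvent>
      <!-- WmiEvent (WMI filter/consumer/binding activity) is part of this schema
           but was missing from the original list; added so it is logged too. -->
      <WmiEvent onmatch="exclude"></WmiEvent>
      <DnsQuery onmatch="exclude"></DnsQuery>
    </RuleGroup>
  </EventFiltering>
</Sysmon>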
2.1.2 按条件过滤示例（include 规则）
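<Sysmon schemaversion="4.21">
  <!-- Wrapped in the Sysmon root element so the example can be loaded with
       "Sysmon -c <file>"; the original fragment started at EventFiltering. -->
  <EventFiltering>
    <!-- groupRelation="and": a process-creation event is logged only when the
         image path contains "timeout.exe" AND the command line contains "100".
         "contains" matches anywhere in the value, so it also matches paths that
         merely embed that string; condition="image" or "end with" gives a
         stricter file-name match. -->
    <RuleGroup name="group 1" groupRelation="and">
      <ProcessCreate onmatch="include">
        <Image condition="contains">timeout.exe</Image>
        <CommandLine condition="contains">100</CommandLine>
      </ProcessCreate>
    </RuleGroup>
    <!-- groupRelation="or": a termination event is logged when either image matches -->
    <RuleGroup groupRelation="or">
      <ProcessTerminate onmatch="include">
        <Image condition="contains">timeout.exe</Image>
        <Image condition="contains">ping.exe</Image>
      </ProcessTerminate>
    </RuleGroup>
    <!-- An "include" rule with no conditions matches nothing, so ImageLoad
         events are effectively turned off by this line. -->
    <ImageLoad onmatch="include"/>
  </EventFiltering>
</Sysmon>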
2.1.3 通用配置
下载地址
2.1.4配置文件注释
下载地址
一些有用的教程