Sysmon is a kernel level system monitor written by Sysinternals. While we are not able to distribute Sysmon ourselves, Velociraptor can help you manage its deployment and installation.
NOTE: By default we install the sysmon config from SwiftOnSecurity - we recommend you review the config file and override it in the GUI with one that better suits your needs.
name: Windows.Sysinternals.SysmonInstall
description: |
Sysmon is a kernel level system monitor written by
Sysinternals. While we are not able to distribute Sysmon ourselves,
Velociraptor can help you manage its deployment and installation.
NOTE: By default we install the sysmon config from SwiftOnSecurity -
we recommend you review the config file and override it in the GUI
with one that better suits your needs.
tools:
- name: SysmonBinary
url: https://live.sysinternals.com/tools/sysmon64.exe
serve_locally: true
- name: SysmonConfig
url: https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml
serve_locally: true
precondition: SELECT OS From info() where OS = 'windows'
required_permissions:
- EXECVE
parameters:
- name: SysmonFileLocation
description: If set, we check this location first for sysmon installed.
default: C:/Windows/sysmon64.exe
sources:
- query: |
LET bin <= SELECT * FROM switch(
a={
SELECT * FROM glob(globs=SysmonFileLocation)
}, b={
SELECT * FROM Artifact.Generic.Utils.FetchBinary(
ToolName="SysmonBinary")
})
LET existing_hash = SELECT lowcase(
string=parse_string_with_regex(
string=Stdout, regex="hash:.+SHA256=([^\\n\\r]+)").g1) AS Hash
FROM execve(argv=[bin[0].OSPath, "-c"])
LET sysmon_config = SELECT * FROM Artifact.Generic.Utils.FetchBinary(
ToolName="SysmonConfig", IsExecutable=FALSE)
LET ensure_service_running =
SELECT * FROM execve(argv=["sc.exe", "start", "sysmon64"])
LET doit = SELECT * FROM chain(
a={
// First force an uninstall to clear the config
SELECT * FROM execve(argv= [ bin[0].OSPath, "-accepteula", "-u"], length=10000000)
}, b={
SELECT * FROM execve(argv= [ bin[0].OSPath,
"-accepteula", "-i", sysmon_config[0].OSPath ], length=10000000)
}, c=ensure_service_running)
// Only install sysmon if the existing config hash is not the same
// as the specified hash.
SELECT * FROM if(
condition=if(
condition=bin AND sysmon_config,
else=log(message="Failed to fetch sysmon tools!"),
then=if(
condition=existing_hash[0].Hash != Tool_SysmonConfig_HASH,
then=log(message="Sysmon config hash has changed (%v vs %v) - reinstalling",
args=[existing_hash[0].Hash, Tool_SysmonConfig_HASH]),
else=log(message="Existing sysmon config hash has not changed (%v) - skipping reinstall",
args=Tool_SysmonConfig_HASH) AND FALSE
)
),
then={ SELECT * FROM doit },
else={ SELECT * FROM ensure_service_running })