Sysmon

This Visual Studio Code extension is for heping in the writting of Sysmon XML configuration files.

Features

This extensions offers a series of snippets for helping in building a Microsofty Sysinternals Sysmon XML configuration. The extension is based on the 4.30 version of the Sysinternals Sysmon schema. It also provide automatic closing of element tags for the filter fields.

Usage

Change the language to Sysmon on a existing XML file or use the extension ".smc".

Set Language to Sysmon

It is easy to create a initial configuration with the snippets.

Configuration Template

A RuleGroups and Rules snippets have options ready for name and setting logic.

Configuration Template

Individual filters in a Rule or outside of one are easier to write.

Filter

Snippets

General snippets for the building of the initial structure of the configuration file.

Name	Description
comment	Sysmon Comment
sysmon_config	Template Sysmon Config
rulegroup	Sysmon RuleGroup
rule	Sysmon Rule
condition	Filter condition operator used

Snippets for each of the individual filters available in the schema with the exception of the run time unique ones that one would not filter on like ProcessID, UTC Time, Sysmon system unique GUIDs and others.

Name	Description
!ProcessCreate	Sysmon EventType ProcessCreate
!FileCreateTime	Sysmon EventType FileCreateTime
!NetworkConnect	Sysmon EventType NetworkConnect
!ProcessTerminate	Sysmon EventType ProcessTerminate
!DriverLoad	Sysmon EventType DriverLoad
!ImageLoad	Sysmon EventType ImageLoad
!CreateRemoteThread	Sysmon EventType CreateRemoteThread
!RawAccessRead	Sysmon EventType RawAccessRead
!ProcessAccess	Sysmon EventType ProcessAccess
!FileCreate	Sysmon EventType FileCreate
!RegistryEvent	Sysmon EventType RegistryEvent
!FileCreateStreamHash	Sysmon EventType FileCreateStreamHash
!PipeEvent	Sysmon EventType PipeEvent
!WmiEvent	Sysmon EventType WmiEvent
!DnsQuery	Sysmon EventType DnsQuery
!CallTrace	Sysmon event field CallTrace filter
!CommandLine	Sysmon event field CommandLine filter
!Company	Sysmon event field Company filter
!Configuration	Sysmon event field Configuration filter
!ConfigurationFileHash	Sysmon event field ConfigurationFileHash filter
!Consumer	Sysmon event field Consumer filter
!CurrentDirectory	Sysmon event field CurrentDirectory filter
!Description	Sysmon event field Description filter
!Destination	Sysmon event field Destination filter
!DestinationHostname	Sysmon event field DestinationHostname filter
!DestinationIp	Sysmon event field DestinationIp filter
!DestinationIsIpv6	Sysmon event field DestinationIsIpv6 filter
!DestinationPort	Sysmon event field DestinationPort filter
!DestinationPortName	Sysmon event field DestinationPortName filter
!Details	Sysmon event field Details filter
!Device	Sysmon event field Device filter
!EventNamespace	Sysmon event field EventNamespace filter
!EventType	Sysmon event field EventType filter
!FileVersion	Sysmon event field FileVersion filter
!Filter	Sysmon event field Filter filter
!GrantedAccess	Sysmon event field GrantedAccess filter
!Hash	Sysmon event field Hash filter
!Hashes	Sysmon event field Hashes filter
!ID	Sysmon event field ID filter
!Image	Sysmon event field Image filter
!ImageLoaded	Sysmon event field ImageLoaded filter
!Initiated	Sysmon event field Initiated filter
!IntegrityLevel	Sysmon event field IntegrityLevel filter
!Name	Sysmon event field Name filter
!NewName	Sysmon event field NewName filter
!Operation	Sysmon event field Operation filter
!OriginalFileName	Sysmon event field OriginalFileName filter
!ParentCommandLine	Sysmon event field ParentCommandLine filter
!ParentImage	Sysmon event field ParentImage filter
!PipeName	Sysmon event field PipeName filter
!PreviousCreationUtcTime	Sysmon event field PreviousCreationUtcTime filter
!Product	Sysmon event field Product filter
!Protocol	Sysmon event field Protocol filter
!Query	Sysmon event field Query filter
!QueryName	Sysmon event field QueryName filter
!QueryResults	Sysmon event field QueryResults filter
!QueryStatus	Sysmon event field QueryStatus filter
!SchemaVersion	Sysmon event field SchemaVersion filter
!Signature	Sysmon event field Signature filter
!SignatureStatus	Sysmon event field SignatureStatus filter
!Signed	Sysmon event field Signed filter
!SourceHostname	Sysmon event field SourceHostname filter
!SourceImage	Sysmon event field SourceImage filter
!SourceIp	Sysmon event field SourceIp filter
!SourceIsIpv6	Sysmon event field SourceIsIpv6 filter
!SourcePort	Sysmon event field SourcePort filter
!SourcePortName	Sysmon event field SourcePortName filter
!SourceThreadId	Sysmon event field SourceThreadId filter
!StartAddress	Sysmon event field StartAddress filter
!StartFunction	Sysmon event field StartFunction filter
!StartModule	Sysmon event field StartModule filter
!State	Sysmon event field State filter
!TargetFilename	Sysmon event field TargetFilename filter
!TargetImage	Sysmon event field TargetImage filter
!TargetObject	Sysmon event field TargetObject filter
!Type	Sysmon event field Type filter
!User	Sysmon event field User filter
!Version	Sysmon event field Version filter

When working with Rule elements in the config where he order of the field play an important role these snippets will put all fileds one would filter on in the order as they appear in the schema. Each with positions set for the name and the condition with a option set to make it easier to select.

Name	Description
!sysmon_create_process_filter_set	Sysmon EventType SYSMON_CREATE_PROCESS filter set.
!sysmon_file_time_filter_set	Sysmon EventType SYSMON_FILE_TIME filter set.
!sysmon_network_connect_filter_set	Sysmon EventType SYSMON_NETWORK_CONNECT filter set.
!sysmon_process_terminate_filter_set	Sysmon EventType SYSMON_PROCESS_TERMINATE filter set.
!sysmon_driver_load_filter_set	Sysmon EventType SYSMON_DRIVER_LOAD filter set.
!sysmon_image_load_filter_set	Sysmon EventType SYSMON_IMAGE_LOAD filter set.
!sysmon_create_remote_thread_filter_set	Sysmon EventType SYSMON_CREATE_REMOTE_THREAD filter set.
!sysmon_rawaccess_read_filter_set	Sysmon EventType SYSMON_RAWACCESS_READ filter set.
!sysmon_access_process_filter_set	Sysmon EventType SYSMON_ACCESS_PROCESS filter set.
!sysmon_file_create_filter_set	Sysmon EventType SYSMON_FILE_CREATE filter set.
!sysmon_reg_key_filter_set	Sysmon EventType SYSMON_REG_KEY filter set.
!sysmon_reg_setvalue_filter_set	Sysmon EventType SYSMON_REG_SETVALUE filter set.
!sysmon_reg_name_filter_set	Sysmon EventType SYSMON_REG_NAME filter set.
!sysmon_file_create_stream_hash_filter_set	Sysmon EventType SYSMON_FILE_CREATE_STREAM_HASH filter set.
!sysmon_create_namedpipe_filter_set	Sysmon EventType SYSMON_CREATE_NAMEDPIPE filter set.
!sysmon_connect_namedpipe_filter_set	Sysmon EventType SYSMON_CONNECT_NAMEDPIPE filter set.
!sysmon_wmi_filter_filter_set	Sysmon EventType SYSMON_WMI_FILTER filter set.
!sysmon_wmi_consumer_filter_set	Sysmon EventType SYSMON_WMI_CONSUMER filter set.
!sysmon_wmi_binding_filter_set	Sysmon EventType SYSMON_WMI_BINDING filter set.
!sysmon_dns_query_filter_set	Sysmon EventType SYSMON_DNS_QUERY filter set.
!sysmon_filedelete_set	Sysmon EventType SYSMON_FILE_DELETE filter set.
!sysmon_clipboardchange_set	Sysmon EventType SYSMON_CLIPBOARD filter set.
!sysmon_processtampering_set	Sysmon EventType SYSMON_PROCESS_IMAGE_TAMPERING filter set.

Release Notes

1.3.0

Added support for Sysmon Process Tampering EventId 25.
Fixed multiple typos.

1.2.0

Added support for Sysmon Clipboard Change EventId 24.

1.0.0

Initial release.

Questions, issues, feature requests, and contributions

If you come across a problem with the extension, please file an issue
Contributions are always welcome!
Any and all feedback is appreciated and welcome!
- If someone has already filed an issue that encompasses your feedback, please leave a 👍/👎 reaction on the issue
- Otherwise please file a new issue

Sysmon

DarkOperator

Sysmon

Features

Usage

Snippets

Release Notes

1.3.0

1.2.0

1.0.0

Questions, issues, feature requests, and contributions