Olaf Hartong

Summary

Sysmon 1.0.0 for Linux has been released as open-source software, marking Sysinternals' 25th anniversary, with initial capabilities that include process creation, network connections, and file operations monitoring.

Abstract

The release of Sysmon for Linux coincides with the 25th anniversary of Sysinternals, offering a set of monitoring tools that were previously Windows-exclusive. This initial release includes the ability to monitor process creation, network connections, process termination, raw access reads, file creation/overwrites, configuration changes, and file deletions. Sysmon for Linux leverages eBPF and shares the same manifest and schema as its Windows counterpart, ensuring consistency in event logging. Installation requires compiling and installing eBPF from Sysinternals' GitHub repository followed by Sysmon itself. While the Linux version currently supports fewer command-line options and event types compared to Windows, it logs events in a similar XML format to the syslog file, and includes a utility called sysmonLogView for easier reading. Roberto Rodriguez has provided deployment templates and an overview for users to reference.

Opinions

  • The author suggests that avid Sysmon users might notice fewer command-line options in the Linux version compared to Windows, indicating a potential area for future improvement.
  • There is an expectation that more features will be added over time, reflecting confidence in the continuous development of Sysmon for Linux.
  • The author positively notes that Sysmon for Windows and Linux share the same manifest and schema, which simplifies configuration and event schema familiarity for users transitioning from Windows to Linux.
  • The provision of an example basic configuration and the mention of Roberto Rodriguez's work indicate a community-driven approach to the deployment and configuration of Sysmon for Linux.
  • The author encourages user feedback and community engagement through a Discord server, highlighting a collaborative and user-centric approach to the tool's development.

Sysmon for Linux

Today, on the 25th birthday of Sysinternals, Sysmon 1.0.0 for Linux has been released, and it is open source software!

This short blog is a quick overview of the capabilities to give you an idea of what you can expect from this initial release.

Installing Sysmon for Linux

Sysmon relies on Sysinternals' own eBPF implementation, so you'll need to compile and install that first: https://github.com/Sysinternals/SysinternalsEBPF

Once eBPF is installed you can move on to compiling and installing Sysmon itself. The steps are well documented in the repository, so just walk through them: https://github.com/Sysinternals/SysmonForLinux

Once that is complete we can run it, and we're greeted with a familiar prompt:

Sysmon for Linux 1.0.0 banner screen

Avid Sysmon users will immediately notice that there are fewer command-line options than on Windows. However, over time I am sure more features will be added.

One thing that is cool is that Sysmon for Windows and Linux share the same manifest, and therefore the same schema. This means that every loggable event type has exactly the same set of fields, regardless of which operating system logged it.

The contents of the fields will obviously differ per operating system, and on Linux not all of them will be populated, but the field names are the same, and so is the way a configuration is written, which is great! Keep this in mind when requesting the schema: on Linux you will get the same output as on Windows.

Sysmon -c output, partial schema export

However, not all event types are supported by Sysmon for Linux at the time of release. Right now the Linux version supports the following events:

Event ID | Description
1 | Process Creation
3 | Network Connect
5 | Process Terminate
9 | RAW access read
11 | File Create / Overwrite 
16 | Sysmon config change
23 | File Delete

A great overview and deployment templates by Roberto Rodriguez can be found here

Configuration

Writing a configuration will be very familiar to people who have used Sysmon on Windows before. The exact same structure and filters apply.

Example very basic sysmon configuration

Logging

All events are written as XML to the syslog file. The Sysinternals team also included the sysmonLogView utility to parse the data into a more readable format on the local system.

Log entry example in /var/log/syslog

As you can see from the examples below, created with the sysmonLogView tool, the events look very similar to their Windows equivalents. For Process Creation events the only things that are obviously missing are the PE data and the hashes.

Process creation event sample
Network connect event sample
Process termination event sample
Process access event sample
Sysmon config change event sample
File Delete event sample
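As an added example (not code from the post or from Sysinternals), the following Python pulls a Sysmon event out of a syslog line into a flat field dictionary and then applies a Sysmon-style include/exclude rule group to it, which is what a configuration RuleGroup does on both Windows and Linux. The syslog line layout and every field value in the sample are assumptions, constructed for the example.

```python
# Parse Sysmon for Linux events from syslog and evaluate a Sysmon-style filter.
# Assumption (not from the post): the event XML follows "sysmon: " on the line.
import re
import xml.etree.ElementTree as ET

# Event IDs supported by the Linux release, as listed in the post.
EVENT_NAMES = {1: "Process Creation", 3: "Network Connect", 5: "Process Terminate",
               9: "RAW access read", 11: "File Create / Overwrite",
               16: "Sysmon config change", 23: "File Delete"}

# Constructed sample syslog line; all field values are made up.
SAMPLE_LINE = ('Oct 14 10:00:00 host1 sysmon: <Event><System><Provider Name="Linux-Sysmon"/>'
               '<EventID>1</EventID><Computer>host1</Computer></System><EventData>'
               '<Data Name="RuleName">-</Data><Data Name="Image">/usr/bin/curl</Data>'
               '<Data Name="CommandLine">curl http://example.invalid</Data>'
               '<Data Name="User">olaf</Data><Data Name="Hashes">-</Data>'
               '</EventData></Event>')

def parse_sysmon_line(line):
    """Return a flat dict of the event's fields, or None for non-Sysmon lines."""
    m = re.search(r"sysmon: (<Event>.*</Event>)", line)
    if not m:
        return None
    root = ET.fromstring(m.group(1))
    event_id = int(root.findtext("System/EventID"))
    fields = {"EventID": event_id, "Event": EVENT_NAMES.get(event_id, "Unknown"),
              "Computer": root.findtext("System/Computer")}
    for data in root.iterfind("EventData/Data"):   # <Data Name="...">value</Data>
        fields[data.get("Name")] = data.text or ""
    return fields

# Subset of Sysmon filter conditions; matching is case-insensitive as in Sysmon.
CONDITIONS = {
    "is": lambda v, t: v.lower() == t.lower(),
    "contains": lambda v, t: t.lower() in v.lower(),
    "begin with": lambda v, t: v.lower().startswith(t.lower()),
    "end with": lambda v, t: v.lower().endswith(t.lower()),
}

def rule_matches(fields, field, condition, value):
    """Evaluate one <Field condition="...">value</Field> rule against an event."""
    return CONDITIONS[condition](fields.get(field, ""), value)

def would_be_logged(fields, onmatch, rules):
    """Apply a RuleGroup with groupRelation="or" and onmatch="include"/"exclude"."""
    hit = any(rule_matches(fields, *r) for r in rules)
    return hit if onmatch == "include" else not hit
```

Feed it the lines of /var/log/syslog and it yields the same field names you would see in the Windows event, so existing Windows-side parsing and detection logic can be reused unchanged.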

Please let me know whether you like this new release, and join our community to discuss its use, configuration and other topics on our Discord server.
