
We should clarify upfront that this article will not address issues related to deliberate log cleaning or improper configuration of audit policies in a domain (Audit Policy). Instead, we will focus on how to enhance the informativeness and capabilities of event auditing by using the System Monitor (Sysmon) utility in a Windows environment (from Windows 7 for client nodes and from Windows Server 2008 R2 for servers).
Sysmon
You can download the utility from the Microsoft Docs website in the Windows Sysinternals section. Windows Sysinternals, created by Mark Russinovich and others, includes many other useful utilities, so take the time to explore them. Also, check out the collection of resources on GitHub.
For this article, we’ll use a special pre-built package available on GitHub, which includes the Sysmon Threat Intelligence Configuration file from ION-STORM. It is specifically designed for identifying cybersecurity incidents and can serve as a solid foundation for creating your own configuration files.
The utility can be installed individually on each workstation or using Group Policy in the domain. The configuration file mostly specifies the complete standard paths for various software:
<Image condition="is">C:\Program Files\OpenVPN\bin\openvpn-gui.exe</Image>
<ImageLoaded condition="contains">C:\Program Files (x86)\Notepad++</ImageLoaded>
In a specific IT infrastructure, this might require some tweaking. For example, corporate policy might dictate that programs be installed on the D:
drive instead of C:
. The toolset is highly flexible, allowing you to configure any rules aimed at monitoring specific actions or excluding them from your view.
After installation, you will have a new log (Channel) called Microsoft-Windows-Sysmon/Operational. In this log, Sysmon highlights 18 task categories, including: Process Create, Network Connect, Driver Load, ProcessAccess, and File Create.

Network Interaction Auditing
Let’s move on to the practical application of Sysmon.
Imagine the network interaction between two nodes: Node A is contacting Node B, and this contact is not authorized, raising suspicion of a cybersecurity incident. Traces of this network interaction will be searched for in the operating system as a last resort, starting instead with active network equipment. What information can a firewall or router provide if it is monitoring this network interaction?
<190>%ASA-6-302014: Teardown TCP connection 2047052539 for outside:IP_1/60307 (DOMAIN\USER_NAME) to dmz-0:IP_2/22 duration 0:00:16 bytes 5675 TCP FINs (USER_NAME)
We can only see the source IP_1 and the destination IP_2. Essentially, additional efforts will be required: you’ll need to analyze node A (IP_1) in a semi-automatic or manual mode to identify the real source of the network activity. It’s important to remember that if the network activity doesn’t extend beyond the network segment controlled by the firewall, or if relevant events are not logged by the firewall—as often happens—then nothing will be found in the logs.
Let’s say you managed to deploy a sniffer at this moment or preemptively divert traffic through a SPAN port to create a PCAP file. What will this accomplish?

We can see who, where, and, if we’re very lucky, with what tool—in this case, PuTTY. However, there’s no information on the application’s installation location, the executable file’s name, or its creation date. While these might seem like trivial attributes for PuTTY, they become crucial when you’re tracking traces of unauthorized actions or malware. Additionally, a malicious program might pose as a legitimate application, prompting you to dismiss a security incident as a false positive based solely on the application’s name retrieved from a network traffic dump.
Now, let’s take a look at the Microsoft-Windows-Sysmon/Operational channel. It contains the following event:
Network connection detected:
UtcTime: 2018-02-08 11:33:49.672
ProcessGuid: {4e1a728b-358a-5a7c-0000-00108901d000}
ProcessId: 4636
Image: C:\Users\USER_NAME\Desktop\putty.exe
User: DOMAIN\USER_NAME
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: IP_1
SourceHostname: COMP_NAME.DOMAIN
SourcePort: 60307
SourcePortName:
DestinationIsIpv6: false
DestinationIp: IP_2
DestinationHostname:
DestinationPort: 22
DestinationPortName: ssh
We can see who communicates where, using what, along with additional network interaction parameters (protocol, port). Now, in the same channel, we’ll locate the Process Create event using the ProcessGuid field value to gather more information about the source of this network activity.
Process Create:
UtcTime: 2018-02-08 11:33:30.583
ProcessGuid: {4e1a728b-358a-5a7c-0000-00108901d000}
ProcessId: 4636
Image: C:\Users\USER_NAME\Desktop\putty.exe
CommandLine: "C:\Users\USER_NAME\Desktop\putty.exe"
CurrentDirectory: C:\Users\USER_NAME\Desktop\
User: DOMAIN\USER_NAME
LogonGuid: {4e1a728b-268c-5a7c-0000-0020d3a20600}
LogonId: 0x6A2D3
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=7AFB56DD48565C3C9804F683C80EF47E5333F847F2D3211EC11ED13AD36061E1,IMPHASH=EFE162FD3D51DED9DD66FA4AC219BF53
ParentProcessGuid: {4e1a728b-268d-5a7c-0000-001023de0600}
ParentProcessId: 3632
ParentImage: C:\Windows\explorer.exe
ParentCommandLine: C:\Windows\Explorer.EXE
We can see that a process has been created, and the hash value of the file that spawned this process has been identified. Now, you can verify this file using its hash:
- Using corporate “whitelists” of approved software;
- Checking against the manufacturer’s official website for software compliance;
- In Threat Intelligence service rankings;
- On platforms like VirusTotal.

It is worth noting that in network nodes where there are restrictions on installing antivirus protection tools (such as dispatcher terminals, technological workstations, and the like), hash analysis—particularly the automated kind through correlation with Threat Intelligence services, for example in Security Information and Event Management (SIEM) systems—can serve as an effective compensating measure for combating malicious software.
In continuing with the theme of tracking file-related activities, it is important to note that by default, the specified configuration file allows monitoring the creation of files in the operating system that could potentially be sources of information security incidents. This includes digital certificates, executable files, library files, PowerShell files, RDP files, MS Office files with macro support, as well as files created in specific directories of the file system.
File created:
UtcTime: 2018-02-08 11:50:39.893
ProcessGuid: {4e1a728b-283b-5a7c-0000-00107b384a00}
ProcessId: 2780
Image: C:\Program Files\Microsoft Office\Office15\WINWORD.EXE
TargetFilename: C:\Users\USER_NAME\Desktop\Doc1.docm
CreationUtcTime: 2018-02-08 11:50:39.893
Files or actions that lead to changes in registry settings are also subject to logging. For example, associating the DOCM file type, which was first used in the operating system when the file Doc1.
was created, with the MS Word application:
Registry value set:
EventType: SetValue
UtcTime: 2018-02-08 11:50:40.550
ProcessGuid: {4e1a728b-268d-5a7c-0000-001023de0600}
ProcessId: 3632
Image: C:\Windows\Explorer.EXE
TargetObject: \REGISTRY\USER\S-1-5-21-1626002472-1445367128-3583509536-1113\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docm\OpenWithList\a
Details: WINWORD.EXE
For a security professional, it might be of interest when a malicious file re-associates legitimately assigned corporate applications for certain file types, thereby “forcing” the use of a vulnerable application. Another example is the alteration of operating system registry keys that affect the boot parameters of the OS, aiming to lower its security level after the next reboot (such as disabling antivirus or other information protection tools).
Centralized Collection and Storage of Events
To ensure centralized collection and storage of event logs from all network nodes, and to limit an attacker’s ability to clear logs on a compromised node, it is common to consolidate data on a dedicated node. This node should have the Windows Event Collector service running. As a result, events will appear in the Forwarded Events log.
You need to take the following steps on each workstation, either individually or by using group policies within the domain:
- Add the user, under whose name the “COLLECTOR” events will be collected, to the local group “Event log reader”.
- Run the command as an administrator (Run as) to execute it.
- Run the command as an administrator (Run as) to execute it and obtain the string
channelAccess:
.DATA - Run the command as an administrator (Run as) to execute it and obtain
UID_COLLECTOR
. - Run the command as an administrator (Run as) to execute it and grant extended access rights to the Microsoft-Windows-Sysmon/Operational channel for the COLLECTOR account.
- Add this node to a specially created Subscription for centralized collection and storage of events on a designated node running the Windows Event Collector service.
Conclusion
Our experience has shown that standard logging tools are often insufficient for a comprehensive analysis of suspicious network events, especially when it comes to targeted attacks on organizations. In such cases, Sysmon can be a highly promising solution, with its potential applications limited only by the imagination of the cybersecurity specialist using it.

2023.02.12 — Gateway Bleeding. Pentesting FHRP systems and hijacking network traffic
There are many ways to increase fault tolerance and reliability of corporate networks. Among other things, First Hop Redundancy Protocols (FHRP) are used for this…
Full article →
2023.04.04 — Serpent pyramid. Run malware from the EDR blind spots!
In this article, I'll show how to modify a standalone Python interpreter so that you can load malicious dependencies directly into memory using the Pyramid…
Full article →
2022.06.03 — Vulnerable Java. Hacking Java bytecode encryption
Java code is not as simple as it seems. At first glance, hacking a Java app looks like an easy task due to a large number of available…
Full article →
2022.01.13 — Bug in Laravel. Disassembling an exploit that allows RCE in a popular PHP framework
Bad news: the Ignition library shipped with the Laravel PHP web framework contains a vulnerability. The bug enables unauthorized users to execute arbitrary code. This article examines…
Full article →
2022.01.11 — Persistence cheatsheet. How to establish persistence on the target host and detect a compromise of your own system
Once you have got a shell on the target host, the first thing you have to do is make your presence in the system 'persistent'. In many real-life situations,…
Full article →
2023.02.21 — Herpaderping and Ghosting. Two new ways to hide processes from antiviruses
The primary objective of virus writers (as well as pentesters and Red Team members) is to hide their payloads from antiviruses and avoid their detection. Various…
Full article →
2022.01.12 — First contact. Attacks against contactless cards
Contactless payment cards are very convenient: you just tap the terminal with your card, and a few seconds later, your phone rings indicating that…
Full article →
2022.06.01 — First contact. Attacks on chip-based cards
Virtually all modern bank cards are equipped with a special chip that stores data required to make payments. This article discusses fraud techniques used…
Full article →
2023.03.03 — Infiltration and exfiltration. Data transmission techniques used in pentesting
Imagine a situation: you managed to penetrate the network perimeter and gained access to a server. This server is part of the company's internal network, and, in theory, you could…
Full article →
2023.02.13 — First Contact: Attacks on Google Pay, Samsung Pay, and Apple Pay
Electronic wallets, such as Google Pay, Samsung Pay, and Apple Pay, are considered the most advanced and secure payment tools. However, these systems are also…
Full article →