Jump to content
  • Microsoft releases Linux version of the Windows Sysmon tool


    Karlston

    • 1k views
    • 4 minutes
     Share


    • 1k views
    • 4 minutes

    Microsoft has released a Linux version of the very popular Sysmon system monitoring utility for Windows, allowing Linux administrators to monitor devices for malicious activity. 

     

    For those not familiar with Sysmon (aka System Monitor), it is a Sysinternals tool that monitors a system for malicious activity and then logs any detected behavior into system log files.

     

    Sysmon's versatility comes from the ability to create custom configuration files that administrators can use to monitor for specific system events that may indicate malicious activity is occurring on the system.

    Sysmon ported to Linux

    Today, Microsoft's Mark Russinovich and a cofounder of the Sysinternals utility suite, announced that Microsoft had released Sysmon for Linux as an open-source project on GitHub.

     

    Unlike Sysmon for Windows, Linux users will be required to compile the program themselves and ensure that they have all the required dependencies, with instructions provided on the project's GitHub page.

     

    It is important to note that to compile Sysmon, you must first also install the SysinternalsEBPF project.

     

    Once Sysmon is compiled, you can see a help file by typing sudo ./sysmon -h, as shown in the screenshot below.

     

    sysmon-help.jpg

    Sysmon for Linux help file
    Source: BleepingComputer

    To use the program, you first need to accept the end-user license agreement with the following command:

    sudo ./sysmon -accepteula

    Then you can launch Sysmon with or without a configuration file using one of the following commands:

    Without configuration file:
    
    sudo ./sysmon -i
    
    With configuration file:
    
    sudo ./sysmon -i CONFIG_FILE

    To create your own Sysmon configuration file, you would need to use ./sysmon -s command to view the current version's configuration schema and see what directives are available.

     

    To learn more about creating a Sysmon configuration file, you can consult the official documentation or use SwiftOnSecurity's template as an example.

     

    enable-dnsquery.jpg

    Basic Windows Sysmon config file that enables DNSQuery Logging

    Once started, Sysmon will begin logging events to the /var/log/syslog file. If you did not specify a configuration file to restrict what is logged, you will find that your syslog file quickly grows as new processes are launched and terminated.

     

    For example, in the screenshot below, you can see an event showing the 'adduser' command terminating after I used it to create a new user.

     

    sysmon-logs.jpg

    Sysmon events logged to /var/log/syslog
    Source: BleepingComputer

    To make it easier to filter the logs for specific events, you can use the sysmonLogView utility to show the events you are looking for.

     

    The current events IDs that Sysmon for Linux is capable of logging are listed below:

     

    • 1: SYSMONEVENT_CREATE_PROCESS
    • 2: SYSMONEVENT_FILE_TIME
    • 3: SYSMONEVENT_NETWORK_CONNECT
    • 4: SYSMONEVENT_SERVICE_STATE_CHANGE
    • 5: SYSMONEVENT_PROCESS_TERMINATE
    • 6: SYSMONEVENT_DRIVER_LOAD
    • 7: SYSMONEVENT_IMAGE_LOAD
    • 8: SYSMONEVENT_CREATE_REMOTE_THREAD
    • 9: SYSMONEVENT_RAWACCESS_READ
    • 10: SYSMONEVENT_ACCESS_PROCESS
    • 11: SYSMONEVENT_FILE_CREATE
    • 12: SYSMONEVENT_REG_KEY
    • 13: SYSMONEVENT_REG_SETVALUE
    • 14: SYSMONEVENT_REG_NAME
    • 15: SYSMONEVENT_FILE_CREATE_STREAM_HASH
    • 16: SYSMONEVENT_SERVICE_CONFIGURATION_CHANGE
    • 17: SYSMONEVENT_CREATE_NAMEDPIPE
    • 18: SYSMONEVENT_CONNECT_NAMEDPIPE 
    • 19: SYSMONEVENT_WMI_FILTER
    • 20: SYSMONEVENT_WMI_CONSUMER
    • 21: SYSMONEVENT_WMI_BINDING
    • 22: SYSMONEVENT_DNS_QUERY
    • 23: SYSMONEVENT_FILE_DELETE
    • 24: SYSMONEVENT_CLIPBOARD
    • 25: SYSMONEVENT_PROCESS_IMAGE_TAMPERING
    • 26: SYSMONEVENT_FILE_DELETE_DETECTED
    • 255: SYSMONEVENT_ERROR

     

    As you can see, many of these events do not apply to Linux, such as the Registry or WMI events, so you will need to adjust your configuration accordingly.

     

    Sysmon is a powerful tool widely used in Windows environments as part of an organization's security toolbox.

     

    With its addition to Linux, a whole new segment of system administrators can utilize it to provide free system monitoring for malicious activity.

     

     

    Microsoft releases Linux version of the Windows Sysmon tool


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...