This updated Sysmon configuration file has been customized to improve logging for Command Prompt (cmd.exe) and PowerShell activities. The configuration captures detailed information about command-line processes, ensuring visibility into executed commands, including their arguments. It is especially valuable for monitoring security-related events in environments where both cmd.exe and PowerShell are used extensively.
- Captures commands executed in
cmd.exe:- Includes full command-line arguments, e.g.,
ping zake.com -a. - Tracks all process creation events initiated from
cmd.exe.
- Includes full command-line arguments, e.g.,
- Parent-Child Process Tracking:
- Logs details about child processes spawned by
cmd.exe(e.g.,ping.exe).
- Logs details about child processes spawned by
- Tracks PowerShell Executions:
- Logs commands and script blocks executed via
powershell.exe,powershell_ise.exe, andpwsh.exe(PowerShell Core). - Captures full command-line arguments for PowerShell processes.
- Logs commands and script blocks executed via
- Complements Native Logging:
- Works alongside Windows' Script Block Logging for more comprehensive monitoring.
- Event ID 1 (Process Creation):
- Captures process creation events, including parent-child relationships.
- Logs executed commands with full arguments.
- Parent-Child Process Relationships:
- Links parent processes (e.g.,
cmd.exe,powershell.exe) to child processes.
- Links parent processes (e.g.,
- Security auditing and forensic investigations.
- Detection of suspicious activity such as unauthorized scripts or commands.
- Monitoring administrative tasks executed via cmd.exe or PowerShell.
- Location:
Event Viewer > Windows Logs > Security
- Event ID:
4688
- Details Captured:
- Command-line arguments if
Audit Command Line Process Creationis enabled.
- Command-line arguments if
- Location:
Event Viewer > Applications and Services Logs > Microsoft > Windows > PowerShell > Operational
- Event IDs:
4104(Script Blocks)4103(Modules)
- Details Captured:
- Commands, script blocks, and module activities.
- Comprehensive visibility into command-line and script execution activities.
- Early detection of unauthorized or malicious activity.
- Enhanced forensic and auditing capabilities for compliance and security monitoring.
This configuration is a valuable tool for system administrators and security professionals aiming to strengthen monitoring and incident response processes.
Run with administrator rights
sysmon.exe -i sysmonconfig-custom-by-zake.xml -accepteula
Run with administrator rights
sysmon.exe -c sysmonconfig-custom-by-zake.xml
Run with administrator rights
sysmon.exe -u
Highly recommend using Notepad++ to edit this configuration. It understands UNIX newline format and does XML syntax highlighting, which makes this very understandable. I do not recommend using the built-in Notepad.exe.
You will need to install and observe the results of the configuration in your own environment before deploying it widely. For example, you will need to exclude actions of your antivirus, which will otherwise likely fill up your logs with useless information.
The configuration is highly commented and designed to be self-explanatory to assist you in this customization to your environment.
This configuration expects software to be installed system-wide and NOT in the C:\Users folder. Various pieces of software install themselves in User directories, which are subject to extra monitoring. Where possible, you should install the system-wide version of these pieces of software, like Chrome. See the configuration file for more instructions.
I just update it, Original config is from SwiftOnSecurity