The Lack of a Sysmon Configuration Schema

The core of effective Sysmon use is in writing good XML configurations. If you're new to Sysmon and want to learn more about writing configs, I recommend any of the following resources:

- amazingly well-documented Sysmon config.
- Any Sysmon-related blog post from Carlos Perez.
- Sysinternals Sysmon Suspicious Activity Guide.

Other than that, you won't find any official documentation, as Sysmon is technically not an "official Microsoft product." Another thing you won't find is a schema describing the format of an XML configuration. Why is this important? Well, as new features are released that can be expressed in a config file, how do you actually know how to use them without fumbling around yourself or waiting for someone else to show you what's new?

Now, technically, there are schemas embedded in sysmon.exe itself, so you could certainly run strings.exe on it, or pull them out more surgically with IDA, and you would find that it uses antiquated DTD schemas to perform XML validation. Why should I have to extract a schema with strings.exe? Having a command-line switch to do so would be really nice, just as they supply the "-s" switch to dump the event log manifest XML. DTD is far from being an expressive schema language. As of the latest Sysmon schema version (3.40), the embedded schema doesn't even validate! The reason it doesn't validate is that it has repeating RegistryEvent and WmiEvent definitions.

XSD allows you to define simple and complex type definitions as well as impose restrictions on the types of data that can be supplied to an XML document instance. In other words, if written well, an XSD would serve as sufficient documentation for those wanting to write Sysmon configs. XSDs also enable code generation via xsd.exe: with an XSD, I would be able to auto-generate C# that would allow me to serialize Sysmon configs to/from managed code. An XSD more easily facilitates writing tooling to validate an XML document against the schema. With an XSD, tools like Visual Studio will give you tab completion and automatic XML document generation when writing XML. You can technically do this with DTD schemas as well, but again, DTD is not expressive, so your validation will only get you so far.

So rather than incessantly complain about the lack of a proper Sysmon configuration schema (I'll probably still do that anyway), I just wrote my own, and in doing so, it enabled the development of a bunch of new tools in my PSSysmonTools PowerShell module. The remainder of this post will show these tools in action.

I love the idea of breaking configs out for many reasons, but primarily because it enables the maintenance of separate configs. After all, there is no one-size-fits-all Sysmon config. Also, imagine that your red team maintained their own internal Sysmon config that captured many of their specific TTPs. It makes sense to maintain a config that is specific to red team TTPs so that a customer could easily merge it into their base config and deploy accordingly. The only problem with breaking out configs is that, at the time, there was no tooling to facilitate selective merging of configs, so I wrote Merge-SysmonXMLConfiguration to make merging configs pretty mindless.
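To make the XSD argument above concrete, here is an added example (not code from the original post or from PSSysmonTools) of schema validation driven from PowerShell with the .NET System.Xml.Schema APIs. The XSD it uses is a deliberately small, constructed subset of the schema 3.40 config layout (two event types, three rule fields, the include/exclude and condition enumerations); it is an assumption for illustration, not the author's schema or anything extracted from sysmon.exe. Test-SysmonConfigSchema is likewise a hypothetical name for this page.

```powershell
# Added example, not code from the original post or from PSSysmonTools.
# Test-SysmonConfigSchema is a hypothetical name. The XSD is a constructed,
# deliberately small subset of the schema 3.40 config format, not the real schema.
$sysmonXsd = @'
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <!-- XSD lets the allowed attribute values and element content be spelled out and type-checked. -->
  <xs:simpleType name="OnMatchType">
    <xs:restriction base="xs:string">
      <xs:enumeration value="include"/>
      <xs:enumeration value="exclude"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:simpleType name="ConditionType">
    <xs:restriction base="xs:string">
      <xs:enumeration value="is"/>
      <xs:enumeration value="contains"/>
      <xs:enumeration value="begin with"/>
      <xs:enumeration value="end with"/>
      <xs:enumeration value="image"/>
    </xs:restriction>
  </xs:simpleType>
  <!-- A field rule such as <Image condition="end with">\powershell.exe</Image> -->
  <xs:complexType name="RuleType">
    <xs:simpleContent>
      <xs:extension base="xs:string">
        <xs:attribute name="condition" type="ConditionType" use="required"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
  <!-- One include or exclude list for an event type. -->
  <xs:complexType name="RuleListType">
    <xs:choice minOccurs="0" maxOccurs="unbounded">
      <xs:element name="Image" type="RuleType"/>
      <xs:element name="CommandLine" type="RuleType"/>
      <xs:element name="DestinationPort" type="RuleType"/>
    </xs:choice>
    <xs:attribute name="onmatch" type="OnMatchType" use="required"/>
  </xs:complexType>
  <xs:element name="Sysmon">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="EventFiltering" minOccurs="0">
          <xs:complexType>
            <xs:choice minOccurs="0" maxOccurs="unbounded">
              <xs:element name="ProcessCreate" type="RuleListType"/>
              <xs:element name="NetworkConnect" type="RuleListType"/>
            </xs:choice>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
      <xs:attribute name="schemaversion" type="xs:string" use="required"/>
    </xs:complexType>
  </xs:element>
</xs:schema>
'@

function Test-SysmonConfigSchema {
    param(
        [Parameter(Mandatory)] [string] $ConfigXml,
        [Parameter(Mandatory)] [string] $SchemaXml
    )
    $problems = New-Object 'System.Collections.Generic.List[string]'
    $schemas  = New-Object System.Xml.Schema.XmlSchemaSet
    $schemaReader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader $SchemaXml))
    [void] $schemas.Add($null, $schemaReader)   # $null: Sysmon configs have no target namespace
    $schemaReader.Close()

    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.ValidationType = [System.Xml.ValidationType]::Schema
    $settings.Schemas = $schemas
    # Collect every violation rather than stopping at the first exception.
    $settings.add_ValidationEventHandler({
        param($sender, $e)
        $problems.Add(('{0}: {1} (line {2}, position {3})' -f $e.Severity, $e.Message,
                       $e.Exception.LineNumber, $e.Exception.LinePosition))
    }.GetNewClosure())

    $reader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader $ConfigXml), $settings)
    try     { while ($reader.Read()) { } }   # validation runs as the document is read
    finally { $reader.Close() }

    [pscustomobject]@{ IsValid = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Constructed sample config; the second copy misspells a condition value.
$goodConfig = @'
<Sysmon schemaversion="3.40">
  <EventFiltering>
    <ProcessCreate onmatch="include">
      <Image condition="end with">\powershell.exe</Image>
      <CommandLine condition="contains">-EncodedCommand</CommandLine>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>
'@
$badConfig = $goodConfig -replace 'condition="end with"', 'condition="ends with"'

Test-SysmonConfigSchema -ConfigXml $goodConfig -SchemaXml $sysmonXsd
Test-SysmonConfigSchema -ConfigXml $badConfig  -SchemaXml $sysmonXsd | Select-Object -ExpandProperty Problems
```

The second call is the point of the exercise: the misspelled condition is caught by the enumeration restriction, with a line and position, before the config ever reaches sysmon.exe. A DTD can enumerate attribute values too, but it cannot type element content or compose reusable types the way RuleType and RuleListType do here, which is why the real schema is worth writing in XSD. The same XmlSchemaSet can be handed to Visual Studio (or any XSD-aware editor) for the tab completion mentioned above.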
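For the selective merge that Merge-SysmonXMLConfiguration exists for, here is an added example of the shape such a merge takes. Merge-SysmonConfigRules is a hypothetical function written for this page, not the PSSysmonTools implementation, and both configs it merges are constructed samples. It assumes the flat schema 3.40 layout shown on this page, where EventFiltering holds one element per event type and onmatch value; it folds each rule list from the red-team overlay into the base config's list of the same kind (creating the list if the base lacks one) and skips rules the base already contains, so re-running the merge does not duplicate rules.

```powershell
# Added example, not code from the original post or from PSSysmonTools.
# Merge-SysmonConfigRules is a hypothetical name. Assumes the flat schema 3.40
# layout: <EventFiltering> holds one element per event type and onmatch value
# (e.g. <ProcessCreate onmatch="include">), each containing field rules such as
# <Image condition="end with">...</Image>.
function Merge-SysmonConfigRules {
    param(
        [Parameter(Mandatory)] [xml] $Base,     # the customer's base config
        [Parameter(Mandatory)] [xml] $Overlay   # e.g. the red team's TTP config
    )
    # Work on a copy so the caller's base document is left untouched.
    $merged = [xml] $Base.OuterXml

    $baseFiltering = $merged.DocumentElement.SelectSingleNode('EventFiltering')
    if (-not $baseFiltering) {
        $baseFiltering = $merged.DocumentElement.AppendChild($merged.CreateElement('EventFiltering'))
    }
    $overlayFiltering = $Overlay.DocumentElement.SelectSingleNode('EventFiltering')
    if (-not $overlayFiltering) { return $merged }

    foreach ($overlayList in $overlayFiltering.ChildNodes) {
        if ($overlayList.NodeType -ne 'Element') { continue }
        $eventType = $overlayList.LocalName
        $onmatch   = $overlayList.GetAttribute('onmatch')

        # Fold rules into the existing include/exclude list for this event type
        # instead of appending a second list of the same kind after it.
        $target = $baseFiltering.SelectSingleNode("${eventType}[@onmatch='${onmatch}']")
        if (-not $target) {
            $target = $baseFiltering.AppendChild($merged.CreateElement($eventType))
            $target.SetAttribute('onmatch', $onmatch)
        }

        foreach ($rule in $overlayList.ChildNodes) {
            if ($rule.NodeType -ne 'Element') { continue }
            # Same field, condition and value already present: skip it so the merge is idempotent.
            $alreadyThere = $target.ChildNodes | Where-Object {
                $_.NodeType -eq 'Element' -and
                $_.LocalName -eq $rule.LocalName -and
                $_.GetAttribute('condition') -eq $rule.GetAttribute('condition') -and
                $_.InnerText -eq $rule.InnerText
            }
            if (-not $alreadyThere) {
                [void] $target.AppendChild($merged.ImportNode($rule, $true))
            }
        }
    }
    return $merged
}

# Constructed sample configs (not from any real deployment).
$baseConfig = [xml] @'
<Sysmon schemaversion="3.40">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <ProcessCreate onmatch="include">
      <Image condition="end with">\powershell.exe</Image>
    </ProcessCreate>
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">\chrome.exe</Image>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>
'@

$redTeamConfig = [xml] @'
<Sysmon schemaversion="3.40">
  <EventFiltering>
    <ProcessCreate onmatch="include">
      <!-- duplicate of a base rule: skipped by the merge -->
      <Image condition="end with">\powershell.exe</Image>
      <CommandLine condition="contains">-EncodedCommand</CommandLine>
    </ProcessCreate>
    <NetworkConnect onmatch="include">
      <DestinationPort condition="is">4444</DestinationPort>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>
'@

$mergedConfig = Merge-SysmonConfigRules -Base $baseConfig -Overlay $redTeamConfig

# Pretty-print the result (the [xml] cast drops insignificant whitespace).
$sw = New-Object System.IO.StringWriter
$xw = New-Object System.Xml.XmlTextWriter($sw)
$xw.Formatting = [System.Xml.Formatting]::Indented
$mergedConfig.Save($xw)
$sw.ToString()
```

Two things a practitioner should keep in mind with any merge of this kind. The root attributes (schemaversion, HashAlgorithms) are taken from the base config only, so an overlay written for a newer schema version has to be checked rather than trusted; and the merge is purely structural, so the merged file should still be validated against the schema (and test-loaded with sysmon.exe) before it is deployed.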