Sysinternals Sysmon – monitoring your system and handling the output

By | 20th July 2015

I’ve been excited about the long past announcement (Aug 2014) of a new utility from Sysinternals – Sysmon!

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time.

In one of the channel9 videos Mark Russinovich talks about how it helped him track down the original point of entry of a malware application. Mark is an amazing guy.

I was immediately hooked, so Sysmon has been installed on all my home devices and on the devices that my relatives force me to support. Plus it’s a cool way to keep your paranoia in check and find out who installed that piece of software on your favourite Terminal (oops, Remote Desktop Services!) Server.

Now, the link above has all the installation and configuration instructions, so I won’t dig into them.

The minor issue I had with the tool is that it lacked structured output. Most of the useful information is stored in the message block of the Event Viewer log, for example:

Process Create:
UtcTime: 19/07/2015 06:35
ProcessGuid: {0021847f-454d-55ab-0000-00109a1f330b}
ProcessId: 7944
Image: C:\WINDOWS\system32\wbem\wmiprvse.exe
CommandLine: C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding
User: NT AUTHORITY\SYSTEM
LogonGuid: {***************}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
HashType: SHA1
Hash: D06DFEC8ACA88E68A9CECBCF3379B20FF73E6D72
ParentProcessGuid: {0021847f-492f-55a7-0000-001049c00000}
ParentProcessId: 844
ParentImage: C:\WINDOWS\system32\svchost.exe
ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k DcomLaunch

I’ve finally decided it’s time to make the output a bit more readable (and my definition of readable is .csv and Pivot Tables in Microsoft Excel), so I wrote a script that converts the Sysmon log from Event Viewer into .csv for some quality reading and analysis. The alternative would be to convert it to XML and work my way from there, but it’s .csv for now.

The main issues were that I had got a bit rusty with the string class and its methods, and that the conversion to .csv had to work with an array of objects that have different numbers of properties (Export-Csv takes its columns from the first object, so the conversion wasn’t always picking up all the data). stackoverflow.com had the answer to that issue.

The conversion is still a bit messy sometimes, but that doesn’t bother me, data is more or less readable and visible in Excel.
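To illustrate both points above (the “Key: Value” message block and the missing-columns problem when objects have different property sets), here is an added example script. It is not the post’s New-SysmonCsvReport.ps1; the function names, the constructed sample events and the output path are my own, and the live-log branch assumes the standard Sysmon channel name Microsoft-Windows-Sysmon/Operational.

```powershell
# Added example, not the original New-SysmonCsvReport.ps1.
# Parses Sysmon event messages of the "Key: Value" form into objects and
# exports them to CSV using the union of all property names, so that events
# with fewer or different fields are not silently truncated by Export-Csv.

function ConvertFrom-SysmonMessage {
    param(
        [Parameter(Mandatory)][string]$Message,
        [int]$EventId,
        [datetime]$TimeCreated
    )
    $props = [ordered]@{ EventId = $EventId; TimeCreated = $TimeCreated }
    $lines = $Message -split "`r?`n"
    # The first line of the message block is the event type, e.g. "Process Create:"
    $props['EventType'] = $lines[0].Trim().TrimEnd(':')
    foreach ($line in ($lines | Select-Object -Skip 1)) {
        # Split on the first colon only; values such as C:\WINDOWS keep their colons
        if ($line -match '^\s*([^:]+):\s*(.*)$') {
            $props[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    [pscustomobject]$props
}

function Export-SysmonCsv {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [Parameter(Mandatory)][string]$Path
    )
    # Collect the union of property names across all events, in first-seen order
    $columns = [System.Collections.Generic.List[string]]::new()
    foreach ($evt in $Events) {
        foreach ($name in $evt.PSObject.Properties.Name) {
            if (-not $columns.Contains($name)) { $columns.Add($name) }
        }
    }
    # Export-Csv derives its header from the first object; selecting the union
    # gives every row the full column set (missing fields become empty cells).
    $Events |
        Select-Object -Property $columns.ToArray() |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    $columns.ToArray()
}

# Constructed sample events (not captured from a real machine). The first
# reuses the Process Create block shown in the post; the second is a shorter
# network-connection block with a different set of fields.
$sampleEvents = @(
    ConvertFrom-SysmonMessage -EventId 1 -TimeCreated (Get-Date '2015-07-19 06:35') -Message @"
Process Create:
UtcTime: 19/07/2015 06:35
ProcessGuid: {0021847f-454d-55ab-0000-00109a1f330b}
ProcessId: 7944
Image: C:\WINDOWS\system32\wbem\wmiprvse.exe
CommandLine: C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding
User: NT AUTHORITY\SYSTEM
IntegrityLevel: System
HashType: SHA1
Hash: D06DFEC8ACA88E68A9CECBCF3379B20FF73E6D72
ParentProcessId: 844
ParentImage: C:\WINDOWS\system32\svchost.exe
"@
    ConvertFrom-SysmonMessage -EventId 3 -TimeCreated (Get-Date '2015-07-19 06:36') -Message @"
Network connection detected:
UtcTime: 19/07/2015 06:36
ProcessId: 7944
Image: C:\WINDOWS\system32\wbem\wmiprvse.exe
User: NT AUTHORITY\SYSTEM
Protocol: tcp
Initiated: true
DestinationIp: 192.0.2.10
DestinationPort: 443
"@
)

# Set $UseLiveLog to $true on a machine with Sysmon installed to read the real channel
$UseLiveLog = $false
$events = if ($UseLiveLog) {
    Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 500 |
        ForEach-Object { ConvertFrom-SysmonMessage -Message $_.Message -EventId $_.Id -TimeCreated $_.TimeCreated }
} else {
    $sampleEvents
}

$columns = Export-SysmonCsv -Events $events -Path (Join-Path $env:TEMP 'sysmon-report.csv')
"Wrote $($events.Count) rows with $($columns.Count) columns: $($columns -join ', ')"
```

With the two constructed events, the header contains every field from both blocks (ParentImage as well as DestinationPort), and the network row simply has empty cells for the process-creation-only columns, which is exactly what a Pivot Table in Excel needs to group by EventType, Image or User.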


Now I can track down all the started apps and network connections, which users started the apps, where their connections went, and so forth. I know there are probably a lot more complicated and fancy solutions on the market, but Sysmon is easy, small and free; what can be better?

Grab your script copy New-SysmonCsvReport.ps1. No warranties.