
Microsoft Releases Linux Version of Windows Sysmon Tool

Microsoft has released a Linux version of the popular Sysmon system monitoring utility for Windows, allowing Linux administrators to monitor devices for malicious activity.

For those unfamiliar with Sysmon (aka System Monitor), it is a Sysinternals tool that monitors a system for malicious activity and records any behavior it detects in the system's event logs.

Sysmon’s versatility comes from the ability to create custom configuration files that administrators can use to monitor specific system events that may indicate malicious activity is occurring on the system.

Sysmon ported to Linux

Today, Microsoft's Mark Russinovich, co-founder of the Sysinternals utility suite, announced that Microsoft has released Sysmon for Linux as an open source project on GitHub.

Unlike with Sysmon for Windows, Linux users will need to compile the program themselves and make sure all the required dependencies are installed; instructions are provided on the project's GitHub page.

Note that in order to compile Sysmon, you must first install the SysinternalsEBPF project as well.

After Sysmon has been compiled, you can display its usage help by running sudo ./sysmon -h, as shown in the screenshot below.

Sysmon for Linux help file
Source: TechToSee

To use the program, you must first accept the End User License Agreement with the following command:

sudo ./sysmon -accepteula

Then you can start Sysmon with or without a configuration file using one of the following commands:

Without configuration file:

sudo ./sysmon -i

With configuration file:

sudo ./sysmon -i CONFIG_FILE

To create your own Sysmon configuration file, run ./sysmon -s to print the configuration schema for the current version and see which directives are available.

To learn more about creating a Sysmon configuration file, you can check the official documentation or use the template from SwiftOnSecurity as an example.

Basic Windows Sysmon configuration file that enables DNSQuery logging

Once started, Sysmon will begin recording events to the /var/log/syslog file. If you haven't specified a configuration file to restrict what is logged, you will find that your syslog file grows rapidly as new processes are started and terminated.

For example, in the screenshot below, you can see an event showing the 'adduser' command terminating after I used it to create a new user.

Sysmon events logged in /var/log/syslog
Source: TechToSee

To make it easier to find specific events in the log, you can use the sysmonLogView utility, which ships with the project, to display only the events you are looking for.

The event IDs that Sysmon for Linux can currently log are listed below:

  • 1: SYSMONEVENT_CREATE_PROCESS
  • 2: SYSMONEVENT_FILE_TIME
  • 3: SYSMONEVENT_NETWORK_CONNECT
  • 4: SYSMONEVENT_SERVICE_STATE_CHANGE
  • 5: SYSMONEVENT_PROCESS_TERMINATE
  • 6: SYSMONEVENT_DRIVER_LOAD
  • 7: SYSMONEVENT_IMAGE_LOAD
  • 8: SYSMONEVENT_CREATE_REMOTE_THREAD
  • 9: SYSMONEVENT_RAWACCESS_READ
  • 10: SYSMONEVENT_ACCESS_PROCESS
  • 11: SYSMONEVENT_FILE_CREATE
  • 12: SYSMONEVENT_REG_KEY
  • 13: SYSMONEVENT_REG_SETVALUE
  • 14: SYSMONEVENT_REG_NAME
  • 15: SYSMONEVENT_FILE_CREATE_STREAM_HASH
  • 16: SYSMONEVENT_SERVICE_CONFIGURATION_CHANGE
  • 17: SYSMONEVENT_CREATE_NAMEDPIPE
  • 18: SYSMONEVENT_CONNECT_NAMEDPIPE
  • 19: SYSMONEVENT_WMI_FILTER
  • 20: SYSMONEVENT_WMI_CONSUMER
  • 21: SYSMONEVENT_WMI_BINDING
  • 22: SYSMONEVENT_DNS_QUERY
  • 23: SYSMONEVENT_FILE_DELETE
  • 24: SYSMONEVENT_CLIPBOARD
  • 25: SYSMONEVENT_PROCESS_IMAGE_TAMPERING
  • 26: SYSMONEVENT_FILE_DELETE_DETECTED
  • 255: SYSMONEVENT_ERROR

As you can see, many of these events do not apply to Linux, such as Registry or WMI events, so you will need to adjust your configuration accordingly.
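Sysmon for Linux writes each event to syslog as a single-line XML <Event> element, so a short script can do the same job as sysmonLogView: pull the EventID and the Data fields out of each line and keep only the event types that actually mean something on Linux. This is an added example, not code from the Sysmon project; the sample syslog lines below are constructed, with the System block trimmed to the fields the script needs, and the set of "Linux-relevant" IDs is the author's own selection from the list above.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Event IDs from the list above that have a meaning on Linux. The Windows-only
# Registry, WMI, named-pipe and clipboard IDs are deliberately left out (assumption).
LINUX_EVENT_NAMES = {
    1: "SYSMONEVENT_CREATE_PROCESS",
    3: "SYSMONEVENT_NETWORK_CONNECT",
    5: "SYSMONEVENT_PROCESS_TERMINATE",
    11: "SYSMONEVENT_FILE_CREATE",
    23: "SYSMONEVENT_FILE_DELETE",
    255: "SYSMONEVENT_ERROR",
}

# Constructed sample of /var/log/syslog with Sysmon running: a syslog prefix,
# then the event as one line of XML. The last line is an unrelated cron entry.
SAMPLE_SYSLOG = """\
Oct 14 09:12:01 lab sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID><Computer>lab</Computer></System><EventData><Data Name="UtcTime">2021-10-14 09:12:01.100</Data><Data Name="ProcessId">4321</Data><Data Name="Image">/usr/sbin/adduser</Data><Data Name="CommandLine">adduser bob</Data><Data Name="ParentImage">/usr/bin/bash</Data></EventData></Event>
Oct 14 09:12:01 lab sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>11</EventID><Computer>lab</Computer></System><EventData><Data Name="UtcTime">2021-10-14 09:12:01.300</Data><Data Name="ProcessId">4321</Data><Data Name="Image">/usr/sbin/adduser</Data><Data Name="TargetFilename">/etc/passwd.lock</Data></EventData></Event>
Oct 14 09:12:02 lab sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>5</EventID><Computer>lab</Computer></System><EventData><Data Name="UtcTime">2021-10-14 09:12:02.050</Data><Data Name="ProcessId">4321</Data><Data Name="Image">/usr/sbin/adduser</Data></EventData></Event>
Oct 14 09:12:03 lab CRON[999]: (root) CMD (run-parts /etc/cron.hourly)
"""

# syslog prefix (month day time host tag:) followed by the XML payload
SYSMON_LINE = re.compile(
    r"^\S+ +\d+ [\d:]+ (?P<host>\S+) sysmon(?:\[\d+\])?: (?P<xml><Event>.*</Event>)\s*$")


def parse_sysmon_line(line):
    """Return a dict of EventID, Name and the <Data> fields, or None if not a Sysmon line."""
    m = SYSMON_LINE.match(line)
    if not m:
        return None
    root = ET.fromstring(m.group("xml"))
    event_id = int(root.findtext("./System/EventID"))
    fields = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
    fields["EventID"] = event_id
    fields["Name"] = LINUX_EVENT_NAMES.get(event_id, f"UNKNOWN_{event_id}")
    return fields


def filter_events(text, event_ids):
    """Minimal sysmonLogView: keep only events whose ID is in event_ids, in log order."""
    wanted = set(event_ids)
    return [ev for ev in map(parse_sysmon_line, text.splitlines())
            if ev and ev["EventID"] in wanted]


def count_by_event(text):
    """How many events of each Linux-relevant type the log contains."""
    return Counter(ev["EventID"] for ev in filter_events(text, LINUX_EVENT_NAMES))
```

Run against a real /var/log/syslog this gives a quick picture of which event types dominate, which is the first thing to look at when deciding what a restrictive configuration file should exclude.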

Sysmon is a powerful tool widely used in Windows environments as part of an organization’s security toolkit.

With its addition to Linux, a whole new segment of system administrators can use it to provide free system monitoring for malicious activity.
