Excelling with sysmon configs

March 4, 2019 in Compromise Detection, Mitre Att&ck, Sysmon, threat hunting

Writing your own sysmon config is a painful exercise. Well, maybe not if you start from scratch and only rely on your own research, because then there is an organic growth that you fully control.

Sooner or later you will reach the end of your creative ideas though… and will start borrowing ideas from others. You will then want to compare your config against others.

You can find an existing tool that does it for you (recommended), write a proper parser (recommended), or try to cheat and use Excel 😉

Despite it looking like an impossible task, Excel can do a pretty good job of extracting rules from a sysmon config. We just need to use a bunch of formulas, and in the end we can ‘visualize’ the data using e.g. a pivot table like the one shown here:

or this:

From there, it’s not too far from comparing multiple configs, or even merging them in Excel (I know, I will burn in hell for saying that!).
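The same rule extraction and config comparison, done with a small parser instead of Excel formulas (an added example, not the post's workbook and not the ionstorm config; the two config snippets inside it are constructed, and the flat row layout event / onmatch / field / condition / value is an assumption):

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not the ionstorm config from the post): one in
# the schema 4.x RuleGroup layout, one in the older flat layout.
CONFIG_A = """<Sysmon schemaversion="4.21"><EventFiltering>
  <RuleGroup groupRelation="or">
    <ProcessCreate onmatch="include">
      <Image condition="end with">powershell.exe</Image>
      <Rule groupRelation="and">
        <Image condition="end with">cmd.exe</Image>
        <ParentImage condition="end with">winword.exe</ParentImage>
      </Rule>
    </ProcessCreate>
  </RuleGroup>
  <RuleGroup groupRelation="or">
    <NetworkConnect onmatch="exclude">
      <DestinationPort condition="is">443</DestinationPort>
    </NetworkConnect>
  </RuleGroup>
</EventFiltering></Sysmon>"""

CONFIG_B = """<Sysmon schemaversion="3.40"><EventFiltering>
  <ProcessCreate onmatch="include">
    <Image condition="end with">powershell.exe</Image>
    <Image condition="end with">mshta.exe</Image>
  </ProcessCreate>
</EventFiltering></Sysmon>"""

def extract_rules(xml_text):
    """Flatten a sysmon config into (event, onmatch, field, condition, value)
    rows, one per filter, like the pivot table in the post. Handles both layouts;
    filters nested in a compound <Rule> get the field prefixed with 'Rule:'."""
    filtering = ET.fromstring(xml_text).find("EventFiltering")
    rows = []
    for ev in (filtering if filtering is not None else []):
        # A RuleGroup wraps one or more event elements; otherwise ev is the event.
        events = list(ev) if ev.tag == "RuleGroup" else [ev]
        for event in events:
            onmatch = event.get("onmatch", "")
            for child in event:
                # Compound <Rule> elements hold the ANDed sub-filters.
                subs = [("Rule:", s) for s in child] if child.tag == "Rule" else [("", child)]
                for prefix, f in subs:
                    rows.append((event.tag, onmatch, prefix + f.tag,
                                 f.get("condition", "is"), (f.text or "").strip()))
    return rows

def compare_configs(xml_a, xml_b):
    """Rules present in only one of two configs: (only_in_a, only_in_b)."""
    a, b = set(extract_rules(xml_a)), set(extract_rules(xml_b))
    return sorted(a - b), sorted(b - a)
```

Feeding the rows into a spreadsheet gives the same pivot as in the post, and the set difference is the config comparison step.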

Anyways… if you are interested in doing similar analysis yourself you can have a look at this workbook. It’s just one of many ways this can be done, and there is plenty of room for improvements.

And if you are wondering what config I analyzed with this ‘tool’, it is the one from ionstorm (kudoz!) & you can download it from here.
