{"id":6027,"date":"2019-03-04T00:12:25","date_gmt":"2019-03-04T00:12:25","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6027"},"modified":"2019-03-04T00:15:43","modified_gmt":"2019-03-04T00:15:43","slug":"excelling-with-sysmon-configs","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/03\/04\/excelling-with-sysmon-configs\/","title":{"rendered":"Excelling with sysmon configs"},"content":{"rendered":"\n

Writing your own sysmon config is a painful exercise. Well, maybe not if you start from a scratch and only rely on your own research, because there is an organic growth that you fully control.<\/p>\n\n\n\n

Sooner or later you will reach the end of your creative ideas though… and will start borrowing ideas from others. You will then want to compare your config against others.<\/p>\n\n\n\n

You can find an existing tool that does it for you (recommended), write a proper parser (recommended), or try to cheat and use Excel \ud83d\ude09<\/p>\n\n\n\n

Despite it looking like an impossible task, Excel can do a pretty good work extracting rules from a sysmon config. We just need to use a bunch of formulas, and in the end can ‘visualize’ the data using e.g. a pivot table like the one shown here:<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

or this:<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

From there, it’s not too far from comparing multiple configs, or even merging them in Excel (I know, I will burn in hell for saying that!).<\/p>\n\n\n\n

Anyways… if you are interested in doing similar analysis yourself you can have a look at this workbook<\/a>. It’s just one of many ways this can be done, and there is plenty of room for improvements.<\/p>\n\n\n\n

And if you are wondering what config I analyzed with this ‘tool’, it is the one from ionstorm<\/a> (kudoz!) & you can download it from here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

Writing your own sysmon config is a painful exercise. Well, maybe not if you start from a scratch and only rely on your own research, because there is an organic growth that you fully control. Sooner or later you will … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[15,74,82,79],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6027"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=6027"}],"version-history":[{"count":4,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6027\/revisions"}],"predecessor-version":[{"id":6033,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6027\/revisions\/6033"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=6027"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=6027"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=6027"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}