注意:Sysmon是微软对于Eventlog的补充解决⽅案,这是笔者对于Sysmon的理解,Sysmon可以能够获取到 Evenlog获取不到的更多信息;
sysmon64.exe -i exampleSysmonConfig.xml //执⾏安装:
sysmon64.exe -u //删除
执⾏安装
删除
注意:exampleSysmonConfig.xml为Sysmon的配置⽂件,内容和名字均可以⾃定义,内容可以⾃⾏进⾏增加 或修改。
<Sysmon schemaversion="4.40">
<EventFiltering>
<!-- Restrict logging to access targeting svchost.exe and verclsid.exe -->
<ProcessAccess onmatch="exclude">
<TargetImage condition="excludes">verclsid.exe</TargetImage>
<TargetImage condition="excludes">svchost.exe</TargetImage>
</ProcessAccess>
<!-- Process access requests with suspect privileged access,
or call trace indicative of unknown modules -->
<ProcessAccess onmatch="include">
<GrantedAccess condition="is">0x1F0FFF</GrantedAccess>
<GrantedAccess condition="is">0x1F1FFF</GrantedAccess>
<GrantedAccess condition="is">0x1F2FFF</GrantedAccess>
<GrantedAccess condition="is">0x1F3FFF</GrantedAccess>
<GrantedAccess condition="is">0x1FFFFF</GrantedAccess>
<CallTrace condition="contains">unknown</CallTrace>
</ProcessAccess>
</EventFiltering>
</Sysmon>
安装完成后,在本地事件管理器可以查看相关日志(路径:事件查看器---应用程序与服务日志---Microsoft---windows---sysmon):