SysmonHunter
An easy ATT&CK-based Sysmon hunting tool, showing in Blackhat USA 2019 Arsenal
Requirements
- Elasticsearch
- Neo4j
- Python 2.7.x
- 3rd-party Python library dependencies: pip install -r requirements.txt
Configuration
See conf/example.conf
es_host=http://localhost:9200 # Elasticsearch host uri
winlogbeat_index=winlogbeat-* # winlogbeat index prefix
neo4j_host=bolt://localhost:7687 # Neo4j database host
neo4j_user=neo4j # Neo4j login username
neo4j_pwd= # Neo4j login password
attck_yaml=misc/attck.yaml # rules file
Usage
Data process & import
Processes Sysmon logs into customized structured data, filters abnormal behaviors based on the YAML rules, and then imports the result into the databases.
Sysmon logs can be collected in two ways:
- manually, using logparser to transfer .evtx to csv:
logparser.exe -i:evt -o:csv "select TimeGenerated, SourceName, ComputerName, SID, EventID, Strings from Microsoft-Windows-Sysmon%4Operational.evtx -
- with winlogbeat, collecting into Elasticsearch.
Usage for agent.py:

For example:
python agent.py -c conf/example.conf -t csv -i test/empire.csv
python agent.py -c conf/example.conf -t winlogbeat -start 2019-07-19 -end 2019-07-19
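As an added illustration of the data-process step (example code, not the project's own): a Python 3 sketch that reads the CSV layout the logparser command above produces, unpacks the Strings column into named Sysmon fields, and applies ATT&CK-tagged rules. The Strings field order, the rule dictionaries and the sample rows are constructed assumptions; the real misc/attck.yaml schema is not shown on this page.

```python
import csv
import io
import re

# Columns produced by the logparser command in the README. The Strings column
# holds the Sysmon event data joined by "|"; the order below is a reduced,
# constructed layout for Event ID 1 (process create) used only in this example.
EID1_FIELDS = ["UtcTime", "ProcessGuid", "ProcessId", "Image",
               "CommandLine", "User", "ParentImage", "ParentCommandLine"]

# Constructed rules standing in for misc/attck.yaml (real schema not shown).
RULES = [
    {"technique": "T1059.001", "name": "PowerShell", "event_id": 1,
     "field": "CommandLine",
     "regex": r"(?i)powershell(\.exe)?\s.*-(e|enc|encodedcommand)\b"},
    {"technique": "T1047", "name": "WMI", "event_id": 1,
     "field": "Image", "regex": r"(?i)\\wmic\.exe$"},
]

def parse_rows(csv_text):
    """Turn logparser CSV rows into structured events (one dict per row)."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        event = {"time": row["TimeGenerated"], "host": row["ComputerName"],
                 "event_id": int(row["EventID"]), "data": {}}
        if event["event_id"] == 1:  # only EID 1 is decoded in this sketch
            event["data"] = dict(zip(EID1_FIELDS, row["Strings"].split("|")))
        events.append(event)
    return events

def match_rules(events, rules=RULES):
    """Return (technique, host, matched value) for every rule hit."""
    hits = []
    for ev in events:
        for rule in rules:
            if rule["event_id"] != ev["event_id"]:
                continue
            value = ev["data"].get(rule["field"], "")
            if re.search(rule["regex"], value):
                hits.append((rule["technique"], ev["host"], value))
    return hits

# Constructed sample rows: one encoded PowerShell launch, one benign process, one EID 3.
SAMPLE_CSV = (
    "TimeGenerated,SourceName,ComputerName,SID,EventID,Strings\n"
    '2019-07-19 10:00:01,Microsoft-Windows-Sysmon,WS01,S-1-5-18,1,"2019-07-19 02:00:01.123|{guid-1}|4312|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -NoP -enc SQBFAFgA|CORP\\alice|C:\\Windows\\explorer.exe|explorer.exe"\n'
    '2019-07-19 10:00:05,Microsoft-Windows-Sysmon,WS01,S-1-5-18,1,"2019-07-19 02:00:05.456|{guid-2}|4400|C:\\Windows\\System32\\notepad.exe|notepad.exe|CORP\\alice|C:\\Windows\\explorer.exe|explorer.exe"\n'
    '2019-07-19 10:00:09,Microsoft-Windows-Sysmon,WS01,S-1-5-18,3,"2019-07-19 02:00:09.789|{guid-2}|4400|tcp"\n'
)

if __name__ == "__main__":
    for hit in match_rules(parse_rows(SAMPLE_CSV)):
        print(hit)
```

The hits are what the real pipeline would push into Elasticsearch and Neo4j; here they are returned in memory so the logic can be checked without either database.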
SysmonHunter tool
Execute command below and open http://localhost:5000/ in browser.
python server.py -c conf/example.conf
Conclusion
More details are in the pptx under docs.