Pwntario Team Blog
Pwntario Team Blog
Pwntario Team GitHub
DerbyComTOR
The C3X
Home
Team Posts
Anton's Posts
Hunt Fast: Splunk and tstats
Hunting Malicious Macros
Get Azure Key Vault Data into Splunk
Edit Your Sysmon Config in Style
Wrangle Your PowerShell Transcript Logs with Apache Nifi
(Very) Basic Elastic SIEM Set up
Moloch + Suricata + JA3
Making Lateral Movement Difficult in an Active Directory Environment
Taking a Closer Look at PowerShell Download Cradles
Visualize Windows Logs With Neo4j
Device Guard - Fixing VMWare Tools
Offensive Security OSCE (CTP) Review
(Attempting) to Detect Responder with Sysmon
Working with Sysmon
Setting Up Sysmon
Lee's Posts
Members
Powered by GitBook

Edit Your Sysmon Config in Style

Does this look familiar ?

​​​​

Until very recently, I was there too.

Notepad++ is a fantastic tool that I use for hours every day, but it's not ideal for editing large Sysmon config files, I recently looked at other options and found a setup that I was happy with - let's take a look at how you can replicate this.

To begin, grab a copy of Visual Studio Code ( https://code.visualstudio.com/download )

Navigate to the Extensions menu and search for and install the Sysmon extension:

​​​​

We'll also be installing the "Bookmarks" extension:

​​​​

Next up, install and setup git for Windows ( https://git-scm.com/download/win )

During the setup, you'll have the option to use VS Code as the default edit for git, I chose this option:

​​​​

Now restart VS Code and start a new Sysmon config, the Sysmon extension will help you here:

​​​​

In my case, I had a private GitHub repo set up for my Sysmon config, so I want to set that repo up and then save my new blank Sysmon config file to it:

​​​​

Now save your config file and give it a name, make sure to save it to the folder where you initialized your Git repo, in my case C:\Repos\sysmon-config

You should see a "1" icon next to the source control menu option in VS Code after saving your config file. Navigate to that menu, add your commit message, stage the changes and then commit them to your GitHub repo:

​​​​

When you are done committing your changes, push them via the terminal or GUI, you should now see your changes in GitHub:

​​​​

Now your Sysmon config is source controlled and resides in a feature-rich text editor with auto-complete unique to Sysmon's config syntax, nice!

As a final step, use the Bookmarks add-on to configure bookmarks within your Sysmon config so you can follow along with the various sections in a large config file.

If you've installed the bookmarks extension, navigate to the line where you want to set your bookmark and hit CTRL+ALT+K (Or right click --> toggle bookmark), in my case I'm going to bookmark my ProcessCreate exclusions section:

​​​​

You can also rename this bookmark to your liking, I've found this kind of bookmark layout time saving:

​​​​

And that's it -- a nice upgrade from Notepad++

Notes:

Previous
Get Azure Key Vault Data into Splunk
Next
Wrangle Your PowerShell Transcript Logs with Apache Nifi
Last updated 11 months ago