Merged
2 changes: 1 addition & 1 deletion chapters/file-blockshredding.md
@@ -1,7 +1,7 @@
File Block EXE
===========

On version 14.1 of Sysmon the capability to log and block when a process is deleting a file by overwriting its file blocks. Events will be loggedusing **EventID 27**. This event type is found under schema version 4.83.
On version 14.1 of Sysmon the capability to log and block when a process is deleting a file by overwriting its file blocks. Events will be logged using **EventID 28**. This event type is found under schema version 4.83.


![minifilter](./media/image36.png)
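Review bot: The changed sentence is still missing its main verb: "On version 14.1 of Sysmon the capability to log and block when a process is deleting a file by overwriting its file blocks." never says what happened to that capability; since the line is being touched anyway, rewrite it as "Sysmon 14.1 added the capability to log and block a process that deletes a file by overwriting its file blocks." The corrected EventID 28 agrees with the "File Block Shredding | 28" row added to chapters/what-is-sysmon.md in this same PR. The heading at the top of the hunk still reads "File Block EXE", which names the File Block Executable event (27) rather than file block shredding; consider renaming it to match the file name and the event this chapter documents.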
13 changes: 10 additions & 3 deletions chapters/what-is-sysmon.md
@@ -1,13 +1,13 @@
# What is Sysmon

Sysmon (System Monitor) is a free, advanced system monitoring tool developed by Mark Russinovich and Tomas Garnier, with contributions from David Magnotti, Mark Cook, Rob Mead, Giulia Biagini, Alex Mihaiuc, Kevin Sheldrake, and John Lambert.
Sysmon (System Monitor) is a free, advanced system monitoring tool developed by Mark Russinovich and Thomas Garnier, with contributions from David Magnotti, Mark Cook, Rob Mead, Giulia Biagini, Alex Mihaiuc, Kevin Sheldrake, and John Lambert.
Originally, Sysmon was created for internal use at Microsoft, but it is now widely used by security professionals to enhance visibility into system activity and detect abnormal behavior or potential threats.

Sysmon enables defenders to better detect suspicious activity by monitoring and logging a broad range of system events, such as process creation, network connections, and changes to files or registry keys. These logs are especially valuable for security investigations and threat detection.

## Sysmon on Windows

Sysmon for Windows supports ARM, x64 and x86 systems. Installation and configuration are managed through a single command-line tool. When installed, Sysmon logs events to the Microsoft-Windows-Sysmon/Operational Event Log.
Sysmon for Windows supports ARM, x64 and x86 systems. The download provides three binaries for these architectures: Sysmon.exe (32-bit x86), Sysmon64.exe (64-bit x64), and Sysmon64a.exe (64-bit ARM64). Installation and configuration are managed through a single command-line tool. When installed, Sysmon logs events to the Microsoft-Windows-Sysmon/Operational Event Log.

### Windows Supported Event Types

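Review bot: The architecture naming in the new binaries sentence is inconsistent with the sentence before it: the list describes Sysmon64a.exe as the 64-bit ARM64 build, while the opening sentence still says Sysmon "supports ARM, x64 and x86 systems", which could be read as implying a 32-bit ARM build. Suggested: "Sysmon for Windows supports x86, x64 and ARM64 systems." That also keeps it consistent with the "Windows on ARM (ARM64)" section added later in this file.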
Expand Down Expand Up @@ -42,8 +42,15 @@ The following table lists the event types and corresponding event IDs generated
| Clipboard Capture | 24 |
| Process Tampering | 25 |
| File Delete Detected | 26 |
| File Block Executable | 27 |
| File Block Shredding | 28 |
| File Executable Detected | 29 |
| Error | 255 |

### Windows on ARM (ARM64)

Sysmon runs natively on Windows on ARM (ARM64 / AArch64) devices — such as Snapdragon-based PCs, the Surface Pro X, and ARM64 virtual machines — through the dedicated `Sysmon64a.exe` build. Event coverage on ARM64 is identical to x64: the same event IDs and configuration schema apply, since the processor architecture does not change which events Sysmon produces. Because `SysmonDrv` is a kernel-mode driver that must match the operating system architecture, the native `Sysmon64a.exe` is required on ARM64 — the x64 build's driver cannot be loaded under the system's x86/x64 emulation.

## Sysmon on Linux

Sysmon for Linux is an open-source adaptation, designed to collect similar security-relevant events from Linux environments. It leverages eBPF (Extended Berkeley Packet Filter) to efficiently monitor system activity at the kernel level.
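Review bot: The new "Windows on ARM (ARM64)" paragraph states as blanket facts that event coverage on ARM64 is identical to x64 and that the x64 driver cannot be loaded under emulation, without saying where this was verified. The driver argument is sound on its own (a kernel-mode driver has to be native to the OS architecture, and x86/x64 emulation on Windows on ARM covers user-mode code), but the "identical coverage" claim should name the Sysmon or schema version it was checked against, or be softened to "the same event IDs and configuration schema apply". Style: the paragraph uses em-dashes for asides where the rest of the chapter uses commas and parentheses. The table rows added here (28 File Block Shredding, 29 File Executable Detected) line up with the EventID 28 correction in chapters/file-blockshredding.md.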
Expand Down Expand Up @@ -79,7 +86,7 @@ Sysmon for Linux uses the sysinternalsEBPF library to capture file and network a

Both sysinternalsEBPF and Sysmon for Linux are open source projects, allowing the community to contribute and extend their features. You can find the projects and source code on GitHub:
- [Sysmon for Linux](https://github.com/Sysinternals/SysmonForLinux)
- [sysinternalsEBPF library](https://github.com/Sysinternals/ebpf-for-windows)
- [sysinternalsEBPF library](https://github.com/Sysinternals/SysinternalsEBPF)

## Further Resources

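Review bot: The replaced link is the right fix: the old URL pointed at a repository named ebpf-for-windows, which does not match the sysinternalsEBPF library the list item and the surrounding text describe, whereas the new URL (Sysinternals/SysinternalsEBPF) does. Minor: the link text reads "sysinternalsEBPF" while the repository is "SysinternalsEBPF"; consider aligning the casing with the repository name.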