SysmonFind


SysmonFind is a Sysmon event search engine, both local and remote, that allows you to analyze or investigate security incidents in real time. Sysmon must be installed on the computer.

How to install Sysmon and define a standard for its use and updates:

https://github.com/mikeHack23/SYSMON_INSTALL

Summary

An application for reading Sysmon logs, either locally or from remote computers. It searches the events using either free-text or regex searches. What can you do with it?

  • Analyze which process started the communication to a given IP address
  • Search for IOCs
  • Malware analysis
  • Search for event IDs and parse their content
  • Forensics
  • Use the ByPass option to supply credentials and query computers whether or not they are joined to a domain

Images

Screenshots (not reproduced here): SysmonFind, SysmonFindID, SysmonFindRegex, SysmonfindQR

Regular Expressions (REGEX)

Examples:

Search for events that contain an IP address

IPV4

\b(?:\d{1,3}\.){3}\d{1,3}\b

(This pattern also matches dotted numbers whose octets exceed 255, such as some version strings; use a stricter pattern if that matters.)

IPV6

\b(?:[A-Fa-f0-9]{1,4}:){7}[A-Fa-f0-9]{1,4}\b

(This pattern matches only the fully expanded eight-group form; addresses written with "::" are not matched.)

Look up court case numbers

\b\d{2}-\d{6}-\d{4}-[A-Z]{2}\b

Files generated in a numeric sequence, e.g. 0549.exe, 0550.exe, 0560.exe

[0-9][0-9][0-9][0-9]?\.exe

Files generated with a repeated name pattern, e.g. chymbacjDriverUpgradeMastersynlDriverBoost.exe, chymmtwmDriverOptimizerExpertfuqpDriverDiagnostics.exe

.*Driver.*Driver.*\.exe.*
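As an added example, not code from the SysmonFind repository, the following Python script shows the two kinds of search the README describes, free-text and regex, applied to constructed Sysmon-style event messages. It uses the regex patterns listed above, adds a stricter IPv4 variant so the false positive on version strings is visible, and answers the "which process talked to this IP" question by parsing the "Key: Value" fields of Event ID 3 messages. The sample events, the field layout and the function names are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events in the "Key: Value" layout Sysmon writes into the
# event message body. They are illustrative test data, not captured logs.
SAMPLE_EVENTS = [
    {"event_id": 3, "message":
     "Network connection detected:\n"
     "Image: C:\\Windows\\System32\\svchost.exe\n"
     "DestinationIp: 203.0.113.25\n"
     "DestinationPort: 443"},
    {"event_id": 3, "message":
     "Network connection detected:\n"
     "Image: C:\\Users\\Public\\0550.exe\n"
     "DestinationIp: 198.51.100.7\n"
     "DestinationPort: 8080"},
    {"event_id": 1, "message":
     "Process Create:\n"
     "Image: C:\\Users\\Public\\chymbacjDriverUpgradeMastersynlDriverBoost.exe\n"
     "FileVersion: 1.0.301.5\n"
     "CommandLine: chymbacjDriverUpgradeMastersynlDriverBoost.exe /silent"},
    {"event_id": 3, "message":
     "Network connection detected:\n"
     "Image: C:\\Program Files\\App\\app.exe\n"
     "DestinationIp: 2001:0db8:0000:0000:0000:ff00:0042:8329\n"
     "DestinationPort: 443"},
    {"event_id": 3, "message":
     "Network connection detected:\n"
     "Image: C:\\Program Files\\App\\app.exe\n"
     "DestinationIp: 2001:db8::1\n"
     "DestinationPort: 443"},
    {"event_id": 11, "message":
     "File created:\n"
     "Image: C:\\Users\\Public\\dropper.exe\n"
     "TargetFilename: C:\\Users\\Public\\0549.exe"},
]

# The README's patterns, plus a stricter IPv4 pattern that rejects octets > 255.
IPV4 = r"\b(?:\d{1,3}\.){3}\d{1,3}\b"
IPV4_STRICT = r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
IPV6_FULL = r"\b(?:[A-Fa-f0-9]{1,4}:){7}[A-Fa-f0-9]{1,4}\b"
SEQUENCE_EXE = r"[0-9][0-9][0-9][0-9]?\.exe"
DOUBLE_DRIVER_EXE = r".*Driver.*Driver.*\.exe.*"


def parse_fields(message: str) -> Dict[str, str]:
    """Split a Sysmon message body into its 'Key: Value' fields."""
    fields: Dict[str, str] = {}
    for line in message.splitlines():
        key, sep, value = line.partition(": ")
        if sep:  # lines without ': ' (e.g. the title line) carry no field
            fields[key.strip()] = value.strip()
    return fields


def find_events(events: List[dict], pattern: str,
                event_id: Optional[int] = None,
                regex: bool = True) -> List[dict]:
    """Return the events whose message matches `pattern`.

    regex=True applies the pattern as written (case-sensitive, like the
    README examples); regex=False performs a free-text, case-insensitive
    substring search. `event_id` optionally restricts the search to one ID.
    """
    compiled = re.compile(pattern) if regex else re.compile(re.escape(pattern), re.IGNORECASE)
    return [e for e in events
            if (event_id is None or e["event_id"] == event_id)
            and compiled.search(e["message"])]


def processes_for_ip(events: List[dict], ip: str) -> List[str]:
    """Images (executables) that connected to `ip`, from Event ID 3 records."""
    images = []
    for e in events:
        if e["event_id"] != 3:
            continue
        fields = parse_fields(e["message"])
        if fields.get("DestinationIp") == ip:
            images.append(fields["Image"])
    return images


if __name__ == "__main__":
    print("Connected to 203.0.113.25:", processes_for_ip(SAMPLE_EVENTS, "203.0.113.25"))
    for name, pat in [("IPV4", IPV4), ("IPV4_STRICT", IPV4_STRICT),
                      ("IPV6_FULL", IPV6_FULL), ("SEQUENCE_EXE", SEQUENCE_EXE),
                      ("DOUBLE_DRIVER_EXE", DOUBLE_DRIVER_EXE)]:
        print(f"{name}: {len(find_events(SAMPLE_EVENTS, pat))} event(s)")
```

Running the script shows that the loose IPV4 pattern also hits the "FileVersion: 1.0.301.5" line while the strict variant does not, and that the IPV6 pattern finds the expanded address but not "2001:db8::1"; both are worth remembering when a regex search returns more, or fewer, events than expected.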

Security

The program encrypts the stored password so that no other application can access the credentials used.

Requirements

  1. https://github.com/mikeHack23/SYSMON_INSTALL
  2. https://download.visualstudio.microsoft.com/download/pr/06239090-ba0c-46e2-ad3e-6491b877f481/c5e4ab5e344eb3bdc3630e7b5bc29cd7/windowsdesktop-runtime-6.0.21-win-x64.exe

Video

https://youtu.be/uzA-QOV--mo

Audit

  • a .log file in the "SysmonFind_Log" folder
  • a .log file in the "\AppData\Local\SysmonFind" folder
