Microsoft releases Linux version of the Windows Sysmon tool

Microsoft has released a Linux version of the very popular Sysmon system monitoring tool for Windows, allowing Linux administrators to monitor devices for malicious activity.

For those unfamiliar with Sysmon (aka System Monitor), it is a Sysinternals tool that monitors a system for malicious activity and then logs the recorded behavior to the system logs.

Sysmon’s versatility comes from the ability to create custom configuration files that administrators can use to monitor specific system events that may indicate malicious activity on the system.

Sysmon is ported to Linux

Today, Microsoft’s Mark Russinovich, one of the founders of the Sysinternals utility suite, announced that Microsoft has released Sysmon for Linux as an open source project on GitHub.

Unlike Sysmon for Windows, Linux users must compile the program themselves and ensure that they have all the necessary dependencies; the instructions are on the project’s GitHub page.

It is important to note that to compile Sysmon, you must first install the SysinternalsEBPF project as well.

Once Sysmon is compiled, you can view its help output by running sudo ./sysmon -h, as shown in the screenshot below.

Help file for Sysmon for Linux
Source: BleepingComputer

To use the program, you must first accept the end user license agreement with the following command:

sudo ./sysmon -accepteula

You can then start Sysmon with or without a configuration file using one of the following commands:

Without configuration file:

sudo ./sysmon -i

With configuration file:

sudo ./sysmon -i CONFIG_FILE

To create your own Sysmon configuration file, you will need to run the ./sysmon -s command to print the configuration schema for the current version and see which directives are available.

To learn more about creating a Sysmon configuration file, see the official documentation or use the SwiftOnSecurity template as an example.

Basic Windows Sysmon configuration file that enables DNSQuery logging
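As an added example that is not code from the article or the Sysmon project, the Python below embeds a constructed Sysmon for Linux configuration and checks it against the event list further down: which rule sections it contains, which event IDs they cover, and which sections target event types that have no Linux equivalent. The schemaversion value 4.81, and the inclusion of named pipe and clipboard events in the Windows-only set, are assumptions; take the real schema version from the output of sudo ./sysmon -s.

```python
"""Added example (not from the article or the Sysmon project): a small Sysmon for
Linux configuration plus a checker that reports which rule sections target event
types the article notes as not applying to Linux."""
from xml.etree import ElementTree as ET

# Config section name -> event ID(s) from the article's event list. Only the
# sections used below are mapped; the full set is in the schema that `sysmon -s` prints.
SECTION_EVENT_IDS = {
    "ProcessCreate": (1,),
    "NetworkConnect": (3,),
    "ProcessTerminate": (5,),
    "FileCreate": (11,),
    "RegistryEvent": (12, 13, 14),
    "WmiEvent": (19, 20, 21),
    "DnsQuery": (22,),
    "FileDelete": (23,),
}

# The article names registry and WMI events as not applying to Linux; named pipe
# and clipboard events are added to that set here as an assumption.
WINDOWS_ONLY = {"RegistryEvent", "WmiEvent", "PipeEvent", "ClipboardChange"}

# Constructed example configuration. The schemaversion is an assumption: use the
# version printed by `sudo ./sysmon -s` on your own build.
EXAMPLE_CONFIG = """<Sysmon schemaversion="4.81">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 1: log every process start except the log viewer itself -->
      <ProcessCreate onmatch="exclude">
        <Image condition="end with">/sysmonLogView</Image>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 3: only log outbound connections to remote-admin ports -->
      <NetworkConnect onmatch="include">
        <DestinationPort condition="is">22</DestinationPort>
        <DestinationPort condition="is">3389</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 5: an include section with no rules logs nothing, which
           silences the noisy process-exit events -->
      <ProcessTerminate onmatch="include"/>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Deliberate mistake for the checker: registry events have no Linux source -->
      <RegistryEvent onmatch="include"/>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""


def schema_version(config_xml):
    """Return the schemaversion attribute of the root <Sysmon> element."""
    return ET.fromstring(config_xml).get("schemaversion")


def rule_sections(config_xml):
    """List (section name, onmatch, number of rules) for every rule section."""
    root = ET.fromstring(config_xml)
    out = []
    for section in root.iterfind("EventFiltering/RuleGroup/*"):
        out.append((section.tag, section.get("onmatch"), len(list(section))))
    return out


def windows_only_sections(config_xml):
    """Names of rule sections that will never produce an event on Linux."""
    return [tag for tag, _, _ in rule_sections(config_xml) if tag in WINDOWS_ONLY]


def event_ids_covered(config_xml):
    """Sorted event IDs that the configuration has a rule section for."""
    ids = set()
    for tag, _, _ in rule_sections(config_xml):
        ids.update(SECTION_EVENT_IDS.get(tag, ()))
    return sorted(ids)


if __name__ == "__main__":
    print("schema", schema_version(EXAMPLE_CONFIG))
    for section in rule_sections(EXAMPLE_CONFIG):
        print(section)
    print("covers event IDs", event_ids_covered(EXAMPLE_CONFIG))
    print("Windows-only sections", windows_only_sections(EXAMPLE_CONFIG))
```

The checker only inspects the XML structure; it does not validate rule conditions, which is what sysmon -s and Sysmon's own config parsing are for. Its value is the quick answer to the question the article raises: which of the event types you have configured can actually fire on a Linux host.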

Once started, Sysmon will begin logging events to the /var/log/syslog file. If you have not specified a configuration file to restrict what is logged, you will find that your syslog file grows rapidly as new processes start and end.

For example, in the screenshot below you can see an event showing the ‘adduser’ command exiting after I used it to create a new user.

Sysmon events logged in /var/log/syslog
Source: BleepingComputer

To make it easier to filter the logs for specific events, you can use the sysmonLogView tool to display only the events you are looking for.

The event IDs that the current Sysmon for Linux build can log are listed below:

  • 1: SYSMONEVENT_CREATE_PROCESS
  • 2: SYSMONEVENT_FILE_TIME
  • 3: SYSMONEVENT_NETWORK_CONNECT
  • 4: SYSMONEVENT_SERVICE_STATE_CHANGE
  • 5: SYSMONEVENT_PROCESS_TERMINATE
  • 6: SYSMONEVENT_DRIVER_LOAD
  • 7: SYSMONEVENT_IMAGE_LOAD
  • 8: SYSMONEVENT_CREATE_REMOTE_THREAD
  • 9: SYSMONEVENT_RAWACCESS_READ
  • 10: SYSMONEVENT_ACCESS_PROCESS
  • 11: SYSMONEVENT_FILE_CREATE
  • 12: SYSMONEVENT_REG_KEY
  • 13: SYSMONEVENT_REG_SETVALUE
  • 14: SYSMONEVENT_REG_NAME
  • 15: SYSMONEVENT_FILE_CREATE_STREAM_HASH
  • 16: SYSMONEVENT_SERVICE_CONFIGURATION_CHANGE
  • 17: SYSMONEVENT_CREATE_NAMEDPIPE
  • 18: SYSMONEVENT_CONNECT_NAMEDPIPE
  • 19: SYSMONEVENT_WMI_FILTER
  • 20: SYSMONEVENT_WMI_CONSUMER
  • 21: SYSMONEVENT_WMI_BINDING
  • 22: SYSMONEVENT_DNS_QUERY
  • 23: SYSMONEVENT_FILE_DELETE
  • 24: SYSMONEVENT_CLIPBOARD
  • 25: SYSMONEVENT_PROCESS_IMAGE_TAMPERING
  • 26: SYSMONEVENT_FILE_DELETE_DETECTED
  • 255: SYSMONEVENT_ERROR

As you can see, many of these events, such as the Registry and WMI events, do not apply to Linux, so you will need to adjust your configuration accordingly.
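As an added example that is not part of the article, the Python below does the filtering job described for sysmonLogView over constructed syslog lines: it pulls the Sysmon XML record out of each line, labels it with the event names from the list above, filters by event ID, and pairs process create (ID 1) with process terminate (ID 5) records by ProcessId, which is how the ‘adduser’ exit event in the screenshot relates to its start. The sample lines, hostname, PIDs and IP address are constructed, and the record layout is a simplified approximation (assumption) of what Sysmon for Linux writes.

```python
"""Added example (not from the article or the Sysmon project): parse Sysmon for
Linux events out of /var/log/syslog lines and filter them by event ID."""
import re
from collections import Counter
from datetime import datetime
from xml.etree import ElementTree as ET

# Event IDs and names as the article lists them (Linux-relevant subset).
EVENT_NAMES = {
    1: "SYSMONEVENT_CREATE_PROCESS",
    3: "SYSMONEVENT_NETWORK_CONNECT",
    5: "SYSMONEVENT_PROCESS_TERMINATE",
    11: "SYSMONEVENT_FILE_CREATE",
    23: "SYSMONEVENT_FILE_DELETE",
    255: "SYSMONEVENT_ERROR",
}

# Syslog header ("Oct 14 20:21:46 host sysmon: ") followed by one <Event> per line.
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s[\d:]{8}\s(\S+)\ssysmon:\s(<Event>.*</Event>)\s*$"
)

# Constructed sample (assumption: simplified layout, not real captured data).
SAMPLE_SYSLOG = """\
Oct 14 20:21:46 ubuntu sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID><Computer>ubuntu</Computer></System><EventData><Data Name="UtcTime">2021-10-14 20:21:46.129</Data><Data Name="ProcessId">4242</Data><Data Name="Image">/usr/sbin/adduser</Data><Data Name="CommandLine">adduser testuser</Data><Data Name="User">root</Data></EventData></Event>
Oct 14 20:21:47 ubuntu sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>3</EventID><Computer>ubuntu</Computer></System><EventData><Data Name="UtcTime">2021-10-14 20:21:47.001</Data><Data Name="ProcessId">4301</Data><Data Name="Image">/usr/bin/curl</Data><Data Name="DestinationIp">203.0.113.10</Data><Data Name="DestinationPort">443</Data></EventData></Event>
Oct 14 20:21:48 ubuntu sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>5</EventID><Computer>ubuntu</Computer></System><EventData><Data Name="UtcTime">2021-10-14 20:21:48.230</Data><Data Name="ProcessId">4242</Data><Data Name="Image">/usr/sbin/adduser</Data></EventData></Event>
Oct 14 20:21:49 ubuntu kernel: [ 1234.5678] usb 1-1: new high-speed USB device
"""


def parse_sysmon_line(line):
    """Return a dict for a Sysmon syslog line, or None for any other line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    host, xml_text = m.groups()
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None  # truncated or malformed record: skip rather than crash
    event_id = int(root.findtext("System/EventID"))
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("EventData/Data")}
    return {
        "host": host,
        "event_id": event_id,
        "event_name": EVENT_NAMES.get(event_id, "SYSMONEVENT_UNKNOWN"),
        "data": data,
    }


def parse_syslog(text):
    """All Sysmon events in a syslog text, in file order."""
    return [e for e in (parse_sysmon_line(l) for l in text.splitlines()) if e]


def filter_events(events, event_ids):
    """Keep only events whose ID is in event_ids (what you would look for with sysmonLogView)."""
    wanted = set(event_ids)
    return [e for e in events if e["event_id"] in wanted]


def count_by_event(events):
    """How many records each event ID produced; shows which IDs inflate syslog."""
    return Counter(e["event_id"] for e in events)


def process_lifetimes(events):
    """Pair ID 1 (create) with ID 5 (terminate) by ProcessId; seconds each process lived."""
    fmt = "%Y-%m-%d %H:%M:%S.%f"
    started, lifetimes = {}, {}
    for e in events:
        pid, when = e["data"].get("ProcessId"), e["data"].get("UtcTime")
        if not pid or not when:
            continue
        stamp = datetime.strptime(when, fmt)
        if e["event_id"] == 1:
            started[pid] = stamp
        elif e["event_id"] == 5 and pid in started:
            lifetimes[pid] = (stamp - started.pop(pid)).total_seconds()
    return lifetimes


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_SYSLOG)
    for e in filter_events(evs, {1, 3}):
        print(e["event_id"], e["event_name"], e["data"].get("Image"))
    print(dict(count_by_event(evs)), process_lifetimes(evs))
```

Run it against the real file with parse_syslog(open("/var/log/syslog").read()) and count_by_event will tell you immediately which event IDs are responsible for the rapid growth the article mentions, which is the input you need for tightening the configuration.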

Sysmon is a powerful tool that is widely used in Windows environments as part of an organization’s security toolbox.

With the addition of Linux support, a whole new segment of system administrators can use it to monitor their systems for malicious activity at no cost.
