Detecting a Cyber Attack Part 2 (Sysmon – Create a verbose custom view)

As covered in the previous blog, Sysmon is very powerful for logging and alerting. However, its logs are buried deep in the folder structure of Event Viewer, so ideally we want quick access to them when threat hunting locally on an asset. (We will cover centralising logs later in the series, or have a read of our previous blog series on building a free SIEM solution. The Sysmon part is here if you want to take a look: https://blog.2code-monte.co.uk/2019/07/06/set-up-windows-event-forwarding-with-sysmon-using-group-policy-free-siem-part-3/)

Back to today's blog. We don't want to go searching for Sysmon logs every time, and sometimes we want a different level of logging, either verbose or brief depending on how much information we wish to see, which is where custom views come in handy. In this demo we will create a verbose view that shows every Sysmon event; in later demos we will create custom views for very specific logs and events. As we are starting from scratch here, we want to see everything.

You'll find the Sysmon logs under Event Viewer > Applications and Services Logs > Microsoft > Windows > Sysmon > Operational, so let's open up Event Viewer and create our custom view. (Although we are using Windows 7 here in our lab, the steps are exactly the same in Windows 10.)

Type eventvwr in the search bar

Below we see the native location of the Sysmon logs.

Select Create Custom View on the right-hand side of Event Viewer and complete the steps as shown. Remember we are creating a verbose view, so it will return a lot of events.

Tick all the boxes
Select Sysmon from the dropdown
Select All Task Categories
Select all keywords
The completed form should look like this
Give the view a name and a description (in our lab the view would not save without a description).
We can see our custom view at the top left of Event Viewer.
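The wizard above is really just building an XPath query over the Sysmon/Operational channel, and the XML tab of the Create Custom View dialog shows it. The following PowerShell is an added example, not from the original post, that does the same job from the command line: it checks the channel exists, pulls the events the verbose view would show and summarises them by Event ID so you can see how noisy "everything" is, then writes the view out as a file you can load with Action > Import Custom View. The view name, description and output path are our own choices; the ViewerConfig layout is the one Event Viewer writes when you export a custom view.

```powershell
# Added example (not from the original post): build the "everything from Sysmon"
# custom view in PowerShell instead of the Event Viewer wizard.
# Assumes Sysmon is installed and this runs from an elevated PowerShell prompt.

$Channel = 'Microsoft-Windows-Sysmon/Operational'

# The channel only exists once the Sysmon service has been installed, so check
# for it before doing anything else.
if (-not (Get-WinEvent -ListLog $Channel -ErrorAction SilentlyContinue)) {
    throw "Channel '$Channel' not found. Is Sysmon installed on this host?"
}

# With every level, task category and keyword ticked, the wizard's query
# reduces to "select every event in the channel", which in XPath is "*".
$Query = @"
<QueryList>
  <Query Id="0" Path="$Channel">
    <Select Path="$Channel">*</Select>
  </Query>
</QueryList>
"@

# 1. Run the same query the view would run and count events per Event ID.
#    A verbose view floods you with process creates and network connects;
#    this shows the mix before you start hunting in it.
$Events = Get-WinEvent -FilterXml $Query -MaxEvents 2000 -ErrorAction Stop
$Events |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object @{ Name = 'EventId'; Expression = { $_.Name } }, Count |
    Format-Table -AutoSize

# 2. Save the view in the format Event Viewer uses for Export/Import Custom View.
#    Name, description and output path are our choices (assumptions).
$ViewName = 'Sysmon - Verbose'
$ViewDesc = 'All Sysmon events: every level, task category and keyword'
$ViewXml = @"
<ViewerConfig>
  <QueryConfig>
    <QueryParams>
      <UserQuery />
    </QueryParams>
    <QueryNode>
      <Name>$ViewName</Name>
      <Description>$ViewDesc</Description>
$Query
    </QueryNode>
  </QueryConfig>
</ViewerConfig>
"@

$OutFile = Join-Path $env:USERPROFILE 'Desktop\Sysmon-Verbose.xml'
Set-Content -Path $OutFile -Value $ViewXml -Encoding UTF8
Write-Host "Custom view saved to $OutFile (Event Viewer > Action > Import Custom View...)"
```

Because the saved XML is just the query, the same file can be dropped onto other lab machines, which avoids clicking through the wizard on every host. The per-Event-ID counts are also a useful sanity check that Sysmon is actually writing events before you rely on the view for hunting.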

That’s it! Simple right? In the next blog we will use this view to do some basic malware hunting.