Link Search Menu Expand Document

date: 2016-03-29

I began my driver project because I couldn’t find what I wanted, unbeknown to me that sysmon existed and is exactly what I wanted (well for the first stage). I wanted a kernel driver to like a blackbox record every process that is created and destroyed and tell me the hash along with the process lineage. you can grab it from

I can then couple this with NxLog, to ship the events to a log platform of your choice eg (Splunk Ossim ELK) to name a few, for my toy i’ll use splunk simply because it has many addons available, and i’ll be keen to try out the virustotal checker with the hashes that sysmon generates, I can then also setup alerts for suspicious process lineage (call chains).  Plenty of reference material at any sandboxing sites like

Searching for opensource edr lead me to this article I have played with El Jefe before and was impressed, but it lacked stability and documentation, the others are new to me so i’ll be exploring them soon.

Sites like do charge but you get to rule out more known good files.


Good reference for processing the data particularly using Microsoft Logparser and the script for building up a hash set.

I installed logparser and copied the dll and exe from C:\Program Files (x86)\Log Parser 2.2 to C:\Windows\System32 and then ran the following commands

robocopy C:\Windows\system32\winevt\Logs c:\temp *sysmon*.evtx

logparser -i:evt -o:csv “Select RecordNumber,TO_UTCTIME(TimeGenerated),EventID,SourceName,ComputerName,SID,Strings from c:\temp\Microsoft-Windows-Sysmon%4Operational.evtx WHERE EventID in (‘1’;’2’;’3’;’4’;’5’;’6’;’7’;’8’)” > c:\temp\sysmon_parsed.txt

had to install package so cd c:\python27\scripts

pip install httplib2

fetched script from

python c:\temp\ -f c:\temp\sysmon_parsed.txt -t SHA1 > c:\temp\Sha1Hashes.txt

fetched virustotalchecker from

need to set the api key in settings.xml

cd c:\temp\vtchecker
virustotalchecker.exe -m c -f c:\temp\sha1Hashes.txt -o c:\temp\

You should have a list of detection ratios, and maybe failed lookups however this failed lookups file does not like excel so open it with a text editor.

Updated 18/07/2016:

Data sizing is estimated around 1GB per month, 3.08GB  (29 Mar 16:20 » 18 Jul 10:51) 3,993,495 Events