Microsoft loves Linux header

Microsoft has released a Linux version of the very popular Sysmon system monitoring utility for Windows, allowing Linux administrators to monitor devices for malicious activity. 

For those not familiar with Sysmon (aka System Monitor), it is a Sysinternals tool that monitors a system for malicious activity and then logs any detected behavior into system log files.

Sysmon's versatility comes from the ability to create custom configuration files that administrators can use to monitor for specific system events that may indicate malicious activity is occurring on the system.

Sysmon ported to Linux

Today, Microsoft's Mark Russinovich and a cofounder of the Sysinternals utility suite, announced that Microsoft had released Sysmon for Linux as an open-source project on GitHub.

Unlike Sysmon for Windows, Linux users will be required to compile the program themselves and ensure that they have all the required dependencies, with instructions provided on the project's GitHub page.

It is important to note that to compile Sysmon, you must first also install the SysinternalsEBPF project.

Once Sysmon is compiled, you can see a help file by typing sudo ./sysmon -h, as shown in the screenshot below.

Sysmon for Linux help file
Sysmon for Linux help file
Source: BleepingComputer

To use the program, you first need to accept the end-user license agreement with the following command:

sudo ./sysmon -accepteula

Then you can launch Sysmon with or without a configuration file using one of the following commands:

Without configuration file:

sudo ./sysmon -i

With configuration file:

sudo ./sysmon -i CONFIG_FILE

To create your own Sysmon configuration file, you would need to use ./sysmon -s command to view the current version's configuration schema and see what directives are available.

To learn more about creating a Sysmon configuration file, you can consult the official documentation or use SwiftOnSecurity's template as an example.

Basic Windows Sysmon config file that enables DNSQuery Logging
Basic Windows Sysmon config file that enables DNSQuery Logging

Once started, Sysmon will begin logging events to the /var/log/syslog file. If you did not specify a configuration file to restrict what is logged, you will find that your syslog file quickly grows as new processes are launched and terminated.

For example, in the screenshot below, you can see an event showing the 'adduser' command terminating after I used it to create a new user.

Sysmon evensts logged to /var/log/syslog
Sysmon events logged to /var/log/syslog
Source: BleepingComputer

To make it easier to filter the logs for specific events, you can use the sysmonLogView utility to show the events you are looking for.

The current events IDs that Sysmon for Linux is capable of logging are listed below:

  • 1: SYSMONEVENT_CREATE_PROCESS
  • 2: SYSMONEVENT_FILE_TIME
  • 3: SYSMONEVENT_NETWORK_CONNECT
  • 4: SYSMONEVENT_SERVICE_STATE_CHANGE
  • 5: SYSMONEVENT_PROCESS_TERMINATE
  • 6: SYSMONEVENT_DRIVER_LOAD
  • 7: SYSMONEVENT_IMAGE_LOAD
  • 8: SYSMONEVENT_CREATE_REMOTE_THREAD
  • 9: SYSMONEVENT_RAWACCESS_READ
  • 10: SYSMONEVENT_ACCESS_PROCESS
  • 11: SYSMONEVENT_FILE_CREATE
  • 12: SYSMONEVENT_REG_KEY
  • 13: SYSMONEVENT_REG_SETVALUE
  • 14: SYSMONEVENT_REG_NAME
  • 15: SYSMONEVENT_FILE_CREATE_STREAM_HASH
  • 16: SYSMONEVENT_SERVICE_CONFIGURATION_CHANGE
  • 17: SYSMONEVENT_CREATE_NAMEDPIPE
  • 18: SYSMONEVENT_CONNECT_NAMEDPIPE 
  • 19: SYSMONEVENT_WMI_FILTER
  • 20: SYSMONEVENT_WMI_CONSUMER
  • 21: SYSMONEVENT_WMI_BINDING
  • 22: SYSMONEVENT_DNS_QUERY
  • 23: SYSMONEVENT_FILE_DELETE
  • 24: SYSMONEVENT_CLIPBOARD
  • 25: SYSMONEVENT_PROCESS_IMAGE_TAMPERING
  • 26: SYSMONEVENT_FILE_DELETE_DETECTED
  • 255: SYSMONEVENT_ERROR

As you can see, many of these events do not apply to Linux, such as the Registry or WMI events, so you will need to adjust your configuration accordingly.

Sysmon is a powerful tool widely used in Windows environments as part of an organization's security toolbox.

With its addition to Linux, a whole new segment of system administrators can utilize it to provide free system monitoring for malicious activity.

Related Articles:

Microsoft Sysmon now detects when executables files are created

Decade-old Linux ‘wall’ bug helps make fake SUDO prompts, steal passwords

Windows 11, Tesla, and Ubuntu Linux hacked at Pwn2Own Vancouver

KDE advises extreme caution after theme wipes Linux user's files

Magnet Goblin hackers use 1-day flaws to drop custom Linux malware