A Node.js-based web application to simplify the creation, editing, and validation of Sysmon configuration files.
The Sysmon Configuration Builder is a web application designed to streamline the process of authoring and managing Sysmon configuration files. Sysmon, a powerful tool from Microsoft's Sysinternals suite, enhances Windows system monitoring by logging detailed events for threat detection and incident response. However, crafting effective Sysmon XML configurations can be complex due to intricate rule ordering and filtering logic. This application addresses these challenges by providing an intuitive interface for users to import, edit, and export valid Sysmon configurations, making the process accessible to users with varying expertise.
Developed for the Project 2 course at the School of Information and Communication Technology (SoICT), Hanoi University of Science and Technology (HUST), the application uses Node.js for the backend and HTML, CSS, and JavaScript for the frontend. Configurations produced with it were tested against the Sliver C2 framework, which was used to simulate adversary behaviour and confirm that the resulting rules log the corresponding Indicators of Compromise (IoCs).
- Configuration Import: Import Sysmon configurations in XML or TXT formats for easy editing.
- Dynamic Rule Editing: Add, modify, or delete RuleGroups, rules, and compound rules with dynamic forms supporting all Sysmon event types (Event IDs 1-29).
- Drag-and-Drop Reordering: Reorder RuleGroups, rules, and compound rules to ensure correct Sysmon rule precedence using SortableJS.
- Configuration Export: Export configurations as valid XML files, ready for use with Sysmon.
- Validation Support: Checks that configurations adhere to Sysmon's schema and best practices, catching errors such as inconsistent logical operators (groupRelation and/or values) across RuleGroups and compound rules.
- Adversary Emulation Testing: Validated using the Sliver C2 framework to detect IoCs such as process creation, network connections, registry modifications, and file operations. (Report)
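To make the validation and export features concrete, the following is an added example (not code from this project) of how a Sysmon configuration can be held in memory, checked for the mistakes listed above, and serialised back to XML. It is plain Node.js with no dependencies; the object model (`ruleGroups`, `filters`, `rules`, `fields`) and both sample configurations are constructed for illustration, and the duplicate-filter check encodes the assumption that an event type should carry at most one `include` and one `exclude` filter across the whole file.

```javascript
// Added example for this README, not the project's own code: an in-memory
// Sysmon config model, a validator, and an XML exporter (Node.js, no deps).
// Element/attribute names follow the Sysmon schema; the sample configs are
// constructed for illustration and the model shape is an assumption.

const CONDITIONS = new Set([
  'is', 'is not', 'contains', 'contains any', 'is any', 'contains all',
  'excludes', 'excludes any', 'excludes all', 'begin with', 'end with',
  'not begin with', 'not end with', 'less than', 'more than', 'image',
]);
const GROUP_RELATIONS = new Set(['and', 'or']);
const ONMATCH = new Set(['include', 'exclude']);
const XML_NAME = /^[A-Za-z][A-Za-z0-9]*$/; // event/field names become element names

// Returns a list of readable problems; an empty list means every check passed.
function validateConfig(config) {
  const errors = [];
  if (!config.schemaversion) errors.push('Sysmon: missing schemaversion');
  const seenFilters = new Set(); // "<event>/<onmatch>" pairs already used
  (config.ruleGroups || []).forEach((rg, i) => {
    const where = `RuleGroup[${i}]` + (rg.name ? ` (${rg.name})` : '');
    if (!GROUP_RELATIONS.has(rg.groupRelation)) {
      errors.push(`${where}: groupRelation must be "and" or "or", got "${rg.groupRelation}"`);
    }
    if (!rg.filters || rg.filters.length === 0) errors.push(`${where}: no event filter`);
    for (const f of rg.filters || []) {
      if (!XML_NAME.test(f.event || '')) errors.push(`${where}: invalid event name "${f.event}"`);
      const key = `${f.event}/${f.onmatch}`;
      if (!ONMATCH.has(f.onmatch)) {
        errors.push(`${where}/${f.event}: onmatch must be "include" or "exclude", got "${f.onmatch}"`);
      } else if (seenFilters.has(key)) {
        // Assumption of this example: one include and one exclude per event type.
        errors.push(`${where}/${f.event}: duplicate ${f.onmatch} filter for ${f.event}`);
      }
      seenFilters.add(key);
      (f.rules || []).forEach((r, j) => {
        const ruleWhere = `${where}/${f.event}/rule[${j}]`;
        if (r.fields) { // compound <Rule> wrapping several field conditions
          if (!GROUP_RELATIONS.has(r.groupRelation)) {
            errors.push(`${ruleWhere}: compound rule groupRelation must be "and" or "or"`);
          }
          r.fields.forEach((fld, k) => checkField(fld, `${ruleWhere}/field[${k}]`, errors));
        } else {
          checkField(r, ruleWhere, errors);
        }
      });
    }
  });
  return errors;
}

function checkField(field, where, errors) {
  if (!XML_NAME.test(field.name || '')) errors.push(`${where}: invalid field name "${field.name}"`);
  if (!CONDITIONS.has(field.condition)) errors.push(`${where}: unknown condition "${field.condition}"`);
  if (field.value === undefined || field.value === '') errors.push(`${where}: empty value`);
}

// Escape text and attribute values so user input cannot alter the XML structure.
function escapeXml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' })[c]);
}

function fieldXml(field, indent) {
  return `${indent}<${field.name} condition="${escapeXml(field.condition)}">${escapeXml(field.value)}</${field.name}>`;
}

// Serialise the model to Sysmon XML; rule order inside each filter is kept as given.
function toXml(config) {
  const lines = [`<Sysmon schemaversion="${escapeXml(config.schemaversion)}">`, '  <EventFiltering>'];
  for (const rg of config.ruleGroups) {
    const name = rg.name ? ` name="${escapeXml(rg.name)}"` : '';
    lines.push(`    <RuleGroup${name} groupRelation="${escapeXml(rg.groupRelation)}">`);
    for (const f of rg.filters) {
      lines.push(`      <${f.event} onmatch="${escapeXml(f.onmatch)}">`);
      for (const r of f.rules) {
        if (r.fields) {
          const rname = r.ruleName ? ` name="${escapeXml(r.ruleName)}"` : '';
          lines.push(`        <Rule${rname} groupRelation="${escapeXml(r.groupRelation)}">`);
          for (const fld of r.fields) lines.push(fieldXml(fld, '          '));
          lines.push('        </Rule>');
        } else {
          lines.push(fieldXml(r, '        '));
        }
      }
      lines.push(`      </${f.event}>`);
    }
    lines.push('    </RuleGroup>');
  }
  lines.push('  </EventFiltering>', '</Sysmon>');
  return lines.join('\n');
}

// Constructed sample: a ProcessCreate include filter with a plain rule and a
// compound rule, plus a NetworkConnect exclude filter.
const SAMPLE_CONFIG = {
  schemaversion: '4.90',
  ruleGroups: [
    { name: 'process creation', groupRelation: 'or', filters: [
      { event: 'ProcessCreate', onmatch: 'include', rules: [
        { name: 'Image', condition: 'end with', value: '\\cmd.exe' },
        { ruleName: 'encoded powershell', groupRelation: 'and', fields: [
          { name: 'Image', condition: 'end with', value: '\\powershell.exe' },
          { name: 'CommandLine', condition: 'contains', value: '-enc' },
        ] },
      ] },
    ] },
    { name: 'network noise', groupRelation: 'or', filters: [
      { event: 'NetworkConnect', onmatch: 'exclude', rules: [
        { name: 'DestinationPort', condition: 'is', value: '137' },
      ] },
    ] },
  ],
};

// Constructed sample containing the kinds of mistakes the validator reports.
const BROKEN_CONFIG = {
  schemaversion: '4.90',
  ruleGroups: [
    { groupRelation: 'AND', filters: [
      { event: 'ProcessCreate', onmatch: 'include', rules: [
        { name: 'Image', condition: 'ends with', value: '\\cmd.exe' },
      ] },
      { event: 'ProcessCreate', onmatch: 'include', rules: [
        { name: 'CommandLine', condition: 'contains', value: '' },
      ] },
    ] },
  ],
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(toXml(SAMPLE_CONFIG));
  console.log(validateConfig(BROKEN_CONFIG));
}
```

Run it with `node` to print the exported XML for the first sample and the four problems found in the second (uppercase `AND`, the misspelt `ends with` condition, a second `include` filter for `ProcessCreate`, and an empty value). The element-name check matters because event and field names are written directly as XML tags; everything else passes through `escapeXml`, so a rule value such as `<script>` cannot break out of its element.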
Demo videos: Import.mp4, AddRuleGroup.mp4, AddRuleCompoundRule.mp4, Drag.mp4, export.mp4
Project structure:

- css/ : styling files for the web interface
- example/ : sample Sysmon XML configuration files
- js/config.js : dynamic field mapping, UI logic, import/export
- js/configData.js : data parsing, format conversion, rule reconstruction
- js/ : other client-side scripts
- node_modules/ : third-party libraries and dependencies
- index.html : main HTML entry point for the web interface
- package.json : project metadata and dependencies
- package-lock.json : dependency lock file
- README.md : project documentation
- server.js : Node.js backend script for HTTP requests and static file serving
Download the project folder directly from GitHub. To run this project you need Node.js installed; then, from the project folder, install the dependencies and start the development server:

- `npm install`
- `npm run dev`

See LICENSE for more information.
This project is maintained by one maintainer:
- QuanPH - [email protected]/[email protected]