From baad960ea67e6c1ee662151049f34d5c0a42dee6 Mon Sep 17 00:00:00 2001 From: Techbrunch <1835765+Techbrunch@users.noreply.github.com> Date: Sun, 5 Apr 2026 18:27:43 +0200 Subject: [PATCH] Fix typos and spelling errors across documentation Corrects spelling mistakes and grammar issues across 13 markdown files, including misspelled words (e.g. "Windowss", "bellow", "recognisance"), missing/extra letters, and minor grammar fixes. Co-Authored-By: Claude Opus 4.6 --- README.md | 2 +- chapters/configuration.md | 30 +++++++++++++++--------------- chapters/dns-query.md | 2 +- chapters/eBPF.md | 2 +- chapters/file-block-exe.md | 2 +- chapters/file-blockshredding.md | 6 +++--- chapters/image-loading.md | 2 +- chapters/install_linux.md | 6 +++--- chapters/install_windows.md | 2 +- chapters/network-connections.md | 2 +- chapters/process-creation.md | 4 ++-- chapters/process-events.md | 8 ++++---- chapters/sysmon-changelog.md | 4 ++-- 13 files changed, 36 insertions(+), 36 deletions(-) diff --git a/README.md b/README.md index 111b459..74bef45 100644 --- a/README.md +++ b/README.md 
@@ -86,7 +86,7 @@ Table of Contents ## Current State: -Microsoft Sysinternals Sysmon is an ever changing piece of software provided by Microsoft free for its users. As such it is constantly being updated and new featured are added. As it relates to configurations this guide tries to be as open as possible since each environment is unique and recomendations are based on these contraints as much as possible. The guide is made Open Source so that as Sysmon evolves the comunity helps in expanding and maintaining the guide. +Microsoft Sysinternals Sysmon is an ever changing piece of software provided by Microsoft free for its users. As such it is constantly being updated and new features are added. As it relates to configurations this guide tries to be as open as possible since each environment is unique and recommendations are based on these constraints as much as possible. The guide is made Open Source so that as Sysmon evolves the community helps in expanding and maintaining the guide. ## Contributing diff --git a/chapters/configuration.md b/chapters/configuration.md index dd734b1..ceda88f 100644 --- a/chapters/configuration.md +++ b/chapters/configuration.md @@ -152,25 +152,25 @@ The main arguments that can be passed are: ``` ```bash -/ussr/bin/sysmon -u [force] +/usr/bin/sysmon -u [force] ``` * **-s** : Print schema ```shell -/ussr/bin/sysmon -s [schema version] +/usr/bin/sysmon -s [schema version] ``` * **-accepteula** : Accepts the license agreement ```shell -/ussr/bin/sysmon -accepteula +/usr/bin/sysmon -accepteula ``` * **--** : Resets the configuration to the default ```shell -/ussr/bin/sysmon -c -- +/usr/bin/sysmon -c -- ``` The option elements under the comment "Configuration file" allow for the configuration of filters and parameters that relate to filters. 
@@ -178,7 +178,7 @@ The option elements under the comment "Configuration file" allow for the configu * **-n** : Track network connections for specified process/processes. ```bash -/ussr/bin/sysmon -c -n [] +/usr/bin/sysmon -c -n [] ``` Filter Operators @@ -197,7 +197,7 @@ In the filters element under configuration is the list of operators that can be | excludes any | Excludes if any of the values match. (values are separate by ";" ) | image | Name of the image without the full path. | begins with | String value starts with the specified string. -| not begins with| String value does not starts with the specified string. +| not begins with| String value does not start with the specified string. | ends with | String value ends with the specified string. | not ends with| String value ends with the specified string. | LessThan | Numeric value is less than @@ -471,7 +471,7 @@ Under the events element each event that Sysmon generates is defined as an event We can filter on the Field Names defined in the data elements. They are defined as: -* **Name** : Name of filed +* **Name** : Name of field * **inType** : Type of data received in to the driver @@ -479,7 +479,7 @@ We can filter on the Field Names defined in the data elements. They are defined ![Fields definition](./media/image12.png) -As of the latest version we have defined as event types, one does need to be aware that not all fields and all event types will apply to both Sysmon fo Windows and Sysmon for Linux: +As of the latest version we have defined as event types, one does need to be aware that not all fields and all event types will apply to both Sysmon for Windows and Sysmon for Linux: * **NetworkConnect** - Network connections made by processes on the system; both TCP and UDP 
@@ -513,7 +513,7 @@ As of the latest version we have defined as event types, one does need to be awa * **ClipboardChange** - Stores and logs text that is stored in to the clipboard by processes and context of who stored the text. -* **ProcessTampering** - Detects some of the techniques of "hollow" and "herpaderp" where a process image is replace. +* **ProcessTampering** - Detects some of the techniques of "hollow" and "herpaderp" where a process image is replaced. * **FileDeleteDetected** - Only logs file deletion or file wipes. @@ -531,7 +531,7 @@ The presence of the CheckRevocation element is enough to allow for checking whet * EventType filters. -* EvenType Filters organized using RuleGroups +* EventType Filters organized using RuleGroups * EventType Filters organized in to Rule sets inside RuleGroups. @@ -591,7 +591,7 @@ in the registry. ![](./media/image20.png) -Since getting stated can be complex, some great resources that serve as starting points for Rule development and reference include: +Since getting started can be complex, some great resources that serve as starting points for Rule development and reference include: * Swift On Security configuration example @@ -614,7 +614,7 @@ Due to initial footprint and safety, most advanced attackers limit their actions This does not mean that an attacker will not use more advanced methods to enumerate controls and find Sysmon on the system. -Detection of Sysmon in Windowss is achieved by looking at the areas that cannot be changed. +Detection of Sysmon in Windows is achieved by looking at the areas that cannot be changed. **Indicator** | **Can it be Changed** ----------------------------| ----------------------- 
@@ -749,17 +749,17 @@ Tools that allow to recover the XML configuration file from the binary blob stor It is also important to monitor any process that access the Sysmon service process to prevent suspension of the process or modification of it in memory. -For Linux only the root account can read and modify the the sysmon configuration file and its binary info. But the syslog file on most systems +For Linux only the root account can read and modify the sysmon configuration file and its binary info. But the syslog file on most systems Configuration Deployment ------------------------ Most environments that have the capabilities to leverage Sysmon enhanced log collection also have software deployment systems like Altiris, System Center Configuration Manager, Desired State Configuration, etc for Windows in the case of Linux we can leverage Ansible, Chef, Puppet and many other solutions. This is why these are just general recommendations. -Sylog Message Size +Syslog Message Size ------------------ -Syslog message size limits are dictated by the syslog transport mapping in use. By default the rsyslog package which is one of the most popular packages in distributions limit the size to 1024 bytes. It is important to prevent parsing errors of the structured data to set max sizes that match the size and transport of the messages configured for your given Syslog package. This is achieved using the **FieldSizes** XML element and setting a size for the CommandLine and Image field sizes. We can specify the field and the length we want for the field like in the example bellow. +Syslog message size limits are dictated by the syslog transport mapping in use. By default the rsyslog package which is one of the most popular packages in distributions limit the size to 1024 bytes. It is important to prevent parsing errors of the structured data to set max sizes that match the size and transport of the messages configured for your given Syslog package. 
This is achieved using the **FieldSizes** XML element and setting a size for the CommandLine and Image field sizes. We can specify the field and the length we want for the field like in the example below. ```xml diff --git a/chapters/dns-query.md b/chapters/dns-query.md index 2e72a3f..58f35f9 100644 --- a/chapters/dns-query.md +++ b/chapters/dns-query.md @@ -66,7 +66,7 @@ The fields for the event are: * **ProcessId**: Process ID of the process that made the DNS query -* **QueryName**: DNS name that was queries +* **QueryName**: DNS name that was queried * **QueryStatus**: Query result status code diff --git a/chapters/eBPF.md b/chapters/eBPF.md index 2b5e83e..3bb7e49 100644 --- a/chapters/eBPF.md +++ b/chapters/eBPF.md 
@@ -11,7 +11,7 @@ sysinternalsEBPF ![eBPF](media/image64.png) -The eBPF library leverages a large library of Kernel memory offsets that are stored after installation in a JSON file at **/opt/sysinternalsEBPF/offsets.json** if the kernel is not one in the list it will do an auto discovery of the offsets and add them to **/opt/sysinternalsEBPF/sysinternalsEBPF_offsets.conf** There might be some cases where it will fail to do an autodiscovery of the offsets like in the case of a kernel update. In this case the service will fail to load and provide instructions on how to update the offsets. Bellow is the error that would be displayed in the case that autodiscovery fails. +The eBPF library leverages a large library of Kernel memory offsets that are stored after installation in a JSON file at **/opt/sysinternalsEBPF/offsets.json** if the kernel is not one in the list it will do an auto discovery of the offsets and add them to **/opt/sysinternalsEBPF/sysinternalsEBPF_offsets.conf** There might be some cases where it will fail to do an autodiscovery of the offsets like in the case of a kernel update. In this case the service will fail to load and provide instructions on how to update the offsets. Below is the error that would be displayed in the case that autodiscovery fails. ![Kernel Offset](media/image65.png) diff --git a/chapters/file-block-exe.md b/chapters/file-block-exe.md index cba9470..8c86486 100644 --- a/chapters/file-block-exe.md +++ b/chapters/file-block-exe.md @@ -48,7 +48,7 @@ A sample baseline ruleset can be: ``` -Bellow is an example rule set that covers some of the most common scenarios where actors will drop executables using malicious documents, in emails, +Below is an example rule set that covers some of the most common scenarios where actors will drop executables using malicious documents, in emails, ```XML diff --git a/chapters/file-blockshredding.md b/chapters/file-blockshredding.md index 59a0cf4..cea13d2 100644 --- a/chapters/file-blockshredding.md 
+++ b/chapters/file-blockshredding.md @@ -1,12 +1,12 @@ File Block EXE =========== -On version 14.1 of Sysmon the capability to log and block when a process is deleting a file by overwriting its file blocks. Events will be loggedusing **EventID 27**. This event type is found under schema version 4.83. +On version 14.1 of Sysmon the capability to log and block when a process is deleting a file by overwriting its file blocks. Events will be logged using **EventID 27**. This event type is found under schema version 4.83. ![minifilter](./media/image36.png) -The minidriver inspect the action that is being taken to see if it is a file block overwrite and if the header of the file for the MZ DOS Executable header. Some common processes on system that perform actions that may generate some false positives if all instances of the action is blocked. If this approach is follower a exclusion list should be used. An example of these are: +The minidriver inspect the action that is being taken to see if it is a file block overwrite and if the header of the file for the MZ DOS Executable header. Some common processes on system that perform actions that may generate some false positives if all instances of the action is blocked. If this approach is followed an exclusion list should be used. An example of these are: ```xml 
@@ -43,7 +43,7 @@ The minidriver inspect the action that is being taken to see if it is a file blo ``` -It is recommended to better block those files that an attacket would like to delete so as to hide their tracks that where part of a compromise at several stages. Now great care should be taken for those applications that update themself and some software management solutions that may trigger false positives for some of the files covered. Since this is a blocking action it is important to test before a configuration is pushed to host, after a deployment it is also important to minitor to prevent disruption in some environments. +It is recommended to better block those files that an attacker would like to delete so as to hide their tracks that were part of a compromise at several stages. Now great care should be taken for those applications that update themselves and some software management solutions that may trigger false positives for some of the files covered. Since this is a blocking action it is important to test before a configuration is pushed to host, after a deployment it is also important to monitor to prevent disruption in some environments. ```XML diff --git a/chapters/image-loading.md b/chapters/image-loading.md index 0798878..48e1d0e 100644 --- a/chapters/image-loading.md +++ b/chapters/image-loading.md @@ -138,7 +138,7 @@ Configuration Examples - + jscript9.dll mshta.exe diff --git a/chapters/install_linux.md b/chapters/install_linux.md index d7a09fc..8521cf6 100644 --- a/chapters/install_linux.md +++ b/chapters/install_linux.md 
@@ -1,7 +1,7 @@ Install and Configuration ========================= -Installation under Linux varies given that each Linux distribution and even version of each differ slightly in the steps to install the packages for sysinternalsEBPF and sysmonforlinux. The package installation steps for each distribution and is maintained in github at . The solution can be compiled and installed from source but it is not recommended for a production environment since it will add more complexity in the tracking of versions of dependencies and also introduced other packages that can be abused by an attacker if they gain access tto the system. +Installation under Linux varies given that each Linux distribution and even version of each differ slightly in the steps to install the packages for sysinternalsEBPF and sysmonforlinux. The package installation steps for each distribution and is maintained in github at . The solution can be compiled and installed from source but it is not recommended for a production environment since it will add more complexity in the tracking of versions of dependencies and also introduces other packages that can be abused by an attacker if they gain access to the system. The package installation process will create a sysmon elf binary as /usr/bin/sysmon this binary will be used to install and configure the service. @@ -28,7 +28,7 @@ Installation The key parameter that initiates the installation mode of Sysmon is the **-i** switch. The installation process will be as follows: -* Decompresses and copy of itself in to **/opt/sysmon** +* Decompresses and copies itself in to **/opt/sysmon** * Creates a systemd service 
@@ -47,7 +47,7 @@ To uninstall Sysmon, a binary with the same name as the main service, if renamed When executed the command will run a series of steps to uninstall the service and remove files for the tool from **/opt/sysmon**. -The value of **force** can be passed to the **-u** parameter fo force uninstallation. +The value of **force** can be passed to the **-u** parameter to force uninstallation. ```bash /opt/sysmon/sysmon -u force diff --git a/chapters/install_windows.md b/chapters/install_windows.md index b8eb287..4cf2617 100644 --- a/chapters/install_windows.md +++ b/chapters/install_windows.md @@ -84,7 +84,7 @@ One important thing to keep in mind when obfuscating the driver name and service Process for x86 --------------- -![x86 bit insall process](./media/image6.png) +![x86 bit install process](./media/image6.png) x64 Process ----------- diff --git a/chapters/network-connections.md b/chapters/network-connections.md index 00b8732..7ff969a 100644 --- a/chapters/network-connections.md +++ b/chapters/network-connections.md @@ -168,7 +168,7 @@ This configuration only logs network connections from Windows built-in tools and sc.exe wmic.exe wscript.exe - driverquery.exe + driverquery.exe dsquery.exe hh.exe infDefaultInstall.exe diff --git a/chapters/process-creation.md b/chapters/process-creation.md index 8059da5..d3af5d8 100644 --- a/chapters/process-creation.md +++ b/chapters/process-creation.md @@ -47,11 +47,11 @@ The fields on a process creation event are: * **ProcessGuid** -- Unique process GUID generated by Sysmon. -* **ProcessId** -- Process ID represented as a integer number. +* **ProcessId** -- Process ID represented as an integer number. * **Image** -- Full path of the executable image that was executed. -* **FileVersion** -- File version filed in the image metadata. (Windows Only) +* **FileVersion** -- File version field in the image metadata. (Windows Only) * **Description** -- Description field in the image metadata.(Windows Only) 
diff --git a/chapters/process-events.md b/chapters/process-events.md index f2d6cab..1f0c6cc 100644 --- a/chapters/process-events.md +++ b/chapters/process-events.md @@ -4,7 +4,7 @@ Process Events Sysmon can log process creation, process termination and process access events. For Windows the process events are captured via ObjRegisterCallbacks at the kernel level using its driver, and contain a unique, deterministically generated ProcessGuid and LogonGuid that are unique to their process instance and LSA logon session respectively. -The ProcessGuid and LoginGuid make tracking individual process and users much easier. The ProcessGuid attribute is used in all events associated with its process, and, unlike a ProcessID, will not be reused by the host system later. The LogonGuid attribute similarly is assigned to a login session of a particular user, and will not be reused later as a LoginID would. +The ProcessGuid and LogonGuid make tracking individual process and users much easier. The ProcessGuid attribute is used in all events associated with its process, and, unlike a ProcessID, will not be reused by the host system later. The LogonGuid attribute similarly is assigned to a login session of a particular user, and will not be reused later as a LogonID would. ![ProcessGUID Source](./media/image31.png) @@ -20,7 +20,7 @@ In Linux the process for generating the ProcessGuid is similar to Windows with t ![Linux ProcessGUID Source](./media/image66.png) -The ProcessGUIs is referenced in several events under different names. +The ProcessGUID is referenced in several events under different names. ![ProcessGUID Relation](./media/image32.png) 
@@ -35,11 +35,11 @@ All processes associated to a unique logon session can be mapped using the Logon For Windows -![LogonGuide Source](./media/image68.png) +![LogonGuid Source](./media/image68.png) For Linux -![Linux LogonGuide Source](./media/image67.png) +![Linux LogonGuid Source](./media/image67.png) When a user logs onto on a modern version of Windows (Windows 2016/10) they will have 2 Logon IDs assigned if: diff --git a/chapters/sysmon-changelog.md b/chapters/sysmon-changelog.md index a6915bf..d1a67b3 100644 --- a/chapters/sysmon-changelog.md +++ b/chapters/sysmon-changelog.md @@ -9,6 +9,6 @@ | 12.01 | 4.40 | * Security and bug fix release, resolves a PipeEvent processing issue and adds extra checks to kernel writes. | October 16, 2020 | | 12.0 | 4.40 | * Added support to capture text stored in to the clipboard by a process. | September 17, 2020 | | 11.11 | 4.4 | * Fixes a bug that prevented USB media from being ejected.
* Fixes an issue that could stop network event logging and a resulting memory leak.
* Fixes logs file delete events for delete-on-close files. | July 15, 2020 | -| 11.1 | 4.31 | * For Event ID 15 “Content field was added to save text streams of less than 1k.
* The –a commandline option has been removed. The custom archive directory must be set via configuration file.
* Fix Issue where EventID 1 was not logged on Windowds 2016 and Windows 10.
* Fix rule parsing issue. | June 24, 2020 | -| 11.0 | 4.30 | * Control Reverse DNS Lookup.
* Log file deletions and story copy of the file.
* Bug Fixes. | April 28, 2020 | +| 11.1 | 4.31 | * For Event ID 15 “Content field was added to save text streams of less than 1k.
* The –a commandline option has been removed. The custom archive directory must be set via configuration file.
* Fix Issue where EventID 1 was not logged on Windows 2016 and Windows 10.
* Fix rule parsing issue. | June 24, 2020 | +| 11.0 | 4.30 | * Control Reverse DNS Lookup.
* Log file deletions and store copy of the file.
* Bug Fixes. | April 28, 2020 | | 10.42 | 4.23 | * Memory leaks in DNS, Networking and Image load events
* Bug fixes including filtering, rule group names, NULL process GUIDS and W3LOGSVC interop issue
* Increased rule name field length from 32 to 128 characters
* Added “excludes any” and “excludes all” filtering conditions.
* Performance improvements for ImageLoad module | December 11, 2019 | \ No newline at end of file
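Review bot: in the configuration.md `@@ -152,25` hunk the `-u`, `-s`, `-accepteula` and `-c --` paths are fixed from `/ussr/bin/sysmon` to `/usr/bin/sysmon`, but the `-c -n` example two hunks later (`@@ -178,7`) is fixed separately while the prose in configuration.md still writes several "in to" forms on lines this patch already touches ("Type of data received in to the driver", "organized in to Rule sets inside RuleGroups", "text that is stored in to the clipboard"); since the PR's stated scope is spelling across these files, normalise "in to" to "into" on the touched lines in the same pass so the chapter is consistent.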
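Review bot: the `not ends with` row in the filter-operators table (configuration.md, hunk `@@ -197,7`) still reads "String value ends with the specified string", which is the description of the `ends with` row directly above it, so the table documents the negated operator as its opposite. This hunk already corrects the sibling row to "does not start with"; change the context line to `| not ends with| String value does not end with the specified string.` in the same hunk.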
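Review bot: the `+` line in the configuration.md `@@ -479,7` hunk fixes "fo Windows" but keeps the garbled lead sentence "As of the latest version we have defined as event types, one does need to be aware that ...", which has no object after "defined". Suggest "As of the latest version the following event types are defined; be aware that not all fields and event types apply to both Sysmon for Windows and Sysmon for Linux:" so the list that follows has a grammatical introduction.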
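Review bot: the corrected line in the configuration.md `@@ -749,17` hunk still ends mid-sentence ("But the syslog file on most systems") in both the `-` and `+` versions, so the patch ships a truncated sentence as reviewed text. The preceding clause makes a security point (only root can read or modify the Linux configuration file and its binary blob) and the dangling "But" is evidently about to contrast that with the syslog output's permissions; either finish the thought in this PR or leave the line untouched and open a follow-up, rather than marking it corrected.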
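Review bot: in the Syslog Message Size paragraph (configuration.md, same `@@ -749,17` hunk, `+` line) the subject and verb disagree: "the rsyslog package which is one of the most popular packages in distributions limit the size to 1024 bytes" should read "limits the size", and the following sentence "It is important to prevent parsing errors of the structured data to set max sizes that match ..." reads more clearly as "To prevent parsing errors of the structured data it is important to set maximum sizes that match ...". Both are on a line the patch already rewrites.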
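Review bot: the eBPF.md `@@ -11,7` hunk only swaps "Bellow" for "Below" and leaves the rewritten `+` line as one run-on: "... a JSON file at **/opt/sysinternalsEBPF/offsets.json** if the kernel is not one in the list it will do an auto discovery of the offsets and add them to **/opt/sysinternalsEBPF/sysinternalsEBPF_offsets.conf** There might be some cases ...". Add a full stop after `offsets.json` (capitalising "If") and after `sysinternalsEBPF_offsets.conf`, and write "autodiscovery" consistently, since the same line uses both "auto discovery" and "autodiscovery".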
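Review bot: the `+` line in the file-block-exe.md `@@ -48,7` hunk ends with "drop executables using malicious documents, in emails," followed directly by the blank line and the `XML` fence, so the sentence is cut off with a trailing comma. The patch should not present it as corrected without either completing the list or ending it with a period; if the continuation is unknown, leave the line out of this typo pass.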
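Review bot: the file-blockshredding.md `@@ -1,12` hunk fixes "loggedusing" and "follower a" but leaves three grammar defects on the very lines it rewrites: the opening sentence "On version 14.1 of Sysmon the capability to log and block when a process is deleting a file by overwriting its file blocks." has no main verb (it needs "was added" or similar), "The minidriver inspect the action" should be "inspects", and "if all instances of the action is blocked" should be "are blocked". Separately, the file's title in the hunk context is "File Block EXE" while the body describes EventID 27 file-block overwriting (shredding), which looks like a copy-paste leftover from the file-block-exe.md chapter; worth confirming with the maintainer before merging a docs-wide spelling pass that leaves the misleading heading in place.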
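Review bot: the rewritten first paragraph of install_linux.md (`@@ -1,7` hunk, `+` line) keeps the stray conjunction in "The package installation steps for each distribution and is maintained in github at", which has no second clause; drop the "and" (or make it "are documented and maintained") since the line is already being edited for "introduces" and "to the system". In the `@@ -28,7` hunk of the same file, "copies itself in to **/opt/sysmon**" should be "into".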
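Review bot: the process-events.md `@@ -4,7` hunk corrects LoginGuid/LoginID to LogonGuid/LogonID but leaves "make tracking individual process and users much easier" on the same `+` line; it should read "individual processes and users". While touching this file, the `@@ -35,11` hunk's unchanged context line "When a user logs onto on a modern version of Windows (Windows 2016/10)" has a doubled preposition; drop "on".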
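Review bot: in the 11.1 row of sysmon-changelog.md (`@@ -9,6` hunk, the `+` line that fixes "Windowds"), "The –a commandline option has been removed" uses an en dash rather than an ASCII hyphen, unlike every other switch on this page (`-u`, `-s`, `-c`, `-accepteula`), so a reader copying the flag gets a character Sysmon will not parse as a switch; since the row is already being rewritten, change it to `-a`. The same cell opens a curly quote in "For Event ID 15 “Content field was added" that is never closed; either close it after "Content" or remove it.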