The Lack of a Sysmon Configuration Schema

The core of effective Sysmon use is in writing good XML configurations. If you’re new to Sysmon and want to learn more about writing configs, I recommend any of the following resources:

Other than those, you won't find much official documentation, as Sysmon is technically not an "official Microsoft product." Another thing you won't find is a schema describing the format of an XML configuration. Why does this matter? As new features that can be expressed in a config file are released, how do you actually know how to use them without fumbling around yourself or waiting for someone else to show you what's new?

Now, technically, there are schemas embedded in sysmon.exe itself, so you could certainly run strings.exe on it, or pull them out more surgically with IDA, and you would find that it uses antiquated DTD schemas to perform XML validation. There are a few problems there, namely:

1. Why should I have to extract a schema with strings.exe? A command-line switch to dump it would be really nice, just as the "-s" switch dumps the event log manifest XML.
2. DTD is far from being an expressive schema language.
3. As of the latest Sysmon schema version (3.40), the embedded schema doesn't even validate, because it contains duplicate RegistryEvent and WmiEvent element definitions.

Ideally, Sysmon should ship with an XSD. What benefits would this offer?

1. XSD lets you define simple and complex types and impose restrictions (patterns, enumerations, value ranges) on the data an XML document instance may contain. In other words, if written well, it would serve as sufficient documentation for those wanting to write Sysmon configs.
2. XSDs enable code generation via xsd.exe. With an XSD, I would be able to auto-generate C# that would let me [de]serialize Sysmon configs to and from managed code.
3. An XSD more easily facilitates writing tooling to validate an XML document against the schema. You can technically do this with a DTD as well, but again, DTD is not expressive, so your validation will only get you so far.
4. With an XSD, tools like Visual Studio give you tab completion and automatic XML document generation when writing XML.
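As an added illustration of points 1 and 3 (this is not code from the original post or from PSSysmonTools), the following PowerShell validates a Sysmon config against an XSD using .NET's XmlReader. The XSD here is a constructed, deliberately tiny subset of the Sysmon config format: it covers only the Sysmon root, HashAlgorithms, and a ProcessCreate rule group with Image rules, and it enumerates only a handful of the real condition values. Its purpose is to show restrictions a DTD cannot express, such as the schemaversion pattern; the real schema is much larger.

```powershell
# Added example: XSD validation of a Sysmon config with System.Xml.
# The schema below is a constructed subset for illustration only.
$xsd = @'
<?xml version="1.0" encoding="utf-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">
  <!-- A DTD cannot constrain attribute text to a pattern like "3.40" -->
  <xs:simpleType name="SchemaVersionType">
    <xs:restriction base="xs:string">
      <xs:pattern value="[0-9]+\.[0-9]+"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:simpleType name="OnMatchType">
    <xs:restriction base="xs:string">
      <xs:enumeration value="include"/>
      <xs:enumeration value="exclude"/>
    </xs:restriction>
  </xs:simpleType>
  <!-- Subset of Sysmon's real condition keywords, for brevity -->
  <xs:simpleType name="ConditionType">
    <xs:restriction base="xs:string">
      <xs:enumeration value="is"/>
      <xs:enumeration value="contains"/>
      <xs:enumeration value="end with"/>
      <xs:enumeration value="image"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:complexType name="RuleType">
    <xs:simpleContent>
      <xs:extension base="xs:string">
        <xs:attribute name="condition" type="ConditionType" use="optional" default="is"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
  <xs:element name="Sysmon">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="HashAlgorithms" type="xs:string" minOccurs="0"/>
        <xs:element name="EventFiltering" minOccurs="0">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="ProcessCreate" minOccurs="0" maxOccurs="unbounded">
                <xs:complexType>
                  <xs:sequence>
                    <xs:element name="Image" type="RuleType" minOccurs="0" maxOccurs="unbounded"/>
                  </xs:sequence>
                  <xs:attribute name="onmatch" type="OnMatchType" use="required"/>
                </xs:complexType>
              </xs:element>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
      <xs:attribute name="schemaversion" type="SchemaVersionType" use="required"/>
    </xs:complexType>
  </xs:element>
</xs:schema>
'@

# Hypothetical helper name; returns the list of validation messages (empty when the config is valid).
function Test-ConfigAgainstXsd {
    param([string]$ConfigXml, [string]$SchemaXml)
    $errors = New-Object System.Collections.Generic.List[string]
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.ValidationType = [System.Xml.ValidationType]::Schema
    $schemaReader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader $SchemaXml))
    $null = $settings.Schemas.Add($null, $schemaReader)
    # The reader raises one event per violation instead of throwing on the first one.
    $settings.add_ValidationEventHandler({
        param($sender, $e)
        $errors.Add(("line {0}: {1}" -f $e.Exception.LineNumber, $e.Message))
    }.GetNewClosure())
    $reader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader $ConfigXml), $settings)
    while ($reader.Read()) { }   # walking the document drives validation
    $reader.Dispose()
    return $errors
}

# Constructed sample configs: one well-formed, one with three schema violations.
$goodConfig = @'
<Sysmon schemaversion="3.40">
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <ProcessCreate onmatch="include">
      <Image condition="end with">powershell.exe</Image>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>
'@
$badConfig = @'
<Sysmon schemaversion="latest">
  <EventFiltering>
    <ProcessCreate onmatch="includes">
      <Image condition="equals">powershell.exe</Image>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>
'@

Test-ConfigAgainstXsd -ConfigXml $goodConfig -SchemaXml $xsd
Test-ConfigAgainstXsd -ConfigXml $badConfig -SchemaXml $xsd
```

The second call should report the bad schemaversion (pattern violation), the misspelled onmatch value and the unknown condition keyword, each with its line number; the first should return nothing. A DTD could express the two enumerations, but not the version pattern, and it offers no typed datatypes at all, which is the expressiveness gap the post is pointing at.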

So rather than incessantly complain about the lack of a proper Sysmon configuration schema (I’ll probably still do that anyway), I just wrote my own and in doing so, it enabled the development of a bunch of new tools in my PSSysmonTools PowerShell module. The remainder of this post will show these tools in action.