2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -86,7 +86,7 @@ Table of Contents

## Current State:

Microsoft Sysinternals Sysmon is an ever changing piece of software provided by Microsoft free for its users. As such it is constantly being updated and new featured are added. As it relates to configurations this guide tries to be as open as possible since each environment is unique and recomendations are based on these contraints as much as possible. The guide is made Open Source so that as Sysmon evolves the comunity helps in expanding and maintaining the guide.
Microsoft Sysinternals Sysmon is an ever changing piece of software provided by Microsoft free for its users. As such it is constantly being updated and new features are added. As it relates to configurations this guide tries to be as open as possible since each environment is unique and recommendations are based on these constraints as much as possible. The guide is made Open Source so that as Sysmon evolves the community helps in expanding and maintaining the guide.

## Contributing

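Review bot: the replacement line still carries two small wording issues worth fixing in the same commit: `ever changing` should be hyphenated as `ever-changing`, and `As such it is constantly being updated` reads better with a comma after `As such`. The typo fixes themselves (featured → features, recomendations, contraints, comunity) are correct.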
39 changes: 18 additions & 21 deletions chapters/configuration.md
Expand Up @@ -96,7 +96,7 @@ sysmon.exe -c --

The option elements under the comment "Configuration file" allow for the configuration of filters and parameters that relate to filters.

* **-h** : Hashing algorithm to has images. (Windows Only)
* **-h** : Hashing algorithm to hash images. (Windows Only)

```shell
sysmon.exe -c -h <sha1|sha2|md5|imphash|*>
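Review bot: the corrected bullet reads `Hashing algorithm to hash images`, which repeats itself; `Hashing algorithm used to hash images` says the same thing without the repetition. Minor.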
Expand All @@ -123,7 +123,7 @@ sysmon.exe -c -k [<process,...>]
* **-l** : Track modules (DLLs) loaded by a specified process/processes. (Windows Only)

```shell
sysmon.exe -c -k [<process,...>]
sysmon.exe -c -l [<process,...>]
```

* **-d** : Rename the sysmon driver during install (8 character limit) (Windows Only)
Expand Down Expand Up @@ -152,33 +152,33 @@ The main arguments that can be passed are:
```

```bash
/ussr/bin/sysmon -u [force]
/usr/bin/sysmon -u [force]
```

* **-s** : Print schema

```shell
/ussr/bin/sysmon -s [schema version]
/usr/bin/sysmon -s [schema version]
```

* **-accepteula** : Accepts the license agreement

```shell
/ussr/bin/sysmon -accepteula
/usr/bin/sysmon -accepteula
```

* **--** : Resets the configuration to the default

```shell
/ussr/bin/sysmon -c --
/usr/bin/sysmon -c --
```

The option elements under the comment "Configuration file" allow for the configuration of filters and parameters that relate to filters.

* **-n** : Track network connections for specified process/processes.

```bash
/ussr/bin/sysmon -c -n [<process,...>]
/usr/bin/sysmon -c -n [<process,...>]
```

Filter Operators
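Review bot: the code fences in this hunk alternate between ```bash (the `-u [force]` and `-c -n` examples) and ```shell (the `-s`, `-accepteula` and `-c --` examples) although all of them are the same kind of Linux command-line example; pick one tag for the whole list. The `/ussr` → `/usr` path corrections are right.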
Expand All @@ -197,9 +197,9 @@ In the filters element under configuration is the list of operators that can be
| excludes any | Excludes if any of the values match. (values are separate by ";" )
| image | Name of the image without the full path.
| begins with | String value starts with the specified string.
| not begins with| String value does not starts with the specified string.
| not begins with| String value does not start with the specified string.
| ends with | String value ends with the specified string.
| not ends with| String value ends with the specified string.
| not ends with| String value does not end with the specified string.
| LessThan | Numeric value is less than
| MoreThan | Numeric value is more than
| Contain Any | Contains any of the values. (values are separate by ";" )
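Review bot: the `excludes any` and `Contain Any` rows in this hunk still say `values are separate by ";"`; that should be `separated by`. The `LessThan` and `MoreThan` rows also lack the trailing period every other row has, and `Contain Any` is capitalised differently from the lowercase operator names around it; worth checking the casing against the schema output before changing it.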
Expand Down Expand Up @@ -471,15 +471,15 @@ Under the events element each event that Sysmon generates is defined as an event

We can filter on the Field Names defined in the data elements. They are defined as:

* **Name** : Name of filed
* **Name** : Name of field

* **inType** : Type of data received in to the driver

* **outType** : Data type the data is presented as

![Fields definition](./media/image12.png)

As of the latest version we have defined as event types, one does need to be aware that not all fields and all event types will apply to both Sysmon fo Windows and Sysmon for Linux:
As of the latest version we have defined as event types, one does need to be aware that not all fields and all event types will apply to both Sysmon for Windows and Sysmon for Linux:

* **NetworkConnect** - Network connections made by processes on the system; both TCP and UDP

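Review bot: the corrected sentence `As of the latest version we have defined as event types, one does need to be aware that ...` is still hard to parse even with `fo` fixed; suggest `The event types defined as of the latest version are listed below; be aware that not all fields and event types apply to both Sysmon for Windows and Sysmon for Linux:`. In the same hunk, the unchanged `Type of data received in to the driver` should read `into`.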
Expand Down Expand Up @@ -513,7 +513,7 @@ As of the latest version we have defined as event types, one does need to be awa

* **ClipboardChange** - Stores and logs text that is stored in to the clipboard by processes and context of who stored the text.

* **ProcessTampering** - Detects some of the techniques of "hollow" and "herpaderp" where a process image is replace.
* **ProcessTampering** - Detects some of the techniques of "hollow" and "herpaderp" where a process image is replaced.

* **FileDeleteDetected** - Only logs file deletion or file wipes.

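Review bot: on the `ProcessTampering` line, `some of the techniques of "hollow" and "herpaderp"` would be clearer as `process hollowing and process herpaderping`, the names these techniques are usually documented under. The `replace` → `replaced` fix is right.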
Expand All @@ -531,7 +531,7 @@ The presence of the CheckRevocation element is enough to allow for checking whet

* EventType filters.

* EvenType Filters organized using RuleGroups
* EventType Filters organized using RuleGroups

* EventType Filters organized in to Rule sets inside RuleGroups.

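Review bot: `EvenType` → `EventType` is correct; the next list item, `EventType Filters organized in to Rule sets inside RuleGroups.`, should use `into`, and the capitalisation of `filters`/`Filters` differs between the three items in this list.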
Expand Down Expand Up @@ -573,9 +573,6 @@ For RuleGroups, Rules and Filters use comments to organize filters and to provid

![](./media/image19.png)

Hash configurations that are deployed and keep a log of them for later
verification.

Hash configurations that are deployed and keep a log of them for later verification.
On a system where the Sysmon service process consumes a lot of CPU resources, the number of filters and operators should be reviewed. The operators that use slightly more CPU are:

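Review bot: removing the duplicated, line-wrapped copy of the `Hash configurations ...` paragraph is the right fix, but the remaining copy (`Hash configurations that are deployed and keep a log of them for later verification.`) is immediately followed by `On a system where the Sysmon service process consumes a lot of CPU resources ...` with no blank line between them, so Markdown renders both as one paragraph. Add a blank line between the two.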
Expand All @@ -591,7 +588,7 @@ in the registry.

![](./media/image20.png)

Since getting stated can be complex, some great resources that serve as starting points for Rule development and reference include:
Since getting started can be complex, some great resources that serve as starting points for Rule development and reference include:

* Swift On Security configuration example
<https://github.com/SwiftOnSecurity/sysmon-config>
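Review bot: `getting stated` → `getting started` is correct. Small point in the same hunk: the bullet reads `Swift On Security configuration example`, while the project name in the URL on the next line is written `SwiftOnSecurity`; use the latter.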
Expand All @@ -614,7 +611,7 @@ Due to initial footprint and safety, most advanced attackers limit their actions

This does not mean that an attacker will not use more advanced methods to enumerate controls and find Sysmon on the system.

Detection of Sysmon in Windowss is achieved by looking at the areas that cannot be changed.
Detection of Sysmon in Windows is achieved by looking at the areas that cannot be changed.

**Indicator** | **Can it be Changed**
----------------------------| -----------------------
Expand Down Expand Up @@ -749,17 +746,17 @@ Tools that allow to recover the XML configuration file from the binary blob stor

It is also important to monitor any process that access the Sysmon service process to prevent suspension of the process or modification of it in memory.

For Linux only the root account can read and modify the the sysmon configuration file and its binary info. But the syslog file on most systems
For Linux only the root account can read and modify the sysmon configuration file and its binary info. But the syslog file on most systems

Configuration Deployment
------------------------

Most environments that have the capabilities to leverage Sysmon enhanced log collection also have software deployment systems like Altiris, System Center Configuration Manager, Desired State Configuration, etc for Windows in the case of Linux we can leverage Ansible, Chef, Puppet and many other solutions. This is why these are just general recommendations.

Sylog Message Size
Syslog Message Size
------------------

Syslog message size limits are dictated by the syslog transport mapping in use. By default the rsyslog package which is one of the most popular packages in distributions limit the size to 1024 bytes. It is important to prevent parsing errors of the structured data to set max sizes that match the size and transport of the messages configured for your given Syslog package. This is achieved using the **FieldSizes** XML element and setting a size for the CommandLine and Image field sizes. We can specify the field and the length we want for the field like in the example bellow.
Syslog message size limits are dictated by the syslog transport mapping in use. By default the rsyslog package which is one of the most popular packages in distributions limit the size to 1024 bytes. It is important to prevent parsing errors of the structured data to set max sizes that match the size and transport of the messages configured for your given Syslog package. This is achieved using the **FieldSizes** XML element and setting a size for the CommandLine and Image field sizes. We can specify the field and the length we want for the field like in the example below.

```xml
<Sysmon schemaversion="4.81">
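Review bot: the sentence `For Linux only the root account can read and modify the sysmon configuration file and its binary info. But the syslog file on most systems` is truncated in both the old and the new version; the `the the` fix is fine, but the fragment still needs finishing (what about the syslog file on most systems?) before this is merged. In the Syslog Message Size paragraph, `the rsyslog package which is one of the most popular packages in distributions limit the size` needs `limits`, and `It is important to prevent parsing errors of the structured data to set max sizes that match ...` reads better as `To prevent parsing errors of the structured data, set max sizes that match ...`.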
2 changes: 1 addition & 1 deletion chapters/dns-query.md
Expand Up @@ -66,7 +66,7 @@ The fields for the event are:

* **ProcessId**: Process ID of the process that made the DNS query

* **QueryName**: DNS name that was queries
* **QueryName**: DNS name that was queried

* **QueryStatus**: Query result status code

2 changes: 1 addition & 1 deletion chapters/eBPF.md
Expand Up @@ -11,7 +11,7 @@ sysinternalsEBPF

![eBPF](media/image64.png)

The eBPF library leverages a large library of Kernel memory offsets that are stored after installation in a JSON file at **/opt/sysinternalsEBPF/offsets.json** if the kernel is not one in the list it will do an auto discovery of the offsets and add them to **/opt/sysinternalsEBPF/sysinternalsEBPF_offsets.conf** There might be some cases where it will fail to do an autodiscovery of the offsets like in the case of a kernel update. In this case the service will fail to load and provide instructions on how to update the offsets. Bellow is the error that would be displayed in the case that autodiscovery fails.
The eBPF library leverages a large library of Kernel memory offsets that are stored after installation in a JSON file at **/opt/sysinternalsEBPF/offsets.json** if the kernel is not one in the list it will do an auto discovery of the offsets and add them to **/opt/sysinternalsEBPF/sysinternalsEBPF_offsets.conf** There might be some cases where it will fail to do an autodiscovery of the offsets like in the case of a kernel update. In this case the service will fail to load and provide instructions on how to update the offsets. Below is the error that would be displayed in the case that autodiscovery fails.

![Kernel Offset](media/image65.png)

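Review bot: the corrected line still runs three sentences together: there is no punctuation after `**/opt/sysinternalsEBPF/offsets.json**` before `if the kernel is not one in the list`, nor after `**/opt/sysinternalsEBPF/sysinternalsEBPF_offsets.conf**` before `There might be some cases`. Suggest `... at **/opt/sysinternalsEBPF/offsets.json**. If the kernel is not one in the list, it will auto-discover the offsets and add them to **/opt/sysinternalsEBPF/sysinternalsEBPF_offsets.conf**. There might be ...`. The line also uses both `auto discovery` and `autodiscovery`; pick one spelling.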
6 changes: 3 additions & 3 deletions chapters/file-block-exe.md
@@ -1,7 +1,7 @@
File Block EXE
===========

On version 14.0 of Sysmon the capability to block the creation of executables by a process was added, this is the first event type where Sysmon takes a block action on a rule match. Sysmon relies on its filter driver, Sysmon can log the creation of files and information on what process is the the file using **EventID 27**. This event type is found under schema version
On version 14.0 of Sysmon the capability to block the creation of executables by a process was added, this is the first event type where Sysmon takes a block action on a rule match. Sysmon relies on its filter driver, Sysmon can log the creation of files and information on what process is creating the file using **EventID 27**. This event type is found under schema version 4.82.


![minifilter](./media/image36.png)
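Review bot: adding the missing `4.82` completes the cut-off sentence and matches the `schemaversion="4.82"` used in the example rule set further down this file, so that part is right. Still on this line, `Sysmon relies on its filter driver, Sysmon can log the creation of files ...` is a comma splice; suggest `Relying on its filter driver, Sysmon can log the creation of files and information on what process is creating the file using **EventID 27**.`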
Expand All @@ -13,7 +13,7 @@ Sysmon will not generate any alert on screen for the user once it takes the acti

### Event information

The file delete event fields are:
The file block EXE event fields are:

* **RuleName**: Name of rule that triggered the event

Expand Down Expand Up @@ -48,7 +48,7 @@ A sample baseline ruleset can be:
</Sysmon>
```

Bellow is an example rule set that covers some of the most common scenarios where actors will drop executables using malicious documents, in emails,
Below is an example rule set that covers some of the most common scenarios where actors will drop executables using malicious documents or in emails.

```XML
<Sysmon schemaversion="4.82">
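Review bot: the fence that opens the example rule set after the corrected sentence is tagged ```XML, while the other XML blocks in this PR (chapters/configuration.md, chapters/file-blockshredding.md) use lowercase ```xml; use the lowercase tag here too so highlighting is consistent. The `Bellow` → `Below` fix and the reworked sentence ending are fine.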
8 changes: 4 additions & 4 deletions chapters/file-blockshredding.md
@@ -1,12 +1,12 @@
File Block EXE
File Block Shredding
===========

On version 14.1 of Sysmon the capability to log and block when a process is deleting a file by overwriting its file blocks. Events will be loggedusing **EventID 27**. This event type is found under schema version 4.83.
On version 14.1 of Sysmon the capability to log and block when a process is deleting a file by overwriting its file blocks. Events will be logged using **EventID 28**. This event type is found under schema version 4.83.


![minifilter](./media/image36.png)

The minidriver inspect the action that is being taken to see if it is a file block overwrite and if the header of the file for the MZ DOS Executable header. Some common processes on system that perform actions that may generate some false positives if all instances of the action is blocked. If this approach is follower a exclusion list should be used. An example of these are:
The minidriver inspect the action that is being taken to see if it is a file block overwrite and if the header of the file for the MZ DOS Executable header. Some common processes on system that perform actions that may generate some false positives if all instances of the action is blocked. If this approach is followed an exclusion list should be used. An example of these are:

```xml
<FileBlockShredding onmatch="exclude">
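Review bot: the EventID 27 → 28 change and the title fix are right (27 is the File Block EXE event in the previous file), but the sentence `On version 14.1 of Sysmon the capability to log and block when a process is deleting a file by overwriting its file blocks.` still has no main verb; add `was added` after `file blocks`. Two lines down, `The minidriver inspect the action ... and if the header of the file for the MZ DOS Executable header` needs `inspects` and something like `and checks whether the file header is the MZ DOS executable header`, and `Some common processes on system that perform actions that may generate some false positives if all instances of the action is blocked` is a fragment (`There are some common processes on a system whose actions may generate false positives if every instance is blocked.`).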
Expand Down Expand Up @@ -43,7 +43,7 @@ The minidriver inspect the action that is being taken to see if it is a file blo
</Rule>
</FileBlockShredding>
```
It is recommended to better block those files that an attacket would like to delete so as to hide their tracks that where part of a compromise at several stages. Now great care should be taken for those applications that update themself and some software management solutions that may trigger false positives for some of the files covered. Since this is a blocking action it is important to test before a configuration is pushed to host, after a deployment it is also important to minitor to prevent disruption in some environments.
It is recommended to better block those files that an attacker would like to delete so as to hide their tracks that were part of a compromise at several stages. Now great care should be taken for those applications that update themselves and some software management solutions that may trigger false positives for some of the files covered. Since this is a blocking action it is important to test before a configuration is pushed to host, after a deployment it is also important to monitor to prevent disruption in some environments.

```XML
<RuleGroup name="" groupRelation="or">
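Review bot: in the corrected paragraph, `pushed to host` should be `pushed to hosts`, and the long final sentence reads better split at `after a deployment`. The ```XML fence that follows it should be lowercase `xml` to match the fence at the top of this file. The `attacket`/`where`/`themself`/`minitor` fixes are all correct.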
2 changes: 1 addition & 1 deletion chapters/image-loading.md
Expand Up @@ -138,7 +138,7 @@ Configuration Examples
<RuleGroup name="" groupRelation="or">
<ImageLoad onmatch="include">
<!--Detect execution of HTA using the IE Javascript engine to bypass AMSI-->
<!--Note: Rule placed before Windows Scriptingh to ensure it triggers on this on case any other component is used.-->
<!--Note: Rule placed before Windows Scripting to ensure it triggers on this on case any other component is used.-->
<Rule groupRelation="and">
<ImageLoaded name="technique_id=T1170,technique_name=MSHTA with AMSI Bypass" condition="end with">jscript9.dll</ImageLoaded>
<Image condition="end with">mshta.exe</Image>
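Review bot: the comment still reads `to ensure it triggers on this on case any other component is used` after the `Scriptingh` fix; `on case` should be `in case`, and `triggers on this on case` is unclear. Suggest `<!--Note: Rule placed before Windows Scripting to ensure it triggers in case any other component is used.-->`.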
6 changes: 3 additions & 3 deletions chapters/install_linux.md
@@ -1,7 +1,7 @@
Install and Configuration
=========================

Installation under Linux varies given that each Linux distribution and even version of each differ slightly in the steps to install the packages for sysinternalsEBPF and sysmonforlinux. The package installation steps for each distribution and is maintained in github at <https://github.com/Sysinternals/SysmonForLinux/blob/main/INSTALL.md>. The solution can be compiled and installed from source but it is not recommended for a production environment since it will add more complexity in the tracking of versions of dependencies and also introduced other packages that can be abused by an attacker if they gain access tto the system.
Installation under Linux varies given that each Linux distribution and even version of each differ slightly in the steps to install the packages for sysinternalsEBPF and sysmonforlinux. The package installation steps for each distribution and is maintained in github at <https://github.com/Sysinternals/SysmonForLinux/blob/main/INSTALL.md>. The solution can be compiled and installed from source but it is not recommended for a production environment since it will add more complexity in the tracking of versions of dependencies and also introduces other packages that can be abused by an attacker if they gain access to the system.

The package installation process will create a sysmon elf binary as /usr/bin/sysmon this binary will be used to install and configure the service.

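Review bot: `The package installation steps for each distribution and is maintained in github at ...` is still ungrammatical; drop `and` (`The package installation steps for each distribution are maintained on GitHub at ...`). The `introduced` → `introduces` and `tto` → `to` fixes are fine. The unchanged context line below it, `... as /usr/bin/sysmon this binary will be used ...`, also needs a period or semicolon after `/usr/bin/sysmon`.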
Expand All @@ -28,7 +28,7 @@ Installation

The key parameter that initiates the installation mode of Sysmon is the **-i** switch. The installation process will be as follows:

* Decompresses and copy of itself in to **/opt/sysmon**
* Decompresses and copies itself in to **/opt/sysmon**

* Creates a systemd service

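Review bot: `Decompresses and copies itself` is the right fix; in the same line `in to` should be `into` (`copies itself into **/opt/sysmon**`).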
Expand All @@ -47,7 +47,7 @@ To uninstall Sysmon, a binary with the same name as the main service, if renamed

When executed the command will run a series of steps to uninstall the service and remove files for the tool from **/opt/sysmon**.

The value of **force** can be passed to the **-u** parameter fo force uninstallation.
The value of **force** can be passed to the **-u** parameter to force uninstallation.

```bash
/opt/sysmon/sysmon -u force
2 changes: 1 addition & 1 deletion chapters/install_windows.md
Expand Up @@ -84,7 +84,7 @@ One important thing to keep in mind when obfuscating the driver name and service
Process for x86
---------------

![x86 bit insall process](./media/image6.png)
![x86 bit install process](./media/image6.png)

x64 Process
-----------
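Review bot: `x86 bit install process` still reads oddly, since there is no `x86 bit`; the heading above it is `Process for x86`, so `x86 install process` is enough for the alt text.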
2 changes: 1 addition & 1 deletion chapters/network-connections.md
Expand Up @@ -168,7 +168,7 @@ This configuration only logs network connections from Windows built-in tools and
<Image name="technique_id=T1031,technique_name=Modify Existing Service" condition="image">sc.exe</Image> <!--Microsoft:Windows: Remotely change Windows service settings from command line | Credit @ion-storm -->
<Image name="technique_id=T1047,technique_name=Windows Management Instrumentation" condition="image">wmic.exe</Image> <!--T1047--><!--Mitre T1135--><!--Microsoft:WindowsManagementInstrumentation: Credit @Cyb3rOps [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
<Image name="technique_id=T1218,technique_name=Signed Script Proxy Execution" condition="image">wscript.exe</Image> <!--Microsoft:WindowsScriptingHost: | Credit @arekfurt -->
<Image condition="image">driverquery.exe</Image> <!--Microsoft:Windows: Remote recognisance of system configuration, oudated/vulnerable drivers -->
<Image condition="image">driverquery.exe</Image> <!--Microsoft:Windows: Remote reconnaissance of system configuration, outdated/vulnerable drivers -->
<Image condition="image">dsquery.exe</Image> <!--Microsoft: Query Active Directory -->
<Image condition="image">hh.exe</Image> <!--Microsoft:Windows: HTML Help Executable, opens CHM files -->
<Image condition="image">infDefaultInstall.exe</Image> <!--Microsoft: [ https://github.com/huntresslabs/evading-autoruns ] | Credit @KyleHanslovan -->
4 changes: 2 additions & 2 deletions chapters/process-creation.md
Expand Up @@ -47,11 +47,11 @@ The fields on a process creation event are:

* **ProcessGuid** -- Unique process GUID generated by Sysmon.

* **ProcessId** -- Process ID represented as a integer number.
* **ProcessId** -- Process ID represented as an integer number.

* **Image** -- Full path of the executable image that was executed.

* **FileVersion** -- File version filed in the image metadata. (Windows Only)
* **FileVersion** -- File version field in the image metadata. (Windows Only)

* **Description** -- Description field in the image metadata.(Windows Only)

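Review bot: the unchanged `Description` line in this hunk is missing a space: `in the image metadata.(Windows Only)` should be `metadata. (Windows Only)`, matching the spacing on the `FileVersion` line. The `a integer` → `an integer` and `filed` → `field` fixes are correct.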