From 2a8f71fdacf05f9cab02db26a7275a36431a032d Mon Sep 17 00:00:00 2001 From: Eric Conrad Date: Thu, 7 Sep 2017 19:59:59 -0400 Subject: [PATCH] Update DeepWhite.md --- DeepWhite.md | 40 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/DeepWhite.md b/DeepWhite.md index 75b987a..6958886 100644 --- a/DeepWhite.md +++ b/DeepWhite.md @@ -1,6 +1,8 @@ # DeepWhite -Detective whitelisting using Sysmon event logs +Detective whitelisting using Sysmon event logs. + +Parses the Sysmon event logs, grabbing the SHA256 hashes from process creation (event 1), driver load (event 6, sys), and image load (event 7, DLL) events. ## VirusTotal and Whitelisting setup @@ -20,6 +22,42 @@ set-VTAPIKey -APIKey ``` The script assumes a personal API key, and waits 15 seconds between submissions. +## Sysmon setup + +Sysmon is required: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon + +Must log the SHA256 hash, DeepWhite will ignore the others. + +This minimal Sysmon 6.0 config will log the proper events/hashes: + +```xml + + + SHA256 + + + + microsoft + windows + + + + microsoft + windows + + + + + + + +``` +These are the events used by DeepBlueCLI and DeepWhite. + +You can go *much* further than this with Sysmon. The Sysinternals Sysmon page has a good basic configuration: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon + +Also see @swiftonsecurity's awesome sysmon config here: https://github.com/SwiftOnSecurity/sysmon-config + ## Generating a Whitelist Install hashdeep: https://github.com/jessek/hashdeep/releases
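Review bot: in the first hunk, the new README line "Parses the Sysmon event logs, grabbing the SHA256 hashes from process creation (event 1), driver load (event 6, sys), and image load (event 7, DLL) events." has no subject; suggest "DeepWhite parses the Sysmon event logs, collecting the SHA256 hashes ...". Since the later "Sysmon setup" section states that DeepWhite ignores hashes other than SHA256, it would help readers skimming the top of the file to add that qualifier here too, e.g. "(other hash algorithms are ignored)".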
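Review bot: in the second hunk, the ```xml block under "This minimal Sysmon 6.0 config will log the proper events/hashes:" shows only text values (SHA256, microsoft, windows) with no element tags around them, so as rendered here it is not verifiable as well-formed Sysmon configuration and does not visibly tie those values to the event 1, 6 and 7 rules the README relies on; please check the committed DeepWhite.md and confirm the full XML (with its HashAlgorithms and rule elements) is present and matches the claim "These are the events used by DeepBlueCLI and DeepWhite." Two smaller points in the same hunk: "Must log the SHA256 hash, DeepWhite will ignore the others." is a fragment with a comma splice, suggest "Sysmon must log the SHA256 hash; DeepWhite ignores the others."; and the Sysmon download URL https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon appears twice (once as the requirement, once for the basic configuration), so the second mention could simply refer back to the first.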