From 2b02f627e128a65e02907d56e01848a427eb0251 Mon Sep 17 00:00:00 2001 From: thejanit0r <84283998+thejanit0r@users.noreply.github.com> Date: Sun, 3 Dec 2023 01:56:22 +0100 Subject: [PATCH] Update configuration.md Added links to tools that can be used to convert the configuration binary blob stored in the registry back to XML --- chapters/configuration.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/chapters/configuration.md b/chapters/configuration.md index 25d6f70..91c49de 100644 --- a/chapters/configuration.md +++ b/chapters/configuration.md @@ -505,6 +505,11 @@ In the case of Windows any user in the system can read the rule binary data, an Existing tools for parsing rules out of the registry break often as Sysmon is updated, since the way the information is structured in the binary blob is not documented. However, an attacker can export and import into the test system and use Sysmon to read the configuration. +Tools that allow to recover the XML configuration file from the binary blob stored in the registry: + +- https://github.com/thejanit0r/sysmon-bin2xml +- https://github.com/mattifestation/PSSysmonTools + It is also important to monitor any process that access the Sysmon service process to prevent suspension of the process or modification of it in memory. For Linux only the root account can read and modify the the sysmon configuration file and its binary info. But the syslog file on most systems
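Review bot: the lead-in line of the added list, "Tools that allow to recover the XML configuration file from the binary blob stored in the registry:", is ungrammatical; suggest "Tools that can recover the XML configuration file from the binary blob stored in the registry:". Since the paragraph directly above this insertion warns that tools which parse rules out of the registry break often as Sysmon is updated because the blob format is undocumented, each of the two new entries would be more useful with the Sysmon or schema version it was last verified against, so readers know when that caveat applies to them. The two bare URLs would also read better in a markdown chapter as links with the tool name as link text, e.g. `- [sysmon-bin2xml](https://github.com/thejanit0r/sysmon-bin2xml)`.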