Sysmon processing / auxiliary module

[FernandoDoming]

Inspired by: #2042 a somewhat similar module for sysmon.

What I have added/changed is:

A Sysmon harvesting / processing module for Cuckoo. The guest needs to have Sysmon installed & configured for this to work.

The goal of my change is:

Get Sysmon information into Cuckoo.

What I have tested about my change is:

Deployed locally

[wroersma]

Hey one thing I noticed is that you don't have xmltodict added to be installed as well as the unit tests for this change in config file management.

[ThisIsNotMalware]

Awesome!

[cccs-kevin]

Note that this PR does not work out-of-the-box. As of v2.0.7+, the following changes are required on top of the file changes indicated in this PR:

• It is required to add "sysmon" to the RESULT_UPLOADABLE list in cuckoo/core/resultserver.py
• The xmltodictpython library needs to be installed (pip install xmltodict) as per Sysmon processing / auxiliary module #2518 (comment)
• Per Added Curtain module #2042 (comment), change os.system calls to subprocess.call to avoid potential injection, and use self.startupinfo as indicated in comment

In my setup, sysmon.exe was not running in my VM by default on startup so the following changes were required:

• Add sysmon.exe from https://download.sysinternals.com/files/Sysmon.zip to $CWD/analyzer/windows/bin/
• Add a start() method to the sysmon.py auxiliary module that uses sysmon.exe to make the following call: subprocess.call([os.path.join(self.analyzer.path, "bin", "sysmon.exe"), "-accepteula", "-i"], startupinfo=self.startupinfo)

Hopefully this is useful to someone...