There have been some very interesting recent papers and presentations regarding Sysmon 6.0 and detection of threats on endpoints using Windows logging.
Mark R. RSAC 2017 presentation
There are also some very interesting templates that can be applied to Sysmon 6.0 that help focus the logging on events that are relevant to endpoint investigations and threat detection. One of the best that I have seen so far is this one.
SwiftOnSecurity - GitHub sysmonconfig
There is also a very interesting summary and description of Sysmon and other templates and hunting processes here as well as presentations (the BotConf one is interesting)
MHaggis - GitHub - Sysmon DFIR
All of this is excellent but how do you get Sysmon 6.0 logs into NetWitness (NW) Logs and start using this knowledge to look for suspicious events in your environment (and by extension reduce you windows logging volumes to just those events that you need potentially).
Using the default Microsoft Windows Event Forwarding (WEF) that I have posted about previously I attempted to collect sysmon logs and pulling them into NW Logs to start using for reporting or alerting.
- Start with setting up WEF (WEC)
- Install Sysmon on that same Collection point so that the log would show up in the collection source option for the subscription (there may be a better way to do this but thats all I could figure out)
- Using the Sysmon template and Sysmon 6.0 I followed the steps to install, accept the eula and install as service
- Add that event source for the Subscription (after reboot) (Application And Service Logs - Microsoft - Windows - Sysmon - Operational)
- Now you are ready to pull in Sysmon logs, set up the client side
- On each client that you want to install Sysmon on, copy the sysmon 6.0 binary and the template and install as you did on the Collection server (
sysmon.exe -accepteula -i sysmonconfig-export.xml) - Reboot the client and now you should see the sysmon logs being created locally, and then hopefully captured by WEF and pulled centrally.
- Now with WEF set up properly you should see these events in NW Logs
- You can also add the collection log to your WinRM configuration so that you can collect Sysmon logs if you are not using WEF
- Add channel : Microsoft-Windows-Sysmon/Operational
Events will look like this using the native windows parsers
I also noticed that there was an app from MHaggis that calls out a number of events to check for that could be flagged to highlight events to look for that I have translated into an application rule that you could import to begin to flag on the really important stuff from Sysmon.
There are other interesting rules that appear to be possible, that will be investigated but if anyone has done their own work please comment and add to this post.
name="sysmon-critical-processes" rule="device.class='windows hosts' && event.source = 'microsoft-windows-sysmon' && process ends process ends '\\powershell.exe','\\msbuild.exe','\\psexec.exe','\\at.exe','\\schtasks.exe','\\net.exe','\\vssadmin.exe','\\utilman.exe','\\wmic.exe','\\mshta.exe','\\wscript.exe','\\cscript.exe','\\cmd.exe','\\whoami.exe','\\mmc.exe','\\systeminfo.exe','\\csvde.exe'" alert=eoc type=application
[update:
added a fuller application rule list based on the splunk app that was posted by MHaggis. Still testing out some of the converted rules to nwr to see if they fire as expected but figured I'd post what I have for now if anyone else wants to test them out in a better environment]
Looks to be promising, as always test and verify but comments and suggestions are always welcome to help move this forward.
5 Comments
