Log - Sysmon 6 Windows Event Collection

EricPartington (Employee)
2017-02-28 10:31 AM

There have been some very interesting recent papers and presentations regarding Sysmon 6.0 and detection of threats on endpoints using Windows logging. 

Mark R. RSAC 2017 presentation

There are also some very interesting templates that can be applied to Sysmon 6.0 that help focus the logging on events that are relevant to endpoint investigations and threat detection.  One of the best that I have seen so far is this one.

SwiftOnSecurity - GitHub sysmonconfig

There is also a very interesting summary and description of Sysmon, other templates and hunting processes here, as well as presentations (the BotConf one is interesting).

MHaggis - GitHub - Sysmon DFIR

 

All of this is excellent, but how do you get Sysmon 6.0 logs into NetWitness (NW) Logs and start using this knowledge to look for suspicious events in your environment (and, by extension, potentially reduce your Windows logging volumes to just those events that you need)?

 

Using the default Microsoft Windows Event Forwarding (WEF) that I have posted about previously, I attempted to collect Sysmon logs and pull them into NW Logs so they could be used for reporting or alerting.

  1. Start with setting up WEF (WEC).
  2. Install Sysmon on that same collection point so that the log shows up in the collection source option for the subscription (there may be a better way to do this, but that's all I could figure out).
  3. Using the Sysmon template and Sysmon 6.0, I followed the steps to install, accept the EULA and install as a service.
  4. Add that event source for the subscription (after reboot): Application And Service Logs - Microsoft - Windows - Sysmon - Operational.
    1. [screenshot: pastedImage_1.png]
  5. Now you are ready to pull in Sysmon logs; set up the client side.
  6. On each client that you want to install Sysmon on, copy the Sysmon 6.0 binary and the template and install as you did on the collection server (sysmon.exe -accepteula -i sysmonconfig-export.xml).
  7. Reboot the client; you should now see the Sysmon logs being created locally, and then hopefully captured by WEF and pulled centrally.
    1. [screenshot: pastedImage_2.png]
  8. With WEF set up properly, you should see these events in NW Logs.
    1. [screenshot: pastedImage_3.png]
  9. You can also add the collection log to your WinRM configuration so that you can collect Sysmon logs if you are not using WEF.
    1. [screenshot: pastedImage_5.png]
    2. Add channel: Microsoft-Windows-Sysmon/Operational

 

Events will look like this when parsed by the native Windows parsers:

[screenshot: pastedImage_7.png]

 

I also noticed that there is an app from MHaggis that calls out a number of events to check for that could be flagged to highlight events to look for. I have translated that into an application rule that you can import to begin flagging the really important stuff from Sysmon.

There are other interesting rules that appear to be possible and that I will investigate, but if anyone has done their own work please comment and add to this post.

 

name="sysmon-critical-processes" rule="device.class='windows hosts' && event.source = 'microsoft-windows-sysmon' && process ends '\\powershell.exe','\\msbuild.exe','\\psexec.exe','\\at.exe','\\schtasks.exe','\\net.exe','\\vssadmin.exe','\\utilman.exe','\\wmic.exe','\\mshta.exe','\\wscript.exe','\\cscript.exe','\\cmd.exe','\\whoami.exe','\\mmc.exe','\\systeminfo.exe','\\csvde.exe'" alert=eoc type=application
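To show what the three clauses of that rule actually match (and why the leading backslash in each image name matters), here is an added Python check that is not part of the original post and not NetWitness code; it applies the same conditions to constructed Sysmon event records, and the dict keys are assumed to mirror the rule's meta keys, with case-insensitive comparison assumed for Windows paths.

```python
# Added example: emulate the matching semantics of the "sysmon-critical-processes"
# application rule over constructed event records. Not NetWitness code; the dict
# keys below simply mirror the meta keys used in the rule (assumption).
from typing import Dict, List

# Image names taken from the rule. The leading backslash anchors the match to the
# full file name, so "\\notcmd.exe" does not match "\\cmd.exe".
CRITICAL_SUFFIXES = (
    "\\powershell.exe", "\\msbuild.exe", "\\psexec.exe", "\\at.exe",
    "\\schtasks.exe", "\\net.exe", "\\vssadmin.exe", "\\utilman.exe",
    "\\wmic.exe", "\\mshta.exe", "\\wscript.exe", "\\cscript.exe",
    "\\cmd.exe", "\\whoami.exe", "\\mmc.exe", "\\systeminfo.exe", "\\csvde.exe",
)


def is_critical_process(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies all three clauses of the rule."""
    if event.get("device.class", "").lower() != "windows hosts":
        return False
    if event.get("event.source", "").lower() != "microsoft-windows-sysmon":
        return False
    # Windows paths are case-insensitive, so compare in lower case (assumption
    # about how the NetWitness 'ends' operator is configured in your deployment).
    process = event.get("process", "").lower()
    return process.endswith(CRITICAL_SUFFIXES)


def critical_processes(events: List[Dict[str, str]]) -> List[str]:
    """Return the process paths of matching events, in input order."""
    return [e["process"] for e in events if is_critical_process(e)]


# Constructed sample meta, shaped like parsed Sysmon Event ID 1 (process create)
# records; all values are made up for this example.
SAMPLE_EVENTS = [
    {"device.class": "windows hosts", "event.source": "microsoft-windows-sysmon",
     "process": "C:\\Windows\\System32\\cmd.exe"},
    {"device.class": "windows hosts", "event.source": "microsoft-windows-sysmon",
     "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.EXE"},
    # Same name with a prefix: the "\\" anchor keeps this from matching.
    {"device.class": "windows hosts", "event.source": "microsoft-windows-sysmon",
     "process": "C:\\Tools\\notcmd.exe"},
    # Listed process, but not a Sysmon event, so the rule must not fire on it.
    {"device.class": "windows hosts", "event.source": "microsoft-windows-security-auditing",
     "process": "C:\\Windows\\System32\\whoami.exe"},
]

if __name__ == "__main__":
    for path in critical_processes(SAMPLE_EVENTS):
        print("ALERT sysmon-critical-processes:", path)
```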

 

[update: added a fuller application rule list based on the Splunk app that was posted by MHaggis. I am still testing some of the rules converted to .nwr to see if they fire as expected, but figured I'd post what I have for now in case anyone else wants to test them out in a better environment.]

 

Looks to be promising; as always, test and verify, but comments and suggestions are always welcome to help move this forward.

windows-sysmon-critical-process.nwr.zip