Monitoring with Sysmon
In previous posts, we have discussed how to collect logs and index them in the S1EM. However, we encountered some challenges. For example, we can obtain PowerShell events, but what about cmd logs? Or when we get Task Scheduler logs but cannot see the trigger and action? In this post, we will address these issues with a service called Sysmon.
Sysmon Installation
Installing Sysmon is extremely simple. You only need to download the installer from the official website and then run the following command.
- Install

```powershell
sysmon -accepteula -i
# > sysmon installed.
# > SysmonDrv installed.
```
- Sysmon is rule-based, so with the previous command, we essentially install it without any configuration. We can validate the installation with the following command.
```powershell
sysmon -c
# > No rule installed
```
Sysmon Configuration
Since Sysmon is rule-based, we can create custom rules to monitor the techniques we discussed in previous posts. By defining specific rules, we can fine-tune Sysmon to detect particular activities and events that are relevant to our environment.
- We will save the following rules in custom-rules.xml to load it into Sysmon
```xml
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <!-- Process Creation (1) -->
    <RuleGroup groupRelation="or">
      <ProcessCreate onmatch="include">
        <Rule name="PowerShell" groupRelation="or">
          <OriginalFileName name="Command and Scripting Interpreter: PowerShell(T1059.001)" condition="contains any">powershell.exe</OriginalFileName>
          <Image name="Command and Scripting Interpreter: PowerShell(T1059.001)" condition="image">powershell.exe</Image>
        </Rule>
        <Rule name="Scheduled Task/Job" groupRelation="or">
          <OriginalFileName name="Scheduled Task/Job: Scheduled Task(T1053.005)" condition="contains any">schtasks.exe</OriginalFileName>
          <Image name="Scheduled Task/Job: Scheduled Task(T1053.005)" condition="image">schtasks.exe</Image>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```
- We will load our config

```powershell
sysmon -c .\custom-rules.xml
# > Configuration updated.
```
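Before handing a rule file to sysmon -c it is worth checking that it parses and listing exactly what it will match, because an onmatch="include" element with no filters logs nothing and an onmatch="exclude" element with no filters logs every event of that type. The following PowerShell is an added example, not code from the original post or from Sysmon; it assumes the custom-rules.xml path used above, and the function name Get-SysmonRuleSummary is our own.

```powershell
# Added example (not from the original post or from Sysmon): pre-flight review
# of a Sysmon rule file before loading it with `sysmon -c`.
function Get-SysmonRuleSummary {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # [xml] parsing throws on malformed XML, so a broken file fails here
    # instead of inside the Sysmon driver.
    [xml]$config = Get-Content -Path $Path -Raw
    Write-Verbose "schemaversion = $($config.Sysmon.schemaversion)"

    # Builds one row per filter element (OriginalFileName, Image, ...).
    $row = {
        param($eventNode, $ruleName, $filter)
        [pscustomobject]@{
            EventType = $eventNode.LocalName
            OnMatch   = $eventNode.GetAttribute('onmatch')
            RuleName  = $ruleName
            Field     = $filter.LocalName
            Condition = $filter.GetAttribute('condition')
            Value     = $filter.InnerText
        }
    }

    # Every event-type element (ProcessCreate, NetworkConnect, ...) carries an
    # onmatch attribute, whether or not it is wrapped in a RuleGroup.
    foreach ($eventNode in $config.SelectNodes('/Sysmon/EventFiltering//*[@onmatch]')) {
        $rows = foreach ($child in $eventNode.ChildNodes) {
            if ($child.NodeType -ne 'Element') { continue }   # skip comments
            if ($child.LocalName -eq 'Rule') {
                # Filters inside a <Rule> wrapper inherit the rule's name.
                foreach ($f in $child.ChildNodes) {
                    if ($f.NodeType -eq 'Element') {
                        & $row $eventNode $child.GetAttribute('name') $f
                    }
                }
            } else {
                # Bare filters placed directly under the event element.
                & $row $eventNode $child.GetAttribute('name') $child
            }
        }

        if (-not $rows) {
            $onmatch = $eventNode.GetAttribute('onmatch')
            $effect = if ($onmatch -eq 'include') { 'logs nothing' } else { 'logs every event of this type' }
            Write-Warning "$($eventNode.LocalName) onmatch=$onmatch has no filters and therefore $effect"
        }
        $rows
    }
}

# Usage: list what the file above will match before loading it.
Get-SysmonRuleSummary -Path .\custom-rules.xml -Verbose | Format-Table -AutoSize
```

Run against the custom-rules.xml above, the table shows four rows under ProcessCreate/include: two OriginalFileName filters with condition "contains any" and two Image filters with condition "image", each tagged with the name that will later appear in the event's RuleName field. The schemaversion in the file must not be newer than what the installed Sysmon binary supports, so the Verbose line is a quick sanity check when a configuration is shared between hosts running different Sysmon versions.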
- We will configure our S1EM using the following configuration:
- We will obtain
Sysmon Modular Config
To keep configurations organized and easy to maintain, we will use Olaf Hartong’s repository, sysmon-modular. First, we need to download the base configuration and then load it into Sysmon with the following command.
```powershell
# download config
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml" -OutFile "sysmonconfig.xml"
# load config
sysmon64 -c .\sysmonconfig.xml
# > Configuration updated.
```
- We can review the events collected by Sysmon by running the following command.
```powershell
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 10 | Select-Object Id, TaskDisplayName, Message
```
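Selecting Id, TaskDisplayName and Message is enough to confirm that events are flowing, but the fields that actually answer the questions from the start of this post (the full command line of a cmd or schtasks invocation, the parent process, and which of our named rules fired) sit inside the event's EventData. The following PowerShell is an added example, not code from the original post or from Sysmon; it assumes Sysmon is installed, that the shell is elevated enough to read the Operational log, and the function name Get-SysmonProcessCreate is our own.

```powershell
# Added example (not from the original post or from Sysmon): flatten Sysmon
# process-creation events (ID 1) into rows with the fields an analyst needs.
function Get-SysmonProcessCreate {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 50,
        # EventData fields to keep. RuleName holds the name attribute of the
        # rule that matched, or '-' when no named rule matched.
        [string[]]$Field = @('UtcTime', 'RuleName', 'User', 'ParentImage',
                             'Image', 'CommandLine', 'ParentCommandLine')
    )

    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    # Get-WinEvent reports "No events were found" as an error when nothing
    # matches; treat that as an empty result rather than a failure.
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($event in $events) {
        # Sysmon stores every field as <Data Name="..."> inside EventData;
        # parsing the XML is more reliable than regex over the Message text.
        [xml]$xml = $event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }

        $row = [ordered]@{ RecordId = $event.RecordId }
        foreach ($name in $Field) { $row[$name] = $data[$name] }
        [pscustomobject]$row
    }
}

# Usage: show only the process creations that one of our named rules caught.
# The CommandLine column is what reveals a scheduled task's action, which the
# Task Scheduler log alone did not give us.
Get-SysmonProcessCreate -MaxEvents 200 |
    Where-Object { $_.RuleName -and $_.RuleName -ne '-' } |
    Format-List
```

With the custom-rules.xml from this post loaded, RuleName carries strings such as "Command and Scripting Interpreter: PowerShell(T1059.001)", so the technique ID is already on the row when it reaches the S1EM. With the sysmon-modular configuration loaded instead, RuleName is populated from that project's rule names, which also embed the MITRE technique identifier, so the same filter works for both configurations.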
In conclusion, by integrating Sysmon with our SIEM and utilizing custom rules, we can significantly enhance our monitoring and threat detection capabilities. This setup allows us to capture detailed and relevant security events, providing us with better visibility into potential threats and enabling more effective monitoring.
Stay with us for our next post, where we will dive deeper into analyzing and responding to these events.