System Monitor (Sysmon) is one of the most common add-ons for Windows logging. With Sysmon, you can detect malicious activity by tracking code behavior and network traffic. Sysmon is part of the Sysinternals package and is owned by Microsoft.
What is Sysmon
Sysmon is part of the Sysinternals software package and is useful for extending the default Windows logs with higher-level monitoring of events and process creations. Sysmon records detailed information about process creations, network connections, and file changes.
Interesting data available:
- Process creation and access
- Network connections tracking
- Drivers and DLL loading
- WMI monitoring
- File hashes
- Process ID
- and more
Sysmon includes the following capabilities:
- Logs process creation with full command line for both current and parent processes.
- Records the hash of process image files using SHA1 (the default), MD5, SHA256 or IMPHASH.
- Multiple hashes can be used at the same time.
- Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
- Includes a session GUID in each event to allow correlation of events on the same logon session.
- Logs loading of drivers or DLLs with their signatures and hashes.
- Logs opens for raw read access of disks and volumes.
- Optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names.
- Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
- Automatically reloads the configuration if it is changed in the registry.
- Rule filtering to include or exclude certain events dynamically.
- Generates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware.
More information about Sysmon (source Microsoft)
This blog covers the use of the Microsoft Sentinel Sysmon connector to collect Sysmon-related events.
Sysmon event IDs
- Event ID 1: Process creation
- Event ID 2: A process changed a file creation time
- Event ID 3: Network connection
- Event ID 4: Sysmon service state changed
- Event ID 5: Process terminated
- Event ID 6: Driver loaded
- Event ID 7: Image loaded
- Event ID 8: CreateRemoteThread
- Event ID 9: RawAccessRead
- Event ID 10: ProcessAccess
- Event ID 11: FileCreate
- Event ID 12: RegistryEvent (Object create and delete)
- Event ID 13: RegistryEvent (Value Set)
- Event ID 14: RegistryEvent (Key and Value Rename)
- Event ID 15: FileCreateStreamHash
- Event ID 16: ServiceConfigurationChange
- Event ID 17: PipeEvent (Pipe Created)
- Event ID 18: PipeEvent (Pipe Connected)
- Event ID 19: WmiEvent (WmiEventFilter activity detected)
- Event ID 20: WmiEvent (WmiEventConsumer activity detected)
- Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)
- Event ID 22: DNSEvent (DNS query)
- Event ID 23: FileDelete (File Delete archived)
- Event ID 24: ClipboardChange (New content in the clipboard)
- Event ID 25: ProcessTampering (Process image change)
- Event ID 26: FileDeleteDetected (File Delete logged)
- Event ID 255: Error
Installing Sysmon
To install Sysmon, run the installer on the relevant servers. Once Sysmon is installed, we can configure the Microsoft Sentinel connector to collect the Sysmon events from those servers. For downloading Sysmon:
- Download Sysmon
- Download the Sysmon configuration file. Note: more configuration files are available, for example the BlueTeamLabs configuration (useful for the Sentinel workbook).
For large-scale deployment use a GPO and pass the Sysmon configuration file as an argument.
Example: sysmon.exe -accepteula -i sysmonconfig-export.xml
Once Sysmon is installed and starts logging actions, you can find the event log by opening the local Event Viewer and going to the event path: Windows Logs – Applications and Services Logs – Microsoft – Windows – Sysmon
The Operational Log will show all the relevant Sysmon logging:
Configuring Microsoft Sentinel
The Microsoft Monitoring Agent collects the data from the machines. With the Microsoft Monitoring Agent you can collect logs from a machine and push them into the Log Analytics workspace (Sentinel).
Multiple ways are available to connect the server with the Log Analytics gateway; this post explains the Microsoft Monitoring Agent event collector. The Windows Agent can be downloaded from the Security Events connector page or directly from the Log Analytics workspace view.
For Sentinel you can use the Sentinel connector or use a separate Log Analytics connector.
- Go to the Azure Portal
- Click on Log Analytics workspace
- Open the created or existing Log Analytics workspace
- Open Agent Management
- Click on Windows servers
As the screenshot shows, no Windows computers or servers are connected yet. To connect the first machine, download the Windows Agent and copy the Workspace ID and primary key from the Agent management page into the agent's workspace configuration.
After some time the first devices are connected to the Agent Management overview.
Use the following Query to view the recent onboarded devices:
Configuring Sysmon events
Now it is required to configure the Agent configuration for collecting the Sysmon event log. For configuring the Sysmon events:
- Go to the Azure Portal
- Click on Log Analytics workspace
- Open the Log Analytics workspace
- Open Agents configuration
- Click on Add Windows event logs
- Sysmon is not listed by default; type the log name Microsoft-Windows-Sysmon/Operational manually
- Apply the configuration
Query Event collection
After some time the first Sysmon data is available in Microsoft Sentinel. Use the queries below to check the Sysmon event collection.
Sysmon event check:
Event
| where Source == "Microsoft-Windows-Sysmon"
| limit 100
Specific Sysmon Event check:
Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID in (11, 12)
| project TimeGenerated, Computer, EventID, RenderedDescription
| limit 100
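The two checks above only prove that some Sysmon events have arrived. The query below, added here as an illustration and not part of the original post, goes one step further: it joins the agent Heartbeat table with the Event table, so a server whose agent is alive but which delivers no Sysmon events at all (typically Sysmon not installed, or the Microsoft-Windows-Sysmon/Operational channel missing from the agent configuration) shows up explicitly instead of silently dropping out. It assumes the standard Heartbeat and Event tables of the Log Analytics workspace; the 24-hour window and the short event-name map are arbitrary choices.

```kql
// Added example (not from the original post): per-server Sysmon delivery check.
// Assumes the Log Analytics Heartbeat and Event tables populated by the
// Microsoft Monitoring Agent as configured above.
let lookback = 24h;
// Every server whose agent reported a heartbeat inside the window ...
let reporting = Heartbeat
    | where TimeGenerated > ago(lookback)
    | summarize LastHeartbeat = max(TimeGenerated) by Computer;
// ... and the Sysmon volume each of them delivered, broken down by event ID
let sysmon = Event
    | where TimeGenerated > ago(lookback)
    | where Source == "Microsoft-Windows-Sysmon"
    | summarize EventCount = count(), LastSysmonEvent = max(TimeGenerated) by Computer, EventID;
reporting
| join kind=leftouter sysmon on Computer
// leftouter keeps servers with a heartbeat but no Sysmon rows (EventID is null there)
| extend EventName = case(
    isnull(EventID), "NO SYSMON EVENTS",
    EventID == 1,  "ProcessCreate",
    EventID == 3,  "NetworkConnect",
    EventID == 7,  "ImageLoad",
    EventID == 11, "FileCreate",
    EventID == 22, "DnsQuery",
    strcat("EventID ", EventID))
| project Computer, LastHeartbeat, EventID, EventName, EventCount, LastSysmonEvent
| order by Computer asc, EventID asc
```

Rows marked NO SYSMON EVENTS are the ones to chase first; a server that only ever reports event ID 4 (service state changed) is usually running Sysmon with an overly restrictive configuration file.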
Parse the Sysmon data
To use the data in Sentinel detection rules and workbooks, it has to be parsed with a Sysmon event parser. A good parser with support for the ATT&CK workbook is described in step 9 of the BlueTeamLabs GitHub README.
To create the function: paste the KQL, choose Save as function and fill in the function name.
Below image: the parser saved as a function named Sysmon.
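As an added illustration (this is not the BlueTeamLabs parser and not code from the original post), the query below shows what such a parser does: it pulls the named Data elements out of the EventData XML of each Sysmon record and exposes them under column names in the style the BlueTeamLabs detections use (process_path, process_command_line, and so on), so the detection rules later in this post run against it. It assumes that the Event table stores Sysmon's EventData as XML with one `<Data Name="...">value</Data>` element per field; confirm that on one record with `Event | where Source == "Microsoft-Windows-Sysmon" | take 1 | project EventData` before saving it as a function.

```kql
// Added example: a minimal Sysmon parser to save as a Log Analytics function
// (for instance under the name Sysmon). Assumption: EventData holds one
// <Data Name="Field">value</Data> element per Sysmon field, as written by the agent.
Event
| where Source == "Microsoft-Windows-Sysmon"
| extend
    rule_name                   = extract(@'<Data Name="RuleName">(.*?)</Data>', 1, EventData),
    event_utc_time              = extract(@'<Data Name="UtcTime">(.*?)</Data>', 1, EventData),
    process_guid                = extract(@'<Data Name="ProcessGuid">(.*?)</Data>', 1, EventData),
    process_id                  = toint(extract(@'<Data Name="ProcessId">(.*?)</Data>', 1, EventData)),
    process_path                = extract(@'<Data Name="Image">(.*?)</Data>', 1, EventData),
    process_command_line        = extract(@'<Data Name="CommandLine">(.*?)</Data>', 1, EventData),
    user_name                   = extract(@'<Data Name="User">(.*?)</Data>', 1, EventData),
    process_parent_guid         = extract(@'<Data Name="ParentProcessGuid">(.*?)</Data>', 1, EventData),
    process_parent_path         = extract(@'<Data Name="ParentImage">(.*?)</Data>', 1, EventData),
    process_parent_command_line = extract(@'<Data Name="ParentCommandLine">(.*?)</Data>', 1, EventData),
    hashes                      = extract(@'<Data Name="Hashes">(.*?)</Data>', 1, EventData),
    // event ID 3 / 22 / 11 specific fields; empty for other event IDs
    dst_ip                      = extract(@'<Data Name="DestinationIp">(.*?)</Data>', 1, EventData),
    dst_port                    = toint(extract(@'<Data Name="DestinationPort">(.*?)</Data>', 1, EventData)),
    file_name                   = extract(@'<Data Name="TargetFilename">(.*?)</Data>', 1, EventData),
    query_name                  = extract(@'<Data Name="QueryName">(.*?)</Data>', 1, EventData)
// Sysmon reports all configured hashes in one string ("SHA1=...,MD5=...,SHA256=..."):
// pick out the SHA256 so it can be matched against threat intelligence directly
| extend hash_sha256 = extract(@'SHA256=([0-9A-Fa-f]{64})', 1, hashes)
// last path component of the image, handy for has_any style filters
| extend process_name = extract(@'([^\\]+)$', 1, process_path)
| project TimeGenerated, Computer, EventID, rule_name, event_utc_time,
    process_guid, process_id, process_path, process_name, process_command_line, user_name,
    process_parent_guid, process_parent_path, process_parent_command_line,
    hash_sha256, dst_ip, dst_port, file_name, query_name, RenderedDescription
```

Values come back XML-escaped (a command line containing double quotes shows `&quot;`), so a rule that matches on quoted arguments should either search for the escaped form or decode it first with replace_string. The full BlueTeamLabs parser covers every event ID and field; this version is only enough for process, network, file and DNS events.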
Map the events with ATT&CK framework
Within Sentinel, multiple workbooks are available. For mapping events with the ATT&CK framework use the Sysmon workbook. For installing the Sysmon Threat Hunting workbook:
- Go to Workbooks
- Open templates
- Search for Sysmon
- Select the Sysmon Threat Hunting template
Follow the instructions to meet all the requirements for using this workbook.
Overview ATT&CK Trigger dashboard
Overview of the insights and mapped MITRE ATT&CK framework data from the Sysmon events collector.
Detection rules
Based on the parsed Sysmon data it is possible to create detection rules. BlueTeamLabs provides a number of analytic rules built on the parsed Sysmon data. Some examples:
Sysmon
| where EventID == 1
and (process_path contains "powershell.exe"
or process_path contains "powershell_ise.exe"
or process_path contains "psexec.exe")
// Note: KQL string operators do not treat * as a wildcard, so patterns with a gap
// between two terms are expressed with "matches regex" instead of "contains".
Sysmon
| where EventID == 1 and (process_command_line contains "remove-item"
or process_command_line matches regex @"(?i)vssadmin.*Delete Shadows /All /Q"
or process_command_line matches regex @"(?i)wmic.*shadowcopy delete"
or process_command_line matches regex @"(?i)wbadmin.*delete catalog -q"
or process_command_line matches regex @"(?i)bcdedit.*bootstatuspolicy ignoreallfailures"
or process_command_line matches regex @"(?i)bcdedit.*recoveryenabled no")
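The rules above are bare filters. To run one as a scheduled analytics rule in Sentinel you normally want a lookback window matching the rule frequency, case-insensitive matching, one row per host and user so that a single incident does not raise dozens of alerts, and columns that map cleanly onto Sentinel entities (host, account). The query below is an added example of that shape for the shadow-copy and recovery-tampering part of the second rule; it is not a BlueTeamLabs rule and not from the original post. It assumes a saved function named Sysmon that exposes process_path, process_command_line, user_name and process_parent_path (column names in the style of the BlueTeamLabs parser; adjust them to the ones your function actually returns) and a rule frequency of one hour.

```kql
// Added example: shadow-copy / recovery tampering as a scheduled analytics rule.
// Assumes a saved function named Sysmon exposing process_path, process_command_line,
// user_name and process_parent_path; the 1h window matches a 1h rule frequency.
let lookback = 1h;
// Binaries involved; has_any on the image path is cheaper than a chain of contains
let recovery_tools = dynamic(["vssadmin.exe", "wmic.exe", "wbadmin.exe", "bcdedit.exe"]);
// * is not a wildcard in KQL string operators, so gaps in a pattern need a regex.
Sysmon
| where TimeGenerated > ago(lookback)
| where EventID == 1
| where process_path has_any (recovery_tools)
| extend cmd = tolower(process_command_line)
| extend technique = case(
    cmd matches regex @"vssadmin.*delete\s+shadows",   "Shadow copy deletion (vssadmin)",
    cmd matches regex @"wmic.*shadowcopy\s+delete",    "Shadow copy deletion (wmic)",
    cmd matches regex @"wbadmin.*delete\s+catalog",    "Backup catalog deletion (wbadmin)",
    cmd matches regex @"bcdedit.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
                                                        "Recovery disabled (bcdedit)",
    "")
| where isnotempty(technique)
// One row per host / user / technique, with the evidence an analyst needs first
| summarize
    FirstSeen       = min(TimeGenerated),
    LastSeen        = max(TimeGenerated),
    EventCount      = count(),
    CommandLines    = make_set(process_command_line, 10),
    ParentProcesses = make_set(process_parent_path, 10)
    by Computer, user_name, technique
| project-reorder Computer, user_name, technique, FirstSeen, LastSeen, EventCount, CommandLines, ParentProcesses
```

In the analytics rule, map Computer to the Host entity and user_name to the Account entity; ParentProcesses is what tells a backup job running vssadmin apart from a ransomware loader doing the same, so keep it in the alert details rather than filtering it away up front.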
Sources
- Microsoft Monitoring Agent Setup: https://docs.microsoft.com/en-us/services-hub/health/mma-setup
- Log Analytics agent data sources in Azure Monitor: https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agent-data-sources
- BlueTeamLabs Detections: https://github.com/BlueTeamLabs/sentinel-attack/tree/master/detections
- BlueTeamLabs general information: https://github.com/BlueTeamLabs/sentinel-attack