02 January 2025
Information:
I have for a long time been writing detections for Sysmon, made by
Sysinternals at Microsoft. The config file is very well tested
on live attacks and a lot of malware, and tested with Atomic Red Team
test tools as well. It has been tested in
Blue Team / Red Team pen-tests with
high success. It is used in forensic cases to monitor behavior on hacked
/ malware-infected systems.
There has been a strong focus on only logging what is important.
If you log everything that Sysmon can log, you will get far too many
logs sent from the endpoints to your SIEM system. That can have an
impact on SIEM licenses and so on.
If you use "undocumented" config files, you basically don't know
why something is logged in the first place. This config is documented
in itself, with rule names and references to MITRE, LOLBAS and so
on. So you will know why and what is logged and sent to the SIEM. From
there you can build near real-time alerting. It is a very good
starting point if you are new to Sysmon and what it can do.
Since Sysmon supports "rule-based detections", many of the rules have
been written as such. This helps to keep the amount of logs sent to the
SIEM down. It also helps a lot when writing rule-based detections that
logs only get collected when they are important.
Detection types
All detections are made with rule names, and are related to MITRE,
LOLAPPS, LOLBAS, LOLDRIVERS, and so on. An implementation of Sysinternals
Autoruns detections has been added as well. Using the rule names
in any detections will help a lot when writing alerting for SIEM
systems.
Note: You will need to customize network detections in Event ID 3 to
match your needs. I highly recommend that.
Working on
The Sysmon config is very well maintained. All
Sysmon event IDs except "Event ID 24: ClipboardChange" are
covered.
The Sysmon config can be used on Sysmon from version 15.00. (Sysmon schema version: 4.90).
Logs sent to SIEM systems like Security Onion (Elastic) and
Splunk work very well. But I recommend using it with
Winlogbeat from Elastic and sending your logs to
Security Onion. I also recommend that you use proper Windows
logging set by security policies and GPOs.
Sysmon install / uninstall / Auto update Config file
A Sysmon install / uninstall / config update script is included.
This makes it very easy to install / uninstall Sysmon and update the
Sysmon config file on clients and servers just by changing one file in
a central location. I can recommend the use of your own web server. You can auto-update all
clients and servers with my latest config file by using Task
Scheduler in Windows. Config files for Task Scheduler are included
for you to import into Task Scheduler. You just have to change where
you want hosts to get the config file from in the PowerShell
script.
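As an added example of the update step the scheduled task performs (this is not the script shipped in the zip), the routine below fetches the latest config from a central web server, refuses anything that is not a Sysmon XML document, and only asks Sysmon to reload when the file actually changed. The URL, the local paths and the 64-bit service name "Sysmon64" are assumptions.

```powershell
# Added example, not the author's script. Assumed values: the download URL,
# the local paths, and that Sysmon runs as the 64-bit service "Sysmon64".
$ConfigUrl   = 'https://sysmon-config.example.internal/sysmonconfig.xml'  # central web server
$SysmonExe   = 'C:\Program Files\Sysmon\Sysmon64.exe'
$LocalConfig = 'C:\Program Files\Sysmon\sysmonconfig.xml'
$TempConfig  = Join-Path $env:TEMP 'sysmonconfig.new.xml'
$LogFile     = 'C:\ProgramData\sysmon-update.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

try {
    # Pull the current config over HTTPS so a network attacker cannot swap the file in transit.
    Invoke-WebRequest -Uri $ConfigUrl -OutFile $TempConfig -UseBasicParsing -ErrorAction Stop

    # Refuse anything that is not well-formed XML with a <Sysmon> root before handing it to Sysmon.
    [xml]$Parsed = Get-Content -Path $TempConfig -Raw -ErrorAction Stop
    if ($Parsed.DocumentElement.Name -ne 'Sysmon') { throw "Downloaded file is not a Sysmon config" }

    # Install if the service is missing, otherwise only reload when the file actually changed.
    $Service = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
    if (-not $Service) {
        Write-Log "Sysmon not installed, installing with $TempConfig"
        & $SysmonExe -accepteula -i $TempConfig | Out-Null
    } else {
        $NewHash = (Get-FileHash -Path $TempConfig -Algorithm SHA256).Hash
        $OldHash = if (Test-Path $LocalConfig) { (Get-FileHash -Path $LocalConfig -Algorithm SHA256).Hash } else { '' }
        if ($NewHash -eq $OldHash) {
            Write-Log "Config unchanged ($NewHash), nothing to do"
            Remove-Item $TempConfig -Force
            return
        }
        Write-Log "Config changed $OldHash -> $NewHash, applying"
        & $SysmonExe -c $TempConfig | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { throw "Sysmon returned exit code $LASTEXITCODE" }

    # Keep a local copy so the next run can compare hashes instead of reloading every time.
    Copy-Item -Path $TempConfig -Destination $LocalConfig -Force
    Remove-Item $TempConfig -Force
    Write-Log "Sysmon config applied successfully"
}
catch {
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
```

The log file gives you a per-host record of every config change, which is also a cheap place to spot a host that stops updating.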
Monitoring of Sysmon on endpoint.
It is easy to monitor Sysmon tampering. This is done by monitoring
network events, file changes and so on.
I have a complete list in my own Elastic for that.
Password protection on all Zip files
If you want to run and test all configs you now have to use a password to unzip any files.
You can request the password by sending a request mail. You can find
it on my contact page.
Winlogbeat, registry files and setup instructions.
Filename:
Install_pack.zip
SHA1: d555045efc16b4f80088074e5133b38170d5104a
Sysmon with install / uninstall scripts and auto update scripts.
Filename: Sysmon_15.15_Config_70.zip
SHA1: d9e6a59aeadc7ba6586dc1f47caf1961ec0d6378
Sysmon Cheatsheet
Filename: Sysmon-Cheatsheet.pdf
SHA1: e573f2c2b46a5abef726b73f3690005b04780e5e
14-01-2025
Changes:
- Sysmon Config 70
- Remote tools
02-01-2025
Changes:
- Sysmon Config 69
- Wi-Fi Discovery
15-12-2024
Changes:
- Sysmon Config 68
- FIN6 Detection
22-11-2024
Changes:
- Sysmon Config 67
- Active Scanning
- File Block
14-11-2024
Changes:
- Sysmon Config 66
- File Block Unwanted remote admin tools
- LOLBINS
- Sysmon tampering
02-11-2024
Changes:
- Sysmon Config 65
- Remote Access Software
18-10-2024
Changes:
- Sysmon Config 57
- LOLAPPS - Persistence
15-10-2024
Changes:
- Sysmon Config 56
- Backup for data exfil