Create An Agent Based Log Source - Sysmon

 

You can use this document to collect Sysmon logs and send them to Armor's Log and Data Management platform.

 

Configure Your Sysmon Service


Configuring Sysmon services uses the Command Line Interface (CLI) feature. For more information, see Security Service CLI Commands.

The following arguments to install and uninstall Sysmon services.

COMMAND

ARGUMENTS

RESULT

COMMAND

ARGUMENTS

RESULT

sysmon

install

Installs the Sysmon service.

sysmon

uninstall

Removes the Sysmon service.

 

 

The following arguments are possible parameters for the Logging CLI feature.

COMMAND

ARGUMENTS

RESULT

COMMAND

ARGUMENTS

RESULT

add-event-logs

"Microsoft-Windows-Sysmon/Operational"

Add the event log to the logging service.

sync-event-logs

 

Syncs the logging config.

remove-event-logs

"Microsoft-Windows-Sysmon/Operational"

Remove the event log from the logging service

 

 

Installation of Sysmon


Install the sysmon service

C:\.armor\opt\armor.exe sysmon install

Add the event log, specific to Sysmon, to the Armor logging service.

C:\.armor\opt\armor.exe logging add-event-logs "Microsoft-Windows-Sysmon/Operational"

Sync the logging config

C:\.armor\opt\armor.exe logging sync-event-logs



Removal of Sysmon


Remove the sysmon service

C:\.armor\opt\armor.exe sysmon uninstall

Remove the event log from the logging service

C:\.armor\opt\armor.exe logging remove-event-logs "Microsoft-Windows-Sysmon/Operational"

Sync the logging config

C:\.armor\opt\armor.exe logging sync-event-logs



Accessing The Datalake


The Armor data lake is a centralized repository for storing Armor collected data.

Log Search In AMP

  1. Navigate to Security -> Log Search and SSO into Chaos Search.

  2. Create a filter by doing the following:

    1. Click on Add filter.

    2. In Field select wineventlog.log_name

    3. Select is for Operator.

    4. Enter the value Microsoft-Windows-Sysmon/Operational into the Value field.

    5. Click Save.

    6. Now set the date range and click Refresh.



Data Presentation


Data consists of documents stored in the datalake. Each document contains all the data related to that particular rule and resource. Below are examples of the table and JSON views:

FIELDS

VALUES

FIELDS

VALUES

@timestamp

Jan 8, 2021 @ 05:22:23.536

#@version

1

t_id

63691655

t_index

1_2177_customer

#_score

1

t_type

doc

tarmor_metadata.customer.account_name

330IncAnywhereGen4Dec6

tarmor_metadata.customer.hostname

EC2AMAZ-V8SB0VH

tarmor_metadata.customer.os_name

Windows 2019

tarmor_metadata.customer.product_name

AA

tarmor_metadata.customer.service_provider

Armor Anywhere

tarmor_metadata.customer.tenant_id

2177

tarmor_metrics.input_port

5515

#armor_metrics.latency.processing

0.105

tarmor_metrics.processing_chain

["KVN_V4_collector_i-029bcb4147f0cd297|2021-01-07T23:52:23Z","KVN_V4_processor_i-0ebc8bdf5058e3486|2021-01-07T23:52:23Z"]

tbeat.hostname

EC2AMAZ-V8SB0VH

tbeat.name

EC2AMAZ-V8SB0VH

tbeat.version

6.7.1

tdata_type

wineventlog

#document_size

2,108

tevent_uuid

b478b96d-9bdd-42e4-8a0b-a16878dc5406

texternal_id

6010ee52-85a8-456e-8dea-a7ad32ebc0fd

thostname

EC2AMAZ-V8SB0VH

tindex_type

customer-known

tlabels.parent_id

1

tlogsource.hostname

EC2AMAZ-V8SB0VH

tlogsource.origin

core

tmessage

Network connection detected: RuleName: RDP UtcTime: 2021-01-07 23:52:12.422 ProcessGuid: {5b5555e6-ed17-5fe0-1400-00000000f300} ProcessId: 1048 Image: C:\Windows\System32\svchost.exe User: NT AUTHORITY\NETWORK SERVICE Protocol: tcp Initiated: false SourceIsIpv6: false SourceIp: 87.251.67.18 SourceHostname: - SourcePort: 23570 SourcePortName: - DestinationIsIpv6: false DestinationIp: 172.31.80.8 DestinationHostname: EC2AMAZ-V8SB0VH.ec2.internal DestinationPort: 3389 DestinationPortName: ms-wbt-server

#message_size

504

original_timestamp

Jan 8, 2021 @ 05:22:20.639

received_timestamp

Jan 8, 2021 @ 05:22:23.536

tsyslog_timestamp

01-01-2007 23:52

ttags

["core","oslogs","windows","customer","confirmed_external_id"]

ttenant_id

2177

ttype

wineventlog

twineventlog.computer_name

EC2AMAZ-V8SB0VH

twineventlog.event_data.target_user_name

-

twineventlog.event_id

3

twineventlog.level

Information

twineventlog.log_name

Microsoft-Windows-Sysmon/Operational

twineventlog.opcode

Info

twineventlog.process_id

6136

twineventlog.provider_guid

{5770385f-c22a-43e0-bf4c-06f5698ffbd9}

twineventlog.record_number

4196814

twineventlog.source_name

Microsoft-Windows-Sysmon

twineventlog.task

Network connection detected (rule: NetworkConnect)

twineventlog.thread_id

5680

twineventlog.user.domain

NT AUTHORITY

twineventlog.user.identifier

S-1-5-18

twineventlog.user.name

SYSTEM

twineventlog.user.type

User

twineventlog.version

5

{ "_score": 1, "_type": "doc", "_source": { "document_size": 2108, "@timestamp": "2021-01-07T23:52:23.536Z", "tenant_id": "2177", "armor_metadata.customer.tenant_id": "2177", "hostname": "EC2AMAZ-V8SB0VH", "wineventlog.provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "wineventlog.process_id": "6136", "message_size": 504, "wineventlog.computer_name": "EC2AMAZ-V8SB0VH", "_id": 63691655, "tags": "[\"core\",\"oslogs\",\"windows\",\"customer\",\"confirmed_external_id\"]", "armor_metrics.processing_chain": "[\"KVN_V4_collector_i-029bcb4147f0cd297|2021-01-07T23:52:23Z\",\"KVN_V4_processor_i-0ebc8bdf5058e3486|2021-01-07T23:52:23Z\"]", "armor_metadata.customer.hostname": "EC2AMAZ-V8SB0VH", "wineventlog.opcode": "Info", "armor_metrics.input_port": "5515", "original_timestamp": "2021-01-07T23:52:20.639Z", "logsource.origin": "core", "wineventlog.user.domain": "NT AUTHORITY", "wineventlog.user.identifier": "S-1-5-18", "wineventlog.log_name": "Microsoft-Windows-Sysmon/Operational", "wineventlog.version": "5", "wineventlog.level": "Information", "wineventlog.thread_id": "5680", "wineventlog.user.name": "SYSTEM", "received_timestamp": "2021-01-07T23:52:23.536Z", "data_type": "wineventlog", "armor_metadata.customer.account_name": "330IncAnywhereGen4Dec6", "event_uuid": "b478b96d-9bdd-42e4-8a0b-a16878dc5406", "wineventlog.task": "Network connection detected (rule: NetworkConnect)", "syslog_timestamp": "Jan 7 23:52:23", "labels.parent_id": "1", "armor_metadata.customer.service_provider": "Armor Anywhere", "beat.version": "6.7.1", "external_id": "6010ee52-85a8-456e-8dea-a7ad32ebc0fd", "message": "Network connection detected: RuleName: RDP UtcTime: 2021-01-07 23:52:12.422 ProcessGuid: {5b5555e6-ed17-5fe0-1400-00000000f300} ProcessId: 1048 Image: C:\\Windows\\System32\\svchost.exe User: NT AUTHORITY\\NETWORK SERVICE Protocol: tcp Initiated: false SourceIsIpv6: false SourceIp: 87.251.67.18 SourceHostname: - SourcePort: 23570 SourcePortName: - DestinationIsIpv6: false DestinationIp: 172.31.80.8 DestinationHostname: EC2AMAZ-V8SB0VH.ec2.internal DestinationPort: 3389 DestinationPortName: ms-wbt-server", "armor_metrics.latency.processing": 0.10485601425170898, "wineventlog.record_number": "4196814", "wineventlog.event_data.target_user_name": "-", "type": "wineventlog", "armor_metadata.customer.product_name": "AA", "beat.name": "EC2AMAZ-V8SB0VH", "beat.hostname": "EC2AMAZ-V8SB0VH", "armor_metadata.customer.os_name": "Windows 2019", "@version": 1, "wineventlog.event_id": "3", "index_type": "customer-known", "logsource.hostname": "EC2AMAZ-V8SB0VH", "wineventlog.user.type": "User", "wineventlog.source_name": "Microsoft-Windows-Sysmon" }, "_id": "63691655", "_index": "1_2177_customer" }



Helpful Fields For Searching The Datalake


FIELD

FILTER BY

wineventlog.log_name

Microsoft-Windows-Sysmon/Operational

wineventlog.task

the task name

wineventlog.event_id

the event id eg : 1,2,3,4,5,6,7

wineventlog.source_name

Microsoft-Windows-Sysmon

 

 



Adding A Filter


To add additional filters, click on the Add Filter Button.

Then set the field to one of the helpful fields above, select the operator, put in the value and hit save. The data is now filtered on a specific log_name, event_id or other field selected.



Sysmon Rules


RULE

DESCRIPTION

PsExec Process Observed on a Compromised Host

This rule triggers when a PsExec process has been detected on a host that has been identified as likely compromised.

Administrative Share Accessed from a Compromised Host

Detects hosts that have been identified as likely compromised when they access Administrative shares.

Network Share Accessed from a Compromised Host

Detects hosts that have been identified as likely compromised when they access networked shares.

Powershell Process Observed on a Compromised Host

This rule triggers when a powershell process has been detected on a host that has been identified as likely compromised.

Metasploit PSExec Module Usage

Detects the Metasploit implementation of the PSExec tool.

Excessive System Tools Usage from a Single Host

Detects a large volume of several system tools being used from a single system.

Excessive Network Share Access Failures from a Compromised Host

Detects hosts that have been identified as likely compromised when they access several networked shares in a short time period.

Powershell Script Created by a Remote Management Service

Detects if any remoting service, such as wsmprovhost, psexesvc, or wmiprvse, creates a PowerShell script file.

Unsigned Executable Loaded In Sensitive System Process

This rule is triggered on any attempt to load an unsigned executable file into sensitive system processes.

Mimikatz IMP Hash Observed

Detects successful process creation matching the hash of 'Invoke Mimikatz PowerShell (IMP)'.

Potential Keylogger Detected

This rule triggers when a potential keylogger tool is detected.

Service Binary Path Update Followed by Remote Thread Creation

This rule triggers when a service binary path is updated and a remote thread is created by the same process.

Executable Loaded from Temp Directory

This rule triggers when an executable is loaded from a temp directory.

Remote Management Service Connected to lsass Pipe

Detects when a remote management service is connected to lsass pipe.

Unusual Value Size in Windows Registry

This rule triggers when a value with an unusual size is set in Windows Registry.

Service Binary Path Update Followed by User or Group Modification

This rule triggers when a service binary path is updated and a user or a group is modified on the same host.

Suspicious Access to lsass Process From Unknown Call Trace

This rule triggers when a suspicious access to lsass is initiated from an unknown call trace.

Fileless UAC Bypass using Windows Event Viewer

Detects when a registry event uses Windows Event Viewer has been detected.

Process Launched from Unusual Directory

This rule triggers when a process is launched from an unusual directory.

Excessive Use of SC Command

This rule triggers when the Service Control command is frequently used on a single host.

Service Installed on a Compromised Host

This rule triggers when a service has been created on a host that has been identified as likely compromised.

Thread Creation by a Process Launched from a Shared Folder

Detects when a process launched from a shared folder is creating a thread into another process.

Group or Account Discovery

Detects when a command related to group or account discovery is detected.

Unsigned Driver Loaded In Windows Kernel

This rule triggers when any unsigned driver is loaded in Kernel.

UAC Bypass - Scheduled Task Configured to Run with Highest Privileges

Detects a potential User Account Control bypass when a scheduled task is configured to run with the highest privileges.

Credential Dumping using SAM Registry Key

Detects when a resource is enumerating users sub-keys.

Download via Encoded Command Initiated

This rule triggers when a download of a PowerShell script is initiated from cmd.exe or Powershell.

Programming Environment Started with a Privileged Account

Detects when a programming environment has been started with a privileged account.

Suspicious Access to lsass Process

This rule triggers when a process connects to lsass that does not normally.

Process Launched by an Unusual Process

This rule triggers when a process that is not supposed to have child launches a process.

Excessive Administrative Share Access Failures from the Same Host

Detects repeated failures to access administrative shares from the same host.

Thread Creation by a Process Launched from a Temp Directory

This rule triggers when a thread is created by a process launched from a temp directory.

Detected an Unquoted Service Binary Path with Spaces

Detects if an unquoted service binary path contains spaces. A file path that is not enclosed within quotation marks and contains spaces in the path can be leveraged.

Service Binary Path Update Followed by Network Connection

Detects if a process attempts to configure or add a service and detects if the same process creates an outbound connection.

PsExec Process Masquerading

This rule triggers when PsExec IMP Hash is detected for another process name.

Process Launched from a Temp Directory

This rule triggers when a process is launched from a temp directory. Temporary directories are common staging locations for malware execution or data exfiltration.

Unusual Parent for a System Process

This rule triggers when an unusual parent is found for a system process.

Thread Creation into lsass Process

This rule triggers when a thread is created into lsass process.

Fileless UAC Bypass using sdclt

This rule triggers when a UAC bypass using sdclt has been detected.

Unsigned Executable Loaded in lsass

This rule triggers when an unsigned driver is loaded in lsass.

Rundll32 with qwerty Argument Usage

This rule triggers when rundll32 is executed with qwerty argument, which could indicate the presence of a Ransomware (type Locky).

Service Configured to Use a Pipe

This rule triggers when a service is configured to use a pipe.

Remote Process Execution on Multiple Hosts

This rule triggers when remote management service are creating process on multiple hosts.

Service Configured to Use Powershell

This rule triggers when a service is configured to use Powershell.

Scheduled Task Created on Multiple Hosts

This rule triggers when a scheduled task has been created on mulitple hosts.

Service Binary Located in a Shared Folder

This rule triggers when a service binary is located in a shared folder.

Process Launched from a Shared Folder

This rule triggers when a process is launched from a shared folder.

Fileless UAC Bypass using Fodhelper

This rule triggers when a UAC bypass using Fodhelper has been detected.

Shadow Copies Deletion

This rule triggers when deletion of shadow copies is detected.

Potential Credential Dumping Tool Detected

This rule triggers when a potential credential dumping tool is detected.

Pipe Created Followed by Service Binary Path Update

This rule triggers when a pipe is created and the service binary path is updated to connect to it.

Scheduled Task Created on a Compromised Host

This rule triggers when a scheduled task has been created on a compromised host.

Lsass Process Connected to a Pipe

This rule triggers when an lsass process is being connected to a pipe.

Thread Creation into a System Process

This rule triggers when a process is creating a thread into a system process.

Malicious Service Installed

This rule triggers when a service categorized as malicious has been installed.

Hidden Network Share Added

This rule triggers when a hidden Network Share has been added.

Thread Creation into a Process Different from the Initial One

This rule triggers when a process is creating a thread into another process.

Network Share Added to a Compromised Host

This rule triggers when a network share has been added to a compromised host.

System Process Launched from Unusual Directory

This rule triggers when a system process is launched from an unusual directory.

Encoded Command Malicious Usage in a Programming Environment

This rule triggers when an encoded command is used in a programming environment type cmd or Powershell.



Troubleshooting


  1. Make sure that winlogbeat is configured for sysmon.

  2. Make sure you have synched up the logs.

    C:\.armor\opt\armor.exe logging sync-event-logs