February 16, 2021
To help you monitor your Microsoft Windows security, Blumira’s incident detection team has released a number of new Sysmon security detection rules to help identify potential attacker activity in your environment. Our security team is always developing and writing new detections to keep up with evolving threats on an ongoing basis.
What is Sysmon?
Sysmon (or System Monitor) is part of the Sysinternals software package, now owned by Microsoft. It enriches standard Windows logs by producing higher-level monitoring of events such as process creations, network connections and changes to the file system.
It’s very easy to install and deploy. See Lead Incident Detection Engineer Amanda Berlin’s How to Enable Sysmon for our three-step instructions that will help you turn on an incredible amount of advanced logging for greater visibility and enhanced threat detection.
Why You Should Enable Sysmon
With Sysmon enabled, Blumira can start streaming your Windows logs to our platform for deeper threat analysis. We can help you detect, alert and respond to common threats, including attackers moving laterally through your environment, escalating privileges, collecting data for exfiltration, and more.
To see how you can easily integrate with your Microsoft environment and deploy a SIEM in a few hours, sign up for a free trial of Blumira.
New Sysmon Security Detections From Blumira
The following Sysmon detections (written by Incident Detection Engineer Brian Laskowski) are now integrated into Blumira’s cloud SIEM platform to provide prioritized alerts on Windows-related findings, and offer playbooks for threat response.
Each of them map to the MITRE ATT&CK framework, a widely-referenced knowledge base for developing specific threat models and methodologies across all industries and in the infosec community.
Detection Rule: Enable Remote Services: Remote Desktop Protocol in the Registry
A common technique used by threat actors is to use built-in remote access tools like Remote Desktop Protocol (RDP) to allow for lateral movement or persistence in an environment. This provides the threat actor with access that can blend in with normal traffic in an environment. This tactic is frequently used in drive by open RDP attacks, and some botnet malware may do it as well.
Maps to the MITRE ATT&CK Framework: T1021.001, Tactic: Lateral Movement
Detection Rule: Local Accounts Added to Administrators Group
A common technique used by threat actors is to add new accounts locally on a system and then add that local account to the administrators’ group. This provides the threat actor with a privileged account to persist in an environment.
Maps to the MITRE ATT&CK Framework: T1078.003, Tactics: Defense Evasion, Persistence, Privilege Escalation, Initial Access
Detection Rule: Security Software Discovery – AV Discovery via WMI
Windows Management Instrumentation (WMI) is a built-in Microsoft utility for administering Windows systems. Its ability to interrogate the software on a system makes it ideal for threat actors to use while profiling a system as well. Using it to query for antivirus (AV) has been seen both from hands-on keyboard threat actors to being used by commodity botnets. Investigate to see if this was executed by approved software or administrators.
Maps to the MITRE ATT&CK Framework: T1518.001, Tactic: Discovery
Detection Rule: Compress Data for Exfiltration With RAR
RAR file archives tend to be unusual in a normal Windows enterprise network, and user zipping via the command line is even less common. While this may be legitimate activity, the action should be investigated to make sure that it is not a threat actor zipping critical data for exfiltration (stealing data). Review the recent activity on the machine and look for other anomalies, or whether the user has a history of this activity, or if it is a part of normal business processes.
Maps to the MITRE ATT&CK Framework: T1560.001, Tactic: Collection
Detection Rule: Enumeration for Credentials in Registry
In many Windows environments, credentials and passwords can be found in multiple locations, left by users or software. One location threat actors often look for credentials is in the Windows registry hives; these can often contain passwords that may allow the threat actor to move laterally or escalate privileges.
Maps to the MITRE ATT&CK Framework: T1552.002, Tactic: Credential Access
Detection Rule: Process Injection
When a threat actor gains a foothold on a system, one of the tasks they need to perform is elevation of privileges to allow them full access to the system. One way they do this is through process injection in which their malicious code is injected into the memory of a higher-privilege process running as SYSTEM. This activity can also be seen when a threat actor then tries to access sensitive data like credentials from the LSASS (Local Security Authority Subsystem Service) process memory. Some software can also use this technique in normal operations, but this alert should be thoroughly investigated before closing. This tactic is extremely common in commodity malware, post-exploitation tool kits, and advanced adversary groups.
Maps to the MITRE ATT&CK Framework: T1055.004, Tactics: Defense Evasion, Privilege Escalation
To see how you can easily integrate with your Microsoft environment and deploy a SIEM in a few minutes, sign up for a free version of Blumira.
Additional Microsoft Security Resources
Use Case: Microsoft Security
Easily detect and respond to Microsoft security risks, exploits and threats with Blumira’s cloud SIEM. Deploy in hours, without a security team.
Guide to Microsoft Security
To help organizations running Microsoft environments, our guide gives you practical, step-by-step Windows tips to significantly improve your visibility into malicious activity.
Protect Against Active Directory Attacks
Blumira has released a new tool on GitHub to help you easily protect against Active Directory credential attacks like Kerberoasting that can lead to ransomware infection.
