    February 16, 2021

    New Microsoft Sysmon Security Rules

    To help you monitor your Microsoft Windows security, Blumira’s incident detection team has released a number of new Sysmon detection rules that help identify potential attacker activity in your environment. Our security team continually develops and writes new detections to keep up with evolving threats.

    What is Sysmon?

    Sysmon (System Monitor) is part of the Sysinternals suite, now owned by Microsoft. It enriches standard Windows logging with detailed, higher-level events such as process creation, network connections and changes to the file system.

    It’s very easy to install and deploy. See Lead Incident Detection Engineer Amanda Berlin’s How to Enable Sysmon for our three-step instructions that will help you turn on an incredible amount of advanced logging for greater visibility and enhanced threat detection.

    Why You Should Enable Sysmon

    With Sysmon enabled, Blumira can start streaming your Windows logs to our platform for deeper threat analysis. We can help you detect, alert and respond to common threats, including attackers moving laterally through your environment, escalating privileges, collecting data for exfiltration, and more.

    To see how you can easily integrate with your Microsoft environment and deploy a SIEM in a few hours, sign up for a free trial of Blumira.

    New Sysmon Security Detections From Blumira

    The following Sysmon detections (written by Incident Detection Engineer Brian Laskowski) are now integrated into Blumira’s cloud SIEM platform to provide prioritized alerts on Windows-related findings and to offer playbooks for threat response.

    Each of them maps to the MITRE ATT&CK framework, a widely referenced knowledge base used to develop threat models and methodologies across industries and throughout the infosec community.

    Detection Rule: Enable Remote Services: Remote Desktop Protocol in the Registry
    A common technique used by threat actors is to use built-in remote access tools such as Remote Desktop Protocol (RDP) for lateral movement or persistence in an environment. This gives the threat actor access that blends in with normal traffic. The tactic is frequently used in drive-by attacks on exposed RDP services, and some botnet malware does it as well.

    Maps to the MITRE ATT&CK Framework: T1021.001, Tactic: Lateral Movement

    Detection Rule: Local Accounts Added to Administrators Group
    A common technique used by threat actors is to create a new local account on a system and then add it to the local Administrators group. This gives the threat actor a privileged account with which to persist in the environment.

    Maps to the MITRE ATT&CK Framework: T1078.003, Tactics: Defense Evasion, Persistence, Privilege Escalation, Initial Access

    Detection Rule: Security Software Discovery – AV Discovery via WMI
    Windows Management Instrumentation (WMI) is a built-in Microsoft utility for administering Windows systems. Its ability to interrogate the software on a system also makes it ideal for threat actors profiling a system. Using it to query for antivirus (AV) products has been seen from both hands-on-keyboard threat actors and commodity botnets. Investigate whether the query was executed by approved software or by an administrator.

    Maps to the MITRE ATT&CK Framework: T1518.001, Tactic: Discovery

    Detection Rule: Compress Data for Exfiltration With RAR
    RAR archives tend to be unusual on a normal Windows enterprise network, and users creating them from the command line is even less common. While this may be legitimate activity, it should be investigated to make sure it is not a threat actor packaging critical data for exfiltration (stealing data). Review recent activity on the machine for other anomalies, check whether the user has a history of this activity, and determine whether it is part of a normal business process.

    Maps to the MITRE ATT&CK Framework: T1560.001, Tactic: Collection

    Detection Rule: Enumeration for Credentials in Registry
    In many Windows environments, credentials and passwords can be found in multiple locations, left behind by users or software. One place threat actors often look for credentials is the Windows registry hives, which can contain passwords that allow the threat actor to move laterally or escalate privileges.

    Maps to the MITRE ATT&CK Framework: T1552.002, Tactic: Credential Access

    Detection Rule: Process Injection
    When a threat actor gains a foothold on a system, one of the tasks they need to perform is privilege escalation to gain full access to the system. One way they do this is process injection, in which their malicious code is injected into the memory of a higher-privilege process running as SYSTEM. The same activity can also be seen when a threat actor tries to access sensitive data such as credentials from the memory of the LSASS (Local Security Authority Subsystem Service) process. Some software uses this technique in normal operation, but the alert should be thoroughly investigated before it is closed. This tactic is extremely common in commodity malware, post-exploitation toolkits, and advanced adversary groups.

    Maps to the MITRE ATT&CK Framework: T1055.004, Tactics: Defense Evasion, Privilege Escalation
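The six rule descriptions above say what each detection looks for but not what the matching logic looks like against actual Sysmon telemetry. The following Python example is added here for illustration and is not Blumira's detection code: it implements a toy version of each rule as a predicate over Sysmon events represented as dicts keyed by Sysmon's own field names (EventID, Image, CommandLine, TargetObject, Details, SourceImage, TargetImage, GrantedAccess), then runs them over constructed sample events, one per rule plus a benign process. The registry value (fDenyTSConnections), the command-line patterns, and the Win32 process access-right bits are the well-known indicators for each technique and are this example's assumptions, not values taken from the post. A production rule would add allowlists for approved software and administrators, as the post's investigation guidance implies.

```python
# Toy evaluator for the six Sysmon detections described in this post.
# Added example, not Blumira's rule code; SAMPLE_EVENTS are constructed, not real telemetry.
import re

def _cmd(ev): return ev.get("CommandLine", "")
def _image_name(path): return path.rsplit("\\", 1)[-1].lower()   # "C:\...\lsass.exe" -> "lsass.exe"

# 1. Sysmon Event ID 13 (RegistryEvent, value set): fDenyTSConnections = 0 enables RDP.
def rdp_enabled_in_registry(ev):
    target = ev.get("TargetObject", "").lower()
    return (ev.get("EventID") == 13
            and target.endswith(r"\control\terminal server\fdenytsconnections")
            and re.fullmatch(r"DWORD \(0x0+\)", ev.get("Details", "")) is not None)

# 2. Event ID 1 (ProcessCreate): net.exe or PowerShell adding a member to Administrators.
_ADMIN_ADD = re.compile(r"net1?(\.exe)?\s+localgroup\s+administrators\s+.+/add"
                        r"|add-localgroupmember\s+.*-group\s+[\"']?administrators", re.I)
def local_account_added_to_admins(ev):
    return ev.get("EventID") == 1 and _ADMIN_ADD.search(_cmd(ev)) is not None

# 3. Event ID 1: wmic / Get-WmiObject / Get-CimInstance querying SecurityCenter2 for AV products.
_AV_WMI = re.compile(r"antivirusproduct|root\\securitycenter2", re.I)
def av_discovery_via_wmi(ev):
    return ev.get("EventID") == 1 and _AV_WMI.search(_cmd(ev)) is not None

# 4. Event ID 1: rar.exe / WinRAR run with the "a" (add to archive) command as its first argument.
_FIRST_TOKEN_THEN_A = re.compile(r'^\s*("[^"]*"|\S+)\s+a\s', re.I)
def rar_compression(ev):
    return (ev.get("EventID") == 1
            and _image_name(ev.get("Image", "")) in {"rar.exe", "winrar.exe"}
            and _FIRST_TOKEN_THEN_A.search(_cmd(ev)) is not None)

# 5. Event ID 1: reg query searching for password-like strings or known credential-bearing keys.
_REG_CRED = re.compile(r"reg(\.exe)?\s+query\s+.*(/f\s+[\"']?(pass|pwd|cred)"
                       r"|simontatham\\putty\\sessions"       # saved PuTTY sessions
                       r"|currentversion\\winlogon)", re.I)  # autologon DefaultPassword
def credentials_in_registry(ev):
    return ev.get("EventID") == 1 and _REG_CRED.search(_cmd(ev)) is not None

# 6. Event ID 8 (CreateRemoteThread) into another process, or Event ID 10 (ProcessAccess)
#    with thread/write rights on any process, or read rights on lsass.exe.
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION = 0x0002, 0x0008   # Win32 process access rights
PROCESS_VM_READ, PROCESS_VM_WRITE = 0x0010, 0x0020
_INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
def process_injection(ev):
    eid, src, tgt = ev.get("EventID"), ev.get("SourceImage", ""), ev.get("TargetImage", "")
    if src.lower() == tgt.lower():
        return False                       # a process touching itself is not injection
    if eid == 8:
        return True
    if eid == 10:
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        return bool(granted & _INJECT_RIGHTS) or (
            _image_name(tgt) == "lsass.exe" and bool(granted & PROCESS_VM_READ))
    return False

RULES = [  # (rule name from the post, ATT&CK technique, predicate)
    ("Enable Remote Services: RDP in the Registry", "T1021.001", rdp_enabled_in_registry),
    ("Local Accounts Added to Administrators Group", "T1078.003", local_account_added_to_admins),
    ("AV Discovery via WMI", "T1518.001", av_discovery_via_wmi),
    ("Compress Data for Exfiltration With RAR", "T1560.001", rar_compression),
    ("Enumeration for Credentials in Registry", "T1552.002", credentials_in_registry),
    ("Process Injection", "T1055.004", process_injection),
]

def evaluate(event):
    """ATT&CK IDs of every rule that fires on one Sysmon event."""
    return [attack_id for _, attack_id, pred in RULES if pred(event)]

def run(events):
    """{event index: [ATT&CK IDs]} for every event that triggered at least one rule."""
    return {i: ids for i, ev in enumerate(events) if (ids := evaluate(ev))}

SAMPLE_EVENTS = [  # constructed examples, one per rule plus a benign process at the end
    {"EventID": 13, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"},
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup administrators svc_backup /add"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"EventID": 1, "Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" a C:\Users\jdoe\docs.rar C:\Users\jdoe\Documents'},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": "reg query HKLM /f password /t REG_SZ /s"},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt"},
]

if __name__ == "__main__":
    for i, ids in run(SAMPLE_EVENTS).items():
        print(f"event {i}: {ids}")
```

Run stand-alone, the script prints one line per sample event that matched, with the benign notepad launch producing nothing. The rule for process injection deliberately treats lsass.exe differently from other targets: read access alone is enough to flag a credential-dumping attempt against LSASS, while for other processes only thread-creation or memory-write rights count, which keeps ordinary query-only handle opens out of the alert stream.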

    To see how you can easily integrate with your Microsoft environment and deploy a SIEM in a few minutes, sign up for a free version of Blumira.

    Additional Microsoft Security Resources

    Use Case: Microsoft Security
    Easily detect and respond to Microsoft security risks, exploits and threats with Blumira’s cloud SIEM. Deploy in hours, without a security team.

    Guide to Microsoft Security
    To help organizations running Microsoft environments, our guide gives you practical, step-by-step Windows tips to significantly improve your visibility into malicious activity.

    Protect Against Active Directory Attacks
    Blumira has released a new tool on GitHub to help you easily protect against Active Directory credential attacks like Kerberoasting that can lead to ransomware infection.

    Thu Pham

    Thu has over 15 years of experience in the information security and technology industries. Prior to joining Blumira, she held both content and product marketing roles at Duo Security, leading go-to-market (GTM) and messaging for the portfolio solution Cisco Zero Trust. She holds a bachelor of science degree in...
