Sysmon is a tool that has been adapted greatly in the cyber security industry because of the huge role it plays in end user logging and detection. It is important to understand how to install, configure and use a tool to meet your security detection objectives as an organization.
In this article, I will not be diving into the basics of Sysmon instead, I will be showing you how to configure Sysmon to best meet your detection objectives. As an incident responder or SOC analyst, it is important to know how to tweak the configuration file of any detection tool to minimize false positives and the amount of noise generated.
SwiftOnSecurity has come up with an amazing pre-built configuration file that you can clone here and use it as a starting point. It is constantly being updated to make sure it keeps up with the latest attacker trends.
Once the cloning has completed, run command prompt or PowerShell as an admin, navigate to the location where you stored Sysmon by running the following command:
cd <sysmon download file location>
Install Sysmon using the SwiftOnSecurity configuration file:
sysmon64.exe -acceptula -i sysmonconfig-export.xml
In case you have made changes to your configuration file and need to update it, run the command:
sysmon64.exe -c <configuration file>
SYSMON CONFIGURATION FILE
In this section, I would like us to focus on the sysmon configuration file. By the end of this I hope you will have understood the sysmon configuration file syntax and how to tweak the conditions and filters to best meet your detection objectives and use cases.
Here are a couple of things I have found worth noting when interacting with the configuration file:
1. It is written in XML format
2. <sysmon>…. </sysmon> is the root tag
3. Filters are applied on Sysmon Event IDs. We are basically choosing what we want each Event ID to log.
Below is a sysmon configuration file sample provided by Microsoft
4. All filters fall under the <EventFiltering>…. </EventFiltering> tag andare field names
In the example below, the command line tag is a field name used on the GUI side as shown below
<CommandLine condition="is" >\SystemRoot\System32\smss.exe</Commandline>
5. Rules can contain both the include and exclude filter.
For example, you may need to monitor ports such as 80,443 etc. and some Microsoft processes and services (by default) use these ports for proper functionality. You can use the include filter to instruct Sysmon that all events where destination port is set to 80 or 443 be logged and exclude events where the destination hostname ends with .microsoft.com
Below is an example:
<DestinationHostname condition=“end with">.microsoft.com</DestinationHostname>
Some of the important keywords to take note of when handling the Sysmon configuration file include:
- Onmatch — use this when you want an exact match
- Include — this means that only events where the condition has been met will be logged.
- Exclude — this means that all events will be logged except the ones listed
- Tags — just as any other XML file, Sysmon conditions and filters must be enclosed under its root tag
- condition — it is an expression that sysmon uses to determine what to include and exclude during logging. Example of conditions used with sysmon: is, contains, exclude, include, contains all, is any, exclude all, end with, begin with etc.
To learn more about Sysmon, is a reference link that I have found really helpful.
See you next time!