Day 6: Sysmon; Introduction, installation and configuration

0x_Mikey


Welcome back! It's Day 6 and today our focus will be on Sysmon (System Monitoring). Now it's getting really interesting, and by the end of this we should have one more agent in our Fleet.

Introduction
Being able to see what our endpoints are doing is very important to a SOC Analyst, as this can help pinpoint where attacks/threats may have originated. This visibility into an endpoint is especially important when investigating a compromise. Windows systems do log events by default, but the default audit settings aren't enough, as they do not record certain events (such as process creation or the hashes of files executed).
We can modify the auditing settings to enable these events, or we can install a tool called Sysmon, which collects data that will be helpful during an investigation.

What is Sysmon (System Monitoring)?
Sysmon is a free Microsoft add-on tool (part of the Sysinternals suite) used for Windows logging. It provides a lot of telemetry that can help increase the chances of detecting malicious activity, amongst other things. Sysmon has the capability to monitor events such as process creation, file creation, network connections and many more.
It is quite customizable with the aid of a configuration file. The file is optional but highly recommended by experts, since it controls which events get logged and which are filtered out.

Sysmon brings an important field called `Process GUID` which can be used to correlate events across a process's lifetime (its creation, network connections, file writes and so on all carry the same value). Sysmon also captures network connections, including the source and destination IPs and ports and the process that made the connection. Network logging is disabled by default and is usually enabled via the configuration file.
The latest version of Sysmon (v15.15) has up to 30 event IDs which include:

  • Process creation — Event ID 1
  • Network connections — Event ID 3
  • Driver/Image Load & Create Remote Thread — Event ID 6/7/8
  • Process Access — Event ID 10
  • DNS Event (DNS Query) — Event ID 22
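As an added example (not code from the original post), here is how the `Process GUID` correlation mentioned above looks in practice: the script flattens Sysmon event XML into objects and joins each network connection (Event ID 3) back to the process creation (Event ID 1) that shares its ProcessGuid, so an analyst sees the command line and parent of whatever opened the connection. The two events in `$SampleEvents` are constructed samples (made-up GUID, paths and TEST-NET address) so the script runs offline; the commented `Get-WinEvent` line is what you would use against a live Sysmon log.

```powershell
# Constructed sample events (not real telemetry) shaped like Sysmon's event XML.
$SampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-01-01 10:00:00.000</Data>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000001}</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -File C:\scripts\inventory.ps1</Data>
    <Data Name="User">LAB\analyst</Data>
    <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-01-01 10:00:02.000</Data>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000001}</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="Protocol">tcp</Data>
    <Data Name="DestinationIp">203.0.113.10</Data>
    <Data Name="DestinationPort">443</Data>
  </EventData>
</Event>
'@
)

# Flatten one Sysmon event's XML into an object: EventId plus every <Data Name="..."> field.
function ConvertFrom-SysmonEventXml {
    param([Parameter(Mandatory)][string]$EventXml)
    [xml]$doc = $EventXml
    # local-name() sidesteps the default namespace on the <Event> element.
    $idNode = $doc.SelectSingleNode("//*[local-name()='EventID']")
    $fields = [ordered]@{ EventId = [int]$idNode.InnerText }
    foreach ($d in $doc.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]$fields
}

# Join Event ID 3 (network) to Event ID 1 (process creation) on ProcessGuid.
function Join-SysmonNetworkToProcess {
    param([Parameter(Mandatory)][object[]]$Events)
    $procs = @{}
    foreach ($e in ($Events | Where-Object EventId -eq 1)) { $procs[$e.ProcessGuid] = $e }
    foreach ($n in ($Events | Where-Object EventId -eq 3)) {
        $p = $procs[$n.ProcessGuid]   # $null if the creation event was not in this batch
        [pscustomobject]@{
            UtcTime     = $n.UtcTime
            ProcessGuid = $n.ProcessGuid
            Image       = $n.Image
            Destination = "$($n.DestinationIp):$($n.DestinationPort)/$($n.Protocol)"
            CommandLine = if ($p) { $p.CommandLine } else { '<no matching Event ID 1 in batch>' }
            ParentImage = if ($p) { $p.ParentImage } else { '<unknown>' }
        }
    }
}

# Live data instead of the samples (needs Sysmon installed and an elevated shell):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 3 } -MaxEvents 500 |
#         ForEach-Object { ConvertFrom-SysmonEventXml $_.ToXml() }
$parsed = $SampleEvents | ForEach-Object { ConvertFrom-SysmonEventXml $_ }
Join-SysmonNetworkToProcess $parsed | Format-List
```

The join is keyed on ProcessGuid rather than ProcessId on purpose: Windows reuses PIDs, so a PID seen in a network event hours later may belong to a different process, while the GUID is unique to one process instance.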

This link provides more information about Sysmon’s Event identification methods.

Sysmon capabilities overview

With all of the introduction to what Sysmon is out of the way, let’s get right down to the installation

Installing Sysmon
To install Sysmon on our Windows server:
  • Open the Edge browser and search for Sysmon in the search bar. Click on the Microsoft Learn link and proceed to download Sysmon.

  • To download the configuration file for Sysmon, you search for `olaf sysmon config` (on a new tab if you like) and proceed to the GitHub page shown.
  • Scroll down till you find the `sysmonconfig.xml`. Click on it to open it.
  • On the `sysmonconfig.xml` page, click on `Raw`, then right-click on the page and select `Save as` to save the file in the Downloads folder.
  • Next, you extract the Sysmon folder.

Open PowerShell in the folder by pressing `SHIFT+Right-click`.

  • This should open PowerShell as an Administrative user.
  • In the shell, type in `.\sysmon64.exe -i ..\sysmonconfig.xml` and ENTER. Then follow the interface to install.
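The whole install procedure above as one script, with the checks I would run before and after it. This is an added example, not the post's own commands: it assumes the extracted Sysmon folder and `sysmonconfig.xml` both sit under the Downloads folder (the same layout the post's `..\sysmonconfig.xml` implies), and it must be run from an elevated PowerShell because Sysmon installs a driver and a service.

```powershell
# Assumed paths: Sysmon extracted to Downloads\Sysmon, config saved beside it in Downloads.
$SysmonDir  = Join-Path $env:USERPROFILE 'Downloads\Sysmon'
$ConfigPath = Join-Path $env:USERPROFILE 'Downloads\sysmonconfig.xml'

# Installing a driver and service needs an elevated shell; fail early if we are not elevated.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated (Run as administrator) PowerShell.' }

$SysmonExe = Join-Path $SysmonDir 'Sysmon64.exe'
foreach ($p in @($SysmonExe, $ConfigPath)) {
    if (-not (Test-Path $p)) { throw "Missing file: $p" }
}

# Sanity-check the config before handing it to the driver: well-formed XML with a <Sysmon> root.
[xml]$cfg = Get-Content -Raw -Path $ConfigPath
if ($cfg.DocumentElement.Name -ne 'Sysmon') { throw 'Config root element is not <Sysmon>.' }
"Config schema version: $($cfg.Sysmon.schemaversion)"

# -accepteula skips the interactive EULA prompt; -i installs the service and driver with the given config.
& $SysmonExe -accepteula -i $ConfigPath
if ($LASTEXITCODE -ne 0) { throw "Sysmon install returned exit code $LASTEXITCODE" }

# Verify: the Sysmon64 service is running and the operational log is already receiving events.
Get-Service -Name Sysmon64 | Select-Object Name, Status
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

# Later: apply an updated config without reinstalling with  .\Sysmon64.exe -c <path>
# and print the currently active config with                 .\Sysmon64.exe -c
```

The first events you see are usually Event ID 16 (config change) followed by Event ID 1 entries for processes that start after the driver loads; if the log stays empty, check that the config actually includes the event types you expect rather than excluding them all.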

Setting up Elastic agent with Sysmon
Here we will be creating a policy for our Windows server and installing an agent on it.
  • Click on `Add agent`, then name your policy accordingly and click `Create policy`.

  • When the policy has been created, some information will be displayed. Scroll down to `Install Elastic Agent on your host`, click on the `Windows` tab and copy the shell command in the box.
  • Paste the command in the Windows Server PowerShell. The agent tries to install but enrollment fails, because the Fleet server is using a self-signed certificate that the agent will not trust. So we add the flag `--insecure` to the copied installation command and run it again.
  • Clear the screen, hit the UP arrow key and add `--insecure` to the command. It should install successfully and the change will be reflected in Kibana.
  • The agent enrollment will be confirmed in Fleet.
Windows Server Policy in Fleet
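The enrollment step above wrapped in a function, as an added example that is not the post's own command. It follows the shape of the command Kibana generates (download the agent zip, extract it, run `elastic-agent.exe install`) and adds the `--insecure` flag the post needed, plus local checks before looking in Fleet. The Fleet URL, enrollment token and agent version are placeholders to be replaced with the values from the `Install Elastic Agent on your host` box.

```powershell
function Install-LabElasticAgent {
    param(
        [Parameter(Mandatory)][string]$FleetUrl,        # placeholder, e.g. https://<fleet-server-ip>:8220
        [Parameter(Mandatory)][string]$EnrollmentToken, # placeholder, copied from Fleet
        [Parameter(Mandatory)][string]$Version,         # placeholder, match the version Kibana shows
        [switch]$TrustSelfSigned                        # lab only: adds --insecure (skips Fleet TLS verification)
    )
    $zip = "elastic-agent-$Version-windows-x86_64.zip"
    $dir = "elastic-agent-$Version-windows-x86_64"

    $ProgressPreference = 'SilentlyContinue'   # the progress bar makes Invoke-WebRequest slow on PowerShell 5.1
    Invoke-WebRequest -Uri "https://artifacts.elastic.co/downloads/beats/elastic-agent/$zip" -OutFile $zip
    Expand-Archive -Path $zip -DestinationPath . -Force

    # Build the install command; --non-interactive keeps it from prompting in a script.
    $argList = @('install', "--url=$FleetUrl", "--enrollment-token=$EnrollmentToken", '--non-interactive')
    if ($TrustSelfSigned) { $argList += '--insecure' }
    & ".\$dir\elastic-agent.exe" @argList
    if ($LASTEXITCODE -ne 0) { throw "elastic-agent install failed with exit code $LASTEXITCODE" }

    # Verify locally before checking Fleet: the service exists and the agent reports its status.
    Get-Service -Name 'Elastic Agent' | Select-Object Name, Status
    & 'C:\Program Files\Elastic\Agent\elastic-agent.exe' status
}

# Lab usage: the Fleet server presents a self-signed certificate, so -TrustSelfSigned is required here.
# Install-LabElasticAgent -FleetUrl 'https://<fleet-server-ip>:8220' -EnrollmentToken '<token>' -Version '<agent-version>' -TrustSelfSigned
```

`--insecure` only makes sense in a lab: it tells the agent not to verify the Fleet server's certificate at all. Outside a lab, keep verification on and hand the agent the CA that signed the Fleet server certificate via `--certificate-authities` is not a flag; the real option is `--certificate-authorities=<ca.pem>`.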

There you have it: we now have both our Fleet server and our Windows server enrolled. We still have one more server policy to add, but next time I'll be trying to ingest data from the systems we have by adding integrations, and maybe try out a few attacks if possible.

Till next time, stay CyberCurious!

Stay CyberAwesome!!!



Written by 0x_Mikey

Cybersecurity Researcher || SOC Analyst || Cloud Security || Information Security https://www.linkedin.com/in/michaelokpu/
