Hunting with Sysmon
Previously I mentioned I would release my simple generic Splunk App to help anyone almost instantly operationalize Sysmon data. So, here it is! It is nothing completely fancy or of superior wizardry caliber, but it will get you everything you ever wanted to begin monitoring for evil in your environment. The goal of this project is to contribute back to the InfoSec industry in relation to Threat Hunting. I believe we all need to share our hunting methodologies along with tools. I hope this teaches those who want to learn something new, but also inspires those to test out Sysmon+Splunk and get full value out of endpoint data.
What type of data does Sysmon Collect?
I have collected many sample configuration and resources of Sysmon setups, deployments, use (hunting etc.) and recent presentations on my Github site:
sysmon-dfir — Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.github.com
Basic, getting started, configuration:
To the more advanced configuration:
It’s simple. I know. It will get you to where you need to be though, I promise. The magic of this app is not the dashboard pictured above, but it is the gold that is in the saved searches that I want to point you to.
app_splunk_sysmon_hunter - Splunk App to assist Sysmon Threat Huntinggithub.com
I attempted to name the saved searches what they are and I hope they make sense. I will continuously be updating this app with new saved searches.
Powershell — All PoSh by computer
Powershell — EncodedCommand
Powershell — EventDescription
schtasks — run
schtasks — delete
schtasks — create
schtasks — change
schtasks — all
If you plan to contribute — I hope this makes sense, if not — let’s discuss and make this better.
Threat hunting is many things and I believe this App+Sysmon will get you started in the right direction of hunting and finding bad things quickly. Out of the box, I have created reports for the many things that are top of mind across the industry.
Critical Process Check
In total out of the box you get 47 searches that will help you get started with Sysmon and threat hunting. How about that for sharing!?
Many of these came from TomU talk at BotConf and my previous experience with using Carbon Black in Splunk.
Additional items may be reviewed here:
hunt-detect-prevent - Lists of sources and utilities utilized to hunt, detect and prevent evildoers.github.com
Hit me up on twitter or in the comments here.
Indirectly the following have contributed to this app, either in Sysmon or in Splunk. Thank you for sharing.
Tom Ueltschi — @c_APT_ure
Future for the App
- Splunk Data Model — depending upon how much data consumed
- Network data analysis
- Hopefully more dashboards that are sexy
- Adaptive response framework
- Built in Alerts