Sysmon 8.0, a leap forward in event annotation
Last night (for me) Mark Russinovich released a new version of Sysmon, raising it to 8.0. This release brings a feature which I’ve been eagerly awaiting, the option to tag rules with something that is visible in the logging.
This will make my sysmon-modular configuration a lot more powerful. Since the MITRE tagging now also will be in your log files, this will make searching and hunting a lot more powerful. Additionally it will give you the option to annotate these logs in order to understand where some events are coming from.
If you haven’t read my running blog series on using Sysmon, please refer to Endpoint detection Superpowers on the cheap — part 1 and onwards.
The first thing I noticed when looking at the schema is that the version changed to 4.1
<manifest schemaversion=”4.1" binaryversion=”8.00">
This make sense since the following entry has been added to all relevant EventIDs;
<data name=”RuleName” inType=”win:UnicodeString” outType=”xs:string” />
Looking at the EventLog, the new events clearly have the RuleName field added to them, now let’s make good use of them and fill them with relevant data.
Adding a name to a rule is simply done by adding a name=”xxx” condition to the type declaration. I had to fuzz this a bit but go there soon enough. The resulting config module will look like this;
Or in code;
<Image name="Id='T1028',Technique='Windows Remote Management'" condition="end with">wsmprovhost.exe</Image>
Executing wsmprovhost.exe will now result in the following EventLog entry;
I’ve chosen to include the Id as well as the Technique description to make it more recognizable without being too verbose. Both are easily captured through a simple regex in the log management and extracted into searchable fields.
I’ll commence with updating my Sysmon-modular configuration asap and update my github page.