Splunking with Sysmon

SmUrF3R5
Jun 2, 2017


I have been seeing more and more chatter on the interwebs where security researchers (Kevin Beaumont, InfoSec Taylor Swift) are using Microsoft Sysinternals System Monitor (Sysmon) to help with threat hunting. I had no knowledge of what it really was, but after doing some digging I found that it is a very powerful tool. To be honest, I can’t believe that it is not installed and turned on with a default configuration out of the box. In this blog post I will attempt to walk you through the following:

Hopefully at the end of this article you will have a server running Sysmon and a Splunk server that is actively logging Sysmon events.

What is Sysmon?

This is a brief summary taken from the Sysmon site here. You should visit that page so you can download the tool and get a more in-depth understanding of what it is we are going to enable.

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.

It is worth mentioning that this logging is extremely noisy by default. You can and should use an XML configuration file to get rid of most of the noise. I am using a configuration file from SwiftOnSecurity. You will need to tweak it based on your environment. Don’t be scared of this file. When you open it up it looks pretty verbose, but hey, if you are here reading this, I am guessing you aren’t afraid of a little cough… XML! For instance, when running in an AWS environment Sysmon will capture the wmic commands that the EC2 service runs on your Windows servers periodically. You may also have some type of software automatic updates that will occasionally trigger

Installing Sysmon

  • Download and extract Sysmon to a directory of your choosing.
  • Download the SwiftOnSecurity configuration file(s) and, if you want to, merge extra-NamedPipes.xml into your main configuration file. This file will eventually need to be in the same directory as your Sysmon executable.
  • Here are the command line options for Sysmon:

If you are using AWS then you should merge this into your config:

  • Once you have all of this in place, open up a command prompt and run the command below. The -n option is the important one to use if you want to capture/log network connections.
c:\SysinternalsSuite>Sysmon64.exe -i sysmonconfig-export.xml -l -n

Executing PsExec from a remote machine, I get this entry once the process is created:

As you can see, Sysmon has captured the process creation and execution. Digging into the message details, this is what you will see: a wealth of information.
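To pull those same message details straight from the local Sysmon channel, before Splunk is in the picture, here is an added PowerShell example (not from the original post). It assumes Sysmon is already installed with a configuration that logs Event ID 1 and that you run it in an elevated PowerShell session.

```powershell
# Added example: read the newest Sysmon process-creation (Event ID 1) entries
# from the local Sysmon channel and flatten EventData into named fields.
# Assumption: Sysmon is installed and logging; run as Administrator.
$Channel = 'Microsoft-Windows-Sysmon/Operational'

# Confirm the Sysmon channel exists and is enabled before querying it
$log = Get-WinEvent -ListLog $Channel -ErrorAction Stop
if (-not $log.IsEnabled) { throw "Channel $Channel is not enabled; is Sysmon installed?" }

function ConvertFrom-SysmonEvent {
    param(
        [Parameter(ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventRecord] $Event
    )
    process {
        # Sysmon stores its fields as <Data Name="...">value</Data> under EventData
        $xml = [xml]$Event.ToXml()
        $fields = [ordered]@{ EventId = $Event.Id; TimeCreated = $Event.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) {
            $fields[$d.GetAttribute('Name')] = $d.'#text'
        }
        [pscustomobject]$fields
    }
}

# Newest 10 process-creation events; use Id = 3 for network connections
# (only present when Sysmon was installed with -n).
Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = 1 } -MaxEvents 10 |
    ConvertFrom-SysmonEvent |
    Select-Object TimeCreated, User, Image, CommandLine, ParentImage, Hashes |
    Format-List
```

If the output shows the PsExec-launched process with its command line and parent, the local half of the pipeline is working and any gap later is on the forwarder or Splunk side.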

Let’s get this forwarding to our Splunk server now that we have Sysmon installed. You will need to download and install the Windows Splunk Universal Forwarder. Of course this requires a Splunk account, which you should already have since you have Splunk installed on a management server somewhere. If not, visit one of my earlier posts to get this up and running.

More great reading on Sysmon from @infosectactico (Carlos Perez), aka DarkOperator!

After the Splunk Universal Forwarder has been installed you will need to do two things:

Configure Splunk to ingest your Sysmon logs

There is a Splunk add-on that will help you ingest these Sysmon logs into Splunk:

Provides a data input and CIM-compliant field extractions for Microsoft Sysmon. The Microsoft Sysmon utility provides data on process creation (including parent process ID), network connections, and much more.

This add-on was originally created by Adrian Hall. We appreciate Adrian’s contribution and his willingness to turn over control to the current team for ongoing maintenance and development.

  • Log in to your Splunk server via the web admin interface.
  • Install a new add-on.

Configure your Splunk Universal forwarder to send Sysmon logs to Splunk

Okay, locate your inputs.conf file and edit it with your favorite text editor. It should be located somewhere similar to this:

C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf

and add the following:

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
# Render events as XML so they arrive with the XmlWinEventLog sourcetype
# that the Sysmon add-on's field extractions and the search below expect
renderXml = true

Start Splunking!

Open up the Splunk search bar and execute a search:

sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

-SmUrF3R5
