Create An Agent Based Log Source - Sysmon

You can use this document to collect Sysmon logs and send them to Armor's Log and Data Management platform.

Configure Your Sysmon Service

Configuring Sysmon services uses the Command Line Interface (CLI) feature. For more information, see Security Service CLI Commands.

The following arguments to install and uninstall Sysmon services.

The following arguments are possible parameters for the Logging CLI feature.

COMMAND	ARGUMENTS	RESULT
add-event-logs	"Microsoft-Windows-Sysmon/Operational"	Add the event log to the logging service.
sync-event-logs		Syncs the logging config.
remove-event-logs	"Microsoft-Windows-Sysmon/Operational"	Remove the event log from the logging service

Installation of Sysmon

Install the sysmon service

CODE

C:\.armor\opt\armor.exe sysmon install

Add the event log, specific to Sysmon, to the Armor logging service.

CODE

C:\.armor\opt\armor.exe logging add-event-logs "Microsoft-Windows-Sysmon/Operational"

Sync the logging config

CODE

C:\.armor\opt\armor.exe logging sync-event-logs

Removal of Sysmon

Remove the sysmon service

CODE

C:\.armor\opt\armor.exe sysmon uninstall

Remove the event log from the logging service

CODE

C:\.armor\opt\armor.exe logging remove-event-logs "Microsoft-Windows-Sysmon/Operational"

Sync the logging config

CODE

C:\.armor\opt\armor.exe logging sync-event-logs

Accessing The Datalake

The Armor data lake is a centralized repository for storing Armor collected data.

Log Search In AMP

Navigate to Security -> Log Search and SSO into Chaos Search.
Create a filter by doing the following:
1. Click on Add filter.
2. In Field select wineventlog.log_name
3. Select is for Operator.
4. Enter the value Microsoft-Windows-Sysmon/Operational into the Value field.
5. Click Save.
6. Now set the date range and click Refresh.

Data Presentation

Data consists of documents stored in the datalake. Each document contains all the data related to that particular rule and resource. Below are examples of the table and JSON views:

Table Example

FIELDS	VALUES
@timestamp	Jan 8, 2021 @ 05:22:23.536
#@version	1
t_id	63691655
t_index	1_2177_customer
#_score	1
t_type	doc
tarmor_metadata.customer.account_name	330IncAnywhereGen4Dec6
tarmor_metadata.customer.hostname	EC2AMAZ-V8SB0VH
tarmor_metadata.customer.os_name	Windows 2019
tarmor_metadata.customer.product_name	AA
tarmor_metadata.customer.service_provider	Armor Anywhere
tarmor_metadata.customer.tenant_id	2177
tarmor_metrics.input_port	5515
#armor_metrics.latency.processing	0.105
tarmor_metrics.processing_chain	["KVN_V4_collector_i-029bcb4147f0cd297\|2021-01-07T23:52:23Z","KVN_V4_processor_i-0ebc8bdf5058e3486\|2021-01-07T23:52:23Z"]
tbeat.hostname	EC2AMAZ-V8SB0VH
tbeat.name	EC2AMAZ-V8SB0VH
tbeat.version	6.7.1
tdata_type	wineventlog
#document_size	2,108
tevent_uuid	b478b96d-9bdd-42e4-8a0b-a16878dc5406
texternal_id	6010ee52-85a8-456e-8dea-a7ad32ebc0fd
thostname	EC2AMAZ-V8SB0VH
tindex_type	customer-known
tlabels.parent_id	1
tlogsource.hostname	EC2AMAZ-V8SB0VH
tlogsource.origin	core
tmessage	Network connection detected: RuleName: RDP UtcTime: 2021-01-07 23:52:12.422 ProcessGuid: {5b5555e6-ed17-5fe0-1400-00000000f300} ProcessId: 1048 Image: C:\Windows\System32\svchost.exe User: NT AUTHORITY\NETWORK SERVICE Protocol: tcp Initiated: false SourceIsIpv6: false SourceIp: 87.251.67.18 SourceHostname: - SourcePort: 23570 SourcePortName: - DestinationIsIpv6: false DestinationIp: 172.31.80.8 DestinationHostname: EC2AMAZ-V8SB0VH.ec2.internal DestinationPort: 3389 DestinationPortName: ms-wbt-server
#message_size	504
original_timestamp	Jan 8, 2021 @ 05:22:20.639
received_timestamp	Jan 8, 2021 @ 05:22:23.536
tsyslog_timestamp	01-01-2007 23:52
ttags	["core","oslogs","windows","customer","confirmed_external_id"]
ttenant_id	2177
ttype	wineventlog
twineventlog.computer_name	EC2AMAZ-V8SB0VH
twineventlog.event_data.target_user_name	-
twineventlog.event_id	3
twineventlog.level	Information
twineventlog.log_name	Microsoft-Windows-Sysmon/Operational
twineventlog.opcode	Info
twineventlog.process_id	6136
twineventlog.provider_guid	{5770385f-c22a-43e0-bf4c-06f5698ffbd9}
twineventlog.record_number	4196814
twineventlog.source_name	Microsoft-Windows-Sysmon
twineventlog.task	Network connection detected (rule: NetworkConnect)
twineventlog.thread_id	5680
twineventlog.user.domain	NT AUTHORITY
twineventlog.user.identifier	S-1-5-18
twineventlog.user.name	SYSTEM
twineventlog.user.type	User
twineventlog.version	5

JSON Example

CODE

{
  "_score": 1,
  "_type": "doc",
  "_source": {
    "document_size": 2108,
    "@timestamp": "2021-01-07T23:52:23.536Z",
    "tenant_id": "2177",
    "armor_metadata.customer.tenant_id": "2177",
    "hostname": "EC2AMAZ-V8SB0VH",
    "wineventlog.provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
    "wineventlog.process_id": "6136",
    "message_size": 504,
    "wineventlog.computer_name": "EC2AMAZ-V8SB0VH",
    "_id": 63691655,
    "tags": "[\"core\",\"oslogs\",\"windows\",\"customer\",\"confirmed_external_id\"]",
    "armor_metrics.processing_chain": "[\"KVN_V4_collector_i-029bcb4147f0cd297|2021-01-07T23:52:23Z\",\"KVN_V4_processor_i-0ebc8bdf5058e3486|2021-01-07T23:52:23Z\"]",
    "armor_metadata.customer.hostname": "EC2AMAZ-V8SB0VH",
    "wineventlog.opcode": "Info",
    "armor_metrics.input_port": "5515",
    "original_timestamp": "2021-01-07T23:52:20.639Z",
    "logsource.origin": "core",
    "wineventlog.user.domain": "NT AUTHORITY",
    "wineventlog.user.identifier": "S-1-5-18",
    "wineventlog.log_name": "Microsoft-Windows-Sysmon/Operational",
    "wineventlog.version": "5",
    "wineventlog.level": "Information",
    "wineventlog.thread_id": "5680",
    "wineventlog.user.name": "SYSTEM",
    "received_timestamp": "2021-01-07T23:52:23.536Z",
    "data_type": "wineventlog",
    "armor_metadata.customer.account_name": "330IncAnywhereGen4Dec6",
    "event_uuid": "b478b96d-9bdd-42e4-8a0b-a16878dc5406",
    "wineventlog.task": "Network connection detected (rule: NetworkConnect)",
    "syslog_timestamp": "Jan 7 23:52:23",
    "labels.parent_id": "1",
    "armor_metadata.customer.service_provider": "Armor Anywhere",
    "beat.version": "6.7.1",
    "external_id": "6010ee52-85a8-456e-8dea-a7ad32ebc0fd",
    "message": "Network connection detected: RuleName: RDP UtcTime: 2021-01-07 23:52:12.422 ProcessGuid: {5b5555e6-ed17-5fe0-1400-00000000f300} ProcessId: 1048 Image: C:\\Windows\\System32\\svchost.exe User: NT AUTHORITY\\NETWORK SERVICE Protocol: tcp Initiated: false SourceIsIpv6: false SourceIp: 87.251.67.18 SourceHostname: - SourcePort: 23570 SourcePortName: - DestinationIsIpv6: false DestinationIp: 172.31.80.8 DestinationHostname: EC2AMAZ-V8SB0VH.ec2.internal DestinationPort: 3389 DestinationPortName: ms-wbt-server",
    "armor_metrics.latency.processing": 0.10485601425170898,
    "wineventlog.record_number": "4196814",
    "wineventlog.event_data.target_user_name": "-",
    "type": "wineventlog",
    "armor_metadata.customer.product_name": "AA",
    "beat.name": "EC2AMAZ-V8SB0VH",
    "beat.hostname": "EC2AMAZ-V8SB0VH",
    "armor_metadata.customer.os_name": "Windows 2019",
    "@version": 1,
    "wineventlog.event_id": "3",
    "index_type": "customer-known",
    "logsource.hostname": "EC2AMAZ-V8SB0VH",
    "wineventlog.user.type": "User",
    "wineventlog.source_name": "Microsoft-Windows-Sysmon"
  },
  "_id": "63691655",
  "_index": "1_2177_customer"
}

Helpful Fields For Searching The Datalake

FIELD	FILTER BY
wineventlog.log_name	Microsoft-Windows-Sysmon/Operational
wineventlog.task	the task name
wineventlog.event_id	the event id eg : 1,2,3,4,5,6,7
wineventlog.source_name	Microsoft-Windows-Sysmon

Adding A Filter

To add additional filters, click on the Add Filter Button.

Then set the field to one of the helpful fields above, select the operator, put in the value and hit save. The data is now filtered on a specific log_name, event_id or other field selected.

Sysmon Rules

RULE	DESCRIPTION
PsExec Process Observed on a Compromised Host	This rule triggers when a PsExec process has been detected on a host that has been identified as likely compromised.
Administrative Share Accessed from a Compromised Host	Detects hosts that have been identified as likely compromised when they access Administrative shares.
Network Share Accessed from a Compromised Host	Detects hosts that have been identified as likely compromised when they access networked shares.
Powershell Process Observed on a Compromised Host	This rule triggers when a powershell process has been detected on a host that has been identified as likely compromised.
Metasploit PSExec Module Usage	Detects the Metasploit implementation of the PSExec tool.
Excessive System Tools Usage from a Single Host	Detects a large volume of several system tools being used from a single system.
Excessive Network Share Access Failures from a Compromised Host	Detects hosts that have been identified as likely compromised when they access several networked shares in a short time period.
Powershell Script Created by a Remote Management Service	Detects if any remoting service, such as wsmprovhost, psexesvc, or wmiprvse, creates a PowerShell script file.
Unsigned Executable Loaded In Sensitive System Process	This rule is triggered on any attempt to load an unsigned executable file into sensitive system processes.
Mimikatz IMP Hash Observed	Detects successful process creation matching the hash of 'Invoke Mimikatz PowerShell (IMP)'.
Potential Keylogger Detected	This rule triggers when a potential keylogger tool is detected.
Service Binary Path Update Followed by Remote Thread Creation	This rule triggers when a service binary path is updated and a remote thread is created by the same process.
Executable Loaded from Temp Directory	This rule triggers when an executable is loaded from a temp directory.
Remote Management Service Connected to lsass Pipe	Detects when a remote management service is connected to lsass pipe.
Unusual Value Size in Windows Registry	This rule triggers when a value with an unusual size is set in Windows Registry.
Service Binary Path Update Followed by User or Group Modification	This rule triggers when a service binary path is updated and a user or a group is modified on the same host.
Suspicious Access to lsass Process From Unknown Call Trace	This rule triggers when a suspicious access to lsass is initiated from an unknown call trace.
Fileless UAC Bypass using Windows Event Viewer	Detects when a registry event uses Windows Event Viewer has been detected.
Process Launched from Unusual Directory	This rule triggers when a process is launched from an unusual directory.
Excessive Use of SC Command	This rule triggers when the Service Control command is frequently used on a single host.
Service Installed on a Compromised Host	This rule triggers when a service has been created on a host that has been identified as likely compromised.
Thread Creation by a Process Launched from a Shared Folder	Detects when a process launched from a shared folder is creating a thread into another process.
Group or Account Discovery	Detects when a command related to group or account discovery is detected.
Unsigned Driver Loaded In Windows Kernel	This rule triggers when any unsigned driver is loaded in Kernel.
UAC Bypass - Scheduled Task Configured to Run with Highest Privileges	Detects a potential User Account Control bypass when a scheduled task is configured to run with the highest privileges.
Credential Dumping using SAM Registry Key	Detects when a resource is enumerating users sub-keys.
Download via Encoded Command Initiated	This rule triggers when a download of a PowerShell script is initiated from cmd.exe or Powershell.
Programming Environment Started with a Privileged Account	Detects when a programming environment has been started with a privileged account.
Suspicious Access to lsass Process	This rule triggers when a process connects to lsass that does not normally.
Process Launched by an Unusual Process	This rule triggers when a process that is not supposed to have child launches a process.
Excessive Administrative Share Access Failures from the Same Host	Detects repeated failures to access administrative shares from the same host.
Thread Creation by a Process Launched from a Temp Directory	This rule triggers when a thread is created by a process launched from a temp directory.
Detected an Unquoted Service Binary Path with Spaces	Detects if an unquoted service binary path contains spaces. A file path that is not enclosed within quotation marks and contains spaces in the path can be leveraged.
Service Binary Path Update Followed by Network Connection	Detects if a process attempts to configure or add a service and detects if the same process creates an outbound connection.
PsExec Process Masquerading	This rule triggers when PsExec IMP Hash is detected for another process name.
Process Launched from a Temp Directory	This rule triggers when a process is launched from a temp directory. Temporary directories are common staging locations for malware execution or data exfiltration.
Unusual Parent for a System Process	This rule triggers when an unusual parent is found for a system process.
Thread Creation into lsass Process	This rule triggers when a thread is created into lsass process.
Fileless UAC Bypass using sdclt	This rule triggers when a UAC bypass using sdclt has been detected.
Unsigned Executable Loaded in lsass	This rule triggers when an unsigned driver is loaded in lsass.
Rundll32 with qwerty Argument Usage	This rule triggers when rundll32 is executed with qwerty argument, which could indicate the presence of a Ransomware (type Locky).
Service Configured to Use a Pipe	This rule triggers when a service is configured to use a pipe.
Remote Process Execution on Multiple Hosts	This rule triggers when remote management service are creating process on multiple hosts.
Service Configured to Use Powershell	This rule triggers when a service is configured to use Powershell.
Scheduled Task Created on Multiple Hosts	This rule triggers when a scheduled task has been created on mulitple hosts.
Service Binary Located in a Shared Folder	This rule triggers when a service binary is located in a shared folder.
Process Launched from a Shared Folder	This rule triggers when a process is launched from a shared folder.
Fileless UAC Bypass using Fodhelper	This rule triggers when a UAC bypass using Fodhelper has been detected.
Shadow Copies Deletion	This rule triggers when deletion of shadow copies is detected.
Potential Credential Dumping Tool Detected	This rule triggers when a potential credential dumping tool is detected.
Pipe Created Followed by Service Binary Path Update	This rule triggers when a pipe is created and the service binary path is updated to connect to it.
Scheduled Task Created on a Compromised Host	This rule triggers when a scheduled task has been created on a compromised host.
Lsass Process Connected to a Pipe	This rule triggers when an lsass process is being connected to a pipe.
Thread Creation into a System Process	This rule triggers when a process is creating a thread into a system process.
Malicious Service Installed	This rule triggers when a service categorized as malicious has been installed.
Hidden Network Share Added	This rule triggers when a hidden Network Share has been added.
Thread Creation into a Process Different from the Initial One	This rule triggers when a process is creating a thread into another process.
Network Share Added to a Compromised Host	This rule triggers when a network share has been added to a compromised host.
System Process Launched from Unusual Directory	This rule triggers when a system process is launched from an unusual directory.
Encoded Command Malicious Usage in a Programming Environment	This rule triggers when an encoded command is used in a programming environment type cmd or Powershell.

Troubleshooting

Make sure that winlogbeat is configured for sysmon.

Make sure you have synched up the logs.

CODE

C:\.armor\opt\armor.exe logging sync-event-logs