Splunking with Sysmon — A Beginner’s Guide

Shahzad Subhani
5 min read · Jan 26, 2021

This article covers the installation of Sysmon, its configuration, and its integration with Splunk Enterprise for threat hunting.

The objectives behind this article are:

• Install Sysmon on a Windows machine

• Generate different process logs

• Collect those logs with Splunk

• Analyze the logs

You might be wondering what Sysmon is and why you even need it in the first place. If you do not know Sysmon, here are a few key points to remember.

• System Monitor (Sysmon) is part of the Sysinternals tools. It is a Windows system service and device driver. Once installed on a system, it remains resident across system reboots to monitor and log system activity to the Windows event log.

• It provides detailed information about process creations, network connections, and changes to file creation time.

• It logs process creation with the full command line for both current and parent processes.

Here is a sample of the logs generated by Sysmon.

Sysmon Event Log Sample

You can read more about it on the Microsoft Sysmon documentation page.

Why it is required

Now you might be wondering why it is required. To be honest, the main reason is very old and obvious. If you work as a security analyst in a Security Operations Center (SOC), you will have noticed that Windows Event Logs do not always provide the logs you need, and if you enable object-based auditing it generates far too many logs, which makes it difficult to get any useful results.

With Sysmon, once it is deployed with a good configuration, you can turn different kinds of logging on and off. These logs are to the point and very useful. Sysmon events can be collected using Windows Event Collection or any SIEM agent. In this article we will use a SIEM agent, the Splunk Universal Forwarder. However, once the events are part of the Windows Event Logs, any SIEM solution will be able to collect and analyze them. Once collected, the logs are analyzed by your SIEM solution, and you will be able to identify malicious or anomalous activity and understand how intruders and malware operate on your network. Please note that Sysmon does not provide analysis of the events it generates, nor does it attempt to protect or hide itself from attackers.

Now let's get started. We need to perform these steps in order to have a successful integration:

• Download Sysmon

• Installation of Sysmon with Default Configuration

• Installation of Sysmon with Advanced Configuration

• Generate logs via Atomic Red Team

• Review Logs

• Deploy Splunk

• Configure Splunk

• Collect Logs

• Review Logs

Here are the links that will be used for the above steps .

Sysmon and a sample configuration can be downloaded from the Microsoft Sysmon download page. Once downloaded, you can deploy it with the default configuration using this command:

sysmon -accepteula -i

Please note that the default configuration is very limited: it hashes process images (executables) with SHA1 and does no network monitoring. If our objective is to find an executable that is trying to make internal or external network connections, we need to enable that. There are two approaches. The difficult approach is to write a Sysmon configuration file from scratch and keep adding different images for monitoring. The easy and best approach is to trust others and use ready-made Sysmon configuration files from either of these two reliable industry sources. These configuration files are mapped to the MITRE ATT&CK framework.

Olaf Hartong Configuration

SwiftOnSecurity Configuration

You can download either of the above XML files from their GitHub repositories. Please make sure that you download the file in the right way. Right-clicking on the file and saving it as a link, as shown below, will corrupt the file, and you will keep banging your head against the wall wondering why it is not working. As a matter of fact, it did happen to me.

Sysmon Configuration download Options

To download the file correctly, click on Code and then Download ZIP.

Once the file is downloaded, you can open it with any XML editor and check that it looks OK. Then open the Command Prompt as Administrator and update the configuration with this command:

sysmon -accepteula -i sysmonconfig3.xml
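To show what such a configuration file actually contains, here is a minimal added example written for this walkthrough; it is not the Olaf Hartong or SwiftOnSecurity file (those are far larger). It turns on the network-connection logging the default install lacks and excludes one noisy process; the schemaversion is an assumption and must match the version your installed Sysmon prints with sysmon -? config.

```xml
<!-- Added minimal example, not one of the linked community configurations.
     schemaversion is an assumption: match it to your installed Sysmon. -->
<Sysmon schemaversion="4.30">
  <!-- Hash process images with SHA256 instead of the default SHA1 -->
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1 (process creation): an empty exclude rule means
         "log everything"; add Image entries here to drop noisy processes -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude" />
    </RuleGroup>
    <!-- Event ID 3 (network connection): log every connection except those
         made by the Splunk Universal Forwarder itself, which talks to the
         indexer constantly and would flood the index with its own traffic -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <Image condition="end with">\splunkd.exe</Image>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

On a host where Sysmon is already installed, sysmon -c sysmonconfig.xml reloads the configuration in place without reinstalling the driver; -i is the first-time install form shown above.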

Once the configuration is updated, you will get a message similar to this.

Sysmon Configuration Update

Now you can open different applications such as Firefox, Chrome, uTorrent, etc. and generate different logs. You can also generate logs via Atomic Red Team.

Once you have the logs, open Event Viewer and go to the path below to review them.

Microsoft-Windows-Sysmon/Operational

Now we are done with the first part. If you still have doubts and are still hesitating, you can visit here to see my detailed Sysmon installation video covering the whole process. It should address some of your doubts.

Integration with Splunk

Now we should download and deploy Splunk. To download it, use this Splunk download link. Splunk installation is pretty simple; however, you may need to register with Splunk in order to download the software. Once downloaded and installed on your local machine, access it with the user admin and the password you chose during installation. Then go to Settings | Data Inputs | Local Event Log Collection and choose as shown below.

Splunk data input

For a corporate installation, you need to create an inputs file (inputs.conf) and deploy it to the relevant Universal Forwarder. The file should look like this:

# Separate App for Sysmon Inputs

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = main
renderXml = true

Once logs are collected, you can search them via index=main as shown below.

Sysmon logs

Once you have the logs, you can analyze them and, based on that analysis, exclude a few noisy processes. To see a demo, you can look at this Splunking with Sysmon video session, which shows how to install and configure Splunk and then how to exclude certain processes.


Shahzad Subhani

A seasoned, enthusiastic information security professional. Founder of GISPP, a global community platform for Pakistani information security professionals.