kevquinlan Honored Contributor.

FlexConnector for Microsoft Sysmon

Scope

Extraction and Categorisation of the “Microsoft-Windows-Sysmon/Operational” Windows Event Log using Microfocus ArcSight Windows Native SmartConnector

References:

Technical Details

The following table highlights the software and versions tested during development of this FlexConnector.

Device or Log Source: Microsoft Sysmon

Version tested: 10.x

ArcSight SmartConnector Version: Windows Native, at least 7.4

Sysmon Vendor Precis

Sysmon from Sysinternals is a very powerful host-level tracing tool, which can assist you in detecting advanced threats on your network. In contrast to common Antivirus/HIDS solutions, Sysmon performs deep monitoring of system activity and logs high-confidence indicators of advanced attacks.

Sysmon uses a device driver and a service that runs in the background and loads very early in the boot process.

Sysmon monitors the following activities:

  • Process creation (with full command line and hashes)
  • Process termination
  • Network connections
  • File creation timestamp changes
  • Driver/image loading
  • Remote thread creation
  • Raw disk access
  • Process memory access
  • WMI use
  • DNS Queries

Some of these events can also be gathered by enabling Windows built-in auditing, yet the level of detail provided by Sysmon is much higher. Sysmon doesn’t provide any analysis itself; you can use other tools to visualise and investigate the raw events, for example ArcSight (or another SIEM), Microsoft SCOM, Splunk and Azure OMS.

Constraints

  • Microfocus ArcSight SmartConnector Framework at least 7.4 (for automatic IPv6 parsing), 64-bit
  • For workstations and large deployments it is advisable / preferable to utilise Windows Event Forwarding to gather the relevant logs rather than use direct collection. Configuration of Windows Event Forwarding is out of scope of this document. More information can be found within the Microfocus ArcSight SmartConnector for Windows Native documentation and the Windows Event Log Forwarding guidance from Microsoft (see references).

Audit and Event Logs

The following audit trail targets are supported for production systems:

Audit function / log: Microsoft-Windows-Sysmon/Operational

Description: Windows Event Log located at \Applications and Services Logs\Microsoft\Windows\Sysmon. The event log can be added to the Custom Log field for all devices monitored by a Windows Native SmartConnector.

Configure Auditing

The tool is installed and configured following the guidance from Microsoft.

https://blogs.technet.microsoft.com/motiba/2016/10/18/sysinternals-sysmon-unleashed/

Note that without effective planning, testing and tuning of the Sysmon tool, the volume of the events captured will be extremely high in production and of low quality.

A number of good practice sysmon configurations exist and should be tailored for the target organisation.
An example of a tailored Sysmon config file exists in this repository:

Sysmon, when installed as a service, automatically logs to the Microsoft-Windows-Sysmon/Operational Event Log.

FlexConnector Installation

Connector Details

This guide assumes a SmartConnector for Windows (Native) is already configured as per the relevant HPE Configuration guide.

  • Connector Type: ArcSight SmartConnector for Windows (Native)

Installation Steps

The files have been provided in a zip file or via a link.

  1. Download the FlexConnector files from the repository (hosted on GitHub):
  2. The repository contains two folders, acp and fcp, which contain the parser and categorisation files required:
     • acp\categorizer\current\microsoft\sysmon.csv
     • fcp\winc\microsoft_windows_sysmon_operational\microsoft_windows_sysmon.sdkkeyvaluefilereader.properties
     • fcp\winc\microsoft_windows_sysmon_operational\microsoft_windows_sysmon.map.csv
  3. Copy the FlexConnector folders / files to the in-scope Windows Native SmartConnectors, or to the Windows Native SmartConnector used for Windows Event Forwarding event collection:
     • <CONNECTOR_HOME>\current\user\agent\
     • Verify the above files and folders have been copied across successfully.
  4. Using either runagentsetup.bat or ArcSight Management Centre, update the in-scope list of servers to add the following custom event log name:
     • Microsoft-Windows-Sysmon/Operational
     • or add it directly to the agent.properties file:

     agents[0].windowshoststable[0].eventlogtypes=Microsoft-Windows-Sysmon/Operational

  5. Restart the Windows Native Connector service.
     • Confirm events are coming in by creating an Active Channel with a Device Vendor of “Microsoft” and Device Product of “Sysmon”.
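As an added example (not part of the original post or the GitHub project), the following Python helper makes the agent.properties step above repeatable across many collectors: it adds Microsoft-Windows-Sysmon/Operational to the eventlogtypes entry without clobbering the logs already configured and without duplicating it on a second run. It assumes the property value is a comma-separated list of event log names; the sample fragment is constructed.

```python
import re
from typing import List

# Property key and log name exactly as given in the installation steps.
EVENTLOG_KEY = "agents[0].windowshoststable[0].eventlogtypes"
SYSMON_LOG = "Microsoft-Windows-Sysmon/Operational"


def _parse_logs(value: str) -> List[str]:
    # Assumption: the value is a comma-separated list of event log names.
    return [x.strip() for x in value.split(",") if x.strip()]


def eventlogs(properties_text: str, key: str = EVENTLOG_KEY) -> List[str]:
    """Return the event log names currently configured under `key`."""
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*=\s*(.*)$")
    for line in properties_text.splitlines():
        m = pattern.match(line)
        if m:
            return _parse_logs(m.group(1))
    return []


def add_custom_eventlog(properties_text: str, log_name: str = SYSMON_LOG,
                        key: str = EVENTLOG_KEY) -> str:
    """Return the agent.properties text with `log_name` added to the
    eventlogtypes list, keeping existing logs and never duplicating.
    A missing key is appended at the end of the file."""
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*=\s*(.*)$")
    out, found = [], False
    for line in properties_text.splitlines():
        m = pattern.match(line)
        if not m:                      # comments and unrelated keys pass through
            out.append(line)
            continue
        found = True
        logs = _parse_logs(m.group(1))
        if log_name not in logs:
            logs.append(log_name)
        out.append(f"{key}={','.join(logs)}")
    if not found:
        out.append(f"{key}={log_name}")
    return "\n".join(out) + "\n"


# Constructed sample fragment, not taken from a real connector.
SAMPLE = """# sample Windows Native connector host entry (constructed)
agents[0].windowshoststable[0].hostname=WEF-COLLECTOR01
agents[0].windowshoststable[0].eventlogtypes=Security, System,Application
"""
```

Call add_custom_eventlog() on the text of each collector's agent.properties and write the result back before restarting the connector service; eventlogs() reads the resulting list back for verification.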


Caveats: Released to the community as is, with no support or guarantees from either me or my employer. Please test in a non-production environment before deploying.


** Updated for Sysmon v10.x **

11 Replies
StevenD Honored Contributor.

Re: FlexConnector for Microsoft Sysmon

@kevquinlan

I took the liberty of updating your parser/map file for the v8 version of Sysmon. More specifically for the WMI events introduced in v6.11 of Sysmon. Since malicious actors and pentesting frameworks commonly have provisions for using WMI Filters/Consumers as persistence mechanisms, this should provide a bit more visibility into it.


I've added conditional mappings for Event IDs 19, 20, and 21. Updates are attached, feel free to correct anything you feel needs it. Let me know what you tweak if you don't mind.

Regards

kevquinlan Honored Contributor.

Re: FlexConnector for Microsoft Sysmon

Thanks

the maintained version of this is hosted on the GitHub site - should cover up to V8 of the Sysmon tool.

https://github.com/S3COPS/ArcSight-Sysmon-FlexConnector 

Keeping things updated on the Microfocus Marketplace seems to be impossible.

Kev

StevenD Honored Contributor.

Re: FlexConnector for Microsoft Sysmon

Nice... I must have pulled yours from GitHub right before you added the WMI bindings. Looks like ours match up mostly the same though.

I'll just pull down your latest one... We block GitHub at work, so it's a hassle to check updated repos.

kevquinlan Honored Contributor.

Re: FlexConnector for Microsoft Sysmon

Leave it for 24 hours - I have a few to-do items for the V8 version to add to the parser - there are a couple of new tokens introduced that mean a juggle around.
If there are any other tweaks / issues you have found, feel free to let me know.

I will post an update above when done

Cheers

Kev

kevquinlan Honored Contributor.

Re: FlexConnector for Microsoft Sysmon

Now updated for Sysmon V10.
Includes the new DNS query events.
https://github.com/S3COPS/ArcSight-Sysmon-FlexConnector
Ignore the Marketplace version as Microfocus seem unable to let me update it.

StevenD Honored Contributor.

Re: FlexConnector for Microsoft Sysmon

Awesome, this was literally on my punch list to update today.

Thanks!
kevquinlan Honored Contributor.

Re: FlexConnector for Microsoft Sysmon

Thanks. There may be a few tweaks over the coming days in case any bugs / updates come out - so keep an eye on the Github for latest versions.
StevenD Honored Contributor.

Re: FlexConnector for Microsoft Sysmon

10-4 . I'm waiting for the stable build of Swift's config as a baseline before I really commit it to production...should be enough of a buffer for all the dust to settle.

I'm happy to test/contribute if you need another set of hands/eyes.
StevenD Honored Contributor.

Re: FlexConnector for Microsoft Sysmon

@kevquinlan  Just interested in your thoughts on a few tweaks I made below. Mainly visibility/consistency changes.

#Added various image/target image so that file name/file hash matching is easier next to each other and there's no analyst confusion what the hash is for.
event.fileName=__oneOf(TargetFilename,ImageLoaded,TargetImage,Image)

# Added RuleName in v8 - Changed from dvcfacility to reason for fitment/visibility.
event.reason=RuleName

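As an added illustration (not StevenD's or the project's own code), this Python emulation runs the __oneOf precedence from the mapping above over a few constructed Sysmon events, showing which token lands in fileName for each event type and where the mapping leaves it unset. The __oneOf semantics (first token in the list that is present and non-empty wins) is an assumption, not taken from vendor documentation.

```python
from typing import Dict, List, Optional

# Precedence list copied from the mapping line in the post above:
# event.fileName=__oneOf(TargetFilename,ImageLoaded,TargetImage,Image)
FILENAME_PRECEDENCE = ["TargetFilename", "ImageLoaded", "TargetImage", "Image"]


def one_of(event: Dict[str, str], names: List[str]) -> Optional[str]:
    """Emulate __oneOf: first token in `names` that is present and non-empty
    in the parsed event wins. (Semantics assumed, not taken from vendor docs.)"""
    for name in names:
        value = event.get(name)
        if value:
            return value
    return None


def map_filename(event: Dict[str, str]) -> Optional[str]:
    """fileName as the mapping would set it before any sub-message runs."""
    return one_of(event, FILENAME_PRECEDENCE)


def map_all(events: Dict[int, Dict[str, str]]) -> Dict[int, Optional[str]]:
    return {eid: map_filename(ev) for eid, ev in events.items()}


# Constructed Sysmon key/value events, trimmed to the tokens that matter.
SAMPLE_EVENTS: Dict[int, Dict[str, str]] = {
    # EID 1 ProcessCreate: only Image present, so Image is used.
    1: {"Image": r"C:\Windows\System32\cmd.exe"},
    # EID 7 ImageLoad: ImageLoaded outranks Image, so the DLL is the fileName,
    # not the process that loaded it.
    7: {"Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\Windows\System32\wininet.dll"},
    # EID 8 CreateRemoteThread: SourceImage is not in the list; TargetImage wins.
    8: {"SourceImage": r"C:\Tools\debugger.exe",
        "TargetImage": r"C:\Windows\explorer.exe"},
    # EID 11 FileCreate: the created file outranks the creating process.
    11: {"Image": r"C:\Windows\System32\notepad.exe",
         "TargetFilename": r"C:\Users\Public\notes.txt"},
    # EID 19 WmiEventFilter: none of the four tokens exist, so fileName stays
    # unset unless that event id's sub-message sets it (Kev's override caveat).
    19: {"Operation": "Created", "User": "CORP\\analyst", "Name": "Filter1"},
}
```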
kevquinlan Honored Contributor.

Re: FlexConnector for Microsoft Sysmon

Thanks Steven

Perfectly sensible mappings - I can't see any issues.

I have updated the files on Git https://github.com/S3COPS/ArcSight-Sysmon-FlexConnector - Feel free to submit pull requests directly via GIT if you see anything like this, as a lot of the Microfocus emails wind up in Clutter / Junk!

I have left the deviceFacility mapping in place for now, just in case any content already uses it, but have added event.reason (thought I had already used this one!)

For filename I have added your recommendation, but I am conscious that some of the submessages may also override this - let me know how you get on.

Cheers

Kev

StevenD Honored Contributor.

Re: FlexConnector for Microsoft Sysmon

Awesome, thanks for letting me contribute!

I'll submit through GitHub now... MF emails usually hit my junk folder as well.