Sending Sysmon Logs to Elastic ELK stack
Let’s pickup where we left off. If you haven’t done so already, please do check out the previous writeup on how to setup Elastic Stack, Logstash, and Kibana (ELK). Now that we have that prepared, let’s go ahead and get started downloading and configuring files to prepare for sysmon log ingest!
first things first…we need to download and install sysmon 😸
[Installing Sysmon]
go here to grab it: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
then we need to install it and then add our config changes. Feel free to change the config to your liking.
the config template I start with:
<Sysmon schemaversion="4.40">
<HashAlgorithms>*</HashAlgorithms>
<CheckRevocation/>
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<CreateRemoteThread onmatch="exclude"></CreateRemoteThread>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<ImageLoad onmatch="exclude"></ImageLoad>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<ProcessCreate onmatch="exclude"></ProcessCreate>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<FileCreateTime onmatch="include"></FileCreateTime>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<NetworkConnect onmatch="exclude"></NetworkConnect>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<ProcessTerminate onmatch="include"></ProcessTerminate>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<DriverLoad onmatch="exclude"></DriverLoad>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<RawAccessRead onmatch="include"></RawAccessRead>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<ProcessAccess onmatch="exclude">
</ProcessAccess>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<FileCreate onmatch="exclude"></FileCreate>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<RegistryEvent onmatch="include"></RegistryEvent>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<FileCreateStreamHash onmatch="exclude"></FileCreateStreamHash>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<PipeEvent onmatch="exclude"></PipeEvent>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<WmiEvent onmatch="exclude"></WmiEvent>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<DnsQuery onmatch="exclude"></DnsQuery>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<FileDelete onmatch="include"></FileDelete>
</RuleGroup>
</EventFiltering>
</Sysmon>
save as config.xml and then fire up sysmon!
sysmon64.exe -accepteula –i config.xml -l -n <– -l and -n enables checking loaded modules and checking network connections
sysmon64.exe -c <– shows your current config
[Installing Winlogbeat]
https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-8.9.0-windows-x86_64.zip
download and extract it to the folder of your choosing:
next, right click and edit winlogbeat.yml in your favorite Text editor:
here are the changes you make (powershell logging optional):
<–use your server ip here
<–use your server ip here
Okay, almost done! next, we need to go into powershell. We will want to temporarily bypass the powershell Execution Policy so we can run scripts.
powershell -ExecutionPolicy Bypass
next, we want to install the winlogbeat service:
finally, start the service
start-service winlogbeat
Return to Kibana and check for new logs!!!
that’s it! Next time, we’ll use Elastic to discover unwanted programs on our machine, combing through logs collected via sysmon! 😸
I may also introduce a python program that uses pefile to scan executables for malicious windows api function imports and exports if I have time. See you then!
Leave a comment