
Let’s pick up where we left off. If you haven’t done so already, please check out the previous writeup on how to set up Elastic Stack, Logstash, and Kibana (ELK). Now that we have that prepared, let’s go ahead and download and configure the files needed to ingest sysmon logs!

first things first… we need to download and install sysmon 😸

[Installing Sysmon]

go here to grab it: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

then we need to install it and add our config changes. Feel free to change the config to your liking.

the config template I start with:

<Sysmon schemaversion="4.40">
  <HashAlgorithms>*</HashAlgorithms>
  <CheckRevocation/>
  <EventFiltering>
    <!-- An empty onmatch="exclude" group logs every event of that type;
         an empty onmatch="include" group logs none of them. -->
    <RuleGroup name="" groupRelation="or">
      <CreateRemoteThread onmatch="exclude"></CreateRemoteThread>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ImageLoad onmatch="exclude"></ImageLoad>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude"></ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileCreateTime onmatch="include"></FileCreateTime>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude"></NetworkConnect>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessTerminate onmatch="include"></ProcessTerminate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <DriverLoad onmatch="exclude"></DriverLoad>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <RawAccessRead onmatch="include"></RawAccessRead>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessAccess onmatch="exclude"></ProcessAccess>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="exclude"></FileCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include"></RegistryEvent>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileCreateStreamHash onmatch="exclude"></FileCreateStreamHash>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <PipeEvent onmatch="exclude"></PipeEvent>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <WmiEvent onmatch="exclude"></WmiEvent>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <DnsQuery onmatch="exclude"></DnsQuery>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileDelete onmatch="include"></FileDelete>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

save as config.xml and then fire up sysmon!

sysmon64.exe -accepteula -i config.xml -l -n <- -l and -n enable logging of loaded modules and of network connections

sysmon64.exe -c <- shows your current config
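One thing worth checking before you deploy a template like the one above: a rule group with onmatch="include" and no rules underneath it records nothing for that event type, while an empty onmatch="exclude" group records everything. The following Python script is an added example (it is not part of this post and not a Sysmon or Elastic tool); it parses a config and reports, per event type, whether it logs all events, none, or a filtered subset. The SAMPLE_CONFIG it ships with is a constructed cut-down version of the template, with a NetworkConnect rule added to show the filtered case.

```python
"""Sanity-check a Sysmon config: an empty include group silently logs nothing."""
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the template above (not the full config).
SAMPLE_CONFIG = """<Sysmon schemaversion="4.40">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude"></ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include"></RegistryEvent>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <Image condition="end with">chrome.exe</Image>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""


def coverage(config_xml):
    """Map each event type to 'all', 'none' or 'filtered'.

    Sysmon semantics: onmatch="exclude" with no child rules records every event
    of that type; onmatch="include" with no child rules records none (the type
    is effectively switched off); any child rule means the type is filtered.
    Filters placed directly under EventFiltering (no RuleGroup) are handled too.
    """
    root = ET.fromstring(config_xml)
    entries = []
    for child in root.find("EventFiltering"):
        entries.extend(list(child) if child.tag == "RuleGroup" else [child])
    verdicts = {}
    for ev in entries:
        onmatch = ev.get("onmatch", "").lower()
        if len(ev):  # at least one rule element underneath
            verdicts[ev.tag] = "filtered"
        elif onmatch in ("exclude", "include"):
            verdicts[ev.tag] = "all" if onmatch == "exclude" else "none"
        else:
            verdicts[ev.tag] = "unknown"
    return verdicts


def silently_disabled(config_xml):
    """Event types whose empty include group means nothing gets logged."""
    return sorted(t for t, v in coverage(config_xml).items() if v == "none")
```

Run it against your own config.xml (read the file into a string and pass it to silently_disabled) to see which event types the template has effectively turned off; in the template above that is FileCreateTime, ProcessTerminate, RawAccessRead, RegistryEvent and FileDelete.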

[Installing Winlogbeat]

https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-8.9.0-windows-x86_64.zip

download and extract it to the folder of your choosing:


next, right click and edit winlogbeat.yml in your favorite text editor:


here are the changes you make (powershell logging optional):

[screenshots of the winlogbeat.yml changes; use your server IP where the address is shown]

Okay, almost done! Next, we need to go into PowerShell. We will want to temporarily bypass the PowerShell execution policy so we can run scripts.

powershell -ExecutionPolicy Bypass

next, we want to install the winlogbeat service:

[screenshot: run the install-service-winlogbeat.ps1 script that ships in the Winlogbeat folder]

finally, start the service

start-service winlogbeat

Return to Kibana and check for new logs!!!


that’s it! Next time, we’ll use Elastic to discover unwanted programs on our machine, combing through logs collected via sysmon! 😸

I may also introduce a python program that uses pefile to scan executables for malicious Windows API function imports and exports if I have time. See you then!
