10 | 10 | Fork project: <N/A> |
11 | 11 | Fork license: <N/A> |
12 | 12 |
|
13 | | - REQUIRED: Sysmon version 9.02 or higher (due to changes in syntax and bug-fixes) |
| 13 | + REQUIRED: Sysmon version 9.10 or higher (due to changes in syntax and bug-fixes) |
14 | 14 | https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon |
15 | | - Note that 6.03 and 7.01 have critical fixes for filtering, it's recommended you stay updated. |
| 15 | + Note that 6.03 and 7.01 have critical fixes for filtering, it's VERY recommended you stay updated. |
16 | 16 |
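Review bot: raising the REQUIRED minimum to 9.10 on line 13 makes line 15 stale, since 6.03 and 7.01 no longer satisfy the stated minimum and a reader on 9.10 gains nothing from knowing those builds fixed filtering; either drop line 15 or fold its point into the requirement, e.g. `REQUIRED: Sysmon version 9.10 or higher (syntax changes and filtering bug-fixes in earlier builds)`. Separately, `it's VERY recommended you stay updated` is awkward; `it is strongly recommended that you stay updated` is the idiomatic form.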
|
17 | 17 | NOTE: To collect Sysmon logs centrally for free, see https://aka.ms/WEF | Command to allow log access to the Network Service: |
18 | 18 | wevtutil.exe sl Microsoft-Windows-Sysmon/Operational /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS) |
19 | 19 |
|
20 | 20 | NOTE: Do not let the size and complexity of this configuration discourage you from customizing it or building your own. |
21 | | - This configuration is based around known, high-signal event tracing, and thus appears complicated, but it's only very |
| 21 | + This configuration is based around known, high-signal event tracing, and thus appears complicated, but it is only very |
22 | 22 | detailed. Significant effort over years has been invested in front-loading as much filtering as possible onto the |
23 | 23 | client. This is to make analysis of intrusions possible by hand, and to try to surface anomalous activity as quickly |
24 | | - as possible to any technician armed only with Event Viewer. Its purpose is to democratize system monitoring for all organizations. |
| 24 | + as possible to technicians armed only with Event Viewer. Its purpose is to democratize system monitoring for all organizations. |
25 | 25 |
|
26 | 26 | NOTE: Sysmon is NOT a whitelist solution or HIDS correlation engine, it is a computer change logging tool. |
27 | 27 | Do NOT ignore everything possible. Sysmon's purpose is providing context during a threat or problem investigation. Legitimate |
28 | 28 | processes are routinely used by threats - do not blindly exclude them. Additionally, be mindful of process-hollowing / imitation. |
29 | 29 |
|
30 | | - NOTE: By default this monitors DNS, which is extremely noisy. If you are starting out on your monitoring journey, you may remove the section. |
31 | | - You can remove DNS from the Event Viewer screen by applying a 'Filter Current View' for event IDs of: -22 |
| 30 | + NOTE: By default this monitors DNS, which is extremely noisy. If you are starting out on your monitoring journey, just remove that section. |
| 31 | + You can remove DNS events from Event Viewer screen by applying a 'Filter Current View' for event IDs of: -22 |
32 | 32 | Additionally, if you want to monitor DNS, you should deploy client-side adblocking to reduce lookups. See the DNS section for info. |
33 | 33 |
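Review bot: line 31 is missing an article (`from the Event Viewer screen`). More importantly, this region says DNS is monitored by default and is filtered out of Event Viewer with event ID 22; that event type only exists in Sysmon builds that emit DNS query events, so confirm that the 9.10 minimum stated on line 13 actually covers it. If it does not, either raise the REQUIRED line or state here that the DNS section needs a newer build, otherwise readers on the stated minimum will find neither the noise this note warns about nor anything for the `-22` filter to remove.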
|
34 | | - NOTE: Sysmon is not hardened against an attacker with admin rights. Additionally, this configuration offers an attacker, willing |
35 | | - to study it, many ways to evade some of the logging. If you are in a very high-threat environment, you should consider a much broader |
36 | | - log-most approach. However, in the vast majority of cases, an attacker will bumble along through multiple behavioral traps which |
37 | | - this configuration monitors, especially in the first minutes. Even APT do not send their A-team unless they know you're hardened. |
38 | | - 10% of the effort gets 95% of the results. They rely on nobody watching because almost nobody does. Your effort makes the difference. |
39 | | -
|
40 | 34 | NOTE: This configuration is designed for PER-MACHINE installs of Chrome and OneDrive. That moves their binaries out of user-controlled folders. |
41 | 35 | Otherwise, attackers could imitate these common applications, and bypass your logging. Below are silent upgrades you can do, no user impact: |
42 | 36 | https://docs.microsoft.com/en-us/onedrive/per-machine-installation |
43 | 37 | https://cloud.google.com/chrome-enterprise/browser/download/ |
| 38 | + |
| 39 | + NOTE: Sysmon is not hardened against an attacker with admin rights. Additionally, this configuration offers an attacker, willing |
| 40 | + to study it, limited ways to evade some of the logging. If you are in a very high-threat environment, you should consider a broader, |
| 41 | + log-most approach. However, in the vast majority of cases, an attacker will bumble through multiple behavioral traps which |
| 42 | + this configuration monitors, especially in the first minutes. Even APT do not send their A-team unless they know you're hardened. |
| 43 | + 10% of the effort gets 95% of the results. APT rely on nobody watching because almost nobody does. Your effort makes the difference. |
| 44 | + |
| 45 | + What matters is you. Start acting like it. Start demanding it. I spent 10 years not doing that. I regret every moment I didn't. |
| 46 | + YOU make the difference. I went from a department with nothing, to a deparment with everything. And yet, PEOPLE are what matter. |
| 47 | + If you are reading this, you are already far along the path to changing the world for the better. Advocate for yourself. |
| 48 | + Find somewhere new if you are selfless, yet unvalued. These words are what I would have told an earlier me. I wish I did. |
| 49 | + You are already the candidate of the future. A mirror will never tell truth. Tools can only show what you already beleive. |
44 | 50 |
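Review bot: moving the evasion paragraph below the Chrome/OneDrive note is fine, but the rewrite also softens `many ways to evade some of the logging` to `limited ways` and `a much broader log-most approach` to `a broader, log-most approach` without any corresponding change to the configuration itself; lines 27-28 still warn that legitimate processes are routinely used by threats, and the exclusion lists ship with the config, so the original wording was the safer statement and the softening should be justified in the commit or reverted. The new personal paragraph on lines 45-49 has two typos, `deparment` for `department` and `beleive` for `believe`, and `A mirror will never tell truth` probably wants `the truth`.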
|
45 | 51 | NOTE: If you encounter unexplanable event inclusion/exclusion, you may have a second Sysmon instance installed under a different exe filename. |
46 | 52 | To clear this, try downloading the latest version and uninstalling with -u force. If it hangs, kill the processes and run it again to cleanup. |
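Review bot: unchanged line 51 spells `unexplanable`; since this commit already rewrites the header text, fix it to `unexplainable` here. Line 52 would also read more precisely as `uninstalling with sysmon -u force`, naming the binary the flag belongs to, and `run it again to cleanup` should be `to clean up`.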
|