|
1 | 1 | <!-- |
2 | 2 | sysmon-config | A Sysmon configuration focused on default high-quality event tracing and easy customization by the community |
3 | | - Master version: 70alpha | Date: 2019-05-10 |
4 | | - Master author: @SwiftOnSecurity, other contributors also credited in-line or on Git |
5 | | - Master project: https://github.com/SwiftOnSecurity/sysmon-config |
6 | | - Master license: Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text. |
| 3 | + Source version: 70alpha | Date: 2019-05-10 |
| 4 | + Source author: @SwiftOnSecurity, other contributors also credited in-line or on Git |
| 5 | + Source project: https://github.com/SwiftOnSecurity/sysmon-config |
| 6 | + Source license: Creative Commons Attribution 4.0 | You may privatize, fork, edit, teach, publish, or deploy for commercial use - with attribution in the text. |
7 | 7 |
|
8 | 8 | Fork version: <N/A> |
9 | 9 | Fork author: <N/A> |
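Review bot: the version line (`Source version: 70alpha | Date: 2019-05-10`) is carried over unchanged even though this same commit edits rule content further down (the AppContainer comment, the DNS comments, the DnsQuery RuleGroup name); bump the version or date so that a fork can tell this revision from the previous one. The "Master" to "Source" wording change itself is fine, and the `Fork version` / `Fork author` counterparts still read consistently with it.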
|
23 | 23 | client. This is to make analysis of intrusions possible by hand, and to try to surface anomalous activity as quickly |
24 | 24 | as possible to any technician armed only with Event Viewer. Its purpose is to democratize system monitoring for all organizations. |
25 | 25 |
|
26 | | - NOTE: Sysmon is NOT a whitelist solution or HIDS correlation engine, it is a computer change event logging tool. |
| 26 | + NOTE: Sysmon is NOT a whitelist solution or HIDS correlation engine, it is a computer change logging tool. |
27 | 27 | Do NOT ignore everything possible. Sysmon's purpose is providing context during a threat or problem investigation. Legitimate |
28 | 28 | processes are routinely used by threats - do not blindly exclude them. Additionally, be mindful of process-hollowing / imitation. |
29 | 29 |
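Review bot: dropping "event" from "computer change event logging tool" makes the description less accurate rather than simpler: Sysmon emits discrete events (the file's own section headers read "SYSMON EVENT ID 1 : PROCESS CREATION"), and "change logging tool" suggests a state-diffing or file-integrity product, which is exactly the confusion the NOTE is trying to prevent. Suggest keeping "computer change event logging tool" or "system event logging tool".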
|
|
43 | 43 |
|
44 | 44 | TECHNICAL: |
45 | 45 | - Run sysmon.exe -? for a briefing on Sysmon configuration. |
46 | | - - Sysmon 9+ supports nested/multi-conditional rules. https://posts.specterops.io/putting-sysmon-v9-0-and-or-grouping-logic-to-the-test-c3ec27263df8 |
47 | 46 | - Sysmon 8+ can track which rule caused an event to be logged through the "RuleName" field. |
48 | 47 | - If you only specify exclude for a filtering subsection, everything in that subsection is logged by default. |
49 | 48 | - Some Sysmon monitoring abilities are not meant for widely deployed general-purpose use due to performance impact. Depends on environment. |
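Review bot: deleting the "Sysmon 9+ supports nested/multi-conditional rules" line removes the only statement of the minimum Sysmon version this file needs, while the config still depends on that feature through `<RuleGroup name="" groupRelation="or">` further down. If the line is going because the SpecterOps link is considered stale, replace it with a plain requirement such as `- Requires Sysmon 9+ for RuleGroup / groupRelation logic.` rather than dropping the requirement altogether; an operator loading this on an older Sysmon gets a parse failure with no hint why.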
|
71 | 70 | <EventFiltering> |
72 | 71 |
|
73 | 72 | <!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]--> |
74 | | - <!--COMMENT: All process launched will be included, except for what matches a rule below. It's best to be as specific as possible, to |
| 73 | + <!--COMMENT: All process launched will be logged, except for what matches a rule below. It's best to be as specific as possible, to |
75 | 74 | avoid user-mode executables imitating other process names to avoid logging, or if malware drops files in an existing directory. |
76 | 75 | Ultimately, you must weigh CPU time checking many detailed rules, against the risk of malware exploiting the blindness created. |
77 | 76 | Beware of Masquerading, where attackers imitate the names and paths of legitimate tools. Ideally, you'd use both file path and |
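Review bot: while rewording this comment, fix the grammar on the same line: "All process launched will be logged" should read "All processes launched will be logged". Replacing "included" with "logged" is the right call, since the group is an exclude list and "included" was ambiguous about which side of the filter the process lands on.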
|
106 | 105 | <Image condition="is">C:\Windows\system32\sndVol.exe</Image> <!--Microsoft:Windows: Volume control--> |
107 | 106 | <Image condition="is">C:\Windows\system32\sppsvc.exe</Image> <!--Microsoft:Windows: Software Protection Service--> |
108 | 107 | <Image condition="is">C:\Windows\system32\wbem\WmiApSrv.exe</Image> <!--Microsoft:Windows: WMI performance adapter host process--> |
109 | | - <IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Microsoft:Windows: Don't care about sandboxed processes--> |
| 108 | + <IntegrityLevel condition="is">AppContainer</IntegrityLevel> <!--Microsoft:Windows: Don't care about sandboxed processes. May need to revisit this decision.--> |
110 | 109 | <ParentCommandLine condition="begin with">%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows</ParentCommandLine> <!--Microsoft:Windows:CommandShell: Triggered when programs use the command shell, but doesn't provide attribution for what caused it--> |
111 | 110 | <ParentCommandLine condition="is">C:\windows\system32\wermgr.exe -queuereporting</ParentCommandLine> <!--Microsoft:Windows:Windows error reporting/telemetry--> |
112 | 111 | <ParentImage condition="is">C:\Windows\system32\SearchIndexer.exe</ParentImage> <!--Microsoft:Windows:Search: Launches many uninteresting sub-processes--> |
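Review bot: the added "May need to revisit this decision." flags the right concern but leaves the blind spot in place: `<IntegrityLevel condition="is">AppContainer</IntegrityLevel>` suppresses every process creation at AppContainer integrity regardless of Image, CommandLine or parent, which contradicts the section's own guidance a few lines up to "be as specific as possible" and to beware of masquerading. Suggest either extending the comment with what is actually noisy at that integrity level, or replacing the blanket IntegrityLevel rule with Image-specific exclusions for the known-noisy sandboxed binaries, so that an unexpected process launched at AppContainer integrity is still logged.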
|
845 | 844 | It's fine to exclude monitoring these bulk low-value lookups, but at same time, you would not have a full log of how malware communicated, potentially missing C2. |
846 | 845 | This section of Sysmon configuration will require your full judgement and knowledge of your org's priorities. There is no correct answer.--> |
847 | 846 |
|
848 | | - <!--OPERATIONS: Chrome and Firefox often prefetch DNS lookups it sees on a page, or use alternate DNS lookup methods Sysmon won't capture. You need to turn these off. |
| 847 | + <!--OPERATIONS: Chrome and Firefox prefetch DNS lookups, or use alternate DNS lookup methods Sysmon won't capture. You need to turn these off. |
849 | 848 | Search for Group Policy for these browsers to configure this.--> |
850 | 849 |
|
851 | 850 | <!--OPERATIONS: Most DNS traffic is web advertising. To significantly reduce DNS queries and malware ads, enable client-side advertising filtering via Group Policy. This is easy. |
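Review bot: the rewrite fixes the subject agreement ("Chrome and Firefox ... it sees") but the comment still does not tell the reader what to turn off: "alternate DNS lookup methods Sysmon won't capture" names no mechanism, and "Search for Group Policy for these browsers" is not actionable. Name the settings, i.e. DNS prefetching and the browsers' built-in DNS-over-HTTPS resolvers, which bypass the Windows DNS client that Sysmon's DnsQuery event observes, so an operator can locate the right browser policy instead of guessing.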
|
857 | 856 | <!--CONFIG: DNS poisoning is an issue during threat investigations. Try to only exclude ROUTINE system-level queries you know are strongly validated with HTTPS or code signing.--> |
858 | 857 | <!--CONFIG: If you exclude microsoft.com, someone could register malware-microsoft.com and it wouldn't be logged. Use leading "END WITH" with leading . or "IS" operators.--> |
859 | 858 | <!--CONFIG: Be very specific in exclusions. Threat actors use legitimate services, too. Dont exclude all of AWS or Azure or Google or CDNs!--> |
860 | | - <!--CONFIG: Popularity data: [ http://s3-us-west-1.amazonaws.com/umbrella-static/index.html ] [ https://better.fyi/trackers/alexa-top-500-news/ ] |
| 859 | + <!--CONFIG: Popularity data: [ http://s3-us-west-1.amazonaws.com/umbrella-static/index.html ] [ https://better.fyi/trackers/alexa-top-500-news/ ] --> |
861 | 860 |
|
862 | 861 | <!--CRITICAL: Do NOT exclude "wpad" lookups. This is a MitM vector routinely used by attackers. Disable WPAD or enforce client-side DNSSEC for AD domain lookups.--> |
863 | 862 | <!--CRITICAL: Do NOT exclude IPv6 lookups.--> |
864 | 863 |
|
865 | | - <!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, QueryName, QueryType, QueryStatus, QueryResults--> |
| 864 | + <!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, QueryName, QueryType, QueryStatus, QueryResults (can't filter on)--> |
866 | 865 |
|
867 | 866 | <!--BELOW: These domains should not be excluded at the top level. Be specific if you want to reduce noise under them.--> |
868 | 867 | <!-- Rejected: .cloudapp.net, customer content [ https://blogs.technet.microsoft.com/ptsblog/2012/06/18/security-consideration-when-using-cloudapp-net-domain-as-production-environment-in-windows-azure/ ] --> |
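Review bot: closing the unterminated `<!--CONFIG: Popularity data: ...` comment is a real fix, not a cosmetic one: without the `-->` the comment ran on until the end of the CRITICAL wpad line, hiding that warning inside a comment and placing a `<!--` within an open comment, which is not well-formed XML. Two small points on the same hunk: the new `(can't filter on)` is ambiguous about whether it applies to QueryResults only or to the whole DATA list, so write `QueryResults (cannot be used in a filter condition)`; and the context line above has a doubled word, `Use leading "END WITH" with leading .`, which should read `Use "END WITH" with a leading . or the "IS" operator`.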
|
871 | 870 | <!-- Rejected: .windows.net, customer content --> |
872 | 871 | <!-- Rejected: *github.com, customer content--> |
873 | 872 |
|
874 | | - <RuleGroup name="Dns" groupRelation="or"> |
| 873 | + <RuleGroup name="" groupRelation="or"> |
875 | 874 | <DnsQuery onmatch="exclude"> |
876 | 875 | <!--Network noise--> |
877 | 876 | <QueryName condition="end with">.arpa.</QueryName> <!--Design decision to not log reverse DNS lookups. You will need to decide.--> |
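Review bot: blanking the group name (`name="Dns"` to `name=""`) deserves a comment explaining why. Because this is an `onmatch="exclude"` group, matching events are dropped rather than logged, so the name never reaches an event and the change is harmless; but an empty `name=""` reads like an accident to the next editor, especially given the TECHNICAL note above about the RuleName field. Either add a short `<!-- -->` note on the rationale or keep a descriptive name.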
|