Sysmon Deployment Presentation
Month: January 2017
On 28/11/2016 Sysmon v5 was released delivering nice features. In this post I will describe some use cases for the new events. If you are new to Sysmon please start with the presentation from Marc Russinovich at RSA 2016.
Another nice presentation by @c_APT_ure at Botconf https://www.botconf.eu/2016/advanced-incident-detection-and-threat-hunting-using-sysmon-and-splunk/
I have stopped my description of Sysmon events in EventID 9.Before version 5
EventID 10 ProcessAccess was added.
You can use it to monitor access to lsass.exe. The challenge is to filter legitimate processes that generate this event.
In version 5 the 2 highlights are
1.EventID 11 which enables the monitoring of startup folder
2. Event IDs 12,13,14 for registry monitoring. These 3 events have the same descriptor in sysmon.xml (RegistryEvent) so a registry key that is put in this configuration section is monitored for all actions (add,delete,Value set,rename).
There is also EventID 15 which logs the hashes of attachments
As it is expected if in the configuration of sysmon you just include these events without filtering your log management system will be dead :-). Filtering is crucial for deplying sysmon at scale.