Windows Logging Expansion via Sysmon: A Comprehensive Guide to Improving Your Security Posture with Advanced Logging

In today’s world, it’s more important than ever to have a strong security posture. Malware and other threats are becoming increasingly sophisticated, and traditional security measures may not be enough to protect your organization’s assets. That’s where Sysmon comes in.

Sysmon is a powerful tool that can help you detect and respond to security threats in real-time. It’s a free Windows system service and device driver that logs system activity to the Windows event log. With Sysmon, you can gain deep visibility into your system’s activity and detect suspicious behavior that may indicate a security breach.

In this guide, we’ll cover everything you need to know to get started with Sysmon, including what it is, how it works, and how to implement it using the SwiftOnSecurity and sysmon-modular templates.

What is Sysmon?

Sysmon (System Monitor) is a Windows system service and device driver from the Sysinternals suite, originally written by Mark Russinovich and Thomas Garnier, that monitors system activity and writes it to the Windows event log under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational. It records process creation (with command line, parent process, user and file hashes), network connections, driver and image loads, file creation and timestamp changes, registry changes, named pipes, WMI activity and more, each as its own Event ID, in a structured format that is easy to search and correlate, so you can quickly identify suspicious behaviour.

Sysmon is designed to be lightweight, and with a tuned configuration its overhead is low, but it is not free: logging every network connection or file creation on a busy file server or build host will cost CPU and disk. It can be configured to log only the events that are relevant to your organization, so you are neither inundated with irrelevant data nor paying for telemetry you never query.

Why use Sysmon?

There are many reasons to use Sysmon, including:

  • Improved threat detection: Sysmon provides deep visibility into system activity, so you can detect threats that may not be visible with traditional security measures.
  • Real-time monitoring: Sysmon logs events in real-time, so you can respond quickly to security threats.
  • Low overhead: with a tuned configuration, Sysmon’s cost is small enough to run on busy production systems; measure it on a pilot group before assuming so.
  • Customizable: Sysmon can be configured to log only the events that are relevant to your organization, so you won’t be inundated with irrelevant data.

Configuring Sysmon

To get started with Sysmon, you’ll need to download and install it on your Windows systems. You can download Sysmon from the Sysinternals section of the Microsoft website (it is also included in the Sysinternals Suite).

After installing Sysmon, the next step is to customize the logging settings to fit the specific needs of your organization. The majority of a Sysmon project involves fine-tuning the XML configuration file (sysmonconfig.xml in the deployment steps below). Fortunately, there are pre-configured templates available that we would recommend checking out:

The SwiftOnSecurity template (sysmon-config) is a pre-configured Sysmon configuration file designed to log the events most relevant to security professionals, with a heavy emphasis on excluding known-noisy activity so the remaining events are worth reading. It is maintained by the pseudonymous security researcher SwiftOnSecurity and is thoroughly commented, which makes it a teaching tool as well as a starting point.

An additional resource for Sysmon configuration is the Sysmon-Modular project by Olaf Hartong. This project provides modular XML configurations for each supported Sysmon Event ID, which can be incredibly helpful for fine-tuning Sysmon configurations. The project also includes a few pre-configured configurations, in addition to the modular configurations, to provide a starting point for users.

Here are some tips for configuring Sysmon:

  • Starting with a general template, such as the ones shown above, is an excellent way to configure Sysmon. These templates are designed to log the events that are most important to security professionals and provide a solid foundation for configuring Sysmon. They are well commented and easy to understand.
  • It is crucial to tailor the configuration to meet the specific needs of your organization. Simply deploying a template without making any changes is likely to result in either too much or too little log ingestion. Furthermore, configuring Sysmon in this way will significantly enhance your understanding of its capabilities and how to parse relevant logs.
  • Test your configuration: Once you’ve configured Sysmon, it’s important to test your configuration to ensure that it’s working properly. A misconfigured configuration file can stop Sysmon ingestion entirely! Always test on unimportant computers before deploying enterprise wide.
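To make the structure of a configuration concrete, and to give the “test your configuration” tip a repeatable check, here is an added example (not code from the original post, SwiftOnSecurity or sysmon-modular). It writes a minimal configuration that shows the two filtering modes and the AND/OR grouping, runs a structural pre-check that catches the malformed-XML and typo class of mistakes, and then hands the file to Sysmon itself on a lab machine. The paths in $ConfigPath and $Sysmon are placeholders for your own environment.

```powershell
# Added example: minimal Sysmon configuration plus a pre-deployment structure check.
# $ConfigPath and $Sysmon are placeholders; the binary path assumes the deployment layout below.
$ConfigPath = "C:\Temp\sysmonconfig-test.xml"
$Sysmon     = "C:\Windows\System32\Sysmon\Sysmon64.exe"

# schemaversion must not exceed what the installed binary supports
# ("Sysmon64.exe -? config" prints the schema it understands).
@'
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1: onmatch="exclude" logs every process creation EXCEPT the matches,
         so excluding one known-noisy image keeps all the rest of the telemetry. -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 3: onmatch="include" logs ONLY the matches. Filters directly under the
         event element are OR'ed; a <Rule groupRelation="and"> ANDs the filters inside it,
         and its name is copied into the RuleName field of every event it matches. -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Rule groupRelation="and" name="technique_id=T1059.001,technique_name=PowerShell">
          <Image condition="end with">powershell.exe</Image>
          <Initiated condition="is">true</Initiated>
        </Rule>
        <DestinationPort condition="is">4444</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $ConfigPath -Encoding UTF8

# Condition keywords Sysmon accepts; anything else is rejected at load time.
$Conditions = @('is','is not','contains','contains any','is any','contains all','excludes',
                'excludes any','excludes all','begin with','end with','not begin with',
                'not end with','less than','more than','image')

function Test-SysmonConfig {
    param([Parameter(Mandatory)][string]$Path)
    $problems = @()
    try { $xml = [xml](Get-Content -Path $Path -Raw) }
    catch { return @("Not well-formed XML: $($_.Exception.Message)") }

    if ($xml.DocumentElement.LocalName -ne 'Sysmon') { $problems += 'Root element must be <Sysmon>' }
    if (-not $xml.DocumentElement.GetAttribute('schemaversion')) { $problems += 'Missing schemaversion attribute' }

    foreach ($rg in $xml.SelectNodes('/Sysmon/EventFiltering/RuleGroup')) {
        if ($rg.GetAttribute('groupRelation') -notin 'and','or') {
            $problems += "RuleGroup '$($rg.GetAttribute('name'))' needs groupRelation=and|or"
        }
    }
    foreach ($ev in $xml.SelectNodes('/Sysmon/EventFiltering/RuleGroup/*')) {
        if ($ev.GetAttribute('onmatch') -notin 'include','exclude') {
            $problems += "<$($ev.LocalName)> needs onmatch=include|exclude"
        }
    }
    foreach ($f in $xml.SelectNodes('//*[@condition]')) {
        if ($f.GetAttribute('condition') -notin $Conditions) {
            $problems += "<$($f.LocalName)> uses unknown condition '$($f.GetAttribute('condition'))'"
        }
    }
    return $problems
}

$problems = Test-SysmonConfig -Path $ConfigPath
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }

# Lab machines only: Sysmon validates against the full schema and applies the configuration.
if (Test-Path $Sysmon) {
    & $Sysmon -c $ConfigPath
    if ($LASTEXITCODE -ne 0) { Write-Warning "Sysmon rejected the configuration (exit code $LASTEXITCODE)" }
}
```

The pre-check is deliberately shallow: it knows nothing about which filter fields each event type has, so a misspelled field name still gets through. Sysmon’s own -c is the authoritative test, which is why the script ends by running it on a machine you can afford to break.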

Enterprise installation and Best Practices

Deploying Sysmon enterprise-wide can be done using Group Policy and PowerShell. Here are the steps you can follow:

  1. Download the Sysmon zip file and extract all files to the desktop (or any folder).
  2. Under your domain’s NETLOGON folder, create a ‘Sysmon’ folder.
  3. In this folder, place all the files from the Sysmon zip and your sysmonconfig.xml file. Leave the share’s permissions at the default (writable only by domain administrators): the startup script below runs as SYSTEM on every machine the GPO is linked to, so whoever can modify Sysmon.ps1 or Sysmon64.exe on this share can run code as SYSTEM fleet-wide.
  4. Update the source paths in the script below and place it in the Sysmon folder with the name Sysmon.ps1. The script installs Sysmon on the first boot and on every later boot only pushes the latest configuration, so editing sysmonconfig.xml on the share is enough to roll out a change.
    # Paths on the NETLOGON share (readable by every domain computer) and on the local machine
    $sourceSysmonConfig = "\\domain.local\NETLOGON\Sysmon\sysmonconfig.xml"
    $sourceSysmon64     = "\\domain.local\NETLOGON\Sysmon\Sysmon64.exe"
    $destFolder         = "C:\Windows\System32\Sysmon"
    $destSysmonConfig   = Join-Path $destFolder "sysmonconfig.xml"
    $destSysmon64       = Join-Path $destFolder "Sysmon64.exe"

    # Create the local folder first: Copy-Item fails if the destination folder does not exist
    New-Item -ItemType Directory -Path $destFolder -Force | Out-Null

    # Copy Sysmon64.exe and the latest sysmonconfig.xml from the share, overwriting older copies
    Copy-Item $sourceSysmon64 $destSysmon64 -Force
    Copy-Item $sourceSysmonConfig $destSysmonConfig -Force

    if (-not (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue)) {
        # First boot: install the service and driver with the specified configuration
        & $destSysmon64 -accepteula -i $destSysmonConfig
        Write-Host "Sysmon64.exe has been installed on this system."
    } else {
        # Later boots: Sysmon is already installed, so only load the updated configuration
        & $destSysmon64 -c $destSysmonConfig
        Write-Host "Sysmon64.exe has been updated with the latest configuration."
    }
  5. Open the Group Policy Management Console (gpmc.msc) and create a new Group Policy Object (GPO).
  6. Edit the GPO and navigate to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).
  7. Click on the “Startup” tab and then click on “Powershell Scripts”.
  8. Select ‘Browse’. Navigate to the Sysmon Folder and select Sysmon.ps1. Make sure you navigate there with your domain path! Like this: \\domain.local\NETLOGON\Sysmon\Sysmon.ps1
  9. Click on “OK” to save the script.
  10. Close the GPO editor and link the GPO to the appropriate OU in Active Directory.
  11. Wait for Group Policy to update on computers, or run the command gpupdate /force on each computer to force an update. Keep in mind computers will need to be rebooted to deploy this script!
  12. Verify that Sysmon is running on each computer by checking the Event Viewer under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational and looking for events logged by Sysmon.
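Step 12 can be automated. The following is an added example (not part of the original post) of the checks a deployment engineer would run on a client, or push to many clients with Invoke-Command: is the service and the kernel driver up, is the binary the script copied from the share genuinely signed by Microsoft, does the configuration Sysmon actually loaded match the file on the share, and is telemetry flowing at all. The share path is a placeholder; the service name Sysmon64 and driver name SysmonDrv are Sysmon’s defaults.

```powershell
# Added example: post-deployment health check for one Sysmon client.
# $ShareConfig and $LocalBinary are placeholders matching the deployment layout above.
$ShareConfig = "\\domain.local\NETLOGON\Sysmon\sysmonconfig.xml"
$LocalBinary = "C:\Windows\System32\Sysmon\Sysmon64.exe"
$LogName     = "Microsoft-Windows-Sysmon/Operational"

function Get-SysmonHealth {
    param([string]$ShareConfig, [string]$LocalBinary, [string]$LogName)
    $result = [ordered]@{}

    # 1. Service and driver: the driver is the kernel component that produces the events,
    #    and kernel drivers do not appear in Get-Service, hence the CIM query.
    $svc = Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='SysmonDrv'" -ErrorAction SilentlyContinue
    $result.ServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')
    $result.DriverRunning  = [bool]($drv -and $drv.State -eq 'Running')

    # 2. The binary copied from the share must carry a valid Microsoft Authenticode signature:
    #    the startup script runs as SYSTEM, so a tampered Sysmon64.exe would run as SYSTEM fleet-wide.
    $sig = Get-AuthenticodeSignature -FilePath $LocalBinary
    $result.BinarySigned = [bool]($sig.Status -eq 'Valid' -and
                                  $sig.SignerCertificate.Subject -like '*Microsoft Corporation*')

    # 3. Event ID 16 ("Sysmon config state changed") records the SHA256 of the configuration that
    #    was loaded; compare it with the file on the share to prove the latest version is in effect.
    $e16 = Get-WinEvent -FilterHashtable @{LogName=$LogName; Id=16} -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($e16) {
        $x = [xml]$e16.ToXml()
        $loaded = ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'ConfigurationFileHash' }).'#text'
        $share  = (Get-FileHash -Path $ShareConfig -Algorithm SHA256).Hash
        $result.LoadedConfigHash = $loaded
        $result.ConfigCurrent    = (($loaded -replace '^SHA256=', '') -eq $share)
    } else {
        $result.LoadedConfigHash = $null
        $result.ConfigCurrent    = $false
    }

    # 4. Is telemetry actually flowing? A running service with an empty log is still a failure.
    $since  = (Get-Date).AddMinutes(-10)
    $recent = Get-WinEvent -FilterHashtable @{LogName=$LogName; StartTime=$since} -ErrorAction SilentlyContinue
    $result.EventsLast10Min = @($recent).Count

    [pscustomobject]$result
}

Get-SysmonHealth -ShareConfig $ShareConfig -LocalBinary $LocalBinary -LogName $LogName
```

A machine where ConfigCurrent is false after a reboot usually means the startup script never ran (GPO not applied, or the NETLOGON path unreachable at boot), which the GPO’s own event log entries will confirm; a machine where EventsLast10Min is zero with everything else green usually means an over-aggressive exclude in the configuration.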

Note: This method assumes that your organization uses Active Directory and Group Policy for managing computers. If you are using a different management tool, such as Microsoft Intune, you will need to modify the deployment steps accordingly.

Analyzing Sysmon logs

Once you’ve configured Sysmon and it’s logging events, you’ll need to analyze the logs to detect security threats. Sysmon logs a lot of data, so it’s important to know what to look for.

Designing the machine learning needed to correlate Sysmon events would be entirely its own post; however, here are some tips for analyzing Sysmon logs:

  • Use a SIEM: A SIEM (Security Information and Event Management) system can help you analyze Sysmon logs and detect security threats. A SIEM can aggregate and correlate events from multiple sources and provide a centralized view of your organization’s security posture. Check out https://TridentStack.com for a fully managed SIEM/SOC/SOAR solution!
  • Look for patterns: When analyzing Sysmon logs, look for parent/child and process/network relationships that rarely occur legitimately. For example, an Office application spawning cmd.exe or powershell.exe (Event ID 1, compare ParentImage with Image) almost always means a macro ran, and a script host making an outbound connection on an unusual port (Event ID 3) deserves a look. Failed logon attempts, by contrast, are recorded by the Windows Security log (Event ID 4625), not by Sysmon; correlate the two in your SIEM.
  • Use threat intelligence: Threat intelligence can help you identify known threats and detect suspicious behavior. You can use threat intelligence feeds to enrich your Sysmon logs; the Hashes field of Event ID 1 and the DestinationIp of Event ID 3 are natural lookup keys. Sysmon rule names can also carry MITRE ATT&CK technique tags: sysmon-modular names its rules in the form technique_id=T1059.001,technique_name=PowerShell, and the name of the rule that matched is written into each event’s RuleName field, so events arrive in the SIEM already mapped to ATT&CK.
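The two patterns above, turned into detection logic, as an added example that is not part of the original post. ConvertFrom-SysmonEventXml flattens an event’s XML into one object with a property per EventData field (looking fields up by name rather than by position, which survives field additions in new Sysmon versions), Get-SysmonEvents reads the live log, and the two Find- functions are the detections. The three sample events at the bottom are constructed for this example so the script runs offline; the RuleName in the first one uses the sysmon-modular tag format.

```powershell
# Added example: two detections over Sysmon Event ID 1 and Event ID 3 records.
# Sample events are constructed for this example; Get-SysmonEvents reads real ones.
$LogName = "Microsoft-Windows-Sysmon/Operational"

# Flatten one event's XML into an object: EventId plus every <Data Name="..."> field.
function ConvertFrom-SysmonEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $x = [xml]$Xml
    $o = [ordered]@{ EventId = [int]$x.Event.System.EventID }
    foreach ($d in @($x.Event.EventData.Data)) { $o[$d.Name] = $d.'#text' }
    [pscustomobject]$o
}

# Live data: pull recent Event ID 1 and 3 records from the Sysmon operational log.
function Get-SysmonEvents {
    param([int[]]$Id = @(1, 3), [int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{LogName=$LogName; Id=$Id} -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonEventXml -Xml $_.ToXml() }
}

function Get-Leaf([string]$Path) { [IO.Path]::GetFileName($Path).ToLower() }

# Detection 1: an Office application is the parent of a shell or script host (macro execution).
$OfficeParents = 'winword.exe','excel.exe','powerpnt.exe','outlook.exe'
$ShellChildren = 'cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe'
function Find-OfficeSpawnedShell {
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Where-Object {
        $_.EventId -eq 1 -and
        (Get-Leaf $_.ParentImage) -in $OfficeParents -and
        (Get-Leaf $_.Image) -in $ShellChildren
    }
}

# Detection 2: a script host opens an outbound connection to a port that is not web or DNS.
$ScriptHosts   = 'powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe'
$ExpectedPorts = 80, 443, 53
function Find-ScriptHostOddPort {
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Where-Object {
        $_.EventId -eq 3 -and $_.Initiated -eq 'true' -and
        (Get-Leaf $_.Image) -in $ScriptHosts -and
        ([int]$_.DestinationPort) -notin $ExpectedPorts
    }
}

# Constructed sample events (not real telemetry): a macro-launched PowerShell, a benign
# Notepad launch, and a PowerShell reverse-shell style connection to port 4444.
$Samples = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System><EventData><Data Name="RuleName">technique_id=T1059.001,technique_name=PowerShell</Data><Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name="CommandLine">powershell -nop -w hidden -enc SQBFAFgA</Data><Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data></EventData></Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System><EventData><Data Name="RuleName">-</Data><Data Name="Image">C:\Windows\System32\notepad.exe</Data><Data Name="CommandLine">notepad.exe notes.txt</Data><Data Name="ParentImage">C:\Windows\explorer.exe</Data></EventData></Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID></System><EventData><Data Name="RuleName">-</Data><Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name="Initiated">true</Data><Data Name="DestinationIp">203.0.113.10</Data><Data Name="DestinationPort">4444</Data></EventData></Event>
'@
)

$Events = $Samples | ForEach-Object { ConvertFrom-SysmonEventXml -Xml $_ }
Find-OfficeSpawnedShell -Events $Events | Select-Object RuleName, ParentImage, Image, CommandLine
Find-ScriptHostOddPort  -Events $Events | Select-Object Image, DestinationIp, DestinationPort
# Against a live host: $live = Get-SysmonEvents; Find-OfficeSpawnedShell -Events $live
```

On the samples the first detection returns the WINWORD.EXE to powershell.exe event (and its RuleName already names T1059.001) and the second returns the connection to 203.0.113.10:4444; the Notepad launch matches neither. Both detections only fire if the corresponding events are in the configuration: Event ID 3 in particular is often excluded wholesale for noise, so check the include rules before trusting a silent detection.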

Conclusion

Sysmon is an essential tool for improving the security posture of any organization. It provides deep visibility into system activity, which can help detect threats that may not be visible with traditional security measures. Sysmon is lightweight, has low overhead once its configuration is tuned, and can be customized to log only the events that are relevant to your organization. By using Sysmon, organizations can detect and respond to security threats in real time, helping to protect their assets and maintain a strong security posture.

Here at TridentStack we heavily utilize Sysmon across our own environment and across the environment of every customer we deploy to. We manage the deployment, and the machine learning analysis of each and every log. Feel free to reach out to sales@tridentstack.com to learn more! Or for professional deployment services check out professionalservices@tridentstack.com.

PS. Sysmon is on Linux too, although it’s outside the scope of this article we recommend you check it out!
