Sysmon is the utility used throughout the Atomic Purple Teaming labs for “system monitoring.” This tool was designed by Mark Russinovich and Thomas Garnier. This utility provides detailed analysis of system processes, file creation events, network connections, and much more.
Build Sysmon Configuration. Install Sysmon with the configuration on the Domain Controller and Workstation. Verify that Sysmon is operating.
The first step of this lab is to review the intended Optics Infrastructure for the APT Lab Environment. Review the information below and, when ready, continue to the next section of this lab.
Component | Description |
---|---|
SYSMON | Tool to monitor the system and log interesting bits to the Windows Event Log |
WINDOWS EVENT FORWARDER | Service to forward Windows Event Logs to a collector |
WINDOWS EVENT COLLECTOR | Service to collect or accept logs from other systems |
WINLOGBEAT / FILEBEAT | Service to ship specific logs to a system |
KAFKA / LOGSTASH | Ingestor to accept log inputs over the network, parse them, and output them in a standardized log format. Can also subscribe to Kafka's message topics. |
ELASTICSEARCH | SIEM service designed to accept logs of many types and create customized indices. Allows for granular searching and aggregation. |
KIBANA | GUI front-end to Elasticsearch |
SIGMA / ELASTICALERT | Tool to query the log database, normalize log data, identify critical alerts, and notify accordingly. |
After reviewing the Optics Infrastructure Topology above, continue to the next step of the lab where you will begin configuring and installing the components of the Optics Infrastructure.
Connect via Remote Desktop to the Domain Controller, DC01.
See Lab L0200 for connection instructions.
Launch Windows PowerShell from the Windows Start Menu.
First, confirm the correct user and system context by using the "whoami" and "hostname" commands.
whoami
hostname
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
dc01 <-----------------------------------VERIFY RESULT
Next, set the execution policy to Bypass so that additional scripts, including unsigned ones, can be run.
Set-ExecutionPolicy bypass -Force
PS C:\Users\itadmin> Set-ExecutionPolicy bypass -Force
PS C:\Users\itadmin>
Change directory (cd) into the sysmon-modular directory and build a new Sysmon configuration file from the downloaded sysmon-modular packages. Then check the first lines of the generated file. The following commands accomplish this task:
cd C:\labs\sysmon-modular\sysmon-modular-master
Import-Module .\Merge-SysmonXml.ps1
Merge-AllSysmonXml -Path ( Get-ChildItem '[0-9]*\*.xml') -AsString | Out-File sysmonconfig.xml
Get-Content ".\sysmonconfig.xml" | select -First 10
PS C:\LABS\sysmon-modular\sysmon-modular-master>
PS C:\LABS\sysmon-modular\sysmon-modular-master> Import-Module .\Merge-SysmonXml.ps1
PS C:\LABS\sysmon-modular\sysmon-modular-master> Merge-AllSysmonXml -Path ( Get-ChildItem '[0-9]*\*.xml') -AsString | Out-File sysmonconfig.xml
PS C:\labs\sysmon-modular\sysmon-modular-master> Get-Content ".\sysmonconfig.xml " | select -First 10
<Sysmon schemaversion="4.50">
<HashAlgorithms>*</HashAlgorithms>
<!-- This now also determines the file names of the files preserved (String) -->
<CheckRevocation />
<DnsLookup>False</DnsLookup>
<!-- Disables lookup behavior, default is True (Boolean) -->
<ArchiveDirectory>Sysmon</ArchiveDirectory>
<!-- Sets the name of the directory in the C:\ root where preserved files will be saved (String)-->
<CaptureClipboard />
<!--This enables capturing the Clipboard changes-->
PS C:\labs\sysmon-modular\sysmon-modular-master>
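Before installing the merged file anywhere, it is worth checking more than its first ten lines. The following script is an added example (not part of the lab or of the sysmon-modular project): it parses sysmonconfig.xml, reports the schema version, and counts rule entries per event type and onmatch value, so a malformed merge or an empty policy is caught before it reaches a host. It assumes the lab path used above.

```powershell
# Added example (not from the lab or the sysmon-modular project): sanity-check the
# merged sysmonconfig.xml before installing it. The path is the one used in this lab.
$configPath = 'C:\labs\sysmon-modular\sysmon-modular-master\sysmonconfig.xml'

# The [xml] cast throws on malformed XML, which is the first failure worth catching.
[xml]$cfg = Get-Content -Path $configPath -Raw

"Schema version : $($cfg.Sysmon.schemaversion)"
"Hash algorithms: $($cfg.Sysmon.HashAlgorithms)"

# Collect every event filter: sysmon-modular wraps each one in a RuleGroup, but a
# hand-edited config may place filters directly under EventFiltering, so take both.
$filters = $cfg.SelectNodes(
    '/Sysmon/EventFiltering/RuleGroup/* | /Sysmon/EventFiltering/*[local-name()!="RuleGroup"]')

# Summarise rule entries per event type and onmatch, so an accidental include/exclude
# flip (which silently drops or floods an event type) stands out in the table.
$summary = foreach ($f in $filters) {
    [pscustomobject]@{
        EventType = $f.LocalName
        OnMatch   = $f.GetAttribute('onmatch')
        Rules     = @($f.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }).Count
    }
}
$summary | Sort-Object EventType, OnMatch | Format-Table -AutoSize

# A merge that matched no modules still produces valid XML; refuse that case outright.
if (($summary | Measure-Object -Property Rules -Sum).Sum -eq 0) {
    throw "No filtering rules found in $configPath; the merge produced an empty policy."
}
```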
The sysmon-modular-master folder now contains the generated configuration file.
Copy this file to the extracted Sysmon folder for ease of installation. Then list the files in the Sysmon folder to verify that the copy completed successfully.
cp C:\LABS\sysmon-modular\sysmon-modular-master\sysmonconfig.xml c:\labs\sysmon\sysmonconfig.xml
ls c:\labs\sysmon\
Directory: C:\LABS\Sysmon
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/5/2019 11:00 AM 7490 Eula.txt
-a---- 9/9/2020 2:31 PM 4620152 Sysmon.exe
-a---- 9/9/2020 2:26 PM 2475896 Sysmon64.exe
-a---- 9/21/2020 8:49 PM 312188 sysmonconfig.xml
If you see the updated sysmonconfig.xml file, continue to the next step of the lab.
Log into the Domain Controller, DC01. See Lab L0200 for connection instructions.
Launch Windows PowerShell from the Windows Start Menu.
Change directory to the Labs file share on DC01. Next, install Sysmon with the generated configuration XML file.
cd \\dc01\labs\sysmon\
./sysmon.exe -accepteula -i sysmonconfig.xml
PS Microsoft.PowerShell.Core\FileSystem::\\dc01\labs\Sysmon> ./sysmon.exe -accepteula -i sysmonconfig.xml
System Monitor v13.01 - System activity monitor
Copyright (C) 2014-2021 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com
Loading configuration file with schema version 4.50
Configuration file validated.
Sysmon installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon..
Sysmon started.
You can verify from PowerShell alone that the Sysmon service is operating and collecting events. A few moments after installation, the Sysmon Operational log should already contain entries.
Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational
ProviderName: Microsoft-Windows-Sysmon
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
9/21/2020 8:52:15 PM 22 Information Dns query:...
9/21/2020 8:52:09 PM 22 Information Dns query:...
9/21/2020 8:51:27 PM 12 Information Registry object added or deleted:...
9/21/2020 8:51:27 PM 12 Information Registry object added or deleted:...
9/21/2020 8:51:27 PM 12 Information Registry object added or deleted:...
9/21/2020 8:51:27 PM 4 Information Sysmon service state changed:...
9/21/2020 8:51:25 PM 16 Information Sysmon config state changed:...
If Sysmon logs are present, move on to the next step of the installation process. You may close the RDP connection to DC01.
Continue to the next step of the lab.
Connect to the Member Server, WS01, via RDP. See Lab L0200 for connection instructions.
Launch Windows PowerShell from the Windows Start Menu.
First, confirm the correct user and system context by using the "whoami" and "hostname" commands.
whoami
hostname
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
ws01 <-----------------------------------VERIFY RESULT
PS C:\Users\itadmin>
Change directory to the Labs file share on DC01. Next, install Sysmon with the generated configuration XML file.
cd \\dc01\labs\sysmon\
./sysmon.exe -accepteula -i sysmonconfig.xml
PS Microsoft.PowerShell.Core\FileSystem::\\dc01\labs\Sysmon> ./sysmon.exe -accepteula -i sysmonconfig.xml
System Monitor v13.01 - System activity monitor
Copyright (C) 2014-2021 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com
Loading configuration file with schema version 4.50
Configuration file validated.
Sysmon installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon..
Sysmon started.
You can verify from PowerShell alone that the Sysmon service is operating and collecting events. A few moments after installation, the Sysmon Operational log should already contain entries.
Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational
ProviderName: Microsoft-Windows-Sysmon
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
9/21/2020 8:54:56 PM 22 Information Dns query:...
9/21/2020 8:54:55 PM 22 Information Dns query:...
9/21/2020 8:54:55 PM 22 Information Dns query:...
9/21/2020 8:54:53 PM 13 Information Registry value set:...
9/21/2020 8:54:53 PM 12 Information Registry object added or deleted:...
9/21/2020 8:54:53 PM 22 Information Dns query:...
9/21/2020 8:54:53 PM 22 Information Dns query:...
9/21/2020 8:54:53 PM 22 Information Dns query:...
9/21/2020 8:54:46 PM 3 Information Network connection detected:...
9/21/2020 8:54:42 PM 3 Information Network connection detected:...
9/21/2020 8:54:39 PM 3 Information Network connection detected:...
9/21/2020 8:54:36 PM 3 Information Network connection detected:...
9/21/2020 8:54:34 PM 3 Information Network connection detected:...
9/21/2020 8:54:32 PM 3 Information Network connection detected:...
9/21/2020 8:54:29 PM 3 Information Network connection detected:...
9/21/2020 8:54:24 PM 3 Information Network connection detected:...
9/21/2020 8:54:23 PM 7 Information Image loaded:...
9/21/2020 8:54:23 PM 1 Information Process Create:...
9/21/2020 8:54:22 PM 12 Information Registry object added or deleted:...
9/21/2020 8:54:22 PM 12 Information Registry object added or deleted:...
9/21/2020 8:54:22 PM 12 Information Registry object added or deleted:...
9/21/2020 8:54:22 PM 4 Information Sysmon service state changed:...
9/21/2020 8:54:20 PM 16 Information Sysmon config state changed:...
Alternatively, you can verify that the Sysmon service is operating by opening Event Viewer and navigating to the Sysmon folder in its navigation pane.
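The two verification steps above (on DC01 and on WS01) scan the Operational log by eye. The script below is an added example, not part of the lab, that performs the same check for both hosts from one console and adds the piece a defender cares most about: that the configuration Sysmon actually loaded (recorded in event ID 16) hashes to the file built on the share. It assumes Windows PowerShell 5.1 run as labs\itadmin with remote event log, WMI and SMB access to both hosts, and an install from Sysmon.exe (service name Sysmon; Sysmon64.exe would name it Sysmon64). The event-property layout for ID 16 is an assumption noted in the comments.

```powershell
# Added example (not from the lab): confirm on DC01 and WS01 that the Sysmon service and
# driver are running, that the loaded configuration matches the file built on the share,
# and that events are flowing. Assumes Windows PowerShell 5.1 as labs\itadmin with remote
# event log, WMI and SMB access, and a service named 'Sysmon' (install from Sysmon.exe).
$hosts      = 'dc01', 'ws01'
$logName    = 'Microsoft-Windows-Sysmon/Operational'
$configFile = '\\dc01\labs\sysmon\sysmonconfig.xml'
$since      = (Get-Date).AddMinutes(-15)

# Hash of the file we built; Sysmon records the hash of whatever it actually loaded.
$expectedHash = (Get-FileHash -Path $configFile -Algorithm SHA256).Hash

foreach ($h in $hosts) {
    $svc = Get-Service -ComputerName $h -Name 'Sysmon' -ErrorAction SilentlyContinue
    # Kernel drivers are not returned by Get-Service, so query WMI for SysmonDrv.
    $drv = Get-WmiObject -ComputerName $h -Class Win32_SystemDriver -Filter "Name='SysmonDrv'"

    # Event ID 16 ("Sysmon config state changed") is logged each time a configuration is
    # applied. Assumption: its Properties are UtcTime, Configuration and
    # ConfigurationFileHash, the last formatted as 'SHA256=<hex>'.
    $cfgEvt = Get-WinEvent -ComputerName $h -MaxEvents 1 -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = $logName; Id = 16 }
    $loadedHash = if ($cfgEvt) { ($cfgEvt.Properties[2].Value -split '=')[-1] } else { $null }

    # Count recent events per ID; a healthy host shows 1 (process create), 3 (network) etc.
    $counts = Get-WinEvent -ComputerName $h -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = $logName; StartTime = $since } |
        Group-Object -Property Id | Sort-Object { [int]$_.Name } |
        ForEach-Object { "$($_.Name)=$($_.Count)" }

    [pscustomobject]@{
        Host          = $h
        Service       = if ($svc) { $svc.Status } else { 'missing' }
        Driver        = if ($drv) { $drv.State } else { 'missing' }
        ConfigMatches = ($loadedHash -eq $expectedHash)
        ConfigLoaded  = if ($cfgEvt) { $cfgEvt.TimeCreated } else { $null }
        EventsById    = ($counts -join ' ')
    }
}
```

A host reporting ConfigMatches as False is running some other configuration than the one you built, even if its service shows Running and events are flowing.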
Having identified the Sysmon logs on both the Domain Controller and the Workstation, you have completed this lab.