Improving your detection with Sysmon, Sigma & ELK

Before Starting

Please see my GitHub for a .ps1 script that automates the install of the tools above; all you’ll need to do is retrieve your unique winlogbeat configuration from Logz.io.

Advice:

  • Set your execution policy to unrestricted
  • Use a test VM
  • Run PowerShell as Administrator before running the script

Benefits of SIGMA

The first set of resources you need to get started are:

  • The rule schema reference:
  • GitHub Repo:
  • Visual Studio Code
  • YAML Plugin for VS Code

There are a multitude of use cases:

  • Improving detection methods
  • Sharing rules for platforms like MISP
  • If you’re an MSSP, or a SOC with multiple log solutions, you can now share one rule across many systems, e.g. Splunk, CarbonBlack, MDATP.

Sysmon primer

Sysmon is created by Microsoft and is a growing contender for a fantastic out-of-the-box logging solution, giving deep insight into your devices: DNS queries, command lines, PowerShell and, as of today, process hollowing (Event ID 25).

You can find a list of the events here: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events

We install Sysmon with SwiftOnSecurity’s configuration, which tunes out a lot of ‘noise’. The configuration is here:

Instructions for installing Sysmon are also in SwiftOnSecurity’s repository.

Logzio (Hosted ELK to make life easy)

Logz.io also makes shipping data to your SIEM super simple: your certificate and configuration are already generated, so it’s just a case of installing the correct Beats agent. All tutorials are supplied and the solution is scalable and elastic (no Elastic pun intended on ELK 😉).

Logz.io homepage
Instructions to install Sysmon logging to Logz.io

Generating data to write rules from

Depending on your research, you can do anything within reason to your test machine, for example:

  • Malware execution
  • Lateral movement
  • Data exfiltration

You can get as specific as you want, even down to investigating specific parts of a malware sample’s capabilities. For our research, we’ll use the Atomic Red Team scripts by RedCanary:

One of the main beliefs behind RedCanary’s Atomic Red Team project is that we need to keep learning how adversaries operate. Vanguard Cyber Security shares this belief, and we spend a lot of resources on research and development of our detection techniques, fitting them to any customer use case.

Another beauty of the RedCanary philosophy is the belief that a test should be runnable in less than 5 minutes. If, like us, you have a lot of research to do, then quick and repeatable is perfect for that low-hanging fruit.

We will execute the scripts using their execution framework:

To install both the scripts and framework:

IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics

Writing the rules

To list the tests available for a technique before running them:

Invoke-AtomicTest [TacticNumber] -ShowDetailsBrief

For more info, I’d recommend going to the AtomicRedTeam repo:

We will now use these events to select certain fields and create our Sigma rules…

The reason we do these exercises is to see which events we see (or don’t see). In this case, we saw less than expected for credential dumping.

As above, I took a template from the Sigma repository and edited the fields; the best way to get started is to slightly tweak existing rules until you get used to the schema.

When you copy your rule into Uncoder.io, you’ll find that you can translate it to your preferred SIEM.
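As an added example (not code from this post or from the Sigma project), here is a small Python evaluator showing how a Sigma detection block (selection, filter and condition, with the contains and endswith modifiers) is applied to Sysmon process-creation events. The rule, the Sysmon field names and the three events are constructed for illustration.

```python
# Added example, not code from the post or the Sigma project: a tiny Sigma-style
# evaluator run over constructed Sysmon process_creation events (field names assumed).
RULE = {
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "EventID": 1, "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-EncodedCommand", "-enc "],
        },
        "filter": {"ParentImage|endswith": "\\Example Management Agent\\agent.exe"},
        "condition": "selection and not filter",
    },
}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed Sysmon Event ID 1 records (not real telemetry): fires / no match / filtered out.
EVENTS = [
    {"EventID": 1, "Image": PS, "CommandLine": "powershell.exe -EncodedCommand QUJD", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 1, "Image": PS, "CommandLine": "powershell.exe -File install.ps1", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 1, "Image": PS, "CommandLine": "powershell.exe -EncodedCommand QUJD", "ParentImage": "C:\\Program Files\\Example Management Agent\\agent.exe"},
]

MODIFIERS = {
    "contains": lambda v, p: p in v,
    "endswith": lambda v, p: v.endswith(p),
    "": lambda v, p: v == p,  # no modifier: plain exact match
}

def match_selection(selection, event):
    """All field constraints must hold (AND); a list of values is any-of (OR); case-insensitive."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        values = pattern if isinstance(pattern, list) else [pattern]
        if field not in event or not any(
                MODIFIERS[modifier](str(event[field]).lower(), str(p).lower()) for p in values):
            return False
    return True

def evaluate(rule, event):
    """Evaluate the flat 'a and not b' / 'a or b' condition grammar, left to right."""
    det, result, op, negate = rule["detection"], None, "and", False
    for tok in det["condition"].split():
        if tok in ("and", "or"):
            op = tok
        elif tok == "not":
            negate = True
        else:
            val, negate = match_selection(det[tok], event) != negate, False
            result = val if result is None else (result and val if op == "and" else result or val)
    return bool(result)
```

Only the first event fires: the second has no encoded command, and the third matches the selection but is excluded by the filter, which is exactly the tuning you do when a legitimate parent process keeps tripping a rule.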

Twitter: @mikecybersec