Improving your detection with Sysmon, Sigma & ELK

@mikecybersec
6 min read · Jan 14, 2021

Before Starting

If you want to automate the deployment of the tooling here…

Please see my GitHub for a .ps1 script that automates the install of the tooling covered here; all you’ll need to do is retrieve your unique Winlogbeat configuration from Logz.io.

Advice:

  • Set your execution policy to unrestricted
  • Use a test VM
  • Run PowerShell as Admin before running the script

Benefits of SIGMA

Sigma is an open standard for writing rules that can be used in SIEM and log management solutions. Imagine Snort rules for NIDS, YARA for malware… Sigma for SIEM.

The first set of resources you need to get started are:

  • The rule schema reference:
  • GitHub Repo:
  • Visual Studio Code
  • YAML Plugin for VS Code

There are a multitude of use cases:

  • Improving detection methods
  • Sharing rules for platforms like MISP
  • If you’re an MSSP or even a SOC with multiple log solutions, you can now share one rule across many systems, e.g. Splunk, CarbonBlack, MDATP.

Sysmon primer

Our use case at Vanguard Cyber Security is to develop some SIEM use cases based around red team scripts. We use Sysmon coupled with ELK as our log solution.

Sysmon is created by Microsoft and is a growing contender as a fantastic out-of-the-box logging solution, with massive insights into your devices such as DNS queries, command lines, PowerShell and, as of today, process hollowing (Event ID 25).

You can find a list of the events here: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events

We install Sysmon, configured with SwiftOnSecurity’s configuration which tunes out a lot of ‘noise’. This is here:

Instructions for installing Sysmon are also in SwiftOnSecurity’s repository.

Logz.io (Hosted ELK to make life easy)

As mentioned, for this we’ll use ELK. At Vanguard Cyber Security we adopted a partnership with Logz.io for them to host our ELK SIEM in the cloud. Due to Covid-19 and an ever-growing requirement for a remote SOC, Logz.io are enabling us during that transition.

Logz.io also make the process of shipping data to your SIEM super simple: your certificate and configuration are already generated, so it’s just a case of installing the correct Beats agent. All tutorials are supplied and the solution is scalable and elastic (no Elastic pun intended on ELK 😉).

Logz.io homepage
Instructions to install Sysmon logging to Logz.io

Generating data to write rules from

So that’s the boring stuff out of the way. Your logs are coming in, your SIEM is up, and you’re ready to write rules. Now you just need data to base your rule development on!

Depending on your research you can do anything within reason to your test machine. So for example:

  • Malware execution
  • Lateral movement
  • Data exfiltration

You can get as specific as you want, even down to investigating specific parts of a malware sample’s capabilities. For our research, we’ll use Atomic Red Team scripts by RedCanary:

One of RedCanary’s main beliefs behind the philosophy of the Atomic Red Team project is that we need to keep learning how adversaries operate. Vanguard Cyber Security share this belief and we spend a lot of resource on research and development of our detection techniques, fitting them to any customer use case.

Another beauty of the RedCanary Philosophy is that they believe a test should have the ability to be run in less than 5 minutes… If you have a lot of research like us, then quick and repeatable is perfect for that low hanging fruit.

We will execute the scripts using their execution framework:

To install both the scripts and framework:

IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics

Writing the rules

The first part is generating activity. For this article I’ll invoke Mimikatz. To see what attacks are available for a technique, you can use the syntax:

Invoke-AtomicTest [TechniqueNumber] -ShowDetailsBrief

For more info, I’d recommend going to the AtomicRedTeam repo:

We will now use these events to select certain fields and create our Sigma rules…

The reason we do these exercises is to see what events we see (or don’t see). In this case, we saw less than expected for credential dumping.

As above, I took a template from the Sigma repository and edited the fields. The best way to get started is to slightly tweak existing rules until you get used to the schema.

When you copy your rule into Uncoder.io, you’ll find that you can translate it to your preferred SIEM.
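To make the rule logic concrete, here is an added example (not the rule from this article and not code from the Sigma project): a Sigma-style detection block written as a Python dict and evaluated against constructed Sysmon Event ID 1 (process creation) records. The field names follow Sigma's process_creation convention; the keyword list, the allow-listed tool name and the sample events are assumptions made for illustration.

```python
RULE = {  # mirrors a Sigma rule's YAML layout; every value is constructed for illustration
    "title": "Mimikatz module keywords on the command line",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"CommandLine|contains": ["sekurlsa::", "lsadump::", "privilege::debug"]},
        "filter": {"Image|endswith": "\\approved-scanner.exe"},  # hypothetical allow-list entry
        "condition": "selection and not filter",
    },
}

MODIFIERS = {
    "": lambda value, pattern: value == pattern,
    "contains": lambda value, pattern: pattern in value,
    "endswith": lambda value, pattern: value.endswith(pattern),
}

def field_matches(event, key, patterns):
    """One 'Field|modifier: value(s)' entry; a list of values is OR-ed."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    value = str(event[field]).lower()  # Sigma string matching is case-insensitive
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(MODIFIERS[modifier](value, str(p).lower()) for p in patterns)

def block_matches(event, block):
    # Every field inside one named block must match (AND).
    return all(field_matches(event, k, v) for k, v in block.items())

def rule_matches(event, rule):
    """Evaluate a condition of block names joined by and/or/not (no parentheses)."""
    detection = rule["detection"]
    hits = {n: block_matches(event, b) for n, b in detection.items() if n != "condition"}
    def term(t):
        t = t.strip()
        return not hits[t[4:].strip()] if t.startswith("not ") else hits[t]
    return any(all(term(t) for t in conj.split(" and "))
               for conj in detection["condition"].split(" or "))

EVENTS = [  # constructed sample events, not real telemetry
    {"Image": "C:\\Users\\lab\\Downloads\\mimikatz.exe",
     "CommandLine": 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"Image": "C:\\Temp\\m.exe", "CommandLine": "m.exe SEKURLSA::LogonPasswords"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
    {"Image": "C:\\Tools\\approved-scanner.exe", "CommandLine": "approved-scanner.exe --sig sekurlsa::"},
]

def detect(events, rule=RULE):
    return [i for i, e in enumerate(events) if rule_matches(e, rule)]
```

detect(EVENTS) returns [0, 1]: the renamed, upper-cased invocation still matches because the rule keys on the command line rather than the file name, while the allow-listed tool is dropped by the filter.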
