Improving your detection with Sysmon, Sigma & ELK

Before Starting

If you want to automate the deployment of the tooling here…

Please see my Github for a .ps1 script to automate the install of the above, all you’ll need to do is retrieve your unique configuration for winlogbeat from Logzio.


  • Set your execution policy to unrestricted
  • Use a test VM
  • Run powershell as Admin before running the script

Benefits of SIGMA

Sigma is an open standard for writing rules that can be used in SIEM and log management solutions. Imagine Snort rules for NIDS, YARA for malware… Sigma for SIEM.

The first set of resources you need to get started are:

  • The rule schema reference:
  • GitHub Repo:
  • Visual Studio Code
  • YAML Plugin for VS Code

There are a multitude for use cases:

  • Improving detection methods
  • Sharing rules for platforms like MISP
  • If you’re an MSSP or even a SOC with multiple log solutions, you can now share one rule for many systems i.e. Splunk, CarbonBlack, MDATP.

Sysmon primer

Our use case at Vanguard Cyber Security, is to develop some SIEM Use Cases based around red team scripts. We use Sysmon coupled with ELK as our log solution.

Sysmon is created by Microsoft and is growing as a contender for being a fantastic out the box logging solution, with massive insights into your devices such as DNS queries, command line, powershell and as of today, process hollowing (Event ID 25)

You can find a list of the events here:

We install Sysmon, configured with SwiftOnSecurity’s configuration which tunes out a lot of ‘noise’. This is here:

Installing Sysmon is also in SwiftOnSecurity’s repository.

Logzio (Hosted ELK to make life easy)

As mentioned, for this we’ll use ELK. At Vanguard Cyber Security we adopted a partnership with for them to host our ELK SIEM in the Cloud. Due to Covid-19 and an evermore growing requirement for a remote SOC, are enabling us during that transition. also make the process of shipping data to your SIEM super simple, your certificate and configuration are already generated, then it’s a case of installing the correct beats agent. All tutorials are supplied and the solution is scalable and elastic (No elastic pun intended on ELK 😉). homepage
Instructions to install Sysmon logging to

Generating data to write rules from

So that’s boring stuff out the way — Your logs are coming in, your SIEM is up, you’re ready to write rules. Now you just need data to base your rule development off!

Depending on your research you can do anything within reason to your test machine. So for example:

  • Malware execution
  • Lateral movement
  • Data exfiltration

You can get as specific as you want even down to investigating specific parts of a malware samples capabilities. For our research, we’ll use Atomic Red Team scripts by RedCanary:

One of RedCanary’s main beliefs behind the philosophy of the Atomic Red Team project is that we need to keep learning how adversaries operate. Vanguard Cyber Security share this belief and we spend a lot of resource on research and development of our detection techniques, fitting them to any customer use case.

Another beauty of the RedCanary Philosophy is that they believe a test should have the ability to be run in less than 5 minutes… If you have a lot of research like us, then quick and repeatable is perfect for that low hanging fruit.

We will execute the scripts using their execution framework:

To install both the scripts and framework:

IEX (IWR '' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics

Writing the rules

The first part is generating activity, for this article I’ll invoke Mimikatz, to see what attacks are available for a technique, you can use the syntax:

Invoke-AtomicTest [TacticNumber] -ShowDetailsBrief

For more info, I’d recommend going to the AtomicRedTeam repo:

We will now use these events to select certain fields and create our Sigma rules…

The reason we do these exercises is to see what events we see (or don’t see). In this case, we seen less than expected for credential dumping.

As above, I took a template from the Sigma repository and edited the fields, the best way to get started is to slightly tweak existing rules before you get used to the schema.

When you copy your rule into, you’ll find that you can translate it to your preferred SIEM.

Twitter: @mikecybersec

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

TryHackMe — Kenobi

Cloud expenses and software engineers

Fixed: Cannot upgrade pip in Python virtual environment

Hexagonal architecture and Domain Driven Design

Building Android App Bundle with Jenkins

Munin, the Monitoring of the Gods!

Let’s Build! Developing Apps and Components on the Salesforce Platform

How to Unit Test a GORM Application With Sqlmock



Twitter: @mikecybersec

More from Medium

[Day 17] Cloud Elf Leaks | Advent of Cyber 3 (2021)

Enabling Root User in Kali Linux

MAL: Malware Introductory — TryHackMe CTF

Log4Shell — Intrusion Analysis