Detecting MITRE ATT&CK techniques using Sysmon

After applying these rules the Deep Security Agent will detect any events related to process creation, process termination, network connection, file creation, registry value set or pipe creation and can generate log inspection events. These events have been mapped to techniques enumerated in the MITRE ATT&CK Framework.
 

Configuring Sysmon for use with the Log Inspection rules

  1. Download Sysmon from https://download.sysinternals.com/files/Sysmon.zip and extract the contents to a temporary folder.
  2. Download the latest configuration file (DSSysmonConfig.xml) from GitHub here and extract the contents to the same folder as in Step 1.
  3. Open an elevated command prompt in the same directory as the files extracted in Steps 1 and 2 and run the following command: sysmon.exe -accepteula -i DSSysmonConfig.xml
An example of how to deploy Sysmon through GPO (with a link to a helper batch file) can be found at the end of this article.
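The following PowerShell check is an added example and is not part of the Trend Micro article or its DSSysmonConfig.xml. Run it in an elevated prompt on a host where Sysmon was installed with the steps above. It confirms that the Sysmon event types the Log Inspection rules consume (process creation and termination, network connection, file creation, registry value set, pipe creation) are actually being written to the Sysmon operational log before you spend time tuning rule priorities. The event IDs are Sysmon's documented IDs; the one-hour window is an assumption.

```powershell
# Added verification check (not from the article). Requires PowerShell 3.0+ for
# Get-WinEvent -FilterHashtable.

# Sysmon event IDs for the event types the Log Inspection rules are built on.
$ExpectedEvents = @{
    1  = 'Process creation'
    3  = 'Network connection'
    5  = 'Process terminated'
    11 = 'File created'
    13 = 'Registry value set'
    17 = 'Pipe created'
}
$Since = (Get-Date).AddHours(-1)   # assumed lookback window

# The service name depends on architecture: Sysmon64 on 64-bit Windows.
$ServiceName = if ([Environment]::Is64BitOperatingSystem) { 'Sysmon64' } else { 'Sysmon' }
$Service = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $Service -or $Service.Status -ne 'Running') {
    Write-Warning "$ServiceName service is not running; install it with: sysmon.exe -accepteula -i DSSysmonConfig.xml"
    exit 1
}

# Pull the last hour of Sysmon events and count them per event ID.
$Filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; StartTime = $Since }
$Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue
$Counts = @{}
foreach ($Event in $Events) {
    $Counts[$Event.Id] = [int]$Counts[$Event.Id] + 1
}

# A zero count for one type is not necessarily wrong (a quiet host may not have
# created a named pipe in the last hour), but zero across the board usually means
# the configuration was not applied and Deep Security will have nothing to inspect.
$Missing = 0
foreach ($Id in ($ExpectedEvents.Keys | Sort-Object)) {
    $Count = [int]$Counts[$Id]
    if ($Count -eq 0) { $Missing++ }
    $Status = if ($Count -gt 0) { 'OK     ' } else { 'MISSING' }
    '{0} ID {1,2} {2,-20} {3,6} events since {4:t}' -f $Status, $Id, $ExpectedEvents[$Id], $Count, $Since
}
if ($Missing -eq $ExpectedEvents.Count) {
    Write-Warning 'No expected Sysmon events found; run "sysmon.exe -c" to display the active configuration and confirm DSSysmonConfig.xml was applied.'
}
```

If the counts look right here but no log inspection events appear in Deep Security, the problem is on the rule side (priority below the Severity Clipping level, or an agent older than 12.0.0-360), not on the Sysmon side.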

For more details about Sysmon and its additional uses, refer to official Microsoft documentation here: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon.

Please note that the rules will work ONLY with Trend Micro Deep Security Agent version 12.0.0-360 or higher.

Configuring the Log Inspection Rules in Deep Security

  1. Go to Computer > Log Inspection > Advanced and make note of the Severity Clipping levels. These are the minimum levels at which logging events are stored.

    [Screenshot: Severity Clipping settings]

  2. Go to Computer or Policy > Log Inspection > 1009771 - Microsoft Windows Sysmon Events - 1 > Properties > Configuration.

    [Screenshot: rule Configuration tab]


    The administrator will need to tune the priority of the various Rule IDs to be greater than the Severity Clipping levels noted in the previous step to get the corresponding alert. Details about each Rule ID can be found by matching it to the ATT&CK IDs listed here: https://attack.mitre.org/techniques/enterprise/
  3. Repeat the same steps performed in Step 2 for 1009777 - Microsoft Windows Sysmon Events - 2.


Instructions on how to deploy Sysmon via GPO

The following steps may be used to deploy Sysmon in an Active Directory environment using Group Policy Objects (GPO).
 
Please note, there are many different enterprise methods of deploying software and tools and this is one example. Sysmon can be deployed any way administrators prefer, as long as the correct configuration file is used.
  1. Download the helper deploy_sysmon.bat file (zipped) from here. (Zip SHA256: 98a7687993ec64195b477d98afef2986aac8c1d33aa0fd802db026f544333590)
  2. Create a file share that allows all computers read-only access. Note: only selected accounts should have write access to this folder due to the sensitivity of the files. A common location to use is the SYSVOL folder of the domain, but organizational requirements may vary.
  3. Edit the first line of the deploy_sysmon.bat file to point to the file share created in Step 2.
  4. Copy all five (5) files mentioned in this article to the share: deploy_sysmon.bat, DSSysmonConfig.xml, Eula.txt, sysmon.exe and sysmon64.exe
  5. Using an AD account with appropriate permissions (usually Domain Admin), use the Windows Group Policy Management Console to create a new GPO and link it either to the root domain or to an appropriate OU.
  6. Edit the policy and navigate to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown).
  7. In the right pane, double click on Startup.
  8. Click Add.
  9. In 'Script Name' enter the full UNC path to the deploy_sysmon.bat file, or click on Browse and navigate to the network location.
  10. Click OK and then Click OK once more.
As the Group Policy updates for each computer in the selected scope, Sysmon will be deployed.  Whenever an update to the configuration file is required, simply update the DSSysmonConfig.xml file and it will get deployed at the next GPO refresh interval.
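The script below is an added example of a computer startup script that does what the helper batch file is described as doing; it is not the deploy_sysmon.bat from this article and does not replace it. Assumptions: the share path is a placeholder to be edited, the five files from Step 4 sit in that share, and the script runs as a startup script (under the computer account), so the share must grant read access to domain computers as described in Step 2. It additionally records a SHA256 of the last applied configuration so an unchanged DSSysmonConfig.xml is not re-applied on every boot.

```powershell
# Added example startup script (not the article's deploy_sysmon.bat).
# Requires PowerShell 4.0+ for Get-FileHash.

$Share = '\\dc01.example.local\SYSVOL\example.local\scripts\sysmon'   # placeholder; edit to the share from Step 2
$ConfigPath = Join-Path $Share 'DSSysmonConfig.xml'

# Pick the binary and the service name for the host architecture.
$Is64 = [Environment]::Is64BitOperatingSystem
$Binary = Join-Path $Share $(if ($Is64) { 'sysmon64.exe' } else { 'sysmon.exe' })
$ServiceName = if ($Is64) { 'Sysmon64' } else { 'Sysmon' }

# Hash of the configuration last applied on this host (assumed location).
$StampPath = Join-Path $env:ProgramData 'DSSysmonConfig.applied.sha256'

if (-not (Test-Path $ConfigPath) -or -not (Test-Path $Binary)) {
    # Fail closed: leave whatever is installed untouched rather than run Sysmon
    # with no configuration.
    Write-Warning "Sysmon deployment files not found on $Share"
    exit 1
}

$ConfigHash = (Get-FileHash -Path $ConfigPath -Algorithm SHA256).Hash
$Installed = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

if (-not $Installed) {
    # First run on this host: install driver and service with the configuration
    # (same switches as Step 3 of the manual install).
    & $Binary -accepteula -i $ConfigPath
} elseif (-not (Test-Path $StampPath) -or (Get-Content -Path $StampPath) -ne $ConfigHash) {
    # Already installed and DSSysmonConfig.xml changed: push the new configuration
    # without reinstalling.
    & $Binary -c $ConfigPath
} else {
    exit 0   # installed and configuration unchanged; nothing to do
}

if ($LASTEXITCODE -eq 0) {
    Set-Content -Path $StampPath -Value $ConfigHash
} else {
    Write-Warning "Sysmon returned exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}
```

A PowerShell startup script is added under the PowerShell Scripts tab of the Startup properties dialog rather than the Scripts tab used for the .bat file in Step 9. Because the share is read by every computer in scope, the write restriction from Step 2 is what protects the configuration: anyone who can modify DSSysmonConfig.xml on the share changes what Sysmon records on every host at its next boot.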