- 1009771 - Microsoft Windows Sysmon Events - 1
- 1009777 - Microsoft Windows Sysmon Events - 2
Detecting MITRE ATT&CK techniques using Sysmon
Configuring Sysmon for use with the Log Inspection rules
- Download Sysmon from https://download.sysinternals.com/files/Sysmon.zip and extract the contents to a temporary folder.
- Download the latest configuration file (DSSysmonConfig.xml) from GitHub here and extract the contents to the same folder as in Step 1.
- Open an elevated command prompt in the directory containing the files extracted in Steps 1 and 2 and run the following command: sysmon.exe -accepteula -i DSSysmonConfig.xml
For more details about Sysmon and its additional uses, refer to official Microsoft documentation here: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon.
Configuring the Log Inspection Rules in Deep Security
Instructions on how to deploy Sysmon via GPO
- Download the helper deploy_sysmon.bat file (zipped) from here. (Zip SHA256: 98a7687993ec64195b477d98afef2986aac8c1d33aa0fd802db026f544333590)
- Create a file share that allows all computers read-only access. Note: only selected accounts should have write access to this folder due to the sensitivity of the files. A common location to use is the SYSVOL folder of the domain, but organizational requirements may vary.
- Edit the first line of the deploy_sysmon.bat file to the file share created in Step 2.
- Copy all five (5) files mentioned in this article to the share: deploy_sysmon.bat, DSSysmonConfig.xml, Eula.txt, sysmon.exe and sysmon64.exe.
- Using an AD account with appropriate permissions (usually Domain Admin), use the Windows Group Policy Management Console to create a new GPO and link it either to the root domain or to an appropriate OU.
- Edit the policy and navigate to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown).
- In the right pane, double click on Startup.
- Click Add.
- In 'Script Name' enter the full UNC path to the deploy_sysmon.bat file, or click on Browse and navigate to the network location.
- Click OK, then click OK once more.
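The following is an added example of what a startup script for this deployment can look like; it is not the deploy_sysmon.bat helper referenced above and is not Trend Micro's code. It is written in PowerShell (it can be added under the PowerShell Scripts tab of the same Startup properties dialog, or called from a .bat wrapper) and ties the manual install command from the "Configuring Sysmon" section to the GPO share layout: it installs Sysmon with DSSysmonConfig.xml on first boot, and on later boots only reloads the configuration when the copy on the share has changed. The share path, the state directory under ProgramData and the log file are assumptions.

```powershell
# Added example: idempotent Sysmon deployment from a read-only share (hypothetical; not the article's deploy_sysmon.bat).
# Assumes the share holds sysmon.exe, sysmon64.exe, Eula.txt and DSSysmonConfig.xml, and that the
# script runs as SYSTEM at computer startup, so the computer account needs read access to the share.
$Share      = '\\contoso.example\SYSVOL\contoso.example\Sysmon'   # assumed share path; edit to match Step 2
$ConfigName = 'DSSysmonConfig.xml'
$StateDir   = Join-Path $env:ProgramData 'SysmonDeploy'           # assumed local state directory
$LogFile    = Join-Path $StateDir 'deploy.log'
$LocalCfg   = Join-Path $StateDir $ConfigName                     # copy of the config applied last time

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
}

# Pick the binary for the OS architecture; the service name matches the binary name (Sysmon or Sysmon64).
$Binary      = if ([Environment]::Is64BitOperatingSystem) { 'sysmon64.exe' } else { 'sysmon.exe' }
$ServiceName = [IO.Path]::GetFileNameWithoutExtension($Binary)

New-Item -ItemType Directory -Path $StateDir -Force | Out-Null

$SrcBinary = Join-Path $Share $Binary
$SrcConfig = Join-Path $Share $ConfigName
if (-not (Test-Path $SrcBinary) -or -not (Test-Path $SrcConfig)) {
    Write-Log "Share $Share unreachable or incomplete; nothing done."
    exit 1
}

# Compare the config on the share with the copy recorded at the last successful run.
$NewHash = (Get-FileHash -Path $SrcConfig -Algorithm SHA256).Hash
$OldHash = if (Test-Path $LocalCfg) { (Get-FileHash -Path $LocalCfg -Algorithm SHA256).Hash } else { '' }

$Installed = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

if (-not $Installed) {
    # First run on this host: install the driver and service with the config (same switches as the manual step).
    Write-Log "Installing $Binary with $ConfigName"
    $p = Start-Process -FilePath $SrcBinary -ArgumentList @('-accepteula', '-i', "`"$SrcConfig`"") -Wait -PassThru
    Write-Log "Install exit code $($p.ExitCode)"
} elseif ($NewHash -ne $OldHash) {
    # Config changed on the share: reload it in place without reinstalling the driver.
    Write-Log "Updating config ($OldHash -> $NewHash)"
    $p = Start-Process -FilePath $SrcBinary -ArgumentList @('-c', "`"$SrcConfig`"") -Wait -PassThru
    Write-Log "Config update exit code $($p.ExitCode)"
} else {
    Write-Log 'Sysmon present and config unchanged; nothing to do.'
    exit 0
}

# Record the config now in effect so the next boot can detect a change on the share.
if ($p.ExitCode -eq 0) { Copy-Item -Path $SrcConfig -Destination $LocalCfg -Force }
exit $p.ExitCode
```

Keeping a local copy of the applied configuration, rather than re-running the install on every boot, means a change to DSSysmonConfig.xml on the share propagates at the next startup while unchanged hosts only write a single log line; the per-host deploy.log also gives you something to check when a machine stops sending Sysmon events to the Log Inspection rules.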