Summary
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time.
Sysmon logs these additional events in:
Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
Trend Micro Deep Security added support for monitoring events generated by Sysmon in Version 12.0.
The following Log Inspection rules are provided to monitor events generated by Sysmon:
- 1009771 - Microsoft Windows Sysmon Events - 1
- 1009777 - Microsoft Windows Sysmon Events - 2
Details
Detecting MITRE ATT&CK techniques using Sysmon
After applying these rules the Deep Security Agent will detect any events related to process creation, process termination, network connection, file creation, registry value set or pipe creation and can generate log inspection events. These events have been mapped to techniques enumerated in the MITRE ATT&CK Framework.
Configuring Sysmon for use with the Log Inspection rules
- Download Sysmon from https://download.sysinternals.com/files/Sysmon.zip and extract the contents to a temporary folder.
- Download the configuration file (DSSysmonConfig.zip) from here (SHA256-2974c7a6403e395e4acd3b1b6103e41f0c7d1d30dfb68627aa2dea30d76dcf0e) and extract the contents to the same folder as in Step 1.
- Open an elevated command prompt in the same directory as the extracted file in steps 1 and 2 and run the following command: sysmon.exe –accepteula –I DSSysmonConfig.xml
For more details about Sysmon and its additional uses, refer to official Microsoft documentation here: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon.
Please note that the rules will work ONLY with Trend Micro Deep Security Agent version 12.0.0-360 or higher.
Configuring the Log Inspection Rules in Deep Security
1. Go to Computer -> Log Inspection -> Advanced and make note of the Severity Clipping levels. These are the minimum levels at which logging events are stored.
2. Go to Computer or Policy -> Log Inspection -> 1009771 - Microsoft Windows Sysmon Events - 1-> Properties -> Configuration
The administrator will need to tune the priority of the various Rule IDs to be greater than the Severity Clipping levels noted in the previous step to get the corresponding alert. Details about each Rule ID can be found by matching it to the ATT&CK IDs listed here: https://attack.mitre.org/techniques/enterprise/.
3. Repeat the same steps performed in step 2 for 1009777 - Microsoft Windows Sysmon Events - 2.
