Splunking with Sysmon

By: Shahzad Subhani

This article is about the installation of Sysmon, its configuration and then its integration with Splunk Enterprise in order to do threat hunting.

The Objectives behind this article are

  • Install Sysmon on a Windows machine
  • Generate different Process Logs
  • Collect those Logs with Splunk
  • Analyze the Logs

However, you might be wondering what Sysmon is and why you even need it in the first place. If you do not know what Sysmon is, here are a few key points to remember.

  • System Monitor (Sysmon) is part of the Sysinternals tools. It is a Windows system service and device driver. Once it is installed on a system, it remains resident across system reboots to monitor and log system activity to the Windows event log.
  • It provides detailed information about process creations, network connections, and changes to file creation time.
  • It logs process creation with the full command line for both the current and the parent process.

Here is a Sample of Logs generated by Sysmon.

Sysmon Event Log Sample

You can read more about it on the Microsoft Sysmon documentation page.

Action Items
Now let’s get started. We need to perform these steps in order to have a successful Integration.

  • Download Sysmon
  • Installation of Sysmon with Default Configuration
  • Installation of Sysmon with Advanced Configuration
  • Generate Logs via the Atomic red team
  • Review Logs
  • Deploy Splunk
  • Configure Splunk
  • Collect Logs
  • Review Logs
Here are the links that will be used for the above steps.

Downloading and Configuring Sysmon

Sysmon and a sample configuration can be downloaded from the Microsoft Sysmon Download Page.

Once downloaded, you can deploy it with the default configuration using this command.

sysmon -accepteula -i

Sysmon Default Installation

Please note that the default configuration is very limited: it hashes process images (executables) with SHA1 only and does no network monitoring. However, if our objective is to find an executable that is trying to make internal or external network connections, then we need to enable that.

In order to do that, you can use two approaches. The difficult approach is to make a Sysmon configuration file from scratch and keep adding different images for monitoring. The easy and best approach is to trust others and use ready-to-use Sysmon configuration files from either of these two reliable industry sources. These configuration files are mapped to the MITRE ATT&CK framework.

  • Olaf Hartong Configuration
  • SwiftOnSecurity Configuration

You can download either of the above XML files from their GitHub repositories. Please ensure that you download the file in the right manner. Right-clicking on the file and saving it as a link as shown below will corrupt the file and you will keep banging your head on the wall if it is not working. As a matter of fact, it did happen to me.

Downloading File from Github

To download the file correctly, click on Code and then Download ZIP. Once the file is downloaded, you can open it with any XML editor and check that it looks OK. Then you can open a Command Prompt as Administrator and update the configuration with this command.

sysmon -accepteula -i sysmonconfig3.xml

On a machine where Sysmon is already installed, sysmon -c sysmonconfig3.xml applies a new configuration in place without reinstalling the driver.

Once the configuration is updated, you will get a similar message.

Sysmon Configuration Update

Now you can open different applications like Firefox, Chrome, uTorrent etc. and generate different logs. You can also generate logs via Atomic Red Team. Once you have the logs, open the Event Viewer and go to the path shown below to review them.

Now we are done with our first part. If you still have some doubts and you are still hesitating, you can visit here to see one of my detailed Sysmon installation videos covering the whole process. It should be able to address some of your doubts.

In Splunk, go to Settings | Data Inputs | Local Event Log Collection and choose as shown below.

Splunk data input

For a corporate installation, you need to create an inputs file and assign it to the relevant Universal Forwarder. The file should look like this.

# Separate App for Sysmon Inputs
# inputs.conf stanza for the Sysmon operational channel. The stanza header was
# missing from the fragment above; without it the settings below apply to nothing.
# Microsoft-Windows-Sysmon/Operational is the channel name Sysmon writes to.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = main
renderXml = true

Once logs are collected, you can search them via index=main as shown below.

Splunk Log Search

Once you have the logs, you can analyze them and, based on them, you can exclude a few processes.
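The following is an added example, not the article's own file and not one of the two repositories linked above, of what the "from scratch" approach looks like at its smallest: a Sysmon configuration that switches hashing to SHA256, turns on network-connection logging (Event ID 3), which the default install leaves off, and excludes a couple of noisy sources, which is also how the process exclusions mentioned above are done on the sensor side rather than in Splunk. The schemaversion value and the excluded image path are assumptions to adapt to your own environment.

```xml
<!-- Added example (not from the article or the linked repositories).
     Assumptions: schemaversion 4.30 (run "sysmon -s" to print the schema your
     binary supports) and the excluded conhost.exe path, a placeholder for
     whatever process is noisiest on your hosts.
     Apply on an installed instance with:  sysmon -c sysmon-minimal.xml -->
<Sysmon schemaversion="4.30">
  <!-- The default install hashes with SHA1 only; SHA256 is what most
       threat-intel feeds and Splunk lookups are keyed on. -->
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1, process creation. onmatch="exclude" means "log every
         event EXCEPT those matching a rule inside", so listing a process here
         is how the 'exclude a few processes' step is done at the source. -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\conhost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 3, network connections. Absent from the default config, so
         nothing is logged; an "exclude" rule (even an empty one) turns the
         event on for every process. Here only loopback traffic is dropped,
         so browsers, updaters and anything unexpected all remain visible. -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <DestinationIp condition="is">127.0.0.1</DestinationIp>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

After applying it, an index=main EventCode=3 search in Splunk should start returning one event per outbound connection, each carrying the Image, DestinationIp and DestinationPort fields that the hunting use case in this article depends on.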

In order to see a demo, you can look at this Splunking with Sysmon session, which shows how to install and configure Splunk and then how to exclude certain processes.