UPDATE (2019/05/16): Recent versions of Wazuh support native JSON ingestion; see the updated version of this blog post here.

Being a system security admin is not easy nowadays. Every day new vulnerabilities appear that jeopardize the integrity of our environments. Mark Russinovich, currently CTO of Microsoft Azure, was one of the developers who founded and launched Winternals, a subdivision of Microsoft. It offers technical resources and utilities to manage, diagnose, troubleshoot and monitor a Microsoft Windows environment. Sysinternals, a toolkit provided by Winternals, contains, among other great tools, Sysmon, an antimalware tool for advanced users.

Sysmon is a command-line tool that lets us monitor and track the processes running on our computers. With the right configuration, suspicious behavior can be detected and the detailed information is stored in the generated log. For instance, the creation of a new process is recorded by Sysmon as “Event number 1”. This event contains critical information that we can use to configure an active response or adopt other types of security measures.

Our goal in this article is to illustrate, with a simple example, how to use Sysmon together with Wazuh's monitoring capabilities. More specifically, we want Wazuh to generate an alert every time PowerShell is executed. PowerShell is just an example process; you can build your own use case around any other process that is relevant to you.

Sysmon dashboard

Prerequisites for monitoring Sysmon events

  • Wazuh HIDS v1.1+
  • Windows 7 or higher.

Sysmon installation and configuration

To change Sysmon's default configuration, which this article requires, we need to create an XML file. The XML configuration below makes Sysmon generate the right log entry when PowerShell is executed:

<Sysmon schemaversion="3.30">
  <HashAlgorithms>md5</HashAlgorithms>
  <EventFiltering>
    <!--SYSMON EVENT ID 1 : PROCESS CREATION-->
    <ProcessCreate onmatch="include">
      <Image condition="contains">powershell.exe</Image>
    </ProcessCreate>
    <!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM-->
    <FileCreateTime onmatch="include"></FileCreateTime>
    <!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED-->
    <NetworkConnect onmatch="include"></NetworkConnect>
    <!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON STATUS MESSAGES, THIS LINE IS INCLUDED FOR DOCUMENTATION PURPOSES ONLY-->
    <!--SYSMON EVENT ID 5 : PROCESS ENDED-->
    <ProcessTerminate onmatch="include"></ProcessTerminate>
    <!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL-->
    <DriverLoad onmatch="include"></DriverLoad>
    <!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS-->
    <ImageLoad onmatch="include"></ImageLoad>
    <!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED-->
    <CreateRemoteThread onmatch="include"></CreateRemoteThread>
    <!--SYSMON EVENT ID 9 : RAW DISK ACCESS-->
    <RawAccessRead onmatch="include"></RawAccessRead>
    <!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS-->
    <ProcessAccess onmatch="include"></ProcessAccess>
    <!--SYSMON EVENT ID 11 : FILE CREATED-->
    <FileCreate onmatch="include"></FileCreate>
    <!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION-->
    <RegistryEvent onmatch="include"></RegistryEvent>
    <!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED-->
    <FileCreateStreamHash onmatch="include"></FileCreateStreamHash>
    <!--SYSMON EVENT ID 17 & 18 : NAMED PIPE CREATED / CONNECTED-->
    <PipeEvent onmatch="include"></PipeEvent>
  </EventFiltering>
</Sysmon>

This simple XML instructs Sysmon to log the creation of any process whose image path contains “powershell.exe”. Note that every other event type is declared with onmatch="include" and no rules inside, which in Sysmon means that nothing of that type is logged; the resulting channel therefore contains only the Event ID 1 entries we care about.
Installation and configuration steps:

  1. You can download Sysmon at this link.
  2. Build the XML file yourself as shown above or download it from here. Move the configuration file (XML) to the same folder that contains the Sysmon binaries.
  3. Launch CMD with administrator privileges and install Sysmon with the configuration file as follows:
Sysmon64.exe -accepteula -i sysconfig.xml

We have now told Sysmon to use our configuration XML file instead of the default.
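The include/exclude semantics are easy to get backwards, so here is an added Python check (not part of the original post or of Sysmon) that parses a Sysmon filter and reports what each event type will actually log. The embedded configuration is a shortened, constructed copy of the one above, with DriverLoad switched to "exclude" to show the opposite case.

```python
import xml.etree.ElementTree as ET

# Constructed, shortened copy of the filter above (hypothetical; only three event
# types kept, and DriverLoad switched to "exclude" to show the opposite case).
SYSMON_CONFIG = """<Sysmon schemaversion="3.30">
  <HashAlgorithms>md5</HashAlgorithms>
  <EventFiltering>
    <ProcessCreate onmatch="include">
      <Image condition="contains">powershell.exe</Image>
    </ProcessCreate>
    <NetworkConnect onmatch="include"></NetworkConnect>
    <DriverLoad onmatch="exclude"></DriverLoad>
  </EventFiltering>
</Sysmon>"""


def effective_policy(xml_text):
    """Map each event type under EventFiltering to what Sysmon will actually log.

    Sysmon semantics: an 'include' filter with no rules matches nothing, so that
    event type is silenced; an 'exclude' filter with no rules logs everything.
    """
    root = ET.fromstring(xml_text)
    filtering = root.find("EventFiltering")
    if filtering is None:
        raise ValueError("no <EventFiltering> element in configuration")
    policy = {}
    for filt in filtering:  # ET drops XML comments, so only filter elements remain
        onmatch = filt.get("onmatch", "")
        rules = " or ".join(
            f"{r.tag} {r.get('condition', 'is')} '{(r.text or '').strip()}'" for r in filt
        )
        if onmatch == "include":
            policy[filt.tag] = "only " + rules if rules else "NOTHING (empty include)"
        elif onmatch == "exclude":
            policy[filt.tag] = "everything except " + rules if rules else "EVERYTHING (empty exclude)"
        else:
            policy[filt.tag] = f"UNKNOWN onmatch={onmatch!r}"
    return policy


if __name__ == "__main__":
    for event_type, what in effective_policy(SYSMON_CONFIG).items():
        print(f"{event_type:20} -> {what}")
```

Run it against the full sysconfig.xml before installing it to confirm that only ProcessCreate has an active rule.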

Time to test whether it works. Launch PowerShell and open the Sysmon section in Event Viewer (Applications and Services Logs/Microsoft/Windows/Sysmon/Operational):

Sysmon events

The event details are shown below:

Sysmon section

As seen above, the log gives us full details about the creation of this process: timestamp, process ID, command line, working directory, user, logon ID, parent process, etc. This is useful information that can help us detect and prevent harmful actions.

Configure Wazuh agent to monitor Sysmon events

We assume the Wazuh agent is installed and running on the computer being monitored. We need to tell the agent to read the Sysmon event channel, which is done by adding the following block to its ossec.conf:

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

Restart the agent to apply the changes.

Configure Wazuh manager

A new rule needs to be added to local_rules.xml on the Wazuh manager to match the Sysmon event generated by the execution of PowerShell. This rule makes the manager trigger an alert every time it receives this type of event.

<group name="sysmon,">
  <rule id="255000" level="12">
    <if_group>sysmon_event1</if_group>
    <field name="sysmon.image">\powershell.exe||\.ps1||\.ps2</field>
    <description>Sysmon - Event 1: Bad exe: $(sysmon.image)</description>
    <group>sysmon_event1,powershell_execution,</group>
  </rule>
</group>

This rule is a “child” rule of the Sysmon ruleset shipped with Wazuh: it depends on the sysmon_event1 group and has been customized to catch the Sysmon “Event number 1” when the Image field contains “powershell.exe” (or a .ps1/.ps2 script). The alert level can be adjusted as desired. Here we set level 12, which is quite high, meaning this event is very important to us from a security standpoint.

We need to restart the manager to apply changes.

Below is a sample of a JSON alert generated by Wazuh:

{
 "timestamp": "2017-03-24T00:56:21+0000",
 "rule": {
 "level": 12,
 "description": "Sysmon - Event 1: Bad exe: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
 "id": "255000",
 "firedtimes": 9,
 "groups": [
 "sysmon",
 "sysmon_event1",
 "powershell_execution"
 ]
 },
 "agent": {
 "id": "004",
 "name": "Windows_1",
 "ip": "172.31.21.211"
 },
 "manager": {
 "name": "managername"
 },
 "srcuser": "WIN-VIHPK3T86T7\Albert2",
 "full_log": "2017 May 25 16:54:20 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-VIHPK3T86T7: Process Create: UtcTime: 2017-05-25 16:54:20.652 ProcessGuid: {9ADBFDD8-0C3C-5967-0300-20108FC61600} ProcessId: 16s4 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine: \"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe\" CurrentDirectory: C:\Users\Administrator\ User: WIN-VIHPK3T86T7\Administrator LogonGuid: {9ADBFDD8-0C3C-5967-0300-20108FC61600} LogonId: 0x1403ea TerminalSessionId: 3 IntegrityLevel: High Hashes: MD5=F6C714F1020F9BBF6A8534AC8AD7662F ParentProcessGuid: {9ADAFDC8-0B2A-5927-0000-00106F1E1400} ParentProcessId: 788 ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE",
 "program_name": "WinEvtLog",
 "id": "1",
 "sysmon": {
 "processGuid": "{9ADBFDD8-0C3C-5967-0300-20108FC61600}",
 "processId": "1676",
 "image": "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
 "commandLine": "\"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe\"",
 "currentDirectory": "C:\Users\Administrator\",
 "logonGuid": "{9ADBFDD8-0C3C-5967-0300-20108FC61600}",
 "logonId": "0x1413ca",
 "terminalSessionId": "3",
 "integrityLevel": "High",
 "hashes": "F6C714F1020F9BBF6A8534AC8AD7662F",
 "parentProcessGuid": "{9ADAFDC8-0B2A-5927-0000-00106F1E1400}",
 "parentProcessId": "788",
 "parentImage": "C:\Windows\explorer.exe"
 },
 "decoder": {
 "parent": "windows",
 "name": "windows"
 },
 "location": "WinEvtLog"
}

Visualization

The Wazuh App is customizable and lets us present the data in whatever way suits us. Below you can find a sample dashboard.

Wazuh app dashboard showing alerts

At a glance we can see which users have executed PowerShell, the parent process, how these events evolve day by day, the computer with the most activity, etc. This dashboard can be downloaded here.
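The same breakdown the dashboard shows (by user, parent process, computer and day) can be produced directly from the alerts.json file the manager writes. The following Python script is an added example (not Wazuh code) that reads lines in the format of the JSON alert above, keeps those fired by rule 255000 or carrying the powershell_execution group, and counts them. The embedded alert lines are constructed from the sample above, and the last one is deliberately truncated to show how a torn line is handled.

```python
import json
from collections import Counter

# Constructed alerts.json lines modelled on the alert above (sample data, not real
# alerts); the last line is deliberately truncated to mimic a torn write.
ALERTS_JSON = r"""
{"timestamp":"2017-03-24T00:56:21+0000","rule":{"id":"255000","level":12,"groups":["sysmon","sysmon_event1","powershell_execution"]},"agent":{"name":"Windows_1"},"srcuser":"WIN-VIHPK3T86T7\\Albert2","sysmon":{"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parentImage":"C:\\Windows\\explorer.exe"}}
{"timestamp":"2017-03-24T01:02:05+0000","rule":{"id":"255000","level":12,"groups":["sysmon","sysmon_event1","powershell_execution"]},"agent":{"name":"Windows_1"},"srcuser":"WIN-VIHPK3T86T7\\Albert2","sysmon":{"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parentImage":"C:\\Windows\\System32\\cmd.exe"}}
{"timestamp":"2017-03-25T09:15:40+0000","rule":{"id":"255000","level":12,"groups":["sysmon","sysmon_event1","powershell_execution"]},"agent":{"name":"Windows_2"},"srcuser":"WIN-VIHPK3T86T7\\svc_backup","sysmon":{"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parentImage":"C:\\Program Files\\Backup\\agent.exe"}}
{"timestamp":"2017-03-25T09:16:00+0000","rule":{"id":"61100","level":3,"groups":["windows"]},"agent":{"name":"Windows_2"},"srcuser":"SYSTEM"}
{"timestamp":"2017-03-25T10:
"""


def summarize_powershell_alerts(lines, rule_id="255000"):
    """Count PowerShell-execution alerts by user, parent image, agent and day.

    Keeps alerts fired by rule_id or carrying the powershell_execution group,
    ignores other rules, and tolerates unparsable lines (counted in 'skipped').
    """
    by_user, by_parent, by_agent, by_day = Counter(), Counter(), Counter(), Counter()
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # alerts.json is appended line by line; a torn line must not abort triage
            continue
        rule = alert.get("rule", {})
        if rule.get("id") != rule_id and "powershell_execution" not in rule.get("groups", []):
            continue
        sysmon = alert.get("sysmon", {})
        by_user[alert.get("srcuser", "?")] += 1
        by_parent[sysmon.get("parentImage", "?")] += 1
        by_agent[alert.get("agent", {}).get("name", "?")] += 1
        by_day[alert.get("timestamp", "")[:10]] += 1  # YYYY-MM-DD prefix of the timestamp
    return {"by_user": by_user, "by_parent": by_parent, "by_agent": by_agent,
            "by_day": by_day, "skipped": skipped}


if __name__ == "__main__":
    summary = summarize_powershell_alerts(ALERTS_JSON.splitlines())
    for key in ("by_user", "by_parent", "by_agent", "by_day"):
        print(key, summary[key].most_common())
    print("skipped lines:", summary["skipped"])
```

On a real manager, pass `open("/var/ossec/logs/alerts/alerts.json")` instead of the constructed lines; a parent image that is neither explorer.exe nor a known scheduler is the first thing worth looking at in the output.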

This is how we can use Wazuh to monitor the Sysmon events that matter to us. We can easily go a step further and execute active responses based on Sysmon events, such as running scripts or killing processes. That might be the subject of a future article.

If you have any questions about this, join our Slack #community channel or contact us via Twitter! Our team and other contributors will help you.