Security Information & Event Management Design: Why you need enhanced logging on windows using Sysmon?

Enhanced logging is taking detailed information about events happening on a system to determine if there any suspicious events occurring such as Word downloading a file from the internet.

Windows systems by default are not configured for enhanced logging, in fact most windows systems logs will only contain events from a short time frame. In addition, these logs are often cleared by attackers to cover their tracks, this is a good reason to embark on a centralised logging project with a SIEM.

Often SIEM vendors will just suggest to clients to log all events from their systems to make sure that they “don’t miss anything”, however in my previous post here, I showed how this strategy negatively impacts clients.

Rarely do they advocate enhanced logging of commands as this would add significantly more events making SIEM systems prohibitively expensive.

Enhanced logging includes events such as process creation, registry access to name a few. For example, a process creation event happens when you interact with your desktop such as opening Word document.

Some SIEM vendors will suggest using command line logging as a way to gain extra visibility but this of course will add extra events, command line logging is often implanted using Group Policy “Audit Process Creation” setting as shown below:-

audit-process-creation

Whilst Group Policy may at first seem an attractive method as it can be easily deployed, this will then give you events with an ID of 4688 - “a new process has been created” in the Security Log.

The main problem with this approach is that there are lots of benign system events on windows running which create new processes on a regular basis as shown below :-

legitimate-windows-processes

Unfortunately, using Group Policy is an “all or nothing” option so there is no way to filter these events out. This has the effect of creating “noise events” rather than events necessary for detecting attacks. This means that most businesses do not enable “audit process creation” for their SIEM solutions.

Enter Sysmon, a tool published by Microsoft currently on version 7.02.

Sysmon provides twenty events (not just process creation) covering detailed information about what is happening on a windows-based system. Some of these include:-

  • Process creation and termination.
  • Windows Registry key access, creation and deletion.
  • Network connections.
  • File hashes.
  • Windows Management Instrumentation (WMI) events.

There is also a guide on looking for suspicious activity published by Microsoft here.

Sysmon’s crucial advantage is the ability to filter events so that we can remove those benign windows events that would otherwise fill up our SIEM solution.

Additionally, we gain visibility into more events that matter when coupled targeted event filtering.

Defence Logic has incorporated Sysmon as part of our SIEM Design process giving our solution an enhanced logging capability without the noise. Lastly, here is a question when considering a SIEM solution, “What level of Sysmon support does your product provide?”

Lastly, here are some pictures of our solution detecting a well known password dumping tool called Mimikatz.

mimikatz-event

Happy Enhanced logging.