Added Sysmon-events, modified DHCP-logging configuration.

JSCU-CND · web-flow · commit bbd03ec79fa0 · 2021-08-26T15:09:10.000+02:00
* Added Sysmon-events to the subscription configuration.
* Changed the logging-configuration for DHCP events from a registry-key, which was unreliable, to PowerShell-commands.
diff --git a/WindowsEventIDMapping.json b/WindowsEventIDMapping.json
@@ -1154,6 +1154,234 @@
             }
         }
     },
+    "Microsoft Sysmon": {
+        "events":{
+            "Sysmon Service Status Changed ": {
+                "0": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "Sysmon Service Status Changed"
+                }
+            },
+            "Process creation": {
+                "1": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "Process creation"
+                }
+            },
+            "Process changed file creation time": {
+                "2": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "A process changed a file creation time"
+                }
+            },
+            "Network connection": {
+                "3": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "Network connection"
+                }
+            },
+            "Sysmon service state changed": {
+                "4": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "Sysmon service state changed"
+                }
+            },
+            "Process terminated": {
+                "5": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "Process terminated"
+                }
+            },
+            "Driver loaded": {
+                "6": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "Driver loaded"
+                }
+            },
+            "Image loaded": {
+                "7": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "Image loaded"
+                }
+            },
+            "Create Remote Thread": {
+                "8": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "CreateRemoteThread"
+                }
+            },
+            "Raw Access Read": {
+                "9": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "RawAccessRead"
+                }
+            },
+            "Process Access": {
+                "10": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "ProcessAccess"
+                }
+            },
+            "File Create": {
+                "11": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "FileCreate"
+                }
+            },
+            "Registry Create/Delete": {
+                "12": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "RegisteryEvent (Object create and Delete)"
+                }
+            },
+            "Registry Value Set": {
+                "13": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "RegisteryEvent value set"
+                }
+            },
+            "Registry Key/Value Rename": {
+                "14": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "RegisteryEvent key and value rename"
+                }
+            },
+            "File Create Stream Hash": {
+                "15": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "FileCreateStreamHash"
+                }
+            },
+            "Service Configuration Change": {
+                "16": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "ServiceConfigurationChange"
+                }
+            },
+            "Pipe Created": {
+                "17": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "PipeEvent pipe created"
+                }
+            },
+            "Pipe Connected": {
+                "18": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "PipeEvent pipe connected"
+                }
+            },
+            "WMI Filter Activity": {
+                "19": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "WMIEvent WMIEvenFilter activity detected"
+                }
+            },
+            "WMI Consumer Activity": {
+                "20": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "WMIEvent Consumer activity detected"
+                }
+            },
+            "WMI Consumer to Filter Activity": {
+                "21": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "WMIEvent Consumer to filter activity detected"
+                }
+            },
+            "DNS Query": {
+                "22": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "DNSEvent DNS Query"
+                }
+            },
+            "File Delete": {
+                "23": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "FileDelete a file delete was detected"
+                }
+            },
+            "Clipboard Change": {
+                "24": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "ClipboardChange new content in clipboard"
+                }
+            },
+            "Process Tampering": {
+                "25": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "ProcessTampering process image change"
+                }
+            },
+            "File Delete Detected": {
+                "26": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "File Delete Detected"
+                }
+            },
+            "Error": {
+                "255": {
+                    "level": "Information",
+                    "channel": "Microsoft-Windows-Sysmon/Operational",
+                    "provider": "Microsoft-Windows-Sysmon",
+                    "notes": "Sysmon error"
+                }
+            }
+        }
+    },
     "Windows Defender": {
         "events": {
             "ACG Audit": {
diff --git a/WindowsEventLogging.adoc b/WindowsEventLogging.adoc
@@ -24,6 +24,7 @@ The table below provides an overview of the events further described in section
 | Network Activity (<<network-activity-policy, policy>>, <<network-activity-default,default>>) | Network activity on the host which wasn't included in other categories, e.g. DHCP leases, DNS, Remote Desktop use and BITS jobs. | Low
 | Scheduled Tasks (<<scheduled-tasks-policy, policy>>, <<scheduled-tasks-default, default>>) | Records the creation and modification of Scheduled Tasks. | Low
 | <<Services>> |  Records the creation and modification of services. | Low
+| <<System Monitor (Sysmon), Sysmon>> | Provides additional detection capabilities such as information about process creations, network activity, loading of drivers and more. | Depends on rule sets
 | <<System Security Extension>> | Records the loading of extension packages such as Security Support Providers (SSP) or Password Filters into the Local Security Authority (LSA) process. | Low
 | <<System Status>> | Records startup and shutdown of systems. Records application crashes and hangs. | Low
 | <<Object Access>> | Records access to network shares and objects that have system access control lists (SACL) specified. | High
@@ -107,20 +108,22 @@ Some organizations have guidelines or policies in place to limit the use of exte
 The events described here are aimed at providing additional context during analysis such as having a history of DHCP leases or domain names that may have been resolved in the past.
 
 ===== Address Assignment (DHCP)
-Records the assignment of IP addresses to interfaces. This information can be useful during analysis to determine which IP address was assigned to a system at some point in time. For these events to be available the DHCP-Client channel must be enabled. You can configure a Registry Key that enables the channel domain-wide using Group Policies.
+Records the assignment of IP addresses to interfaces. This information can be useful during analysis to determine which IP address was assigned to a system at some point in time. 
 
-`Computer Configuration -> Preferences -> Windows Settings -> Registry -> New -> Registry Item`
+For these events to be available the DHCP-Client and DHCPv6-Client channel must be enabled. There are multiple ways these channels can be enabled but we found that using PowerShell provides the most reliable result.
 
-DHCPv4: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Dhcp-Client/Operational`
+[source,powershell]
+----
+$logs = Get-WinEvent -ListLog "Microsoft-Windows-Dhcp*-Client/Operational"
+Foreach($log in $logs) {
+    $log.IsEnabled = $true
+    $log.MaximumSizeInBytes = $10MB
+    $log.SaveChanges()
+}
+----
 
-DHCPv6: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Dhcpv6-Client/Operational`
+You should distribute these commands across your domain according to your company's deployment strategy using elevated privileges. Deployment using configuration management software is preferred. Alternatively you can use something like an apply once scheduled task using group policiesfootnote:[https://www.faqforge.com/windows-server-2016/configure-scheduled-task-item-using-group-policy/].
 
-[cols="1,1,1,1"]
-|===
-| Value Name | Value Type | Value data |  Configure for
-
-| Enabled | REG_DWORD | 1 | All
-|===
 
 ===== Name Resolution (DNS)
 Malware may attempt to resolve domain names for the retrieval of additional files or communicating with Command & Control servers. Collecting DNS queries can be helpful in order to enable the discovery of compromise or intrusion during analysis.
@@ -329,6 +332,10 @@ In addition to the <<Scheduled Tasks, Object Access>> policy, events in the dedi
 ==== Services
 Records failures and crashes of Windows Services. The installation of new services is tracked by <<System Security Extension>>.
 
+==== System Monitor (Sysmon)
+Microsoft Sysmon provides additional detection capabilities, based on a user-specified configuration. If you have Sysmon configured in your environment, you should add the events to your collection strategy. If you are using our default subscription file, the events are already included.
+
+Our current advice does not cover the deployment or configuration of Sysmon. If you have deployed Sysmon, you should tweak your configuration for your environment to prevent spamming of events.
 
 ==== System Status
 Events in this category include: startup and shutdown of a system, application crashes and modifications to the system time. Tracking the startup and shutdown events of a system can provide additional context during analysis. Unstable or crashing applications may be an indication of malicious activity or exploitation attempts.
@@ -398,6 +405,29 @@ This table can be used to configure your central collection.
 | Microsoft-Windows-Security-Mitigations/UserMode| Microsoft-Windows-Security-Mitigations | 22 | True
 | Microsoft-Windows-Security-Mitigations/UserMode| Microsoft-Windows-Security-Mitigations | 23 | True
 | Microsoft-Windows-Security-Mitigations/UserMode| Microsoft-Windows-Security-Mitigations | 24 | True
+| Microsoft-Windows-Sysmon/Operational| Microsoft-Windows-Sysmon | 0 | True
+| Microsoft-Windows-Sysmon/Operational| Microsoft-Windows-Sysmon | 1 | True
+| Microsoft-Windows-Sysmon/Operational| Microsoft-Windows-Sysmon | 2 | True
+| Microsoft-Windows-Sysmon/Operational| Microsoft-Windows-Sysmon | 3 | True
+| Microsoft-Windows-Sysmon/Operational| Microsoft-Windows-Sysmon | 4 | True
+| Microsoft-Windows-Sysmon/Operational| Microsoft-Windows-Sysmon | 5 | True
+| Microsoft-Windows-Sysmon/Operational| Microsoft-Windows-Sysmon | 6 | True
+| Microsoft-Windows-Sysmon/Operational| Microsoft-Windows-Sysmon | 7 | True
+| Microsoft-Windows-Sysmon/Operational| Microsoft-Windows-Sysmon | 8 | True
+| Microsoft-Windows-Sysmon/Operational| Microsoft-Windows-Sysmon | 9 | True
+| Microsoft-Windows-Sysmon/Operational| Microsoft-Windows-Sysmon | 10 | True
+| Microsoft-Windows-Sysmon/Operational| Microsoft-Windows-Sysmon | 11 | True
+| Microsoft-Windows-Sysmon/Operational| Microsoft-Windows-Sysmon | 14 | True
+| Microsoft-Windows-Sysmon/Operational| Microsoft-Windows-Sysmon | 15 | True
+| Microsoft-Windows-Sysmon/Operational| Microsoft-Windows-Sysmon | 16 | True
+| Microsoft-Windows-Sysmon/Operational| Microsoft-Windows-Sysmon | 18 | True
+| Microsoft-Windows-Sysmon/Operational| Microsoft-Windows-Sysmon | 21 | True
+| Microsoft-Windows-Sysmon/Operational| Microsoft-Windows-Sysmon | 22 | True
+| Microsoft-Windows-Sysmon/Operational| Microsoft-Windows-Sysmon | 23 | True
+| Microsoft-Windows-Sysmon/Operational| Microsoft-Windows-Sysmon | 24 | True
+| Microsoft-Windows-Sysmon/Operational| Microsoft-Windows-Sysmon | 25 | True
+| Microsoft-Windows-Sysmon/Operational| Microsoft-Windows-Sysmon | 26 | True
+| Microsoft-Windows-Sysmon/Operational| Microsoft-Windows-Sysmon | 255 | True
 | Microsoft-Windows-TaskScheduler/Operational| Microsoft-Windows-TaskScheduler | 200 | True
 | Microsoft-Windows-TaskScheduler/Operational| Microsoft-Windows-TaskScheduler | 201 | True
 | Microsoft-Windows-TerminalServices-RDPClient/Operational| Microsoft-Windows-TerminalServices-ClientActiveXCore | 1024 | True
@@ -527,3 +557,4 @@ This table can be used to configure your central collection.
 |===
 
 
+
diff --git a/subscriptions/subscription.xml b/subscriptions/subscription.xml
