I wish I had an EDR vendor send me a dev agent to test how much event data I can capture from an endpoint, but for now I love to use Sysmon when it comes down to endpoint visibility. In this post I will show you how to install Sysmon and use custom configurations to filter noise and still get the visibility you need to hunt for advanced adversaries. Additionally, as you might already know, we need some type of log forwarder to send logs to our ELK stack. In case you didn't know, Elastic provides several products besides Elasticsearch, Logstash and Kibana, and the one that will help us live stream Windows event logs to our ELK stack is named Winlogbeat. In this post, I will also show you how to set it up and integrate it with our ELK stack configuration.

Requirements

Tools


Sysmon is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. In contrast to common antivirus/HIDS solutions, Sysmon performs deep monitoring of system activity and logs high-confidence indicators of advanced attacks. Sysmon uses a device driver and a service that runs in the background and loads very early in the boot process.
One of the filter conditions available in a Sysmon configuration is image: match an image path (full path or only image name). For example: lsass.exe will match c:\windows\system32\lsass.exe

Great Sysmon Use Cases

Sysmon-dfir - Michael Haggis (Github)

Installing Sysmon

I had already installed Sysmon V5 on my systems, but with a recent update from Mark Russinovich, I needed to update a few images and some of the content in this post.
Figure 1. Sysmon V6 FYI release.
To get started, download Sysmon V6 from here.
Figure 2. Sysmon V6 download page.
Extract the contents of the zipped file to a preferred directory.
Figure 3. Extracting files to the tools directory.
Launch cmd.exe as administrator, navigate to the folder where Sysmon was extracted, and if you want to know what Sysmon can do, just type:
sysmon.exe /?
Figure 4. Sysmon menu.
We can go ahead and try a basic installation by running the following command:
sysmon.exe -i -accepteula -h md5,sha256,imphash -l -n
-i : Install service and driver. Optionally takes a configuration file.
-h : Specify the hash algorithms used for image identification.
-l : Log loading of modules. Optionally takes a list of processes to track.
-n : Log network connections.
Figure 5. Installing Sysmon.
Now, if we run Event Viewer as administrator and browse to Applications and Services Logs > Microsoft > Windows > Sysmon > Operational, you will see that Sysmon is already working and generating logs, as shown in figure 6 below.
Figure 6. Sysmon logs.
You can also view the configuration Sysmon is currently running with by typing:
sysmon.exe -c
Figure 7. Current configuration.

How do we update our current configuration and apply rules to it?

sysmon.exe -c Your_custom_config.xml
You can use my StartLogging.xml config as a basic first script to start with. This script has several Event IDs set to log everything, and that is because I want you to tune it your way. I just had a few exclusions already set there, specifically for Event IDs 1, 3, 6, 7, 10, 11, 12, 13 and 14, to help you a little bit with filtering some initial noise. Let's update our current config and apply our StartLogging.xml configuration.
Figure 8. Updating the current configuration and showing it on the console.
You will not see many logs being generated, but that will change as soon as you start testing a few things. We have not set up our Winlogbeat data shipper yet, but I highly recommend keeping the Winlogbeat service off until you have tuned your Sysmon configuration so that it captures the main anomalies of the attack you are executing. Once you are comfortable with your Sysmon config, turn on your Winlogbeat service and you will be able to see the events in your Kibana dashboard. This can be a good time to take a snapshot of your endpoints with Sysmon installed.
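As an added illustration (this is not the StartLogging.xml config from this post), here is a small Sysmon V6 configuration in the same spirit: each of Event IDs 1, 3, 6, 7, 10, 11 and 12-14 is switched on with an onmatch="exclude" block, so everything is logged except the few noisy matches listed, and the image condition from above is used for the process-creation rule. The excluded images and paths are example choices of mine; the hash algorithms mirror the install command above.

```xml
<!-- Illustrative Sysmon V6 configuration (schemaversion 3.30); the exclusions are example choices, not the post's StartLogging.xml -->
<Sysmon schemaversion="3.30">
  <!-- Same hash algorithms as the "-h md5,sha256,imphash" install option -->
  <HashAlgorithms>md5,sha256,imphash</HashAlgorithms>
  <EventFiltering>
    <!-- An onmatch="exclude" block enables the event type: everything is logged
         except events matching one of the filters inside the block. -->

    <!-- Event ID 1: process creation. "image" matches the file name or its full path. -->
    <ProcessCreate onmatch="exclude">
      <Image condition="image">conhost.exe</Image>
    </ProcessCreate>

    <!-- Event ID 3: network connections, minus the browser's constant chatter -->
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">\chrome.exe</Image>
    </NetworkConnect>

    <!-- Event ID 6: driver loads; an empty exclude block logs all of them -->
    <DriverLoad onmatch="exclude" />

    <!-- Event ID 7: image loads (very high volume); drop DLLs signed as "Microsoft Windows" -->
    <ImageLoad onmatch="exclude">
      <Signature condition="is">Microsoft Windows</Signature>
    </ImageLoad>

    <!-- Event ID 10: process access; the WMI provider host opens many processes legitimately -->
    <ProcessAccess onmatch="exclude">
      <SourceImage condition="end with">\wmiprvse.exe</SourceImage>
    </ProcessAccess>

    <!-- Event ID 11: file creation, minus browser cache churn -->
    <FileCreate onmatch="exclude">
      <TargetFilename condition="contains">\AppData\Local\Microsoft\Windows\INetCache\</TargetFilename>
    </FileCreate>

    <!-- Event IDs 12, 13, 14: registry key and value events, minus Explorer's recent-documents list -->
    <RegistryEvent onmatch="exclude">
      <TargetObject condition="contains">\Explorer\RecentDocs\</TargetObject>
    </RegistryEvent>
  </EventFiltering>
</Sysmon>
```

Apply it with the sysmon.exe -c command shown above, then watch the Sysmon Operational log in Event Viewer and add an exclusion for each source of noise you recognise as benign before turning the shipper on.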

Getting started with Winlogbeat

Stay on the Windows computer where you set up Sysmon. To get started, download Winlogbeat from here and copy the unzipped folder to C:\Program Files, as indicated by the Winlogbeat Getting Started guide.
Figure 9. Winlogbeat download page.
Figure 10. Save the zipped file to your drive.

Figure 11. Winlogbeat folder unzipped.
Figure 12. Copying the winlogbeat folder to the indicated location.
Figure 13. Winlogbeat folder copied to C:\Program Files.
Open PowerShell as administrator, navigate to the winlogbeat folder contents and run the install-service-winlogbeat.ps1 PowerShell script:
.\install-service-winlogbeat.ps1
Figure 14. Run PowerShell as administrator.
Figure 15. Navigate to your winlogbeat folder.
Figure 16. Running the install-service-winlogbeat.ps1 script, using the Run Once option.
Next, run Notepad as administrator. This will allow us to edit the winlogbeat config file and save it without getting "access denied" warning messages. Once Notepad is open, open the winlogbeat.yml file in your winlogbeat folder.
Figure 17. Opening Notepad as administrator.
Figure 18. Opening winlogbeat.yml in Notepad.
You will now be able to edit which log types it collects. Add the following line after - name: System:
- name: Microsoft-Windows-Sysmon/Operational
Figure 19. Original first part of the winlogbeat config.
Figure 20. Adding Sysmon logs to the configuration.
Next, you can see that Elasticsearch is configured by default as the output used when sending the data collected by the beat. We are going to change that by doing the following:
Add a # sign before output.elasticsearch: (as shown in figure 22 below).
Add a # sign before hosts: ["localhost:9200"] (as shown in figure 22 below).
Figure 21. Original Elasticsearch output configuration.
Figure 22. Adding # signs to the Elasticsearch output section to disable the output.
Now it is time to configure the Logstash output of the winlogbeat configuration. As you can see, we can set up the certificate that we created on our Ubuntu server in our previous post. We are going to make some changes to this part, but first make sure your cert exists, as shown in figure 24 below. If you did not create the certificate and private key in the previous post, I recommend going back to it and doing that before we continue.
Figure 23. Original Logstash output section.
Figure 24. Making sure the cert exists on our ELK server.
Use PSCP.exe to retrieve the certificate from the ELK VPS. Make sure the SSH service is running on your ELK VPS before doing this. You can download PSCP.exe as part of the PuTTY bundle from here.

Figure 25. PSCP.exe to retrieve the certificate from the ELK VPS via SSH.
Once you are ready, run the following:
.\PSCP.EXE
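To tie the Winlogbeat steps above together, here is an illustrative winlogbeat.yml (Winlogbeat 5.x layout; it is an added example, not the file from this post) with the Sysmon channel added, the Elasticsearch output commented out, and the Logstash output pointed at the ELK server over TLS using the certificate copied with PSCP. ELK_SERVER_IP, the certificate file name ELKServer.crt and the Logstash port 5044 (the Beats default) are placeholders and assumptions of mine.

```yaml
# Illustrative winlogbeat.yml (Winlogbeat 5.x), not the file from the post.
# Placeholders: ELK_SERVER_IP, ELKServer.crt; port 5044 is the Beats default assumed here.
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System
  # Added channel: the Sysmon log shown in Event Viewer under
  # Applications and Services Logs > Microsoft > Windows > Sysmon > Operational
  - name: Microsoft-Windows-Sysmon/Operational

# Elasticsearch output disabled by commenting out both lines, as the post instructs
#output.elasticsearch:
  #hosts: ["localhost:9200"]

# Logstash output enabled; the CA certificate is the one retrieved from the ELK server
output.logstash:
  hosts: ["ELK_SERVER_IP:5044"]
  ssl.certificate_authorities: ["C:/Program Files/Winlogbeat/ELKServer.crt"]
```

Start the Winlogbeat service only once your Sysmon config is tuned, as recommended earlier, and confirm in Kibana that events from the Sysmon channel are arriving before adding more endpoints.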
