Sysmon Documentation


1. Sysmon Basics
· Research and understand Sysmon for Linux. What is it, and what
functionalities does it offer?
o What is Sysmon:
Sysmon is a tool that helps users and administrators monitor and log
activity on a particular system. This includes system uptime, network
connections, filesystem writes, etc.
It helps identify malicious activity and how possible malware is
entering the system.

o What are the functionalities:
▪ Logging system events from the operating system
▪ Tracking user activity
▪ Detecting unauthorized changes to the system configuration
▪ Auditing user account access

· How does it differ from the traditional Windows Sysmon tool?
o Sysmon for Windows has more mature features due to its longer
development history; in Linux some Event IDs are not integrated (yet)
o The Windows version integrates with the Windows Event Log
o The Linux version uses system calls for event logging and writes logs via
syslog

· Install and configure Sysmon for Linux on a test machine.
o Installation
▪ Register the Microsoft package repository:
▪ wget -q https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
▪ Install Sysmon:
▪ sudo apt-get update
▪ sudo apt-get install apt-transport-https
▪ sudo dpkg -i packages-microsoft-prod.deb
▪ sudo apt-get update
▪ sudo apt-get install sysmonforlinux
o Configuration:
▪ Create config file:
▪ nano /opt/config.xml
▪ change/add configurations (for example):

<Sysmon schemaversion="4.70">
  <EventFiltering>
    <!-- Event ID 1 == ProcessCreate. Log all newly created processes -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude"/>
    </RuleGroup>
    <!-- Event ID 3 == NetworkConnect Detected. Log all network connections -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude"/>
    </RuleGroup>
    <!-- Event ID 5 == ProcessTerminate. Log all processes terminated -->
    <RuleGroup name="" groupRelation="or">
      <ProcessTerminate onmatch="exclude"/>
    </RuleGroup>
    <!-- Event ID 9 == RawAccessRead. Log all raw access reads -->
    <RuleGroup name="" groupRelation="or">
      <RawAccessRead onmatch="exclude"/>
    </RuleGroup>
    <!-- Event ID 10 == ProcessAccess. Log all open process operations -->
    <RuleGroup name="" groupRelation="or">
      <ProcessAccess onmatch="exclude"/>
    </RuleGroup>
    <!-- Event ID 11 == FileCreate. Log every file creation -->
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="exclude"/>
    </RuleGroup>
    <!-- Event ID 23 == FileDelete. Log all files being deleted -->
    <RuleGroup name="" groupRelation="or">
      <FileDelete onmatch="exclude"/>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

▪ Apply the configuration:
▪ sudo sysmon -accepteula -i /opt/config.xml
· Experiment with basic configuration options.
o Basic configurations can be changed by editing the config.xml file

· Explore the Sysmon for Linux user interface
o Output from Sysmon can be viewed using:
▪ tail -f /var/log/syslog
This will display the complete Sysmon log output (as filtered by the
config file)

· Familiarize yourself with the information Sysmon captures.

Sysmon for Linux follows a similar approach to Sysmon for Windows in terms
of event IDs. However, there are currently fewer supported events in the Linux
version. Here's a breakdown of the currently supported Event IDs in Sysmon
for Linux:
o Event ID 1: ProcessCreate: This event captures information whenever a
new process is created on the system.
o Event ID 3: NetworkConnect: This event logs details about network
connections made by processes.
o Event ID 5: ProcessTerminate: This event captures information when
a process terminates.
o Event ID 9: RawAccessRead: This event monitors raw disk reads
performed by processes.
o Event ID 11: FileCreate: This event logs information whenever a file is
created.
o Event ID 23: FileDelete: This event captures information when a file is
deleted.
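The config file above only says which event types are switched on, and the list of supported Event IDs says which of them the Linux build actually emits. The following added example (my own code, not part of the original notes or of Sysmon) parses a config in the page's format and reports, per rule, whether it logs everything, nothing, or only matching events, and whether the event type is in the supported-on-Linux list. The sample config reuses three rule groups from the page plus one constructed include-style NetworkConnect rule on destination port 22 (an assumption, not from the page) to show how filter children change the verdict.

```python
import xml.etree.ElementTree as ET

# Event types and IDs the page lists as currently supported by Sysmon for Linux.
LINUX_SUPPORTED = {
    "ProcessCreate": 1,
    "NetworkConnect": 3,
    "ProcessTerminate": 5,
    "RawAccessRead": 9,
    "FileCreate": 11,
    "FileDelete": 23,
}

# Constructed sample: three rule groups taken from the page's /opt/config.xml
# plus one include-style group (not on the page) that only logs connections
# to destination port 22, to show how filter children change the outcome.
SAMPLE_CONFIG = """\
<Sysmon schemaversion="4.70">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude"/>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessAccess onmatch="exclude"/>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileDelete onmatch="exclude"/>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <DestinationPort condition="is">22</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""


def audit_config(xml_text):
    """Return {event_type: verdict dict} for every rule in the config.

    Sysmon filter semantics: an exclude rule with no filter children excludes
    nothing, so every event of that type is logged; an include rule with no
    filter children includes nothing, so that event type is silenced.
    """
    root = ET.fromstring(xml_text)
    filtering = root.find("EventFiltering")
    if filtering is None:
        raise ValueError("config has no <EventFiltering> element")
    report = {}
    for group in filtering.findall("RuleGroup"):
        for rule in group:
            onmatch = rule.get("onmatch")
            if onmatch not in ("include", "exclude"):
                raise ValueError(f"{rule.tag}: onmatch must be include or exclude")
            n_filters = len(list(rule))  # child elements are the filter conditions
            if onmatch == "exclude":
                verdict = "logs all" if n_filters == 0 else "logs all except matches"
            else:
                verdict = "logs nothing" if n_filters == 0 else "logs only matches"
            report[rule.tag] = {
                "event_id": LINUX_SUPPORTED.get(rule.tag),
                "supported_on_linux": rule.tag in LINUX_SUPPORTED,
                "onmatch": onmatch,
                "filters": n_filters,
                "verdict": verdict,
            }
    return report


def unsupported_rules(report):
    """Names of configured event types that are not in the Linux-supported list."""
    return sorted(name for name, info in report.items() if not info["supported_on_linux"])


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    for name, info in result.items():
        print(f"{name:18} id={info['event_id']} {info['onmatch']:7} "
              f"filters={info['filters']} -> {info['verdict']}")
    print("not emitted on Linux:", unsupported_rules(result))
```

Running it flags ProcessAccess as configured but absent from the supported list, which is exactly the kind of silent gap to check before relying on a rule in detection.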
2. Monitoring System Activity
· Simulate common system activities: create, modify, and delete files; start and
stop processes; establish network connections.
· Analyze the generated Sysmon logs. Can you identify the events
corresponding to your simulated activities?
o Create, modify and delete files:
▪ Simulate:
▪ # Create a file
touch /Desktop/testfile.txt
▪ # Modify the file
echo "Adding some content" >> /Desktop/testfile.txt
▪ # Delete the file
rm /Desktop/testfile.txt
▪ Monitor:
▪ By filtering on Event IDs 11 and 23 we can monitor all events
related to file creation and file deletion
▪ A specific Event ID to monitor file modification is not
available in Sysmon for Linux.
Sysmon for Windows does have this Event ID
▪ Use the following command:
sudo tail -f /var/log/syslog | sudo /opt/sysmon/sysmonLogView -e 11,23
o Start and stop a process:
▪ Simulate:
▪ Start a process (e.g. sleep for 60 seconds):
command: sleep 60 &
▪ Get its PID:
command: PID=$!
▪ Stop the process:
command: kill $PID
▪ Monitor:
▪ By filtering on Event ID 1 (ProcessCreate) and Event ID 5
(ProcessTerminate) we can filter on these events in the
log files
▪ Command: sudo tail -f /var/log/syslog | sudo /opt/sysmon/sysmonLogView -e 1,5
o Establish a network connection:
▪ Simulate:
▪ We will simulate/establish a network connection by using
the ping command, e.g.:
▪ Command: ping -c 10 www.google.com
▪ Monitoring:
▪ By filtering on Event ID 3, we can get an overview of
established network connections.
▪ Command: sudo tail -f /var/log/syslog | sudo /opt/sysmon/sysmonLogView -e 3
· Explore specific log entries and understand the captured details.
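The three monitoring steps above all come down to the same operation: read /var/log/syslog, keep only the lines written by Sysmon, and filter on Event ID (what sysmonLogView -e does). The following added example (my own code, not part of the original notes or of Sysmon) does that in Python so the captured details can be inspected field by field, and additionally pairs each ProcessCreate with its ProcessTerminate by ProcessId, which is how the sleep/kill exercise shows up in the log. The syslog lines are constructed, not real captures; they assume the Linux build writes one <Event> XML document per syslog line under the "sysmon:" tag and uses the same Data Name fields as Sysmon for Windows (Image, ProcessId, TargetFilename, DestinationIp). Malformed or truncated lines are skipped instead of aborting the parse.

```python
import re
import xml.etree.ElementTree as ET

# Event IDs and names the page lists as supported by Sysmon for Linux.
EVENT_NAMES = {1: "ProcessCreate", 3: "NetworkConnect", 5: "ProcessTerminate",
               9: "RawAccessRead", 11: "FileCreate", 23: "FileDelete"}

# Constructed sample syslog lines (not real captures). An unrelated cron line
# and a truncated Sysmon line are included to show that both are skipped.
SAMPLE_SYSLOG = """\
Mar  4 10:15:01 lab-vm sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID><Computer>lab-vm</Computer></System><EventData><Data Name="ProcessId">4242</Data><Data Name="Image">/usr/bin/sleep</Data><Data Name="CommandLine">sleep 60</Data></EventData></Event>
Mar  4 10:15:02 lab-vm CRON[999]: (root) CMD (run-parts /etc/cron.hourly)
Mar  4 10:15:03 lab-vm sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>11</EventID><Computer>lab-vm</Computer></System><EventData><Data Name="Image">/usr/bin/touch</Data><Data Name="TargetFilename">/home/user/Desktop/testfile.txt</Data></EventData></Event>
Mar  4 10:15:04 lab-vm sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>3</EventID><Computer>lab-vm</Computer></System><EventData><Data Name="Image">/usr/bin/ping</Data><Data Name="DestinationIp">192.0.2.10</Data><Data Name="DestinationPort">0</Data></EventData></Event>
Mar  4 10:15:05 lab-vm sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>23</EventID><Computer>lab-vm</Computer></System><EventData><Data Name="Image">/usr/bin/rm</Data><Data Name="TargetFilename">/home/user/Desktop/testfile.txt</Data></EventData></Event>
Mar  4 10:15:06 lab-vm sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>5</EventID><Computer>lab-vm</Computer></System><EventData><Data Name="ProcessId">4242</Data><Data Name="Image">/usr/bin/sleep</Data></EventData></Event>
Mar  4 10:15:07 lab-vm sysmon: <Event><System><EventID>1</EventID>
"""

# syslog header (timestamp, host), the sysmon tag, then the XML payload.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+sysmon:\s+(?P<xml><Event\b.*)$")


def _local(tag):
    """Strip an XML namespace prefix, e.g. {uri}EventID -> EventID."""
    return tag.rsplit("}", 1)[-1]


def parse_sysmon_events(text):
    """Turn raw syslog text into a list of event dicts, skipping non-Sysmon lines."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        try:
            root = ET.fromstring(m.group("xml"))
        except ET.ParseError:
            continue  # truncated or malformed event: skip rather than crash
        event_id, data = None, {}
        for el in root.iter():
            name = _local(el.tag)
            if name == "EventID":
                event_id = int(el.text)
            elif name == "Data" and el.get("Name"):
                data[el.get("Name")] = el.text or ""
        if event_id is None:
            continue
        events.append({"timestamp": m.group("ts"), "host": m.group("host"),
                       "event_id": event_id,
                       "event_name": EVENT_NAMES.get(event_id, "Unknown"),
                       "data": data})
    return events


def filter_events(events, event_ids):
    """Equivalent of sysmonLogView -e: keep only the listed Event IDs."""
    wanted = set(event_ids)
    return [e for e in events if e["event_id"] in wanted]


def process_lifetimes(events):
    """Pair each ProcessCreate (1) with its ProcessTerminate (5) by ProcessId."""
    started, pairs = {}, []
    for e in events:
        pid = e["data"].get("ProcessId")
        if e["event_id"] == 1 and pid:
            started[pid] = e
        elif e["event_id"] == 5 and pid in started:
            pairs.append((started.pop(pid), e))
    return pairs


if __name__ == "__main__":
    evs = parse_sysmon_events(SAMPLE_SYSLOG)
    for e in filter_events(evs, [11, 23]):           # file create / delete
        print(e["timestamp"], e["event_name"], e["data"].get("TargetFilename"))
    for e in filter_events(evs, [3]):                # network connections
        print(e["timestamp"], e["event_name"], e["data"].get("Image"),
              "->", e["data"].get("DestinationIp"))
    for start, stop in process_lifetimes(evs):       # start / stop process
        print(start["data"]["CommandLine"], "ran from", start["timestamp"],
              "to", stop["timestamp"])
```

Unlike tail piped into sysmonLogView, this keeps the parsed fields, so the same events can be correlated (create paired with terminate) or checked for the Image and TargetFilename you expect from your simulated activity.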
