Sysmon & Snare

Sysinternals Sysmon is a valuable tool provided by Microsoft that enables extended logging capabilities on Microsoft Windows-based systems. Some of the logging capabilities include:

  • Logs process creation with full command line for both current and parent processes, as well as a hash of the process image.

  • Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.

  • Logs loading of drivers or DLLs with their signatures and hashes.

  • Logs opens for raw read access of disks and volumes.

  • Optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names.

  • Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.

  • Generates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware.

These extended logging capabilities provide valuable forensic log data that can be used to identify malicious or anomalous system activity, helping organisations to understand how intruders and malware operate across their networks. More information on Sysmon and its capabilities can be found at this link: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
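The second capability above, correlating process create events by GUID rather than by process ID, is easy to see with a small worked example. The following PowerShell is an added example and is not code from this page or from Sysinternals: it parses three constructed Sysmon Event ID 1 (ProcessCreate) records in the XML layout Sysmon writes to the event log, then links each child to its parent by ProcessGuid. The sample deliberately reuses PID 4120 for two unrelated processes (cmd.exe exits, notepad.exe later gets the same PID), so a join on ParentProcessId returns two candidates while the GUID join returns exactly one chain. Every GUID, path and timestamp in the sample is made up; the helper names New-SampleEvent, ConvertFrom-SysmonProcessCreate and Get-ProcessAncestry are this example's own.

```powershell
# Added example, not code from the Snare page or from Sysinternals. It parses
# constructed Sysmon Event ID 1 (ProcessCreate) records and links each child
# to its parent by ProcessGuid instead of ProcessId. All GUIDs, paths and
# timestamps below are made up for the demonstration.

function New-SampleEvent {
    # Builds one Event ID 1 record with only the fields this example needs.
    param($Guid, $ProcId, $Image, $ParentGuid, $ParentProcId, $ParentImage, $Time)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon" /><EventID>1</EventID></System>
  <EventData>
    <Data Name="UtcTime">$Time</Data>
    <Data Name="ProcessGuid">{$Guid}</Data>
    <Data Name="ProcessId">$ProcId</Data>
    <Data Name="Image">$Image</Data>
    <Data Name="ParentProcessGuid">{$ParentGuid}</Data>
    <Data Name="ParentProcessId">$ParentProcId</Data>
    <Data Name="ParentImage">$ParentImage</Data>
  </EventData>
</Event>
"@
}

# Constructed timeline: explorer.exe (PID 812) started before Sysmon, so it has
# no record of its own. It launches cmd.exe as PID 4120; cmd.exe exits; the
# kernel later hands PID 4120 to notepad.exe; notepad.exe spawns powershell.exe.
$Explorer = '00000000-0000-0000-0000-000000000000'
$Samples = @(
    @{ Guid='11111111-1111-1111-1111-111111111111'; ProcId=4120; Image='C:\Windows\System32\cmd.exe';
       ParentGuid=$Explorer; ParentProcId=812; ParentImage='C:\Windows\explorer.exe'; Time='2024-01-10 09:00:01.000' },
    @{ Guid='22222222-2222-2222-2222-222222222222'; ProcId=4120; Image='C:\Windows\System32\notepad.exe';
       ParentGuid=$Explorer; ParentProcId=812; ParentImage='C:\Windows\explorer.exe'; Time='2024-01-10 09:05:30.000' },
    @{ Guid='33333333-3333-3333-3333-333333333333'; ProcId=5500; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe';
       ParentGuid='22222222-2222-2222-2222-222222222222'; ParentProcId=4120; ParentImage='C:\Windows\System32\notepad.exe'; Time='2024-01-10 09:06:00.000' }
)
$SampleXml = foreach ($s in $Samples) { New-SampleEvent @s }

function ConvertFrom-SysmonProcessCreate {
    # Flattens the <Data Name="..."> elements of one event into an object.
    param([string]$EventXml)
    $doc  = [xml]$EventXml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    [pscustomobject]@{
        UtcTime           = $data['UtcTime']
        ProcessGuid       = $data['ProcessGuid']
        ProcessId         = [int]$data['ProcessId']
        Image             = $data['Image']
        ParentProcessGuid = $data['ParentProcessGuid']
        ParentProcessId   = [int]$data['ParentProcessId']
        ParentImage       = $data['ParentImage']
    }
}

$Events = foreach ($x in $SampleXml) { ConvertFrom-SysmonProcessCreate -EventXml $x }
$ByGuid = @{}
foreach ($e in $Events) { $ByGuid[$e.ProcessGuid] = $e }

function Get-ProcessAncestry {
    # Walks ParentProcessGuid links from a process back to its oldest recorded ancestor.
    param([string]$ProcessGuid, [hashtable]$Index)
    $chain = @()
    $cur = $Index[$ProcessGuid]
    while ($cur) {
        $chain += '{0} (PID {1}, {2})' -f $cur.Image, $cur.ProcessId, $cur.ProcessGuid
        if ($Index.ContainsKey($cur.ParentProcessGuid)) {
            $cur = $Index[$cur.ParentProcessGuid]
        } else {
            # Parent predates Sysmon logging: all we know is what the child record says about it.
            $chain += '{0} (PID {1}, {2}) [no Sysmon record]' -f $cur.ParentImage, $cur.ParentProcessId, $cur.ParentProcessGuid
            $cur = $null
        }
    }
    $chain
}

$child = $Events | Where-Object { $_.Image -like '*\powershell.exe' }

# Join on PID: two different processes carried the parent's PID, so it is ambiguous.
$byPid = @($Events | Where-Object { $_.ProcessId -eq $child.ParentProcessId })
'PID {0} matches {1} records: {2}' -f $child.ParentProcessId, $byPid.Count, ($byPid.Image -join ', ')

# Join on GUID: exactly one chain.
(Get-ProcessAncestry -ProcessGuid $child.ProcessGuid -Index $ByGuid) -join ' <- '
```

Run as-is in any PowerShell session; nothing here touches the live event log. The PID join reports two records (cmd.exe and notepad.exe) for PID 4120, while the GUID walk gives the single chain powershell.exe <- notepad.exe <- explorer.exe. Against real data, swap the constructed `$SampleXml` for the output of `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'` with each event's `ToXml()`; the parsing and correlation logic is the same.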

Forwarding Sysmon logs with Snare agents

Sysmon writes all of its events to the Windows event log. On recent versions of Windows (Vista and above) the log data can be found in “Applications and Services Logs/Microsoft/Windows/Sysmon/Operational” (on older systems, events are written to the “System” event log). With Sysmon log data stored in the Windows event log, Snare agents can be easily configured to collect this data and send it to all configured destinations. The standard Windows policies collect and send all the custom event logs, which includes Sysmon events.

Sysmon Installation/Configuration

Before being able to forward its logs, Sysmon will need to be correctly installed and configured.

  1. Download the zipped Sysmon package from this link. https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

  2. Extract the files to a suitable location.

  3. Using an elevated cmd prompt (Sysmon needs administrative rights to install its driver), navigate to the extracted location and run sysmon -accepteula -i to install Sysmon with default settings (process images hashed with SHA1 and no network monitoring). On 64-bit systems the native Sysmon64.exe binary can be used in place of sysmon.exe.

  4. Once installed, confirm log data is being generated by navigating to “Applications and Services Logs/Microsoft/Windows/Sysmon/Operational” in the Windows event viewer and ensuring events exist.

The above steps install Sysmon with its default configuration, which enables only a small subset of the logging capabilities. An XML configuration file can be supplied to the Sysmon installation command (sysmon -accepteula -i config.xml), or applied to an existing installation without reinstalling the driver (sysmon -c config.xml), to enable the required features. More details can be found here https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon along with an example XML configuration file here.
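The four installation steps above, scripted as one procedure, with a minimal XML configuration that turns on two of the capabilities the default install leaves off (SHA256 hashing and network connection logging) and a check that events are arriving in the channel Snare reads from. This is an added example, not code from this page, from Snare or from Sysinternals; the extraction directory C:\Tools\Sysmon and the config file name sysmon-config.xml are assumptions. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the Snare page or from Sysinternals. Installs (or
# reconfigures) Sysmon with a custom configuration and verifies events are
# being written. Run elevated. $SysmonDir and the config file name are assumed.

$SysmonDir  = 'C:\Tools\Sysmon'                     # assumed extraction directory
$ConfigPath = Join-Path $SysmonDir 'sysmon-config.xml'
$SysmonExe  = Join-Path $SysmonDir $(if ([Environment]::Is64BitOperatingSystem) { 'Sysmon64.exe' } else { 'Sysmon.exe' })

# Minimal configuration. Differences from the defaults described above: SHA256
# hashes instead of SHA1, and NetworkConnect (Event ID 3) switched on. An empty
# onmatch="exclude" rule means "log every event of this type"; a production
# config adds exclusions for known-noisy images and destinations.
# Schema 4.22 is accepted by Sysmon 10 and later releases.
$ConfigXml = @'
<Sysmon schemaversion="4.22">
  <HashAlgorithms>SHA256</HashAlgorithms>
  <EventFiltering>
    <ProcessCreate onmatch="exclude" />
    <FileCreateTime onmatch="exclude" />
    <NetworkConnect onmatch="exclude" />
    <DriverLoad onmatch="exclude" />
    <RawAccessRead onmatch="exclude" />
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path $ConfigPath -Value $ConfigXml -Encoding UTF8

# Sysmon registers its service under the name of the executable (Sysmon or
# Sysmon64). If it is already installed, -c replaces the configuration without
# reinstalling the driver; otherwise -i installs with the supplied config.
$svc = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue
if ($svc) {
    & $SysmonExe -c $ConfigPath
} else {
    & $SysmonExe -accepteula -i $ConfigPath
}

# Step 4 above, scripted: read the channel Sysmon writes to and Snare collects from.
$LogName = 'Microsoft-Windows-Sysmon/Operational'
$recent  = Get-WinEvent -LogName $LogName -MaxEvents 5 -ErrorAction SilentlyContinue
if (-not $recent) {
    Write-Warning "No events in $LogName yet; start a process or wait a moment and re-run."
} else {
    $recent | Format-Table TimeCreated, Id, ProviderName -AutoSize
}

# Confirm the configuration took: "sysmon -c" with no file dumps the active config.
(& $SysmonExe -c) | Select-String -Pattern 'SHA256', 'NetworkConnect'
```

The final dump is the check worth keeping in a build script: a configuration file that fails schema validation leaves the previous (or default) configuration in place, and the only reliable way to know what the driver is actually filtering on is to ask it.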

Snare Agent Configuration

By default, the Snare Windows Agent will collect Sysmon log data using the out-of-the-box Audit Policies. Specifically, the last Audit Policy, which targets “Custom” Windows event logs:

Screenshot of default audit policy to capture Sysmon events.

If this audit policy has been altered or deleted, a dedicated Audit Policy can be created to collect Sysmon log data only.

  1. Log in to the Snare agent and create a new Audit Policy by going to “Audit Policy” and selecting “Add”.

  2. Set the “Identify the high level event” option to “Any event(s)”.

  3. Set the “Source Search Term” to “Microsoft-Windows-Sysmon”.

  4. Check all items in “Identify the event types to be captured”.

  5. Save the policy.

  6. Select the “Apply Configuration & Restart Service” option on the navigation menu.

Screenshot of Audit policy configuration in Snare agent.

Sysmon log data will now be forwarded to all configured destinations.