Hello everyone! My new book on Remote Desktop Security has now been released, and I’m posting some excerpts/topics from the book here on my PureRDS.org blog. Please click here if you’d like to purchase the Amazon Kindle edition.
If you haven’t already, please read Part 1 of this two part blog series on using Sysmon with Remote Desktop Services.
Installing Sysmon With A Configuration File
The syntax for installing Sysmon with Moti’s configuration file looks like this:
sysmon -accepteula -i config_v17.xml
At that point, Sysmon will be enabled and logging events of interest in the following Windows event log:
Microsoft > Windows > Sysmon > Operational (Log Name: Microsoft-Windows-Sysmon/Operational)
How Sysmon Catches Bad Guys Red Handed
To illustrate Sysmon’s value as an auditing enhancer, I will try to sneakily download a file from the Internet using PowerShell instead of a web browser. I’ll use the Invoke-WebRequest cmdlet I discussed back in Chapter 6 to do so.
With Moti Bani’s configuration file loaded, Sysmon immediately catches me red-handed: the following events were logged the moment I attempted this action. First, an event is logged showing that PowerShell opened a network connection to a web server over port 443:
Log Name: Microsoft-Windows-Sysmon/Operational
Source: Microsoft-Windows-Sysmon
Date: 2/10/2020 8:02:32 AM
Event ID: 3
Task Category: Network connection detected (rule: NetworkConnect)
Level: Information
Keywords:
User: SYSTEM
Computer: myrds.mydomain.local
Description:
Network connection detected:
RuleName:
UtcTime: 2020-02-10 16:02:31.462
ProcessGuid: {356782ae-7ada-5e41-0000-001003643f0a}
ProcessId: 3364
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
User: mydomain\badactor
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 10.10.0.5
SourceHostname: myrds.mydomain.local
SourcePort: 56944
SourcePortName:
DestinationIsIpv6: false
DestinationIp: xxx.xxx.xxx.45
DestinationHostname: xxx.xxx.xxx.45.static.hax0rshosting.com
DestinationPort: 443
DestinationPortName: https
Then, immediately afterward, Sysmon logs a file creation event in my user profile directory, showing the malware payload that was downloaded:
Log Name: Microsoft-Windows-Sysmon/Operational
Source: Microsoft-Windows-Sysmon
Date: 2/10/2020 8:02:31 AM
Event ID: 11
Task Category: File created (rule: FileCreate)
Level: Information
Keywords:
User: SYSTEM
Computer: myrds.mydomain.local
Description:
File created:
RuleName:
UtcTime: 2020-02-10 16:02:31.767
ProcessGuid: {356782ae-7ada-5e41-0000-001003643f0a}
ProcessId: 3364
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\BadActor\badstuff.exe
CreationUtcTime: 2020-02-10 16:02:31.766
Next Steps … Integrate Sysmon With Your SIEM Solution
Because Sysmon categorizes the logged events so well, it’s easy to configure your central SIEM solution to ingest the Sysmon event logs from all of your RDS servers, and then design searches and/or reports that expose suspicious behavior by users. Admittedly, you’ll need to tune Sysmon’s configuration over time, since other monitoring software you have deployed may generate benign Sysmon events. After a little time spent tuning it to your environment, however, it becomes an invaluable forensics and alerting tool that can notify you about initial infiltrations and attacks before they spread.
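The two events above share a ProcessGuid, which is exactly the join key a SIEM search (or a scheduled script on the RDS host itself) can use to turn "PowerShell connected out, then wrote a file" into one finding. The following PowerShell script is an added example and is not code from the original post or from Moti Bani’s configuration; it assumes Sysmon is already installed with a configuration that logs both NetworkConnect (Event ID 3) and FileCreate (Event ID 11), that it runs with rights to read the Sysmon Operational log, and that the $LookbackHours, $WatchedImages and $MaxGapSeconds values are tuning knobs chosen here for illustration rather than recommendations from the author.

```powershell
# Added example (not from the original post): correlate Sysmon network-connection
# events (ID 3) with file-creation events (ID 11) from the same process, so that a
# "PowerShell talked to the Internet and then dropped a file" sequence like the
# one shown in the post surfaces as a single finding.
#
# Assumptions (not stated in the post): Sysmon is installed with a configuration
# that logs NetworkConnect and FileCreate, the script can read the Sysmon
# Operational log, and the parameter defaults below are illustrative tuning values.

param(
    [int]$LookbackHours = 24,
    [string[]]$WatchedImages = @('powershell.exe', 'pwsh.exe'),
    [int]$MaxGapSeconds = 30
)

$logName = 'Microsoft-Windows-Sysmon/Operational'

# Sanity check: the Sysmon log only exists once Sysmon has been installed.
if (-not (Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue)) {
    throw "Log '$logName' not found - is Sysmon installed on this host?"
}

# Pull Event IDs 3 (NetworkConnect) and 11 (FileCreate) from the lookback window.
$filter = @{
    LogName   = $logName
    Id        = 3, 11
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Convert each event's XML into a flat object keyed by the Sysmon field names
# (ProcessGuid, Image, DestinationIp, TargetFilename, ...).
function ConvertTo-SysmonRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $record = [ordered]@{ EventId = $Event.Id; TimeCreated = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $record[$d.Name] = $d.'#text' }
    [pscustomobject]$record
}

$records = $events | ForEach-Object { ConvertTo-SysmonRecord $_ }

# Keep only events whose Image is one of the watched interpreters.
$watched = $records | Where-Object {
    $WatchedImages -contains [System.IO.Path]::GetFileName($_.Image)
}

# Group by ProcessGuid: this is the key Sysmon gives us to tie the two events
# together (in the post both share {356782ae-7ada-5e41-0000-001003643f0a}).
$findings = foreach ($group in ($watched | Group-Object ProcessGuid)) {
    $net   = $group.Group | Where-Object EventId -eq 3
    $files = $group.Group | Where-Object EventId -eq 11
    foreach ($n in $net) {
        foreach ($f in $files) {
            $gap = ($f.TimeCreated - $n.TimeCreated).TotalSeconds
            # Only pair a file creation that follows the connection closely in time.
            if ($gap -ge 0 -and $gap -le $MaxGapSeconds) {
                [pscustomobject]@{
                    ProcessGuid     = $group.Name
                    ProcessId       = $n.ProcessId
                    User            = $n.User
                    Image           = $n.Image
                    Destination     = "$($n.DestinationIp):$($n.DestinationPort)"
                    DestinationHost = $n.DestinationHostname
                    TargetFilename  = $f.TargetFilename
                    GapSeconds      = [math]::Round($gap, 3)
                }
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object GapSeconds | Format-Table -AutoSize
} else {
    Write-Host "No watched-interpreter connection followed by a file creation in the last $LookbackHours hours."
}
```

Run it on an RDS host as a user who can read the Sysmon log; the resulting table is the kind of row you would want a SIEM correlation rule to raise. The same logic ports directly to a SIEM query: filter on EventID 3 and 11, restrict Image to the scripting hosts you care about, group on ProcessGuid, and alert when a FileCreate lands within a short window after a NetworkConnect. Benign automation on the host will produce hits too, which is the tuning the post describes: extend $WatchedImages, tighten $MaxGapSeconds, or add exclusions for known destinations as you learn your environment.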