Improving Security Auditing on RDS By Deploying Sysmon (Part 2)

March 31, 2020 - Remote Desktop Security

Hello everyone! My new book on Remote Desktop Security has now been released, and I’m posting some excerpts/topics from the book here on my PureRDS.org blog.  Please click here if you’d like to purchase the Amazon Kindle edition.

If you haven’t already, please read Part 1 of this two part blog series on using Sysmon with Remote Desktop Services.

Installing Sysmon With A Configuration File

The syntax for installing Sysmon with Moti’s configuration file looks like this:

sysmon -accepteula -i config_v17.xml 

At that point, Sysmon will be enabled and logging events of interest in the following Windows event log:

Microsoft > Windows > Sysmon > Operational (log name Microsoft-Windows-Sysmon/Operational)

How Sysmon Catches Bad Guys Red Handed

To illustrate to you Sysmon’s value as an auditing enhancer, I will try to sneakily download a file from the Internet using PowerShell instead of a web browser. I’ll use the Invoke-WebRequest cmdlet I discussed back in Chapter 6 to do so.

With Moti Bani’s configuration file loaded, Sysmon immediately catches me red-handed: the following events were logged the moment I attempted this action. First, an event is logged showing that PowerShell opened a network connection to a web server over port 443:

Log Name:      Microsoft-Windows-Sysmon/Operational
Source: Microsoft-Windows-Sysmon
Date: 2/10/2020 8:02:32 AM
Event ID: 3
Task Category: Network connection detected (rule: NetworkConnect)
Level: Information
Keywords:
User: SYSTEM
Computer: myrds.mydomain.local
Description:
Network connection detected:
RuleName:
UtcTime: 2020-02-10 16:02:31.462
ProcessGuid: {356782ae-7ada-5e41-0000-001003643f0a}
ProcessId: 3364
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
User: mydomain\badactor
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 10.10.0.5
SourceHostname: myrds.mydomain.local
SourcePort: 56944
SourcePortName:
DestinationIsIpv6: false
DestinationIp: xxx.xxx.xxx.45
DestinationHostname: xxx.xxx.xxx.45.static.hax0rshosting.com
DestinationPort: 443
DestinationPortName: https

Then, immediately afterward, Sysmon logs a file creation event in my user profile directory, showing the malware payload that was downloaded. Note that the two events share the same ProcessGuid, which ties the file write back to the PowerShell process that made the connection, and the UtcTime fields (rather than the local Date column) give the true order: the file was created about 300 milliseconds after the connection:

Log Name:      Microsoft-Windows-Sysmon/Operational
Source: Microsoft-Windows-Sysmon
Date: 2/10/2020 8:02:31 AM
Event ID: 11
Task Category: File created (rule: FileCreate)
Level: Information
Keywords:
User: SYSTEM
Computer: myrds.mydomain.local
Description:
File created:
RuleName:
UtcTime: 2020-02-10 16:02:31.767
ProcessGuid: {356782ae-7ada-5e41-0000-001003643f0a}
ProcessId: 3364
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\BadActor\badstuff.exe
CreationUtcTime: 2020-02-10 16:02:31.766

Next Steps … Integrate Sysmon With Your SIEM Solution

Given that Sysmon categorizes the logged events so well, it’s easy to configure your central SIEM solution to start ingesting the Sysmon event logs from all of your RDS servers, and then design searches and/or reports that will expose suspicious behaviors by users. Admittedly, you’ll need to tune Sysmon’s configuration over time, as you may have other monitoring software deployed that will generate benign Sysmon events. However, after spending a little time tuning it to your environment, it will become an invaluable forensics and alerting tool that can notify you about initial infiltrations and attacks before they spread.
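As an added example (not code from the post or from Sysmon), here is the kind of correlation search the paragraph above has in mind, written in Python so it can run offline against exported event text. It parses the Key: Value Description block that Sysmon writes, groups events by ProcessGuid, and flags a FileCreate (Event ID 11) of an executable-looking file by a scripting host that made an outbound NetworkConnect (Event ID 3) shortly before. The sample input is constructed here from the two events shown above plus one benign .txt write from the same process; the list of scripting hosts, the payload extensions and the 60-second window are assumptions to tune for your environment.

```python
"""Correlate Sysmon NetworkConnect (ID 3) with FileCreate (ID 11) by ProcessGuid."""
from datetime import datetime, timedelta

# Constructed sample input: the Description text of the two events from the
# post, plus a benign .txt FileCreate from the same process added here to
# show that the rule does not fire on ordinary script output.
SAMPLE_EVENTS = [
    (3, r"""Network connection detected:
RuleName:
UtcTime: 2020-02-10 16:02:31.462
ProcessGuid: {356782ae-7ada-5e41-0000-001003643f0a}
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
User: mydomain\badactor
Protocol: tcp
Initiated: true
DestinationIp: xxx.xxx.xxx.45
DestinationHostname: xxx.xxx.xxx.45.static.hax0rshosting.com
DestinationPort: 443
DestinationPortName: https"""),
    (11, r"""File created:
RuleName:
UtcTime: 2020-02-10 16:02:31.767
ProcessGuid: {356782ae-7ada-5e41-0000-001003643f0a}
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\BadActor\badstuff.exe
CreationUtcTime: 2020-02-10 16:02:31.766"""),
    (11, r"""File created:
RuleName:
UtcTime: 2020-02-10 16:02:40.000
ProcessGuid: {356782ae-7ada-5e41-0000-001003643f0a}
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\BadActor\notes.txt
CreationUtcTime: 2020-02-10 16:02:39.999"""),
]

# Assumed tuning values: script hosts worth watching, file types that look
# like payloads, and how long after a connection a file write still counts.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
PAYLOAD_EXTENSIONS = (".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd", ".vbs", ".hta")
WINDOW = timedelta(seconds=60)


def parse_description(event_id, text):
    """Turn Sysmon's 'Key: Value' Description block into a dict."""
    lines = text.strip().splitlines()
    fields = {"EventId": event_id, "Type": lines[0].rstrip(":")}
    for line in lines[1:]:
        key, _, value = line.partition(":")  # split on the first colon only
        fields[key.strip()] = value.strip()
    fields["UtcTime"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return fields


def image_name(path):
    """Bare executable name from a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def find_interpreter_downloads(events, window=WINDOW):
    """Return one alert per payload-like file written by a script host that
    initiated an outbound connection within `window` before the write."""
    by_guid = {}
    for ev in events:
        by_guid.setdefault(ev["ProcessGuid"], []).append(ev)
    alerts = []
    for guid, evs in by_guid.items():
        connects = [e for e in evs
                    if e["EventId"] == 3 and e.get("Initiated", "").lower() == "true"]
        for fc in (e for e in evs if e["EventId"] == 11):
            if image_name(fc["Image"]) not in INTERPRETERS:
                continue
            if not fc["TargetFilename"].lower().endswith(PAYLOAD_EXTENSIONS):
                continue
            prior = [c for c in connects
                     if timedelta(0) <= fc["UtcTime"] - c["UtcTime"] <= window]
            if not prior:
                continue
            c = max(prior, key=lambda e: e["UtcTime"])  # closest preceding connection
            alerts.append({
                "process_guid": guid,
                "user": c["User"],
                "image": fc["Image"],
                "destination": f'{c["DestinationHostname"]}:{c["DestinationPort"]}',
                "file": fc["TargetFilename"],
                "seconds_between": (fc["UtcTime"] - c["UtcTime"]).total_seconds(),
            })
    return alerts


def run_sample():
    """Run the rule over the constructed sample; expect exactly one alert."""
    return find_interpreter_downloads([parse_description(i, t) for i, t in SAMPLE_EVENTS])


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Keying on ProcessGuid rather than ProcessId matters because process IDs are reused on a busy RDS host, while Sysmon's GUID is unique per process instance. The benign notes.txt write in the sample falls inside the window but is filtered by extension, which is exactly the kind of tuning the paragraph above describes: widen or narrow INTERPRETERS, PAYLOAD_EXTENSIONS and WINDOW until your monitoring agents stop generating noise without hiding the behavior shown in the two events.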

Andy Milford is the CEO and Founder of RDPSoft, and is a Microsoft MVP in the Enterprise Mobility / Remote Desktop Services area. Prior to starting RDPSoft, Andy was the CEO and Founder of Dorian Software, a log management company acquired by Ipswitch in late 2009. He loves creating easy-to-use yet powerful software solutions for SMBs and emerging enterprise companies.
