Hi everyone. I’m back with a new video, this time discussing how critical it is to deploy Microsoft’s free Sysmon utility on all of your RDS and/or other multi-user computing platforms, like AVD, Citrix, Parallels RAS and others. In fact, I feel so strongly about Sysmon that my company, RDPSoft, created a product called Sysmundo that extends functionality around it. Sysmundo makes Sysmon easier to deploy, makes it easier to collect and index all of the data it produces, and makes it easier to hunt for threats amidst all that archived data.
Why Is It So Important To Install and Run Sysmon on Your RDS and Other End User Computing Systems?
Why do I think Sysmon is such an important tool on multi-user systems like RDS? Put simply, whenever you have lots of different users connecting to the same systems, you have a major ingress point for malware, unapproved programs, and other programs installed in user profiles (aka Shadow IT) that can compromise the security and performance of these systems.
You also have an egress point for data to be exfiltrated OUT of your company’s network, which could lead to customer lists and trade secrets getting into the wrong hands.
While the Windows Security log can audit some types of user behavior on these multi-user systems, by itself it doesn’t audit nearly enough. This is where Sysmon becomes a huge help.
Originally written by Mark Russinovich, the CTO of Azure, and others on his Sysinternals team, Sysmon extends user and program behavior auditing much further, tracking many other types of activity. For example, it logs more details about process activity, including behaviors often used by malware to hide their tracks. It can look at network connections made between systems and identify processes and users who shouldn’t be making those connections, such as an attacker attempting lateral movement from computer to computer over RDP. It can track DNS queries made by users and programs, and it can log all sorts of files downloaded by users onto your systems.
Beyond that, it can spot when users and programs delete, write, and rename registry keys and values. It can track (and block) file deletions, track and block secure file deletions, detect direct attempts to read from the file system using raw access techniques, and notice the creation of new executable files. It can also log attempts to register malware using WMI event filters and consumers, note interprocess communication between programs using Named Pipes, and spot when the user clipboard changes.
The Reasons Why Many Organizations Have Not Yet Deployed Sysmon or Do Not Audit as Much Activity as They Should
As you can see, Sysmon is a very powerful tool, but there are several common impediments to organizations deploying it and using it effectively. Those impediments are:
- Automating the deployment of the Sysmon service to Windows systems
- Configuring, reconfiguring, and redeploying the Sysmon config file to those same systems
- The cost associated with sending all of the logged Sysmon data to a SIEM or other log correlation solution
- An easy way to analyze all of this data for threats before or after an incident occurs
Let me now speak briefly about how our Sysmundo tool solves all of the above challenges.
Not every IT admin lives and breathes PowerShell scripts, so our Sysmundo utility can easily deploy Sysmon to remote systems for you. It does this by first downloading the Sysmon and PsExec utilities from the Sysinternals website after you install it. From there, you build one or more computer groupings, which you can tie to Active Directory OUs or containers, and you can also select one of the most common Sysmon config files from very popular repositories like SwiftOnSecurity and adapt it to your own preferences. Finally, you simply select one or more computer groupings, as well as a Sysmon config file, and our Sysmundo solution will push Sysmon, with your desired config file, to all of the systems in your computer grouping, using PsExec or PowerShell remoting as required.
Later, if you need to tweak your Sysmon config file to reduce noise or suppress false detections, you can utilize the same wizard again to update the Sysmon configuration on all of your computers at once.
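As an added illustration of the push-deploy and reconfigure steps just described (this is example code, not Sysmundo’s or Sysinternals’ own), the PowerShell below stages Sysmon64.exe plus a small config file on each target over PowerShell remoting, then runs `-i` for a fresh install or `-c` to load the new config on a host that already has the service. It assumes WinRM is reachable and you are a local administrator on the targets; the Sysinternals download URL is the public Sysmon package, and the host names RDS01/RDS02, the OU distinguished name and the staging paths are placeholders.

```powershell
#Requires -Version 5.1
# Added example, not Sysmundo's or Sysinternals' code. Assumes WinRM access as a local
# admin on every target; host names, the OU path and the staging paths are placeholders.

# Minimal config written here for illustration; adapt or replace with a community config
# such as SwiftOnSecurity's. An empty ProcessCreate exclude list logs every process start,
# NetworkConnect is narrowed to RDP (3389), and DnsQuery drops one noisy domain.
$SysmonConfigXml = @'
<Sysmon schemaversion="4.50">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude"></ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <DestinationPort condition="is">3389</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <DnsQuery onmatch="exclude">
        <QueryName condition="end with">.windowsupdate.com</QueryName>
      </DnsQuery>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

function Get-SysmonBinary {
    # Download and unpack the Sysinternals Sysmon package once, on the admin workstation.
    param([string]$ZipUrl = 'https://download.sysinternals.com/files/Sysmon.zip')
    $stage = Join-Path $env:TEMP 'sysmon-stage'
    New-Item -ItemType Directory -Path $stage -Force | Out-Null
    $zip = Join-Path $stage 'Sysmon.zip'
    Invoke-WebRequest -Uri $ZipUrl -OutFile $zip -UseBasicParsing
    Expand-Archive -Path $zip -DestinationPath $stage -Force
    return (Join-Path $stage 'Sysmon64.exe')
}

function Publish-Sysmon {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$BinaryPath,
        [Parameter(Mandatory)][string]$ConfigXml
    )
    $remoteDir   = 'C:\Windows\Temp\sysmon-deploy'   # staging folder on each target (placeholder)
    $localConfig = Join-Path $env:TEMP 'sysmon-config.xml'
    Set-Content -Path $localConfig -Value $ConfigXml -Encoding UTF8

    foreach ($computer in $ComputerName) {
        $session = New-PSSession -ComputerName $computer -ErrorAction Stop
        try {
            Invoke-Command -Session $session -ScriptBlock {
                param($dir) New-Item -ItemType Directory -Path $dir -Force | Out-Null
            } -ArgumentList $remoteDir
            Copy-Item -Path $BinaryPath, $localConfig -Destination $remoteDir -ToSession $session -Force

            Invoke-Command -Session $session -ScriptBlock {
                param($dir)
                $exe = Join-Path $dir 'Sysmon64.exe'
                $cfg = Join-Path $dir 'sysmon-config.xml'
                # The 64-bit binary registers its service as "Sysmon64".
                if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
                    & $exe -c $cfg | Out-Null              # already installed: load the new config
                    $action = 'reconfigured'
                } else {
                    & $exe -accepteula -i $cfg | Out-Null  # fresh install with this config
                    $action = 'installed'
                }
                [pscustomobject]@{
                    Computer = $env:COMPUTERNAME
                    Action   = $action
                    Service  = (Get-Service -Name 'Sysmon64').Status
                }
            } -ArgumentList $remoteDir
        }
        finally {
            Remove-PSSession -Session $session
        }
    }
}

# Usage: names can come from an AD OU (placeholder DN) or be listed directly.
# $targets = (Get-ADComputer -Filter * -SearchBase 'OU=RDS,DC=example,DC=local').Name
$targets = @('RDS01', 'RDS02')   # placeholder host names
Publish-Sysmon -ComputerName $targets -BinaryPath (Get-SysmonBinary) -ConfigXml $SysmonConfigXml |
    Format-Table -AutoSize
```

Re-running the script after editing `$SysmonConfigXml` is the "tweak the config to reduce noise" step: the `-c` branch applies the new rules in place without reinstalling the driver, so the output table should show `reconfigured` rather than `installed` for hosts that already had the service.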
Sysmundo Helps You Avoid Data Ingestion Charges to SIEMs So You Can Audit Everything You Want To
Another challenge that IT admins run into when they deploy Sysmon is the sheer volume of logging data it can generate, which consequently increases the cost of SIEM or log correlation tools that charge for data ingestion and data storage. As a result, they log less data than they probably should in an attempt to reduce costs.
We designed our Sysmundo product to avoid that scenario by including an automatic secure archiving service that gathers up compressed copies of Sysmon logs from your systems securely using WinRM, and then performs lightweight indexing of key fields in the log files into a Microsoft SQL instance. By doing this, while keeping the logs in their native EVTX format, Sysmundo allows you to quickly view, analyze, and threat hunt over log data that is relevant to the behavior, programs, or users you are interested in. It also keeps track of other key fields and performs native EVTX queries against those archived log files to speed up data retrieval even further.
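An added example of the collect-and-index pattern described above (example code, not Sysmundo’s): it exports each host’s Sysmon channel to a native EVTX file over WinRM, copies it into a local archive, and then indexes a handful of key fields (user, image, and one event-specific target) from the archived files. A CSV stands in for the SQL index here; the archive path, host names and choice of indexed fields are assumptions, and the archive is read with the native event log API rather than by converting the EVTX files.

```powershell
#Requires -Version 5.1
# Added example, not Sysmundo's code. Assumes WinRM access as a local admin on each host;
# $ArchiveRoot and the host names are placeholders, and the CSV stands in for a SQL index.

function Export-RemoteSysmonLog {
    # Export the Sysmon channel on each host as a native .evtx file and pull it into the archive.
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$ArchiveRoot = 'C:\SysmonArchive'
    )
    New-Item -ItemType Directory -Path $ArchiveRoot -Force | Out-Null
    foreach ($computer in $ComputerName) {
        $session = New-PSSession -ComputerName $computer -ErrorAction Stop
        try {
            # wevtutil epl copies the channel to a file without clearing the live log.
            $remoteFile = Invoke-Command -Session $session -ScriptBlock {
                $out = Join-Path $env:TEMP ('sysmon-{0:yyyyMMdd-HHmm}.evtx' -f (Get-Date))
                wevtutil epl 'Microsoft-Windows-Sysmon/Operational' $out
                $out
            }
            $dest = Join-Path $ArchiveRoot ("$computer-" + (Split-Path $remoteFile -Leaf))
            Copy-Item -Path $remoteFile -Destination $dest -FromSession $session
            Invoke-Command -Session $session -ScriptBlock { param($f) Remove-Item $f } -ArgumentList $remoteFile
            Get-Item $dest
        }
        finally {
            Remove-PSSession -Session $session
        }
    }
}

function New-SysmonIndex {
    # Read the archived EVTX files natively and keep only the fields worth indexing.
    param(
        [Parameter(Mandatory)][string]$ArchiveRoot,
        [int[]]$EventId = @(1, 3, 11, 22)   # process create, network connect, file create, DNS query
    )
    foreach ($file in Get-ChildItem -Path $ArchiveRoot -Filter '*.evtx') {
        $events = Get-WinEvent -FilterHashtable @{ Path = $file.FullName; Id = $EventId } -ErrorAction SilentlyContinue
        foreach ($event in $events) {
            $xml  = [xml]$event.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # One event-specific "target" column keeps the index narrow but still searchable.
            $target = $null
            switch ($event.Id) {
                1  { $target = $data['CommandLine'] }
                3  { $target = '{0}:{1}' -f $data['DestinationIp'], $data['DestinationPort'] }
                11 { $target = $data['TargetFilename'] }
                22 { $target = $data['QueryName'] }
            }
            [pscustomobject]@{
                SourceFile  = $file.Name
                Computer    = $event.MachineName
                TimeCreated = $event.TimeCreated
                EventId     = $event.Id
                User        = $data['User']
                Image       = $data['Image']
                Target      = $target
            }
        }
    }
}

# Usage: collect, index to CSV, then answer a typical question from the index alone,
# e.g. which users and images opened RDP (3389) connections from each host.
$archive = 'C:\SysmonArchive'                               # placeholder
Export-RemoteSysmonLog -ComputerName @('RDS01', 'RDS02') -ArchiveRoot $archive | Out-Null
$index = New-SysmonIndex -ArchiveRoot $archive
$index | Export-Csv -Path (Join-Path $archive 'sysmon-index.csv') -NoTypeInformation
$index | Where-Object { $_.EventId -eq 3 -and $_.Target -like '*:3389' } |
    Group-Object Computer, User, Image |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

The point of indexing only a few columns is that the full EVTX files stay untouched in the archive for deeper investigation, while the index answers the routine "who, from where, running what" questions without shipping every event to a SIEM.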
If you’d like to see what Sysmundo can do for you, go to its product page and download it. Without a license, it lets you deploy, reconfigure, and uninstall Sysmon on an unlimited number of systems forever, and it lets you analyze Sysmon data from up to 3 individual systems for 2 weeks. Later, if you’d like a full license to also handle the archiving, centralization, and indexing of data for centralized analysis and reporting, you can purchase it individually OR you can purchase it as part of our Complete Monitoring and Management Bundle for RDS, AVD, or other EUC platforms.