Hello everyone! My new book on Remote Desktop Security has now been released, and I’m posting some excerpts/topics from the book here on my PureRDS.org blog. Please click here if you’d like to purchase the Amazon Kindle edition.
Out of all of the free tools available at Microsoft’s Sysinternals website, Sysmon is the one I consider indispensable as a supplemental event logging engine. The events it records make it possible to spot malware, and other unauthorized use of programs, that the standard Windows logs never show. It is therefore critical that you both deploy Sysmon to your RDS systems and collect and monitor the events it generates. Done correctly, this can let you shut down an attempted compromise of your Remote Desktop Services deployment before it really gets going. You should make this utility standard on all of your production servers, including the ones that are not public facing, so you can audit administrator activity and watch for internal threats.
Where to Download Sysmon
So, first things first – you will need to download Sysmon from the Sysinternals website here: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
The Activities on Your Remote Desktop Servers That Sysmon Can Detect And Log
When installed from the command line, Sysmon registers a service and a companion kernel-mode device driver that intercept system activity and write it to a dedicated Windows event log, Microsoft-Windows-Sysmon/Operational. Here’s a list of some of what it records:
• Detailed information on process creation/program startup (Event ID 1): the full command line, user, parent process and file hashes
• Network connections that processes make (Event ID 3), including the destination address and port
• When device drivers are loaded (Event ID 6), along with their signature status
• When one process creates a thread in another process (Event ID 8), which is a common code injection technique used by malware
• File creations (Event ID 11) and registry key and value creations, deletions and changes (Event IDs 12, 13 and 14)
The full list of event types Sysmon can monitor is long, and because it can record so much, it is extremely important to tailor which events it actually logs. Sysmon does this through include/exclude filter rules in its configuration file. A tuned configuration raises the “signal to noise” ratio so that suspicious activity stands out and normal software operations do not flood the Sysmon log (and whatever collection pipeline sits behind it).
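To show what the event types listed above look like once collected, here is an added PowerShell example (not from the book) that reads the last 24 hours of Sysmon events from an RDS host, flattens each record’s event data, and pulls out a few patterns worth a second look: cross-process thread creation, script and download tooling launched inside RDP sessions, and RDP connections initiated from the server itself. It assumes Sysmon is already installed and that you can read its log; the list of “suspicious” image names is an illustrative assumption, not a complete one.

```powershell
# Added example (not from the book): read the Sysmon event types listed above and
# flag a few RDS-relevant patterns. Assumes Sysmon is installed and the log is readable.
$log   = 'Microsoft-Windows-Sysmon/Operational'
$names = @{
    1  = 'ProcessCreate'
    3  = 'NetworkConnect'
    6  = 'DriverLoad'
    8  = 'CreateRemoteThread'
    11 = 'FileCreate'
    12 = 'RegistryEvent (key/value create or delete)'
}

# Flatten the <EventData> payload of one record into a hashtable keyed by field name
function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time = $Record.TimeCreated
        Id   = $Record.Id
        Type = $names[[int]$Record.Id]
        Data = $data
    }
}

$filter = @{ LogName = $log; Id = @(1, 3, 6, 8, 11, 12); StartTime = (Get-Date).AddHours(-24) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
          ForEach-Object { ConvertFrom-SysmonEvent $_ }

# 1. Volume per event type: a quick read on how noisy the current configuration is
$events | Group-Object Type | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Cross-process thread creation (ID 8): a code-injection candidate unless the
#    source is a known Windows component
$events | Where-Object { $_.Id -eq 8 } |
    Select-Object Time,
        @{ n = 'Source'; e = { $_.Data.SourceImage } },
        @{ n = 'Target'; e = { $_.Data.TargetImage } } |
    Format-Table -AutoSize

# 3. Script/download tooling started inside an interactive session. Session 0 is
#    services; console and RDP sessions are numbered from 1 up. The name list is
#    an illustrative assumption, not a complete one.
$suspicious = 'powershell', 'cmd.exe', 'mshta', 'rundll32', 'certutil', 'bitsadmin', 'wscript', 'cscript'
$events | Where-Object { $_.Id -eq 1 -and [int]$_.Data.TerminalSessionId -ne 0 } |
    Where-Object { $img = $_.Data.Image; $suspicious | Where-Object { $img -like "*$_*" } } |
    Select-Object Time,
        @{ n = 'Session'; e = { $_.Data.TerminalSessionId } },
        @{ n = 'User';    e = { $_.Data.User } },
        @{ n = 'Parent';  e = { $_.Data.ParentImage } },
        @{ n = 'Command'; e = { $_.Data.CommandLine } } |
    Format-Table -Wrap

# 4. RDP initiated FROM the RDS host (ID 3, destination port 3389, Initiated=true):
#    a classic sign of lateral movement out of a compromised session
$events | Where-Object { $_.Id -eq 3 -and $_.Data.DestinationPort -eq '3389' -and $_.Data.Initiated -eq 'true' } |
    Select-Object Time,
        @{ n = 'Image'; e = { $_.Data.Image } },
        @{ n = 'User';  e = { $_.Data.User } },
        @{ n = 'Dest';  e = { "$($_.Data.DestinationIp):$($_.Data.DestinationPort)" } } |
    Format-Table -AutoSize
```

Run this once on a freshly deployed server before you tune anything: the per-type counts in step 1 tell you where the noise is, and the same script, run after a configuration change, tells you whether the tuning actually helped. For production use, ship the events to a central collector rather than querying each host.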
How To Tailor What Activity Sysmon Logs With Configuration Files
Fortunately, several individuals have taken it upon themselves to author and publish Sysmon configuration files that have already been tuned to screen for malware – which you can then further tweak to suit your monitoring requirements.
Moti Bani, a Microsoft employee who blogs frequently about security, is one such individual. First, read his blog post entitled “Sysinternals Sysmon Suspicious Activity Guide” located here: https://docs.microsoft.com/en-us/archive/blogs/motiba/sysinternals-sysmon-suspicious-activity-guide
You may then download his well-tailored Sysmon configuration file from his GitHub repository here: https://github.com/MotiBa/Sysmon/
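As an added illustration of the tailoring described above (this is my own small example, not Moti Bani’s configuration or anything from the book), the following PowerShell writes a compact RDS-oriented Sysmon configuration and then installs Sysmon with it, or updates the rules if the service is already present. It assumes Sysmon64.exe has been copied to C:\Tools, that the configuration lives under C:\ProgramData\Sysmon, and that your Sysmon build accepts schema version 4.22 (Sysmon 11 or later; `sysmon64 -? config` prints the schema your build expects). The exclusion and include lists are starting points to adjust for your own environment.

```powershell
# Added example (not from the book or Moti Bani's repository): a small RDS-oriented
# Sysmon configuration, written to disk and applied with Sysmon64.exe.
# Assumptions: Sysmon64.exe is in C:\Tools; the build accepts schema 4.22.
$sysmon     = 'C:\Tools\Sysmon64.exe'
$configPath = 'C:\ProgramData\Sysmon\sysmon-rds.xml'

$config = @'
<Sysmon schemaversion="4.22">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- ID 1 ProcessCreate: keep everything except the noisiest known-good images -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\conhost.exe</Image>
        <Image condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- ID 3 NetworkConnect: outbound traffic from scripting/LOLBin images, plus RDP
         initiated FROM this host (lateral movement). Inbound 3389 is not included here. -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="end with">powershell.exe</Image>
        <Image condition="end with">cmd.exe</Image>
        <Image condition="end with">mshta.exe</Image>
        <Image condition="end with">rundll32.exe</Image>
        <Image condition="end with">certutil.exe</Image>
        <Rule groupRelation="and">
          <DestinationPort condition="is">3389</DestinationPort>
          <Initiated condition="is">true</Initiated>
        </Rule>
      </NetworkConnect>
    </RuleGroup>
    <!-- ID 6 DriverLoad: log any driver that does not carry a Microsoft/Windows signature -->
    <RuleGroup name="" groupRelation="or">
      <DriverLoad onmatch="exclude">
        <Signature condition="contains">Microsoft</Signature>
        <Signature condition="contains">Windows</Signature>
      </DriverLoad>
    </RuleGroup>
    <!-- ID 8 CreateRemoteThread: exclude Windows components that legitimately do this -->
    <RuleGroup name="" groupRelation="or">
      <CreateRemoteThread onmatch="exclude">
        <SourceImage condition="is">C:\Windows\System32\csrss.exe</SourceImage>
        <SourceImage condition="is">C:\Windows\System32\wininit.exe</SourceImage>
        <SourceImage condition="is">C:\Windows\System32\winlogon.exe</SourceImage>
        <SourceImage condition="is">C:\Windows\System32\services.exe</SourceImage>
      </CreateRemoteThread>
    </RuleGroup>
    <!-- ID 11 FileCreate: script drops and persistence in the Startup folder -->
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename condition="contains">\Start Menu\Programs\Startup\</TargetFilename>
        <TargetFilename condition="end with">.ps1</TargetFilename>
        <TargetFilename condition="end with">.bat</TargetFilename>
        <TargetFilename condition="end with">.vbs</TargetFilename>
        <TargetFilename condition="end with">.hta</TargetFilename>
      </FileCreate>
    </RuleGroup>
    <!-- ID 12/13/14 RegistryEvent: autorun keys, debugger hijacks, and the RDP/Terminal
         Server settings an attacker would change to weaken or hide access -->
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
        <TargetObject condition="contains">\Image File Execution Options\</TargetObject>
        <TargetObject condition="contains">\Control\Terminal Server\</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

New-Item -ItemType Directory -Force -Path (Split-Path $configPath) | Out-Null
Set-Content -Path $configPath -Value $config -Encoding UTF8

if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & $sysmon -c $configPath               # update the rules of the running service
} else {
    & $sysmon -accepteula -i $configPath   # install the driver and service with this config
}
& $sysmon -c                               # print the active configuration to confirm it applied
```

Two caveats when you tune further. An “exclude” rule is a blind spot: a match on a full path (`condition="is"`) only trusts that exact file, but a match on a name suffix (`condition="end with"`) is defeated by anything renamed to that suffix, so keep exclusion lists short and specific. And when both an include and an exclude rule exist for the same event type, the exclude wins, which is why the include sections above are deliberately narrow rather than relying on exclusions to clean up a broad include.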