Sysmon

 If you are unfamiliar with Sysmon, it essentially is an extension to your existing Windows Logging. It generates all sorts of alerts that for some reason are not default for Windows. The information that can be extracted from Sysmon is invaluable and it isn't all that noisy either. In all there are 21 different types of Sysmon event but we are only going to address a few to get started as this will give you a good basis on setting Sysmon up and how to utilize Graylog to it's full potential to monitor your network as efficiently as possible.

 
 

EVENT ID 1

Event ID 1 is generated upon a new process creation. This event is one of my favorites because you can essentially log everything someone does on a workstation. From opening up chrome to opening up a PDF, this event ID will identify the parent application that the process originated from as well as a hash of that parent application, which you can easily upload to a site such as VirusTotal.com to verify if the application is malicious or not.

 

EVENT ID 2

One way malicious actors attempt to cover their footsteps is through a method called "time stomping" which essentially attempts to change the creation/modified time stamps on files. This Event will monitor when changes are made to those time stamps. In addition to a process creation, Event ID 2 will generate a terminated process. This can be useful when doing forensic work on an infected machine to identify normal malware activity such as killing processes that malware will create to help cover it's tracks.

 

EVENT ID 3

The focus of Event ID 3 is identifying a network connection initiated by an application. Pivoting in a network is key to a malicious actor navigating throughout a network. This event will easily identify applications such as telnet, netcat, nmap, or any of type of application a malicious actor may put on a machine to navigate throughout a network, as well as the destination IP address the machine is attempting to connect too. It can be a bit noisy in some instances, mainly with applications likes Java, but once you create initial filters in your XML file, this event should be relatively quiet and you will want to dig further any time this event ID is generated.