Sysmon v11.10 - Sysmon Modular - Wazuh - Ohh My!


Buddha Man

Jul 6, 2020, 2:10:03 PM
to Wazuh mailing list
Blackhills Infosec discusses their own implementation of Sysmon outside of Wazuh:

What's notable is they discuss an infosec-tuned version of a sysmon modular config that allows you to dynamically build a custom sysmon xml configuration file.

And... we have the new sysmon v11.10 to add to the mix.
The modular sysmon states it might not be completely compatible with sysmon v11.10. I am currently using the z-AlphaVersion.xml and a 10.x version of sysmon with some custom Wazuh alerts I found in this group on production endpoints (it works great).

I have started testing this modular sysmon config system and v11.10. The issue I'm having is creating the Wazuh custom alerts to work with it. My old Wazuh custom sysmon alerts work fine, but I don't think they capture any of the new sysmon alerts in the modular sysmon config.

Just wondering what others may have (will do) with these building blocks.

- Buddha



eva....@wazuh.com

Jul 8, 2020, 4:42:55 AM
to Wazuh mailing list

Hello,

Unfortunately, we haven't got rules for the new Sysmon events yet. We will read these blog posts to try to create new rules.
At the moment, all I can say is that if you need help creating a rule, send us the event and we will help you.

I recommend you create rules to group the new events, as the existing rules do. Then, create child rules to generate the alerts you want.
Attached is an example of rules (although it seems that you already have experience in creating rules):

<group name="windows, windows_sysmon">

  <rule id="100000" level="0">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^17$</field>
    <description>Sysmon - Event 17: PipeEvent (Pipe Created)</description>
    <options>no_full_log</options>
    <group>sysmon_event_17,</group>
  </rule>

  <rule id="100001" level="0">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^18$</field>
    <description>Sysmon - Event 18: PipeEvent (Pipe Connected)</description>
    <options>no_full_log</options>
    <group>sysmon_event_18,</group>
  </rule>

  <rule id="100002" level="0">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^19$</field>
    <description>Sysmon - Event 19: WmiEvent (WmiEventFilter activity detected)</description>
    <options>no_full_log</options>
    <group>sysmon_event_19,</group>
  </rule>

  <rule id="100003" level="0">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^20$</field>
    <description>Sysmon - Event 20: WmiEvent (WmiEventConsumer activity detected)</description>
    <options>no_full_log</options>
    <group>sysmon_event_20,</group>
  </rule>

  <rule id="100004" level="0">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^21$</field>
    <description>Sysmon - Event 21: WmiEvent (WmiEventConsumerToFilter activity detected)</description>
    <options>no_full_log</options>
    <group>sysmon_event_21,</group>
  </rule>

  <rule id="100005" level="0">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^22$</field>
    <description>Sysmon - Event 22: DNSEvent (DNS query)</description>
    <options>no_full_log</options>
    <group>sysmon_event_22,</group>
  </rule>

</group>

Regards,
Eva
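As an added illustration of the two-layer approach Eva describes (level-0 grouping rules per event ID, then child rules that actually alert), here are two child rules built on top of her example. This is not code from the original thread or from the Wazuh ruleset. It assumes the grouping rule IDs 100000 and 100005 from her snippet, and it assumes Wazuh's JSON decoding of the Sysmon EventData block, where each `<Data Name="X">` becomes `win.eventdata.x` with a lower-cased first letter (so `Image` is `win.eventdata.image`, `QueryName` is `win.eventdata.queryName`, `Operation` is `win.eventdata.operation`). The regex syntax is Wazuh's OS_Regex, where `|` is alternation and `$` anchors the end.

```xml
<group name="windows,windows_sysmon,">

  <!-- Child of grouping rule 100005 (Sysmon Event 22: DNS query).
       A browser or the OS resolver issuing DNS queries is normal; a scripting
       host doing so is worth an alert. Image is the full path of the process,
       so anchor on the executable name at the end. Field names are assumed
       from Wazuh's win.eventdata.<name> decoding. -->
  <rule id="100100" level="10">
    <if_sid>100005</if_sid>
    <field name="win.eventdata.image">powershell.exe$|cscript.exe$|wscript.exe$|mshta.exe$</field>
    <description>Sysmon - Event 22: DNS query for $(win.eventdata.queryName) issued by scripting host $(win.eventdata.image)</description>
    <options>no_full_log</options>
    <group>sysmon_event_22,dns_query,</group>
  </rule>

  <!-- Child of grouping rule 100003 (Sysmon Event 20: WmiEventConsumer).
       Creation of a WMI event consumer is rare on a workstation and is a
       classic persistence mechanism, so every creation is raised to an alert.
       The Operation value "Created" is assumed from Sysmon's event schema. -->
  <rule id="100101" level="12">
    <if_sid>100003</if_sid>
    <field name="win.eventdata.operation">^Created$</field>
    <description>Sysmon - Event 20: WMI event consumer $(win.eventdata.name) created by $(win.eventdata.user)</description>
    <options>no_full_log</options>
    <group>sysmon_event_20,wmi_persistence,</group>
  </rule>

  <!-- Child of grouping rule 100000 (Sysmon Event 17: pipe created).
       Keeps the level at 0 for the noisy, well-known pipes and lets the
       generic event fall through to a low-level alert otherwise. Pipe names
       listed here are constructed examples of common benign pipes. -->
  <rule id="100102" level="0">
    <if_sid>100000</if_sid>
    <field name="win.eventdata.pipeName">^\\wkssvc$|^\\srvsvc$|^\\lsass$|^\\ntsvcs$</field>
    <description>Sysmon - Event 17: well-known system pipe created, ignored</description>
    <options>no_full_log</options>
    <group>sysmon_event_17,</group>
  </rule>

  <rule id="100103" level="5">
    <if_sid>100000</if_sid>
    <description>Sysmon - Event 17: named pipe $(win.eventdata.pipeName) created by $(win.eventdata.image)</description>
    <options>no_full_log</options>
    <group>sysmon_event_17,</group>
  </rule>

</group>
```

Rule ordering matters for the last pair: Wazuh evaluates sibling children of 100000 in file order, so the level-0 allowlist (100102) must come before the catch-all (100103), otherwise the catch-all matches first and the allowlist never applies. After adding rules, run `/var/ossec/bin/ossec-logtest` (or `wazuh-logtest` on newer releases) with a captured Sysmon JSON event to confirm the decoded field names match before expecting alerts.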
