diff --git a/z-AlphaVersion.xml b/z-AlphaVersion.xml index 93bd302..3d06d5f 100644 --- a/z-AlphaVersion.xml +++ b/z-AlphaVersion.xml 
@@ -10,37 +10,43 @@ Fork project: Fork license: - REQUIRED: Sysmon version 9.02 or higher (due to changes in syntax and bug-fixes) + REQUIRED: Sysmon version 9.10 or higher (due to changes in syntax and bug-fixes) https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon - Note that 6.03 and 7.01 have critical fixes for filtering, it's recommended you stay updated. + Note that 6.03 and 7.01 have critical fixes for filtering, it's VERY recommended you stay updated. NOTE: To collect Sysmon logs centrally for free, see https://aka.ms/WEF | Command to allow log access to the Network Service: wevtutil.exe sl Microsoft-Windows-Sysmon/Operational /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS) NOTE: Do not let the size and complexity of this configuration discourage you from customizing it or building your own. - This configuration is based around known, high-signal event tracing, and thus appears complicated, but it's only very + This configuration is based around known, high-signal event tracing, and thus appears complicated, but it is only very detailed. Significant effort over years has been invested in front-loading as much filtering as possible onto the client. This is to make analysis of intrusions possible by hand, and to try to surface anomalous activity as quickly - as possible to any technician armed only with Event Viewer. Its purpose is to democratize system monitoring for all organizations. + as possible to technicians armed only with Event Viewer. Its purpose is to democratize system monitoring for all organizations. NOTE: Sysmon is NOT a whitelist solution or HIDS correlation engine, it is a computer change logging tool. Do NOT ignore everything possible. Sysmon's purpose is providing context during a threat or problem investigation. Legitimate processes are routinely used by threats - do not blindly exclude them. Additionally, be mindful of process-hollowing / imitation. 
- NOTE: By default this monitors DNS, which is extremely noisy. If you are starting out on your monitoring journey, you may remove the section. - You can remove DNS from the Event Viewer screen by applying a 'Filter Current View' for event IDs of: -22 + NOTE: By default this monitors DNS, which is extremely noisy. If you are starting out on your monitoring journey, just remove that section. + You can remove DNS events from Event Viewer screen by applying a 'Filter Current View' for event IDs of: -22 Additionally, if you want to monitor DNS, you should deploy client-side adblocking to reduce lookups. See the DNS section for info. - NOTE: Sysmon is not hardened against an attacker with admin rights. Additionally, this configuration offers an attacker, willing - to study it, many ways to evade some of the logging. If you are in a very high-threat environment, you should consider a much broader - log-most approach. However, in the vast majority of cases, an attacker will bumble along through multiple behavioral traps which - this configuration monitors, especially in the first minutes. Even APT do not send their A-team unless they know you're hardened. - 10% of the effort gets 95% of the results. They rely on nobody watching because almost nobody does. Your effort makes the difference. - NOTE: This configuration is designed for PER-MACHINE installs of Chrome and OneDrive. That moves their binaries out of user-controlled folders. Otherwise, attackers could imitate these common applications, and bypass your logging. Below are silent upgrades you can do, no user impact: https://docs.microsoft.com/en-us/onedrive/per-machine-installation https://cloud.google.com/chrome-enterprise/browser/download/ + + NOTE: Sysmon is not hardened against an attacker with admin rights. Additionally, this configuration offers an attacker, willing + to study it, limited ways to evade some of the logging. 
If you are in a very high-threat environment, you should consider a broader, + log-most approach. However, in the vast majority of cases, an attacker will bumble through multiple behavioral traps which + this configuration monitors, especially in the first minutes. Even APT do not send their A-team unless they know you're hardened. + 10% of the effort gets 95% of the results. APT rely on nobody watching because almost nobody does. Your effort makes the difference. + + What matters is you. Start acting like it. Start demanding it. I spent 10 years not doing that. I regret every moment I didn't. + YOU make the difference. I went from a department with nothing, to a deparment with everything. And yet, PEOPLE are what matter. + If you are reading this, you are already far along the path to changing the world for the better. Advocate for yourself. + Find somewhere new if you are selfless, yet unvalued. These words are what I would have told an earlier me. I wish I did. + You are already the candidate of the future. A mirror will never tell truth. Tools can only show what you already beleive. NOTE: If you encounter unexplanable event inclusion/exclusion, you may have a second Sysmon instance installed under a different exe filename. To clear this, try downloading the latest version and uninstalling with -u force. If it hangs, kill the processes and run it again to cleanup.
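Review bot: The rewrite of the evasion warning from "many ways to evade some of the logging" to "limited ways to evade some of the logging" softens a security caveat without any corresponding change to the filter rules in this patch; since this configuration ships to every client and its include/exclude rules are readable by anyone who can study it, the original "many" is the more defensible wording, so either keep it or add a sentence explaining what now limits evasion. Second, the line "- NOTE: This configuration is designed for PER-MACHINE installs of Chrome and OneDrive ..." appears to be deleted with no replacement, which leaves the two per-machine-install URLs below it without the note that explains why they are there (user-writable install paths let an attacker imitate those binaries and slip past the rules); if the removal is intentional, drop the URLs as well, otherwise restore the note. Third, raising the minimum to "Sysmon version 9.10 or higher" is not tied to any directive changed in this hunk; state which syntax change requires it (and check the number against the download page linked on the next line), and with that floor in place the "Note that 6.03 and 7.01 have critical fixes for filtering" line is moot and can go rather than being upgraded to "VERY recommended". Finally, the new motivational paragraph has typos ("deparment" should be "department", "beleive" should be "believe"), and a personal appeal of that length is better placed in the README than in the header of a config file that gets deployed to endpoints; the pre-existing "unexplanable" in the context line below could be fixed to "unexplainable" while touching this block.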