
The "PCS Girls Community" presents:

  • This config file targets Sysmon v15.0.
  • It includes Event IDs 27, 28 and 29.


A) Summary

Sysmon configurations come in two types:

1- Targeting: these configurations collect logs of specific events and are useful for threat hunting.

2- Tracking: these configurations collect more logs (including some noisy ones) to fill dashboards, and are useful for SOCs and correlation engines.

I created this mixed configuration. I forked sysmon-modular and then combined it with other forks and with my own knowledge of detection and threat hunting.

  • Significant-01: This configuration contains the protection channel called "FileBlockExecutable", which is generated when Sysmon detects and blocks the creation of executable files (Event ID 27).

  • Significant-02: This configuration contains the protection channel called "File Executable Detected", which is generated when Sysmon detects the creation of a new executable file (PE format) (Event ID 29).

Note: This configuration will raise your event volume (about 5x the sysmon-modular default configuration), so be careful and re-calculate your licensing, resources and data lifecycle policies.

B) Fork Information

Florian Roth @Neo23x0

Tobias Michalski @humpalum

Christian Burkard @phantinuss

Nasreddine Bencherchali @nas_bench

@magicsword-io (LOLDrivers)

Update

May 2, 2023: Updated the Event ID 12 rule for sub-technique T1547.014, Boot or Logon Autostart Execution: Active Setup (Tactics: Persistence, Privilege Escalation). Adversaries may abuse Active Setup by creating a key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ and setting a malicious value for StubPath. This value will serve as the program that will be executed when a user logs into the computer.

C) Installation (and make it secure)

We want to install Sysmon a little differently to protect it more, so we will change the process name from "sysmon" to "pcsgmon", the driver name to "pcsgdrv" and the service display name to "PCSG Service". Follow the example:

1) Get Ready:

Download the latest version of Sysmon from Microsoft or Sysinternals.

Download the Sysmon config file here (Download) and copy it into your downloaded Sysmon folder.

Rename "sysmon64.exe" or "sysmon.exe" to another name so that it appears under a different name in the process list. For example, we rename "sysmon64.exe" to "pcsgmon.exe".

2) Installation

Run PowerShell or cmd with admin rights (Run as Administrator) and change to your Sysmon folder.

Install command: pcsgmon.exe -accepteula -i "sysmon-pcsg-daena-default.xml" -d pcsgdrv

3) Change Service

After installation, open "regedit.exe" and go to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pcsgmon

Now change DisplayName to: PCSG Service

And change Description to: Enables PCSG process live

You can also use these steps for your SIEM agent installation.
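The three installation steps above collected into one elevated PowerShell script, as an added example that is not part of this repository. The config filename, process, driver and service names are the ones given in this README; the assumption is that the script runs from the folder holding the downloaded Sysmon binary and the config file.

```powershell
# Added example (not from the repository): steps 1-3 of the installation above.
# Assumes an elevated prompt in the folder that holds the Sysmon binary and the config.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$ConfigFile  = 'sysmon-pcsg-daena-default.xml'   # config file from this repository
$ProcessName = 'pcsgmon'                         # renamed binary; Sysmon uses it as the service name
$DriverName  = 'pcsgdrv'                         # custom driver name passed with -d
$DisplayName = 'PCSG Service'
$Description = 'Enables PCSG process live'

# Step 1: rename the downloaded binary (prefer the 64-bit build). Skip if already renamed.
if (-not (Test-Path ".\$ProcessName.exe")) {
    $src = if (Test-Path '.\Sysmon64.exe') { '.\Sysmon64.exe' } else { '.\Sysmon.exe' }
    Rename-Item -Path $src -NewName "$ProcessName.exe"
}
if (-not (Test-Path ".\$ConfigFile")) { throw "Config $ConfigFile not found next to the binary" }

# Step 2: install with the repository config and the custom driver name.
& ".\$ProcessName.exe" -accepteula -i $ConfigFile -d $DriverName
if ($LASTEXITCODE -ne 0) { throw "Install failed with exit code $LASTEXITCODE" }

# Step 3: the regedit step, done with Set-ItemProperty on the service key.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ProcessName"
Set-ItemProperty -Path $svcKey -Name 'DisplayName' -Value $DisplayName
Set-ItemProperty -Path $svcKey -Name 'Description' -Value $Description

# Verify: user-mode service and kernel driver are running, and the loaded config is the expected one.
Get-Service -Name $ProcessName | Format-Table Name, DisplayName, Status
Get-CimInstance Win32_SystemDriver -Filter "Name='$DriverName'" | Format-Table Name, State
& ".\$ProcessName.exe" -c            # dumps the configuration currently loaded

# Caveat for collection: renaming binary, driver and service does not rename the event
# channel. Events still land in Microsoft-Windows-Sysmon/Operational, so point the SIEM
# agent at that channel (Event IDs 27 and 29 from this config appear there).
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 3 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, ProviderName
```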

Z) Community

👩‍💻 Join Our Community: #PCSGCommunity

Post by Daena: github.com/Daenaa

Telegram: t.me/persiancsgirls

LinkedIn: linkedin.com/groups/12007305
