How to configure EventSentry to detect threats like APTs, Mimikatz, malicious traffic and others with Sysmon
Sysmon is a free driver-based utility that supplements Windows's built-in audit capabilities. Combining Sysmon with EventSentry's monitoring capabilities enables users to detect a number of potential threats on their monitored servers and workstations.
Scythe, an enterprise adversary emulation platform, performed a Purple Team Exercise with an EventSentry client and created a number of event log packages in EventSentry, many utilizing Sysmon, that detect a variety of adversary behaviors. Many of these behaviors are common among threat actors while some are specific to the tactics, techniques, and procedures of a particular adversary. When assigned, these rules can detect malicious activity like:
- Processes communicating with known malicious IP addresses
- APT activity
- Buhtrap Input Capture
- Credential Dumping
- Drivers with suspicious activity
- Processes gaining persistence
To start using the Scythe filter rules, follow the steps below:
- Deploy Sysmon to all systems that are utilizing these rules. See KB 437 on how to automatically deploy (and/or configure) Sysmon with EventSentry
- Download the .reg package below
- Import the package in the management console. Click on "Packages", select "Import" and select the previously downloaded package
- Select all packages in the list - all packages start with [Scythe]
- Review the package properties (select package, click Properties) and make sure that the correct action is referenced
All packages are configured to be global and will automatically be activated ("Dynamic Activation") on all hosts that have Sysmon installed.
Once deployed, alerts will be sent to the selected email action. While the filter rules have been customized to reduce the number of noise, users may still receive some false positives depending on their environment. False positives can easily be removed by creating exclude filters.
scythe_rev6.reg
