updates for linux version of sysmon

Author: darkoperator

chapters/configuration.md

@@ -242,7 +242,7 @@ We can filter on the Field Names defined in the data elements. They are defined
 
 ![Fields definition](./media/image12.png)
 
-As of the latest version we have defined as event types:
+As of the latest version we have defined as event types, one does need to be aware that not all fields and all event types will apply to both Sysmon fo Windows and Sysmon for Linux:
 
 * **NetworkConnect** - Network connections made by processes on the system; both TCP and UDP
 
@@ -276,6 +276,10 @@ As of the latest version we have defined as event types:
 
 * **ClipboardChange** - Stores and logs text that is stored in to the clipboard by processes and context of who stored the text.
 
+* **ProcessTampering** - Detects some of the techniques of "hollow" and "herpaderp" where a process image is replace.
+
+* **FileDeleteDetected** - Only logs file deletion or file wipes.
+
 Configuration File
 ==================
 
@@ -475,7 +479,7 @@ Event SYSMONEVENT_FILE_DELETE
  Archived: -
 ```
 
-In case the configurations are cleared, the default one will take over:
+In case the configurations are cleared, the default one will take over, in the case of Windows:
 
 * **ProcessCreation**
 
@@ -487,7 +491,13 @@ In case the configurations are cleared, the default one will take over:
 
 * **SHA1 for Images**
 
-Since any user in the system can read the rule binary data, an attacker can operate around rule configurations once they have read them by:
+For Linux the default configuration is:
+
+* **ProcessCreation**
+
+* **ProcessTermination**
+
+In the case of Windows any user in the system can read the rule binary data, an attacker can operate around rule configurations once they have read them by:
 
 * Execute tasks not logged.
 
@@ -497,10 +507,33 @@ Existing tools for parsing rules out of the registry break often as Sysmon is up
 
 It is also important to monitor any process that access the Sysmon service process to prevent suspension of the process or modification of it in memory.
 
+For Linux only the root account can read and modify the the sysmon configuration file and its binary info. But the syslog file on most systems
+
 Configuration Deployment
 ------------------------
 
-Most environments that have the capabilities to leverage Sysmon enhanced log collection also have software deployment systems like Altiris, System Center Configuration Manager, Desired State Configuration, etc. This is why these are just general recommendations.
+Most environments that have the capabilities to leverage Sysmon enhanced log collection also have software deployment systems like Altiris, System Center Configuration Manager, Desired State Configuration, etc for Windows in the case of Linux we can leverage Ansible, Chef, Puppet and many other solutions. This is why these are just general recommendations.
+
+Sylog Message Size
+------------------
+
+Syslog message size limits are dictated by the syslog transport mapping in use. By default the rsyslog package which is one of the most popular packages in distributions limit the size to 1024 bytes. It is important to prevent parsing errors of the structured data to set max sizes that match the size and transport of the messages configured for your given Syslog package. This is achieved using the **FieldSizes** XML element and setting a size for the CommandLine and Image field sizes. We can specify the field and the length we want for the field like in the example bellow.
+
+```xml
+<Sysmon schemaversion="4.81">
+  <FieldSizes>CommandLine:100,Image:100</FieldSizes>
+  <EventFiltering>
+    
+  </EventFiltering>
+</Sysmon>
+```
+
+Fields that could benefit of this are:
+
+* Image
+* ParentImage
+* CommandLine
+* ParentCommandLine
 
 Deployment Script
 -----------------

chapters/file_delete_detected.md

@@ -9,7 +9,6 @@ It leverages the Sysmon minidriver and we should considered it altitude number w
 
 The minidriver monitors for three I/O request packets (IRP) IRP_MJ_CREATE, IRP_MJ_CLEANUP, and IRP_MJ_WRITE for file creates, complete handle closes, and writes respectively.
 
-
 ### Event information
 
 The file delete event fields are:
@@ -18,7 +17,7 @@ The file delete event fields are:
 
 * **UtcTime**: Time in UTC when event was created
 
-* **ProcessGuid**: Process Guid of the process that deletec the file
+* **ProcessGuid**: Process Guid of the process that deleted the file
 
 * **ProcessId**: Process ID used by the OS to identify the process that deleted the file (child)
 
@@ -28,5 +27,4 @@ The file delete event fields are:
 
 **Hashes**: Full hash of the file with the algorithms in the HashType field. This is also the filename of the saved file in the ArchiveDirectory
 
-This event type is recomended for those cases where there is a large number of false positive for a given rule but still it is of value to log the action or the rule has false positives for files that could be of great size like archive file or image files like ISO, IMG and others. 
-
+This event type is recommended for those cases where there is a large number of false positive for a given rule but still it is of value to log the action or the rule has false positives for files that could be of great size like archive file or image files like ISO, IMG and others.

chapters/process-creation.md

@@ -67,11 +67,19 @@ when querying for events.
 
 In Linux the advantage provided by Sysmon is that the data is structured in a wa that makes it easier to parse and leverage in a SIEM that leverages the logs. Bellow is an auditd example of the "ping -c 8.8.8.8" command.
 
-```
+```conf
 type=PROCTITLE msg=audit(10/26/2021 12:51:14.046:1385) : proctitle=-bash 
 type=PATH msg=audit(10/26/2021 12:51:14.046:1385) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=401163 dev=08:05 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
 type=PATH msg=audit(10/26/2021 12:51:14.046:1385) : item=0 name=/usr/bin/ping inode=394173 dev=08:05 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=net_raw cap_fi=none cap_fe=1 cap_fver=2 cap_frootid=0 
 type=CWD msg=audit(10/26/2021 12:51:14.046:1385) : cwd=/root 
 type=EXECVE msg=audit(10/26/2021 12:51:14.046:1385) : argc=4 a0=ping a1=-c a2=3 a3=8.8.8.8 
 type=SYSCALL msg=audit(10/26/2021 12:51:14.046:1385) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55c090caa2b0 a1=0x55c090ca9050 a2=0x55c090cb0750 a3=0x8 items=2 ppid=9313 pid=10184 auid=carlos uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=5 comm=ping exe=/usr/bin/ping subj=unconfined key=(null)
 ```
+
+Here is the same command logged in Sysmon where the event is contained in XML format.
+
+```xml
+Oct 26 13:11:11 ubuntu sysmon: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2021-10-26T20:11:11.156042000Z"/><EventRecordID>216077</EventRecordID><Correlation/><Execution ProcessID="1032" ThreadID="1032"/><Channel>Linux-Sysmon/Operational</Channel><Computer>ubuntu</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2021-10-26 20:11:11.159</Data><Data Name="ProcessGuid">{2424faa4-60df-6178-315b-20b68b550000}</Data><Data Name="ProcessId">2669</Data><Data Name="Image">/usr/bin/ping</Data><Data Name="FileVersion">-</Data><Data Name="Description">-</Data><Data Name="Product">-</Data><Data Name="Company">-</Data><Data Name="OriginalFileName">-</Data><Data Name="CommandLine">ping -c 3 8.8.8.8</Data><Data Name="CurrentDirectory">/home/carlos/Desktop</Data><Data Name="User">carlos</Data><Data Name="LogonGuid">{2424faa4-0000-0000-e803-000000000000}</Data><Data Name="LogonId">1000</Data><Data Name="TerminalSessionId">3</Data><Data Name="IntegrityLevel">no level</Data><Data Name="Hashes">-</Data><Data Name="ParentProcessGuid">{2424faa4-60b3-6178-0517-a76010560000}</Data><Data Name="ParentProcessId">2641</Data><Data Name="ParentImage">/usr/bin/bash</Data><Data Name="ParentCommandLine">bash</Data><Data Name="ParentUser">carlos</Data></EventData></Event>
+```
+
+In addition to this having a unique LogonGUID and ProcessGUID for correlation makes correlation much quicker.

chapters/process-events.md

@@ -4,7 +4,7 @@ Process Events
 
 Sysmon can log process creation, process termination and process access events. The process events are captured via ObjRegisterCallbacks at the kernel level using its driver, and contain a unique, deterministically generated ProcessGuid and LogonGuid that are unique to their process instance and LSA logon session respectively. 
 
-The ProcessGuid and LoginGuid make tracking individual process and users much easier. The ProcessGuid attribute is used in all events associated with its process, and, unlike a ProcessID, will not be reused by the host system later.  The LogonGuid attirbute similarly is assigned to a login session of a particular user, and will not be reused later as a LoginID would.
+The ProcessGuid and LoginGuid make tracking individual process and users much easier. The ProcessGuid attribute is used in all events associated with its process, and, unlike a ProcessID, will not be reused by the host system later.  The LogonGuid attribute similarly is assigned to a login session of a particular user, and will not be reused later as a LoginID would.
 
 ![ProcessGUID Source](./media/image31.png)
 

chapters/what-is-sysmon.md

@@ -65,10 +65,8 @@ The Linux version supports given the OS and technologies a smaller number of eve
 |Sysmon Config Change| 16
 |File Delete|23
 
-
-
 The Sysmon version for Linux  is an open-source version of the tool, developed to collect security events from Linux environments using eBPF (Extended Berkeley Packet Filter) and placing the captured events in to Syslog for easy consumption by existing centralized log collection solutions.
 
-Sysmon for Linux use the sysinternalsEBPF library to allow it to capture actions against files on disk and network actions. eBPF is a technology that allows to run the program at the Kernel level in a sandbox allowing it to capture read and. Sysmon leverages this technology to capture information on processes, reads and writes to block devices and also for Socket and TCP/IP actions before they reach a network interface. This behaviour is similar to that of mini filter drivers in Windows that allow for the capture of events as they are executed by the APIs in the OS. 
+Sysmon for Linux use the sysinternalsEBPF library to allow it to capture actions against files on disk and network actions. eBPF is a technology that allows to run the program at the Kernel level in a sandbox allowing it to capture read and. Sysmon leverages this technology to capture information on processes, reads and writes to block devices and also for Socket and TCP/IP actions before they reach a network interface. This behavior is similar to that of mini filter drivers in Windows that allow for the capture of events as they are executed by the APIs in the OS.
 
 The sysinternalsEBPF and Sysmon for Linux are Open Source projects, this allows the community to contribute and to further expand the capabilities of the tools. They can be found at https://github.com/Sysinternals. Both Projects are written in C and in each repository they include documentation on how to build the utilities.