Sysmon is a free driver-based utility that supplements Windows' built-in audit capabilities. Combining Sysmon with EventSentry's monitoring capabilities enables users to detect a number of potential threats on their monitored servers and workstations.
Scythe, an enterprise adversary emulation platform, performed a Purple Team Exercise with an EventSentry client and created a number of event log packages in EventSentry, many of them utilizing Sysmon, that detect a variety of adversary behaviors. Many of these behaviors are common among threat actors, while some are specific to the tactics, techniques, and procedures of a particular adversary. When assigned, these rules can detect malicious activity like:
To start using the Scythe filter rules, follow the steps below:
All packages are configured to be global and will automatically be activated ("Dynamic Activation") on all hosts that have Sysmon installed.
Once deployed, alerts will be sent to the selected email action. While the filter rules have been customized to reduce noise, users may still receive some false positives depending on their environment. False positives can easily be suppressed by creating exclude filters.
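Because the packages only activate on hosts where Sysmon is installed, it is worth confirming on a given host that Sysmon is present and actually writing events before expecting alerts from it; the per-event-ID counts also give a first indication of which rule types will be noisy in that environment when tuning exclude filters. The following is an added example and is not EventSentry's or Scythe's own code; it assumes Sysmon's default service names (Sysmon / Sysmon64 and the SysmonDrv driver) and the standard Microsoft-Windows-Sysmon/Operational log channel.

```powershell
# Added example (not EventSentry's or Scythe's code): verify that a host has
# Sysmon installed and is writing to its operational log, so that globally
# assigned, dynamically activated Sysmon packages will apply to it.
# Assumptions: default service names 'Sysmon' / 'Sysmon64', default driver
# service 'SysmonDrv', and the standard 'Microsoft-Windows-Sysmon/Operational' channel.

function Test-SysmonPresence {
    [CmdletBinding()]
    param(
        [int]$LookbackHours = 1
    )

    $result = [ordered]@{
        ServiceFound  = $false
        ServiceStatus = $null
        DriverLoaded  = $false
        LogEnabled    = $false
        RecentEvents  = 0
        EventsById    = @{}
    }

    # Sysmon installs as 'Sysmon' or 'Sysmon64' unless renamed at install time.
    $svc = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($svc) {
        $result.ServiceFound  = $true
        $result.ServiceStatus = $svc.Status.ToString()
    }

    # The kernel driver registers as a service named 'SysmonDrv' by default.
    $drv = Get-Service -Name 'SysmonDrv' -ErrorAction SilentlyContinue
    if ($drv -and $drv.Status -eq 'Running') { $result.DriverLoaded = $true }

    # The operational channel is the log that Sysmon-based filter rules consume.
    $log = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue
    if ($log -and $log.IsEnabled) { $result.LogEnabled = $true }

    if ($result.LogEnabled) {
        $since = (Get-Date).AddHours(-$LookbackHours)
        # Wrapping in @() yields an empty array (not $null) when no events match.
        $events = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Sysmon/Operational'
            StartTime = $since
        } -ErrorAction SilentlyContinue)

        $result.RecentEvents = $events.Count
        # Per-event-ID counts show which rule types will be busy on this host
        # (e.g. ID 1 process creation, ID 3 network connection, ID 11 file create).
        $result.EventsById = $events | Group-Object -Property Id |
            ForEach-Object -Begin { $h = @{} } -Process { $h[$_.Name] = $_.Count } -End { $h }
    }

    [pscustomobject]$result
}

# Usage: summarize the last hour of Sysmon activity on this host.
Test-SysmonPresence -LookbackHours 1 | Format-List
```

A host where ServiceFound and LogEnabled are true but RecentEvents stays at zero is the case to look at first: dynamic activation will assign the packages, yet no Sysmon-based rule can fire until the driver is loaded and events are flowing into the channel.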