Bro-Sysmon integrates Windows Sysmon with Zeek (Bro). The initial open source announcement can be found on the Salesforce Engineering Blog. The code can be found on Github. Here we will be discussing a way to stand up an environment to test it out.

Overview

The test environment will be a single Linux host with VirtualBox installed to run a Windows virtual host. All traffic from the Windows host will be sent to a VirtualBox Host-Only Adapter. The diagram below illustrates the different components and how they are connected.

Bro-Sysmon Test Environment

- Linux Host: the system with CentOS 7 installed that will host the Windows virtual machine
- VirtualBox Windows Virtual Machine: forwards Sysmon logs via WinLogBeat
- WinLogBeat: forwards Sysmon events to a Logstash receiver
- Logstash: configured with a beats listener, writes the events to disk
- sysmon-Broker.py: tails the log and generates events to be sent to Zeek
- Zeek (Bro): configured to monitor the virtual machine's adapter and receive events via Broker

The black line is the network traffic as it is routed to the internet. The traffic is sent to the host-only interface, and iptables will be configured to forward it on to the internet. Zeek will be configured to monitor the host-only interface, vboxnet0. Note that the interface names on the Linux box may differ in your environment.

The red line is the path of the Windows logs being sent to Zeek. WinLogBeat forwards the logs to Logstash on the Linux host, which writes them to disk. The sysmon-Broker.py script then tails that file and publishes events to Zeek, where scripts can act on them.

Setting up the Linux Host

I started with a system that met the requirements to run VirtualBox and installed CentOS. During the installation I chose to install with GNOME Desktop and enabled the network interface. Continue on and set a root password and add a user. Wait for the installation to complete and then reboot. For simplicity, all actions will be performed as root for this tutorial. Remember to implement least privilege access in production builds.

Once it’s rebooted, log in and perform a system update and reboot again.

yum update -y && sudo reboot

Next we will log in and install dependencies.

yum install -y epel-release

yum install -y binutils qt gcc make patch libgomp glibc-headers glibc-devel kernel-headers kernel-devel dkms gcc-c++ flex bison cmake libpcap-devel java openssl-devel python-devel swig zlib-devel git iptables-services dnsmasq python-pip

pip install ipaddress

The necessary files to test out Bro-Sysmon are located on Github. We will clone the repository and copy the configurations to the right locations later in the process.



cd ~

git clone https://github.com/salesforce/bro-sysmon.git

Install Zeek. The official install guide can be found at docs.zeek.org. This guide is helpful for customization and installation on different operating systems.

cd ~

git clone --recursive git://git.bro.org/bro

cd bro

./configure --prefix=/opt/bro

make -j7

sudo make install

Zeek will monitor vboxnet0 after VirtualBox has been installed. We will install VirtualBox later, but first need to get Zeek ready. We can do this quickly with the following command.

sudo sed -i 's/eth0/vboxnet0/g' /opt/bro/etc/node.cfg

There are 2 dependencies required for Bro-Sysmon. We need to install JA3 and HASSH.



cd ~

git clone https://github.com/salesforce/ja3.git

sudo cp -r ja3/bro /opt/bro/share/bro/site/ja3

git clone https://github.com/salesforce/hassh

sudo cp -r hassh/bro /opt/bro/share/bro/site/hassh

echo "@load ./ja3" | sudo tee -a /opt/bro/share/bro/site/local.bro

echo "@load ./hassh" | sudo tee -a /opt/bro/share/bro/site/local.bro

To install Bro-Sysmon, change to the bro-sysmon directory and copy its bro directory into /opt/bro/share/bro/site as bro-sysmon. Then modify local.bro to load that directory.

cd ~/bro-sysmon

sudo cp -r bro /opt/bro/share/bro/site/bro-sysmon

echo "@load ./bro-sysmon" | sudo tee -a /opt/bro/share/bro/site/local.bro

Broker Install

Broker is the communication library needed to send events to Zeek. The code is found on Github. Download the source and install.



cd ~

git clone --recursive https://github.com/bro/broker.git

cd broker

./configure

make -j7

make install

Install Logstash

The official guide can be found on elastic.co.

We will need to add a configuration for yum to know where to locate the package. To do this, create the file /etc/yum.repos.d/logstash.repo with the following content.



[logstash-6.x]
name=Elastic repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

After adding the repository for logstash we can now install Logstash.

yum install logstash -y

We will now create the Logstash configuration file to listen on a port expecting beats formatted data.

cp ~/bro-sysmon/logstash_beats_WindowsSysmon.conf /etc/logstash/conf.d/winlogbeat.conf

sudo /usr/share/logstash/bin/system-install /etc/logstash/startup.options systemd

Finally, we can enable and start the Logstash service.

systemctl enable logstash

systemctl restart logstash

The system is now configured to receive Sysmon events and monitor the network traffic generated from the VirtualBox host. Now let's get started installing VirtualBox, creating the host and configuring the system to forward Sysmon to Zeek!

Set Up Virtualization Environment

To make this as quick and painless as possible we’ll be downloading Microsoft’s Windows 10 Virtualbox image. This will take some time so grab a beverage and get ready for a bit of a break. After the download finishes, unzip the archive and the image will be ready to be imported into VirtualBox.



cd ~

wget https://az792536.vo.msecnd.net/vms/VMBuild_20180425/VirtualBox/MSEdge/MSEdge.Win10.VirtualBox.zip

unzip MSEdge.Win10.VirtualBox.zip

To install VirtualBox we need to configure a yum repository.



cd /etc/yum.repos.d/

wget http://download.virtualbox.org/virtualbox/rpm/rhel/virtualbox.repo

yum install -y VirtualBox-6.0

After the install is complete we will open VirtualBox and import the Windows image.

cd ~

vboxmanage import MSEdge\ -\ Win10.ova

Create a new host-only network by opening the File menu and selecting "Host Network Manager". Create a new network; it usually defaults to the name "vboxnet0".

(Alternatively, use the command line to create the host-only interface.)

vboxmanage hostonlyif create

vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1

VBoxManage dhcpserver add --ifname vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0 --lowerip 192.168.56.100 --upperip 192.168.56.200

VBoxManage dhcpserver modify --ifname vboxnet0 --enable

Select the Windows VM and open its Settings dialogue. Navigate to the Network menu, set the adapter to "Host-only Adapter" and choose vboxnet0 as its network.

Set Up IP forwarding

I chose to use iptables for IP forwarding. This required firewalld to be disabled. Then IP forwarding is configured.

systemctl stop firewalld

systemctl disable firewalld

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

sysctl -p /etc/sysctl.conf

systemctl restart network

Create a script, ~/setup_routing.sh, in your home directory to set up the necessary routing. In my case the interface to access the internet is enp5s0 and the host-only interface is vboxnet0. Verify the interfaces you should use via ifconfig and modify appropriately.

#!/bin/sh
# Interface names are from the author's environment; adjust them to match
# the output of ifconfig on your host.
HOSTONLY=vboxnet0   # host-only adapter the Windows VM is attached to
INTERNET=enp5s0     # interface that reaches the internet
iptables -A FORWARD -i $HOSTONLY -o $INTERNET -j ACCEPT
iptables -A FORWARD -i $INTERNET -o $HOSTONLY -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE

We need to enable the iptables service. Then we will run the script and save the iptables configuration so it is restored on boot.

systemctl enable iptables

/bin/sh ~/setup_routing.sh

service iptables save

We need to set up DNS forwarding by configuring dnsmasq so the Windows VM can resolve names through the Linux host. Modify /etc/dnsmasq.conf to contain the following. The listen address must be the Linux host's address on the host-only adapter: the configuration below uses 192.168.200.1, whereas the vboxmanage commands above assign 192.168.56.1, so use whichever address your host-only adapter actually has.

# forward lookups for the local domain to this host
server=/localnet/192.168.200.1
# host-only adapter the Windows VM is attached to (adjust to your environment)
interface=vboxnet0
listen-address=192.168.200.1
conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig

We will then restart the dnsmasq service to enable the configuration.

systemctl restart dnsmasq

We have done a lot of work to this point. Time to reboot the system to finish installation of drivers.

reboot

The system now has been configured to forward traffic, monitor traffic and receive logs and host the Windows machine. Start up the Windows VM and configure Sysmon and WinLogBeats.

Sysmon Install

Download Windows Sysmon from https://download.sysinternals.com/files/Sysmon.zip. Extract the archive and copy its contents to C:\Program Files\Sysmon.

Download Swift on Security's Sysmon configuration and move it to C:\Program Files\Sysmon\sysmon-config.xml.

Install Sysmon with the desired configuration from a command prompt running as administrator.

sysmon.exe -i sysmon-config.xml -accepteula

WinLogBeat Install

Download WinLogBeat from https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-6.5.4-windows-x86_64.zip

Extract the contents and move them to C:\Program Files\WinLogBeat.

Modify winlogbeat.yml to forward Sysmon events to our Logstash receiver.

winlogbeat.event_logs:
  - name: Microsoft-Windows-Sysmon/Operational

output.logstash:
  # Address of the Linux host on the host-only adapter. Use 192.168.56.1 if you
  # assigned the address with the vboxmanage commands above.
  hosts: ["192.168.200.1:9000"]

Run winlogbeat manually to verify that events are being sent to the Logstash listener on port 9000 at the Linux host's host-only address (192.168.56.1 if it was assigned with the vboxmanage commands above).

winlogbeat.exe -c winlogbeat.yml

Install the service from a command prompt with administrator privileges.

PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1

Select “Run Once”. Start winlogbeat service via the services console.

The Windows VM is now fully configured and events should be flowing into /tmp/WindowsSysmon.json. We can now start Zeek to monitor vboxnet0 to analyze traffic originating from the Windows VM.

/opt/bro/bin/broctl deploy

This starts Zeek so that the Python script can establish a Broker peering and send events to it.

The last piece of the process is to read the WindowsSysmon.json log via the sysmon-Broker.py script. The script is designed to be run in the foreground so errors and key details are visible.

Start sysmon-Broker.py with Python 2.7, passing as arguments the IP where Zeek is listening and the file containing the JSON Sysmon events.

python ~/bro-sysmon/sysmon-Broker.py 127.0.0.1 /tmp/WindowsSysmon.json

Now everything is up and running, and logs should be created in the /opt/bro/logs/current directory. Here's an example of the output.

The following events are made available in Zeek script land for handling Sysmon data, keyed by Sysmon Event ID.

Event ID 1: event process_created
Event ID 2: event process_change_file_time
Event ID 3: event sysmon_networkConnection
Event ID 5: event sysmon_procTerminate
Event ID 6: event sysmon_driverLoaded
Event ID 7: event sysmon_imageLoaded
Event ID 8: event sysmon_createRemoteThread
Event ID 9: event sysmon_rawAccessRead
Event ID 10: event sysmon_processAccess
Event ID 11: event sysmon_fileCreate
Event ID 12: event sysmon_registryEvent
Event ID 13: event sysmon_registryEvent
Event ID 14: event sysmon_registryEvent
Event ID 15: event sysmon_fileCreateStreamHash
Event ID 17 & 18: event sysmon_pipeEvent
Event ID 19: event sysmon_wmiEvent19
Event ID 20: event sysmon_wmiEvent20
Event ID 21: event sysmon_wmiEvent21
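The tail-and-map step that sysmon-Broker.py performs, written here as an added illustration rather than the project's own code: it reads only complete lines from the file Logstash writes (a line still being written is held back for the next read), keeps records from the Sysmon channel, and maps the Event ID to the Zeek event name from the list above. The winlogbeat field names (log_name, event_id, event_data), the SAMPLE records and the temp-file path are constructed assumptions, and the final Broker publish to Zeek is left to the page's script.

```python
import json
import os
import tempfile

# Sysmon Event ID -> Zeek event name, from the Bro-Sysmon list above.
SYSMON_EVENTS = {
    1: "process_created", 2: "process_change_file_time", 3: "sysmon_networkConnection",
    5: "sysmon_procTerminate", 6: "sysmon_driverLoaded", 7: "sysmon_imageLoaded",
    8: "sysmon_createRemoteThread", 9: "sysmon_rawAccessRead", 10: "sysmon_processAccess",
    11: "sysmon_fileCreate", 12: "sysmon_registryEvent", 13: "sysmon_registryEvent",
    14: "sysmon_registryEvent", 15: "sysmon_fileCreateStreamHash", 17: "sysmon_pipeEvent",
    18: "sysmon_pipeEvent", 19: "sysmon_wmiEvent19", 20: "sysmon_wmiEvent20", 21: "sysmon_wmiEvent21",
}
SYSMON_LOG = "Microsoft-Windows-Sysmon/Operational"

def read_new_lines(path, offset):
    """Complete lines appended after byte offset, plus the new offset; a trailing
    partial line (Logstash mid-write) is held back instead of parsed as bad JSON."""
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read()
    end = data.rfind(b"\n") + 1
    return data[:end].decode("utf-8", "replace").splitlines(), offset + end

def parse_line(line):
    """(zeek_event_name, event_data) for one winlogbeat record; None for malformed
    lines, other event log channels and Sysmon IDs that Bro-Sysmon does not map."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    if not isinstance(rec, dict) or rec.get("log_name") != SYSMON_LOG:
        return None
    name = SYSMON_EVENTS.get(rec.get("event_id"))
    return None if name is None else (name, rec.get("event_data", {}))

# Constructed sample: a Sysmon record, a non-Sysmon record and a half-written line.
SAMPLE = (b'{"log_name": "Microsoft-Windows-Sysmon/Operational", "event_id": 1, '
          b'"event_data": {"Image": "C:\\\\Windows\\\\System32\\\\cmd.exe"}}\n'
          b'{"log_name": "Security", "event_id": 4624, "event_data": {}}\n'
          b'{"log_name": "Microsoft-Windows-Sysmon/Operational", "event_id": 3, "event_d')

def demo():
    """Tail SAMPLE once from a temp file: parsed events plus the offset at which
    the partial line starts, which is where the next read would resume."""
    path = os.path.join(tempfile.mkdtemp(), "WindowsSysmon.json")
    with open(path, "wb") as f:
        f.write(SAMPLE)
    lines, offset = read_new_lines(path, 0)
    return [parse_line(l) for l in lines], offset
```

Calling read_new_lines again with the returned offset after Logstash finishes the third line yields the sysmon_networkConnection event.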

Conclusion

This guide provides a detailed description of how to stand up a build configured to monitor a virtual machine with Zeek. Every operating system build may differ, but the core components remain the same. Using this system, you can monitor a Windows host's activity and map that activity to network traffic. Be aware that there are techniques that can feed misleading data into this pipeline, so treat the host logs as one signal to corroborate against the network traffic rather than as ground truth. This integration provides access to logs that indicate process manipulation, and Bro-Sysmon provides access to much more than just Sysmon data: it provides access to all Windows Event Logs!