Full Report
Jordan Drysdale // Tl;dr: Many parsers have been written and several are referenced here. This blog describes a simple parser for Sysmon logs through Event ID (EID) 28 for Microsoft […]
Source: "Parsing Sysmon Logs on Microsoft Sentinel", Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: Sysmon Event ID 27/28 Parsing
## Overview
This summary covers the implementation and parsing of Sysmon logs, specifically Event IDs (EIDs) 27 and 28, within Microsoft Sentinel for improved monitoring and detection. EID 28 (FileBlockShredding) is raised when Sysmon blocks an attempt to overwrite and then delete (shred) a file; EID 27 (FileBlockExecutable) is raised when Sysmon blocks the creation or writing of an executable file. Both are block-and-log events, not passive audit records.
## Technical Details
- Type: Technique (Log Generation/Parsing)
- Platform: Windows (Requires Sysinternals Sysmon installed)
- Capabilities: Blocking executable file creation (EID 27) and file shredding (EID 28), with each block written to the Windows event log for SIEM collection. Parsing makes these events queryable and meaningful in Microsoft Sentinel.
- First Seen: The parser references documentation and updates up to March 1, 2023. Sysmon schema version 4.83 is cited as of December 23, 2022, a schema that includes both the FileBlockExecutable and FileBlockShredding event types.
## MITRE ATT&CK Mapping
The technique is defensive: it blocks and logs adversary actions that would otherwise remove evidence from disk.
- **TA0005 - Defense Evasion** (EID 28 blocks the shredding an adversary would use to cover tracks)
- **T1070 - Indicator Removal on Host** (renamed to Indicator Removal in current ATT&CK versions)
- **T1070.004 - File Deletion** (the EID 28 configuration specifically targets file shredding attempts; EID 27 blocks executable file writes and is a complementary control rather than a File Deletion detection)
## Functionality
### Core Capabilities
- **Sysmon Configuration:** Using a modular Sysmon configuration (e.g., Olaf Hartong's sysmon-modular) to enable FileBlockExecutable (EID 27) and FileBlockShredding (EID 28) rules, scoped by TargetFilename.
- **Event Logging:** Sysmon writes EIDs 27 and 28 to the Microsoft-Windows-Sysmon/Operational channel, which the log collection agent forwards to the Log Analytics workspace backing Microsoft Sentinel.
- **Log Parsing:** A custom KQL function (e.g., named `SysmonParser`) in Sentinel extracts the per-event fields (RuleName, User, Image, TargetFilename, Hashes) from the raw Sysmon record so that EIDs 27 and 28 become queryable columns rather than an opaque event payload.
### Advanced Features
- **File Shredding Prevention:** The demonstrated configuration blocked SDelete (a Sysinternals secure-delete utility) from shredding files under `C:\Users\*\Downloads`, producing EID 28 records instead of a successful wipe.
- **Scoped Enforcement:** Because EID 27/28 rules block as well as log, the include rules were restricted to specific directories such as `C:\Users\*\Downloads`; a broad scope would enforce against normal file activity everywhere on the host.
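The scoping described above, as an added configuration example. This is not the sysmon-modular or BHIS configuration; it is a minimal Sysmon config written here to show which rule types produce EIDs 27 and 28 and how the TargetFilename include rule limits both the logging and the enforcement to Downloads folders. The rule `name` values and the `\Downloads\` match string are this example's choices.

```xml
<!-- Added example, not the sysmon-modular or BHIS configuration.
     Enables EID 27 (FileBlockExecutable) and EID 28 (FileBlockShredding)
     only for paths containing \Downloads\. Both rule types BLOCK the
     operation as well as log it, so the include scope is the enforcement scope. -->
<Sysmon schemaversion="4.83">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- EID 27: an executable written into a Downloads folder is blocked and logged.
           Caveat: this also blocks legitimate downloaded installers; scope accordingly. -->
      <FileBlockExecutable onmatch="include">
        <TargetFilename name="Downloads executable block" condition="contains">\Downloads\</TargetFilename>
      </FileBlockExecutable>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- EID 28: an overwrite-then-delete (shred) of a file under Downloads is blocked and logged.
           The rule name is surfaced in the event's RuleName field for ATT&CK tagging. -->
      <FileBlockShredding onmatch="include">
        <TargetFilename name="technique_id=T1070.004,technique_name=File Deletion" condition="contains">\Downloads\</TargetFilename>
      </FileBlockShredding>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Apply it with `sysmon64.exe -c <file>` on a host already running Sysmon, and confirm with `sysmon64.exe -s` that the installed binary reports a schema at least as new as the `schemaversion` in the file; an older Sysmon rejects unknown rule types such as FileBlockShredding.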
## Indicators of Compromise
(This section focuses on the configuration/events generated, not typical malware IOCs.)
- File Hashes: N/A (Focus is on configuration and parsing)
- File Names: `SDelete.exe` (used in demonstration of blocked action)
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators:
- An EID 27 record: Sysmon blocked creation or writing of an executable file matching the rule.
- An EID 28 record: Sysmon blocked a shredding attempt matching the rule; the Image and TargetFilename fields identify the tool and the file it targeted.
## Associated Threat Actors
- Associated threat actors are not specified, as the article details a defensive configuration and parsing technique rather than a specific threat actor operation. The technique is defensive against potential adversary actions like Indicator Removal/File Deletion.
## Detection Methods
- **Signature-based detection:** N/A. The events are structured Sysmon records, so detection is a query over the parsed fields (Image, TargetFilename, User) rather than a byte signature.
- **Behavioral detection:** Alert on any Sysmon EID 27 or 28 in the collected event stream; each record is an action Sysmon already blocked, so volume is low and every record merits review.
- **YARA rules if available:** N/A
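The Log Parsing capability listed under Core Capabilities and the behavioral detection above, as one added KQL example. This is not the blog's `SysmonParser`; it is a parser function written here for the legacy `Event` table, where the Log Analytics agent stores each Sysmon record with its fields in the `EventData` column as `<DataItem><EventData><Data Name="...">value</Data>...</EventData></DataItem>` XML (that table shape, and the function name `SysmonFileBlockParser`, are this example's assumptions). The field names are the documented Sysmon FileBlockExecutable and FileBlockShredding fields. The query at the end ranks the processes whose shredding attempts were blocked.

```kql
// Added example, not the blog's SysmonParser. Assumes Sysmon events are collected
// into the Event table with EventData holding the <DataItem><EventData><Data .../>
// XML payload (Log Analytics agent shape).
let SysmonFileBlockParser = (start:datetime) {
    Event
    | where TimeGenerated >= start
    | where Source == "Microsoft-Windows-Sysmon"
    | where EventID in (27, 28)
    | extend EvData = parse_xml(EventData)
    // Each <Data Name="X">v</Data> element becomes {"@Name":"X","#text":"v"}
    | mv-expand Data = EvData.DataItem.EventData.Data
    | extend FieldName = tostring(Data["@Name"]), FieldValue = tostring(Data["#text"])
    // Group by the raw EventData as well, so two events sharing timestamp, host and
    // EventID are not merged into one property bag.
    | summarize Fields = make_bag(bag_pack(FieldName, FieldValue))
        by TimeGenerated, Computer, EventID, EventData
    | extend EventType = case(EventID == 27, "FileBlockExecutable",
                              EventID == 28, "FileBlockShredding",
                              "Unknown"),
             RuleName       = tostring(Fields.RuleName),
             UtcTime        = tostring(Fields.UtcTime),
             User           = tostring(Fields.User),
             Image          = tostring(Fields.Image),
             TargetFilename = tostring(Fields.TargetFilename),
             Hashes         = tostring(Fields.Hashes),
             ProcessGuid    = tostring(Fields.ProcessGuid),
             ProcessId      = toint(Fields.ProcessId),
             IsExecutable   = tostring(Fields.IsExecutable)  // EID 28 only; empty for EID 27
    | project-away Fields, EventData
};
// Usage: rank processes whose shredding attempts were blocked in the last 7 days.
// A process named sdelete* is the SDelete demonstration case, not the only shredder,
// so every row is reviewed; the name match only orders the review.
SysmonFileBlockParser(ago(7d))
| where EventID == 28
| extend ImageName = tolower(extract(@"([^\\]+)$", 1, Image))
| summarize Attempts  = count(),
            Targets   = make_set(TargetFilename, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
    by Computer, User, Image, ImageName
| extend Priority = iff(ImageName startswith "sdelete", "review first", "review")
| order by Attempts desc
```

To make the parser reusable, save the `let` body as a Sentinel function with a `start` parameter and call it from analytics rules; the summarize on `EventData` is deliberate, since grouping only on `TimeGenerated`, `Computer` and `EventID` silently merges events that land in the same millisecond. If the workspace collects Sysmon through a different path (for example a custom table), the `Event` column names and the XML shape must be checked before relying on the field extraction.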
## Mitigation Strategies
- **Prevention Measures:** Deploy a Sysmon configuration (e.g., built from Olaf Hartong's sysmon-modular) with FileBlockExecutable and FileBlockShredding rules so that adversary attempts to drop executables or shred files are blocked and logged as EIDs 27 and 28.
- **Hardening Recommendations:** Confirm that the log collection agent (Log Analytics agent or Azure Monitor Agent) collects the Microsoft-Windows-Sysmon/Operational channel into the workspace, and use the custom parser function (`SysmonParser`) so that analysts and analytics rules query named fields rather than raw event data.
## Related Tools/Techniques
- Sysinternals Sysmon
- Olaf Hartong's Sysmon Modular (Configuration Generator)
- Microsoft Sentinel (SIEM/Log Analytics Workspace)
- SDelete (Sysinternals secure-delete tool used to demonstrate the EID 28 block)