Descargamos el paquete el cual nos instalará la key GPG del repositorio de Microsoft
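# Fetch Microsoft's repository-configuration package for this Ubuntu release and install it
# (per the note above, it installs the repository's GPG key). The two commands are chained
# with && so that dpkg never runs after a failed download: wget -q hides the error and, with
# -O, can leave an empty output file behind. dpkg -i runs the package's maintainer scripts as
# root, so verify the downloaded .deb before installing it.
wget -q "https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packages-microsoft-prod.deb" -O packages-microsoft-prod.deb \
  && sudo dpkg -i packages-microsoft-prod.deb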
Instalamos el software
# Refresh the package index so the Microsoft repository added above is visible to apt.
sudo apt-get update
# sysinternalsebpf is installed first; sysmonforlinux appears to rely on it for its eBPF
# tracing (confirm against the package's declared dependencies).
sudo apt-get install sysinternalsebpf
sudo apt-get install sysmonforlinux
Creamos el fichero
# Create the Sysmon rule file under /opt/sysmon. The configuration is read with root
# privileges when Sysmon is installed (next step), so keep the file root-owned and not
# writable by other users: whoever can edit it can silence the rules it contains.
vi /opt/sysmon/sysmonconfig.xml
Agregamos la configuración
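<Sysmon schemaversion="4.81">
  <!--
    Sysmon for Linux configuration, schema 4.81.

    Every RuleGroup below is onmatch="include": only FileCreate / ProcessCreate events that
    match one of the rules are written to syslog, everything else is dropped. Each Rule
    carries a MITRE ATT&CK technique in its name, and that name is copied into the RuleName
    field of the emitted event. RuleName is truncated in the output (the sample event on this
    page shows "Command and Scriptin"), so the TechniqueID is kept at the front of the name.

    Image matching: on hosts with a merged /usr the binary path is reported under /usr/bin
    (the sample events on this page show /usr/bin/dash for "sh"), so an exact "is" match on
    /bin/dd or /bin/touch never fires there. Those rules use "end with" instead, which still
    matches the /bin/ form.
  -->
  <EventFiltering>

    <!-- FileCreate: writes to persistence locations, plus files created by download tools -->
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="include">
        <!-- init scripts -->
        <Rule name="TechniqueID=T1037,TechniqueName=Boot or Logon Initialization Scripts" groupRelation="or">
          <TargetFilename condition="begin with">/etc/init/</TargetFilename>
          <TargetFilename condition="begin with">/etc/init.d/</TargetFilename>
          <TargetFilename condition="begin with">/etc/rc.d/</TargetFilename>
        </Rule>
      </FileCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="include">
        <!-- system and per-user cron files -->
        <Rule name="TechniqueID=T1053.003,TechniqueName=Scheduled Task/Job: Cron" groupRelation="or">
          <TargetFilename condition="is">/etc/cron.allow</TargetFilename>
          <TargetFilename condition="is">/etc/cron.deny</TargetFilename>
          <TargetFilename condition="is">/etc/crontab</TargetFilename>
          <TargetFilename condition="begin with">/etc/cron.d/</TargetFilename>
          <TargetFilename condition="begin with">/etc/cron.daily/</TargetFilename>
          <TargetFilename condition="begin with">/etc/cron.hourly/</TargetFilename>
          <TargetFilename condition="begin with">/etc/cron.monthly/</TargetFilename>
          <TargetFilename condition="begin with">/etc/cron.weekly/</TargetFilename>
          <TargetFilename condition="begin with">/var/spool/cron/crontabs/</TargetFilename>
        </Rule>
      </FileCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="include">
        <!-- any file created by a common download tool, wherever it lands -->
        <Rule name="TechniqueID=T1105,TechniqueName=Ingress Tool Transfer" groupRelation="or">
          <Image condition="end with">wget</Image>
          <Image condition="end with">curl</Image>
          <Image condition="end with">ftpget</Image>
          <Image condition="end with">tftp</Image>
          <Image condition="end with">lwp-download</Image>
        </Rule>
      </FileCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="include">
        <!-- systemd unit directories; the first two prefixes have no trailing slash, so
             /etc/systemd/system.conf and similar sibling files are matched as well -->
        <Rule name="TechniqueID=T1543.002,TechniqueName=Create or Modify System Process: Systemd Service" groupRelation="or">
          <TargetFilename condition="begin with">/etc/systemd/system</TargetFilename>
          <TargetFilename condition="begin with">/usr/lib/systemd/system</TargetFilename>
          <TargetFilename condition="begin with">/run/systemd/system/</TargetFilename>
          <TargetFilename condition="contains">/systemd/user/</TargetFilename>
        </Rule>
      </FileCreate>
    </RuleGroup>

    <!-- ProcessCreate: suspicious command lines and tools -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- groupRelation="and": all five conditions must hold, i.e. a non-interactive ssh
             invocation (host-key checking disabled) whose command line also mentions wget
             or curl -->
        <Rule name="TechniqueID=T1021.004,TechniqueName=Remote Services: SSH" groupRelation="and">
          <Image condition="end with">ssh</Image>
          <CommandLine condition="contains">ConnectTimeout=</CommandLine>
          <CommandLine condition="contains">BatchMode=yes</CommandLine>
          <CommandLine condition="contains">StrictHostKeyChecking=no</CommandLine>
          <CommandLine condition="contains any">wget;curl</CommandLine>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- any dd with an if= argument; "end with" so /usr/bin/dd matches too (see header).
             Overlaps with the T1485 dd rule below, which can fire on the same event -->
        <Rule name="TechniqueID=T1027.001,TechniqueName=Obfuscated Files or Information: Binary Padding" groupRelation="and">
          <Image condition="end with">/bin/dd</Image>
          <CommandLine condition="contains all">dd;if=</CommandLine>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- command lines that reference the login accounting records -->
        <Rule name="TechniqueID=T1033,TechniqueName=System Owner/User Discovery" groupRelation="or">
          <CommandLine condition="contains">/var/run/utmp</CommandLine>
          <CommandLine condition="contains">/var/log/btmp</CommandLine>
          <CommandLine condition="contains">/var/log/wtmp</CommandLine>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- every crontab invocation, including read-only listing -->
        <Rule name="TechniqueID=T1053.003,TechniqueName=Scheduled Task/Job: Cron" groupRelation="or">
          <Image condition="end with">crontab</Image>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- every shell start. This is high volume: the sample output on this page shows it
             firing for routine "sh -c" commands spawned by the monitoring agent. Tune with an
             exclude group for known parents before relying on it for alerting -->
        <Rule name="TechniqueID=T1059.004,TechniqueName=Command and Scripting Interpreter: Unix Shell" groupRelation="or">
          <Image condition="end with">/bin/bash</Image>
          <Image condition="end with">/bin/dash</Image>
          <Image condition="end with">/bin/sh</Image>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- touch with its reference-file or explicit-time options; "end with" so
             /usr/bin/touch matches too (see header) -->
        <Rule name="TechniqueID=T1070.006,TechniqueName=Indicator Removal on Host: Timestomp" groupRelation="and">
          <Image condition="end with">/bin/touch</Image>
          <CommandLine condition="contains any">-r;--reference;-t;--time</CommandLine>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- command lines that reference local account and sudo policy files -->
        <Rule name="TechniqueID=T1087.001,TechniqueName=Account Discovery: Local Account" groupRelation="or">
          <CommandLine condition="contains">/etc/passwd</CommandLine>
          <CommandLine condition="contains">/etc/sudoers</CommandLine>
          <CommandLine condition="contains">/etc/sudoers.d/</CommandLine>
          <CommandLine condition="contains">/etc/group</CommandLine>
          <CommandLine condition="contains">/etc/gshadow</CommandLine>
          <CommandLine condition="contains">/etc/security/opasswd</CommandLine>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- same tool list as the FileCreate rule above, here on process start -->
        <Rule name="TechniqueID=T1105,TechniqueName=Ingress Tool Transfer" groupRelation="or">
          <Image condition="end with">wget</Image>
          <Image condition="end with">curl</Image>
          <Image condition="end with">ftpget</Image>
          <Image condition="end with">tftp</Image>
          <Image condition="end with">lwp-download</Image>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- groupRelation="and": needs an aplay image AND "arecord" on the command line, so a
             plain arecord invocation by itself does not match. Confirm this is the intent -->
        <Rule name="TechniqueID=T1123,TechniqueName=Audio Capture" groupRelation="and">
          <Image condition="contains">/bin/aplay</Image>
          <CommandLine condition="contains">arecord</CommandLine>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- account creation tools -->
        <Rule name="TechniqueID=T1136.001,TechniqueName=Create Account: Local Account" groupRelation="or">
          <Image condition="end with">useradd</Image>
          <Image condition="end with">adduser</Image>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- a root shell (logon id 0) started from the SCX agent's temp directory; all four
             conditions must hold -->
        <Rule name="TechniqueID=T1203,TechniqueName=Exploitation for Client Execution" groupRelation="and">
          <User condition="is">root</User>
          <LogonId condition="is">0</LogonId>
          <CurrentDirectory condition="is">/var/opt/microsoft/scx/tmp</CurrentDirectory>
          <CommandLine condition="contains">/bin/sh</CommandLine>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- dd writing zeros or null input to an output target; "end with" so /usr/bin/dd
             matches too (see header) -->
        <Rule name="TechniqueID=T1485,TechniqueName=Data Destruction" groupRelation="and">
          <Image condition="end with">/bin/dd</Image>
          <CommandLine condition="contains all">dd;of=;if=</CommandLine>
          <CommandLine condition="contains any">if=/dev/zero;if=/dev/null</CommandLine>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- discovery commands whose parent is a web server process (or node/dash) -->
        <Rule name="TechniqueID=T1505.003,TechniqueName=Server Software Component: Web Shell" groupRelation="and">
          <Image condition="contains any">whoami;ifconfig;/usr/bin/ip;/bin/uname</Image>
          <ParentImage condition="contains any">httpd;lighttpd;nginx;apache2;node;dash</ParentImage>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- matches images ending in "systemd" only; "systemctl" does not, so service
             enable/start commands are not covered here (unit-file writes are covered by the
             FileCreate rule above) -->
        <Rule name="TechniqueID=T1543.002,TechniqueName=Create or Modify System Process: Systemd Service" groupRelation="or">
          <Image condition="end with">systemd</Image>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- chmod/chown are real binaries; most of the remaining names look like syscall or
             libc function names rather than executables, so a ProcessCreate Image match on
             them is unlikely to ever fire. Confirm the intent or replace them with the
             programs actually expected -->
        <Rule name="TechniqueID=T1548.001,TechniqueName=Abuse Elevation Control Mechanism: Setuid and Setgid" groupRelation="or">
          <Image condition="end with">chmod</Image>
          <Image condition="end with">chown</Image>
          <Image condition="end with">fchmod</Image>
          <Image condition="end with">fchmodat</Image>
          <Image condition="end with">fchown</Image>
          <Image condition="end with">fchownat</Image>
          <Image condition="end with">fremovexattr</Image>
          <Image condition="end with">fsetxattr</Image>
          <Image condition="end with">lchown</Image>
          <Image condition="end with">lremovexattr</Image>
          <Image condition="end with">lsetxattr</Image>
          <Image condition="end with">removexattr</Image>
          <Image condition="end with">setuid</Image>
          <Image condition="end with">setgid</Image>
          <Image condition="end with">setreuid</Image>
          <Image condition="end with">setregid</Image>
        </Rule>
      </ProcessCreate>
    </RuleGroup>

  </EventFiltering>
</Sysmon>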
Cargamos la configuración
# Install Sysmon with the rule file, accepting the EULA non-interactively. The path is
# relative, so run this from /opt/sysmon or pass /opt/sysmon/sysmonconfig.xml. The output
# below shows a systemd unit being registered, which requires root: run as root or with sudo
# like the earlier commands.
sysmon -accepteula -i sysmonconfig.xml
Sysmon v1.0.2 - Monitors system events
Sysinternals - www.sysinternals.com
By Mark Russinovich, Thomas Garnier and Kevin Sheldrake
Copyright (C) 2014-2021 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Loading configuration file with schema version 4.81
Configuration file validated.
Created symlink /etc/systemd/system/multi-user.target.wants/sysmon.service → /etc/systemd/system/sysmon.service.
Comprobamos el correcto funcionamiento de sysmon
# Follow syslog and decode the Sysmon records into readable events. Only the viewer runs
# under sudo; tail runs as the invoking user, who therefore needs read access to
# /var/log/syslog (otherwise put sudo on the tail side as well).
tail -f /var/log/syslog | sudo /opt/sysmon/sysmonLogView
Event SYSMONEVENT_PROCESS_TERMINATE
RuleName: -
UtcTime: 2022-04-29 08:30:22.380
ProcessGuid: {439e28f7-a21e-626b-8462-420000000000}
ProcessId: 14892
Image: /opt/omi/bin/omicli
User: omsagent
Event SYSMONEVENT_PROCESS_TERMINATE
RuleName: -
UtcTime: 2022-04-29 08:30:22.381
ProcessGuid: {439e28f7-a21e-626b-8462-420000000000}
ProcessId: 14892
Image: /opt/omi/bin/omicli
User: omsagent
Event SYSMONEVENT_PROCESS_TERMINATE
RuleName: -
UtcTime: 2022-04-29 08:30:22.381
ProcessGuid: {439e28f7-a21e-626b-81cf-610d18560000}
ProcessId: 14893
Image: /usr/bin/grep
User: omsagent
Event SYSMONEVENT_PROCESS_TERMINATE
RuleName: -
UtcTime: 2022-04-29 08:30:22.381
ProcessGuid: {439e28f7-a21e-626b-f547-1da522560000}
ProcessId: 14890
Image: /usr/bin/dash
User: omsagent
Event SYSMONEVENT_CREATE_PROCESS
RuleName: TechniqueID=T1059.004,TechniqueName=Command and Scriptin
UtcTime: 2022-04-29 08:30:22.872
ProcessGuid: {439e28f7-a21e-626b-f5b7-0f4771550000}
ProcessId: 14895
Image: /usr/bin/dash
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
CommandLine: sh -c /opt/omi/bin/omicli wql root/scx "SELECT PercentUserTime, PercentPrivilegedTime, UsedMemory, PercentUsedMemory FROM SCX_UnixProcessStatisticalInformation where Handle='1192'" | grep =
CurrentDirectory: /
User: omsagent
LogonGuid: {439e28f7-0000-0000-e403-000000000000}
LogonId: 996
TerminalSessionId: 4294967295
IntegrityLevel: no level
Hashes: -
ParentProcessGuid: {00000000-0000-0000-0000-000000000000}
ParentProcessId: 1132
ParentImage: -
ParentCommandLine: -
ParentUser: -
Event SYSMONEVENT_PROCESS_TERMINATE
RuleName: -
UtcTime: 2022-04-29 08:30:22.882
ProcessGuid: {439e28f7-a21e-626b-8462-420000000000}
ProcessId: 14896
Image: /opt/omi/bin/omicli
User: omsagent
Event SYSMONEVENT_PROCESS_TERMINATE
RuleName: -
UtcTime: 2022-04-29 08:30:22.883
ProcessGuid: {439e28f7-a21e-626b-8462-420000000000}
ProcessId: 14896
Image: /opt/omi/bin/omicli
User: omsagent
Event SYSMONEVENT_PROCESS_TERMINATE
RuleName: -
UtcTime: 2022-04-29 08:30:22.883
ProcessGuid: {439e28f7-a21e-626b-811f-61c02e560000}
ProcessId: 14897
Image: /usr/bin/grep
User: omsagent
Event SYSMONEVENT_PROCESS_TERMINATE
RuleName: -
UtcTime: 2022-04-29 08:30:22.883
ProcessGuid: {439e28f7-a21e-626b-f5b7-0f4771550000}
ProcessId: 14895
Image: /usr/bin/dash
User: omsagent
Event SYSMONEVENT_PROCESS_TERMINATE
RuleName: -
UtcTime: 2022-04-29 08:30:25.884
ProcessGuid: {439e28f7-7414-626b-0cfd-d7ee18560000}
ProcessId: 1132
Image: /opt/microsoft/omsagent/ruby/bin/ruby
User: omsagent
Por último, configuramos los parsers, los cuales podemos encontrar en: https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/ASim%20Sysmon%20for%20Linux
Más información