Configure Windows endpoints
Configure your Windows endpoints for use with the IBM Security QRadar Endpoint Content Extension.
Procedure
- Install and configure Sysmon on your Windows endpoints.
- Download Sysmon from https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon.
- Extract the .zip file.
- Download the Sysmon configuration from SwiftonSecurity (https://github.com/SwiftOnSecurity/sysmon-config) to the same directory to which you downloaded Sysmon.
- Tune Sysmon Event ID 1 in the configuration to exclude any processes you don't want to monitor.
- Tune Sysmon Event ID 7 (image load) in the configuration to include the images (.dll files) that you want to monitor. Monitoring image loads can cause a high system load, so include only the specific images you need rather than logging every load.
- Tune Sysmon Event ID 12, 13 and 14 (registry key create/delete, value set, and rename) in the configuration to include common UAC bypass registry keys by adding the following rules to the existing RegistryEvent include filter. Sysmon accepts only one include filter per event type, so add the TargetObject rules to the RegistryEvent include block that the configuration already contains rather than adding a second block.
    <!-- Registry Events for UAC Bypass Rules -->
    <RegistryEvent onmatch="include">
      <TargetObject condition="contains">\Environment\</TargetObject> <!-- Watch for any changes to user or system environment variables -->
      <TargetObject condition="contains">\CurVer</TargetObject> <!-- CurVer variable, uses handlers from the specified progid -->
      <TargetObject condition="contains">\URL Protocol</TargetObject> <!-- URL Protocol variable, creates an association with another progid, whose handlers can be used -->
      <TargetObject condition="contains">\ICM\Calibration</TargetObject> <!-- Display Calibration registry key, used with the IColorDataProxy auto-elevated interface -->
    </RegistryEvent>
- Install Sysmon with the configuration.
- For a 32-bit system, navigate to the directory that you downloaded Sysmon to and type the following command:
sysmon.exe -accepteula -i sysmonconfig-export.xml
- For a 64-bit system, navigate to the directory that you downloaded Sysmon to and type the following command:
sysmon64.exe -accepteula -i sysmonconfig-export.xml
- Enable audit process tracking in Local Security Policy (Security Settings > Local Policies > Audit Policy > Audit process tracking). This produces Windows Security event ID 4688 for every process start. To also record the command line in those events, enable "Include command line in process creation events" under Administrative Templates > System > Audit Process Creation.
- Enable PowerShell auditing with Script Block Logging (Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging). Script blocks are written as event ID 4104 to the Microsoft-Windows-PowerShell/Operational log.
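The following script automates the whole procedure above on a single endpoint. It is an added example and is not part of the IBM page, Sysmon, or the SwiftOnSecurity project; it assumes the direct Sysmon download URL, the raw GitHub URL of sysmonconfig-export.xml, and the working directory C:\Tools\Sysmon. The registry policy values it sets are the ones that the Local Security Policy and Group Policy settings named in the steps above write; the Process Creation audit subcategory is addressed by its GUID so that the auditpol call does not depend on the system language.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the IBM page or the Sysmon/SwiftOnSecurity projects).
# Assumptions: internet access, $WorkDir is writable, and the two download URLs below.
$ErrorActionPreference = 'Stop'
$WorkDir    = 'C:\Tools\Sysmon'                                   # assumed working directory
$SysmonZip  = 'https://download.sysinternals.com/files/Sysmon.zip' # assumed direct download URL
$ConfigUrl  = 'https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml'
$ConfigPath = Join-Path $WorkDir 'sysmonconfig-export.xml'

# 1. Download and extract Sysmon, then download the SwiftOnSecurity configuration.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Invoke-WebRequest -Uri $SysmonZip -OutFile (Join-Path $WorkDir 'Sysmon.zip')
Expand-Archive -Path (Join-Path $WorkDir 'Sysmon.zip') -DestinationPath $WorkDir -Force
Invoke-WebRequest -Uri $ConfigUrl -OutFile $ConfigPath

# 2. Add the UAC-bypass registry keys from the page to the RegistryEvent include filter.
#    Sysmon accepts one include filter per event type, so the rules are appended to the
#    existing <RegistryEvent onmatch="include"> block instead of adding a second block.
[xml]$cfg = Get-Content -Path $ConfigPath -Raw
$include = $cfg.SelectSingleNode("//RegistryEvent[@onmatch='include']")
if (-not $include) { throw "No RegistryEvent include filter found in $ConfigPath" }
$uacKeys = @(
    @{ Key = '\Environment\';    Note = 'user or system environment variables' },
    @{ Key = '\CurVer';          Note = 'CurVer, uses handlers from the specified progid' },
    @{ Key = '\URL Protocol';    Note = 'URL Protocol association with another progid' },
    @{ Key = '\ICM\Calibration'; Note = 'display calibration key, IColorDataProxy auto-elevated interface' }
)
foreach ($k in $uacKeys) {
    # Skip keys the configuration already watches, so re-running the script is idempotent.
    if ($include.SelectSingleNode("TargetObject[.='$($k.Key)']")) { continue }
    $node = $cfg.CreateElement('TargetObject')
    $node.SetAttribute('condition', 'contains')
    $node.InnerText = $k.Key
    $include.AppendChild($node) | Out-Null
    $include.AppendChild($cfg.CreateComment(" $($k.Note) ")) | Out-Null
}
$cfg.Save($ConfigPath)

# 3. Install Sysmon with the configuration, picking the binary for the OS architecture.
#    On a host where Sysmon is already installed, -c updates the configuration instead.
$exe    = if ([Environment]::Is64BitOperatingSystem) { 'Sysmon64.exe' } else { 'Sysmon.exe' }
$sysmon = Join-Path $WorkDir $exe
if (Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue) {
    & $sysmon -accepteula -c $ConfigPath
} else {
    & $sysmon -accepteula -i $ConfigPath
}

# 4. Audit process tracking: Process Creation subcategory (Security event 4688) by GUID,
#    plus the policy value that includes the command line in those events.
auditpol.exe /set /subcategory:'{0CCE922B-69AE-11D9-BED3-505054503030}' /success:enable /failure:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 5. PowerShell Script Block Logging (Microsoft-Windows-PowerShell/Operational event 4104).
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sblKey -Force | Out-Null
Set-ItemProperty -Path $sblKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 6. Verify: dump the active Sysmon configuration, the audit setting, and the newest events.
& $sysmon -c
auditpol.exe /get /subcategory:'{0CCE922B-69AE-11D9-BED3-505054503030}'
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 3 |
    Select-Object TimeCreated, Id, ProviderName
```

Run the script from an elevated PowerShell session. After it completes, the Sysmon events (including the new registry-event rules), the 4688 process creation events with command lines, and the 4104 script block events are all available for the QRadar WinCollect agent to forward.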