MITRE ATT&CK® Ransomware Module Deployment Guide - Import and Synchronize the Module
General Deployment Requirements
The deployment of this module assumes the following:
- The overall LogRhythm deployment is in a fully deployed and healthy state.
- LogRhythm version 7.2.1 or later is installed.
General Data Collection Requirements
When enabling the MITRE ATT&CK Ransomware Module rules in your environment, be aware of the following considerations regarding data collection. Detailed data collection requirements are included in the MITRE ATT&CK Ransomware Module User Guide:
- Detection of many of the adversarial techniques in the MITRE framework requires logging at the endpoint.
- Many of the detections require command-line parameter logging.
- Endpoint logging solutions must be configured to log the objects (such as processes, directories, and registry entries) cited in the AIE Rules.
Logging and Monitoring Configuration
Configure Command Line Parameter Logging
Command line parameter logging must be enabled for several of the AI Engine rules in the MITRE ATT&CK Ransomware Module. The following instructions explain how to enable command line parameter logging for the MS Windows Event Logging XML - Security and MS Windows Event Logging XML - Sysmon 8/9/10 log source types.
Command line parameter logging for MS Windows Event Logging XML - Security logs
Two group policy settings must be enabled in Microsoft Windows: Audit Process Creation and Include command line in process creation events.
- Audit Process Creation. Enable the following setting in Windows Group Policy:
- Policy Location: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking
- Policy Name: Audit Process Creation
- Include command line in Process Creation Events. Enable the following setting in Windows Group Policy:
- Policy Location: Computer Configuration > Administrative Templates > System > Audit Process Creation
- Policy Name: Include command line in process creation events
For more information, see https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing.
Command line parameter logging for MS Windows Event Logging XML - Sysmon logs
Microsoft Sysmon process creation events (Event ID 1) provide extended information about newly created processes, including their command line parameters.
Sysmon is configured via an XML configuration file which specifies include and exclude filters for the names of processes that will be logged.
If Microsoft Sysmon is already deployed in your organization, review the <ProcessCreate> section of your Sysmon configuration file and ensure that it does not exclude the process names cited in AI Engine Rules Log Sources section later in this document.
If Microsoft Sysmon is not deployed in your environment, the following resources can get you started:
- The installation files and configuration instructions for Microsoft Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- A starter Sysmon configuration file which includes the process creation logging necessary to trigger the AI Engine Rules from the MITRE ATT&CK Ransomware Module: https://github.com/LogRhythm-Labs/Microsoft-SysMon-config
Configure PowerShell Logging
PowerShell Script Block logging must be enabled for visibility into the PowerShell commands that are executed.
- Turn on PowerShell Script Block Logging. Enable the following setting in Windows Group Policy:
- Policy Location: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell
- Policy Name: Turn on PowerShell Script Block Logging
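The Group Policy settings above (Audit Process Creation with command line, and Script Block Logging) can also be set and, more importantly, verified from PowerShell. The following script is an added example for readers of this guide; it is not part of the LogRhythm module or of Microsoft's documentation. It assumes an elevated PowerShell session on a Windows host where local policy applies (on domain-joined hosts, set the same values through GPO and use only the two Test- functions, since Group Policy overrides local values). It checks the result by generating one process and one script block with a random marker and then looking for that marker in events 4688 and 4104.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the LogRhythm guide. Sets the local-policy equivalents of the
# Group Policy settings described above (an auditpol subcategory plus two policy registry
# values), then checks that 4688 events carry a CommandLine field and that 4104 script
# block events are written. On domain-joined hosts Group Policy overrides these local values.

function Enable-CommandLineAuditing {
    # Advanced Audit Policy > Detailed Tracking > Audit Process Creation
    auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
    # Administrative Templates > System > Audit Process Creation >
    # "Include command line in process creation events"
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord
}

function Enable-ScriptBlockLogging {
    # Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
}

function Test-CommandLineAuditing {
    # Start a process with a unique argument, then look for a 4688 event whose CommandLine contains it.
    $marker = 'lr-cmdline-' + [guid]::NewGuid().ToString('N')
    Start-Process -FilePath 'cmd.exe' -ArgumentList "/c echo $marker" -WindowStyle Hidden -Wait
    Start-Sleep -Seconds 2
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddMinutes(-5) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $xml = [xml]$e.ToXml()
        $cmd = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
        if ($cmd -like "*$marker*") { return $true }
    }
    return $false   # no 4688 at all, or 4688 without a command line (policy not in effect)
}

function Test-ScriptBlockLogging {
    # Run a recognisable script block in a fresh engine (which reads the new policy) and look for 4104.
    $marker = 'lr-scriptblock-' + [guid]::NewGuid().ToString('N')
    powershell.exe -NoProfile -Command "Write-Output '$marker'" | Out-Null
    Start-Sleep -Seconds 2
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddMinutes(-5) }
    $hit = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$marker*" }
    return [bool]$hit
}

Enable-CommandLineAuditing
Enable-ScriptBlockLogging
"4688 carries command line : $(Test-CommandLineAuditing)"
"4104 script block logging : $(Test-ScriptBlockLogging)"
```

A 4688 event that is present but has an empty CommandLine field is the usual sign that Audit Process Creation is on but the "Include command line" policy is not; the first test reports False in that case rather than treating the bare event as success.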
Configure Registry Monitoring
Registry Monitoring must be deployed and configured for several of the AI Engine rules in the MITRE ATT&CK Ransomware Module. The following instructions explain how to enable Registry Monitoring logging for the MS Windows Event Logging XML - Security, MS Windows Event Logging XML - Sysmon 8/9/10 and LogRhythm Registry Integrity Monitor log source types.
Registry Monitoring configuration for MS Windows Event Logging XML - Security logs
Configuring Registry Monitoring for the Windows Security logs is a two-step process: enable the group policy settings for Audit Registry and configure the Audit settings for the registry keys that you wish to monitor.
- Enable Audit Registry. Enable the following setting in Windows Group Policy:
- Policy Location: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access
- Policy Name: Audit Registry
- Configure the Audit Settings for the registry keys that you wish to monitor
- To configure Registry Auditing Settings, follow the guidance at: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-registry
Registry Monitoring configuration for MS Windows Event Logging XML - Sysmon logs
Microsoft Sysmon registry events (Event IDs 12, 13, and 14) provide information about registry keys and values being created, deleted, set, or renamed.
Sysmon is configured via an XML configuration file which specifies include and exclude filters for the registry key paths that will be monitored.
If Microsoft Sysmon is already deployed in your organization, review the <RegistryEvent> section of your Sysmon configuration file and ensure that it does not exclude the registry paths cited in AI Engine Rules Log Sources section later in this document.
If Microsoft Sysmon is not deployed in your environment, the following resources can get you started:
- The installation files and configuration instructions for Microsoft Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- A starter Sysmon configuration file which includes the Sysmon event logging necessary to trigger the AI Engine Rules from the MITRE ATT&CK Ransomware Module: https://github.com/LogRhythm-Labs/Microsoft-SysMon-config
Registry monitoring configuration for LogRhythm Registry Integrity Monitor logs
The LogRhythm System Monitor agent (LogRhythm SysMon, not to be confused with Microsoft Sysmon) includes the Registry Integrity Monitor feature.
Configure a Registry Integrity Monitor Policy to include the registry paths cited in the AI Engine Rules Log Sources table later in this document.
For information on the configuration of Registry Integrity Monitor, see the Registry Integrity Monitoring section in the LogRhythm SIEM Help, available under Documentation & Downloads on the LogRhythm Community.
Configure File Monitoring
File Monitoring must be deployed and configured for several of the AI Engine rules in the MITRE ATT&CK Ransomware Module. The following instructions explain how to enable File Monitoring logging for the MS Windows Event Logging XML - Security, MS Windows Event Logging XML - Sysmon 8/9/10, and LogRhythm File Monitor log source types.
File Monitoring configuration for MS Windows Event Logging XML - Security logs
Configuring File Monitoring for the Windows Security logs is a two-step process: enable the group policy settings for Audit File System and configure the Audit settings for the file system paths that you wish to monitor.
- Enable Audit File System. Enable the following setting in Windows Group Policy:
- Policy Location: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access
- Policy Name: Audit File System
- Configure the Audit Settings for the File System paths that you wish to monitor
- To configure File System Auditing Settings, follow the guidance at: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system
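Enabling Audit Registry and Audit File System is only half of the configuration: the Security log records 4657 (registry) and 4663 (file system) events only for objects that carry an audit entry in their SACL. The following PowerShell is an added example, not part of this guide or of the Microsoft documentation linked above; it shows how to add such entries for a registry key and a folder with the .NET audit-rule classes and how to list what is in place. The key, folder and identity values are placeholders; substitute the registry and file paths cited in the AI Engine Rules Log Sources section. It assumes an elevated session, since writing a SACL requires SeSecurityPrivilege.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the LogRhythm guide. "Audit Registry" and "Audit File System" only
# produce events (4657 / 4663) for objects that also carry an audit entry (SACL). The first two
# functions add such entries; the third lists them. Paths in the usage lines are placeholders.

function Add-RegistryAuditRule {
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [string]$Identity = 'Everyone'
    )
    # Audit value writes, new subkeys, deletes and ACL/owner changes; reads are left out to limit volume
    $rights  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]'None'
    $flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule($Identity, $rights, $inherit, $prop, $flags)

    $acl = Get-Acl -Path $KeyPath -Audit     # -Audit pulls the SACL so Set-Acl writes it back
    $acl.AddAuditRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Add-FileSystemAuditRule {
    param(
        [Parameter(Mandatory)][string]$FolderPath,
        [string]$Identity = 'Everyone'
    )
    # File creation, write/append, delete and ACL/owner changes, inherited by files and subfolders
    $rights  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]'None'
    $flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule($Identity, $rights, $inherit, $prop, $flags)

    $acl = Get-Acl -Path $FolderPath -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $FolderPath -AclObject $acl
}

function Get-AuditRules {
    param([Parameter(Mandatory)][string]$Path)
    # Explicit and inherited audit entries, resolved to account names
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, AuditFlags, IsInherited, @{
            Name       = 'Rights'
            Expression = { if ($_ -is [System.Security.AccessControl.RegistryAuditRule]) { $_.RegistryRights } else { $_.FileSystemRights } }
        }
}

# Local-policy equivalents of Object Access > Audit Registry / Audit File System
# (Group Policy overrides these on domain-joined hosts)
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Placeholder objects. A SACL on a busy path (for example all of C:\Windows) floods the Security log.
Add-RegistryAuditRule   -KeyPath    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Add-FileSystemAuditRule -FolderPath 'C:\Users\Public\Documents'
Get-AuditRules -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' | Format-Table -AutoSize
Get-AuditRules -Path 'C:\Users\Public\Documents' | Format-Table -AutoSize
```

Keep the audited rights narrow: auditing ReadKey or ReadData on a frequently accessed object generates far more 4657/4663 events than the AI Engine rules need and can crowd out the write and delete events they actually look for.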
File System Monitoring configuration for MS Windows Event Logging XML - Sysmon logs
Microsoft Sysmon file create events (Event ID 11) provide information about files being added to the file system.
Sysmon is configured via an XML configuration file which specifies include and exclude filters for the file system names and paths that will be monitored.
If Microsoft Sysmon is already deployed in your organization, review the <FileCreate> section of your Sysmon configuration file and ensure that it does not exclude the file paths cited in AI Engine Rules Log Sources section later in this document.
If Microsoft Sysmon is not deployed in your environment, the following resources can get you started:
- The installation files and configuration instructions for Microsoft Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- A starter Sysmon configuration file which includes the Sysmon event logging necessary to trigger the AI Engine Rules from the MITRE ATT&CK Ransomware Module: https://github.com/LogRhythm-Labs/Microsoft-SysMon-config
File System monitoring configuration for LogRhythm File Monitor logs
The LogRhythm System Monitor agent (LogRhythm SysMon, not to be confused with Microsoft Sysmon) includes the File Integrity Monitor feature.
Configure a File Integrity Monitor Policy to include the file system paths cited in the AI Engine Rules Log Sources table later in this document.
For information on the configuration of File Integrity Monitor, see the File Integrity Monitoring section in the LogRhythm SIEM Help, available under Documentation & Downloads on the LogRhythm Community.
Configure File Creation Time Monitoring
File Creation Time Changed configuration for MS Windows Event Logging XML - Sysmon logs
Microsoft Sysmon file creation time events (Event ID 2) provide information about file creation times being changed retroactively in the file system.
Sysmon is configured via an XML configuration file which specifies include and exclude filters for the file system names and paths that will be monitored.
If Microsoft Sysmon is already deployed in your organization, review the <FileCreateTime> section of your Sysmon configuration file and ensure that it does not exclude the file paths cited in AI Engine Rules Log Sources section later in this document.
If Microsoft Sysmon is not deployed in your environment, the following resources can get you started:
- The installation files and configuration instructions for Microsoft Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- A starter Sysmon configuration file which includes the Sysmon event logging necessary to trigger the AI Engine Rules from the MITRE ATT&CK Ransomware Module: https://github.com/LogRhythm-Labs/Microsoft-SysMon-config
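The reviews asked for in the ProcessCreate, RegistryEvent, FileCreate and FileCreateTime sections above are one check applied to four event types: does an onmatch="exclude" rule match an object the AI Engine Rules need to see? The following PowerShell is an added example, not part of this guide or of the LogRhythm-Labs configuration. The sample configuration and the object values it is run against are constructed for illustration (substitute the live configuration and the paths from the AI Engine Rules Log Sources section). Only the common Sysmon string conditions (is, is not, contains, begin with, end with, image) are modelled; rules with other conditions, and compound <Rule> blocks, are counted for manual review rather than silently ignored.

```powershell
# Added example, not from the LogRhythm guide or the LogRhythm-Labs config. Parses a Sysmon
# configuration and reports which of a list of objects would be dropped by an onmatch="exclude"
# rule for a chosen event type: ProcessCreate (Image), RegistryEvent (TargetObject),
# FileCreate and FileCreateTime (TargetFilename). Sample config and values are constructed.

$SampleConfig = @'
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="end with">vssadmin.exe</Image>
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
        <CommandLine condition="contains">--health-check</CommandLine>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="exclude">
        <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</TargetObject>
      </RegistryEvent>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="exclude">
        <TargetFilename condition="contains">\Temp\</TargetFilename>
      </FileCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileCreateTime onmatch="exclude">
        <Rule groupRelation="and">
          <Image condition="end with">OneDrive.exe</Image>
          <TargetFilename condition="contains">\OneDrive\</TargetFilename>
        </Rule>
      </FileCreateTime>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

function Test-SysmonExclusion {
    param(
        [Parameter(Mandatory)][xml]$Config,
        [Parameter(Mandatory)][ValidateSet('ProcessCreate','RegistryEvent','FileCreate','FileCreateTime')][string]$EventType,
        [Parameter(Mandatory)][string]$FieldName,      # Image, TargetObject or TargetFilename
        [Parameter(Mandatory)][string[]]$Values
    )
    # Exclude blocks sit either directly under EventFiltering (older schemas) or inside RuleGroup
    $blocks = $Config.SelectNodes("//EventFiltering//$EventType[@onmatch='exclude']")
    foreach ($value in $Values) {
        $hits = @(); $manual = 0
        foreach ($block in $blocks) {
            foreach ($rule in $block.ChildNodes) {
                if ($rule.NodeType -ne 'Element') { continue }
                if ($rule.LocalName -eq 'Rule') { $manual++; continue }   # compound rule: check by hand
                if ($rule.LocalName -ne $FieldName) { continue }          # rule on another field (e.g. CommandLine)
                $cond = if ($rule.HasAttribute('condition')) { $rule.GetAttribute('condition') } else { 'is' }
                $pat  = $rule.InnerText
                $match = switch ($cond) {   # Sysmon string comparisons are case-insensitive
                    'is'         { $value -ieq $pat }
                    'is not'     { $value -ine $pat }
                    'contains'   { $value.IndexOf($pat, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
                    'begin with' { $value.StartsWith($pat, [StringComparison]::OrdinalIgnoreCase) }
                    'end with'   { $value.EndsWith($pat, [StringComparison]::OrdinalIgnoreCase) }
                    'image'      { ($value -ieq $pat) -or ([IO.Path]::GetFileName($value) -ieq $pat) }
                    default      { $null }  # condition not modelled here
                }
                if ($null -eq $match) { $manual++ } elseif ($match) { $hits += "$cond '$pat'" }
            }
        }
        [pscustomobject]@{
            EventType         = $EventType
            Value             = $value
            Excluded          = ($hits.Count -gt 0)
            MatchedRules      = ($hits -join '; ')
            NeedsManualReview = $manual
        }
    }
}

$cfg = [xml]$SampleConfig   # live deployment: [xml](Get-Content 'C:\path\to\sysmonconfig.xml' -Raw)
# Placeholder objects standing in for those cited in the AI Engine Rules Log Sources section
Test-SysmonExclusion -Config $cfg -EventType ProcessCreate  -FieldName Image          -Values 'C:\Windows\System32\vssadmin.exe', 'C:\Windows\System32\bcdedit.exe' | Format-Table -AutoSize
Test-SysmonExclusion -Config $cfg -EventType RegistryEvent  -FieldName TargetObject   -Values 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater' | Format-Table -AutoSize
Test-SysmonExclusion -Config $cfg -EventType FileCreate     -FieldName TargetFilename -Values 'C:\Users\Public\Temp\note.txt', 'C:\Users\Public\README.txt' | Format-Table -AutoSize
Test-SysmonExclusion -Config $cfg -EventType FileCreateTime -FieldName TargetFilename -Values 'C:\Users\Public\README.txt' | Format-Table -AutoSize
```

Against the sample configuration, vssadmin.exe, the Run\Updater value and the \Temp\ file come back Excluded, bcdedit.exe and README.txt do not, and the FileCreateTime check reports one entry for manual review because of the compound <Rule>. A non-empty NeedsManualReview count, or exclude rules on fields other than the one tested (the CommandLine rule above), means the configuration may still suppress some instances of an object that this check reports as visible.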
Import and Synchronize the Module
The MITRE ATT&CK Ransomware Module is part of the LogRhythm Knowledge Base (KB). Updating the KB automatically creates the proper AI Engine Rules.
Make sure the MITRE ATT&CK Ransomware Module is imported and enabled, as described in this section.
In the Client Console, click the Tools menu, click Knowledge, and then click Knowledge Base Manager.
To open the Knowledge Base Manager, the Deployment Manager must be closed.
- Under Knowledge Base Modules, find the MITRE ATT&CK Ransomware Module. If the module is available, MITRE ATT&CK is visible in the grid.
- If the module name does not appear, update the Knowledge Base by doing either of the following:
- Automatic Download. Click Check for Knowledge Base Updates, and then click Synchronize Stored Knowledge Base.
- Manual Download. For manual download instructions, refer to “Import a Knowledge Base” in the LogRhythm Client Console Reference Guide, available under Documentation & Downloads in the LogRhythm Community.
- Locate the Enabled column in the grid. If the box is checked, the Module is already enabled and available to users in the SIEM deployment. If the Enabled box is not checked, enable the Module by selecting its Action check box, right-clicking the Module name, clicking Actions, and then clicking Enable Module.
- A dialog box appears to enable the selected module(s). Leave Enable Intelligent Indexing on Module Objects cleared unless you fully understand the effects of this setting. For more information, see Intelligent Indexing in the LogRhythm Client Console Reference Guide, available under Documentation & Downloads in the LogRhythm Community.