Post-breach, the number one failure is insufficient logging. Sysmon on Windows, auditd on Linux, and macOS Unified Logging generate the telemetry needed to detect privilege escalation, lateral movement, and persistence. This lesson teaches you to configure detailed auditing, ship logs to a SIEM, and create detection rules that catch real-world attack patterns—not just noise.
Sysmon (System Monitor) is a Windows service that logs detailed process creation (Event ID 1), network connections (3), file creation (11), and much more. A well-tuned Sysmon configuration (e.g., SwiftOnSecurity's template) cuts noise and highlights suspicious activity. Deploy via GPO or SCCM. Use Sysmon logs to detect process hollowing, credential dumping, and lateral movement via PsExec.
After installation, Event Viewer → Applications and Services Logs/Microsoft/Windows/Sysmon/Operational will populate with telemetry.
auditd can log system calls, file accesses, and user commands based on rules in /etc/audit/rules.d/. Add rules to monitor sensitive files (-w /etc/shadow -p wa), track privilege escalation (-a always,exit -S execve -F euid=0), and log changes to critical configs. Use 'auditctl -l' to list rules. Ship logs to a central server using audispd plugins. auditd is essential for detecting root actions.
# Add audit rules to monitor /etc/passwd and execve as root
# (rules loaded with auditctl do not survive a reboot; persist them in /etc/audit/rules.d/)
sudo auditctl -w /etc/passwd -p wa -k passwd_changes
sudo auditctl -a always,exit -F arch=b64 -S execve -F euid=0 -k root_commands
sudo auditctl -l # verify rules loaded

💡 Use the 'ausearch' tool to query audit logs: 'ausearch -k root_commands' to see all root executions. Combine with 'aureport' for summaries.
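A detection rule over the two keys set above, as an added example that is not part of the lesson: a small Python parser that reads auditd SYSCALL records and flags (a) an execve with euid=0 from a session whose login UID (auid) is an ordinary user, i.e. a non-root login that became root, and (b) any write hitting the passwd_changes watch. The log records are constructed to resemble auditd output and are not real captures.

```python
import re
from typing import Dict, List

# auditd key=value tokens; values may be double-quoted, e.g. comm="bash".
_TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')

# auditd stamps daemons and pre-login processes with this "unset" login UID;
# root work from such a session is not an escalation from a user login.
AUID_UNSET = 4294967295


def parse_record(line: str) -> Dict[str, str]:
    """Split one auditd record into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in _TOKEN.findall(line)}


def detect(lines: List[str]) -> List[str]:
    """Return one alert string per record that matches a watched audit key."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        key, auid = rec.get("key"), int(rec.get("auid", AUID_UNSET))
        if key == "root_commands" and rec.get("euid") == "0":
            # execve with euid=0 by a session whose login UID is an ordinary
            # user: that login became root via sudo, su, a setuid bug, etc.
            if auid not in (0, AUID_UNSET):
                alerts.append(f"privesc: auid={auid} ran {rec.get('exe')} as root (pid {rec.get('pid')})")
        elif key == "passwd_changes" and rec.get("type") == "SYSCALL":
            # The -w rule fires on any write/attr change; the PATH record that
            # follows names the file, the SYSCALL record names the actor.
            alerts.append(f"passwd write: auid={auid} via {rec.get('exe')} success={rec.get('success')}")
    return alerts


# Constructed sample records (not real captures) shaped like auditd output.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=59 success=yes exit=0 pid=901 auid=0 uid=0 euid=0 tty=pts0 ses=1 comm="ls" exe="/usr/bin/ls" key="root_commands"',
    'type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=59 success=yes exit=0 pid=1501 auid=1000 uid=0 euid=0 tty=pts1 ses=3 comm="bash" exe="/usr/bin/bash" key="root_commands"',
    'type=SYSCALL msg=audit(1700000000.300:103): arch=c000003e syscall=59 success=yes exit=0 pid=700 auid=4294967295 uid=0 euid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/usr/bin/run-parts" key="root_commands"',
    'type=SYSCALL msg=audit(1700000000.400:104): arch=c000003e syscall=257 success=yes exit=3 pid=1510 auid=1000 uid=0 euid=0 tty=pts1 ses=3 comm="vi" exe="/usr/bin/vi" key="passwd_changes"',
    'type=PATH msg=audit(1700000000.400:104): item=0 name="/etc/passwd" inode=123 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Only the second and fourth constructed records alert: the root login (auid=0) and the cron job (auid unset) running as root are expected and stay quiet.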
macOS's unified logging system (log stream, log show) collects system and app logs in a single database. Use predicates to filter for security-relevant events: authorization failures, TCC denials, and process execs. Example: log stream --predicate 'subsystem == "com.apple.TCC"'. Forward these to a SIEM using a forwarding agent. The log data is voluminous, so precise filtering is key.
⚠️ Sysmon and auditd can generate massive log volumes. Plan storage and bandwidth accordingly, and use filtering to reduce noise before forwarding.