Search another article?
How to configure and run AWA – Advanced Windows Audit
AWA is an SGBox feature that leverage on the Microsoft Sysmon free Tool to increase the visibility of your Windows environment. AWA will help to detect malicious activity and promote better understanding of the in-deep aspect of Windows machines, by tracking many events and detailed information such as DNS Queries, Inbound/Outbound Connections, Registry changes, File tampering, Process Creation, Process Memory Usage, and many more.
AWA PACKAGE | The AWA Package comes with a rich set of dashboards to explore and drill on the information gathered. SGBox easy approach to customization, will allow customers to extend base packages based on their needs, creating new LCE Detections, Reports and Dashboards. |
REAL TIME MONITORING | It is very easy and useful to create specific alert using the detailed AWA generated events to monitor the under the hood process and potential malicious activities. |
MITRE ATT&CK MAPPING | Based on the work of Olaf Hartong, on the Sysmon configuration file, AWA is also capable to map specific events to the MITRE ATT&CK framework. The AWA package extends the MITRE mapping capability with specific functionalities as the on-line Tactic & Techniques viewer matrix, or the Dashboard embedded contextual Technique browser. |
CUSTOMIZABLE | AWA Sysmon configuration file is completely customizable, so the starting set can be extended to include customer needed events generation by updating the configuration. For example, it is possible to monitor the termination of specific process, the changes made to a specific registry key and many other hidden events. |
EASY SETUP | The AWA Package is extremely easy to install and deploy, so switch from a normal to an in-deep visibility is a matter of minutes. Sysmon and his, SGBox customized, configuration can be easily deployed through a GPO login script or any other Software Distribution tool, it does not require a machine reboot. Once the Sysmon executable has been deployed you just need to install the SGBox Advanced Windows Auditing package to have everything up and running. |
First of all you need to download Sysmon and the its configuration file. Install it in the computer you want to monitor
TIP
The package currently support Sysmon v13.02, so please be sure to install and configure the proper Sysmon version. Please follow the previous links to download the right Sysmon version and the corresponding configuration file.
After that you need to download the AWA package from SGBox: SCM > Application > Packages > AWA – Advanced Windows Audit. After installed: Run the package, select the hosts with Sysmon installed, then click on Install
The AWA package -as explained before- creates a lot of classes, reports as dashboards. You can see the Sysmon events in Windows Sysmon Events class.
You can select one of the interested events and analyzed it.
Search in the event the Mitre Technique ID. In this case is the parameter TID.
From SCM > Dashboard > Dashboard. Create new dashboard and select Mitre Att&ck. Select the parameter you want to see and in particular the Mitre parameter
The discovered techniques will turn on on the dashboard.