Greetings RDPSoft friends and customers! We’ve just released our brand new Sysmundo solution, which helps you with user observability, digital forensics, and incident response. How so? Sysmundo extends and enhances the Microsoft Sysmon logging utility, which is available to all Microsoft Windows customers as part of the Sysinternals Suite of utilities. Watch the video below and keep reading to understand all the benefits of our new application.
What is Sysmon?
Sysmon is a freeware utility developed by the Sysinternals team at Microsoft, led by luminary Mark Russinovich, CTO of Microsoft Azure. Sysmon is one of myriad tools provided by the Sysinternals team to Windows system administrators, to make their jobs easier.
When deployed on Windows servers and workstations in your environment, Sysmon becomes a “second Security log”, auditing important user and program actions on your systems.
Indispensable for detecting malware, hunting Advanced Persistent Threats, or analyzing user activity in depth, Sysmon tracks nearly 30 different categories of behavior on Windows systems, including programs run, DNS queries made, files created/downloaded/deleted, clipboard activity, and registry keys created and modified. Sysmon keeps tabs on what your users are doing and whether their behavior is normal or aberrant and suggestive of intrusion.
Why Is It Important to Deploy Sysmon in RDS, AVD, Parallels RAS, Citrix, and Other EUC Environments?
EUC systems, by design, will inherently have multiple different users connecting to them on a regular basis. Therefore, it is important to closely scrutinize activity taking place on those systems, looking for “indicators of compromise.” For example:
- Activity that would be suggestive of Privilege Escalation attempts (e.g. a standard user trying to become an admin)
- Unauthorized downloading of external files onto a terminal server
- A higher than usual rate of clipboard activity for a user, suggesting data exfiltration
- Creation of files in parts of the file system that are not typical to user behavior
- Network connections being opened via atypical processes, suggesting a compromise
- Strange or uncommon DNS queries
- Modification of certain registry keys and values
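As an added example (not code from this newsletter or from Sysmundo), here is the kind of query that Sysmon data makes possible once it is being collected: a PowerShell script that reads Sysmon Event ID 1 (ProcessCreate) from the local Sysmon Operational log and summarizes which programs each user launched interactively from Windows Explorer, so that unusual programs or unusually active accounts stand out. It assumes Sysmon is installed with process creation logging enabled and that the script runs in an elevated session; the `$Users` and `$HoursBack` parameters are our own.

```powershell
# Added example, not part of the original newsletter or of Sysmundo.
# Summarize programs launched from explorer.exe per user, from the local Sysmon log.
# Assumes Sysmon is installed and logging Event ID 1; run from an elevated PowerShell session.
param(
    [string[]]$Users = @(),   # optional DOMAIN\user filter; empty means all users
    [int]$HoursBack = 24      # how far back to look
)

$since  = (Get-Date).AddHours(-$HoursBack)
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since }

# Read fields by name from the event XML rather than by position in .Properties,
# because the positional order of Sysmon fields has changed between Sysmon versions.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        User        = $d['User']
        Image       = $d['Image']
        CommandLine = $d['CommandLine']
        ParentImage = $d['ParentImage']
    }
}

if (-not $events) {
    Write-Warning "No Sysmon ProcessCreate events found in the last $HoursBack hour(s)."
    return
}

# Keep only processes whose parent is explorer.exe, i.e. started interactively by the user
$fromExplorer = $events | Where-Object { $_.ParentImage -like '*\explorer.exe' }
if ($Users.Count -gt 0) {
    $fromExplorer = $fromExplorer | Where-Object { $Users -contains $_.User }
}

# One row per (user, program) pair, most frequently launched first
$fromExplorer |
    Group-Object User, Image |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'User';  e = { $_.Group[0].User } },
        @{ n = 'Image'; e = { $_.Group[0].Image } } |
    Format-Table -AutoSize
```

Run it as `.\Get-ExplorerLaunches.ps1 -Users 'CORP\alice','CORP\bob' -HoursBack 8` to restrict the summary to a few accounts; the same pattern (filter on `Id`, then read `EventData` by field name) applies to the other Sysmon categories listed above, such as Event ID 3 for network connections or Event ID 22 for DNS queries.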
What is RDPSoft Sysmundo, and How Does it Enhance the Sysmon Tool?
The traditional approach to deploying and utilizing Sysmon on Windows systems has been to:
- Deploy it via scripts to servers and workstations on your network
- Use a SIEM or log aggregation product to ingest the data
- Write your own reports and queries in the SIEM to examine the collected data
The shortcomings of this approach center around the:
- Difficulty of Sysmon deployment, reconfiguration, and removal
- High data ingestion costs charged by the SIEM vendor
- Costs (and the domain knowledge) associated with writing reports/correlations for Sysmon data, loaded inside the SIEM
We designed Sysmundo to tackle these shortcomings head on, so that Windows administrators can:
- Deploy and change Sysmon configurations more easily
- Archive and use the generated log data in a way that avoids the costs associated with SIEM ingestion
- Quickly search for and analyze events of interest
- Schedule routine reports to detect critical activity
Some of these features are provided for free, and others are accessed via a commercial license, at a very low cost relative to a SIEM or other log aggregation products. Below, we will break down both the free and commercial features available in Sysmundo.
Free Sysmundo Features
As a Freemium product, Sysmundo offers several basic features at no cost, since we want to encourage administrators to deploy Sysmon across their servers and workstations. For example, the unlicensed version of Sysmundo:
- Automatically downloads the Sysmon tool from the Microsoft Sysinternals website. Sysmundo also automatically checks for updates to Sysmon, notifying you and offering to download the latest version when available
- Helps you organize computers into logical groupings (associated with Active Directory Organizational Units or manual lists) for automated and streamlined Sysmon deployments
- Includes links to the most popular Sysmon config file repositories on GitHub, such as those maintained by SwiftOnSecurity, Olaf Hartong, and Florian Roth. Sysmundo users can add additional config file repositories to the program and can automatically download the latest config files to audition or modify when deploying Sysmon with Sysmundo
- Includes a simple-to-use GUI wizard for deploying, upgrading, re-configuring, and removing Sysmon on groups of computers, without the need for any scripting
- Allows you to test the log analysis and reporting features against Sysmon logs located on three computers at a time, for 14 days.
Paid Sysmundo Features
The paid version of Sysmundo can:
- Centrally collect and archive all Sysmon logs from your computers
- Index those collected logs into SQL, to make it easy to find events of interest and indicators of compromise
- Normalize all Sysmon field data, so you can powerfully filter and analyze events from multiple logs
- Provide a reporting platform for all of the data
Even more importantly, all of these features are delivered to you at an extremely competitive price. For example, you can license Sysmundo for 5 servers and 25 workstations for only $29.99 per month!
Here’s the detailed feature list for the paid version of Sysmundo:
- Automatic, AGENTLESS archiving of Sysmon logs from computers, once or multiple times a day, to local “hot storage”. Logs are also stored, compressed, in long-term “cold storage”
- Logs in “cold storage” can be thawed at any time and re-indexed for analysis
- Lightweight indexing of archived Sysmon logs into SQL, making it easy to analyze and review certain types of activity by date/time range, users, computers, and programs
- Additional analysis is supported for “live” Sysmon logs and previously saved Sysmon logs
- “Pre-load” filtering on key fields for specific Sysmon categories is supported, whereby discovered values are pre-populated to filter against, drastically reducing log load times. For instance, want to see all programs launched by Windows Explorer for a select group of users? After a few clicks, that information is loaded into an analysis window
- Sysmundo’s Data Analyzer window parses and normalizes key fields from specific Sysmon event categories, making them easily groupable, sortable, and filterable
- Right-clicking on events of interest raises a context menu to learn more about specific field data via a Google search
- Sysmundo understands correlated fields between different Sysmon event categories, and lets you perform “drill down” correlation when performing analysis against a set of log data
- Discovered/filtered events can be exported to CSV and Excel files
- Sysmundo ships with over two dozen reports that focus on different Sysmon categories and user/program behavior. Reports can be run manually or scheduled against prior day collected log data
Sysmundo Is Included in RDPSoft’s Complete Monitoring and Management Bundle
Already a Complete Monitoring and Management Bundle customer? Contact us now to request the Sysmundo licensing you’re entitled to, for the number of RDS/AVD servers you’re already licensing. And, if you’d like to add more licenses so you can deploy Sysmundo on your non-EUC servers or workstations, let us know and we can give you a discounted price to cover those systems as well.
It’s just another way we’d like to say thank you for your continued loyalty and to deliver even more value to you.
If you’re not currently a Complete Monitoring and Management Bundle customer, contact us for a quote to convert your existing product subscriptions into a bundle subscription.
A Remote Desktop Commander Maintenance Release Is Now Available
We just posted a maintenance release of the Remote Desktop Commander Suite (Version 6.5.5). While this version does not have new features, it does have the following bug fixes as documented in the following KB articles:
- The online Stamen Map Tile Provider was discontinued, which causes the Geolocate RDS Logons and Logon Failures dashboard to show a blank white screen instead of a map.
- Some online transactional mail servers that have switched to TLS 1.2 may be incompatible with Remote Desktop Commander SMTP scheduled report relays.
To request an upgrade to Version 6.5.5, please visit https://www.rdpsoft.com/upgrade
Version 7, the next major release of the Remote Desktop Commander Suite, should become available in Q1 of 2024.
Remote Desktop Canary v4 Almost Ready!
While we’ve put a ton of development focus this year onto our new Sysmundo product, we haven’t forgotten about our other solutions. In a few weeks, we plan on releasing Remote Desktop Canary v4. Here is a sneak peek of the new features coming to Version 4:
- The ability to edit multiple workflows at one time, to change common settings like login time thresholds, login credentials, and much more
- A special, newly designed Program Tester applet that checks whether applications launch normally when Remote Desktop Canary performs a synthetic RDP login. You can configure this new Program Tester applet to evaluate the text in the title bar of a launched program, or any text that appears in internal windowed controls in the program’s user interface. Then, depending on whether that text is seen or not seen, the login test will succeed or fail accordingly
- The ability to automatically retry failed connections a few times before actually generating an alert
- A brand new Workflow Design Wizard that will let you quickly build workflows to test your RDS collections, or individual RDS servers, in an intuitive and easy way. No more downloading of RDP files will be required.
We’re Now an Authorized Parallels RAS Reseller
Here at RDPSoft, we absolutely love pure Microsoft Remote Desktop Services, and think it is 100% the most cost-effective way to provide virtual desktops and apps to your users. That said, we also know that sometimes organizations outgrow RDS, or have more complex feature needs which are not provided by RDS.
When that time comes, it’s tempting to look towards Azure Virtual Desktop or Citrix, but these platforms often bring a great deal of unneeded expense that can swamp your IT department’s budget. For this reason, we highly recommend that any customer looking to switch from RDS seriously examine Parallels RAS by Alludo. We believe so strongly in this platform – especially when compared to alternatives like Citrix and AVD – that we became a Parallels reseller and partner this year.
Our CEO, Andy Milford, is a Parallels VIPP, and just wrote a comprehensive blog article at his PureRDS.org site summarizing some of the most powerful features that Parallels RAS brings to the table, in terms of how it extends regular Microsoft Remote Desktop Services.
You may also watch this recent video of Andy Milford discussing Parallels RAS, its benefits, and his opinion on the state of the EUC market in general:
If you’d like to learn more about Parallels RAS, including getting a reseller quote and cost analysis of switching to Parallels RAS from RDS, please fill out the form here and we’ll get back in touch with you shortly.