Threat Hunting using Sysmon – Advanced Log Analysis for Windows


Overview

In every operations team, monitoring plays a vital role in proactively detecting emerging cyber threats. It has become more challenging to gather and correlate events from different logs and security sources in order to add intelligence to raw data.

System monitoring with Sysmon has emerged as a new way of proactively monitoring Windows internals: it gathers system activity and writes it to the Windows event log, so it can be monitored like any other log source.

Sysmon is an open-source Windows system service and device driver, best known for advanced features such as logging process creations, network connections, and changes to file creation time. It is usually integrated with SIEM tools such as Splunk and QRadar.

Features of sysmon

Sysmon monitors the following activities:

  • Process creation (with full command line and hashes)
  • Process termination
  • Network connections
  • File creation timestamp changes
  • Driver/image loading
  • Remote thread creation
  • Raw disk access
  • Process memory access

Installation steps

Sysmon is installed (and uninstalled) from a simple command-line executable.

  1. Download Sysmon from https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon.
  2. Extract the .zip file.
  3. Right-click the .exe file for your system and select Run as administrator.
    • For a 32-bit system, choose Sysmon.exe.
    • For a 64-bit system, choose Sysmon64.exe.

List of Sysmon Event IDs

Before working with Sysmon it is mandatory to know the event IDs and the information each one carries. Sysmon has 26 unique event IDs associated with its functions, and each event type can be filtered separately in the configuration file.

ID | Tag | Event | Description
1 | ProcessCreate | Process Create | Detailed information about the created process
2 | FileCreateTime | File creation time | Used to check the integrity of file creation times
3 | NetworkConnect | Network connection detected | Logs TCP/UDP connections on the machine
4 | Sysmon service state changed | Sysmon service state change | Reports the state of the Sysmon service (started or stopped)
5 | ProcessTerminate | Process terminated | Detailed information about the terminated process
6 | DriverLoad | Driver loaded | Detailed information about the loaded driver, including its hash value
7 | ImageLoad | Image loaded | Logs when a module is loaded in a specific process
8 | CreateRemoteThread | CreateRemoteThread detected | Detects when a process creates a thread in another process; this technique is used by malware to inject code and hide in other processes
9 | RawAccessRead | RawAccessRead detected | Detects when a process conducts read operations from the drive using the \\.\ denotation
10 | ProcessAccess | Process accessed | Reports when a process opens another process
11 | FileCreate | File created | Logged when a file is created or overwritten
12 | RegistryEvent | Registry object added or deleted | Registry key and value create and delete operations map to this event type
13 | RegistryEvent | Registry value set | Identifies Registry value modifications
14 | RegistryEvent | Registry object renamed | Identifies Registry value rename operations
15 | FileCreateStreamHash | File stream created | Logs when a named file stream is created; it records the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream
16 | ServiceConfigurationChange | Sysmon configuration change | Triggered when the Sysmon configuration changes
17 | PipeEvent | Named pipe created | Generated when a named pipe is created
18 | PipeEvent | Named pipe connected | Logs when a named pipe connection is made between a client and a server
19 | WmiEvent | WMI filter | Logged when a WMI event filter is registered
20 | WmiEvent | WMI consumer | Logs the registration of WMI consumers
21 | WmiEvent | WMI consumer filter | When a consumer binds to a filter, logs the consumer name and filter path
22 | DNSQuery | DNS query | Generated when a process executes a DNS query
23 | FileDelete | File Delete archived | A file was deleted; in addition to logging the event, the deleted file is saved in the ArchiveDirectory
24 | ClipboardChange | New content in the clipboard | Generated when the system clipboard contents change
25 | ProcessTampering | Process image change | Generated when process hiding techniques such as "hollow" or "herpaderp" are detected
26 | FileDeleteDetected | File Delete logged | A file was deleted

Working with sysmon

In general, Sysmon can be accessed in two different ways:

  1. GUI
  2. Command Line

GUI

Sysmon logs reside inside Event Viewer. To access them, navigate to Event Viewer → Applications and Services Logs → Microsoft → Windows → Sysmon. A detailed summary of every event is listed with its associated event ID.

Event 1 → Process Create : Detailed information about the created process.

It summarises the recent process with its information, including the process name, GUID, original filename and hash value.

Event 3 → Network connection detected : Event logs typically associated with TCP/UDP connections on the machine.

It summarises the recent network activity, including the process, protocol, src_ip, hostname, src_port, dest_port and much more.

Event 16 → Sysmon configuration change : Triggered when the Sysmon configuration changes.

As already discussed, Sysmon has a basic configuration when it is installed; any later configuration change triggers an event with event ID 16. This event therefore attests to the integrity of the configuration file.

Accessing SYSMON via CMD

  1. Open the PowerShell terminal.
  2. Enter the following command:

$test = Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object { $_.Id -eq 5 }

The above query extracts all log entries associated with event ID 5.
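The query above only selects whole records. The script below, an added example that is not part of the original article, goes one step further and parses the EventData fields of each Sysmon record, so the Event 1 (process name, command line, hashes), Event 3 (protocol, source/destination IP and port) and Event 16 (configuration change) details described in the GUI section can be pulled from the command line. The function name Get-SysmonEvent is our own; it assumes Sysmon is installed and the shell can read the Sysmon operational log.

```powershell
# Added example: query the Sysmon operational log and turn each record's
# <Data Name="..."> elements into properties of a PowerShell object.
# Get-SysmonEvent is a helper written for this example, not a Sysmon cmdlet.
function Get-SysmonEvent {
    param(
        [Parameter(Mandatory)] [int[]] $Id,              # Sysmon event IDs, e.g. 1, 3, 16
        [int] $MaxEvents = 100,
        [datetime] $StartTime = (Get-Date).AddHours(-24)
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = $Id
        StartTime = $StartTime
    }
    # Get-WinEvent reports "no events found" as a non-terminating error;
    # silence it so an empty result simply returns nothing.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $obj = [ordered]@{ TimeCreated = $_.TimeCreated; EventId = $_.Id }
            foreach ($d in $xml.Event.EventData.Data) { $obj[$d.Name] = $d.'#text' }
            [pscustomobject]$obj
        }
}

# Event 1: recent process creations with command line, parent and hashes
Get-SysmonEvent -Id 1 -MaxEvents 20 |
    Select-Object TimeCreated, Image, CommandLine, ParentImage, Hashes, ProcessGuid |
    Format-Table -AutoSize

# Event 3: recent network connections (the fields the article lists)
Get-SysmonEvent -Id 3 -MaxEvents 20 |
    Select-Object TimeCreated, Image, Protocol, SourceIp, SourcePort,
                  DestinationIp, DestinationHostname, DestinationPort |
    Format-Table -AutoSize

# Event 16: any configuration change in the review window should be explained;
# Configuration and ConfigurationFileHash show what was applied.
$cfg = @(Get-SysmonEvent -Id 16 -StartTime (Get-Date).AddDays(-7))
if ($cfg.Count -gt 0) {
    Write-Warning "$($cfg.Count) Sysmon configuration change(s) in the last 7 days"
    $cfg | Select-Object TimeCreated, Configuration, ConfigurationFileHash | Format-List
}
```

The ProcessGuid field returned for Event 1 is the key to join process-creation records with the network (Event 3) records of the same process when investigating an alert.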

Conclusion

Sysmon is used by cybersecurity professionals across many disciplines, especially malware analysis, forensic analysis and security operations. Despite being a simple tool, it is well known for its robustness and performance.

Reference

  • https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
  • https://cqureacademy.com/blog/hacks/sysmon
  • https://www.blumira.com/enable-sysmon/

Harisuthan
A Cyber Security Aspirant Security Researcher | Red-Teamer |
