Sysmon
Hey you, welcome to my blog. Today i will be sharing my learnings on using sysmon.
Many applications record errors and events in proprietary error logs, each with their own format and user interface. Data from different applications can’t easily be merged into one complete report, requiring system administrators or support representatives to check a variety of sources to diagnose problems. Event logging provides a standard, centralized way for applications (and the operating system) to record important software and hardware events. The event logging service records events from various sources and stores them in a single collection called an event log
. The Event Viewer
enables you to view logs; the programming interface also enables you to examine logs.
In addition to enabling Windows Advanced Auditing, you can use sysmon to increase the visibility of your environment. According to the official documentation, sysmon (System Monitor)
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
Sysmon was written by Mark Russinovich and Thomas Garnier
Sysmon Capabilities
Sysmon includes the following capabilities:
- Logs process creation with full command line for both current and parent processes.
- Records the hash of process image files using SHA1 (the default), MD5, SHA256 or IMPHASH.
- Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
- Includes a session GUID in each event to allow correlation of events on same logon session.
- Logs loading of drivers or DLLs with their signatures and hashes.
- Logs opens for raw read access of disks and volumes.
- Optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names.
- Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
- Rule filtering to include or exclude certain events dynamically.
- Generates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware.
With that said, you can then proceed to download sysmon which is part of the sysinternals suite. As at the time of writing this, i’ll be using Sysmon v13.33
Once you extract the file you’ll find three files.
- EULA
- Sysmon.exe (For x32 systems)
- Sysmon64.exe (For x64 systems)
We can then explore the help options before proceeding with installation.
Default Installation
To do a simple installation, we can specify:
-i
which installs sysmon with default settings.-n
specifies we want to also monitor network-accepteula
ensures EULA is automatically accepted upon installation, otherwise you will be interactively prompted to accept it.
We can then check the current configuration by using -c
parameter as shown below:
If you want to inspect the default configuration schema, you can use the -s
switch
Once we have installed sysmon, we can look at the logs generated in Event Viewer
under Application and Services Logs/Microsoft/Windows/Sysmon/Operational
Since we specified -n
, we are going to get a bunch of Network . It is normally disabled by default
Lets have a look at the details of one event
Alternatively, you can also view it in a friendly or XML view.
Another thing to note is that the default configuration schema has event ID’s starting from 1-26. However, you may get an event with an ID of 255. This event is generated when an error occurred within Sysmon. They can happen if the system is under heavy load and certain tasked could not be performed or a bug exists in the Sysmon service. You can report any bugs on the Sysinternals forum or over Twitter (@markrussinovich).
In this case from the screenshot below, we can see different events with different IDs.
To get more information about each ID, you can read through the official documentation.
Custom Install
We can also run sysmon with a configuration file of our choice by appending -c
parameter to reconfigure our active sysmon. In this case, i will be using a configuration file from SwiftOnSecurity which you can fork and tweak to your liking. Its a file template with default high-quality event tracing.
The configuration is highly commented and designed to be self-explanatory to assist you in this customization to your environment.
We can then dump the current config to confirm that it actually worked:
For Instance if i spin powershell, we should have a Process Create event
We can also try download Mimikatz and run it to see what Event ID’s are triggered.
- Say we download mimikatz from SourceForge
- Sysmon will trigger an Event with an ID of 15
This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream. There are malware variants that drop their executables or configuration settings via browser downloads, and this event is aimed at capturing that based on the browser attaching a
Zone.Identifier
“mark of the web” stream.
- Event ID 1 will also be triggered when I extract the zipped file showing us the current Directory.
The process creation event provides extended information about a newly created process. The full command line provides context on the process execution. The ProcessGUID field is a unique value for this process across a domain to make event correlation easier.
- Event ID 11 will be triggered
File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.
- Say we try bypassing execution policy, we trigger Event ID 1 again.
- Event ID 5 was finally triggered when i terminated the process
Conclusion
- Sysmon is NOT a whitelist solution or HIDS correlation engine, it is a computer change logging tool. Sysmon’s purpose is providing context during a threat or problem investigation. Legitimate processes are routinely used by threats - do not blindly exclude them.
- Sysmon is not hardened against an attacker with admin rights. Additionally, the configuration file used offers an attacker, willing to study it, limited ways to evade some of the logging. If you are in a very high-threat environment, you should consider a broader, log-most approach.
On Jul 24, 2021, @markrussinovich gave a hint of development of sysmon for linux.
Sysmon for Linux is coming along nicely. ePBF FTW. pic.twitter.com/XUnafk7Q9p
— Mark Russinovich (@markrussinovich) July 24, 2021
3 months down the line, he released it and can be found on github
And it's here: Sysmon for Linux! https://t.co/aA3v8214hG
— Mark Russinovich (@markrussinovich) October 14, 2021
I am excited to try it out sometime and will do a blog on the same, so stay tuned.😉 On my next blog, i will show you how to integrate and collect sysmon logs and visualize them with Wazuh. Until next time, take care and keep safe. ✌🏼
Comments powered by Disqus.