Sysinternals Sysmon unleashed
Warning: This post recommends Sysmon monitoring policy implementations that are not official Microsoft recommendations. Readers are encouraged to review and test all policy recommendations prior to their implementation in a production environment. Sysmon from Sysinternals is a very powerful Host-level tracing tool, which can assist you in detecting advanced threats on your network. In contrast to common Antivirus/HIDS solutions, Sysmon performs system activity deep monitoring, and log high-confidence indicators of advanced attacks.
Sysmon is using a device driver and a service that is running in the background and loads very early in the boot process.
Sysmon monitors the following activities:
- Process creation (with full command line and hashes)
- Process termination
- Network connections
- File creation timestamps changes
- Driver/image loading
- Create remote threads
- Raw disk access
- Process memory access
Some of these events can be gathered up by enabling Windows built-in auditing, yet the detail level provided by Sysmon is much higher. When it comes to analysis, Sysmon doesn’t provide any; you can use other tools to visualize and investigate the raw events, for example: SIEM, Microsoft SCOM, Splunk and Azure OMS.
Sysmon is a command-line tool; once downloaded from the Microsoft Sysinternals web site the installation is straightforward: Open elevated (“Run as Administrator”) command line and type the following command: Sysmon /?
Here is the output:
|System Monitor v4.12 - System activity monitorCopyright (C) 2014-2016 Mark Russinovich and Thomas GarnierSysinternals - www.sysinternals.comUsage:Install: sysmon -i [-h <[sha1|md5|sha256|imphash|*],...>] [-n [<process,...>]][-l [<process,...>]Configure: sysmon -c [--|[-h <[sha1|md5|sha256|imphash|*],...>] [-n [<process,...>]][-l [<process,...>]]]Uninstall: sysmon -u-c Update configuration of an installed Sysmon driver or dump thecurrent configuration if no other argument is provided. Optionallytake a configuration file.-h Specify the hash algorithms used for image identification (defaultis SHA1). It supports multiple algorithms at the same time.Configuration entry: HashAlgorithms.-i Install service and driver. Optionally take a configuration file.-l Log loading of modules. Optionally take a list of processes to track.-m Install the event manifest (done on service install as well).-n Log network connections. Optionally take a list of processes to track.-r Check for signature certificate revocation.Configuration entry: CheckRevocation.-u Uninstall service and driver.The service logs events immediately and the driver installs as a boot-start driver to capture activity from early inthe boot that the service will write to the event log when it starts.On Vista and higher, events are stored in "Applications and Services Logs/Microsoft/Windows/Sysmon/Operational". Onolder systems, events are written to the System event log.If you need more information on configuration files, use the '-? config' command. More examples are available on theSysinternals website.Specify -accepteula to automatically accept the EULA on installation, otherwise you will be interactively prompted toaccept it.Neither install nor uninstall requires a reboot.|
Let’s take a look at the install option available. Two basic options are offered:
- Set up the tool with default configuration
- Define the desired configuration directly from the command line or from a configuration file
Let’s start with the default configuration by running the following command:
|C:\>sysmon -i -accepteulaSystem Monitor v4.12 - System activity monitorCopyright (C) 2014-2016 Mark Russinovich and Thomas GarnierSysinternals - www.sysinternals.comSysmon installed.SysmonDrv installed.Starting SysmonDrv.SysmonDrv started.Starting Sysmon.Sysmon started.|
That’s it; Sysmon is now installed (installation, or uninstallation, does require a reboot).
The default configuration includes the following events:
- Process create (with SHA1)
- Process terminate
- Driver loaded
- File creation time changed
- Sysmon service state changed
You can view the configuration by using the following command: Sysmon -c
Here is the output:
|System Monitor v4.12 - System activity monitorCopyright (C) 2014-2016 Mark Russinovich and Thomas GarnierSysinternals - www.sysinternals.comCurrent configuration:- Service name: Sysmon- Driver name: SysmonDrv- HashingAlgorithms: SHA1- Network connection: disabled- Image loading: disabled- CRL checking: disabled- Process Access: disabledNo rules installedtd>|
Once installed, Sysmon does its job automatically in the background. You can find out the results in the Event Viewer.
The events are written to Application and Services Logs/Microsoft/Windows/Sysmon/Operational log (For earlier - unsupported - versions of Windows, it places those under the Windows System log).
One thing that can help you here is to increase the event log size, I usually use 200 MB, with this command:
wevtutil sl Microsoft-Windows-Sysmon/Operational /ms:209715200
Many events include the hash value of the process. Hash value is the result of a calculation that was performed on a file, and used to uniquely identify files, as well as look up potential threat details using online services such as TotalHash and VirusTotal.
From a malware analysis perspective, you’re better off using SHA256 or IMPHASH than MD5.
Using the default setup option as we used above is limited, because we can’t apply advanced filtering and unleash the full potential of the tool.
Sysmon can be used with an XML configuration file, which allows you to use advanced and flexible filtering rules, specify the type of hashes and deploy it across the organization. The XML file can be applied during installation and changed any time later.
Under EventFiltering you can select any supported event that you want to include or exclude, here we are using the DriverLoad tag as an example.
If you are just using the tag without a filter, the rule (onmatch) has opposite effect!
For example, this line will configure Sysmon to log all driver load events (because we are not using any filter):
While this line will configure Sysmon to log drivers load events except (filter) if the signature is Microsoft Windows
The XML configuration file supports the following conditions:
|is||Default, values are equals|
|is not||Values are different|
|contains||The field contains this value|
|excludes||The field does not contain this value|
|begin with||The field begins with this value|
|end with||The field ends with this value|
|less than||Lexicographical comparison is less than zero|
|more than||Lexicographical comparison is more than zero|
|image||Match an image path (full path or only image name)|
Full sample XML configuration file is available here: https://github.com/MotiBa/Sysmon/blob/master/config_v3.xml
Once applied, the configuration is stored in the registry under this key:HKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters.
Sysmon features some of the most effective events you need to collect to trace attacker activity and increase host visibility, you can consider the events as breadcrumbs that attackers drop along the way.
The recommendations shown here is intended only to be a starting baseline guide to administrators. Each organization must make its own decisions regarding the threats they face.
A common mistake is to only monitor servers or domain controllers. Since the vast majority of malicious hacking initially occurs on workstations, not monitoring workstations is ignoring the best and earliest source of information.
|Event Class||Event IDs||Rate||Author’s Recommendation||Importance|
|Process Create||1||Low-Medium||Log these events||Detect initial infection and malware child processes.Hashes captured by the Sysmon driver can be investigated using VirusTotal.com|
|Process Terminate||2||Low-Medium||Log these events (for forensic investigations)||Useful for forensic investigations. May be correlated with process creation events|
|Drive Load||6||Low||Detect device drivers loading|
|Image Load||7||High||Log these events (for forensic investigations)||Detect DLL injection, unsinged DLL loading|
|File Creation Time Changed||2||Medium-High||Log these events||Detect anti-forensic activity (timestamp changed to cover tracks)|
|Network Connection||3||High||Log these events (use filtering)||Identify network activity, connection to malware C&C servers, connection to ransomware server to download encryption keys|
|CreateRemoteThread||8||Low-Medium||Log these events||Detect code injections used by malwareCredential theft tools also use this technique to inject their code into the LSASS process|
|RawAccessRead||9||Low||Log these events||Detect dropping off SAM or NTDS.DIT from compromised hosts|