This release brings two new features I’ve been eagerly awaiting: OriginalFileName in ProcessCreate (EventID 1) and ImageLoaded (EventID 7) events, and a new event type, DNS events! Additionally, the schema for Pipe Events was extended.
If you haven’t read my running blog series on the use of Sysmon, please refer to Endpoint detection Superpowers on the cheap — part 1 and onwards.
I also built a Splunk app for ThreatHunting which will receive a huge update at BlackHat this summer.
Changes to version 10.0
The first thing I noticed when looking at the schema is that the version changed to 4.21; a copy is here
<manifest schemaversion="4.21" binaryversion="9.10">
This makes sense, since there are some additions:
- OriginalFileName, which adds the PE Original Filename to EventID 1 and 7
- EventType to Named Pipe events (17 & 18)
- DNS events (22)
Looking at the EventLog, the Process Create and Image Load events now have the OriginalFileName field added to them; this value is derived from the PE header of the file.
One thing to note is that the field has to be set by the developer. In Microsoft's case nearly all binaries do incorporate it, so most of the so-called LOLbins will be visible this way. This is not foolproof either, because an attacker can also change the field in a hex editor, but doing so will also change the hash of the file. The most common practice at the moment is only to rename the file, so add this field to your configuration.
This will make it a lot harder for malware and/or actors to rename binaries to try and avoid detection based on the original file name / path.
Named Pipe EventType
This now allows, for instance, filtering on the ConnectPipe (18) event type so that you only see pipe creation, saving a lot of data.
Event type 22 has been added, bringing us DNS logging; this is a great feature to get! The implementation is also quite interesting: by putting the request and the response into the same event, it becomes a lot easier to investigate these events, and the volume of data is lowered a bit at the same time!
You can even filter on the Image field in your config to exclude certain noisy processes. For instance, Microsoft Defender ATP clones a LOT of requests from other processes in its operation. I trust it enough not to be hijacked by an attacker to whitelist it, saving quite a bunch of log entries. There are more examples like this, and I'm sure your environment has a few of these processes as well. This is an amazing asset!! Most commercial solutions out there are not even able to do this.
ProcessGUID is also incorporated in the events, so in order to find out which other events are tied to the requesting process you can easily correlate them through this field.
However, make sure to properly test your configuration once you enable this. As most of you know, DNS can be quite noisy, so this can bite you with large data volumes.
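To make the two points above concrete (renamed binaries still carry their PE OriginalFileName, and DNS events can be tied back to the requesting process through ProcessGuid), here is an added post-processing example written for this post; it is not Sysmon code or part of sysmon-modular. The events, GUIDs, paths and query names are constructed samples shaped like Sysmon 10 EventData, and the two functions are hypothetical helpers.

```python
"""Post-processing of Sysmon 10 events: flag process creates (EventID 1)
whose on-disk name differs from the PE OriginalFileName, and join DNS
events (EventID 22) to their requesting process via ProcessGuid."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample events (hypothetical GUIDs and paths); field names follow schema 4.21.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "OriginalFileName": "PowerShell.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "ProcessGuid": "{B2}", "OriginalFileName": "PowerShell.EXE",
     "Image": r"C:\Users\Public\svchost.exe"},        # renamed copy of PowerShell
    {"EventID": 1, "ProcessGuid": "{C3}", "OriginalFileName": "",
     "Image": r"C:\Tools\custom.exe"},                # developer did not set the field
    {"EventID": 22, "ProcessGuid": "{B2}", "QueryName": "update.example.net",
     "QueryResults": "203.0.113.10;"},
    {"EventID": 22, "ProcessGuid": "{A1}", "QueryName": "www.msftconnecttest.com",
     "QueryResults": "..."},
]

def renamed_binaries(events):
    """Return (ProcessGuid, Image, OriginalFileName) for EventID 1 records whose
    file name on disk differs from the PE OriginalFileName. Records with an empty
    OriginalFileName are skipped: a missing field is not evidence of renaming."""
    hits = []
    for e in events:
        if e.get("EventID") != 1 or not e.get("OriginalFileName"):
            continue
        on_disk = PureWindowsPath(e["Image"]).name
        if on_disk.lower() != e["OriginalFileName"].lower():
            hits.append((e["ProcessGuid"], e["Image"], e["OriginalFileName"]))
    return hits

def dns_by_process(events):
    """Map DNS queries (EventID 22) back to the Image of the matching EventID 1
    record via ProcessGuid. Returns {Image: [QueryName, ...]}; queries whose
    process create was not logged are keyed 'unknown'."""
    image_of = {e["ProcessGuid"]: e["Image"] for e in events if e.get("EventID") == 1}
    result = defaultdict(list)
    for e in events:
        if e.get("EventID") == 22:
            result[image_of.get(e["ProcessGuid"], "unknown")].append(e["QueryName"])
    return dict(result)

if __name__ == "__main__":
    for guid, image, original in renamed_binaries(SAMPLE_EVENTS):
        print(f"renamed binary: {image} is really {original} ({guid})")
    for image, names in dns_by_process(SAMPLE_EVENTS).items():
        print(f"{image} -> {', '.join(names)}")
```

On the constructed sample, the renamed copy is the only hit, and its DNS query is attributed to the renamed image rather than to the process name it is masquerading as.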
DNS over HTTPS
Keep in mind that there is also the DNS over HTTPS (DoH) protocol; those requests will not show up here, as they travel (hence the name) over HTTPS.
Depending on your configuration you might be able to see the activity in EventID 3 (NetworkConnection), but you will not see the request itself. The only thing you might be able to see is unexpected processes calling out to one of the DoH providers.
I'd suggest using another log source to cover this one, like Bro (Zeek), proxy, firewall, NetFlow or PCAPs, since you can also see the packet sizes that way.
SwiftOnSecurity has an Alpha configuration available here
My sysmon-modular configuration is not ready for dealing with the rule grouping through the scripts. I’ve generated a configuration and adopted most of Swift's DNS work into my version here.
I'll work on a modular version and also on more filters for DNS and incorporate the OriginalFileName. Keep watching this space for that.
The rule group configuration has not been changed, nor has the processing (yet!). I have good hope that multiple groups per event type will be added in future releases, which will make Sysmon even more powerful and will significantly reduce the volume of logs while improving the detection rate on raw logs.
Thanks for reading, enjoy this release of Sysmon!