Sysmon 10.0 - New features and changes

Olaf Hartong
Jun 12 · 4 min read

Last night (June 11th 2019) Mark Russinovich released a new version of Sysmon, raising it to 10.0, and this is a great upgrade!

This release brings two new features I've been eagerly awaiting: an OriginalFileName field in the ProcessCreate (EventID 1) and ImageLoad (EventID 7) events, and a brand new event type for DNS queries (EventID 22). Additionally, the schema for pipe events (EventID 17 and 18) was extended with an EventType field.

SwiftOnSecurity and I were fortunate enough to have some pre-release versions to play with, and Swift teased the new feature here

If you haven’t read my running blog series on the use of Sysmon, please refer to Endpoint detection Superpowers on the cheap — part 1 and onwards.

I also built a Splunk app for ThreatHunting which will receive a huge update at BlackHat this summer.

Changes to version 10.0

The first thing I noticed when looking at the schema (sysmon -s dumps it) is that the schema version changed to 4.21; a copy is here:

<manifest schemaversion="4.21" binaryversion="9.10">

This makes sense, since there are some additions:

  • OriginalFileName, which adds the OriginalFilename from the PE version information to EventID 1 and 7
  • EventType, added to the named pipe events (17 & 18)
  • DNS query events (22)

OriginalFileName

Looking at the event log, the Process Create and Image Load events now carry the OriginalFileName field. It is read from the version information resource embedded in the PE file, the same "Original filename" you see on the Details tab of a file's properties.

One thing to note is that the field only exists if the developer compiled version information into the binary. In Microsoft's case nearly all binaries do, so most of the so-called LOLBins will be visible this way. It is not foolproof either: an attacker can change the string in a hex editor, but that changes the hash of the file and, for a signed binary, breaks the Authenticode signature, so the file no longer shows as validly signed. The most common practice at the moment is simply to rename the file, so add this field to your configuration and your detections.

This makes it a lot harder for malware and/or actors to evade detections based on the original file name or path just by renaming a binary: compare the name on disk (Image, or ImageLoaded for EventID 7) with OriginalFileName and alert on a mismatch.
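The mismatch check described above, as an added example (this is not code from the post or from either of the configurations linked further down). It runs over hand-constructed Sysmon-style events rather than real log data, compares case-insensitively (Microsoft's own binaries often differ only in case, e.g. cmd.exe versus Cmd.Exe), tolerates an OriginalFileName stored without an extension, and deliberately does not alert when the PE carries no version information. The assumption that Sysmon writes "?" for a missing OriginalFileName is based on observed events; "-" is treated the same way to be safe.

```python
"""Added example: flag EventID 1/7 where the file name on disk differs from the
PE OriginalFileName that Sysmon 10 records. Events below are constructed."""
import ntpath

# Assumption: Sysmon writes "?" when the PE has no OriginalFileName; treat "-"
# the same way so a placeholder never produces a false positive.
NO_VALUE = {"?", "-", ""}


def disk_name(event):
    """File name on disk: Image for EventID 1, ImageLoaded for EventID 7."""
    path = event["ImageLoaded"] if event["EventID"] == 7 else event["Image"]
    return ntpath.basename(path)


def names_match(on_disk, original):
    """Case-insensitive compare; also accept an OriginalFileName that is
    only the stem (some vendors omit the extension)."""
    a, b = on_disk.lower(), original.lower()
    if a == b:
        return True
    return ntpath.splitext(b)[1] == "" and ntpath.splitext(a)[0] == b


def renamed_binary(event):
    """True when the PE says it is one thing and the path says another."""
    if event.get("EventID") not in (1, 7):
        return False
    original = event.get("OriginalFileName", "?")
    if original in NO_VALUE:
        return False  # nothing to compare against: do not alert
    return not names_match(disk_name(event), original)


def find_renamed(events):
    """(EventID, on-disk name, OriginalFileName) for every mismatch."""
    return [(e["EventID"], disk_name(e), e["OriginalFileName"])
            for e in events if renamed_binary(e)]


# Constructed sample events using Sysmon 10 field names (not real log data).
SAMPLE_EVENTS = [
    # mshta.exe copied to a temp dir under an innocent name: should alert
    {"EventID": 1, "Image": r"C:\Users\bob\AppData\Local\Temp\notepad.exe",
     "OriginalFileName": "MSHTA.EXE"},
    # Microsoft binaries often differ only in case: must not alert
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe"},
    # no version info in the PE: nothing to compare, must not alert
    {"EventID": 1, "Image": r"C:\Tools\custom.exe", "OriginalFileName": "?"},
    # EventID 7: a DLL loaded under a different name than it was built with
    {"EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\update.dll",
     "OriginalFileName": "COMSVCS.DLL"},
]

if __name__ == "__main__":
    for hit in find_renamed(SAMPLE_EVENTS):
        print("renamed binary:", hit)
```

Expect a handful of legitimate mismatches in any real environment (installers, vendor updaters built from a shared template); baseline those into an allowlist keyed on the full Image path plus OriginalFileName rather than loosening the comparison itself.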

Named Pipe EventType

Both pipe events are filtered by the same PipeEvent rule, so until now you got either both or neither. The new EventType field allows filtering on it: for instance, excluding ConnectPipe (EventID 18) events so that only the pipe creation (CreatePipe, EventID 17) is logged, saving a lot of data.

DNS

EventID 22 (DnsQuery) has been added, bringing us DNS logging; this is a great feature to get! The implementation is also quite interesting: the request (QueryName) and the response (QueryStatus and QueryResults) are written into the same event, which makes these events a lot easier to investigate and lowers the volume of data a bit at the same time.

You can even filter on the Image field in your config to exclude certain noisy processes. For instance, Microsoft Defender ATP clones a LOT of requests from other processes in its operation. I trust it enough not to be hijacked by an attacker, so I whitelist it, saving quite a bunch of log entries. There are more examples like this, and I'm sure your environment has a few of these processes as well. This is an amazing asset! Most commercial solutions out there are not even able to do this.

ProcessGuid is also included in the events, so to find out which other events are tied to the requesting process you can easily correlate on this field: it is the same ProcessGuid that the process's EventID 1 carries.

However, make sure to properly test your configuration once you enable this. As most of you know, DNS can be quite noisy, so this can bite you with large data volumes.
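As an added configuration example (not from the post and not taken from either of the configurations linked below), a Sysmon 10 fragment that applies both points made so far: the EventType filter on pipe events from the previous section, and Image- and QueryName-based exclusions for the DNS query events. The Defender ATP sensor path and the excluded domains are assumptions for illustration only; take the real paths and domains from your own baseline.

```xml
<Sysmon schemaversion="4.21">
  <EventFiltering>
    <!-- Named pipes: drop the noisy connection events (EventID 18) and keep
         only pipe creation (EventID 17), using the new EventType field -->
    <RuleGroup name="" groupRelation="or">
      <PipeEvent onmatch="exclude">
        <EventType condition="is">ConnectPipe</EventType>
      </PipeEvent>
    </RuleGroup>

    <!-- DNS queries (EventID 22): an exclude block logs everything that does
         not match, so list only the processes and domains you have verified
         to be noise. Path and domains below are assumptions. -->
    <RuleGroup name="" groupRelation="or">
      <DnsQuery onmatch="exclude">
        <!-- assumption: Defender ATP sensor binary in this environment -->
        <Image condition="is">C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe</Image>
        <QueryName condition="end with">.in-addr.arpa</QueryName>
        <QueryName condition="end with">.windowsupdate.com</QueryName>
      </DnsQuery>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Load it with sysmon -c and check the volume of EventID 22 over a day before rolling it out: excluding on Image removes whole processes from view, so keep that list short and prefer QueryName excludes for domains you have already baselined.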

DNS over HTTPS

Keep in mind there is also the DNS over HTTPS (DoH) protocol. These requests will not show up here, because the application resolves the name itself inside a TLS session to the resolver, instead of asking the Windows DNS client, and (hence the name) that goes out over HTTPS.

Depending on your configuration you might be able to see the activity in EventID 3 (NetworkConnect), but you will not see the request itself. The only thing you might be able to spot is an unexpected process connecting to port 443 on one of the DoH providers.

I'd suggest using another log source to cover this one, like Zeek (formerly Bro), proxy, firewall, NetFlow or PCAPs, since you can also see the packet sizes that way.
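The EventID 3 angle described above, as an added example (not code from the post): the only Sysmon signal left for DoH is a TCP connection to port 443 on a known resolver, so flag those when they come from a process that is not expected to speak DoH. The sample events are constructed, and the resolver list and the set of processes allowed to use DoH are assumptions to replace with your own. Note that Sysmon fills DestinationHostname by reverse lookup, so 1.1.1.1 shows up as one.one.one.one rather than cloudflare-dns.com; the check therefore matches on both hostname and IP.

```python
"""Added example: spot DoH use via Sysmon EventID 3 (NetworkConnect).
Sample events are constructed; resolver and allow lists are assumptions."""
import ntpath

# Assumption: a few public DoH endpoints, hostnames as reverse lookup returns
# them plus the IPs behind them. Extend from your own threat intel.
DOH_HOSTS = {"cloudflare-dns.com", "one.one.one.one", "dns.google",
             "dns.quad9.net"}
DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
# Assumption: browsers are the only processes expected to use DoH here.
EXPECTED_DOH_IMAGES = {"firefox.exe", "chrome.exe", "msedge.exe"}


def is_doh_connection(event):
    """EventID 3 over TCP/443 to a known resolver host or IP."""
    if event.get("EventID") != 3 or event.get("DestinationPort") != 443:
        return False
    if event.get("Protocol", "tcp").lower() != "tcp":
        return False
    host = event.get("DestinationHostname", "").lower().rstrip(".")
    return host in DOH_HOSTS or event.get("DestinationIp") in DOH_IPS


def unexpected_doh(events):
    """(image name, destination) for DoH connections from processes that are
    not on the expected list."""
    hits = []
    for e in events:
        if not is_doh_connection(e):
            continue
        image = ntpath.basename(e["Image"]).lower()
        if image not in EXPECTED_DOH_IMAGES:
            hits.append((image, e.get("DestinationHostname")
                         or e["DestinationIp"]))
    return hits


# Constructed sample events using Sysmon EventID 3 field names.
SAMPLE_EVENTS = [
    # browser doing DoH: expected, no alert
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Protocol": "tcp", "DestinationIp": "1.1.1.1", "DestinationPort": 443,
     "DestinationHostname": "one.one.one.one"},
    # unknown binary in a user profile talking DoH to Google: alert
    {"EventID": 3, "Image": r"C:\Users\bob\AppData\Roaming\updater.exe",
     "Protocol": "tcp", "DestinationIp": "8.8.8.8", "DestinationPort": 443,
     "DestinationHostname": "dns.google"},
    # plain DNS on UDP/53: not DoH, EventID 22 already shows the query
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "Protocol": "udp", "DestinationIp": "8.8.8.8", "DestinationPort": 53,
     "DestinationHostname": "dns.google"},
]

if __name__ == "__main__":
    for hit in unexpected_doh(SAMPLE_EVENTS):
        print("possible DoH from unexpected process:", hit)
```

A useful second-order check once EventID 22 is enabled: a process that produces these port 443 connections to a resolver but never produces an EventID 22 for the names it then connects to is resolving outside the Windows DNS client, which is exactly the blind spot this section is about.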

Configuration

SwiftOnSecurity has an Alpha configuration available here

My sysmon-modular configuration is not yet ready to handle the rule grouping through its scripts. I've generated a configuration and adopted most of Swift's DNS work into my version here.

I'll work on a modular version, on more filters for DNS and on incorporating OriginalFileName. Keep watching this space for that.

Rule Groups

The rule group configuration has not changed, and neither has the processing (yet!). I have good hope that multiple groups per event type will be added in future releases, which will make Sysmon even more powerful and will significantly reduce the volume of logs while improving the detection rate on the raw logs.

Thanks for reading, enjoy this release of Sysmon!

Olaf Hartong

Written by

Photographer | InfoSec | DFIR | Threat hunter | Data Dweller | Splunk | Sysmon