Ax1al
Published in

Ax1al

A brief introduction to Sysmon

A boring story :

As a guy who likes to understand threat hunting and how defenders deal with adversaries and their malicious intent, I along with my fellow teammates came up with an idea of a small library which has some info on nation-state backed up adversaries, although we are not a bunch of professional threat hunting trade craft masters but, finally we came with something a quite interesting known as HAWK Base, our goal is to learn more about how threats operate on victim machines, therefore I came up with the conclusion that understanding how malicious events and process creation are detected and how they are being logged?, so after just a random google search on how and which tools or methodologies which aid threat hunters to understand how are malicious or suspicious activity operate on the network. So I just decided to go along understanding Sysmon and a bunch of few fundamentals associated with it, on a small note Sysmon does not provide analysis of the events generated, nor it promises to hide itself from attackers/threats[cited from MSDN].

0x00 : What actually is this term Sysmon and what it actually does?

As per MSDN, Sysmon or System Monitor is a Windows System service and a device driver developed by Mark Russinovich part of Sysinternals, if you don’t know what actually a device driver mean, it is are a sort of software program, used by the kernel of the computer to communicate with the different hardware, well this post is not dedicated towards understanding device drivers, but here’s a small picture which will help you to understand,

Image cited form blog of the windows club.

coming back to our topic, sysmon remains resident, across reboots to monitor and log system activity to the Windows event log or can be said that, reboots does not affect the working of log monitoring activity of sysmon. Sysmon basically collects the events using Windows Event Collection or using SIEM agents and further analysis of them can somehow aid during the process of understanding malicious activity on the network.

0x01 : Setting up Sysmon

Sysmon is available for download here. After downloading the tool, we need to configure it using sysmon configuration file by SwiftOnSecurity , which is available here.

Once, you have downloaded the tool, just open the command prompt and go ahead and type

>Sysmon.exe

This command will enlist you a brief info about Sysmon and lists the flags for various tasks like adding a new configuration file, or might be installing service and driver and further usage.

Now once you have the usage info and the configuration file, make sure to run the command:

>Sysmon.exe -i /path/nameofconfig.xml

to add up the configuration file.

As, once sysmon gets started, we can just make sure if it’s actually running & logging events as desired, if we check out the services we can see sysmon is running

now going ahead to check out if it’s logging events or not, moving ahead with the event viewer, then inside Event viewer, we have a category known as Applications and Services Logging and there’s a small sub category Microsoft which contains another sub category known as Windows, with which you can view list of actions, and then you can definitely find Sysmon over there, going ahead with the Sysmon, we can see the name, type and number of events which has been logged.

Now, we can individually monitor those events, date & time of creation, the task category, Process ID, file name, hashes, Parent Process GUID and a few quite interesting info.

After going through the setup info, we will pick up a random event from the available ones and understand the various properties of it:

So, if we look into the properties of a random event, we are presented with two categories

  • System Data
  • EventData

0x02: Properties of Event Data & Types of events:

The event details is classified or viewed in two types, one of them is the System Data & the other is the event data, so we will look around what those actually mean, taking up an event with an event ID 1 which indicates process creation:

  • RuleName(string) : This field describes the rule name event.
  • UTC Time(datetime) : This field describes the time in UTC for the process creation.
  • ProcessGuid(string) : Maintained by Windows Activation, a ProcessGuid is used in a query to retrieve a worker process, can be used to enumerate the running worker processes and associative properties, this ProcessGuid is unique for each process.
  • ProcessID(int) : The process identifier is an int32 value can be specified as a value assigned when the executable started as logged in.
  • Image(string) : This denotes the presence of the executable listing the exact file path of the image of the executable.
  • FileVersion : The version of the executable which is creating the process.
  • Description & Product & Company : This versions give a quite detailed view about the file which creates the process.
  • CommandLine(string) : This field provides information on full command line execution of the context of process creation.
  • Current Directory(string) : This field provides information on the exact executable path in context of file creation.
  • User(string) : This field gives info on the user in context of the process creation.
  • LogonGuid(string) : This field helps to co-relate logon events, on the computer.
  • LogonId(string) : This field is a number that identifies, the logon session which was initiated
  • TerminalSessionID(int) : This field denotes a user’s operating environment when logging onto a Windows terminal server, each terminal session is assigned a per-server, unique ID at logon.
  • SID : The security ID of the account.
  • Integrity Level(string) : Integrity level or Integrity was introduced to add a layer of defense to help reduce the chance that malicious software will damage the operating system. During a process creation or while accessing an object the integrity of the file is checked here’s a small table which makes it clear :

Hashes(string) : This field denotes the hashes of the file in context of the process creation with their types(MD5, SHA256)and more.

ParentProcessGuid(string) : This filed denotes the parent process Guid, of the process in context of the process creation, if you are curious what Parent Process mean, visit here.

ParentProcessId(string) : This denotes the ParentProcess ID of the process, in context of process creation.

So, this was a brief description about the fields of a random event, next we will list the types of events:

This small mind map lists all the events sysmon generates, the detailed information about the events can be found out here.

So, this was a brief and introductory blog on how one can get started with sysmon, the upcoming blogs will be focused on how to integrate sysmon with SIEM tools for log analysis. If you find any information incorrect, please let me know.

Blog by Nerd of AX1AL, Join us at the discord server.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ax1al

Ax1al

A community for the nerds by the nerds .