Sysmon 11 — DNS improvements and FileDelete events

Olaf Hartong
Apr 28 · 7 min read

The latest release of Sysmon brings a bunch of improvements and introduces EventID 23 (FileDelete). Many thanks to Mark for allowing me access to the beta builds.

Please have a look at his video about this new release; it is a great new way for Mark to present new Sysinternals features.

Overview

  • Empty strings are replaced with "-" to work around a WEF bug
  • Adds DnsLookup configuration entry to support disabling of reverse DNS lookups
  • Adds copy-on-delete support to preserve files specified by SID of deleting account, file extension, executables, or specific processes, including logic to preserve files that are shredded (overwritten before delete)
  • Avoids hashing main data stream when it’s marked with FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS, which is used by cloud storage services like OneDrive and Dropbox
  • Synchronously processes ProcessAccess events to ensure that it occurs before the responsible process terminates
  • Sysmon now uses non-executable non-paged pool
  • Several bug fixes addressing configuration parsing issues

Schema

A copy of the new schema is available here.

DnsLookup configuration option

<DnsLookup>False</DnsLookup>

Example configuration header

You can validate its setting with Sysmon.exe -c

DNS lookups disabled

New: FileDelete Events

Archive directory

-a sets the archive directory, which is placed in the C:\ root. By default this folder is named Sysmon; you can also configure it in the config file with the <ArchiveDirectory> setting.

An example install with the ArchiveDirectory set to C:\falconforce

Recover deleted files

FileDelete Event (23) sample

Naturally I was now curious to see what was archived in my folder, so I fired up PowerShell and looked at my C:\ drive.


While it seemed the falconforce folder was not there (it also wasn't tagged with the hidden attribute), I tried to access it anyway.


There we go: it is there, it's just not accessible by my user, since it is protected by a System ACL.

There are multiple options now to move on. On a live system I would not change the access rights to this folder, since there might be valuable information there an attacker might not be aware of. On top of that you might inadvertently prevent Sysmon from writing to the folder.

What you could do, for instance, is spawn a SYSTEM command prompt and copy the required files. This can be done with PsExec; just run:

PsExec.exe -sid cmd

From this command prompt you can browse your directory without touching the ACLs and retrieve any file you’re after.


As you can see the file names are identical to the hashes that are logged in the event log sample above.

Archived files naming

In my case all hash algorithms are enabled, so the archived file names are built up from the SHA1, MD5, SHA256 and IMPHASH values joined together, followed by the original extension. Should you be using only SHA1, for instance, that hash alone will be the file name.

Preserved file name example with its SHA1 hash as the filename
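To tie an event back to its preserved copy without touching the ACLs, the hashes logged in the FileDelete event can be turned into the expected path in the archive directory. This is an added example, not code from the post or from Sysmon itself; it assumes the naming convention described above (enabled hashes concatenated in SHA1, MD5, SHA256, IMPHASH order plus the original extension, under the C:\ root), and the function names are hypothetical.

```powershell
# Rebuild the archive file name Sysmon uses for a preserved copy from the
# Hashes field of a FileDelete (EventID 23) event, as described in the post.
# Assumption: archive lives in C:\<ArchiveDirectory>, default folder name "Sysmon".
function Get-SysmonArchivePath {
    param(
        [Parameter(Mandatory)][string]$Hashes,          # e.g. "SHA1=...,MD5=...,SHA256=...,IMPHASH=..."
        [Parameter(Mandatory)][string]$TargetFilename,  # original full path of the deleted file
        [string]$ArchiveDirectory = 'Sysmon'            # folder name in the C:\ root
    )
    # Parse "ALG=VALUE" pairs into a lookup table; only enabled algorithms appear in the event
    $h = @{}
    foreach ($pair in $Hashes -split ',') {
        $alg, $val = $pair -split '=', 2
        if ($null -eq $val) { continue }
        $h[$alg.Trim().ToUpper()] = $val.Trim()
    }
    # Join the values in Sysmon's fixed order; missing (disabled) algorithms contribute nothing
    $name = ('SHA1', 'MD5', 'SHA256', 'IMPHASH' | ForEach-Object { $h[$_] }) -join ''
    $ext  = [System.IO.Path]::GetExtension($TargetFilename)
    return Join-Path "C:\$ArchiveDirectory" ($name + $ext)
}

# Read all FileDelete events from the Sysmon log and map each one to its archive path.
# Listing the archive folder itself still requires SYSTEM (see the PsExec step above).
function Get-SysmonFileDeleteArchive {
    param([string]$ArchiveDirectory = 'Sysmon')
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 23 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            # Each <Data Name="Field"> element becomes a key/value pair
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                Image          = $d['Image']
                TargetFilename = $d['TargetFilename']
                ArchivePath    = Get-SysmonArchivePath -Hashes $d['Hashes'] -TargetFilename $d['TargetFilename'] -ArchiveDirectory $ArchiveDirectory
            }
        }
}

# Constructed sample values, not a real event: only SHA1 and MD5 enabled
Get-SysmonArchivePath -Hashes 'SHA1=AAAA,MD5=BBBB' -TargetFilename 'C:\Windows\Temp\dropper.exe' -ArchiveDirectory 'falconforce'
```

Run Get-SysmonFileDeleteArchive -ArchiveDirectory falconforce from an elevated prompt and compare the ArchivePath column with the directory listing taken from the SYSTEM command prompt.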

Filtering

This can provide great value from a research perspective into Windows internals, but there is no added value in a production environment.

Part of the save process of Notepad++; even these files can be archived

While I am a fan of the "include all, exclude the noise" principle, in this case an alternative method might be more beneficial and will not flood the disk, especially in a production environment. It eventually all comes down to risk: what are you most interested in capturing in case of malicious activity?

Configuration

<DnsLookup>False</DnsLookup>
# Disables reverse DNS lookup behaviour; the default is True (Boolean)

<ArchiveDirectory>FalconForce</ArchiveDirectory>
# Sets the name of the directory in the C:\ root where preserved files will be saved (String)

<FileDelete onmatch="include"> and <FileDelete onmatch="exclude">
# You can use the following fields to configure these includes/excludes:
User - UnicodeString
Image - UnicodeString
TargetFilename - UnicodeString
Hashes - UnicodeString
IsExecutable - Boolean

# All the usual filter conditions are available to mark file extensions, folders etc. as to be archived:
is            Default; values are equal.
is not        Values are different.
contains      The field contains this value.
contains any  The field contains any of the ; delimited values.
contains all  The field contains all of the ; delimited values.
excludes      The field does not contain this value.
excludes any  The field does not contain one or more of the ; delimited values.
excludes all  The field does not contain any of the ; delimited values.
begin with    The field begins with this value.
end with      The field ends with this value.
less than     Lexicographical comparison is less than zero.
more than     Lexicographical comparison is more than zero.
image         Match an image path (full path or only image name).

# For example:
<TargetFilename condition="contains any">.exe;.ps1;.js;.xls;.xlsm</TargetFilename>
<TargetFilename condition="begin with">C:\Windows\Temp</TargetFilename>
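Putting the options above together, here is a complete minimal configuration that follows the tuning advice at the end of the post (preserve only from a few well-known staging locations and anything executable, and exclude known churn). This is an added example, not the post's configuration nor the modular configuration on GitHub; the schema version and the falconforce folder name are assumptions for this example.

```xml
<Sysmon schemaversion="4.30">
  <!-- Sysmon 11: do not resolve IPs to names in DNS events -->
  <DnsLookup>False</DnsLookup>
  <!-- Preserved copies land in C:\falconforce (folder name assumed for this example) -->
  <ArchiveDirectory>falconforce</ArchiveDirectory>
  <!-- All hashes enabled, so archive file names are SHA1+MD5+SHA256+IMPHASH plus extension -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="FileDelete include" groupRelation="or">
      <FileDelete onmatch="include">
        <!-- A few locations malware commonly stages in; widen these as tuning progresses -->
        <TargetFilename condition="begin with">C:\Windows\Temp</TargetFilename>
        <TargetFilename condition="contains">\AppData\Local\Temp\</TargetFilename>
        <TargetFilename condition="contains">\Downloads\</TargetFilename>
        <!-- Executables anywhere, independent of extension (catches renamed droppers) -->
        <IsExecutable condition="is">true</IsExecutable>
      </FileDelete>
    </RuleGroup>
    <RuleGroup name="FileDelete exclude" groupRelation="or">
      <FileDelete onmatch="exclude">
        <!-- Exclude rules win over include rules: editor save churn such as the Notepad++ case above -->
        <Image condition="end with">\notepad++.exe</Image>
        <TargetFilename condition="end with">.tmp</TargetFilename>
      </FileDelete>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Load it with Sysmon.exe -c <file> and confirm with Sysmon.exe -c that DnsLookup shows as disabled and the archive directory is the one you set.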

Obviously you can utilise my modular configuration as well, which is available on my GitHub page.

So what?

Scenario 1: Dropper / stager that removes itself after execution (T1193 or T1064, and many more), or attackers doing so manually

Scenario 2: Wiper software (T1485 and T1488)

Scenario 3: Ransomware (T1486)


Sysmon recognised the change to this binary and captured the state and preserved the file in the ArchiveDirectory.

MaybeMalware.exe overwriting ADExplorer.exe, with the original preserved in the ArchiveDirectory

Scenario 4: Rudimentary local versioning backups

Obviously there are better ways of doing this, but not all systems can or will be equipped with software to do it. Besides that, there's always the possibility of an admin not following procedure while testing some things, or an intruder tampering with a certain parameter.

Summarising

One of the important questions for you, the user/admin, will be: which files must not be missed, yet will not swamp your disk under normal behaviour of your workstation(s) and server(s)?

Tuning, like with a lot of the Sysmon configuration options, will be a vital part in implementing this in a production environment. Make sure not to skip this step.

Start out by only preserving files from a few well known locations malware likes to write and expand it from there.

FalconForce

A team of highly specialized security professionals
