Using Sysmon in Threat Hunting Processes
In operational security work it is essential to make sense of cyber threats, examine the activity on a system and collect logs from different sources. These are core concerns for threat hunters, and this is where the Sysmon tool comes in.
Sysmon is a tool from Microsoft (developed by Mark Russinovich) that records the activities taking place on the system on which it is installed.
It offers much the same functionality as the Windows Event Logs, but provides far more visibility than they do. It may not completely replace an EDR product, but it is a powerful open-source tool. It records the actions, activities and security warnings occurring on the system and gives the analyst the opportunity to examine them in more detail. It can also be integrated with different SIEM solutions. Its general features are as follows.
Sysmon Features:
- It records the events occurring on a process.
- It provides information about network connections and records the events occurring on them.
- It records changes to file creation timestamps.
- It records accesses to process memory.
- It records raw disk access.
Its installation can be summarized in its simplest form in a few steps:
- Sysmon is downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon.
- The downloaded zip file is then extracted and the .exe file inside it is run as an administrator (alternatively, this can be done from a PowerShell or cmd window opened as an administrator).
- For configuration, the repository containing the “sysmonconfig-export.xml” file is downloaded from https://github.com/SwiftOnSecurity/sysmon-config and unzipped. The file is then moved into the directory of the previously downloaded Sysmon executable.
- Finally, a cmd or PowerShell window is opened in this directory with administrator rights and the "sysmon.exe -accepteula -i sysmonconfig-export.xml" command is run to apply the configuration, which completes the installation. This configuration file contains the information and definitions that determine how Sysmon will log activity.
Location of Sysmon Logs: Event Viewer > Applications and Services Logs > Microsoft > Windows > Sysmon > Operational
An example view of the Sysmon logs being examined is shown below. The interface is very simple.
Sysmon logs contain a set of event IDs with different characteristics that should be known before starting to hunt. Records of the different activities taking place on the system can be viewed through these events. To examine them in order:
Event ID 1 (Process Creation): Provides and logs detailed information about processes created on the system.
Event ID 2 (FileCreateTime): Logs changes to a file's creation time, which allows the integrity of file creation timestamps on the system to be checked.
Event ID 3 (NetworkConnect): Logs TCP/UDP network connections on the machine.
Event ID 4 (Sysmon service state changed): Reports and logs changes in the state of the Sysmon service (started or stopped).
Event ID 5 (ProcessTerminate): Logs the termination of a process on the system.
Event ID 6 (DriverLoad): Provides information about drivers loaded on the system. The hash and signature information is checked against the configuration. The signature indicates whether the file was removed after it was loaded. This is logged as well.
Event ID 7 (Image loaded): Logs when a module is loaded into a particular process.
Event ID 8 (CreateRemoteThread): Detects and logs a process creating a thread in another process. This technique is actively used by malware to inject code and hide on the system.
Event ID 9 (RawAccessRead): Detects and logs situations such as a process reading directly from the drive using the “\\.\” notation.
Event ID 10 (Process Access): Reports when a process opens another process, an operation that is usually followed by information queries or by reading and writing the address space of the target process. This enables the detection of tools that read the memory contents of processes such as the Local Security Authority to steal credentials. This is logged as well.
Event ID 11 (FileCreate): Logged when a file is created or overwritten. It is useful for monitoring autostart locations such as the Startup folder, as well as temp and download directories, which are common places for malware to be written on first contact.
Event ID 12 (RegistryEvent – Object create and delete): Logs registry object creation and deletion, changes to registry locations, and certain malicious registry changes.
Event ID 13 (RegistryEvent – Value Set): Logs changes to registry values.
Event ID 14 (RegistryEvent – Key and Value Rename): Logs the new name of a renamed registry key or value.
Event ID 15 (FileCreateStreamHash): Logged when a named file stream is created; the event records the hash of the contents of the named stream as well as the contents of the file the stream is attached to.
Event ID 16 (Service Configuration Change): Changes to the Sysmon configuration, such as an update to the filtering rules, are recorded in this event.
Event ID 17 (PipeEvent – Pipe Created): Occurs when a named pipe is created between a client and a server, and logs it. Malware often uses named pipes for inter-process communication.
Event ID 18 (PipeEvent – Pipe Connected): Logs when a connection is established over a named pipe between a client and a server.
Event ID 19 (WmiEvent – WmiEventFilter Activity Detected): When a WMI event filter, one of the methods used by malware, is registered, it logs the WMI namespace, filter name and filter expression.
Event ID 20 (WmiEvent – WmiEventConsumer Activity Detected): When a WMI consumer is registered, it logs the consumer name and destination.
Event ID 21 (WmiEvent – WmiEventConsumerToFilter Activity Detected): When a consumer binds to a filter, it logs the consumer name and filter path.
Event ID 22 (DNSEvent – DNS query): Logged when a process executes a DNS query, whether the result succeeds or fails and whether or not it is cached.
Event ID 23 (FileDelete – File Delete archived): Logged when a file is deleted from the system. In addition, the deleted file itself is saved in the ArchiveDirectory (by default C:\Sysmon).
Event ID 24 (ClipboardChange – New Content in the Clipboard): Logs when the contents of the system clipboard change.
Event ID 25 (ProcessTampering – Process image change): Logs when process-hiding techniques such as “hollow” or “herpaderp” are detected.
Event ID 26 (FileDeleteDetected – File Delete Logged): Logs when a file is deleted.
Event ID 255 (Error): Logs errors that occur in the operation of the Sysmon service, for example when the system is under high load.
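As an added example (not part of the original article or of the Sysmon project), the following Python parses Sysmon records in the XML form Event Viewer shows and applies three of the hunting checks described above: Event ID 10 access to the Local Security Authority process (lsass.exe), Event ID 8 remote thread creation, and Event ID 1 parent/child lineage. The sample records are constructed and trimmed to the fields used; only the Data Name attributes follow Sysmon's real field names.

```python
"""Triage constructed Sysmon events (IDs 1, 8 and 10) exported as XML."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records (not captured from a real host), reduced to the
# fields the rules below need; the Data Name attributes are Sysmon's own.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System>
 <EventData><Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
 <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>10</EventID></System>
 <EventData><Data Name="SourceImage">C:\Users\Public\dump.exe</Data>
 <Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data><Data Name="GrantedAccess">0x1010</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>8</EventID></System>
 <EventData><Data Name="SourceImage">C:\Users\Public\inj.exe</Data>
 <Data Name="TargetImage">C:\Windows\explorer.exe</Data></EventData></Event>
</Events>"""


def parse_events(xml_text):
    """Return a list of (event_id, {field: value}) for each Sysmon <Event>."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        event_id = int(ev.find("e:System/e:EventID", NS).text)
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        events.append((event_id, data))
    return events


def triage(events):
    """Apply three hunting checks drawn from the event ID descriptions."""
    findings = []
    for event_id, d in events:
        target = d.get("TargetImage", "").lower()
        if event_id == 10 and target.endswith("\\lsass.exe"):
            # ID 10: a process opened the Local Security Authority process; tune
            # with GrantedAccess and config exclusions, since AV/EDR are noisy here.
            findings.append(("ProcessAccess to lsass", d["SourceImage"], d.get("GrantedAccess")))
        elif event_id == 8:
            # ID 8: a thread was created in another process, a classic injection sign.
            findings.append(("CreateRemoteThread", d["SourceImage"], d["TargetImage"]))
        elif event_id == 1 and d.get("ParentImage", "").lower().endswith("\\cmd.exe"):
            # ID 1: process creation records the parent, so lineage can be checked.
            findings.append(("Process spawned from cmd.exe", d["ParentImage"], d["Image"]))
    return findings
```

In practice the XML would come from exporting the Microsoft-Windows-Sysmon/Operational channel; the same parser applies because the event schema is unchanged.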
As an example of what gets logged, when powershell.exe is launched from cmd, a record with event ID 8 appears in the Sysmon logs.
Resources Used:
- https://www.socinvestigation.com/threat-hunting-using-sysmon-advanced-log-analysis-for-windows/
- https://systemweakness.com/list-of-sysmon-event-ids-for-threat-hunting-4250b47cd567
- https://alhydrtprk.medium.com/sysmon-kurulum-ve-yap%C4%B1land%C4%B1rmas%C4%B1-dc567d502bf6
- http://www.syspanda.com/index.php/2017/10/10/threat-hunting-sysmon-word-document-macro/
- https://github.com/SwiftOnSecurity/sysmon-config
- https://tec-refresh.com/threat-detection-with-sysmon/