He knows I have a nice bag of little tools, and so I introduced the sysadmin to sysmon. I would recommend installing it on each and every Windows system. It logs much more than a standard Windows system does and is thus a treasure chest for any incident responder.
You can download the 32-bit and the 64-bit version from Sysinternals. I prefer to get my Sysinternals tools from http://live.sysinternals.com.
The installation is pretty straightforward. Open a command prompt with Administrator privileges and go to the directory where you've downloaded sysmon. During the rest of this post I will refer to sysmon.exe; depending on your platform you will need to use the 32-bit or the 64-bit version.
To install it, run sysmon.exe -i --accepteula. This outputs:
System Monitor v4.1 - System activity monitor
Copyright (C) 2014-2016 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com
The software needs to be configured. I like my logs verbose, so let's go over the options:
-c Update configuration of an installed Sysmon driver or dump the current configuration if no other argument is provided. Optionally take a configuration file.
-h Specify the hash algorithms used for image identification (default is SHA1). It supports multiple algorithms at the same time. Configuration entry: HashAlgorithms.
-i Install service and driver. Optionally take a configuration file.
-l Log loading of modules. Optionally take a list of processes to track.
-m Install the event manifest (done on service install as well).
-n Log network connections. Optionally take a list of processes to track.
-r Check for signature certificate revocation. Configuration entry: CheckRevocation.
-u Uninstall service and driver.
I configure my systems the following way:
sysmon -c -l -n -r
I like my hash to be SHA1 because that makes it easy to submit to websites like VirusTotal.
You can find the logs created by sysmon in the event viewer (you need administrative privileges).
- Open the event viewer
- Go to Applications and Services logs
- Go to Microsoft
- Go to Windows
- Go to Sysmon
- Go to Operational
Remember that it is good practice to split off your event logs to a separate disk if I/O is a bottleneck. When you right-click on Operational and open its properties you can change the log path and the log size. Since I like verbose logs, I've set mine to at least 250 MB (249984 KB) and cyclical.
Now that everything is configured it is time to restart the service. Open a PowerShell prompt with elevated privileges and do:
Digging for Gold
The last step to figure out what is going on is of course log analysis. There are a couple of event IDs worth knowing:
Event ID 1 shows you process creation:
UtcTime: 2016-08-01 14:24:12.390
CommandLine: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\eventvwr.msc" /s
Event ID 2 shows you when a file creation time was changed:
File creation time changed:
UtcTime: 2016-08-01 14:24:22.358
CreationUtcTime: 2015-12-18 08:35:35.991
PreviousCreationUtcTime: 2016-08-01 14:24:22.343
Event ID 3 shows you network connections:
Network connection detected:
UtcTime: 2016-08-01 14:24:19.240
User: NT AUTHORITY\SYSTEM
Event ID 5 shows you when a process is terminated:
UtcTime: 2016-08-01 14:24:17.398
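To pull these four event types out of the Operational log without clicking through the Event Viewer, here is an added PowerShell example (not part of the original post). It assumes an elevated prompt and the log name Sysmon registers when its manifest is installed, Microsoft-Windows-Sysmon/Operational; the field names per event ID are those Sysmon writes into the event's EventData.

```powershell
# Added example: query the Sysmon Operational log for the event IDs covered
# above and surface the fields the post highlights. Run from an elevated prompt.
$LogName = 'Microsoft-Windows-Sysmon/Operational'   # assumed: Sysmon's default log name

# Event IDs discussed in the post and the EventData fields worth pulling out.
$Wanted = @{
    1 = @('UtcTime', 'Image', 'CommandLine', 'User', 'Hashes')          # process creation
    2 = @('UtcTime', 'Image', 'TargetFilename',
          'CreationUtcTime', 'PreviousCreationUtcTime')                 # file creation time changed
    3 = @('UtcTime', 'Image', 'User', 'DestinationIp', 'DestinationPort') # network connection
    5 = @('UtcTime', 'Image', 'ProcessId')                              # process terminated
}

function Get-SysmonEvent {
    param(
        [int[]] $Id = @(1, 2, 3, 5),   # which Sysmon event IDs to return
        [int]   $MaxEvents = 50        # newest N events matching the filter
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id } `
                           -MaxEvents $MaxEvents -ErrorAction Stop
    foreach ($e in $events) {
        # Sysmon stores its fields as <Data Name="..."> elements in the event XML,
        # so parse the XML instead of scraping the rendered message text.
        $xml  = [xml] $e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $row = [ordered]@{ EventId = $e.Id; TimeCreated = $e.TimeCreated }
        foreach ($f in $Wanted[[int]$e.Id]) { $row[$f] = $data[$f] }
        [pscustomobject] $row
    }
}

# The last 20 process creations, hashes included, ready for a VirusTotal lookup.
Get-SysmonEvent -Id 1 -MaxEvents 20 | Format-List
```

Swap the -Id value for 3 to list outbound connections with their destination, or leave it empty to interleave all four event types in time order.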
As you can see there is a tremendous amount of info available for an incident responder. If you want some ideas on what you can do with the data, I recommend reading this excellent post by CrowdStrike; it will help you get amazing value out of the collected data.