Monday, August 1, 2016

Sysmon ... digging for gold

When things get bizarre, weird and strange, people often come and see their incident response team. This incident was no different: a process wasn't doing what the admin expected it to do, but he didn't know what it was doing either.

He knows I have a nice bag of little tools, so I introduced the sysadmin to Sysmon. I would recommend installing it on each and every Windows system. It logs much more than a standard Windows system does and is therefore a treasure chest for any incident responder.

You can download the 32-bit and the 64-bit versions from Sysinternals. I prefer to make my Sysinternals tools from

The installation is pretty straightforward. Open a command prompt with Administrator privileges and go to the directory where you downloaded Sysmon. During the rest of this post I will refer to sysmon.exe; depending on your platform you will need to use the 32-bit or the 64-bit version.

To install it, run sysmon.exe -i --accepteula. This outputs:

System Monitor v4.1 - System activity monitor
Copyright (C) 2014-2016 Mark Russinovich and Thomas Garnier
Sysinternals -

Sysmon installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon..
Sysmon started.

The software still needs to be configured. I like my logs verbose, so let's go over the options:

-c   Update configuration of an installed Sysmon driver or dump the current configuration if no other argument is provided. Optionally take a configuration file.
-h   Specify the hash algorithms used for image identification (default is SHA1). It supports multiple algorithms at the same time. Configuration entry: HashAlgorithms.
-i   Install service and driver. Optionally take a configuration file.
-l   Log loading of modules. Optionally take a list of processes to track.
-m   Install the event manifest (done on service install as well).
-n   Log network connections. Optionally take a list of processes to track.
-r   Check for signature certificate revocation. Configuration entry: CheckRevocation.
-u   Uninstall service and driver.

I configure my systems the following way:
sysmon -c -l -n -r

I like my hash to be SHA1 because that makes it easy to submit to websites like VirusTotal. SHA1 is the default; since -h accepts several algorithms at once, you can record SHA256 alongside it if the tools you feed the hashes to prefer that.

The Logs
You can find the logs created by sysmon in the event viewer (you need administrative privileges).

  1. Open the event viewer
  2. Go to Applications and Services logs
  3. Go to Microsoft
  4. Go to Windows
  5. Go to Sysmon
  6. Go to Operational

Remember that it is good practice to move your event logs to a separate disk if I/O is a bottleneck. When you right-click Operational and open its properties you can change the log path and the maximum log size. Since I like verbose logs I've set mine to at least 250 MB (249984 KB) and to overwrite events as needed (circular logging), so the channel never stops recording when it fills up.

Now that everything is configured it is time to restart the service. Open a PowerShell prompt with elevated privileges and run:

restart-service sysmon
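The install, configure, log-size and restart steps above as one script. This is an added example, not code from the original post; it assumes Sysmon 4.x (the switches listed above), a binary named sysmon.exe with a service named Sysmon (use sysmon64.exe and Sysmon64 if you downloaded the 64-bit build), an elevated PowerShell prompt in the download directory, and a placeholder D:\Logs path for the optional log move.

```powershell
# Added example (not from the original post): scripted version of the install
# and configuration steps. Run from an elevated PowerShell prompt in the
# directory that holds the Sysmon binary.
# Assumptions: Sysmon 4.x, binary sysmon.exe, service name Sysmon. Swap in
# sysmon64.exe / Sysmon64 for the 64-bit build. D:\Logs is a placeholder.
$ErrorActionPreference = 'Stop'
$sysmon  = '.\sysmon.exe'
$svcName = 'Sysmon'
$logName = 'Microsoft-Windows-Sysmon/Operational'

# 1. Install the service and driver (skipped if a Sysmon service already exists).
if (-not (Get-Service -Name $svcName -ErrorAction SilentlyContinue)) {
    & $sysmon -i -accepteula
}

# 2. Apply the verbose configuration from the post: log module loads (-l),
#    network connections (-n) and check certificate revocation (-r).
#    Hashing stays at the SHA1 default; add "-h sha1,sha256" to record both.
& $sysmon -c -l -n -r

# 3. Size the Operational channel: 250 MB, circular (retention off means the
#    oldest events are overwritten instead of logging stopping when full).
#    The size must be a multiple of 64 KB; 262144000 bytes = 250 * 1024 * 1024.
wevtutil sl $logName /ms:262144000 /rt:false

# Optional: move the .evtx off the system disk when I/O is a bottleneck.
# The target directory must exist before you run this.
# wevtutil sl $logName "/lfn:D:\Logs\Microsoft-Windows-Sysmon%4Operational.evtx"

# 4. Restart the service so the new settings take effect, then dump the
#    running configuration to confirm what the driver is actually doing.
Restart-Service -Name $svcName
& $sysmon -c

# 5. Sanity check: the newest event in the channel should be seconds old.
Get-WinEvent -LogName $logName -MaxEvents 1 | Format-List TimeCreated, Id, Message
```

Dumping the configuration with sysmon -c after the restart is the check worth keeping: it shows what the driver is actually doing, rather than what you think you passed on the command line.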

Digging for Gold
The last step in figuring out what is going on is, of course, log analysis. There are a couple of event IDs to know; the ones that showed up in this session are:

Event ID 1 shows you process creation:
Process Create:
UtcTime: 2016-08-01 14:24:12.390
ProcessGuid: {ddfd1a0f-5b8c-579f-0000-0010f4d2d004}
ProcessId: 7204
Image: C:\Windows\System32\mmc.exe
CommandLine: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\eventvwr.msc" /s
CurrentDirectory: C:\WINDOWS\system32\
LogonGuid: {---}
LogonId: 0x4d0c45f
TerminalSessionId: 1
IntegrityLevel: High
Hashes: SHA1=F5DC12D658402900A2B01AF2F018D113619B96B8
ParentProcessGuid: {ddfd1a0f-62f2-579c-0000-0010f1060400}
ParentProcessId: 2940
ParentImage: C:\Windows\explorer.exe
ParentCommandLine: C:\WINDOWS\Explorer.EXE

Event ID 2 shows you when a process changed a file's creation time. Attackers use this to timestomp dropped files, but installers and archive extractors do it legitimately too, as the record below shows (the creation time is set back to 2015):

File creation time changed:
UtcTime: 2016-08-01 14:24:22.358
ProcessGuid: {ddfd1a0f-3a92-579f-0000-0010c31a2804}
ProcessId: 2996
Image: C:\Users\\Desktop\portable\firefox\FirefoxPortable\App\firefox\firefox.exe
TargetFilename: C:\Users\
CreationUtcTime: 2015-12-18 08:35:35.991
PreviousCreationUtcTime: 2016-08-01 14:24:22.343

Event ID 3 shows you network connections. Initiated tells you whether this host opened the connection (true) or accepted it (false), as with the NetBIOS name-service traffic below:
Network connection detected:
UtcTime: 2016-08-01 14:24:19.240
ProcessGuid: {ddfd1a0f-62d5-579c-0000-0010eb030000}
ProcessId: 4
Image: System
Protocol: udp
Initiated: false
SourceIsIpv6: false
SourcePort: 137
SourcePortName: netbios-ns
DestinationIsIpv6: false
DestinationPort: 137
DestinationPortName: netbios-ns

Event ID 5 shows you when a process is terminated:
Process terminated:
UtcTime: 2016-08-01 14:24:17.398
ProcessGuid: {ddfd1a0f-5b8c-579f-0000-00103dcfd004}
ProcessId: 5684
Image: C:\Windows\System32\dllhost.exe

As you can see, there is a tremendous amount of information available to an incident responder. If you want some ideas about what you can do with the data, I recommend reading this excellent post by CrowdStrike, which will help you get real value out of the collected data.
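To show what querying these four event types looks like in practice, here is an added example (not code from the original post or from Sysinternals) that pulls them out of the Sysmon channel with Get-WinEvent, turns the EventData fields into objects, and runs the questions a responder asks first: where did this process come from, which files had their creation time pushed back, which images talk outbound, and how long did short-lived processes live. It assumes Sysmon 4.x field names as in the records above, an elevated prompt, and an arbitrary cap of 5000 events.

```powershell
# Added example, not from the original post: query the Sysmon Operational
# channel and reconstruct the relationships the records above only hint at.
# Assumes Sysmon 4.x field names, an elevated prompt, and a 5000-event cap.
$logName = 'Microsoft-Windows-Sysmon/Operational'

# Sysmon writes every field as <Data Name="...">value</Data> under EventData,
# so one generic converter covers every event ID.
function ConvertFrom-SysmonEvent {
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    process {
        $xml = [xml]$Record.ToXml()
        $obj = [ordered]@{ EventId = $Record.Id; TimeCreated = $Record.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $obj[$d.Name] = $d.'#text' }
        [pscustomobject]$obj
    }
}

$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 1, 2, 3, 5 } -MaxEvents 5000 |
          ConvertFrom-SysmonEvent

# --- Event ID 1: rebuild the parent chain via ProcessGuid / ParentProcessGuid.
# GUIDs, not PIDs, are the join key: PIDs get reused, GUIDs do not.
$byGuid = @{}
foreach ($p in ($events | Where-Object EventId -eq 1)) { $byGuid[$p.ProcessGuid] = $p }

function Get-ProcessChain([string]$Guid) {
    $chain = @()
    $cur = $byGuid[$Guid]
    while ($cur) {
        $chain += '{0}:{1}' -f $cur.ProcessId, (Split-Path -Leaf $cur.Image)
        # The chain ends when the parent was started before Sysmon was installed.
        if ($cur.ParentProcessGuid) { $cur = $byGuid[$cur.ParentProcessGuid] } else { $cur = $null }
    }
    $chain -join ' <- '
}

# Example: every mmc.exe launch with its ancestry (in the post: mmc.exe <- explorer.exe).
$events | Where-Object { $_.EventId -eq 1 -and $_.Image -like '*\mmc.exe' } |
    ForEach-Object { '{0}  {1}' -f $_.UtcTime, (Get-ProcessChain $_.ProcessGuid) }

# --- Event ID 2: creation time moved backwards. Attackers timestomp dropped
# files this way, but archive extractors and installers (the Firefox Portable
# record above) do the same, so treat this as a triage cue, not a verdict.
$events | Where-Object {
    $_.EventId -eq 2 -and [datetime]$_.CreationUtcTime -lt [datetime]$_.PreviousCreationUtcTime
} | Select-Object UtcTime, Image, TargetFilename, PreviousCreationUtcTime, CreationUtcTime

# --- Event ID 3: only connections this host opened (Initiated=true); the
# System NetBIOS record above has Initiated=false and is filtered out here.
$events | Where-Object { $_.EventId -eq 3 -and $_.Initiated -eq 'true' } |
    Group-Object Image | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# --- Event ID 5: pair each termination with its creation record to get the
# lifetime; very short-lived processes are where droppers and LOLBins hide.
$events | Where-Object { $_.EventId -eq 5 -and $byGuid.ContainsKey($_.ProcessGuid) } |
    ForEach-Object {
        $start = $byGuid[$_.ProcessGuid]
        [pscustomobject]@{
            Image    = Split-Path -Leaf $_.Image
            Pid      = $_.ProcessId
            Lifetime = [datetime]$_.UtcTime - [datetime]$start.UtcTime
        }
    } | Sort-Object Lifetime | Select-Object -First 10
```

Joining on ProcessGuid rather than ProcessId is the one habit to take away from this: the PID in an Event ID 5 record can already belong to a different process by the time you look at it, while the GUID is unique for the life of the log.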
