Showing posts with label Windows. Show all posts

Monday, August 1, 2016

Sysmon ... digging for gold

When things are bizarre, weird and strange, people often come and see their incident response team. This incident wasn't different: a process wasn't doing what the admin expected it to do, but he didn't know what it was doing.

He knows I carry a nice bag of little tools, so I introduced the sysadmin to sysmon. I would recommend installing it on each and every Windows system. It logs much more than a standard Windows system does and is thus a treasure chest for any incident responder.

Download
You can download the 32-bit and the 64-bit version from sysinternals. I prefer to fetch my sysinternals tools from http://live.sysinternals.com.

Installation
The installation is pretty straightforward. You open a command prompt with Administrator privileges and go to the directory where you've downloaded sysmon. During the rest of this post I will refer to sysmon.exe; depending on your platform you will need to reference the 32-bit or 64-bit version.

To install it run sysmon.exe -i --accepteula. This outputs

System Monitor v4.1 - System activity monitor
Copyright (C) 2014-2016 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Sysmon installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon..
Sysmon started.


Configuration
Software needs to be configured. I like my logs verbose, so let's go over the options:

-c   Update configuration of an installed Sysmon driver or dump the current configuration if no other argument is provided. Optionally take a configuration file.
-h   Specify the hash algorithms used for image identification (default is SHA1). It supports multiple algorithms at the same time. Configuration entry: HashAlgorithms.
-i   Install service and driver. Optionally take a configuration file.
-l   Log loading of modules. Optionally take a list of processes to track.
-m   Install the event manifest (done on service install as well).
-n   Log network connections. Optionally take a list of processes to track.
-r   Check for signature certificate revocation. Configuration entry: CheckRevocation.
-u   Uninstall service and driver.



I configure my systems the following way:
sysmon -c -l -n -r

I like my hash to be sha1 because that makes it easy to submit to websites like virustotal.

The Logs
You can find the logs created by sysmon in the event viewer (you need administrative privileges).

  1. Open the event viewer
  2. Go to Applications and Services logs
  3. Go to Microsoft
  4. Go to Windows
  5. Go to Sysmon
  6. Go to Operational

Remember that it is good practice to split off your event logs to a separate disk if the I/O is a bottleneck. When you right click on Operational and request the properties you can change the log path and the log size. Since I like verbose logs I've set mine to at least 250 MB (249984 KB) and cyclical.

Now that everything is configured it is time to restart the service. Open a powershell prompt with elevated privileges and do:

restart-service sysmon

Digging for Gold
The last step to figure out what is going on is of course log analysis. There are a couple of event IDs worth knowing:

EventID 1 shows you process creation
Process Create:
UtcTime: 2016-08-01 14:24:12.390
ProcessGuid: {ddfd1a0f-5b8c-579f-0000-0010f4d2d004}
ProcessId: 7204
Image: C:\Windows\System32\mmc.exe
CommandLine: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\eventvwr.msc" /s
CurrentDirectory: C:\WINDOWS\system32\
User:
LogonGuid: {---}
LogonId: 0x4d0c45f
TerminalSessionId: 1
IntegrityLevel: High
Hashes: SHA1=F5DC12D658402900A2B01AF2F018D113619B96B8
ParentProcessGuid: {ddfd1a0f-62f2-579c-0000-0010f1060400}
ParentProcessId: 2940
ParentImage: C:\Windows\explorer.exe
ParentCommandLine: C:\WINDOWS\Explorer.EXE



Event ID 2 shows you when a process changed the creation time of a file; the output lists both the new and the previous creation time


File creation time changed:
UtcTime: 2016-08-01 14:24:22.358
ProcessGuid: {ddfd1a0f-3a92-579f-0000-0010c31a2804}
ProcessId: 2996
Image: C:\Users\\Desktop\portable\firefox\FirefoxPortable\App\firefox\firefox.exe
TargetFilename: C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\85YY0LRHLX4IUPLTXXXZ.temp
CreationUtcTime: 2015-12-18 08:35:35.991
PreviousCreationUtcTime: 2016-08-01 14:24:22.343


Event ID 3 shows you the network connections
Network connection detected:
UtcTime: 2016-08-01 14:24:19.240
ProcessGuid: {ddfd1a0f-62d5-579c-0000-0010eb030000}
ProcessId: 4
Image: System
User: NT AUTHORITY\SYSTEM
Protocol: udp
Initiated: false
SourceIsIpv6: false
SourceIp: 10.127.255.255
SourceHostname:
SourcePort: 137
SourcePortName: netbios-ns
DestinationIsIpv6: false
DestinationIp: 10.127.12.160
DestinationHostname:
DestinationPort: 137
DestinationPortName: netbios-ns


Event ID 5 shows you when a process is terminated
Process terminated:
UtcTime: 2016-08-01 14:24:17.398
ProcessGuid: {ddfd1a0f-5b8c-579f-0000-00103dcfd004}
ProcessId: 5684
Image: C:\Windows\System32\dllhost.exe


As you can see there is a tremendous amount of info available for an incident responder. If you want some cool ideas about what you can do with the data, I recommend you read this excellent post by CrowdStrike; it will help you get amazing value out of the collected data.
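The digging described above can be scripted from the same elevated PowerShell prompt. This is an added example, not code from the original post or from Sysinternals; it assumes Sysmon is installed as above and writing to the Operational log, and it flattens each event's EventData fields into an object so Event ID 1 and Event ID 3 can be filtered like the dumps shown.

```powershell
# Added example (not from the original post or from Sysinternals).
# Assumes Sysmon is installed and writing to the Operational log shown above,
# and that the prompt is elevated (reading the log needs administrative privileges).
$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'

function Get-SysmonEvent {
    # Pull events by Sysmon event ID and flatten the EventData <Data Name="..."> nodes
    # (UtcTime, Image, CommandLine, ParentImage, Hashes, ...) into one object per event.
    param([int[]]$Id, [int]$MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = $Id } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml   = [xml]$_.ToXml()
            $props = [ordered]@{ EventId = $_.Id; TimeCreated = $_.TimeCreated }
            foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
            [pscustomobject]$props
        }
}

# Event ID 1: process creations whose parent is not the interactive shell (explorer.exe),
# i.e. the ones an admin cannot explain with "I clicked on it".
Get-SysmonEvent -Id 1 |
    Where-Object { $_.ParentImage -notmatch '\\explorer\.exe$' } |
    Select-Object UtcTime, Image, CommandLine, ParentImage, Hashes |
    Format-Table -AutoSize -Wrap

# Event ID 3: connections the local process initiated (Initiated = true),
# counted per image and destination port. A rarely seen image or port is where to start.
Get-SysmonEvent -Id 3 |
    Where-Object { $_.Initiated -eq 'true' } |
    Group-Object -Property Image, DestinationPort |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name |
    Format-Table -AutoSize

# The SHA1 part of the Hashes field (e.g. SHA1=F5DC...) is what you submit to VirusTotal.
Get-SysmonEvent -Id 1 -MaxEvents 50 |
    ForEach-Object { ($_.Hashes -split ',') | Where-Object { $_ -like 'SHA1=*' } } |
    Sort-Object -Unique
```

With -ErrorAction SilentlyContinue the script stays quiet on a freshly installed host that has not logged an event ID yet; drop it if you would rather see that error.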

Saturday, April 30, 2016

Git for Windows Users with Git GUI

In my previous post I've set up a git server. In this post I will focus on Windows and git from a never-used-before standpoint. How to use git is not part of this series, but there are some good YouTube videos where you can learn the basics.

Git GUI
Since my users are typical Windows users that like to point and click in a GUI I went for Git GUI which can be found at https://git-for-windows.github.io/

After the installation some configuration needs to be done before you can start using it.

Setting up your local repository
To set up your local copy of the repository we need to create a directory. When you right click in your window, the shell menu has the Git Gui Here option, which you should click.

This opens the Git GUI window where you can choose "Create New Repository". It will ask you to select a directory to create the repository.

Choose "browse" and immediately click "select folder". This will select the folder you just created as the place to create your repository in.

Click "Create" and this will create the git repository for you. A new Git GUI window will open up.

Coupling the remote repository to the local repository

The first action is to choose the remote server, so we press Ctrl+A. This will pop up a new window asking you for the name of the repository and the location.

The name of the powershell repository I created in the previous post was "powershell" and the location was "bob@server.com:/export/git/powershell".

A prompt appears for bob's password and the data is fetched from the repository.

Working with the local repository
When you are satisfied with your work you open up the Git GUI for the local repository and then you need to "stage all the changed files to commit" (Ctrl-I).

Next you add your commit message. Books can be written on the quality of commit messages, but the same principles of good communication always apply.

Finally you hit the commit button to commit it to the local repository, and if you are happy with the end result you push it to the server. This last step will pop up a new window which is pretty straightforward.

Fetching changes from the server
The idea of git is of course to work together on projects, thus our last step is to explain how you get the changes from others into your local repository.

The first step is to go into remote, and select fetch from powershell, our repository.

You will be prompted for your password. This fetches the data from the remote repository and thus all the changes. The next step is to merge the changes with the data you already have in your repository.

The merge will show you what has changed since your last synchronization and then you are good to go.

Conclusions
It is not that hard to work with git, but it takes discipline to synchronize your repositories. When you develop new features it is of course recommended to make branches and merge these, but that is beyond the scope of this very basic tutorial.