Detecting a Cyber Attack Part 1 (Sysmon – endpoint install)

Now that we have finished our “Creating a Cyber Attack” series (Part 1 here: https://blog.2code-monte.co.uk/2020/09/26/making-a-malicious-word-document-part-1-dde-vulnerability-feature/), where we showed how a cyber attack is put together, we are going to move on to detection.

Sysmon has been around for a while now, but recently it has really been gaining traction as a must-have for organisations. Sysmon provides enhanced logging of certain events, which lets analysts identify malicious activity more easily and configure custom alerts and configurations to suit the environment.

Sysmon’s capabilities include:

  • Logs process creation with full command line for both current and parent processes.
  • Records the hash of process image files using SHA1 (the default), MD5, SHA256 or IMPHASH.
  • Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
  • Includes a session GUID in each event to allow correlation of events on same logon session.
  • Logs loading of drivers or DLLs with their signatures and hashes.
  • Logs opens for raw read access of disks and volumes.
  • Optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names.
  • Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
  • Generates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware.

For full capability information, visit the link below:

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

For the configuration file we will be using the @swiftonsecurity template from GitHub at the URL below:

https://github.com/SwiftOnSecurity/sysmon-config

This is a great template to start off with, and if you open the XML file every line is commented, so it’s also a great place to learn. In our demo we need to remove the DNS section as it is not supported in Windows 7.

Right let’s get cracking and get Sysmon installed.

To download the official version of Sysmon, go to https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon. You’ll need to unzip it and save it to a convenient location.

Then download the config file from here https://github.com/SwiftOnSecurity/sysmon-config

Now we need to edit the config file; I just did this in good old Notepad.

Find the DNS query section, then, starting from “<RuleGroup name="" groupRelation="or">”, highlight and delete the whole section.

Save your changes, then copy the file so it is in the same folder as your Sysmon download.

To install Sysmon you need to run it from an admin cmd prompt, which you can do by right clicking and selecting “run as administrator”.

Once your cmd is open you need to copy the location of your Sysmon files so you can run the command from inside the folder.

Type “cd” then paste in your location.

Now we just run the command as shown below:

sysmon.exe -accepteula -i sysmonconfig-export.xml

That’s it! If you receive no errors then Sysmon should be running. Let’s go look at some logs in Event Viewer.

Sysmon logs are stored under

Application and Services Logs/Microsoft/Windows/Sysmon/Operational

The below image shows Sysmon logging us opening Event Viewer

If we now open Firefox we get lots of logs showing what it is doing, the processes it runs, where it updates from, the DLLs it uses, and lots of other info which would be invaluable if we were hunting malware.
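The manual steps above (removing the DNS query section, installing, then checking the Operational log) can also be scripted, which avoids deleting half a section by hand in Notepad. This is an added example, not part of the original post or of the Sysmon or SwiftOnSecurity projects. It assumes the files sit in C:\Tools\Sysmon, that the DNS rules are DnsQuery elements wrapped in a RuleGroup, and uses a hypothetical .orig backup name.

```powershell
# Added example. $SysmonDir and the .orig backup name are assumptions.
$SysmonDir = 'C:\Tools\Sysmon'    # assumed folder holding sysmon.exe and the config
$Config    = Join-Path $SysmonDir 'sysmonconfig-export.xml'

# Sysmon needs an elevated session to install its service and driver.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell prompt.'
}

# Keep the untouched template once, so the DNS rules can be restored later.
if (-not (Test-Path "$Config.orig")) { Copy-Item $Config "$Config.orig" }

# Load the template as XML; PreserveWhitespace keeps its layout and comments.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($Config)

# Remove each RuleGroup that wraps a DnsQuery filter, then any unwrapped DnsQuery.
$groups = @($xml.SelectNodes('//RuleGroup[DnsQuery]'))
foreach ($g in $groups) { [void]$g.ParentNode.RemoveChild($g) }
foreach ($n in @($xml.SelectNodes('//DnsQuery'))) { [void]$n.ParentNode.RemoveChild($n) }

# Fail before installing if any DNS rule survived the edit.
if ($xml.SelectNodes('//DnsQuery').Count -ne 0) { throw 'DnsQuery rules still present.' }
$xml.Save($Config)
'Removed {0} DnsQuery RuleGroup(s) from {1}' -f $groups.Count, $Config

# Install with the edited config (same command as in the post).
Set-Location $SysmonDir
& .\sysmon.exe -accepteula -i sysmonconfig-export.xml
if ($LASTEXITCODE -ne 0) { throw "sysmon.exe exited with code $LASTEXITCODE" }

# Confirm the service is running and events are arriving in the Operational log.
Get-Service | Where-Object { $_.Name -like 'Sysmon*' } |
    Format-Table Name, Status -AutoSize
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5 |
    Format-Table TimeCreated, Id -AutoSize
```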

Hope you enjoyed this quick look at Sysmon; we will be covering it in more detail as we progress.