This article provides information about the usage details of the Sysmon tool used in Windows operating system resources and an examination of example scenarios.
System Monitor (Sysmon) is a tool that can record the events and movements occurring in an actively used system. Sysmon is a system service and device driver that performs these recordings via the Event Viewer tool for Windows operating systems. It provides information about processes, network connections, and the creation details of a file.
It is important to know and track Sysmon, especially for advanced log analysis and threat hunting in Windows operating systems. Although the purpose of each event can be somewhat understood from its name, I will give brief explanations of some important ones. It can also help to answer the question of how and where filtering should be used.
Sysmon provides the tracking and logging of techniques found in the MITRE library on the service and device side for advanced-level analysis and threat hunting. The detailed information of the created logs is as follows.
As a recommendation, Logsign offers a configuration file prepared for its customers for Sysmon. With this configuration, you can configure Sysmon, or you can create your own configuration.
Sysmon Event ID List: Event ID 1: Process creation
Process creation activity provides extended information about a newly created process. The full command line provides context about the process execution. The ProcessGUID field is a unique value for this process in a domain to facilitate events. The hash is the full hash value of the file with the algorithms in the HashType field.
Event ID 2: A process changed a file creation time
File creation time change activity is recorded when explicitly changed by a process. This activity helps to track the actual creation time of a file. Attackers can change the file creation time of a backdoor file to show that it was loaded with the operating system. Many processes legitimately change the file creation time, which does not always mean malicious activity.
Event ID 3: Network connection
Network connection activity records TCP/UDP connections on the machine. It is disabled by default. Each connection is associated with a process through the ProcessId and ProcessGUID fields. The event also includes the source and destination host names, IP addresses, port numbers, and IPv6 state.
Event ID 4: Sysmon service state changed
Service state change activity reports the state of the Sysmon service (started or stopped).
Event ID 5: Process terminated
Process termination activity is reported when a process terminates. It provides UtcTime, ProcessGuid, and ProcessId for the process.
Event ID 6: Driver loaded
Driver loading events provide information about a driver loaded into the system. Signature information is provided, as well as configured hash values. The signature is generated asynchronously to indicate whether the file was removed after being loaded.
Event ID 7: Image loaded
The loaded image event is recorded when a module is loaded into a specific process. This event is disabled by default and needs to be configured with the -l option. The module, hash, and signature information are provided, as well as the process into which the module is loaded.
Event ID 8: CreateRemoteThread
The CreateRemoteThread event is detected when a process creates a thread in another process. This technique is used by malicious software to inject code and hide in other processes. The event shows the source and target processes and provides information about the code to be run in the new thread: StartAddress, StartModule, and StartFunction. The StartModule and StartFunction fields are optional and can be empty if the starting address is outside loaded modules or known exported functions.
Event ID 9: RawAccessRead
The RawAccessRead event is detected when a process performs read operations from the driver using the .\ notation. This technique is often used by malicious software to leak data from files that are locked for reading and to avoid file access control tools. The event shows the source process and the target device.
Event ID 10: ProcessAccess
The ProcessAccess event is reported when a process opens another process. This process usually follows querying, reading, and writing the address space of the target process. It is used to detect hack tools used to steal the memory contents of processes like Local Security Authority Subsystem Service (Lsass.exe). If there are diagnostic tools that constantly open processes, significant logs can be generated, so it is recommended to use filters that remove expected accesses.
Event ID 11: FileCreate
File creation operations are recorded when a file is created or overwritten. This event is useful for monitoring automatic startup locations, such as the Startup folder, as well as temporary and download directories where malware may leave infection during startup.
Event ID 12: RegistryEvent (Object Creation and Deletion)
Registry key and value creation and deletion operations are mapped to this event type. This can be useful for monitoring changes to registry automatic startup locations or specific malware registry changes.
Sysmon uses abbreviated versions of registry key names and makes the following mappings:
Event ID 12: REGISTRYEVENT (OBJECT CREATION AND DELETION)Key NameAbbreviationHKEY_LOCAL_MACHINEHKLMHKEY_USERSHKUHKEY_LOCAL_MACHINE\System\ControlSet00xHKLM\System\CurrentControlSetHKEY_LOCAL_MACHINE\ClassesHKCR
Event ID 13: RegistryEvent (Value Set)
This record type identifies and records when DWORD and QWORD type registry values are written.
Event ID 14: RegistryEvent (Key and Value Rename)
Registry key and value renaming operations are assigned to this event type and record the new name of the renamed key or value.
Event ID 15: FileCreateStreamHash
This event is recorded when a named file stream is created and generates events that record the hash value of the content (unnamed stream) of the file assigned to the named stream. Some malware leaves configuration settings or executable files through browser downloads, and this event is intended to capture this by adding the Zone.Identifier "mark of the web" stream to the browser.
Event ID 16: ServiceConfigurationChange
This event records changes in the Sysmon configuration - such as changes in the configuration file or changes made through the command line.
Event ID 17: PipeEvent (Pipe Created) This event is generated when a named pipe is created. Malware often uses named pipes for interprocess communication.
Event ID 18: PipeEvent (Pipe Connected) This event is logged when a named pipe connection is established between a client and server.
Event ID 19: WmiEvent (WmiEventFilter activity detected) This event records the WMI event filter, which is a method commonly used by malware, including the WMI namespace, filter name, and filter expression.
Event ID 20: WmiEvent (WmiEventConsumer activity detected) This event records the WMI consumers and their name, registration, and target.
Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected) This event is created when a consumer is connected to a filter, and records the consumer name and the path to the filter.
Event ID 22: DNSEvent (DNS query) This event is created when a process makes a DNS query, whether the result is successful or not, and whether it is cached or not. This event is not present in Windows 7 and earlier versions, as telemetry for this event was added in Windows 8.1.
Event ID 23: FileDelete (Deleted File Archived) A file is deleted. When the event is recorded, the deleted file is also stored in the ArchiveDirectory (by default, C:\Sysmon). Under normal operating conditions, this directory can become unwieldy - see Event ID 26: FileDeleteDetected, which exhibits similar behavior without storing deleted files.
Event ID 24: ClipboardChange (New content added to clipboard) This event is created as the system clipboard content changes.
Event ID 25: ProcessTampering (Process image changed) This event is created when process hiding techniques, such as "hollow" or "herpaderp," are detected.
Event ID 255: Error This event is created when an error occurs within Sysmon. This can happen if certain tasks cannot be performed when the system is under heavy load, or if there is an error in the Sysmon service.
Let's explain with a different example.
In the example below, as a result of the ps encode base64 attack, the following log has been created.
Sysmon has detected that a remote connection command has been executed with base64 code using a powershell terminal as a result of the attack. It provides us with the target IP address, target domain information, and the compromised source user name.
We examine that the attack was carried out with the T1086 technical code in the Mitre library using the Rule.Name column.
We can see that the operation was carried out with a powershell terminal in the Process.Image column information.
When we control the user's process movements related to the event with sysmon by looking at Process.ParrentName: *Excel.EXE, we can say that they executed a malicious code with the excel application.
Sysmon provides us with the hash information of the malicious file run in the powershell terminal so that we can perform reputation checks or block the process with security products using the hash information in the Process.CommandLine column information.