husk/build/enumeration/windows/sysmon.html

<!doctype html>
<html lang="en">
    <center>
    <head>
        
    
        <script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
        <script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
        <script type="text/javascript" src="/static/js/auto-complete.js"></script>
        <script type="text/javascript" src="/static/js/lunr.min.js"></script>
        <script type="text/javascript" src="/static/js/search.js"></script>
        <link rel="stylesheet" href="/static/stylesheet.css">
        <link rel="stylesheet" href="/static/auto-complete.css">
        <br>
        <title>The Real Hugo</title>
        <meta name="viewport" content="width=device-width, initial-scale=1">
        

    </head>
    <body>
        <!-- topmenu -->
    <div class="menu">
    <a href="/" style="text-decoration:none">Husk</a>
    </div>
    <div class="search-container">    
        <label for="search-by"><i class="fas fa-search"></i></label>
        <input data-search-input="" id="search-by" type="search" placeholder="Search..." autocomplete="off">
        <!--button type="submit"><i class="search"></i>&#128269;</button>-->
        <span data-search-clear=""><i class="fas fa-times"></i></span>
    </div>

</div>
    <div class="menu">
    </div>
    <!--br><br-->
    </center>
<p></p>
        <div class="columns">
        <!-- Sidebar -->
<div class="column column-1">
  <ul><details id=enumeration ontoggle="linkClick(this); return false;" ><summary>Enumeration</summary><ul><details id=containers ontoggle="linkClick(this); return false;" ><summary>Containers</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/enumeration/docs/aws.html">aws</a></li><li><a href="/enumeration/docs/cewl.html">cewl</a></li><li><a href="/enumeration/docs/dns.html">dns</a></li><li><a href="/enumeration/docs/docker_enumeration.html">docker_enumeration</a></li><li><a href="/enumeration/docs/ffuf.html">ffuf</a></li><li><a href="/enumeration/docs/gobuster.html">gobuster</a></li><li><a href="/enumeration/docs/kerberoast.html">kerberoast</a></li><li><a href="/enumeration/docs/kubectl.html">kubectl</a></li><li><a href="/enumeration/docs/ldap.html">ldap</a></li><li><a href="/enumeration/docs/linux_basics.html">linux_basics</a></li><li><a href="/enumeration/docs/microk8s.html">microk8s</a></li><li><a href="/enumeration/docs/nfs.html">nfs</a></li><li><a href="/enumeration/docs/nikto.html">nikto</a></li><li><a href="/enumeration/docs/nmap.html">nmap</a></li><li><a href="/enumeration/docs/port_knocking.html">port_knocking</a></li><li><a href="/enumeration/docs/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/docs/rsync.html">rsync</a></li><li><a href="/enumeration/docs/rustscan.html">rustscan</a></li><li><a href="/enumeration/docs/shodan.html">shodan</a></li><details id=snmp ontoggle="linkClick(this); return false;" ><summary>Snmp</summary><ul><li><a href="/enumeration/docs/snmp/onesixtyone.html">onesixtyone</a></li><li><a href="/enumeration/docs/snmp/snmpcheck.html">snmpcheck</a></li></ul></details><li><a href="/enumeration/docs/websites.html">websites</a></li><li><a href="/enumeration/docs/wfuzz.html">wfuzz</a></li><li><a href="/enumeration/docs/wpscan.html">wpscan</a></li></ul></details><details id=network_scanners ontoggle="linkClick(this); return false;" ><summary>Network_scanners</summary><ul></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/enumeration/windows/bloodhound.html">bloodhound</a></li><li><a href="/enumeration/windows/event_log.html">event_log</a></li><li><a href="/enumeration/windows/manual_enum.html">manual_enum</a></li><li><a href="/enumeration/windows/powershell.html">powershell</a></li><li><a href="/enumeration/windows/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/windows/sysinternals.html">sysinternals</a></li><li><a href="/enumeration/windows/sysmon.html">sysmon</a></li><li><a href="/enumeration/windows/vss.html">vss</a></li></ul></details></ul></details><details id=exploit ontoggle="linkClick(this); return false;" ><summary>Exploit</summary><ul><details id=CPUs ontoggle="linkClick(this); return false;" ><summary>CPUs</summary><ul><li><a href="/exploit/CPUs/meltdown.html">meltdown</a></li></ul></details><details id=binaries ontoggle="linkClick(this); return false;" ><summary>Binaries</summary><ul><li><a href="/exploit/binaries/Shellcode.html">Shellcode</a></li><li><a href="/exploit/binaries/aslr.html">aslr</a></li><details id=buffer_overflow ontoggle="linkClick(this); return false;" ><summary>Buffer_overflow</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/exploit/binaries/buffer_overflow/docs/amd64.html">amd64</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/amd64_instructions.html">amd64_instructions</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/buffer_overflow.html">buffer_overflow</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/cut_stack_in_half.html">cut_stack_in_half</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/pwntools_specifics.html">pwntools_specifics</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/ret_address_reuse.html">ret_address_reuse</a></li></ul></details><li><a href="/exploit/binaries/buffer_overflow/ropping.html">ropping</a></li></ul></details><details id=canary_bypass ontoggle="l
</ul>
</div>
<div class="column column-2"> 
       <span class="body">
           <style>pre { line-height: 125%; }
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
.codehilite .hll { background-color: #2C3B41 }
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
.codehilite .err { color: #FF5370 } /* Error */
.codehilite .esc { color: #89DDFF } /* Escape */
.codehilite .g { color: #EEFFFF } /* Generic */
.codehilite .k { color: #BB80B3 } /* Keyword */
.codehilite .l { color: #C3E88D } /* Literal */
.codehilite .n { color: #EEFFFF } /* Name */
.codehilite .o { color: #89DDFF } /* Operator */
.codehilite .p { color: #89DDFF } /* Punctuation */
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
.codehilite .gr { color: #FF5370 } /* Generic.Error */
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
.codehilite .go { color: #546E7A } /* Generic.Output */
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
.codehilite .ld { color: #C3E88D } /* Literal.Date */
.codehilite .m { color: #F78C6C } /* Literal.Number */
.codehilite .s { color: #C3E88D } /* Literal.String */
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
.codehilite .nc { color: #FFCB6B } /* Name.Class */
.codehilite .no { color: #EEFFFF } /* Name.Constant */
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
.codehilite .ni { color: #89DDFF } /* Name.Entity */
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
.codehilite .nf { color: #82AAFF } /* Name.Function */
.codehilite .nl { color: #82AAFF } /* Name.Label */
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
.codehilite .nx { color: #EEFFFF } /* Name.Other */
.codehilite .py { color: #FFCB6B } /* Name.Property */
.codehilite .nt { color: #FF5370 } /* Name.Tag */
.codehilite .nv { color: #89DDFF } /* Name.Variable */
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */</style>
<div class="column column-3">
<ul>
<li><a href="#sysmon">Sysmon</a><ul>
<li><a href="#paths">Paths</a></li>
<li><a href="#configuration">Configuration</a></li>
<li><a href="#installation">Installation</a></li>
<li><a href="#best-practices">Best Practices</a></li>
<li><a href="#filtering-events">Filtering Events</a><ul>
<li><a href="#filtering-events-with-powershell">Filtering Events with Powershell</a></li>
</ul>
</li>
<li><a href="#evasion-techniques">Evasion Techniques</a><ul>
<li><a href="#detecting-evasion-techniques-with-powershell">Detecting Evasion Techniques with Powershell</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</div>
<h1 id="sysmon">Sysmon</h1>
<p>Sysmon gathers detailed and high-quality logs as well as event tracing that assists in identifying anomalies in your environment. Sysmon is most commonly used in conjunction with security information and event management (SIEM) system or other log parsing solutions that aggregate, filter, and visualize events. </p>
<h2 id="paths">Paths</h2>
<ul>
<li>Logfiles</li>
</ul>
<div class="codehilite"><pre><span></span><code>Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
</code></pre></div>

<h2 id="configuration">Configuration</h2>
<ul>
<li><a href="https://github.com/SwiftOnSecurity/sysmon-config">SwiftOnSecurity</a></li>
<li><a href="https://github.com/ion-storm/sysmon-config/blob/develop/sysmonconfig-export.xml">ION-Storm</a></li>
</ul>
<h2 id="installation">Installation</h2>
<div class="codehilite"><pre><span></span><code>Downloads-SysInternalsTools C:<span class="se">\S</span>ysinternals
</code></pre></div>

<h2 id="best-practices">Best Practices</h2>
<ul>
<li>Exclude, not include events</li>
<li>CLI gives further control over filters</li>
</ul>
<div class="codehilite"><pre><span></span><code>Get-WinEvent
</code></pre></div>

<div class="codehilite"><pre><span></span><code>wevutil.exe
</code></pre></div>

<ul>
<li>Know the env before implementation</li>
</ul>
<h2 id="filtering-events">Filtering Events</h2>
<ul>
<li>Actions -&gt; Filter Current Log</li>
</ul>
<h3 id="filtering-events-with-powershell">Filtering Events with Powershell</h3>
<ul>
<li>Logged Events containing port 4444</li>
</ul>
<div class="codehilite"><pre><span></span><code>Get-WinEvent -Path &lt;Path to Log&gt; -FilterXPath <span class="s1">&#39;*/System/EventID=3 and */EventData/Data[@Name=&quot;DestinationPort&quot;] and */EventData/Data=4444&#39;</span>
</code></pre></div>

<ul>
<li>Logged Events containing lsass.exe</li>
</ul>
<div class="codehilite"><pre><span></span><code>Get-WinEvent -Path &lt;Path to Log&gt; -FilterXPath <span class="s1">&#39;*/System/EventID=10 and */EventData/Data[@Name=&quot;TargetImage&quot;] and */EventData/Data=&quot;C:\Windows\system32\lsass.exe&quot;&#39;</span>
</code></pre></div>

<ul>
<li>Rats and C2</li>
</ul>
<div class="codehilite"><pre><span></span><code>Get-WinEvent -Path &lt;Path to Log&gt; -FilterXPath <span class="s1">&#39;*/System/EventID=3 and */EventData/Data[@Name=&quot;DestinationPort&quot;] and */EventData/Data=&lt;Port&gt;&#39;</span>
</code></pre></div>

<h2 id="evasion-techniques">Evasion Techniques</h2>
<ul>
<li>Alternate Data Streams</li>
<li>Injections</li>
<li>Masquerading</li>
<li>Packing/Compression</li>
<li>Recompiling</li>
<li>Obfuscation</li>
<li>Anti-Reversing Techniques</li>
<li>Remote Thread (OpenThread, ResumeThread)</li>
</ul>
<h3 id="detecting-evasion-techniques-with-powershell">Detecting Evasion Techniques with Powershell</h3>
<div class="codehilite"><pre><span></span><code>Get-WinEvent -Path &lt;Path to Log&gt; -FilterXPath <span class="s1">&#39;*/System/EventID=15&#39;</span>
Get-WinEvent -Path &lt;Path to Log&gt; -FilterXPath <span class="s1">&#39;*/System/EventID=8&#39;</span>
</code></pre></div>
        </span>
</div>
</div>
<div id="footer">
         
<p></p>
    <center>
            &copy; Stefan Friese
    </center>
            
        </div>

        <script>
    function linkClick(obj) {
       if (obj.open) {
           //console.log('open');
                       if (sessionStorage.getItem(obj.id) && !(sessionStorage.getItem(obj.id) === "open")) {
                           sessionStorage.removeItem(obj.id);
                       }
           sessionStorage.setItem(obj.id,"open");
           console.log(obj.id);
       } else {
           //console.log('closed');
            sessionStorage.removeItem(obj.id);
      }
    }

    let _keys = Object.keys(sessionStorage);
    if (_keys) {
       for ( let i = 0; i < _keys.length; i++ ) {
            document.getElementById(_keys[i])['open'] = 'open';
       }
    }
</script>            
    <script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>
    <script type="text/x-mathjax-config">
    MathJax.Hub.Config({
      config: ["MMLorHTML.js"],
      jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
      extensions: ["MathMenu.js", "MathZoom.js"]
    });
    </script>
    </body>
</html>