73 lines
1.9 KiB
Markdown
73 lines
1.9 KiB
Markdown
|
# Sysmon
|
||
|
|
||
|
Sysmon gathers detailed and high-quality logs as well as event tracing that assists in identifying anomalies in your environment. Sysmon is most commonly used in conjunction with security information and event management (SIEM) system or other log parsing solutions that aggregate, filter, and visualize events.
|
||
|
|
||
|
## Paths
|
||
|
|
||
|
* Logfiles
|
||
|
```
|
||
|
Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
|
||
|
```
|
||
|
|
||
|
## Configuration
|
||
|
|
||
|
* [SwiftOnSecurity](https://github.com/SwiftOnSecurity/sysmon-config)
|
||
|
* [ION-Storm](https://github.com/ion-storm/sysmon-config/blob/develop/sysmonconfig-export.xml)
|
||
|
|
||
|
## Installation
|
||
|
|
||
|
```sh
|
||
|
Downloads-SysInternalsTools C:\Sysinternals
|
||
|
```
|
||
|
|
||
|
## Best Practices
|
||
|
|
||
|
* Exclude, not include events
|
||
|
* CLI gives further control over filters
|
||
|
```sh
|
||
|
Get-WinEvent
|
||
|
```
|
||
|
```sh
|
||
|
wevutil.exe
|
||
|
```
|
||
|
* Know the env before implementation
|
||
|
|
||
|
## Filtering Events
|
||
|
|
||
|
* Actions -> Filter Current Log
|
||
|
|
||
|
### Filtering Events with Powershell
|
||
|
|
||
|
* Logged Events containing port 4444
|
||
|
```sh
|
||
|
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=4444'
|
||
|
```
|
||
|
* Logged Events containing lsass.exe
|
||
|
```sh
|
||
|
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=10 and */EventData/Data[@Name="TargetImage"] and */EventData/Data="C:\Windows\system32\lsass.exe"'
|
||
|
```
|
||
|
* Rats and C2
|
||
|
```sh
|
||
|
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=<Port>'
|
||
|
```
|
||
|
|
||
|
## Evasion Techniques
|
||
|
|
||
|
* Alternate Data Streams
|
||
|
* Injections
|
||
|
* Masquerading
|
||
|
* Packing/Compression
|
||
|
* Recompiling
|
||
|
* Obfuscation
|
||
|
* Anti-Reversing Techniques
|
||
|
* Remote Thread (OpenThread, ResumeThread)
|
||
|
|
||
|
### Detecting Evasion Techniques with Powershell
|
||
|
|
||
|
```sh
|
||
|
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=15'
|
||
|
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=8'
|
||
|
```
|
||
|
|
||
|
|