1.8 KiB
1.8 KiB
Sysmon
Sysmon gathers detailed and high-quality logs as well as event tracing that assists in identifying anomalies in your environment. Sysmon is most commonly used in conjunction with security information and event management (SIEM) system or other log parsing solutions that aggregate, filter, and visualize events.
Paths
- Logfiles
Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
Configuration
Installation
Downloads-SysInternalsTools C:\Sysinternals
Best Practices
- Exclude, not include events
- CLI gives further control over filters
Get-WinEvent
wevutil.exe
- Know the env before implementation
Filtering Events
- Actions -> Filter Current Log
Filtering Events with Powershell
- Logged Events containing port 4444
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=4444'
- Logged Events containing lsass.exe
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=10 and */EventData/Data[@Name="TargetImage"] and */EventData/Data="C:\Windows\system32\lsass.exe"'
- Rats and C2
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=<Port>'
Evasion Techniques
- Alternate Data Streams
- Injections
- Masquerading
- Packing/Compression
- Recompiling
- Obfuscation
- Anti-Reversing Techniques
- Remote Thread (OpenThread, ResumeThread)
Detecting Evasion Techniques with Powershell
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=15'
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=8'