killchain-compendium/Enumeration/Windows/Sysmon.md

Sysmon

Sysmon gathers detailed, high-quality logs and event tracing that help identify anomalies in your environment. It is most commonly used together with a security information and event management (SIEM) system or another log-parsing solution that aggregates, filters, and visualizes events.

Paths

  • Logfiles
Applications and Services Logs/Microsoft/Windows/Sysmon/Operational

Configuration

Installation

Download the Sysinternals tools and extract them to C:\Sysinternals

Best Practices

  • Prefer exclusion rules (drop known-good noise) over inclusion rules: a configuration that only includes named events misses anything unexpected
  • The CLI gives further control over filters than Event Viewer
Get-WinEvent
wevtutil.exe
  • Know the environment before implementation, so the exclusions match its real baseline

Filtering Events

  • Event Viewer: Actions -> Filter Current Log

Filtering Events with Powershell

  • Logged events (ID 3, NetworkConnect) with destination port 4444
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"]=4444'
  • Logged events (ID 10, ProcessAccess) targeting lsass.exe
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=10 and */EventData/Data[@Name="TargetImage"]="C:\Windows\system32\lsass.exe"'
  • RATs and C2 (any destination port of interest)
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"]=<Port>'

Keep the value comparison scoped to the named Data field. A separate clause such as `*/EventData/Data=4444` matches any Data element equal to 4444 (SourcePort included), so it produces false positives.

Evasion Techniques

  • Alternate Data Streams
  • Injections
  • Masquerading
  • Packing/Compression
  • Recompiling
  • Obfuscation
  • Anti-Reversing Techniques
  • Remote Thread (OpenThread, ResumeThread)

Detecting Evasion Techniques with Powershell

  • Alternate Data Streams (Event ID 15, FileCreateStreamHash)
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=15'
  • Remote threads (Event ID 8, CreateRemoteThread)
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=8'
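The following is an added example, not part of the killchain-compendium, that applies the same four queries offline: the port-4444 and lsass.exe filters from the previous section and the Event ID 15 / Event ID 8 checks above. It uses Python's ElementTree on events in the Windows event XML schema (the shape `wevtutil qe ... /f:xml` or `$event.ToXml()` produces); the events, paths and ports it contains are constructed, and ElementTree's path syntax is a subset of XPath, so the code mirrors the semantics of the Get-WinEvent filters rather than their exact syntax. It also shows why a loosely joined `Data=4444` clause over-matches compared with a predicate scoped to DestinationPort.

```python
# Added example (not the compendium's own code): evaluate the page's Sysmon
# filters offline with ElementTree instead of Get-WinEvent. Assumes events in
# the Windows event XML schema; every event below is constructed.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LSASS = r"C:\Windows\system32\lsass.exe"


def make_event(event_id, fields):
    """Build one constructed Sysmon event in the event-log XML schema."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"</System><EventData>{body}</EventData></Event>")


# Constructed sample log: two network connections (ID 3), two process accesses
# (ID 10), one alternate-data-stream write (ID 15) and one remote thread (ID 8).
SAMPLE_EVENTS = [
    make_event(3, {"Image": r"C:\Users\bob\payload.exe",
                   "SourcePort": "4444", "DestinationPort": "443"}),
    make_event(3, {"Image": r"C:\Users\bob\payload.exe",
                   "SourcePort": "51234", "DestinationPort": "4444"}),
    make_event(10, {"SourceImage": r"C:\Tools\dump.exe",
                    "TargetImage": LSASS, "GrantedAccess": "0x1010"}),
    make_event(10, {"SourceImage": r"C:\Windows\explorer.exe",
                    "TargetImage": r"C:\Windows\system32\svchost.exe",
                    "GrantedAccess": "0x1000"}),
    make_event(15, {"Image": r"C:\Windows\explorer.exe",
                    "TargetFilename": r"C:\Users\bob\Downloads\tool.exe:Zone.Identifier"}),
    make_event(8, {"SourceImage": r"C:\Users\bob\payload.exe",
                   "TargetImage": r"C:\Windows\explorer.exe"}),
]


def parse_events(xml_strings):
    """Parse exported event XML strings into Element trees."""
    return [ET.fromstring(s) for s in xml_strings]


def event_id(ev):
    return int(ev.find("e:System/e:EventID", NS).text)


def field(ev, name):
    """Value of the EventData field called `name`, or None if it is absent."""
    node = ev.find(f"e:EventData/e:Data[@Name='{name}']", NS)
    return node.text if node is not None else None


def loose_match(ev, eid, name, value):
    """Mirror of a three-clause filter 'EventID=N and Data[@Name=X] and Data=V':
    the last clause matches *any* Data element equal to V, so an event whose
    SourcePort is 4444 also passes a DestinationPort query."""
    return (event_id(ev) == eid
            and field(ev, name) is not None
            and any(d.text == value for d in ev.findall("e:EventData/e:Data", NS)))


def strict_match(ev, eid, name, value):
    """Scoped form: the named field itself must equal the value."""
    return event_id(ev) == eid and field(ev, name) == value


def destination_port(events, port, strict=True):
    """Indexes of Event ID 3 (NetworkConnect) records with destination `port`."""
    match = strict_match if strict else loose_match
    return [i for i, ev in enumerate(events)
            if match(ev, 3, "DestinationPort", str(port))]


def lsass_access(events):
    """Indexes of Event ID 10 (ProcessAccess) records whose target is lsass.exe."""
    return [i for i, ev in enumerate(events)
            if strict_match(ev, 10, "TargetImage", LSASS)]


def evasion_indicators(events):
    """Event ID 15 = FileCreateStreamHash (alternate data stream written),
    Event ID 8 = CreateRemoteThread: the two IDs the page queries for evasion."""
    return {eid: [i for i, ev in enumerate(events) if event_id(ev) == eid]
            for eid in (15, 8)}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("port 4444, loose :", destination_port(evs, 4444, strict=False))
    print("port 4444, strict:", destination_port(evs, 4444))
    print("lsass access     :", lsass_access(evs))
    print("evasion (15, 8)  :", evasion_indicators(evs))
```

Run against the constructed sample, the loose form flags both ID 3 events (the first only because its SourcePort happens to be 4444), while the scoped form flags just the connection whose DestinationPort is 4444; the ID 15 and ID 8 hits are returned grouped by Event ID so they can be reviewed separately.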