For Windows IT professionals, perhaps the most popular set of troubleshooting tools is Sysinternals, the creation of none other than Mark Russinovich, Microsoft’s CTO of Azure.
The Sysinternals suite has a fantastic array of tools such as PsExec, Process Monitor and Process Explorer, among many others. One tool in particular that is a favorite among security professionals is Sysmon. Sysmon is a service and device driver that, once installed on a system, logs indicators that can greatly help track malicious activity, in addition to helping with general troubleshooting.
What Does the Sysmon Log Do?
One great feature of Sysmon is that it logs many important events in one place. Instead of piecing together events from several different logs, depending on the information you are after, you can often just view the Sysmon log.
In the current release (v6.10), Sysmon logs these events:
- Process creation and termination with image file hash
- Network connections, including source process, IP addresses, port numbers and hostnames
- Changes to file creation time
- Driver and image loading
- Remote threads
- Raw disk access
- Process memory access
Installing Sysmon
Sysmon can be installed by downloading it manually or, even better, by using Chocolatey:
PS C:\> choco install sysmon -y
Once downloaded, you have several options for configuring Sysmon, such as logging network connections and choosing which types of hashes to record. In this example, I want to install Sysmon and log MD5 and SHA256 hashes as well as network connections.
PS C:\> sysmon -accepteula -i -h md5,sha256 -n
Once this command runs, the Sysmon service is installed, running, and logging to the Event log at Applications and Service Logs > Microsoft > Windows > Sysmon > Operational. You also have the option of using a configuration file, which can further nail down what you would like to log.
Viewing Sysmon events
Now that Sysmon is logging, let’s take a look at the actual events. You can use the Event Viewer GUI in Windows to see events, but if you really want to filter through these events intelligently, I recommend using PowerShell. With the Get-WinEvent cmdlet, we can quickly retrieve events while filtering them with a hash table.
In this example, I use Get-WinEvent to select the first matching event from the Sysmon log on my local machine. First, I filter with a hash table, specifying the log name and the event ID (3, network connection). Then, I use the Where-Object cmdlet to keep only those events that include the IP address of a domain controller, “172.16.50.10”, and the destination port 88, which indicates Kerberos activity. Finally, I use Select-Object to print only the message field to the console.
PS C:\> Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational";id=3;} | Where {$_.message -like "*172.16.50.10*" -and $_.message -like "*DestinationPort: 88*"} | Select-Object -Property message -First 1 | Format-List
Message : Network connection detected:
UtcTime: 2017-10-04 13:40:48.031
ProcessGuid: {17847A67-FBD3-59CC-0000-001069840000}
ProcessId: 760
Image: C:\Windows\System32\lsass.exe
User: NT AUTHORITY\SYSTEM
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 172.16.42.15
SourceHostname: MyComputer
SourcePort: 57353
SourcePortName:
DestinationIsIpv6: false
DestinationIp: 172.16.50.10
DestinationHostname: DC-1
DestinationPort: 88
DestinationPortName: Kerberos
In this next example, I want to query all of my Active Directory computers to see if Sysmon has logged a “CreateRemoteThread” event (event ID 8) targeting the lsass.exe process. This could indicate malicious code injection. As you can see, I filter the message with Where-Object to catch anything that contains “lsass.exe”. In order to grab these events remotely, I use Invoke-Command, specifying all computers in AD with Get-ADComputer. Please note that this requires that Sysmon be installed on all remote machines.
PS C:\> Invoke-Command -ComputerName (Get-ADComputer -Filter * | Select-Object -ExpandProperty Name) -ScriptBlock {Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational";id=8} | Where-Object {$_.message -like "*lsass.exe*"}} | Select-Object PSComputerName,Message | Format-List
I find that one machine (TestMachine) did have that in its Sysmon log:
PSComputerName : TestMachine
Message : CreateRemoteThread detected:
UtcTime: 2017-10-04 09:26:50.574
SourceProcessGuid: {21360C01-4EA9-59CF-0000-0010547A0000}
SourceProcessId: 456
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {21360C01-4EAE-59CF-0000-0010CDAA0000}
TargetProcessId: 648
TargetImage: C:\Windows\System32\lsass.exe
NewThreadId: 1496
StartAddress: 0x0000000077334B10
StartModule: C:\Windows\system32\kernel32.dll
StartFunction: CtrlRoutine
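Both queries above match on the whole message text, which is fragile. The following PowerShell, an added example that is not from the original article, converts each Sysmon event's XML into an object so the network-connection (ID 3) and remote-thread (ID 8) queries can filter on named fields instead; the DC address 172.16.50.10 comes from the article, while the function name and output columns are my own choices.

```powershell
# Added example: turn Sysmon events into objects with one property per EventData field.
function ConvertFrom-SysmonEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event
    )
    process {
        # Every Sysmon event carries its fields as <Data Name="...">value</Data>
        # elements under EventData in the event XML, so no message parsing is needed.
        $xml = [xml]$Event.ToXml()
        $props = [ordered]@{
            TimeCreated  = $Event.TimeCreated
            EventId      = $Event.Id
            ComputerName = $Event.MachineName
        }
        foreach ($d in $xml.Event.EventData.Data) {
            $props[$d.Name] = $d.'#text'   # empty fields (e.g. SourcePortName) become $null
        }
        [pscustomobject]$props
    }
}

# Event ID 3: connections to the domain controller's Kerberos port (assumed DC address from the article).
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ConvertFrom-SysmonEvent |
    Where-Object { $_.DestinationIp -eq '172.16.50.10' -and $_.DestinationPort -eq '88' } |
    Select-Object TimeCreated, Image, SourceIp, SourcePort, DestinationIp, DestinationPort -First 5

# Event ID 8: remote threads created in lsass.exe, summarised by the source image so that
# an unfamiliar injecting process stands out from the usual system processes such as csrss.exe.
$filter.Id = 8
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ConvertFrom-SysmonEvent |
    Where-Object { $_.TargetImage -like '*\lsass.exe' } |
    Group-Object SourceImage |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

To run the same queries fleet-wide, place the function and the pipeline inside the Invoke-Command script block shown above; the ComputerName property then identifies which machine each object came from.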
Conclusion
Due to the low resource overhead of the service, many organizations install Sysmon by default on all Windows computers. Sysmon on its own is a great tool for logging malicious activity, but combined with a SIEM it can help security professionals track that activity much more easily. With that said, even without a SIEM you can combine Sysmon with PowerShell to get some phenomenal insight into your environment.
Dan Franciscus
Dan Franciscus is a systems engineer and VMware Certified Professional (VCP) specializing in VMware, PowerShell, and other Microsoft-based technologies. You can reach Dan at his blog (http://www.winsysblog.com/) or Twitter at @dan_franciscus.