Using Sysmon to Trace Malicious Activity on Windows

October 24, 2017 Security and Compliance, MOVEit

For Windows IT professionals, perhaps the most popular set of troubleshooting tools is Sysinternals, the creation of none other than Mark Russonivich, Microsoft’s CTO of Azure.

The Sysinternals suite has a fantastic array of tools such as PSExec, Process Monitor and Process Explorer among many others. One tool in particular that is a favorite among security professionals is Sysmon. Sysmon is a service and device driver, that once installed on a system, logs indicators that can greatly help track malicious activity in addition to help with general troubleshooting.

What Does Sysmon Log Do?

One great feature of Sysmon is that it logs many important events in one place. Instead of attempting to combine events from different logs to troubleshoot, depending on the information you are looking for, you can just view the Sysmon log instead.

Related Article: Advanced PowerShell Functions: Upping Your Game

In this current release (v6.10) Sysmon logs these events:

  • Process creation and termination with image file hash
  • Network connections including source process, IP addresses, port numbers hostnames
  • Changes to file creation time
  • Driver and image loading
  • Remote threads
  • Raw disk access
  • Process memory access

Installing Sysmon

Sysmon can be installed by manually downloading from here or, even better, by using Chocolatey:

PS C:\> choco install sysmon –y

Once downloaded you have several options on how to configure the Sysmon, such as logging network connections and different type of hashes. In this example, I want to install Sysmon and log md5, sha256 hashes and network connections.

PS C:\> sysmon -accepteula –i –h md5,sha256 –n

Once this command runs, the Sysmon service is installed, running, and logging to the Event log at Applications and Service Logs > Microsoft > Windows > Sysmon > Operational. You also have the option of using a configuration file, which can further nail down what you would like to log.

Viewing Sysmon events

Now that Sysmon is logging, let’s take a look at the actual events. You can use the Event viewer GUI in Windows to see events, but if you really want to filter through these events intelligently, I recommend using PowerShell. With the Get-WinEvent cmdlet, we can quickly retrieve events while filtering through them with a hash table.

 

In this example, I use Get-WinEvent to select the first event from the Sysmon log on my local machine. First, I filter these with a hash table, specifying the logname and id (3). Then, I use the Where-Object cmdlet to get only those events that include the IP address of a domain controller “172.16.50.10” and the destination port 88, which shows kerberos activity. Finally, I use Select-Object to only print the message field to the console.

PS C:\> Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational";id=3;} | Where {$_.message -like "*172.16.50.10*" -and $_.message -like "*DestinationPort: 88*"} | Select-Object -Property message -First 1 | Format-List

Message : Network connection detected:
          UtcTime: 2017-10-04 13:40:48.031
          ProcessGuid: {17847A67-FBD3-59CC-0000-001069840000}
          ProcessId: 760
          Image: C:\Windows\System32\lsass.exe
          User: NT AUTHORITY\SYSTEM
          Protocol: tcp
          Initiated: true
          SourceIsIpv6: false
          SourceIp: 172.16.42.15
          SourceHostname: MyComputer
          SourcePort: 57353
          SourcePortName:
          DestinationIsIpv6: false
          DestinationIp: 172.16.50.10
          DestinationHostname: DC-1
          DestinationPort: 88
          DestinationPortName: Kerberos

In this next example I want to query all of my Active Directory computers to see if Sysmon has logged a “CreateRemoteThread” event on the lsass.exe process. This could indicate malicious code injection. As you can see I filter the message with Where-Object to catch anything that has “lsass.exe”. In order to grab these events remotely I use Invoke-Command specifying all computers in AD with Get-ADComputer. Please note that this requires Sysmon be installed on all remote machines.

PS C:\ > Invoke-Command -ComputerName (Get-ADComputer -Filter * | Select-Object -ExpandProperty Name) -ScriptBlock {Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational";id=8} | Where-Object {$_.message -like "*lsass.exe*"} | Select-Object PSComputerName,Message | Format-List

I find that one machine (TestMachine) did have that in its Sysmon log:

PSComputerName : TestMachine
Message        : CreateRemoteThread detected:
UtcTime: 2017-10-04 09:26:50.574
SourceProcessGuid: {21360C01-4EA9-59CF-0000-0010547A0000}
SourceProcessId: 456
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {21360C01-4EAE-59CF-0000-0010CDAA0000}
TargetProcessId: 648
TargetImage: C:\Windows\System32\lsass.exe
NewThreadId: 1496
StartAddress: 0x0000000077334B10
StartModule: C:\Windows\system32\kernel32.dll
StartFunction: CtrlRoutine

Conclusion

Due to the low resource overhead of the service, many organizations even install Sysmon by default on all Windows computers. Sysmon on its own is a great tool to use for malicious logging, but used with a SIEM can really help security professionals track activity much easier. With that said, even without a SIEM you can combine Sysmon with PowerShell in order to get some phenomenal insight into your environment.

 

Dan Franciscus

Dan Franciscus is a systems engineer and VMware Certified Professional (VCP) specializing in VMware, PowerShell, and other Microsoft-based technologies. You can reach Dan at his blog (http://www.winsysblog.com/) or Twitter at @dan_franciscus.

Read next Passwords Don't Work: Multi-Factor Authentication is Essential