Sysmon: Process Injection
1. Introduction
There is a cat infestation problem in the Contoso.Azure domain. The senior feline control specialist in Contoso reported that process injection is used to download cat pictures. He suggested using Sysmon to track it down. Let's delve into the event log and track down the latest offender.
2. Locate the infected process
As Sysmon is set up, we can query the Windows event log using the PowerShell Get-WinEvent cmdlet. To figure out what we need to filter for, we can use the Sysmon page to find the event ID that we are interested in.
In this case, it is Event ID 11: FileCreate.
We can use the -FilterHashtable parameter to filter out all FileCreate events @{logname='Microsoft-Windows-Sysmon/Operational'; id=11}.
Since this query will give us all file creation events across the system, it will likely be too verbose. We can pipe the previous command to filter down the event log messages based on file path and type: | ?{ if ($.Message -like 'TargetFilename: C:\Users\Administrator\Desktop*.jpg') { $ }}
Run the following command in powershell:
Powershell output:
3. Investigate the infected process
Check process ID of spoolsv.exe
Once you have identified the process writing the files, you can determine that this behavior is abnormal. In the hopes of understanding this anomaly, you will need to gather more information. To query all events that Sysmon recorded for this process, you can use the following command:
This queries the Sysmon log file using the Get-WinEvent cmdlet and filters out all log events where the key is equal to process ID 1148 that we are looking for. To reduce the output, you can sort the results by unique event ID and then wrap the output, so that PowerShell shows the entire line.
From the list of Sysmon event IDs 3 and 11, you can determine that the suspicious process spent most of its time making network connections to a specific host and writing files to disk. Let's find all files the process created.
Let's also check the powershell log for the identified process id 1148
Here we can see that PowerShell starts an IPC listening thread from the given process PID 1148. This also indicates that the given process is executing PowerShell. To confirm your suspicion, see if the process is using System.Management.Automation.dll. For a process to run a PowerShell script, it would have to load System.Management.Automation.dll to communicate with the .NET framework. In theory, any binary could host the System.Management.Automation.dll to execute PowerShell, but very few actually do. You can use Process Explorer to confirm this.
4. Stop the infected process
5. Configure Sysmon
You stopped the hording for the moment. Now, you need to install a more extensive Sysmon template to track down the source.
The senior specialist mentioned that he put together a new Sysmon template based on an open source from SwiftOnSecurity.
6. Find second infected process
For a process to run a PowerShell script, it would have to use System.Management.Automation.dll to communicate with the .NET framework. In theory, any binary could host the System.Management.Automation.dll to execute PowerShell, but very few do. Find processes (other than powershell.exe) that have loaded System.Management.Automation to narrow down the potentially infected processes.
7. Security Questions
What are the two most common Sysmon event IDs created by the infected process?
What was the ParentImage: of the infected process?
What is the file extension for the file type other than .jpg that the infected process writes to the disk?
What is the event ID of the "IPC listening thread on process" event in the Microsoft-Windows-PowerShell/Operational log?
Answers
Event ID 11 and 3
Services.exe
ps1 fileextension
53504
Last updated
