📘
CAS Cybersecurity
  • Start
  • Reconnaissance
    • Opensource Intelligence
  • Docker basics and Images
    • Damn Vulnerable Webapp
    • bWAPP
    • Juice Webshop
    • Webgoat
    • Metasploitable 2
    • Metasploitable 3
    • MISP Docker (old)
    • MISP Docker (new)
  • Scanning and Enumeration
    • Scanning with zenmap
    • Scanning with nmap
    • Scanning with msf auxiliary
  • Vulnerability Scanning and Analysis
    • OpenVAS
    • nmap vulnerability scan
    • MSF Auxiliary Modules
  • Exploitation
    • Metasploitable 2
    • Redis Server
    • Print Nightmare
    • Baron Samedit
    • Polkit
    • Heartbleed
  • Man in the Middle
    • ARP Cache poisoning
    • RDP MitM Exercise
  • Windows Hacking
    • Throwback Network
      • Entering the breach
      • Exploring the caverns
      • Webshells and you!
      • First Contact
    • WinAttack LAB
      • Module 01
      • Module 02
      • Module 03
      • Module 04
      • Module 05
      • Module 06
      • Module 07
      • Module 08
      • Module 09
      • Module 10
  • Web Application Security
    • Burp Proxy Introduction
    • DVWA
      • DVWA Exercises 1
      • DVWA Exercises 2
      • DVWA Exercises 3
      • DVWA Exercises 4
      • DVWA Exercises 5
      • DVWA Exercises 6
      • DVWA Exercises 7
      • DVWA Exercises 8
  • CTF and Crypto Exercises
    • Cyberchef Challenge
    • HTB Invite Challenge
    • BSides London 2019 Challenge
    • Ninja Sec Challenge
  • Threat Intelligence
    • MISP Exercise 1
    • MISP Exercise 2
    • MISP Exercise 3
    • MISP Exercise 4
    • MISP Exercise 5
    • MISP Exercise 6
    • MISP Exercise 7
    • MISP Exercise 8
    • Virus Total Graph Exercise
    • RFI Incoming!
  • Forensic Exercises
    • Disk Forensics
      • The Sleuth Kit Intro
      • Filecarving with Foremost
      • Filecarving with scalpel
      • Bulk extractor
      • Disk acquisition with dd
      • Disk acquisition with dcfldd
      • Disk acquisition with ewftools
      • Disk acquisition with FTK Imager
      • Mount disk image (raw)
      • Unknown USB Stick
      • USB Stick Filecarving
      • Autopsy Exercise
    • Windows Forensics
      • Bitunlocker
      • Alternate Datastreams
    • Memory Forensics
      • Volatility2 Basics (Linux)
      • Volatility2 Exercise 1
      • Volatility3 Exercise 1
      • Volatility3 Exercise 2
      • Volatility3 Exercise 3
    • Image Forensics
      • Unswirl Image
      • Manual Filecarving 1
      • Manual Filecarving 2
    • Browser Forensics
    • Mail Header Analysis
    • Timestomping Exercise
    • Network Forensics
      • Tshark Exercise
  • Malware Analysis
    • Ransomware
      • General Introduction
      • Ryuk
      • RansomEXX
      • REvil
      • BlackMatter
      • Hades
      • Egregor
      • DoppelPaymer
    • YARA
      • YARA Install
      • yarGen
      • YARA with Cyberchef
      • TCP dump analysis
      • Memory dump analysis
    • Dosfuscated Scripts
  • Android Malware
    • LAB Setup 1
    • LAB Setup 2
    • Android Manifest
    • Android Permissions
    • APP Tracing with Frida
    • AES Key decryption
    • RedAlert
    • BlackRoseLucy
    • Crackme RE Challenge
  • Forensic Readiness
    • Windows Event Logs
    • Windows Sysmon
    • Sysmon: Capture Clipboard
    • Sysmon: Process Injection
    • Ransomware Detection
      • Signature based
  • Live Response
    • Velociraptor P1
    • Velociraptor P2
    • Velociraptor P3
    • Windows Response LAB
      • Lateral Movement Detection
      • Detect persistence
      • Volatility Analysis
Powered by GitBook
On this page
  • 1. Introduction
  • 2. What is Sysmon?
  • 3. Create a Sysmon configuration file
  • 4. Install Sysmon driver
  • 5. Increase Sysmon Logfile
  • 6. Query the sysmon logfile
  • 7. Security Questions
  • Answers

Was this helpful?

  1. Forensic Readiness

Windows Sysmon

1. Introduction

At your system administrator job for Contoso, Inc, you want to increase the endpoint logging you have on your Windows systems to catch possible malware. A great solution for this is Sysmon, part of the Microsoft Sysinternals Suite which installs as a kernel driver and is able to report on detailed system events.

2. What is Sysmon?

Windows System Monitor (sysmon) is a kernel-level driver that allows for the selective capture and logging of detailed system actions that happen on a Windows system. Similar to commercial Electronic Data Recording (EDR) security tools, sysmon can capture hashes of running processes, binary image loads, loading and unloading of drivers, raw disk access, network connections, registry changes, and more. This data can be used by developers to debug issues and/or by security professionals looking for suspicious activity.

Sysmon is part of the Windows Sysinternals suite and is available for any supported Windows operating system for free on Microsoft's website, either as standalone or as part of the entire suite. Older versions are also available for legacy Windows versions, however not all features may be present.

3. Create a Sysmon configuration file

To get started with sysmon, you need to have a configuration file which tells it which data needs to be collected. Sysmon is capable of capturing a large variety of data from Windows including process actions, network connections, file access and much more. Configuration files are typically targeted at uncommon actions that are strong indicators of malicious activity.

Sysmon schemaversion="4.22">
  <!-- Capture all the hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>
    <!-- Do not log process termination -->
    <ProcessTerminate onmatch="include" />
    <!-- Log network connection if the destination port equals 443 -->
    <!-- or 80, and the process isn't InternetExplorer -->
    <NetworkConnect onmatch="include">
      <DestinationPort>443</DestinationPort>
      <DestinationPort>80</DestinationPort>
    </NetworkConnect>
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">iexplore.exe</Image>
          <Image condition="end with">chrome.exe</Image>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>

4. Install Sysmon driver

Sysmon is installed simply by copying the binary to the desired system along with a configuration file and running the following from an Administrator command prompt:

sysmon -i <config xml file>

This will immediately load the driver into memory, start monitoring according to the configuration file and automatically persists across reboots until sysmon -u is run.

You can verify the current configuration in the running sysmon instance by running:

sysmon -c

5. Increase Sysmon Logfile

Now that sysmon is running in the background it is a good idea to increase the log size so that more data can be stored and analyzed.

This can be accomplished with wevtutil.exe by specifying the log provider and the maxsize operator:

wevtutil sl Microsoft-Windows-Sysmon/Operational /ms:100000000

You could also configure log forwarding to a dedicated log collection server with Windows Event Collector but that is beyond the scope of this module.

6. Query the sysmon logfile

In particular, event ID 3 shows network connections so you can look at it to see which processes other than Internet Explorer and Chrome are making connections on ports 80/tcp or 443/tcp.

Query the Microsoft-Windows-Sysmon/Operational log

7. Security Questions

  1. What is one of the ports that will be monitored by this template?

  2. What is one of the processes that will be excluded from monitoring with this template?

  3. What is the full path to one of the Azure executables regularly making Network Connections logged by sysmon?

Answers

  1. 443,80

  2. chrome.exe, iexplore.exe

  3. C:\WindowsAzure\GuestAgent_2.7.41491.1044_2022-04-11_112736\WindowsAzureGuestAgent.exe

PreviousWindows Event LogsNextSysmon: Capture Clipboard

Last updated 3 years ago

Was this helpful?

Sysmon has now been collecting data of background activity in this virtual machine and storing them in the Windows event logs. It uses specific event IDs for different tasks which are detailed the the .

sysmon documentation