├── .gitignore ├── Build ├── Sysmon.md ├── bullet_style.tex ├── chapter_break.tex ├── inline_code.tex ├── listings-setup.tex ├── md2pdf.sh ├── metadata.yml ├── pandoc.css ├── pdf_properties.tex └── pygments.theme ├── README.md ├── chapters ├── Sysmon.md ├── WMI-events.md ├── clipboard-capture.md ├── configuration.md ├── cover.png ├── create-remote-thread.md ├── dns-query.md ├── driver-loading.md ├── eBPF.md ├── file-block-exe.md ├── file-blockshredding.md ├── file-create-time-change.md ├── file-create.md ├── file-delete.md ├── file-stream-creation-hash.md ├── file_delete_detected.md ├── image-loading.md ├── install_linux.md ├── install_windows.md ├── media │ ├── image1.png │ ├── image10.png │ ├── image11.png │ ├── image12.png │ ├── image13.png │ ├── image14.png │ ├── image15.png │ ├── image16.png │ ├── image17.png │ ├── image18.png │ ├── image19.png │ ├── image2.png │ ├── image20.png │ ├── image21.png │ ├── image22.png │ ├── image23.png │ ├── image24.png │ ├── image25.png │ ├── image26.png │ ├── image27.png │ ├── image28.png │ ├── image29.png │ ├── image3.png │ ├── image30.png │ ├── image31.png │ ├── image32.png │ ├── image33.png │ ├── image34.png │ ├── image35.png │ ├── image36.png │ ├── image37.png │ ├── image38.png │ ├── image39.png │ ├── image4.png │ ├── image40.png │ ├── image41.png │ ├── image42.png │ ├── image43.png │ ├── image44.png │ ├── image45.png │ ├── image46.png │ ├── image47.png │ ├── image48.png │ ├── image49.png │ ├── image5.png │ ├── image50.png │ ├── image51.png │ ├── image52.png │ ├── image53.png │ ├── image54.png │ ├── image55.png │ ├── image56.png │ ├── image57.png │ ├── image58.png │ ├── image59.png │ ├── image6.png │ ├── image60.png │ ├── image61.png │ ├── image62.png │ ├── image63.png │ ├── image64.png │ ├── image65.png │ ├── image66.png │ ├── image67.png │ ├── image68.png │ ├── image7.png │ ├── image8.png │ ├── image9.png │ └── tslogo.png ├── metadata.yml ├── named-pipes.md ├── network-connections.md ├── operational-events.md ├── 
pandoc.css ├── process-access.md ├── process-creation.md ├── process-events.md ├── process-tampering.md ├── process-termination.md ├── raw-access-read.md ├── registry-actions.md ├── sysmon-changelog.md ├── sysmon-events.md ├── the-sysmon-driver.md └── what-is-sysmon.md └── examples ├── Exchange_CVE_2021_26855.xml ├── FileDeleteDetected.xml └── NetConnBaseline.xml /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | chapters/.DS_Store 3 | -------------------------------------------------------------------------------- /Build/bullet_style.tex: -------------------------------------------------------------------------------- 1 | % https://stackoverflow.com/questions/22156999/how-to-change-the-style-of-bullets-in-pandoc-markdown 2 | 3 | \usepackage{enumitem} 4 | \usepackage{amsfonts} 5 | 6 | \setlist[itemize,1]{label=$\bullet$} 7 | \setlist[itemize,2]{label=$\circ$} 8 | \setlist[itemize,3]{label=$\star$} 9 | 10 | %% \setlist[itemize,2]{label=$\diamond$} 11 | %% \setlist[itemize,1]{label=$\star$} 12 | %% \setlist[itemize,1]{label=$\bullet$} 13 | %% \setlist[itemize,1]{label=$\checkmark$} 14 | 15 | -------------------------------------------------------------------------------- /Build/chapter_break.tex: -------------------------------------------------------------------------------- 1 | %% Adds pagebreak between chapters 2 | % from comments of accepted answer 3 | % https://superuser.com/questions/601469/getting-chapters-to-start-on-a-new-page-in-a-pandoc-generated-pdf 4 | \usepackage{sectsty} 5 | \sectionfont{\clearpage} 6 | 7 | % accepted answer gave error 8 | %\usepackage{titlesec} 9 | %\newcommand{\sectionbreak}{\clearpage} 10 | 11 | -------------------------------------------------------------------------------- /Build/inline_code.tex: -------------------------------------------------------------------------------- 1 | %% https://stackoverflow.com/questions/40975004/pandoc-latex-change-backtick-highlight 2 | 
\usepackage{fancyvrb,newverbs,xcolor} 3 | 4 | %\definecolor{Light}{gray}{.90} 5 | %% https://martin-thoma.com/colors-in-latex/ 6 | %% https://en.wikibooks.org/wiki/LaTeX/Colors 7 | \definecolor{Light}{HTML}{F4F4F4} 8 | 9 | \let\oldtexttt\texttt 10 | \renewcommand{\texttt}[1]{ 11 | \colorbox{Light}{\oldtexttt{#1}} 12 | } 13 | 14 | -------------------------------------------------------------------------------- /Build/listings-setup.tex: -------------------------------------------------------------------------------- 1 | \lstset{ 2 | basicstyle=\ttfamily, 3 | numbers=left, 4 | numberstyle=\footnotesize, 5 | stepnumber=1, 6 | numbersep=5pt, 7 | backgroundcolor=\color[RGB]{248,248,248}, 8 | showspaces=false, 9 | showstringspaces=false, 10 | showtabs=false, 11 | tabsize=2, 12 | captionpos=b, 13 | breaklines=true, 14 | breakatwhitespace=true, 15 | breakautoindent=true, 16 | escapeinside={\%*}{*)}, 17 | linewidth=\textwidth, 18 | basewidth=0.5em, 19 | postbreak=\mbox{\textcolor{red}{$\hookrightarrow$}\space}, 20 | } 21 | 22 | \definecolor{maroon}{rgb}{0.5,0,0} 23 | \definecolor{darkgreen}{rgb}{0,0.5,0} 24 | 25 | \lstdefinelanguage{XML} 26 | { 27 | basicstyle=\ttfamily, 28 | morestring=[s]{"}{"}, 29 | morecomment=[s]{?}{?}, 30 | morecomment=[s]{!--}{--}, 31 | commentstyle=\color{darkgreen}, 32 | moredelim=[s][\color{black}]{>}{<}, 33 | moredelim=[s][\color{red}]{\ }{=}, 34 | stringstyle=\color{blue}, 35 | identifierstyle=\color{maroon} 36 | } 37 | 38 | \definecolor{dkgreen}{rgb}{0,0.6,0} 39 | \definecolor{ltgray}{rgb}{0.5,0.5,0.5} 40 | 41 | \usepackage{listings} 42 | \lstset{% 43 | backgroundcolor=\color{white}, 44 | basicstyle=\footnotesize, 45 | breakatwhitespace=false, 46 | breaklines=true, 47 | captionpos=b, 48 | commentstyle=\color{dkgreen}, 49 | deletekeywords={...}, 50 | escapeinside={\%*}{*)}, 51 | extendedchars=true, 52 | frame=single, 53 | keepspaces=true, 54 | keywordstyle=\color{blue}, 55 | language=SQL, 56 | morekeywords={*,modify,MODIFY,...}, 57 | 
numbers=left, 58 | numbersep=15pt, 59 | numberstyle=\tiny, 60 | rulecolor=\color{ltgray}, 61 | showspaces=false, 62 | showstringspaces=false, 63 | showtabs=false, 64 | stepnumber=1, 65 | tabsize=4, 66 | title=\lstname 67 | } 68 | 69 | \lstdefinelanguage{powershell}{ 70 | morekeywords={Add-Content,Add-PSSnapin,Clear-Content,% 71 | Clear-History,Clear-Host,Clear-Item,% 72 | Clear-ItemProperty,Clear-Variable,% 73 | Compare-Object,Connect-PSSession,ConvertFrom-String,% 74 | Convert-Path,Copy-Item,Copy-ItemProperty,% 75 | Disable-PSBreakpoint,Disconnect-PSSession,% 76 | Enable-PSBreakpoint,Enter-PSSession,Exit-PSSession,% 77 | Export-Alias,Export-Csv,Export-PSSession,ForEach-Object,% 78 | Format-Custom,Format-Hex,Format-List,Format-Table,% 79 | Format-Wide,Get-Alias,Get-ChildItem,Get-Clipboard,% 80 | Get-Command,Get-ComputerInfo,Get-Content,Get-History,% 81 | Get-Item,Get-ItemProperty,Get-ItemPropertyValue,Get-Job,% 82 | Get-Location,Get-Member,Get-Module,Get-Process,% 83 | Get-PSBreakpoint,Get-PSCallStack,Get-PSDrive,Get-PSSession,% 84 | Get-PSSnapin,Get-Service,Get-TimeZone,Get-Unique,Get-Variable,% 85 | Get-WmiObject,Group-Object,help,Import-Alias,Import-Csv,% 86 | Import-Module,Import-PSSession,Invoke-Command,Invoke-Expression,% 87 | Invoke-History,Invoke-Item,Invoke-RestMethod,Invoke-WebRequest,% 88 | Invoke-WmiMethod,Measure-Object,mkdir,Move-Item,Move-ItemProperty,% 89 | New-object,New-Alias,New-Item,New-Module,New-PSDrive,New-PSSession,% 90 | New-PSSessionConfigurationFile,New-Variable,Out-GridView,% 91 | Out-Host,Out-Printer,Pop-Location,powershell_ise.exe,% 92 | Push-Location,Receive-Job,Receive-PSSession,Remove-Item,% 93 | Remove-ItemProperty,Remove-Job,Remove-Module,Remove-PSBreakpoint,% 94 | Remove-PSDrive,Remove-PSSession,Remove-PSSnapin,Remove-Variable,% 95 | Remove-WmiObject,Rename-Item,Rename-ItemProperty,Resolve-Path,% 96 | Resume-Job,Select-Object,Select-String,Set-Alias,Set-Clipboard,% 97 | Set-Content,Set-Item,Set-ItemProperty,Set-Location,% 98 | 
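Set-PSBreakpoint,Set-TimeZone,Set-Variable,Set-WmiInstance,% 99 | Show-Command,Sort-Object,Start-Job,Start-Process,Start-Service,% 100 | Start-Sleep,Stop-Job,Stop-Process,Stop-Service,Suspend-Job,% 101 | Tee-Object,Trace-Command,Wait-Job,Where-Object,Write-Output% 102 | }, 103 | morekeywords={Do,Else,For,ForEach,Function,If,In,Until,While}, 104 | alsodigit={-}, 105 | sensitive=false, 106 | morecomment=[l]{\#}, 107 | morecomment=[n]{<\#}{\#>}, 108 | morestring=[b]{"}, 109 | morestring=[b]{'}, 110 | morestring=[s]{@'}{'@}, 111 | morestring=[s]{@"}{"@} 112 | } 113 | 114 | -------------------------------------------------------------------------------- /Build/md2pdf.sh: -------------------------------------------------------------------------------- 
#!/bin/bash
# Script based on https://learnbyexample.github.io/tutorial/ebook-generation/customizing-pandoc/
#
# Generate the guide PDF from a master MarkDown file.
#   $1 - master MarkDown file handed to pandoc (required)
#   $2 - output name; its extension is stripped and "<name>.tex" is written next
#        to this script, then compiled with xelatex (required)
#
# Header files are looked up as "<dir of this script>/Build/<file>", so the script
# expects to be run from a copy at the repository root. NOTE(review): confirm this
# matches how the build is invoked; run from Build/ it would look in Build/Build/.

Help()
{
    # Display Help
    echo "Generate guide PDF from a master MarkDown file."
    echo
    echo "Syntax: md2pdf.sh <master.md> <output-name.pdf>"
    echo
    exit
}

while getopts ":h" option; do
    case $option in
        h | *) # display Help
            Help
            exit;;
    esac
done

# Both arguments are required: without $2 the output name collapses to "" and
# the script would write "<dir>/.tex" and later delete ".tex", ".toc", ".aux", ".log".
if [ -z "$1" ] || [ -z "$2" ]
then
    Help
    exit
fi

SCRIPT=$(readlink -f "$0")
SCRIPTPATH=$(dirname "$SCRIPT")
fn="${2%.*}"

# Private scratch directory instead of the fixed /tmp/temp.tex: a predictable
# name in a shared directory can be pre-created or symlinked by another local
# user, and a stale file from an earlier failed run would otherwise be picked up
# by the perl step below. The trap removes it on every exit path.
WORKDIR=$(mktemp -d "${TMPDIR:-/tmp}/md2pdf.XXXXXX") || exit 1
trap 'rm -rf "$WORKDIR"' EXIT
TMPTEX="${WORKDIR}/temp.tex"

echo -e "\e[1;32m Running Pandoc to generate the LaTex file. \e[0m"
# Path expansions are quoted so a checkout under a path containing spaces works.
pandoc "$1" \
    -f gfm \
    --toc \
    --listings \
    --include-in-header "${SCRIPTPATH}/Build/chapter_break.tex" \
    --include-in-header "${SCRIPTPATH}/Build/inline_code.tex" \
    --include-in-header "${SCRIPTPATH}/Build/bullet_style.tex" \
    --include-in-header "${SCRIPTPATH}/Build/pdf_properties.tex" \
    --include-in-header "${SCRIPTPATH}/Build/listings-setup.tex" \
    --highlight-style "${SCRIPTPATH}/Build/pygments.theme" \
    -V toc-title='Table of contents' \
    -V linkcolor:blue \
    -V geometry:a4paper \
    -V geometry:margin=2cm \
    -V mainfont="DejaVu Serif" \
    -V monofont="DejaVu Sans Mono" \
    --pdf-engine=xelatex \
    -o "$TMPTEX" || { echo "pandoc failed, no LaTeX file produced." >&2; exit 1; }

echo -e "\e[1;32m Running Perl to format the output. \e[0m"
# Swaps the first "}"-terminated block after \begin{document} with the line that
# follows it and inserts \thispagestyle{empty} between them (presumably to keep
# the page number off the title page). Regex kept byte-for-byte.
perl -0777 -pe 's/begin\{document\}\n\n\K(.*?^\}$)(.+?)\n/$2\n\\thispagestyle{empty}\n\n$1\n/ms' "$TMPTEX" > "${SCRIPTPATH}/${fn}.tex"

echo -e "\e[1;32m Generating PDF. \e[0m"
xelatex "${SCRIPTPATH}/${fn}.tex" > "${SCRIPTPATH}/pdfgen.log"

echo -e "\e[1;32m Cleanning temp files. \e[0m"
# The generated .tex lives next to the script (written above); the .toc/.aux/.log
# are removed from the current directory, as the original cleanup assumed.
# The scratch directory is removed by the EXIT trap.
rm "${SCRIPTPATH}/${fn}.tex" "$fn".{toc,aux,log}
 -------------------------------------------------------------------------------- /Build/metadata.yml: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Sysmon Missing Manual" 3 | author: "Carlos Perez" 4 | rights: "TrustedSec LLC, Creative Commons Non-Commercial Share Alike 4.0" 5 | language: "en-US" 6 | subtitle: Open Source Sysinternals Sysmon Community Guide 7 | date: 28.01.2020 8 | publisher: TrustedSec Inc. 9 | ibooks: 10 | version: 1.0 11 | stylesheet: pandoc.css 12 | cover-image: media/cover.png 13 | --- -------------------------------------------------------------------------------- /Build/pandoc.css: -------------------------------------------------------------------------------- 1 | /* 2 | * I add this to html files generated with pandoc. 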
3 | */ 4 | 5 | html { 6 | font-size: 100%; 7 | overflow-y: scroll; 8 | -webkit-text-size-adjust: 100%; 9 | -ms-text-size-adjust: 100%; 10 | } 11 | 12 | body { 13 | color: #444; 14 | font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', serif; 15 | font-size: 12px; 16 | line-height: 1.7; 17 | padding: 1em; 18 | margin: auto; 19 | max-width: 42em; 20 | background: #fefefe; 21 | } 22 | 23 | a { 24 | color: #0645ad; 25 | text-decoration: none; 26 | } 27 | 28 | a:visited { 29 | color: #0b0080; 30 | } 31 | 32 | a:hover { 33 | color: #06e; 34 | } 35 | 36 | a:active { 37 | color: #faa700; 38 | } 39 | 40 | a:focus { 41 | outline: thin dotted; 42 | } 43 | 44 | *::-moz-selection { 45 | background: rgba(255, 255, 0, 0.3); 46 | color: #000; 47 | } 48 | 49 | *::selection { 50 | background: rgba(255, 255, 0, 0.3); 51 | color: #000; 52 | } 53 | 54 | a::-moz-selection { 55 | background: rgba(255, 255, 0, 0.3); 56 | color: #0645ad; 57 | } 58 | 59 | a::selection { 60 | background: rgba(255, 255, 0, 0.3); 61 | color: #0645ad; 62 | } 63 | 64 | p { 65 | margin: 1em 0; 66 | } 67 | 68 | img { 69 | max-width: 100%; 70 | } 71 | 72 | h1, h2, h3, h4, h5, h6 { 73 | color: #111; 74 | line-height: 125%; 75 | margin-top: 2em; 76 | font-weight: normal; 77 | } 78 | 79 | h4, h5, h6 { 80 | font-weight: bold; 81 | } 82 | 83 | h1 { 84 | font-size: 2.5em; 85 | } 86 | 87 | h2 { 88 | font-size: 2em; 89 | } 90 | 91 | h3 { 92 | font-size: 1.5em; 93 | } 94 | 95 | h4 { 96 | font-size: 1.2em; 97 | } 98 | 99 | h5 { 100 | font-size: 1em; 101 | } 102 | 103 | h6 { 104 | font-size: 0.9em; 105 | } 106 | 107 | blockquote { 108 | color: #666666; 109 | margin: 0; 110 | padding-left: 3em; 111 | border-left: 0.5em #EEE solid; 112 | } 113 | 114 | hr { 115 | display: block; 116 | height: 2px; 117 | border: 0; 118 | border-top: 1px solid #aaa; 119 | border-bottom: 1px solid #eee; 120 | margin: 1em 0; 121 | padding: 0; 122 | } 123 | 124 | pre, code, kbd, samp { 125 | color: #000; 126 | font-family: 
monospace, monospace; 127 | _font-family: 'courier new', monospace; 128 | font-size: 0.98em; 129 | } 130 | 131 | pre { 132 | white-space: pre; 133 | white-space: pre-wrap; 134 | word-wrap: break-word; 135 | } 136 | 137 | b, strong { 138 | font-weight: bold; 139 | } 140 | 141 | dfn { 142 | font-style: italic; 143 | } 144 | 145 | ins { 146 | background: #ff9; 147 | color: #000; 148 | text-decoration: none; 149 | } 150 | 151 | mark { 152 | background: #ff0; 153 | color: #000; 154 | font-style: italic; 155 | font-weight: bold; 156 | } 157 | 158 | sub, sup { 159 | font-size: 75%; 160 | line-height: 0; 161 | position: relative; 162 | vertical-align: baseline; 163 | } 164 | 165 | sup { 166 | top: -0.5em; 167 | } 168 | 169 | sub { 170 | bottom: -0.25em; 171 | } 172 | 173 | ul, ol { 174 | margin: 1em 0; 175 | padding: 0 0 0 2em; 176 | } 177 | 178 | li p:last-child { 179 | margin-bottom: 0; 180 | } 181 | 182 | ul ul, ol ol { 183 | margin: .3em 0; 184 | } 185 | 186 | dl { 187 | margin-bottom: 1em; 188 | } 189 | 190 | dt { 191 | font-weight: bold; 192 | margin-bottom: .8em; 193 | } 194 | 195 | dd { 196 | margin: 0 0 .8em 2em; 197 | } 198 | 199 | dd:last-child { 200 | margin-bottom: 0; 201 | } 202 | 203 | img { 204 | border: 0; 205 | -ms-interpolation-mode: bicubic; 206 | vertical-align: middle; 207 | } 208 | 209 | figure { 210 | display: block; 211 | text-align: center; 212 | margin: 1em 0; 213 | } 214 | 215 | figure img { 216 | border: none; 217 | margin: 0 auto; 218 | } 219 | 220 | figcaption { 221 | font-size: 0.8em; 222 | font-style: italic; 223 | margin: 0 0 .8em; 224 | } 225 | 226 | table { 227 | margin-bottom: 2em; 228 | border-bottom: 1px solid #ddd; 229 | border-right: 1px solid #ddd; 230 | border-spacing: 0; 231 | border-collapse: collapse; 232 | } 233 | 234 | table th { 235 | padding: .2em 1em; 236 | background-color: #eee; 237 | border-top: 1px solid #ddd; 238 | border-left: 1px solid #ddd; 239 | } 240 | 241 | table td { 242 | padding: .2em 1em; 243 | border-top: 
1px solid #ddd; 244 | border-left: 1px solid #ddd; 245 | vertical-align: top; 246 | } 247 | 248 | .author { 249 | font-size: 1.2em; 250 | text-align: center; 251 | } 252 | 253 | @media only screen and (min-width: 480px) { 254 | body { 255 | font-size: 14px; 256 | } 257 | } 258 | @media only screen and (min-width: 768px) { 259 | body { 260 | font-size: 16px; 261 | } 262 | } 263 | @media print { 264 | * { 265 | background: transparent !important; 266 | color: black !important; 267 | filter: none !important; 268 | -ms-filter: none !important; 269 | } 270 | 271 | body { 272 | font-size: 12pt; 273 | max-width: 100%; 274 | } 275 | 276 | a, a:visited { 277 | text-decoration: underline; 278 | } 279 | 280 | hr { 281 | height: 1px; 282 | border: 0; 283 | border-bottom: 1px solid black; 284 | } 285 | 286 | a[href]:after { 287 | content: " (" attr(href) ")"; 288 | } 289 | 290 | abbr[title]:after { 291 | content: " (" attr(title) ")"; 292 | } 293 | 294 | .ir a:after, a[href^="javascript:"]:after, a[href^="#"]:after { 295 | content: ""; 296 | } 297 | 298 | pre, blockquote { 299 | border: 1px solid #999; 300 | padding-right: 1em; 301 | page-break-inside: avoid; 302 | } 303 | 304 | tr, img { 305 | page-break-inside: avoid; 306 | } 307 | 308 | img { 309 | max-width: 100% !important; 310 | } 311 | 312 | @page :left { 313 | margin: 15mm 20mm 15mm 10mm; 314 | } 315 | 316 | @page :right { 317 | margin: 15mm 10mm 15mm 20mm; 318 | } 319 | 320 | p, h2, h3 { 321 | orphans: 3; 322 | widows: 3; 323 | } 324 | 325 | h2, h3 { 326 | page-break-after: avoid; 327 | } 328 | } 329 | -------------------------------------------------------------------------------- /Build/pdf_properties.tex: -------------------------------------------------------------------------------- 1 | % https://tex.stackexchange.com/questions/23235/eliminate-edit-pdf-properties-added-by-pdflatex 2 | 3 | \usepackage{hyperref} 4 | 5 | \hypersetup{ 6 | pdftitle={Sysmon Community Guide}, 7 | pdfauthor={Carlo Perez}, 8 | 
pdfsubject={Sysinternals Sysmon}, 9 | pdfkeywords={Sysmon} 10 | } 11 | 12 | -------------------------------------------------------------------------------- /Build/pygments.theme: -------------------------------------------------------------------------------- 1 | { 2 | "text-color": null, 3 | "background-color": "#f8f8f8", 4 | "line-number-color": "#aaaaaa", 5 | "line-number-background-color": null, 6 | "text-styles": { 7 | "Other": { 8 | "text-color": "#007020", 9 | "background-color": null, 10 | "bold": false, 11 | "italic": false, 12 | "underline": false 13 | }, 14 | "Attribute": { 15 | "text-color": "#7d9029", 16 | "background-color": null, 17 | "bold": false, 18 | "italic": false, 19 | "underline": false 20 | }, 21 | "SpecialString": { 22 | "text-color": "#bb6688", 23 | "background-color": null, 24 | "bold": false, 25 | "italic": false, 26 | "underline": false 27 | }, 28 | "Annotation": { 29 | "text-color": "#60a0b0", 30 | "background-color": null, 31 | "bold": true, 32 | "italic": true, 33 | "underline": false 34 | }, 35 | "Function": { 36 | "text-color": "#06287e", 37 | "background-color": null, 38 | "bold": false, 39 | "italic": false, 40 | "underline": false 41 | }, 42 | "String": { 43 | "text-color": "#4070a0", 44 | "background-color": null, 45 | "bold": false, 46 | "italic": false, 47 | "underline": false 48 | }, 49 | "ControlFlow": { 50 | "text-color": "#007020", 51 | "background-color": null, 52 | "bold": true, 53 | "italic": false, 54 | "underline": false 55 | }, 56 | "Operator": { 57 | "text-color": "#666666", 58 | "background-color": null, 59 | "bold": false, 60 | "italic": false, 61 | "underline": false 62 | }, 63 | "Error": { 64 | "text-color": "#ff0000", 65 | "background-color": null, 66 | "bold": true, 67 | "italic": false, 68 | "underline": false 69 | }, 70 | "BaseN": { 71 | "text-color": "#40a070", 72 | "background-color": null, 73 | "bold": false, 74 | "italic": false, 75 | "underline": false 76 | }, 77 | "Alert": { 78 | "text-color": 
"#ff0000", 79 | "background-color": null, 80 | "bold": true, 81 | "italic": false, 82 | "underline": false 83 | }, 84 | "Variable": { 85 | "text-color": "#19177c", 86 | "background-color": null, 87 | "bold": false, 88 | "italic": false, 89 | "underline": false 90 | }, 91 | "BuiltIn": { 92 | "text-color": null, 93 | "background-color": null, 94 | "bold": false, 95 | "italic": false, 96 | "underline": false 97 | }, 98 | "Extension": { 99 | "text-color": null, 100 | "background-color": null, 101 | "bold": false, 102 | "italic": false, 103 | "underline": false 104 | }, 105 | "Preprocessor": { 106 | "text-color": "#bc7a00", 107 | "background-color": null, 108 | "bold": false, 109 | "italic": false, 110 | "underline": false 111 | }, 112 | "Information": { 113 | "text-color": "#60a0b0", 114 | "background-color": null, 115 | "bold": true, 116 | "italic": true, 117 | "underline": false 118 | }, 119 | "VerbatimString": { 120 | "text-color": "#4070a0", 121 | "background-color": null, 122 | "bold": false, 123 | "italic": false, 124 | "underline": false 125 | }, 126 | "Warning": { 127 | "text-color": "#60a0b0", 128 | "background-color": null, 129 | "bold": true, 130 | "italic": true, 131 | "underline": false 132 | }, 133 | "Documentation": { 134 | "text-color": "#ba2121", 135 | "background-color": null, 136 | "bold": false, 137 | "italic": true, 138 | "underline": false 139 | }, 140 | "Import": { 141 | "text-color": null, 142 | "background-color": null, 143 | "bold": false, 144 | "italic": false, 145 | "underline": false 146 | }, 147 | "Char": { 148 | "text-color": "#4070a0", 149 | "background-color": null, 150 | "bold": false, 151 | "italic": false, 152 | "underline": false 153 | }, 154 | "DataType": { 155 | "text-color": "#902000", 156 | "background-color": null, 157 | "bold": false, 158 | "italic": false, 159 | "underline": false 160 | }, 161 | "Float": { 162 | "text-color": "#40a070", 163 | "background-color": null, 164 | "bold": false, 165 | "italic": false, 166 | 
"underline": false 167 | }, 168 | "Comment": { 169 | "text-color": "#9c9c9c", 170 | "background-color": null, 171 | "bold": false, 172 | "italic": false, 173 | "underline": false 174 | }, 175 | "CommentVar": { 176 | "text-color": "#60a0b0", 177 | "background-color": null, 178 | "bold": true, 179 | "italic": true, 180 | "underline": false 181 | }, 182 | "Constant": { 183 | "text-color": "#880000", 184 | "background-color": null, 185 | "bold": false, 186 | "italic": false, 187 | "underline": false 188 | }, 189 | "SpecialChar": { 190 | "text-color": "#4070a0", 191 | "background-color": null, 192 | "bold": false, 193 | "italic": false, 194 | "underline": false 195 | }, 196 | "DecVal": { 197 | "text-color": "#40a070", 198 | "background-color": null, 199 | "bold": false, 200 | "italic": false, 201 | "underline": false 202 | }, 203 | "Keyword": { 204 | "text-color": "#007020", 205 | "background-color": null, 206 | "bold": true, 207 | "italic": false, 208 | "underline": false 209 | } 210 | } 211 | } 212 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 |

3 | 4 | # TrustedSec Sysmon Community Guide 5 | 6 |

Creative Commons License

7 | 8 | This work is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/), please attribute to TrustedSec LLC 9 | 10 | ###### You are free to: 11 | 12 | **Share** — copy and redistribute the material in any medium or format. 13 | 14 | **Adapt** — remix, transform, and build upon the material. 15 | 16 | The authors encourage you to redistribute this content as widely as possible, but require that you give credit to the primary authors below, and that you notify us on GitHub of any improvements you make. 17 | 18 | Table of Contents 19 | ================= 20 | 21 | * [What is Sysmon](./chapters/what-is-sysmon.md) 22 | 23 | * Sysmon on Windows 24 | 25 | * [The Sysmon Driver](./chapters/the-sysmon-driver.md) 26 | 27 | * [Install and Configuration](./chapters/install_windows.md) 28 | 29 | * Sysmon on Linux 30 | 31 | * [sysinternalsEBPF](./chapters/eBPF.md) 32 | 33 | * [Install and Configuration](./chapters/install_linux.md) 34 | 35 | * [Configuration](./chapters/configuration.md) 36 | 37 | * Sysmon Events 38 | 39 | * [Process Events](./chapters/process-events.md) 40 | 41 | * [Process Creation](./chapters/process-creation.md) 42 | 43 | * [Process Termination](./chapters/process-termination.md) 44 | 45 | * [Process Access](./chapters/process-access.md) 46 | 47 | * File Events 48 | 49 | * [File Create](./chapters/file-create.md) 50 | 51 | * [File Create Time Change](./chapters/file-create-time-change.md) 52 | 53 | * [File Stream Creation Hash](./chapters/file-stream-creation-hash.md) 54 | 55 | * [File Delete](./chapters/file-delete.md) 56 | 57 | * [File Delete Detected](./chapters/file_delete_detected.md) 58 | 59 | * [File Block EXE](./chapters/file-block-exe.md) 60 | 61 | * [File Block Shredding](./chapters/file-blockshredding.md) 62 | 63 | * [Named Pipes](./chapters/named-pipes.md) 64 | 65 | * [Driver Loading](./chapters/driver-loading.md) 66 | 67 | * [Registry 
Actions](./chapters/registry-actions.md) 68 | 69 | * [Image Loading](./chapters/image-loading.md) 70 | 71 | * [Network Connections](./chapters/network-connections.md) 72 | 73 | * [Create Remote Thread](./chapters/create-remote-thread.md) 74 | 75 | * [Raw Access Read](./chapters/raw-access-read.md) 76 | 77 | * [DNS Query](./chapters/dns-query.md) 78 | 79 | * [WMI Events](./chapters/WMI-events.md) 80 | 81 | * [Clipboard Capture](./chapters/clipboard-capture.md) 82 | 83 | * [Process Image Tampering](./chapters/process-tampering.md) 84 | 85 | ## Current State: 86 | 87 | Microsoft Sysinternals Sysmon is an ever-changing piece of software provided by Microsoft free of charge to its users. As such, it is constantly being updated and new features are added. As it relates to configurations, this guide tries to be as open as possible, since each environment is unique, and recommendations are based on these constraints as much as possible. The guide is made Open Source so that, as Sysmon evolves, the community helps in expanding and maintaining the guide. 88 | 89 | ## Contributing 90 | 91 | Please use the issues system or GitHub pull requests to make corrections, contributions, and other changes to the text - we welcome your contributions! 92 | 93 | ## Credits 94 | 95 | This guide was originally written and edited by Carlos Perez of TrustedSec LLC. 96 | 97 | - **[MIT license](http://opensource.org/licenses/mit-license.php)** 98 | - Copyright 2020 © TrustedSec LLC. 99 | -------------------------------------------------------------------------------- /chapters/WMI-events.md: -------------------------------------------------------------------------------- 1 | WMI Events 2 | ========== 3 | 4 | WMI events, both temporary and permanent (survive a reboot), have been used for 5 | over a decade by vendors and enterprise users to automate actions on systems. 6 | Attackers leverage events in the same manner for automating actions and for 7 | persistence. 
Attackers will create or modify existing event components (APT 28, 8 | 29) on systems for which they gain administrator privilege. WMI events are those 9 | events that happen when a specific Event Class instance is created or they are 10 | modified in the WMI Model. 11 | 12 | An attacker can monitor (and take certain actions) when these events occur by 13 | using subscriptions that monitor for them. 14 | 15 | There are two types of WMI Event Subscriptions: 16 | 17 | - **Temporary** - Subscription is active as long as the process that created 18 | the subscription is active (They run under the privilege of the process) 19 | 20 | - **Permanent** - Subscription is stored in the CIM Database and is active 21 | until removed from it (They always run as SYSTEM) 22 | 23 | All event subscriptions have three components: 24 | 25 | - **Filter** - WQL Query for the events we want 26 | 27 | - **Consumer** - An action to take upon triggering the filter 28 | 29 | - **Binding** - Registers a filter to a consumer 30 | 31 | The filter and consumer are created individually and then registered together. 32 | The actions that Sysmon filters on are those for permanent events. Sysmon will 33 | only log **ActiveScript** and **CommandLine** consumers since these are the ones 34 | abused by attackers. 
35 | 36 | Fields for the Filter creation, modification, or deletion are: 37 | 38 | - **RuleName**: Rule name for filter 39 | 40 | - **EventType**: Will always be *WmiFilterEvent* 41 | 42 | - **UtcTime**: Time event happened 43 | 44 | - **Operation**: Created, modified or deleted 45 | 46 | - **User**: User that performed the action 47 | 48 | - **EventNamespace**: WMI Namespace where object was created 49 | 50 | - **Name**: Name of the filter 51 | 52 | - **Query**: Query defined for the filter 53 | 54 | The fields for Consumer creation, modification, or deletion are: 55 | 56 | - **RuleName**: Rule name for filter 57 | 58 | - **EventType**: Will always be *WmiConsumerEvent* 59 | 60 | - **UtcTime**: Time event happened 61 | 62 | - **Operation**: Created, modified, or deleted 63 | 64 | - **User**: User that performed the action 65 | 66 | - **Name**: Name of the consumer 67 | 68 | - **Type**: Type of consumer 69 | 70 | - **Destination**: Command or Script being executed 71 | 72 | The fields for filter to consumer binding are: 73 | 74 | - **RuleName**: Rule name for filter 75 | 76 | - **EventType**: Will always be *WmiBindingEvent* 77 | 78 | - **UtcTime**: Time event happened 79 | 80 | - **Operation**: Created, modified, or deleted 81 | 82 | - **User**: User that performed the action 83 | 84 | - **Consumer**: Consumer path in the CIM Database 85 | 86 | - **Filter**: Filter path in the CIM Database 87 | 88 | When a Permanent Event Subscription is created, an EventID **5861** in 89 | **Microsoft-Windows-WMI-Activity/Operational** is created in **Windows 2012 R2, 90 | Windows 2016,** and **Windows 10 Pro/Enterprise**. 91 | 92 | The event includes the Query and Consumer object information for the 93 | subscription in its data. 94 | 95 | ![Bind Event](media/image62.png) 96 | 97 | It is recommended to log all instances of this event type. 
98 | 99 | ```XML 100 | 101 | 102 | * 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | ``` 112 | 113 | Sysmon will not capture components of a permanent event created in the **Root** namespace, only under **Root/Subscription**; an attacker may abuse this gap. Windows WMI Operational logs do capture events created in the **Root** namespace and should be leveraged for redundancy, in addition to being able to track: 114 | 115 | * Temporary Events 116 | * WMI Query Errors 117 | * Provider loading 118 | -------------------------------------------------------------------------------- /chapters/clipboard-capture.md: -------------------------------------------------------------------------------- 1 | Clipboard Capture 2 | ================= 3 | 4 | Sysmon will log EventID 24 when an application stores text in the clipboard. This capability was added in version 12.0 of Sysmon under schema 4.40. When text is stored, the event is generated and the text that was copied into the clipboard is stored as a file, referenced by its hash, in the location specified for deleted files, with the same protections on the folder so that only applications running under the context of the SYSTEM account can list and read the files. If no folder is specified, Sysmon will create a folder under the root of the main drive with its name. 5 | 6 | Before creating filters for the event, an element of **\** needs to be added under the Sysmon element. Once this element is added you can create filters for the event type. The **\** element in the configuration XML controls the location of the saved text. 7 | 8 | As is obvious, this type of data is sensitive since it may contain code, credentials, personally identifiable information or more. This is one of the reasons that the data is not stored in the event log but in the heavily permissioned folder. Because of this, care should be taken when deciding on which systems it would be of value to enable this kind of logging. 
Recommended systems would be servers that have RDP enabled, especially those exposed to untrusted networks. It is important to make sure that administrators of the system know that this is enabled and understand the danger of putting an RDP window in focus while sensitive text is in the clipboard, so that sensitive information is not stored on these systems. It is not recommended to enable this capture on client machines due to the risk of unencrypted sensitive data being stored, even if the folder is heavily permissioned with Access Control Lists. 9 | 10 | 11 | The fields for the event are: 12 | 13 | * **RuleName**: Name of rule that triggered the event. 14 | 15 | * **UtcTime**: Time in UTC when event was created 16 | 17 | * **ProcessGuid**: Process Guid of the process that stored the text in the clipboard. 18 | 19 | * **ProcessId**: Process ID of the process that stored the text in the clipboard. 20 | 21 | * **Image**: The process that recorded to the clipboard. 22 | 23 | * **Session**: Session where the process writing to the clipboard is running. This can be system(0), interactive, remote, etc. 24 | 25 | * **ClientInfo**: this will contain the session username, and in case of a remote session the originating hostname, and the IP address when available. 26 | 27 | * **Hashes**: This determines the file name, same as the FileDelete event. 28 | 29 | * **Archived**: Status of whether it was stored in the configured Archive directory. 
30 | 31 | A sample configuration to capture all clipboard events: 32 | 33 | ```XML 34 | 35 | sha1 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | ``` 47 | 48 | This is an event of a user connecting to a VM using Hyper-V console that leverages RDP: 49 | 50 | ```XML 51 | Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 52 | 53 | 54 | 24 55 | 5 56 | 4 57 | 24 58 | 0 59 | 0x8000000000000000 60 | 61 | 92 62 | 63 | 64 | Microsoft-Windows-Sysmon/Operational 65 | SDDC01.acmelabs.pvt 66 | 67 | 68 | 69 | - 70 | 2020-10-07 19:57:53.908 71 | {fcb91365-c386-5f7d-c100-000000000500} 72 | 108 73 | C:\Windows\System32\rdpclip.exe 74 | 1 75 | user: acmelabs\Admin ip: FE80:0000:0000:0000:013E:52B8:0C83:3DE3 hostname: DESKTOP-LH0AJLB 76 | SHA1=292341BFA0C002051415142B99991871C53B3905,MD5=94B9F6FA8509AB6771F72304C0B3538B,SHA256=1AAE1F7AD5E7CB54F0302794430DFBB0CCCF6DA1F3C79DE1B17E8D367D7BF6C1,IMPHASH=00000000000000000000000000000000 77 | true 78 | 79 | 80 | ``` 81 | 82 | In Hyper-V environments where Sysmon is configured for this event type and capturing for RDP connections, will also capture when the window for the console is selected from Hyper-V Manager given it uses RDP for displaying the UI of the VM. Because of this text in the clipboard can be captured by accident exposing its contents to logs. 
83 | 84 | 85 | -------------------------------------------------------------------------------- /chapters/cover.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/cover.png -------------------------------------------------------------------------------- /chapters/create-remote-thread.md: -------------------------------------------------------------------------------- 1 | Create Remote Thread 2 | ==================== 3 | 4 | Sysmon will log **EventID 8** for all processes that use the Win32 API 5 | [CreateRemoteThread](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread) 6 | call. 7 | 8 | This call is used by some programs, parts of the OS and debuggers making 9 | the number of events easy to filter out the normal usages to detect the 10 | outliers. 11 | 12 | Process of use/abuse of CreateRemoteThread 13 | 14 | * Use **OpenProcess( )** to open a target process. 15 | 16 | * Use **VirtualAllocEx( )** allocate a chunk of memory in the process. 17 | 18 | * Use **WriteProcessMemory( )** write the payload to the newly 19 | allocated section. 20 | 21 | * User **CreateRemoteThread( )** to create a new thread in the remote 22 | process to execute the shellcode. 23 | 24 | There are multiple Process Injection techniques, Sysmon monitors for the 25 | most common one used. The infographic from 26 | 27 | 28 | Illustrates the different techniques. 29 | 30 | ![process injection infograph](./media/image57.png) 31 | 32 | The fields for the event are: 33 | 34 | * **RuleName**: Name of rule that triggered the event. 
35 | 36 | * **UtcTime**: Time in UTC when event was created 37 | 38 | * **SourceProcessGuid**: Process Guid of the source process that 39 | created a thread in another process 40 | 41 | * **SourceProcessId**: Process ID used by the OS to identify the 42 | source process that created a thread in another process 43 | 44 | * **SourceImage**: File path of the source process that created a 45 | thread in another process 46 | 47 | * **TargetProcessGuid**: Process Guid of the target process 48 | 49 | * **TargetProcessId**: Process ID used by the OS to identify the 50 | target process 51 | 52 | * **TargetImage**: File path of the target process 53 | 54 | * **NewThreadId**: Id of the new thread created in the target process 55 | 56 | * **StartAddress**: New thread start address 57 | 58 | * **StartModule**: Start module determined from thread start address 59 | mapping to PEB loaded module list 60 | 61 | * **StartFunction**: Start function is reported if exact match to 62 | function in image export tables 63 | 64 | Since the number of processes that use the **CreateRemoteThread()** API in a production environment is low, the best approach is to exclude known good processes by their full path. **CreateRemoteThread()** is not the only API call that can be used to create a thread, so it should not be relied on as a definitive guarantee of lack of process injection. 
65 | 66 | ![process](./media/image58.png) 67 | 68 | Example where known processes that use the API call are excluded 69 | 70 | ```xml 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | Google\Chrome\Application\chrome.exe 80 | 81 | 82 | C:\Windows\System32\wbem\WmiPrvSE.exe 83 | 84 | 85 | C:\Windows\System32\svchost.exe 86 | 87 | 88 | C:\Windows\System32\wininit.exe 89 | 90 | 91 | C:\Windows\System32\csrss.exe 92 | 93 | 94 | C:\Windows\System32\services.exe 95 | 96 | 97 | C:\Windows\System32\winlogon.exe 98 | 99 | 100 | C:\Windows\System32\audiodg.exe 101 | 102 | 103 | C:\windows\system32\kernel32.dll 104 | 105 | 106 | 107 | 108 | 109 | ``` 110 | -------------------------------------------------------------------------------- /chapters/dns-query.md: -------------------------------------------------------------------------------- 1 | DNS Query 2 | ========= 3 | 4 | Sysmon will log EventID 22 to log all DNS Queries using the Windows DnsQuery_* API calls in **dnsapi.dll**. Logging is supported on Windows 8.1 or above since it leverages new ETW functionality in newer versions of Windows. Programs that do their own DNS resolution and do not use the Windows API calls will not be logged 5 | 6 | The fields for the event are: 7 | 8 | * **RuleName**: Name of rule that triggered the event. 9 | 10 | * **UtcTime**: Time in UTC when event was created 11 | 12 | * **ProcessGuid**: Process Guid of the process that made the DNS query 13 | 14 | * **ProcessId**: Process ID of the process that made the DNS query 15 | 16 | * **QueryName**: DNS name that was queries 17 | 18 | * **QueryStatus**: Query result status code 19 | 20 | * **QueryResults**: Query results 21 | 22 | * **Image**: File path of the process that made the DNS query 23 | Exclude known destinations in order to focus on new unknown destinations. This is a high-volume event generation filter, so it is recommended to experiment and build rules with filters for your specific environment if implemented. 
Some examples can be found in 24 | 25 | 26 | Example that excludes known update and telemetry domains. 27 | 28 | ```xml 29 | 30 | 31 | * 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | .mozaws.net 41 | 42 | 43 | .mozilla.com 44 | 45 | 46 | .mozilla.net 47 | 48 | 49 | .mozilla.org 50 | 51 | 52 | 53 | 54 | clients1.google.com 55 | 56 | 57 | clients2.google.com 58 | 59 | 60 | clients3.google.com 61 | 62 | 63 | clients4.google.com 64 | 65 | 66 | clients5.google.com 67 | 68 | 69 | clients6.google.com 70 | 71 | 72 | safebrowsing.googleapis.com 73 | 74 | 75 | 76 | 77 | 78 | -pushp.svc.ms 79 | 80 | 81 | .b-msedge.net 82 | 83 | 84 | 85 | .bing.com 86 | 87 | 88 | .hotmail.com 89 | 90 | 91 | .live.com 92 | 93 | 94 | .live.net 95 | 96 | 97 | .s-microsoft.com 98 | 99 | 100 | .microsoft.com 101 | 102 | 103 | .microsoftonline.com 104 | 105 | 106 | .microsoftstore.com 107 | 108 | 109 | .ms-acdc.office.com 110 | 111 | 112 | .msedge.net 113 | 114 | 115 | .msn.com 116 | 117 | 118 | .msocdn.com 119 | 120 | 121 | .skype.com 122 | 123 | 124 | .skype.net 125 | 126 | 127 | .windows.com 128 | 129 | 130 | .windows.net.nsatc.net 131 | 132 | 133 | .windowsupdate.com 134 | 135 | 136 | .xboxlive.com 137 | 138 | 139 | login.windows.net 140 | 141 | 142 | 143 | 144 | 145 | ``` 146 | -------------------------------------------------------------------------------- /chapters/driver-loading.md: -------------------------------------------------------------------------------- 1 | Driver Loading 2 | ============== 3 | 4 | Sysmon will log EventID 6 for the loading of drivers. Drivers have been used by attackers for the installation of rootkits or to run tooling that needs to run at the kernel level. Mimikatz is known to use a driver to perform tasks to query and modify the UFI to bypass process protections. 5 | 6 | Sysmon will provide code signing information allowing filtering on those fields. Sysmon can also check if a certificate that signed the driver has been revoked. 
7 | 8 | A recommended action for this event is to filter on the **Signature** and **SignatureStatus** fields and exclude known drivers. The main reason to filter on both fields is that many of the attacks steal certificates that are later revoked. By confirming that the **SignatureStatus** is valid, we can find easier drivers signed by a vendor who has been forced to revoke that specific signing certificate. 9 | 10 | The process for Signature values should be a constant one. 11 | 12 | 13 | ![process](./media/image48.png) 14 | 15 | Initial rule for collecting DriverLoad events 16 | 17 | ```xml 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | ``` 38 | 39 | Collect unique Signature field values for building filters 40 | 41 | The event fields are: 42 | 43 | * **RuleName**: Name of rule that triggered the event. 44 | 45 | * **UtcTime**: Time in UTC when event was created 46 | 47 | * **ImageLoaded**: File path of the driver loaded 48 | 49 | * **Hashes**: Hashes captured by Sysmon driver 50 | 51 | * **Signed**: Is the driver loaded signed 52 | 53 | * **Signature**: Signer name of the driver 54 | 55 | * **SignatureStatus**: Status of the signature 56 | 57 | Example filtering out drivers signed by Microsoft, Intel and VMware for 58 | a VDI environment 59 | 60 | ```xml 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | Microsoft 69 | Valid 70 | 71 | 72 | 73 | Intel 74 | Valid 75 | 76 | 77 | 78 | VMware 79 | Valid 80 | 81 | 82 | 83 | 84 | 85 | ``` 86 | -------------------------------------------------------------------------------- /chapters/eBPF.md: -------------------------------------------------------------------------------- 1 | sysinternalsEBPF 2 | ================= 3 | 4 | Sysmon for Linux uses its own library “sysinternalsEBPF” to handle the security events monitoring process. The advantages are that eBPF is a technology that allows programs to run in a sandbox in an operating system at the kernel level. 
The eBPF library will allow for the collection of information on: 5 | 6 | * Processes 7 | * System Calls 8 | * Network Sockets 9 | 10 | The “sysinternalsEBPF” library is open sourced and licensed under the MIT License. The source is available in GitHub at In GitHub the latest installation and build instructions can be found. 11 | 12 | ![eBPF](media/image64.png) 13 | 14 | The eBPF library leverages a large library of Kernel memory offsets that are stored after installation in a JSON file at **/opt/sysinternalsEBPF/offsets.json** if the kernel is not one in the list it will do an auto discovery of the offsets and add them to **/opt/sysinternalsEBPF/sysinternalsEBPF_offsets.conf** There might be some cases where it will fail to do an autodiscovery of the offsets like in the case of a kernel update. In this case the service will fail to load and provide instructions on how to update the offsets. Bellow is the error that would be displayed in the case that autodiscovery fails. 15 | 16 | ![Kernel Offset](media/image65.png) 17 | 18 | The GitHub repo instructions on how to build and offset config for the current kernel are provided 19 | -------------------------------------------------------------------------------- /chapters/file-block-exe.md: -------------------------------------------------------------------------------- 1 | File Block EXE 2 | =========== 3 | 4 | On version 14.0 of Sysmon the capability to block the creation of executables by a process was added, this is the first event type where Sysmon takes a block action on a rule match. Sysmon relies on its filter driver, Sysmon can log the creation of files and information on what process is the the file using **EventID 27**. This event type is found under schema version 5 | 6 | 7 | ![minifilter](./media/image36.png) 8 | 9 | The minidriver inspect the header of the file for the MZ DOS Executable header. 
The file can be identified by the ASCII string "MZ" (hexadecimal: 4D 5A) at the beginning of the file (the "magic number"). "MZ" are the initials of Mark Zbikowski, one of the leading developers of MS-DOS. This header is included in DLLs, PE Files, COM executables and other executable types. 10 | 11 | Sysmon will not generate any alert on screen for the user once it takes the action. 12 | 13 | 14 | ### Event information 15 | 16 | The file delete event fields are: 17 | 18 | * **RuleName**: Name of rule that triggered the event 19 | 20 | * **UtcTime**: Time in UTC when event was created 21 | 22 | * **ProcessGuid**: Process Guid of the process that attempted to create the file 23 | 24 | * **ProcessId**: Process ID used by the OS to identify the process that attempted to create the file. 25 | 26 | * **Image**: File path of the process that attempted to create the file 27 | 28 | * **TargetFilename**: Name of the file that is being created. 29 | 30 | **Hashes**: Full hash of the file with the algorithms in the HashType field. This is also the filename of the saved file in the ArchiveDirectory 31 | 32 | 33 | Given the potential for this specific rule set to cause friction between a security team with users and other groups in the organization it is recommended to test before deploying. One recommendation is to use a file creation rule set to build a baseline of what executables are create where as part of normal day to day operations and then take that data to build a rule set that will minimize impact. 
34 | 35 | A sample baseline ruleset can be: 36 | 37 | ```XML 38 | 39 | sha1 40 | 41 | 42 | 43 | 44 | .dll;.exe 45 | 46 | 47 | 48 | 49 | ``` 50 | 51 | Bellow is an example rule set that covers some of the most common scenarios where actors will drop executables using malicious documents, in emails, 52 | 53 | ```XML 54 | 55 | sha1 56 | 57 | 58 | 59 | 60 | 61 | excel.exe 62 | winword.exe 63 | powerpnt.exe 64 | outlook.exe 65 | msaccess.exe 66 | mspub.exe 67 | 68 | 69 | powershell.exe 70 | mshta.exe 71 | cscript.exe 72 | wscript.exe 73 | 74 | 75 | certutil.exe 76 | esenutl.exe 77 | desktopimgdownldr.exe 78 | regsvr32.exe 79 | Odbcconf.exe 80 | 81 | 82 | 83 | 84 | ``` 85 | -------------------------------------------------------------------------------- /chapters/file-blockshredding.md: -------------------------------------------------------------------------------- 1 | File Block EXE 2 | =========== 3 | 4 | On version 14.1 of Sysmon the capability to log and block when a process is deleting a file by overwriting its file blocks. Events will be loggedusing **EventID 27**. This event type is found under schema version 4.83. 5 | 6 | 7 | ![minifilter](./media/image36.png) 8 | 9 | The minidriver inspect the action that is being taken to see if it is a file block overwrite and if the header of the file for the MZ DOS Executable header. Some common processes on system that perform actions that may generate some false positives if all instances of the action is blocked. If this approach is follower a exclusion list should be used. 
An example of these are: 10 | 11 | ```xml 12 | 13 | 14 | C:\WINDOWS\System32\svchost.exe 15 | NT AUTHORITY\LOCAL SERVICE 16 | 17 | 18 | C:\WINDOWS\System32\svchost.exe 19 | NT AUTHORITY\SYSTEM 20 | 21 | 22 | C:\WINDOWS\system32\SearchIndexer.exe 23 | NT AUTHORITY\SYSTEM 24 | 25 | 26 | C:\WINDOWS\system32\lsass.exe 27 | NT AUTHORITY\SYSTEM 28 | 29 | 30 | \MsMpEng.exe 31 | NT AUTHORITY\SYSTEM 32 | 33 | 34 | C:\WINDOWS\system32\DllHost.exe 35 | \Dropbox\Client\Dropbox.exe 36 | C:\WINDOWS\system32\backgroundTaskHost.exe 37 | \AppData\Local\Programs\Microsoft VS Code\Code.exe 38 | C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe 39 | \Microsoft\Edge\Application\msedge.exe 40 | \1Password.exe 41 | C:\Windows\ImmersiveControlPanel\SystemSettings.exe 42 | C:\WINDOWS\system32\taskhostw.exe 43 | 44 | 45 | ``` 46 | It is recommended to better block those files that an attacket would like to delete so as to hide their tracks that where part of a compromise at several stages. Now great care should be taken for those applications that update themself and some software management solutions that may trigger false positives for some of the files covered. Since this is a blocking action it is important to test before a configuration is pushed to host, after a deployment it is also important to minitor to prevent disruption in some environments. 47 | 48 | ```XML 49 | 50 | 51 | .sys 52 | .rft 53 | .jsp 54 | .jspx 55 | .asp 56 | .aspx 57 | .php 58 | .war 59 | .ace 60 | .iqy 61 | .slk 62 | .docm 63 | .pptm 64 | .xlsm 65 | .xlm 66 | .dotm 67 | .xltm 68 | .potm 69 | .ppsm 70 | .sldm 71 | .xlam 72 | .xla 73 | .xll 74 | .settingcontent-ms 75 | .application 76 | .appref-ms 77 | .kirbi 78 | .iso 79 | .img 80 | .hta 81 | .exe 82 | .dll 83 | .ps1 84 | .ps2 85 | .psm1 86 | .bat 87 | .cmd 88 | 89 | 90 | ``` 91 | 92 | Sysmon will not generate any alert on screen for the user once it takes the action. 
93 | 94 | 95 | ### Event information 96 | 97 | The file delete event fields are: 98 | 99 | * **RuleName**: Name of rule that triggered the event 100 | 101 | * **UtcTime**: Time in UTC when event was created 102 | 103 | * **ProcessGuid**: Process Guid of the process that overwrote the fileblocks for the file 104 | 105 | * **ProcessId**: Process ID used by the OS to identify the process that overwrote the fileblocks for the file. 106 | 107 | * **Image**: File path of the process that overwrote the fileblocks for the file 108 | 109 | * **TargetFilename**: Name of the file that is being deleted. 110 | 111 | * **Hashes**: Full hash of the file with the algorithms in the HashType field. 112 | 113 | * **IsExecutable**: If the file has a MZ header saying the file is an executable. 114 | 115 | -------------------------------------------------------------------------------- /chapters/file-create-time-change.md: -------------------------------------------------------------------------------- 1 | File Create Time Change 2 | ======================= 3 | 4 | **EventID 2** is for the technique that modifies the timestamps of a file (the modify, access, create, and change times). This is done often to mimic files that are in the same folder to hide dropped files or accessed files to prevent casual detection. Some applications modify timestamps in their normal operation. A good practice is to exclude those applications that normally change file creation times like setup executables, Chrome, OneDrive, and others. As a minimum, the Users directory should be monitored. 
5 | 6 | The fields for the event: 7 | 8 | * RuleName: Name of rule that triggered the event 9 | 10 | * UtcTime: Time in UTC when the event was created 11 | 12 | * ProcessGuid: Process GUID of the process that changed the file creation time 13 | 14 | * ProcessId: Process ID used by the OS to identify the process changing the file creation time 15 | 16 | * Image: File path of the process that changed the file creation time 17 | 18 | * TargetFilename: Full path name of the file 19 | 20 | * CreationUtcTime: New creation time of the file 21 | 22 | * PreviousCreationUtcTime: Previous creation time of the file 23 | 24 | 25 | Example: 26 | 27 | ```xml 28 | 29 | 30 | 31 | 32 | 33 | 34 | C:\Users 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | OneDrive.exe 44 | C:\Windows\system32\backgroundTaskHost.exe 45 | setup 46 | install 47 | Update\ 48 | redist.exe 49 | msiexec.exe 50 | TrustedInstaller.exe 51 | 52 | 53 | 54 | 55 | 56 | ``` 57 | -------------------------------------------------------------------------------- /chapters/file-create.md: -------------------------------------------------------------------------------- 1 | File Create 2 | =========== 3 | 4 | Via its filter driver, Sysmon can log the creation of files and information on what process is creating the file using **EventID 11**. This allows defenders to filter for: 5 | 6 | * Dropping of files for later execution (PowerShell, Office Apps, certutil.exe) 7 | 8 | * Modification of system configurations (Scheduled Tasks, WMI) 9 | 10 | * Detection of malicious behaviors that create temporary or log files (.Net compile and run, DotNet2JS) 11 | 12 | Since AV minifilters load before Sysmon (due to their lower altitude number range), if an AV or EDR minifilter driver detects a malicious file and blocks it writing to disk, Sysmon will not log the event. 
13 | 14 | ![minifilter](./media/image36.png) 15 | 16 | The file creation event fields are: 17 | 18 | * **RuleName**: Name of rule that triggered the event 19 | 20 | * **UtcTime**: Time in UTC when event was created 21 | 22 | * **ProcessGuid**: Process Guid of the process that created the file 23 | 24 | * **ProcessId**: Process ID used by the OS to identify the process that created the file (child) 25 | 26 | * **Image**: File path of the process that created the file 27 | 28 | * **TargetFilename**: Name of the file that was created 29 | 30 | * **CreationUtcTime**: File creation time 31 | 32 | Example monitoring for script file creation by extension: 33 | 34 | ```XML 35 | 36 | 37 | 38 | 39 | 40 | 41 | .hta 42 | 43 | 44 | 45 | .bat 46 | .cmd 47 | .ps1 48 | .ps2 49 | .jse 50 | .vb 51 | .vbe 52 | .vbs 53 | 54 | 55 | 56 | 57 | .application .appref-ms 58 | 59 | 60 | 61 | 62 | .*proj 63 | .sln 64 | 65 | 66 | 67 | 68 | .docm 69 | .pptm 70 | .xlsm 71 | .xlm 72 | .dotm 73 | .xltm 74 | .potm 75 | .ppsm 76 | .sldm 77 | .xlam 78 | .xla 79 | 80 | 81 | 82 | 83 | AppData\Local\Microsoft\CLR_v2.0\UsageLogs\ 84 | \UsageLogs\cscript.exe.log 85 | \UsageLogs\wscript.exe.log 86 | \UsageLogs\wmic.exe.log 87 | \UsageLogs\mshta.exe.log 88 | \UsageLogs\svchost.exe.log 89 | \UsageLogs\regsvr32.exe.log 90 | \UsageLogs\rundll32.exe.log 91 | 92 | 93 | 94 | 95 | 96 | ``` 97 | -------------------------------------------------------------------------------- /chapters/file-delete.md: -------------------------------------------------------------------------------- 1 | File Delete 2 | =========== 3 | 4 | On version 11.0 of Sysmon the capability to log file deletions was added, in addition file marked for deletion are archived allowing defentders to collect tools and other files an attacker creates on a system to better track and understand their activiries. 
Via its filter driver, Sysmon can log the deletion of files and information on what process is deleting or overwriting the file using **EventID 23**. Defenders can use this event type to filter for:
24 | 25 | ``` 26 | PS C:\> (Get-Acl C:\Sysmon\).access 27 | 28 | 29 | FileSystemRights : FullControl 30 | AccessControlType : Allow 31 | IdentityReference : NT AUTHORITY\SYSTEM 32 | IsInherited : False 33 | InheritanceFlags : None 34 | PropagationFlags : None 35 | ``` 36 | 37 | ### Event information 38 | 39 | The file delete event fields are: 40 | 41 | * **RuleName**: Name of rule that triggered the event 42 | 43 | * **UtcTime**: Time in UTC when event was created 44 | 45 | * **ProcessGuid**: Process Guid of the process that deletec the file 46 | 47 | * **ProcessId**: Process ID used by the OS to identify the process that deleted the file (child) 48 | 49 | * **Image**: File path of the process that deleted the file 50 | 51 | * **TargetFilename**: Name of the file that was deleted 52 | 53 | **Hashes**: Full hash of the file with the algorithms in the HashType field. This is also the filename of the saved file in the ArchiveDirectory 54 | 55 | * **Archived**: States whether the archival action was succesful 56 | 57 | Example monitoring for script file creation by extension: 58 | 59 | ```XML 60 | 61 | SysmonIsAwesome 62 | 63 | 64 | 65 | 66 | \Downloads\ 67 | \Content.Outlook\ 68 | \AppData\Local\Temp\ 69 | \AppData\Local\Microsoft\ 70 | C:\Windows\Temp 71 | 72 | 73 | 74 | .exe;.ps1;.js;.xls;.xlsm;.docm 75 | 76 | 77 | 78 | 79 | ``` 80 | 81 | ### Warning 82 | 83 | A code execution vulnerability exits on Sysmon 11.0, 11.1 and 12.0 where an attacker that has local administrative privileges can leverage a bug in the way that Sysmon handles File Delete events in its memory allows for arbitrary kernel write where an attacker can write executacle code and run it with kernel level privileges. 
Hashes for the vulnerable versions of the drivers are listed below (note that these values are 64 hexadecimal characters, the length of a SHA256 digest rather than a SHA1, so match them against the SHA256 value of the Hashes field):
5 | 6 | Each record in NTFS on a drive is subdivided into a list of variable length attributes: 7 | 8 | * \$STANDARD\_INFORMATION 9 | 10 | * \$FILE\_NAME 11 | 12 | * \$DATA 13 | 14 | * \$INDEX\_ROOT 15 | 16 | * \$BITMAP 17 | 18 | * \$INDEX\_ALLOCATION 19 | 20 | * \$ATTRIBUTE\_LIST 21 | 22 | Alternate Data Streams (ADS) are implemented by having multiple \$Data 23 | attributes 24 | 25 | * The Default data stream is unnamed 26 | 27 | * Alternate streams are named ones. 28 | 29 | Since streams that are part of the NTFS structure directories may have an AD, we can use PowerShell to look at a file with the single default unamend :\$DATA stream: 30 | 31 | ![stream1](./media/image41.png) 32 | 33 | File with a second named stream: 34 | 35 | ![stream2](./media/image42.png) 36 | 37 | Some execution examples: 38 | 39 | * Execution Rundll32 example 40 | 41 | * Cscript Example 42 | 43 | * PowerShell Example 44 | 45 | More execution examples at 46 | by 47 | Oddvar Moe 48 | 49 | In the case of downloads performed by browsers and email clients in Windows that leveragle the urlmon.dll for downloading files they have al indetifying stream added with information about the download including the URL and Refferer. This information can be used to track the origing of downloaded files by attackers with a console presense or via a phishing attack. 50 | 51 | We can use PowerShell Get-Item and Get-Content cmdlets to check is a Zone.Identifier stream exist and show its content. 
52 | 53 | ![process](./media/image63.png) 54 | 55 | 56 | The fields for the event: 57 | 58 | * **RuleName**: Name of rule that triggered the event 59 | * **UtcTime**: Time in UTC when event was created 60 | * **ProcessGuid**: Process GUID of the process that created the named file stream 61 | * **ProcessId**: Process ID used by the OS to identify the process that created the named file stream 62 | * **Image**: File path of the process that created the named file stream 63 | * **TargetFilename**: Name of the file 64 | * **CreationUtcTime**: File download time 65 | * **Hash**: Full hash of the file with the algorithms in the HashType field 66 | * **Content**: Contents of text streams. 67 | 68 | 69 | The number of processes that create alternate streams should be low and easily excluded. Mail clients and browsers are the main generators of this event in normal operation to set the Zone attribute; Because of this, a maintenance process is recommended when leveraging these filters. 70 | 71 | ![process](./media/image43.png) 72 | 73 | Since urlmon.dll sets different parts of the stream as the file is downloaded we see normally a total of 6 events as the data is added to the file. This provides important forensic information to track files that an attacker may have delived and correlated with other networks logs. 74 | 75 | Example: Exclude common processes that create alternate data streams. 
76 | 77 | ```xml 78 | 79 | 80 | 81 | 82 | 83 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 84 | 85 | C:\Windows\system32\browser_broker.exe 86 | 87 | C:\Program Files\Internet Explorer\iexplore.exe 88 | 89 | OUTLOOK.EXE 90 | 91 | 92 | 93 | 94 | ``` 95 | -------------------------------------------------------------------------------- /chapters/file_delete_detected.md: -------------------------------------------------------------------------------- 1 | File Delete Detected 2 | ==================== 3 | 4 | On version 13.10 of Sysmon added the capability to log file deletions without archiving the deleted file, the event is identical to **EventID 23** File Delete, for filtering the same fields are used. The File Delete Detected uses **EventID 26**. 5 | 6 | It leverages the Sysmon minidriver and we should considered it altitude number when other security products are present. 7 | 8 | ![minifilter](./media/image36.png) 9 | 10 | The minidriver monitors for three I/O request packets (IRP) IRP_MJ_CREATE, IRP_MJ_CLEANUP, and IRP_MJ_WRITE for file creates, complete handle closes, and writes respectively. 11 | 12 | ### Event information 13 | 14 | The file delete event fields are: 15 | 16 | * **RuleName**: Name of rule that triggered the event 17 | 18 | * **UtcTime**: Time in UTC when event was created 19 | 20 | * **ProcessGuid**: Process Guid of the process that deleted the file 21 | 22 | * **ProcessId**: Process ID used by the OS to identify the process that deleted the file (child) 23 | 24 | * **Image**: File path of the process that deleted the file 25 | 26 | * **TargetFilename**: Name of the file that was deleted 27 | 28 | **Hashes**: Full hash of the file with the algorithms in the HashType field. 
This is also the filename of the saved file in the ArchiveDirectory 29 | 30 | This event type is recommended for those cases where there is a large number of false positive for a given rule but still it is of value to log the action or the rule has false positives for files that could be of great size like archive file or image files like ISO, IMG and others. 31 | -------------------------------------------------------------------------------- /chapters/image-loading.md: -------------------------------------------------------------------------------- 1 | Image Loading 2 | ============= 3 | 4 | Sysmon will log **EventID 7** for the loading of images (Components like 5 | DLL, OCX..) by a given process. This filter can cause high CPU usage if 6 | filtering is to open on desktop or terminal systems with lots of process 7 | starting and stopping, because of this event is best targeted by 8 | monitoring for specific libraries or combinations used by attackers. 9 | 10 | The event fields are: 11 | 12 | * **RuleName**: Name of rule that triggered the event. 
13 | 14 | * **UtcTime**: Time in UTC when event was created 15 | 16 | * **ProcessGuid**: Process Guid of the process that loaded the image 17 | 18 | * **ProcessId**: Process ID used by the OS to identify the process 19 | that loaded the image 20 | 21 | * **Image**: File path of the process that loaded the image 22 | 23 | * **ImageLoaded**: Path of the image loaded 24 | 25 | * **FileVersion**: Version of the image loaded 26 | 27 | * **Description**: Description of the image loaded 28 | 29 | * **Product**: Product name the image loaded belongs to 30 | 31 | * **Company**: Company name the image loaded belongs to 32 | 33 | * **OriginalFileName**: OriginalFileName from the PE header, added on 34 | compilation 35 | 36 | * **Hashes**: Full hash of the file with the algorithms in the 37 | HashType field 38 | 39 | * **Signed**: State whether the image loaded is signed 40 | 41 | * **Signature**: The signer name 42 | 43 | * **SignatureStatus**: status of the signature 44 | 45 | Example of libraries leveraged by attackers 46 | 47 | ```xml 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | jscript9.dll 56 | mshta.exe 57 | 58 | 59 | 60 | wshom.ocx 61 | scrrun.dll 62 | vbscript.dll 63 | 64 | 65 | 66 | System.Management.Automation.ni.dll 67 | System.Management.Automation.dll 68 | 69 | 70 | 71 | scrobj.dll 72 | 73 | 74 | 75 | 76 | 77 | ``` 78 | -------------------------------------------------------------------------------- /chapters/install_linux.md: -------------------------------------------------------------------------------- 1 | Install and Configuration 2 | ========================= 3 | 4 | Installation under Linux varies given that each Linux distribution and even version of each differ slightly in the steps to install the packages for sysinternalsEBPF and sysmonforlinux. The package installation steps for each distribution and is maintained in github at . 
The solution can be compiled and installed from source, but this is not recommended for a production environment since it adds complexity in tracking dependency versions and also introduces other packages that can be abused by an attacker who gains access to the system. 5 | 6 | The package installation process will create a sysmon ELF binary at /usr/bin/sysmon; this binary is used to install and configure the service. 7 | 8 | When using the tool, any errors will result in an error message and help information with basic switches. To see only the help information for the tool, the **-?** switch parameter is used. This help information will include: 9 | 10 | * Parameter sets for installation, configuration, and uninstall 11 | 12 | * Common command line parameters. 13 | 14 | * General notes on how the tool works and further details on how to get more help information. 15 | 16 | The parameters of the tool and the structure of the XML configuration file are defined in the tool Schema. This schema can be printed using the **-s "PrintSchema"** parameter; if no schema version is provided, it will print the default schema. 17 | 18 | The tool can be run in 4 main modes; 3 of them are shown in the help message: 19 | 20 | * **Install** - Install the driver, manifest and service on the host. 21 | 22 | * **Configure** - Parses a given configuration file or command line parameters to generate a configuration that is stored in the registry. 23 | 24 | * **Uninstall** - Removes the driver and service from the host. 25 | 26 | Installation 27 | ------------ 28 | 29 | The key parameter that initiates the installation mode of Sysmon is the **-i** switch. The installation process will be as follows: 30 | 31 | * Decompresses and copies itself into **/opt/sysmon** 32 | 33 | * Creates a systemd service 34 | 35 | * Enables a default configuration (ProcessCreation and ProcessTermination) if no configuration file is passed to the **-i** parameter. 
36 | 37 | The **-accepteula** parameter needs to be passed to accept the EULA for the tool. 38 | 39 | Uninstall 40 | --------- 41 | 42 | To uninstall Sysmon, a binary with the same name as the main service, if renamed, has to be run with the **-u** switch parameter. 43 | 44 | ```bash 45 | /opt/sysmon/sysmon -u 46 | ``` 47 | 48 | When executed, the command will run a series of steps to uninstall the service and remove the tool's files from **/opt/sysmon**. 49 | 50 | The value of **force** can be passed to the **-u** parameter to force uninstallation. 51 | 52 | ```bash 53 | /opt/sysmon/sysmon -u force 54 | ``` 55 | -------------------------------------------------------------------------------- /chapters/install_windows.md: -------------------------------------------------------------------------------- 1 | Install and Configuration 2 | ========================= 3 | 4 | * [Sysmon Command Line](#the-sysmon-command-line) 5 | 6 | * [Installation with Configuration](#installation-with-configuration) 7 | 8 | * [Uninstall](#uninstall) 9 | 10 | * [Installation Best Practice](#installation-best-practice) 11 | 12 | * [Configuration](#configuration) 13 | 14 | * [Command Line Parameters](#command-line-parameters) 15 | 16 | * [Filter Operators](#filter-operators) 17 | 18 | * [Event Schema](#event-schema) 19 | 20 | * [Configuration File](#configuration-file) 21 | 22 | * [RuleGroups](#rulegroups) 23 | 24 | * [Configuration File Best Practices](#configuration-file-best-practices) 25 | 26 | * [Configuration Tampering](#configuration-tampering) 27 | 28 | * [Configuration Deployment](#configuration-deployment) 29 | 30 | * [Deployment Script](#deployment-script) 31 | 32 | * [GPO Configuration Deployment](#gpo-configuration-deployment) 33 | 34 | The Sysmon Command Line 35 | ======================= 36 | 37 | Sysmon installation and configuration can be done via the command line. 
When Sysmon is downloaded from Microsoft, the zip file will contain two command line versions of the tool: 38 | 39 | * **Sysmon.exe** - x86 and x64 version. 40 | 41 | * **Sysmon64.exe** - 64bit only version. 42 | 43 | When using the tool, any errors will result in an error message and help information with basic switches. To see only the help information for the tool, the **-?** switch parameter is used. This help information will include: 44 | 45 | * Parameter sets for installation, configuration, and uninstall 46 | 47 | * Common command line parameters. 48 | 49 | * General notes on how the tool works and further details on how to get more help information. 50 | 51 | The parameters of the tool and the structure of the XML configuration file are defined in the tool Schema. This schema can be printed using the **-s "PrintSchema"** parameter; if no schema version is provided, it will print the default schema. 52 | 53 | The tool can be run in 4 main modes; 3 of them are shown in the help message: 54 | 55 | * **Install** - Install the driver, manifest and service on the host. 56 | 57 | * **Configure** - Parses a given configuration file or command line parameters to generate a configuration that is stored in the registry. 58 | 59 | * **Uninstall** - Removes the driver and service from the host. 60 | 61 | The semi-hidden and undocumented method is Debug, in which a specified configuration is parsed, and live events are shown in the console. 62 | 63 | Install 64 | ------- 65 | 66 | The key parameter that initiates the installation mode of Sysmon is the **-i** switch. 
The installation process will be as follows: 67 | 68 | * Decompresses and saves driver and copy of itself in to **%systemroot%** 69 | 70 | * Registers event log manifest 71 | 72 | * Creates a service 73 | 74 | * Enables a default configuration (ProcessCreation, ProcessTermination, DriverLoad , FileCreationTimeChanged, SHA1 for Images) if no configuration file is passed using the **-c \** parameter 75 | 76 | The Installation process allows for some obfuscation: 77 | 78 | * Driver name can be changed 79 | 80 | * Service name can be changed 81 | 82 | * Sysmon binary name can be renamed. 83 | 84 | These obfuscation changes will also affect registry paths for the driver and processes service keys. All of the obfuscation methods are part of the installation option set. 85 | 86 | The installation options are: 87 | 88 | * Default -- Driver is installed and named SysmonDrv and service Sysmon 89 | 90 | ```shell 91 | sysmon.exe --i --accepteula 92 | 93 | ``` 94 | 95 | * Renamed Driver -- The driver file and registry entry are renamed. Name has an 8-character limit. 96 | 97 | ```shell 98 | sysmon.exe -i -d 99 | ``` 100 | 101 | * Renamed Service -- The executable name defines the service name. 102 | 103 | ```shell 104 | .exe -i -d 105 | ``` 106 | 107 | The installation process on a x64 system with the binary named sysmon.exe that is intended to work across x64 and x86 architectures is shown below. This is important since some of the actions may cause confusion or trigger alerts on monitoring systems. 108 | 109 | One important thing to keep in mind when obfuscating the driver name and service name is that certain characteristics remain the same. 110 | 111 | * Service description remains the same. (This can be modified post-install.) 112 | 113 | * Driver Altitude number remains the same. 114 | 115 | * The eventlog remains the same so as to not break collection from SIEM products. 
116 | 117 | Process for x86 118 | --------------- 119 | 120 | ![x86 bit install process](./media/image6.png) 121 | 122 | x64 Process 123 | ----------- 124 | 125 | ![x64 install process](./media/image7.png) 126 | 127 | Sysmon will create 2 registry keys to define the services for its operation under ***HKLM\\SYSTEM\\CurrentControlSet\\Services*** 128 | 129 | * Sysmon - Service that talks to the driver and performs the filtering action. It is named the same as the Sysmon executable. 130 | 131 | * SysmonDrv - Kernel driver service; this service loads the Sysmon driver with an altitude number of 385201 132 | 133 | The settings for each service are: 134 | 135 | Main Service: 136 | 137 | * Name: **Name of the executable (default Sysmon or Sysmon64)** 138 | 139 | * LogOn: **Local System** 140 | 141 | * Description: **System Monitor service** 142 | 143 | * Startup: **Automatic** 144 | 145 | * ImagePath: **%windir%\\\** 146 | 147 | Driver Service: 148 | 149 | * Name: **SysmonDrv unless --d \ is specified** 150 | 151 | * LogOn: **Local System** 152 | 153 | * Description: **System Monitor driver** 154 | 155 | * Startup: **Automatic** 156 | 157 | * ImagePath: **\.sys** 158 | 159 | Installation with Configuration 160 | ------------------------------- 161 | An XML configuration file can be passed during installation if an initial configuration needs to be set. This is the preferred method for production systems since a configuration file can cover all event types and logic. The most used method is to pass a configuration file using the **-c \** parameter. 162 | 163 | ```shell 164 | sysmon.exe -i --accepteula -c 165 | ``` 166 | 167 | If the configuration specifies an archive folder using the `````` element, the **-a \** parameter needs to be specified on the command line so that Sysmon can create the folder and set the proper permissions. This applies to version 11.0 of Sysmon; in version 11.1 the parameter was removed and the folder is now configured via the configuration file. 
If the folder is not present, even if one was specified, Sysmon will create a folder named **Sysmon** instead and use that folder to archive the deleted files. 168 | 169 | We can control the hashing algorithm used for events that hash images, and we can control whether signature revocation is checked. 170 | 171 | The hashing algorithm or combination of them can be specified with the **-h \** parameter. The specified algorithms will be used to hash all images. 172 | 173 | ```shell 174 | sysmon.exe -i -c -h 175 | ``` 176 | 177 | We can enable checking whether certificates are revoked using the -r parameter. 178 | 179 | ```shell 180 | sysmon.exe -i -c -r 181 | 182 | ``` 183 | 184 | Some basic filtering can also be done from the command line. Only filtering by process name can be done for NetworkConnect, ImageLoad, and ProcessAccess via the command line. 185 | 186 | * **NetworkConnect** - Track network connections. 187 | 188 | ```shell 189 | sysmon.exe -i -c -n [] 190 | ``` 191 | 192 | * **ImageLoad** - DLL loading by processes. 193 | 194 | ```shell 195 | sysmon.exe -i -c -l [] 196 | ``` 197 | 198 | * **ProcessAccess** - Processes whose memory is accessed. 199 | 200 | ```shell 201 | sysmon.exe -i -c -k [] 202 | ``` 203 | 204 | Uninstall 205 | --------- 206 | 207 | To uninstall Sysmon, a binary with the same name as the main service, if renamed, has to be run with the **-u** switch parameter. 208 | 209 | ```shell 210 | sysmon.exe -u 211 | ``` 212 | 213 | When executed, the command will run a series of steps to uninstall the service and driver and remove the tool's files. 214 | 215 | ![Uninstall Process](./media/image8.png) 216 | 217 | There is an undocumented value, **"force"**, that can be passed to the **-u** parameter to force the removal of the services even if they could not be stopped. 
218 | 219 | ```shell 220 | sysmon.exe -u force 221 | ``` 222 | 223 | Installation Best Practice 224 | -------------------------- 225 | 226 | Installation best practices that can be followed to minimize risk when deploying the Sysmon tool include: 227 | 228 | * Keep a repository of Sysmon versions archived; Microsoft does not provide older versions for download. 229 | 230 | * Sysmon configuration is very dependent on the version of the binary. The install/upgrade script should check the binary version for: 231 | 232 | * Upgrade 233 | 234 | * Version for applying initial config 235 | 236 | * If a GPO is used to push scheduled tasks for upgrades or to push configuration, use a WMI filter to target the specific version that was tested. Example: 237 | 238 | ```sql 239 | SELECT * FROM CIM_Datafile WHERE (Name="c:\\Windows\\Sysmon64.exe" OR Name="c:\\Windows\\Sysmon.exe") AND version="10.0.4.1" 240 | ``` 241 | 242 | * Check file versions; they do not match release versioning. 243 | 244 | * It is better not to push configuration as an XML file that is run from a share or dropped on disk by a scheduled task: 245 | 246 | * Credentials are left behind that can be recovered via DPAPI, even for deleted scheduled tasks. 247 | 248 | * The file can be read more easily by an attacker if access controls are not properly in place 249 | 250 | * There is a higher chance of human error 251 | 252 | * It is better to push values via GPO or other methods with file version checking. 
253 | 254 | -------------------------------------------------------------------------------- /chapters/media/image1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image1.png -------------------------------------------------------------------------------- /chapters/media/image10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image10.png -------------------------------------------------------------------------------- /chapters/media/image11.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image11.png -------------------------------------------------------------------------------- /chapters/media/image12.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image12.png -------------------------------------------------------------------------------- /chapters/media/image13.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image13.png -------------------------------------------------------------------------------- /chapters/media/image14.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image14.png 
-------------------------------------------------------------------------------- /chapters/media/image15.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image15.png -------------------------------------------------------------------------------- /chapters/media/image16.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image16.png -------------------------------------------------------------------------------- /chapters/media/image17.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image17.png -------------------------------------------------------------------------------- /chapters/media/image18.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image18.png -------------------------------------------------------------------------------- /chapters/media/image19.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image19.png -------------------------------------------------------------------------------- /chapters/media/image2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image2.png 
-------------------------------------------------------------------------------- /chapters/media/image20.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image20.png -------------------------------------------------------------------------------- /chapters/media/image21.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image21.png -------------------------------------------------------------------------------- /chapters/media/image22.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image22.png -------------------------------------------------------------------------------- /chapters/media/image23.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image23.png -------------------------------------------------------------------------------- /chapters/media/image24.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image24.png -------------------------------------------------------------------------------- /chapters/media/image25.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image25.png 
-------------------------------------------------------------------------------- /chapters/media/image26.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image26.png -------------------------------------------------------------------------------- /chapters/media/image27.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image27.png -------------------------------------------------------------------------------- /chapters/media/image28.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image28.png -------------------------------------------------------------------------------- /chapters/media/image29.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image29.png -------------------------------------------------------------------------------- /chapters/media/image3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image3.png -------------------------------------------------------------------------------- /chapters/media/image30.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image30.png 
-------------------------------------------------------------------------------- /chapters/media/image31.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image31.png -------------------------------------------------------------------------------- /chapters/media/image32.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image32.png -------------------------------------------------------------------------------- /chapters/media/image33.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image33.png -------------------------------------------------------------------------------- /chapters/media/image34.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image34.png -------------------------------------------------------------------------------- /chapters/media/image35.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image35.png -------------------------------------------------------------------------------- /chapters/media/image36.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image36.png 
-------------------------------------------------------------------------------- /chapters/media/image37.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image37.png -------------------------------------------------------------------------------- /chapters/media/image38.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image38.png -------------------------------------------------------------------------------- /chapters/media/image39.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image39.png -------------------------------------------------------------------------------- /chapters/media/image4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image4.png -------------------------------------------------------------------------------- /chapters/media/image40.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image40.png -------------------------------------------------------------------------------- /chapters/media/image41.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image41.png 
-------------------------------------------------------------------------------- /chapters/media/image42.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image42.png -------------------------------------------------------------------------------- /chapters/media/image43.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image43.png -------------------------------------------------------------------------------- /chapters/media/image44.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image44.png -------------------------------------------------------------------------------- /chapters/media/image45.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image45.png -------------------------------------------------------------------------------- /chapters/media/image46.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image46.png -------------------------------------------------------------------------------- /chapters/media/image47.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image47.png 
-------------------------------------------------------------------------------- /chapters/media/image48.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image48.png -------------------------------------------------------------------------------- /chapters/media/image49.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image49.png -------------------------------------------------------------------------------- /chapters/media/image5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image5.png -------------------------------------------------------------------------------- /chapters/media/image50.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image50.png -------------------------------------------------------------------------------- /chapters/media/image51.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image51.png -------------------------------------------------------------------------------- /chapters/media/image52.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image52.png 
-------------------------------------------------------------------------------- /chapters/media/image53.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image53.png -------------------------------------------------------------------------------- /chapters/media/image54.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image54.png -------------------------------------------------------------------------------- /chapters/media/image55.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image55.png -------------------------------------------------------------------------------- /chapters/media/image56.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image56.png -------------------------------------------------------------------------------- /chapters/media/image57.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image57.png -------------------------------------------------------------------------------- /chapters/media/image58.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image58.png 
-------------------------------------------------------------------------------- /chapters/media/image59.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image59.png -------------------------------------------------------------------------------- /chapters/media/image6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image6.png -------------------------------------------------------------------------------- /chapters/media/image60.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image60.png -------------------------------------------------------------------------------- /chapters/media/image61.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image61.png -------------------------------------------------------------------------------- /chapters/media/image62.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image62.png -------------------------------------------------------------------------------- /chapters/media/image63.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image63.png 
-------------------------------------------------------------------------------- /chapters/media/image64.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image64.png -------------------------------------------------------------------------------- /chapters/media/image65.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image65.png -------------------------------------------------------------------------------- /chapters/media/image66.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image66.png -------------------------------------------------------------------------------- /chapters/media/image67.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image67.png -------------------------------------------------------------------------------- /chapters/media/image68.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image68.png -------------------------------------------------------------------------------- /chapters/media/image7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image7.png 
-------------------------------------------------------------------------------- /chapters/media/image8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image8.png -------------------------------------------------------------------------------- /chapters/media/image9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/image9.png -------------------------------------------------------------------------------- /chapters/media/tslogo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysmonCommunityGuide/362514b27491619500e07ce5f8bd31b88cb85622/chapters/media/tslogo.png -------------------------------------------------------------------------------- /chapters/metadata.yml: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Sysmon Missing Manual" 3 | author: "Carlos Perez" 4 | rights: "TrustedSec LLC, Creative Commons Non-Commercial Share Alike 4.0" 5 | language: "en-US" 6 | subtitle: Open Source Sysinternals Sysmon Community Guide 7 | date: 28.01.2020 8 | publisher: TrustedSec Inc. 9 | ibooks: 10 | version: 1.0 11 | stylesheet: pandoc.css 12 | cover-image: media/cover.png 13 | --- -------------------------------------------------------------------------------- /chapters/named-pipes.md: -------------------------------------------------------------------------------- 1 | Named Pipes 2 | =========== 3 | 4 | A named pipe is a named, one-way or duplex pipe for communication 5 | between the pipe server and one or more pipe clients. 
Each named pipe 6 | has a unique name that distinguishes it from other named pipes in the 7 | system\'s list of named objects. Pipe names are specified as 8 | \\\\ServerName\\pipe\\PipeName; when the connection is local a "." is 9 | used as ServerName. 10 | 11 | Named pipes are used for pivoting in several RATs/Implants to have SMB 12 | connections between machines (peer-to-peer C2 over SMB). Some tools will use named pipes to talk to 13 | injected code in other processes. 14 | 15 | Sysmon will generate events: 16 | 17 | * **EventID 17** when a named pipe server is created. 18 | 19 | * **EventID 18** when a client connects to a named pipe server. 20 | 21 | For named pipes there are 2 approaches that can be taken: 22 | 23 | * Include all events and exclude known good. 24 | 25 | * Include only pipe names known to be used by malicious tools. 26 | 27 | The first approach requires more maintenance but in case of a breach 28 | offers more value. The second one would be more targeted but this kind 29 | of detection is better served with automation in the SIEM. Experienced 30 | attackers normally avoid well-known pipe names (and can choose arbitrary ones), both to prevent breaking normal 31 | operation of the system applications and to evade name-based detections, so a list of known-malicious names alone will miss them. 32 | 33 | Collecting PipeName values and refining the include/exclude filters should be a continuous process. 34 | 35 | ![process](./media/image45.png) 36 | 37 | Initial rule for collecting PipeEvent events 38 | 39 | ```xml 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | ``` 60 | 61 | Collect unique PipeName field values for building filters 62 | 63 | The fields for the Pipe Create Event are: 64 | 65 | * **RuleName**: Name of rule that triggered the event.
66 | 67 | * **EventType**: ***[CreatePipe]{.underline}*** 68 | 69 | * **UtcTime**: Time in UTC when event was created 70 | 71 | * **ProcessGuid**: Process Guid of the process that created the pipe 72 | 73 | * **ProcessId**: Process ID used by the OS to identify the process 74 | that created the pipe 75 | 76 | * **PipeName**: Name of the pipe created 77 | 78 | * **Image**: File path of the process that created the pipe 79 | 80 | The fields for the Pipe Connect Event are: 81 | 82 | * **RuleName**: Name of rule that triggered the event. 83 | 84 | * **EventType**: ***[ConnectPipe]{.underline}*** 85 | 86 | * **UtcTime**: Time in UTC when event was created 87 | 88 | * **ProcessGuid**: Process Guid of the process that connected the pipe 89 | 90 | * **ProcessId**: Process ID used by the OS to identify the process 91 | that connected the pipe 92 | 93 | * **PipeName**: Name of the pipe connected 94 | 95 | * **Image**: File path of the process that connected the pipe 96 | 97 | Example excluding known good Pipe Names. Note that the entries keyed on the Image field (w3wp.exe and dtexec.exe below) exclude every pipe event from those processes rather than a specific pipe, so code an attacker runs inside them (for example a web shell in the IIS worker process) could create pipes unseen; prefer excluding specific PipeName values wherever possible. 98 | 99 | ```XML 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | \ntapvsrq 108 | \srvsvc 109 | \wkssvc 110 | \lsass 111 | \winreg 112 | \spoolss 113 | Anonymous Pipe 114 | c:\windows\system32\inetsrv\w3wp.exe 115 | 116 | 117 | \SQLLocal\MSSQLSERVER 118 | \SQLLocal\INSTANCE01 119 | \SQLLocal\SQLEXPRESS 120 | \SQLLocal\COMMVAULT 121 | \SQLLocal\RTCLOCAL 122 | \SQLLocal\RTC 123 | \SQLLocal\TMSM 124 | Program Files (x86)\Microsoft SQL Server\110\DTS\binn\dtexec.exe 125 | 126 | 127 | 128 | 129 | 130 | ``` 131 | 132 | One thing to consider is that Sysmon uses a minifilter just like the 133 | file events. If any AV or EDR with a lower altitude number triggers 134 | on a named pipe and blocks it, Sysmon will not log the event.
135 | -------------------------------------------------------------------------------- /chapters/network-connections.md: -------------------------------------------------------------------------------- 1 | Network Connections 2 | =================== 3 | 4 | Sysmon will log **EventID 3** for all TCP and UDP network connections. Network connection logging is not part of Sysmon's default configuration and must be enabled explicitly (with the `-n` switch or a NetworkConnect rule). This event will generate a large number of entries and filtering should be tuned for specific processes and ports. 5 | 6 | For the DestinationHostname, the GetNameInfo API is used and it will often not have any information or may just return a CDN name, making it NOT reliable for filtering since it relies on a reverse DNS lookup to get this information. Since Sysmon v11.0 this behaviour can be disabled by setting ```<DnsLookup>False</DnsLookup>``` at the root of the configuration file. 7 | 8 | For the DestinationPortName, the GetNameInfo API is used for the friendly name of ports. Note that on most systems many services are hosted inside svchost.exe, so a large share of connections will originate from that Image; to attribute such a connection to a specific service, correlate its ProcessGuid with the EventID 1 for that svchost.exe instance rather than filtering on the Image alone.
9 | 10 | The fields for the event are: 11 | 12 | * **RuleName**: Name of rule that triggered the event 13 | 14 | * **UtcTime**: Time in UTC when event was created 15 | 16 | * **ProcessGuid**: Process GUID of the process that made the network connection 17 | 18 | * **ProcessId**: Process ID used by the OS to identify the process that made the network connection 19 | 20 | * **Image**: File path of the process that made the network connection 21 | 22 | * **User**: Name of the account who made the network connection 23 | 24 | * **Protocol**: Protocol being used for the network connection 25 | 26 | * **Initiated**: Indicates whether the process initiated the TCP connection (true for outbound connections, false for accepted inbound ones) 27 | 28 | * **SourceIsIpv6**: Is the source IP an IPv6 address 29 | 30 | * **SourceIp**: Source IP address that made the network connection 31 | 32 | * **SourceHostname**: DNS name of the host that made the network connection 33 | 34 | * **SourcePort**: Source port number 35 | 36 | * **SourcePortName**: Name of the source port being used 37 | 38 | * **DestinationIsIpv6**: Is the destination IP an IPv6 address 39 | 40 | * **DestinationIp**: IP address destination 41 | 42 | * **DestinationHostname**: DNS name of the host that is contacted 43 | 44 | * **DestinationPort**: Destination port number 45 | 46 | * **DestinationPortName**: Name of the destination port 47 | 48 | 49 | Example tracking connections for attacker "Living off the land". Note that this rule matches on the Image field only: a copied or renamed binary will not match, and EventID 3 carries no OriginalFileName field, so correlate the ProcessGuid with the corresponding EventID 1 (which does include OriginalFileName) to catch renamed tools. 50 | 51 | ```xml 52 | 53 | 54 | 55 | 56 | 57 | at.exe 58 | certutil.exe 59 | cmd.exe 60 | cscript.exe 61 | java.exe 62 | mshta.exe 63 | msiexec.exe 64 | net.exe 65 | notepad.exe 66 | powershell.exe 67 | reg.exe 68 | regsvr32.exe 69 | rundll32.exe 70 | sc.exe 71 | wmic.exe 72 | wscript.exe 73 | driverquery.exe 74 | dsquery.exe 75 | hh.exe 76 | infDefaultInstall.exe 77 | javaw.exe 78 | javaws.exe 79 | mmc.exe 80 | msbuild.exe 81 | nbtstat.exe 82 | net1.exe 83 | nslookup.exe 84 | qprocess.exe 85 | qwinsta.exe 86 | regsvcs.exe 87 | rwinsta.exe 88 | schtasks.exe 89 | taskkill.exe 90 | tasklist.exe 91 | 
replace.exe 92 | 93 | 94 | 95 | 96 | ``` 97 | -------------------------------------------------------------------------------- /chapters/operational-events.md: -------------------------------------------------------------------------------- 1 | Sysmon Operational Events 2 | ========================= 3 | 4 | * [Sysmon Operational Events](#sysmon-operational-events) 5 | 6 | * [Sysmon Config Change](#sysmon-config-change) 7 | 8 | * [Sysmon Error Event](#sysmon-error-event) 9 | 10 | * [Service State Change](#service-state-change) 11 | 12 | Sysmon will generate events for monitoring: 13 | 14 | * Configuration Changes 15 | 16 | * Service State Changes 17 | 18 | * Sysmon Errors 19 | 20 | These events cannot be filtered using Sysmon configuration and will be 21 | generated by the sysmon.exe (Default Install) process. 22 | 23 | Sysmon Config Change 24 | -------------------- 25 | 26 | Sysmon will log an EventID 16 when it updates its configuration. The event is only generated when the configuration is changed through the Sysmon binary; a direct write to the registry key that holds the configuration does not produce it. It is therefore recommended to enable Windows object-access auditing on that registry key and to add a Sysmon registry-event rule for it, so that any modification made outside of the Sysmon binary is still captured. The ConfigurationFileHash field can also be compared against the hash of the approved configuration file to detect unauthorised changes. 27 | 28 | Fields for the Event: 29 | 30 | * **UtcTime**: Time the configuration was modified. 31 | 32 | * **Configuration**: Path to configuration file or command line of 33 | command used to modify the config. 34 | 35 | * **ConfigurationFileHash**: If a configuration file was used, the 36 | hash of the file. 37 | 38 | Example: Configuration using a XML file. 39 | 40 | ![XML Config Change](./media/image25.png) 41 | 42 | Example: Configuration via Command Line resetting configuration to 43 | default using the \-- switch. 44 | 45 | ![CommanLine config reset](./media/image26.png) 46 | 47 | Example: Configuration via Command Line.
Set to monitor module loading 48 | by powershell.exe 49 | 50 | ![CommandLine Config Change](./media/image27.png) 51 | 52 | Sysmon Error Event 53 | ------------------ 54 | 55 | If the Sysmon binary running as a service encounters any error in its operation, it will generate an EventID 255. Some of the cases where this event may be generated are when: 56 | 57 | * The driver fails to load, or an attacker may have unloaded the driver 58 | 59 | * An application or attacker has modified the configuration in a way that cannot be parsed by the service 60 | 61 | Fields for the Event: 62 | 63 | * **UtcTime**: Time when the error was logged. 64 | 65 | * **ID**: The error ID 66 | 67 | * **Description**: Description of what caused the error. 68 | 69 | Example: 70 | 71 | ![Sysmon Error](./media/image28.png) 72 | 73 | Service State Change 74 | -------------------- 75 | 76 | EventID 4 is generated for Service State Changes. This event logs Start and Stop events when the Sysmon service is controlled via the Service Control Manager API (services.msc, sc.exe, net.exe, etc.). A Stop event outside a planned maintenance window should be treated as a high-priority alert. An attacker who tampers with the driver or the process without going through the Service Control Manager will not produce a clean Stop event, so the absence of Sysmon events from a host should be monitored as well (see the EventID 255 cases above). To better detect any manipulation of the service, Windows Auditing should be enabled for the service registry key and a Sysmon Registry filter for the service. 77 | 78 | Fields for the event are: 79 | 80 | * **UtcTime**: Time the service state changed. 81 | 82 | * **State**: Started or Stopped 83 | 84 | * **Version**: Version of the Sysmon binary 85 | 86 | * **SchemaVersion**: Schema Version of the Sysmon binary. 87 | 88 | Example: 89 | 90 | ![stop example](./media/image29.png) 91 | 92 | ![start example](./media/image30.png) 93 | -------------------------------------------------------------------------------- /chapters/pandoc.css: -------------------------------------------------------------------------------- 1 | /* 2 | * I add this to html files generated with pandoc.
3 | */ 4 | 5 | html { 6 | font-size: 100%; 7 | overflow-y: scroll; 8 | -webkit-text-size-adjust: 100%; 9 | -ms-text-size-adjust: 100%; 10 | } 11 | 12 | body { 13 | color: #444; 14 | font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', serif; 15 | font-size: 12px; 16 | line-height: 1.7; 17 | padding: 1em; 18 | margin: auto; 19 | max-width: 42em; 20 | background: #fefefe; 21 | } 22 | 23 | a { 24 | color: #0645ad; 25 | text-decoration: none; 26 | } 27 | 28 | a:visited { 29 | color: #0b0080; 30 | } 31 | 32 | a:hover { 33 | color: #06e; 34 | } 35 | 36 | a:active { 37 | color: #faa700; 38 | } 39 | 40 | a:focus { 41 | outline: thin dotted; 42 | } 43 | 44 | *::-moz-selection { 45 | background: rgba(255, 255, 0, 0.3); 46 | color: #000; 47 | } 48 | 49 | *::selection { 50 | background: rgba(255, 255, 0, 0.3); 51 | color: #000; 52 | } 53 | 54 | a::-moz-selection { 55 | background: rgba(255, 255, 0, 0.3); 56 | color: #0645ad; 57 | } 58 | 59 | a::selection { 60 | background: rgba(255, 255, 0, 0.3); 61 | color: #0645ad; 62 | } 63 | 64 | p { 65 | margin: 1em 0; 66 | } 67 | 68 | img { 69 | max-width: 100%; 70 | } 71 | 72 | h1, h2, h3, h4, h5, h6 { 73 | color: #111; 74 | line-height: 125%; 75 | margin-top: 2em; 76 | font-weight: normal; 77 | } 78 | 79 | h4, h5, h6 { 80 | font-weight: bold; 81 | } 82 | 83 | h1 { 84 | font-size: 2.5em; 85 | } 86 | 87 | h2 { 88 | font-size: 2em; 89 | } 90 | 91 | h3 { 92 | font-size: 1.5em; 93 | } 94 | 95 | h4 { 96 | font-size: 1.2em; 97 | } 98 | 99 | h5 { 100 | font-size: 1em; 101 | } 102 | 103 | h6 { 104 | font-size: 0.9em; 105 | } 106 | 107 | blockquote { 108 | color: #666666; 109 | margin: 0; 110 | padding-left: 3em; 111 | border-left: 0.5em #EEE solid; 112 | } 113 | 114 | hr { 115 | display: block; 116 | height: 2px; 117 | border: 0; 118 | border-top: 1px solid #aaa; 119 | border-bottom: 1px solid #eee; 120 | margin: 1em 0; 121 | padding: 0; 122 | } 123 | 124 | pre, code, kbd, samp { 125 | color: #000; 126 | font-family: 
monospace, monospace; 127 | _font-family: 'courier new', monospace; 128 | font-size: 0.98em; 129 | } 130 | 131 | pre { 132 | white-space: pre; 133 | white-space: pre-wrap; 134 | word-wrap: break-word; 135 | } 136 | 137 | b, strong { 138 | font-weight: bold; 139 | } 140 | 141 | dfn { 142 | font-style: italic; 143 | } 144 | 145 | ins { 146 | background: #ff9; 147 | color: #000; 148 | text-decoration: none; 149 | } 150 | 151 | mark { 152 | background: #ff0; 153 | color: #000; 154 | font-style: italic; 155 | font-weight: bold; 156 | } 157 | 158 | sub, sup { 159 | font-size: 75%; 160 | line-height: 0; 161 | position: relative; 162 | vertical-align: baseline; 163 | } 164 | 165 | sup { 166 | top: -0.5em; 167 | } 168 | 169 | sub { 170 | bottom: -0.25em; 171 | } 172 | 173 | ul, ol { 174 | margin: 1em 0; 175 | padding: 0 0 0 2em; 176 | } 177 | 178 | li p:last-child { 179 | margin-bottom: 0; 180 | } 181 | 182 | ul ul, ol ol { 183 | margin: .3em 0; 184 | } 185 | 186 | dl { 187 | margin-bottom: 1em; 188 | } 189 | 190 | dt { 191 | font-weight: bold; 192 | margin-bottom: .8em; 193 | } 194 | 195 | dd { 196 | margin: 0 0 .8em 2em; 197 | } 198 | 199 | dd:last-child { 200 | margin-bottom: 0; 201 | } 202 | 203 | img { 204 | border: 0; 205 | -ms-interpolation-mode: bicubic; 206 | vertical-align: middle; 207 | } 208 | 209 | figure { 210 | display: block; 211 | text-align: center; 212 | margin: 1em 0; 213 | } 214 | 215 | figure img { 216 | border: none; 217 | margin: 0 auto; 218 | } 219 | 220 | figcaption { 221 | font-size: 0.8em; 222 | font-style: italic; 223 | margin: 0 0 .8em; 224 | } 225 | 226 | table { 227 | margin-bottom: 2em; 228 | border-bottom: 1px solid #ddd; 229 | border-right: 1px solid #ddd; 230 | border-spacing: 0; 231 | border-collapse: collapse; 232 | } 233 | 234 | table th { 235 | padding: .2em 1em; 236 | background-color: #eee; 237 | border-top: 1px solid #ddd; 238 | border-left: 1px solid #ddd; 239 | } 240 | 241 | table td { 242 | padding: .2em 1em; 243 | border-top: 
1px solid #ddd; 244 | border-left: 1px solid #ddd; 245 | vertical-align: top; 246 | } 247 | 248 | .author { 249 | font-size: 1.2em; 250 | text-align: center; 251 | } 252 | 253 | @media only screen and (min-width: 480px) { 254 | body { 255 | font-size: 14px; 256 | } 257 | } 258 | @media only screen and (min-width: 768px) { 259 | body { 260 | font-size: 16px; 261 | } 262 | } 263 | @media print { 264 | * { 265 | background: transparent !important; 266 | color: black !important; 267 | filter: none !important; 268 | -ms-filter: none !important; 269 | } 270 | 271 | body { 272 | font-size: 12pt; 273 | max-width: 100%; 274 | } 275 | 276 | a, a:visited { 277 | text-decoration: underline; 278 | } 279 | 280 | hr { 281 | height: 1px; 282 | border: 0; 283 | border-bottom: 1px solid black; 284 | } 285 | 286 | a[href]:after { 287 | content: " (" attr(href) ")"; 288 | } 289 | 290 | abbr[title]:after { 291 | content: " (" attr(title) ")"; 292 | } 293 | 294 | .ir a:after, a[href^="javascript:"]:after, a[href^="#"]:after { 295 | content: ""; 296 | } 297 | 298 | pre, blockquote { 299 | border: 1px solid #999; 300 | padding-right: 1em; 301 | page-break-inside: avoid; 302 | } 303 | 304 | tr, img { 305 | page-break-inside: avoid; 306 | } 307 | 308 | img { 309 | max-width: 100% !important; 310 | } 311 | 312 | @page :left { 313 | margin: 15mm 20mm 15mm 10mm; 314 | } 315 | 316 | @page :right { 317 | margin: 15mm 10mm 15mm 20mm; 318 | } 319 | 320 | p, h2, h3 { 321 | orphans: 3; 322 | widows: 3; 323 | } 324 | 325 | h2, h3 { 326 | page-break-after: avoid; 327 | } 328 | } 329 | -------------------------------------------------------------------------------- /chapters/process-access.md: -------------------------------------------------------------------------------- 1 | Process Access 2 | ============== 3 | 4 | When one process opens another, sysmon will log this with an event ID of 10. 
The higher-privilege access rights allow, among other things, reading the content of process memory, patching memory, process hollowing and creating threads, all of which are abused by attackers. This technique has been used to obtain credentials, keys and other data that reside in process memory. 5 | 6 | This task is also common for benign processes that query information on another process, such as Task Manager, tasklist.exe and others; this requires that a baseline be established and filtered out at the SIEM level, taking into consideration other factors like image full path, parent process and account used, so as to prevent any whitelisted process from being used as staging for attacks. 7 | 8 | Sysmon generates this event using ObRegisterCallbacks leveraging its 9 | driver. The main 2 filtering fields recommended are: 10 | 11 | * **TargetImage** - File path of the executable being accessed by 12 | another process. 13 | 14 | * **GrantedAccess** - The access flags (bitmask) associated with the 15 | process rights requested for the target process 16 | 17 | As a minimum it is recommended to use include rules for the following 18 | critical processes: 19 | 20 | * C:\\Windows\\system32\\lsass.exe 21 | 22 | * C:\\Windows\\system32\\csrss.exe 23 | 24 | * C:\\Windows\\system32\\wininit.exe 25 | 26 | * C:\\Windows\\system32\\winlogon.exe 27 | 28 | * C:\\Windows\\system32\\services.exe 29 | 30 | Check for masks of known tools for credential dumping, process injection 31 | and process hollowing. Great care should be taken when setting masks 32 | since Sysmon does a literal comparison of the mask string provided 33 | against the one returned. It is not a bitwise operation, so each access-right 34 | combination must be tracked and listed explicitly: for example, 0x1010 and 0x1410 are different strings even though both contain PROCESS_VM_READ, and a value the configuration does not list exactly will not match.
35 | 36 | |Access | Mask | 37 | |--------------------------------------|------------ 38 | | PROCESS\_CREATE\_PROCESS |0x0080| 39 | | PROCESS\_CREATE\_THREAD |0x0002| 40 | | PROCESS\_DUP\_HANDLE |0x0040| 41 | | PROCESS\_SET\_INFORMATION |0x0200| 42 | | PROCESS\_SET\_QUOTA |0x0100| 43 | | PROCESS\_QUERY\_LIMITED\_INFORMATION |0x1000| 44 | | SYNCHRONIZE |0x00100000| 45 | | PROCESS\_QUERY\_INFORMATION |0x0400| 46 | | PROCESS\_SUSPEND\_RESUME |0x0800| 47 | | PROCESS\_TERMINATE |0x0001| 48 | | PROCESS\_VM\_OPERATION |0x0008| 49 | | PROCESS\_VM\_READ |0x0010| 50 | | PROCESS\_VM\_WRITE |0x0020| 51 | 52 | The PSGumshoe PowerShell module has a function for creating and parsing 53 | mask strings. 54 | 55 | 56 | The fields for the event are: 57 | 58 | * **RuleName**: Rule that triggered the event 59 | 60 | * **UtcTime**: Time in UTC when event was created 61 | 62 | * **SourceProcessGUID**: Process Guid of the source process that 63 | opened another process. 64 | 65 | * **SourceProcessId**: Process ID used by the OS to identify the 66 | source process that opened another process. 67 | 68 | * **SourceThreadId**: ID of the specific thread inside of the source 69 | process that opened another process 70 | 71 | * **SourceImage**: File path of the source process that opened 72 | the other process 73 | 74 | * **TargetProcessGUID**: Process Guid of the target process 75 | 76 | * **TargetProcessId**: Process ID used by the OS to identify the 77 | target process 78 | 79 | * **TargetImage**: File path of the executable of the target process 80 | 81 | * **GrantedAccess**: The access flags (bitmask) associated with the 82 | process rights requested for the target process 83 | 84 | * **CallTrace**: Stack trace of where open process is called.
Included 85 | is the DLL and the relative virtual address of the functions in the 86 | call stack right before the open process call 87 | 88 | Example: 89 | 90 | ```xml 91 | 92 | 93 | 94 | 95 | 96 | 97 | C:\Windows\system32\lsass.exe 98 | 0x1FFFFF 99 | 100 | 101 | C:\Windows\system32\lsass.exe 102 | 0x1F1FFF 103 | 104 | 105 | C:\Windows\system32\lsass.exe 106 | 0x1010 107 | 108 | 109 | C:\Windows\system32\lsass.exe 110 | 0x143A 111 | 112 | 113 | 114 | 115 | C:\Windows\system32\csrss.exe 116 | 0x1F1FFF 117 | 118 | 119 | C:\Windows\system32\wininit.exe 120 | 0x1F1FFF 121 | 122 | 123 | C:\Windows\system32\winlogon.exe 124 | 0x1F1FFF 125 | 126 | 127 | C:\Windows\system32\services.exe 128 | 0x1F1FFF 129 | 130 | 131 | 0x0810 132 | 133 | 134 | 135 | 136 | 0x0800 137 | 0x800 138 | 139 | 140 | 141 | 0x0820 142 | 0x820 143 | 144 | 145 | 146 | 147 | 148 | ``` 149 | 150 | Some examples of actions from security tools like Mimikatz and their 151 | access masks 152 | 153 | |Command |Sysmon 10 |Security 4663 Kernel Object 154 | |-----------------------|---------------------------------------------------|----------------------------- 155 | |lsadump::lsa /patch |GrantedAccess 0x1438 |AccessMask 0x10 156 | |lsadump::lsa /inject |GrantedAccess 0x143a |AccessMask 0x10 157 | |lsadump::trust /patch |GrantedAccess 0x1438 |AccessMask 0x10 158 | |misc:memssp |GrantedAccess 0x1438 |AccessMask 0x10 159 | |Procdump mimidump |GrantedAccess 0x1fffff |AccessMask 0x10 160 | |Task Manage minidump |GrantedAccess 0x1400, 0x1000, 0x1410 and 0x1fffff |AccessMask 0x10 161 | |sekurlsa::\* |GrantedAccess 0x1010 |AccessMask 0x10 162 | -------------------------------------------------------------------------------- /chapters/process-creation.md: -------------------------------------------------------------------------------- 1 | 2 | Process Creation 3 | ================ 4 | 5 | Sysmon will log **EventID 1** for the creation of any new process when 6 | it registers with the kernel. 
7 | 8 | On Windows Sysmon will generate a ProcessGuid and LogonGuid with the information it 9 | obtains and it will hash the process main image. The command line of the 10 | process will be parsed and logged into the event log. When storage permits a 11 | common practice is to log all processes and to filter out common day to 12 | day processes for Windows and Applications after profiling usage. 13 | 14 | The fields on a process creation event are: 15 | 16 | * **ProcessGuid** -- Unique process GUID generated by Sysmon. 17 | 18 | * **ProcessId** -- Process ID represented as an integer number. 19 | 20 | * **Image** -- Full path of the executable image that was executed. 21 | 22 | * **FileVersion** -- File version field in the image metadata. (Windows Only) 23 | 24 | * **Description** -- Description field in the image metadata. (Windows Only) 25 | 26 | * **Product** -- Product field in the image metadata. (Windows Only) 27 | 28 | * **Company** - Company field in the image metadata. (Windows Only) 29 | 30 | * **OriginalFileName** -- Original image name from the PE metadata, which still identifies the tool if the file on disk has been renamed. (Windows Only) 31 | 32 | * **CommandLine** -- Command line that executed the image. 33 | 34 | * **CurrentDirectory** -- Directory under which the image was 35 | executed. 36 | 37 | * **User** - Name of the account who created the process (child). It 38 | usually contains domain name and user name 39 | 40 | * **LogonGuid** - Logon GUID of the user who created the new process. 41 | 42 | * **LogonId** - Logon ID of the user who created the new process. 43 | 44 | * **TerminalSessionId** - ID of the session the user belongs to 45 | 46 | * **IntegrityLevel** - Integrity label assigned to a process 47 | 48 | * **Hashes** - Full hash of the file with the algorithms in the 49 | HashType field.
(Windows Only) 50 | 51 | * **ParentProcessGuid** - ProcessGUID of the process that 52 | spawned/created the main process (child) 53 | 54 | * **ParentProcessId** - Process ID of the process that spawned/created 55 | the main process (child) 56 | 57 | * **ParentImage -** File path that spawned/created the main process. 58 | 59 | * **ParentCommandLine -** Arguments which were passed to the 60 | executable associated with the parent process 61 | 62 | Sysmon offers an advantage over the regular process logging in Windows since it not 63 | only pulls the same information as with **EventID** **4688** but it also 64 | pulls information from the PE header, hashes the images for correlation 65 | with IOC databases like Virus Total and it also provides unique fields 66 | when querying for events. 67 | 68 | In Linux the advantage provided by Sysmon is that the data is structured in a way that makes it easier to parse and leverage in a SIEM that consumes the logs. Below is an auditd example of the "ping -c 3 8.8.8.8" command.
69 | 70 | ```conf 71 | type=PROCTITLE msg=audit(10/26/2021 12:51:14.046:1385) : proctitle=-bash 72 | type=PATH msg=audit(10/26/2021 12:51:14.046:1385) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=401163 dev=08:05 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 73 | type=PATH msg=audit(10/26/2021 12:51:14.046:1385) : item=0 name=/usr/bin/ping inode=394173 dev=08:05 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=net_raw cap_fi=none cap_fe=1 cap_fver=2 cap_frootid=0 74 | type=CWD msg=audit(10/26/2021 12:51:14.046:1385) : cwd=/root 75 | type=EXECVE msg=audit(10/26/2021 12:51:14.046:1385) : argc=4 a0=ping a1=-c a2=3 a3=8.8.8.8 76 | type=SYSCALL msg=audit(10/26/2021 12:51:14.046:1385) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55c090caa2b0 a1=0x55c090ca9050 a2=0x55c090cb0750 a3=0x8 items=2 ppid=9313 pid=10184 auid=carlos uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=5 comm=ping exe=/usr/bin/ping subj=unconfined key=(null) 77 | ``` 78 | 79 | Here is the same command logged in Sysmon where the event is contained in XML format. 80 | 81 | ```xml 82 | Oct 26 13:11:11 ubuntu sysmon: 154100x8000000000000000216077Linux-Sysmon/Operationalubuntu-2021-10-26 20:11:11.159{2424faa4-60df-6178-315b-20b68b550000}2669/usr/bin/ping-----ping -c 3 8.8.8.8/home/carlos/Desktopcarlos{2424faa4-0000-0000-e803-000000000000}10003no level-{2424faa4-60b3-6178-0517-a76010560000}2641/usr/bin/bashbashcarlos 83 | ``` 84 | 85 | In addition, the unique LogonGUID and ProcessGUID values carried in every event make correlating a process with its parent and with its logon session much quicker than matching on PIDs, which the OS reuses. -------------------------------------------------------------------------------- /chapters/process-events.md: -------------------------------------------------------------------------------- 1 | 2 | Process Events 3 | ============== 4 | 5 | Sysmon can log process creation, process termination and process access events.
For Windows the process events are captured via ObRegisterCallbacks at the kernel level using its driver, and contain a unique, deterministically generated ProcessGuid and LogonGuid that are unique to their process instance and LSA logon session respectively. 6 | 7 | The ProcessGuid and LogonGuid make tracking individual processes and users much easier. The ProcessGuid attribute is used in all events associated with its process, and, unlike a ProcessID, will not be reused by the host system later. The LogonGuid attribute similarly is assigned to a logon session of a particular user, and will not be reused later as a LogonID would. 8 | 9 | ![ProcessGUID Source](./media/image31.png) 10 | 11 | Depending on the event and where in the process tree the process 12 | is, the ProcessGUID will also be known by other names that reflect its relation to the action 13 | monitored. 14 | 15 | ProcessGUID is generated by Sysmon when Sysmon logs the event. ProcessGUID 16 | specifically is not an attribute of the internal Windows process data structs 17 | (EPROCESS). Sysmon keeps track of the GUID until the process exits. 18 | 19 | In Linux the process for generating the ProcessGuid is similar to Windows, with the exception that it uses the hexadecimal value in **/etc/machine-id**. This value is unique per host; it is usually generated from a random source during system installation or first boot and stays constant for all subsequent boots. Optionally, for stateless systems, it is generated at runtime during early boot if necessary. 20 | 21 | ![Linux ProcessGUID Source](./media/image66.png) 22 | 23 | The ProcessGUID is referenced in several events under different names. 24 | 25 | ![ProcessGUID Relation](./media/image32.png) 26 | 27 | The only Event Types that will not reference a ProcessGuid or one of its 28 | derived names are 29 | 30 | * WMI events 31 | 32 | * Kernel Driver Load 33 | 34 | All processes associated with a unique logon session can be mapped using the LogonGuid field. 
This field is generated using similar values as the ProcessGuid, with the exception that instead of a process ID it uses, in the case of Windows, the Logon Session hexadecimal value and, in the case of Linux, the Logon ID to generate a unique identifier that matches all actions taken in that session. 35 | 36 | For Windows 37 | 38 | ![LogonGuide Source](./media/image68.png) 39 | 40 | For Linux 41 | 42 | ![Linux LogonGuide Source](./media/image67.png) 43 | 44 | When a user logs onto a modern version of Windows (Windows 2016/10) 45 | they will have 2 Logon IDs assigned if: 46 | 47 | * User is a member of local Administrator Group. 48 | 49 | * UAC (User Account Control) is enabled. 50 | 51 | These sessions will be linked by a Linked Logon ID in Successful Logon 52 | Event ID 4624, making the logging of this event important. 53 | 54 | The image of the process is also referenced in other events and can be 55 | used to track all actions related to a specific one. 56 | 57 | ![Image Relation](./media/image33.png) 58 | 59 | -------------------------------------------------------------------------------- /chapters/process-tampering.md: -------------------------------------------------------------------------------- 1 | Process Image Tampering 2 | ----------------------- 3 | 4 | Sysmon will log **EventID 25** when a process's original image is replaced in memory or on disk. This covers the technique of [Process Hollowing](https://attack.mitre.org/techniques/T1055/012/), which is when a process is launched, then suspended, and the memory for the image is unmapped and realigned to another image injected into memory, and the process is then resumed to execute the injected image. [Process Herpaderping](https://jxy-s.github.io/herpaderping/) is another technique that is caught by this event type; this technique works by modifying the content on disk after the image has been mapped. This capability was added in version 13.0 of Sysmon with schema 4.50. 
5 | 6 | The fields for the event are: 7 | 8 | * **ProcessGuid** -- Unique process GUID generated by Sysmon. 9 | 10 | * **ProcessId** -- Process ID represented as an integer number. 11 | 12 | * **Image** -- Full path of the executable image that was tampered with. 13 | 14 | * **Type** -- Type of process tampering (Image is locked for access, Image is replaced) 15 | 16 | There are several programs, like browsers and code development programs, that trigger this event type. Since an attacker can select any process as their target, it is recommended to capture all events and create an exclusion list of known programs. There is a risk that an attacker will select one of these excluded programs for their actions, but the exclusion list greatly limits their options by narrowing them to programs that can then be monitored for other behaviors to detect abuse. 17 | 18 | Example: 19 | 20 | ```xml 21 | Sysmon schemaversion="4.50"> 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | ``` 31 | 32 | Collect events and build an exclusion list like: 33 | 34 | ```xml 35 | RuleGroup name=“” groupRelation=“or”> 36 | 37 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 38 | C:\Program Files\Mozilla Firefox\firefox.exe 39 | C:\Program Files\Mozilla Firefox\updater.exe 40 | C:\Program Files\Mozilla Firefox\default-browser-agent.exe 41 | C:\Program Files\Mozilla Firefox\pingsender.exe 42 | C:\Program Files\Microsoft VS Code\Code.exe 43 | C:\Program Files\Git\cmd\git.exe 44 | C:\Program Files\Git\mingw64\bin\git.exe 45 | \software_reporter_tool.exe 46 | unknown process 47 | 48 | 49 | ``` 50 | 51 | Electron-based apps such as Slack, Mattermost and others also appear to create false positives. Another thing to be aware of is that not all process hollowing techniques are detected. Some variations of the original technique, which change some API calls and the amount of the image altered, are not detected. 
This is a perfect example of why it is important to have additional detection controls for other actions and to have a layered approach to detection. 52 | -------------------------------------------------------------------------------- /chapters/process-termination.md: -------------------------------------------------------------------------------- 1 | Process Termination 2 | ------------------- 3 | 4 | Sysmon will log an **EventID 5** when a process terminates. Logging 5 | process termination events allows for calculating the duration of operation 6 | of a process by comparing the times with process creation. Process 7 | termination events, when correlated with shutdown and start events, also allow determining 8 | if a process may have been terminated by an attacker. 9 | 10 | The process termination fields are: 11 | 12 | * **RuleName** -- Rule name for which the event triggered. 13 | 14 | * **UtcTime** - Time in UTC when event was created 15 | 16 | * **ProcessGuid** - Process Guid of the process that terminated 17 | 18 | * **ProcessId** - Process ID used by the OS to identify the process 19 | that terminated 20 | 21 | * **Image** - File path of the executable of the process that 22 | terminated -------------------------------------------------------------------------------- /chapters/raw-access-read.md: -------------------------------------------------------------------------------- 1 | Raw Access Read 2 | =============== 3 | 4 | Sysmon will log **EventID 9** for any process trying to read straight from a storage device, bypassing any filesystem restrictions that may be imposed by it. This information is logged by Sysmon on Windows by leveraging its minifilter. This type of action is only done by drive imaging software or backup software in a normal operating environment. 5 | 6 | On Linux this event is logged when a block device is directly accessed, and eBPF is used to detect this type of action. 
7 | 8 | Attackers have been known to use this technique on Windows to copy NTDS.dit and SAM Registry Hives off host for the purpose of credential harvesting. In the case of Linux, raw access to the device is used for similar purposes: to access credentials, key material and system binaries. 9 | 10 | The fields for the event are: 11 | 12 | * **RuleName**: Name of rule that triggered the event 13 | 14 | * **UtcTime**: Time in UTC when event was created 15 | 16 | * **ProcessGuid**: Process GUID of the process that conducted reading operations from the drive 17 | 18 | * **ProcessId**: Process ID used by the OS to identify the process that conducted reading operations from the drive 19 | 20 | * **Image**: File path of the process that conducted reading operations from the drive 21 | 22 | * **Device**: Target device 23 | 24 | In the case of Windows, given that no process should be performing this action normally, it is best to log all instances of it or, even better, to target the NTDS.dit file on domain controllers and the SAM hive file on all systems. On systems with many file modifications, slightly higher resource usage may result if monitoring is enabled for all files. 25 | 26 | 27 | Example that captures all instances of this event 28 | 29 | ![collect all](./media/image60.png) 30 | -------------------------------------------------------------------------------- /chapters/registry-actions.md: -------------------------------------------------------------------------------- 1 | Registry Actions 2 | ================ 3 | 4 | Sysmon has the capability to monitor for three major actions against the Registry 5 | 6 | * **EventID 12** - Registry object added or deleted 7 | 8 | * **EventID 13** - Registry value set 9 | 10 | * **EventID 14** - Registry object renamed 11 | 12 | The Windows Registry has been a source of information gathering, persistence, storage, and configuration control for attackers since its widespread introduction in Windows NT 4.0/Windows 95. 
13 | 14 | Sysmon uses abbreviated versions of Registry root key names, with the following mappings: 15 | 16 | 17 | |**Key name** |**Abbreviation** | 18 | |---------------------------------------------|--------------------------------- 19 | | HKEY\_LOCAL\_MACHINE |HKLM| 20 | | HKEY\_USERS |HKU| 21 | | HKEY\_LOCAL\_MACHINE\\System\\ControlSet00x |HKLM\\System\\CurrentControlSet| 22 | | HKEY\_LOCAL\_MACHINE\\Classes |HKCR| 23 | 24 | Registry Add/Delete Fields: 25 | 26 | * **RuleName**: Name of rule that triggered the event 27 | 28 | * **UtcTime**: Time in UTC when event was created 29 | 30 | * **EventType**: CreateKey or DeleteKey 31 | 32 | * **ProcessGuid**: Process GUID of the process that created or deleted a registry key 33 | 34 | * **ProcessId**: Process ID used by the OS to identify the process that created or deleted a registry key 35 | 36 | * **Image**: File path of the process that created or deleted a registry key 37 | 38 | * **TargetObject**: Complete path of the registry key 39 | 40 | 41 | Registry Set Value Fields: 42 | 43 | * **RuleName**: Name of rule that triggered the event 44 | 45 | * **UtcTime**: Time in UTC when event was created 46 | 47 | * **EventType**: SetValue 48 | 49 | * **ProcessGuid**: Process GUID of the process that modified a registry value 50 | 51 | * **ProcessId**: Process ID used by the OS to identify the process that modified a registry value 52 | 53 | * **Image**: File path of the process that modified a registry value 54 | 55 | * **TargetObject**: Complete path of the modified registry key 56 | 57 | * **Details**: Details added to the registry key 58 | 59 | 60 | Registry Rename Fields: 61 | 62 | * **RuleName**: Name of rule that triggered the event 63 | 64 | * **UtcTime**: Time in UTC when event was created 65 | 66 | * **EventType**: RenameKey 67 | 68 | * **ProcessGuid**: Process GUID of the process that renamed a registry value and key 69 | 70 | * **ProcessId**: Process ID used by the OS to identify the process that renamed a 
registry value and key 71 | 72 | * **Image**: File path of the process that renamed a registry value and key 73 | 74 | * **TargetObject**: Complete path of the renamed registry key 75 | 76 | * **NewName**: New name of the registry key 77 | 78 | 79 | This event type is better used in a targeted manner given the size of the registry and how it is used by a multitude of processes on a daily basis in Windows. 80 | 81 | In registry events, the value name is appended to the full key path with a \"\\\" delimiter. 82 | 83 | Default key values are named \"\\(Default)\" 84 | 85 | When filtering for keys or values in HKCU, use **contains** or **ends with** when filtering against **TargetObject**, since the SID of the user is appended after the hive name. 86 | 87 | ![HKCU Test](./media/image51.png) 88 | 89 | ![HKCU Test Event](./media/image52.png) 90 | 91 | Since the value name is appended when specifying a registry path in **TargetObject**, where we also want to catch modification of values under the key, the **contains** operator is better suited than **ends with**. For value events, the **Details** element of the event will contain the type of value. 92 | 93 | Sysmon does not log the actual value being set nor a previous or new one being modified. 
94 | 95 | 96 | ![HCU Value Event](./media/image53.png) 97 | 98 | Example of monitoring some AutoRun locations 99 | 100 | ```xml 101 | 102 | 103 | 104 | 105 | \CurrentVersion\Run 106 | \Group Policy\Scripts 107 | \Windows\System\Scripts 108 | \Policies\Explorer\Run 109 | \ServiceDll 110 | \ImagePath 111 | \Start 112 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify 113 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit 114 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell 115 | HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 116 | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute 117 | \Explorer\FileExts 118 | \shell\install\command 119 | \shell\open\command 120 | \shell\open\ddeexec 121 | Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup 122 | 123 | 124 | 125 | 126 | ``` 127 | -------------------------------------------------------------------------------- /chapters/sysmon-changelog.md: -------------------------------------------------------------------------------- 1 | # Sysmon Changelog 2 | 3 | | Version | Schema | Features | Release | 4 | |---------|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------| 5 | | 13.01 | 4.50 | * Fixed regression bug where several event types where not logged. | January 13, 2021 | 6 | | 13.0 | 4.50 | * Added support for Process Tampering Detection. | January 11, 2021 | 7 | | 12.03 | 4.40 | * fixes reporting and a possible crash condition for PipeEvent and RegistryEvent rules. | November 25, 2020 | 8 | | 12.02 | 4.40 | * This update to Sysmon fixes several configuration parsing bugs. 
| November 4, 2020 | 9 | | 12.01 | 4.40 | * Security and bug fix release, resolves a PipeEvent processing issue and adds extra checks to kernel writes. | October 16, 2020 | 10 | | 12.0 | 4.40 | * Added support to capture text stored in to the clipboard by a process. | September 17, 2020 | 11 | | 11.11 | 4.4 | * Fixes a bug that prevented USB media from being ejected.
* Fixes an issue that could stop network event logging and a resulting memory leak.
* Fixes logging of file delete events for delete-on-close files. | July 15, 2020 | 12 | | 11.1 | 4.31 | * For Event ID 15 a “Content” field was added to save text streams of less than 1k.
* The –a commandline option has been removed. The custom archive directory must be set via configuration file.
* Fix issue where EventID 1 was not logged on Windows 2016 and Windows 10.
* Fix rule parsing issue. | June 24, 2020 | 13 | | 11.0 | 4.30 | * Control Reverse DNS Lookup.
* Log file deletions and store a copy of the file.
* Bug Fixes. | April 28, 2020 | 14 | | 10.42 | 4.23 | * Memory leaks in DNS, Networking and Image load events
* Bug fixes including filtering, rule group names, NULL process GUIDS and W3LOGSVC interop issue
* Increased rule name field length from 32 to 128 characters
* Added “excludes any” and “excludes all” filtering conditions.
* Performance improvements for ImageLoad module | December 11, 2019 | -------------------------------------------------------------------------------- /chapters/the-sysmon-driver.md: -------------------------------------------------------------------------------- 1 | The Sysmon Driver 2 | ================= 3 | 4 | All of the monitoring is performed thanks to a driver that Sysmon installs called SysmonDrv. The driver will hook into Windows APIs and leverage Event Tracing for Windows (ETW) to capture the information on the actions it wants to monitor. 5 | 6 | This Sysmon Driver has a unique altitude number of 385201 that determines the order of loading of the driver in comparison to other drivers on the system. Some blog posts recommend changing this number in the registry for obfuscation, but this may cause a conflict with another driver and prevent Sysmon from working or cause other errors on the system. 7 | 8 | The driver is loaded by a service at system startup and a secondary service then queries the cached information. 9 | 10 | ![Sysmon Driver Behaviour](./media/image1.png ) 11 | 12 | For all file system operations, the driver registers as a Minifilter driver that is attached to volumes allowing it to see all actions taken by APIs before they are processed by the file system. 13 | 14 | ![Minifilter](./media/image2.png) 15 | 16 | Sysmon sets multiple callbacks on kernel objects in addition to using telemetry APIs and ETW. 17 | 18 | ![kernel hook1](./media/image3.png) 19 | 20 | ![kernel hook2](./media/image4.png) 21 | 22 | When the tool is downloaded from the Microsoft Sysinternals website it is important to save and identify previous versions since Microsoft does not provide older versions and the release notes do not detail what has been fixed. Microsoft has a fast release cycle, forcing users to test very carefully and to keep track of versions. 
23 | 24 | You can take a look at recent changes across versions in the community guide [Sysmon Changelog](https://github.com/trustedsec/SysmonCommunityGuide/blob/master/sysmon-changelog.md) 25 | 26 | Another important piece of information is that there is no support from Microsoft on the Sysinternals tools—they are free and provided as is. This means that a testing plan for the environment it is deployed on should be formulated, tested, implemented, and improved upon as new versions of Sysmon are released. 27 | -------------------------------------------------------------------------------- /chapters/what-is-sysmon.md: -------------------------------------------------------------------------------- 1 | What is Sysmon 2 | ============== 3 | 4 | Sysmon is a free tool initially developed by Mark Russinovich and Thomas Garnier, with contributions from David Magnotti, Mark Cook, Rob Mead, Giulia Biagini, Alex Mihaiuc, Kevin Sheldrake, John Lambert and others at Microsoft. The tool was initially released for Windows hosts, and in October 2021 an open-source Linux version of the tool was released. The tool is designed to extend the current logging capabilities in Windows and Linux so as to aid in understanding and detecting attackers by behavior. 5 | 6 | The original version of the tool was for internal use at Microsoft. Under Windows the tool supports 64-bit and 32-bit systems and uses a single command line tool for installation and configuration management. 7 | 8 | For Linux the tool can be compiled from source or installed via the distribution package manager. It supports the following distributions: 9 | 10 | - Ubuntu 11 | - Debian 12 | - Red Hat Enterprise Linux 13 | - Fedora Linux 14 | - OpenSuse 15 | - Suse Linux Enterprise Server 16 | 17 | Sysmon will store logs in the default operating system logging system. 
For Windows all of the events generated by Sysmon are saved in the Microsoft-Windows-Sysmon/Operational EventLog and in the case of Linux under /var/log/syslog, in order to accommodate security products that already collect and centralize logs from both operating systems. 18 | 19 | Sysmon is able to monitor for a series of actions on a host that relate to existing behavior that is abused by threat actors. With this view on the actions, defenders are able to better detect abnormal behavior and abuses on a system. 20 | 21 | The table below shows the event types and event IDs that the Windows version collects. 22 | 23 | | EventType| EventId| 24 | |---|---| 25 | |Sysmon Service Status Changed|0 26 | |ProcessCreate|1 27 | |FileCreateTime|2 28 | |NetworkConnect|3 29 | |Service State Change|4 30 | |ProcessTerminate|5 31 | |DriverLoad|6 32 | |ImageLoad|7 33 | |CreateRemoteThread| 8 34 | |RawAccessRead| 9 35 | |ProcessAccess| 10 36 | |FileCreate| 11 37 | |Registry object added or deleted | 12 38 | |Registry Value Set| 13 39 | |Registry Rename| 14 40 | |FileCreateStreamHash | 15 41 | |Sysmon Config Change| 16 42 | |Named Pipe Create| 17 43 | |Named Pipe Connected|18 44 | |WMI Event Filter|19 45 | |WMI Event Consumer|20 46 | |WMI Consumer to Filter|21 47 | |DNS Query|22 48 | |File Delete|23 49 | |Clipboard Capture|24 50 | |Process Tampering|25 51 | |File Delete Detected|26 52 | |Error|255 53 | 54 | Given the OS and the technologies available, the Linux version supports a smaller number of events. 
55 | 56 | | EventType| EventId| 57 | |---|---| 58 | |Sysmon Service Status Changed|0 59 | |ProcessCreate|1 60 | |NetworkConnect|3 61 | |Service State Change|4 62 | |ProcessTerminate|5 63 | |RawAccessRead| 9 64 | |FileCreate| 11 65 | |Sysmon Config Change| 16 66 | |File Delete|23 67 | 68 | The Sysmon version for Linux is an open-source version of the tool, developed to collect security events from Linux environments using eBPF (Extended Berkeley Packet Filter) and placing the captured events into Syslog for easy consumption by existing centralized log collection solutions. 69 | 70 | Sysmon for Linux uses the sysinternalsEBPF library to allow it to capture actions against files on disk and network actions. eBPF is a technology that allows a program to run at the kernel level in a sandbox, allowing it to observe system activity. Sysmon leverages this technology to capture information on processes, reads and writes to block devices, and also Socket and TCP/IP actions before they reach a network interface. This behavior is similar to that of minifilter drivers in Windows that allow for the capture of events as they are executed by the APIs in the OS. 71 | 72 | The sysinternalsEBPF and Sysmon for Linux are open-source projects; this allows the community to contribute and to further expand the capabilities of the tools. They can be found at https://github.com/Sysinternals. Both projects are written in C, and each repository includes documentation on how to build the utilities. 
73 | -------------------------------------------------------------------------------- /examples/Exchange_CVE_2021_26855.xml: -------------------------------------------------------------------------------- 1 | 19 | 20 | sha256 21 | 22 | 23 | 24 | 25 | 26 | 27 | \wwwroot\aspnet_client\;owa\auth;ecp\auth\;ClientAccess\Owa\;ClientAccess\Ecp\;ClientAccess\Oab\ 28 | w3wp.exe;UMWorkerProcess.exe;UMService.exe 29 | 30 | 31 | w3wp.exe 32 | UMWorkerProcess.exe 33 | UMService.exe 34 | 35 | .bat;.cmd;.exe;.js;.vbs;.vbe;.dll;.ps1 36 | .rar;.zip;.7z;.js;.vbs;.vbe;.dll;.ps1 37 | 38 | 39 | 40 | 41 | 42 | w3wp.exe 43 | UMWorkerProcess.exe 44 | 45 | .exe 46 | 47 | 48 | 49 | 50 | 51 | lsass.exe 52 | 53 | 54 | 55 | 56 | 57 | 58 | C:\Windows\system32\svchost.exe 59 | 0x1000 60 | 61 | 62 | C:\Windows\system32\wbem\wmiprvse.exe 63 | 0x1400 64 | 65 | 66 | C:\Windows\System32\svchost.exe 67 | 0x3000 68 | 69 | 70 | C:\Windows\system32\wbem\wmiprvse.exe 71 | 0x1000 72 | 73 | 74 | C:\Windows\System32\svchost.exe 75 | 0x1000 76 | 77 | 78 | C:\Windows\system32\services.exe 79 | 0x1000 80 | 81 | 82 | C:\Windows\system32\wininit.exe 83 | 0x1000000 84 | 85 | 86 | C:\Windows\system32\csrss.exe 87 | 0x1fffff 88 | 89 | 90 | C:\Windows\system32\wininit.exe 91 | 0x1fffff 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | powershell.exe;powershell_ise.exe 100 | System.Management.Automation 101 | 102 | 103 | 104 | 105 | 106 | 107 | C:\Windows\System32\ServerManager.exe 108 | C:\Windows\System32\RemoteFXvGPUDisablement.exe 109 | 110 | 111 | 112 | 113 | -------------------------------------------------------------------------------- /examples/FileDeleteDetected.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | sha256 5 | 6 | 7 | Archive 8 | 9 | 10 | 11 | 12 | 13 | \Appdata\Local\Microsoft\Windows\INetCache\Content.Outlook\ 14 | .com;.bat;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.xla;.cmd;.sh;.lnk;.pptm;.scr;.sct 15 | 16 | 17 | \Downloads\ 18 | 
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 19 | 20 | 21 | \Appdata\Local\Temp\ 22 | .com;.bat;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.xla;.cmd;.sh;.lnk;.pptm;.scr;.sct 23 | 24 | 25 | 26 | C:\ProgramData\Intel 27 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 28 | 29 | 30 | C:\ProgramData\Mozilla 31 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 32 | 33 | 34 | C:\ProgramData\chocolatey\logs 35 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 36 | 37 | 38 | C:\ProgramData\Microsoft\DeviceSync 39 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 40 | 41 | 42 | C:\ProgramData\Microsoft\PlayReady 43 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 44 | 45 | 46 | C:\ProgramData\Microsoft\User Account Pictures 47 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 48 | 49 | 50 | C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys 51 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 52 | 53 | 54 | C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys 55 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 56 | 57 | 58 | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore 59 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 60 | 61 | 62 | C:\ProgramData\Microsoft\Office\Heartbeat 63 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 64 | 65 | 66 | C:\ProgramData\Microsoft\Windows\WER\ReportQueue 67 | 
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 68 | 69 | 70 | C:\ProgramData\Microsoft\Windows\WER\Temp 71 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 72 | 73 | 74 | C:\ProgramData\Microsoft\Windows\WER\Temp 75 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 76 | 77 | 78 | C:\ProgramData\Microsoft\Windows\WER\Temp 79 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 80 | 81 | 82 | C:\ProgramData\Microsoft\Windows\WER\Temp 83 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 84 | 85 | 86 | C:\ProgramData\Microsoft\Windows\WER\Temp 87 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 88 | 89 | 90 | C:\Users\All Users\Intel 91 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 92 | 93 | 94 | C:\Users\All Users\Mozilla 95 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 96 | 97 | 98 | C:\Users\All Users\chocolatey\logs 99 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 100 | 101 | 102 | C:\Users\All Users\Microsoft\DeviceSync 103 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 104 | 105 | 106 | C:\Users\All Users\Microsoft\PlayReady 107 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 108 | 109 | 110 | C:\Users\All Users\Microsoft\User Account Pictures 111 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 112 | 113 | 114 | C:\Users\All 
Users\Microsoft\Crypto\DSS\MachineKeys 115 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 116 | 117 | 118 | C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys 119 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 120 | 121 | 122 | C:\Users\All Users\Microsoft\NetFramework\BreadcrumbStore 123 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 124 | 125 | 126 | C:\Users\All Users\Microsoft\Office\Heartbeat 127 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 128 | 129 | 130 | C:\Users\All Users\Microsoft\Windows\WER\ReportArchive 131 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 132 | 133 | 134 | C:\Users\All Users\Microsoft\Windows\WER\ReportQueue 135 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 136 | 137 | 138 | C:\Users\All Users\Microsoft\Windows\WER\Temp 139 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 140 | 141 | 142 | C:\Windows\Tasks 143 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 144 | 145 | 146 | C:\Windows\tracing 147 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 148 | 149 | 150 | C:\Windows\Registration\CRMLog 151 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 152 | 153 | 154 | C:\Windows\System32\Tasks 155 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 156 | 157 | 158 | C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys 159 | 
.com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 160 | 161 | 162 | C:\Windows\System32\spool\drivers\color 163 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 164 | 165 | 166 | C:\Windows\SysWOW64\Tasks 167 | .com;.bat;.exe;.reg;.ps1;.vbs;.vba;.lnk;.doc;.xls;.hta;.bin;.7z;.dll;.xla;.cmd;.sh;.lnk;.pptm;.scr;.msi;.sct 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | \Downloads\ 177 | .exe;dll;.msi;.7z;.zip 178 | 179 | 180 | \Appdata\Local\Temp\ 181 | .exe;dll;.msi;.7z;.zip 182 | 183 | 184 | 185 | 186 | 187 | -------------------------------------------------------------------------------- /examples/NetConnBaseline.xml: -------------------------------------------------------------------------------- 1 | NT AUTHORITY\SYSTEM 2 | 3 | 4 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 5 | 443;80 6 | 7 | 8 | C:\Windows\SystemApps\Microsoft.Windows.Search_;\SearchApp.exe 9 | 443;80 10 | 11 | 12 | C:\Windows\System32\smartscreen.exe 13 | 443 14 | 15 | 16 | C:\Program Files\WindowsApps\;\LocalBridge.exe 17 | 443 18 | 19 | 20 | C:\Windows\System32\taskhostw.exe 21 | 443;389 22 | NT AUTHORITY\SYSTEM 23 | 24 | 25 | C:\Windows\System32\lsass.exe 26 | 88;135;389 27 | NT AUTHORITY\SYSTEM 28 | 29 | 30 | C:\Program Files\WindowsApps\Microsoft.YourPhone;\YourPhone.exe 31 | 443 32 | 33 | 34 | C:\Windows\System32\taskhostw.exe 35 | 389 36 | NT AUTHORITY\SYSTEM 37 | 38 | 39 | C:\Program Files\WindowsApps\Microsoft.Windows.Photos;\Microsoft.Photos.exe 40 | 443 41 | 42 | 43 | C:\Windows\System32\CompatTelRunner.exe 44 | 443 45 | NT AUTHORITY\SYSTEM 46 | 47 | 48 | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe 49 | 443 50 | NT AUTHORITY\SYSTEM 51 | 52 | 53 | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay;\GameBar.exe 54 | 443 55 | 56 | 57 | C:\Windows\System32\BackgroundTransferHost.exe 58 | 443 59 | 60 | 61 | 
C:\Windows\System32\RuntimeBroker.exe 62 | 443 63 | 64 | 65 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 66 | 80;443 67 | 68 | 69 | C:\Windows\System32\backgroundTaskHost.exe 70 | 135;389 71 | 72 | 73 | C:\Windows\System32\MoUsoCoreWorker.exe 74 | 443 75 | NT AUTHORITY\SYSTEM 76 | 77 | 78 | 79 | 80 | 81 | --------------------------------------------------------------------------------