Sysinternals Sysmon suspicious activity guide

Sysmon tool from Sysinternals provides a comprehensive monitoring about activities in the operating system level. Sysmon is running in the background all the time, and is writing events to the event log.

You can find the Sysmon events under the Microsoft-Windows-Sysmon/Operational event log.

This guide will help you to investigate and appropriately handle these events.

Let's start with Microsoft Cybersecurity posture

 

Microsoft Cybersecurity posture consists of three pillars: Protect, Detect, and Respond. While Solid protection and rapid response capability are crucial, detection in depth is equally important. The focus in this blog post is on the last two:

Sysmon Configuration file

A configuration file is used by Sysmon to store information about which events we want to include and which event we wish to exclude.

Configuration files may be specified after the  -i (installation) or  -c (installation) configuration switches. They make it easier to deploy a preset configuration and to filter captured events.

A sample configuration file with rules to log device drivers that are not related to Microsoft and Windows or only network connections over TCP ports 80 and 443:

A sample configuration file for enterprises based on my research and real-life deployments can be found in My GitHub repository.

How to deploy a Sysmon configuration file in an enterprise?

Sysmon rules and configuration settings are saved in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SysmonDrv\Parameters 

Using Group Policy Preferences (GPP) you can deploy Sysmon filtering rules across the entire organization (once installed, the service will poll its registry key for changes, and will be updated automatically, no restart is needed)

Step-By-Step instructions:

  1. Open Group Policy Editor, navigate to Computer Configuration, Preferences, Windows Settings and Registry
  2. Select Registry Wizard and New
  3. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters and check the following items: HashingAlgorithm, Options and Rules

4. Deploy the GPO on the desired computers

Prepare for security investigations

Investigate suspicious process

How do you identify processes that are suspicious? Mark Russinovich has told us to look for these suspicious process attributes when hunting malware with Process Explorer

  • Have no icon, description or company name
  • Run from Windows directory or user profile
  • Started with wrong parent
  • Misspelled process
  • Unsigned executables
  • Packed executables
  • Host suspicious DLLs or services
  • Have open TCP/IP endpoints
  • Include strange URLs, strings in the executable

To summarize the most important analysis steps, you can use the accompanying graph:

Useful commands when investigating a suspicious file:

  1. Run Sigcheck and search for any unsigned executables or VirusTotal's flagged executables:

    sigcheck -vt -vr -e -u -s c:\

  2. Run streams to detect alternate data streams:

    streams -s c:\

  3. Using PowerShell review the content of the Windows directory, and search for files with non-standard date-time:

    Get-ChildItem -recurse | Where-Object { !$_.PsIsContainer } | Sort-Object -Descending { $_.CreationTime }

Note: Due to the complexity of modern threats it's recommend to utilize professional/automatic removal process.

Sysmon Events Activity Guide

Event ID 2 - A process changed a file creation time

Description

The change file creation time event is registered when a file creation time is explicitly modified by a process. This event helps tracking the real creation time of a file. Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; it does not necessarily indicate a malicious activity.

Investigation

  • Is the source computer running an organization-approved ZIP extractor or web browser? If yes, you may ignore this alert because these applications are known to change file timestamps
  • Extract the following items from the event:
    • Image -path is not Windows or ProgramFiles -Use Investigate suspicious processes section above
    • TargetFileName -Use Investigate suspicious process table above

Remediation

Exclude an organization-approved application using the configuration file

Event ID 4 - Sysmon service state changed

Description

The Sysmon service state change event reports the state of the Sysmon service (started or stopped).

Investigation

  • The Sysmon Service state was changed to "Stopped"? If an attacker has privileges, Sysmon monitoring can be disabled by killing the Sysmon service. Investigate why the service had stopped by searching the System event log for events with "Service Control manager" source in the System log

Remediation

None, but it is always recommended to implement a centralized event logging infrastructure

Event ID 6 - Driver loaded

Description

The driver loaded events provides information about a driver being loaded on the system. The configured hashes are provided as well as signature information. The signature is created asynchronously for performance reasons and indicates if the file was removed after loading.

Investigation

An attacker can exploit the Windows kernel by using a vulnerable device driver.

  • Is the driver loaded is part of an organization-approved device drivers list? If yes, you may ignore this alert
  • Extract the following items from the event:
    • ImageLoaded – check if the path is not Windows or Windows\System32\Drivers - Use Investigate suspicious process table above

Remediation

None

Event ID 8 - CreateRemoteThread

Description

The CreateRemoteThread event detects when a process creates a thread in another process. This technique is used by malware to inject code and hide in other processes. The event indicates the source and target process. It gives information on the code that will be run in the new thread: StartAddress, StartModule and StartFunction. Note that StartModule and StartFunction fields are inferred, they might be empty if the starting address is outside loaded modules or known exported functions.

Investigation

If an attacker has privileges, he can inject a custom DLL into the process's address space by using the CreateRemoteThread function call.

  • Extract the following items from the event:
    • SourceImage -path is not Windows or ProgramFiles -Use Investigate suspicious processes table above
    • TargetImage -image is lsass, password manages, browsers or other sensitive accounts

Remediation

None

Event ID 9 - RawAccessRead

Description

The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation. This technique is often used by malware for data exfiltration of files that are locked for reading, as well as to avoid file access auditing tools. The event indicates the source process and target device.

Investigation

There are tools and PowerShell scripts that are capable of copying NTDS.dit, Registry hives, and any other file sitting on an NTFS volume by obtaining a read handle to the volume and parsing NTFS streams directly.

  • Extract the following items from the event:
    • Image -path is not Windows or ProgramFiles - Use Investigate suspicious process table above

Remediation

None

Event ID 10 - ProcessAccess

Description

The process accessed event reports when a process opens another process, an operation that's often followed by information queries or reading and writing the address space of the target process. This enables detection of hacking tools that read the memory contents of processes like Local Security Authority (Lsass.exe) in order to steal credentials for use in Pass-the-Hash attacks. Enabling it can generate significant amounts of logging if there are diagnostic utilities active that repeatedly open processes to query their state, so it generally should only be done so with filters that remove expected accesses.

Investigation

  • Extract the following items from the event:
    • SourceImage -path is not Windows or ProgramFiles -Use Investigate suspicious processes table above
    • TargetImage -image is lsass, password manages, browsers or other sensitive accounts

Remediation

In case of sensitive accounts and suspicious processes, assume that the accounts are compromised and replace their passwords

Event ID 15 - FileCreateStreamHash

Description

This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream. There are malware variants that drop their executables or configuration settings via browser downloads, and this event is aimed at capturing that based on the browser attaching a Zone.Identifier "mark of the web" stream.

Investigation

  • Extract the following items from the event:
    • SourceImage -path is not Windows or ProgramFiles -Use Investigate suspicious processes table above

  • By using Sysinternals streams we can check which files have alternate data-streams.

Remediation

If the alternate data stream is confirmed to be a malware or data related to a malware you can remove it using the PowerShell Remove-Item command