Sysmon: how to set up, update and use?

Today, we’re going to talk about Sysmon which was written by Mark Russinovich and Thomas Garnier. You can get this pretty amazing tool from sysinternals.com. Sysmon can be useful for you because it provides a pretty detailed monitoring about what is happening in the operating system, starting from process monitoring, going through monitoring all the network and ending up with a discovery of the different types of exploitation techniques.

In this article, I will show you how to set up Sysmon correctly, as well as how to update it with a custom configuration. In addition, I’m super excited to show you tools that our team wrote to support system logging and to extract information about what is happening, for example, with your processes communicating with the network. Let’s dive into Sysmon.

How to install Sysmon?

We will start with the installation of Sysmon. We’ve got the installation file, Sysmon.exe and we can just run a question mark here to find out what kind of options do we have.
sysmon

One of the interesting things is that even if you don’t specify any particular settings, Sysmon will be installed without any problems and that’s what we’re going to do at the very beginning.

As you see, there is an option -c, and we can update the configuration whenever Sysmon is already installed. We are going to do that as well. We can also specify the hash algorithms.

We can specify SHA-1 but you also have plenty of other options. A particularly interesting one is imphash which is like an import hash. We’re can rely on the list of imports for a certain image file.

This is quite interesting especially when developers are changing the version of the file and so on, but the list of imports remains the same.

Also, we have -l, for loading of modules. We also have, for example, an interesting one which is -n which is used for logging different types of network connections. We’re going to actually do a quite interesting step around that. -r is also very cool: check for a signature certificate for verification. So, we can verify the signatures and if the certificate was revoked or not.

Anyway, let’s move on and actually install Sysmon. I’m going to clear the screen and type sysmon one more time, and we do -i to install it, -h to specify that we would like to log MD5, for example, and then we’re going to do -l to log different types of modules being loaded which could, for example, be a DLL or any other thing. Next step we’re going to specify is -n. That’s going to be our Sysmon installation.

sysmon

For now, we can verify how it logs within the event logs. I’m going to start Event Viewer.

Let it begin

We’re going to go to Applications and Service logs, Microsoft, Windows, and then Sysmon. Let it begin. We’ve got Sysmon operational log where we’ve got all the details that we have chosen to load.

sysmon

Of course, there are much more different types of events we could use over here. We’ve got, right now, ten events to be logged. By default, some of them are not logged. This is a subject for another post where we will be talking about the Create Remote threat and raw access to the disc. For now, we’re going to focus on extraction of hashes and IP addresses from the log.

Sysmon is great because it allows you to monitor, in our configuration currently, a process create an event and also a process terminated event. Whenever, for example, a process is started, we can spot that that particular process, for example, had the following parameters of execution.

sysmon

Also, we can know who was executing this and what the parent image that was launching this process was. This is pretty interesting when you are analyzing a lot of things like who started a certain executable which may be a malware.

Having gotten access to the log, what is interesting to us by now is to verify what the path is. So, we can go into properties of the log and we can see its path is Windows \ System 32 \ Winevt \ logs. I’m going to just copy this path and we’re going to play a little bit on it, but first of all, we will update the Sysmon configuration. Let’s do that.

sysmon

I have created our config file before writing this article. This is config.xml and that config file contains schema version which is quite important depending on which Sysmon version you actually run. We will update the configuration by different hash algorithms. So, in this case, we’re going to not only log on MD5, but also SHA256, and we are including here all of the network events.

This is quite surprising, but we are excluding nothing. It means that we are logging on everything, in this if I want to create a remote thread, even though we are not focusing on this one this time. Also, raw access read and I am excluding different types of events. Here I am including, for the create a remote thread, different types of events.

Let’s update the system configuration. We will do Sysmon -c config.xml, which is very easy, and based on that we are able to update the configuration.

sysmon

From now, when we verify within the event log what’s happening, we should be able to log on different types of hashes. Not only MD5, but also SHA256.

sysmon

This is the set-up. As you see, we’ve got the very nice difference here. When we focus on the old event, the only thing that we’ve got is MD5 but when you focus on the new event here, we also have SHA256.

This is how we can see that the configuration is updated.

Let’s do something advanced

Basic stuff is behind us. Now it’s time to focus on something interesting. One of the things that we’re going to do is to, let’s say, export the system configuration in order to have it deployed within the enterprise. Why should we do that? Well, who knows? Maybe you have just lost a configuration file or you have updated configuration in so many different ways that you are like, “Right now I would like to have that out”. Unfortunately Sysmon, for now, does not provide an option to export the configuration file. The only thing we can do is Sysmon – C and that shows us our configuration in a kind of nice way because it allows us to see what is out there. You cannot just take this and you cannot save it in a text file and import it somewhere else. This is quite confusing.

sysmon

You can always go to the registry, so regedit, and go to Sysmon. We’ve got that settings in System, Current Control Set, then we can go to Services and we can spot over here two things: one is Sysmon, and another one is Sysmon driver.

sysmon

This is where we can spot the configuration in the parameters hive and we’ve got hashing algorithm, options, and rules. While I’m happy to, of course, explain everything step by step, we could also export the registry settings. That is another option. Maybe we would like to import the configuration, so for now over here in the registry, it could be a little bit difficult. That’s why we have written a tool called CQSysmonConfig.

>> Download the CQSysmonConfig tool <<
Password: CQUREAcademy#123!

>> Download the CQSysmonConfig tool version 3.0 <<
Password: CQUREAcademy#123!

CQSysmonconfig allows you to export the configuration to a file. We can do -E config.xml. This exported config.xml is the file that we can use in order to play with the configuration. This is the configuration that we were playing with before.

sysmon

What is interesting when we will play with the different types of Sysmon log files is that we are able to export the hashes. I’ve got CQSysmonHash extract here which is a tool that allows us to specify the current log file that we’ve got and also we can specify the output file where we will have the list of hashes within the file. It’s going to take a while, but let’s do that.

>> Download the CQSysmonHash tool <<
Password: CQUREAcademy#123!

sysmon

In our case, it’s going to be CQ Sysmon hash extract, -L, and we can specify -O for output. We can specify the certain file which will be outfile.txt. For now, as I mentioned, it’s going to take a little bit of time because my log is big. In our outfile.txt, we will have a list of the hashes being exported. That’s something that you can upload to Virustotal, or you can work on those hashes a little bit. You can parse them in different ways and put them into your own analysis.

sysmon

These are the hashes. For example, what we can do over here as well is that we can use the Virustotal checker. This software was not written by us but you can download this from the internet. Virustotal checker will allow us to submit different types of hashes into Virustotal. We can do that as well. I have prepared already a list of hashes for us, so it’s going to be a little bit faster.

>> Download the Virustotal checker <<

sysmon

Let’s check out the options first. Over here, we can specify the file containing hashes that we would like to use. We will also specify the output. We would like to use that dot for the current directory. We will also specify the mode and we will choose the mode caching. We will be uploading hashes into Virustotal and these hashes will be from the list. Let’s begin.

sysmon

We’ve got Virustotal checker, and we will specify -m caching and -file hashes2.txt here. We will specify the output dot and we are ready. It takes a little bit of time. I will use this opportunity to mention over here that in order to be able to do that, of course, you need to request for your key. It’s your private key from Virustotal that allows you to submit this data. You can fill in the form. You can just sign in on the Virustotal website. You would need to configure the private key in the same parent folder where you’ve got the Virustotalchecker.exe. That is absolutely easy. This key is for free, but when it’s free you can only upload four items at the same time. When you’re going to pay for it, you can do this pretty much simultaneously. You choose. I’m using the free one for demo purposes. You can check it by yourself and have the same experience that I do have right now over here.

Some of those hashes on the list will be spotted by Virustotal as malicious software, so we’re going to leave this result for the moment and after a while, we’re going to get back to it and then we’re going to see if it discovered something or not.

Using this opportunity, let’s dig into another demo which will be related with extracting from event log information about different types of IP addresses that I am connecting with. Different processes that I have running in Windows are connecting within the network and I would like to know exactly which ones and with what kind of IP addresses. This is the data that I would like to get. In order to do that, I need to, of course, get access to the event log.

>> Download the CQSysmonNetAnalyzer <<
password: CQUREAcademy#123!

For now, what we will be playing with is a tool that we wrote as well. The tool is called CQSysmonNetAnalyzer. CQSysmonNetAnalyzer is the one that allows us to analyze the log. Let’s have a look.

sysmon

We’ve got a dir, and this is where we’ve got our Sysmon files and out where we’re going to have our output files. In our case, it’s going to be dir and it’s going to be C\Windows\System32\Winevt\Logs. This is the one that we have which is the path from the clipboard. We’re going to name it, for example, Sysmonnet.txt. Let’s extract it.

As I have repeated over and over, this one also is going to take a little bit of time because what we are doing, for now, is analyzing the log and extracting the IP addresses or the full information from the log, but focusing on IP addresses we have been communicating with by now. I’ve got a couple of thousands of events, so at this stage actually I would like to show you the log.

I have the output ready already and I am importing this to Excel. For now, that log looks like this.

We’ve got the log file here, and it’s now very easy to import. We will just press next and finish.

sysmon

This is how our log file looks like. We are importing right now from the really big piece of data the different types of connections that we’ve got over here. Of course, on the top of that, we can build a very nice table and this will allow us in a very comfortable way to sort out, for example, if I don’t want to have Fiddler, if I don’t want to have Adobe. We can now unselect different kinds of items that we don’t want to analyze and we will be left with different types of the executable that are interesting for us to analyze and know why they were communicating over the network.

What’s my point? My point is that there is a column. It’s called destination IP. Let’s take it. I will just copy the whole column and go to the tool called IPNetInfo. This is a tool that you can get from Nirsoft. Since it’s already there, we decided not to write our own tool. I can remove the beginning. What the tool will do is to filter out all the internal IP addresses like 192.168, and so on. It will only leave the external ones, and it will analyze them by verifying who the owner of an IP address is and the type of IP address it is.

sysmon

As you see right now, we are performing the verification of what we were in total communicating with. Selecting one of the top IP addresses that I’ve got shows that it is an IP address of the Microsoft Corporation. We can see, of course, who the owner is. We can see all the information that we got from ARIN.net, how we are able to communicate with the owner of the IP address, and so on. We also have a couple of other networks. We also verify what and who is the owner of a particular IP address. As you see, my list is actually pretty big over here. It’s going to take a little bit of time for the verification. At the end, you will have a complete list that you can use, and if you don’t like something, then you can block that on the firewall.

This is the analysis. Let’s have a look at the very end of the presentation. Is there something interesting from the hashes list that was discovered?

sysmon

Absolutely. We’ve got 75 as a number of hashes checked. We’ve got duration, and also we’ve got information about that particular finding over here. What was running is Mimikatz and currently, 33 of 57 different types of antivirus engine providers said that this is probably something not cool. Here we’ve got information about what that was.

We have analyzed three tools today. One is used to export Sysmon configuration so that you can play with it later on. If you update the configuration several times, then basically it’ll be great if you had the final file somewhere. You can also use it as a backup. Another tool that we used was the one that allowed us to export and play with hashes. You can also do it in many different ways. You can even use logparser on the top of your EVTX file. There is a logparser -I column EVT option to play with the EVTX files. You can use, as well, some other parser to extract MD5s, for example, so the hashes, or you can use our tool. Another one is the CQSysmonNetAnalyzer which is, to be sincere, my favorite. It allows us to export different type of network related events. In terms of external tools, we have used the Virustotalchecker.exe, which is a free tool downloadable from the Internet.

Comments