Introduction to Sysmon
As a continuously evolving project, Sysmon offers a range of features that assist in identifying anomalous activities across the network environment. A few of these key features include:
- Process creation logging: Capturing basic process information, parent process information, and command line details.
- Network communication monitoring: Recording source processes, IPs, ports, and hostnames of network connections.
- Process image hashing: Providing hashes of process image files in SHA1, MD5, SHA-256, or IMPHASH formats.
- DLL loading detection: Identifying the loading of DLLs, along with their corresponding hashes.
- File modification tracking: Detecting changes in file creation times, a technique often employed by attackers to evade detection.
- Kernel-mode malware identification, rule filtering based on false positives, session identification, and correlation capabilities.
In this comprehensive guide, we will walk you through the installation, configuration, and event analysis of Sysmon, ensuring you are equipped with the knowledge to harness its full potential.
Sysmon Installation Process
Installing Sysmon is a straightforward process. Start by downloading the binaries from Microsoft’s official website. Then, open the console in the same directory and follow the steps outlined below:
- Check the options provided by the binary using the command:
Sysmon64.exe -h
- Install Sysmon as a service/driver with default settings or with a custom configuration file (we will discuss the configuration process in the following section). To install Sysmon with default settings, use the following command in an administrative console:
Sysmon64.exe -i
The default configurations include SHA-1 hashing for process images and no monitoring of network connections.
Once the installation is complete, Sysmon’s service will begin logging events to its dedicated channel, and the driver will function as a boot-start driver, allowing it to capture events before the Windows operating system or event logging service fully boots up.
Accessing Sysmon Logs
Sysmon creates its event log channel under “Applications and Services Logs.” To access and view the logs, follow these steps:
- Open “eventvwr.msc.”
- On the left panel, expand “Applications and Services.”
- Open “Microsoft.”
- Open “Windows.”
- Navigate to “Sysmon” and select the “Operational log.”
Upon successful installation of Sysmon’s service, all logs should be updated in the “Operational log.” Event IDs 1 (Process Creation) and 5 (Process Termination) are commonly observed.
Configuring Sysmon
To customize Sysmon, begin by exporting the current configuration using the command:
Sysmon64.exe -c
This will display the output from the default configuration, which should resemble the following:
Current configuration:
- Service name: Sysmon64
- Driver name: SysmonDrv
- HashingAlgorithms: SHA1
- Network connection: disabled
- Archive Directory: -
- Image loading: disabled
- CRL checking: disabled
- DNS lookup: enabled
No rules installed
Next, we will construct a configuration file that can be used to modify the Sysmon installation. This file should start with the Sysmon tag, accompanied by the schemaversion attribute. The schemaversion attribute tells Sysmon which configuration schema the file was written for; Sysmon accepts configuration files written for its own schema version or an older one. The structure of the configuration file should resemble the following:
<Sysmon schemaversion="4.22">
...
</Sysmon>
To retrieve the current schema version, use the command:
Sysmon64.exe -? config
Configuration Entries
Under the Sysmon tag, you can add “Configuration Entries” that act as parameters for additional functionality. For example, you can specify the hashing algorithms used for detection:
<HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
This will result in the following configuration file structure:
<Sysmon schemaversion="4.22">
<HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
</Sysmon>
Event Filtering and Rule Groups
The EventFiltering tag is used to include event filters. For instance, you may want to include specific process creations and exclude others at the collection point.
Filter rules are written under the RuleGroup tag. Its groupRelation attribute (“or” or “and”) defines how the nested rules are combined, and it takes an optional name attribute. For example, to filter for file creation time events in the “C:\Users” directory or for executable files, you would write the following filter:
<RuleGroup name="" groupRelation="or">
<FileCreateTime onmatch="include">
<Image name="T1099" condition="begin with">C:\Users</Image>
<TargetFilename name="T1099" condition="end with">.exe</TargetFilename>
</FileCreateTime>
</RuleGroup>
To specify events for exclusion, simply replace the include value in the onmatch attribute with exclude.
For example, to monitor registry events for changes to the “CurrentVersion\Run” registry key, use the RegistryEvent tag under your RuleGroup:
<RuleGroup name="" groupRelation="or">
<RegistryEvent onmatch="include">
<TargetObject name="T160, RunKey" condition="contains">CurrentVersion\Run</TargetObject>
</RegistryEvent>
</RuleGroup>
With these filters in place, our sample configuration file will appear as follows:
<Sysmon schemaversion="4.22">
  <HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject name="T160, RunKey" condition="contains">CurrentVersion\Run</TargetObject>
      </RegistryEvent>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileCreateTime onmatch="include">
        <Image name="T1099" condition="begin with">C:\Users</Image>
        <TargetFilename name="T1099" condition="end with">.exe</TargetFilename>
      </FileCreateTime>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
Once your configuration file is complete, update the configuration using the command (replacing “config.xml” with your file):
Sysmon64.exe -c config.xml
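Before loading a rule set into a live installation it is useful to dry-run it against the events you expect to see. The following Python script is an added example, not code from the original guide or from the Sysmon project: it parses the sample configuration above (wrapped in EventFiltering) and applies a simplified model of Sysmon's include/exclude logic to constructed events. The event field names follow Sysmon's schema, but the extra Windows Defender exclude group, the subset of conditions supported, and the sample events are assumptions made for illustration.

```python
"""Dry-run Sysmon filter rules against constructed events (added example).

Simplified model of Sysmon filtering, not the Sysmon code itself:
  - each <RuleGroup groupRelation="or|and"> holds one event-type filter such
    as <FileCreateTime onmatch="include"> with field rules beneath it;
  - rules match case-insensitively with 'is', 'is not', 'contains',
    'begin with' and 'end with' (a subset of Sysmon's condition list);
  - an event is logged when no exclude group matches and either an include
    group matches or the event type has exclude groups only.
Event types the config does not mention are reported as None.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the guide's configuration plus an assumed exclude
# group, so that the "exclusions win over inclusions" rule can be shown.
SAMPLE_CONFIG = r"""<Sysmon schemaversion="4.22">
  <HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject name="T160, RunKey" condition="contains">CurrentVersion\Run</TargetObject>
      </RegistryEvent>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileCreateTime onmatch="include">
        <Image name="T1099" condition="begin with">C:\Users</Image>
        <TargetFilename name="T1099" condition="end with">.exe</TargetFilename>
      </FileCreateTime>
    </RuleGroup>
    <RuleGroup name="Assumed exclusion" groupRelation="or">
      <FileCreateTime onmatch="exclude">
        <Image condition="is">C:\Program Files\Windows Defender\MsMpEng.exe</Image>
      </FileCreateTime>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""


def match(condition, value, pattern):
    """Case-insensitive comparison for the subset of conditions modelled here."""
    v, p = value.lower(), pattern.lower()
    if condition == "is":
        return v == p
    if condition == "is not":
        return v != p
    if condition == "contains":
        return p in v
    if condition == "begin with":
        return v.startswith(p)
    if condition == "end with":
        return v.endswith(p)
    raise ValueError(f"condition not modelled: {condition}")


def load_rule_groups(config_xml):
    """Flatten every RuleGroup into {event, onmatch, relation, rules}."""
    groups = []
    for rg in ET.fromstring(config_xml).iter("RuleGroup"):
        relation = rg.get("groupRelation", "or").lower()
        for event_filter in rg:  # e.g. <FileCreateTime onmatch="include">
            rules = [(rule.tag, rule.get("condition", "is"), rule.text or "")
                     for rule in event_filter]
            groups.append({"event": event_filter.tag, "relation": relation,
                           "onmatch": event_filter.get("onmatch", "include"),
                           "rules": rules})
    return groups


def group_matches(group, event):
    """Combine the group's per-rule results according to groupRelation."""
    results = [match(cond, event.get(field, ""), pattern)
               for field, cond, pattern in group["rules"]]
    if not results:
        return False
    return all(results) if group["relation"] == "and" else any(results)


def would_log(groups, event_type, event):
    """True/False when the config governs this event type, None otherwise."""
    includes = [g for g in groups if g["event"] == event_type and g["onmatch"] == "include"]
    excludes = [g for g in groups if g["event"] == event_type and g["onmatch"] == "exclude"]
    if not includes and not excludes:
        return None
    if any(group_matches(g, event) for g in excludes):
        return False  # exclusions take precedence over inclusions
    if not includes:
        return True   # exclude-only filter: everything else is logged
    return any(group_matches(g, event) for g in includes)


def demo():
    """Run constructed events through SAMPLE_CONFIG and return the decisions."""
    groups = load_rule_groups(SAMPLE_CONFIG)
    cases = [  # (event type, event fields) - all values are made up
        ("FileCreateTime", {"Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe", "TargetFilename": r"C:\Users\alice\notes.txt"}),
        ("FileCreateTime", {"Image": r"C:\Windows\System32\svchost.exe", "TargetFilename": r"C:\Windows\Temp\helper.exe"}),
        ("FileCreateTime", {"Image": r"C:\Windows\System32\svchost.exe", "TargetFilename": r"C:\Windows\Temp\helper.log"}),
        ("FileCreateTime", {"Image": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetFilename": r"C:\Users\alice\tool.exe"}),
        ("RegistryEvent", {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"}),
        ("RegistryEvent", {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\App"}),
        ("ProcessCreate", {"Image": r"C:\Windows\System32\cmd.exe"}),
    ]
    return [(event_type, would_log(groups, event_type, event)) for event_type, event in cases]


if __name__ == "__main__":
    for event_type, decision in demo():
        print(f"{event_type:15} -> {decision}")
```

The third FileCreateTime case shows why onmatch="include" groups need care: an event that matches none of the include rules is silently dropped, while the fourth case shows that a matching exclude group discards an event even though it also satisfies an include rule.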
It is important to note that while Sysmon provides advanced logging capabilities with built-in filtering, it is not a whitelisting tool or HIDS agent. The effectiveness of Sysmon relies heavily on your analysis of the logs collected from an endpoint.
For more detailed documentation, visit: Microsoft Sysmon Documentation
Pre-built Sysmon Configurations
Fortunately, the cybersecurity community has contributed extensively to keeping Sysmon configurations up to date. One notable example is the sysmon-export.xml file created by SwiftOnSecurity. This highly customizable configuration is kept current with the latest Sysmon releases and can be downloaded and integrated into your existing configuration with ease.
Access the sysmon-export.xml file here: SwiftOnSecurity’s Sysmon Config
Those interested in contributing their own rules or files can do so by creating a similar open-source configuration file.
Understanding Sysmon Event IDs
Sysmon generates logs with various event IDs, each corresponding to a specific type of event. The list below outlines the event IDs associated with Sysmon’s service:
- Event ID 1: Process creation
- Event ID 2: Process changed a file creation time
- Event ID 3: Network connection
- Event ID 4: Sysmon service state changed
- Event ID 5: Process terminated
- Event ID 6: Driver loaded
- Event ID 7: Image loaded
- Event ID 8: CreateRemoteThread
- Event ID 9: RawAccessRead
- Event ID 10: ProcessAccess
- Event ID 11: FileCreate
- Event ID 12: RegistryEvent (Creation and Deletion)
- Event ID 13: RegistryEvent (Value set)
- Event ID 14: RegistryEvent (Key and Value rename)
- Event ID 15: FileCreateStreamHash
- Event ID 16: ServiceConfigurationChange
- Event ID 17: PipeEvent (Creation)
- Event ID 18: PipeEvent (Connected)
- Event ID 19: WmiEvent (WmiEventFilter activity)
- Event ID 20: WmiEvent (WmiEventConsumer activity)
- Event ID 21: WmiEvent (WmiEventConsumerToFilter activity)
- Event ID 22: DNSEvent (DNS Query)
- Event ID 23: FileDelete
- Event ID 255: Error
Analyzing Sysmon Logs
To illustrate the value of Sysmon logs, let’s examine a sample log entry generated by Sysmon with a configuration updated according to SwiftOnSecurity’s configuration file:
(Screenshot in the original: a sample log entry, Sysmon Event ID 3: Network Connection Detected)
Reviewing the available information in a single log entry reveals a wealth of data that is not typically recorded by default Windows logging. Sysmon fills these gaps, providing crucial insights for IT professionals.
By forwarding these logs to a SIEM or centralized logging solution, you can further enhance the analysis and detection capabilities of your cybersecurity infrastructure.
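The same fields that make a single Event ID 3 entry informative are what a SIEM pipeline parses and aggregates. The following Python script is an added example, not code from the original guide or from the Sysmon project: it parses Sysmon records in the XML form produced by wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml, flattens the EventData fields, and summarises outbound connections per process. The records are constructed (host name, paths, users and addresses are made up), and the triage rule that flags connections initiated from a user-writable directory is an assumption made for illustration, not a Sysmon feature.

```python
"""Parse exported Sysmon Event ID 3 records and summarise them per process.

Added example. The records below are constructed to resemble a wevtutil
XML export; all values are made up. The "user-writable path" triage rule
is an illustrative assumption, not something Sysmon computes itself.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Windows event XML puts every element in this default namespace.
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed export: three network connections and one process creation.
SAMPLE_EXPORT = r"""
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID><Computer>WS01.example.local</Computer></System>
  <EventData>
    <Data Name="UtcTime">2024-01-10 09:15:02.101</Data>
    <Data Name="Image">C:\Program Files\Mozilla Firefox\firefox.exe</Data>
    <Data Name="User">EXAMPLE\alice</Data>
    <Data Name="Protocol">tcp</Data>
    <Data Name="Initiated">true</Data>
    <Data Name="DestinationIp">93.184.216.34</Data>
    <Data Name="DestinationHostname">example.com</Data>
    <Data Name="DestinationPort">443</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID><Computer>WS01.example.local</Computer></System>
  <EventData>
    <Data Name="UtcTime">2024-01-10 09:16:40.553</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\updater.exe</Data>
    <Data Name="User">EXAMPLE\alice</Data>
    <Data Name="Protocol">tcp</Data>
    <Data Name="Initiated">true</Data>
    <Data Name="DestinationIp">198.51.100.7</Data>
    <Data Name="DestinationHostname">-</Data>
    <Data Name="DestinationPort">8443</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID><Computer>WS01.example.local</Computer></System>
  <EventData>
    <Data Name="UtcTime">2024-01-10 09:16:41.002</Data>
    <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
    <Data Name="User">NT AUTHORITY\NETWORK SERVICE</Data>
    <Data Name="Protocol">udp</Data>
    <Data Name="Initiated">true</Data>
    <Data Name="DestinationIp">10.0.0.2</Data>
    <Data Name="DestinationHostname">dc01.example.local</Data>
    <Data Name="DestinationPort">53</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>WS01.example.local</Computer></System>
  <EventData>
    <Data Name="UtcTime">2024-01-10 09:16:39.900</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\updater.exe</Data>
    <Data Name="CommandLine">"C:\Users\alice\AppData\Local\Temp\updater.exe" /silent</Data>
  </EventData>
</Event>
"""

# Assumed triage heuristic: locations a standard user can write to.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_events(xml_export):
    """Turn a concatenated wevtutil XML export into a list of flat dicts."""
    root = ET.fromstring(f"<Events>{xml_export}</Events>")  # wrap the sequence
    events = []
    for ev in root.findall(f"{NS}Event"):
        system = ev.find(f"{NS}System")
        record = {"EventID": int(system.findtext(f"{NS}EventID")),
                  "Computer": system.findtext(f"{NS}Computer", "")}
        for data in ev.find(f"{NS}EventData").findall(f"{NS}Data"):
            record[data.get("Name")] = data.text or ""
        events.append(record)
    return events


def summarise_connections(events):
    """Per image: outbound connection count, destinations, and a triage flag."""
    summary = defaultdict(lambda: {"connections": 0, "destinations": set(), "flagged": False})
    for e in events:
        if e["EventID"] != 3 or e.get("Initiated", "").lower() != "true":
            continue  # only outbound (initiated) network connection events
        entry = summary[e["Image"]]
        entry["connections"] += 1
        entry["destinations"].add(f'{e["DestinationIp"]}:{e["DestinationPort"]}')
        if e["Image"].lower().startswith(USER_WRITABLE):
            entry["flagged"] = True
    return {image: {**v, "destinations": sorted(v["destinations"])} for image, v in summary.items()}


if __name__ == "__main__":
    for image, info in summarise_connections(parse_events(SAMPLE_EXPORT)).items():
        flag = " [review: user-writable path]" if info["flagged"] else ""
        print(f"{image}: {info['connections']} connection(s) -> {', '.join(info['destinations'])}{flag}")
```

The parser keys each Data element by its Name attribute, so the same function handles every Sysmon event type; only the summary step is specific to Event ID 3. Correlating the flagged connection with the preceding Event ID 1 record for the same image (its command line and parent) is the kind of join a SIEM performs once these logs are forwarded.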
Conclusion
In this comprehensive guide, we have covered the key aspects of setting up and using Sysmon. By experimenting with configuration files and understanding the unique requirements of your enterprise, you can optimize Sysmon to minimize noise and maximize the efficiency of your threat hunting efforts. As a result, you will be better equipped to detect, analyze, and mitigate potential threats within your network environment.