Sysinternals Tool Sysmon Usage Tips and Tricks - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Wednesday, February 20, 2019

Sysinternals Tool Sysmon Usage Tips and Tricks

Microsoft Sysinternals tool Sysmon is a service and device driver, that once installed on a system, logs indicators that can greatly help track malicious activity in addition to help with general troubleshooting.
Sysinternals from Web Browser:

Basic Sysmon Usage commands:

sysmon -i -accepteula [options]
  • Extracts binaries into %systemroot%
  • Registers event log manifest
  • Enables default configuration

Note: Once this command runs, the Sysmon service is installed, running, and logging to the Event log at Applications and Service Logs > Microsoft > Windows > Sysmon > Operational. 

Viewing and updating configuration:
sysmon -c [options]
  • Updates take effect immediately
  • Options can be basic options or a configuration file

Register event manifest for viewing logs only:
sysmon -m

sysmon -u

Sysmon -h
sysmon -h config

1. Get a Remote Sysmon Event

PS C:\windows\system32> enter-pssession -ComputerName testmachine1 -Credential admin1
[testmachine1]: PS C:\Users\admin1\Documents> cd ..
[testmachine1]: PS C:\Users\admin1> cd ..
[testmachine1]: PS C:\Users> cd ..
[testmachine1]: PS C:\> dir

    Directory: C:\

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----        17/09/2018   4:31 PM            1e1e425df683e574801386fa411ca3
da---        03/05/2018   1:32 PM            Activexviewer
d----        03/05/2018   1:31 PM            Dell
d----        03/05/2018   1:40 PM            Desktop Authority
d----        27/02/2018  11:27 AM            Intel
d----        13/07/2009  11:20 PM            PerfLogs
d-r--        20/09/2018  11:51 AM            Program Files
d-r--        18/09/2018  10:31 AM            Program Files (x86)
d----        18/09/2018  11:06 AM            Temp
d-r--        27/09/2018   9:40 AM            Users
d----        27/09/2018   9:46 AM            Windows
-a---        26/09/2018   2:02 PM       8922 SUService.log

[testmachine1]: PS C:\Users> Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational";id=3;} | Where {
$_.message -like "**" -and $_.message -like "*DestinationPort: *"} | Select-Object -Property message -First 1
 | Format-List

Message : Network connection detected:
          UtcTime: 2018-09-27 14:36:22.092
          ProcessGuid: {88333078-C9A4-5BAB-0000-0010EB030000}
          ProcessId: 4
          Image: System
          Protocol: tcp
          Initiated: false
          SourceIsIpv6: false
          SourcePort: 5985
          DestinationIsIpv6: false
          DestinationPort: 56588

[kl]: PS C:\Users>

2. Update Sysmon with config file

You also have the option of using a configuration file, which can further nail down what you would like to log.

C:\ISOScripting>Sysmon64.exe -h config

System Monitor v7.02 - System activity monitor
Copyright (C) 2014-2018 Mark Russinovich and Thomas Garnier
Sysinternals -

Configuration usage (current schema is version: 4.00):

Configuration files can be specified after the -i (installation) or -c
(configuration) switches. They make it easier to deploy a preset configuration
and to filter captured events.

A simple configuration xml file looks like this:

<Sysmon schemaversion="4.00">
  <!-- Capture all hashes -->
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    <!-- Do not log process termination -->
    <ProcessTerminate onmatch="include" />
    <!-- Log network connection if the destination port equal 443 -->
    <!-- or 80, and process isn't InternetExplorer -->
    <NetworkConnect onmatch="include">
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">iexplore.exe</Image>

The configuration file contains a schemaversion attribute on the Sysmon
tag.This version is independent from the Sysmon binary version and allows the
parsing of older configuration files. The current schema version is shown in
the sample configuration.

Configuration entries are directly under the Sysmon tag and filters are under
the EventFiltering tag. Configuration entries are similar to command line
switches, and have their configuration entry described in the Sysmon usage
output. Parameters are optional based on the tag. If a command line switch
also enables an event, it needs to be configured though its filter tag.

Event filtering allows you to filter generated events. In many cases events
can be noisy and gathering everything is not possible. For example, you might
be interested about network connections only for a certain process, but not
all of them. You can filter the output on the host reducing the data to

Each event has its own filter tag under EventFiltering:

Id     Tag                  Event
1      ProcessCreate        Process Create
2      FileCreateTime       File creation time changed
3      NetworkConnect       Network connection detected
5      ProcessTerminate     Process terminated
6      DriverLoad           Driver loaded
7      ImageLoad            Image loaded
8      CreateRemoteThread   CreateRemoteThread detected
9      RawAccessRead        RawAccessRead detected
10     ProcessAccess        Process accessed
11     FileCreate           File created
12     RegistryEvent        Registry object added or deleted
13     RegistryEvent        Registry value set
14     RegistryEvent        Registry object renamed
15     FileCreateStreamHash File stream created
17     PipeEvent            Pipe Created
18     PipeEvent            Pipe Connected
19     WmiEvent             WmiEventFilter activity detected
20     WmiEvent             WmiEventConsumer activity detected
21     WmiEvent             WmiEventConsumerToFilter activity detected

You can also find these tags in the event viewer on the task name.

The onmatch filter is applied if events are matched. It can be changed with
the "onmatch" attribute for the filter tag. If the value is 'include', it
means only matched events are included. If it is set to 'exclude', the event
will be included except if a rule match.

Each tag under the filter tag is a fieldname from the event. Each field entry
is tested against generated events, if one match the rule is applied and the
rest is ignored.

For example this rule will discard any process event where the IntegrityLevel
is medium:

    <ProcessCreate onmatch="exclude">

Field entries can use other conditions to match the value. The conditions
areas follow (all are case insensitive):

is          Default, values are equals.
is not      Values are different.
contains    The field contains this value.
excludes    The field does not contain this value.
begin with  The field begins with this value.
end with    The field ends with this value.
less than   Lexicographical comparison is less than zero.
more than   Lexicographical comparison is more than zero.
image       Match an image path (full path or only image name).
            For example: lsass.exe will match c:\windows\system32\lsass.exe.

You can use a different condition by specifying it as an attribute. This
excludes network activity from processes with iexplore.exe in their path:

  <NetworkConnect onmatch="exclude">
    <Image condition="contains">iexplore.exe</Image>

You can use both include and exclude rules for the same tag, where exclude
rules override include rules. Within a rule, filter conditions have OR
behavior,  In the sample configuration shown earlier, the networking filter
uses both an include and exclude rule to capture activity to port 80 and 443
by all processes except those that have iexplore.exe in their name.


Template for a super simple config.xml

<Sysmon schemaversion="4.00">
 <HashAlgorithms>md5,sha256</HashAlgorithms> <!-- Both MD5 and SHA256 are the industry-standard algorithms for identifying files -->
 <CheckRevocation/> <!-- Check loaded drivers, log if their code-signing certificate has been revoked, in case malware stole one to sign a kernel driver -->


 <!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
  <ProcessCreate onmatch="exclude">

  <FileCreateTime onmatch="include">

  <FileCreateTime onmatch="exclude">

  <NetworkConnect onmatch="include">
   <!--Destination : Suspicious-->
   <DestinationIp condition="is"></DestinationIp> <!--Specific rule-->
   <DestinationIp condition="is"></DestinationIp> <!--test verification rule-->

  <NetworkConnect onmatch="exclude">


A little bit more complicate one:

<Sysmon schemaversion="4.00">
 <!-- Event ID 1: ProcessCreate -->
<ProcessCreate onmatch="exclude">
<!-- Google Chrome -->
<Image condition="Is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
<Image condition="contains">Chrome\Application\chrome.exe</Image>  
<!-- Other Chatty applications -->
<Image condition="contains">C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Image>
<Image condition="contains">C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe</Image>
<ParentImage condition="contains">C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</ParentImage>
<CommandLine condition="contains">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</CommandLine>
<ParentCommandLine condition="contains">C:\Windows\system32\SearchIndexer.exe /Embedding</ParentCommandLine>
<ParentCommandLine condition="contains">C:\Windows\system32\SearchIndexer.exe /Embedding</ParentCommandLine>
<!-- Event ID: 2 FileCreateTime -->
<FileCreateTime onmatch="exclude">
 <Image condition="end with">chrome.exe</Image>
 <Image condition="end with">firefox.exe</Image>
 <Image condition="end with">outlook.exe</Image>
 <Image condition="end with">iexplore.exe</Image>
 <Image condition="contains">C:\Windows\system32\msiexec.exe</Image>
 <Image condition="contains">C:\Windows\syswow64\MsiExec.exe</Image>
<!-- Event ID 3: Network Connection -->
<NetworkConnect onmatch="exclude">
    <DestinationIp condition="contains">169.254</DestinationIp> 
 <DestinationIp condition="contains">255.255.</DestinationIp> 
 <DestinationIp condition="contains">239.255.</DestinationIp> 
 <DestinationIp condition="begin with">10.</DestinationIp> 
 <DestinationIp condition="contains">127.0.</DestinationIp> 
 <DestinationIp condition="contains">0:0:0</DestinationIp> 
<!--<Image condition="end with">iexplore.exe</Image> -->
<!--<Image condition="end with">chrome.exe</Image> -->
 <Image condition="end with">excel.exe</Image>
 <Image condition="end with">winword.exe</Image>
 <Image condition="end with">lms.exe</Image>
 <Image condition="end with">onenote.exe</Image>
 <Image condition="contains">C:\Program Files\Mozilla Firefox\firefox.exe"</Image>
 <Image condition="contains">C:\Program Files\Mozilla Firefox\firefox.exe</Image> 
 <DestinationPortName condition="end with">dhcpv6-client</DestinationPortName>
 <DestinationPortName condition="end with">epmap</DestinationPortName>
 <DestinationPortName condition="end with">llmnr</DestinationPortName>
 <DestinationPortName condition="end with">netbios-dgm</DestinationPortName>
 <DestinationPortName condition="end with">netbios-ns</DestinationPortName>
 <DestinationPortName condition="end with">netbios-ns</DestinationPortName>
 <SourcePortName condition="end with">llmnr</SourcePortName>
 <SourcePortName condition="end with">epmap</SourcePortName>
 <SourcePortName condition="end with">ws-discovery</SourcePortName>
 <SourcePortName condition="end with">ssdp</SourcePortName>
<!-- Event ID: 5 Process Terminate. We're not logging process termination -->
<ProcessTerminate onmatch="include"/>
<!-- Event ID: 6 Driver Loaded: Log all drivers except if signature Contains Microsoft or Windows-->
<DriverLoad onmatch="exclude">
 <Signature condition="contains">microsoft</Signature>
 <Signature condition="contains">windows</Signature>
<!-- Event ID: 8 Log CreateRemoteThread -->
<CreateRemoteThread onmatch="include"> 
      <TargetImage condition="image">lsass.exe</TargetImage> 
  <TargetImage condition="image">winlogon.exe</TargetImage> 
  </CreateRemoteThread >
<!-- Event ID: 9 RawAccessRead -->
<RawAccessRead onmatch="exclude">
<!-- Event ID: 11 FileCreate -->
<FileCreate onmatch="include">
<TargetFilename condition="end with">.exe</TargetFilename>
<TargetFilename condition="end with">.pdf</TargetFilename>
<TargetFilename condition="end with">.vbs</TargetFilename>
<TargetFilename condition="end with">.doc</TargetFilename>
<TargetFilename condition="end with">.hta</TargetFilename>
<TargetFilename condition="end with">.xls</TargetFilename>
<!-- Event ID: 12 Certain registry keys (AutoStart, Services,Debuggers) -->
<RegistryEvent onmatch="include">
<TargetObject condition="contains">Windows\CurrentVersion\Run</TargetObject>
<TargetObject condition="contains">Windows\CurrentVersion\Image File Execution Options</TargetObject>
<TargetObject condition="contains">CurrentControlSet\Services</TargetObject>
<TargetObject condition="contains">Microsoft\Windows NT\CurrentVersion\Winlogon</TargetObject>
<TargetObject condition="contains">Microsoft\Windows\CurrentVersion\Policies\Explorer</TargetObject>
<TargetObject condition="contains">Microsoft\Windows\CurrentVersion\RunOnce</TargetObject>
<TargetObject condition="contains">System\CurrentControlSet\Services\Tcpip\parameters</TargetObject>
<!-- Event ID: 15 FileCreateStreamHash  Events -->
<FileCreateStreamHash onmatch="exclude">
<TargetFilename condition="end with">.directory</TargetFilename>
<TargetFilename condition="end with">.sxx</TargetFilename>
<TargetFilename condition="end with">.partial</TargetFilename>

3. Change Sysmon Event Log Size

Change sysmon event log file size to 20M with wevtutil command:

wevtutil s1 Microsoft-Windows-Sysmon/Operational /ms:20971520

4. Third party tools: Sysmon View and Sysmon Shell
Sysmon View 1.4
Sysmon Shell 1.1

5. Deploy Sysmon in the domain environment

There is a script from "Deploying Sysmon through Group Policy (GPO)" and the process.

copy /z /y "\\\apps\config.xml" "C:\windows\"
sysmon -c c:\windows\config.xml
sc query "Sysmon" | Find "RUNNING"
goto startsysmon
net start Sysmon
goto installsysmon
"\\\apps\sysmon.exe" /accepteula -i c:\windows\config.xml

Right click your domain OU and
  1.  Create GPO in this domain, and link it here
  2. Provide a name (Sysmon Deployment) , hit OK
  3. Right click your newly created GPO Sysmon Deployment and select Edit
  4. Navigate to Computer configuration > Policies > Windows Settings > Scripts > Startup
  5. Click on Startup and Add and browse to your script location \\\apps\Sysmon_Install.bat and finalize with OK
  6. Right click your newly created GPO and ensure that it’s enabled and enforced (if necessary)


No comments:

Post a Comment