Sysmon is a utility that's packaged with the Windows Sysinternals toolset, which is a set of Windows tools for administrators or advanced users. Sysmon itself is simply a Windows service and device driver that collects system events of interest and forwards them to the Windows event log. Thinking about Sysmon as a host-based sensor for strategic hunting and advanced behavioral detection capability is where things get really exciting.
What makes Sysmon a powerful sensor for both hunting as well as advanced threat detection is the nature of the events it collects. The primary and most powerful event is the Process Creation event. With this single event we can see every process that runs on every host that has Sysmon installed in our environment. This by itself lets us get a feel for what normal operations look like on a given host, or in general across hosts in our environment. With some basic analytics tools, we can quickly begin to ferret out anomalies or deviations from normal system and user behavior.
What makes these Process Creation events even more powerful is that they contain both the command line for the process itself as well as the parent process and its command line. This is especially powerful because we can look for things like an application such as Winword.exe launching cmd.exe or powershell.exe. With a single event from Sysmon, we can detect advanced attacker behavior, such as the above example, where a Microsoft Word exploit runs some command line activity to create a backdoor and establish persistence.
Combining the power of Sysmon with an advanced analytics platform, such as Splunk, or the open source Elastic Stack (formerly known as the ELK Stack), unlocks an extremely powerful and potentially low-cost means to power hunting operations, detect advanced threats in your environment, and provide an always-on source of forensic data in the case of an incident response.
The great thing about this setup is that it’s extremely easy to roll it out to a small number of hosts and start to see the benefits very quickly. It can also be low or no cost - at least initially. As you scale, there will be increased costs to host your analytics toolset, but even those can be kept to a minimum to fit the size and needs of your business.
Take a look at this resource for some tips on getting started installing Sysmon.
Below are are few detection ideas to get you started:
Pattern: Productivity App (e.g. Word, Excel, PowerPoint, Outlook) launches cmd.exe or powershell.exe
Notes: This should typically be a red flag if you see this happen in your environment. Productivity applications launching shells may be indicative of a malicious document or email. While there may always be some exceptions depending on the environment, once those are accounted for, this should be a very high fidelity pattern, indicating something malicious happening.
Pattern: Abnormal parent of svchost.exe
Notes: Typically, the parent of svchost.exe is services.exe. As you get a baseline for your environment, you can confirm this. Deviation from that norm should be interesting to you as a security practitioner or analyst. Oftentimes, advanced attackers use the name svchost.exe to hide their operations because there are often several svchosts running on a typical Windows host. Other times, the actual svchost.exe may be called by a malicous program in order to achieve the intent of the intrusion.
Notes: While whoami.exe is a standard Windows executable that you’ll see running occasionally, it’s not very common for your average user to run it. For the most part, whoami is used by system administrators, attackers, or penetration testers (at least in a Windows environment). This pattern might serve more as a hunting lead than a stand-alone detection.
Pattern: CommandLine=”net.exe use *”
Notes: Similar to the whoami pattern, “net use” is occasionally used by administrators, and very often used by advanced attackers to move laterally across your environment. A more sophisticated use of these two patterns might be to combine them and look for the occurrence of whoami.exe and net.exe occurring on the same system in a short time window.
There are many, many more patterns that can be used to detect the common modalities that advanced attackers routinely use to operate in victim environments, many of which typically go undetected for months or years.
My goal with this post is to provide a succinct, high-level overview of the detection and hunting possibilities available to you with these low-cost tools. Hopefully you can see some of the possibilities already and are ready to test this out in your own environment. Feel free to reach out with any questions or ideas. If you would like me to cover one of these topics in more detail in a future post, please let us know.