In this video walk-through, we covered how sysmon works and how to analyze events generated to detect and respond to incidents.
Learn how to utilize Sysmon to monitor and log your endpoints and environments.
Sysmon, a tool used to monitor and log events on Windows, is commonly used by enterprises as part of their monitoring and logging solutions. Part of the Windows Sysinternals package, Sysmon is similar to Windows Event Logs with further detail and granular control.
From the Microsoft Docs, “System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.”
Sysmon gathers detailed and high-quality logs as well as event tracing that assists in identifying anomalies in your environment. Sysmon is most commonly used in conjunction with security information and event management (SIEM) system or other log parsing solutions that aggregate, filter, and visualize events. When installed on an endpoint, Sysmon will start early in the Windows boot process. In an ideal scenario, the events would be forwarded to a SIEM for further analysis. However, in this room, we will focus on Sysmon itself and view the events on the endpoint itself with Windows Event Viewer
How many event ID 3 events are in C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx?
What is the UTC time created of the first network event in C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx?
What is the device name when being called by RawAccessRead in Investigation 1?
What is the first exe the process executes in Investigation 1?
What is the full path of the payload in Investigation 2?
What is the full path of the file the payload masked itself as in Investigation 2?
What signed binary executed the payload in Investigation 2?
What is the IP of the adversary in Investigation 2?
What back connect port is used in Investigation 2?
What is the IP of the suspected adversary in Investigation 3.1?
What is the hostname of the affected endpoint in Investigation 3.1?
What is the hostname of the C2 server connecting to the endpoint in Investigation 3.1?
Where in the registry was the payload stored in Investigation 3.1?
What PowerShell launch code was used to launch the payload in Investigation 3.1?
What is the IP of the adversary in Investigation 3.2?
What is the full path of the payload location in Investigation 3.2?
What was the full command used to create the scheduled task in Investigation 3.2?
What process was accessed by schtasks.exe that would be considered suspicious behavior in Investigation 3.2?
What is the IP of the adversary in Investigation 4?
What port is the adversary operating on in Investigation 4?
What C2 is the adversary utilizing in Investigation 4?