Introduction
This post on Threat Hunting with Sysmon in Security Operations on TryHackMe explains using Sysmon, a Windows monitoring tool, for threat detection within a Security Operations Center (SOC). It covers Sysmon’s configuration, key event types (e.g., process creation, network connections), and deployment. A practical walkthrough in the TryHackMe environment demonstrates analyzing Sysmon logs to trace potential threats, such as malicious files or network anomalies. It emphasizes customizing Sysmon rules for enhanced detection and discusses filtering techniques to streamline threat identification, making Sysmon a crucial tool for incident response and forensic analysis.
Overview of Sysmon
Sysmon, a tool used to monitor and log events on Windows, is commonly used by enterprises as part of their monitoring and logging solutions. Part of the Windows Sysinternals package, Sysmon is similar to Windows Event Logs but with more detail and more granular control over what gets recorded.
From the Microsoft Docs, “System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.”
Sysmon gathers detailed, high-quality logs and event tracing that help identify anomalies in your environment. Sysmon is most commonly used in conjunction with a security information and event management (SIEM) system or another log parsing solution that aggregates, filters, and visualizes events. When installed on an endpoint, Sysmon starts early in the Windows boot process. In an ideal scenario, the events would be forwarded to a SIEM for further analysis. However, in this room, we will focus on Sysmon itself and view the events on the endpoint with Windows Event Viewer.
Sysmon Configuration and Event Types
Sysmon operates based on a configuration file that defines the events to monitor and log. Common event types in a Sysmon configuration include:
- Process Creation (Event ID 1): Triggers when a new process is created, often used to detect malware behavior.
- Network Connections (Event ID 3): Monitors outbound network connections for unauthorized data exfiltration or C2 (command-and-control) activity.
- File Creation (Event ID 11): Detects new files, which could signify malware payloads.
- Registry Key Changes (Event ID 13): Identifies changes to registry keys often associated with persistence mechanisms.
- Alternate Data Streams and DNS Queries: These events track attempts to evade detection or communicate externally, such as DNS tunneling or hidden data streams.
Practical Configuration and Deployment
- Installing Sysmon: Sysmon is installed as a service, configured with a specified XML file containing detection rules.
- Sample Configuration File: The tutorial provides a configuration file example from GitHub, detailing rules for detecting various malware behaviors, like process injections or specific suspicious file paths.
- This configuration can be customized with additional rules based on threat intelligence and specific needs, such as newly identified malware behavior patterns.
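The deployment described above, as an added example that is not the room's or Microsoft's sample configuration: a small rule file covering the event types listed earlier, written to disk and then installed (or reloaded on a host that already runs Sysmon). The paths, the schema version and every rule value are assumptions chosen for illustration.

```powershell
# Added example (not the room's or Microsoft's sample config): write a small Sysmon
# rule file covering the event types above, then install it or reload it.
# $ConfigPath, $SysmonExe, the schema version and every rule value are assumptions.
$ConfigPath = 'C:\Sysmon\sysmon-config.xml'
$SysmonExe  = 'C:\Sysmon\Sysmon64.exe'
$Config = @'
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1: "include" logs only the matching process creations -->
    <ProcessCreate onmatch="include">
      <Image condition="end with">powershell.exe</Image>
      <Image condition="end with">schtasks.exe</Image>
      <ParentImage condition="end with">winword.exe</ParentImage>
    </ProcessCreate>
    <!-- Event ID 3: "exclude" logs every connection except the listed noise -->
    <NetworkConnect onmatch="exclude">
      <DestinationPort condition="is">443</DestinationPort>
    </NetworkConnect>
    <!-- Event ID 11: files dropped into user-writable staging locations -->
    <FileCreate onmatch="include">
      <TargetFilename condition="contains">\AppData\Local\Temp\</TargetFilename>
      <TargetFilename condition="contains">\Downloads\</TargetFilename>
    </FileCreate>
    <!-- Event IDs 12-14: writes to the classic autostart (persistence) keys -->
    <RegistryEvent onmatch="include">
      <TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
    </RegistryEvent>
    <!-- Event ID 15: alternate data streams on downloaded files -->
    <FileCreateStreamHash onmatch="include">
      <TargetFilename condition="contains">\Downloads\</TargetFilename>
    </FileCreateStreamHash>
    <!-- Event ID 22: DNS queries, minus one trusted domain to cut volume -->
    <DnsQuery onmatch="exclude">
      <QueryName condition="end with">.microsoft.com</QueryName>
    </DnsQuery>
  </EventFiltering>
</Sysmon>
'@
New-Item -ItemType Directory -Path (Split-Path $ConfigPath) -Force | Out-Null
Set-Content -Path $ConfigPath -Value $Config -Encoding UTF8
# The service name follows the binary name (Sysmon64 here). A fresh host gets -i;
# a host that already runs Sysmon gets -c, which swaps the rules without reinstalling.
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & $SysmonExe -c $ConfigPath
} else {
    & $SysmonExe -accepteula -i $ConfigPath
}
```

Run it from an elevated PowerShell prompt; the include/exclude pairs are where tuning against a threat intelligence feed or a newly observed pattern happens.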
Investigation Walkthrough on TryHackMe
- The video then transitions to a TryHackMe scenario, simulating an investigation where a malicious file is dropped via USB, and Sysmon logs are used to trace the attack.
- Steps include:
- Viewing Sysmon Logs in Windows Event Viewer: Sysmon logs are located under Applications and Services Logs → Microsoft → Windows → Sysmon.
- Filtering Event IDs: Analysts filter specific Event IDs to narrow down relevant logs (e.g., Event ID 1 for process creation).
- Answering Incident Response Questions: By examining Sysmon logs, investigators can identify artifacts like process names, file paths, registry modifications, and network connections associated with the malware activity.
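The Event ID filtering step above, as an added example (not part of the room's own material): the same filter Event Viewer applies, scripted with Get-WinEvent against the room's practice file so the Event ID 3 count, the earliest network event and the Event ID 1 process creations come out in one pass. The field names used (UtcTime, Image, DestinationIp, DestinationPort, ParentImage, CommandLine) are standard Sysmon EventData names.

```powershell
# Added example (not part of the room): filter a saved Sysmon log by Event ID from
# PowerShell instead of the Event Viewer dialog. $LogPath is the room's practice file;
# the field names (UtcTime, Image, DestinationIp, ...) are standard Sysmon EventData names.
$LogPath = 'C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx'

function Get-SysmonEvents {
    param([string]$Path, [int]$EventId)
    # Same XPath Event Viewer builds when you filter on an Event ID, just scripted.
    # SilentlyContinue so an empty result yields a count of 0 instead of an error.
    Get-WinEvent -Path $Path -FilterXPath "*[System[EventID=$EventId]]" -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the <EventData><Data Name="...">...</Data> pairs into a hashtable.
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
            [pscustomobject]@{ EventId = $EventId; UtcTime = $fields['UtcTime']; Fields = $fields }
        }
}

# Event ID 3: how many network connections, and which one came first (Sysmon's own UtcTime).
$net = @(Get-SysmonEvents -Path $LogPath -EventId 3 | Sort-Object UtcTime)
"Event ID 3 count: $($net.Count)"
if ($net.Count -gt 0) {
    $f = $net[0].Fields
    "First network event: {0}  {1} -> {2}:{3}" -f $f.UtcTime, $f.Image, $f.DestinationIp, $f.DestinationPort
}

# Event ID 1: process creations, the usual starting point when tracing a dropped file.
Get-SysmonEvents -Path $LogPath -EventId 1 |
    Select-Object UtcTime,
        @{ n = 'Image';       e = { $_.Fields.Image } },
        @{ n = 'ParentImage'; e = { $_.Fields.ParentImage } },
        @{ n = 'CommandLine'; e = { $_.Fields.CommandLine } } |
    Format-Table -AutoSize -Wrap
```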
Best Practices and Customization
- Customizing Sysmon rules enhances detection capabilities, allowing threat hunters to define conditions specific to the organization’s environment or newly observed attacker tactics.
- Sysmon logs provide actionable details, from identifying file creation paths to detecting new processes tied to suspicious network connections, assisting in rapid incident response.
Room Answers | TryHackMe Sysmon
How many event ID 3 events are in C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx?
What is the UTC time created of the first network event in C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx?
What is the device name when being called by RawAccessRead in Investigation 1?
What is the first exe the process executes in Investigation 1?
What is the full path of the payload in Investigation 2?
What is the full path of the file the payload masked itself as in Investigation 2?
What signed binary executed the payload in Investigation 2?
What is the IP of the adversary in Investigation 2?
What back connect port is used in Investigation 2?
What is the IP of the suspected adversary in Investigation 3.1?
What is the hostname of the affected endpoint in Investigation 3.1?
What is the hostname of the C2 server connecting to the endpoint in Investigation 3.1?
Where in the registry was the payload stored in Investigation 3.1?
What PowerShell launch code was used to launch the payload in Investigation 3.1?
What is the IP of the adversary in Investigation 3.2?
What is the full path of the payload location in Investigation 3.2?
What was the full command used to create the scheduled task in Investigation 3.2?
What process was accessed by schtasks.exe that would be considered suspicious behavior in Investigation 3.2?
What is the IP of the adversary in Investigation 4?
What port is the adversary operating on in Investigation 4?
What C2 is the adversary utilizing in Investigation 4?