Sysmon 5 : New opportunities for hunting

On 28/11/2016 Sysmon v5 was released, delivering some nice new features. In this post I will describe some use cases for the new events. If you are new to Sysmon, please start with the presentation by Mark Russinovich at RSA 2016.

Another nice presentation, by @c_APT_ure at Botconf: https://www.botconf.eu/2016/advanced-incident-detection-and-threat-hunting-using-sysmon-and-splunk/

My earlier description of Sysmon events stopped at EventID 9. Before version 5, EventID 10 (ProcessAccess) was added.

You can use it to monitor access to lsass.exe. The challenge is filtering out the legitimate processes that generate this event.

In version 5 the two highlights are:

1. EventID 11 (FileCreate), which enables monitoring of the startup folder.

2. EventIDs 12, 13 and 14 for registry monitoring. These three events share the same descriptor in sysmon.xml (RegistryEvent), so a registry key placed in that configuration section is monitored for all actions (add, delete, value set, rename).

There is also EventID 15 (FileCreateStreamHash), which logs the hashes of attachments.

As expected, if you simply include these events in the Sysmon configuration without any filtering, your log management system will be dead :-). Filtering is crucial for deploying Sysmon at scale.
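A minimal sysmon.xml that ties EventIDs 10 to 15 together with the filtering discussed above, added here as an example and not taken from the post; it assumes the Sysmon 5 configuration schema (schemaversion 3.20), and the paths and the wmiprvse.exe exclusion are placeholders to be tuned against what is actually legitimate in your environment.

```xml
<Sysmon schemaversion="3.20">
  <!-- Hash algorithm used for image hashes and for EventID 15 stream hashes -->
  <HashAlgorithms>SHA256</HashAlgorithms>
  <EventFiltering>

    <!-- EventID 10: only keep handles opened on lsass.exe ... -->
    <ProcessAccess onmatch="include">
      <TargetImage condition="image">lsass.exe</TargetImage>
    </ProcessAccess>
    <!-- ... and drop sources known to be legitimate here (assumed example;
         use exact paths, never broad excludes, so real abuse stays visible) -->
    <ProcessAccess onmatch="exclude">
      <SourceImage condition="is">C:\Windows\system32\wbem\wmiprvse.exe</SourceImage>
    </ProcessAccess>

    <!-- EventID 11: file creation in the per-user and all-users Startup folders -->
    <FileCreate onmatch="include">
      <TargetFilename condition="contains">\Start Menu\Programs\Startup\</TargetFilename>
    </FileCreate>

    <!-- EventIDs 12/13/14: one RegistryEvent section covers add, delete,
         value set and rename; "contains" on \CurrentVersion\Run also
         matches RunOnce -->
    <RegistryEvent onmatch="include">
      <TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
    </RegistryEvent>

    <!-- EventID 15: hash files created with an alternate data stream
         (e.g. Zone.Identifier on downloads and saved attachments) -->
    <FileCreateStreamHash onmatch="include">
      <TargetFilename condition="contains">\Downloads\</TargetFilename>
    </FileCreateStreamHash>

  </EventFiltering>
</Sysmon>
```

Load it with `Sysmon.exe -c sysmon.xml` and review the resulting volume per EventID before rolling it out more widely.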
