
Sysmon version 4 : Cool filtering!

Sysmon version 4 has much more flexible filtering rules than previous versions. It is now possible to have both an include filter set and an exclude filter set for each event ID, with exclude matches taking precedence over include matches. Below I present a few examples for filtering Event IDs 3, 7 and 9.

Event ID 3

Event ID 3 (network connections) is very noisy, and gathering everything is not possible in the majority of networks.
It is nice if we can log connections to the Internet through the proxy (it's good to have one :-)) coming from non-browser executables. This can be used for hunting malware that uses legitimate Windows executables to bypass even AppLocker and also uses the local proxy settings (including the browser's User-Agent) to communicate with C&C. Obviously, for malware that injects code into browsers we need something else... (EMET may help in such cases). Moreover, it is desirable to exclude the network traffic of Skype, Lync and some other Microsoft executables in order to further reduce the volume.
Config.xml should contain the section below to achieve this filtering:
<!-- Log non-browser connections to the proxy and clear some noise -->
<NetworkConnect onmatch="include">
    <DestinationPort>PROXY PORT</DestinationPort>
</NetworkConnect>
<NetworkConnect onmatch="exclude">
    <Image condition="contains">chrome.exe</Image>
    <Image condition="contains">iexplore.exe</Image>
    <Image condition="contains">firefox.exe</Image>
    <Image condition="contains">outlook.exe</Image>
    <Image condition="contains">Skype.exe</Image>
    <Image condition="contains">lync.exe</Image>
    <Image condition="contains">GoogleUpdate.exe</Image>
</NetworkConnect>

Event ID 7

Event ID 7 (Image loaded) is the noisiest event. It should be configured carefully, as it generates a HUGE number of events.
On my test system, without filtering, a few thousand events were generated within 5 minutes.

If somebody wants to log only images loaded from the user profile directory, clear some noise and also monitor what is loaded into lsass.exe, the following section should be added to config.xml:

<ImageLoad onmatch="exclude">
    <Image condition="contains">Citrix</Image>
    <Image condition="contains">Sysmon.exe</Image>
</ImageLoad>
<ImageLoad onmatch="include">
    <Image condition="end with">lsass.exe</Image>
    <Image condition="contains">C:\Users</Image>
</ImageLoad>

Event ID 9

I gathered Event ID 9 from several hundred endpoints. The picture below shows that two executables inside the system32 directory (C:\Windows\System32\wbem\WmiPrvSE.exe and C:\Windows\System32\svchost.exe) generated around 60% of the total volume for Event ID 9. The percentage is of course not the same on every network, but these two should always be in the top 10 list. In any case, any noisy process can be filtered out easily.
So if somebody wants to:
1) Get Event ID 9 for all executables in system32 EXCEPT WmiPrvSE.exe and svchost.exe
2) Get Event ID 9 for executables whose path contains the user profile directory (C:\Users\) or the Recycle Bin (C:\$recycle.bin)
then the section below should be added to config.xml:
<!-- Clear some noise for Event ID 9 -->
<RawAccessRead onmatch="exclude">
    <Image condition="contains">WmiPrvSE.exe</Image>
    <Image condition="contains">svchost.exe</Image>
</RawAccessRead>
<RawAccessRead onmatch="include">
    <Image condition="contains">C:\Windows\System32\</Image>
    <Image condition="contains">C:\Users</Image>
    <Image condition="contains">C:\$recycle.bin</Image>
</RawAccessRead>
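As an added example (not code from this post or from Sysmon itself), the Python script below is a small simulator of the include/exclude precedence described at the top of the post, run against the three config sections for Event IDs 3, 7 and 9: an exclude match drops the event whatever the include set says, and when an include set exists the event must match at least one of its rules. The evaluator, the sample events, the file paths and the proxy port value 8080 (standing in for PROXY PORT) are all constructed for the example; how Sysmon treats an event type with no include set at all is not modelled and is marked as an assumption in the code.

```python
import xml.etree.ElementTree as ET

# The three sections from the post, wrapped in the EventFiltering element a real
# config.xml uses. PROXY PORT is replaced by the constructed value 8080.
CONFIG = r"""
<EventFiltering>
  <NetworkConnect onmatch="include">
    <DestinationPort>8080</DestinationPort>
  </NetworkConnect>
  <NetworkConnect onmatch="exclude">
    <Image condition="contains">chrome.exe</Image>
    <Image condition="contains">iexplore.exe</Image>
    <Image condition="contains">firefox.exe</Image>
    <Image condition="contains">outlook.exe</Image>
    <Image condition="contains">Skype.exe</Image>
    <Image condition="contains">lync.exe</Image>
    <Image condition="contains">GoogleUpdate.exe</Image>
  </NetworkConnect>
  <ImageLoad onmatch="exclude">
    <Image condition="contains">Citrix</Image>
    <Image condition="contains">Sysmon.exe</Image>
  </ImageLoad>
  <ImageLoad onmatch="include">
    <Image condition="end with">lsass.exe</Image>
    <Image condition="contains">C:\Users</Image>
  </ImageLoad>
  <RawAccessRead onmatch="exclude">
    <Image condition="contains">WmiPrvSE.exe</Image>
    <Image condition="contains">svchost.exe</Image>
  </RawAccessRead>
  <RawAccessRead onmatch="include">
    <Image condition="contains">C:\Windows\System32\</Image>
    <Image condition="contains">C:\Users</Image>
    <Image condition="contains">C:\$recycle.bin</Image>
  </RawAccessRead>
</EventFiltering>
"""

# Sysmon string conditions; comparisons are case-insensitive, so both sides
# are lower-cased before the lambda runs.
_CONDITIONS = {
    "is": lambda p, v: v == p,
    "is not": lambda p, v: v != p,
    "contains": lambda p, v: p in v,
    "excludes": lambda p, v: p not in v,
    "begin with": lambda p, v: v.startswith(p),
    "end with": lambda p, v: v.endswith(p),
}


def _match(condition, pattern, value):
    return _CONDITIONS[condition](pattern.lower(), value.lower())


def load_rules(xml_text):
    """Parse an EventFiltering fragment into
    {event_type: {"include": [(field, condition, pattern)], "exclude": [...]}}."""
    rules = {}
    for block in ET.fromstring(xml_text):
        sets = rules.setdefault(block.tag, {"include": [], "exclude": []})
        for field in block:
            # A missing condition attribute means an exact ("is") match.
            sets[block.get("onmatch")].append(
                (field.tag, field.get("condition", "is"), (field.text or "").strip()))
    return rules


def is_logged(rules, event_type, event):
    """Exclude always wins; otherwise, if an include set exists, the event
    must match at least one include rule. `event` maps field name -> value."""
    sets = rules.get(event_type, {"include": [], "exclude": []})

    def any_match(rule_list):
        return any(field in event and _match(cond, pat, event[field])
                   for field, cond, pat in rule_list)

    if any_match(sets["exclude"]):
        return False
    if sets["include"]:
        return any_match(sets["include"])
    # Assumption of this simulator only: with no include set, log the event.
    # Real Sysmon applies per-event-type defaults here; check its documentation.
    return True


# Constructed sample events with the expected outcome (all paths are made up).
SAMPLE_EVENTS = [
    ("NetworkConnect", {"Image": r"C:\Program Files\Updater\updater.exe", "DestinationPort": "8080"}, True),
    ("NetworkConnect", {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "DestinationPort": "8080"}, False),
    ("NetworkConnect", {"Image": r"C:\Program Files\Updater\updater.exe", "DestinationPort": "443"}, False),
    ("ImageLoad", {"Image": r"C:\WINDOWS\system32\LSASS.EXE", "ImageLoaded": r"C:\Windows\System32\ntdll.dll"}, True),
    ("ImageLoad", {"Image": r"C:\Users\alice\AppData\Local\Temp\unknown.exe"}, True),
    ("ImageLoad", {"Image": r"C:\Program Files\Citrix\ICA Client\wfica32.exe"}, False),
    ("RawAccessRead", {"Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"}, False),
    ("RawAccessRead", {"Image": r"C:\Windows\System32\example.exe"}, True),
    ("RawAccessRead", {"Image": r"C:\Program Files\Backup\agent.exe"}, False),
]


def evaluate_samples():
    """Return (event_type, image, logged) for every constructed sample event."""
    rules = load_rules(CONFIG)
    return [(etype, ev["Image"], is_logged(rules, etype, ev)) for etype, ev, _ in SAMPLE_EVENTS]


def all_samples_as_expected():
    rules = load_rules(CONFIG)
    return all(is_logged(rules, etype, ev) == expected for etype, ev, expected in SAMPLE_EVENTS)
```

Call evaluate_samples() to see which constructed events survive each rule set; the lsass.exe sample is deliberately upper-cased to show that the "end with" condition, like the other Sysmon string conditions, matches regardless of case.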