How to Use Sysmon 2.0 (Part 1)

On January 19, 2015, the SysInternals team released Sysmon 2.0. "This major update to Sysmon, a service that records process activity to the Windows event log for use by incident detection and forensic analysis, includes driver load and image load events with signature information, configurable hashing algorithm reporting, flexible filters for including and excluding events, and support for supplying configuration via a configuration file instead of the command line."

One interesting update in 2.0 is the addition of import hashes (imphash). If you are not familiar, imports are the functions that a piece of software calls from other files; most of the time, imports are used to augment a program with a function from a Windows DLL. An imphash is calculated from the library/API names and their specific order within the executable. Imphashes are useful for tracking flavors of malware that use the same functionality but have different binaries. This addition moves Sysmon from being an augmentation of Windows event logging to a utility that is designed to help analyze malware. Awesome.
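As an added illustration (not from the post or from Sysmon's own source), here is the imphash calculation as pefile implements it, which is assumed here to match what Sysmon reports as IMPHASH; the import tables are constructed, and the known-ordinal name tables pefile applies for a few DLLs are left out. Reordering the same imports changes the hash, which is exactly why it tracks builds of one family rather than one binary.

```python
import hashlib

# Constructed import tables for illustration (not read from a real binary).
# Each entry is (DLL name as written in the import directory, function name
# or ordinal number). SAMPLE_B imports exactly the same functions as SAMPLE_A
# but in a different order; SAMPLE_C adds one import to SAMPLE_A.
SAMPLE_A = [("KERNEL32.dll", "CreateProcessW"),
            ("KERNEL32.dll", "WriteFile"),
            ("ADVAPI32.dll", "RegSetValueExW")]
SAMPLE_B = [SAMPLE_A[2], SAMPLE_A[1], SAMPLE_A[0]]
SAMPLE_C = SAMPLE_A + [("USER32.dll", "MessageBoxW")]


def imphash_string(imports):
    """Build the string that gets hashed: 'dll.function' per import, DLL name
    lower-cased with a .dll/.ocx/.sys extension stripped, function lower-cased,
    entries joined with commas in import-table order. Ordinal imports are
    written as 'ordN' (pefile additionally maps known ordinals of a few DLLs
    such as ws2_32 back to names; that table is omitted here)."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if ext in ("dll", "ocx", "sys"):
            lib = base
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports):
    """Hex MD5 of the import string (the pefile imphash; assumed to be what
    Sysmon's HashType IMPHASH reports)."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    for label, sample in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(label, imphash(sample), imphash_string(sample))
```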

2.0 also comes with 5 new events:

Event ID 4: Sysmon service state changed
The service state change event reports the state of the Sysmon service (started or stopped).

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <EventID>4</EventID>
    <Version>1</Version>
    <Level>4</Level>
    <Task>4</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2015-01-21T16:54:43.336928400Z" />
    <EventRecordID>216242</EventRecordID>
    <Correlation />
    <Execution ProcessID="1112" ThreadID="1168" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>WIN-RKSC06DQ86F</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="State">Started</Data>
  </EventData>
</Event>

Event ID 5: Process terminated
The process terminate event reports when a process terminates. It provides the UtcTime, ProcessGuid and ProcessId of the process.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <EventID>5</EventID>
    <Version>1</Version>
    <Level>4</Level>
    <Task>5</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2015-01-21T17:00:43.600396700Z" />
    <EventRecordID>277158</EventRecordID>
    <Correlation />
    <Execution ProcessID="1112" ThreadID="1332" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>WIN-RKSC06DQ86F</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="UtcTime">1/21/2015 05:00:43.481 PM</Data>
    <Data Name="ProcessGuid">{FF1717CF-DB0B-54BF-0000-001015761600}</Data>
    <Data Name="ProcessId">10096</Data>
  </EventData>
</Event>

Event ID 6: Driver loaded
The driver loaded event provides information about a driver being loaded on the system. The configured hashes are provided as well as signature information. Signature verification is done asynchronously for performance reasons, and the event indicates if the file was removed after loading.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <EventID>6</EventID>
    <Version>1</Version>
    <Level>4</Level>
    <Task>6</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2015-01-21T16:54:54.924095100Z" />
    <EventRecordID>218132</EventRecordID>
    <Correlation />
    <Execution ProcessID="1112" ThreadID="1336" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>WIN-RKSC06DQ86F</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="UtcTime">1/21/2015 04:54:47.299 PM</Data>
    <Data Name="ImageLoaded">C:\Windows\System32\drivers\WdNisDrv.sys</Data>
    <Data Name="HashType">SHA1,MD5,SHA256,IMPHASH</Data>
    <Data Name="Hash">9F469B3BA78F83D1F8B73B4F6EFD365F92A89786,282E7D46310338FF4A6B7680440EB0DA,04242798DD82F583154AEA3D775C9BFD574FC471D01CDEB9D070872425094D82,FEC15D772A16260D523B3D2E2797F735</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">Microsoft Windows</Data>
  </EventData>
</Event>

Event ID 7: Image loaded
The image loaded event logs when a module is loaded in a specific process. This event is disabled by default and needs to be enabled with the -l option. It indicates the process in which the module is loaded, along with hashes and signature information. Signature verification is done asynchronously for performance reasons, and the event indicates if the file was removed after loading. This event should be configured carefully, as monitoring all image load events will generate a large number of events.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <EventID>7</EventID>
    <Version>1</Version>
    <Level>4</Level>
    <Task>7</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2015-01-21T17:00:43.977452900Z" />
    <EventRecordID>277336</EventRecordID>
    <Correlation />
    <Execution ProcessID="1112" ThreadID="1332" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>WIN-RKSC06DQ86F</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="UtcTime">1/21/2015 05:00:43.789 PM</Data>
    <Data Name="ProcessGuid">{FF1717CF-DB37-54BF-0000-001008982000}</Data>
    <Data Name="ProcessId">41744</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="ImageLoaded">C:\Windows\System32\advapi32.dll</Data>
    <Data Name="HashType">SHA1,MD5,SHA256,IMPHASH</Data>
    <Data Name="Hash">C446DE5692D5CA9B7DAEE0F0A48FC6A575F8FE3A,561F1AB95F4F01C691BDABA5FD5C67FC,4C6184C1A72B2F84BB1CA5A72F89CC44F9F37FF225D834EBCEFF26F820635BED,973A8CDB39A3DB10C284AFB640B793B3</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">Microsoft Windows</Data>
  </EventData>
</Event>
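As an added example (not part of the original post), a small Python parser for the Event ID 6 and 7 records shown above: it splits the comma-separated HashType/Hash pair into a per-algorithm map and runs two defender-side checks over the result. The sample record, its hash values and the imphash watchlist are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample record in the Event ID 6 shape shown above; the hash
# values are placeholders, not the real WdNisDrv.sys hashes from the post.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>6</EventID>
    <Computer>WIN-RKSC06DQ86F</Computer>
  </System>
  <EventData>
    <Data Name="ImageLoaded">C:\Windows\System32\drivers\WdNisDrv.sys</Data>
    <Data Name="HashType">SHA1,MD5,SHA256,IMPHASH</Data>
    <Data Name="Hash">SHA1PLACEHOLDER,MD5PLACEHOLDER,SHA256PLACEHOLDER,IMPHASHPLACEHOLDER</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">Microsoft Windows</Data>
  </EventData>
</Event>"""

# Constructed watchlist (placeholder value) of imphashes a team tracks.
IMPHASH_WATCHLIST = {"IMPHASHOFTRACKEDFAMILY"}


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon <Event> into a dict: EventID, Computer and every
    EventData field keyed by its Name attribute. HashType and Hash are
    parallel comma-separated lists, so they are zipped into rec['Hashes']."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": int(root.findtext(f"{NS}System/{NS}EventID")),
           "Computer": root.findtext(f"{NS}System/{NS}Computer")}
    for data in root.iterfind(f"{NS}EventData/{NS}Data"):
        rec[data.get("Name")] = data.text or ""
    if "HashType" in rec and "Hash" in rec:
        rec["Hashes"] = dict(zip(rec["HashType"].split(","),
                                 rec["Hash"].split(",")))
    return rec


def load_findings(rec):
    """Triage an Event ID 6 (driver) or 7 (image) load record: unsigned
    loads and imphashes on the watchlist deserve an analyst's attention."""
    findings = []
    if rec["EventID"] not in (6, 7):
        return findings
    image = rec.get("ImageLoaded", "?")
    if rec.get("Signed", "").lower() != "true":
        findings.append(f"unsigned load: {image}")
    if rec.get("Hashes", {}).get("IMPHASH") in IMPHASH_WATCHLIST:
        findings.append(f"imphash on watchlist: {image}")
    return findings
```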

Event ID 255: Error
This event is generated when an error occurs within Sysmon. Errors can happen if the system is under heavy load and certain tasks could not be performed, or if a bug exists in the Sysmon service.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <EventID>255</EventID>
    <Version>1</Version>
    <Level>2</Level>
    <Task>255</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2015-01-21T17:00:44.001453300Z" />
    <EventRecordID>278772</EventRecordID>
    <Correlation />
    <Execution ProcessID="1112" ThreadID="1332" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>WIN-RKSC06DQ86F</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="ID">DriverCommunication</Data>
    <Data Name="Description">Failed to retrieve events (Last error: Insufficient system resources exist to complete the requested service.).</Data>
  </EventData>
</Event>

Took me a second to get Sysmon to throw an error like this. It is worth noting that, from my observations, Sysmon is not prone to error under normal use. In case anyone is wondering how to make Sysmon barf (along with the rest of the computer), I used an old-school fork logic bomb batch script as a means to an end. Drop this into a batch file and run it. THIS WILL LOCK UP YOUR ENTIRE SYSTEM QUICKLY. You have been told.

:START
start %~dp0%~n0%~x0
%~dp0%~n0%~x0|%~dp0%~n0%~x0
GOTO START

I am sure there are more elegant ways but this was the first idea that came to mind that worked.

Sysmon 2.0 also has a filtering feature that I will cover in the next post.