Skip to content

Sysmon.md

Latest commit

 

History

History
133 lines (81 loc) · 5.87 KB

Sysmon.md

File metadata and controls

133 lines (81 loc) · 5.87 KB

Sysmon - Easy

  1. Introduction
  2. Cutting out the Noise
  3. Hunting Metasploit
  4. Detecting Mimikatz
  5. Hunting Malware
  6. Hunting Persistence
  7. Detecting Evasion Techniques
  8. Practical Investigations

Introduction

  • Sysmon is a tool used to monitor and log events on Windows; Sysmon events stored in Applications and Services Logs/Microsoft/Windows/Sysmon/Operational.

  • Sysmon uses Event IDs for its config file, to analyze events.

xfreerdp /u:THM-Analyst /p:5TgcYzF84tcBSuL1Boa%dzcvf /v:10.10.181.158
#connect to machine

Cutting out the Noise

  • Sysmon usage is improved by best practices such as prioritizing excluding events rather than including events, using the CLI and understanding the environment.

  • Events can be filtered using the Event Viewer or PowerShell.

Get-WinEvent -Path C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Hunting_Metasploit.evtx -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=4444'
#to look for network connections coming from port 4444

Get-WinEvent -Path C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx -FilterXPath '*/System/EventID=3' | Measure-Object -Line
#to find number of event ID 3 events
1. How many event ID 3 events are in C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx? - 73,591

2. What is the UTC time created of the first network event in C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx? - 2021-01-06 01:35:50.464

Hunting Metasploit

  • We can look for network connections that originate from suspicious ports such as 4444 and 5555.
Get-WinEvent -path C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Hunting_Metasploit.evtx -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=4444'

Detecting Mimikatz

  • Mimikatz can be detected by looking for file creation with the name Mimikatz.

  • We can also hunt for abnormal LSASS behaviour to detect Mimikatz.

Get-WinEvent -Path C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Hunting_Mimikatz.evtx -FilterXPath '*/System/EventID=10 and */EventData/Data[@Name="TargetImage"] and */EventData/Data="C:\Windows\system32\lsass.exe"'

Hunting Malware

  • Hunting for common back connect ports to detect RATs:
Get-WinEvent -Path C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Hunting_Rats.evtx -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=8080'

Hunting Persistence

  • Persistence is used by attackers to maintain access to a machine once it's compromised.

  • Some ways used to gain persistence are registry modification and startup scripts.

Detecting Evasion Techniques

  • Examples of evasion techniques are Alternate Data Streams, Injections, Masquerading, Packing/Compression, Recompiling, Obfuscation, Anti-Reversing.

  • Detecting Alternate Data Streams:

Get-WinEvent -Path C:\Users\Administrator\Desktop\Sysmon.evtx -FilterXPath '*/System/EventID=15'
  • Detecting Remote Thread Creation:
Get-WinEvent -Path C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Hunting_CreateRemoteThread.evtx -FilterXPath '*/System/EventID=8'

Practical Investigations

1. What is the full registry key of the USB device calling svchost.exe in Investigation 1? - HKLM\System\CurrentControlSet\Enum\WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_8.01#4054910EF19005B3&0#\FriendlyName

2. What is the device name when being called by RawAccessRead in Investigation 1? - \Device\Harddisk\Volume3

3. What is the first exe the process executes in Investigation 1? - rundll32.exe

4. What is the full path of the payload in Investigation 2? - "C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta

5. What is the full path of the file the payload masked itself as in Investigation 2? - C:\Users\IEUser\Downloads\update.html

6. What signed binary executed the payload in Investigation 2? - C:\Windows\System32\mshta.exe

7. What is the IP of the adversary in Investigation 2? - 10.0.2.18

8. What back connect port is used in Investigation 2? - 4443

9. What is the IP of the suspected adversary in Investigation 3.1? - 172.30.1.253

10. What is the hostname of the affected endpoint in Investigation 3.1? - DESKTOP-O153T4R

11. What is the hostname of the C2 server connecting to the endpoint in Investigation 3.1? - empirec2

12. Where in the registry was the payload stored in Investigation 3.1? - HKLM\SOFTWARE\Microsoft\Network\debug

13. What PowerShell launch code was used to launch the payload in Investigation 3.1? - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKLM:Software\Microsoft\Network debug).debug);start -Win Hidden -A \"-enc $x\" powershell";exit;

14. What is the IP of the adversary in Investigation 3.2? - 172.168.103.188

15. What is the full path of the payload location in Investigation 3.2? - C:\Users\q\AppData:blah.txt

16. What was the full command used to create the scheduled task in Investigation 3.2? -  "C:\WINDOWS\system32\schtasks.exe" /Create /F /SC DAILY /ST 09:00 /TN Updater /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String($(cmd /c ''more < c:\users\q\AppData:blah.txt'''))))\""

17. What process was accessed by schtasks.exe that would be considered suspicious behaviour in Investigation 3.2? - lsass.exe

18. What is the IP of the adversary in Investigation 4? - 172.30.1.253

19. What port is the adversary operating on in Investigation 4? - 80

20. What C2 is the adversary utilizing in Investigation 4? - empire