Sysmon Log Analysis: Threat Hunting on Windows Systems

August 14, 2024

As cyber security threats become increasingly complex, effective log analysis and threat hunting on Windows systems are critical. Sysmon provides security professionals with a powerful tool to record and analyse system events in detail. Integrated with SOC and SIEM solutions, it helps security teams detect potential threats at an early stage and respond quickly.

In this article, we will examine how Sysmon works and how it can be used for threat hunting on Windows systems. We will discuss important Sysmon event IDs and focus on developing effective threat hunting techniques using this data. We will also evaluate Sysmon’s ability to monitor WMI events and the role of this information in security analysis. In conclusion, we will emphasise the place and importance of Sysmon in modern cyber security strategies.

What is Sysmon and How Does It Work?

Sysmon (System Monitor) is a powerful tool developed by Microsoft that performs in-depth monitoring of Windows systems. This tool helps security experts detect advanced threats by recording system activity in detail. Unlike standard antivirus or host-based intrusion detection systems (HIDS), Sysmon monitors system activity more thoroughly and records reliable indicators of potential threats.

Key Features of Sysmon

Sysmon monitors and records the following important activities:

  1. Process creation and termination (with full command line and hash values)
  2. Network connections
  3. File creation and timestamp changes
  4. Driver and DLL installation
  5. Creating a remote thread
  6. Raw disc access
  7. Process memory access

These features provide security teams with a great advantage in detecting and analysing suspicious activities on the system.

Sysmon Installation and Configuration

You can follow the steps below to install and configure Sysmon:

  1. Download Sysmon from the official website of Microsoft.
  2. Extract the downloaded zip file and run the .exe file inside as administrator.
  3. As a configuration file, download ‘sysmonconfig-export.xml’ from SwiftOnSecurity’s GitHub repository.
  4. Open the command prompt as administrator and run the command: sysmon.exe -accepteula -i sysmonconfig-export.xml

By following these steps, you will have Sysmon installed on your system and running with a pre-made configuration.

Sysmon Log Locations

Sysmon records the logs it generates in the Windows Event Log. To access these logs:

  1. Open the Event Viewer.
  2. Follow the path ‘Applications and Services Logs’ > ‘Microsoft’ > ‘Windows’ > ‘Sysmon’ > ‘Operational’.

In this location, you can examine in detail all system activities recorded by Sysmon. Logs are recorded with a UTC timestamp and stored in XML format.

Sysmon provides security analysts and system administrators with the opportunity to analyse events that occur on Windows systems in depth. In this way, potential security threats can be detected at an early stage and necessary measures can be taken.

Important Sysmon Event IDs

Sysmon records various events that occur on Windows systems and tags these events with specific IDs (Event ID). These event IDs help security analysts and system administrators to detect potential threats and understand system behaviour. Here are the most important Sysmon event IDs and their meanings:

Process Creation and Termination Events

Event ID 1 (Process Creation): This event is logged when a process is created. Process creation events provide detailed information with full command line and hash values. This is critical in the detection of malware or suspicious activity.

Event ID 5 (Process Terminated): This event is generated when a process is terminated. The event contains the UtcTime, ProcessGuid and ProcessId values of the process. This information is important to understand when and how a process was terminated.

File and Registry Operations

Event ID 11 (FileCreate): This event is logged when a file is created or overwritten. This is particularly useful for monitoring locations that are frequently used by malware, such as startup folders, temporary directories and download folders.

Event ID 12 and 13 (RegistryEvent): These events record the creation, deletion and modification of registry keys and values. Since registry modifications are a common method used by malware, these events are important for security.

Event ID 14 (RegistryEvent – Key and Value Rename): This event is generated when a registry key or value is renamed and records the new name.

Network Connections and DNS Queries

Event ID 3 (NetworkConnect): This event is generated when a process establishes a network connection. It contains IP addresses, port numbers and other connection details. This information is critical in detecting suspicious external connections.

Event ID 22 (DNSEvent): This event is generated when a process makes a DNS query, regardless of whether the result succeeds or fails and regardless of whether it is cached. Monitoring DNS queries is important to detect connections to malicious domains.

These event IDs are only a part of the detailed monitoring and logging capabilities that Sysmon provides on Windows systems. By analysing these events, security experts can distinguish between normal and abnormal behaviour on the system, detect potential threats at an early stage and take the necessary measures.
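The Operational log stores each record as XML, with the fields described above carried as <Data Name="..."> elements under EventData. The parser below is an added example, not code from the original article; the two records it parses are constructed samples (hostname, PID and hash are placeholders) wrapped in an <Events> root that is assumed for the sake of the example.

```python
import xml.etree.ElementTree as ET

# Namespace every Windows Event Log record uses, Sysmon included.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def flatten(event_elem):
    """Turn one <Event> element into a flat dict: System fields plus each EventData <Data Name=...>."""
    system = event_elem.find("e:System", NS)
    event = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
    }
    for data in event_elem.iterfind("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event

def parse_sysmon_events(xml_text):
    """Parse records wrapped in a constructed <Events> root (one <Event> per Sysmon record)."""
    return [flatten(ev) for ev in ET.fromstring(xml_text).iterfind("e:Event", NS)]

# Constructed sample: a Process Creation (ID 1) record and a DNS query (ID 22) record.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
    <TimeCreated SystemTime="2024-08-14T10:15:32.123Z"/><Computer>WS01.example.local</Computer></System>
  <EventData>
    <Data Name="UtcTime">2024-08-14 10:15:32.123</Data>
    <Data Name="ProcessId">4321</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
    <Data Name="Hashes">SHA256=PLACEHOLDER_HASH</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>22</EventID>
    <TimeCreated SystemTime="2024-08-14T10:15:33.000Z"/><Computer>WS01.example.local</Computer></System>
  <EventData>
    <Data Name="UtcTime">2024-08-14 10:15:33.000</Data>
    <Data Name="QueryName">example.com</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
  </EventData>
</Event>
</Events>"""

if __name__ == "__main__":
    for ev in parse_sysmon_events(SAMPLE_XML):
        print(ev["TimeCreated"], ev["EventID"], ev.get("CommandLine") or ev.get("QueryName"))
```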

Threat Hunting Techniques with Sysmon

Sysmon stands out as a powerful tool for threat hunting. This tool provides security analysts with a great advantage in detecting potential threats by recording the activities on the system in detail. The data provided by Sysmon allows the application of various threat hunting techniques.

Detecting Suspicious Process Activities

Sysmon’s Event ID 1 (Process Creation) feature provides detailed information about the processes that occur in the system. This is critical for detecting suspicious process activity. For example, unusual command line parameters or unexpected parent-child process relationships can be indicative of potential threats.

Event ID 8 (CreateRemoteThread) records that a process has created a thread in another process. This technique is frequently used by malware to inject code and hide on the system. By monitoring these events, security analysts can detect malware activity at an early stage.


Identifying Malware Behaviour

Sysmon’s Event ID 11 (FileCreate) plays an important role in identifying malware behaviour. This event is recorded when a file is created or overwritten. File creation activity should be closely monitored, especially in locations frequently used by malware, such as startup folders, temporary directories and download folders.

Event ID 12 and 13 (RegistryEvent) record the creation, deletion and modification of registry keys and values. These events are used to detect registry modifications, a common method used by malware.
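Hunting rules covering the process checks above (Event ID 1 parent-child relationships and Event ID 8 remote threads) together with the file and registry checks (Event ID 11 locations and Event ID 12/13 modifications), as an added example that is not code from the original article. It assumes the events have already been flattened into dicts keyed by the Sysmon Data Name fields (Image, ParentImage, SourceImage, TargetImage, TargetFilename, TargetObject); the rule tables and sample events are constructed starting points, not Sysmon or SwiftOnSecurity configuration.

```python
import re

# Rule tables are assumptions: starting points to tune per environment, not Sysmon configuration.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Locations the article singles out for Event ID 11: startup folders, temp and download directories.
WATCHED_PATHS = (r"\\start menu\\programs\\startup\\", r"\\appdata\\local\\temp\\",
                 r"\\windows\\temp\\", r"\\downloads\\")
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def hunt(events):
    """Apply the rules to flattened Sysmon events; return (rule_name, event) pairs in log order."""
    hits = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:  # Office application spawning a script/command interpreter
            if basename(ev.get("ParentImage", "")) in OFFICE_PARENTS and basename(ev.get("Image", "")) in INTERPRETERS:
                hits.append(("office_spawns_interpreter", ev))
        elif eid == 8:  # remote thread created by a process outside System32
            src = ev.get("SourceImage", "")
            if not src.lower().startswith("c:\\windows\\system32\\") and src != ev.get("TargetImage"):
                hits.append(("remote_thread_from_unusual_source", ev))
        elif eid == 11:  # file created in a location malware commonly writes to
            if any(re.search(p, ev.get("TargetFilename", "").lower()) for p in WATCHED_PATHS):
                hits.append(("file_in_abused_location", ev))
        elif eid in (12, 13) and RUN_KEY_RE.search(ev.get("TargetObject", "")):  # autostart value
            hits.append(("run_key_modified", ev))
    return hits

# Constructed events (not real telemetry), already flattened to Sysmon Data Name fields.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-08-14 10:15:32.123", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "UtcTime": "2024-08-14 10:16:00.000", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "UtcTime": "2024-08-14 10:16:05.000", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"EventID": 13, "UtcTime": "2024-08-14 10:16:07.000", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 8, "UtcTime": "2024-08-14 10:16:08.000", "SourceImage": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(ev["UtcTime"], rule, ev.get("Image") or ev.get("SourceImage"))
```

The benign notepad.exe record produces no hit, which is the check worth keeping as you extend the rule tables.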

Catching Data Leak Attempts

Sysmon’s Event ID 3 (NetworkConnect) feature can be used to catch data leakage attempts. This event is generated when a process establishes a network connection and contains connection details such as IP addresses and port numbers. This information is critical in detecting suspicious external connections.

Event ID 22 (DNSEvent) helps to detect potential data leak attempts by monitoring DNS queries. Connections to malicious domains can be identified through this event record.

These detailed log records provided by Sysmon provide security analysts with a great advantage in distinguishing normal and abnormal behaviour on the system, detecting potential threats at an early stage and taking the necessary measures. These techniques have become an indispensable part of modern cyber security strategies.


Conclusion

Sysmon is a powerful addition to threat hunting on Windows systems. By recording system activities in detail, this tool assists security professionals in detecting potential threats early and responding quickly. Key event IDs and log analysis techniques make it possible to distinguish between normal and suspicious behaviour. This has become an important part of cyber security strategies.

As a result, the use of Sysmon on Windows systems provides security teams with detailed monitoring and analysis capabilities. This tool provides the necessary data to apply modern threat hunting techniques and thus strengthens the cyber security posture of organisations. These advantages provided by Sysmon Log analysis are crucial for developing effective defence strategies in today’s complex cyber threat environment.

Frequently Asked Questions About Sysmon Log Analysis

What does the Sysmon log do?

The Sysmon log is the record of the activities and events that occur on the system, which Sysmon writes so that they can be analysed and reviewed. These records go to the Windows Event Log, which presents them to the user through Event Viewer.

What is the purpose of the sysmon64.exe file?

Once installed on a system, Sysmon64.exe, i.e. System Monitor, continuously monitors system activities and records this information in the Windows event log. It is a Windows system service and device driver that continues to run automatically when the system restarts.

What information does Event ID 3 contain?

Event ID 3 records the TCP/UDP network connections made on the device. This event is disabled by default and, when enabled, provides information such as the ProcessId, ProcessGUID, source/destination hostnames, IPv4/IPv6 addresses and port numbers associated with the process concerned.

What are Event ID 1 and Event ID 2?

Event ID 1 provides detailed information about the processes created on the system and logs this information. Event ID 2 is logged when the creation time of a file on the system is changed, so it is used to check the integrity of file creation timestamps.

CyberSkills Hub

CyberSkillsHub is an innovative, technology-enthusiast figure in the world of cyber security. Its greatest strength is the Smart Exam system, through which it can instantly identify students' knowledge gaps and design custom courses for them. This dynamic character not only has a command of the newest and most powerful security technologies but also stands out as an instructor focused on understanding students' needs. Whether you are a beginner or an experienced professional, CyberSkillsHub is a reliable guide that will be with you on your cyber security journey. Its ability to engage with people and its passion for technology make CyberSkillsHub unique in providing students with personalised, effective and meaningful education. Making cyber security accessible and understandable for everyone is the foundation of CyberSkillsHub's mission.