{"id":171,"date":"2014-08-08T05:30:25","date_gmt":"2014-08-08T05:30:25","guid":{"rendered":"http:\/\/teacheritblog.wordpress.com\/?p=171"},"modified":"2014-08-08T05:30:25","modified_gmt":"2014-08-08T05:30:25","slug":"sysinternals-sysmon-a-great-way-to-see-whats-happening-on-your-system","status":"publish","type":"post","link":"https:\/\/christianlehrer.com\/?p=171","title":{"rendered":"Sysinternals Sysmon \u2013 a great way to see what's happening on your system"},"content":{"rendered":"<p>Two days ago Mark Russinovich released a new tool called <a href=\"http:\/\/technet.microsoft.com\/en-us\/sysinternals\/dn798348\">sysmon<\/a> in his Sysinternals Suite (which is owned by Microsoft now).<\/p>\n<p>This tool can help you get an overview of things that often happen on your system while it is being or has been compromised, by writing events for specific things like a change of a process creation time, creation of new processes and optionally new network connections into the event log. 
<\/p>\n<p>Here's an extract of the features from the official website:<\/p>\n<h5 align=\"left\">Overview of Sysmon Capabilities<\/h5>\n<p align=\"left\"><em>Sysmon<\/em> includes the following capabilities:<\/p>\n<ul>\n<li>\n<div align=\"left\">Logs process creation with full command line for both current and parent processes. <\/div>\n<\/li>\n<li>\n<div align=\"left\">Records the hash of process image files using SHA1 (the default), MD5 or SHA256. <\/div>\n<\/li>\n<li>\n<div align=\"left\">Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs. <\/div>\n<\/li>\n<li>\n<div align=\"left\">Optionally logs network connections, including each connection\u2019s source process, IP addresses, port numbers, hostnames and port names. <\/div>\n<\/li>\n<li>\n<div align=\"left\">Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks. 
<\/div>\n<\/li>\n<li>\n<div align=\"left\">Generates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware.<\/div>\n<\/li>\n<\/ul>\n<p>After you have <a href=\"http:\/\/download.sysinternals.com\/files\/Sysmon.zip\">downloaded<\/a> it, extract it and just run sysmon.exe to see the parameters it offers:<\/p>\n<p><a href=\"https:\/\/teacheritblog.files.wordpress.com\/2014\/08\/image.png\"><img decoding=\"async\" loading=\"lazy\" title=\"image\" style=\"border-top:0;border-right:0;border-bottom:0;border-left:0;display:inline;\" border=\"0\" alt=\"image\" src=\"https:\/\/teacheritblog.files.wordpress.com\/2014\/08\/image_thumb.png\" width=\"559\" height=\"374\" \/><\/a> <\/p>\n<p>To install Sysmon as a service with network connection monitoring enabled, run<\/p>\n<p>sysmon -i -n<\/p>\n<p>After accepting the EULA it will install and show you the result:<\/p>\n<p><a href=\"https:\/\/teacheritblog.files.wordpress.com\/2014\/08\/image1.png\"><img decoding=\"async\" loading=\"lazy\" title=\"image\" style=\"border-top:0;border-right:0;border-bottom:0;border-left:0;display:inline;\" border=\"0\" alt=\"image\" src=\"https:\/\/teacheritblog.files.wordpress.com\/2014\/08\/image_thumb1.png\" width=\"504\" height=\"158\" \/><\/a> <\/p>\n<p>No reboot is needed; the service starts working immediately.<\/p>\n<p>You can now open the Event Viewer and navigate to Applications and Services\\Microsoft\\Windows\\Sysmon\\Operational (on Windows 8.1) to see the entries:<\/p>\n<p>EventID 1 is for a newly created process. 
This is the Details tab of EventID 1:<\/p>\n<p><a href=\"https:\/\/teacheritblog.files.wordpress.com\/2014\/08\/image2.png\"><img decoding=\"async\" loading=\"lazy\" title=\"image\" style=\"border-top:0;border-right:0;border-bottom:0;border-left:0;display:inline;\" border=\"0\" alt=\"image\" src=\"https:\/\/teacheritblog.files.wordpress.com\/2014\/08\/image_thumb2.png\" width=\"547\" height=\"264\" \/><\/a> <\/p>\n<p>EventID 2 is for changes of a file creation time:<\/p>\n<p><a href=\"https:\/\/teacheritblog.files.wordpress.com\/2014\/08\/image3.png\"><img decoding=\"async\" loading=\"lazy\" title=\"image\" style=\"border-top:0;border-right:0;border-bottom:0;border-left:0;display:inline;\" border=\"0\" alt=\"image\" src=\"https:\/\/teacheritblog.files.wordpress.com\/2014\/08\/image_thumb3.png\" width=\"557\" height=\"198\" \/><\/a> <\/p>\n<p>Like Larry Seltzer in his <a href=\"http:\/\/www.zdnet.com\/sysinternals-new-sysmon-tool-looks-for-intruder-traces-7000032058\/\">post<\/a> about sysmon, I see many entries related to Chrome with this EventID.<\/p>\n<p>EventID 3 stands for a new network connection:<\/p>\n<p><a href=\"https:\/\/teacheritblog.files.wordpress.com\/2014\/08\/image4.png\"><img decoding=\"async\" loading=\"lazy\" title=\"image\" style=\"border-top:0;border-right:0;border-bottom:0;border-left:0;display:inline;\" border=\"0\" alt=\"image\" src=\"https:\/\/teacheritblog.files.wordpress.com\/2014\/08\/image_thumb4.png\" width=\"537\" height=\"350\" \/><\/a> <\/p>\n<p>An important note on the official site states:<\/p>\n<blockquote>\n<p>Note that <em>Sysmon<\/em> does not provide analysis of the events it generates, nor does it attempt to protect or hide itself from attackers.<\/p>\n<\/blockquote>\n<p>So while this tool can help you analyze what was or is going on, the log itself can also be compromised.<\/p>\n<p>But if your SIEM or log server of choice collects these events, this 
new tool can help catch the bad guys earlier.<\/p>\n<p>Sources: <\/p>\n<p><a title=\"http:\/\/technet.microsoft.com\/en-us\/sysinternals\/dn798348\" href=\"http:\/\/technet.microsoft.com\/en-us\/sysinternals\/dn798348\">http:\/\/technet.microsoft.com\/en-us\/sysinternals\/dn798348<\/a><\/p>\n<p><a title=\"http:\/\/www.zdnet.com\/sysinternals-new-sysmon-tool-looks-for-intruder-traces-7000032058\/\" href=\"http:\/\/www.zdnet.com\/sysinternals-new-sysmon-tool-looks-for-intruder-traces-7000032058\/\">http:\/\/www.zdnet.com\/sysinternals-new-sysmon-tool-looks-for-intruder-traces-7000032058\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Two days ago Mark Russinovich released a new tool called sysmon in his Sysinternals Suite (which is owned by Microsoft now). This tool can help you get an overview of things that often happen on your system while it is being or has been compromised, by writing events for specific things like a&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[15],"tags":[96,106,107],"_links":{"self":[{"href":"https:\/\/christianlehrer.com\/index.php?rest_route=\/wp\/v2\/posts\/171"}],"collection":[{"href":"https:\/\/christianlehrer.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/christianlehrer.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/christianlehrer.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/christianlehrer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=171"}],"version-history":[{"count":0,"href":"https:\/\/christianlehrer.com\/index.php?rest_route=\/wp\/v2\/posts\/171\/revisions"}],"wp:attachment":[{"href":"https:\/\/christianlehrer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=171"}],"wp:term":[{"taxonomy":"category","embeddable"
:true,"href":"https:\/\/christianlehrer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=171"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/christianlehrer.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=171"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}