Microsoft Sysmon now detects when executable files are created

Microsoft has released Sysmon 15, converting it into a protected process and adding a new ‘FileExecutableDetected’ option to log executable files that have been created.

For those who are not familiar with Sysmon (or System Monitor), it is a free Microsoft Sysinternals tool that can monitor and block malicious or suspicious activity and log events to the Windows Event Log.


By default, Sysmon monitors basic events such as the creation and termination of processes. However, it is possible to create advanced configuration files that allow you to monitor various other activities, such as the deletion of files and changes to the Windows clipboard, and to detect and prevent file corruption.

Users can find a complete list of directives in the Sysmon schema, which can be viewed by running the sysmon -s command on the command line.

Yesterday, Microsoft released Sysmon 15.0, which includes two new features: hardening the program by turning it into a protected process, and the ability to detect when executable files are created on the monitored system.

Sysmon is now a protected process

As Sysmon is often used to detect malicious activity, it is in an attacker's interest to disrupt or disable the program.

With this release, Microsoft changed Sysmon.exe to run as a protected process, which prevents malicious code from being injected into it.

“In Windows 8.1, a new concept of secure services has been introduced to allow anti-malware services to be set as a secure service,” explains Microsoft’s article about the service.

“When a service is started as protected, Windows uses code integrity to only allow trusted code to enter the protected service. Windows also protects these processes from being replaced by code injection and other malicious actions from admin systems.”

After Sysmon is installed, you can see that it runs as a protected process by using Process Explorer to check its security properties, as shown below.

Sysmon running as a PPL process
Source: BleepingComputer

According to Process Explorer, Sysmon is running as a PPL (PROTECTED_ANTIMALWARE_LIGHT) process, which is also covered in this article by Elastic.

Detecting newly created executable files

Sysmon 15.0 also updates the Sysmon schema to version 4.90, which now includes a ‘FileExecutableDetected’ configuration option to detect the creation of executable files on a monitored device.

    <event name="SYSMONEVENT_FILE_EXE_DETECTED" value="29" level="Informational" template="File Executable Detected" rulename="FileExecutableDetected" version="5">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="ProcessGuid" inType="win:GUID" />
      <data name="ProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="User" inType="win:UnicodeString" outType="xs:string" />
      <data name="Image" inType="win:UnicodeString" outType="xs:string" />
      <data name="TargetFilename" inType="win:UnicodeString" outType="xs:string" />
      <data name="Hashes" inType="win:UnicodeString" outType="xs:string" />
    </event>

For example, to use the new FileExecutableDetected directive to check for new executable files created under the C:\ProgramData\ and C:\Users\ folders, you can use the following configuration file:

    <Sysmon schemaversion="4.90">
      <!-- Hash algorithms used for the Hashes field of logged events -->
      <HashAlgorithms>MD5,SHA256</HashAlgorithms>
      <EventFiltering>
        <!-- Log executable file creations under these two folders -->
        <FileExecutableDetected onmatch="include">
          <TargetFilename condition="begin with">C:\ProgramData\</TargetFilename>
          <TargetFilename condition="begin with">C:\Users\</TargetFilename>
        </FileExecutableDetected>
      </EventFiltering>
    </Sysmon>

To start Sysmon and configure it to use the above configuration file, run the sysmon -i command and pass the name of the configuration file.

In our example, the name of the configuration file is sysmon.conf, so we can use the following command from an administrative command prompt to start Sysmon:

    sysmon -i sysmon.conf

Once started, Sysmon will install its driver and silently collect data in the background.

All Sysmon events will be logged to ‘Applications and Services Logs/Microsoft/Windows/Sysmon/Operational’ in the Event Viewer.

With the FileExecutableDetected feature enabled, when a new executable file is created under the C:\ProgramData\ or C:\Users\ folder (or their subfolders) and matches the rule, Sysmon will block the file and create an ‘Event 29, File Executable Detected’ entry in the Event Viewer.

Sysmon Event 29 - File Executable Detected
Source: BleepingComputer

The Event Log entries that are generated contain important information, described below:

  • UtcTime: The time when the event was detected.
  • ProcessId: The PID of the process trying to create the executable file.
  • User: The user associated with the process creating the file.
  • Image: The file name of the program creating the file.
  • TargetFilename: The executable file that was created. Note: In our tests, the file was always displayed under a temporary file name.
  • Hashes: The hashes of the file being created. The hashes displayed will depend on your HashAlgorithms setting.
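To show how these fields fit together with the configuration above, here is an added example (not from the original article or from Sysmon itself) that reads the include rule from the config, parses an Event 29 record in Event Viewer XML form, and reports which rule prefix the created file matched. The event record is constructed for illustration, and the function names and the case-insensitive prefix comparison are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Configuration from the article (comments omitted).
CONFIG = r"""<Sysmon schemaversion="4.90">
  <HashAlgorithms>MD5,SHA256</HashAlgorithms>
  <EventFiltering>
    <FileExecutableDetected onmatch="include">
      <TargetFilename condition="begin with">C:\ProgramData\</TargetFilename>
      <TargetFilename condition="begin with">C:\Users\</TargetFilename>
    </FileExecutableDetected>
  </EventFiltering>
</Sysmon>"""

# Constructed Event 29 record; every value below is made up for this example.
EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>29</EventID></System>
  <EventData>
    <Data Name="UtcTime">2023-06-28 10:15:42.123</Data>
    <Data Name="ProcessId">4321</Data>
    <Data Name="User">LAB\alice</Data>
    <Data Name="Image">C:\Program Files\ExampleApp\updater.exe</Data>
    <Data Name="TargetFilename">C:\Users\alice\AppData\Local\Temp\a1b2.tmp</Data>
    <Data Name="Hashes">MD5=00112233445566778899AABBCCDDEEFF,SHA256=00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF</Data>
  </EventData>
</Event>"""

def include_prefixes(config_xml):
    """Return the 'begin with' TargetFilename prefixes of the include rule."""
    rule = ET.fromstring(config_xml).find(
        "EventFiltering/FileExecutableDetected[@onmatch='include']")
    return [t.text for t in rule.findall("TargetFilename[@condition='begin with']")]

def parse_event29(event_xml):
    """Return the EventData fields as a dict, with Hashes split per algorithm."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "29":
        raise ValueError("not a Sysmon Event 29 record")
    fields = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    # Hashes arrives as one string ("MD5=...,SHA256=..."); split it per algorithm.
    pairs = fields.get("Hashes", "").split(",")
    fields["Hashes"] = dict(p.split("=", 1) for p in pairs if "=" in p)
    return fields

def matching_prefix(path, prefixes):
    """First prefix the path begins with (assumed case-insensitive), else None."""
    low = path.lower()
    return next((p for p in prefixes if low.startswith(p.lower())), None)
```

Because TargetFilename may be a temporary name, as noted above, the Hashes values are the more reliable key when correlating an Event 29 record with other data about the file.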

For more information and tips on how to use this new feature, we recommend reading Olaf Hartong’s excellent article on the new Sysmon.

For those who want a Sysmon configuration file that uses this information to detect malware or malicious devices, you can use security researcher Florian Roth’s Sysmon config.

Learn more about Sysmon

Sysmon is an advanced system monitoring tool with many directives that allow you to create configuration files that meet your organization’s needs.

Due to the complexity of this program, it is recommended that you read Sysmon’s documentation and play with the configuration options to see how these directives work.

Unfortunately, Sysmon is not a well-documented program, requiring users to do some trial and error to test its features and see what is written to the log.

The good news is that Sysmon will not load an invalid configuration file, so if you see a “Configuration file” message when you load Sysmon, you know you are on the right track.

You should also read Olaf Hartong’s Sysmon articles, as he writes about new features as they are released.

Finally, admins can use or read existing Sysmon configuration files from Florian Roth and SwiftOnSecurity to see how the directives can be used to block malware.
