search

Sysmon Usecases (IBM)

hashtag
Introduction

  • Sysmon is a tool that provides extra visibility on the Windows logs especially when it comes to things that aren't usually captured through normal logs. For example, code injection, PowerShell commands, process mitigation, etc..

hashtag
Use Case 01 - Malicious File Injection and Execution

hashtag
Scenario:

  • An attacker uses a PowerShell script that downloads a malicious backdoor and runs it from the temp directory.

hashtag
Red Flags:

  • The process started from a temp directory.

  • Unsigned exe or dll.

  • PowerShell commands that download and start processes.

hashtag
Rules:

hashtag
Unsigned Executable or DLL Loaded from Temp Directory

  • Events which are detected by the local system.

  • Events were detected by one or more of Microsoft Windows Security Event Log.

  • Event QID is one of the following (5001844) Image Loaded.

  • When the event matches LoadedImage (custom) matches any of expressions <Temp Directory Path Regex>

hashtag
Process Launched from Temp Directory

  • Events which are detected by the local system.

  • Events were detected by one or more of Microsoft Windows Security Event Log.

  • Event QID is one of the following (5001828) Process Create

  • Event matches Image (custom) matches any of expressions <Temp Directory Path Regex>

hashtag
Powershell Malicious Usage Detected

  • Events which are detected by the local system.

  • Events were detected by one or more of Microsoft Windows Security Event Log.

  • Event QID is one of the following (5001828) Process Create

  • Event matches Process CommandLine (custom) is not NA.

  • Event matches Process CommandLine (custom) matches <Malicious Commands Regex> (Make sure to make it case insensitive and to escape useless characters to detect bypassing activities)

hashtag
Process Created a Thread into System Process

  • Events which are detected by the local system.

  • Events were detected by one or more of Microsoft Windows Security Event Log.

  • Event QID is one of the following (5001845) CreateRemote Thread

  • Event matches Process CommandLine (custom) is not NA.

  • Any of Target Image Name (Custom) is contained in any of Windows Sensitive Processes (Reference Set that includes the sensitive Windows processes)

PreviousArchive/Backup/BinNextLinux Fundamentals (TryHackMe)

Last updated