Sysmon.md: +289 lines changed (289 additions & 0 deletions)
@@ -810,6 +810,295 @@ Example:
810
810
811
811

812
812
813
+
## Process Events
814
+
815
+
Sysmon can log process creation, process termination and process access events. The process events are captured via ObjRegisterCallbacks at the kernel level using its driver, and contain a unique, deterministically generated ProcessGuid and LogonGuid that are unique to their process instance and LSA logon session respectively.
816
+
817
+
The ProcessGuid and LoginGuid make tracking individual process and users much easier. The ProcessGuid attribute is used in all events associated with its process, and, unlike a ProcessID, will not be reused by the host system later. The LogonGuid attirbute similarly is assigned to a login session of a particular user, and will not be reused later as a LoginID would.
818
+
819
+

820
+
821
+
When a user logs onto on a modern version of Windows (Windows 2016/10)
822
+
they will have 2 Logon IDs assigned if:
823
+
824
+
* User is a member of local Administrator Group.
825
+
826
+
* UAC (User Access Control) is enabled.
827
+
828
+
These sessions will be linked by a Linked Login ID in Successful Logon
829
+
Event ID 4624, making the logging of this event important.
830
+
831
+
The ProcessGUID depending on the event and where in the process tree it
832
+
is, it will also be known by other names by its relation to the action
833
+
monitored.
834
+
835
+
ProcessGUID is generated by Sysmon when Sysmon logs the event. ProcessGUID
836
+
specifically is not an attribute of the internal Windows process data structs
837
+
(EPROCESS). Sysmon keeps track of the GUID until the process exits.
838
+
839
+

840
+
841
+
The only Event Types that will not reference a ProcessGuid or one of its
842
+
derived names are
843
+
844
+
* WMI events
845
+
846
+
* Kernel Driver Load
847
+
848
+
The image of the process is also related in other processes and can be
849
+
used to track all actions related to a specific one.
850
+
851
+

852
+
853
+
854
+
### Process Creation
855
+
856
+
Sysmon will log **EventID 1** for the creation of any new process when
857
+
it registers with the kernel.
858
+
859
+
Sysmon will generate a ProcessGuid and LogonGuid with the information it
860
+
obtains and it will hash the process main image. The command line of the
861
+
process will be parsed and logged in to eventlog. When storage permits a
862
+
common practice is to log all processes and to filter out common day to
863
+
day processes for Windows and Applications after profiling usage.
864
+
865
+
The fields on a process creation event are:
866
+
867
+
***ProcessGuid** -- Unique process GUID generated by Sysmon.
868
+
869
+
***ProcessId** -- Process ID represented as a integer number.
870
+
871
+
***Image** -- Full path of the executable image that was executed.
872
+
873
+
***FileVersion** -- File version filed in the image metadata.
874
+
875
+
***Description** -- Description field in the image metadata.
876
+
877
+
***Product** -- Product field in the image metadata.
878
+
879
+
***Company** - Company field in the image metadata.
880
+
881
+
***OriginalFileName** -- Original image name if renamed.
882
+
883
+
***CommandLine** -- Command line that executed the image.
884
+
885
+
***CurrentDirectory** -- Directory under which the image was
886
+
executed.
887
+
888
+
***User** - Name of the account who created the process (child) . It
889
+
usually contains domain name and user name
890
+
891
+
***LogonGuid** - Logon GUID of the user who created the new process.
892
+
893
+
***LogonId** -Login ID of the user who created the new process.
894
+
895
+
***TerminalSessionId** - ID of the session the user belongs to
896
+
897
+
***IntegrityLevel** - Integrity label assigned to a process
898
+
899
+
***Hashes** - Full hash of the file with the algorithms in the
900
+
HashType field.
901
+
902
+
***ParentProcessGuid** - ProcessGUID of the process that
903
+
spawned/created the main process (child)
904
+
905
+
***ParentProcessId** - Process ID of the process that spawned/created
906
+
the main process (child)
907
+
908
+
***ParentImage -** File path that spawned/created the main process.
909
+
910
+
***ParentCommandLine -** Arguments which were passed to the
911
+
executable associated with the parent process
912
+
913
+
Sysmon offers an advantage over the regular process logging since it not
914
+
only pulls the same information as with **EventID****4688** but it also
915
+
pulls information from the PE header, hashes the images for correlation
916
+
with IOC databases like Virus Total and it also provides unique fields
917
+
when querying for events.
918
+
919
+
### Process Termintation
920
+
921
+
Symon will log an **EventID 5** when a process terminates. By logging
922
+
process termination events allow for calculating duration of operation
923
+
of a process by comparing the times with process creation. Process
924
+
termination also allows when co-related with shutdown and start events
925
+
if a process may have been terminated by an attacker.
926
+
927
+
The process termination fields are:
928
+
929
+
***RuleName** -- Rule name for which the event triggered.
930
+
931
+
***UtcTime** - Time in UTC when event was created
932
+
933
+
***ProcessGuid** - Process Guid of the process that terminated
934
+
935
+
***ProcessId** - Process ID used by the OS to identify the process
936
+
that terminated
937
+
938
+
***Image** - File path of the executable of the process that
939
+
terminated
940
+
941
+
### Process Access
942
+
943
+
When one process opens another, sysmon will log this with an event ID of 10. The access with higher permissions allows for also reading the content of memory, patching memory, process hollowing, creations of threads and other tasks that are abused by attackers. This technique has been used for access to credentials, keys and data that are in the process memory.
944
+
945
+
This task is also common for benign processes that query information on another process, such as Task Manager, tasklist.exe and others, this requires that a baseline be established and filtered out at a SIEM level taking into consideration other factors like image fullpath, parent process and account used so as to prevent any whitelisted processes from being used as staging for attacks.
946
+
947
+
Sysmon generates this event using ObRegisterCallbacks leveraging its
948
+
driver. The main 2 filtering fields recommended are:
949
+
950
+
***TargetImage** - File path of the executable being accessed by
951
+
another process.
952
+
953
+
***GrantedAccess** - The access flags (bitmask) associated with the
954
+
process rights requested for the target process
955
+
956
+
As a minimum it is recommended to filter including critical processes,
957
+
as a minimum:
958
+
959
+
* C:\\Windows\\system32\\lsass.exe
960
+
961
+
* C:\\Windows\\system32\\csrss.exe
962
+
963
+
* C:\\Windows\\system32\\wininit.exe
964
+
965
+
* C:\\Windows\\system32\\winlogon.exe
966
+
967
+
* C:\\Windows\\system32\\services.exe
968
+
969
+
Check for masks of known tools for credential dumping, process injection
970
+
and process hollowing. Great care should be taken when setting masks
971
+
since Sysmon does a literal comparison of the mask string provided
972
+
against the one returned. It is not a bitwise operation, care should be
<!--Dumping credentials from services or setting up a keylogger-->
1053
+
<RulegroupRelation="and">
1054
+
<TargetImagename="technique_id=T1003,technique_name=Credential Dumping"condition="is">C:\Windows\system32\csrss.exe</TargetImage> <!--Mitre T1098--><!--Mitre T1075--><!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
1055
+
<GrantedAccess>0x1F1FFF</GrantedAccess>
1056
+
</Rule>
1057
+
<RulegroupRelation="and">
1058
+
<TargetImagename="technique_id=T1003,technique_name=Credential Dumping"condition="is">C:\Windows\system32\wininit.exe</TargetImage> <!--Mitre T1098--><!--Mitre T1075--><!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
1059
+
<GrantedAccess>0x1F1FFF</GrantedAccess>
1060
+
</Rule>
1061
+
<RulegroupRelation="and">
1062
+
<TargetImagename="technique_id=T1003,technique_name=Credential Dumping"condition="is">C:\Windows\system32\winlogon.exe</TargetImage> <!--Mitre T1098--><!--Mitre T1075--><!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
1063
+
<GrantedAccess>0x1F1FFF</GrantedAccess>
1064
+
</Rule>
1065
+
<RulegroupRelation="and">
1066
+
<TargetImagename="technique_id=T1003,technique_name=Credential Dumping"condition="is">C:\Windows\system32\services.exe</TargetImage> <!--Mitre T1098--><!--Mitre T1075--><!--Mitre T1003--><!-- depending on what you're running on your host, this might be noisy-->
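Review bot: the opening paragraph of `## Process Events` says process creation, termination and access are all captured via "ObjRegisterCallbacks", which conflicts with `### Process Access`, where the API is spelled ObRegisterCallbacks and is described as the source of Event ID 10 only; correct the spelling to ObRegisterCallbacks, scope that sentence to process access, and state separately that creation and termination events come from the kernel's process-creation notify callback (PsSetCreateProcessNotifyRoutineEx). Terminology drifts between LogonGuid/LoginGuid and LogonId/LoginID inside one paragraph; the field list later in the hunk uses LogonGuid and LogonId, so use those throughout. Typos to fix: "attirbute", heading "### Process Termintation", "Symon will log", "File version filed in the image metadata" (field), "a integer", and "**EventID****4688**" renders as broken bold (write "**EventID 4688**"). The field entries are written `***ProcessGuid** --`, which markdown parses as mixed bold/italic rather than a bullet plus a bold name; write them as `* **ProcessGuid** --` (check the raw file, since the rendered diff may have dropped the space). "As a minimum it is recommended to filter including critical processes, as a minimum:" repeats itself; keep one "as a minimum". The GrantedAccess paragraph ends mid-sentence at "care should be" just before the XML; finish the sentence. In the XML sample every rule is named technique_id=T1003 while the trailing comments also cite T1098 and T1075, and the lead comment `<!--Dumping credentials from services or setting up a keylogger-->` names neither; make the rule names and comments agree. Also `<RulegroupRelation="and">` and `<TargetImagename=... condition="is">` appear without the space between element and attribute; confirm the source reads `<Rule groupRelation="and">` and `<TargetImage name="..." condition="is">`, otherwise Sysmon will reject the configuration.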