Overview
In every operation team monitoring plays a vital role to proactively monitor and detect emerging cyber threats, it became more challenging to gather or correlate events from different logs or security sources, to add intelligence to raw data.
System monitoring with SYSMON has emerged as a new way of proactive monitors windows internal which includes various features such as log monitoring or gathering log system activity to the Windows event log.
an open-source windows system service and device driver, which is more familiar with its advanced features like process creations, network connections, and changes to file creation time. even its usually gets integrated with many SIEM tools like Splunk and Qradar.
Features of sysmon
Sysmon monitors the following activities:
- Process creation (with full command line and hashes)
- Process termination
- Network connections
- File creation timestamps changes
- Driver/image loading
- Create remote threads
- Raw disk access
- Process memory access
Installation steps
A Simple command-line option to get install and uninstall Sysmon.
- Download Sysmon from https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon.
- Extract the .zip file.
- Right-click the .exe file for your system and select Run as administrator.
- For a 32-bit system, choose Sysmon.exe.
- For a 64-bit system, choose Sysmon64.exe.
List of Sysmons Event IDs
Before working with sysmon it is mandatory to know the Event ids with their relative information. Sysmon has generally 26 unique event id associated with its functions, Each has its own configuration file.
| ID | Tag |
| 1 ProcessCreate | Process Create : A detailed information about the process created |
| 2 FileCreateTime | File creation time Used to check integrity of file creationtime |
| 3 NetworkConnect | Network connection detected : Event logs TCP/UDP connections on the machine |
| 4 Sysmon service state changed | Sysmon service state change : The service state change event reports the state of the Sysmon service (started or stopped). |
| 5 ProcessTerminate | Process terminated : A detailed information about the process termination |
| 6 DriverLoad | Driver Loaded : A detailed information about the drive installed in addition with HASH value |
| 7 ImageLoad | Image loaded : The image loaded event logs when a module is loaded in a specific process |
| 8 CreateRemoteThread | CreateRemoteThread detected : Event detects when a process creates a thread in another process. This technique is used by malware to inject code and hide in other processes |
| 9 RawAccessRead | RawAccessRead detected : The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation. |
| 10 ProcessAccess | Process accessed : The event reports when a process opens another process |
| 11 FileCreate | File created : File create operations are logged when a file is created or overwritte |
| 12 RegistryEvent | Registry object added or deleted : Registry key and value create and delete operations map to this event type, |
| 13 RegistryEvent | Registry value set : This Registry event type identifies Registry value modifications. |
| 14 RegistryEvent | Registry object renamed : This Registry event type identifies Registry value renamed |
| 15 FileCreateStreamHash | File stream created : This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream. |
| 16 ServiceConfigurationChange | Sysmon configuration change : Event triggered when Sysmon configuration change |
| 17 PipeEvent | Named pipe created : This event generates when a named pipe is created. |
| 18 PipeEvent | Named pipe connected : This event logs when a named pipe connection is made between a client and a server. |
| 19 WmiEvent | WMI filter : When a WMI event filter is registered |
| 20 WmiEvent | WMI consumer : This event logs the registration of WMI consumers |
| 21 WmiEvent | WMI consumer filter : When a consumer binds to a filter, this event logs the consumer name and filter path. |
| 22 DNSQuery | DNS query : This event is generated when a process executes a DNS query |
| 23 FileDelete | File Delete archived : A file was deleted. Additionally to logging the event, the deleted file is also saved in the ArchiveDirectory |
| 24 ClipboardChange | New content in the clipboard : This event is generated when the system clipboard contents change. |
| 25 ProcessTampering | Process image change : This event is generated when process hiding techniques such as “hollow” or “herpaderp” are being detected. |
| 26 FileDeleteDetected | File Delete logged : A file was deleted. |
Working with sysmon
In general sysmon can be access via two different way
- GUI
- Command Line
GUI
Sysmon generally resides inside the event viewer, to access the sysmon, navigate to event viewer → Applications and Services Logs → Microsoft → Windows → Sysmon. A detailed summary of every event gets listed with its associated event ids.
Event 1 → Process Create : A detailed information about the process created,
It summarises the recent process with its information included with process name, GUID, the original filename, and with the HASH value.
Event 3 → Network connection detected : Event logs which are typically associated with TCP/UDP connections on the machine,
Hence It summarises the recent network activity included with processed, protocol,src_ip, hostname,src_port,dest_port and much more information.
Event 16 → Sysmon configuration change : Event triggered when Sysmon configuration change
As we already discussed sysmon has some basic configuration when it gets installed if there are any configuration changes once it gets triggered with some events whit event id 16. This states the integrity of the configuration file.
Accessing SYSMON via CMD
- Open the powershell terminal
- Enter the following cmd
$test = Get-WinEvent - LogName “Microsoft-Windows-Sysmon/Operational” | where ($_.id -eq 5)
The above mention query get to extract all the log which are associated with the event id 5 
Conclusion
The tool Sysmon has been used across by various cybersecurity professionals, especially for malware analysis, forensics analysis and Security operation. The simple tools are more familiar for their robust usage and performance.
Reference
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://cqureacademy.com/blog/hacks/sysmon
- https://www.blumira.com/enable-sysmon/
- https://www.blumira.com/enable-sysmon/