In the past I wrote a blog post about using Process Explorer to find hidden threats on potentially compromised systems. As I said back then, Process Explorer is part of the Sysinternals suite, which contains a whole lot of great software. Sysmon is another member of that suite.
Although its name is simply short for “System Monitor”, it is more than a general-purpose monitoring solution. Sysmon is specifically designed to log the events that can reveal malicious activity an attacker is performing on a system (e.g. code being injected into other processes, processes being launched from unusual parent processes, etc.).
I generally recommend that all my clients deploy Sysmon on their Windows servers so that we can monitor and correlate suspicious activities in a centralized Security Information and Event Management (SIEM) system. Sysmon is a great way to considerably increase visibility across a company’s Windows computer landscape. SIEM solutions like QRadar offer whole rule sets based on Sysmon events that allow security teams to spot malicious activities which, without Sysmon, would remain totally unobserved; standard Windows logging simply does not report anything about them.
Yesterday Microsoft released a new version of this very powerful tool, and it brings an important addition to counter the last stage of the hacking cycle. As a reminder, the textbook hacking process is as follows:
- Reconnaissance (e.g. using OSINT)
- Scanning and enumeration
- Gaining access and escalating privileges
- Maintaining access
- Covering tracks
What attackers often do once they have gained access to a system is to drop certain tools, perform their attacks and then delete the tools again to cover their tracks. This makes it very difficult during a post-mortem analysis to understand exactly what the attacker did. Other activities become harder as well, for example hardening systems against the tools that were used, or building alerting so that you notice immediately when the same tools show up somewhere else. If the tools are deleted, you cannot analyze them, understand them and learn from them.
In the new version 11 of Sysmon, files that are deleted can be automatically archived by Sysmon in a protected directory (the deletion itself is logged as Event ID 23, FileDelete). The archive directory is protected with a System ACL, so afterwards its contents can only be read by the SYSTEM account; an administrator reaches it by running a shell as SYSTEM, e.g. with PsExec -s. Blue teams can use these archived files during their incident analysis to understand which tools were used, how to detect them in the future (fingerprinting) and how to harden systems against the attack vectors employed.
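As an added example (my own code, not something from the original post and not Sysinternals code), here is how to switch the archiving on for executables and scripts only, and then tie the Event ID 23 entries back to the archived copies from PowerShell. It assumes Sysmon64.exe and PsExec64.exe in the current directory, an elevated shell, and that schema version 4.30 is what the Sysmon 11 binary expects (print the schema with `Sysmon64.exe -s` to confirm); the include rules, file names and the `C:\Sysmon` default location are my assumptions.

```powershell
# Added example, not code from the original post and not from Sysinternals.
# Assumptions: Sysmon64.exe and PsExec64.exe sit in the current directory, this runs in an
# elevated PowerShell, and schema version 4.30 is the one Sysmon 11 accepts (check with
# .\Sysmon64.exe -s). The rule set, file names and archive location below are my own choices.

# 1. Configuration: archive deleted executables and scripts only, not every deleted file,
#    otherwise the archive directory fills the disk fast. "Sysmon" is the directory name;
#    assumed to be created at the root of the volume (C:\Sysmon on the system drive).
$config = @'
<Sysmon schemaversion="4.30">
  <ArchiveDirectory>Sysmon</ArchiveDirectory>
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <FileDelete onmatch="include">
        <TargetFilename condition="end with">.exe</TargetFilename>
        <TargetFilename condition="end with">.dll</TargetFilename>
        <TargetFilename condition="end with">.ps1</TargetFilename>
        <TargetFilename condition="end with">.bat</TargetFilename>
        <TargetFilename condition="end with">.vbs</TargetFilename>
      </FileDelete>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path .\sysmon-filedelete.xml -Value $config -Encoding ASCII
# Fresh install; on a host that already runs Sysmon use -c to load the new configuration.
.\Sysmon64.exe -accepteula -i .\sysmon-filedelete.xml

# 2. Read the FileDelete events (Event ID 23) and flatten their EventData into objects.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 23 } -ErrorAction SilentlyContinue
$deleted = foreach ($e in $events) {
    $data = @{}
    foreach ($field in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
    # Hashes is "SHA256=<hex>" (several algorithms would be comma separated); keep the hex only.
    $sha256 = ($data.Hashes -split ',' | Where-Object { $_ -like 'SHA256=*' }) -replace '^SHA256=', ''
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Image    = $data.Image          # process that deleted the file
        User     = $data.User
        Target   = $data.TargetFilename # path of the deleted file
        SHA256   = $sha256
        Archived = $data.Archived       # "true" when Sysmon kept a copy
    }
}
$deleted | Sort-Object Time | Format-Table -AutoSize

# 3. The archive directory carries a System ACL, so even administrators get "access denied".
#    Hash its contents as SYSTEM (PsExec -s) and match copies to events by hash, which does
#    not depend on the file names Sysmon picks for the archived copies.
$inner = 'Get-ChildItem -Path C:\Sysmon -File | Get-FileHash -Algorithm SHA256 | ForEach-Object { "{0},{1}" -f $_.Hash, $_.Path }'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))
$listing = .\PsExec64.exe -accepteula -s powershell.exe -NoProfile -EncodedCommand $encoded 2>$null
$archived = @{}
foreach ($line in $listing) {
    if ($line -match '^([0-9A-F]{64}),(.+)$') { $archived[$Matches[1]] = $Matches[2] }
}
foreach ($d in $deleted) {
    if ($d.SHA256 -and $archived.ContainsKey($d.SHA256)) {
        '{0} deleted by {1} as {2} -> copy kept at {3}' -f $d.Target, $d.Image, $d.User, $archived[$d.SHA256]
    }
}
```

Keep the `FileDelete` include list tight: with `onmatch="include"` nothing is archived unless a rule matches, which is what you want, because archiving every deleted file quickly becomes unmanageable. The archived copies are only as safe as the ACL; an attacker who reaches SYSTEM can remove them again, so forward the Event ID 23 entries (hash, path, deleting process) off the host as well.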
Apart from that, Sysmon 11 also brings improvements for Windows Event Forwarding (WEF). WEF is a very useful, high-performance mechanism to forward Windows event logs. This means that you can, for example, forward security logs like the ones created by Sysmon in near real time to one central monitoring location (usually your SIEM). WEF is available by default on Windows systems and is therefore a very good basis for quickly spotting and alerting on suspicious behaviour.
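To show what that looks like in practice, here is an added example (my own, not from the original post or from Microsoft) of a source-initiated WEF subscription that pulls the whole Sysmon channel to a collector. It assumes a collector reachable as collector.example.com over HTTP on port 5985 and domain-joined sources; the subscription name and the SDDL string are my choices.

```powershell
# Added example, not from the original post and not from Microsoft. Run on the collector in an
# elevated PowerShell. Assumptions: the collector is reachable as collector.example.com over
# HTTP/5985, the sources are domain members, and "Sysmon" is a free subscription name.

# 1. Enable and configure the Windows Event Collector service on the collector.
wecutil qc /q:true

# 2. Subscription definition. MinLatency makes the sources push events as soon as they occur,
#    which is what you want for Sysmon; MinBandwidth would batch them instead.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/02/06/Subscription">
  <SubscriptionId>Sysmon</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>All Sysmon events from domain computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
          <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL: Domain Computers (DC) and Network Service (NS) may forward to this subscription -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
'@
Set-Content -Path .\sysmon-subscription.xml -Value $subscription -Encoding ASCII
wecutil cs .\sysmon-subscription.xml

# 3. Inspect the subscription and which sources have checked in so far.
wecutil gs Sysmon
wecutil gr Sysmon

# 4. On each source the collector address is normally pushed by GPO:
#    Computer Configuration > Policies > Administrative Templates > Windows Components >
#    Event Forwarding > Configure target Subscription Manager, with the value
#    Server=http://collector.example.com:5985/wsman/SubscriptionManager/WEC,Refresh=60
#    The forwarding runs as Network Service, which must be allowed to read the Sysmon channel,
#    e.g. by adding it to the local Event Log Readers group on the source:
#    Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE'

# 5. Forwarded events land in the ForwardedEvents log on the collector, which is what the
#    SIEM agent reads. Confirm that Sysmon events are arriving:
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; ProviderName = 'Microsoft-Windows-Sysmon' } -MaxEvents 5
```

Two things bite people here: the WinRM service has to be running on the sources for the push to work, and without the Event Log Readers membership (or an equivalent channel ACL) the sources connect fine but never deliver a single Sysmon event, which `wecutil gr` shows as active sources with an event count of zero.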
I’m excited to try out this new version of Sysmon and also to see when SwiftOnSecurity releases an updated version of the Sysmon configuration to make use of the new features. Mark Russinovich, creator of the Sysinternals suite and CTO of Microsoft Azure, explains some of the new features in a video. Worth viewing!