Okay, so this talk is about the importance of Sysmon for investigations. I'm Extreme Paperclip. Who am I exactly? Digital forensics nerd, Linux geek, infosec dork, lifelong student of everything, amateur history buff, spice fanatic, loads of fun. Follow me on the Twitters, but I'm probably not that interesting.

Okay, what this talk is and is not about: this talk is not an advanced guide to Sysmon. What it is is basically just a simple intro to Sysmon. Here are a few things we're going to talk about. We'll talk about what Sysmon is, an overview of the Sysmon events, and what the Sysmon config is; we'll go over installing Sysmon, some examples of my favorite Sysmon events, and some Sysmon examples for an investigation.

Okay, so you're probably asking: just cut to the chase and tell me, what is Sysmon? Okay, here's the TL;DR: Sysmon creates the logs that should exist in Windows event logs by default, but do not. Sysmon creates very unique event logs specific for security. Think of it that way. Here are some more facts about Sysmon. So Sysmon was created by Mark Russinovich and Thomas Garnier. Sysmon is short for System Monitor. It's a part of the Windows Sysinternals suite. It was released in 2014. It's both a device driver and a service. And it creates logs specifically for security, you could say.

A very brief history of Sysmon. So it was first released in 2014, and it initially only had three event IDs: event ID 1, which shows a process created; event ID 2, a process changed a file creation time; and event ID 3, network connection. This little snippet right here I took from the Web Archive.

So let's do an overview here of the Sysmon events. The latest version of Sysmon has 26 event IDs. It's version 13.34, and you can see there that it was released in May of 2022. Note also there's also a version for Linux. This is a recent thing. I'm not going to go into it in this talk, but it's something you should check out. Okay, let's go over all the events.
Don't worry, we're not going to deep dive into these. So let's do an overview of these events. Event ID 1, like I said earlier, is process creation. Some of the things that are really interesting about event ID 1, two things in my opinion: you're going to see the command line, and you're going to get a hash of the process. It's very useful. I'm going to go a little quicker here. So event ID 2, the process changed the file creation time. Event ID 3, network connection. Very useful. Event ID 4, Sysmon service state changed; you can see in the logs if this one was stopped. And of course event ID 5, the process was terminated. Event ID 6, a driver was loaded. This can be very useful. Event ID 7 is image loaded. Now think of an image not like a picture; in the world of Sysmon, an image is basically an executable. Event ID 8 is create remote thread. Event ID 9, raw access read. Event ID 10, process access. Now event ID 10 can be very useful, for example, at finding evidence of Mimikatz. Event ID 11, file create. Also very useful. You can see something like, if somebody ran a query to spit out bloodhound.zip, you're going to see that that file was created.

Event ID 12: these, you could think of these as the registry events here. Event ID 12 talks about an object that was created or deleted in the registry, 13 shows you the value that was set for that registry event, and event ID 14 talks about the key and value renamed. Event ID 15, file create stream hash. I'll be honest, this one hasn't really rocked my world. Event ID 16, service configuration change. And these two below are the pipe events. So you can see a pipe created, event ID 17, and event ID 18, pipe connected. This can be very useful in malware hunting. Event ID 19, WMI event: these, you could think of these as the WMI events here. Event ID 19 shows activity detected, event ID 20 shows the consumer, event ID 21 consumer to filter. Fun stuff. Okay, event ID 22, DNS event. Very cool.
I love that one. Event ID 23, file deleted. Can be useful; it can also be noisy. Event ID 24, clipboard change. I'll be honest, this one kind of baffles me. Event ID 25, process tampering. One example of that is if you hollow an executable. Let's see, there's a tool called Shellter that can help you do that, where you can insert a payload for shellcode. Event ID 26, file delete detected. Could be good, and it could be bad, because it can be very noisy. Okay, those are the events.

So let's talk about the Sysmon config. Here's the TL;DR: the Sysmon config is an XML file that defines what gets included or excluded in the Sysmon logs. It's a big deal. Why is it a big deal? Well, okay, so it's a big deal because if your Sysmon config is configured to be over-inclusive, you could end up with a lot of garbage data that can make it hard to analyze and sift through. And on the other hand, if you exclude too much in your Sysmon config, then you're probably going to be missing valuable log data that could potentially contain evidence of malicious activity.

Well, here's a few facts about the Sysmon config. Here's a little example. So right here you can see in the XML file some things; I'll just point them out. The RuleGroup is like a simple way you can group the rules for a specific event ID. And note the way that, in this case, the groupRelation uses "and" to define how the rules are used; an alternative to this would be an "or". Okay, ProcessCreate, let's see, is an example of basically event ID 1. And this rule right here is going to match on include. Image, like I said, is the word used for an executable. In this example the Image is timeout.exe. CommandLine is one of the fields in event ID 1, and in this example it shows us that the command line simply just contains 100. A little more about the Sysmon config. In the Sysmon config there are conditions you can use.
You can see here in this little example that there's "and" or "or", condition equals "is", or condition equals "end with" or "begin with". So, you might be thinking, how do I get a good pre-made Sysmon config that I can start with? Yeah, that's a great question. So I would say that Olaf Hartong has a great Sysmon config. And he makes a great modular Sysmon config that you can use to easily customize your rules for each event ID. He makes it very easy to manage. Big thanks to Olaf for making such a great Sysmon config. Okay, let's take a little look here. So here you can see a little of what his Sysmon config looks like. The Sysmon config is pretty darn great, but you have to understand you will need to spend some time getting to know the Sysmon config and adjusting it to your specific environment. It's a big part of it, a big deal. And with that, you can go to the TrustedSec Sysmon Community Guide, which is quite wonderful and written by Carlos Perez, darkoperator. A note about Carlos: pretty much anything he writes or creates is amazing. You can learn a lot from him.

Okay, now let's talk about installing Sysmon. It's easy. You just follow these steps: you basically download the Sysmon zip, grab your Sysmon config, make sure you save it to the same folder, and then you're going to run this command right there. You know, you can also do this with a script, of course. I'm not going to go into that for the sake of time, but just know that that's an option. After Sysmon is installed, you should see this. And if you want to go see the Sysmon logs, you can open up Event Viewer and go to Applications and Services Logs, Microsoft, Windows, Sysmon and click on Operational. And then you'll see the logs.

Okay, "now what," you might say. "Okay, I have installed Sysmon, now what?" Well, now you need to send these Sysmon events to a SIEM. And you might ask, wait, what is a SIEM? A SIEM is basically a security information and event management system.
And think of it like this: it's basically a central place to send all your logs so you can analyze and search the data. And here are a few examples. Splunk: they have, of course, a paid version, and they have a free version, but note that the free version allows up to 500 megabytes per day, which is actually not a lot of data. You might be surprised how quickly you get to that limit. Security Onion is great. It's free. It's a great community. But note that you're on your own to set it up and get it running. And the same is true with the ELK stack by Elastic.

So let's talk a bit about some examples of my favorite Sysmon events. Sysmon event, like I said, event ID 1, process creation, is just fabulous. Event ID 3, network connection, also fabulous. Sysmon event 22, DNS event. Fabulous. Let's talk about them. So, in Sysmon event ID 1, I wanted to show you here a little example of some of the fields that it captures. In the field rule name, you can see there, I just want to note, Olaf's Sysmon config contains MITRE ATT&CK IDs here, and that's very useful. Note the image, which is the executable. In this case it's Notepad++. Let's see. Also, you can see here the command line. That's the greatest. It's wonderful. You can see the user. In this case it's just "username"; it's just an example. And this is also very, very important: you get hashes. So you can see the SHA1 and MD5 hash. It's cut off, so you can't see it, but over on the right you can also get the imphash. So at the bottom you can see the parent image, which was the parent executable, and the parent command line. Wonderful.

Okay, event ID 3, network connection. Here I show you an example; I just included it. In the field rule name you can see right there what Olaf's Sysmon config has for the rule name; you can see the MITRE ATT&CK ID. Wonderful. And in this case, let's see, you can also see the user, the protocol, source IP, source port, destination IP, destination port. Absolutely wonderful.
So valuable. So event ID 22, DNS event, DNS query. This is such a great event. One of the greatest parts about this: you can see the query name right there in the middle. In this case it's some Google telemetry garbage, probably. And you can see the image, the executable, Firefox, and it shows you the user.

Okay, let's get to some examples of Sysmon used during an investigation. In this case, you can see Sysmon event ID 1, and we're doing a query for the command whoami. This can be either a completely harmless event, or it could be an attacker that ran whoami to understand what kind of privileges they have because they had just popped the box in there. So, very useful. And here we're looking at Sysmon event ID 3. And this is just a general search, really, to look at the processes, source IP, source port, destination IP, destination port. These can be very interesting. For example, if I was to specify the destination port as 445, that would be very interesting, showing SMB. Okay, Sysmon event ID 22. This is a really good one, really fun. This is rare DNS queries. So we're looking basically at one machine in particular, and we're looking at the rare DNS queries that it ran. This can be very interesting, very helpful during an investigation.

Okay, some closing thoughts. So, what do you see here? Yeah. These are some typical answers I've heard when I ask folks who work in incident response if the companies they work with resolving an incident have Sysmon deployed in their environment. So I see things like "rarely," "never," "hardly ever." This is a good one: "yes, but not configured to send to the SIEM." So I guess I just want to say, you know, if you have never deployed Sysmon in your environment, please do install Sysmon and make sure you send the Sysmon events to a SIEM. And really help everybody in an incident. That's it. Thanks. Join the conversation, meet up with the Blue Team Village Discord: discord.blueteamvillage.org. I'm Extreme Paperclip. Thanks. And you're clear.
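The config mechanics the talk walks through (a RuleGroup with groupRelation "and" or "or", onmatch include or exclude, and the "is", "contains", "begin with" and "end with" conditions), as an added example that is not part of the talk, of Olaf Hartong's config, or of Sysmon itself: a small Python model of how such rules decide whether an Event ID 1 record is logged, run against constructed events. The config XML, the event records and the simplified filtering semantics (an exclude match wins; an event type with no include filter logs everything it does not exclude) are assumptions made for illustration, not Sysmon's actual implementation.

```python
import xml.etree.ElementTree as ET
# Constructed config in the shape the talk describes (not a file from the talk or Olaf's config).
SYSMON_CONFIG = """<Sysmon schemaversion="4.81">
  <EventFiltering>
    <RuleGroup groupRelation="and">
      <ProcessCreate onmatch="include">
        <Image condition="is">C:\\Windows\\System32\\timeout.exe</Image>
        <CommandLine condition="contains">100</CommandLine>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="end with">\\svchost.exe</Image>
        <ParentImage condition="begin with">C:\\Program Files\\</ParentImage>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

def match(condition, expected, actual):
    # The four conditions the talk mentions; Sysmon compares case-insensitively.
    a, e = actual.lower(), expected.lower()
    return {"is": a == e, "contains": e in a,
            "begin with": a.startswith(e), "end with": a.endswith(e)}[condition]

def event_is_logged(config_xml, event_type, event):
    # Simplified semantics (an assumption, not Sysmon's code): an exclude match always
    # wins; otherwise log if an include rule matches or the type has no include filter.
    verdict = {"include": [], "exclude": []}
    for group in ET.fromstring(config_xml).iter("RuleGroup"):
        relation = group.get("groupRelation", "or")
        for filt in group.findall(event_type):
            hits = [match(r.get("condition", "is"), r.text or "", event.get(r.tag, ""))
                    for r in filt]
            verdict[filt.get("onmatch")].append(  # bool(hits): an empty filter matches nothing
                bool(hits) and (all(hits) if relation == "and" else any(hits)))
    if any(verdict["exclude"]):
        return False
    return any(verdict["include"]) or not verdict["include"]

# Constructed Event ID 1 records: only timeout_100 satisfies the "and" include group.
EVENTS = {
    "timeout_100": {"Image": r"C:\Windows\System32\timeout.exe", "CommandLine": "timeout /t 100"},
    "svchost": {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    "whoami": {"Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami",
               "ParentImage": r"C:\Windows\System32\cmd.exe"},
}
def logged_events(config_xml=SYSMON_CONFIG):
    return {name: event_is_logged(config_xml, "ProcessCreate", ev) for name, ev in EVENTS.items()}
```

Note that the narrow include rule silently drops the whoami execution the talk later searches for, which is exactly the "exclude too much" failure the talk warns about.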