Sysmon (System Monitor) is a Windows service and device driver that monitors system activity and records it in the Windows event log. It gathers detailed, high-quality logs that can assist with an investigation.
Events are stored in Event Viewer under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational.
Sysmon requires a config file that tells the binary which events to record and how to filter each one. You can download a config or create your own.
It defines 29 different Event IDs. These event IDs are referenced within the config to specify how each type of event should be handled or filtered.
Most of the time people set their config files to exclude items instead of including them. The reason for this is that known normal activity is excluded, so everything that is not recognised as normal is logged by default.
Important Event IDs
Event ID 1: Process creation
This logs every process that is created. It can assist with investigating suspicious processes, or processes whose names contain typos that mimic legitimate binaries.
Event ID 3: Network connection
This event ID logs network connections made by processes. It records the process image (the executable file) that made the connection as well as the ports in use.
This event uses Image and DestinationPort XML tags.
Event ID 7: Image Loaded
This logs DLLs loaded by processes. It is helpful for spotting DLL injection and DLL hijacking. It uses the Signed, ImageLoaded, and Signature XML tags.
Event ID 8: CreateRemoteThread
This monitors processes injecting code into other processes by creating a thread in the target process. Malware uses this technique to hide malicious activity inside a legitimate process.
Event ID 11: File Created
This logs when files are created or overwritten on an endpoint. It can help identify the names and signatures of files that are written to disk.
Event ID 12, 13, and 14: Registry events
These log changes made to the registry on the device, which may reveal persistence mechanisms and credential abuse.
Event ID 15: FileCreateStreamHash
This logs any file created with an alternate data stream. Hiding content in alternate data streams is a technique malicious actors use to conceal malware.
Event ID 22: DNS event
This logs DNS queries made on the host. Best practice here is to exclude all trusted domains so that the noise is tuned out; doing so makes DNS anomalies much easier to locate.
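As an added example that is not part of the original notes or of the linked configs, the fragment below shows the exclude-style approach described above for Event IDs 3, 7 and 22, using the XML tags named in the list. The schema version, the process name, the port and the domains are assumptions chosen for illustration.

```xml
<!-- Added example config; process name, port and domains are illustrative placeholders. -->
<!-- schemaversion must match the installed binary; print it with: Sysmon.exe -s -->
<Sysmon schemaversion="4.50">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>

    <!-- Event ID 3: log every network connection EXCEPT the browser's HTTPS traffic.
         The nested Rule with groupRelation="and" matters: if Image and
         DestinationPort sat directly under the RuleGroup (relation "or"),
         every connection to port 443 from ANY process would be dropped. -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <Rule groupRelation="and">
          <Image condition="image">chrome.exe</Image>
          <DestinationPort condition="is">443</DestinationPort>
        </Rule>
      </NetworkConnect>
    </RuleGroup>

    <!-- Event ID 7: image loads are noisy, so use an include rule and keep
         only DLLs that are not signed (a common trait of injected/hijacked DLLs). -->
    <RuleGroup name="" groupRelation="or">
      <ImageLoad onmatch="include">
        <Signed condition="is">false</Signed>
      </ImageLoad>
    </RuleGroup>

    <!-- Event ID 22: exclude queries for trusted domains so anomalies stand out. -->
    <RuleGroup name="" groupRelation="or">
      <DnsQuery onmatch="exclude">
        <QueryName condition="end with">.microsoft.com</QueryName>
        <QueryName condition="end with">.windowsupdate.com</QueryName>
      </DnsQuery>
    </RuleGroup>

  </EventFiltering>
</Sysmon>
```

Event types with no filter in the config keep Sysmon's default behaviour, so add an exclude or include block for each Event ID you want to tune.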
Installing Sysmon
To install Sysmon, first download the Sysinternals tools by running the following command in PowerShell:
Download-SysInternalsTools C:\Sysinternals
You will also need a config for Sysmon. Two commonly used starting points:
https://github.com/SwiftOnSecurity/sysmon-config
https://github.com/ion-storm/sysmon-config/blob/develop/sysmonconfig-export.xml
A config gives you more granular control over which logs are created.
Starting Sysmon
To install the service with your config and start it, run the following command in PowerShell (-accepteula accepts the licence, -i installs the service with the given config file):
Sysmon.exe -accepteula -i ..\Configuration\swift.xml
Once it is running, you can view the logs in Event Viewer (Applications and Services Logs > Microsoft > Windows > Sysmon > Operational).