Analyzing Evil With Sysmon & Event Logs

Sysmon Basics

When investigating malicious events, several event IDs serve as common indicators of compromise. For instance, Event ID 4624 provides insights into new logon events, enabling us to monitor and detect suspicious user access and logon patterns. Similarly, Event ID 4688 furnishes information about newly created processes, aiding the identification of unusual or malicious process launches. To enhance our event log coverage, we can extend the capabilities by incorporating Sysmon, which offers additional event logging capabilities.

System Monitor (Sysmon) is a Windows system service and device driver that remains resident across system reboots to monitor and log system activity to the Windows event log. Sysmon provides detailed information about process creation, network connections, changes to file creation time, and more.

Sysmon's primary components include:

A Windows service for monitoring system activity.
A device driver that assists in capturing the system activity data.
An event log to display captured activity data.

Sysmon's unique capability lies in its ability to log information that typically doesn't appear in the Security Event logs, and this makes it a powerful tool for deep system monitoring and cybersecurity forensic analysis.

Sysmon categorizes different types of system activity using event IDs, where each ID corresponds to a specific type of event. For example, Event ID 1 corresponds to "Process Creation" events, and Event ID 3 refers to "Network Connection" events.

The full list of Sysmon event IDs:

Sysmon - SysinternalsMicrosoftLearn

For more granular control over what events get logged, Sysmon uses an XML-based configuration file. The configuration file allows you to include or exclude certain types of events based on different attributes like process names, IP addresses, etc. We can refer to popular examples of useful Sysmon configuration files:

GitHub - SwiftOnSecurity/sysmon-config: Sysmon configuration file template with default high-quality event tracingGitHub

GitHub - olafhartong/sysmon-modular: A repository of sysmon configuration modulesGitHub

For a comprehensive configuration, we can visit: Swift on Security Repo (the first link above). <-- We will use this one in this section!
Another option is: the second link above, which provides a modular approach.

To get started, you can install Sysmon by downloading it from the official Microsoft documentation. Once downloaded, open an administrator command prompt and execute the following command to install Sysmon.

Sysmon - SysinternalsMicrosoftLearn