Threat Hunting with Sysmon For Security Operations Center | TryHackMe Sysmon

Captions
What's going on, welcome back. In today's video we're going to be talking about threat hunting with Sysmon. Sysmon stands for System Monitor, and it is a Microsoft Sysinternals tool; you can download it and install it on your computer. Now, Sysmon is used, as you can see here, to collect, analyze and send logs to either a SIEM device or to workstation logs. If you don't know what a SIEM device is, it is Security Information and Event Management: they are log aggregators, collecting logs from various endpoints on the network in order for you, as a blue teamer, to analyze these logs and detect incidents. So if you don't know what a SIEM is, I think you'll have to do a refresher on your blue team skills.

Now, the logs that are sent by Sysmon, once you install Sysmon on the endpoints, will be sent to a SIEM device or to workstation logs. Workstation logs could be Linux syslog or could be Windows. So if you are using Linux you will be able to analyze the logs with syslog; if you're using Windows you'll be able to analyze the logs with Windows Event Viewer, or with the equivalent command line tools such as Get-WinEvent in PowerShell or the wevtutil utility in the command line.

Now that we understand the purpose of Sysmon, let's find out what Sysmon will detect, what Sysmon will analyze, and what types of logs we can configure with Sysmon. First things first, Sysmon operates on a configuration file. The configuration file is a file that you configure with rules, and the rules are used to detect incidents. You can find examples of Sysmon configs online; in this scenario we're going to be using the one used by TryHackMe, actually created by SwiftOnSecurity, and we will analyze the rules in that file. So this config file, or Sysmon config file, is used to create the incidents, where you will list your rules as I said earlier.

Now, in the example that we will be examining in this scenario, the Sysmon config file is configured with rules to detect the following events, nine types of events. The first type is process creation: Sysmon will alert us, or alert the Windows event log or the SIEM device, or send a log, if a process is created, and the event ID for that is 1. Why do we use process creation rules? Because most malware, when it is dropped on your workstation, will create processes, so you want to be alerted about the processes being created. Of course we can exclude or include specific processes.

Network connections: why do we also send events for network connections? Because we know that malware communicates with command and control centers or foreign IP addresses, so we want to be alerted when that happens.

DLLs loaded: most malware also uses DLLs, or when a DLL injection attack happens a DLL is loaded or replaced with another DLL, so we want to be alerted about that, and these are the event IDs that we will use when we examine that.

Process hollowing: process hollowing is where a process is accessing or inserting another thread in another process to hide itself. This is typically the case with much malware, and you want to be alerted when that happens; the event ID for that is 8.

The same with process access: a process such as the task scheduler accessing another process such as Notepad, we want to be alerted about that behavior as well. The event ID is 10.

File created: usually malware, or trojan downloaders or droppers, download files over the internet, so they tend to create files on the workstation, so you want to be alerted when a file is created.

Registry keys: they manipulate registry keys, creating registry keys or values under, let's say, CurrentVersion\Run, in order to execute startup scripts. These are the different IDs.

Alternate data streams: alternate data streams are used heavily within Windows, but malware uses alternate data streams to bypass detections, so we can detect these kinds of techniques if we look for any files created in an alternate data stream.

The last one is DNS events: we also want to be alerted when a DNS query is made to the outside network.

Now we're going to switch to the practical scenario. We're going to be taking a look at a sample configuration file from TryHackMe for Sysmon, and we will be answering the questions for the challenge. The challenge is about a scenario where a machine is infected with a malicious file from a USB device, and the file was downloading another file and using evasion techniques, so we will be discovering that with Sysmon by analyzing the events. So make sure you are connected and, of course, turn on the machine. Let me switch now to the virtual machine. Let's see here, I think we need to create a new connection: the IP address, and we will also need the username and password. Let me cancel that, select auto detect, connect. All right, we got the connection to work.

Let me show you how to download Sysmon. OK, this is the password. You can download Sysmon from here; once you download Sysmon you can execute it, and it will work as a service, as you can see here. Now, the configuration file of Sysmon: you can configure Sysmon by, let me choose config, basically here after you download Sysmon you can execute the following command, sysmon64 -i and the configuration file. Now basically the configuration file is a file that you create; you can put the file wherever you want in your workstation, and most importantly you specify the path when you execute, or when you include, the configuration file with Sysmon. Let's take a look at an example configuration file. You can go to GitHub and download this example configuration file. The example configuration file here will be used throughout the scenario, and as you can see these are the rules created; it's a big file, and this file is used
to detect ransomware, malware and trojans; most security incidents are covered in this file. Of course you are free to add your own rules to cover more incidents.

OK, so now let's take an example from these rules. For example, as you can see, the first rule: the rule group name is the process create include group. Let's take the file to my machine, let's download that. So we open the, let me check, yeah, let's open the configuration file with Sublime. All right, so let's check some example rule sets. As you can see, this is the first one: this rule alerts when a process is created, and below that we can see onmatch equal to include, which means that we want to include all of these rules, or we want to include all of these matches, when the process is created. For example, alerts on unknown process execution: condition contains "unknown process", so if a process is titled as unknown process it will trigger an alert. We also see here a MITRE technique: reversed condition image, so if there is a process created under this name it will give you an alert. The same goes with the rest of the processes. So the first rule set triggers an alert, or triggers an event to be logged, when a process is created and is included in one of these images or parent images.

Let's examine another rule set. We have another one here, the process create exclude group. As you can see, this is another rule that excludes specific processes, and it's a way to cut down on the noise or on the false positives. So whatever you put here will be excluded from the event logging, so this process will be flagged as not malicious by your Sysmon. Why? Because you instructed Sysmon to exclude this process by using onmatch equal exclude.

Let's see here what we have. Another rule group here is the file creates, so we want to be alerted when a file is created. The rule will trigger an event to be logged whenever one of these files, or, if defined, the file actually is stored in one of these paths: Start Menu, Startup, Drivers, Prefetch, it will trigger an alert.

Let's see here what we have as well. Registry events: a rule group to trigger an alert when a registry key is created, accessed or modified, and the onmatch is include, which means we want the log to be created when one of these conditions is matched. For example, the name here contains CurrentVersion\Run, so whenever the registry key that ends with or contains CurrentVersion\Run is modified you will be alerted. Why? Because much malware uses this registry key to store values to be run after the system starts. And with Windows system scripts, you will also be alerted when something is stored in this registry path. Why? Because many times malware uses persistence scripts and registers the values under this path of the registry in order to execute scripts at startup, or after specific criteria are met. So you want to be alerted whenever this registry path is modified, or a value is stored there.

All right, so that is an example of a Sysmon config file. It is very vital for Sysmon to work correctly for you to include these kinds of files, the configuration file. You can download this file for free; you can find many example Sysmon configuration files, and you can create your own, of course, and add to existing ones. Of course you have to understand these rules, how they work, in order to create your own rules based on your threat intelligence or based on your threat hunting experience. For example, you might come across a malware that, when executed, creates a process that matches a specific name, so you want to add the process name here as an image name in your existing configuration file, so that Sysmon will send you a log event when this process is executed, or when similar processes are executed. All right, so that's the configuration file, and now let's head back to the virtual machine. We will examine example logs created by Sysmon.
All right, we will be extracting details about the incident that happened in the scenario from TryHackMe, and we will answer the questions. So right now I deployed the machine; it will take about 47 seconds. We will answer the questions pertaining to the scenario here. The scenario here is: we have one, two, three, four, yeah, five investigation files. The files are taken from the event log. So suppose you put yourself in the shoes of the investigator: you will be given the event log files, and you will be required to analyze the files to extract artifacts related to how the attack happened, artifacts about the attacker, and other artifacts about the payload used in the attack.

The first example is saying: Investigation 1. In this investigation your team has received reports that a malicious file was dropped onto a host by a malicious USB. They have pulled the logs suspected and have tasked you with running the investigation for it. Let's take the details about the virtual machine first and log in. Not clicking, problem. All right, let's create a new one. OK, let's make that bigger. So, let's click on Scenarios. We will be answering the questions pertaining to the Investigations folder, but if you want you can go over the Practice folder; these are the logs collected by your team.

Now you might be asking me how this relates to Sysmon. You have this machine here that has Sysmon installed, and the configuration file that has been used is the configuration file I showed you a while ago. Now you can find all of the Sysmon events; I'm going to show you where Sysmon logs the events. If you click on Event Viewer from here, OK, so basically Sysmon stores the logs in Applications and Services. If you expand this view here, just wait for that to pop up. OK, so under Applications and Services Logs you will find Microsoft; expand Microsoft, go to Windows, and under Windows, if we scroll down until we see Sysmon, so here you go, it says Sysmon. Expand that, click on Operational, and here you will see all of the Sysmon logs, all of the logs that Sysmon has collected and sent to your Event Viewer. Normally, if you're working in an enterprise or in a SOC team, you will see these logs in a device called Security Information and Event Management, such as Splunk or AlienVault, but for this scenario we are examining the logs from our workstation.

Now, if you go back, these logs are collected from this view here. But how are they separated? As you can see here, they are separated by the event type. So if you go back to the board here, as you can see, we spoke about the types of events Sysmon detects, right, and we also expanded here on the event IDs, right? So we take the ID; for example, we want to filter for the process creation logs, so we take the event ID 1, filter current log, OK, and now we can click on Save Filtered Log File As. That's how these logs are collected: your team has sifted through all of these events, and they have created these events for you in order for you to analyze. OK, that's how these log files are created or gathered. So normally, if you're running Sysmon on your device and you found this huge number of events, let me create a filter, this huge number of events created by Sysmon, all you have to do is just understand which event IDs correspond to which type of event, for example here the event is a network connection, or an image loaded. So take the event ID and filter based on what you want. OK, let's close that and expand here. These are the practice scenarios. If we, for example, take one, Detecting Remote Threads: remote threads are threads created by a process in another process, and typically it is malicious behavior. So basically you can see the events; let me take this right up. So, Detecting Remote Threads, and
these are all of the events that correspond to the scenario. But we're assuming that you are sifting through a huge number of events, right? So you will not be using the graphical GUI here; we will be using the command line tools, specifically PowerShell. Now that you have been given the log files, your task as a SOC team is to analyze these log files. So you will open PowerShell as administrator; you will navigate to, let's make the font bigger, Properties, Font, C:\Users\THM-Analyst, cd Desktop, go to Scenarios, Practice, clear. So we have these logs. OK, so for example Hunting Metasploit: in this log file your team believes that the collected logs generated by Sysmon are hinting at Metasploit activity. So how do you go about detecting Metasploit activity from an event log file? You would need the power of Get-WinEvent. So Get-WinEvent, and then we define the path, which is Hunting Metasploit, Hunting Metasploit here, OK. Now we type -FilterXPath; if you don't know what FilterXPath is, you can go to the last video I created where I explained how to use XML queries to filter through your events. OK, now let me open my file. So here are the commands. Basically, if I want to detect Metasploit activity I want to look for port 4444, and I want to look for event ID equal 3. Why do I do that? Because Metasploit commonly uses port 4444, right, in your RHOST and RPORT configuration; if you're creating a payload, port 4444 comes predefined in the output configuration of Metasploit. That's why here we are filtering for port 4444 and for event ID equal 3, because 3 corresponds to network connection. So we want to capture an event where there is a network connection and where the port is 4444, which means that it could possibly be Metasploit, possibly, I mean, not necessarily. So let me copy the command from here, take this, paste, enter. So as you can see, we have one event. Now if we want to get more information about that event, we type fl to display that in list format. OK, so this is the information of the event. As you can see here, we can see the process that initiated the connection; it is shell.exe, and it exists in Downloads, which means that the user possibly downloaded the file from an email attachment and the file has been stored in Downloads. After they executed the file, which is shell.exe, it initiated a connection to this IP address and this port, 4444; possibly there is an omitted 4 here, but it is 4444. So this is the event that relates to Metasploit.

Now if we go up, let's examine the Mimikatz one. How do you know that there is Mimikatz activity on my network or on my host? Let's get back to the list of commands and let's see here which one. OK, so let's take this one; I'm going to explain it while I execute the command. So copy that, get back. Basically I'm going to remove these characters, and here we define Mimikatz, so basically here we have Mimikatz, -FilterXPath, paste. Now, to detect, or not detect actually, it has already been detected by Sysmon, to filter for Mimikatz events you have to use two criteria. The first one is event ID equal 10, which, if we get back here, corresponds to process access, and when Mimikatz is used against a target machine it accesses another process; the process name is lsass, which is the Local Security Authority process responsible for creating and authenticating users on your machine. When you issue dump credentials with Mimikatz, Mimikatz will access this process and dump the credentials. So we want to filter for the events where the event ID equals 10, corresponding to process access, and the process that has been accessed must be lsass. That's how we know that there was actually Mimikatz running against the machine. So if you hit enter you see there is one; the message
is process access. If you want to list more information about that, we type fl and we see here the full details. So the source image: C:, Users, Downloads, mimikatz. So again the attacker has dropped Mimikatz in the Downloads folder and executed Mimikatz from there, and the target image, the target image is the process that has been accessed by the source image, which here is Mimikatz, and here you can see the call trace. So that's how we know. Now you can do the same with the other practice files; I'm going to head now directly, to save time, to the challenge. You can find the challenge files in Scenarios, Investigations, and here in the challenge you'll get the idea, you will understand everything while we go through the challenge.

So back to the challenge. The first scenario here, we heard about this, right? There was a malicious file dropped by a USB. The investigation questions: we have three questions. The first one: what is the full registry key of the USB device calling svchost in Investigation 1? Here we want to extract the registry key that contains information about the malicious USB, right? For that reason we will use event ID 13, 12 or 14 to find more information about the registry key that has been modified. So the same command here stands, but let's go back and cd to Investigations. So here let's work on the commands; let me copy the command directly from here. Let's take the first one. All right, so we defined the path to the event file, and here we filtered for event ID 13, because we're looking for modifications on registry keys. Here I put MaxEvents 2: I want to display a maximum of only two events, and sort them by oldest. Let's see here. So the rule name, SetValue, this is the rule in Sysmon that triggered the event, and we see the image, as you can see, Windows Portable Devices, and here goes the device ID of the USB; as you can see it is a USB Cruzer. So this is the registry key containing information about the USB. So we get back here and answer the question with this.

Now: what is the device name when being called by RawAccessRead in Investigation 1? So we're required to find out the device name, right, when being called by RawAccessRead. Now what does RawAccessRead technically mean? If you look it up, it's an event, by the way, RawAccessRead detected; click on that event. It is an event that has the ID of 9, and you can see more details about it: the RawAccessRead event detects when a process conducts reading operations from the drive. So basically the malicious process is inquiring or querying the USB drive where it came from to take more commands or instructions about the malicious process. So if you get back here and we scroll down, instead of event 13 we type 9, so here we see RawAccessRead detected, and the image is volume 3 in both cases. So the answer to the question, let me also close, let's go back to TryHackMe, click on that, so: what is the device name when being called by RawAccessRead in Investigation 1? It is this one, as we found out.

What is the first process executed in Investigation 1? So we want to find out what was the process that was executed when we plugged in the USB drive, so I found out just by changing the event ID to 1, which corresponds to the process create alert in Sysmon, of course, 1, and here you will see the process name. Actually you have got two, let me check, no, only one actually. So as you can see the process name is rundll32. Now we move on to Investigation 2.
Let's look at the scenario: another suspicious file has appeared in your logs and has managed to execute code masking itself as an HTML file, evading your antivirus detections. Open the logs and investigate the suspicious file. So there is another suspicious file or suspicious process that has masked itself as an HTML file and is actually executed as an HTML file, so it has used something called alternate data streams. So let's filter for alternate data streams to find out about this. If we go back here we see the ID is 15; let's check ID 15, change the file to Investigation 2. So there is nothing that matches event ID 15. OK, let's check the processes created. The first process that has been created from this investigation file, let's check it out here, so this is the process, right, the original process; the original file name is here. Now if you go down, you see the process here, which is mshta, has executed a file called update.hta, right, and if you go down you see there is something called the parent image. The parent image refers to a completely similar file name, update, but with the flipped extension, which means that the original file name was update.hta, but the malware has executed the file as update.html, by looking at the parent image. So if you go back to see the answer here: what is the full path of the payload in Investigation 2? The full path will be this one; this is where the payload lives on the workstation, in this path. Now the second question is: what is the full path of the file the payload masked itself as in Investigation 2? So this is the original payload, but the file that the payload used to hide its identity was here, in the parent image section. Now, what signed binary executed the payload in Investigation 2? This is the binary that executed the payload. Now, what is the IP address of the adversary in Investigation 2? So now I have to find the IP address that is used by the malware to make the connection. So basically, filter for network connections, which is the event ID, let me remember, so let's go back and remind myself of that: 3. So filter for 3. Here we see only one event, and this is the source IP, which is the machine IP address that is making the connection, and this is the process name, which corresponds to the same process we found previously when filtering for the payloads, and it's making the connection to the IP address here and on this port. So this answers this question, and this one.

Now we go to the third part of the investigation: your team has informed you that the adversary has managed to set up persistence on your endpoints as they continue to move throughout your network. Find how the adversary managed to gain persistence using the logs provided. So most probably, when there is persistence on the machine, we want to look for event IDs or alerts that correspond to registry modification. So in the file we first define the path, which is 3.1, and here we define our filter for the event IDs. So I've got something here; let's see. Here we're required to find the questions, with the questions here. The first question in Investigation part 3: what is the IP of the suspected adversary in Investigation 3? So here let's skip the registry, we're not required to find that; let's find out about the IP addresses. So we filter for 3, I guess, remind myself of that: 3 for network connections. Filter, so we see three here, three connection attempts: source IP, my workstation, and this destination IP. Let's compare that with the second event, and we see the same IP address used in both cases as the destination IP, which means the destination IP was this one and the destination port was 80.
This answers the question here. What is the hostname of the affected endpoint? To find out about the affected endpoint we look at the source IP address, and above that we look at the image, which is the host of the endpoint. What is the hostname of the C2 server connecting to the endpoint in Investigation 3.1? The hostname is pretty obvious: Empire C2. Now, where in the registry was the payload stored in Investigation 3.1? So the malware, if we go back, has created a payload to execute itself every time the system starts, and has created other registry keys, as registry values actually in the registry keys, to facilitate this process. So you have to look in the registry. How do we look for registry modifications? We choose event ID equal 12. Let's make the 3 here. So we see CreateKey. The question is: where in the registry was the payload stored? Settings, so not here; Software, Windows, Image File Execution Options, not here. So we're looking for the payload pattern actually; let me choose event ID 13.

All right, here we go, something. So this seems to be base64 encoded, right, and we see here it is under HKLM\SOFTWARE\Microsoft\Network\debug; here is where the payload has been stored. This marks the answer for this question. What PowerShell launch code was used to launch the payload in Investigation 3.1? So the malware uses PowerShell to execute its commands. Basically, as you can see here, you see the command, right: C:\Windows, PowerShell, powershell.exe -c, and here you see the command. So this marks the answer for the question here: this was the launch code executed by the malware, which is PowerShell code.

All right, what is the IP address of the adversary in Investigation 3.2? So we move to part 2 of the third investigation. Is it the same? Yeah, the same. So let's then go back to the questions: what is the IP address in Investigation 3.2? Here we have to change the file to 3.2 and look for network connections, so you would change 13 to 3, enter. We see here all of the network connections, and we see a repeated pattern of the destination IP address; the IP address, as you can see, is the same throughout the network connections, which means this was the IP address of the attacker. What is the full path of the payload location in Investigation 3.2? So we'll have to find out the payload location, so we look for processes created, because malware uses processes, right, to create payloads. So we look for processes created by using ID equal 1, go up, and as you can see this is the first process that has been created, and it is actually cmd, to create the payload. So the payload is echoing some encoded stuff to a .txt file under C:\Users, which is the location of the payload. What was the full command used to create a scheduled task in Investigation 3.2? So you want to see the full command that was used by the malware to create a scheduled task in order to execute the malware frequently. So we look for a process that is using a scheduled task, the task scheduler,
which is here, as you can see. This process is using the task scheduler, and the question is what was the full command, so you copy that and you answer with that; the command here is creating a scheduled task to execute the payload in this location. All right, so what process was accessed by schtasks that would be considered suspicious behavior in Investigation 3.2? So the scheduled task seemingly is accessing another process to perform its objective, or to perform the objective of the payload. So you have to look for the events that correspond to process access or process hollowing. We use event ID 10, and we see the pattern of process access: as you can see, source process ID and target process image, but they are encoded, so we have to look them up in the .evtx file, the event file. So open Investigation 3.2, and you filter for, yeah, after it opens, so we filter for event ID 10, Details. So we see the scheduled task is accessing the process which is lsass, which indicates the presence of Mimikatz activity, right? So the answer is the process lsass.

What is the IP of the adversary in Investigation 4? Move on to Investigation 4. Let's read about Investigation 4 up there: "Mom, look, I built a botnet!" An adversary has gained a solid foothold onto your network. It has been brought to your attention that they may have been able to set up C2 communications on some of the endpoints. Collect the logs and continue the investigation. So there is a botnet on my network; I want to find out where the original command and control center is to which the botnet is connecting. So that's what we are tasked to find out here: the IP, the port and the C2 name. So head on to Investigation 4.

And here filter for network connections. So, three events. As you can see the destination IP is the same every time, which means, nope, not the same, I see here, yep. So what's the question now? What is the IP of the adversary? We got two IP addresses, as you can see here: the first one is here, and it is initiated by this IP address; the second one, so here we do have to look at these, right, because they are initiated by the local service, but this one is initiated by SYSTEM, and this is the source IP and this is the destination IP. So I guess, because it's initiated by SYSTEM and the scenario is assuming that the adversary has gained a solid foothold, which means they have elevated privileges, most probably the answer should be this one, because it's executed as NT AUTHORITY\SYSTEM, and the scenario is assuming that the attacker has gained a solid foothold, like privileged access. So the process, or the image, that is creating the connection should be SYSTEM, not the service, as we found out here; that's why we didn't select this IP address. So the right one is this one, and this is the port, and this is the name of the C2, which marks the answers for these questions.

I hope you enjoyed that. Take your time to find out more about Sysmon and install it on your local machine, practice with it, try to create your own rules. If you're working in a SOC team, try to bring your threat intelligence knowledge and threat intelligence database to create more rules for Sysmon in order to expand the detection scale of the tool. So that was for today, and hopefully see you in the next video.
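The hunts typed into Get-WinEvent in the walkthrough above (port 4444 on event ID 3 for Metasploit, lsass.exe as the target image on event ID 10 for Mimikatz, CurrentVersion\Run on event ID 13 for persistence, any event ID 15 for alternate data streams, and the "repeated destination IP" reasoning used to pick the adversary in Investigation 3.2), as an added Python example. This is not code from the video or from the TryHackMe room: it assumes events exported in the Windows Event Log XML shape that Get-WinEvent's ToXml() produces, and every event, path, port and address in it is constructed for illustration, not taken from the room's .evtx files.

```python
"""Hunting over exported Sysmon events with the same filters the video types
into Get-WinEvent -FilterXPath. Added example, not code from the video or the
TryHackMe room; all events below are constructed samples."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def make_event(event_id, **data):
    """Build a constructed Sysmon event in Windows Event Log XML form."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID>'
            f'</System><EventData>{fields}</EventData></Event>')


def parse_event(xml_text):
    """Flatten one event into {'EventID': int, <Data Name>: value, ...}."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = d.text or ""
    return rec


def hunt(events, event_id, **conditions):
    """Events of one Sysmon ID whose fields satisfy every condition.

    A condition is an exact string or a predicate on the field value.
    hunt(events, 3, DestinationPort="4444") is the XPath the video uses:
      *[System[EventID=3] and EventData[Data[@Name="DestinationPort"]="4444"]]
    """
    hits = []
    for ev in events:
        if ev["EventID"] != event_id:
            continue
        if all((want(ev.get(f, "")) if callable(want) else ev.get(f, "") == want)
               for f, want in conditions.items()):
            hits.append(ev)
    return hits


def image_is(name):
    """Sysmon-style 'image' condition: compare only the file name, case-insensitively."""
    return lambda path: path.rsplit("\\", 1)[-1].lower() == name.lower()


# The hunts from the walkthrough, one function each.
def hunt_metasploit(events):              # ID 3, Metasploit's default LPORT
    return hunt(events, 3, DestinationPort="4444")

def hunt_mimikatz(events):                # ID 10, credential dumping opens lsass
    return hunt(events, 10, TargetImage=image_is("lsass.exe"))

def hunt_run_key_persistence(events):     # ID 13, SetValue under ...\CurrentVersion\Run
    return hunt(events, 13, TargetObject=lambda t: "currentversion\\run" in t.lower())

def hunt_alternate_data_streams(events):  # ID 15, FileCreateStreamHash
    return hunt(events, 15)

def likely_c2(events):
    """(DestinationIp, count) seen most often across ID 3 events: the
    'repeated pattern' used to pick the adversary IP in Investigation 3.2."""
    counts = Counter(ev["DestinationIp"] for ev in hunt(events, 3))
    return counts.most_common(1)[0] if counts else None


# Constructed sample log (documentation-range addresses, made-up paths).
C2, OTHER = "203.0.113.10", "192.0.2.25"
SAMPLE_LOG = [
    make_event(1, Image=r"C:\Windows\System32\rundll32.exe", CommandLine="rundll32.exe"),
    make_event(3, Image=r"C:\Users\user\Downloads\shell.exe", SourceIp="10.10.1.5",
               DestinationIp=C2, DestinationPort="4444"),
    make_event(3, Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               SourceIp="10.10.1.5", DestinationIp=C2, DestinationPort="80"),
    make_event(3, Image=r"C:\Windows\System32\svchost.exe", SourceIp="10.10.1.5",
               DestinationIp=OTHER, DestinationPort="443"),
    make_event(10, SourceImage=r"C:\Users\user\Downloads\mimikatz.exe",
               TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x1010"),
    make_event(10, SourceImage=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
               TargetImage=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
               GrantedAccess="0x1000"),
    make_event(13, EventType="SetValue", Image=r"C:\Windows\regedit.exe",
               TargetObject=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
               Details="powershell.exe -w hidden"),
    make_event(13, EventType="SetValue", Image=r"C:\Windows\System32\svchost.exe",
               TargetObject=r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain",
               Details="corp.local"),
    make_event(15, Image=r"C:\Windows\System32\mshta.exe",
               TargetFilename=r"C:\Users\user\Downloads\update.html:Zone.Identifier"),
]
SAMPLE_EVENTS = [parse_event(x) for x in SAMPLE_LOG]

if __name__ == "__main__":
    for name, fn in [("metasploit", hunt_metasploit), ("mimikatz", hunt_mimikatz),
                     ("run-key persistence", hunt_run_key_persistence),
                     ("alternate data stream", hunt_alternate_data_streams)]:
        for ev in fn(SAMPLE_EVENTS):
            print(f"[{name}] EventID={ev['EventID']} {ev.get('Image') or ev.get('SourceImage')}")
    print("likely C2:", likely_c2(SAMPLE_EVENTS))
```

The `image_is` helper mirrors the Sysmon config "image" condition the video reads from the SwiftOnSecurity file, so the same predicate works whether the path in the event is C:\Windows\system32\lsass.exe or a different drive letter; `likely_c2` is only a tie-breaker, as the Investigation 4 discussion shows, because a destination that appears once under SYSTEM can matter more than one that appears several times under a service account.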
Info
Channel: Motasem Hamdan
Views: 11,367
Keywords: TryHackMe, Sysmon, SOC
Id: 2xA5Sm0Xdd0
Length: 50min 40sec (3040 seconds)
Published: Mon May 31 2021