Sysmon.exe

  • File Path: C:\SysinternalsSuite\Sysmon.exe
  • Description: System activity monitor

Hashes

Type Hash
MD5 6E515B8FF9F19DB5FFFBC1F9C9A8C612
SHA1 2984D70224C9BBD3AB86F48352AC7DC7067B163C
SHA256 074FB553EF7B5604BBAAE72EE549133C0F2802D423610A5168F4475D9CA5FA5F
SHA384 829B889C2AD4C501B5C0FD01E4192D817C433A30A924C3355D950965632A9A0C5C35197D5C8E71074749E9F24AF4D32F
SHA512 3BE6ED2E652ABFD8B00402E517A206A74AF2D717993AFB9620F3D051E37E3BA4EDC1090573D4EB9F47B6BFDF24408F00AFF50303223972B8B4A4597EA3B2C4D6
SSDEEP 49152:MnAUvPdSHEjk2tmO/MxFgiFHFkzqC+x8ouAIfSF24OhmfQ2X+Fd+U:MnAUZjttMFgaHhMhmfuT
IMP 64B64021B8D8D427A1959E74B69D3F9A
PESHA1 7F2A2F8785B70F06BFCB125EFB30CEED641629C1
PE256 EB28DF367445E517587CE730A71E323956EDF9D4CAF90C5BAFB2DF2F53F7CEF9

Runtime Data

Usage (stdout):
System Monitor v12.0 - System activity monitor
Copyright (C) 2014-2020 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com
Usage (stderr):
Usage:
Install:                 C:\SysinternalsSuite\Sysmon.exe -i [<configfile>]
Update configuration:    C:\SysinternalsSuite\Sysmon.exe -c [<configfile>]
Install event manifest:  C:\SysinternalsSuite\Sysmon.exe -m
Print schema:            C:\SysinternalsSuite\Sysmon.exe -s
Uninstall:               C:\SysinternalsSuite\Sysmon.exe -u [force]
  -c   Update configuration of an installed Sysmon driver or dump the
       current configuration if no other argument is provided. Optionally
       take a configuration file.
  -i   Install service and driver. Optionally take a configuration file.
  -m   Install the event manifest (done on service install as well).
  -s   Print configuration schema definition of the specified version.
       Specify 'all' to dump all schema versions (default is latest).
  -u   Uninstall service and driver. Adding force causes uninstall to proceed
       even when some components are not installed.

The service logs events immediately and the driver installs as a boot-start driver to capture activity from early in the boot that the service will write to the event log when it starts.

On Vista and higher, events are stored in "Applications and Services Logs/Microsoft/Windows/Sysmon/Operational". On older systems, events are written to the System event log.

Use the '-? config' command for configuration file documentation.More examples are available on the Sysinternals website.

Specify -accepteula to automatically accept the EULA on installation, otherwise you will be interactively prompted to accept it.

Neither install nor uninstall requires a reboot.
Loaded Modules:

Path
C:\SysinternalsSuite\Sysmon.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000187721772155940C709000000000187
  • Thumbprint: 2485A7AFA98E178CB8F30C9838346B514AEA4769
  • Issuer: CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename:
  • Product Name: Sysinternals Sysmon
  • Company Name: Sysinternals - www.sysinternals.com
  • File Version: 12.0
  • Product Version: 12.0
  • Language: English (United States)
  • Legal Copyright: Copyright (C) 2014-2020 Mark Russinovich and Thomas Garnier
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/68
  • VirusTotal Link: https://www.virustotal.com/gui/file/074fb553ef7b5604bbaae72ee549133c0f2802d423610a5168f4475d9ca5fa5f/detection/

File Similarity (ssdeep match)

File Score
C:\SysinternalsSuite\Sysmon64.exe 60
C:\Sysmon\Sysmon.exe 100
C:\Sysmon\Sysmon64.exe 60

Possible Misuse

The following table contains possible examples of Sysmon.exe being misused. While Sysmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma godmode_sigma_rule.yml service: sysmon DRL 1.0
sigma win_invoke_obfuscation_obfuscated_iex_services.yml service: sysmon DRL 1.0
sigma win_mal_creddumper.yml service: sysmon DRL 1.0
sigma win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml service: sysmon DRL 1.0
sigma win_net_ntlm_downgrade.yml service: sysmon DRL 1.0
sigma win_tap_driver_installation.yml service: sysmon DRL 1.0
sigma win_user_driver_loaded.yml - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ DRL 1.0
sigma sysmon_mimikatz_detection_lsass.yml service: sysmon DRL 1.0
sigma sysmon_quarkspw_filedump.yml # Sysmon: File Creation (ID 11) DRL 1.0
sigma sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ DRL 1.0
sigma mal_azorult_reg.yml service: sysmon DRL 1.0
sigma win_mal_blue_mockingbird.yml service: sysmon DRL 1.0
sigma win_mal_flowcloud.yml service: sysmon DRL 1.0
sigma win_mal_octopus_scanner.yml service: sysmon DRL 1.0
sigma win_mal_ursnif.yml service: sysmon DRL 1.0
sigma win_tool_psexec.yml description: Detects PsExec service installation and execution events (service and Sysmon) DRL 1.0
sigma powershell_suspicious_profile_create.yml service: sysmon DRL 1.0
sigma sysmon_cmstp_execution.yml - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ DRL 1.0
sigma sysmon_in_memory_assembly_execution.yml C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" DRL 1.0
sigma sysmon_in_memory_assembly_execution.yml - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/ DRL 1.0
sigma cmstp_execution.yml - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ DRL 1.0
sigma win_apt_chafer_mar18.yml service: sysmon DRL 1.0
sigma win_apt_unidentified_nov_18.yml # Sysmon: File Creation (ID 11) DRL 1.0
sigma win_apt_unidentified_nov_18.yml service: sysmon DRL 1.0
sigma win_cmstp_com_object_access.yml - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ DRL 1.0
sigma win_exploit_cve_2019_1388.yml IntegrityLevel: 'System' # for Sysmon users DRL 1.0
sigma win_exploit_cve_2019_1388.yml User: 'NT AUTHORITY\SYSTEM' # for non-Sysmon users - English language settings DRL 1.0
sigma win_hktl_createminidump.yml service: sysmon DRL 1.0
sigma win_malware_formbook.yml # e.g. wscript.exe /B sysmon-install.vbs DRL 1.0
sigma win_mal_adwind.yml - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf DRL 1.0
sigma win_mal_adwind.yml service: sysmon DRL 1.0
sigma win_mshta_javascript.yml ## todo — add sysmon eid 3 for this rule DRL 1.0
sigma win_renamed_binary.yml description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint. DRL 1.0
sigma win_renamed_binary_highly_relevant.yml description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint. DRL 1.0
sigma win_silenttrinity_stage_use.yml service: sysmon DRL 1.0
sigma win_sysmon_driver_unload.yml title: Sysmon Driver Unload DRL 1.0
sigma win_sysmon_driver_unload.yml description: Detect possible Sysmon driver unload DRL 1.0
sigma win_sysmon_driver_unload.yml - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon DRL 1.0
sigma sysmon_cmstp_execution.yml - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ DRL 1.0
sigma sysmon_disable_security_events_logging_adding_reg_key_minint.yml - # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one DRL 1.0
sigma sysmon_new_dll_added_to_appcertdlls_registry_key.yml - # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one DRL 1.0
sigma sysmon_suspicious_keyboard_layout_load.yml - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files DRL 1.0
sigma sysmon_suspicious_keyboard_layout_load.yml definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files' DRL 1.0
sigma sysmon_susp_service_installed.yml - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ DRL 1.0
sigma sysmon_ads_executable.yml service: sysmon DRL 1.0
sigma sysmon_ads_executable.yml definition: 'Requirements: Sysmon config with Imphash logging activated' DRL 1.0
sigma sysmon_alternate_powershell_hosts_pipe.yml service: sysmon DRL 1.0
sigma sysmon_apt_turla_namedpipes.yml service: sysmon DRL 1.0
sigma sysmon_cactustorch.yml service: sysmon DRL 1.0
sigma sysmon_cobaltstrike_process_injection.yml service: sysmon DRL 1.0
sigma sysmon_createremotethread_loadlibrary.yml service: sysmon DRL 1.0
sigma sysmon_cred_dump_tools_named_pipes.yml service: sysmon DRL 1.0
sigma sysmon_mal_namedpipes.yml service: sysmon DRL 1.0
sigma sysmon_password_dumper_lsass.yml service: sysmon DRL 1.0
sigma sysmon_possible_dns_rebinding.yml service: sysmon DRL 1.0
sigma sysmon_raw_disk_access_using_illegitimate_tools.yml service: sysmon DRL 1.0
sigma sysmon_suspicious_remote_thread.yml service: sysmon DRL 1.0
sigma sysmon_susp_powershell_rundll32.yml service: sysmon DRL 1.0
sigma sysmon_wmi_event_subscription.yml service: sysmon DRL 1.0
sigma sysmon_wmi_susp_scripting.yml service: sysmon DRL 1.0
sigma sysmon_process_reimaging.yml # Sysmon v.10.0 or newer is required for proper detection. DRL 1.0
sigma sysmon_process_reimaging.yml service: sysmon DRL 1.0
sigma backend_config.yml sysmon: true DRL 1.0
sigma collection_repeat.yml service: sysmon DRL 1.0
sigma arcsight.yml service: sysmon DRL 1.0
sigma arcsight.yml deviceProduct: Sysmon DRL 1.0
sigma crowdstrike.yml windows-sysmon: DRL 1.0
sigma crowdstrike.yml service: sysmon DRL 1.0
sigma elk-windows.yml windows-sysmon: DRL 1.0
sigma elk-windows.yml service: sysmon DRL 1.0
sigma elk-windows.yml EventLog: Microsoft-Windows-Sysmon DRL 1.0
sigma elk-winlogbeat-sp.yml windows-sysmon: DRL 1.0
sigma elk-winlogbeat-sp.yml service: sysmon DRL 1.0
sigma elk-winlogbeat-sp.yml log_name: 'Microsoft-Windows-Sysmon/Operational' DRL 1.0
sigma elk-winlogbeat.yml windows-sysmon: DRL 1.0
sigma elk-winlogbeat.yml service: sysmon DRL 1.0
sigma elk-winlogbeat.yml log_name: 'Microsoft-Windows-Sysmon/Operational' DRL 1.0
sigma fireeye-helix.yml windows-sysmon: DRL 1.0
sigma fireeye-helix.yml service: sysmon DRL 1.0
sigma fireeye-helix.yml channel: Microsoft-Windows-Sysmon DRL 1.0
sigma helk.yml windows-sysmon: DRL 1.0
sigma helk.yml service: sysmon DRL 1.0
sigma helk.yml index: logs-endpoint-winevent-sysmon-* DRL 1.0
sigma logstash-windows.yml windows-sysmon: DRL 1.0
sigma logstash-windows.yml service: sysmon DRL 1.0
sigma logstash-windows.yml Channel: Microsoft-Windows-Sysmon DRL 1.0
sigma netwitness-epl.yml service: sysmon DRL 1.0
sigma netwitness.yml service: sysmon DRL 1.0
sigma powershell-windows-all.yml windows-sysmon: DRL 1.0
sigma powershell-windows-all.yml service: sysmon DRL 1.0
sigma powershell-windows-all.yml LogName: 'Microsoft-Windows-Sysmon/Operational' DRL 1.0
sigma powershell.yml windows-sysmon: DRL 1.0
sigma powershell.yml service: sysmon DRL 1.0
sigma powershell.yml LogName: 'Microsoft-Windows-Sysmon/Operational' DRL 1.0
sigma splunk-windows.yml windows-sysmon: DRL 1.0
sigma splunk-windows.yml service: sysmon DRL 1.0
sigma splunk-windows.yml source: 'WinEventLog:Microsoft-Windows-Sysmon/Operational' DRL 1.0
sigma sumologic-cse.yml windows-sysmon: DRL 1.0
sigma sumologic-cse.yml service: sysmon DRL 1.0
sigma sumologic.yml windows-sysmon: DRL 1.0
sigma sumologic.yml service: sysmon DRL 1.0
sigma sumologic.yml EventChannel: Microsoft-Windows-Sysmon DRL 1.0
sigma sysmon.yml title: Sysmon DRL 1.0
sigma sysmon.yml - sysmon DRL 1.0
sigma thor.yml service: sysmon DRL 1.0
sigma thor.yml windows-sysmon: DRL 1.0
sigma thor.yml service: sysmon DRL 1.0
sigma thor.yml - 'WinEventLog:Microsoft-Windows-Sysmon/Operational' DRL 1.0
sigma winlogbeat-modules-enabled.yml windows-sysmon: DRL 1.0
sigma winlogbeat-modules-enabled.yml service: sysmon DRL 1.0
sigma winlogbeat-modules-enabled.yml winlog.channel: 'Microsoft-Windows-Sysmon/Operational' DRL 1.0
sigma winlogbeat-modules-enabled.yml #DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 DRL 1.0
sigma winlogbeat-modules-enabled.yml #SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 DRL 1.0
sigma winlogbeat-old.yml windows-sysmon: DRL 1.0
sigma winlogbeat-old.yml service: sysmon DRL 1.0
sigma winlogbeat-old.yml log_name: 'Microsoft-Windows-Sysmon/Operational' DRL 1.0
sigma winlogbeat.yml windows-sysmon: DRL 1.0
sigma winlogbeat.yml service: sysmon DRL 1.0
sigma winlogbeat.yml winlog.channel: 'Microsoft-Windows-Sysmon/Operational' DRL 1.0
sigma sysmon.yml title: Conversion of Generic Rules into Sysmon Specific Rules DRL 1.0
sigma sysmon.yml service: sysmon DRL 1.0
malware-ioc misp_invisimole.json "https://docs.microsoft.com/sysinternals/downloads/sysmon", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.\n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate\/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed\/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript.\n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux\/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a Command-Line Interface. Environment variables, aliases, characters, and other platform\/language specific semantics can be used to evade signature based detections and whitelisting mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: PaloAlto EncodedCommand March 2017)\n\nAnother example of obfuscation is through the use of steganography, a technique of hiding messages or code in images, audio tracks, video clips, or text files. One of the first known and reported adversaries that used steganography activity surrounding Invoke-PSImage. The Duqu malware encrypted the gathered information from a victim's system and hid it into an image followed by exfiltrating the image to a C2 server. (Citation: Wikipedia Duqu) By the end of 2017, an adversary group used Invoke-PSImage to hide PowerShell commands in an image file (png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary. (Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)\n\nDetection: Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).\n\nFlag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like '''^''' and '''\"'''. Windows' Sysmon and Event ID 4688 displays command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files\/payloads. (Citation: GitHub Revoke-Obfuscation) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: GitHub Office-Crackros Aug 2016)\n\nObfuscation used in payloads for Initial Access can be detected at the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Network protocol analysis, Process use of network, Binary file metadata, File monitoring, Malware reverse engineering, Process command-line parameters, Environment variable, Process Monitoring, Windows event logs, Network intrusion detection system, Email gateway, SSL\/TLS inspection\n\nDefense Bypassed: Host forensic analysis, Signature-based detection, Host intrusion prevention systems, Application whitelisting, Process whitelisting, Log analysis, Whitelisting by file name or path\n\nContributors: Red Canary, Christiaan Beek, @ChristiaanBeek", © ESET 2014-2018
malware-ioc misp-turla-powershell-event.json "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.\n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript.\n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a Command-Line Interface. Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and whitelisting mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: PaloAlto EncodedCommand March 2017)\n\nAnother example of obfuscation is through the use of steganography, a technique of hiding messages or code in images, audio tracks, video clips, or text files. One of the first known and reported adversaries that used steganography activity surrounding Invoke-PSImage. The Duqu malware encrypted the gathered information from a victim's system and hid it into an image followed by exfiltrating the image to a C2 server. (Citation: Wikipedia Duqu) By the end of 2017, an adversary group used Invoke-PSImage to hide PowerShell commands in an image file (png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary. (Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)\n\nDetection: Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).\n\nFlag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like '''^''' and '''\"'''. Windows' Sysmon and Event ID 4688 displays command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files/payloads. (Citation: GitHub Revoke-Obfuscation) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: GitHub Office-Crackros Aug 2016)\n\nObfuscation used in payloads for Initial Access can be detected at the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Network protocol analysis, Process use of network, Binary file metadata, File monitoring, Malware reverse engineering, Process command-line parameters, Environment variable, Process Monitoring, Windows event logs, Network intrusion detection system, Email gateway, SSL/TLS inspection\n\nDefense Bypassed: Host forensic analysis, Signature-based detection, Host intrusion prevention systems, Application whitelisting, Process whitelisting, Log analysis, Whitelisting by file name or path\n\nContributors: Red Canary, Christiaan Beek, @ChristiaanBeek", © ESET 2014-2018
malware-ioc misp-turla-powershell-event.json "description": "Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.\n\n===Windows===\n\nThere are multiple approaches to injecting code into a live process. Windows implementations include: (Citation: Engame Process Injection July 2017)\n* '''Dynamic-link library (DLL) injection''' involves writing the path to a malicious DLL inside a process then invoking execution by creating a remote thread.\n* '''Portable executable injection''' involves writing malicious code directly into the process (without a file on disk) then invoking execution with either additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references. Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue. (Citation: Endgame HuntingNMemory June 2017)\n* '''Thread execution hijacking''' involves injecting malicious code or the path to a DLL into a thread of a process. Similar to Process Hollowing, the thread must first be suspended.\n* '''Asynchronous Procedure Call''' (APC) injection involves attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state. AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is a variation that utilizes APCs to invoke malicious code previously written to the global atom table. (Citation: Microsoft Atom Table)\n* '''Thread Local Storage''' (TLS) callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. (Citation: FireEye TLS Nov 2017)\n\n===Mac and Linux===\n\nImplementations for Linux and OS X/macOS systems include: (Citation: Datawire Code Injection) (Citation: Uninformed Needle)\n*'''LD_PRELOAD, LD_LIBRARY_PATH''' (Linux), '''DYLD_INSERT_LIBRARIES''' (Mac OS X) environment variables, or the dlfcn application programming interface (API) can be used to dynamically load a library (shared object) in a process which can be used to intercept API calls from the running process. (Citation: Phrack halfdead 1997)\n*'''Ptrace system calls''' can be used to attach to a running process and modify it in runtime. (Citation: Uninformed Needle)\n*'''/proc/[pid]/mem''' provides access to the memory of the process and can be used to read/write arbitrary data to it. This technique is very rare due to its complexity. (Citation: Uninformed Needle)\n*'''VDSO hijacking''' performs runtime injection on ELF binaries by manipulating code stubs mapped in from the linux-vdso.so shared object. (Citation: VDSO hijack 2009)\n\nMalware commonly utilizes process injection to access system resources through which Persistence and other environment modifications can be made. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.\n\nDetection: Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC, and those that can be used to modify memory within another process, such as WriteProcessMemory, may be used for this technique. (Citation: Engame Process Injection July 2017)\n\nMonitoring for Linux specific calls such as the ptrace system call, the use of LD_PRELOAD environment variable, or dlfcn dynamic linking API calls, should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods. (Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits)\n\nMonitor for named pipe creation and connection events (Event IDs 17 and 18) for possible indicators of infected processes with external modules. (Citation: Microsoft Sysmon v6 May 2017)\n\nMonitor processes and command-line arguments for actions that could be done before or after code injection has occurred and correlate the information with related event information. Code injection may also be performed using PowerShell with tools such as PowerSploit, (Citation: Powersploit) so additional PowerShell monitoring may be required to cover known implementations of this behavior.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: API monitoring, Windows Registry, File monitoring, DLL monitoring, Named Pipes, Process Monitoring\n\nEffective Permissions: User, Administrator, SYSTEM, root\n\nDefense Bypassed: Process whitelisting, Anti-virus\n\nPermissions Required: User, Administrator, SYSTEM, root\n\nContributors: Anastasios Pingios", © ESET 2014-2018
malware-ioc misp-turla-powershell-event.json "https://docs.microsoft.com/sysinternals/downloads/sysmon" © ESET 2014-2018
atomic-red-team Atomic_Friday.md (index=”botsv3” OR index=”botsv2”) powershell.exe source=”WinEventLog:Microsoft-Windows-Sysmon/Operational” | stats values(CommandLine) by Computer MIT License. © 2018 Red Canary
atomic-red-team Atomic_Friday.md (index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe \| stats values(Image) by ParentImage MIT License. © 2018 Red Canary
atomic-red-team Atomic_Friday.md (index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe ParentImage=*\\powershell.exe\| stats values(Image) by ParentImage ParentCommandLine MIT License. © 2018 Red Canary
atomic-red-team Atomic_Friday.md (index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe CommandLine=*powershell.exe*\| stats values(CommandLine) by Computer MIT License. © 2018 Red Canary
atomic-red-team Atomic_Friday.md (index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe CommandLine!="*\Office Automatic Updates*" CommandLine!="*\Office ClickToRun*" \| stats values(CommandLine) by Computer MIT License. © 2018 Red Canary
atomic-red-team Atomic_Friday.md (index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe CommandLine=*Create* ParentImage!=*\\OfficeClicktoRun.exe \| stats values(CommandLine) by Computer MIT License. © 2018 Red Canary
atomic-red-team Atomic_Friday.md (index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe \| table Computer, User, CommandLine, _time MIT License. © 2018 Red Canary
| Source | Source File | Example | License |
|---|---|---|---|
| atomic-red-team | Atomic_Friday.md | (index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe CommandLine=*Create* ParentImage!=*\\OfficeClicktoRun.exe \| table Computer, User, CommandLine, _time | MIT License. © 2018 Red Canary |
| atomic-red-team | Atomic_Friday.md | Sometimes we may not see the whole picture looking at the process command line (Sysmon). What if we had PowerShell transaction logs? | MIT License. © 2018 Red Canary |
| atomic-red-team | Atomic_Friday.md | Sysmon - | MIT License. © 2018 Red Canary |
| atomic-red-team | Atomic_Friday.md | (index="botsv3" OR index="botsv2") powershell.exe source="WinEventLog:Microsoft-Windows-Sysmon/Operational" \| stats values(CommandLine) by Computer | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #10: Unload Sysmon Filter Driver [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #11: Uninstall Sysmon [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #4: Security Software Discovery - Sysmon Service [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #10: Unload Sysmon Filter Driver [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #11: Uninstall Sysmon [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #4: Security Software Discovery - Sysmon Service [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1518.001.md | - Atomic Test #4 - Security Software Discovery - Sysmon Service | MIT License. © 2018 Red Canary |
| atomic-red-team | T1518.001.md | ## Atomic Test #4 - Security Software Discovery - Sysmon Service | MIT License. © 2018 Red Canary |
| atomic-red-team | T1518.001.md | Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed). | MIT License. © 2018 Red Canary |
| atomic-red-team | T1518.001.md | When successfully executed, the test displays the Sysmon driver instance if it is installed. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | - Atomic Test #10 - Unload Sysmon Filter Driver | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | - Atomic Test #11 - Uninstall Sysmon | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | ## Atomic Test #10 - Unload Sysmon Filter Driver | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | run the prereq_commands and it should fail with an error of "sysmon filter must be loaded". | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | \| sysmon_driver \| The name of the Sysmon filter driver (this can change from the default) \| string \| SysmonDrv\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | sysmon -u -i > nul 2>&1 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | sysmon -i -accepteula -i > nul 2>&1 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | %temp%\Sysmon\sysmon.exe -u > nul 2>&1 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | %temp%\Sysmon\sysmon.exe -accepteula -i > nul 2>&1 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | ##### Description: Sysmon must be downloaded | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | if ((cmd.exe /c "where.exe Sysmon.exe 2> nul \| findstr Sysmon 2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 } | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$env:TEMP\Sysmon.zip" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | Expand-Archive $env:TEMP\Sysmon.zip $env:TEMP\Sysmon -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | Remove-Item $env:TEMP\Sysmon.zip -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | ##### Description: sysmon must be Installed | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | if(sc.exe query sysmon \| findstr sysmon) { exit 0 } else { exit 1 } | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | if(cmd.exe /c "where.exe Sysmon.exe 2> nul \| findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | { Set-Location $env:TEMP\Sysmon\; .\Sysmon.exe -accepteula -i} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | ##### Description: sysmon filter must be loaded | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | sysmon -u | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | sysmon -accepteula -i | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | ## Atomic Test #11 - Uninstall Sysmon | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | Uninstall Sysinternals Sysmon for Defense Evasion | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | \| sysmon_exe \| The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH) \| Path \| PathToAtomicsFolder\T1562.001\bin\sysmon.exe\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | sysmon -i -accepteula >nul 2>&1 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | ##### Description: Sysmon executable must be available | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | if(cmd /c where sysmon) {exit 0} else {exit 1} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | $parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$zippath" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | ##### Description: Sysmon must be installed | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | if(cmd /c sc query sysmon) { exit 0} else { exit 1} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | cmd /c sysmon -i -accepteula | MIT License. © 2018 Red Canary |
| signature-base | apt_tick_weaponized_usb.yar | description = "Detects Sysmon Loader from Tick group incident - Weaponized USB" | CC BY-NC 4.0 |
| stockpile | 7a6ba833-de40-466a-8969-5c37b13603e0.yml | "sysmon", | Apache-2.0 |
| stockpile | fcf71ee3-d1a9-4136-b919-9e5f6da43608.yml | description: Clear Sysmon logs [intended to trigger CAR-2016-04-002] | Apache-2.0 |
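The two Atomic_Friday.md Splunk searches in the table above (scheduled-task creation by schtasks.exe outside the Office updater, and distinct powershell.exe command lines per host) run against Sysmon Event ID 1 (ProcessCreate) records. The following is an added example, not code from this page, from Sysinternals or from Atomic Red Team, that expresses the same logic in PowerShell for a host without Splunk. It assumes Sysmon is installed with Event ID 1 enabled and that the session can read the Microsoft-Windows-Sysmon/Operational channel (local Administrators by default); the Image, CommandLine, ParentImage and User field names are Sysmon's own, while the hosts, users and command lines in the sample records are constructed.

```powershell
# Added example: Sysmon Event ID 1 hunting equivalent to the Atomic_Friday.md Splunk searches.
# Not code from the page, Sysinternals or Atomic Red Team. Sample records below are constructed.

function ConvertFrom-SysmonEvent {
    # Flatten one Sysmon event's <Data Name="..."> children into a single object.
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            Computer    = $Event.MachineName
            User        = $d['User']
            Image       = $d['Image']
            CommandLine = $d['CommandLine']
            ParentImage = $d['ParentImage']
        }
    }
}

function Get-SysmonProcessCreate {
    # Read ProcessCreate (Event ID 1) records from the local Sysmon Operational log.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ConvertFrom-SysmonEvent
}

function Find-SchtasksCreate {
    # First search: schtasks.exe creating a task, excluding tasks created by OfficeClickToRun.exe.
    # -match is case-insensitive, so it also covers the "OfficeClicktoRun.exe" spelling in the SPL.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        if ($Record.Image -match '\\schtasks\.exe$' -and
            $Record.CommandLine -match '/create' -and
            $Record.ParentImage -notmatch '\\OfficeClickToRun\.exe$') {
            $Record | Select-Object Computer, User, CommandLine, Time
        }
    }
}

function Get-PowerShellCommandLines {
    # Second search: distinct powershell.exe command lines grouped by host (stats values(CommandLine) by Computer).
    param([Parameter(ValueFromPipeline)] $Record)
    begin { $all = @() }
    process { if ($Record.Image -match '\\powershell\.exe$') { $all += $Record } }
    end {
        $all | Group-Object Computer | ForEach-Object {
            [pscustomobject]@{ Computer = $_.Name; CommandLine = @($_.Group.CommandLine | Sort-Object -Unique) }
        }
    }
}

# Constructed sample records standing in for Get-SysmonProcessCreate output.
$sample = @(
    [pscustomobject]@{ Time = '2020-08-10T13:01:00Z'; Computer = 'WKST01'; User = 'CORP\alice'
        Image = 'C:\Windows\System32\schtasks.exe'
        CommandLine = 'schtasks /Create /SC ONLOGON /TN Updater /TR "powershell -w hidden -enc AAAA"'
        ParentImage = 'C:\Windows\System32\cmd.exe' },
    [pscustomobject]@{ Time = '2020-08-10T13:02:00Z'; Computer = 'WKST01'; User = 'NT AUTHORITY\SYSTEM'
        Image = 'C:\Windows\System32\schtasks.exe'
        CommandLine = 'schtasks /Create /TN "Office Automatic Updates 2.0" /XML C:\tmp\task.xml'
        ParentImage = 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe' },
    [pscustomobject]@{ Time = '2020-08-10T13:03:00Z'; Computer = 'WKST02'; User = 'CORP\bob'
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell -w hidden -enc AAAA'
        ParentImage = 'C:\Windows\System32\svchost.exe' }
)

$sample | Find-SchtasksCreate          # only the cmd.exe-spawned schtasks on WKST01 survives the filter
$sample | Get-PowerShellCommandLines   # WKST02 with its one distinct powershell.exe command line

# Against the live log (needs read access to the Sysmon Operational channel):
# Get-SysmonProcessCreate | Find-SchtasksCreate
# Get-SysmonProcessCreate | Get-PowerShellCommandLines
```

The parent-image exclusion is the weak point of the first search: an attacker who launches schtasks.exe from a process renamed to OfficeClickToRun.exe is filtered out exactly as the updater is, so pair the parent check with the image hash or signature fields Sysmon also records rather than relying on the file name alone.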
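Tests #4, #10 and #11 above describe three states a defender wants to tell apart: Sysmon present under any name (found by minifilter altitude), the filter driver unloaded while the service keeps running, and the service and driver removed altogether. The following is an added example, not code from this page, from Sysinternals or from Atomic Red Team, that checks all three on a host. It assumes the Sysmon minifilter keeps its default altitude of 385201 (renaming the driver with Sysmon's install options does not change it), that the service keeps the description "System Monitor service" that Sysmon registers, and that fltmc.exe runs from an elevated session; the sample fltmc output and service object are constructed.

```powershell
# Added example: detect Sysmon by altitude and flag the states left by the T1562.001 tests.
# Not code from the page, Sysinternals or Atomic Red Team. Assumptions: default altitude 385201,
# service description "System Monitor service", fltmc.exe run elevated. Sample data is constructed.

$SysmonAltitude = '385201'                     # Sysmon's default minifilter altitude
$SysmonDescription = 'System Monitor service'  # description Sysmon gives its service at install

function ConvertFrom-FltmcFilters {
    # Parse the table printed by 'fltmc filters' into objects; only loaded minifilters are listed.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Rows look like "SysmonDrv    7   385201   0"; header and rule lines do not match.
        if ($line -match '^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$') {
            [pscustomobject]@{ Name = $Matches[1]; Instances = [int]$Matches[2]; Altitude = $Matches[3]; Frame = $Matches[4] }
        }
    }
}

function Resolve-SysmonState {
    # Pure logic: takes fltmc output lines and service objects (Name, Description, State).
    param([string[]]$FltmcOutput, [object[]]$Services)
    $filter  = ConvertFrom-FltmcFilters $FltmcOutput | Where-Object { $_.Altitude -eq $SysmonAltitude } | Select-Object -First 1
    $service = $Services | Where-Object { $_.Description -eq $SysmonDescription } | Select-Object -First 1
    $running = $service -and $service.State -eq 'Running'
    $verdict = if ($filter -and $running)        { 'ok: filter loaded and service running' }
               elseif (-not $filter -and $running) { 'filter unloaded while service running (T1562.001 test #10 pattern)' }
               elseif (-not $filter -and -not $service) { 'service and filter absent (never installed, or T1562.001 test #11 pattern)' }
               elseif ($filter)                     { 'filter loaded but service not running' }
               else                                 { 'service present but stopped and filter unloaded' }
    [pscustomobject]@{
        FilterName   = if ($filter) { $filter.Name } else { $null }
        FilterLoaded = [bool]$filter
        ServiceName  = if ($service) { $service.Name } else { $null }
        ServiceState = if ($service) { $service.State } else { $null }
        Verdict      = $verdict
    }
}

function Get-SysmonState {
    # Live check: fltmc needs elevation; an empty listing from a non-elevated shell would look like test #11.
    $out = & fltmc.exe filters 2>&1
    if ($LASTEXITCODE -ne 0) { throw "fltmc.exe failed (run elevated): $out" }
    Resolve-SysmonState -FltmcOutput ([string[]]$out) -Services (Get-CimInstance Win32_Service)
}

# Constructed sample: what 'fltmc filters' prints right after test #10 (SysmonDrv gone, service still up).
$sampleFltmc = @(
    'Filter Name                     Num Instances    Altitude    Frame',
    '------------------------------  -------------  ------------  -----',
    'WdFilter                                7        328010         0',
    'FileInfo                                7         40150         0'
)
$sampleServices = @([pscustomobject]@{ Name = 'Sysmon64'; Description = $SysmonDescription; State = 'Running' })
Resolve-SysmonState -FltmcOutput $sampleFltmc -Services $sampleServices   # Verdict: test #10 pattern

# Live check (elevated):
# Get-SysmonState
```

Matching on altitude rather than on the names "Sysmon" or "SysmonDrv" is what makes the check survive a renamed install, which is the point of test #4; the same property lets an attacker find it, so the verdict is best shipped off-host (for example as a scheduled collection job) rather than trusted only from the endpoint that may already have been tampered with.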

MIT License. Copyright (c) 2020-2021 Strontic.