Hunting with Sysmon

Previously I mentioned I would release my simple generic Splunk App to help anyone almost instantly operationalize Sysmon data. So, here it is! It is nothing completely fancy or of superior wizardry caliber, but it will get you everything you ever wanted to begin monitoring for evil in your environment. The goal of this project is to contribute back to the InfoSec industry in relation to Threat Hunting. I believe we all need to share our hunting methodologies along with tools. I hope this teaches those who want to learn something new, but also inspires those to test out Sysmon+Splunk and get full value out of endpoint data.

Sysmon

Sysmon (System Monitor) is part of the Windows Sysinternals Suite and can be downloaded for free. It is a system service and device driver, that logs system activity to the EventLog.

What type of data does Sysmon Collect?

https://blogs.technet.microsoft.com/motiba/2016/10/18/sysinternals-sysmon-unleashed/

I have collected many sample configuration and resources of Sysmon setups, deployments, use (hunting etc.) and recent presentations on my Github site:

GitHub — MHaggis/sysmon-dfir: Sources, configuration and how to detect evil things utilizing…

Basic, getting started, configuration:

To the more advanced configuration:

Splunk App

It’s simple. I know. It will get you to where you need to be though, I promise. The magic of this app is not the dashboard pictured above, but it is the gold that is in the saved searches that I want to point you to.

MHaggis/app_splunk_sysmon_hunter

Naming Scheme

I attempted to name the saved searches what they are and I hope they make sense. I will continuously be updating this app with new saved searches.

Powershell — All PoSh by computer
Powershell — EncodedCommand
Powershell — EventDescription

schtasks — run
schtasks — delete
schtasks — create
schtasks — change
schtasks — all

If you plan to contribute — I hope this makes sense, if not — let’s discuss and make this better.

Saved Searches

Threat hunting is many things and I believe this App+Sysmon will get you started in the right direction of hunting and finding bad things quickly. Out of the box, I have created reports for the many things that are top of mind across the industry.

Installutil.exe

msbuild.exe

powershell.exe encoded

rundll32.exe

Critical Process Check

In total out of the box you get 47 searches that will help you get started with Sysmon and threat hunting. How about that for sharing!?

Many of these came from TomU talk at BotConf and my previous experience with using Carbon Black in Splunk.

Additional items may be reviewed here:

MHaggis/hunt-detect-prevent

Help!

Hit me up on twitter or in the comments here.

Thank you

Indirectly the following have contributed to this app, either in Sysmon or in Splunk. Thank you for sharing.

InfoSec Taylor Swift

Tom Ueltschi — @c_APT_ure

Future for the App

• Splunk Data Model — depending upon how much data consumed
• Network data analysis
• Hopefully more dashboards that are sexy
• ML
• AI
• Adaptive response framework
• Built in Alerts