no-secure-code

Visualizing & Tracking Sysmon events with Sysmon View 1.2

With Sysmon View 1.1, I was able to view Sysmon logs visually. However, this drawn image was somehow incomplete as I was unable to track the entire process hierarchy (maybe because I was busy laying down the foundation). With version 1.2, following a process through its hierarchy is now possible, additionally, when investigating an event, it is easy now to get to (trackback) all other events related (associated) to the same session.

Example: in the following image, let’s track the history of events related to “AcroRd32.exe” process

Double-clicking on the “process create” event reveals the details of this event (notice that the “Parent process GUID” is being highlighted as a hyperlink), the “event details” is showing “Explorer.exe” as the parent process…

New to Sysmon View 1.2: Before proceeding further, let’s talk about the new events details window. In this window, you can retrieve all event’s data, and query virus total for hash information as shown in the next screenshot (You will have to get an API key to enable virus total queries). In the case of network events, query Virus Total for IP and domains information, including whois data, in addition to “jumping” to the logged registry keys in regedit.

Now back to our topic, clicking “Parent process GUID” link will bring up the parent process session (in this example, Explorer.exe) and all events associated with it

To go further deeper, repeat the same steps recursively: let’s go to the details of the “process create event” of “Explorer.exe”, which shows the parent process as “userinit.exe”

Again… lets get the details of “userinit.exe” parent process though the details of the process create event details…

Which reveals “winlogon.exe” as the parent process, lets further dig behind the parent process “winlogon.exe” details…

You got the idea…

Now you might be asking what the hyperlink of “Process GUID” does, well, it will re-draw (visualize) the same session under investigation again, so why the duplication? well, its not, this is feature is needed for the “Map view”…

When selecting a destination country (Map View will be available if you enabled geo ip setting when importing the XML log data), then all network events related to that “destination” will be listed, now to track back to all events within the context of a running session, click the “Process GUID” field…

And from there, it’s easy to track that process hierarchy or any other event associated with it

For any questions or suggestions, please contact me by email.