Sysmon Shell – Release 1.1

I have just uploaded a new version of Sysmon Shell (v1.1)

[Screenshot 1]

Here is the list of updates:

  • I added new configuration options to include or exclude an entire event type with a single rule (surprisingly missing in version 1.0), for example:
    <PipeEvent onmatch="include"/> or <PipeEvent onmatch="exclude"/>
  • If you are using Sysmon for malware analysis, you might find the last tab, marked "Logs Export", useful: it exports the Sysmon logs to an XML file. I use the exported XML log files by loading them into Sysmon View for later analysis. The export feature has 3 options:
    • Export only
    • Export and clear the Sysmon event log (to mark a new analysis starting point)
    • Export, back up the evtx file and clear the event log

[Screenshot 3]

  • If you are applying the Sysmon configuration through Sysmon Shell rather than through the Sysmon command line, be aware that I am no longer validating the Sysmon image against its hash as I did in version 1.0; instead, I report the hash of the Sysmon image used to run the configuration command in the preview pane.

[Screenshot 2]

The new version can be found on my Github

Please contact me to report any bugs or suggestions

Visualizing & Tracking Sysmon events with Sysmon View 1.2

With Sysmon View 1.1, I was able to view Sysmon logs visually; however, the picture it drew was incomplete (maybe because I was busy laying down the foundation). For example, what if I wanted to track the hierarchy of an (interesting) process? Although the tool shows the details of a "process create" event, and among those details I will find the parent process (if it is reported), I would still have to dig for that parent process again (by its name), find the session (parent process GUID) that created the child process, and from there track all the events associated with that parent process session. Another example: in the map view of Sysmon View I can list all the network events associated with a certain destination country, but what if I found a network event worth investigating and wanted to track all other events associated with its process (through the process GUID)?

With version 1.2, following a process through its hierarchy is now possible; also, when investigating an event, it is now easy to get all the other events related to the same session.

An example might help. In the following image, I selected "AcroRd32.exe" to investigate.

[Screenshot 1]

Double-clicking the "process create" event reveals the details of this event (notice that the "Parent process GUID" is highlighted as a hyperlink); the "event details" window shows "Explorer.exe" as the parent process.

[Screenshot 2]

New to Sysmon View 1.2: before proceeding further, let's talk about the new event details window. From this window you can view all the event data, copy and paste, and query VirusTotal (you will have to get an API key to enable VirusTotal queries). In addition, some windows have additional special features: for example, the network event window can query VirusTotal for IP and domain information, including whois data, and the registry event window allows jumping to the registry key in regedit.

The following image shows what happens when I click on the "MD5" value, for example.

[Screenshot 3]

Now back to our topic. Clicking the "Parent process GUID" link brings up the parent process session (in this example, Explorer.exe) and all events associated with it. This tracking is hard to follow by viewing the logs in Event Viewer, since the "process create" event of a child process is associated with that child process (child process GUID) and not with its parent. If you look closely at the next image, which shows all the parent process events, you won't find an event like "create child process"; this is just how Sysmon logs data.

[Screenshot 4]

And if you want to go deeper, you can repeat the same steps recursively. Let's go to the details of the process create event of "Explorer.exe", which shows the parent process as "userinit.exe".

[Screenshot 5]

Again, let's get the details of its parent process through the details of the process create event.

[Screenshot 6]

This reveals "winlogon.exe" as the parent. Let's dig further behind the parent process "winlogon.exe" details.

[Screenshot 7]

You get the idea.

Now you might be asking what the hyperlink on "Process GUID" does: it re-draws the same session under investigation. So why the duplication? Well, it's not a duplication; this is related to the Map view and the second case mentioned earlier (and to future Sysmon views that will hopefully be added). Let's visit the map view.

[Screenshot 8]

When selecting a destination country (the Map View is available only if you enabled the GeoIP setting when importing the XML log data; by the way, thanks to http://freegeoip.net for their free API), all network events related to that "destination" are listed, and choosing any "Process GUID" shows all the events related to that network event (just another way to track Sysmon events).

[Screenshot 9]

And from there, it's easy to track that process hierarchy or any other event associated with it.

Sysmon View can be downloaded (32- and 64-bit builds) from Github at this link (the password is "password" without the quotes):

For any questions or suggestions, please contact me by email.

Updated SysmonView

Here is the latest update of Sysmon View (1.1). The tool incorporates much of the feedback received (thank you all), bug fixes and new features; here they are:

  • Bug fixes related to internal database connectivity errors
  • Bug fixes related to the UI not being reset after resetting data
  • Bug fix related to the way information about binary images (executables) is collected
  • Sysmon View's design is now based on visual modules (currently there are two visual modules)
  • Sysmon View comes in 32- and 64-bit builds
  • New cool "Black" theme 🙂
  • "Process View" got an additional filtering option that shows only images (executables) reported with the selected events, so if the analyst would like to view the timeline of a process but exclude its network and Image Loaded events, this filter will help narrow down the results (as shown in the following screenshot)

  • Map View: you can also view network events by destination country (thanks to freegeoip.net for the free API). This works only if the geo-location option was selected during the import process. Selecting any country displays the related network events. Check it out

There are many enhancements I am currently working on, in addition to new features, but I decided to release earlier instead of waiting too long between releases.

Sysmon View can be downloaded (32- and 64-bit builds) from Github at this link (the password is "password" without the quotes):

For any questions or suggestions, please contact me by email.

Sysmon View

Although the noise generated by Sysmon can be reduced through filters applied in its XML configuration, it is still often too much to look at; and in the case of malware reverse engineering, filtering events is something to be done after logging almost everything.

No matter the amount of logs a security analyst has to deal with, Sysmon View can be of some help (thanks to the process GUID logged by Sysmon, which works as a correlation identifier).

The main idea is to help identify malicious binaries using “visual” reporting modules, which are based on certain (useful) use cases.

The utility is still in its initial stages; I am releasing it with the first reporting module, which can help identify malicious binaries as follows:

Step 1 – Filtering binary images (executables) according to their file name

Step 2 – Filtering binary image files (selected from step 1) according to their path, which might be helpful in investigating anomalies in images location (Images with the same name running from multiple locations)

Step 3 – Last step is to visualize certain executable events (filtered through step 1 and 2), but per image logged session (this is the process GUID in action)

Step 4 – The utility can then help “visually” line up (sorted by time) the different events associated with a certain session

To get started, we first need to export the Sysmon events to an XML file using WEVTUtil (I could have designed the tool to connect and pull the logs from the server directly, but Sysmon View was not designed to be used as a live log analysis tool, although I am not ruling out this option in the future):

WEVTUtil query-events "Microsoft-Windows-Sysmon/Operational" /format:xml /e:sysmonview > eventlog.xml

Once exported, run Sysmon View and import the generated file "eventlog.xml" (or the name you selected). Please note that this might take some time, depending on the size of the log file. This needs to be done once per log file; subsequent runs do not need any imports, just use the command File -> Load existing data to load the previous data and work with it again.

[Screenshot 1]

Sysmon View will build an internal database (which, by the way, is a SQLite database file); I will discuss its structure and how to utilize its content in upcoming posts.

[Screenshot 2]

Once the log file is imported, you can start searching through the collected binary images, which can be easily filtered.

[Screenshot 3]

[Screenshot 4]

Double-clicking any of the binary images shows the path location(s) reported by Sysmon, which helps in identifying anomalies in path location at this stage, as previously outlined.

[Screenshot 5]

Double-clicking an image path entry causes the tool to collect all sessions (again, this is the process GUID in action) for that image entry that was running from that location.

[Screenshot 6]

Double-clicking any of the session entries generates a tree of events sorted by the event's logged time.

[Screenshot 7]

The generated tree chart can be exported to PDF, and in case more details are needed about a certain event block, double-clicking it reveals more details in a floating window (you will notice some additional entries that do not exist in the Sysmon XML schema; as previously mentioned, I will post another blog entry to explain the internal database structure).
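As an added example (not code from Sysmon View or from the post), here is the same correlation the tool performs in steps 1 to 4 above, and the parent-chain walk described in the 1.2 post, run in Python over a constructed export in the layout WEVTUtil writes with /format:xml /e:sysmonview. The GUIDs, times, paths and address are made-up placeholders.

```python
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the layout of a WEVTUtil /format:xml /e:sysmonview export;
# GUIDs, times, paths and the address are made-up placeholders, not real log data.
SAMPLE_XML = r"""<sysmonview>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System><EventData>
<Data Name="UtcTime">2017-05-01 08:00:00.000</Data><Data Name="ProcessGuid">{GUID-WINLOGON}</Data>
<Data Name="Image">C:\Windows\System32\winlogon.exe</Data><Data Name="ParentProcessGuid">{GUID-SMSS}</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System><EventData>
<Data Name="UtcTime">2017-05-01 08:00:01.000</Data><Data Name="ProcessGuid">{GUID-USERINIT}</Data>
<Data Name="Image">C:\Windows\System32\userinit.exe</Data><Data Name="ParentProcessGuid">{GUID-WINLOGON}</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System><EventData>
<Data Name="UtcTime">2017-05-01 08:00:02.000</Data><Data Name="ProcessGuid">{GUID-EXPLORER}</Data>
<Data Name="Image">C:\Windows\explorer.exe</Data><Data Name="ParentProcessGuid">{GUID-USERINIT}</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System><EventData>
<Data Name="UtcTime">2017-05-01 08:05:00.000</Data><Data Name="ProcessGuid">{GUID-ACRORD}</Data>
<Data Name="Image">C:\Program Files\Adobe\Reader\AcroRd32.exe</Data><Data Name="ParentProcessGuid">{GUID-EXPLORER}</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>3</EventID></System><EventData>
<Data Name="UtcTime">2017-05-01 08:05:07.000</Data><Data Name="ProcessGuid">{GUID-ACRORD}</Data>
<Data Name="Image">C:\Program Files\Adobe\Reader\AcroRd32.exe</Data><Data Name="DestinationIp">203.0.113.5</Data></EventData></Event>
</sysmonview>"""

def parse_events(xml_text):
    """One dict per <Event>: the EventID plus every EventData <Data Name=...> field."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        fields = {"EventID": ev.findtext("e:System/e:EventID", namespaces=NS)}
        for d in ev.findall("e:EventData/e:Data", NS):
            fields[d.get("Name")] = d.text
        events.append(fields)
    return events

def image_paths(events, image_name):
    """Steps 1 and 2: every path an image with this file name was seen running from."""
    suffix = "\\" + image_name.lower()
    return sorted({e["Image"] for e in events if e.get("Image", "").lower().endswith(suffix)})

def session_events(events, guid):
    """Steps 3 and 4: all events logged under one ProcessGuid (a session), oldest first."""
    return sorted((e for e in events if e.get("ProcessGuid") == guid), key=lambda e: e["UtcTime"])

def ancestry(events, guid):
    """Follow ParentProcessGuid through process-create (EventID 1) events. The create event
    is logged under the child's GUID, so a parent's session never lists its children."""
    creates = {e["ProcessGuid"]: e for e in events if e["EventID"] == "1"}
    chain = []
    while guid in creates:
        chain.append(creates[guid]["Image"])
        guid = creates[guid].get("ParentProcessGuid")
    return chain
```

Note that session_events for the Explorer GUID returns only Explorer's own events, which is exactly why the chain has to be walked upward from the child as the post describes.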

[Screenshot 8]

Sysmon View can be downloaded (32- and 64-bit builds) from Github at this link (the password is "password" without the quotes):

For any questions or suggestions, please contact me by email.

Sysmon Shell

Sysmon Shell can aid in writing and applying Sysmon XML configurations through a simple GUI. It can also be used to learn about the Sysmon configuration options available with each release, instead of digging through the XML schema. In a nutshell:

  • Sysmon Shell can load Sysmon XML configuration files: with version 1.0, I am only supporting the latest schema, v3.30 for Sysmon v6.01; future updates to Sysmon will be supported. In addition, the tool does not load the Sysmon configuration from the registry; however, I might add support for this in the future.
  • It can export/save the final XML to a file.
  • It can apply the generated XML file by calling Sysmon.exe -c directly (creating a temporary XML file in the same folder where Sysmon is installed). For this reason it needs elevated privileges (this requirement is inherited from Sysmon). The output of applying the configuration is displayed in the preview pane (Sysmon output).
  • The XML configuration can be previewed in the preview pane before saving.
  • The utility contains descriptions of all event types, taken from the Sysmon Sysinternals home page (https://technet.microsoft.com/en-us/sysinternals/sysmon)

What it won't do: warn you about include/exclude conflicts or attempt to validate the rules itself. However, once the configuration is applied, the preview pane displays the output from Sysmon (this is the output of the Sysmon -c command), from which errors can be identified.

The following is a screenshot of Sysmon Shell in action.

[Screenshot]

Sysmon Shell can be downloaded from my Github.

Please contact me to report any bugs or suggestions