My last blog entry was about Sysmon View 1.2. Since then, Sysmon View has gone through many changes and updates: mostly bug fixes, enhancements and, most recently, the addition of the new WMI events. With version 1.4, I decided that a write-up was needed to highlight the most recent changes.
WMI Events and All Events View
Sysmon View can now import the WMI events (WMIFilter, WMIConsumer, and WMIBinding). However, there was no way to view those events in Sysmon View directly, simply because the first view focuses on binaries logically grouped by the GUID field, and the second view is a geo-mapping of the IP addresses from Network events. This was an issue for events such as WMI and even Driver Loaded events, which led to the creation of the third “All Events” view shown in the following screenshot…
The third view is also helpful as an alternative for the case when a session (executable GUID) has so many related events that showing them in the first view would crash the application (I had one session producing thousands of events); in that case, Sysmon View switches to the third view and highlights the related session events.
If you are analyzing malware in a lab, I can’t emphasize enough how useful the third view is: first, it can work like a pivot table, grouping related events of the same type or of the same session (GUID); it can sort by event time; and it offers a detailed search through all imported events. Further, expanding an event exposes its ID, which looks like a hyperlink; clicking an ID number (this is an ID from the database itself, not Sysmon-generated data) invokes the detailed view of that event, shows the related sessions, and lets you query VirusTotal for more information.
Here is a screenshot of an imported Sysmon log from a recent ransomware analysis I was doing (with events grouped by type):
I just skipped all events to search for the word “delete” (passed as an argument to vssadmin.exe); from there, I was able to track back to the whole sequence of events related to that session, as shown in the next screenshot…
Sysmon View builds an SQLite database of all the imported events. This database can be loaded by any instance of Sysmon View (for example, when passed to another analyst). In previous versions of Sysmon View that database was encrypted; this is no longer the case, and it can now be used by any other third-party application as well.

The database contains summaries of hashes, executables, IP addresses, ports, geo mappings, and registry entries, all logically linked through a file name or a session (executable GUID) (which I reference myself, and if I find myself doing so frequently, I just make it a ready-made UI element in Sysmon View). For example, someone might decide to write rules in SQL to identify malicious binary behavior or IOCs… I’m just saying 🙂
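As an added example, not code from the Sysmon View project, here is what the SQL-rule idea above could look like against a Sysmon View style database, combined with the pivot used earlier in the post: from a hit on vssadmin.exe being passed “delete”, walk back to the session that launched it and list every event of that session in time order. The table and column names, the GUIDs, paths and timestamps are all assumptions constructed for this example; the post does not describe the real Sysmon View schema, so an analyst would map the queries onto the actual tables first.

```python
import sqlite3

# Hypothetical schema standing in for the Sysmon View SQLite database. The
# real table and column names are not given in the post; this is an
# assumption made for the example only.
SCHEMA = """
CREATE TABLE events (
    id           INTEGER PRIMARY KEY,  -- database id, the number shown as a hyperlink in the All Events view
    session_guid TEXT NOT NULL,        -- ProcessGuid of the process that produced the event
    parent_guid  TEXT,                 -- ProcessGuid of the parent (ProcessCreate events only)
    event_type   TEXT NOT NULL,
    utc_time     TEXT NOT NULL,
    image        TEXT NOT NULL,
    detail       TEXT                  -- command line, target file, registry path or dest ip:port
)
"""

# Constructed sample events modelled on a ransomware session: GUIDs, paths,
# addresses and timestamps are made up for the example.
SAMPLE_EVENTS = [
    (1, "{G1}", "{G0}", "ProcessCreate",  "2019-03-01 10:00:01", r"C:\Users\lab\invoice.exe", r"C:\Users\lab\invoice.exe"),
    (2, "{G1}", None,   "RegistryEvent",  "2019-03-01 10:00:02", r"C:\Users\lab\invoice.exe", r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\invoice"),
    (3, "{G1}", None,   "FileCreate",     "2019-03-01 10:00:03", r"C:\Users\lab\invoice.exe", r"C:\Users\lab\Documents\report.docx.locked"),
    (4, "{G2}", "{G1}", "ProcessCreate",  "2019-03-01 10:00:04", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    (5, "{G1}", None,   "NetworkConnect", "2019-03-01 10:00:05", r"C:\Users\lab\invoice.exe", "198.51.100.7:443"),
    (6, "{G3}", "{G0}", "ProcessCreate",  "2019-03-01 10:00:06", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]


def build_db():
    """Create an in-memory database with the constructed sample events."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.commit()
    return conn


# Rule: shadow copy deletion via vssadmin, the behaviour the post found by
# searching for "delete". Matching on the image name as well as the arguments
# keeps a plain "delete" in an unrelated command line from firing the rule.
# The pattern '%\vssadmin.exe' anchors on the path separator so that only the
# binary itself matches; SQLite LIKE treats the backslash literally here.
RULE_SHADOW_DELETE = """
SELECT id, session_guid, parent_guid, image, detail
FROM events
WHERE event_type = 'ProcessCreate'
  AND lower(image) LIKE '%\\vssadmin.exe'
  AND lower(detail) LIKE '%delete%'
  AND lower(detail) LIKE '%shadows%'
ORDER BY utc_time
"""


def find_shadow_deletions(conn):
    """Return the rows matched by the rule: (id, session_guid, parent_guid, image, detail)."""
    return conn.execute(RULE_SHADOW_DELETE).fetchall()


def session_timeline(conn, session_guid):
    """Every event of one session plus the events of processes it spawned, in time order."""
    return conn.execute(
        """
        SELECT id, utc_time, event_type, image, detail
        FROM events
        WHERE session_guid = :g
           OR session_guid IN (SELECT session_guid FROM events WHERE parent_guid = :g)
        ORDER BY utc_time, id
        """,
        {"g": session_guid},
    ).fetchall()


def investigate(conn):
    """Map each flagged event id to (parent session GUID, ids of that session's timeline)."""
    result = {}
    for hit_id, guid, parent_guid, _image, _detail in find_shadow_deletions(conn):
        # Pivot to the launching session; fall back to the hit's own session if no parent is known.
        pivot = parent_guid or guid
        result[hit_id] = (pivot, [row[0] for row in session_timeline(conn, pivot)])
    return result


if __name__ == "__main__":
    db = build_db()
    for hit_id, (pivot, ids) in investigate(db).items():
        print(f"event {hit_id}: shadow copy deletion; parent session {pivot} has events {ids}")
```

The rule is deliberately narrow (image plus both keywords) so that it can be run unattended over a large import; the broader free-text search for “delete” remains the interactive first step, exactly as in the screenshot walkthrough. The timeline query only follows one level of children; for deeper process trees a recursive common table expression over parent_guid would replace the subquery.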
In future releases, I might migrate this database to NoSQL, but for now it is serving well by being self-contained and portable (this also depends on your feedback).
In case the Sysmon View UI is not sufficient, another UI can be built on top of the database, with Sysmon View used only as an import utility (I might also create a separate command-line import utility in the future; again, this depends on your feedback and whether you think it is worth the effort).
So, I hope you find Sysmon View as useful in your threat hunting and malware analysis as it has been to me. Thank you for your support, the awesome tweets, shares, and comments.