Investigate suspicious Windows processes using Sysinternals Sysmon
This article on Microsoft's Technet Blog is really interesting: Moti Bani explain how to investigate suspicious activity on servers using Sysmon Tool.
What is Sysmon?
Sysmon is a tool from Sysinternals that provides a comprehensive monitoring about activities in the operating system level.
It is composed by a Windows service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.
It provides detailed information about process creations, network connections, and changes to file creation time: analyzing them, you can identify malicious or anomalous activity and understand how malware operate.
The tool was developed by Mark Russinovich and Thomas Garnier.
The Article
The article starts with a review on configuration and deploy process of Sysmon in enterprise environment, and after begins the interesting section, related to investigation process.
How do you identify processes that are suspicious? Mark Russinovich has told us to look for these suspicious process attributes when hunting malware with Process Explorer:
- Have no icon, description or company name
- Run from Windows directory or user profile
- Started with wrong parent
- Misspelled process
- Unsigned executables
- Packed executables
- Host suspicious DLLs or services
- Have open TCP/IP endpoints
- Include strange URLs, strings in the executable
In this video Mark Russinovich explain the process:
https://www.youtube.com/watch?v=80vfTA9LrBM
The most important analysis steps can be summarized with this graph:
After, the paper continues with a list of commands useful during investigating a suspicious file:
Run Sigcheck and search for any unsigned executables or VirusTotal's flagged executables:
sigcheck -vt -vr -e -u -s c:\
Run streams to detect alternate data streams:
streams -s c:\
Using PowerShell review the content of the Windows directory, and search for files with non-standard date-time:
Get-ChildItem -recurse | Where-Object { !$_.PsIsContainer } | Sort-Object -Descending { $_.CreationTime }
At last, the post contains a useful list of relevant Sysmon events ID:
- 2 - A process changed a file creation time
The change file creation time event is registered when a file creation time is explicitly modified by a process. This event helps tracking the real creation time of a file. Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. - 4 - Sysmon service state changed
The Sysmon service state change event reports the state of the Sysmon service (started or stopped).
- 6 - Driver loaded
The driver loaded events provides information about a driver being loaded on the system. The configured hashes are provided as well as signature information. - 8 - CreateRemoteThread
The CreateRemoteThread event detects when a process creates a thread in another process. This technique is used by malware to inject code and hide in other processes. - 9 - RawAccessRead
The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation. This technique is often used by malware for data exfiltration of files that are locked for reading, as well as to avoid file access auditing tools. - 10 - ProcessAccess
The process accessed event reports when a process opens another process, an operation that's often followed by information queries or reading and writing the address space of the target process. This enables detection of hacking tools that read the memory contents of processes like Local Security Authority (Lsass.exe) in order to steal credentials for use in Pass-the-Hash attacks. - 15 - FileCreateStreamHash
This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream. There are malware variants that drop their executables or configuration settings via browser downloads, and this event is aimed at capturing that based on the browser attaching a Zone.Identifier "mark of the web" stream.
I strongly suggest you read the original article, you can find it here: Sysinternals Sysmon suspicious activity guide