Post on 07-Jan-2017
#SOCAugusta @DefensiveDepth
Sysmon & Security Onion
Roadmap
• Why?
• Sysmon
• Detection Techniques
Sysmon
-Sysinternals tool (released 8/14, current v3.1)
-Installed as a Windows Service, logs:
  -Process creation with full command line
  -Parent process with full command line
  -Hash of process image file (SHA1 + more)
  -Network connections, tied to process
  -Loaded drivers & DLLs (sigs & hashes)
  -File creation time
  -+More!
Sysmon
Sysmon - Deployment
sysmon.exe -i -accepteula
Sysmon – Filtering
Sysmon – Collection & Parsing
Detection
Real-Time Alerting: OSSEC + SGUIL/ELSA
Historical/Investigation: ELSA
Detection: Process Abnormalities
svchost.exe
-Image Location: System32/SysWOW64
-Run As: Local System, Network Service, Local Service
-Parent Process: services.exe
-How many instances? 5+
-Other: svchost.exe -k "param"
Detection: Process Abnormalities
Poweliks
• Image: dllhost.exe
  • Command Line: none | ParentImage: powershell.exe
  • Command Line: /Processid:{} | ParentImage: svchost.exe
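The two "Process Abnormalities" slides above (the svchost.exe baseline and the Poweliks dllhost.exe pattern) expressed as checks over Sysmon Event ID 1 records. This is an added example, not code from the talk or from Security Onion/OSSEC; on Security Onion the same logic would live in OSSEC rules. Field names (Image, CommandLine, ParentImage, User) are Sysmon's; the event records are constructed samples, and the "Computer" field and the per-host instance count are an assumption about how the events would be tagged on the manager.

```python
# Added example: baseline checks for svchost.exe and dllhost.exe over Sysmon
# Event ID 1 (process create) records. Events below are constructed samples.
from collections import Counter

# svchost.exe baseline from the slide.
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SVCHOST_USERS = {
    r"nt authority\system",
    r"nt authority\network service",
    r"nt authority\local service",
}
SVCHOST_PARENT = "services.exe"


def _lower(value):
    return (value or "").lower()


def _basename(path):
    return _lower(path).rsplit("\\", 1)[-1]


def _dirname(path):
    return _lower(path).rsplit("\\", 1)[0]


def check_svchost(ev):
    """Return baseline deviations for one svchost.exe process-create event."""
    findings = []
    if _basename(ev["Image"]) != "svchost.exe":
        return findings
    if _dirname(ev["Image"]) not in SVCHOST_DIRS:
        findings.append("image outside System32/SysWOW64: %s" % ev["Image"])
    if _lower(ev.get("User")) not in SVCHOST_USERS:
        findings.append("unexpected account: %s" % ev.get("User"))
    if _basename(ev.get("ParentImage")) != SVCHOST_PARENT:
        findings.append("parent is %s, not services.exe" % _basename(ev.get("ParentImage")))
    if "-k " not in _lower(ev.get("CommandLine")):
        findings.append("no -k service-group parameter")
    return findings


def check_dllhost(ev):
    """Poweliks-style dllhost.exe: no /Processid:{GUID}, or parent not svchost.exe."""
    findings = []
    if _basename(ev["Image"]) != "dllhost.exe":
        return findings
    if "/processid:{" not in _lower(ev.get("CommandLine")):
        findings.append("dllhost.exe without /Processid:{...}")
    if _basename(ev.get("ParentImage")) != "svchost.exe":
        findings.append("dllhost.exe parent is %s, not svchost.exe" % _basename(ev.get("ParentImage")))
    return findings


def svchost_instances(events):
    """Count svchost.exe launches from legitimate paths per host (baseline: 5+)."""
    counts = Counter(
        ev.get("Computer", "?") for ev in events
        if _basename(ev["Image"]) == "svchost.exe" and _dirname(ev["Image"]) in SVCHOST_DIRS
    )
    return dict(counts)


def triage(events):
    """Return {event_index: [findings]} for events that deviate from baseline."""
    results = {}
    for i, ev in enumerate(events):
        findings = check_svchost(ev) + check_dllhost(ev)
        if findings:
            results[i] = findings
    return results


# Constructed Sysmon Event ID 1 records (not real telemetry).
EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Computer": "WS01", "Image": r"C:\Users\Public\svchost.exe",
     "CommandLine": r"C:\Users\Public\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"WS01\bob"},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": r"C:\Windows\system32\DllHost.exe /Processid:{11111111-2222-3333-4444-555555555555}",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "User": r"WS01\bob"},
    {"Computer": "WS01", "Image": r"C:\Windows\SysWOW64\dllhost.exe",
     "CommandLine": "",
     "ParentImage": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"WS01\bob"},
]

if __name__ == "__main__":
    for idx, findings in triage(EVENTS).items():
        print(idx, EVENTS[idx]["Image"], findings)
    print("svchost.exe instances per host:", svchost_instances(EVENTS))
```

The instance count is reported rather than alerted on: a host with fewer than five svchost.exe launches is only odd in context, whereas a svchost.exe outside System32/SysWOW64, running as a user, or not spawned by services.exe is a deviation in its own right.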
Detection: Abnormal Application Usage
-cmd.exe, powershell.exe, at.exe
-Context Specific!
Detection: Abnormal Application Usage
Detection: Suspicious Application Usage
Detection: Hash Lookups
-OSSEC CDB List Lookup
-IOCs
-Sysinternals PsExec (Context Specific!)
-2011 – 2014 Hashes
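A Python mirror of the CDB-list hash lookup described on this slide, added here as an example and not taken from the talk or from OSSEC. The list text uses OSSEC's "key:value" CDB-list source format (the manager compiles it with ossec-makelists); the Hashes field is parsed the way Sysmon emits it ("SHA1=...,MD5=..."). The "context specific" point for PsExec is modelled as an allowed-admins set. Every hash, account and event below is a constructed placeholder, not a real IOC.

```python
# Added example: Sysmon Hashes field looked up in an OSSEC-style CDB list.
# Hashes, accounts and events are constructed placeholders, not real IOCs.

# Constructed list source: one "hash:label" per line (OSSEC key:value form).
KNOWN_BAD_LIST = """\
0123456789abcdef0123456789abcdef01234567:psexec-2011-2014-constructed
fedcba9876543210fedcba9876543210fedcba98:ioc-constructed
00112233445566778899aabbccddeeff:md5-ioc-constructed
"""

# "Context Specific!": PsExec from the admin team is expected, from anyone else
# it is not. Constructed assumption, not from the talk.
PSEXEC_ALLOWED_USERS = {r"corp\admin-jane"}


def load_cdb_list(text):
    """Parse key:value lines into {lowercase_hash: label}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, _, label = line.partition(":")
        table[key.strip().lower()] = label.strip()
    return table


def parse_hashes(field):
    """Split Sysmon's 'SHA1=...,MD5=...,SHA256=...' into {ALGO: hexdigest}."""
    hashes = {}
    for part in field.split(","):
        algo, _, digest = part.partition("=")
        if algo and digest:
            hashes[algo.strip().upper()] = digest.strip().lower()
    return hashes


def lookup(event, table):
    """Return (algo, label) for the first event hash present in the list, else None."""
    for algo, digest in parse_hashes(event.get("Hashes", "")).items():
        if digest in table:
            return algo, table[digest]
    return None


def triage(events, table, psexec_allowed=PSEXEC_ALLOWED_USERS):
    """Return [(index, label)] for list hits, suppressing PsExec run by allowed admins."""
    alerts = []
    for i, ev in enumerate(events):
        hit = lookup(ev, table)
        if hit is None:
            continue
        _, label = hit
        if label.startswith("psexec") and (ev.get("User") or "").lower() in psexec_allowed:
            continue  # expected use in this context
        alerts.append((i, label))
    return alerts


# Constructed Sysmon Event ID 1 records (not real telemetry).
TABLE = load_cdb_list(KNOWN_BAD_LIST)
EVENTS = [
    {"Image": r"C:\Tools\PsExec.exe", "User": r"CORP\admin-jane",
     "Hashes": "SHA1=0123456789ABCDEF0123456789ABCDEF01234567,MD5=11111111111111111111111111111111"},
    {"Image": r"C:\Users\Public\PsExec.exe", "User": r"CORP\bob",
     "Hashes": "SHA1=0123456789ABCDEF0123456789ABCDEF01234567,MD5=11111111111111111111111111111111"},
    {"Image": r"C:\Windows\System32\notepad.exe", "User": r"CORP\bob",
     "Hashes": "SHA1=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,MD5=22222222222222222222222222222222"},
    {"Image": r"C:\Users\Public\update.exe", "User": r"CORP\bob",
     "Hashes": "SHA1=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb,MD5=00112233445566778899aabbccddeeff"},
]

if __name__ == "__main__":
    for idx, label in triage(EVENTS, TABLE):
        print(idx, EVENTS[idx]["Image"], EVENTS[idx]["User"], "->", label)
```

Hashes are lower-cased on both sides before comparison because Sysmon emits upper-case hex while published hash lists are usually lower-case; a CDB list keyed on the wrong case silently never matches.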
Detection: Network Connections
-Certain apps that should never initiate connections?
-Processes initiating connections on 80/443?
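The two questions on this slide turned into checks over Sysmon Event ID 3 (network connection) records. This is an added example, not code from the talk. Field names (Image, User, Initiated, DestinationIp, DestinationPort) are Sysmon's; the "never initiates" and "expected web client" sets are constructed assumptions standing in for a site's own baseline, and the events are constructed samples using documentation IP ranges.

```python
# Added example: network-connection checks over Sysmon Event ID 3 records.
# Process sets are constructed assumptions; events are constructed samples.

# Assumption: applications that, in this environment, never open outbound connections.
NEVER_INITIATE = {"notepad.exe", "calc.exe", "mspaint.exe"}
# Assumption: processes expected to talk on 80/443 (browsers; svchost.exe hosts Windows Update).
EXPECTED_WEB_CLIENTS = {"chrome.exe", "firefox.exe", "iexplore.exe", "svchost.exe"}
WEB_PORTS = {80, 443}


def _basename(path):
    return (path or "").lower().rsplit("\\", 1)[-1]


def check_network_event(ev):
    """Return findings for one Event ID 3 record; only outbound (Initiated=true) is judged."""
    findings = []
    if str(ev.get("Initiated", "")).lower() != "true":
        return findings
    image = _basename(ev.get("Image"))
    port = int(ev.get("DestinationPort", 0))
    if image in NEVER_INITIATE:
        findings.append("%s should never initiate connections (to %s:%d)"
                        % (image, ev.get("DestinationIp"), port))
    if port in WEB_PORTS and image not in EXPECTED_WEB_CLIENTS:
        findings.append("%s initiating on %d is not an expected web client" % (image, port))
    return findings


def triage(events):
    """Return [(index, findings)] for events that trip either check."""
    results = []
    for i, ev in enumerate(events):
        findings = check_network_event(ev)
        if findings:
            results.append((i, findings))
    return results


# Constructed Sysmon Event ID 3 records (not real telemetry).
EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "User": r"WS01\bob",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    {"Image": r"C:\Windows\System32\notepad.exe", "User": r"WS01\bob",
     "Initiated": "true", "DestinationIp": "203.0.113.20", "DestinationPort": "80"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": r"WS01\bob",
     "Initiated": "true", "DestinationIp": "198.51.100.5", "DestinationPort": "443"},
    {"Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM",
     "Initiated": "false", "DestinationIp": "192.0.2.7", "DestinationPort": "445"},
    {"Image": r"C:\Program Files\Microsoft Office\Office15\excel.exe", "User": r"WS01\bob",
     "Initiated": "true", "DestinationIp": "198.51.100.9", "DestinationPort": "8443"},
]

if __name__ == "__main__":
    for idx, findings in triage(EVENTS):
        print(idx, EVENTS[idx]["Image"], findings)
```

Inbound events (Initiated=false) are skipped on purpose: Sysmon records both directions, and the slide's questions are about which processes reach out, so an accepted connection on svchost.exe is not a hit here.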
Detection: Process Injection
Detection: Loaded Drivers
Running in Production
-Plan & Filter Events
-Event Forwarding - Finicky
Visibility!
Future Work
-Rulesets (Sysmon + OSSEC)
  -Process Abnormalities
  -Abnormal Applications
  -Network Connections
  -Process Injections outside of norm
  -Loading Drivers outside of norm
Questions or Comments?
Josh@DefensiveDepth.com
@DefensiveDepth
Sysmon & Security Onion