

SysInternals Sysmon is a powerful tool, especially when it comes to anomaly detection. I recently developed a method to detect system file manipulations, which I would like to share with you.

We know how to track processes with the standard Windows audit policy option “Audit process tracking”, but Sysmon messages contain much more information to evaluate. By using Sysmon on many systems within the network and collecting all the logs in a central location, you get a database full of interesting attributes and metadata which can be statistically analyzed in order to identify anomalies.

Carlos Perez wrote a really good article on Sysmon, which you should check out if you’re new to Sysmon and its capabilities.

In recent years “anomaly detection” has often been used as a marketing buzzword and as a result has lost some of its shine. I am still a strong believer and often phrase sentences like “anomaly detection is the only method to detect yet unknown threats”. In security monitoring we call it anomaly detection, antivirus vendors call it heuristics and spam appliances express it in an “X-Spam-Score”.

Anomaly detection requires the ability to describe what is normal and exclude it from the evaluation. With the data collected from the different Sysmon sources, this is an easy task. Sysmon provides the executable hash as MD5, SHA1 or SHA256 in the log entries, which enables an analyst to identify the few different versions of a certain system executable. The hash of a system program like “cmd.exe” executed on the different systems in your domain should always be the same on all systems running the same version of Windows.

But let me give you some examples.

A sane system environment analysis for “cmd.exe” would look like this:

3C77C39347A6FA560A74587B0498FE84 - C:\WINDOWS\system32\cmd.exe - 56
AD7B9C14083B52BC532FBA5948342B98 - C:\Windows\System32\cmd.exe - 34

The following analysis includes an anomaly which is worth investigating:

D8B7B276710127D233ABCDB7313AAC36 - C:\WINDOWS\system32\cmd.exe - 1

Let’s take a look at two analysis examples in which I use this method to identify different anomalies.

Anomaly 1: “StickyKeys” backdoor and the like

I use my favorite log analysis system for the analysis, which is Splunk. Getting the Sysmon data into Splunk is easy as there is already a Sysmon Add-on available in the App Store.
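To make the hash-per-executable statistics described above concrete, here is an added example (my own code, not from the original post, Sysmon or the Splunk Add-on) that aggregates Sysmon process-creation records by image path and MD5 and flags a hash that runs on only one host while another hash of the same binary is established across the fleet. The event layout, host names and hash values are constructed for the demo; only the field names "Image" and "Hashes" are real Sysmon fields.

```python
import re
from collections import defaultdict

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the
# fields the method needs. Host names and the shortened hash values are made
# up for this demo; "Image" and "Hashes" are the real Sysmon field names.
SAMPLE_EVENTS = [
    "Computer=WS01 Image=C:\\WINDOWS\\system32\\cmd.exe Hashes=MD5=AAAA0001,SHA256=F00D",
    "Computer=WS02 Image=C:\\WINDOWS\\system32\\cmd.exe Hashes=MD5=AAAA0001,SHA256=F00D",
    "Computer=WS03 Image=C:\\Windows\\System32\\cmd.exe Hashes=MD5=BBBB0002,SHA256=BEEF",
    "Computer=WS04 Image=C:\\Windows\\System32\\cmd.exe Hashes=MD5=BBBB0002,SHA256=BEEF",
    "Computer=WS05 Image=C:\\Windows\\System32\\cmd.exe Hashes=MD5=BBBB0002,SHA256=BEEF",
    # Same system path, but a hash seen on a single host: the entry worth investigating.
    "Computer=WS05 Image=C:\\WINDOWS\\system32\\cmd.exe Hashes=MD5=DDDD0004,SHA256=DEAD",
    # Only one host ran sethc.exe at all, so there is no baseline to compare against yet.
    "Computer=WS01 Image=C:\\Windows\\System32\\sethc.exe Hashes=MD5=CCCC0003,SHA256=CAFE",
]

FIELD_RE = re.compile(r"Computer=(?P<host>\S+)\s+Image=(?P<image>.+?)\s+Hashes=(?P<hashes>\S+)")
MD5_RE = re.compile(r"MD5=([0-9A-Fa-f]+)")


def parse_event(line):
    """Return (host, case-folded image path, MD5) or None if a field is missing."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    h = MD5_RE.search(m.group("hashes"))
    if not h:
        return None
    # Windows paths are case-insensitive; the listing above shows the same
    # binary under C:\WINDOWS\system32 and C:\Windows\System32, so fold case.
    return m.group("host"), m.group("image").lower(), h.group(1).upper()


def hash_profile(events):
    """Map image path -> MD5 -> set of hosts that executed that exact binary."""
    profile = defaultdict(lambda: defaultdict(set))
    for line in events:
        parsed = parse_event(line)
        if parsed:
            host, image, md5 = parsed
            profile[image][md5].add(host)
    return profile


def find_anomalies(events, min_hosts=2):
    """Flag hashes seen on fewer than min_hosts machines when another hash of
    the same image is established on at least min_hosts (the normal baseline)."""
    anomalies = []
    for image, by_hash in hash_profile(events).items():
        if max(len(hosts) for hosts in by_hash.values()) < min_hosts:
            continue  # no established version of this binary yet; skip
        for md5, hosts in by_hash.items():
            if len(hosts) < min_hosts:
                anomalies.append((image, md5, len(hosts)))
    return sorted(anomalies)
```

Run against a real export, the same grouping is what a "stats count by Hashes, Image" style query does in Splunk; the threshold is the only tuning knob.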
