Sysmon Threat Hunting

Sysmon is a powerful system monitoring tool developed by Microsoft that provides detailed information about system activity at the process and network level. Sysmon can be used to detect and investigate malicious activity on a system and is a valuable tool in any threat hunting toolkit.

In this blog post, we will explore how to use Sysmon for threat hunting and provide some examples of KQL (Kusto Query Language) code that can be used to detect suspicious activity.

Getting Started with Sysmon

Sysmon can be downloaded from the Microsoft Sysinternals website and installed on a Windows system. Once installed, Sysmon can be configured to collect various types of data, including process creation, network connection, file creation, and registry modification events. The data collected by Sysmon can be stored in the Windows Event Log or forwarded to a SIEM (Security Information and Event Management) solution for further analysis.

KQL Query Language

KQL (Kusto Query Language) is a query language developed by Microsoft for querying large datasets. KQL is used by several Microsoft products, including Azure Log Analytics and Azure Sentinel, to analyze data and extract insights. KQL is a powerful language that allows you to filter, transform, and aggregate data, making it an excellent choice for analyzing Sysmon data.

Sysmon Threat Hunting Examples

Here are some examples of KQL code that can be used to detect suspicious activity on a system using Sysmon data.

Detecting Process Creation by Suspicious Parent Processes
The following query detects process creation events where the parent process is a known malicious process.

Sysmon
| where EventID == 1
| where ProcessParentName in ("cmd.exe", "powershell.exe", "mshta.exe")

This query looks for process creation events (EventID == 1) where the parent process is cmd.exe, powershell.exe, or mshta.exe. These processes are commonly used by attackers to execute malicious code on a system.

Detecting Network Connections to Known Malicious IPs
The following query detects network connection events to known malicious IP addresses.

Sysmon
| where EventID == 3
| where RemoteIP in ("1.1.1.1", "2.2.2.2", "3.3.3.3")

This query looks for network connection events (EventID == 3) where the remote IP address is one of the known malicious IP addresses. Attackers often use command and control (C2) servers with known IP addresses to communicate with malware on a compromised system.

Detecting Suspicious Registry Modification Events
The following query detects suspicious registry modification events.

Sysmon
| where EventID == 13
| where RegistryKey contains "Run" or RegistryKey contains "RunOnce"

This query looks for registry modification events (EventID == 13) where the modified registry key contains "Run" or "RunOnce". These registry keys are commonly used by attackers to execute malware on a system at startup.

Detecting Creation of Suspicious File Types
The following query detects the creation of suspicious file types.

Sysmon
| where EventID == 11
| where FileType in (".exe", ".dll", ".bat", ".vbs", ".js", ".hta")

This query looks for file creation events (EventID == 11) where the created file type is one of the known suspicious file types. Attackers often use these file types to execute malicious code on a system.

In conclusion, Sysmon is a valuable tool for threat hunting and can be used to detect and investigate malicious activity on a system. KQL is a powerful language that allows you to filter, transform, and aggregate Sysmon data to extract.