1. #SOCAugusta
@DefensiveDepth
Sysmon &
Security Onion

2. • Why?
• Sysmon
• Detection Techniques
Roadmap

3. -Sysinternal’s Tool (released 8/14, current v3.1)
-Installed as a Windows Service, logs:
-Process creation with full command line
-Parent Process with full command line
-Hash of process image file (SHA1 + more)
-Network Connections, tied to process
-Loaded Drivers & DLLs (sigs & hashes)
-File Creation Time
+More!
Sysmon

4. Sysmon

5. sysmon.exe –i -acceptuela
Sysmon - Deployment

6. Sysmon – Filtering

7. Sysmon – Collection & Parsing

8. Real-Time Alerting:
OSSEC + SGUIL/ELSA
Historical/Investigation:
ELSA
Detection

9. -Image Location
svchost.exe  System32/syswow64
-Run As
svchost.exe  Local System, Network Service, Local Service
-Parent Process
svchost.exe  Services.exe
-How many instances?
svchost.exe  5+
-Other
svchost.exe  -k “param”
Detection:
Process Abnormalities

10. Poweliks
• Image: dllhost.exe
• Command Line: none
• ParentImage: Powershell.exe
• Command Line: /Processid:{}
• ParentImage: svchost.exe
Detection:
Process Abnormalities

11. -cmd.exe, powershell.exe, at.exe
-Context Specific!
Detection:
Abnormal Application Usage

12. Detection:
Abnormal Application Usage

13. Detection:
Suspicious Application Usage

14. -OSSEC CDB List Lookup
-IOCs
-Sysinternal’s PsExec (Context Specific!)
-2011 – 2014 Hashes
Detection:
Hash Lookups

15. -Certain apps that should never initiate
connections?
-Processes initiating connections on 80/443?
Detection:
Network Connections

16. Detection:
Process Injection

17. Detection:
Loaded Drivers

18. -Plan & Filter Events
-Event Forwarding - Finicky
Visibility!
Running in Production

19. -Rulesets (Sysmon + OSSEC)
-Process Abnormalities
-Abnormal Applications
-Network Connections
-Process Injections outside of norm
-Loading Drivers outside of norm
Future Work

20. Questions or Comments?
Josh@DefensiveDepth.com
@DefensiveDepth
Sysmon &
Security Onion