
Security Onion Conference - 2015


Integrating Sysmon data into Security Onion...


  1. Sysmon & Security Onion (#SOCAugusta, @DefensiveDepth)
  2. Roadmap
     - Why?
     - Sysmon
     - Detection Techniques
  3. Sysmon
     - Sysinternals tool (released 8/14, current v3.1)
     - Installed as a Windows service; logs:
       - Process creation with full command line
       - Parent process with full command line
       - Hash of process image file (SHA1 and more)
       - Network connections, tied to process
       - Loaded drivers and DLLs (signatures and hashes)
       - File creation time
       - And more!
  4. Sysmon
  5. Sysmon - Deployment: sysmon.exe -i -accepteula
  6. Sysmon - Filtering
  7. Sysmon - Collection & Parsing
  8. Detection
     - Real-time alerting: OSSEC + Sguil/ELSA
     - Historical/investigation: ELSA
  9. Detection: Process Abnormalities
     - Image location: svchost.exe -> System32/SysWOW64
     - Run as: svchost.exe -> Local System, Network Service, Local Service
     - Parent process: svchost.exe -> services.exe
     - How many instances? svchost.exe -> 5+
     - Other: svchost.exe -> -k "param"
  10. Detection: Process Abnormalities (Poweliks)
     - Image: dllhost.exe
     - Command Line: none
     - ParentImage: powershell.exe
     - Command Line: /Processid:{}
     - ParentImage: svchost.exe
  11. Detection: Abnormal Application Usage
     - cmd.exe, powershell.exe, at.exe
     - Context specific!
  12. Detection: Abnormal Application Usage
  13. Detection: Suspicious Application Usage
  14. Detection: Hash Lookups
     - OSSEC CDB list lookup
     - IOCs
     - Sysinternals PsExec (context specific!)
     - 2011-2014 hashes
  15. Detection: Network Connections
     - Certain apps that should never initiate connections?
     - Processes initiating connections on 80/443?
  16. Detection: Process Injection
  17. Detection: Loaded Drivers
  18. Running in Production
     - Plan and filter events
     - Event forwarding: finicky
     - Visibility!
  19. Future Work
     - Rulesets (Sysmon + OSSEC)
     - Process abnormalities
     - Abnormal applications
     - Network connections
     - Process injections outside of norm
     - Loading drivers outside of norm
  20. Questions or Comments? Josh@DefensiveDepth.com, @DefensiveDepth (Sysmon & Security Onion)
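The svchost.exe baseline from slide 9 (image location, account, parent process, -k argument) expressed as per-event checks over Sysmon Event ID 1 fields; this is an added example written for this page, not code from the talk or from Security Onion, and the sample events are constructed.

```python
"""Baseline checks for svchost.exe process-creation events (Sysmon Event ID 1).

Encodes the svchost.exe baseline from the slide: the image lives in System32 or
SysWOW64, it runs as one of three service accounts, it is spawned by
services.exe, and it is launched with a -k <group> argument.
"""
import re

NORMAL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
NORMAL_USERS = {"nt authority\\system", "nt authority\\network service",
                "nt authority\\local service"}
NORMAL_PARENT = r"c:\windows\system32\services.exe"
K_PARAM = re.compile(r"(^|\s)-k\s+\S+", re.IGNORECASE)


def svchost_findings(event):
    """Return the baseline deviations for one Sysmon Event ID 1 record.

    `event` is a dict keyed by the Sysmon field names Image, CommandLine, User
    and ParentImage. Non-svchost events and baseline-conforming svchost events
    both yield an empty list.
    """
    image = event.get("Image", "").lower()
    if not image.endswith("\\svchost.exe"):
        return []  # only svchost.exe is baselined here
    findings = []
    directory = image.rsplit("\\", 1)[0]
    if directory not in NORMAL_DIRS:
        findings.append(f"image outside System32/SysWOW64: {event['Image']}")
    if event.get("User", "").lower() not in NORMAL_USERS:
        findings.append(f"unexpected account: {event.get('User')}")
    if event.get("ParentImage", "").lower() != NORMAL_PARENT:
        findings.append(f"parent is not services.exe: {event.get('ParentImage')}")
    if not K_PARAM.search(event.get("CommandLine", "")):
        findings.append("no -k <group> argument on command line")
    return findings


# Constructed sample events (not real telemetry): one normal, one deviant.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\Public\svchost.exe",
     "CommandLine": r"C:\Users\Public\svchost.exe",
     "User": "WORKSTATION\\jsmith",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def scan(events):
    """Pair each deviating event's Image with its findings; clean events are dropped."""
    return [(e["Image"], svchost_findings(e)) for e in events if svchost_findings(e)]
```

In an OSSEC deployment such as the one on slide 8, each of these checks maps to one rule over the decoded Sysmon fields; the Python form is only to make the logic explicit.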
