Using Sysmon to Detect Injection Attacks

Introduction:

Hello all, this blog is about blue teaming: I'll discuss how to detect process injection using Sysmon. I have covered detecting injection attacks before, but that was after the shellcode had already been injected, when it is hard to tell where in the process the shellcode lives. So I decided to explore more ways to detect basic injection attacks. In this blog I'll use Sysmon to detect a very well-known injection technique. Let's jump right in.

What is Sysmon?

Sysmon (System Monitor) is part of the Microsoft Sysinternals suite. Once installed it runs as a Windows service plus a kernel device driver that monitors system activity and writes it to the Windows Event Log.

In practice Sysmon acts like a host-based sensor: it does not block anything by itself, but the events it records (process creation, network connections, cross-process thread creation and a lot more) give you the telemetry needed to detect malicious activity on a host, whether you read them in Event Viewer or forward them to a SIEM.


The best part about Sysmon is that it's completely free, very useful, and extremely easy to install and deploy.

Overview of Sysmon Capabilities

According to the official Microsoft documentation, Sysmon includes the following capabilities:

  • Logs process creation with full command line for both current and parent processes.
  • Records the hash of process image files using SHA1 (the default), MD5, SHA256 or IMPHASH.
  • Multiple hashes can be used at the same time.
  • Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
  • Includes a session GUID in each event to allow correlation of events on same logon session.
  • Logs loading of drivers or DLLs with their signatures and hashes.
  • Logs opens for raw read access of disks and volumes.
  • Optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names.
  • Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
  • Automatically reload configuration if changed in the registry.
  • Rule filtering to include or exclude certain events dynamically.
  • Generates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware. 

Sysmon Installation:

Installing Sysmon is very easy. First download the zip file from the following link and extract it.

Run sysmon -h (or sysmon64 -h on 64-bit Windows) to view the help menu:

Next you need a configuration file: it tells Sysmon which events to record and holds the detection rules. Many configuration files are available online, for example:

1. SwiftOnSecurity

2. Sysmon-Modular    

3. Microsoft-SysMon-config

These are a few GitHub repositories you can use for testing, or modify according to your needs. You install Sysmon with the following command (add -accepteula to accept the licence without the interactive prompt, which matters when deploying by script):

sysmon -accepteula -i <configuration file name>


 
In this blog I'll be using the SwiftOnSecurity configuration file; in the above image I have already installed Sysmon and given it that configuration file. With this configuration Sysmon logs the following event types:

1. Process Creation

2. Network Connect 

3. File Create Time

4. Process Terminate

5. Driver Load

6. Create Remote Thread

7. Raw Access Read

8. Process Access

9. File Create

10. Registry Event 

11. File Create Stream Hash

12. Pipe Event

13. WmiEvent 

14. DnsQuery

We will focus on Process Create, Network Connect and Create Remote Thread, because a classic injection leaves traces in all three: the injector itself starts as a new process (Process Create, Event ID 1, which records its full command line, here including the target PID), the injected payload will most likely call back to a C2 server (Network Connect, Event ID 3; the suspicious part is that the connection is sourced from the victim process, e.g. notepad.exe, which normally makes none), and CreateRemoteThread (Event ID 8) is the call that actually starts the injected shellcode or DLL inside the target process. A fourth event worth watching is Process Access (Event ID 10): before it can write anything, the injector must open a handle to the target with memory-write and thread-creation rights, and Sysmon records the granted access mask. Check whether your configuration's ProcessAccess rules cover the processes you care about; the SwiftOnSecurity config limits this event to a few sensitive targets such as lsass.exe to keep the volume down.
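As an added example (not code from the original post or from the SwiftOnSecurity project), here is a PowerShell script that writes a minimal Sysmon configuration covering exactly the events discussed above (1, 3, 8 and 10), installs Sysmon with it using the command shown earlier, and checks that the service, driver and log are in place. The install directory, the config file name, the schema version, the sample noise exclusion and the two GrantedAccess masks are assumptions chosen for illustration; a production config like SwiftOnSecurity's carries far more exclusions.

```powershell
# Added example (not from the original post): minimal Sysmon config for
# CreateRemoteThread-style injection, plus scripted install and verification.
# Assumptions: Sysmon64.exe was extracted to C:\Tools\Sysmon, this runs from an
# elevated PowerShell, and schemaversion 4.50 (Sysmon 13+) is accepted by the binary.
$SysmonDir  = 'C:\Tools\Sysmon'
$ConfigPath = Join-Path $SysmonDir 'sysmon-injection.xml'

$Config = @'
<Sysmon schemaversion="4.50">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1: an empty exclude list means "log every process start" -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 3: only connections from processes that should never make any
         (constructed list; extend it with your own "never talks to the network" set) -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image name="net_from_notepad" condition="image">notepad.exe</Image>
        <Image name="net_from_calc" condition="image">calc.exe</Image>
      </NetworkConnect>
    </RuleGroup>
    <!-- Event ID 8: every cross-process thread creation, minus one noisy source -->
    <RuleGroup name="" groupRelation="or">
      <CreateRemoteThread onmatch="exclude">
        <SourceImage condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</SourceImage>
      </CreateRemoteThread>
    </RuleGroup>
    <!-- Event ID 10: handle opens whose access mask matches classic injection.
         0x1FFFFF = PROCESS_ALL_ACCESS
         0x143A   = CREATE_THREAD | VM_OPERATION | VM_READ | VM_WRITE |
                    QUERY_INFORMATION | QUERY_LIMITED_INFORMATION -->
    <RuleGroup name="" groupRelation="or">
      <ProcessAccess onmatch="include">
        <GrantedAccess name="open_all_access" condition="is">0x1FFFFF</GrantedAccess>
        <GrantedAccess name="open_inject_mask" condition="is">0x143A</GrantedAccess>
      </ProcessAccess>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

Set-Content -Path $ConfigPath -Value $Config -Encoding UTF8

$Sysmon = Join-Path $SysmonDir 'Sysmon64.exe'
$svc = Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    # Fresh install: -accepteula suppresses the interactive licence prompt
    & $Sysmon -accepteula -i $ConfigPath
} else {
    # Already installed: -c pushes the new rule set without reinstalling
    & $Sysmon -c $ConfigPath
}

# Verify: user-mode service, kernel driver, and the Operational log all present
Get-Service -Name Sysmon64, SysmonDrv | Format-Table Name, Status -AutoSize
Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' |
    Format-Table LogName, RecordCount, IsEnabled -AutoSize
```

The name attributes on individual rules are optional, but they populate the RuleName field of each event, which makes it obvious in Event Viewer or a SIEM which rule fired. Rerunning the script after editing the XML only updates the configuration; Sysmon also reloads a config it finds in the registry, so no reboot is involved either way.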

Let's run a shellcode injection program and see if Sysmon can detect it.

This inject.exe program injects shellcode into the notepad process and executes it with the CreateRemoteThread Windows API. A classic injector of this kind opens a handle to the target (OpenProcess), allocates executable memory in it (VirtualAllocEx), copies the shellcode over (WriteProcessMemory) and finally starts a thread at that address (CreateRemoteThread); the first and last of those steps are exactly what Sysmon Event IDs 10 and 8 record.


I ran inject.exe with the notepad process ID as its argument:

inject.exe 8084


 
After injection, let's see whether Sysmon logged it. Sysmon logs can be viewed in Windows Event Viewer:

Open Run (Win+R) and type eventvwr.msc.

Go to Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational

The Operational log holds the Sysmon events; filter it on Event ID 8 to see only the CreateRemoteThread entries.


In the above image we can see that the CreateRemoteThread rule (Event ID 8) fired and was logged. The event names the source program (inject.exe, in SourceImage), the process it injected into (notepad.exe, in TargetImage) and that process's ID (TargetProcessId), along with the StartAddress of the new thread. Note what Event ID 8 does and does not cover: it is raised whenever a thread is created in another process, whichever user-mode API was used, but it will not fire for techniques that run code without creating a thread (APC queuing, hijacking an existing thread with SetThreadContext), so pair it with Process Access (Event ID 10), which captures the handle the injector opens beforehand.

Indeed, Sysmon was able to detect the injection.
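The same check done from PowerShell instead of clicking through Event Viewer, as an added example that is not part of the original post: it reads the Sysmon Operational log, flattens each event's EventData into an object, and joins every CreateRemoteThread event (ID 8) with the handle open that preceded it (ID 10) and with any outbound connection the injected process made afterwards (ID 3), which is the pattern described above. The function names, the one-hour look-back window and the join logic are my assumptions; the field names (SourceImage, TargetImage, TargetProcessId, StartAddress, StartModule, StartFunction, GrantedAccess, DestinationIp, DestinationPort) are Sysmon's own.

```powershell
# Added example (not from the original post): pull the Sysmon events a
# CreateRemoteThread injection produces and join them into one timeline.
# Assumes Sysmon is installed with a config that records Event IDs 3, 8 and 10,
# and that the shell is elevated (reading the Sysmon log needs admin rights).

$Log = 'Microsoft-Windows-Sysmon/Operational'

# Flatten an event's <EventData><Data Name="..."> entries into one object
function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{ EventId = $Event.Id; TimeCreated = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]$fields
}

function Get-SysmonEvents {
    param([int[]]$Id, [datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = $Id; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonEvent $_ }
}

# One row per remote thread: who created it, in which process, where it starts,
# which access mask the injector got on the target, and whether the target
# called out to the network afterwards.
function Get-InjectionTimeline {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    $threads  = Get-SysmonEvents -Id 8  -Since $Since
    $accesses = Get-SysmonEvents -Id 10 -Since $Since
    $conns    = Get-SysmonEvents -Id 3  -Since $Since

    foreach ($t in $threads) {
        # Most recent ID 10 from the same injector against the same target PID
        $open = $accesses |
            Where-Object { $_.SourceImage -eq $t.SourceImage -and
                           $_.TargetProcessId -eq $t.TargetProcessId -and
                           $_.TimeCreated -le $t.TimeCreated } |
            Sort-Object TimeCreated -Descending | Select-Object -First 1
        # First ID 3 sourced from the *target* process after the thread started
        $callback = $conns |
            Where-Object { $_.ProcessId -eq $t.TargetProcessId -and
                           $_.TimeCreated -ge $t.TimeCreated } |
            Sort-Object TimeCreated | Select-Object -First 1

        # An empty StartModule means the thread starts in memory backed by no loaded
        # module: the signature of raw shellcode. DLL injection via LoadLibrary shows
        # StartModule = kernel32.dll and StartFunction = LoadLibraryA/W instead.
        $module  = if ($t.StartModule) { $t.StartModule } else { '<none: unbacked memory>' }
        $granted = if ($open) { $open.GrantedAccess } else { '(no ID 10 recorded)' }
        $cb      = if ($callback) { "$($callback.DestinationIp):$($callback.DestinationPort)" } else { '-' }

        [pscustomobject]@{
            Time          = $t.TimeCreated
            Source        = $t.SourceImage
            Target        = "$($t.TargetImage) (PID $($t.TargetProcessId))"
            StartAddress  = $t.StartAddress
            StartModule   = $module
            StartFunction = $t.StartFunction
            GrantedAccess = $granted
            CallbackTo    = $cb
        }
    }
}

Get-InjectionTimeline | Format-Table -AutoSize
```

On a busy host the ID 8 stream also contains legitimate remote threads (Windows components and security products create them), so the useful triage key is the StartModule column: rows with no backing module, a GrantedAccess of 0x1FFFFF or 0x143A, and a callback from a process that never talks to the network are the ones to look at first. If the GrantedAccess column is always "(no ID 10 recorded)", your configuration's ProcessAccess rules do not cover the target process.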

Sysmon Event ID:

Here's a list of the event IDs corresponding to the logs generated by the Sysmon service:

  • Event ID 1: Process creation
  • Event ID 2: Process changed a file creation time
  • Event ID 3: Network connection
  • Event ID 4: Sysmon service state changed
  • Event ID 5: Process terminated
  • Event ID 6: Driver loaded
  • Event ID 7: Image loaded
  • Event ID 8: CreateRemoteThread
  • Event ID 9: RawAccessRead
  • Event ID 10: ProcessAccess
  • Event ID 11: FileCreate
  • Event ID 12: RegistryEvent (Creation and Deletion)
  • Event ID 13: RegistryEvent (Value set)
  • Event ID 14: Registry Event (Key and Value rename)
  • Event ID 15: FileCreateStreamHash
  • Event ID 16: ServiceConfigurationChange
  • Event ID 17: PipeEvent (Creation)
  • Event ID 18: PipeEvent (Connected)
  • Event ID 19: WmiEvent (WmiEventFilter activity)
  • Event ID 20: WmiEvent (WmiEventConsumer activity)
  • Event ID 21: WmiEvent (WmiEventConsumerToFilter activity)
  • Event ID 22: DNSEvent (DNS Query)
  • Event ID 23: FileDelete
  • Event ID 255: Error

The event IDs above are taken from this blog. Newer Sysmon releases add further IDs; the one most relevant to this topic is Event ID 25 (ProcessTampering), which flags process image tampering such as process hollowing.

Conclusion: 

Playing with Sysmon has been very fun and informative. Feel free to explore further and write configuration files of your own, see how far the rabbit hole goes and keep learning.

That's it for today :). See you in the next one.