Security Onion Conference - 2015

Post on 07-Jan-2017


Transcript of Security Onion Conference - 2015

#SOCAugusta @DefensiveDepth

Sysmon & Security Onion

• Why?

• Sysmon

• Detection Techniques

Roadmap

-Sysinternals tool (released 8/14, current v3.1)

-Installed as a Windows Service, logs:
-Process creation with full command line
-Parent Process with full command line
-Hash of process image file (SHA1 + more)
-Network Connections, tied to process
-Loaded Drivers & DLLs (sigs & hashes)
-File Creation Time
+More!

Sysmon

Sysmon

sysmon.exe -i -accepteula

Sysmon - Deployment

Sysmon – Filtering

Sysmon – Collection & Parsing

Real-Time Alerting: OSSEC + Sguil/ELSA

Historical/Investigation: ELSA

Detection

Attribute             svchost.exe baseline
-Image Location       System32 / SysWOW64
-Run As               Local System, Network Service, Local Service
-Parent Process       services.exe
-How many instances?  5+
-Other                svchost.exe -k "param"

Detection: Process Abnormalities

Poweliks
• Image: dllhost.exe
• Command Line: none
• ParentImage: Powershell.exe

• Command Line: /Processid:{}
• ParentImage: svchost.exe

Detection: Process Abnormalities
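The two process-abnormality slides above (the svchost.exe baseline and the Poweliks dllhost.exe pattern) expressed as checks over Sysmon process-creation events. This is an added example, not code from the talk or from Security Onion; field names follow Sysmon's Event ID 1 data (Image, CommandLine, User, ParentImage) and the sample events are constructed.

```python
# Added example, not from the talk: the svchost.exe expectations and the
# Poweliks dllhost.exe indicators from the slides, expressed as checks over
# Sysmon process-creation events (Event ID 1). Field names follow Sysmon's
# event data; the sample events at the bottom are constructed for the demo.

SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SVCHOST_USERS = {
    "nt authority\\system",
    "nt authority\\network service",
    "nt authority\\local service",
}


def _base(path):
    """File name of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path):
    """Directory of a Windows path, lower-cased ('' if there is none)."""
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def check_svchost(ev):
    """Deviations from the slide's svchost.exe baseline for one event."""
    findings = []
    if _dir(ev["Image"]) not in SVCHOST_DIRS:
        findings.append("image outside System32/SysWOW64")
    if ev.get("User", "").lower() not in SVCHOST_USERS:
        findings.append("not running as Local/Network Service or Local System")
    if _base(ev.get("ParentImage", "")) != "services.exe":
        findings.append("parent is not services.exe")
    if "-k " not in ev.get("CommandLine", "").lower():
        findings.append("no -k service-group parameter")
    return findings


def check_dllhost(ev):
    """Poweliks pattern from the slide: dllhost.exe with no command line,
    spawned by powershell.exe, versus the normal
    'dllhost.exe /Processid:{GUID}' started under svchost.exe."""
    findings = []
    cmd = ev.get("CommandLine", "").lower()
    parent = _base(ev.get("ParentImage", ""))
    if "/processid:" not in cmd:
        findings.append("no /Processid: argument")
    if parent == "powershell.exe":
        findings.append("spawned by powershell.exe")
    elif parent != "svchost.exe":
        findings.append("parent is not svchost.exe")
    return findings


CHECKS = {"svchost.exe": check_svchost, "dllhost.exe": check_dllhost}


def check_event(ev):
    """Findings for one Event ID 1 record; an empty list means 'within baseline'."""
    check = CHECKS.get(_base(ev["Image"]))
    return check(ev) if check else []


def count_svchost(events):
    """svchost.exe creations in a batch; the slide expects 5+ on a healthy
    host, so a much lower count from one machine is itself worth a look."""
    return sum(1 for ev in events if _base(ev["Image"]) == "svchost.exe")


# Constructed sample events (not real telemetry); the GUID is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "CommandLine": r"svchost.exe",
     "User": r"CORP\bob",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": r"C:\Windows\System32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}",
     "User": r"CORP\bob",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\SysWOW64\dllhost.exe",
     "CommandLine": r"C:\Windows\SysWOW64\dllhost.exe",
     "User": r"CORP\bob",
     "ParentImage": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, _base(ev["Image"]), check_event(ev) or "ok")
    print("svchost.exe instances:", count_svchost(SAMPLE_EVENTS))
```

The same checks translate directly into OSSEC rules keyed on the Sysmon fields; keeping them as small functions first makes it easy to replay a day of ELSA output and see how noisy each condition is before it becomes a real-time alert.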

-cmd.exe, powershell.exe, at.exe

-Context Specific!

Detection: Abnormal Application Usage

Detection: Abnormal Application Usage

Detection: Suspicious Application Usage

-OSSEC CDB List Lookup

-IOCs

-Sysinternals PsExec (Context Specific!)

-2011 – 2014 Hashes

Detection: Hash Lookups
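The hash-lookup slide above, as an added example that is not part of the talk: the SHA1 from Sysmon's Hashes field is matched against an OSSEC CDB-style list (one key:value pair per line) of known tool hashes, the way the slide does for PsExec builds from 2011 to 2014. The list entries here are computed from constructed placeholder strings and are not the real PsExec hashes.

```python
import hashlib

# Added example, not from the talk: match the SHA1 in Sysmon's Hashes field
# against an OSSEC CDB-style "key:value" list. The keys below are SHA1s of
# constructed placeholder strings, NOT the real PsExec hashes.

CDB_TEXT = "# constructed list: sha1:label\n" + "\n".join(
    f"{hashlib.sha1(label.encode()).hexdigest().upper()}:{label}"
    for label in ("psexec-2011-placeholder", "psexec-2014-placeholder")
)


def load_cdb(text):
    """Parse 'key:value' lines into a dict keyed by upper-cased hash."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        table[key.strip().upper()] = value.strip()
    return table


def parse_hashes(field):
    """Split Sysmon's 'SHA1=...,MD5=...,SHA256=...' field into a dict."""
    out = {}
    for part in field.split(","):
        algo, _, digest = part.partition("=")
        if algo and digest:
            out[algo.strip().upper()] = digest.strip().upper()
    return out


def lookup(ev, table):
    """Label from the CDB list for the event's SHA1, or None if unknown."""
    sha1 = parse_hashes(ev.get("Hashes", "")).get("SHA1")
    return table.get(sha1) if sha1 else None


# Constructed sample events; image paths and MD5 values are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\bob\Downloads\ps.exe",
     "Hashes": "SHA1=" + hashlib.sha1(b"psexec-2011-placeholder").hexdigest().upper()
               + ",MD5=" + "0" * 32},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "Hashes": "SHA1=" + hashlib.sha1(b"benign-placeholder").hexdigest().upper()},
    {"Image": r"C:\Windows\System32\calc.exe"},   # Hashes field missing
]

if __name__ == "__main__":
    table = load_cdb(CDB_TEXT)
    for ev in SAMPLE_EVENTS:
        print(ev["Image"], "->", lookup(ev, table))
```

The slide's "Context Specific!" warning still applies: a match tells you PsExec ran, and whether that is a finding depends on who ran it and from where, which is why the lookup returns a label for an analyst rather than a verdict.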

-Certain apps that should never initiate connections?

-Processes initiating connections on 80/443?

Detection: Network Connections

Detection: Process Injection

Detection: Loaded Drivers
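The two questions on the network-connections slide, as an added example that is not from the talk: which images should never initiate a connection, and which processes are talking on 80/443. The checks run over Sysmon network-connection events (Event ID 3, fields Image, DestinationPort, Initiated); the allow and deny lists and the sample events are constructed for the demo, and a real deployment would derive them from its own baseline.

```python
# Added example, not from the talk: the slide's two network questions as
# checks over Sysmon network-connection events (Event ID 3). The lists and
# sample events are constructed; derive real ones from your own baseline.

NEVER_INITIATE = {"notepad.exe", "calc.exe", "mspaint.exe"}        # constructed
WEB_PORTS = {80, 443}
WEB_ALLOWED = {"chrome.exe", "firefox.exe", "iexplore.exe", "svchost.exe"}  # constructed


def _base(path):
    """File name of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def _outbound(ev):
    """Sysmon logs Initiated as 'true'/'false'; only outbound matters here."""
    return str(ev.get("Initiated", "true")).lower() == "true"


def check_connection(ev):
    """Findings for one Event ID 3 record; empty list means within baseline."""
    findings = []
    if not _outbound(ev):
        return findings
    image = _base(ev["Image"])
    port = int(ev["DestinationPort"])
    if image in NEVER_INITIATE:
        findings.append(f"{image} should never initiate connections")
    if port in WEB_PORTS and image not in WEB_ALLOWED:
        findings.append(f"{image} initiated a connection on {port}")
    return findings


def web_talkers(events):
    """Per-image count of outbound connections on 80/443: the view an ELSA
    hunt starts from before deciding what belongs in WEB_ALLOWED."""
    counts = {}
    for ev in events:
        if _outbound(ev) and int(ev["DestinationPort"]) in WEB_PORTS:
            image = _base(ev["Image"])
            counts[image] = counts.get(image, 0) + 1
    return counts


# Constructed sample events (not real telemetry); addresses are documentation ranges.
SAMPLE_NET = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "443", "Initiated": "true"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "DestinationIp": "203.0.113.11", "DestinationPort": "443", "Initiated": "true"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "198.51.100.5", "DestinationPort": "80", "Initiated": "true"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "198.51.100.6", "DestinationPort": "80", "Initiated": "true"},
    {"Image": "System",
     "DestinationIp": "192.0.2.7", "DestinationPort": "445", "Initiated": "false"},
]

if __name__ == "__main__":
    for ev in SAMPLE_NET:
        print(_base(ev["Image"]), ev["DestinationPort"], check_connection(ev) or "ok")
    print(web_talkers(SAMPLE_NET))
```

Because Sysmon ties each connection to the process image, the same event also carries the User and ProcessId fields, so a hit from this check can be pivoted straight back to the matching Event ID 1 record in ELSA.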

-Plan & Filter Events

-Event Forwarding - Finicky

Visibility!

Running in Production

-Rulesets (Sysmon + OSSEC)
-Process Abnormalities
-Abnormal Applications
-Network Connections
-Process Injections outside of norm

-Loading Drivers outside of norm

Future Work

Questions or Comments?

Josh@DefensiveDepth.com

@DefensiveDepth

Sysmon & Security Onion