TrustedSec Sysinternals Sysmon Community Guide
Sysmon v11.0 has been released.
It creates a new event type 23 File Delete.
I'm not sure what else has changed with this version.
Field | Description |
---|---|
UtcTime | Time in UTC when event was created |
ProcessGuid | Process Guid of the process that made the delete |
ProcessId | Process ID of the process that made the delete |
User | User that created the |
Image | File path of the process that made the delete |
TargetFilename | Name of the file that was deleted |
Hashes | Full hash of the file with the algorithms in the HashType field |
IsExecutable | Boolean Value if deleted file was executable |
Archived | Boolean Value if deleted file was archived in the ArchiveDirectory folder based on the CopyOnDelete* settings |
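To make the event 23 fields above concrete, here is an added example (not code from the guide or from Sysmon) that parses one File Delete record in the Windows Event Log XML shape and flags the two cases a responder cares about: an executable was deleted and a copy was archived, or it was deleted and no copy exists. The sample record is constructed; its ProcessGuid and hash are zero placeholders and the host name, user and paths are made up.

```python
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample record: field names follow the event 23 table above;
# every value (hash, ProcessGuid, host, user, paths) is a made-up placeholder.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" />
    <EventID>23</EventID>
    <Computer>host01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="UtcTime">2020-04-29 10:15:32.123</Data>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="ProcessId">4120</Data>
    <Data Name="User">EXAMPLE\builder</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="TargetFilename">C:\Users\builder\AppData\Local\Temp\stage.exe</Data>
    <Data Name="Hashes">SHA256=0000000000000000000000000000000000000000000000000000000000000000</Data>
    <Data Name="IsExecutable">true</Data>
    <Data Name="Archived">false</Data>
  </EventData>
</Event>"""


def parse_file_delete_event(xml_text):
    """Return the EventData of a Sysmon event 23 as a dict with typed fields."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=EVENT_NS))
    if event_id != 23:
        raise ValueError(f"expected File Delete (event 23), got event {event_id}")
    fields = {d.get("Name"): (d.text or "")
              for d in root.findall("e:EventData/e:Data", EVENT_NS)}
    fields["EventID"] = event_id
    fields["ProcessId"] = int(fields["ProcessId"])
    # Sysmon writes the booleans as the strings "true"/"false"
    for name in ("IsExecutable", "Archived"):
        fields[name] = fields.get(name, "").strip().lower() == "true"
    # Hashes is "ALG=hex,ALG=hex"; index it by algorithm (the HashType field)
    fields["Hashes"] = dict(part.split("=", 1)
                            for part in fields.get("Hashes", "").split(",")
                            if "=" in part)
    return fields


def triage(fields):
    """Findings for a parsed event 23, based only on IsExecutable/Archived."""
    findings = []
    if fields["IsExecutable"] and fields["Archived"]:
        findings.append("executable deleted and archived: a copy is in ArchiveDirectory, "
                        "match it on the Hashes field")
    elif fields["IsExecutable"]:
        findings.append("executable deleted but not archived: no copy was retained, "
                        "only the hash and the deleting process remain")
    return findings


if __name__ == "__main__":
    ev = parse_file_delete_event(SAMPLE_EVENT)
    print(ev["UtcTime"], ev["Image"], "->", ev["TargetFilename"])
    for f in triage(ev):
        print("  ", f)
```

The "not archived" branch is the one to watch for: without an archived copy, the Hashes value is the only handle left for matching the deleted file against threat intelligence or other hosts.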
Looking at the Sysmon/Linux sources, GUIDs are constructed by concatenating the "machine id", the start time of the process (UNIX-style, seconds since 1970-1-1), and a "process start key" which is not defined in the userspace component (function `GenerateUniqueId` in `sysmonCommon/eventsCommon.h`):

```c
*(DWORD*) pResult = machineId;
pResult += sizeof(DWORD);
*(DWORD*) pResult = seconds;
pResult += sizeof(DWORD);
*(DWORD64*) pResult = ProcessStartKey;
```

The "process key" is taken from `m_EventBody.m_ProcessCreateEvent.m_ProcessKey`, which for Linux is created in the eBPF code (`set_ProcCreate_info` in `ebpfKern/sysmonProcCreate.c`):

```c
// get the process key - this is the end of the text segment currently as it should be
// a) randomised for a PIE executable; and
// b) dependent on the amount of code in the process
event->m_ProcessKey = (uint64_t)derefPtr(task, config->offsets.mm_end_code);
```
I'm still in the process of looking at Sysmon/Windows with a disassembler, so I can't yet speak to what happens there. However, from the logs I have looked at, I don't recognize the process id as part of the process GUID.
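The 16-byte layout quoted above is enough to pull the machine id and the process start time back out of a ProcessGuid, which is useful when correlating events across hosts or checking whether a GUID's embedded start time is plausible. The following is an added example, not code from Sysmon or from the guide: it packs the three fields in the order `GenerateUniqueId` writes them (DWORD machine id, DWORD seconds, DWORD64 process start key, little-endian) and splits them again. How the buffer is rendered as text is an assumption made here, namely the usual Windows GUID text layout (first DWORD and next two WORDs little-endian, last eight bytes in order); the sample values are constructed.

```python
import struct
import datetime

# Layout from the quoted GenerateUniqueId: DWORD machine id, DWORD process
# start time (Unix seconds), DWORD64 process start key, native little-endian.
GUID_LAYOUT = "<IIQ"


def build_process_guid_bytes(machine_id, start_seconds, process_start_key):
    """Write the three fields exactly as the quoted C code lays them out."""
    return struct.pack(GUID_LAYOUT, machine_id, start_seconds, process_start_key)


def split_process_guid_bytes(raw):
    """Recover the three fields; note that no process id is among them."""
    machine_id, seconds, key = struct.unpack(GUID_LAYOUT, raw)
    return {
        "machine_id": machine_id,
        "start_seconds": seconds,
        "start_time": datetime.datetime.fromtimestamp(seconds, datetime.timezone.utc),
        "process_start_key": key,
    }


def guid_text(raw):
    """ASSUMPTION: the buffer is printed in the Windows GUID text layout
    (Data1 LE DWORD, Data2/Data3 LE WORDs, Data4 as 8 bytes in order)."""
    d1, d2, d3 = struct.unpack("<IHH", raw[:8])
    d4 = raw[8:]
    return "{%08x-%04x-%04x-%s-%s}" % (d1, d2, d3, d4[:2].hex(), d4[2:].hex())


def guid_bytes_from_text(text):
    """Inverse of guid_text, under the same layout assumption."""
    parts = text.strip("{}").split("-")
    d1, d2, d3 = (int(p, 16) for p in parts[:3])
    return struct.pack("<IHH", d1, d2, d3) + bytes.fromhex(parts[3] + parts[4])


def start_time_from_guid_text(text):
    """Under the layout above, segments 2 and 3 of the text form are the low
    and high words of the process start time."""
    return split_process_guid_bytes(guid_bytes_from_text(text))["start_time"]


if __name__ == "__main__":
    # constructed values: machine id, start time 2020-04-29 10:15:32 UTC, key
    raw = build_process_guid_bytes(0xDEADBEEF, 1588155332, 0x1122334455667788)
    text = guid_text(raw)
    print(text)
    print(split_process_guid_bytes(raw))
    print(start_time_from_guid_text(text).isoformat())
```

If the text rendering on a given build differs from the assumed layout, only `guid_text` and `guid_bytes_from_text` need adjusting; the field order in the raw buffer comes from the quoted source.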
We've been having a very strange issue with a particular Azure Devops pipeline over the last few months. We have three build agents, and the pipeline would consistently fail on two of them, and consistently work fine on the third. The failures are always the same - one specific project would fail to compile (always the same project) because it could not write the assembly object file (CSC2012: Access denied).
Analysis using Procmon showed that on the problem agents, immediately after the file is written by the compiler, subsequent access to the path would show PENDING DELETE.
We immediately suspected some heuristic rule in AV software (we run Symantec and Cylance) was quarantining the file, but after completely uninstalling both we were still seeing the error.
Then we noticed that sysmon64 was only running on the two problem agents and not on the third. After removing sysmon from one of the problem agents, the build started working fine on that agent.
Is there a way to mitigate this or do we simply have to turn off sysmon on these agents?
In Sysinternals Video Update for June 2020 on YouTube, minute 4:45 describes a new feature of sysmon v11 providing a new "is-all" filtering condition as the ability to specify multiple conditions and require all of them to be satisfied before an event is logged.
Sysmon (v12) schema shows these filters which are new to me:
is,is not,contains,contains any,is any,contains all,excludes,excludes any,excludes all,begin with,end with,less than,more than,image
The video does not provide an example of usage of these new filtering options. I think it would be helpful to document usage here so folks (like me) can get up and running with it faster.
Reformat code blocks so they are more readable in PDF and other formats
How can sysmon detect execution of built-in cmd commands such as echo, mkdir, del etc.?
I've attached an annotated PDF. Please incorporate my suggestions as you see fit.
TS_Sysmon_Community_Guide-duplex-friendly-with-comments.pdf
It looks like instances of Markdown code blocks are being truncated in the PDF version of the document. Examples: https://github.com/trustedsec/SysmonCommunityGuide/blob/master/install-and-configuration.md#installation-best-practice and https://github.com/trustedsec/SysmonCommunityGuide/blob/master/install-and-configuration.md#deployment-script
I gathered some details on updates for the changelog, but as I wasn't able to gather feature details for each individual release, I'm not creating a pull request. Here are additions I have been able to quickly gather:
Version | Schema | Features | Release |
---|---|---|---|
Sysmon 13.30 | 4.50 | * Adds user fields for events * Fixes a series of crash-causing bugs * Improves memory usage and management in the driver. | October 26, 2021 |
Sysmon 13.24 | 4.50 | ?? | Possibly August 18, 2021? |
Sysmon 13.23 | 4.50 | ?? | Possibly July 27, 2021? |
Sysmon 13.22 | 4.50 | ?? | Possibly June 23, 2021? |
Sysmon 13.21 | 4.50 | ?? | Possibly June 1, 2021? |
13.20 | 4.50 | * Adds not begin with and not end with filter conditions * Fixes a regression for rule include/exclude logic | May 25, 2021 |
13.10 | 4.50 | * Adds a FileDeleteDetected rule that logs when files are deleted but doesn't archive * Deletes clipboard archive if event is excluded * Fixes an ImageLoad event bug. | Wednesday, March 24, 2021 |
13.02 | 4.50 | ?? | Wednesday, March 24, 2021 |
Compiled mostly from: Choco version history and Sysinternals documentation
I copied the sample config and when I tried to apply it, it failed, so I made sure there was a space before the ending bracket `-->`; this fixed an issue I had with the c:\windows\temp line.
However, I still get an error saying opening and ending tag mismatch for the line that has extensions `<TargetFileName condition="contains any">`.
I have installed SET and all other functions seem fine, but when I try site cloning it gives me this error:
errno 2 no such file or directory src/webattack/tabnabbing/source.js. Please help with how I can solve this.