
sysmoncommunityguide's People

Contributors: 2xyo, codesavvysoftware, darkoperator, jarrod-l, mattweatherford, olafhartong, reedtechno, simplyryan, tareq-alkhatib, tareqalkhatib


sysmoncommunityguide's Issues

Sysmon v11.0

Sysmon v11.0 has been released.
It creates a new event type 23 File Delete.

I'm not sure what else has changed with this version.

Field           Description
UtcTime         Time in UTC when event was created
ProcessGuid     Process Guid of the process that made the delete
ProcessId       Process ID of the process that made the delete
User            User that created the
Image           File path of the process that made the
TargetFilename  Name of the file that was deleted
Hashes          Full hash of the file with the algorithms in the HashType field
IsExecutable    Boolean Value if deleted file was executable
Archived        Boolean Value if deleted file was archived in the ArchiveDirectory folder based on the CopyOnDelete* settings
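Added example, not code from the guide, from Sysmon, or from the issue author: a Python parser that pulls the event 23 fields listed above out of a Windows event XML record and flags deletions of executables that Sysmon did not archive. The record, host name, user, paths and hashes are constructed for the example; the field names are the ones in the table.

```python
"""Parse a Sysmon event ID 23 (FileDelete) record into its fields and apply
one triage check. Added example, not code from the Sysmon community guide or
from Sysmon. The record below is constructed (every value is invented); the
field names are the ones documented for event 23."""
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Constructed sample record in the Windows event XML layout.
SAMPLE_EVENT_23 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>23</EventID>
    <Computer>build-agent-01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="UtcTime">2020-05-01 10:15:32.123</Data>
    <Data Name="ProcessGuid">{12345678-F320-5EAB-C0E4-C0A385550000}</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="User">EXAMPLE\\builder</Data>
    <Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>
    <Data Name="TargetFilename">C:\\Users\\builder\\AppData\\Local\\Temp\\stage.exe</Data>
    <Data Name="Hashes">SHA256=%s,MD5=%s</Data>
    <Data Name="IsExecutable">true</Data>
    <Data Name="Archived">false</Data>
  </EventData>
</Event>""" % ("ab" * 32, "cd" * 16)   # placeholder hex digests, not real hashes


def parse_event(xml_text: str) -> dict:
    """Return {"EventID": int, "Computer": str, "Data": {field name: value}}."""
    root = ET.fromstring(xml_text)
    ns = {"e": EVENT_NS}
    event_id = int(root.findtext("e:System/e:EventID", namespaces=ns))
    computer = root.findtext("e:System/e:Computer", default="", namespaces=ns)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", ns)}
    return {"EventID": event_id, "Computer": computer, "Data": data}


def parse_hashes(hashes: str) -> dict:
    """Split Sysmon's 'ALG=hex,ALG=hex' Hashes string into {ALG: hex}."""
    out = {}
    for part in hashes.split(","):
        alg, _, value = part.partition("=")
        if alg and value:
            out[alg.strip()] = value.strip().lower()
    return out


def is_unarchived_executable_delete(event: dict) -> bool:
    """Triage check: an executable was deleted and Sysmon did NOT keep a copy
    (Archived is not true), so the hash is the only artifact left to pivot on."""
    d = event["Data"]
    return (event["EventID"] == 23
            and d.get("IsExecutable", "").lower() == "true"
            and d.get("Archived", "").lower() != "true")


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT_23)
    if is_unarchived_executable_delete(ev):
        h = parse_hashes(ev["Data"]["Hashes"])
        print("unarchived executable delete:", ev["Data"]["TargetFilename"],
              "by", ev["Data"]["Image"], "sha256", h.get("SHA256"))
```

The triage rule keys on the IsExecutable and Archived booleans from the table: when Archived is false there is no copy in the ArchiveDirectory to pull, so the Hashes value is what you pivot on in other telemetry.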

process-events.md: Description of Process GUIDs is not right.

Looking at the Sysmon/Linux sources, GUIDs are constructed by concatenating the "machine id", the start time of the process (UNIX-style, seconds since 1970-1-1), and a "process start key" which is not defined in the userspace component (function GenerateUniqueId in sysmonCommon/eventsCommon.h):

    *(DWORD*) pResult = machineId;
    pResult += sizeof(DWORD);
    *(DWORD*) pResult = seconds;
    pResult += sizeof(DWORD);
    *(DWORD64*) pResult = ProcessStartKey;

The "process key" is taken from m_EventBody.m_ProcessCreateEvent.m_ProcessKey which for Linux is created in the eBPF code (set_ProcCreate_info in ebpfKern/sysmonProcCreate.c):

    // get the process key - this is the end of the text segment currently as it should be
    // a) randomised for a PIE executable; and
    // b) dependent on the amount of code in the process
    event->m_ProcessKey = (uint64_t)derefPtr(task, config->offsets.mm_end_code);

I'm still in the process of looking at Sysmon/Windows with a disassembler, so I can't yet speak to what happens there. However, from the logs I have looked at, I don't recognize the process id as part of the process GUID.
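Added example, not code from Sysmon or from the guide: the buffer layout quoted above (DWORD machineId, DWORD seconds, DWORD64 ProcessStartKey) packed and unpacked in Python. The text rendering is an assumption, namely that the 16 bytes are printed with the usual Windows GUID-to-string byte order; the machine id, timestamp and start key used below are made up.

```python
"""Pack and unpack the 16-byte process GUID buffer the way the quoted
GenerateUniqueId code lays it out: DWORD machineId, DWORD seconds since
1970-01-01, DWORD64 ProcessStartKey. Added example, not Sysmon code.
ASSUMPTION: the buffer is rendered as text with the usual Windows
GUID-to-string convention (first three fields little-endian, last eight bytes
in memory order), which is what uuid.UUID(bytes_le=...) implements. Check it
against a real ProcessGuid before relying on it: groups 2 and 3 of the string
should decode to a plausible process start time."""
import struct
import uuid
from datetime import datetime, timezone

LAYOUT = "<IIQ"  # little-endian: DWORD machineId, DWORD seconds, DWORD64 key


def build_guid_bytes(machine_id: int, seconds: int, process_start_key: int) -> bytes:
    """The three writes from GenerateUniqueId, as one struct.pack call."""
    return struct.pack(LAYOUT, machine_id, seconds, process_start_key)


def guid_bytes_to_string(raw: bytes) -> str:
    """Render the 16 bytes as {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} (assumed format)."""
    return "{" + str(uuid.UUID(bytes_le=raw)).upper() + "}"


def parse_process_guid(guid: str) -> dict:
    """Inverse of the above: recover machine id, start time and start key."""
    raw = uuid.UUID(guid.strip("{}")).bytes_le
    machine_id, seconds, key = struct.unpack(LAYOUT, raw)
    return {
        "machine_id": machine_id,
        "start_time": seconds,
        "start_time_utc": datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat(),
        "process_start_key": key,
    }


if __name__ == "__main__":
    # Constructed values: a made-up machine id, 2020-05-01 10:00:00 UTC, and a
    # made-up end-of-text-segment address standing in for the Linux ProcessKey.
    raw = build_guid_bytes(0x12345678, 1588327200, 0x5585A3C0E4C0)
    guid = guid_bytes_to_string(raw)
    print(guid)  # {12345678-F320-5EAB-C0E4-C0A385550000}
    print(parse_process_guid(guid))
```

Under that assumption the second and third groups of the string are the low and high 16 bits of the start timestamp, and the last group is the start key in memory order; the process id does not appear anywhere in the buffer, consistent with the observation above.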

Does sysmon64 lock/remove files?

We've been having a very strange issue with a particular Azure Devops pipeline over the last few months. We have three build agents, and the pipeline would consistently fail on two of them, and consistently work fine on the third. The failures are always the same - one specific project would fail to compile (always the same project) because it could not write the assembly object file (CSC2012: Access denied).

Analysis using Procmon showed that on the problem agents, immediately after the file is written by the compiler, subsequent access to the path would show PENDING DELETE.

We immediately suspected some heuristic rule in AV software (we run Symantec and Cylance) was quarantining the file, but after completely uninstalling both we were still seeing the error.

Then we noticed that sysmon64 was only running on the two problem agents and not on the third. After removing sysmon from one of the problem agents, the build started working fine on that agent.

Is there a way to mitigate this or do we simply have to turn off sysmon on these agents?

Example usage of is-any feature new to sysmon v11.0

In the Sysinternals Video Update for June 2020 on YouTube, minute 4:45 describes a new feature of Sysmon v11: a new "is-all" filtering condition, the ability to specify multiple conditions and require all of them to be satisfied before an event is logged.

Sysmon (v12) schema shows these filters which are new to me:
is,is not,contains,contains any,is any,contains all,excludes,excludes any,excludes all,begin with,end with,less than,more than,image

The video does not provide an example of usage of these new filtering options. I think it would be helpful to document usage here so folks (like me) can get up and running with it faster.

Changelog Updates

I gathered some details on updates for the changelog, but as I wasn't able to gather feature details for each individual release, I'm not creating a pull request. Here are additions I have been able to quickly gather:

Sysmon 13.30 (schema 4.50), released October 26, 2021:
* Adds user fields for events
* Fixes a series of crash-causing bugs
* Improves memory usage and management in the driver.

Sysmon 13.24 (schema 4.50): features ??, released possibly August 18, 2021?
Sysmon 13.23 (schema 4.50): features ??, released possibly July 27, 2021?
Sysmon 13.22 (schema 4.50): features ??, released possibly June 23, 2021?
Sysmon 13.21 (schema 4.50): features ??, released possibly June 1, 2021?

Sysmon 13.20 (schema 4.50), released May 25, 2021:
* Adds not begin with and not end with filter conditions
* Fixes a regression for rule include/exclude logic

Sysmon 13.10 (schema 4.50), released Wednesday, March 24, 2021:
* Adds a FileDeleteDetected rule that logs when files are deleted but doesn't archive
* Deletes clipboard archive if event is excluded
* Fixes an ImageLoad event bug.

Sysmon 13.02 (schema 4.50): features ??, released Wednesday, March 24, 2021

Compiled mostly from: Choco version history and Sysinternals documentation

chapters/file-delete.md sample config

I copied the sample config, and when I tried to apply it, it failed, so I made sure there was a space before the ending bracket; this fixed an issue I had with the c:\windows\temp line.

However, I still get an error saying "opening and ending tag mismatch" for the line that has the extensions: <TargetFileName condition="contains any">
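Added example, not code from the guide, from Sysmon, or from either issue author, serving both the request above for usage of the new multi-value conditions and the tag-mismatch error in this issue: a constructed config that uses contains all, is any and contains any, checked for well-formed XML with Python's parser and then evaluated against constructed events. The condition semantics (case-insensitive matching, ';' between the values of the *any and *all conditions, image matching the full path or the bare file name) are this example's reading of the Sysmon documentation, not verified against the binary; the paths, events and the match_condition / should_log helpers are this example's own.

```python
"""Check a Sysmon config for well-formed XML and evaluate its filter conditions
against constructed events. Added example, not code from Sysmon or the
community guide. The config fragments and events are constructed, the paths in
them are invented, and the condition semantics below are this example's reading
of the Sysmon documentation (ASSUMPTION: case-insensitive matching, ';' between
values of the *any/*all conditions, 'image' matching full path or file name)."""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <CommandLine condition="contains all">powershell;-enc</CommandLine>
        <Image condition="is any">C:\\Windows\\System32\\cmd.exe;C:\\Windows\\System32\\wscript.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileDelete onmatch="include">
        <TargetFilename condition="contains any">\\Temp\\;\\Downloads\\</TargetFilename>
      </FileDelete>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

# Same FileDelete rule, but the opening tag no longer matches the closing tag
# (XML tag names are case-sensitive): the kind of config the loader rejects.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    '<TargetFilename condition="contains any">', '<TargetFileName condition="contains any">')


def check_config(xml_text):
    """Return (root, None) if the XML parses, else (None, parser message with line/column)."""
    try:
        return ET.fromstring(xml_text), None
    except ET.ParseError as err:
        return None, str(err)


def match_condition(cond, field_value, rule_value):
    """Evaluate one Sysmon filter condition (assumed semantics, see module docstring)."""
    fv, rv = field_value.lower(), rule_value.lower()
    vals = rv.split(";")  # multi-value conditions take a ';'-separated list
    table = {
        "is": fv == rv, "is not": fv != rv,
        "contains": rv in fv, "excludes": rv not in fv,
        "contains any": any(v in fv for v in vals), "contains all": all(v in fv for v in vals),
        "excludes any": any(v not in fv for v in vals), "excludes all": all(v not in fv for v in vals),
        "is any": fv in vals,
        "begin with": fv.startswith(rv), "end with": fv.endswith(rv),
        "not begin with": not fv.startswith(rv), "not end with": not fv.endswith(rv),
        "less than": fv < rv, "more than": fv > rv,  # compared as strings
        "image": fv == rv or fv.rsplit("\\", 1)[-1] == rv,
    }
    return table[cond]


def should_log(root, event_type, event):
    """True if an include rule for event_type matches and no exclude rule does.
    groupRelation on the RuleGroup joins the filters inside it ('or' by default)."""
    included = False
    for group in root.iter("RuleGroup"):
        relation = group.get("groupRelation", "or").lower()
        for rules in group.findall(event_type):
            hits = [match_condition(f.get("condition", "is"), event.get(f.tag, ""), f.text or "")
                    for f in rules]
            if not hits:
                continue
            matched = all(hits) if relation == "and" else any(hits)
            if matched and rules.get("onmatch") == "exclude":
                return False
            if matched and rules.get("onmatch") == "include":
                included = True
    return included


# Constructed events: (event type, fields); paths and command lines are invented.
EVENTS = [
    ("ProcessCreate", {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                       "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"}),
    ("ProcessCreate", {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"}),
    ("ProcessCreate", {"Image": "C:\\Program Files\\Git\\bin\\git.exe", "CommandLine": "git fetch"}),
    ("FileDelete", {"TargetFilename": "C:\\Users\\builder\\AppData\\Local\\Temp\\stage.exe"}),
    ("FileDelete", {"TargetFilename": "C:\\Build\\obj\\app.dll"}),
]


def evaluate(xml_text, events=EVENTS):
    root, err = check_config(xml_text)
    if err:
        raise ValueError("config rejected: " + err)
    return [should_log(root, etype, fields) for etype, fields in events]


if __name__ == "__main__":
    print(evaluate(SAMPLE_CONFIG))         # [True, True, False, True, False]
    print(check_config(BROKEN_CONFIG)[1])  # begins "mismatched tag: line 11"
```

The first event is logged because contains all requires every ';'-separated value ("powershell" and "-enc") to appear in the command line; the second is logged by the is any list on Image even though the command line matches nothing; the third matches neither filter. BROKEN_CONFIG shows what the parser reports when an opening and closing tag differ only in letter case, which is one way to get a tag-mismatch error: compare the opening and closing tag on the flagged line character by character, since XML tag names are case-sensitive.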

Setoolkit not working site cloning

I have installed SET and all other functions seem fine, but when I try site cloning it gives me this error:
errno 2 no such file or directory src/webattack/tabnabbing/source.js
Please help with how I can solve this.
