
All right, we're going to go ahead and get started here. Thanks everybody for joining me today. This is kind of a rough time of day, right after lunch, so hopefully everybody's got a nice caffeinated beverage. We're going to be looking at System Monitor, Windows Sysmon, from a forensic angle, and we'll get into a lot of this, so I'm just going to jump right in and give everybody a chance to settle in here.

By way of introduction, my name is Jerry Johansen. I am a principal, what is it, security solution specialist (I've gone through three title changes in the last two years, so you're going to have to forgive me on that one) at Red Canary. Anybody familiar with Red Canary? All right, wow, okay, I'm going to have to tell marketing they're doing an awesome job. I've been in the industry a little over 10 years. This is actually my second go-round into something: I spent 10 years in law enforcement at the state and federal level, most of that working in cyber crime, so this was kind of a natural transition, but a little bit different coming at it. I'm also an author: if you've seen the Digital Forensics and Incident Response book from Packt, I'm the author. And I'm based out of Rapid City, South Dakota, so if anybody's heading up to Wild West Hackin' Fest, make sure you stop and say hi, because I'm always at that con; it's only like 45 minutes up the road.

The genesis of what we're going to talk about today, why I wanted to talk about this, is a couple of things. If you're transitioning, say, from security operations or a cyber security analyst role and you're moving into the digital forensics or incident response space, or you just have an interest in it, I wanted to give anybody that will listen a starting point: where to actually start. One of the kind of drawbacks that we have is there's a lot of good training out there, there's a lot of good education, but sometimes we get wrapped around the axle and we go to the last data point that we're familiar with. So you go ahead and take, say, an advanced endpoint forensics class and you learn about the Amcache and the Shimcache and the prefetch file to identify maybe suspicious executions, and that's the one thing that you're going to rely on: "just give me the prefetch, just give me the Amcache." I've actually heard analysts say this. So that's one of the unique challenges that we have, so we need something to actually start us off.

We're going to talk about that. We're going to talk about the Windows System Monitor as a tool, a real quick overview on installing and customization. This is not a discussion on how do we do this, really; it's more getting you set up, showing you some of the power of it, and then actually pivoting into some of the key data points that we can get from this. We'll look at endpoint detection and timelining, so I'm actually going to do some live demos. I'm knocking on wood here that they go as well as live demos can in this type of situation, but to kind of show you some of the tools and techniques that you can go ahead and start extracting data points off of Sysmon with.

So I talked about one of the unique challenges, but the key is where to start, and again going back to that, you know, you're the victim of the last training that you took in terms of what you're going to extract and what you're going to analyze starting an investigation. But what happens very quickly is sand gets into the gears. If I said, hey, I want to see if, for example, a link file was opened or a DLL file was opened, I may not have that type of visibility in the Amcache or the Shimcache or the master file table, something like that. 99% of our evidence is on less than 1% of the disk. Having said that, that's still 600 to 800 megabytes if you went out and used, say (anybody familiar with KAPE, the Kroll Artifact Parser and Extractor, or Velociraptor?), one of those tools: anywhere from 600 to 800 megabytes of data that you have to go into. And here's the other thing: that is completely unstructured in a lot of ways. It's also, for example, the registry: you have to utilize special tools for the registry, utilize special tools for the master file table and USN journal, so all of these are disparate, all over the place. And to just dive into one, imagine trying to do a day or two of analysis on activity in the master file table: how many entries, how many programs are changed in just a common 24- to 48-hour period? It's very tough for us to really do that, so what we're really looking for is a good starting point.

Here's the other thing: we may suspect a system is compromised. It exists in this weird gray area between "we know it's completely bricked because there's a ransomware note on it" and "it's not compromised, it's purely not been touched, we're good." There's a gray area, so one of the other key aspects to this is identifying some of those behaviors that are in that gray area. If you're lucky enough to find yourself investigating, say, an attack in progress before they've gotten to encrypt things, maybe they're in post-exploitation, some of these things are easily identified when we're looking at, say, process execution, things that are executing. So for example, if you're starting to see, you know, net commands, even whoami.exe on an endpoint, you know you may have a situation that you're going to have to take care of. The big thing here is we're going to start with a pivot point, because System Monitor, or Sysmon, gives us such a wide range of activity that we can see. It gives you enough detail to maybe make some decisions, but it also gives you a starting point to actually pivot to do
some of those other, deeper analyses.

So by way of overview: Sysmon is short for System Monitor. The authors are Mark Russinovich and Thomas Garnier. This is a free tool. It is not default on the Windows operating system; it is something that has to be installed. It's a system service and device driver, so it actually gets in very deep into the operating system, and it monitors and logs system activity and then writes that out to an EVTX file. One of the other things I like to use Sysmon for, and one of the constructs we'll demonstrate real quick, is it can actually mimic a lot of what an endpoint detection and response tool can do. Now, it's more on the driver and device end, creating that telemetry; you need something else to consume that telemetry, but you can actually mimic a lot of the behavior. So if you don't have access to CrowdStrike, you don't have access to, I was going to say Carbon Black, but MDE or one of the other EDR tools out there, we'll actually do a quick demo on how you can get a lot of EDR-type capability just through the Sysmon integration with the tool that we're going to look at. What this does for you is it actually gives you a little bit of exposure to this if you don't have any access to those other tools. So if you're running this in a home lab or you're doing something as a proof of concept, you can actually get a little bit of the functionality, I would say a majority of the functionality, that you would get out of some of those other tools.

So let's look at this from a forensic end. Let's say we get an alert or we get some sort of behavior that we want to investigate. These are generally some of the larger groupings of information that we can gather. Process creation: this is a big one. One of the obvious issues we have is legitimate binaries being used, and this will give us some really good data in terms of what's being executed on the command line, what their current and parent processes are. Then we pivot into the network. Oftentimes this is one of the blank areas that I saw myself as an incident responder really had a hard time with: we would have plenty of endpoint telemetry, but not any type of network indicators unless they were running something specific. In this case, though, Sysmon will capture that. It'll capture network connections, give us an IP address, or DNS queries, again give us an IP address and a domain, so we're starting to work with some of those network indicators that we can again cross-reference. Persistence: WMI event consumers. This is one where you might see a threat actor toss a PowerShell script that's actually a download cradle into WMI, so that every time it reboots, after an hour of being live, it goes out, reaches down, downloads, installs their beacon, and they're back up and running. So we think we've cleaned the system or we've knocked them out, or we're just going to reboot everything; this is one area where we can actually get some visibility into what they're doing. Same thing with any type of registry writes. But like any tool, especially free tools, I like to say free tools are free like a puppy: they're fantastic, but there is some overhead in terms of making sure it works for you.

From a "good" standpoint, it's deep visibility into the endpoint. This gives you an incredible amount of visibility into the endpoint and what it's doing, again very much like an EDR tool; it's getting into that granular level of what's going on. So for example, contrast a Sysmon entry with, say, just any standard application log (those are very good) or even security logs: we're getting a lot more detail, and as we start to look through some of these specific ones, you'll see that very deep visibility into the endpoint and what endpoints are doing. It is very detailed. As I said, it is a great first step in your triage process. If you have Sysmon enabled, even just on critical systems, and you've got a larger incident and you want to see if those have been impacted, this is a great starting position. It gives you a lot of detail, not just on a specific aspect but on a complete sequence of activity that's been going on on that endpoint. So if we look at something like a download, we can see a download and then potentially it being executed; we'll talk a little bit more about what that actually looks like when we get into more detail.

So here's the bad, or here's the tradeoff: it's very loud. Sysmon is incredibly loud. I've run experiments and just installed Sysmon on a Windows evaluation ISO, hooked it up to Splunk, and left it running, and within 24 hours I could have close to 22,000 to 25,000 separate log entries. So imagine you have two or three hundred endpoints and you're doing your monthly patch updates, and how much of that activity is going to get logged. So it's very loud. This makes it very difficult for organizations to leverage as, say, a primary logging source. You are going to have a really hefty Azure spend if you're sending this to Sentinel; you're going to have a very heavy Splunk spend if you're trying to send this to Splunk. So it's often not something that you can actually turn on and log, with a caveat; we'll get to the caveat in a few. It also logs all sorts of legitimate behavior, and that means that if, again, say Patch Tuesday comes around, all of that activity (new registry writes, new processes, new drivers loaded, new DLLs used) gets recorded, and all of that's legitimate behavior. So there need to be techniques and tools that we can utilize that will allow us to pivot into specific areas and to also really focus on the bad versus all of that noise. And again, because we're capturing all of this legitimate behavior, all of this innocuous, sometimes benign, all the way to just "hey, this is the normal background noise of the Windows operating system," alerting can be tough to do on your own. That's the caveat: crafting alerts can be very tough.

So we talked about the good and the bad. Let's just walk through real quick how to install this. I'm not going to demo this because it's way too short, but essentially, and I will just say as a side note, these slides will be available to anybody that wants them; I will make them freely available, so you can just email me at, I'll share my email at
the end, so there's no need to; they were designed specifically to be kind of a resource.

So you're going to download the Sysmon executable, and it's available on Microsoft's site. They update it fairly regularly; it went through a big update within the last year. You just download an executable. The piece that is really, I talked about very loud, one of the ways to tune this out is a configuration file. I threw one up here; it is basically Olaf's. He's one of the key players in this space and has a lot of good configuration files for Sysmon. It's a straight-up XML file, and it tells the Sysmon executable what to log. So I talked about it being very loud; this is where you can actually tune out a lot of behaviors that you don't need. So let's say you did want to have all high-risk servers, you know, 20 to 30 high-risk servers, forwarding Sysmon logs. You might only want to capture, for example, process execution, right? You shouldn't see a lot of processes executing on your domain controller on a regular basis, especially something like rundll or PsExec, so those are really good ones to extract. So you may say, hey, I just want network connections and maybe process execution, that's all I want, or DNS queries or something of that nature. You can actually make your own configuration files that'll tune it all the way down, so you can tune it very, very verbose where you're capturing everything, or down to very specific things. Once you have a configuration file and that executable, you just go ahead and run it, and this is the actual command, and it starts logging the minute you turn it on. This is also a persistent process, so every time you reboot it will survive the reboot and keep on logging. There's also expanding the default storage: I can generally get about 64 megabytes, which is a couple of days of logging, which is always really handy to have, especially in more long-term incidents. You can expand the default storage and then just let it go and enjoy it.

A couple of ways to view these: Windows Event Viewer, not my preferred method to actually look at these. There's a tool, Event Log Explorer (anybody use Event Log Explorer?), it's one of my favorites; yeah, it makes Event Viewer look... Again, you can pull these into an event management system, especially if you want to select specific systems. This is really good for a honeypot system, this is really good for those high-risk servers that you may want to pull in data from, and/or servers that are just very static and don't have a lot of changes to them, and then also endpoint detection and response tools.

So we'll go ahead and walk through some selected Sysmon event IDs and how they correspond and really help out from a forensic perspective. We're looking at about 20 to 30, depending on your configuration. Number one, process creation, that is a big one. If the threat actor drops a new process or runs one of the common techniques that we see constantly, DLL files executed with rundll, so rundll32.exe executing something, it's really handy, and those are kind of the data points that we can alert off of: if we have a Sysmon event ID 1 with rundll32 executing, that's something that we want to look at. Same thing with that network connection and file create. So if you're starting to look at this from an attack chain, what you would see is potentially a network connection, and you see the IP address and it's like, huh, that looks like GitHub, and all of a sudden you see a file created and it's a PowerShell file, and then all of a sudden PowerShell is used to execute that file. In those three we've started to piece together a potential attack chain. As we start to work our way up as well, we've got WMI events, DNS queries, file deletes; all of these things are things that we can actually look for. But when we're looking at those things in red, those are very important, really kind of highlighting; it doesn't mean some of the others are not important. Dana in the back actually did a wonderful talk on drivers and device drivers, and again you can still see that there's very little logging available for when those are loaded and when those are executed, but if we're looking at number six, we can see, hey, if somebody is actually downloading their own driver and then executing it and then going to use that as a backdoor, this is giving us that
visibility.

So let's walk through some of the key ones, what we can actually use these for, and then where to pivot from. ID 1, this is event ID 1 from Sysmon, process creation. This is where you will see executables, DLLs, EXEs actually execute, so this is really good for identifying living-off-the-land binaries as well. If they're using PowerShell, rundll32, PsExec for lateral movement, WMI for lateral movement, you will see that execute inside the Sysmon event ID 1 entry. The major data point that Sysmon has among other logging sources is file hashes. So if you're looking at the image, kind of in the lower third of that raw text in the middle, obviously a little too small to see, that's where you will find hash values for what is executed and what executed it. So think about this: if I think that there's malicious activity, somebody dropped a malicious file, you know, QBot, something like that, on the system, and I don't know where it is on the system, it's on a one-terabyte drive somewhere in the file system, this malicious file. If I can see it executed, I don't have to necessarily find it immediately. I have the hash value; I can go drop it in VirusTotal or ANY.RUN or any one of the threat intelligence sources and figure out, okay, this is what the file is, and I can gain some insight into what's actually happened. So the key evidence that we have is this will give us a pivot point into, say, the prefetch entries, just to confirm. We might want to see where it's located in the prefetch entry, because what the prefetch entry will give us, pivoting off of this, is how many times it was executed. If it is something that's been surviving reboots and we see three or four or five executions on that prefetch, we know we've got a long-term issue; or maybe it was just executed once. Again, we're starting to get more and more information just off of this single data point. We might actually be able to go to the master file table and find the location of this actual executable or DLL file or PowerShell script that was used to run all of this. This is really good information, but I'm giving you a starting point so that you don't have to go through 300,000 lines of the master file table, or you don't have to go out and find the prefetch and grab it and process it immediately; you can start to look at these things. Here's the other thing: sometimes you may want to go into the memory image if it's something really unique. You're running it and you're like, nobody knows what this binary is, and it's no longer on the disk, so you may have to go into the memory, but at least it gives you some file name to maybe pivot off of when you do a process list.

Netcons, network connections, are huge. Again, talking about that lack of visibility into that, so command-and-control traffic or tool transfers. Tool transfers are huge too, and I'm not kidding: I've seen actual GitHub repositories used, the Mimikatz GitHub, like literally, they're so lazy they won't even set up their own infrastructure, they just point their script to download it from GitHub. I shouldn't say lazy; they're efficient. Tool transfers are huge. All right, SharpHound: go out and just grab SharpHound, don't even set up your own infrastructure. You can do this all on a PowerShell script in a download cradle: it downloads SharpHound into the root of C:, you dial in, just let it run, grab the graph, and you know you've got a map of their Active Directory environment. Process ID: the thing is, I can tie a process ID to an actual, potentially malicious process. What's the image, source and destination IP, source and destination ports, all key data points. So what I do then is, let's say I look and I see an IP address. One place to look, it may sound kind of weird, is to go right into the PowerShell script blocks, whether they're operational, and hopefully you've got script block logging where you're taking the entire script block, and it may be in Base64. So you may just go hunt and say, hey, do I see anything Base64-encoded, because what you can actually start to do is reconstruct, or I should say analyze, that beacon and go ahead and find out what it was doing, where it was going. And then network evidence sources: once you've got that IP address, start looking for other network connections. So it's a really good pivot point: I get a netcon, I go ahead and pivot to the firewall, and I find any other infected system in the enterprise that's possibly connected to that IP address.

File create: again, one of the things that is very tough to see without going and processing the master file table, and even just the last four to six hours or the last 24 hours, processing those master file table entries and actually going through and figuring out which one is a suspicious file, that's a lot of overhead. So something like ID 11, where we see a file created on the system: this is scripts, dump files. This is another thing: Mimikatz, for example, will kick out a dump file, or ProcDump will kick out a dump file sometimes, and if you see a text file or a dump after a suspicious execution, they're grabbing something, whether it's recon data, whether they're dumping the LSASS process. So again, file create is actually a really good one; a lot of people overlook that when they're doing the initial pass. But hey, see what was actually executed in the last hour and then what files were created afterwards. This gives us target file names to pivot off of, and maybe we can find those on disk, and it also gives a creation time. So you notice we're doing a lot with time as well, because this is building that attack chain. As we can see a lot of activity with that attack chain, from there we may have to go into disk evidence; we have to go to the master file table, the USN journal, to see if it was deleted or modified. Sometimes you might just want to grab the dump file or the PowerShell and see what it was actually doing and what information the threat actor actually captured.

WMI is another one. We talked about WMI; it's really handy for that persistence, same thing with the registry, but this is where you will actually get all three. So if you're not familiar with WMI, that's not a problem, just think about it: there are three things that happen. It takes an event, a consumer (so, hey, when this system reboots I want you to execute this PowerShell command), and it ties it together with a binding. That's three separate actions that happen. So if I've got WMI activity in that way, not just "hey, I'm laterally moving," what you will see is three log entries, and then this is your clue to go into the WMI operational logs to find out what actually happened. Sometimes you can actually grab the filter; you can actually grab, hey, it's executing this or it's going to do this. You can even go to the WMI repository if you're that keen to go diving into there and actually look at, hey, what's happening.

DNS events: this is the other one. Going back to network connections, we see network connections, but we also have DNS queries. This was a relatively new development, but if you look at the query results, it gives you all of the different records, whether it's the IPv6 quad-A or the A records; it gives you that IP address and what the query is. So if we're looking at a threat actor that's set up a fairly sophisticated infrastructure for command and control, where they may be rotating their DNS records to different IPs, fast-flux DNS, something of that nature, that IP address that we saw in event ID 3 may no longer be valid, but we now have a domain that may also be indicative of that command-and-control traffic. So we pivot into the proxy server, we pivot into maybe the firewall to marry that up, and the same thing, sometimes these are in PowerShell logs in terms of how they've been executed.

All right, I've talked a lot. I want to show you some of the features and some of the information that we can get out of this by more of a live demo. So the first one we're going to look at is that
EDR type of capability, and in this case we're going to use a free tool called Wazuh. Basically it is an open-source endpoint detection and response tool with logging capabilities, slash actual alerting that it can execute on specific logs that we have. So we're going to go ahead and pivot into there. It's a really simple construct; this is one of the easiest to set up. There is a configuration change that you do have to make, and I actually leave that article in the resources, but if you were to set up a virtual machine, they have a very straightforward OVA file that you can fire up and get started probably in about 10 to 15 minutes. This doesn't take a lot of time to actually set up. We're going to look at what I've done, and we'll talk a little bit about it in a minute: I actually used a script that is available, again in the resources, on a public GitHub repository, and it has a number of Atomic Red Team tests. I'm not going to talk about Atomic Red Team at all, because the next talk in this room is going to be about Atomic Red Team, so I'm going to leave it for the experts. But what it does is they're aligned to specific event IDs for Sysmon, so it is a Sysmon tuning emulation plan. It doesn't do any specific threat or anything like that; it's just used for this purpose, so you can actually create Sysmon logs. In this case, I just ran this about two hours ago. We're going to go ahead and fire that off, and I'll show you some of the alerts that'll come out of the execution of that script.

The first one, which is probably right at the top, yep, is command and control, or "executable file dropped in a folder commonly used by malware." What this tool is doing is taking that telemetry from Sysmon and running it through a series of Sigma rules, essentially open-source IDS/IPS rules, and it's actually comparing behaviors that are indicative of that kind of malicious activity. This is not necessarily meaning it is malicious; in this case it's really just testing, but this is a really solid way to both understand what telemetry Sysmon provides and how that telemetry can actually be run through a series of rules and actually give you a starting position or an alert. So this would be one that you would want to look at. Again, we have a PowerShell execution; it's giving us Windows event ID 1, but we have a PowerShell script actually on the disk. It gives us where it actually hit, and that's very common to see, an AppData\Local\Temp folder, and this is a very interesting place for us, a highly, highly abused directory within the Windows operating system, and this is where you would find all of the garbage that maybe a user downloaded into the temp folder before it got moved to the desktop. So from here, very simply, if I go to the disk and maybe extract the PowerShell script, hopefully it's still there. If I don't see the script there, potentially it could have been deleted, but then I can pivot into the PowerShell logs to see if it's been executed, and hopefully again we've got the script block logging all configured so that we can actually extract it. So this is a really good way to see that attack chain, where the attacker got in, downloaded a secondary payload via GitHub or any type of repository they've got set up, it's a PowerShell script, it starts a Cobalt Strike beacon, and that's how they're gaining the foothold and then actually executing. And all of this can be found just by a simple Sysmon event ID and actually knowing where to pivot.

So some of the others that we'll go a little deeper on here: this is a very good one too, where we see cmd executing essentially a defense evasion attack, and in this case one of the Atomic Red Team tests actually unloads the Sysmon driver for you. So this is a common defense evasion technique you'll see, if they can get away with it: actually unload the driver that's used by, say, an antivirus or a logging agent so that they can go ahead and do all of their nefarious activities without being detected. So this is another good one that you might see, and again all we're doing is looking at data that's freely available to us, and in this case it's just a process execution, or an executed command line utility that's being used to offload the actual Sysmon driver to stop the logging. This is the last test I usually put in that type of emulation plan, because if you put it like two-thirds of the way down, you've got nothing else that'll log. But that's actually part of the emulation plan; if you go ahead and download it and look at it, you'll see at the last part I unload the driver. But this is what it looks like on the back end from our perspective: this is a really good alert. It's like, hey, somebody's offloading the driver, or unloading the driver, a really good thing to pivot off of.

So this is Wazuh and Sysmon. This is again freely available; it takes you about 10 to 15 minutes to set up, and it will give you that kind of EDR-style telemetry and also allow you to really dig into specific events and look at what they're doing. Let's say, though, you don't have access to this, this hasn't been set up in your organization, and you just have the logs themselves and nothing else. So we're going to walk through two different techniques that we can use to look at
at logs one is again going to be using Sigma rules and a tool called Hayabusa uh uh this is a tool from the Japanese uh computer incident response team I believe it's their National computer incident response team and basically what it does is it processes evtx files against a set of Sigma rules and what it does for us is actually focus our attention on specific things that we're going to need to actually look at so in this case all I'm going to do is point the tool it's freely available again resources at the end of the presentation it will create a a uh timeline in CSV format for us that we can actually start to Pivot off of so
I'm just going to go ahead and run it it's not going to take too long it's going to ask me a few questions one of the things is this is constantly updated the hyabusa tool so uh emerging threat rules are always good to have um and this one is actually asking for the specific sysmon rules um which is about 1,400 so as you can see and we're going to show you why why this may be your best First Option when processing CIS Bon say related to it a security event or something of that nature is we're going to see how many come out of Hayabusa and then we're actually going to process maybe the last three hours of
sysmon uh log entries to see what the difference looks like so we're going to use we're going to go ahead and use the sysmon uh rules as well goes out reaches out grabs the the detection rules and actually starts processing it and this may take a few minutes okay so it took took little less than a minute to process this so think about this from a workflow you get a you get a an alert from the security operations or you working in security operations you get some sort of alert coming across and it's very it's very discreet in time it's this time this date this happened and you want to see what happened before and after that event but you want to
focus your attention. What we're doing is we're seeing top critical alerts: process access, process execution, shellcode injection (there's actually a code injection test that's run), user process, and download cradles, all of these. So we're looking at just a tick under maybe four or five hundred event IDs in that event log that we want to look at. So if we go up to the analysis, you can see where it actually outputs some logs for you, and we'll go ahead and open
that. So one of the key differentiators between this and just, say, raw logs is it's actually giving you some context around why Hayabusa said, hey, I want you to look at this, because this could be a very important piece of the overall puzzle. These are probably impossible to see, but if I just click in there, what this is telling us is this is basically the payload; this is what sysmon is kicking back from an informational standpoint. In this case the Windows command prompt was used to execute something, in this case explorer.exe. May be legitimate, probably legitimate, but, you know, maybe the threat actor is RDP'd in and they just
are downloading stuff from file shares and just copying it in Windows Explorer. All of these things, again, you have to look at, but what it's doing is giving you some of that context around what's going on. Here's another one where we have PowerShell running. We're only looking, though, we're focusing our attention on 571 entries, which is a little bit more manageable than what I'm going to show you next, but it is something that is really useful. From this standpoint it is focusing our energy on what we really can place some suspicion around, and still actually have a fairly decent timeline of activity. But
again, what it is doing is it's counting on those Sigma rules to focus our energy. If we want to back out and get a full picture of, say, the last three hours of activity, we'll walk through that right now. So in this case we're going to use a tool called Velociraptor. Anybody use Velociraptor? Okay. It is an awesome tool; it is a free and open source tool by the folks at Rapid7. I'll give you the 60-second elevator pitch: it is basically a remote evidence acquisition tool, and we're going to use it to acquire the last three hours of, sorry, our last two hours of sysmon activity on a system. So what we do is we dial into
the system that we're managing; that's the system that I ran the Atomic Red Team on. I'm going to use a tool, an artifact, called sysmon triage. I'm going to configure the parameters, and in this case we're going to do 7200, 7200 seconds, yeah, that should be good. Let's do this. Yeah, 7200 should be, that's two hours, and then we're just going to go ahead and let it run. So let's look: Hayabusa, we had 571 entries. Those are run through a detection analytic for us to really focus our energy. From a workflow perspective, you might say, hey, there's a lot of suspicious activity that I need to take
care of and look at. As I'm looking at this, I may have to go in and look at something else, and in this
case we're going to go ahead and extract this out,
and this gave us a little bit more information: 780 lines of data. But as you can see, I've got essentially a timeline built around what is actually happening on that system. I can pivot by event IDs; maybe I want to see if there's, here's some executions. Oh, and look, as luck would have it, I picked the one that's rundll32. It's not really luck; I didn't really do much with the operating system after I ran the test. But this is what that rundll might look like, meaning somebody's using rundll to actually execute something, a DLL file, on the operating system, or bypass the normal
DLLs and put in their own malicious DLL files; something that you want to actually look at. But what we have now is, if I back out a little bit, I've got a time that this actually executed. So what I can do is start to work backwards. There's a lot of activity that we're looking at; I can start to look backwards for other types of activity, whether it's a network connection, whether it's other files that are placed on the system, something of that nature. But this is what's often referred to, some people refer to it as a sysmon smear or an event log smear, where it's not necessarily a date
and time but really kind of a smear of activity over the last two hours on the Windows operating system. It gives you something that's very visible. It's also easier to manage than, say, having to go through 50,000 lines of event logs and actually start to work through it. So really think about sysmon from, you know, that first pass, that initial pass, giving you that idea of what's happened, as well as ways to pivot into various other evidence sources, so that you're really focusing your energy and you're not trying to do too much right off the bat. It's a really good way to focus, and using tools like Hayabusa and even Velociraptor
to really get down into that period of time that you really need to focus in.
So we talked about Hayabusa and the sysmon timeline. All of this is, again, you can go ahead and grab the slides, but use this to get that timeline and then work through and pivot into specific aspects of the attack chain that you really want to look at and start extracting more of that dispositive evidence. Any questions? I threw a lot out there.
Yes, ProcDump is very detailed on actually grabbing the memory space of, basically, what's assigned to a process. So I'll tell you how they work together: if you find rundll32 or some other process was created, you can use ProcDump to grab the actual code in memory, and then you can actually do some reverse engineering or use memory analysis tools against
it. It will tell you, it depends on the alert logic on the back end. So sysmon won't tell you anything if you have a detection for that, and generally it will not, because it's just going off of what the operating system is telling it that it did. What I would say, though, is if you're looking, like, that is a weird process to be running, that would be something that you would have to put your eyeballs on and say, that's a weird process, that doesn't look right.
I'm sorry, what kind of tools?
That Windows Defender is getting better and better. You know, we split a lot of our, so Windows Defender is getting better and better at detecting a lot of this, what would be referred to as semi-legitimate-looking activity that's not. So PowerShell, for example: if you're running it with no profile or encoded, man, you could have the most benign PowerShell script that just downloads kitten pictures and Defender will be like, oh no, no, no, you have no profile loaded, it's encoded, no, no, no, you don't get to do that. So, you know, Defender is getting much, much better.
Yes, I'm sorry, one more time. That I don't know. Yeah, again, sysmon is just going to tell you exactly what Windows is telling it, so that's kind of the general rule when you're working with that kind of event ID or that kind of event telemetry. Sorry, anybody else? Okay, thank you. Here's my email; if you want a copy of the slides, let me know. These are all the resources that I used to build this, so feel free, they're contained on here. There is the Atomic Red Team; again, stay here for the more detailed examination of Atomic Red Team, but there is an emulation script. If
there's any problems with it, let me know. SwiftOnSecurity and the other sysmon config that we used, and some other resources, so feel free to grab these. Again, hit me up if you want a copy of the slides, but thank you very much, I appreciate everybody coming out.
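As an added example, not the speaker's code and not from the talk's slides or resources, here is the "sysmon smear" and rundll32 pivot the talk describes, done in PowerShell directly against the Sysmon operational log with Get-WinEvent instead of through Velociraptor or Hayabusa. It assumes Sysmon is installed with the default channel name Microsoft-Windows-Sysmon/Operational and a config that records event IDs 1 (process create), 3 (network connection) and 11 (file create); the 7200-second window matches the talk, while the rundll32 match and the 60-second look-back before each hit are illustrative choices of mine.

```powershell
# Added example (not the speaker's code): a two-hour "sysmon smear" with a pivot
# from each rundll32.exe process creation to the network connections and file
# writes that the same process instance produced, then a look at what ran just
# before it. Assumes the default Sysmon channel and a config logging IDs 1, 3, 11.
param(
    [int]$LookbackSeconds = 7200,   # two hours, as in the Velociraptor sysmon triage run
    [string]$LogName = 'Microsoft-Windows-Sysmon/Operational'
)

$since = (Get-Date).AddSeconds(-$LookbackSeconds)

# Flatten one event's <EventData><Data Name="...">value</Data> list into an
# object with a property per Sysmon field (Image, CommandLine, ProcessGuid, ...).
function ConvertTo-SysmonRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $rec = [ordered]@{ TimeCreated = $Event.TimeCreated; EventId = $Event.Id }
    foreach ($d in $xml.Event.EventData.Data) {
        $rec[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]$rec
}

# One query for all three event IDs, sorted oldest first so it reads as a timeline.
# To work from an exported log instead, replace LogName with Path = 'C:\case\sysmon.evtx'.
$filter = @{ LogName = $LogName; Id = 1, 3, 11; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-SysmonRecord $_ } |
    Sort-Object TimeCreated

# Step 1: the process-creation events worth a second look (rundll32 here; swap in
# any image or command-line pattern your alert points you at).
$suspicious = $events | Where-Object {
    $_.EventId -eq 1 -and $_.Image -match '\\rundll32\.exe$'
}

foreach ($proc in $suspicious) {
    "{0} PID {1} {2}" -f $proc.TimeCreated, $proc.ProcessId, $proc.CommandLine
    "   parent: $($proc.ParentImage) -> $($proc.ParentCommandLine)"

    # Step 2: pivot on ProcessGuid, not ProcessId. PIDs are reused; the GUID is
    # unique to this process instance, so every ID 3 / ID 11 carrying it was
    # generated by exactly this rundll32 run.
    $related = $events | Where-Object {
        $_.ProcessGuid -eq $proc.ProcessGuid -and $_.EventId -ne 1
    }
    foreach ($r in $related) {
        switch ($r.EventId) {
            3  { "   net:  {0} {1}:{2}" -f $r.TimeCreated, $r.DestinationIp, $r.DestinationPort }
            11 { "   file: {0} {1}" -f $r.TimeCreated, $r.TargetFilename }
        }
    }

    # Step 3: work backwards, as the talk suggests: every process created in the
    # 60 seconds before this one, to see what led up to it.
    $before = $events | Where-Object {
        $_.EventId -eq 1 -and
        $_.TimeCreated -lt $proc.TimeCreated -and
        $_.TimeCreated -ge $proc.TimeCreated.AddSeconds(-60)
    }
    foreach ($b in $before) { "   prior: {0} {1}" -f $b.TimeCreated, $b.Image }
}
```

Run it from an elevated PowerShell on the host, or point the filter at an exported evtx as the comment shows. The output is the same kind of focused timeline the talk builds with Hayabusa and Velociraptor: a handful of executions with their parents, the connections and files tied to each by ProcessGuid, and the activity immediately before, rather than the full two-hour smear to read top to bottom.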