IR 330: Splunk and Sysmon (15 pts)

What You Need for this Project

Purpose

To monitor file system activity with sysmon and Splunk. Thanks to @rj_chap for telling me about this at CactusCon 2017!

Task 1: Installing Sysmon

Using SwiftOnSecurity's Configuration

By default, sysmon does not log registry changes. We'll use a configuration file from the famous @SwiftOnSecurity to fix that.

On your Windows machine, in a Web browser, open this page:

https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml

Right-click the Raw button, as shown below, and click "Save Target As..." or "Save Link As..." Save the sysmonconfig-export.xml file in your Downloads folder.

Installing Sysmon

Open a new Web browser window and go to

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Click "Download Sysmon".

Save the Sysmon.zip file in your Downloads folder.

At the bottom of your Windows desktop, click the yellow folder icon to open Windows explorer. Navigate to Downloads.

Right-click Sysmon. Click "Extract All...". Click Extract.

Click Start. Type CMD. Right-click "Command Prompt" and click "Run as Administrator".

In the User Account Control box, click Yes.

In the Command Prompt window, execute these commands, replacing "student" with your logon name.

cd %HOMEPATH%\Downloads\Sysmon
sysmon64 -i ..\sysmonconfig-export.xml
If a "License Agreement" box pops up, click Agree.

Sysmon starts, as shown below.

Understanding Sysmon

Sysmon logs events for important system events. The first three types of events are shown below.

There are also events for registry changes.

Viewing Sysmon Logs in Event Viewer

Click Start. Type EVENT. Click "Event Viewer".

In the left pane, expand these items, as shown below:

Click Operational.

In the upper middle pane, log entries are visible, as shown below:

Creating an EXE File

In the Command Prompt window, execute this command:
echo 1 > ../TEST.EXE
In Event Viewer, from the menu bar, click Action, Refresh.

If your machine is not very busy, you may see an event with Event ID 11 and a Task Cetegory of "File created...", as shown below:

Filtering Events in Event Viewer

In Event Viewer, on the right side, in the Actions pane, click "Filter Current Log...".

In the "Filter Current Log", in the middie, click the field containing "<All Event IDs>" and type 11, as shown below.

Then click OK.

Click the first event found. You see details about the "TEST.EXE" file you created, as shown below.

Flag IR 330.1: Image (5 pts)

The flag is covered by a green box in the image below.

Opening the Splunk Management Page

On your Windows machine, open a Web browser and go to this URL:

localhost:8000

A Splunk login page appears, as shown below.

Log in. If you followed the steps in the previous project, your credentials are admin and password

If you have lost your password, reinstall Splunk or try this process.

Adding the Sysmon Data to Splunk

In the Splunk administration page, at the top right, click Settings, "Data inputs".

In the "Local Inputs" list, click "Local event log collection".

In the "Available log(s)" list, scroll down and click Microsoft-Windows-Sysmon/Operational, as shown below.

Then click Save.

Viewing Data Sourcetypes

At the top left of the Splunk administration window, click splunk.

At the top left, click "Search & Reporting".

In the center right, click the "Data Summary" button.

In the "Data Summary" box, click the Sourcetypes tab.

You should see a sourcetype of

WinEventLog:Microsoft-Windows-Sysmon/Operational

as shown below.

Click WinEventLog:Microsoft-Windows-Sysmon/Operational .

Splunk searches and finds the events.

Add TEST.EXE to the query, as shown below, and click the green magnifying glass icon to run the search again.

Splunk finds the event you saw earlier in Event Viewer, as shown below.


Task 2: Finding Periods of Excessive File Creation

Searching for File Creation Events

In the Splunk administration page, at the top left, click splunk.

Click "Search & Reporting".

Enter this in the "New Search" field, as shown below.

Then click the magnifying glass icon on the right side.

sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational"
On the lower left, find EventCode, outlined in red in the image below.

Click EventCode. A box pops up showing the observed values of EventCode, as shown below.

In the EventCode box, in the Values column, click 11.

Events showing file creation are found, as shown below.

Counting File Creation Events Per Minute

In the "New Search" field, click at the end of the query and press Shift+Enter to move to a new line.

Then add this line to the query, as shown below.

| streamstats time_window=1m count(EventCode)
Click the magnifying glass icon on the right side.

On the lower left, in the "Interesting Fields" section, click count(EventCode).

There haven't been more than one such event per minute so far, as shown below.

Searching for Excessive File Creation

Let's focus on events with more than 10 files created per minute.

Adjust your query to look like this, as shown below.

sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 
| streamstats time_window=1m count(EventCode) as "new_EXEs"
| search new_EXEs > 10
Run the query. No matching events are found, as shown below.

Creating Twelve EXEs

On your Windows machine, in a Web browser, go to

https://samsclass.info/50/proj/12EXEs.zip

Save the file in your Downloads folder.

At the bottom of your Windows desktop, click the yellow folder icon to open Windows explorer. Navigate to Downloads.

Right-click 12files and click "Extract All...". Click Extract.

Searching Again for Excessive File Creation

In the Splunk administration page, click the magnifying glass icon on the right side.

Now events are found. In the first event, click "Show all 22 lines".

Complete information about the event apears, as shown below.

Flag IR 330.2: TargetFilename (10 pts)

The flag is covered by a green box in the image below.


Task 3: Registry Run Keys

Adding a Run Key

On your Windows machine, click Start. Type regedit

In the search results, click regedit. In the User Account Control box, click Yes.

In Registry Editor, in the left pane, navigate to this key, as shown below.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, right-click an empty space and click New, "String Value", as shown below.

A new value appears, with its name highlighted. Type over the name, entering BADPROG as shown below.

Press Enter.

Close Regedit.

Searching for Sysmon Events

In Splunk, perform this search:
sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" Registry

Flag IR 330.3: TargetFilename (5 pts)

Find the EventCode that shows the name of the new Run key.

That's the flag.


Updated for strange new Sysmon field names 6-14-2020