Proj 4: Detecting Ransomware with Splunk and Sysmon (20 pts.)

What You Need for this Project

A Windows machine with Splunk installed, which you prepared in a previous project.

Purpose

To monitor file system activity with sysmon and Splunk. Thanks to @rj_chap for telling me about this at CactusCon 2017!

Task 1: Installing Sysmon & the Splunk Add-On for Sysmon

Installing Sysmon

Open a new Web browser window and go to

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Click "Download Sysmon".

Save the Sysmon.zip file in your Downloads folder.

At the bottom of your Windows desktop, click the yellow folder icon to open Windows explorer. Navigate to Downloads.

Right-click Sysmon. Click "Extract All...". Click Extract.

Click Start. Type CMD. Right-click "Command Prompt" and click "Run as Administrator".

In the User Account Control box, click Yes.

In the Command Prompt window, execute these commands, replacing "student" with your logon name.

cd \users\student\Downloads\Sysmon sysmon -i

A "License Agreement" box pops up, as shown below. Click Agree.

Understanding Sysmon

Sysmon logs events for important system events. The first three types of events are shown below.

There are also events for registry changes.

Opening the Splunk Management Page

On your Windows machine, open a Web browser and go to this URL:

localhost:8000

A Splunk login page appears, as shown below.

Installing the Splunk Add-On for Sysmon

In a Web browser, go to

https://splunkbase.splunk.com/app/1914/

At the top right, click "My Account".

Create a Splunk account if you don't have one.

In the search box, type sysmon

Click "Add-on for Microsoft Sysmon", as shown below.

Click Download.

Accept the license agreement and click "Agree to Download".

Save the add-on-for-microsoft-sysmon_604.tgz file in your Downloads folder.

In the Splunk administration page, at the top left, click splunk.

At the top left, next to "Apps", click the tiny gear icon, as shown below.

Click "Install app from file".

In the "Upload a file" page, click the Browse... button.

Nagivate to your Downloads foler and click the add-on-for-microsoft-sysmon_604.tgz file.

Click Open.

Click Upload.

A message appears saying "App "Microsoft Sysmon Add-on" was installed successfully", as shown below.

Task 2: Finding Periods of Excessive File Creation

Searching for Sysmon Events

In the Splunk administration page, at the top left, click splunk.

Click "Search & Reporting".

Enter this in the "New Search" field, as shown below. Click the magnifying glass icon on the right side.

sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational"

This search finds events, as shown in the event counter at the top left, and the bar chart showing events in time slots, as outlined in green in the image below.

Interesting Fields

In the Splunk search page, scroll down to the "interesting Fields" section on the left side of the page, as shown below.

Click EventDescription, as outlined in green in the image above.

An "EventDescription" box pops up, showing how many events of each type were found, as shown below.

Click "File Create Time", as outlined in green in the image above.

The Search page refreshes. Now the query is more specific, finding only events with EventDescription="File Create Time", as outlined in green in the image below.

Counting File Creation Events

In the "New Search" field, click at the end of the query and press Shift+Enter to move to a new line.

Then add this line to the query, as shown below.

| streamstats count(EventDescription)

This query gives the same number of results, but now there's a new item in the "Interesting Fields" section: count(EventDescription), outlined in green, in the lower left of the image below.

On the lower left, in the "Interesting Fields" section, click count(EventDescription).

A pop-up box appears, showing information about this field, as shown below.

Notice that the "Min" value is 1, and the "Max" value is equal to the total number of events, as shown below.

Counting File Creation Events Per Minute

This field in the previous query was just a counter: 1 for the first event, 2 for the second event, etc.

That's not very useful. To make it useful, we need to count events within a time interval, such as per minute.

Adjust your query to look like this, as shown below.

sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" EventDescription="File Create Time" | streamstats time_window=1m count(EventDescription)

Now the count(EventDescription) field has a smaller number of different values, as shown below.

On the lower left, in the "Interesting Fields" section, click count(EventDescription).

A pop-up box appears, showing information about this field, as shown below.

It's common for 3 or 4 of these events to occur in a minute, but no larger numbers were visible in this sample.

Searching for Excessive File Creation

Let's focus on events with more than 10 files created per minute.

In the Splunk administration page, at the top left, click splunk.

Click "Search & Reporting".

Enter this in the "New Search" field, as shown below. Click the magnifying glass icon on the right side.

sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" EventDescription="File Create Time" | streamstats time_window=1m count(EventDescription) AS "new_files" | search new_files > 10

This search finds events in which more than 10 files are created in 1 minute. As shown above, there are no such events at the moment, so it reports "No results found".

Creating Many Files

On your Windows machine, in a Web browser, go to

https://samsclass.info/50/proj/12files.zip

Save the file in your Downloads folder.

At the bottom of your Windows desktop, click the yellow folder icon to open Windows explorer. Navigate to Downloads.

Right-click 12files and click "Extract All...". Click Extract, as shown below.

A "12files" window opens, as shown below.

Searching Again for Excessive File Creation

In the Splunk administration page, click the magnifying glass icon on the right side.

Now events are found, as shown below.

Notice that the details of the events shows a "Data Name='TargetFilename'" field with a value containing 12files, as outlined in red in the image above.

If there were the result of actual malware, the file path would probably be useful for identifying it.

Saving the Screen Image

Make sure you can see 12files, as outlined in red in the image above.

Save a FULL DESKTOP image with the filename Proj 4a from Your Name.

Task 3: Finding Processes with Multiple Hash Values

How to Find Trojans

Suppose malware alters an EXE file. Some events will be produced by the original EXE, and some by the altered version. Two events created by executables with the same path will have different hash values. We want to find those events.

Finding Sysmon Events

Enter this in the "New Search" field, as shown below. Click the magnifying glass icon on the right side.

sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational"

Many results are found, as shown below.

Understanding the Image Field

On the left side, in the "Interesting Fields" section. scroll down until you find the Image field.

Click the Image field.

A box pops up showing the Top 10 Values, as shown below.

This field contains the full path for the executable that produced the event.

Notice the message outlined in green in the image above, saying "100% of events". This means that every Sysmon event contains this field.

Understanding the SHA1 Field

On the left side, in the "Interesting Fields" section. scroll down until you find the SHA1 field.

Click the SHA1 field.

A box pops up showing the Top 10 Values, as shown below.

This field contains the SHA-1 hash for the executable that produced the event.

Notice the message outlined in green in the image above. It's less than 100%, because only some Sysmon events contain this field.

In the pop-up box, click "Events with this field", as outlined in green in the image above.

The page refreshes, showing only events containing SHA1, as shown below.

Counting SHA1 Values

Enter this in the "New Search" field, as shown below. Click the magnifying glass icon on the right side.

sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" SHA1="*" | stats count(SHA1)

This shows a count of all SHA1 values, which is the same as the total number of events, as shown below.

This isn't much use.

Counting Distinct SHA1 Values

Enter this in the "New Search" field, as shown below. Click the magnifying glass icon on the right side.

sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" SHA1="*" | stats distinct_count(SHA1)

This counts the number of different SHA1 values, which is much smaller, as shown below.

Reporting Distinct SHA1 Values

Enter this in the "New Search" field, as shown below. Click the magnifying glass icon on the right side.

sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" SHA1="*" | stats distinct_count(SHA1), values(SHA1)

This shows the distinct SHA1 values, as shown below.

Reporting Distinct SHA1 Values and Images

Enter this in the "New Search" field, as shown below. Click the magnifying glass icon on the right side.

sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" SHA1="*" | stats distinct_count(SHA1), values(Image), values(SHA1)

This shows the image paths, with their SHA1 values, as shown below.

Counting the Number of Distinct SHA1 Values Per Images

In the query above, the "distinct_count(SHA1)" field is reporting the total number of distinct hashes in all the events, but what we really care about is the number of distinct hashes for events with the same Image.

To do that, we need to group the results by Image.

Enter this in the "New Search" field, as shown below. Click the magnifying glass icon on the right side.

sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" SHA1="*" | stats distinct_count(SHA1), values(Image), values(SHA1) by Image

Now we get the image paths, with a count of distinct SHA1 values, as shown below.

Renaming the distinct_count Field

Just to make the report easier to understand, let's rename the distinct_count(SHA1) field to "different_hashes".

Enter this in the "New Search" field, as shown below. Click the magnifying glass icon on the right side.

sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" SHA1="*" | stats distinct_count(SHA1) as different_hashes, values(Image), values(SHA1) by Image

The field name changes, as shown below.

Finding Images with More than One Different Hash

We want to report only results with "different_hashes" large than one. Those are the suspicious files, which have been altered.

Enter this in the "New Search" field, as shown below. Click the magnifying glass icon on the right side.

sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" SHA1="*" | stats distinct_count(SHA1) as different_hashes, values(Image), values(SHA1) by Image | search different_hashes > 1

There are no results, as shown below. This is expected, because no one has been altering EXE files on your Windows machine.

Creating a Trojan Signature

Click Start. Type CMD and click "Command Prompt".

Execute these commands, replacing YOURNAME with your own name (without any spaces), as shown below.

These commands copy cmd.exe to your home folder, run it, modify it by adding an "a" to the end, and run it again.

copy c:\windows\notepad.exe YOURNAME.exe YOURNAME.exe echo a >> YOURNAME.exe YOURNAME.exe

Searching for Trojans Again

In Splunk, click the magnifying glass icon on the right side.

It finds the file with your name on it, with two different SHA1 values, as shown below.

Saving the Screen Image

Make sure you can see these two required elements, as shown above:

An Image path containing YOURNAME
At least two different hash values

Save a FULL DESKTOP image with the filename Proj 4b from Your Name.

Task 4: Registry Run Keys

Using SwiftOnSecurity's Configuration

By default, sysmon does not log registry changes. We'll use a configuration file from the famous @SwiftOnSecurity to fix that.

On your Windows machine, in a Web browser, open this page:

https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml

Right-click the Raw button and click "Save Target As...". Save the sysmonconfig-export.xml file in your Downloads folder.

https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml

Adding the Configuration File to Sysmon

Click Start. Type CMD. Right-click "Command Prompt" and click "Run as Administrator".

In the User Account Control box, click Yes.

In the Command Prompt window, execute these commands, replacing "student" with your logon name.

cd \users\student\Downloads\Sysmon sysmon -c ..\sysmonconfig-export.xml

Adding a Run Key

On your Windows machine, click Start. Type regedit

In the search results, click regedit. In the User Account Control box, click Yes.

In Registry Editor, in the left pane, navigate to this key, as shown below.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, right-click an empty space and click New, "String Value", as shown below.

A new value appears, with its name highlighted. Type over the name, entering your name (without spaces), as shown below.

Press Enter.

Close Regedit.

Searching for Sysmon Events

In Splunk, enter this in the "New Search" field, as shown below. Click the magnifying glass icon on the right side.

sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational"

This search finds events, as shown below.

Interesting Fields

In the Splunk search page, scroll down to the "interesting Fields" section on the left side of the page, as shown below.

Click EventDescription, as outlined in green in the image above.

An "EventDescription" box pops up, showing how many events of each type were found, as shown above.

Notice the two events recording Registry actions. We want to search for them.

Click "Registry object added or deleted", as outlined in green in the image above.

The Search page refreshes. Now the query is more specific, finding only events with that EventDescription, as shown below.

In the search query, remove all the text after "Registry" and replace it with a *, as shown below. Click the magnifying glass icon on the right side.

More events are found now.

Notice the 'TargetObject' field, highlighted in the image above. We want to find log entries with "Run" in this field.

In the Splunk search page, scroll down to the "Interesting Fields" section on the left side of the page, as shown below.

Click TargetObject, as outlined in green in the image above.

A "TargetObject" box pops up, showing how many events of each type were found, as shown above.

Notice the two events recording Registry Run key actions, outlined in green in the image above.

We want to search for them.

In the "TargetObject" box, click one of the registry paths containing "Run".

The Search page refreshes. Now the query is more specific, finding only events with that TargetObject, as shown below.

In the search query, remove all the text in the TargetObject pattern except "Run", and replace it with a * before and after "Run", as shown below. Click the magnifying glass icon on the right side.

More events are found now.

Adding YOURNAME

In the search query, add \\YOURNAME after "Run" in the TargetObject pattern, as shown below. Click the magnifying glass icon on the right side.

Th event containing your name appears, as shown below.

Saving the Screen Image

Make sure you can see this text: "Run\\YOURNAME" as shown above.

Save a FULL DESKTOP image with the filename Proj 4c from Your Name.

Turning in Your Project

Send the images as email attachments to cnit.50sam@gmail.com with a Subject line of Proj 4 from Your Name.

References

Detecting Ransomware Attacks with Splunk
Detect System File Manipulations with SysInternals Sysmon
Detecting WannaCry Activity on Sysmon-Enabled Hosts

Posted 10-4-17 by Sam Bowne
Updated 10-11-17