Sysmon from Sysinternals

Microsoft recently released an updated version of the Sysinternals tools. This update includes a tool named Sysmon. You can find all the details on the TechNet website by following this link: http://technet.microsoft.com/en-us/sysinternals/dn798348.aspx

In short, the tool provides detailed information about process creations, network connections, and changes to file creation time. As you can guess, this sounds like the perfect addition to your lab!

Installation

The install part is very easy: download a copy of the tool from the Microsoft website (see link above), unarchive the content to the desired location and run the following command:

Sysmon.exe -i [-h [sha1|md5|sha256]] [-n]

As you can see there are a few options:

  • -i: flag for the installation of the service and driver
  • -h: used to specify the hashing algorithm used for the image identification. Default is sha1
  • -n: log network connections

Once this is done you are up and running! As said, this installs a service, so it will restart automatically on reboot.

Logs will be stored in the Event Viewer under: “Applications and Services Logs -> Microsoft -> Windows -> Sysmon”.

Testing with a sample

So let’s test this new tool with a sample of malware. It happens that I have a sample of a ransomware readily available (md5: 9c2bf7dcf039612394b2704f6450129f). After launching the executable, this is what you can see in the log files:

First the executable is launched; the sample is named “bill_78403.exe”. You can see that the event ID is set to 1.

[Screenshot: Sysmon event log entry]

In the second step you can see that “bill_78340.exe” launches an “explorer.exe” process. As set during the installation, the hash algorithm is SHA1.

[Screenshot: Sysmon event log entry]

A little bit later you can see that the “explorer.exe” created above launches a command line to delete all the shadow copies. This is typically done by ransomware to make it even more difficult to recover data.

[Screenshot: Sysmon event log entry]

You can see that the only Event ID in the above screenshots is 1. The explanation for this is the following: I disabled the network connection on the VM on which I ran the sample, so there is no Event ID 3 (which is the one for network connections). There is also no trace of Event ID 2, which is the event for the modification of file creation time.
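The parent/child chain seen above (sample -> explorer.exe -> command line deleting shadow copies) is exactly what the ProcessGuid and ParentProcessGuid fields of Event ID 1 let you reconstruct. As an added example that is not part of this post, the Python below parses Sysmon events exported from the Event Viewer as XML, rebuilds the ancestry of each process, and flags any process whose command line deletes shadow copies. The three XML events, their GUIDs and the command line are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML as exported from the Event Viewer.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Command-line pattern for the shadow copy deletion behaviour described in the post.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event into a dict: EventID plus every <Data Name=...> field."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def process_chain(events, guid):
    """Follow ParentProcessGuid links back to the first logged ancestor; returns images."""
    by_guid = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    chain = []
    while guid in by_guid:
        chain.append(by_guid[guid]["Image"])
        guid = by_guid[guid]["ParentProcessGuid"]
    return chain


def find_shadow_deletion(events):
    """Return (image, ancestry) for each Event ID 1 whose command line deletes shadow copies."""
    hits = []
    for e in events:
        if e["EventID"] == 1 and SHADOW_DELETE.search(e.get("CommandLine", "")):
            hits.append((e["Image"], process_chain(events, e["ProcessGuid"])))
    return hits


def _event(parent_guid, guid, image, cmdline):
    """Build a minimal constructed Event ID 1 record (only the fields the parser needs)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>1</EventID></System><EventData>
<Data Name="ProcessGuid">{guid}</Data><Data Name="Image">{image}</Data>
<Data Name="CommandLine">{cmdline}</Data>
<Data Name="ParentProcessGuid">{parent_guid}</Data></EventData></Event>"""


# Constructed sample mirroring the post: sample -> explorer.exe -> cmd.exe deleting shadows.
SAMPLE_EVENTS = [parse_sysmon_event(x) for x in (
    _event("{G0}", "{G1}", r"C:\Users\lab\Desktop\bill_78403.exe", "bill_78403.exe"),
    _event("{G1}", "{G2}", r"C:\Windows\explorer.exe", "explorer.exe"),
    _event("{G2}", "{G3}", r"C:\Windows\System32\cmd.exe",
           "cmd.exe /c vssadmin.exe delete shadows /all"),
)]
```

Running `find_shadow_deletion(SAMPLE_EVENTS)` returns the cmd.exe hit together with its ancestry back to the sample, which is the chain a triage analyst would want to see at a glance.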

Conclusion

Sysmon.exe is a great addition to the tools available to track malicious activities. Obviously this is neither the first tool to track such activities nor the most complete one. However, it is free, easy to use and provides a fairly good amount of information.
