Serious Discussion MS SysInternals SysMon. Malware blocking.

Victor M

Level 9
Thread author
Verified
Well-known
Oct 3, 2022
447
Sysmon is a free malware monitoring tool by MS SysInternals. https://download.sysinternals.com/files/Sysmon.zip . It reveals things like executable file creation, browser created downloads (DriveBy Downloads, I presume) and named pipe creation. The executable file creation detection is a new feature of ver 15.

For non-malware analysts, our focus is on stopping malware, and not just detection. For that, there is a trapped event named FileBlockExecutable. Sysmon logs this in Event Viewer and blocks executable file creation. That will stop hackers installing their tools.

The rules are made in xml format and installed using the command line. Sysmon installs with the command "sysmon64 -i <rules file>". And the command "sysmon64 -c <rules file>" changes the rules. Just using the "-c" without any rules file displays the configured rules.

This command empties the rules "sysmon64 -c --". We have to use this command before we do Windows Update, or else the updates will never install properly. Also you have to use this before downloading any installer.exe and running any installer.

Remember that FileBlockExecutable will block any exe file creation, and on my old laptop, it is noticed that it blocks "mscorsvw.exe" from creating some exe's and dll's. (not during Windows Update) Upon googling, it reveals that it is part of ". NET Framework Optimization Service." The name 'optimization' suggest to me that Windows will still run without it functioning. So it's up to you whether you deploy this or not. It is suggested that you test and monitor Event Viewer for while.

Here is the rules file containing just the rule for executable file creation blocking:


<Sysmon schemaversion="4.90">
<!-- Capture all hashes -->
<HashAlgorithms>MD5,SHA256</HashAlgorithms>
<EventFiltering>
<!-- Block executable file creations -->
<FileBlockExecutable onmatch="include">
<TargetFilename condition="begin with">C:</TargetFilename>
</FileBlockExecutable>
</EventFiltering>
</Sysmon>

Here is the page containing all the tags and event IDs you can trap for: Sysmon - Sysinternals

The Event Viewer path is "Application and Services Logs > Microsoft > Windows > Sysmon > Operational".
 
Last edited:

Victor M

Level 9
Thread author
Verified
Well-known
Oct 3, 2022
447
There is something to be said about malware. They mostly don't just appear without any interaction from us. The chances are that they came along with some program that we are installing are high. Thus there is merit to adopting the malware analyst way of working - record suspicious events and nose around what programs are doing in the background. If the logs don't reveal anything to note, just leave sysmon running in monitoring mode - antivirus programs do that. You might catch a zero day that your antivirus miss.

Here is a sysmon rules file from an industry insider, Florian Roth, courtesy of bleepingcomputer.com. https://raw.githubusercontent.com/Neo23x0/sysmon-config/master/sysmonconfig-export.xml. It monitors for a lot of suspicious things that should not happen and are known to be used by hackers and malware. It is sourced from many security analysts. It also contains notes that will show up in Event Viewer.(Application and Services Logs > Microsoft > Windows > Sysmon > Operational)

Note that this rules file ireplaces the one in the previous post, and does not drop executables files created. It is long but well worth the read as there are lots of explainations.
 
Last edited:

Victor M

Level 9
Thread author
Verified
Well-known
Oct 3, 2022
447
For doing quick scans of Event Viewer logs, I scroll thru them looking for items with RuleNames. The Rule Names are configured into Roth's monitoring rules. You can open Roth's rules and quickly Ctrl-F Find the rule name and see the comments..
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top