- Oct 3, 2022
- 380
Sysmon is a free malware monitoring tool by MS SysInternals. https://download.sysinternals.com/files/Sysmon.zip . It reveals things like executable file creation, browser created downloads (DriveBy Downloads, I presume) and named pipe creation. The executable file creation detection is a new feature of ver 15.
For non-malware analysts, our focus is on stopping malware, and not just detection. For that, there is a trapped event named FileBlockExecutable. Sysmon logs this in Event Viewer and blocks executable file creation. That will stop hackers installing their tools.
The rules are made in xml format and installed using the command line. Sysmon installs with the command "sysmon64 -i <rules file>". And the command "sysmon64 -c <rules file>" changes the rules. Just using the "-c" without any rules file displays the configured rules.
This command empties the rules "sysmon64 -c --". We have to use this command before we do Windows Update, or else the updates will never install properly. Also you have to use this before downloading any installer.exe and running any installer.
Remember that FileBlockExecutable will block any exe file creation, and on my old laptop, it is noticed that it blocks "mscorsvw.exe" from creating some exe's and dll's. (not during Windows Update) Upon googling, it reveals that it is part of ". NET Framework Optimization Service." The name 'optimization' suggest to me that Windows will still run without it functioning. So it's up to you whether you deploy this or not. It is suggested that you test and monitor Event Viewer for while.
Here is the rules file containing just the rule for executable file creation blocking:
<Sysmon schemaversion="4.90">
<!-- Capture all hashes -->
<HashAlgorithms>MD5,SHA256</HashAlgorithms>
<EventFiltering>
<!-- Block executable file creations -->
<FileBlockExecutable onmatch="include">
<TargetFilename condition="begin with">C:</TargetFilename>
</FileBlockExecutable>
</EventFiltering>
</Sysmon>
Here is the page containing all the tags and event IDs you can trap for: Sysmon - Sysinternals
The Event Viewer path is "Application and Services Logs > Microsoft > Windows > Sysmon > Operational".
For non-malware analysts, our focus is on stopping malware, and not just detection. For that, there is a trapped event named FileBlockExecutable. Sysmon logs this in Event Viewer and blocks executable file creation. That will stop hackers installing their tools.
The rules are made in xml format and installed using the command line. Sysmon installs with the command "sysmon64 -i <rules file>". And the command "sysmon64 -c <rules file>" changes the rules. Just using the "-c" without any rules file displays the configured rules.
This command empties the rules "sysmon64 -c --". We have to use this command before we do Windows Update, or else the updates will never install properly. Also you have to use this before downloading any installer.exe and running any installer.
Remember that FileBlockExecutable will block any exe file creation, and on my old laptop, it is noticed that it blocks "mscorsvw.exe" from creating some exe's and dll's. (not during Windows Update) Upon googling, it reveals that it is part of ". NET Framework Optimization Service." The name 'optimization' suggest to me that Windows will still run without it functioning. So it's up to you whether you deploy this or not. It is suggested that you test and monitor Event Viewer for while.
Here is the rules file containing just the rule for executable file creation blocking:
<Sysmon schemaversion="4.90">
<!-- Capture all hashes -->
<HashAlgorithms>MD5,SHA256</HashAlgorithms>
<EventFiltering>
<!-- Block executable file creations -->
<FileBlockExecutable onmatch="include">
<TargetFilename condition="begin with">C:</TargetFilename>
</FileBlockExecutable>
</EventFiltering>
</Sysmon>
Here is the page containing all the tags and event IDs you can trap for: Sysmon - Sysinternals
The Event Viewer path is "Application and Services Logs > Microsoft > Windows > Sysmon > Operational".
Last edited:
