SysInternals Sysmon is a powerful tool, especially when it comes to anomaly detection. I recently developed a method to detect system file manipulations, which I would like to share with you.

We know how to track processes with the standard Windows audit policy option "Audit process tracking", but Sysmon messages contain much more information to evaluate. Carlos Perez wrote a really good article on Sysmon, which you should check out if you're new to Sysmon and its capabilities.

By using Sysmon on many systems within the network and collecting all the logs in a central location, you'll get a database full of interesting attributes and metadata which can be statistically analyzed in order to identify anomalies.

In recent years "anomaly detection" has often been used as a marketing buzzword and as a result has lost some of its shine. I am still a strong believer and often phrase sentences like "anomaly detection is the only method to detect yet unknown threats".

Anomaly detection requires the ability to describe what is normal and exclude it from the evaluation. In security monitoring we call it anomaly detection, antivirus vendors call it heuristics and spam appliances evaluate it in an "X-Spam-Score". With the data collected from the different Sysmon sources, this is an easy task to do. Sysmon provides the executable hash as MD5, SHA1 or SHA256 in the log entries, which enables an analyst to identify the few different versions of a certain system executable. A hash of a system program like "cmd.exe" executed on the different systems in your domain should always be the same on all systems running the same version of Windows.
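The comparison described above, as an added example (not code from the original post): Sysmon process-creation records collected centrally are grouped per image path and Windows build, and a hash that only a handful of hosts report while the rest of the fleet agrees on another hash is flagged for review. The `Build` field is assumed to come from SIEM host enrichment (Sysmon itself does not log it), and the hash values are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample of Sysmon Event ID 1 (process create) records as a SIEM
# export might deliver them. "Build" is assumed host enrichment (Windows build),
# not a Sysmon field; the hash values are placeholders, not real cmd.exe hashes.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Build": "9600", "Image": "C:\\Windows\\System32\\cmd.exe", "Hashes": "MD5=11111111111111111111111111111111,SHA256=aaaa"},
    {"Computer": "WS01", "Build": "9600", "Image": "C:\\Windows\\System32\\cmd.exe", "Hashes": "SHA256=aaaa"},
    {"Computer": "WS02", "Build": "9600", "Image": "c:\\windows\\system32\\CMD.EXE", "Hashes": "SHA256=AAAA"},
    {"Computer": "WS03", "Build": "9600", "Image": "C:\\Windows\\System32\\cmd.exe", "Hashes": "SHA256=aaaa"},
    {"Computer": "WS04", "Build": "9600", "Image": "C:\\Windows\\System32\\cmd.exe", "Hashes": "SHA256=bbbb"},
    {"Computer": "WS05", "Build": "7601", "Image": "C:\\Windows\\System32\\cmd.exe", "Hashes": "SHA256=cccc"},
    {"Computer": "WS01", "Build": "9600", "Image": "C:\\Windows\\System32\\notepad.exe", "Hashes": "SHA256=dddd"},
]

def parse_hashes(field):
    """Split Sysmon's 'MD5=..,SHA1=..,SHA256=..' field into {algorithm: hex}."""
    out = {}
    for part in field.split(","):
        algo, sep, value = part.partition("=")
        if sep and value:
            out[algo.strip().upper()] = value.strip().lower()
    return out

def hash_prevalence(events, algo="SHA256"):
    """(image, build) -> hash -> set of hosts that executed that hash.
    Path case and duplicate events per host are collapsed by the set."""
    prevalence = defaultdict(lambda: defaultdict(set))
    for ev in events:
        digest = parse_hashes(ev["Hashes"]).get(algo)
        if digest:
            key = (ev["Image"].lower(), ev["Build"])
            prevalence[key][digest].add(ev["Computer"])
    return prevalence

def rare_hashes(events, algo="SHA256", max_hosts=1):
    """Hashes seen on at most max_hosts hosts while another hash of the same
    image on the same Windows build is seen more widely: the review candidates."""
    findings = []
    for (image, build), by_hash in hash_prevalence(events, algo).items():
        if len(by_hash) < 2:
            continue  # a single version of this binary: nothing to compare against
        widest = max(len(hosts) for hosts in by_hash.values())
        for digest, hosts in by_hash.items():
            if len(hosts) <= max_hosts and len(hosts) < widest:
                findings.append((image, build, digest, sorted(hosts)))
    return sorted(findings)

if __name__ == "__main__":
    for image, build, digest, hosts in rare_hashes(SAMPLE_EVENTS):
        print(f"{image} (build {build}): hash {digest} only seen on {hosts}")
```

Grouping by build keeps the legitimately different cmd.exe on the older Windows host (WS05) out of the findings; only the odd hash on WS04 among the otherwise identical build 9600 hosts is reported.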