TTPwire Vol. 1 · MITRE ATT&CK·Tagged

← All stories

Black Hills InfoSec

A Sysmon Event ID Breakdown – Updated to Include 29!!

BHIS · 2021-01-08 · Read original ↗

ATT&CK techniques detected

16 predictions
T1070.004File Deletion
100%
“happened. well, there is one more. event id 26 : file delete detection let ’ s say the adversary wanted to cover their tracks by deleting their artifacts. this event id strikes me as an either / or eid23 ( file delete archive ) or eid26 ( file delete ). really, you could grow you…”
T1574.001DLL
98%
“state change. sysmon event id 5 appears to be a rare event. i was able to trigger this event by restarting the sysmon service. based on a review of the modular configuration file, the images had to be loaded and unloaded from userland, temp, or \ windows \ temp. event id 6 : driv…”
T1021.001Remote Desktop Protocol
97%
“, which has been deprecated in lieu of t1070. 006. the parent technique is now “ indicator removal on host ” with the sub - technique being “ timestomp. ” more on this another day in a different blog. links : https : / / posts. specterops. io / revisiting - ttps - timestomper - 6…”
T1197BITS Jobs
97%
“the capability of sysmon modular. so, let ’ s install sysmon and review. and let ’ s have bitsadmin attempt a file download for us. the simple instantiation of a bitsadmin command caused the following match from the previous screenshot. if you take a moment and scroll back up to …”
T1003.001LSASS Memory
93%
“exe to build a file called sysmon. exe stuffed with lsass. exe ’ s signature bits. this results in capture!!!! we can all catch process tampering now. but, let ’ s take a quick look at the reverse of this process. first, we reviewed the event id 25, process tampering. but, the fi…”
T1003.001LSASS Memory
93%
“sysmon as well. no event id 9s had been reported by this system. links : https : / / www. ultimatewindowssecurity. com / securitylog / encyclopedia / event. aspx? eventid = 90009 https : / / docs. microsoft. com / en - us / sysinternals / downloads / sysmon event id 10 : processa…”
T1055.012Process Hollowing
92%
“2020, the modular repo could use a pull request to fix this logical flaw. the fix appeared to be as simple as shown below ( “ or ” not “ and ” ). a selection of the filtered event logs are shown below. and finally, the files deleted from userland were copied to the restrictedcont…”
T1059.003Windows Command Shell
75%
“##id11 can provide an early warning system for write operations in userland. quick stepback here to provide a definition for “ userland. ” userland or user space ( noun ) : in the context of computing, this can refer to all code that runs in low privilege processes, outside admin…”
T1685.001Disable or Modify Windows Event Log
66%
“a sysmon event id breakdown – updated to include 29!! a sysmon event id breakdown – updated to include 29!! updates! october 30, 2023 there ’ s been an additional update for sysmon! event id 29! another event id ( eid ) was added to the sysmon service. this event id followed the …”
T1654Log Enumeration
59%
“a sysmon event id breakdown – updated to include 29!! a sysmon event id breakdown – updated to include 29!! updates! october 30, 2023 there ’ s been an additional update for sysmon! event id 29! another event id ( eid ) was added to the sysmon service. this event id followed the …”
T1204.002Malicious File
53%
“an example shown below, we see the adversary trying to shred the malicious firefox installer. exe file from the downloads directory. sysmon stepped in here and denied the operation. in event logs, we see the following. sysmon blocked the shredding operation. event id 29 : file bl…”
T1204.002Malicious File
49%
“##card ). please note the config chunk below covers config changes necessary for eid 27 and eid 28. let ’ s assume i try to download a file from the internet, like chrome. exe. denied. game over. easy peasy. we have discussed userland and write permissions, administrative access,…”
T1546.003Windows Management Instrumentation Event Subscription
43%
“protocol. pipes are a means over which an smb client can establish a connection to a remotely available process. there is clearly some value in monitoring these events. sysmon modular ’ s configuration for these event ids is an exclude first operation. some common pipe event offe…”
T1685.001Disable or Modify Windows Event Log
36%
“##mic open a command shell. it is probable that olaf has implemented the best possible solution for the noise of wmic and related events. additional investigations may be warranted, though at this time, capturing wmi events in this fashion is recommended. link : https : / / redca…”
T1047Windows Management Instrumentation
33%
“##mic open a command shell. it is probable that olaf has implemented the best possible solution for the noise of wmic and related events. additional investigations may be warranted, though at this time, capturing wmi events in this fashion is recommended. link : https : / / redca…”
T1563.002RDP Hijacking
31%
“, which has been deprecated in lieu of t1070. 006. the parent technique is now “ indicator removal on host ” with the sub - technique being “ timestomp. ” more on this another day in a different blog. links : https : / / posts. specterops. io / revisiting - ttps - timestomper - 6…”

Summary

Jordan Drysdale // UPDATES! October 30, 2023There’s been an additional update for Sysmon! Event ID 29! Another Event ID (EID) was added to the Sysmon service. This event ID followed […]

The post A Sysmon Event ID Breakdown – Updated to Include 29!! appeared first on Black Hills Information Security, Inc..