Sysmon is a powerful tool for monitoring endpoints: it is free and can easily be installed on many machines. It creates a large volume of log messages and stores them in the Windows event log. Those logs are usually forwarded routinely to a central log server such as Graylog, where blue teams can easily search them:
To get meaningful search terms, blue teams often use sandboxes such as Joe Sandbox to analyze malware in depth. However, the IOCs generated by sandboxes are frequently not in a format that can be correlated directly with Sysmon events, so blue teams have to translate the IOCs by hand, which is a painful job. In addition, Sysmon event logs can serve as input for various other tools. For instance, they can easily be translated into Sigma rules, which allow a wider search across many other log sources.
To reduce this friction and make the blue team's job less painful, we added Sysmon output to Joe Sandbox.
Using a Cookbook to generate Sysmon output
In order to get Sysmon logs you have to use a custom Cookbook which first installs Sysmon. Cookbooks are small scripts that define how an analysis is executed. They give blue teams a way to fully customize a dynamic analysis. Let us have a look at our Sysmon cookbook:
In line 3 the cookbook specifies that the malware is executed on a sandbox named w7_1. On the submission page you find a mapping of system names to system configurations:
In lines 7 to 16 Sysmon is installed. Please note that you can use any Sysmon config you like; there is no restriction. By default, the template from SwiftOnSecurity
In lines 18 to 24 all the analysis engines are started, including the network and behavior engines.
In line 26 the sample is started, and in line 30 the cookbook sleeps for a maximum of two minutes. Right after that, the analysis engines are stopped and finally the machine is cleaned up.
Generate Sysmon Events for SmokeLoader
Let us take a concrete example and assume you want to verify whether one of your hosts is infected by the latest SmokeLoader malware.
The cookbook is submitted together with the malware sample in the advanced tab:
In the generated analysis report, go to the explorer.exe process and then to Sysmon Activities:
Joe Sandbox lists all the Sysmon events in various formats. To construct your search query for Graylog, you can use the first three fields. For instance, you can easily search for LNK file creation by explorer.exe:
You can also take the last field, copy it to a file and then use the evt2sigma converter to get a Sigma rule:
Sigma rules can then be converted to various other formats:
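To make the two steps above concrete, here is an added example (written for this post; it is neither Joe Sandbox's Sysmon output code nor the evt2sigma converter) that takes a Sysmon FileCreate event in its EVTX XML form, builds a Graylog search from its first fields, and generalizes it into a Sigma rule. The event itself is constructed sample data, not an event from the SmokeLoader analysis, and the Graylog field names (EventID, Image, TargetFilename) assume the EventData fields were shipped unchanged; adjust them to your own pipeline.

```python
"""Sysmon event -> Graylog query and Sigma rule (added example, not the
page's own tooling)."""
import ntpath
import xml.etree.ElementTree as ET

# Namespace of Windows event log XML (System/EventData elements).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sigma logsource category for the Sysmon event IDs handled here.
SYSMON_CATEGORY = {
    1: "process_creation",
    3: "network_connection",
    7: "image_load",
    11: "file_event",
    13: "registry_set",
    22: "dns_query",
}

# Constructed Sysmon Event ID 11 (FileCreate): explorer.exe writing a .lnk
# file into the Recent folder. Sample data for this example only.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}"/>
    <EventID>11</EventID>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>w7-1.lab.local</Computer>
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2020-03-10 09:12:33.431</Data>
    <Data Name="ProcessId">1804</Data>
    <Data Name="Image">C:\\Windows\\explorer.exe</Data>
    <Data Name="TargetFilename">C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\invoice.lnk</Data>
    <Data Name="CreationUtcTime">2020-03-10 09:12:33.431</Data>
  </EventData>
</Event>"""


def parse_sysmon_event(xml_text):
    """Return the EventID plus every EventData field as a flat dict."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS))}
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def lucene_phrase(value):
    """Quote a value for Lucene/Graylog; backslashes in Windows paths are doubled."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def graylog_query(event, fields=("EventID", "Image", "TargetFilename"), generalize=False):
    """Build a Graylog query from the given fields (assumed field names).
    generalize=True replaces the full target path by its extension
    (TargetFilename:*.lnk); leading wildcards require
    allow_leading_wildcard_searches to be enabled in graylog.conf."""
    parts = []
    for name in fields:
        value = str(event[name])
        if name == "TargetFilename" and generalize:
            parts.append(f"{name}:*{ntpath.splitext(value)[1].lower()}")
        elif value.isdigit():
            parts.append(f"{name}:{value}")
        else:
            parts.append(f"{name}:{lucene_phrase(value)}")
    return " AND ".join(parts)


def sigma_rule(event, title):
    """Generalize one event into a Sigma rule: match on the image file name
    and the target extension rather than the sample-specific full paths."""
    eid = event["EventID"]
    if eid not in SYSMON_CATEGORY:
        raise ValueError(f"no Sigma category mapped for Sysmon event {eid}")
    selection = {"Image|endswith": "\\" + ntpath.basename(event["Image"])}
    if "TargetFilename" in event:
        selection["TargetFilename|endswith"] = ntpath.splitext(event["TargetFilename"])[1].lower()
    return {
        "title": title,
        "status": "experimental",
        "logsource": {"product": "windows", "category": SYSMON_CATEGORY[eid]},
        "detection": {"selection": selection, "condition": "selection"},
        "level": "low",
    }


def to_yaml(obj, indent=0):
    """Minimal YAML emitter for the nested dict above; values are
    single-quoted so backslashes stay literal. Avoids a PyYAML dependency."""
    pad = "  " * indent
    lines = []
    for key, value in obj.items():
        if isinstance(value, dict):
            lines.append(f"{pad}{key}:")
            lines.append(to_yaml(value, indent + 1))
        else:
            lines.append(f"{pad}{key}: '{value}'")
    return "\n".join(lines)


if __name__ == "__main__":
    ev = parse_sysmon_event(SAMPLE_EVENT)
    print(graylog_query(ev))
    print(graylog_query(ev, generalize=True))
    print(to_yaml(sigma_rule(ev, "LNK file created by explorer.exe")))
```

The exact query pins the full target path, which only catches that one sample; the generalized query and the Sigma rule key on explorer.exe plus the .lnk extension and will also flag other LNK drops, so expect to tune them against your own baseline before alerting on them.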
Cookbooks - Agile Malware Analysis
Thanks to Cookbooks, blue teams benefit from full customization of the malware analysis. Installing Sysmon is just one example. Using our Cookbook technology, analysts can easily:
- Accelerate system time and date
- Change keyboard layouts
- Change the DNS server
- Simulate USB memory sticks
- Browse URLs on Chrome or Firefox
- Execute multipart malware
- Install their custom tools