Sysinternals new Sysmon tool looks for intruder traces
For the first time in almost two years, Microsoft's Mark Russinovich has added a new tool to the Sysinternals tool suite. The new tool is Sysmon which monitors for and logs certain specific events.
Sysinternals is a set of Windows utility programs first released in 1996, long before Russinovich joined Microsoft. Almost all were written by Russinovich and his then-partner Bryce Cogswell. Sysmon, written by Russinovich and Thomas Garnier, also of Microsoft, is the 73rd tool in the set, and has been used internally at Microsoft for some time.
The point of Sysmon is to monitor for three specific system events which are often used by malicious processes and which can be difficult to separate from the flood of events in a normal Windows system. Sysmon runs as a service using the Local System account and loads very early in the boot process in order to give the best chance of finding the origin of any problems.
The Sysmon service logs these to the event log:
- Event ID 1: Process creation. A new process is created. The event includes the date/time, the full command line, a hash of the executable file, the ID of the parent process and many other items which might help in system analysis.
- Event ID 2: A process changed a file creation time. According to the documentation, malware will often change file creation times in order to disguise the date/time when it infiltrated the system. Based on my own logs, it looks like Google Chrome changes the file creation times of its temp files a lot.
- Event ID 3: Network connection. This event shows a TCP or UDP connection on the local machine. This event is not turned on by default and must be enabled with sysmon -n.
For Windows Vista and later, Sysmon places these events in the event log in "Applications and Services Logs/Microsoft/Windows/Sysmon/Operational". For earlier (unsupported) versions of Windows, it places them in the Windows System log.
Sysmon is a command line-only program. Run it with no parameters and it returns its command line syntax:
First you have to accept the license agreement by running sysmon -accepteula. Then you install the service with sysmon -i. Neither installation nor uninstallation requires a reboot.
Once loaded, Sysmon does its job automatically and in the background. Check the results in the Event Viewer:
Sysmon provides only raw event data, not analysis of that data. It is possible for third parties to write analysis tools which read the Sysmon event log and attempt to identify meaningful activity, but for now you have to analyze it the hard way.
Sysmon is just the latest of a series of monitoring tools from Microsoft, many of them from Sysinternals. Some others:
- Netmon: Allows capture and protocol analysis of network traffic. See good stuff on the (lately dormant) Network Monitor blog.
- Process Explorer: A super-duper Task Manager replacement. Shows extensive detail on running processes and threads.
- Process Monitor: Shows real-time file system, Registry and process/thread activity.
Another extremely useful diagnostic tool is Fiddler, which allows you to debug web traffic and much more. It started out in life as a free Microsoft tool and has since been spun off to an independent company.