Sysmon & Security Onion: Monitoring Key Windows Processes for Anomalies

One of the sections of my recently released paper works through how to use Sysmon logs to monitor key windows processes for anomalous behavior. One issue that I wanted to make clear–The current OSSEC ruleset on Github is based on this document that I maintain: http://DefensiveDepth.com/Windows-Processes, which itself is based on a few different sources, namely the SANS Know Normal… Find Evil, Know your Windows Processes or Die Trying,  as well as my own experience. Any feedback that you can give to tweak the documentation and/or rules would be much appreciated.

From the paper, Using Sysmon to Enrich Security Onion’s Host-Level Capabilities:

So as to be able to maintain persistence, both targeted and opportunistic threats use certain techniques to attempt to blend into the background of a busy system. One of the primary ways of doing this is by emulating and/or abusing legitimate Windows processes. For instance, malware named svhost.exe instead of svchost.exe, which is a legitimate process. Another example would be the Poweliks class of malware, which hollows out a legitimate process and runs its malicious threads from there. In fact, in the case of Poweliks, there is no binary downloaded to the system itself, as it runs entirely in memory.

Using the host data generated by Sysmon, detection of these techniques can become commonplace. The crux of the idea is that it is well known how critical legitimate Windows processes should be running. Let us take a closer look at this detection strategy. The current iteration of Poweliks hollows a legitimate Windows process, dllhost.exe, to perform its malicious tasks. (Harrell, 2014) When the author ran a copy of Poweliks on a system with Sysmon installed, the following pertinent data was generated:

 

         Image: C:\Windows\syswow64\dllhost.exe

         CommandLine: C:\Windows\syswow64\dllhost.exe

 

         ParentImage: C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe

         ParentCommandLine: “C:\Windows\syswow64\windowspowershell\v1.0\power shell.exe” iex $env:a

 

Typically dllhost.exe’s parent process would be svchost.exe, and at runtime, dllhost.exe would be passed the following parameter: /Processid:{}. As can be seen, the dllhost.exe that is started by Poweliks falls outside the norm, and would have set off some alerts.

Based on this concept, the I wrote more than ten OSSEC rules that cover normal behavior for a number of critical Windows processes. These rules can be found on Github. Keep in mind that the rules were written with the corresponding OSSEC decoder for Sysmon logs, so they may need to be edited if used outside of that particular context. When writing the rules, there were a number of ways to alert on abnormal behavior: Image Location, User Context, Parent Process Image, and finally, how many instances should be running on the system. For simplicity, the ruleset was designed to alert on one abnormal attribute. The most immutable attribute would seem to be the parent image, which is why the ruleset only looks at the parent image for abnormalities. Within this attribute, two abnormalities are checked for. The first is whether the parent process image is known-good. For example, the parent image of svchost.exe should only ever be C:\Windows\System32\services.exe. The second abnormality is that there are a couple processes that should never spawn a child process—lsm.exe and lsass.exe. With this being the case, there are a few rules that look for these particular images as the parent process image and alert if found.

References:

SANS. (n.d.). Know Abnormal… Find Evil. Retrieved February 12, 2015, from sans.org: http://digital-forensics.sans.org/media/poster_2014_find_evil.pdf

Harrell, C. (2014, December 17). Prefetch File Meet Process Hollowing. Retrieved from Journey Into Incident Response: http://journeyintoir.blogspot.com/2014/12/prefetch-file-meet-process-hollowing_17.html

Tagged , , , ,

One thought on “Sysmon & Security Onion: Monitoring Key Windows Processes for Anomalies

  1. keydet89 says:

    Endpoint monitoring is critical, and well worth the investment of effort for a wide range of tasks, including troubleshooting and incident response. Perhaps most importantly, process creation monitoring removes a great deal of guess work from IR, and acts as a video camera.

    RE: Poweliks – though a binary isn’t downloaded to a file on the system, this malware does persist by writing particular data to the Registry. As such, it’s actually incredibly trivial to find.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s