The defender's dilemma is a real problem: you need to get your security right 100% of the time, whereas an attacker only needs to get lucky once. With this in mind, it is inevitable that something will slip past your defences, so how can we detect something malicious in your network and, better yet, how can we stop it?
Security monitoring software is the IT community's answer to this problem. There are a huge number of vendors out there offering feature-rich and often expensive solutions that can detect malicious file types, block suspicious IP addresses and much more, all generating events for your team to respond to. Unfortunately, for a lot of businesses there just isn't room for these solutions in their IT security budgets, that is, if they are lucky enough to have an IT security budget at all.
In acknowledgement of this problem, I decided to create a guide to building some basic blocking and alerting capabilities using only freely available Microsoft tools. These techniques are not my own; I first learned of them thanks to some fantastic content by @ippsec, a respected educator within the InfoSec community.
Sysmon is a Windows system service that, as its name suggests, serves as a system monitor. It can collect logs of all sorts of events. Most importantly for us, Sysmon can be configured with rules that allow it to detect and block things. For example, using a well-written Sysmon configuration file, we can block "exe" file types from being downloaded via Outlook, or stop files sitting in the Recycle Bin from reaching out over the network.
The first step is to download Sysmon from the microsoft website and get it installed. To do so simply grab the file from this webpage:
Once downloaded, extract the contents of the zip file to 'C:\Windows\System32'. You can confirm it has installed successfully by opening a command prompt and typing 'sysmon'; you should see it reel off the usage information:
Now that we have it installed, we need to work on the configuration file that will do all of the lovely detecting and blocking magic. We could write this out ourselves, but why snub the hard work that the InfoSec community has already done? Let's use the fantastic configuration file provided by Florian Roth of Nextron Systems in his GitHub repository.
This configuration file contains work done by SwiftOnSecurity, as well as by Florian and countless other GitHub members who have contributed. It contains blocking rules for a large number of known malicious file types, known filenames of malicious software, malicious file signatures, unusual network traffic and more. It is possible that something you use within your environment does something that looks malicious but is benign, and could therefore be impacted by the blocking rules in this config, so it is worth going through it and making sure there is nothing in there that will upset your normal operations. The file is XML and is well documented with comments, so there should be no problem going through it and stripping out anything you don't like the look of.
Download the configuration file here:
Once you have the file, go ahead and save that to the same location as you did Sysmon.
(’C:\Windows\System32\’ in case you forgot!)
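Before installing the config, it helps to see exactly what it will block. The following PowerShell is an added example, not part of the original post or of the sysmon-config repository: it parses the downloaded XML and lists every FileBlockExecutable condition (field, match condition and value), assuming the file was saved under the name and path given above.

```powershell
# Added example (not from the original post or the sysmon-config repository):
# list every blocking condition in a Sysmon config before installing it, so you can
# spot anything that would upset your own tooling. Run from any PowerShell prompt.
param(
    # Assumes the config was saved alongside Sysmon, as described above
    [string]$ConfigPath = 'C:\Windows\System32\sysmonconfig-export-block.xml',
    # Event types whose rules block rather than just log
    [string[]]$BlockingEvents = @('FileBlockExecutable')
)

[xml]$config = Get-Content -Path $ConfigPath -Raw

# Every element carrying an onmatch attribute is an event filter; keep only blocking ones
$filters = $config.SelectNodes('//EventFiltering//*[@onmatch]') |
    Where-Object { $BlockingEvents -contains $_.LocalName }

$conditions = foreach ($filter in $filters) {
    foreach ($child in $filter.ChildNodes) {
        if ($child.NodeType -ne 'Element') { continue }   # skip XML comments
        # A <Rule> element groups several field conditions (groupRelation and/or);
        # a bare field element is a single condition on its own
        $isGroup  = $child.LocalName -eq 'Rule'
        $fields   = if ($isGroup) { $child.ChildNodes } else { @($child) }
        $relation = if ($isGroup) { $child.GetAttribute('groupRelation') } else { '' }
        foreach ($field in $fields) {
            if ($field.NodeType -ne 'Element') { continue }
            $ruleName = if ($isGroup) { $child.GetAttribute('name') } else { $field.GetAttribute('name') }
            [pscustomobject]@{
                Event     = $filter.LocalName
                OnMatch   = $filter.GetAttribute('onmatch')
                RuleName  = $ruleName
                Relation  = $relation
                Field     = $field.LocalName            # e.g. TargetFilename, Image
                Condition = $field.GetAttribute('condition')
                Value     = $field.InnerText.Trim()
            }
        }
    }
}

"{0} blocking conditions found in {1}" -f @($conditions).Count, $ConfigPath
$conditions | Sort-Object Event, Field, Value | Format-Table -AutoSize
```

Anything in the output that matches a path, filename or process you legitimately use is a candidate for removal from the XML before you run the install command below.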
Now that everything is in place, we can tell Sysmon about our configuration file and set it working to the rules that are defined. To do so we need to open a command prompt as administrator, which should make sure that it opens in the System32 folder. Next, type the following command and hit enter:
sysmon -i sysmonconfig-export-block.xml
You should see Sysmon respond with some confirmation messages telling you that the service is started:
Excellent! Sysmon is now installed with our config file and should be blocking things! Now it's time to test it out and make sure it is working. To test it, we'll grab a copy of WinRAR, but we're going to download it to a suspicious location that our config file has been configured to watch out for. Open a command prompt and enter the following command:
curl https://www.win-rar.com/fileadmin/winrar-versions/winrar/winrar-x64-611.exe --output C:\Users\Public\winrar.exe
This will download winrar.exe to the Public user's folder, a location where hackers like to drop executable files because it's not somewhere users will often look. If we then view the contents of that folder in File Explorer, or just with the command:
you will see that the file does not exist, despite the download command seeming to have worked.
If we investigate further in Windows Event Viewer, we can see that a "FileBlockExecutable" event has fired, indicating that our config is working to protect us from bad things happening. You can check this out by opening Event Viewer as an administrator and navigating in the left panel through Applications and Services > Microsoft > Sysmon > Operational.
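The same events can be pulled out with PowerShell instead of clicking through Event Viewer. This is an added example, not code from the original post: it reads FileBlockExecutable events (Sysmon Event ID 27) from the Sysmon Operational log for the last N hours and shows which rule fired, which user and process tried to write the file, and where.

```powershell
# Added example (not from the original post): pull the FileBlockExecutable events
# (Sysmon Event ID 27) that the Event Viewer steps above show, for the last N hours,
# and summarise who tried to write what, from which process. Run as administrator.
param([int]$Hours = 24)

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 27                            # FileBlockExecutable
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    "No FileBlockExecutable events in the last $Hours hours."
    return
}

$blocked = foreach ($evt in $events) {
    # EventData is a list of <Data Name="...">value</Data> elements; turn it into a lookup
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        Time           = $evt.TimeCreated
        RuleName       = $data['RuleName']        # which config rule matched
        User           = $data['User']
        Image          = $data['Image']           # process that tried to write the file
        TargetFilename = $data['TargetFilename']  # the blocked executable
        Hashes         = $data['Hashes']
    }
}

$blocked | Sort-Object Time -Descending |
    Format-Table Time, RuleName, User, Image, TargetFilename -AutoSize

# Which processes trip the rules most often: a quick way to tell a noisy but benign
# tool (a candidate for trimming from the config) from something that needs a closer look
$blocked | Group-Object Image | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

After the WinRAR test above, the first table should contain one row with curl.exe as the Image and C:\Users\Public\winrar.exe as the TargetFilename.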
This is great: we've put rules in place and have confirmed they are working. The only problem is that we don't know when they are firing; files are blocked silently. Sure, we are protected, but we should probably know about attacks if they are happening. Unfortunately, this post is starting to run a little long, so you'll have to wait for the next post in this series to find out how we'll use Task Scheduler to create alerts!
If you would rather have support from a team of experts, Equilibrium offer security monitoring services which can be tailored to your company's needs, technology and budget. Call us on 0121 663 0055, start a live chat or email email@example.com for more details.
References and Credits:
The video that inspired this series:
His excellent github page: