FIRST Regional Symposium Asia -Pacific Sysmon Log Analysis ... · FIRST Regional Symposium Asia...
FIRST Regional Symposium Asia-Pacific
Sysmon Log Analysis Tool - SysmonSearch -
2018/10/25
Wataru Takahashi (JPCERT/CC)
Copyright ©2018 JPCERT/CC All rights reserved.
Self-introduction
Wataru Takahashi
- Incident Response Group at JPCERT/CC
- Malware analysis, forensics investigation
- Writes posts on malware analysis and technical findings on the JPCERT/CC blog and GitHub:
  - https://blogs.jpcert.or.jp/en/
  - https://github.com/JPCERTCC/
The Challenges in Current Incident Response
- The attacker intrudes into the network and infects many hosts and servers with malware.
- Many hosts need investigation during incident response.
- It takes months to investigate the whole incident.
Importance of logging
Necessity to retain logs on a daily basis:
- Application log
- Network communication log
- System log

Sysmon (System Monitor)
Sysmon
Sysmon is a free tool provided by Microsoft.
It records various Windows OS operations (process and application activity, registry entries, network communication, etc.) to the Windows event log.
Sysmon log
Example log (Process Create)

Information,2017/11/07 16:06:03,Microsoft-Windows-Sysmon,1,Process Create (rule: ProcessCreate),"Process Create:
UtcTime: 2017-11-07 07:06:03.955
ProcessGuid: {02EA0504-5B5B-5A01-0000-00105D741200}
ProcessId: 2412
Image: C:\Windows\SysWOW64\cmd.exe
CommandLine: cmd /c ""net use \\Win7_64JP_03\c$""
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {02EA0504-41A6-5A01-0000-0020E7030000}
LogonId: 0x3e7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5
ParentProcessGuid: {02EA0504-584C-5A01-0000-0010E1C11000}
ParentProcessId: 2604
ParentImage: C:\Intel\Logs\malware.exe
ParentCommandLine: C:\Intel\Logs\malware.exe"

What you can see from the logs:
- Created process (Image)
- Executed command (CommandLine)
- User who created the process, i.e. the authority it ran with (User)
- Parent process (ParentImage)

Reading these fields together: "malware.exe" executes cmd /c net use \\Win7_64JP_03\c$ (connecting to the administrative share of another host) with SYSTEM privilege.
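As an added example (not part of the slides or of the SysmonSearch project), the following Python parses the "Key: Value" body of a Process Create message like the one above and applies two rules of the kind a monitor rule would express: cmd.exe started by a parent outside the standard program directories, and "net use" run under the SYSTEM account. The sample events and the TRUSTED_PARENT_DIRS list are constructed assumptions.

```python
import re

# Constructed samples in the 'Key: Value' layout of the Process Create
# (Event ID 1) message shown above; the second event is a benign contrast.
SAMPLE_EVENTS = [
    "Process Create:\n"
    "Image: C:\\Windows\\SysWOW64\\cmd.exe\n"
    "CommandLine: cmd /c \"net use \\\\Win7_64JP_03\\c$\"\n"
    "User: NT AUTHORITY\\SYSTEM\n"
    "ParentImage: C:\\Intel\\Logs\\malware.exe\n",
    "Process Create:\n"
    "Image: C:\\Windows\\System32\\cmd.exe\n"
    "CommandLine: cmd /c dir\n"
    "User: CORP\\alice\n"
    "ParentImage: C:\\Windows\\explorer.exe\n",
]

FIELD_RE = re.compile(r"^(\w+): ?(.*)$")

# Directories a legitimate parent of cmd.exe is expected to live in (assumption).
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files\\")

def parse_sysmon_message(text):
    """Split the Sysmon message body into a dict; the first line is the event name."""
    fields = {}
    for line in text.splitlines()[1:]:
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def match_rules(ev):
    """Names of the monitor rules that fire on one parsed Process Create event."""
    hits = []
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmdline = ev.get("CommandLine", "").lower()
    user = ev.get("User", "").upper()
    # cmd.exe spawned from a non-standard location such as C:\Intel\Logs\
    if image.endswith("\\cmd.exe") and not parent.startswith(TRUSTED_PARENT_DIRS):
        hits.append("cmd_from_untrusted_parent")
    # 'net use' to a share run under the SYSTEM account
    if "net use" in cmdline and user == "NT AUTHORITY\\SYSTEM":
        hits.append("net_use_as_system")
    return hits

def scan(events):
    """Return [(parent image, created image, fired rules)] for every event."""
    out = []
    for ev in map(parse_sysmon_message, events):
        out.append((ev.get("ParentImage"), ev.get("Image"), match_rules(ev)))
    return out
```

Run scan(SAMPLE_EVENTS) to see the first event fire both rules while the explorer.exe-spawned cmd.exe stays quiet.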
Challenges in Sysmon log analysis
Typical tools: Event Viewer, a text editor, Linux commands (grep, awk and others)
- Takes time to manually check a massive volume of data
- Almost impossible to grasp the logs as a whole
- Difficult to investigate multiple devices at once
Any ways to do it effectively?
Solution!
JPCERT/CC developed a tool to support Sysmon log analysis: SysmonSearch
https://github.com/JPCERTCC/SysmonSearch
- Increase accuracy of log analysis
- Shorten time for incident investigation
- Reduce workload for log analysis
SysmonSearch
SysmonSearch overview
Three layers built on Elastic products: Transmission, Storage, Visualisation.
Powering Data Search, Log Analysis, Analytics | Elastic: https://www.elastic.co/products
System overview
- Sysmon-installed devices: Winlogbeat sends Sysmon's event log to Elasticsearch.
- Elasticsearch: stores the data.
- Kibana (web app) with the Visualisation (Kibana plugin): log monitoring and statistical processing; issues REST API queries to Elasticsearch and receives the search results.
- StixIoC server: extracts information from STIX and IoC format files; produces alert data and statistical data.
- Analysis device: the analyst analyses logs from a web browser.
- Developed originally by JPCERT/CC: the Visualisation (Kibana plugin) and the StixIoC server.
SysmonSearch functions
- Search: by hash value, host names, etc.
- Monitor: based on rules
- Visualise: in simple graphics
- Create statistics: on a regular basis
Search
Input the search condition, then view the search results.
Monitor
Monitor rules, detection results, and number of matches per rule.
Visualise
Process relationship
Corresponding icons to IDs (each event type has its own icon in the process relationship view)

| Event ID   | Event                       |
|------------|-----------------------------|
| 1          | Process Create              |
| 2          | File creation time changed  |
| 3          | Network Connection Detected |
| 7          | Image loaded                |
| 8          | CreateRemoteThread          |
| 11         | FileCreate                  |
| 12, 13, 14 | RegistryEvent (CreateKey)   |
| 12, 13, 14 | RegistryEvent (values)      |
| 19, 20, 21 | WmiEvent                    |
Create statistics
How to install
SysmonSearch wiki: https://github.com/JPCERTCC/SysmonSearch/wiki
JPCERT/CC Blog
https://blogs.jpcert.or.jp/en/2018/09/visualise-sysmon-logs-and-detect-suspicious-device-behaviour--sysmonsearch.html
Future works
Extended functions:
- Import Sysmon logs
- Raise an alert upon detection
Note
Sysmon log output configuration:
- Besides installing the tool, you will need to change the Sysmon configuration so that the events you want to analyse are actually recorded.
Network events recorded in Sysmon:
- In a proxy environment the recorded destination IP address will be that of the proxy, so the investigation has to be correlated with the proxy server logs.
Takeaway
SysmonSearch can be used for investigating device operations and for rule-based log monitoring in peacetime:
- Investigate suspicious operations by visualising Sysmon logs
- Detect suspicious operations based on rules
Thank you!!
Please give us feedback. E-mail: [email protected]