Microsoft released Sysmon 15, converting it to a protected process and adding the new “FileExecutableDetected” option to log when executable files are created.

For those who don’t know Sysmon (or System Monitor), it is a free Microsoft Sysinternals tool that can monitor and block malicious or suspicious activity and log events to the Windows Event Log.

By default, Sysmon monitors basic events such as process creation and process termination. However, it is possible to create advanced configuration files that allow you to monitor other behaviors, such as file deletion and Windows clipboard changes, and to detect and block file shredding.

Users can find the full list of directives in the Sysmon schema, which can be viewed by running the sysmon -s command on the command line.

Yesterday, Microsoft released Sysmon 15.0, which includes two new features – hardening the program by turning it into a protected process and the ability to detect when executable files are created on the monitored system.

Sysmon is now a protected process

As Sysmon is commonly used to detect malicious behavior, it is in the interest of threat actors to tamper with or disable the software.

With this release, Microsoft has converted the Sysmon.exe executable into a protected process to prevent the injection of malicious code into the process.

“In Windows 8.1, a new protected service concept was introduced to allow user-mode anti-malware services to be launched as a protected service,” explains a Microsoft article on the feature.

“Once the service is launched as protected, Windows uses code integrity to allow only trusted code to load into the protected service. Windows also protects these processes against code injection and other attacks from admin processes.”

Once Sysmon is launched, you can see that it is a protected process by using Process Explorer and looking at its security properties as shown below.

Sysmon running as PPL process
Source: BleepingComputer

Based on Process Explorer, Sysmon runs as a PPL process (PROTECTED_ANTIMALWARE_LIGHT), which is described in more detail in this article by Elastic.

Detection of new executable files

Sysmon 15.0 also upgrades the Sysmon schema to version 4.90, which now includes the “FileExecutableDetected” configuration option to detect the creation of executable files on the monitored device.


    <event name="SYSMONEVENT_FILE_EXE_DETECTED" value="29" level="Informational" template="File Executable Detected" rulename="FileExecutableDetected" version="5">
      <data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
      <data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
      <data name="ProcessGuid" inType="win:GUID" />
      <data name="ProcessId" inType="win:UInt32" outType="win:PID" />
      <data name="User" inType="win:UnicodeString" outType="xs:string" />
      <data name="Image" inType="win:UnicodeString" outType="xs:string" />
      <data name="TargetFilename" inType="win:UnicodeString" outType="xs:string" />
      <data name="Hashes" inType="win:UnicodeString" outType="xs:string" />
    </event>

For example, to use the new FileExecutableDetected directive to detect new executables created under the C:\ProgramData\ and C:\Users\ folders, you can use the following configuration file:


<Sysmon schemaversion="4.90">
  <!-- Capture all hashes -->
  <HashAlgorithms>MD5,SHA256</HashAlgorithms>
  <EventFiltering>
    <!-- Log executable file creations -->
    <FileExecutableDetected onmatch="include">
      <TargetFilename condition="begin with">C:\ProgramData\</TargetFilename>
      <TargetFilename condition="begin with">C:\Users\</TargetFilename>
    </FileExecutableDetected>
  </EventFiltering>
</Sysmon>

To start Sysmon and tell it to use the configuration file above, you need to run the sysmon -i command and pass the name of the configuration file.

In our example, the configuration file name is sysmon.conf, so we would use the following command from an administrative command prompt to start Sysmon:

sysmon -i sysmon.conf

Once started, Sysmon will install its driver and quietly collect data in the background.

All Sysmon events will be logged under ‘Applications and Services Logs/Microsoft/Windows/Sysmon/Operational’ in Event Viewer.

With the FileExecutableDetected feature enabled, whenever a new executable file is created under the C:\ProgramData\ or C:\Users\ folder (or any of their subfolders) and matches a rule, Sysmon generates an “Event 29, File Executable Detected” entry in Event Viewer.

Sysmon Event 29 – File Executable Detected
Source: BleepingComputer

The event log entries created will contain a lot of valuable information, explained below:

  • UtcTime: The time at which the event was detected.
  • ProcessId: The PID of the process that created the executable file.
  • User: The user account of the process that created the file.
  • Image: The full path of the program that created the file.
  • TargetFilename: The executable file that was created. Note: During our tests, the file was always shown under a temporary file name.
  • Hashes: The hashes of the file being created. Which hashes are displayed depends on your HashAlgorithms configuration setting.
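To show how the configuration above and the Event 29 fields fit together, here is an added example (not code from the article, Microsoft or Sysmon) that parses an Event 29 record in the XML form Event Viewer exports, splits the Hashes field per algorithm, and re-applies the configuration’s “begin with” TargetFilename rules. The event record is constructed for illustration, and the case-insensitive prefix comparison is an assumption about how Sysmon matches paths.

```python
import xml.etree.ElementTree as ET

# Constructed Sysmon Event 29 record in the XML shape Event Viewer exports.
# Every value below is made up for illustration, not a real capture.
SAMPLE_EVENT_29 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>29</EventID></System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2023-06-28 14:02:11.123</Data>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="ProcessId">4128</Data>
    <Data Name="User">DESKTOP\alice</Data>
    <Data Name="Image">C:\Windows\explorer.exe</Data>
    <Data Name="TargetFilename">C:\Users\alice\Downloads\setup.tmp</Data>
    <Data Name="Hashes">MD5=0123456789ABCDEF0123456789ABCDEF,SHA256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF</Data>
  </EventData>
</Event>"""

# The two "begin with" prefixes from the article's configuration file.
INCLUDE_PREFIXES = ("C:\\ProgramData\\", "C:\\Users\\")


def parse_event29(xml_text):
    """Return the EventData fields of an Event 29 record as a dict.

    ProcessId becomes an int and Hashes becomes {"MD5": ..., "SHA256": ...}
    so the values can be compared against an allow/deny list directly."""
    root = ET.fromstring(xml_text)
    event_id = next(e for e in root.iter() if e.tag.endswith("}EventID")).text
    if event_id != "29":
        raise ValueError(f"not a File Executable Detected event: EventID {event_id}")
    fields = {d.get("Name"): (d.text or "") for d in root.iter() if d.tag.endswith("}Data")}
    fields["ProcessId"] = int(fields["ProcessId"])
    # Hashes is "ALG=hex,ALG=hex"; which algorithms appear follows <HashAlgorithms>.
    fields["Hashes"] = dict(p.split("=", 1) for p in fields["Hashes"].split(",") if "=" in p)
    return fields


def matches_include_rule(target_filename, prefixes=INCLUDE_PREFIXES):
    """Mirror the config's 'begin with' include rules. Assumption: Sysmon path
    matching is case-insensitive, so both sides are lowercased before comparing."""
    t = target_filename.lower()
    return any(t.startswith(p.lower()) for p in prefixes)


def triage(xml_text):
    """Summarise one record (who created what, where, and whether our rule
    would have matched) as a dict ready for alerting or enrichment."""
    f = parse_event29(xml_text)
    return {
        "utc_time": f["UtcTime"],
        "creator": f"{f['User']} via {f['Image']} (PID {f['ProcessId']})",
        "target": f["TargetFilename"],
        "in_scope": matches_include_rule(f["TargetFilename"]),
        "sha256": f["Hashes"].get("SHA256"),
    }
```

Because the TargetFilename is often a temporary name at creation time, the SHA256 from the Hashes field is the stable value to pivot on when enriching or hunting.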

For even more information and creative tips on using this new feature, it is highly recommended to read Olaf Hartong’s excellent write-up on this new version of Sysmon.

For those who want a pre-made Sysmon configuration file that uses this functionality to detect when known malware or hacking tool executables are created, you can use security researcher Florian Roth’s Sysmon configuration.

Learn more about Sysmon

Sysmon is an advanced system monitoring tool with a ton of directives that let you create configuration files that suit your organization’s needs.

Due to the complexity of the program, it is strongly advised to read the Sysmon Documentation and play around with the configuration options to see how the different directives work.

Unfortunately, Sysmon is not a well-documented program, requiring users to perform trial and error to test functionality and see what events are written to the event log.

The good news is that Sysmon won’t load a misconfigured configuration file, so if you see a “Configuration file validated” message when loading Sysmon, you know you’re at least on the right track.

You should also read Olaf Hartong’s blog posts about Sysmon, as he documents new features as they are released.

Finally, administrators can use or read the predefined Sysmon configuration files from Florian Roth and SwiftOnSecurity to see how the directives can be used to detect and block malware.
