Windows.Triage.Sysmon

This artifact allows collecting Sysmon Events for Triage around a timestamp.

By default collection will be 600 seconds from the current time and allows fast triage of a machine with recent telemetry.


name: Windows.Triage.Sysmon
author: Matt Green - @mgreen27
description: |
   This artifact allows collecting Sysmon Events for Triage around a timestamp.
   
   By default collection will be 600 seconds from the current time and allows 
   fast triage of a machine with recent telemetry.
   
type: CLIENT

parameters:
   - name: TargetTime
     description: the timestamp we want to box time around. Default is current time.
     type: timestamp
   - name: TargetTimeBox
     description: the time box in seconds we want around TargetTime.
     default: 600
     type: int
   - name: IdRegex
     description: Regex of Sysmon EventIDs to include. Default is all.
     default: .
   - name: IocRegex
     description: Regex of strings to search for in Sysmon events. Default is any.
     default: .
   - name: FilterRegex
     description: Regex of strings to filter out of results. Default is none.
     
sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
      -- firstly set boxed timebounds
      LET DateAfterTime <= if(condition=TargetTime,
        then=timestamp(epoch=TargetTime.Unix - TargetTimeBox), else=timestamp(epoch=now() - TargetTimeBox))
      LET DateBeforeTime <= if(condition=TargetTime,
        then=timestamp(epoch=TargetTime.Unix + TargetTimeBox), else=timestamp(epoch=now() + TargetTimeBox))
        
      -- run query and output rows
      SELECT * FROM Artifact.Windows.EventLogs.EvtxHunter(
                EvtxGlob='''%SystemRoot%\System32\Winevt\Logs\*Sysmon*.evtx''',
                ChannelRegex='Sysmon',
                DateAfter= DateAfterTime,
                DateBefore= DateBeforeTime,
                IdRegex=IdRegex,
                IocRegex=IocRegex,
                WhitelistRegex=FilterRegex )

    notebook:
      - type: vql_suggestion
        name: 1. Process event timeline
        template: |
            /*
            ## 1: Process creation
            Comment in fields as needed.
            */
            SELECT EventTime, Computer,EventID
                --,Channel,Provider
                --EventData.RuleName as RuleName
                --EventData.UtcTime as UtcTime
                --EventData.ProcessGuid as ProcessGuid
                ,EventData.ProcessId as ProcessId
                ,EventData.Image as Image
                ,EventData.OriginalFileName as OriginalFileName
                --,dict(FileVersion = EventData.FileVersion, Description = EventData.Description, Product = EventData.Product,Company = EventData.Company,OriginalFileName = EventData.OriginalFileName) as VersionInformation
                ,EventData.CommandLine as CommandLine
                --,EventData.CurrentDirectory as CurrentDirectory
                ,EventData.User as User
                --,EventData.LogonGuid as LogonGuid
                --,EventData.LogonId as LogonId
                --,EventData.TerminalSessionId as TerminalSessionId
                --,EventData.IntegrityLevel as IntegrityLevel
                --,parse_string_with_regex(string=EventData.Hashes, regex=["MD5=(?P<MD5>[^,]+)","SHA1=(?P<SHA1>[^,]+)","SHA256=(?P<SHA256>[^,]+)","IMPHASH=(?P<IMPHASH>[^,]+)"] ) as Hash
                --,EventData.ParentProcessGuid as ParentProcessGuid
                ,EventData.ParentProcessId as ParentProcessId
                ,EventData.ParentImage as ParentImage
                ,EventData.ParentCommandLine as ParentCommandLine
                --,EventData.ParentUser as ParentUser
                --,Message
            FROM source(artifact="Exchange.Windows.Triage.Sysmon")
            WHERE EventID = 1
 
      - type: vql_suggestion
        name: 2 Change file time
        template: |
            /*
            ## 2: A process changed a file creation time
                The change file creation time event is registered when a file creation time is 
                explicitly modified by a process. This event helps tracking the real creation 
                time of a file. Attackers may change the file creation time of a backdoor to 
                make it look like it was installed with the operating system. Note that many 
                processes legitimately change the creation time of a file; it does not 
                necessarily indicate malicious activity.
            */
            SELECT EventTime, Computer,EventID
                --,Channel,Provider
                --EventData.RuleName as RuleName
                --EventData.UtcTime as UtcTime
                --EventData.ProcessGuid as ProcessGuid
                ,EventData.ProcessId as ProcessId
                ,EventData.Image as Image
                ,EventData.User as User
                ,EventData.TargetFilename as TargetFilename
                ,EventData.CreationUtcTime as CreationUtcTime
                ,EventData.PreviousCreationUtcTime as PreviousCreationUtcTime
                --,EventData
                --,Message
            FROM source(artifact="Exchange.Windows.Triage.Sysmon")
            WHERE EventID = 2

      - type: vql_suggestion
        name: 3. Network event timeline
        template: |             
            /*
            ## 3. Network connection
            */
            SELECT EventTime, Computer,EventID
                --,Channel,Provider
                --,EventData.RuleName as RuleName
                --,EventData.UtcTime as UtcTime
                --,EventData.ProcessGuid as ProcessGuid
                ,EventData.ProcessId as ProcessId
                ,EventData.Image as Image
                ,EventData.User as User
                ,EventData.Protocol as Protocol
                ,EventData.Initiated as Initiated
                ,EventData.SourceIsIpv6 as SourceIsIpv6
                ,EventData.SourceIp as SourceIp
                ,EventData.SourceHostname as SourceHostname
                ,EventData.SourcePort as SourcePort
                ,EventData.SourcePortName as SourcePortName
                ,EventData.DestinationIsIpv6 as DestinationIsIpv6
                ,EventData.DestinationIp as DestinationIp
                ,EventData.DestinationHostname as DestinationHostname
                ,EventData.DestinationPort as DestinationPort
                ,EventData.DestinationPortName as DestinationPortName
                --,Message
            FROM source(artifact="Exchange.Windows.Triage.Sysmon")
            WHERE EventID = 3
       
       
      - type: vql_suggestion
        name: 8. CreateRemoteThread
        template: |           
            /*
            ## 8: CreateRemoteThread
            The CreateRemoteThread event detects when a process creates a thread in another 
            process. This technique is used by malware to inject code and hide in other 
            processes. The event indicates the source and target process. It gives 
            information on the code that will be run in the new thread: StartAddress, 
            StartModule and StartFunction. Note that StartModule and StartFunction fields 
            are inferred, they might be empty if the starting address is outside loaded 
            modules or known exported functions.
            */
            SELECT EventTime, Computer,EventID
                --,Channel,Provider
                --,EventData.RuleName as RuleName
                --,EventData.UtcTime as UtcTime
                --,EventData.SourceProcessGuid as SourceProcessGuid
                ,EventData.SourceProcessId as SourceProcessId
                ,EventData.SourceImage as SourceImage
                ,EventData.SourceUser as SourceUser
                --,EventData.TargetProcessGuid as TargetProcessGuid
                ,EventData.TargetImage as TargetImage
                ,EventData.TargetUser as TargetUser
                ,EventData.NewThreadId as NewThreadId
                ,EventData.StartAddress as StartAddress
                ,EventData.StartModule as StartModule
                ,EventData.StartFunction as StartFunction
                --,EventData
                --,Message
            FROM source(artifact="Exchange.Windows.Triage.Sysmon")
            WHERE EventID = 8
     
      - type: vql_suggestion
        name: 10. ProcessAccess
        template: |          
            /*
            ## 10: ProcessAccess
            The process accessed event reports when a process opens another process, 
            an operation that’s often followed by information queries or reading 
            and writing the address space of the target process. This enables 
            detection of hacking tools that read the memory contents of processes 
            like Local Security Authority (Lsass.exe) in order to steal credentials 
            for use in Pass-the-Hash attacks. Enabling it can generate significant 
            amounts of logging if there are diagnostic utilities active that 
            repeatedly open processes to query their state, so it generally 
            should only be done so with filters that remove expected accesses.
            */
            SELECT EventTime, Computer,EventID
                --,Channel,Provider
                --,EventData.RuleName as RuleName
                --,EventData.UtcTime as UtcTime
                --,EventData.SourceProcessGuid as SourceProcessGuid
                ,EventData.SourceProcessId as SourceProcessId
                ,EventData.SourceThreadId as SourceThreadId
                ,EventData.SourceImage as SourceImage
                ,EventData.SourceUser as SourceUser
                --,EventData.TargetProcessGuid as TargetProcessGuid
                ,EventData.TargetProcessId as TargetProcessId
                ,EventData.TargetImage as TargetImage
                ,EventData.TargetUser as TargetUser
                ,EventData.GrantedAccess as GrantedAccess
                ,EventData.CallTrace as CallTrace
                --,EventData
                --,Message
            FROM source(artifact="Exchange.Windows.Triage.Sysmon")
            WHERE EventID = 10

      - type: vql_suggestion
        name: 11. FileCreate
        template: |             
            /*
            ## 11: FileCreate
            */
            SELECT EventTime, Computer,EventID
                --,Channel,Provider
                --,EventData.RuleName as RuleName
                --,EventData.UtcTime as UtcTime
                --,EventData.ProcessGuid as ProcessGuid
                ,EventData.ProcessId as ProcessId
                ,EventData.Image as Image
                ,EventData.User as User
                ,EventData.TargetFilename as TargetFilename
                ,EventData.CreationUtcTime as CreationUtcTime
                --,EventData
                --,Message
            FROM source(artifact="Exchange.Windows.Triage.Sysmon")
            WHERE EventID = 11

      - type: vql_suggestion
        name: 12 13 14. Registry events
        template: |                 
            /*
            ## 12, 13, 14: Registry
            */
            SELECT EventTime, Computer,EventID
                --,Channel,Provider
                --,EventData.RuleName as RuleName
                --,EventData.UtcTime as UtcTime
                --,EventData.ProcessGuid as ProcessGuid
                ,EventData.ProcessId as ProcessId
                ,EventData.Image as Image
                ,EventData.User as User
                ,EventData.EventType as EventType
                ,EventData.TargetObject as TargetObject
                ,EventData.Details as Details
                ,EventData.NewName as NewName
                --,EventData
                --,Message
            FROM source(artifact="Exchange.Windows.Triage.Sysmon")
            WHERE EventID in ( 12, 13, 14 )

      - type: vql_suggestion
        name: 15. FileCreateStreamHash
        template: | 
            /*
            ## 15: FileCreateStreamHash
            */
            SELECT EventTime, Computer,EventID
                --,Channel,Provider
                --,EventData.RuleName as RuleName
                --,EventData.UtcTime as UtcTime
                --,EventData.ProcessGuid as ProcessGuid
                ,EventData.ProcessId as ProcessId
                ,EventData.Image as Image
                ,EventData.User as User
                ,EventData.TargetFileName as TargetFileName
                ,EventData.CreationUtcTime as CreationUtcTime
                --,parse_string_with_regex(string=EventData.Hash, regex=["MD5=(?P<MD5>[^,]+)","SHA1=(?P<SHA1>[^,]+)","SHA256=(?P<SHA256>[^,]+)"] ) as Hash
                ,EventData.Hash as Hash
                --,EventData
                --,Message
            FROM source(artifact="Exchange.Windows.Triage.Sysmon")
            WHERE EventID = 15

      - type: vql_suggestion
        name: 17 18. Named Pipes
        template: | 
            /*
            ## 17, 18: Named Pipes
            17: Pipe created
            18: Pipe connected
            */
            SELECT EventTime, Computer,EventID
                --,Channel,Provider
                --,EventData.RuleName as RuleName
                --,EventData.UtcTime as UtcTime
                --,EventData.ProcessGuid as ProcessGuid
                ,EventData.ProcessId as ProcessId
                ,EventData.Image as Image
                ,EventData.User as User
                ,EventData.EventType as EventType
                ,EventData.PipeName as PipeName
                --,EventData
                --,Message
            FROM source(artifact="Exchange.Windows.Triage.Sysmon")
            WHERE EventID in ( 17,18 )
            
            
            /*
            
      - type: vql_suggestion
        name: 19 20 21. WMI Eventing
        template: |            
            ## 19,20,21: WMI Eventing
            19: WmiEventFilter activity detected.  
            20: WmiEventConsumer activity detected.  
            21: WmiEventConsumerToFilter activity detected.  
            
            Note: some fields for each event will be null.  
            Comment in and out relevant fields.
            */
            SELECT EventTime, Computer,EventID
                --,Channel,Provider
                --,EventData.RuleName as RuleName
                --,EventData.UtcTime as UtcTime
                --,EventData.ProcessGuid as ProcessGuid
                ,EventData.ProcessId as ProcessId
                ,EventData.Image as Image
                ,EventData.User as User
                ,EventData.EventType as EventType
                ,EventData.Operation as Operation
                ,EventData.EventNamespace as EventNamespace
                ,EventData.Name as Name
                ,EventData.Query as Query
                ,EventData.Type as Type
                ,EventData.Destination as Destination
                ,EventData.Consumer as Consumer
                ,EventData.Filter as Filter
                --,EventData
                --,Message
            FROM source(artifact="Exchange.Windows.Triage.Sysmon")
            WHERE EventID in ( 19,20,21 )

      - type: vql_suggestion
        name: 22. DNS event timeline
        template: |            
            /*
            ## 22: DNSEvent
            */
            SELECT EventTime, Computer,EventID
                --,Channel,Provider
                --,EventData.RuleName as RuleName
                --,EventData.UtcTime as UtcTime
                --,EventData.ProcessGuid as ProcessGuid
                ,EventData.ProcessId as ProcessId
                ,EventData.Image as Image
                ,EventData.User as User
                ,EventData.QueryName as QueryName
                ,EventData.QueryStatus as QueryStatus
                ,EventData.QueryResults as QueryResults
                --,Message
            FROM source(artifact="Exchange.Windows.Triage.Sysmon")
            WHERE EventID = 22

      - type: vql_suggestion
        name: 23. FileDelete
        template: |             
            /*
            ## 23: FileDelete
            */
            SELECT EventTime, Computer,EventID
                --,Channel,Provider
                --,EventData.RuleName as RuleName
                --,EventData.UtcTime as UtcTime
                --,EventData.ProcessGuid as ProcessGuid
                ,EventData.ProcessId as ProcessId
                ,EventData.Image as Image
                ,EventData.User as User
                ,EventData.TargetFilename as TargetFilename
                --,parse_string_with_regex(string=EventData.Hashes, regex=["MD5=(?P<MD5>[^,]+)","SHA1=(?P<SHA1>[^,]+)","SHA256=(?P<SHA256>[^,]+)"] ) as Hashes
                ,EventData.Hashes as Hashes
                ,EventData.Archived as Archived
                --,EventData
                --,Message
            FROM source(artifact="Exchange.Windows.Triage.Sysmon")
            WHERE EventID = 23

      - type: vql_suggestion
        name: 24. ClipboardChange
        template: |             
            /*
            ## 24: ClipboardChange
            */
            SELECT EventTime, Computer,EventID
                --,Channel,Provider
                --,EventData.RuleName as RuleName
                --,EventData.UtcTime as UtcTime
                --,EventData.ProcessGuid as ProcessGuid
                ,EventData.ProcessId as ProcessId
                ,EventData.Image as Image
                ,EventData.User as User
                ,EventData.Session as Session
                ,EventData.ClientInfo as ClientInfo
                --,parse_string_with_regex(string=EventData.Hashes, regex=["MD5=(?P<MD5>[^,]+)","SHA1=(?P<SHA1>[^,]+)","SHA256=(?P<SHA256>[^,]+)"] ) as Hashes
                ,EventData.Hashes as Hashes
                ,EventData.Archived as Archived
                --,EventData
                --,Message
            FROM source(artifact="Exchange.Windows.Triage.Sysmon")
            WHERE EventID = 24

      - type: vql_suggestion
        name: Timesketch format
        template: |                
            SELECT EventTime as datetime
                ,Computer,EventID
                --,Channel,Provider
                --,EventData.RuleName as RuleName
                --,EventData.UtcTime as UtcTime
                ,get(item=dict(
                    `1` = 'Process Create',
                    `2` = 'File creation time changed',
                    `3` = 'Network connection detected',
                    `4` = 'Sysmon service state changed',
                    `5` = 'Process terminated',
                    `6` = 'Driver loaded',
                    `7` = 'Image loaded',
                    `8` = 'CreateRemoteThread detected',
                    `9` = 'RawAccessRead detected',
                    `10` = 'Process accessed',
                    `11` = 'File created',
                    `12` = 'Registry object added or deleted',
                    `13` = 'Registry value set',
                    `14` = 'Registry object renamed',
                    `15` = 'File stream created',
                    `16` = 'Sysmon config state changed',
                    `17` = 'Pipe Created"',
                    `18` = 'Pipe Connected',
                    `19` = 'WmiEventFilter activity detected',
                    `20` = 'WmiEventConsumer activity detected',
                    `21` = 'WmiEventConsumerToFilter activity detected',
                    `22` = 'Dns query',
                    `23` = 'File Delete archived',
                    `24` = 'Clipboard changed',
                    `25` = 'Process Tampering',
                    `26` = 'File Delete logged',
                    `27` = 'File Block Executable',
                    `28` = 'File Block Shredding',
                    `255` = 'Error'),
                    member=str(str=EventID)) as timestamp_desc
                ,Message as message
                --,EventData
            FROM source(artifact="Exchange.Windows.Triage.Sysmon")