This artifact allows collecting Sysmon Events for Triage around a timestamp.
By default collection will be 600 seconds from the current time and allows fast triage of a machine with recent telemetry.
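name: Windows.Triage.Sysmon
# NOTE(review): the notebook cells below read source(artifact="Exchange.Windows.Triage.Sysmon");
# this assumes the Exchange. prefix is applied when the artifact is imported — confirm.
author: Matt Green - @mgreen27
description: |
  This artifact allows collecting Sysmon Events for Triage around a timestamp.
  By default collection will be 600 seconds from the current time and allows
  fast triage of a machine with recent telemetry.
type: CLIENT
parameters:
  - name: TargetTime
    description: the timestamp we want to box time around. Default is current time.
    type: timestamp
  - name: TargetTimeBox
    description: the time box in seconds we want around TargetTime.
    default: 600
    type: int
  - name: IdRegex
    description: Regex of Sysmon EventIDs to include. Default is all.
    default: .
  - name: IocRegex
    description: Regex of strings to search for in Sysmon events. Default is any.
    default: .
  - name: FilterRegex
    description: Regex of strings to filter out of results. Default is none.
sources:
  - precondition:
      SELECT OS FROM info() WHERE OS = 'windows'
    query: |
      -- Reference instant for the time box: the supplied TargetTime, or the
      -- current time when none was given. Evaluated once so that both bounds
      -- derive from the same instant and the window is exactly symmetric
      -- (previously now() was called separately for each bound).
      LET ReferenceEpoch <= if(condition=TargetTime,
            then=TargetTime.Unix, else=now())
      -- Boxed time bounds: ReferenceEpoch +/- TargetTimeBox seconds.
      -- assumes TargetTimeBox >= 0; a negative value would invert the window
      LET DateAfterTime <= timestamp(epoch=ReferenceEpoch - TargetTimeBox)
      LET DateBeforeTime <= timestamp(epoch=ReferenceEpoch + TargetTimeBox)
      -- Delegate parsing and filtering to the generic EVTX hunter, scoped to
      -- the Sysmon log files, the Sysmon channel and the boxed time range.
      -- FilterRegex is passed through as the hunter's WhitelistRegex.
      SELECT * FROM Artifact.Windows.EventLogs.EvtxHunter(
          EvtxGlob='''%SystemRoot%\System32\Winevt\Logs\*Sysmon*.evtx''',
          ChannelRegex='Sysmon',
          DateAfter=DateAfterTime,
          DateBefore=DateBeforeTime,
          IdRegex=IdRegex,
          IocRegex=IocRegex,
          WhitelistRegex=FilterRegex)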
notebook:
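- type: vql_suggestion
  name: 1. Process event timeline
  template: |
    /*
    ## 1: Process creation
    Comment in fields as needed. Every optional field keeps its leading
    comma so it can be enabled without editing the neighbouring lines.
    */
    SELECT EventTime, Computer,EventID
    --,Channel,Provider
    --,EventData.RuleName as RuleName
    --,EventData.UtcTime as UtcTime
    --,EventData.ProcessGuid as ProcessGuid
    ,EventData.ProcessId as ProcessId
    ,EventData.Image as Image
    ,EventData.OriginalFileName as OriginalFileName
    --,dict(FileVersion = EventData.FileVersion, Description = EventData.Description, Product = EventData.Product,Company = EventData.Company,OriginalFileName = EventData.OriginalFileName) as VersionInformation
    ,EventData.CommandLine as CommandLine
    --,EventData.CurrentDirectory as CurrentDirectory
    ,EventData.User as User
    --,EventData.LogonGuid as LogonGuid
    --,EventData.LogonId as LogonId
    --,EventData.TerminalSessionId as TerminalSessionId
    --,EventData.IntegrityLevel as IntegrityLevel
    --,parse_string_with_regex(string=EventData.Hashes, regex=["MD5=(?P<MD5>[^,]+)","SHA1=(?P<SHA1>[^,]+)","SHA256=(?P<SHA256>[^,]+)","IMPHASH=(?P<IMPHASH>[^,]+)"] ) as Hash
    --,EventData.ParentProcessGuid as ParentProcessGuid
    ,EventData.ParentProcessId as ParentProcessId
    ,EventData.ParentImage as ParentImage
    ,EventData.ParentCommandLine as ParentCommandLine
    --,EventData.ParentUser as ParentUser
    --,Message
    FROM source(artifact="Exchange.Windows.Triage.Sysmon")
    WHERE EventID = 1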
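- type: vql_suggestion
  name: 2 Change file time
  template: |
    /*
    ## 2: A process changed a file creation time
    The change file creation time event is registered when a file creation time is
    explicitly modified by a process. This event helps tracking the real creation
    time of a file. Attackers may change the file creation time of a backdoor to
    make it look like it was installed with the operating system. Note that many
    processes legitimately change the creation time of a file; it does not
    necessarily indicate malicious activity.
    Optional fields are commented out with their leading comma in place so they
    can be enabled without editing the neighbouring lines.
    */
    SELECT EventTime, Computer,EventID
    --,Channel,Provider
    --,EventData.RuleName as RuleName
    --,EventData.UtcTime as UtcTime
    --,EventData.ProcessGuid as ProcessGuid
    ,EventData.ProcessId as ProcessId
    ,EventData.Image as Image
    ,EventData.User as User
    ,EventData.TargetFilename as TargetFilename
    ,EventData.CreationUtcTime as CreationUtcTime
    ,EventData.PreviousCreationUtcTime as PreviousCreationUtcTime
    --,EventData
    --,Message
    FROM source(artifact="Exchange.Windows.Triage.Sysmon")
    WHERE EventID = 2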
- type: vql_suggestion
  name: 3. Network event timeline
  template: |
    /*
    ## 3. Network connection
    One row per Sysmon network connection event, with the source and
    destination endpoint fields listed side by side. Optional columns are
    commented out with a leading comma so they can simply be switched on.
    */
    SELECT EventTime, Computer, EventID
    --, Channel, Provider
    --, EventData.RuleName AS RuleName
    --, EventData.UtcTime AS UtcTime
    --, EventData.ProcessGuid AS ProcessGuid
    , EventData.ProcessId AS ProcessId
    , EventData.Image AS Image
    , EventData.User AS User
    , EventData.Protocol AS Protocol
    , EventData.Initiated AS Initiated
    , EventData.SourceIsIpv6 AS SourceIsIpv6
    , EventData.SourceIp AS SourceIp
    , EventData.SourceHostname AS SourceHostname
    , EventData.SourcePort AS SourcePort
    , EventData.SourcePortName AS SourcePortName
    , EventData.DestinationIsIpv6 AS DestinationIsIpv6
    , EventData.DestinationIp AS DestinationIp
    , EventData.DestinationHostname AS DestinationHostname
    , EventData.DestinationPort AS DestinationPort
    , EventData.DestinationPortName AS DestinationPortName
    --, Message
    FROM source(artifact="Exchange.Windows.Triage.Sysmon")
    WHERE EventID = 3
- type: vql_suggestion
  name: 8. CreateRemoteThread
  template: |
    /*
    ## 8: CreateRemoteThread
    The CreateRemoteThread event detects when a process creates a thread in another
    process. This technique is used by malware to inject code and hide in other
    processes. The event indicates the source and target process. It gives
    information on the code that will be run in the new thread: StartAddress,
    StartModule and StartFunction. Note that StartModule and StartFunction fields
    are inferred, they might be empty if the starting address is outside loaded
    modules or known exported functions.
    Source* columns describe the injecting process, Target* columns the
    process that received the thread. Optional columns are commented out
    with a leading comma so they can simply be switched on.
    */
    SELECT EventTime, Computer, EventID
    --, Channel, Provider
    --, EventData.RuleName AS RuleName
    --, EventData.UtcTime AS UtcTime
    --, EventData.SourceProcessGuid AS SourceProcessGuid
    , EventData.SourceProcessId AS SourceProcessId
    , EventData.SourceImage AS SourceImage
    , EventData.SourceUser AS SourceUser
    --, EventData.TargetProcessGuid AS TargetProcessGuid
    , EventData.TargetImage AS TargetImage
    , EventData.TargetUser AS TargetUser
    , EventData.NewThreadId AS NewThreadId
    , EventData.StartAddress AS StartAddress
    , EventData.StartModule AS StartModule
    , EventData.StartFunction AS StartFunction
    --, EventData
    --, Message
    FROM source(artifact="Exchange.Windows.Triage.Sysmon")
    WHERE EventID = 8
- type: vql_suggestion
  name: 10. ProcessAccess
  template: |
    /*
    ## 10: ProcessAccess
    The process accessed event reports when a process opens another process,
    an operation that's often followed by information queries or reading
    and writing the address space of the target process. This enables
    detection of hacking tools that read the memory contents of processes
    like Local Security Authority (Lsass.exe) in order to steal credentials
    for use in Pass-the-Hash attacks. Enabling it can generate significant
    amounts of logging if there are diagnostic utilities active that
    repeatedly open processes to query their state, so it generally
    should only be done so with filters that remove expected accesses.
    GrantedAccess and CallTrace are the fields most useful for separating
    expected tooling from suspicious access. Optional columns are commented
    out with a leading comma so they can simply be switched on.
    */
    SELECT EventTime, Computer, EventID
    --, Channel, Provider
    --, EventData.RuleName AS RuleName
    --, EventData.UtcTime AS UtcTime
    --, EventData.SourceProcessGuid AS SourceProcessGuid
    , EventData.SourceProcessId AS SourceProcessId
    , EventData.SourceThreadId AS SourceThreadId
    , EventData.SourceImage AS SourceImage
    , EventData.SourceUser AS SourceUser
    --, EventData.TargetProcessGuid AS TargetProcessGuid
    , EventData.TargetProcessId AS TargetProcessId
    , EventData.TargetImage AS TargetImage
    , EventData.TargetUser AS TargetUser
    , EventData.GrantedAccess AS GrantedAccess
    , EventData.CallTrace AS CallTrace
    --, EventData
    --, Message
    FROM source(artifact="Exchange.Windows.Triage.Sysmon")
    WHERE EventID = 10
- type: vql_suggestion
  name: 11. FileCreate
  template: |
    /*
    ## 11: FileCreate
    One row per file creation event: the creating process, the user it ran
    as, the created path and the recorded creation time. Optional columns
    are commented out with a leading comma so they can simply be switched on.
    */
    SELECT EventTime, Computer, EventID
    --, Channel, Provider
    --, EventData.RuleName AS RuleName
    --, EventData.UtcTime AS UtcTime
    --, EventData.ProcessGuid AS ProcessGuid
    , EventData.ProcessId AS ProcessId
    , EventData.Image AS Image
    , EventData.User AS User
    , EventData.TargetFilename AS TargetFilename
    , EventData.CreationUtcTime AS CreationUtcTime
    --, EventData
    --, Message
    FROM source(artifact="Exchange.Windows.Triage.Sysmon")
    WHERE EventID = 11
- type: vql_suggestion
  name: 12 13 14. Registry events
  template: |
    /*
    ## 12, 13, 14: Registry
    Registry add/delete (12), value set (13) and rename (14) events in one
    timeline; EventType distinguishes them and NewName is only populated
    for renames. Optional columns are commented out with a leading comma
    so they can simply be switched on.
    */
    SELECT EventTime, Computer, EventID
    --, Channel, Provider
    --, EventData.RuleName AS RuleName
    --, EventData.UtcTime AS UtcTime
    --, EventData.ProcessGuid AS ProcessGuid
    , EventData.ProcessId AS ProcessId
    , EventData.Image AS Image
    , EventData.User AS User
    , EventData.EventType AS EventType
    , EventData.TargetObject AS TargetObject
    , EventData.Details AS Details
    , EventData.NewName AS NewName
    --, EventData
    --, Message
    FROM source(artifact="Exchange.Windows.Triage.Sysmon")
    WHERE EventID IN (12, 13, 14)
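- type: vql_suggestion
  name: 15. FileCreateStreamHash
  template: |
    /*
    ## 15: FileCreateStreamHash
    The target path is read from EventData.TargetFilename, matching the
    spelling used by the other file events in this notebook (2, 11, 23);
    the earlier TargetFileName is a different key and, if lookups are
    case-sensitive, produced an empty column.
    Optional fields are commented out with their leading comma in place so
    they can be enabled without editing the neighbouring lines.
    */
    SELECT EventTime, Computer,EventID
    --,Channel,Provider
    --,EventData.RuleName as RuleName
    --,EventData.UtcTime as UtcTime
    --,EventData.ProcessGuid as ProcessGuid
    ,EventData.ProcessId as ProcessId
    ,EventData.Image as Image
    ,EventData.User as User
    ,EventData.TargetFilename as TargetFilename
    ,EventData.CreationUtcTime as CreationUtcTime
    --,parse_string_with_regex(string=EventData.Hash, regex=["MD5=(?P<MD5>[^,]+)","SHA1=(?P<SHA1>[^,]+)","SHA256=(?P<SHA256>[^,]+)"] ) as Hash
    ,EventData.Hash as Hash
    --,EventData
    --,Message
    FROM source(artifact="Exchange.Windows.Triage.Sysmon")
    WHERE EventID = 15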
- type: vql_suggestion
  name: 17 18. Named Pipes
  template: |
    /*
    ## 17, 18: Named Pipes
    17: Pipe created
    18: Pipe connected
    Both event types share one timeline; EventType tells them apart.
    Optional columns are commented out with a leading comma so they can
    simply be switched on.
    */
    SELECT EventTime, Computer, EventID
    --, Channel, Provider
    --, EventData.RuleName AS RuleName
    --, EventData.UtcTime AS UtcTime
    --, EventData.ProcessGuid AS ProcessGuid
    , EventData.ProcessId AS ProcessId
    , EventData.Image AS Image
    , EventData.User AS User
    , EventData.EventType AS EventType
    , EventData.PipeName AS PipeName
    --, EventData
    --, Message
    FROM source(artifact="Exchange.Windows.Triage.Sysmon")
    WHERE EventID IN (17, 18)
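- type: vql_suggestion
  name: 19 20 21. WMI Eventing
  template: |
    /*
    ## 19,20,21: WMI Eventing
    19: WmiEventFilter activity detected.
    20: WmiEventConsumer activity detected.
    21: WmiEventConsumerToFilter activity detected.
    Note: some fields for each event will be null.
    Comment in and out relevant fields.
    */
    SELECT EventTime, Computer,EventID
    --,Channel,Provider
    --,EventData.RuleName as RuleName
    --,EventData.UtcTime as UtcTime
    --,EventData.ProcessGuid as ProcessGuid
    ,EventData.ProcessId as ProcessId
    ,EventData.Image as Image
    ,EventData.User as User
    ,EventData.EventType as EventType
    ,EventData.Operation as Operation
    ,EventData.EventNamespace as EventNamespace
    ,EventData.Name as Name
    ,EventData.Query as Query
    ,EventData.Type as Type
    ,EventData.Destination as Destination
    ,EventData.Consumer as Consumer
    ,EventData.Filter as Filter
    --,EventData
    --,Message
    FROM source(artifact="Exchange.Windows.Triage.Sysmon")
    WHERE EventID in ( 19,20,21 )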
- type: vql_suggestion
  name: 22. DNS event timeline
  template: |
    /*
    ## 22: DNSEvent
    One row per DNS query event: the querying process, the name asked for,
    the status and the returned results. Optional columns are commented
    out with a leading comma so they can simply be switched on.
    */
    SELECT EventTime, Computer, EventID
    --, Channel, Provider
    --, EventData.RuleName AS RuleName
    --, EventData.UtcTime AS UtcTime
    --, EventData.ProcessGuid AS ProcessGuid
    , EventData.ProcessId AS ProcessId
    , EventData.Image AS Image
    , EventData.User AS User
    , EventData.QueryName AS QueryName
    , EventData.QueryStatus AS QueryStatus
    , EventData.QueryResults AS QueryResults
    --, Message
    FROM source(artifact="Exchange.Windows.Triage.Sysmon")
    WHERE EventID = 22
- type: vql_suggestion
  name: 23. FileDelete
  template: |
    /*
    ## 23: FileDelete
    One row per file delete event, including the recorded hashes and whether
    Sysmon archived a copy of the file. Optional columns are commented out
    with a leading comma so they can simply be switched on.
    */
    SELECT EventTime, Computer, EventID
    --, Channel, Provider
    --, EventData.RuleName AS RuleName
    --, EventData.UtcTime AS UtcTime
    --, EventData.ProcessGuid AS ProcessGuid
    , EventData.ProcessId AS ProcessId
    , EventData.Image AS Image
    , EventData.User AS User
    , EventData.TargetFilename AS TargetFilename
    --, parse_string_with_regex(string=EventData.Hashes, regex=["MD5=(?P<MD5>[^,]+)","SHA1=(?P<SHA1>[^,]+)","SHA256=(?P<SHA256>[^,]+)"] ) AS Hashes
    , EventData.Hashes AS Hashes
    , EventData.Archived AS Archived
    --, EventData
    --, Message
    FROM source(artifact="Exchange.Windows.Triage.Sysmon")
    WHERE EventID = 23
- type: vql_suggestion
  name: 24. ClipboardChange
  template: |
    /*
    ## 24: ClipboardChange
    One row per clipboard change event, with the session and client
    information plus the hashes of the captured content. Optional columns
    are commented out with a leading comma so they can simply be switched on.
    */
    SELECT EventTime, Computer, EventID
    --, Channel, Provider
    --, EventData.RuleName AS RuleName
    --, EventData.UtcTime AS UtcTime
    --, EventData.ProcessGuid AS ProcessGuid
    , EventData.ProcessId AS ProcessId
    , EventData.Image AS Image
    , EventData.User AS User
    , EventData.Session AS Session
    , EventData.ClientInfo AS ClientInfo
    --, parse_string_with_regex(string=EventData.Hashes, regex=["MD5=(?P<MD5>[^,]+)","SHA1=(?P<SHA1>[^,]+)","SHA256=(?P<SHA256>[^,]+)"] ) AS Hashes
    , EventData.Hashes AS Hashes
    , EventData.Archived AS Archived
    --, EventData
    --, Message
    FROM source(artifact="Exchange.Windows.Triage.Sysmon")
    WHERE EventID = 24
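- type: vql_suggestion
  name: Timesketch format
  template: |
    /*
    Flatten the collected events into the three columns the cell name
    implies Timesketch expects: datetime, timestamp_desc and message.
    timestamp_desc is looked up from the Sysmon EventID; IDs missing from
    the table fall back to a fixed label instead of NULL so the row still
    imports. The label for 17 previously carried a stray double quote.
    */
    SELECT EventTime as datetime
    ,Computer,EventID
    --,Channel,Provider
    --,EventData.RuleName as RuleName
    --,EventData.UtcTime as UtcTime
    ,get(item=dict(
        `1` = 'Process Create',
        `2` = 'File creation time changed',
        `3` = 'Network connection detected',
        `4` = 'Sysmon service state changed',
        `5` = 'Process terminated',
        `6` = 'Driver loaded',
        `7` = 'Image loaded',
        `8` = 'CreateRemoteThread detected',
        `9` = 'RawAccessRead detected',
        `10` = 'Process accessed',
        `11` = 'File created',
        `12` = 'Registry object added or deleted',
        `13` = 'Registry value set',
        `14` = 'Registry object renamed',
        `15` = 'File stream created',
        `16` = 'Sysmon config state changed',
        `17` = 'Pipe Created',
        `18` = 'Pipe Connected',
        `19` = 'WmiEventFilter activity detected',
        `20` = 'WmiEventConsumer activity detected',
        `21` = 'WmiEventConsumerToFilter activity detected',
        `22` = 'Dns query',
        `23` = 'File Delete archived',
        `24` = 'Clipboard changed',
        `25` = 'Process Tampering',
        `26` = 'File Delete logged',
        `27` = 'File Block Executable',
        `28` = 'File Block Shredding',
        `29` = 'File Executable Detected',
        `255` = 'Error'),
      member=str(str=EventID),
      default='Unknown Sysmon event') as timestamp_desc
    ,Message as message
    --,EventData
    FROM source(artifact="Exchange.Windows.Triage.Sysmon")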