Sysmon and Splunk Advanced Threat Detection

This document outlines a project focused on deploying Sysmon for monitoring system activity to enhance threat detection and operational insights. It details the installation, configuration, and analysis of Sysmon event logs, particularly emphasizing the importance of specific event IDs related to process creation, network connections, and file modifications. The project concludes with recommendations for improving network monitoring, file integrity, endpoint visibility, and user education to strengthen overall cybersecurity defenses.

Uploaded by

mona gamoudi

Monitoring and Analyzing System Activity with Sysmon for Threat Detection and Operational Insights

Introduction

In today’s cybersecurity landscape, having visibility into system-level activity is critical for
detecting threats and ensuring operational integrity. This project focuses on deploying and
utilizing Sysmon (System Monitor) to capture detailed information about system events such as
process creation, file modification, network connections, and registry changes.

The goals of this project are to:

• Showcase the capabilities of Sysmon for endpoint monitoring.
• Demonstrate practical analysis of key system events.
• Provide recommendations for improving threat detection and response strategies.

Project Phases and Key Insights

Phase 1: Installing and Configuring Sysmon

1. Purpose: To set up Sysmon on the host machine for detailed event logging.
2. Configuration File: A Sysmon configuration file tailored for monitoring critical events is applied.
   This file determines which activities Sysmon logs, such as process creation, file integrity checks,
   and network activity.

Key Insight:
A properly configured Sysmon provides high-fidelity data while minimizing noise, making it a powerful tool
for threat hunting.
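
As an added illustration of this insight (example code, not part of the project), the Python script below audits a constructed Sysmon configuration for the event types this project relies on. It applies two rules from the Sysmon documentation: an include section with no filters logs nothing for that event type, and an exclude section with no filters logs everything, which is the usual source of noise. The configuration text, its schemaversion value and the filter values are constructed samples, not the project's file.

```python
import xml.etree.ElementTree as ET

# Constructed sample Sysmon configuration (not the project's file). Element and
# attribute names follow the Sysmon schema; the filter values are illustrative.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\\Windows\\System32\\svchost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="end with">powershell.exe</Image>
        <DestinationPort condition="is">4444</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename condition="begin with">C:\\Windows\\System32\\</TargetFilename>
      </FileCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileCreateTime onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

# Filter sections to audit, with the Sysmon event ID each one controls.
EVENT_TYPES = {
    "ProcessCreate": 1,    # Event ID 1
    "FileCreateTime": 2,   # Event ID 2 (file creation time changed)
    "NetworkConnect": 3,   # Event ID 3
    "FileCreate": 11,      # Event ID 11
}


def audit_config(xml_text):
    """Return {section: (event_id, verdict)} for every entry in EVENT_TYPES.

    Sysmon semantics: an onmatch="include" section with no rules logs nothing for
    that event type, while an onmatch="exclude" section with no rules logs every
    event of that type, which is where most of the noise comes from.
    """
    root = ET.fromstring(xml_text)
    filtering = root.find("EventFiltering")
    verdicts = {}
    for section in (filtering.iter() if filtering is not None else []):
        if section.tag not in EVENT_TYPES:
            continue
        onmatch = section.get("onmatch", "").lower()
        n_rules = len(list(section))  # each child is a field filter or a <Rule> group
        if onmatch == "include":
            verdict = ("include with no rules: logs nothing" if n_rules == 0
                       else f"include with {n_rules} rule(s): logs only matches")
        elif onmatch == "exclude":
            verdict = ("exclude with no rules: logs everything (noise risk)" if n_rules == 0
                       else f"exclude with {n_rules} rule(s): logs everything except matches")
        else:
            verdict = f"unrecognised onmatch value {onmatch!r}"
        verdicts[section.tag] = (EVENT_TYPES[section.tag], verdict)
    # Event types with no section at all are reported so the reviewer checks them.
    for tag, event_id in EVENT_TYPES.items():
        verdicts.setdefault(tag, (event_id, "no filter section"))
    return verdicts


if __name__ == "__main__":
    for tag, (event_id, verdict) in sorted(audit_config(SAMPLE_CONFIG).items(),
                                           key=lambda kv: kv[1][0]):
        print(f"Event ID {event_id:>2} {tag:<15} {verdict}")
```

Run against a real configuration, the "exclude with no rules" verdict on a high-volume type such as NetworkConnect is the first thing to fix before the logs reach a SIEM.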

Phase 2: Analyzing Key Sysmon Events

Sysmon generates detailed event logs that offer a wealth of information for identifying
suspicious activities, uncovering vulnerabilities, and fortifying system defenses. Let’s dive into
the critical Sysmon Event IDs captured in this project and what they signify.

Event ID 1: Process Creation

Description:
This event is logged whenever a new process is created on the system. It includes details such as:

• Process name and path
• Parent process
• Command-line arguments
• User account under which the process was executed

Why It’s Important:

• This is one of the most valuable event types for detecting malicious activity.
• Malicious software (e.g., ransomware, trojans) often creates processes to execute payloads or
  establish persistence.
• Command-line arguments can reveal intent, such as PowerShell scripts used for data exfiltration
  or privilege escalation.

Potential Vulnerabilities:

1. Living off the Land Binaries (LOLBins):
   Attackers may abuse legitimate binaries like PowerShell, cmd.exe, or mshta.exe to perform
   malicious actions.
2. Parent-Child Process Relationship:
   An unusual parent-child process relationship (e.g., Microsoft Word's WINWORD.EXE launching cmd.exe)
   might indicate malware activity.

Mitigation Strategy:

• Monitor for processes with uncommon or suspicious command-line arguments.
• Create alerts for specific parent-child process relationships indicative of malicious activity.
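
The two checks in this mitigation strategy, as an added Python example that is not part of the project: the records are constructed Sysmon Event ID 1 samples using Sysmon's own field names (Image, ParentImage, CommandLine, User), and the LOLBin list, the office-application list and the command-line patterns are assumptions for the example that a team would tune to its own environment.

```python
import re

# Constructed Sysmon Event ID 1 records (not data from the project). Field names
# are Sysmon's own; the values are illustrative.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "whoami"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc UGxhY2Vob2xkZXI=",  # base64 of "Placeholder"
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\bob\AppData\Local\Temp\update.hta",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\bob"},
]

# Binaries the page names as LOLBins, plus a few common script hosts (assumed list).
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Command-line patterns that hide or obfuscate a PowerShell payload (assumed list).
PS_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{8,}",  # encoded command
    r"-w(indowstyle)?\s+hidden",                  # hidden window
    r"-nop(rofile)?\b",                           # skip profile
    r"bypass",                                    # execution policy bypass
    r"downloadstring",                            # in-memory download
    r"\biex\b",                                   # Invoke-Expression alias
)]
# Path fragments that identify user-writable locations.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def assess(event):
    """Return the list of reasons this Event ID 1 record deserves a look."""
    child = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmdline = event.get("CommandLine", "")
    reasons = []
    # Check 2 from the page: an office application spawning a shell or script host.
    if parent in OFFICE_APPS and child in LOLBINS:
        reasons.append(f"office application spawned {child}")
    # Check 1 from the page: suspicious command-line arguments.
    if child in {"powershell.exe", "pwsh.exe"} and any(p.search(cmdline) for p in PS_PATTERNS):
        reasons.append("encoded or hidden PowerShell invocation")
    if child in LOLBINS and any(marker in cmdline.lower() for marker in USER_WRITABLE):
        reasons.append(f"{child} given a script or payload from a user-writable location")
    return reasons


def triage(events):
    """Map record index -> reasons, keeping only records with at least one reason."""
    flagged = {}
    for i, event in enumerate(events):
        reasons = assess(event)
        if reasons:
            flagged[i] = reasons
    return flagged


if __name__ == "__main__":
    for i, reasons in triage(EVENTS).items():
        print(f"[{i}] {EVENTS[i]['User']}  {EVENTS[i]['CommandLine']}")
        for reason in reasons:
            print("     -", reason)
```

The svchost.exe record is the control: a service host started by services.exe trips none of the checks, which is what keeps the rule from paging on every boot.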

Event ID 3: Network Connections

Description:
This event logs outgoing TCP/UDP network connections initiated by the host. It includes:

• Source and destination IP addresses
• Port numbers
• Process responsible for the connection

Why It’s Important:

• It helps detect unauthorized or suspicious outbound traffic.
• Attackers often establish Command and Control (C2) connections to exfiltrate data or execute
  remote commands.
• This event can also reveal lateral movement within a network.

Potential Vulnerabilities:

1. Untrusted Destinations:
   Connections to unknown or blacklisted IP addresses could indicate data exfiltration or malware
   calling home.
2. Open Ports:
   Unnecessary open ports can serve as entry points for attackers.

Mitigation Strategy:

• Analyze traffic to unknown destinations and cross-reference with threat intelligence feeds.
• Monitor for connections to unusual ports or countries.
• Implement network segmentation and enforce firewall rules to restrict outbound traffic.
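
An added example (not the project's code) that applies the mitigation strategy above to constructed Sysmon Event ID 3 records. It filters on Sysmon's Initiated field, because Event ID 3 also records accepted inbound connections with Initiated=false; the internal address ranges, the watch-list ports and the fan-out threshold are assumptions for the example, and the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for external addresses.

```python
import ipaddress
from collections import defaultdict

# Address ranges treated as "internal" (an assumption for this example; adjust to the
# organisation's own allocations): RFC 1918, loopback, link-local and their IPv6 peers.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7",
)]
# Script hosts and shells whose outbound traffic deserves scrutiny (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
WATCH_PORTS = {4444, 1337}   # 4444 is the port the page names; 1337 is an added assumption
FANOUT_THRESHOLD = 3         # distinct external destinations per process before flagging

# Constructed Sysmon Event ID 3 records (not data from the project).
EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true", "Protocol": "udp",
     "DestinationIp": "10.0.0.5", "DestinationPort": "53"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "Initiated": "true",
     "Protocol": "tcp", "DestinationIp": "203.0.113.5", "DestinationPort": "443"},
    {"Image": r"C:\Windows\System32\cmd.exe", "Initiated": "true", "Protocol": "tcp",
     "DestinationIp": "198.51.100.7", "DestinationPort": "4444"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "Initiated": "true",
     "Protocol": "tcp", "DestinationIp": "203.0.113.9", "DestinationPort": "443"},
    {"Image": r"C:\Windows\System32\svchost.exe", "Initiated": "false", "Protocol": "tcp",
     "DestinationIp": "192.168.1.20", "DestinationPort": "49152"},   # inbound, skipped
] + [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "Initiated": "true",
     "Protocol": "tcp", "DestinationIp": f"203.0.113.{n}", "DestinationPort": "443"}
    for n in (10, 11, 12)
]


def is_external(ip_text):
    """True when the address is outside every configured internal range."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def analyze(events):
    """Return per-event reasons and per-process external fan-out counts."""
    reasons = {}
    external_dests = defaultdict(set)
    for i, ev in enumerate(events):
        # Only Initiated="true" records are connections this host opened.
        if ev.get("Initiated", "").lower() != "true":
            continue
        proc = ev["Image"].rsplit("\\", 1)[-1].lower()
        port = int(ev["DestinationPort"])
        external = is_external(ev["DestinationIp"])
        found = []
        if external:
            external_dests[proc].add(ev["DestinationIp"])
        if external and proc in SCRIPT_HOSTS:
            found.append(f"script host {proc} reached external address {ev['DestinationIp']}")
        if port in WATCH_PORTS:
            found.append(f"connection to watch-list port {port}")
        if found:
            reasons[i] = found
    # A script host talking to many distinct external hosts is the page's
    # "excessive open connections" pattern; browsers are expected to fan out.
    fanout = {proc: len(ips) for proc, ips in external_dests.items()
              if proc in SCRIPT_HOSTS and len(ips) >= FANOUT_THRESHOLD}
    return {"events": reasons, "fanout": fanout}


if __name__ == "__main__":
    result = analyze(EVENTS)
    for i, found in result["events"].items():
        print(f"[{i}]", "; ".join(found))
    for proc, n in result["fanout"].items():
        print(f"{proc}: {n} distinct external destinations")
```

Threat-intelligence cross-referencing, the first bullet above, slots in where is_external is computed: a destination on a feed's deny list would simply add one more reason.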

Event ID 11: File Creation Time

Description:
This event logs changes to file creation timestamps, which are often manipulated by attackers to
cover their tracks. It includes:

• File path
• Timestamps
• User or process responsible for the change

Why It’s Important:

• Attackers might modify file timestamps to align malicious files with legitimate ones, making
  them harder to detect.
• File creation events can also indicate unauthorized file operations, such as dropping malicious
  executables or altering system files.

Potential Vulnerabilities:

1. Tampered Timestamps:
   Attackers may backdate files to avoid detection during forensic investigations.
2. Unauthorized File Changes:
   Malicious scripts or processes might drop payloads disguised as system files.

Mitigation Strategy:

• Monitor critical directories for unusual file creation activity (e.g., System32, temp folders).
• Combine file monitoring with process creation logs (Event ID 1) to correlate file changes with
  suspicious processes.

General Vulnerabilities in Sysmon Implementation

While Sysmon is a powerful tool, its efficacy depends on how it is configured and monitored.
Here are some potential flaws:

1. Noise and Overhead:
   o Poorly configured Sysmon rules can generate excessive noise, leading to alert fatigue
     and missed detections.
2. Log Tampering:
   o If attackers gain administrative access, they can disable Sysmon or manipulate logs.
3. Lack of Context:
   o Sysmon alone does not provide context for every event. It works best when integrated
     with a SIEM or EDR solution for correlation.

Connecting These Events

Together, these events form a detailed picture of system activity:

• Event ID 1 tells you what was executed and how.
• Event ID 3 shows where the system is communicating.
• Event ID 11 reveals what files were altered.

By correlating these logs, you can detect sophisticated attack techniques like lateral movement,
privilege escalation, and data exfiltration.
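
This correlation, and the Event ID 11 mitigation strategy above that combines file monitoring with Event ID 1, as one added Python example (not the project's code). Records from the three event types are joined on ProcessGuid, which Sysmon writes into every event a process generates. In Sysmon's own event catalogue Event ID 11 is FileCreate and its record carries the new file's CreationUtcTime, while a changed creation timestamp is reported separately as Event ID 2; the backdating check below therefore compares the CreationUtcTime on an Event ID 11 record with the event's own UtcTime. The sample records, the sensitive-directory list, the crude internal-address prefixes and the one-day backdating limit are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Heuristics for this example (assumptions, not taken from the page).
SENSITIVE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\temp\\", "\\appdata\\local\\temp\\")
INTERNAL_PREFIXES = ("10.", "192.168.", "127.", "172.16.")   # crude RFC 1918 check for the sample
BACKDATE_LIMIT = timedelta(days=1)   # creation time older than this vs. the event time is odd
SUSPECT_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}


def ts(text):
    """Sysmon writes UtcTime and CreationUtcTime as 'YYYY-MM-DD HH:MM:SS.mmm'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


# Constructed Sysmon records (not data from the project). Each carries its EventID;
# events from the same process share a ProcessGuid.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"EventID": 1, "UtcTime": "2024-05-01 12:00:00.000", "ProcessGuid": "{A}", "Image": PS,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc UGxhY2Vob2xkZXI="},
    {"EventID": 3, "UtcTime": "2024-05-01 12:00:05.000", "ProcessGuid": "{A}", "Image": PS,
     "DestinationIp": "203.0.113.5", "DestinationPort": "443"},
    {"EventID": 11, "UtcTime": "2024-05-01 12:00:07.000", "ProcessGuid": "{A}", "Image": PS,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CreationUtcTime": "2019-03-04 08:15:00.000"},   # years older than the event itself
    {"EventID": 11, "UtcTime": "2024-05-01 12:00:09.000", "ProcessGuid": "{A}", "Image": PS,
     "TargetFilename": r"C:\Windows\System32\update.dll",
     "CreationUtcTime": "2024-05-01 12:00:09.000"},
    {"EventID": 1, "UtcTime": "2024-05-01 11:58:00.000", "ProcessGuid": "{B}",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 11, "UtcTime": "2024-05-01 12:01:00.000", "ProcessGuid": "{B}",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\ProgramData\Logs\app.log",
     "CreationUtcTime": "2024-05-01 12:01:00.000"},
    {"EventID": 3, "UtcTime": "2024-05-01 12:02:00.000", "ProcessGuid": "{C}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "DestinationIp": "10.0.0.8", "DestinationPort": "445"},
]


def correlate(events):
    """Group Event ID 1/3/11 records by ProcessGuid and derive findings per process."""
    procs = defaultdict(lambda: {"image": None, "parent": None, "process_create_seen": False,
                                 "connections": [], "files": [], "findings": []})
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        p = procs[ev["ProcessGuid"]]
        p["image"] = p["image"] or ev["Image"].rsplit("\\", 1)[-1].lower()
        if ev["EventID"] == 1:                      # what was executed and how
            p["process_create_seen"] = True
            p["parent"] = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
            if p["parent"] in SUSPECT_PARENTS:
                p["findings"].append(f"started by office application {p['parent']}")
        elif ev["EventID"] == 3:                    # where it communicated
            dest = f"{ev['DestinationIp']}:{ev['DestinationPort']}"
            p["connections"].append(dest)
            if not ev["DestinationIp"].startswith(INTERNAL_PREFIXES):
                p["findings"].append(f"external connection to {dest}")
        elif ev["EventID"] == 11:                   # what files it created
            path = ev["TargetFilename"]
            p["files"].append(path)
            if any(d in path.lower() for d in SENSITIVE_DIRS):
                p["findings"].append(f"file created in sensitive directory: {path}")
            age = ts(ev["UtcTime"]) - ts(ev["CreationUtcTime"])
            if age > BACKDATE_LIMIT:
                p["findings"].append(f"creation time {age.days} days older than the event: {path}")
    for p in procs.values():
        if not p["process_create_seen"]:
            p["findings"].append("no Event ID 1 for this ProcessGuid (started before Sysmon, or a log gap)")
    return dict(procs)


if __name__ == "__main__":
    for guid, p in correlate(EVENTS).items():
        print(f"{guid} {p['image']} (parent: {p['parent']})")
        for f in p["findings"]:
            print("   -", f)
```

The third process has only a network event, which is the "lack of context" flaw above in miniature: without its Event ID 1 the command line and parent are unknown, so the report says so rather than silently scoring it as benign.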

Phase 3: Analyzing Sysmon Logs with Splunk

For this phase, I focused on analyzing Sysmon Event ID 3 (Network Connections) and Event
ID 11 (File Creation Time) in Splunk. These event types were chosen due to their importance in
identifying potentially malicious activity related to unauthorized network connections and file
operations.

The number of events generated was manageable, so I concentrated on meaningful queries rather
than creating dashboards. Instead, the insights were drawn directly from the analysis,
demonstrating how Sysmon logs can be effectively used for threat detection and forensic
investigation.

Event ID 3: Network Connections

Description:
Event ID 3 captures all outbound network connections initiated by the host. This event is critical
for identifying abnormal communications that may signify:

• Malware attempting to establish a connection to a Command and Control (C2) server.
• Unauthorized data exfiltration.
• Unusual internal communications, potentially indicating lateral movement by attackers.

Splunk Query:
To identify suspicious network activity, the following query was used:

index=sysmon_logs sourcetype=sysmon EventID=3 | stats count by dest_ip, dest_port, process_name

Key Insights:

1. Destination IP Analysis:
   o Connections to unfamiliar or external IPs, especially those in regions where legitimate
     business operations do not exist, were flagged for review.
2. Port Analysis:
   o Uncommon ports or services, such as port 4444 (often associated with reverse shells),
     were highlighted as potential threats.
3. Process Associations:
   o A deeper look at processes initiating network connections (e.g., powershell.exe or
     cmd.exe) provided critical context for identifying possible misuse of legitimate system
     tools (LOLBins).

Flaws or Vulnerabilities Detected:

• Excessive Open Connections: Processes opening multiple connections to unknown IPs could be
  indicative of malware.
• Unusual Ports: Ports not typically used by business applications might be exploited by attackers.

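
The queries in this phase use the field names dest_ip, dest_port, process_name, file_path and user, whereas Sysmon itself writes DestinationIp, DestinationPort, Image, TargetFilename and User into the event's EventData; the aliases are assumed here to be the ones the Splunk Sysmon add-on extracts. The added Python example below (not the project's code) parses constructed Sysmon events in Windows event-log XML form, applies that mapping, and reproduces the stats count by aggregation of the two queries so the same result can be checked offline.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sysmon field name -> alias used in the page's queries. The left-hand names are
# Sysmon's own; the aliases are assumed to match what the Splunk add-on extracts.
FIELD_MAP = {
    3: {"DestinationIp": "dest_ip", "DestinationPort": "dest_port", "Image": "process_name"},
    11: {"TargetFilename": "file_path", "User": "user", "Image": "process_name"},
}


def make_event(event_id, **data):
    """Build a constructed Sysmon event in Windows event-log XML form (sample input only)."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID></System><EventData>{rows}</EventData></Event>')


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [   # constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    make_event(3, Image=PS, DestinationIp="203.0.113.5", DestinationPort="443"),
    make_event(3, Image=PS, DestinationIp="203.0.113.5", DestinationPort="443"),
    make_event(3, Image=r"C:\Windows\System32\cmd.exe", DestinationIp="198.51.100.7", DestinationPort="4444"),
    make_event(3, Image=r"C:\Windows\System32\svchost.exe", DestinationIp="10.0.0.5", DestinationPort="53"),
    make_event(11, Image=PS, User=r"CORP\alice",
               TargetFilename=r"C:\Users\alice\AppData\Local\Temp\update.exe"),
]


def parse_event(xml_text):
    """Parse one Sysmon event and return its aliased fields plus EventID."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    record = {"EventID": event_id}
    for sysmon_name, alias in FIELD_MAP.get(event_id, {}).items():
        value = data.get(sysmon_name)
        if alias == "process_name" and value:
            value = value.rsplit("\\", 1)[-1]   # process_name is the file name, not the full Image path
        record[alias] = value
    return record


def stats_count_by(records, *fields):
    """Equivalent of `| stats count by field1, field2, ...`, most frequent first."""
    counts = Counter(tuple(r.get(f) for f in fields) for r in records)
    return sorted(counts.items(), key=lambda kv: (-kv[1], tuple(str(x) for x in kv[0])))


def run_query(xml_events, event_id, *fields):
    """Filter on EventID and aggregate, mirroring `EventID=N | stats count by ...`."""
    records = [parse_event(x) for x in xml_events]
    return stats_count_by([r for r in records if r["EventID"] == event_id], *fields)


if __name__ == "__main__":
    for key, count in run_query(SAMPLE_EVENTS, 3, "dest_ip", "dest_port", "process_name"):
        print(count, *key)
    for key, count in run_query(SAMPLE_EVENTS, 11, "file_path", "user", "process_name"):
        print(count, *key)
```

If the aliases are missing in a given Splunk deployment the same query can be written against the raw names (DestinationIp, DestinationPort, Image); the mapping above is the only part that changes.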
Event ID 11: File Creation Time

Description:
Event ID 11 monitors changes to file creation timestamps. This is essential for detecting
suspicious file modifications or creations, especially in critical system directories or temporary
folders where attackers often drop payloads.

Splunk Query:
To track file creation events, the following query was used:

index=sysmon_logs sourcetype=sysmon EventID=11 | stats count by file_path, user, process_name

Key Insights:

1. File Path Analysis:
   o Newly created files in sensitive locations like C:\Windows\System32 or
     C:\Users\<username>\AppData\Temp were flagged for investigation.
2. User Context:
   o Understanding which user account created or modified the files provided insight into
     whether the activity was authorized or suspicious.
3. Process Analysis:
   o Processes like powershell.exe or wscript.exe associated with file creation were
     investigated further, as these are commonly used in malicious scripts.

Flaws or Vulnerabilities Detected:

• Unauthorized File Changes: Malicious payloads disguised as legitimate files were identified
  based on unusual file names or locations.
• Backdating of Files: Timestamp manipulation to hide malicious files was observed as a tactic to
  evade detection.

Phase 4: Deriving Actionable Insights

The analysis of Event IDs 3 and 11 led to valuable insights into system behavior:

1. Behavioral Patterns:
   o Normal patterns of network connections and file operations were identified to establish
     a baseline for future anomaly detection.
2. Anomalous Activity:
   o Outliers in the data, such as unusual IP connections or unauthorized file creations,
     highlighted potential threats that warranted further investigation.

Challenges:

• The volume of logs was relatively small, which simplified analysis but limited opportunities for
  dashboard creation.
• While no major security incidents were detected, the exercise provided critical visibility into
  system operations and laid the groundwork for continuous monitoring.

Phase 5: Recommendations

Based on the insights from Event IDs 3 and 11, I propose the following:

1. Strengthen Network Monitoring:
   • Implement strict firewall rules to block connections to untrusted IP addresses and uncommon
     ports.
   • Regularly review logs for connections initiated by unusual processes like powershell.exe.

2. Enforce File Integrity Monitoring:
   • Monitor sensitive directories (e.g., C:\Windows\System32) for unauthorized file creation
     events.
   • Deploy alerts for backdated or timestamp-manipulated files.

3. Improve Endpoint Visibility:
   • Use Sysmon in conjunction with SIEM tools like Splunk to correlate system and network events
     for a more holistic view.
   • Continuously update the Sysmon configuration to include new indicators of compromise (IOCs).

4. Conduct Regular Threat Hunting:
   • Periodically review network and file creation logs to uncover hidden threats or potential
     misconfigurations.
   • Investigate high-severity events, such as connections to external IPs or suspicious file
     operations.

5. Train and Educate Users:
   • Educate users on avoiding actions that could introduce malware, such as downloading files from
     untrusted sources.

Conclusion

This project demonstrates the effectiveness of Sysmon in capturing granular details about
network activity and file changes. By leveraging Splunk for analysis, I showcased the ability to
extract actionable insights from these logs. The recommendations provided align with best
practices for endpoint monitoring and proactive threat detection, ensuring a robust defense
against potential security risks.
