Sysmon for Linux PowerShell Module

Sysmon has been a great tool to enhance logging in Windows for many year allowing well organized teams to cover many gaps in their log and even improve their capabilities at detecting all kinds of attacks. Microsoft released a version of Sysmon for Linux to provide the same type of value to those defending Linux systems. Logs are saved in to Syslog as single line XML blobs that can be ingested and parsed by SIEM products. To aid with extracting the Sysmon specific events from syslog I wrote the SysmonLinux.Util module. The module can parse one or more Syslog files even GZip files archived by LogRotate from a Linux system and allow for the search of specific events that meet a given criteria. The module can be use also for aiding in the generation of filter rules based on the resulting objects of queries performed against the logs, greatly speeding the creation and tunning of Sysmon configuration files.


The recommended method for installing the module is to install the module from the PowerShell Gallery, The command to install the module is

Install-Module -Name SysmonLinux.Util -Force

The module source code can also be downloaded from GitHub

Exploring the Module

Once the module is installed we can take a look at the functions made available for working with tge Get-Command cmdlet in PowerShell.

PS /home/carlos> Get-Command -Module sysmonlinux.util                                                                                              
CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        ConvertTo-SysmonRule                               0.0.3      SysmonLinux.Util
Function        Get-SysmonLinuxConfigChange                        0.0.3      SysmonLinux.Util
Function        Get-SysmonLinuxEvent                               0.0.3      SysmonLinux.Util
Function        Get-SysmonLinuxFileCreate                          0.0.3      SysmonLinux.Util
Function        Get-SysmonLinuxFileDelete                          0.0.3      SysmonLinux.Util
Function        Get-SysmonLinuxNetworkConnect                      0.0.3      SysmonLinux.Util
Function        Get-SysmonLinuxProcessCreate                       0.0.3      SysmonLinux.Util
Function        Get-SysmonLinuxProcessTerminate                    0.0.3      SysmonLinux.Util
Function        Get-SysmonLinuxRawAccess                           0.0.3      SysmonLinux.Util
Function        Get-SysmonLinuxState                               0.0.3      SysmonLinux.Util

The functions available at the moment of this is written are described bellow in the table.

Function Description
ConvertTo-SysmonRule Takes resulting objects from the other module function and turns them in to Sysmon Rules
Get-SysmonLinuxConfigChange Gets Sysmon configuration change events from one or more syslog files.
Get-SysmonLinuxEvent Gets any Syslon event allowing filtering either by Image and ProcessGUID from one or more syslog files.
Get-SysmonLinuxFileCreate Gets Sysmon File Create events from one or more syslog files.
Get-SysmonLinuxFileDelete Gets Sysmon File Delete events from one or more syslog files.
Get-SysmonLinuxNetworkConnect Gets Sysmon Network Connect events from one or more syslog files.
Get-SysmonLinuxProcessCreate Gets Sysmon Process Create events from one or more syslog files.
Get-SysmonLinuxProcessTerminate Gets Sysmon Process Terminate events from one or more syslog files.
Get-SysmonLinuxRawAccess Gets Sysmon Raw Access events from one or more syslog files.
Get-SysmonLinuxState Gets Sysmon Linux State events from one or more syslog files.

The Get-Help cmdlet or its alias help can be used to look at the parameters and their details for each of the functions. It will also show which parameters allow for wildcards so as to make searching for specific events much easier.

PS /home/carlos> help Get-SysmonLinuxEvent


    Gets one or more Sysmon for Linux event types from Syslog logs.

    Get-SysmonLinuxEvent -EventType <String[]> [[-SyslogFile] <String[]>] [-Image <String[]>] [-User 
    <String[]>] [<CommonParameters>]

    Get-SysmonLinuxEvent -EventType <String[]> [[-SyslogFile] <String[]>] [-ProcessGuid <String[]>] 
    [-Image <String[]>] [-User <String[]>] [<CommonParameters>]

    Gets one or more Sysmon for Linux event types from Syslog logs. Allows for filtering by ProcessGUID 
    and User.

    -EventType <String[]>
        Event type to pull from Syslog log file.

        Required?                    true
        Position?                    named
        Default value                
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -SyslogFile <String[]>
        Specifies a path to one or more locations.

        Required?                    false
        Position?                    1
        Default value                @("/var/log/syslog")
        Accept pipeline input?       true (ByValue, ByPropertyName)
        Accept wildcard characters?  false

    -ProcessGuid <String[]>
        ProcessGuid to search for a given event type, ParentProcessGuid will also be matched to this 

        Required?                    false
        Position?                    named
        Default value                
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -Image <String[]>
        Image to search for a given event type.The '*' wildcard is supported for matching.

        Required?                    false
        Position?                    named
        Default value                
        Accept pipeline input?       false
        Accept wildcard characters?  true

    -User <String[]>
        User to seach for a given event type.

        Required?                    false
        Position?                    named
        Default value                
        Accept pipeline input?       false
        Accept wildcard characters?  false

        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer, PipelineVariable, and OutVariable. For more information, see
        about_CommonParameters ( 




        General notes

    -------------------------- EXAMPLE 1 --------------------------

    PS />Get-SysmonLinuxEvent -EventType Any -ProcessGuid "{de9527a5-6a3f-616f-a52f-d98154560000}"

    EventId           : 1
    Version           : 5
    EventType         : ProcessCreate
    Computer          : ubuntu
    EventRecordID     : 35705
    RuleName          : -
    UtcTime           : 2021-10-20 01:00:47.600
    ProcessGuid       : {de9527a5-6a3f-616f-a52f-d98154560000}
    ProcessId         : 2356
    Image             : /usr/sbin/dumpe2fs
    FileVersion       : -
    Description       : -
    Product           : -
    Company           : -
    OriginalFileName  : -
    CommandLine       : dumpe2fs -h /dev/sda5
    CurrentDirectory  : /
    User              : root
    LogonGuid         : {de9527a5-0000-0000-0000-000000000000}
    LogonId           : 0
    TerminalSessionId : 4294967295
    IntegrityLevel    : no level
    Hashes            : -
    ParentProcessGuid : {00000000-0000-0000-0000-000000000000}
    ParentProcessId   : 874
    ParentImage       : -
    ParentCommandLine : -
    ParentUser        : -

    EventId       : 9
    Version       : 2
    EventType     : RawAccessRead
    Computer      : ubuntu
    EventRecordID : 35706
    RuleName      : -
    UtcTime       : 2021-10-20 01:00:47.619
    ProcessGuid   : {de9527a5-6a3f-616f-a52f-d98154560000}
    ProcessId     : 2356
    Image         : /usr/sbin/dumpe2fs
    Device        : /dev/sda5
    User          : root

    EventId       : 5
    Version       : 3
    EventType     : ProcessTerminate
    Computer      : ubuntu
    EventRecordID : 35707
    RuleName      : -
    UtcTime       : 2021-10-20 01:00:47.620
    ProcessGuid   : {de9527a5-6a3f-616f-a52f-d98154560000}
    ProcessId     : 2356
    Image         : /usr/sbin/dumpe2fs
    User          : root

    Find all events that match the specified ProcessGuid.


Leveraging the Functions

The functions are divided in 2 groups, all of the functions minus ConvertTo-SysmonRule are meant for getting from Syslog log files the events for their type and allow to target certain events by filtering based on their properties. Each function returns the log entry as an object, this allows for the use of regular built in PowerShell cmdlets to further filter and process the resulting log entry objects. Bellow we use the Select-Object cmdlet to select only some of the properties of the resulting objects and from the results only have unique entries.

PS /home/carlos> Get-SysmonLinuxNetworkConnect -Image /usr/lib/systemd/systemd-resolved | select destinationip,image -unique                       

DestinationIp Image
------------- -----  /usr/lib/systemd/systemd-resolved     /usr/lib/systemd/systemd-resolved    /usr/lib/systemd/systemd-resolved

By default the functions will open the /var/log/syslog file, a list of files can be passed to the -SyslogFile parameter or passed to the filtering functions via the pipeline. On most distributions of linux the lograted daemon runs on a schedule and archives the syslog log file in to a Gzip compressed file. The SysmonLinux.Util module can handle this files by decompressing in to the temp folder the files and processing each file if they have the .gz extension.

PS /home/carlos> ls /var/log/syslog* | Get-SysmonLinuxRawAccess | select image,user -Unique | Format-List       
Image : /usr/sbin/grub-probe
User  : root

Image : /usr/sbin/blkid
User  : root

Image : /usr/lib/systemd/systemd-logind
User  : root

Image : /usr/sbin/dumpe2fs
User  : root

Image : /usr/lib/systemd/system-generators/systemd-gpt-auto-generator
User  : root

Image : /usr/bin/mount
User  : root

Image : /usr/lib/systemd/systemd-udevd
User  : root

Image : /usr/lib/udev/scsi_id
User  : root

Image : /usr/lib/udev/cdrom_id
User  : root

Image : /usr/lib/udev/ata_id
User  : root

Image : /usr/lib/udisks2/udisksd
User  : root

The ConvertTo-SysmonRule function is the only function whose purpose is not the extraction of log entries from syslog files but for turning the resulting objects in to rules that can then be used for exclude or include rule groups to further tune configuration files.

PS /home/carlos> ls /var/log/syslog* | Get-SysmonLinuxRawAccess | select image,user -Unique | ConvertTo-SysmonRule
<Rule groupRelation="and">
  <Image condition='is'>/usr/sbin/grub-probe</Image>
  <User condition='is'>root</User>
<Rule groupRelation="and">
  <Image condition='is'>/usr/sbin/blkid</Image>
  <User condition='is'>root</User>
<Rule groupRelation="and">
  <Image condition='is'>/usr/lib/systemd/systemd-logind</Image>
  <User condition='is'>root</User>
<Rule groupRelation="and">
  <Image condition='is'>/usr/sbin/dumpe2fs</Image>
  <User condition='is'>root</User>
<Rule groupRelation="and">
  <Image condition='is'>/usr/lib/systemd/system-generators/systemd-gpt-auto-generator</Image>
  <User condition='is'>root</User>
<Rule groupRelation="and">
  <Image condition='is'>/usr/bin/mount</Image>
  <User condition='is'>root</User>
<Rule groupRelation="and">
  <Image condition='is'>/usr/lib/systemd/systemd-udevd</Image>
  <User condition='is'>root</User>
<Rule groupRelation="and">
  <Image condition='is'>/usr/lib/udev/scsi_id</Image>
  <User condition='is'>root</User>
<Rule groupRelation="and">
  <Image condition='is'>/usr/lib/udev/cdrom_id</Image>
  <User condition='is'>root</User>
<Rule groupRelation="and">
  <Image condition='is'>/usr/lib/udev/ata_id</Image>
  <User condition='is'>root</User>
<Rule groupRelation="and">
  <Image condition='is'>/usr/lib/udisks2/udisksd</Image>
  <User condition='is'>root</User>

I do hope that others find the module useful and will leverage it when working with Sysmon for Linux.

Getting DNS Client Cached Entries with CIM/WMI

What is DNS Cache

The DNS cache maintains a database of recent DNS resolution in memory. This allows for faster resolution of hosts that have been queried in the recent past. To keep this cache fresh and reduce the chance of stale records the time of items in the cache is of 1 day on Windows clients. 

The DNS Client service in Windows is the one that manages the cache on a system, This time Window can be modified via the registry in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters where the MaxCacheTtl property controls the time in the cache in seconds and the MaxNegativeCacheTtl property controls the time a failed response is cached.  

Why is it Important

For an attacker, it means primarily situational awareness. It allows him to know what other systems this host has accessed and the IP address of the host. This may allow identifying security platforms by the FQDNs used as well as business process systems, both internal or in the cloud. On an important note for the attacker is that if his implant/agent on the system does not include its own resolution capability it has an IOC present on the system that can be used to track its command and control infrastructure. 

For a defender, the ability to know what hosts a system may have connected to in the last 24 hours. This will permit a defender to query across his environment for hosts that are communicating or have communicated with a specific host if DNS resolution was part of the process and if the attacker is not using its own resolution method. If the attacker is “Living off the Land” and using OS tools it will still leave the femoral trace on the system until the cached entry TTL (Time to Live) expires.

MSFT_DNSClientCache class

In Windows 8/2012 Microsoft added the MSFT_DNSClientCache class into the CIM object database in Windows. The class is under the new namespace that was also added to Root\StandardCimv2 and the resources are provided as part of the DnsClientCim.dll. This allows us to query for instances of the class and get all entries for the DNS Cache database. 

Read More

Operating Offensively Against Sysmon

Sysmon is a tool written by Mark Russinovich that I have covered in multiple blog post and even wrote a PowerShell module called Posh-Sysmon to help with the generation of configuration files for it. Its main purpose is for the tracking of potentially malicious activity on individual hosts and it is based on the same technology as Procmon. It differs from other Sysinternals tools in that Sysmon is actually installed on the host and saves its information in to the Windows Eventlog so it is easier to be able to collect the information with the use of SIEM (Security Information and Event Management) tools. 

 Sysmon has the capability to log information for:

  • Process Creation and Termination

  • Process changing a file creation time.

  • Network Connection

  • Driver Load

  • Image Load

  • CreateRemoteThread

  • Raw Access Read of a file

  • A process opens another process memory

  • File Creation

  • Registry Events

  • Pipe Events

  • WMI Permanent Events 

Read More

Some Comments and Thoughts on Tradecraft

I have been writing a series on the new Windows Defender Exploit Guard features on Attack Surface Reduction where I cover my research on it. I'm researching the controls to add the information in to my personal playbook. Surprisingly in conversations with some Red Teamers I know they dismissed the information as it is a Blue/Defense technology. These comments surprised me and I would like to share why it surprised me.

Let me start by saying that this is only an opinion. The steps and tradecraft for me would vary on level of skill of the defenders, scope, time and rule of engagements. This is blog post is only for me to share my though process and opinions on this area.

When it comes to attack and defense, red and blue, attack simulation. However, you want to call it in its essence it is an adversarial process, it is one team or person against another. Sometimes it can be a attacker against a defender or it can even be the attacker against a vendor research team that adds new features or modifies existing one. But it is one person trying to outwit another. So, if you are an attacker why are you not studying about defenses and mitigations?

What is the purpose of a red team or pentester? For me it is to show alternate ways of thinking and exercise the current controls in place to show areas of improvement to mitigate risks. To be able to do this knowledge on how systems works, how different lack of controls or misconfigured ones can have a negative impact for a given customer environment is of the upmost importance.

When it comes to the tradecraft one applies it will depend on the red team exercise you are conducting. If you are performing a simulation of a specific threat with blue your TTPs will be dictated by the threat intelligence you have on the adversary you are simulating to test the controls.

Knowledge of one’s tools, the opponent, his tools and how each implements them and uses them determines the actions. As Sun Tzu said:

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

Read More

Windows Defender Exploit Guard ASR Rules for Office

On this blog post I continue looking at the ASR rules, this time I'm looking at the ASR rules for Office.  The ASR rules for office are:

  • Block Office applications from creating child processes
  • Block Office applications from creating executable content
  • Block Office applications from injecting code into other processes
  • Block Win32 API calls from Office macro

These rules only work on the following versions of Microsoft Office on Windows 10, version 1709 (and later) with Windows Defender configured with Real-Time protection enabled:

  • Microsoft Office 365
  • Microsoft Office 2016
  • Microsoft Office 2013
  • Microsoft Office 2010

Another thing to take in to account is that these controls only work with the following Office applications:

  • Microsoft Word
  • Microsoft Excel
  • Microsoft PowerPoint
  • Microsoft OneNote

for my testing I will use Word 2016 and Excel for my tests of the feature. 

Read More