Sysmon provides detailed system, process, and network activity logging that Windows itself does not natively provide. This extra visibility has helped security teams detect many real-world attacks that otherwise would have gone completely unnoticed.
In this post, we’ll walk through some examples of incidents that were exposed due to the expanded telemetry provided by Sysmon. These include credential dumping, Active Directory database extraction, suspicious command line activity, and Exchange Server exploitation via ProxyLogon.
Attackers will often attempt to dump account credentials from memory or extract password database files for offline cracking. Native Windows logging provides very little visibility into things like in-memory credential dumping. Sysmon helps close this gap.
For example, the Comsvcs MiniDump method uses the comsvcs.dll library found in Windows to dump credentials from the LSASS process. Here are the key things Sysmon exposed to detect this attack:
Without Sysmon’s process and memory access logging, there would have been almost no record of this attack taking place. The credential dump likely would have gone completely unnoticed.
Attackers with sufficient access will often directly extract Active Directory database files to gather credential hashes and information about an organization’s network. The default Windows logging provides very little insight into this without Sysmon.
In one incident, Sysmon exposed the use of NTDSUtil to backup the NTDS.dit Active Directory database to an alternate location. The key events logged by Sysmon included:
As with the previous example, this attack would have easily gone unseen without having Sysmon’s enhanced process and command line auditing configured.
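To make the two credential-theft examples above concrete, here is a small detection routine that is not from the original post. It runs rule logic over constructed Sysmon-style event records (EventID 1 ProcessCreate, EventID 10 ProcessAccess and EventID 11 FileCreate, using Sysmon's field names but invented values). The rules model a non-allowlisted process opening LSASS with memory-read rights, a command line that names comsvcs.dll and its MiniDump export, and an ntdsutil "ifm create" export that lands a copy of NTDS.dit outside its default directory. The allowlist, the default NTDS path, the use of the IFM method and the sample values are my assumptions, not details the post gives.

```python
import re

# Windows process access right (winnt.h); Sysmon writes GrantedAccess as a hex string.
PROCESS_VM_READ = 0x0010

# Illustrative allowlist of processes that legitimately read LSASS memory (assumption:
# tune per environment). Matching on basename is shown for brevity; production rules
# should match the full path and code-signing identity as well.
LSASS_READER_ALLOWLIST = {"taskmgr.exe", "msmpeng.exe", "csrss.exe", "wininit.exe"}

# Default home of the directory database on a domain controller (assumption).
NTDS_DEFAULT_DIR = "c:\\windows\\ntds\\"


def _norm(value):
    """Lower-case and collapse whitespace so casing or spacing tricks do not defeat a rule."""
    return re.sub(r"\s+", " ", value or "").strip().lower()


def _basename(path):
    return _norm(path).rsplit("\\", 1)[-1]


def lsass_memory_read(event):
    """EventID 10: a non-allowlisted process opened lsass.exe with PROCESS_VM_READ."""
    if event.get("EventID") != 10 or _basename(event.get("TargetImage")) != "lsass.exe":
        return False
    try:
        granted = int(event.get("GrantedAccess", "0x0"), 16)
    except ValueError:
        return False
    return bool(granted & PROCESS_VM_READ) and _basename(event.get("SourceImage")) not in LSASS_READER_ALLOWLIST


def comsvcs_minidump(event):
    """EventID 1: comsvcs.dll and its MiniDump export named on a command line."""
    cmd = _norm(event.get("CommandLine"))
    return event.get("EventID") == 1 and "comsvcs" in cmd and "minidump" in cmd


def ntdsutil_ifm(event):
    """EventID 1: ntdsutil asked for an Install-From-Media copy of the AD database."""
    cmd = _norm(event.get("CommandLine"))
    return (event.get("EventID") == 1 and _basename(event.get("Image")) == "ntdsutil.exe"
            and "ifm" in cmd and "create" in cmd)


def ntds_dit_outside_default_dir(event):
    """EventID 11: a file named ntds.dit created anywhere but the DIT's home directory."""
    path = _norm(event.get("TargetFilename"))
    return event.get("EventID") == 11 and path.endswith("\\ntds.dit") and not path.startswith(NTDS_DEFAULT_DIR)


RULES = [
    ("lsass_memory_read", lsass_memory_read),
    ("comsvcs_minidump", comsvcs_minidump),
    ("ntdsutil_ifm", ntdsutil_ifm),
    ("ntds_dit_outside_default_dir", ntds_dit_outside_default_dir),
]


def triage(events):
    """Return (rule_name, event_index) for every event that trips a rule, in event order."""
    return [(name, i) for i, e in enumerate(events) for name, rule in RULES if rule(e)]


# Constructed sample events: Sysmon field names, invented values.
SAMPLE_EVENTS = [
    # Benign: an interactive user starts Notepad.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    # Benign: Task Manager queries LSASS with read rights; the source is allowlisted.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    # Comsvcs MiniDump: the loader's command line names the DLL and the export ...
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Temp\out.dmp full"},
    # ... and the matching ProcessAccess event shows rundll32 opening LSASS with full access.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    # ntdsutil creating an IFM copy of the directory database.
    {"EventID": 1, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\Temp\\ad" q q'},
    # The resulting copy of ntds.dit lands outside the DIT's home directory.
    {"EventID": 11, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "TargetFilename": r"C:\Temp\ad\Active Directory\ntds.dit"},
]

if __name__ == "__main__":
    for name, idx in triage(SAMPLE_EVENTS):
        print(f"{name:30s} matched event[{idx}]")
```

The two benign records show why the rules key on the access mask and on where the file lands rather than on the mere presence of an LSASS open or an ntds.dit write: both happen constantly on a healthy host. Running the block prints four hits, one per malicious record, and nothing for the two benign ones.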
Attackers will frequently use built-in Windows tools to carry out activities that avoid detection by endpoint security tools. But through detailed command line logging, Sysmon gives high visibility even into these so-called “living off the land” attacks.
In one incident, Sysmon exposed a suspicious use of the Windows command line. The attacker used an encoded PowerShell command that executed from a base64-encoded payload hidden inside the %ComSpec% environment variable. This variable normally points to the system's command interpreter.
Sysmon exposed the full obfuscated script contents and how Windows environment variables were abused to hide the code. The stealthy code executed covertly with window output suppressed, avoiding detection by endpoint tools. Only Sysmon’s full command line auditing recorded this activity.
Without Sysmon’s ability to log obfuscated PowerShell scripts and suspicious child process spawning, this attack would have avoided detection entirely.
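The command line Sysmon records for such a launch is only useful if the analyst can peel it back. The following is an added example, not code from the post: it takes a constructed PowerShell command line of the kind a Sysmon EventID 1 record carries, decodes the Base64/UTF-16LE script behind -EncodedCommand (PowerShell accepts any unambiguous prefix of the parameter name, so -e, -enc and -EncodedCommand are all handled), flags a hidden window, and lists the environment variables the script reads through $env:, %NAME% or the .NET API together with whether it evaluates a string as code. The inner script "IEX $env:ComSpec" is made up to mirror the post's description and is not the incident's payload.

```python
import base64
import re

# Constructed sample: the child's command line as Sysmon EventID 1 would record it.
# The inner script is invented to model "code pulled from an environment variable".
SAMPLE_INNER_SCRIPT = "IEX $env:ComSpec"
SAMPLE_COMMAND_LINE = (
    "powershell.exe -NoP -NonI -W Hidden -Enc "
    + base64.b64encode(SAMPLE_INNER_SCRIPT.encode("utf-16le")).decode("ascii")
)

# Three ways a script can reach into the environment block.
ENV_REF = re.compile(
    r"\$env:([A-Za-z_]\w*)"                          # PowerShell  $env:NAME
    r"|%([A-Za-z_]\w*)%"                             # cmd.exe     %NAME%
    r"|GetEnvironmentVariable\(\s*['\"]([^'\"]+)",   # .NET API    GetEnvironmentVariable("NAME")
    re.I,
)
# String-to-code evaluation, the usual second stage of a staged loader.
EVAL_REF = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)


def _is_param(token, full_name):
    """PowerShell resolves any unambiguous prefix of a parameter (-e, -enc, -EncodedCommand)."""
    return token.startswith("-") and len(token) > 1 and full_name.startswith(token[1:].lower())


def decode_encoded_command(command_line):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent or undecodable."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_param(tok, "encodedcommand"):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def hidden_window(command_line):
    """True when -WindowStyle (or a prefix such as -W) is followed by Hidden or its numeric value 1."""
    tokens = command_line.lower().split()
    return any(_is_param(t, "windowstyle") and nxt in ("hidden", "1")
               for t, nxt in zip(tokens, tokens[1:]))


def analyse_powershell_launch(command_line):
    """Summarise what an analyst needs from one PowerShell command line."""
    decoded = decode_encoded_command(command_line)
    script = decoded if decoded is not None else command_line
    env_names = sorted({next(g for g in m.groups() if g) for m in ENV_REF.finditer(script)})
    return {
        "decoded_script": decoded,
        "hidden_window": hidden_window(command_line),
        "env_indirection": env_names,
        "evaluates_string": bool(EVAL_REF.search(script)),
    }


if __name__ == "__main__":
    for key, value in analyse_powershell_launch(SAMPLE_COMMAND_LINE).items():
        print(f"{key:18s} {value}")
```

Because the Sysmon record holds the command line after cmd.exe has expanded %VAR% references, the analyst sees the decoded script but not the original variable's contents; the `env_indirection` list is the cue to go and pull that value from the host (or from a later child process record) before declaring the activity benign.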
In early 2021, attackers actively exploited the ProxyLogon and ProxyShell vulnerabilities to compromise on-prem Microsoft Exchange servers. Most environments hit with Exchange exploitation only realized it upon seeing ransomware detonate across their networks.
But with Sysmon, security teams could detect signs of Exchange compromise much earlier. In one case, Sysmon exposed numerous indicators of compromise stemming from Exchange exploitation, including:
With multiple indicators of compromise in a short timeframe, Sysmon showed an Exchange server was actively being exploited even without seeing ransomware. The organization was able to respond to the intrusion significantly faster with Sysmon’s added visibility.
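The post's point is that several weak indicators landing on one server in a short window is what turned this into an early alert. As an added example that is not from the post, the block below correlates two Exchange-related indicators over constructed Sysmon records: the IIS worker process w3wp.exe writing an .aspx file into an Exchange web directory (EventID 11), and w3wp.exe spawning a command interpreter (EventID 1). Per host, it raises an alert only when two distinct indicators fall within a ten-minute window. The directory list follows public reporting on the 2021 Exchange campaigns, and the child-process list, the window, the threshold and all event values are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Directories under which Exchange webshells were commonly dropped according to public
# reporting on the 2021 campaigns (assumption: adjust to the local install path).
EXCHANGE_WEB_DIRS = (
    r"\frontend\httpproxy\owa\auth",
    r"\frontend\httpproxy\ecp\auth",
    r"\inetpub\wwwroot\aspnet_client",
)
# Interpreters an IIS worker process has no business starting (assumption; extend as needed).
SUSPECT_IIS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "certutil.exe"}


def _norm(value):
    return re.sub(r"\s+", " ", value or "").strip().lower()


def _basename(path):
    return _norm(path).rsplit("\\", 1)[-1]


def webshell_written_by_iis(event):
    """EventID 11: the IIS worker process itself writes an .aspx file into an Exchange web directory."""
    if event.get("EventID") != 11 or _basename(event.get("Image")) != "w3wp.exe":
        return False
    path = _norm(event.get("TargetFilename"))
    return path.endswith(".aspx") and any(d in path for d in EXCHANGE_WEB_DIRS)


def shell_spawned_by_iis(event):
    """EventID 1: a command interpreter whose parent is the IIS worker process."""
    return (event.get("EventID") == 1 and _basename(event.get("ParentImage")) == "w3wp.exe"
            and _basename(event.get("Image")) in SUSPECT_IIS_CHILDREN)


INDICATORS = [
    ("webshell_written_by_iis", webshell_written_by_iis),
    ("shell_spawned_by_iis", shell_spawned_by_iis),
]


def parse_utc(text):
    """Sysmon's UtcTime format: 'YYYY-MM-DD HH:MM:SS.mmm'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def correlate(events, window=timedelta(minutes=10), threshold=2):
    """Per host, alert when at least `threshold` distinct indicators fire within `window`.

    Returns a list of (computer, sorted indicator names), one entry per alerting host.
    """
    hits = defaultdict(list)
    for event in events:
        for name, rule in INDICATORS:
            if rule(event):
                hits[event["Computer"]].append((parse_utc(event["UtcTime"]), name))
    alerts = []
    for host, items in sorted(hits.items()):
        items.sort()
        for i, (start, _) in enumerate(items):
            names = {n for t, n in items[i:] if t - start <= window}
            if len(names) >= threshold:
                alerts.append((host, sorted(names)))
                break
    return alerts


# Constructed sample events: Sysmon field names, invented hosts, times and paths.
SAMPLE_EVENTS = [
    # Benign: the worker process writes an IIS log entry.
    {"EventID": 11, "Computer": "EXCH01", "UtcTime": "2021-03-03 04:11:02.511",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex210303.log"},
    # Indicator 1: w3wp.exe drops an .aspx file (name constructed) into the OWA auth directory.
    {"EventID": 11, "Computer": "EXCH01", "UtcTime": "2021-03-03 04:12:07.120",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\example.aspx"},
    # Indicator 2: ninety seconds later the same worker process spawns cmd.exe.
    {"EventID": 1, "Computer": "EXCH01", "UtcTime": "2021-03-03 04:13:40.004",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    # A second host with a single indicator stays below the correlation threshold.
    {"EventID": 1, "Computer": "EXCH02", "UtcTime": "2021-03-03 09:30:00.000",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c set"},
]

if __name__ == "__main__":
    for host, names in correlate(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(names)}")
```

Each indicator on its own is worth a ticket, but EXCH02 shows why the threshold matters: a lone w3wp.exe child could be an administrator's diagnostic module, whereas a webshell write followed within minutes by a spawned interpreter on the same host is the sequence the post describes, and it surfaces long before any ransomware stage.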
Without Sysmon, these attacks would have left no trace in standard Windows event logs. Sysmon’s system, network, and command line logging made the critical difference in detecting and responding to these real-world threats.
By providing enhanced visibility into process creation, network connections, and full command line details, Sysmon empowers security teams to rapidly uncover signs of malicious activity. As these examples illustrate, deploying Sysmon is a straightforward way to close visibility gaps and significantly improve threat detection capabilities in Windows environments.
To learn more about Sysmon threat hunting, check out this video on the subject, featuring Blumira Head of Incident Detection Engineering Amanda Berlin and Security Influencer Tom Lawrence.