Back to BlogReal-World Examples of Detecting Attacks with Sysmon
Sysmon provides detailed system, process, and network activity logging that Windows itself does not natively provide. This extra visibility has helped security teams detect many real-world attacks that otherwise would have gone completely unnoticed.
In this post, we’ll walk through some examples of incidents that were exposed due to the expanded telemetry provided by Sysmon. These include credential dumping, Active Directory database extraction, suspicious command line activity, and Exchange Server exploitation via ProxyLogon.
Detecting Credential Dumping with Sysmon
Attackers will often attempt to dump account credentials from memory or extract password database files for offline cracking. Native Windows logging provides very little visibility into things like in-memory credential dumping. Sysmon helps close this gap.
For example, the Comsvcs MiniDump method uses the comsvcs.dll library found in Windows to dump credentials from the LSASS process. Here are the key things Sysmon exposed to detect this attack:
- Event ID 1 showed Comsvcs.dll spawning a child process to carry out the dump command. This included the full command line arguments
- Event ID 8 showed the LSASS process having its memory accessed for the dump.
- Additional related events exposed other suspicious activities happening around the same timeframe
Without Sysmon’s process and memory access logging, there would have been almost no record of this attack taking place. The credential dump likely would have gone completely unnoticed
Catching Active Directory Database Theft
Attackers with sufficient access will often directly extract Active Directory database files to gather credential hashes and information about an organization’s network. The default Windows logging provides very little insight into this without Sysmon.
In one incident, Sysmon exposed the use of NTDSUtil to backup the NTDS.dit Active Directory database to an alternate location. The key events logged by Sysmon included:
- Event ID 1 logging the initial NTDSUtil process launch via PowerShell
- Event ID 10 logging NTDSUtil accessing the LSASS process to carry out its backup
- Additional events with the full command line arguments used
As with the previous example, this attack would have easily gone unseen without having Sysmon’s enhanced process and command line auditing configured.
Detecting Suspicious Command Line Activity
Attackers will frequently use built-in Windows tools to carry out activities that avoid detection by endpoint security tools. But through detailed command line logging, Sysmon gives high visibility even into these so-called “living off the land” attacks.
In one incident, Sysmon exposed a suspicious use of the Windows command line. The attacker used an encoded PowerShell command that executed from a base64-encoded payload hidden inside the %ComSpec% environment variable. This variable normally handles command line operations.
Sysmon exposed the full obfuscated script contents and how Windows environment variables were abused to hide the code. The stealthy code executed covertly with window output suppressed, avoiding detection by endpoint tools. Only Sysmon’s full command line auditing recorded this activity.
Without Sysmon’s ability to log obfuscated PowerShell scripts and suspicious child process spawning, this attack would have avoided detection entirely.
Detecting Exchange Server Exploitation via ProxyLogon
In early 2021, attackers actively exploited the ProxyLogon and ProxyShell vulnerabilities to compromise on-prem Microsoft Exchange servers. Most environments hit with Exchange exploitation only realized it upon seeing ransomware detonate across their networks.
But with Sysmon, security teams could detect signs of Exchange compromise much earlier. In one case, Sysmon exposed numerous indicators of compromise stemming from Exchange exploitation, including:
- Event ID 1 showing code injection from PowerShell into DLLHost
- Discovery activities enumeration domain admins with “net group” commands
- Suspicious use of SMB from Exchange server to transfer files
- Encoded PowerShell commands attempting to download and execute malicious payloads
- IIS worker process (w3wp.exe) spawning child PowerShell processes
With multiple indicators of compromise in a short timeframe, Sysmon showed an Exchange server was actively being exploited even without seeing ransomware. The organization was able to respond to the intrusion significantly faster with Sysmon’s added visibility.
Sysmon Visibility Is Critical for Detection & Response
Without Sysmon, these attacks would have gone completely without a trace in standard Windows event logs. But Sysmon’s system, network, and command line logging made the critical difference in detecting and responding to these real-world threats.
By providing enhanced visibility into process creation, network connections, and full command line details, Sysmon empowers security teams to rapidly uncover signs of malicious activity. As these examples illustrate, deploying Sysmon is a straightforward way to close visibility gaps and significantly improve threat detection capabilities in Windows environments.
To learn more about Sysmon threat hunting, check out this video on the subject, featuring Blumira Head of Incident Detection Engineering Amanda Berlin and Security Influencer Tom Lawrence.