Threat Hunting using Sysmon with Slack Notifications
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.
1. After downloading Sysmon from the Sysinternals link listed at the end of this post, extract the compressed folder to any location of your choosing.
2. Open PowerShell or cmd as Administrator and change to the Sysmon directory. Use the command .\Sysmon64.exe -c to check the current Sysmon configuration. As shown below, Sysmon is not yet running on the system.
3. Install (enable) the Sysmon service. Use the command .\Sysmon64.exe -i for a basic setup without an existing config. You may also use the more extensive command .\Sysmon64.exe -i -accepteula -h md5,sha256,imphash -l -n. Running .\Sysmon64.exe -c again shows the existing rules, but since this is the initial setup none will be listed yet.
4. Confirm Sysmon's schema version using the command .\Sysmon64.exe -? config. It also prints a sample configuration file.
5. Install and verify the posh-sysmon PowerShell module, which will be used to generate the config file: Install-Module -Name posh-sysmon, Get-Module -Name posh-sysmon, Get-Command -Module posh-sysmon.
6. Create a new configuration file using the command: New-SysmonConfiguration -Path ./config.xml -HashingAlgorithm SHA256 -CreateRemoteThread -Verbose
7. Load the generated config.xml and update the Sysmon configuration using the command .\Sysmon64.exe -c config.xml.
8. Verify that Sysmon logging is running in Event Viewer: go to Applications and Services Logs → Microsoft → Windows → Sysmon → Operational.
9. Test whether the CreateRemoteThread rule works using Process Hacker 2:
- Open notepad.exe
- Inject a DLL into notepad.exe using Process Hacker
- Check the Event Viewer logs for the resulting Sysmon event
10. Block executable downloads. Modify the configuration file as shown below and update Sysmon using .\Sysmon64.exe -c config.xml.
    <Sysmon schemaversion="4.83">
      <!-- Capture all hashes -->
      <HashAlgorithms>*</HashAlgorithms>
      <EventFiltering>
        <!-- Event ID 27 == File Block Executable -->
        <FileBlockExecutable onmatch="include">
          <TargetFilename condition="end with">.exe</TargetFilename>
          <TargetFilename condition="end with">.dll</TargetFilename>
          <TargetFilename condition="end with">.php</TargetFilename>
        </FileBlockExecutable>
      </EventFiltering>
    </Sysmon>
11. Set up a Slack notification every time an executable download is blocked.
- Open Task Scheduler
- Set up the event trigger. Event ID 27 comes from the Sysmon event filtering above; it is the FileBlockExecutable event.
- Set up the action to run the Python script below. Note that $(User), $(Target), and $(Image) map to the arguments the Python script expects.
- Export the File Block task and add the ValueQueries to its XML.
- The value names can be taken from the event's details (the Data Name fields) in Event Viewer.
12. Set up the Python script and the Slack webhook. Save the Python script as SlackMsg.py.
    import json
    import sys

    import requests

    # Arguments are passed by the scheduled task as $(User) $(Target) $(Image)
    USER = sys.argv[1]      # Data Name="User"
    FILENAME = sys.argv[2]  # Data Name="TargetFilename"
    PROC = sys.argv[3]      # Data Name="Image"

    def send_slack():
        # Sends a message to the Slack channel whenever Sysmon blocks a download (e.g. a PHP shell)
        url = "https://hooks.slack.com/services/T05CN3C8BGQ/B05BRNACC22/XXXXXXXY"  # Replace with your Slack webhook URL
        payload = {
            "channel": "#threat-hunting-training",  # Replace with your channel
            "username": "Sysmon",  # Replace with the bot username you want to use
            "text": f"The user {USER} tried to download {FILENAME} from {PROC}",
            "icon_emoji": ":crossed_swords:",
        }
        # Incoming webhooks accept the JSON document in a "payload" form field
        data = {"payload": json.dumps(payload)}
        response = requests.post(url, data=data, timeout=10)
        response.raise_for_status()

    if __name__ == "__main__":
        send_slack()
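As an added example that is not part of the original post, the Python below parses a constructed Sysmon Event ID 27 record (the XML view of an event in Event Viewer) with the same Data-name lookups the ValueQueries in step 11 express, and builds the webhook payload that SlackMsg.py posts, so the mapping from event fields to $(User), $(Target) and $(Image) can be checked offline. The event values and the channel name are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Sysmon Event ID 27 (FileBlockExecutable) record, as shown in
# the XML view of the event's Details tab in Event Viewer. All values are made up.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" />
    <EventID>27</EventID>
  </System>
  <EventData>
    <Data Name="UtcTime">2023-06-10 08:15:42.123</Data>
    <Data Name="Image">C:\\Program Files\\Mozilla Firefox\\firefox.exe</Data>
    <Data Name="User">WORKSTATION01\\alice</Data>
    <Data Name="TargetFilename">C:\\Users\\alice\\Downloads\\shell.php</Data>
  </EventData>
</Event>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The same lookups the Task Scheduler ValueQueries express, e.g.
# Event/EventData/Data[@Name='User']; ElementTree needs the namespace prefix.
VALUE_QUERIES = {
    "User": "e:EventData/e:Data[@Name='User']",
    "Target": "e:EventData/e:Data[@Name='TargetFilename']",
    "Image": "e:EventData/e:Data[@Name='Image']",
}

def extract_fields(event_xml: str) -> dict:
    """Return the User, Target and Image values from a Sysmon event 27 record."""
    root = ET.fromstring(event_xml)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "27":
        raise ValueError(f"expected Sysmon event 27, got {event_id}")
    fields = {}
    for name, xpath in VALUE_QUERIES.items():
        node = root.find(xpath, NS)
        fields[name] = node.text if node is not None else ""  # missing Data -> empty
    return fields

def build_slack_payload(fields: dict, channel: str = "#threat-hunting-training") -> dict:
    """Build the same webhook payload SlackMsg.py posts, without sending it."""
    return {
        "channel": channel,
        "username": "Sysmon",
        "text": f"The user {fields['User']} tried to download {fields['Target']} from {fields['Image']}",
        "icon_emoji": ":crossed_swords:",
    }
```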
13. Test the file download and confirm that the Slack notification arrives.
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
https://learn.microsoft.com/en-us/shows/inside/event-viewer
https://processhacker.sourceforge.io/
https://slack-us55969.slack.com/apps/A0F7XDUAZ-incoming-webhooks
https://github.com/clarencesubia/threat-hunting-php-shells