
Sysmon Monitoring Different Way

BSides Vancouver · 2021 · 10:30 · 106 views · Published 2021-06
Speaker: Marek Mikita
Category: Tooling
About this talk
Marek Mikita presents a graphical approach to Sysmon log analysis, introducing a tool that visualizes system activity as an interactive graph. The interface enables rapid threat hunting by displaying process relationships, DNS requests, file operations, and network connections with filtering and multi-hop traversal capabilities. A live demonstration shows how graph-based exploration can quickly identify suspicious process chains and anomalous system behavior.
Original YouTube description:
BSides Vancouver 2021. Why have all the Sysmon logs and not look into them differently? I am working on a simple graphical visualization for Sysmon logs for quick threat hunting and solving all problems. Attackers always come with some bright idea, so why not look into Sysmon logs as graphs? I would like to release my small Docker project with which you can start looking for misbehavior of your system. The graph will show connections between processes. There will also be an option to see which DNS requests were made and which services were started or stopped. The interface provides a simple design for reviewing your graph in different views. There is an option to see all current processes on the graph. They also provide details about certain processes such as PID, name, version, and date of execution if available.
Transcript [en]:

Hi everyone, welcome to my talk, Sysmon Monitoring Different Way. Let's get started. My name is Marek, I'm a system manager, I'm a husband and father, this is my little helper, and I love to learn new things and figure things out. So let's get started, let's do Sysmon 101. What Sysmon is, basically: it's a small monitor that logs system activity to the Windows event logs. It provides details such as process creation, network connections, DNS requests, etc. It's basically bundled with a security information and event management system, SIEM, and basically what it does is it usually grabs those logs and ships them off somewhere to a central location for further analysis. What if Sysmon was a graph? I started

asking this question to myself because of BloodHound, which basically visualizes the Active Directory environment, or something like LogonTracer, which basically shows logon Windows events as a graph. So on the right-hand side there is a Windows process creation event from Sysmon, and especially the things in the red square are really interesting: the process ID and parent process ID, because both are the same thing, they're processes, and there is some kind of relation between them. So that gives us a really good start for what it can be. So let me introduce Sysmon Graph. What it is is a graphical representation of Sysmon logs. It looks

like this on the right; we will see the demonstration later. It has a really simple UI, it's basically an HTML file, and you can run it from the browser. As the backend it requires a Neo4j database to query all the graphs. There is lots of JavaScript in that HTML file, as you need JavaScript to grab that information from the Neo4j database. For collecting or acquiring logs from Windows I have written a PowerShell script as well, which is on the GitHub page. There is also a folder called docker which contains information on how to spin it up; you can spin up the Docker containers quite easily for demonstration. So let's do some demo time.

So this is Sysmon Graph, this is how it looks, and as you see right here in the top left corner I just basically specified 300 nodes at the beginning. It's basically some kind of protection for how many nodes I really want to acquire from the database, because there can be a lot. There is a search option which is empty because we have no database loaded. So let's get started with that: you can go to Admin, we can go to Load Graph, Choose File, let's pick up our first data set, wait a couple of seconds and we're gonna be there. If you scroll a little bit further you will see

lots and lots of information. Let's pick up some. It's a graph, let's pick up this one. So as you see, all those nodes, all those bubbles, represent the nodes as process creations, and if we click on those there is detailed information about them on the left. The same with the search options: they basically show you all the information about all the nodes currently in the database, such as dates, such as all the accounts that were used or launched, and all the process names.

In the data information you see basically all the information you would see in the Sysmon logs as well. So for the process creation event we see things like the current directory, command line and hashes. We basically have a DNS request here which was a request for one client, a Microsoft product, it was one that I've requested, and there are our results. There is also a file that was created, as you can see here, let's freeze it, that's the name of the file and basically the target file name. So basically that's what we can do. We can just basically reset our interface to see, like you can see, there are lots and

lots of small, I don't know if you can see it, there are lots and lots of small graphs not tied together. We can just change the view to circle to basically give us a different perspective of those graphs, something like this one. We can freeze it one more time and we can do exactly the same things: highlight any of them and follow the path of those. If you decide to follow the path, let's say we pick up the software reporter tool which was launched by the kali user, there you go: there is an ID, there is a name, file version, and everything around it; it came from Google. We can

basically follow this node and have it give us only two hops on the nodes. So there is our reporter, there are basically two maximum hops, which is like one and two. These settings can be changed: if you highlight Admin you can just basically change maximum nodes, put 250, and the jump to three. If you save the settings you see it reflected right here, and if you change it to three you should, yeah, it shows a couple of extra nodes, from reporter to Chrome to Explorer, a couple external. Just reset the interface, this is how it looks, freeze. We also have lots of different

nodes, as you can see every color represents a different kind of node. So the blue ones are usually processes, the red ones are basically file creation, the green one is basically file stream created, so basically files that were created during some events. There are network connections as well, like we can see a couple of those, even IPv6, and a couple of DNS requests as well. Sometimes there can be so many nodes that it's hard to figure out what we're really looking for, so I created a button for just processes. So if you click on this we basically see all the processes connected to their processes. Just basically freeze, and you see probably one of the most interesting

we are looking at right now is basically the mshta.exe file which was executed from the kali Downloads folder. Well, that sounds interesting. Let's follow what was the next process created after that: it's our command line, cmd, and if you see, once cmd was executed we can see it was a PowerShell. So probably first we should investigate this machine a little bit further. If you look a little bit more closely you see like there's some command line already executed and there were lots of really similar actions to get some information about this machine, probably something like the architecture of the system, running from the Windows 10 folder, logs, releases, pictures, for me

okay. We can go to Admin, we can also delete all the nodes so we don't see anything else, and what we can do right now is just go to Admin again, load, let's say, our second data set and open it up. So lots and lots of nodes, a couple of seconds, it will be loaded, and it looks like this one, just freeze it. Let's have a look: this architecture, this is the hierarchy version, how it looks. We see some interesting stuff. You know what, let's change to Admin, let's change our jumps to three again and maximum nodes to 200, save changes, and this one without the name, which we

basically, if you go into processes you see there are lots and lots of processes, but like one has no name. Why? So you can submit it, we can see that, okay, that has been running from the user kali's Downloads, dnscat, that's the command. Let's make a circle, looks nicer. And there is some DNS server on 192.168.1.75, which showed there is some DNS request, so we just follow the nodes by three and you basically kind of start guessing, hey, what's probably happened. We can probably adjust our settings to, let's say, four to see one more hop, maybe we can see something interesting. So let's do it. Okay, that sounds interesting, so it seems

our application, dnscat, was executed from PowerShell, which was downloaded; it looks like there is a file just downloaded from our Explorer which may potentially run from here, who knows, that's the potential. But yeah, as you can see we kind of quickly identified that there is potentially something that has been done to this computer and it should be looked into a little bit further, which basically is what my tool is supposed to do. So that's basically demo time, and if you have any questions just reach out to me via Discord or Twitter, and thank you for watching, have a nice day.
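The graph idea the talk demonstrates, process nodes joined by parent/child relations plus DNS, file and network nodes hanging off them, walked a bounded number of hops from a node of interest, as an added Python example. This is not the speaker's Sysmon Graph tool (which is an HTML/JavaScript front end over Neo4j with a PowerShell collector); it is a stand-alone illustration of the same technique. The EVENTS list is constructed by hand to mirror the story of the second data set (Explorer, mshta.exe from Downloads, cmd, PowerShell, a dropped dnscat talking to 192.168.1.75) and is not real telemetry; field names follow Sysmon's EventData (Event IDs 1, 3, 11, 22), and `max_hops` and `max_nodes` play the role of the UI's "jump" and "maximum nodes" settings. Processes are keyed by ProcessGuid rather than PID because PIDs are reused.

```python
"""Sysmon events as a graph: build it, walk it a bounded number of hops,
recover a process's ancestry and hunt for a spawn pattern.
Added example, not the speaker's tool. EVENTS is constructed by hand
(not real telemetry); field names follow Sysmon's EventData."""
import ntpath
from collections import deque

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROP = r"C:\Users\kali\AppData\Local\Temp\dnscat.exe"


def _proc(guid, pid, image, parent_guid, parent_image, cmd, user=r"LAB\kali"):
    """Shorthand for a constructed Event ID 1 (process create) record."""
    return {"EventID": 1, "ProcessGuid": guid, "ProcessId": pid, "Image": image,
            "ParentProcessGuid": parent_guid, "ParentImage": parent_image,
            "CommandLine": cmd, "User": user}


# Constructed data set: explorer -> mshta (HTA from Downloads) -> cmd -> powershell,
# which resolves a name, drops dnscat.exe and runs it; chrome is the benign branch.
EVENTS = [
    _proc("P1", 4100, r"C:\Windows\explorer.exe", "P0", r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    _proc("P2", 5120, r"C:\Windows\System32\mshta.exe", "P1", r"C:\Windows\explorer.exe",
          r'mshta.exe "C:\Users\kali\Downloads\invoice.hta"'),
    _proc("P3", 5204, r"C:\Windows\System32\cmd.exe", "P2", r"C:\Windows\System32\mshta.exe",
          "cmd.exe /c powershell -w hidden -enc AAAA"),
    _proc("P4", 5330, PS, "P3", r"C:\Windows\System32\cmd.exe", "powershell -w hidden -enc AAAA"),
    {"EventID": 22, "ProcessGuid": "P4", "QueryName": "update.example.net"},
    {"EventID": 11, "ProcessGuid": "P4", "TargetFilename": DROP},
    _proc("P5", 5410, DROP, "P4", PS, "dnscat.exe 192.168.1.75"),
    {"EventID": 3, "ProcessGuid": "P5", "DestinationIp": "192.168.1.75", "DestinationPort": 53, "Protocol": "udp"},
    _proc("P6", 4420, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "P1",
          r"C:\Windows\explorer.exe", "chrome.exe"),
    {"EventID": 22, "ProcessGuid": "P6", "QueryName": "www.google.com"},
]


def build_graph(events):
    """Return (nodes, edges): nodes maps id -> attrs, edges is a set of (src, dst, relation)."""
    nodes, edges = {}, set()

    def node(nid, kind, label, **attrs):
        nodes.setdefault(nid, {"kind": kind, "label": label}).update(attrs)
        return nid

    for ev in events:
        pid, eid = ev["ProcessGuid"], ev["EventID"]
        if eid == 1:  # process create: one edge from parent to child
            node(pid, "process", ntpath.basename(ev["Image"]), image=ev["Image"],
                 pid=ev["ProcessId"], user=ev["User"], cmdline=ev["CommandLine"])
            parent = node(ev["ParentProcessGuid"], "process", ntpath.basename(ev["ParentImage"]))
            edges.add((parent, pid, "spawned"))
            continue
        node(pid, "process", "<unknown>")  # placeholder if no Event 1 was captured for this guid
        if eid == 3:
            dst = node(f"net:{ev['DestinationIp']}:{ev['DestinationPort']}/{ev['Protocol']}", "net",
                       f"{ev['DestinationIp']}:{ev['DestinationPort']}")
            edges.add((pid, dst, "connected"))
        elif eid == 11:
            dst = node("file:" + ev["TargetFilename"], "file", ntpath.basename(ev["TargetFilename"]))
            edges.add((pid, dst, "created"))
        elif eid == 22:
            dst = node("dns:" + ev["QueryName"], "dns", ev["QueryName"])
            edges.add((pid, dst, "queried"))
    return nodes, edges


def neighborhood(edges, start, max_hops, max_nodes=300):
    """Breadth-first walk from start, ignoring edge direction, stopping at max_hops
    or max_nodes (the UI's "jump" and "maximum nodes"). Returns id -> hop count."""
    adj = {}
    for src, dst, _ in edges:
        adj.setdefault(src, set()).add(dst)
        adj.setdefault(dst, set()).add(src)
    hops, queue = {start: 0}, deque([start])
    while queue:
        cur = queue.popleft()
        if hops[cur] >= max_hops:
            continue
        for nxt in sorted(adj.get(cur, ())):
            if nxt in hops:
                continue
            if len(hops) >= max_nodes:
                return hops
            hops[nxt] = hops[cur] + 1
            queue.append(nxt)
    return hops


def ancestry(nodes, edges, guid):
    """Image names from the root of the process tree down to guid."""
    parent_of = {dst: src for src, dst, rel in edges if rel == "spawned"}
    chain = [guid]
    while chain[-1] in parent_of and parent_of[chain[-1]] not in chain:
        chain.append(parent_of[chain[-1]])
    return [nodes[n]["label"] for n in reversed(chain)]


def find_spawn_chains(nodes, edges, pattern):
    """Processes-only view: every path of 'spawned' edges whose image names match
    pattern in order (case-insensitive), returned as lists of guids."""
    children = {}
    for src, dst, rel in edges:
        if rel == "spawned":
            children.setdefault(src, []).append(dst)
    want, hits = [p.lower() for p in pattern], []

    def walk(nid, depth, path):
        if nodes[nid]["label"].lower() != want[depth]:
            return
        path = path + [nid]
        if depth == len(want) - 1:
            hits.append(path)
            return
        for child in children.get(nid, []):
            walk(child, depth + 1, path)

    for nid, attrs in nodes.items():
        if attrs["kind"] == "process":
            walk(nid, 0, [])
    return hits
```

Walking two hops out from the dnscat node reaches only its parent PowerShell, the UDP connection, the DNS query and the dropped file; raising the hop limit to four, as the talk does, pulls in mshta.exe and Explorer and makes the delivery chain visible, while the node cap stops a noisy host from flooding the view. `find_spawn_chains` is the "just processes" button turned into a query: it ignores every non-process node and returns only guid paths matching a named spawn sequence, so the same check can be run over a full export rather than eyeballed.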