Add sysmon integ check feature addition #114

Closed
ceramicskate0 opened this issue Sep 19, 2019 · 3 comments
Assignees: ceramicskate0
Labels: App Enhancement (something to make the app better or change a current feature), New Feature (additional feature to add), Searching File Change (something that changes Searchs.txt in the repo), Security Enhancement (not a software vuln, but something that could/should be done to better protect the software)

Comments

@ceramicskate0 (Owner):

Based on the POC at https://github.com/matterpreter/Shhmon, an uploaded bad sysmon driver caused a crash of sysmon. While IOCs are there, the current integ check SWELF does may not by default find this. This should be built into the app due to reliance on sysmon working. (SWELF will not fix or resolve the issue but should alert when found per run.)

IOCs to add to the example Searchs.txt file and Sysmon Event ID 255 into the application for sec_check():

  • Sysmon Event ID 255 - Error message with a detail of DriverCommunication
  • Windows System Event ID 1 - From the source "FilterManager" stating File System Filter '<DriverName>' (Version 0.0, <Timestamp>) unloaded successfully.
  • Windows Security Event ID 4672 - SeLoadDriverPrivilege being granted to an account other than SYSTEM
  • Sysmon Event ID 1/Windows Security Event 4688 - Abnormal high-integrity process correlating with the driver unload. This event would be the last before the driver error in Sysmon
ceramicskate0 added the Security Enhancement and New Feature labels on Sep 19, 2019
ceramicskate0 self-assigned this on Sep 19, 2019
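The four IOCs above, turned into detection logic as an added example (this is not SWELF's code or its sec_check() implementation). Events are modelled as plain dicts with a log name, event ID, timestamp and a few named fields; those field names, the constructed sample events, and the five-minute correlation window are assumptions of this example, not SWELF's or Sysmon's schema. The fourth IOC is handled by enriching a Sysmon 255 alert with the last high-integrity process created before it.

```python
"""Detection logic for the Sysmon driver-unload IOCs listed in the issue.

Added example; not SWELF's code.  Events are constructed below as plain dicts
(log name, event ID, UTC timestamp and a few named fields) to stand in for
whatever the forwarder reads from the Windows Event Log; those field names are
an assumption of this example, not SWELF's or Sysmon's schema.
"""
import re
from datetime import datetime, timedelta

SYSMON_LOG = "Microsoft-Windows-Sysmon/Operational"
UNLOAD_RE = re.compile(
    r"File System Filter '(?P<driver>[^']+)' \(Version [^)]*\) unloaded successfully",
    re.IGNORECASE,
)
# Process-creation events that may sit immediately before the driver error.
PROCESS_CREATE = {(SYSMON_LOG, 1), ("Security", 4688)}


def check_event(ev):
    """Return an alert string for one event, or None if it matches no IOC."""
    key = (ev["log"], ev["id"])
    if key == (SYSMON_LOG, 255) and "DriverCommunication" in ev.get("description", ""):
        return "Sysmon 255: DriverCommunication error (driver unloaded or unreachable)"
    if key == ("System", 1) and ev.get("provider") == "FilterManager":
        m = UNLOAD_RE.search(ev.get("message", ""))
        if m:
            return f"System 1/FilterManager: filter '{m['driver']}' unloaded"
    if key == ("Security", 4672):
        # Strip a domain prefix such as NT AUTHORITY\ before comparing.
        account = ev.get("account", "").split("\\")[-1]
        if "SeLoadDriverPrivilege" in ev.get("privileges", []) and account.upper() != "SYSTEM":
            return f"Security 4672: SeLoadDriverPrivilege granted to {ev['account']}"
    return None


def last_high_integrity_process(events, before, window=timedelta(minutes=5)):
    """Latest high-integrity process creation in the window ending at `before`.

    The integrity field is assumed to be filled from Sysmon's IntegrityLevel
    (or the 4688 token elevation type); returns the event or None.
    """
    hits = [
        e for e in events
        if (e["log"], e["id"]) in PROCESS_CREATE
        and e.get("integrity") == "High"
        and before - window <= e["time"] <= before
    ]
    return max(hits, key=lambda e: e["time"]) if hits else None


def sec_check(events):
    """Run every check over a batch of events and return the alert strings.

    A Sysmon 255 alert is enriched with the last high-integrity process seen
    before it, which is the correlation the issue's fourth IOC describes.
    """
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for ev in events:
        alert = check_event(ev)
        if alert is None:
            continue
        if (ev["log"], ev["id"]) == (SYSMON_LOG, 255):
            proc = last_high_integrity_process(events, ev["time"])
            if proc:
                alert += f"; last high-integrity process: {proc['image']} (PID {proc['pid']})"
        alerts.append(alert)
    return alerts


T0 = datetime(2019, 9, 19, 14, 0, 0)
SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    {"log": "Security", "id": 4672, "time": T0, "account": "NT AUTHORITY\\SYSTEM",
     "privileges": ["SeLoadDriverPrivilege", "SeTcbPrivilege"]},
    {"log": "Security", "id": 4672, "time": T0 + timedelta(seconds=30),
     "account": "alice", "privileges": ["SeDebugPrivilege", "SeLoadDriverPrivilege"]},
    {"log": SYSMON_LOG, "id": 1, "time": T0 + timedelta(seconds=31), "integrity": "High",
     "image": "C:\\Users\\alice\\Shhmon.exe", "pid": 4242},
    {"log": "System", "id": 1, "provider": "FilterManager", "time": T0 + timedelta(seconds=32),
     "message": "File System Filter 'SysmonDrv' (Version 0.0, 2019-09-19T13:59:00Z) unloaded successfully."},
    {"log": SYSMON_LOG, "id": 255, "time": T0 + timedelta(seconds=33),
     "description": "DriverCommunication"},
    {"log": "System", "id": 1, "provider": "Service Control Manager",
     "time": T0 + timedelta(seconds=40), "message": "The Sysmon service entered the running state."},
]

if __name__ == "__main__":
    for line in sec_check(SAMPLE_EVENTS):
        print(line)
```

Run stand-alone, the sample batch produces three alerts: the non-SYSTEM 4672, the FilterManager unload naming SysmonDrv, and the Sysmon 255 error enriched with Shhmon.exe as the last high-integrity process. The SYSTEM 4672 and the unrelated System event produce nothing. Note that 4672 fires for SYSTEM constantly, so the account filter is what keeps that rule usable; the process-correlation window is a tuning knob, not a fixed value.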
@ceramicskate0 (Owner, Author):

Similar to issue #88

@ceramicskate0 (Owner, Author):

(R&D) Notes for dev, from the Shhmon GitHub repo:

While Sysmon's driver can be renamed at installation, it is always loaded at altitude 385201. The objective of this tool is to challenge the assumption that our defensive tools are always collecting events. Shhmon locates and unloads the driver using this strategy:

  1. Uses fltlib!FilterFindFirst and fltlib!FilterFindNext to enumerate drivers on the system in place of crawling the registry.
    2a. If a driver is found at altitude 385201, it uses kernel32!OpenProcessToken and advapi32!AdjustTokenPrivileges to grant itself SeLoadDriverPrivilege.
    2b. If a driver was not found at 385201, it walks HKLM\SYSTEM\CurrentControlSet\Services looking for a "Sysmon Instance" subkey and, if found, assigns the required permission as described above.
  3. If it was able to get the required privilege, it calls fltlib!FilterUnload to unload the driver.
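The defender-side counterpart of step 1 above, as an added example that is not part of SWELF or Shhmon: instead of enumerating minifilters to unload one, enumerate them to confirm a filter is still attached at Sysmon's fixed altitude 385201. It parses the table printed by the built-in `fltmc filters` command (the same data Shhmon reads through fltlib!FilterFindFirst/FilterFindNext) and keys on the altitude rather than the driver name, since the name can be changed at install time. The sample table is constructed; the column layout follows fltmc's usual output.

```python
"""Confirm that a minifilter is still attached at Sysmon's fixed altitude.

Added example; not part of SWELF or Shhmon.  Parses `fltmc filters` output
and looks for altitude 385201 instead of a driver name, because the Sysmon
driver can be renamed at install time but its altitude does not change.
"""
import re
import subprocess

SYSMON_ALTITUDE = "385201"
ALTITUDE_RE = re.compile(r"^\d+(\.\d+)?$")

# Constructed output in the layout fltmc prints; instance counts are illustrative.
SAMPLE_FLTMC_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
WdFilter                                3       328010         0
SysmonDrv                               3       385201         0
FileInfo                                3        40500         0
"""


def parse_fltmc(text):
    """Map filter name -> altitude string from `fltmc filters` output.

    Header and separator rows are dropped because their second-to-last
    column is not a numeric altitude.
    """
    filters = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and ALTITUDE_RE.match(parts[-2]):
            filters[parts[0]] = parts[-2]
    return filters


def sysmon_filter(filters, altitude=SYSMON_ALTITUDE):
    """Name of the filter loaded at Sysmon's altitude, or None if it is gone."""
    for name, alt in filters.items():
        if alt == altitude:
            return name
    return None


def live_check():
    """Run fltmc on a Windows host (elevated prompt required) and report.

    Returns (ok, detail).  On a non-Windows host, or without admin rights,
    fltmc is missing or fails; that is reported rather than raised so a
    scheduled check still produces a result.
    """
    try:
        out = subprocess.run(["fltmc", "filters"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError) as exc:
        return False, f"fltmc unavailable: {exc}"
    name = sysmon_filter(parse_fltmc(out))
    if name is None:
        return False, f"no minifilter at altitude {SYSMON_ALTITUDE}: Sysmon driver unloaded?"
    return True, f"Sysmon driver present as '{name}' at altitude {SYSMON_ALTITUDE}"


if __name__ == "__main__":
    print(sysmon_filter(parse_fltmc(SAMPLE_FLTMC_OUTPUT)))
    print(live_check())
```

`fltmc` needs an elevated prompt, so this runs under the same account the forwarder already uses for its per-run checks; a missing 385201 row is the live-state signal that complements the after-the-fact event-log IOCs, since a successful unload may also take the Sysmon 255 event with it.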

@ceramicskate0 (Owner, Author):

Issue to be addressed after my OSCP. Recommend adding some of the info above to searchs.txt in the meantime. Sysmon does create an event for this that could be used to alert. All I plan to do is hard-code detection of the event into SWELF (NOT FIX IT FOR YOU).

ceramicskate0 added the Searching File Change and App Enhancement labels on Jan 26, 2020