Use Sysmon to determine the domain name resolution process


I. Overview

1. Usage scenarios

(1) Anti-virus software cannot remove the malware, and the user has no experience in finding the process file that corresponds to the malicious domain name resolution;

(2) Some malicious samples do not contact their command-and-control domain continuously. A request may come once an hour, once a day or once every few days. Sysmon can be used to review the event log afterwards and locate the responsible process file.

2. Scope of application

The method provided in this article is only used to locate the process file corresponding to the resolution of an IOC domain name. It is only valid for ordinary malicious samples that run as a separate process and do not rely on system processes; it does not apply to fileless samples or to samples that use thread injection.

II. Sysmon introduction

1. Introduction to Sysmon

Sysmon is a Windows system service and device driver. Once installed, it remains resident across system restarts, monitors system activity in real time and records it in the Windows event log. It provides detailed information about process creation, network connections and changes to file creation time.

We can analyze the event logs recorded by Sysmon and understand how intruders and malware run on the user's network.

2. Operating environment:

Client: Windows 7 and higher.

Server: Windows Server 2008 R2 and higher.

3. Sysmon function overview

(1) Logs process creation with the full command line of both the current and the parent process;

(2) Use SHA1 (default), MD5, SHA256 or IMPHASH to record the hash of the process image file;

(3) Multiple hashes can be used simultaneously;

(4) Includes a process GUID in process creation events so that events can still be correlated even when Windows reuses the process ID;
</gml_replace>
<gr_replace lines="45" cat="clarify" orig="(7) The log">
(7) Logs opens for raw read access of disks and volumes;

(5) A session GUID is included in each event to allow events to be associated on the same login session;

(6) Use signatures and hashes to record the loading of drivers or DLLs;

(7) The log is opened for raw read access to disks and volumes;

(8) (Optional) Records network connections, including the source process, IP addresses, port numbers, host names and port names of each connection;

(9) Detect the change in file creation time to understand when the file was actually created. Modifying the file creation timestamp is a technique commonly used by malware to cover its tracks;

(10) Automatically reloads the configuration if it is changed in the registry;

(11) Rule filtering to dynamically include or exclude certain events;

(12) Events are generated early in the boot process to capture the activities performed by even complex kernel-mode malware.

III. Sysmon installation

1. Sysmon download

Sysmon download address: https://docs.microsoft.com/zh-cn/sysinternals/downloads/sysmon

Configuration file download address: https://github.com/SwiftOnSecurity/sysmon-config

2. Sysmon installation

1. Open cmd or powershell with administrator rights and switch to the Sysmon program directory.

2. Run the Sysmon installer. After installation the service starts recording events immediately, and the driver is installed as a boot-start driver so that it captures activity from early in the boot process (the service writes those events to the event log when it starts).

sysmon.exe -i

3. Update the configuration file:

sysmon.exe -c sysmonconfig-export.xml
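By default Sysmon does not record DNS queries (Event ID 22); the event type has to be enabled in the configuration file. The SwiftOnSecurity configuration linked above already contains DnsQuery rules, so the following is only an added, stripped-down illustration of the one element that matters for this article, not code from the article or from the Sysmon project. It assumes sysmon.exe 10.0 or later (the release that added DnsQuery) in the current directory and that schema version 4.22 is accepted by that binary.

```powershell
# Added example: write a minimal Sysmon configuration that logs every DNS query
# (Event ID 22) and apply it. Run from an elevated PowerShell prompt.
# Assumptions: sysmon.exe >= 10.0 in the current directory; schemaversion 4.22.
$config = @'
<Sysmon schemaversion="4.22">
  <HashAlgorithms>SHA256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- onmatch="exclude" with no rules underneath excludes nothing, i.e. logs all DNS queries -->
      <DnsQuery onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path .\sysmon-dns.xml -Value $config -Encoding UTF8

# Fresh install: -accepteula suppresses the interactive licence prompt,
# -i installs the service and driver with the given configuration
.\sysmon.exe -accepteula -i .\sysmon-dns.xml

# If Sysmon is already installed, push the new configuration instead:
# .\sysmon.exe -c .\sysmon-dns.xml
```

A configuration this permissive logs every lookup on the host, which is fine for a short investigation on one machine; on a fleet, the exclusion rules in the SwiftOnSecurity file keep the log volume manageable.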

IV. Sysmon log analysis

1. Sysmon's event log is viewed in the Windows Event Viewer:

How to open the Event Viewer:

Method 1: Win + R -> run compmgmt.msc

Method 2: Right-click "Computer" -> Manage

2. The Sysmon event log is stored under:

Applications and Services Logs / Microsoft / Windows / Sysmon / Operational

3. Event analysis: we need to find the program that corresponds to the domain name resolution. For this test I use a browser to access a ransomware command-and-control domain:

1) Browser access to ransomware IOC domain name: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

2) Filter the Sysmon event log on Event ID 22, which identifies DNS query events. If necessary, the time range can be restricted as well:

3) Press Ctrl + F to search the filtered events for the IOC domain name:

4) The search result shows that the program requesting the domain name is the browser "TheWorld.exe", together with the domain name, PID, access time and so on. Once the process file that accesses the domain has been located, the file can be analyzed further or removed.
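The same search can be scripted instead of clicking through Event Viewer. The following is an added example, not code from the original article: it reads Event ID 22 (DnsQuery) records from the Sysmon Operational log, unpacks the EventData fields, keeps the entries whose QueryName contains the IOC domain from the article and prints the image path, PID and query time, then hashes each distinct image for further analysis. It assumes Sysmon 10 or later with DnsQuery logging enabled, an elevated PowerShell session, and a seven-day look-back window (the window is my own choice, not the article's).

```powershell
# Added example: locate the process that resolved an IOC domain via Sysmon Event ID 22.
# Assumptions: Sysmon >= 10 with DnsQuery enabled; run as administrator.
param(
    # IOC domain from the article
    [string]$Domain = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
    # Look-back window (assumption: 7 days); narrow it for large logs
    [datetime]$StartTime = (Get-Date).AddDays(-7)
)

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 22          # DnsQuery
    StartTime = $StartTime
}

# Get-WinEvent throws when nothing matches; SilentlyContinue turns that into an empty result
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Sysmon stores its fields as <EventData><Data Name="...">value</Data>; map them by name
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d['QueryName'] -like "*$Domain*") {
        [pscustomobject]@{
            UtcTime      = $d['UtcTime']
            Image        = $d['Image']
            ProcessId    = $d['ProcessId']
            QueryName    = $d['QueryName']
            QueryResults = $d['QueryResults']
        }
    }
}

if (-not $hits) {
    Write-Host "No DNS query events for $Domain since $StartTime"
    return
}

$hits | Sort-Object UtcTime | Format-Table -AutoSize

# Distinct image paths, hashed with SHA256 so they can be checked against threat intel
$hits | Select-Object -ExpandProperty Image -Unique | ForEach-Object {
    if (Test-Path -LiteralPath $_) { Get-FileHash -Algorithm SHA256 -LiteralPath $_ }
    else { Write-Host "Image no longer on disk: $_" }
}
```

Keep in mind the scope note from section I: a hit here identifies the image that issued the lookup, which is the injecting host process rather than the malware when thread injection is involved.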

V. Reference link

https://docs.microsoft.com/zh-cn/sysinternals/downloads/sysmon


Origin www.cnblogs.com/k1ng/p/12671932.html