Bro-Sysmon: a tool that lets Bro-IDS (Bro) monitor endpoint activity on Windows

What is Bro-Sysmon?

Inspired by the Bro-OSQuery project (https://github.com/bro/bro-osquery), this tool was developed so that Bro-IDS (Bro) can monitor activity on Windows endpoints.

Source: https://github.com/salesforce/bro-sysmon/

Technology used

As more and more samples communicate over encryption, analysing the network traffic itself gets harder; JA3 and HASSH fingerprints supply hash values that still characterise the encrypted traffic. The fingerprint is derived from the client's handshake, so it changes with the configuration of the encryption library, the application itself, the underlying operating system, or the evasion technique in use.
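The following is an added example, not code from the original post or from the Bro-Sysmon project, showing how a JA3 string and hash are derived from a TLS ClientHello: `SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats`, each list joined with `-`, GREASE values dropped, then MD5. The ClientHello builder, its cipher suites, groups and SNI value are constructed test input; HASSH applies the same idea to the SSH KEXINIT and is not shown here.

```python
import hashlib
import struct


def _is_grease(value):
    """GREASE values (RFC 8701) look like 0x?a?a with equal bytes; JA3 drops them."""
    return (value & 0x0f0f) == 0x0a0a and (value >> 8) == (value & 0xff)


def build_client_hello(version, ciphers, groups, point_formats, sni=b"www.usualsusp3cts.com"):
    """Build a minimal TLS ClientHello record (a constructed input, not a real capture)."""
    name = struct.pack("!BH", 0, len(sni)) + sni                         # host_name entry
    exts = struct.pack("!HHH", 0x0000, len(name) + 2, len(name)) + name  # server_name
    grp = b"".join(struct.pack("!H", g) for g in groups)
    exts += struct.pack("!HHH", 0x000a, len(grp) + 2, len(grp)) + grp    # supported_groups
    fmt = bytes(point_formats)
    exts += struct.pack("!HHB", 0x000b, len(fmt) + 1, len(fmt)) + fmt    # ec_point_formats
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (struct.pack("!H", version) + b"\x00" * 32 + b"\x00"          # version, random, no session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"       # cipher suites, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def _u16s(buf):
    return [struct.unpack("!H", buf[i:i + 2])[0] for i in range(0, len(buf) - 1, 2)]


def ja3_string(record):
    """JA3 = SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats from a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs, p = record[5:], 4                                   # skip the 4-byte handshake header
    version = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2 + 32                                             # client_version, random
    p += 1 + hs[p]                                          # session_id
    n = struct.unpack("!H", hs[p:p + 2])[0]
    ciphers = _u16s(hs[p + 2:p + 2 + n])
    p += 2 + n
    p += 1 + hs[p]                                          # compression_methods
    exts, groups, formats = [], [], []
    if p + 2 <= len(hs):
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            data = hs[p + 4:p + 4 + elen]
            p += 4 + elen
            exts.append(etype)
            if etype == 0x000a:                             # supported_groups: u16 list length, u16 ids
                groups = _u16s(data[2:2 + struct.unpack("!H", data[:2])[0]])
            elif etype == 0x000b:                           # ec_point_formats: u8 list length, u8 ids
                formats = list(data[1:1 + data[0]])
    dash = lambda xs: "-".join(str(x) for x in xs if not _is_grease(x))
    return ",".join([str(version), dash(ciphers), dash(exts), dash(groups),
                     "-".join(str(f) for f in formats)])


def ja3_hash(record):
    """The JA3 fingerprint as logged in ssl.log: MD5 of the JA3 string."""
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


if __name__ == "__main__":
    hello = build_client_hello(0x0303, [0x1a1a, 0xc02b, 0xc02f, 0x009c], [0x2a2a, 0x001d, 0x0017], [0])
    print(ja3_string(hello), ja3_hash(hello))
    # Same client with one cipher suite removed: a different fingerprint.
    print(ja3_hash(build_client_hello(0x0303, [0xc02b, 0xc02f], [0x001d, 0x0017], [0])))
```

Two things worth noticing when running it: the GREASE entries a browser randomises do not change the hash, while dropping a single cipher suite does, which is why the same malware family tends to keep a stable JA3 and why a JA3 on its own still says nothing about which process on the host produced it.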

How it works

Bro-Sysmon focuses on tying Windows Sysmon Event ID 3 (network connection) to Bro's SSL/TLS analyzer, so that one log record carries the process ID, the executable path and the JA3 fingerprint of the same connection.

Example mapja3.log output created by the mapJA3-Proc.bro script:

DESKTOP-SHFK4CF 2836 192.168.200.100 53223 35.231.36.130 443 54328bd36c14bd82ddaa0c04b25ed9ad faa88e75a7471aaa07850841e28f87f1 www.usualsusp3cts.com C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe - CN=usualsusp3cts.com CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US

1. Obtain the Sysmon events as JSON-format logs.
2. A Python script reads the JSON-format log, establishes a connection to Bro, parses the JSON, turns each record into a Bro event and publishes it to the message bus.
3. Bro subscribes to the message bus and the events fire there.
4. Bro scripts handle these events. The Sysmon script writes the events it receives to disk; a further script performs the mapping of JA3 fingerprints to processes.

Use case

The C2 domain www.usualsusp3cts.com uses a TLS certificate, so the traffic is encrypted.

Example records from ssl.log:

1544648162.452073 CTbIwm1WsTyY0UVwD 192.168.200.100 53256 35.231.36.130 443 TLSv10 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA www.usualsusp3cts.com F - - T Fxm3n21gKDX2gxnK0e,FFzF7E3fy4C2Wa7qM3 (empty) CN=usualsusp3cts.com CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US - - ok 54328bd36c14bd82ddaa0c04b25ed9ad faa88e75a7471aaa07850841e28f87f1
1544648495.863132 C39S4l1DLLpknJSOh9 192.168.200.100 53267 35.231.36.130 443 TLSv10 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA www.usualsusp3cts.com F - - T Fi89Ii46H5HLo2tE6d,FP9n7QotVOK9ONPte (empty) CN=usualsusp3cts.com CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US - - ok 54328bd36c14bd82ddaa0c04b25ed9ad faa88e75a7471aaa07850841e28f87f1

The Sysmon event details supply the ProcessId and Image that generated the network traffic.

Putting this information together, an analyst can see the victim's command-and-control connection and the process behind it:

Source Address: 192.168.200.100
Destination Address: 35.231.36.130
Domain Name: www.usualsusp3cts.com
JA3: 54328bd36c14bd82ddaa0c04b25ed9ad
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

How are JA3 and HASSH fingerprints mapped to the application on the host?

Streaming events from the Windows host as JSON, rather than pulling event logs, brings the collection closer to real time. Below is the Sysmon Event ID 3 record from the victim host for process ID 3952, in JSON format:

"event_data": {
  "DestinationHostname": "130.36.231.35.bc.googleusercontent.com",
  "DestinationIp": "35.231.36.130",
  "DestinationIsIpv6": "false",
  "DestinationPort": "443",
  "DestinationPortName": "https",
  "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
  "Initiated": "true",
  "ProcessGuid": "{9A5530DB-7A19-5C11-0000-00105331C300}",
  "ProcessId": "3952",
  "Protocol": "tcp",
  "SourceHostname": "DESKTOP-SHFK4CF",
  "SourceIp": "192.168.200.100",
  "SourceIsIpv6": "false",
  "SourcePort": "53223",
  "User": "DESKTOP-SHFK4CF\\Kai",
  "UtcTime": "2018-12-11 04:52:43.748"
}

The connection information (PID, source IP, source port, destination IP, destination port) comes from this network connection event (Sysmon Event ID 3); the same four-tuple appears in Bro's connection record, which is what lets the two sides be joined.
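The join that steps 1 to 4 above and the Event ID 3 record describe, as an added example written for this page rather than code from the Bro-Sysmon project: ssl.log records are matched to Sysmon network-connection events on the (source IP, source port, destination IP, destination port) tuple, with a time window so that a source port reused later by another process is not attributed to the wrong image. The ssl.log text (trimmed to the columns the join needs), the two Sysmon records and their timestamps are constructed sample data; the real project does this inside Bro after the events arrive over the message bus, not in Python.

```python
import json
from datetime import datetime, timezone

# Constructed sample data (not captured from the page's host). SSL_LOG mimics
# Bro's tab-separated ssl.log with a "#fields" header; the column set is cut
# down to what the join needs. SYSMON_EVENTS are Event ID 3 records in the
# JSON shape shown above; the second one reuses the same 4-tuple hours earlier
# to show why a time window is needed.
SSL_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tserver_name"
    "\tsubject\tissuer\tja3\tja3s",
    "1544503963.901\tCTbIwm1WsTyY0UVwD\t192.168.200.100\t53223\t35.231.36.130\t443"
    "\twww.usualsusp3cts.com\tCN=usualsusp3cts.com"
    "\tCN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US"
    "\t54328bd36c14bd82ddaa0c04b25ed9ad\tfaa88e75a7471aaa07850841e28f87f1",
    "1544503970.115\tC39S4l1DLLpknJSOh9\t192.168.200.100\t53300\t93.184.216.34\t443"
    "\twww.example.com\t-\t-\t3b5074b1b5d032e5620f69f9f700ff0e\t-",
])

SYSMON_EVENTS = [json.loads(s) for s in [
    '{"event_id": 3, "event_data": {"SourceHostname": "DESKTOP-SHFK4CF", "SourceIp": "192.168.200.100", '
    '"SourcePort": "53223", "DestinationIp": "35.231.36.130", "DestinationPort": "443", "Protocol": "tcp", '
    '"Initiated": "true", "ProcessId": "3952", "User": "DESKTOP-SHFK4CF\\\\Kai", '
    '"Image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", '
    '"UtcTime": "2018-12-11 04:52:43.748"}}',
    '{"event_id": 3, "event_data": {"SourceHostname": "DESKTOP-SHFK4CF", "SourceIp": "192.168.200.100", '
    '"SourcePort": "53223", "DestinationIp": "35.231.36.130", "DestinationPort": "443", "Protocol": "tcp", '
    '"Initiated": "true", "ProcessId": "1200", "User": "DESKTOP-SHFK4CF\\\\Kai", '
    '"Image": "C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe", '
    '"UtcTime": "2018-12-11 01:10:00.000"}}',
]]


def parse_bro_log(text):
    """Yield one dict per record of a Bro ASCII log, keyed by its #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue
        else:
            yield dict(zip(fields, line.split("\t")))


def sysmon_utc_to_epoch(utc_time):
    """Sysmon UtcTime ('YYYY-MM-DD HH:MM:SS.mmm') to a Unix timestamp, comparable with Bro's ts."""
    dt = datetime.strptime(utc_time, "%Y-%m-%d %H:%M:%S.%f")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def conn_key(orig_h, orig_p, resp_h, resp_p):
    return (orig_h, int(orig_p), resp_h, int(resp_p))


def index_network_events(events):
    """Bucket outbound TCP Event ID 3 records by 4-tuple; a tuple can recur after port reuse."""
    index = {}
    for ev in events:
        d = ev.get("event_data", {})
        if ev.get("event_id") != 3 or d.get("Protocol") != "tcp" or d.get("Initiated") != "true":
            continue
        key = conn_key(d["SourceIp"], d["SourcePort"], d["DestinationIp"], d["DestinationPort"])
        index.setdefault(key, []).append(d)
    return index


def map_ja3_to_process(ssl_log_text, sysmon_events, window=30.0):
    """Join each ssl.log record to the Sysmon connect that preceded it within `window` seconds."""
    index = index_network_events(sysmon_events)
    rows = []
    for rec in parse_bro_log(ssl_log_text):
        key = conn_key(rec["id.orig_h"], rec["id.orig_p"], rec["id.resp_h"], rec["id.resp_p"])
        ts = float(rec["ts"])
        # Only connects at or before the handshake, and not too old: a stale entry whose
        # source port was reused would otherwise attribute the flow to the wrong process.
        candidates = [d for d in index.get(key, ())
                      if 0.0 <= ts - sysmon_utc_to_epoch(d["UtcTime"]) <= window]
        best = min(candidates, key=lambda d: ts - sysmon_utc_to_epoch(d["UtcTime"]), default=None)
        rows.append({
            "host": best["SourceHostname"] if best else "-",
            "pid": best["ProcessId"] if best else "-",
            "image": best["Image"] if best else "-",
            "user": best["User"] if best else "-",
            "orig_h": key[0], "orig_p": key[1], "resp_h": key[2], "resp_p": key[3],
            "ja3": rec["ja3"], "ja3s": rec["ja3s"], "server_name": rec["server_name"],
            "subject": rec["subject"], "issuer": rec["issuer"],
        })
    return rows


def format_row(row):
    """One tab-separated line in the spirit of the mapja3.log record shown earlier."""
    return "\t".join(str(row[k]) for k in ("host", "pid", "orig_h", "orig_p", "resp_h", "resp_p",
                                           "ja3", "ja3s", "server_name", "image", "user", "subject", "issuer"))


if __name__ == "__main__":
    for row in map_ja3_to_process(SSL_LOG, SYSMON_EVENTS):
        print(format_row(row))
```

The unmatched second flow is kept with `-` in the process columns on purpose: a TLS connection from a monitored host with no Sysmon connect event behind it is itself worth a look (missing Sysmon coverage, an event dropped in transit, or a host that is not running the agent).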


Source: www.cnblogs.com/17bdw/p/11739308.html