Sysmon doing lines

October 2, 2017 in Anti-Forensics, EDR, Forensic Analysis, Incident Response, Malware Analysis

This is just an experiment I ran today to see if I could fool sysmon (or more specifically: any program that parses sysmon logs, or users viewing the sysmon logs in the Event Viewer) into doing an extra line, or two… .

What if…

…the command line of the spawn process (calculator in this case) looked like a part of the Event Log itself? Something along these lines :

calc

 CurrentDirectory: C:\non-existing\
 User: test-pc\user
 LogonGuid: {15a1393e-e37e-58de-0000-0020e0940300}
 LogonId: 0x394E0
 TerminalSessionId: 1
 IntegrityLevel: High
 Hashes: SHA1=2E391131F9B77A8EC0E0172113692F9E2CCCEAF0
 ParentProcessGuid: {15a1393e-97f2-59d2-0000-0010a4d8a500}
 ParentProcessId: 666
 ParentImage: C:\windows\system32\calc.exe

Obviously, you can’t run it from a command line, you need a program to run it for you using the CreateProcess API.

The result would be like this:

So… when the data is previewed, the user can (at least for a moment) believe the calc.exe was indeed spawn by the process ID 666 and parent process is calc.exe (which on its own is kinda difficult), and the current directory is c:\non-existing.

Programs exporting logs into CSV/TXT could get potentially fooled too as the injected data lines up with expected logs and a possible state machine parsing them could be fooled; one could potentially inject a number of such fake logs and potentially disturb the log parsing process and create some funny, non-existing process-tree scenario.

Share this :)

Comments are closed.