In-memory attacks have become a serious problem and the number of victims is increasing at a fast pace. Finding out the presence of the hacker in your system is difficult as hackers never write a file on the disk that is a usual way of hacking. They use in-memory instead which leaves little or no footprint in the event logs of the operating system. The perks of anti-viruses are effective only when hackers opt for malicious files on the disk, but they show no positive response when it comes to the in-memory scenario. Sysmon and Azure Security center is highly recommended to cater this problem. Here are the two valuable methods to detect the presence of malicious entities in your system with the help of Sysmon.

The user should understand the strategy of the hacker before looking for a solution. The image depicts the most common method hackers use to breach your security wall.

  1. Process Injection

Hackers email Microsoft Office Word document which asks the victim to enable macros and the malicious code is directly injected into verclsid.exe process space. Verclsid.exe is a trusted Window process and it’s necessary to stop the intrusion activity as early as possible.

  1. Process Interference

Once the attacker enters into the victim’s machine, he takes some measures to hide his presence from the victim. Here we take the example of Invoke-Phantom which uses inter-process Windows API calls that help the user to find out the threads associated with Windows Event Log Service. After completing this process, the hacker can easily hide his presence in the system and his activity won’t get logged.

How to Use Sysmon and Azure Security Service to Detect In-memory Attack?

The user can easily detect the aforementioned attacks by collecting and analyzing Sysmon events. Here are the three steps one needs to follow:

  • Install and Configure Sysmon

The above-mentioned attack techniques access the memory of one process and copy to another process. The memory is being modified in verclsid.exe and svchost.exe. Sysmon can detect such attacks once you download and install it as it determines the level and volume of logging. Use the following code for the configuration:

exampleSysmonConfig.xml:

<Sysmon schemaversion=”3.30″>

<EventFiltering>

<!– Restrict logging to access targeting svchost.exe and verclsid.exe –>

<ProcessAccess onmatch=”exclude”>

<TargetImage condition=”excludes”>verclsid.exe</TargetImage>

<TargetImage condition=”excludes”>svchost.exe</TargetImage>

</ProcessAccess>

<!– Process access requests with suspect privileged access,

or call trace indicative of unknown modules –>

<ProcessAccess onmatch=”include”>

<GrantedAccess condition=”is”>0x1F0FFF</GrantedAccess>

<GrantedAccess condition=”is”>0x1F1FFF</GrantedAccess>

<GrantedAccess condition=”is”>0x1F2FFF</GrantedAccess>

<GrantedAccess condition=”is”>0x1F3FFF</GrantedAccess>

<GrantedAccess condition=”is”>0x1FFFFF</GrantedAccess>

<CallTrace condition=”contains”>unknown</CallTrace>

</ProcessAccess>

</EventFiltering>

</Sysmon>

You can perform the installation with this code. sysmon.exe -i exampleSysmonConfig.xml

Or use this code as an alternative if you are using 64-bit version sysmon64.exe-i exampleSysmonConfig.xml.

  • Enable Collection of Sysmon Data

Azure Security Center keeps an eye on malicious activities and records the specific sets of events. You can check the data from Azure portal. Choose Advanced Settings from Log Analytics Workspace and then go to Data Sources in Log Analytics which is used to get details of many types of data for analytics. Add the following code to collect Sysmon event: Microsoft-Windows-Sysmon/Operational:

 

  • Define Custom Alerts

You can get customer alerts and new alerts from alert details and get data definition from ProcessAccess. Use the following query to get the complete information of every alert.

search “Microsoft-Windows-Sysmon/Operational” | where EventID==10

Likewise, you can view alerts in security center and take necessary action as well.