The logged event includes the SHA1 hash of the malicious file. We can see that the specimen began running as pand.exe (process ID 3936.) As expected, its parent was Explorer.EXE (process ID 1336). ParentCommandLine C:\Windows\Explorer.EXE System Monitor showed the following event: ProcessId 3936ĬommandLine "C:\Users\REM\Desktop\pand.exe"
I was curious how System Monitor would compare to other tools I use in the lab, namely Process Monitor and Wireshark.Īfter activating the tools, I ran the malicious executable pand.exe by double-clicking on it off the lab system's desktop. To experiment with System Monitor, I infected my laboratory system with a variant of Pandemiya malware. Using System Monitor to Track an Infection According to the tool's documentation, on older systems the events are written to the System event log. To view the events captured by System Monitor, open Event Viewer on the system ("eventvwr.exe") and navigate to Applications and Services Logs/Microsoft/Windows/Sysmon/Operational. You'll be asked to interactively accept the EULA, after which the tool will install itself and start running in the background. The "-n" parameter asks it to log network connections, in addition to capturing process and file creation time events. The "-i" parameter directs the tool to install its service and driver. Then, open the Administrator command prompt, change into that location (e.g., "cd C:\Program Files\Sysmon") and install the tool by running the command: sysmon -i -n To experiment with System Monitor in your lab, download the tool from its website and extract the the archive's contents into the desired folder (e.g., "C:\Program Files\Sysmon") of your Windows laboratory system. Let's take a look at the role that System Monitor might play in a malware analysis lab, possibly supplementing tools such as Process Monitor and Wireshark. This information can assist in troubleshooting and forensic analysis of the host where the tool was installed prior to the incident that's being investigated. System Monitor (Sysmon) is a new tool by Mark Russinovich and Thomas Garnier, designed to run in the Windows system's background, logging details related to process creation, network connections, and changes to file creation time. Immediately apply the skills and techniques learned in SANS courses, ranges, and summits
0 kommentar(er)
