Wednesday, July 18, 2018

Reduce Friction: extracting Sysmon logs with Joe Sandbox



Sysmon is a powerful tool for monitoring endpoints; it is free and can easily be installed on many machines. It creates lots of log messages and stores them in the Windows event log. Those logs are usually forwarded routinely to a central log server such as Graylog, where blue teams can easily search them:

To get meaningful search terms, blue teams often use sandboxes such as Joe Sandbox to analyze malware in depth. However, the IOCs generated by sandboxes are often not in a format that can be directly correlated with Sysmon events, so blue teams have to translate the IOCs by hand, which is a painful job. In addition, Sysmon event logs can serve as input for various other tools. For instance, they can easily be translated into Sigma rules, which allows the same search to be run across many other log sources.

To reduce friction and make the blue team's job less painful, we added Sysmon output to Joe Sandbox.

Using a Cookbook to generate Sysmon output


In order to get Sysmon logs you have to use a custom Cookbook, which first installs Sysmon. Cookbooks are small scripts that define how an analysis is executed; they give blue teams a way to fully customize a dynamic analysis. Let us have a look at our Sysmon cookbook:

In line 3 the cookbook specifies that the malware is executed on a sandbox named w7_1. On the submission page you will find a mapping of system names to system configurations:

In lines 7 to 16 Sysmon is installed. Please note that you can use any Sysmon config you like; there is no restriction. By default, the template from SwiftOnSecurity is used.

In lines 18 to 24 all the analysis engines are started, including the network and behavior engines.

In line 26 the sample is started, and in line 30 the cookbook sleeps for a maximum of two minutes. Right after that, the analysis engines are stopped and finally the machine is cleaned up.

Generate Sysmon Events for SmokeLoader


Let us take a concrete example and assume you want to verify if one of your hosts is infected by the latest SmokeLoader malware.

The cookbook is submitted together with the malware sample in the advanced tab:




In the generated analysis report, go to the explorer.exe process and then Sysmon Activities:







Joe Sandbox lists all the Sysmon event log entries in various formats. To construct your search query for Graylog, you can use the first three fields. For instance, you can easily search for LNK file creation by explorer:

You can also take the last field, copy it to a file and then use the evt2sigma converter to get a Sigma rule:

The Sigma rule can then be converted to various other formats:
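As an added example (not part of the original post and not Joe Sandbox's or evt2sigma's own code), the following Python script shows the two translation steps described above on a single Sysmon Event ID 11 (FileCreate) record: it builds a Graylog query from the EventID, Image and TargetFilename fields, and generalises the same event into a Sigma rule that matches on the image name and target extension instead of the exact paths. The event XML is constructed for this example (explorer.exe writing a LNK file into the Startup folder); the Graylog field names, the sample paths and GUID, the rule title and level, and the tiny selection evaluator are all assumptions, since real field names depend on how the Sysmon channel is shipped to Graylog.

```python
"""Added example: turn one Sysmon FileCreate event (Event ID 11) into a Graylog
search string and a Sigma rule, then check the rule against the event."""
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample event, shaped like a record exported from the
# Microsoft-Windows-Sysmon/Operational channel. GUIDs, paths and times are made up.
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>11</EventID>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>w7_1</Computer>
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2018-07-18 10:15:42.123</Data>
    <Data Name="ProcessGuid">{00000000-1111-2222-3333-444444444444}</Data>
    <Data Name="ProcessId">1456</Data>
    <Data Name="Image">C:\Windows\explorer.exe</Data>
    <Data Name="TargetFilename">C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk</Data>
    <Data Name="CreationUtcTime">2018-07-18 10:15:42.123</Data>
  </EventData>
</Event>"""


def parse_sysmon_event(xml_text):
    """Return (event_id, fields): the numeric EventID and a dict of EventData Name -> value."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find(f"{NS}System/{NS}EventID").text)
    fields = {d.get("Name"): (d.text or "") for d in root.iter(f"{NS}Data")}
    return event_id, fields


def escape_lucene(value):
    """Escape backslashes and quotes so the value survives inside a quoted Lucene phrase."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def graylog_query(event_id, fields, keys=("Image", "TargetFilename")):
    """Build a Graylog (Lucene syntax) query from EventID plus the chosen EventData fields.
    Assumption: the collector kept Sysmon's own EventData names as Graylog field names."""
    terms = [f"EventID:{event_id}"]
    terms += [f'{k}:"{escape_lucene(fields[k])}"' for k in keys]
    return " AND ".join(terms)


def sigma_rule(event_id, fields, title):
    """Generalise the concrete event into a Sigma rule: match on the image name and the
    target extension rather than full paths, which differ from host to host."""
    image_name = fields["Image"].rsplit("\\", 1)[-1]
    extension = fields["TargetFilename"].rsplit(".", 1)[-1].lower()
    return {
        "title": title,
        "status": "experimental",
        "logsource": {"product": "windows", "service": "sysmon"},
        "detection": {
            "selection": {
                "EventID": event_id,
                "Image|endswith": "\\" + image_name,
                "TargetFilename|endswith": "." + extension,
            },
            "condition": "selection",
        },
        "level": "medium",
    }


def matches_selection(selection, event_id, fields):
    """Toy evaluator (not Sigma's): plain equality or the |endswith modifier, case-insensitive."""
    for key, expected in selection.items():
        name, _, modifier = key.partition("|")
        actual = str(event_id) if name == "EventID" else fields.get(name, "")
        if modifier == "endswith":
            if not actual.lower().endswith(str(expected).lower()):
                return False
        elif actual != str(expected):
            return False
    return True


def to_yaml(obj, indent=0):
    """Serialise the nested dict as YAML lines; strings are single-quoted so backslashes stay literal."""
    lines = []
    pad = "  " * indent
    for key, value in obj.items():
        if isinstance(value, dict):
            lines.append(f"{pad}{key}:")
            lines.extend(to_yaml(value, indent + 1))
        elif isinstance(value, int):
            lines.append(f"{pad}{key}: {value}")
        else:
            quoted = "'" + value.replace("'", "''") + "'"
            lines.append(f"{pad}{key}: {quoted}")
    return lines


if __name__ == "__main__":
    eid, data = parse_sysmon_event(SAMPLE_EVENT_XML)
    print(graylog_query(eid, data))
    rule = sigma_rule(eid, data, "LNK file created by explorer.exe (derived from sandbox run)")
    print("\n".join(to_yaml(rule)))
    print("rule matches sample event:", matches_selection(rule["detection"]["selection"], eid, data))
```

The Graylog query keeps the full paths, which is what you want when hunting for one specific sample on your hosts; the Sigma rule deliberately drops them and keeps only the `\explorer.exe` suffix and the `.lnk` extension so that the same rule fires on any host and user profile. The Sigma `|endswith` modifier is the real Sigma syntax; the evaluator in the block only exists to show the rule matching the event and is not a replacement for sigmac or a SIEM.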


Cookbooks - Agile Malware Analysis


Thanks to Cookbooks, blue teams benefit from full customization of the malware analysis. Installing Sysmon is just one example. By using our Cookbook technology, analysts can easily:

  • Accelerate system time and date
  • Change keyboard layouts
  • Change the DNS server
  • Simulate USB memory sticks
  • Browse URLs on Chrome or Firefox
  • Execute multipart malware
  • Install their custom tools


Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!