Sysmon logs Event ID 1 whenever a new process is created, observed from kernel space (the Sysmon driver on Windows, eBPF on Linux).
For every process Sysmon generates a ProcessGuid and a LogonGuid; on Windows it also hashes the main image of the process and reads the PE version metadata. The command line of the process is parsed and written to the event log. When storage permits, a common practice is to log all process creations and, after profiling normal usage, exclude the routine day-to-day Windows and application processes in the Sysmon configuration.
The fields on a process creation event are:
- RuleName -- Name of the Sysmon rule that matched the event, or "-" when no named rule matched.
- UtcTime -- Time of process creation, in UTC.
- ProcessGuid -- Unique process GUID generated by Sysmon.
- ProcessId -- Process ID represented as an integer.
- Image -- Full path of the executable image that was executed.
- FileVersion -- File version field from the image version metadata. (Windows only)
- Description -- Description field from the image version metadata. (Windows only)
- Product -- Product field from the image version metadata. (Windows only)
- Company -- Company field from the image version metadata. (Windows only)
- OriginalFileName -- Original file name from the image version metadata. It does not change when the file on disk is renamed, which makes it the field to check for renamed binaries. (Windows only)
- CommandLine -- Command line that executed the image.
- CurrentDirectory -- Working directory the image was executed from.
- User -- Name of the account that created the process (the child). On Windows it usually contains the domain name and the user name.
- LogonGuid -- Logon GUID of the user who created the new process.
- LogonId -- Logon ID of the user who created the new process.
- TerminalSessionId -- ID of the session the user belongs to.
- IntegrityLevel -- Integrity label assigned to the process. (Windows only; Sysmon for Linux reports "no level")
- Hashes -- Hashes of the image file, each prefixed with the name of the algorithm that produced it (the algorithms are selected by the HashAlgorithms setting in the Sysmon configuration). (Windows only)
- ParentProcessGuid -- ProcessGuid of the process that spawned/created the child process.
- ParentProcessId -- Process ID of the process that spawned/created the child process.
- ParentImage -- Full path of the image that spawned/created the child process.
- ParentCommandLine -- Command line of the parent process.
- ParentUser -- Name of the account the parent process runs as.
Sysmon offers an advantage over the built-in process auditing in Windows (Event ID 4688): it records the same information, adds the version metadata from the PE header, hashes the image so it can be correlated with IOC databases such as VirusTotal, and assigns GUIDs that are unique across PID reuse and reboots, which makes the events easy to join when querying. Note also that 4688 only includes the command line if the "Include command line in process creation events" audit policy is enabled; Sysmon always records it.
On Linux the advantage provided by Sysmon is that the data is structured in a way that makes it easier to parse and use in a SIEM. Below is the auditd record of the command "ping -c 3 8.8.8.8" (interpreted ausearch output). Note that a single execve is spread across several record types (PROCTITLE, PATH, CWD, EXECVE, SYSCALL) that share only the event serial, 1385 here, so the consumer has to join them back together and reassemble argv from a0..aN itself.
type=PROCTITLE msg=audit(10/26/2021 12:51:14.046:1385) : proctitle=-bash
type=PATH msg=audit(10/26/2021 12:51:14.046:1385) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=401163 dev=08:05 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(10/26/2021 12:51:14.046:1385) : item=0 name=/usr/bin/ping inode=394173 dev=08:05 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=net_raw cap_fi=none cap_fe=1 cap_fver=2 cap_frootid=0
type=CWD msg=audit(10/26/2021 12:51:14.046:1385) : cwd=/root
type=EXECVE msg=audit(10/26/2021 12:51:14.046:1385) : argc=4 a0=ping a1=-c a2=3 a3=8.8.8.8
type=SYSCALL msg=audit(10/26/2021 12:51:14.046:1385) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55c090caa2b0 a1=0x55c090ca9050 a2=0x55c090cb0750 a3=0x8 items=2 ppid=9313 pid=10184 auid=carlos uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=5 comm=ping exe=/usr/bin/ping subj=unconfined key=(null)
Here is the same command logged by Sysmon. Sysmon for Linux writes each event to syslog as a single line of XML; it is pretty-printed here for readability.
Oct 26 13:11:11 ubuntu sysmon: <Event>
  <System>
    <Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/>
    <EventID>1</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>1</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2021-10-26T20:11:11.156042000Z"/>
    <EventRecordID>216077</EventRecordID>
    <Correlation/>
    <Execution ProcessID="1032" ThreadID="1032"/>
    <Channel>Linux-Sysmon/Operational</Channel>
    <Computer>ubuntu</Computer>
    <Security UserId="0"/>
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2021-10-26 20:11:11.159</Data>
    <Data Name="ProcessGuid">{2424faa4-60df-6178-315b-20b68b550000}</Data>
    <Data Name="ProcessId">2669</Data>
    <Data Name="Image">/usr/bin/ping</Data>
    <Data Name="FileVersion">-</Data>
    <Data Name="Description">-</Data>
    <Data Name="Product">-</Data>
    <Data Name="Company">-</Data>
    <Data Name="OriginalFileName">-</Data>
    <Data Name="CommandLine">ping -c 3 8.8.8.8</Data>
    <Data Name="CurrentDirectory">/home/carlos/Desktop</Data>
    <Data Name="User">carlos</Data>
    <Data Name="LogonGuid">{2424faa4-0000-0000-e803-000000000000}</Data>
    <Data Name="LogonId">1000</Data>
    <Data Name="TerminalSessionId">3</Data>
    <Data Name="IntegrityLevel">no level</Data>
    <Data Name="Hashes">-</Data>
    <Data Name="ParentProcessGuid">{2424faa4-60b3-6178-0517-a76010560000}</Data>
    <Data Name="ParentProcessId">2641</Data>
    <Data Name="ParentImage">/usr/bin/bash</Data>
    <Data Name="ParentCommandLine">bash</Data>
    <Data Name="ParentUser">carlos</Data>
  </EventData>
</Event>
In addition, the ProcessGuid and LogonGuid are unique even after a PID or logon ID has been reused, so a child can be tied to its parent (ParentProcessGuid) and to the logon session long after the processes have exited, which makes correlation much quicker and more reliable than matching on PID and timestamp.
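As an added example (not code from the page or from the Sysmon project), the following Python parses both records above: it joins the auditd records that share serial 1385 and rebuilds argv from the EXECVE record, parses the Sysmon syslog line as XML into a flat dict, and then walks ParentProcessGuid links to recover the process ancestry. The auditd and Sysmon ping lines are copied from the page; the bash parent event, its timestamp and its ParentProcessGuid are constructed for the demonstration.

```python
"""Parse auditd (ausearch -i) and Sysmon for Linux process-creation records and
correlate Sysmon events by ProcessGuid / ParentProcessGuid."""
import re
import xml.etree.ElementTree as ET

# auditd records for "ping -c 3 8.8.8.8", copied from the page: one event serial
# (1385) spread over several record types.
AUDITD_LINES = """\
type=PROCTITLE msg=audit(10/26/2021 12:51:14.046:1385) : proctitle=-bash
type=PATH msg=audit(10/26/2021 12:51:14.046:1385) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=401163 dev=08:05 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(10/26/2021 12:51:14.046:1385) : item=0 name=/usr/bin/ping inode=394173 dev=08:05 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=net_raw cap_fi=none cap_fe=1 cap_fver=2 cap_frootid=0
type=CWD msg=audit(10/26/2021 12:51:14.046:1385) : cwd=/root
type=EXECVE msg=audit(10/26/2021 12:51:14.046:1385) : argc=4 a0=ping a1=-c a2=3 a3=8.8.8.8
type=SYSCALL msg=audit(10/26/2021 12:51:14.046:1385) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55c090caa2b0 a1=0x55c090ca9050 a2=0x55c090cb0750 a3=0x8 items=2 ppid=9313 pid=10184 auid=carlos uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=5 comm=ping exe=/usr/bin/ping subj=unconfined key=(null)
""".splitlines()

# Sysmon for Linux syslog line for the same command, copied from the page.
SYSMON_PING = 'Oct 26 13:11:11 ubuntu sysmon: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2021-10-26T20:11:11.156042000Z"/><EventRecordID>216077</EventRecordID><Correlation/><Execution ProcessID="1032" ThreadID="1032"/><Channel>Linux-Sysmon/Operational</Channel><Computer>ubuntu</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2021-10-26 20:11:11.159</Data><Data Name="ProcessGuid">{2424faa4-60df-6178-315b-20b68b550000}</Data><Data Name="ProcessId">2669</Data><Data Name="Image">/usr/bin/ping</Data><Data Name="FileVersion">-</Data><Data Name="Description">-</Data><Data Name="Product">-</Data><Data Name="Company">-</Data><Data Name="OriginalFileName">-</Data><Data Name="CommandLine">ping -c 3 8.8.8.8</Data><Data Name="CurrentDirectory">/home/carlos/Desktop</Data><Data Name="User">carlos</Data><Data Name="LogonGuid">{2424faa4-0000-0000-e803-000000000000}</Data><Data Name="LogonId">1000</Data><Data Name="TerminalSessionId">3</Data><Data Name="IntegrityLevel">no level</Data><Data Name="Hashes">-</Data><Data Name="ParentProcessGuid">{2424faa4-60b3-6178-0517-a76010560000}</Data><Data Name="ParentProcessId">2641</Data><Data Name="ParentImage">/usr/bin/bash</Data><Data Name="ParentCommandLine">bash</Data><Data Name="ParentUser">carlos</Data></EventData></Event>'

# Constructed (not from the page): a minimal Event ID 1 record for the bash parent,
# carrying the ProcessGuid that the ping event names as its ParentProcessGuid.
# Its own ParentProcessGuid is a placeholder that matches no event we have.
SYSMON_BASH = (
    'Oct 26 13:10:27 ubuntu sysmon: <Event><System><EventID>1</EventID></System>'
    '<EventData><Data Name="ProcessGuid">{2424faa4-60b3-6178-0517-a76010560000}</Data>'
    '<Data Name="ProcessId">2641</Data><Data Name="Image">/usr/bin/bash</Data>'
    '<Data Name="CommandLine">bash</Data><Data Name="User">carlos</Data>'
    '<Data Name="ParentProcessGuid">{00000000-0000-0000-0000-000000000000}</Data>'
    '</EventData></Event>'
)

AUDIT_RE = re.compile(r"^type=(\w+) msg=audit\((.+?):(\d+)\) : (.*)$")


def parse_auditd(lines):
    """Join the auditd records sharing one event serial into a dict per execve."""
    events = {}
    for line in lines:
        m = AUDIT_RE.match(line)
        if not m:
            continue
        rtype, _timestamp, serial, body = m.groups()
        kv = dict(tok.split("=", 1) for tok in body.split() if "=" in tok)
        ev = events.setdefault(serial, {})
        if rtype == "EXECVE":
            # argv is spread over a0..a(argc-1); reassemble it in index order.
            # Caveat: ausearch splits very long arguments into a2[0], a2[1], ...
            # chunks, which this minimal parser does not rejoin.
            argc = int(kv["argc"])
            ev["command"] = " ".join(kv[f"a{i}"] for i in range(argc))
        elif rtype == "SYSCALL" and kv.get("syscall") == "execve":
            ev.update(pid=kv["pid"], ppid=kv["ppid"], exe=kv["exe"],
                      uid=kv["uid"], auid=kv["auid"], success=kv["success"])
        elif rtype == "CWD":
            ev["cwd"] = kv["cwd"]
    return events


def parse_sysmon_syslog(line):
    """Parse one Sysmon for Linux syslog line into a flat dict of event fields."""
    root = ET.fromstring(line[line.index("<Event>"):])
    ev = {"EventID": int(root.findtext("System/EventID"))}
    for data in root.iter("Data"):          # every <Data Name="..."> in EventData
        ev[data.get("Name")] = data.text or ""
    return ev


def ancestry(events, guid):
    """Walk ParentProcessGuid links from a process up to the oldest known ancestor.
    GUIDs, unlike PIDs, are never reused, so the walk is safe across time."""
    by_guid = {e["ProcessGuid"]: e for e in events if e.get("EventID") == 1}
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        chain.append(by_guid[guid]["Image"])
        guid = by_guid[guid].get("ParentProcessGuid")
    return chain


if __name__ == "__main__":
    audit = parse_auditd(AUDITD_LINES)["1385"]
    sysmon = [parse_sysmon_syslog(l) for l in (SYSMON_PING, SYSMON_BASH)]
    print("auditd:", audit["exe"], "|", audit["command"], "| pid", audit["pid"], "ppid", audit["ppid"])
    print("sysmon:", sysmon[0]["Image"], "|", sysmon[0]["CommandLine"],
          "| pid", sysmon[0]["ProcessId"], "ppid", sysmon[0]["ParentProcessId"])
    print("chain :", " <- ".join(ancestry(sysmon, sysmon[0]["ProcessGuid"])))
```

Both parsers arrive at the same command line, but the auditd side has to stitch five records together and rebuild argv, while every Sysmon field is one XPath away and the GUID chain gives the parent without consulting PID tables that may already have been recycled.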