Last week (June 24th, 2020) Sysmon v11.10 was released as part of a lot of enhancements and features from Sysinternals tools.
It’s quite cool to have Sysinternals updates (in the form of videos) that summarize the features and fixes that have been added on the latest versions of Sysinternals tools. Since Sysmon is a member of this family, it is good to understand what other capabilities are being added that could help to detect threat actors and suspicious activities within the corporate networks.
Here is the video that contains the update from June:
The power of Sysmon Event ID 15 FileCreateStreamHash
As described in the original documentation Web Site “This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream. There are malware variants that drop their executables or configuration settings via browser downloads, and this event is aimed at capturing that based on the browser attaching a Zone.Identifier “mark of the web” stream.”
The latest Schema (4.23) provides the following definition for a FileCreateStreamHahs:
An important update from Sysmon v11.10 is the addition of the new field that captures alternate stream contents based on two main conditions:
- The alternate data stream content is text.
- The alternate data stream content length is less than 1 kilobyte in size.
As explained by Mark on the above video, this new addition is relevant because when downloading files from the Web, Web browsers attach a mark that contains the zone.identifier which at the end will report a string indicating the URL from where the file originally came from, which is an amazing feature that also contains the hashes from those alternate file streams and the primary file streams. When it comes to forensics investigations, this edition becomes quite relevant to identify from where malicious files are coming from.
But what is a zone.identifier anyway?
On his book Troubleshooting with the Windows Sysinternals Tools (page 91) the authors address the concept of Streams and alternate data streams:
Sysinternals Streams reports file-system objects that have alternate data streams (also sometimes called named streams) and, optionally, allows you to delete them. NTFS provides the ability for files and directories to have alternate data streams (ADSes). By default, a file has not ADSes and it is content is stored in its main unnamed stream….
The most apparent use of alternate data streams by Windows is with download files. Window’s Attachment Execution Services adds a Zone.Identifier stream that specifies the security zone from which a file was downloaded so that Windows can continue to treat that file as form the zone. One way to remove that indicator file is to open its Properties dialog in Explorer and click the Unblock button. However, the button and other user policies to remove security zones information are often hidden from users by Group Policy.
As described by Microsoft “URL security zones group URL namespaces according to their respective levels of trust. A URL policy setting for each URL action enforces these levels of trust. Administrators can customize the default URL security zones by changing the URL policy setting for each URL action, using the default URL security zone manager and URL security zone templates. Additionally, a supplied API provides developers with the tools to either interact with the default URL security zone manager or to create a custom URL security zone manager.”
What are those zones anyway?
The below diagram represents the URL zones available and it’s a respective identifier. For Internet-related downloads, we need to focus on Internet Zone.
Alternate Data Streams for threat detection
Now that we have some background on what an Alternate Data Stream is, let’s analyze how we can use this feature for detecting threats.
In this scenario, we are going to download the so-called eicar.exe virus definition, the download will occur from a Windows Server 2019 Datacenter.
If you are not familiar with it, EICAR is short for European Institute for Computer Anti-Virus Research and they have available an Anti-Malware Test File:
“This test file has been provided to EICAR for distribution as the „EICAR Standard Anti-Virus Test File“, and it satisfies all the criteria listed above. It is safe to pass around, because it is not a virus, and does not include any fragments of viral code. Most products react to it as if it were a virus (though they typically report it with an obvious name, such as „EICAR-AV-Test“)”.
We attempt to download the sample:
And now let’s see the Sysmon Events that were left behind: Note that the first event’s content contains the transfer zone identifier (3 in this case because it was a download from the internet).
Also note that the event also captures Indicators of Compromise of the file being downloaded such as MD5, SHA256, and IMPHASH.
Now let’s take a look at the second event: Since this is a small file, it matches the two conditions to populate the content field: the stream is a text and the length is less than one kilobyte in size.
Although it is not possible to determine the original URL from where this file is being downloaded from, still is quite relevant because:
- It also provides the Indicators of Compromise in the form of MD5, SHA256, and IMPHASH
- The content of the file itself can be used to do extra analysis and determine what could be happening behind scenes.
It seems like when eicar’s malware sample is being downloaded from Microsoft Edge, we have more visibility in terms of alternate stream content:
I have just asked Mark Russinovich about this behavior, let’s see if this is a configuration on IE or just something being available on modern Web browsers.
Downloading a larger file:
For the sake of a Proof of Concept, I wanted to download a larger file and understand the events Sysmon creates, so here we are downloading Fiddler Web Debugging Tool.
Like many other tools, Telerik does use a CDN or AWS bucket for downloading the file, that is a nice use to understand the download chain.
For downloading Fiddler, 8 FileCreatedHashStream events are left behind in the event log:
And the last event that was created allowed us to see the full place from where the file was downloaded from.
What happens with Internet Explorer 11 and this mechanism?
It seems like Internet Explorer 11 does not provide the same visibility as Edge does when the file is downloaded. I’m using an AWS instance of Windows Server 2018 Datacenter that brings with below IE version:
However, when downloading any file, the information extracted from the Windows Event Log does not provide major visibility. I tried to download Process Hacker withe IE to understand if it was possible to have the same visibility. Had I been paying attention I would have noticed that only two events are created.
It also seems like the captured information is not very useful for understanding from where the file was downloaded from.
We still have valuable indicators of compromise here that allow us to do some other research:
I might need to do further research on why IE does not provide the same visibility that modern Edge browser, it could just be a configuration setting on the former that needs to be set up to see such details. I will be digging a bit and updating this article respectively.
Sysmon is a very powerful tool and the Sysinternals team are doing an amazing job on empowering this tool with different mechanisms for detecting threat actors.
The latest release of Sysmon 11.10, enhancing the Event 15 to add the content, which will show the Zone Identifiers with URLs where files were originally downloaded from, creates a new avenue for implementing detection rules and to support Forensic Investigations when the objective is to have a clear understanding on files downloads.
I’m interested in the next steps and explore all the capabilities around the so-called Fileless attacks. Stay tuned!.