sysmon-arangodb

Threat hunting with Sysmon and ArangoDB Graphs

Start database:

docker run -p 8529:8529 -e ARANGO_ROOT_PASSWORD=openSesame arangodb/arangodb:3.6.2

EVTX Logs: https://github.com/lab52io/Syspce/tree/master/Evtx From evtx to jsonl using evtx parser (https://github.com/omerbenamram/evtx)

With that we can process all our logs:

python3 arango_from_evtx.py

Simple query to detect a process started by explorer.exe (manually executed) that acces other process (EventID=10).

FOR startProcess IN SysmonProcess
    FILTER startProcess.Image == "C:\\Windows\\explorer.exe"
    FOR vertex, edge IN 1..4 OUTBOUND startProcess CreateNewProcess
        FOR evil, evilEdge IN 1 OUTBOUND vertex ProcessAccessed
            RETURN {
                "from" : vertex,
                "to" : evil,
                "condition" : evilEdge
            }

Result:

[
  {
    "from": {
      "_key": "1258",
      "_id": "SysmonProcess/1258",
      "_rev": "_aWOCMem---",
      "_name": "ProcessHacker.exe",
      "Image": "C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe",
      "ProcessId": 4852,
      "ProcessGuid": "21207A7E-6EED-5D77-0000-0010EF6E0A00",
      "User": "DESKTOP-CF2FLGA\\pula",
      "ProcessName": "ProcessHacker.exe",
      "LogonGuid": "21207A7E-6ECA-5D77-0000-0020885A0700",
      "Computer": "DESKTOP-CF2FLGA"
    },
    "to": {
      "_key": "551",
      "_id": "SysmonProcess/551",
      "_rev": "_aWOCLsC---",
      "_name": "lsass.exe",
      "Image": "C:\\Windows\\System32\\lsass.exe",
      "ProcessId": 748,
      "ProcessGuid": "21207A7E-6EBA-5D77-0000-00109C970000",
      "User": "NT AUTHORITY\\SYSTEM",
      "ProcessName": "lsass.exe",
      "LogonGuid": "21207A7E-6EBA-5D77-0000-0020E7030000",
      "Computer": "DESKTOP-CF2FLGA"
    },
    "condition": {
      "_key": "1267",
      "_id": "ProcessAccessed/1267",
      "_from": "SysmonProcess/1258",
      "_to": "SysmonProcess/551",
      "_rev": "_aWOCMfO---",
      "_name": "C:\\Windows\\SYSTEM32\\ntdll.dll+831ea|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+182af|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+86139|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+87da9|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+1e439|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+1167|C:\\Windows\\system32\\KERNEL32.DLL+1dea4|C:\\Windows\\SYSTEM32\\ntdll.dll+505ae|C:\\Windows\\SYSTEM32\\ntdll.dll+5057d",
      "UtcTime": "2019-09-10 09:37:50.058",
      "EventRecordID": 14280,
      "User": "S-1-5-18",
      "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+831ea|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+182af|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+86139|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+87da9|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+1e439|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+1167|C:\\Windows\\system32\\KERNEL32.DLL+1dea4|C:\\Windows\\SYSTEM32\\ntdll.dll+505ae|C:\\Windows\\SYSTEM32\\ntdll.dll+5057d",
      "TargetImage": "",
      "Computer": "DESKTOP-CF2FLGA"
    }
  },
  {
    "from": {
      "_key": "1258",
      "_id": "SysmonProcess/1258",
      "_rev": "_aWOCMem---",
      "_name": "ProcessHacker.exe",
      "Image": "C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe",
      "ProcessId": 4852,
      "ProcessGuid": "21207A7E-6EED-5D77-0000-0010EF6E0A00",
      "User": "DESKTOP-CF2FLGA\\pula",
      "ProcessName": "ProcessHacker.exe",
      "LogonGuid": "21207A7E-6ECA-5D77-0000-0020885A0700",
      "Computer": "DESKTOP-CF2FLGA"
    },
    "to": {
      "_key": "551",
      "_id": "SysmonProcess/551",
      "_rev": "_aWOCLsC---",
      "_name": "lsass.exe",
      "Image": "C:\\Windows\\System32\\lsass.exe",
      "ProcessId": 748,
      "ProcessGuid": "21207A7E-6EBA-5D77-0000-00109C970000",
      "User": "NT AUTHORITY\\SYSTEM",
      "ProcessName": "lsass.exe",
      "LogonGuid": "21207A7E-6EBA-5D77-0000-0020E7030000",
      "Computer": "DESKTOP-CF2FLGA"
    },
    "condition": {
      "_key": "1271",
      "_id": "ProcessAccessed/1271",
      "_from": "SysmonProcess/1258",
      "_to": "SysmonProcess/551",
      "_rev": "_aWOCMfi---",
      "_name": "C:\\Windows\\SYSTEM32\\ntdll.dll+831ea|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+182af|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+88900|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+1e439|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+1167|C:\\Windows\\system32\\KERNEL32.DLL+1dea4|C:\\Windows\\SYSTEM32\\ntdll.dll+505ae|C:\\Windows\\SYSTEM32\\ntdll.dll+5057d",
      "UtcTime": "2019-09-10 09:37:50.058",
      "EventRecordID": 14281,
      "User": "S-1-5-18",
      "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+831ea|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+182af|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+88900|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+1e439|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+1167|C:\\Windows\\system32\\KERNEL32.DLL+1dea4|C:\\Windows\\SYSTEM32\\ntdll.dll+505ae|C:\\Windows\\SYSTEM32\\ntdll.dll+5057d",
      "TargetImage": "",
      "Computer": "DESKTOP-CF2FLGA"
    }
  },
  {
    "from": {
      "_key": "1258",
      "_id": "SysmonProcess/1258",
      "_rev": "_aWOCMem---",
      "_name": "ProcessHacker.exe",
      "Image": "C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe",
      "ProcessId": 4852,
      "ProcessGuid": "21207A7E-6EED-5D77-0000-0010EF6E0A00",
      "User": "DESKTOP-CF2FLGA\\pula",
      "ProcessName": "ProcessHacker.exe",
      "LogonGuid": "21207A7E-6ECA-5D77-0000-0020885A0700",
      "Computer": "DESKTOP-CF2FLGA"
    },
    "to": {
      "_key": "551",
      "_id": "SysmonProcess/551",
      "_rev": "_aWOCLsC---",
      "_name": "lsass.exe",
      "Image": "C:\\Windows\\System32\\lsass.exe",
      "ProcessId": 748,
      "ProcessGuid": "21207A7E-6EBA-5D77-0000-00109C970000",
      "User": "NT AUTHORITY\\SYSTEM",
      "ProcessName": "lsass.exe",
      "LogonGuid": "21207A7E-6EBA-5D77-0000-0020E7030000",
      "Computer": "DESKTOP-CF2FLGA"
    },
    "condition": {
      "_key": "1275",
      "_id": "ProcessAccessed/1275",
      "_from": "SysmonProcess/1258",
      "_to": "SysmonProcess/551",
      "_rev": "_aWOCMfy---",
      "_name": "C:\\Windows\\SYSTEM32\\ntdll.dll+831ea|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+182af|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+85a25|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+85ee7|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+328ae|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+1167|C:\\Windows\\system32\\KERNEL32.DLL+1dea4|C:\\Windows\\SYSTEM32\\ntdll.dll+505ae|C:\\Windows\\SYSTEM32\\ntdll.dll+5057d",
      "UtcTime": "2019-09-10 09:37:50.089",
      "EventRecordID": 14282,
      "User": "S-1-5-18",
      "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+831ea|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+182af|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+85a25|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+85ee7|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+328ae|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+1167|C:\\Windows\\system32\\KERNEL32.DLL+1dea4|C:\\Windows\\SYSTEM32\\ntdll.dll+505ae|C:\\Windows\\SYSTEM32\\ntdll.dll+5057d",
      "TargetImage": "",
      "Computer": "DESKTOP-CF2FLGA"
    }
  },
  {
    "from": {
      "_key": "1258",
      "_id": "SysmonProcess/1258",
      "_rev": "_aWOCMem---",
      "_name": "ProcessHacker.exe",
      "Image": "C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe",
      "ProcessId": 4852,
      "ProcessGuid": "21207A7E-6EED-5D77-0000-0010EF6E0A00",
      "User": "DESKTOP-CF2FLGA\\pula",
      "ProcessName": "ProcessHacker.exe",
      "LogonGuid": "21207A7E-6ECA-5D77-0000-0020885A0700",
      "Computer": "DESKTOP-CF2FLGA"
    },
    "to": {
      "_key": "551",
      "_id": "SysmonProcess/551",
      "_rev": "_aWOCLsC---",
      "_name": "lsass.exe",
      "Image": "C:\\Windows\\System32\\lsass.exe",
      "ProcessId": 748,
      "ProcessGuid": "21207A7E-6EBA-5D77-0000-00109C970000",
      "User": "NT AUTHORITY\\SYSTEM",
      "ProcessName": "lsass.exe",
      "LogonGuid": "21207A7E-6EBA-5D77-0000-0020E7030000",
      "Computer": "DESKTOP-CF2FLGA"
    },
    "condition": {
      "_key": "1279",
      "_id": "ProcessAccessed/1279",
      "_from": "SysmonProcess/1258",
      "_to": "SysmonProcess/551",
      "_rev": "_aWOCMgC---",
      "_name": "C:\\Windows\\SYSTEM32\\ntdll.dll+831ea|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+182af|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+85ad6|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+85ee7|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+328ae|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+1167|C:\\Windows\\system32\\KERNEL32.DLL+1dea4|C:\\Windows\\SYSTEM32\\ntdll.dll+505ae|C:\\Windows\\SYSTEM32\\ntdll.dll+5057d",
      "UtcTime": "2019-09-10 09:37:50.104",
      "EventRecordID": 14283,
      "User": "S-1-5-18",
      "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+831ea|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+182af|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+85ad6|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+85ee7|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+328ae|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+1167|C:\\Windows\\system32\\KERNEL32.DLL+1dea4|C:\\Windows\\SYSTEM32\\ntdll.dll+505ae|C:\\Windows\\SYSTEM32\\ntdll.dll+5057d",
      "TargetImage": "",
      "Computer": "DESKTOP-CF2FLGA"
    }
  }
]

Name		Name	Last commit message	Last commit date
Latest commit History 2 Commits
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md
Sysmon-graph.png		Sysmon-graph.png
arango.py		arango.py
arango_from_evtx.py		arango_from_evtx.py
arango_sysmon.py		arango_sysmon.py
evtx_syspce.jsonl		evtx_syspce.jsonl
sysmon_cache.py		sysmon_cache.py
sysmon_exceptioner.py		sysmon_exceptioner.py
sysmon_ingest.py		sysmon_ingest.py

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

sysmon-arangodb

About

Releases

Packages

Languages

License

SecSamDev/sysmon-arangodb

Folders and files

Latest commit

History

Repository files navigation

sysmon-arangodb

About

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages