New Bypass against Sysmon-Modular: A Method for Permanent Access Without Creating Sysmon ID 3

In a recent development, a new bypass technique against Sysmon-Modular has been implemented, allowing for permanent access without triggering Sysmon Event ID 3. This method serves as an anti-forensic measure, ensuring persistence on a system without detection by traditional Sysmon configurations.

You Should Know:

1. Understanding Sysmon Event ID 3:

Sysmon Event ID 3 (NetworkConnect) is logged when a process makes a network connection. This event is central to detecting suspicious network activity, such as a persistence mechanism calling back to an attacker. The new bypass technique avoids generating this event, so defenders who rely on Event ID 3 alone will not see the malicious persistence.

2. Updated Sysmon-Modular Configuration:

The attacker mentioned updating the Sysmon-Modular configuration to avoid detection. This highlights the importance of regularly updating and customizing Sysmon configurations to adapt to evolving threats.

3. Persistence Techniques:

Persistence mechanisms often involve creating registry keys, scheduled tasks, or service installations. Below are some commands and techniques attackers might use:

  • Registry Key Creation:
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Backdoor" /t REG_SZ /d "C:\path\to\malware.exe"

  • Scheduled Task:
    schtasks /create /tn "PersistenceTask" /tr "C:\path\to\malware.exe" /sc onstart /ru SYSTEM

  • Service Installation:
    sc create "MalwareService" binPath= "C:\path\to\malware.exe" start= auto

4. Detecting Persistence:

To detect such persistence mechanisms, defenders can use the following commands:

  • Check Scheduled Tasks:
    schtasks /query /fo LIST /v

  • Check Registry for Auto-Run Entries:
    reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
    reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

  • List Services:
    sc query state= all

5. Sysmon Configuration Best Practices:

Ensure your Sysmon configuration is robust and up-to-date. Regularly review and update the configuration to include new detection rules and exclude benign activities to reduce noise.
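As an added illustration (not from the original post and not the sysmon-modular project's own rules), the following Sysmon configuration fragment catches the three persistence mechanisms listed in section 3 through events other than Event ID 3: registry autorun writes (Event ID 12/13) and process creation of schtasks/sc (Event ID 1). The rule group names and MITRE technique tags are my own choices in the tagging style sysmon-modular uses, and the schema version assumes Sysmon 15.

```xml
<!-- Constructed example config; merge into your own Sysmon/sysmon-modular config -->
<Sysmon schemaversion="4.90">
  <EventFiltering>

    <!-- Event ID 12/13: writes under any HKCU/HKLM ...\CurrentVersion\Run* key.
         "contains" also matches RunOnce and RunServices, so one rule covers them. -->
    <RuleGroup name="Persistence-RegistryAutorun" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject name="technique_id=T1547.001,technique_name=Registry Run Keys"
                      condition="contains">\CurrentVersion\Run</TargetObject>
      </RegistryEvent>
    </RuleGroup>

    <!-- Event ID 1: task and service creation via the built-in tools, logged
         regardless of whether the payload ever opens a network connection. -->
    <RuleGroup name="Persistence-ProcessCreate" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Rule name="technique_id=T1053.005,technique_name=Scheduled Task" groupRelation="and">
          <Image condition="end with">\schtasks.exe</Image>
          <CommandLine condition="contains">/create</CommandLine>
        </Rule>
        <Rule name="technique_id=T1543.003,technique_name=Windows Service" groupRelation="and">
          <Image condition="end with">\sc.exe</Image>
          <CommandLine condition="contains">create</CommandLine>
        </Rule>
      </ProcessCreate>
    </RuleGroup>

  </EventFiltering>
</Sysmon>
```

Load it with `sysmon64.exe -c <file>`, then write a harmless test value to HKCU\...\CurrentVersion\Run and confirm that an Event ID 13 with your rule name appears in the Microsoft-Windows-Sysmon/Operational log.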

What Undercode Say:

The new bypass technique against Sysmon-Modular underscores the importance of continuous monitoring and updating of security configurations. Defenders must stay vigilant and employ a multi-layered defense strategy to detect and mitigate such advanced persistence techniques. Regularly review system logs, update Sysmon configurations, and employ endpoint detection and response (EDR) solutions to enhance your security posture.

For further reading on Sysmon configurations and best practices, refer to the official Sysmon documentation.

References:

Reported By: Hassan Sohrabian – Hackers Feeds