MicrosoftDocs / sysinternals

Content for sysinternals.com
http://sysinternals.com
Creative Commons Attribution 4.0 International

Sysmon Event ID 9: RawAccessRead - Add target file #495

Open davidpany opened 2 years ago

davidpany commented 2 years ago

Hi Sysmon team,

Is there a way to add in the file being targeted by an EID 9 RawAccessRead event? There seems to be quite a bit of legitimate activity happening from processes such as svchost.exe. Attackers regularly inject into svchost.exe which makes this not a very useful detection or log with the limited data available.

If there was a way to determine the file being accessed, it would allow for high fidelity filtering/alerting for files such as ntds.dit on domain controllers. This would also just be generally way more helpful because even if you see a tool such as RawCopy.exe accessing a file, investigators still have no log of what file the process accessed. To avoid an assumption, filtering on the target file would be great as well.

I have no idea how Sysmon does the monitoring but one solution may be to compare which data runs/clusters the raw file read accessed (if that data is available?) and look those up against $MFT data.

Thanks to @jwillyamz for the idea!

Thank you, sysmon team, for considering this request.

markrussinovich commented 2 years ago

Can you please share a log with the Svchost raw access read events?


davidpany commented 2 years ago

Hey Mark,

Here is a ZIP of an EVTX for you with a couple minutes of background data and some tests with C:\Users\FEMandiant\Desktop\RawCopy64.exe.

sysmontest.zip

For reference, here is a pivot table of Image Paths and counts recorded:

| Image Path | Count of Image Path |
| --- | --- |
| C:\Users\FEMandiant\Desktop\RawCopy64.exe | 9 |
| C:\Windows\System32\CompatTelRunner.exe | 18 |
| C:\Windows\System32\svchost.exe | 474 |
| C:\Windows\System32\usocoreworker.exe | 48 |
| C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | 12 |
| System | 30 |
| Grand Total | 591 |

Let me know what else I can do to support.

markrussinovich commented 2 years ago

What service(s) is running in that process?


davidpany commented 2 years ago

For the testing I just opened up cmd.exe and ran the command: C:\Users\FEMandiant\Desktop>RawCopy64.exe /FileNamePath:C:\$MFT

For reference, RawCopy is from https://github.com/jschicht/RawCopy. In real life investigations though the attacker has injected their malware into svchost.exe and accessed ntds.dit which is what we are trying to look for in the real world.

Let me know if I'm misunderstanding what you are looking for though.

markrussinovich commented 2 years ago

So the svchost raw access events aren’t from a svchost service, but from injected code?

There’s a ton of complexity reversing raw blocks to files, which is out of scope for Sysmon.


davidpany commented 2 years ago

In the test data I uploaded, the process RawCopy64.exe performed the raw access events. In real world scenarios, attackers could perform raw access events with their own processes or after they've injected into another process.

It makes sense that reversing the raw blocks back to the file that was accessed would be challenging. Unless there is some Windows API or something that does a lookup, I imagine you'd have to parse out the entire $MFT to identify the data blocks until you get a file path that matches. I'm no Windows programmer though so it could be way worse than that.

As a starting point, is it possible to resolve the Device # to the letter of the drive and list out the raw data blocks accessed? As a forensic analyst, I could then parse the $MFT to find what clusters the file used.
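The analyst-side lookup proposed in this thread, as an added example that is not from the thread, from Sysmon or from RawCopy: decode NTFS $MFT data runs into cluster extents, then map a raw volume read (byte offset and size, as an analyst would derive them from a block list) to the files whose extents it overlaps. The run lists, paths and 4 KiB cluster size are constructed sample values, not real $MFT contents.

```python
"""Analyst-side lookup: map a raw volume read back to files via $MFT data runs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Extent:
    lcn: int     # first logical cluster number of the run
    length: int  # number of clusters in the run


def decode_data_runs(runlist: bytes) -> list[Extent]:
    """Decode an NTFS non-resident attribute run list into on-disk extents.

    Each run is a header byte (low nibble: byte count of the run length,
    high nibble: byte count of the signed LCN delta), the little-endian
    length, then the delta relative to the previous run's LCN. A zero-size
    delta marks a sparse run, which owns no clusters on disk and is skipped.
    """
    extents, pos, lcn = [], 0, 0
    while pos < len(runlist) and runlist[pos] != 0:
        hdr = runlist[pos]
        len_sz, off_sz = hdr & 0x0F, hdr >> 4
        pos += 1
        length = int.from_bytes(runlist[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz == 0:
            continue  # sparse run: nothing on disk to map
        lcn += int.from_bytes(runlist[pos:pos + off_sz], "little", signed=True)
        pos += off_sz
        extents.append(Extent(lcn, length))
    return extents


def files_for_raw_read(offset: int, size: int, cluster_size: int,
                       mft: dict[str, list[Extent]]) -> list[str]:
    """Return the paths whose extents overlap the raw read [offset, offset+size)."""
    first, last = offset // cluster_size, (offset + size - 1) // cluster_size
    return sorted(path for path, extents in mft.items()
                  if any(e.lcn <= last and first <= e.lcn + e.length - 1 for e in extents))


# Constructed run lists for three files (not real $MFT contents); 4 KiB clusters.
CLUSTER_SIZE = 4096
SAMPLE_RUNS = {
    r"C:\$MFT": b"\x31\x40\x00\x0c\x00\x00",                                   # 64 clusters at LCN 3072
    r"C:\Windows\NTDS\ntds.dit": b"\x21\x10\x00\x20\x11\x08\x40\x00",          # LCN 8192 x16, then 8256 x8
    r"C:\Windows\System32\config\SAM": b"\x11\x04\x50\x01\x02\x11\x02\xf0\x00",  # 80 x4, sparse, 64 x2
}
SAMPLE_MFT = {path: decode_data_runs(runs) for path, runs in SAMPLE_RUNS.items()}

if __name__ == "__main__":
    # A 64 KiB raw read starting at cluster 8192 resolves to ntds.dit.
    print(files_for_raw_read(8192 * CLUSTER_SIZE, 65536, CLUSTER_SIZE, SAMPLE_MFT))
```

On a real volume the run lists come from each file's $DATA attribute in $MFT and the cluster size from the boot sector; the lookup is the same, which is why a Device number resolved to a drive letter plus the block ranges read is enough for an analyst to finish the job.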