Closed ceramicskate0 closed 4 years ago
Similar to issue https://github.com/ceramicskate0/SWELF/issues/88
(R&D) Notes for dev from the GitHub repo:
While Sysmon's driver can be renamed at installation, it is always loaded at altitude 385201. The objective of this tool is to challenge the assumption that our defensive tools are always collecting events. Shhmon locates and unloads the driver using this strategy:
Issue to be addressed after my OSCP. Recommend adding some of the info above to searchs.txt in the meantime. Sysmon does create an event for this that could be used to alert. All I plan to do is hard-code detection of the event into SWELF (NOT FIX IT FOR YOU).
Based on the POC at https://github.com/matterpreter/Shhmon, an uploaded bad Sysmon driver caused a crash of Sysmon. While the IOCs are there, the current integrity check SWELF does may not find this by default. This should be built into the app due to the reliance on Sysmon working. (SWELF will not fix or resolve the issue but should alert when it is found, per run.)
IOCs to add to the example Seachs.txt file, and Sysmon Event ID 255 to add into the application for sec_check():
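Added example, not SWELF's own code: a per-run check in the spirit of the sec_check() mentioned above that parses Windows event XML, flags Sysmon Event ID 255 (Sysmon's own error event) and also alerts when the Sysmon provider has gone silent, which is what an unloaded driver looks like from the log side. The XML records and the Event ID 255 EventData values are constructed samples; the 10-minute quiet window is an assumed threshold.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSMON = "Microsoft-Windows-Sysmon"

def parse_time(iso):
    # Windows event timestamps end in "Z"; normalise so fromisoformat accepts them on older Pythons
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def parse_event(xml_text):
    """Pull provider, EventID, timestamp and the EventData fields out of one event XML record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "id": int(system.find("e:EventID", NS).text),
        "time": parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        "data": {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)},
    }

def sec_check(events, now_iso, quiet_minutes=10):
    """Return alert strings for one run: every Sysmon Event ID 255 seen, plus one alert if
    no Sysmon event at all arrived in the last quiet_minutes (assumed threshold)."""
    alerts, last_seen = [], None
    for ev in map(parse_event, events):
        if ev["provider"] != SYSMON:
            continue  # other providers are not evidence either way
        last_seen = ev["time"] if last_seen is None else max(last_seen, ev["time"])
        if ev["id"] == 255:
            alerts.append("Sysmon Event ID 255 at %s: %s - %s" % (
                ev["time"].isoformat(), ev["data"].get("ID", "?"), ev["data"].get("Description", "")))
    if last_seen is None or parse_time(now_iso) - last_seen > timedelta(minutes=quiet_minutes):
        alerts.append("No Sysmon events in the last %d minutes; driver may be unloaded" % quiet_minutes)
    return alerts

# Constructed sample records (not real captures); the 255 EventData values are illustrative.
EVENT_XML = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
             '<System><Provider Name="{prov}"/><EventID>{id}</EventID>'
             '<TimeCreated SystemTime="{t}"/></System><EventData>{data}</EventData></Event>')
SAMPLE_EVENTS = [
    EVENT_XML.format(prov=SYSMON, id=1, t="2020-05-01T12:00:00.000Z",
                     data='<Data Name="Image">C:\\Windows\\System32\\notepad.exe</Data>'),
    EVENT_XML.format(prov="Microsoft-Windows-Security-Auditing", id=4624,
                     t="2020-05-01T12:00:30.000Z", data='<Data Name="LogonType">2</Data>'),
    EVENT_XML.format(prov=SYSMON, id=255, t="2020-05-01T12:01:30.000Z",
                     data='<Data Name="ID">DriverCommunication</Data>'
                          '<Data Name="Description">Failed to connect to the driver</Data>'),
]
```

Run it as `sec_check(SAMPLE_EVENTS, "2020-05-01T12:05:00Z")` to see the Event ID 255 alert; the silence alert fires on its own once `now_iso` is more than quiet_minutes past the last Sysmon record.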