HackTool - SysmonEOP Execution
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
|---|---|---|---|---|
| HackTool - SysmonEOP Execution | Standard | Windows | Privilege Escalation: Exploitation for Privilege Escalation (T1068) | Critical |
About the rule
Rule Type
Standard
Rule Description
Detects the execution of the proof-of-concept (PoC) tool that can be used to exploit Sysmon CVE-2022-41120.
Severity
Critical
Rule journey
Attack chain scenario
Initial access → Reconnaissance phase → Sysmon detection → Exploit execution → Privilege escalation → Persistence establishment
Impact
- Privilege escalation
- Logging bypass
- Detection evasion
- System compromise
Rule Requirement
Prerequisites
- Using Windows event viewer:
Log in to a domain controller with domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the appropriate OU, then enable "Audit Process Creation" and "Audit Process Termination" under Detailed Tracking with Success auditing. For deeper visibility, enable "Include command line in process creation events" under Audit Process Creation. Additionally, ensure the registry key Microsoft-Windows-Security-Auditing/Operational exists to support event logging.
- Using Sysmon:
Download and install Sysmon from Microsoft Sysinternals, then run it with administrator privileges using a configuration file that enables process creation monitoring. Use the command sysmon.exe -i [configfile.xml] and ensure the configuration captures all process creation events. Finally, verify that the Microsoft-Windows-Sysmon/Operational registry key exists to enable proper event logging.
Criteria
Action1: actionname = "Process started" AND (PROCESSNAME endswith "\SysmonEOP.exe" OR HASHES contains "IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5" OR HASHES contains "IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC")
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
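The criteria above, applied to Sysmon Event ID 1 (process creation) records as they appear in the Microsoft-Windows-Sysmon/Operational channel. This is an added example, not code from the original rule page or from the product that ships the rule: it parses the event XML, splits the Hashes field, and flags an event when the image name ends in \SysmonEOP.exe or the IMPHASH matches one of the two values in the rule. The sample events, their paths and their SHA256 values are constructed for illustration; the two IMPHASH values are the ones from the Criteria section.

```python
"""Added example: evaluate the SysmonEOP rule over Sysmon Event ID 1 XML records.
Not part of the original rule page; sample events below are constructed."""
import xml.etree.ElementTree as ET

# Indicators taken from the rule's Criteria section (compared case-insensitively).
SUSPECT_IMAGE_SUFFIX = "\\sysmoneop.exe"
SUSPECT_IMPHASHES = {
    "22f4089eb8aba31e1bb162c6d9bf72e5",
    "5123fa4c4384d431cd0d893eeb49bbec",
}

# Windows event XML lives in this default namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten one Sysmon event into {field name: value}, plus an integer EventID."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    fields = {"EventID": int(event_id) if event_id else None}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name", "")] = data.text or ""
    return fields


def parse_hashes(hashes_field: str) -> dict:
    """Split Sysmon's 'ALGO=hex,ALGO=hex' Hashes field into a dict.
    Keys are upper-cased algorithm names, values are lower-cased hex."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def matches_sysmoneop_rule(event: dict) -> bool:
    """Rule logic: process creation AND (image name matches OR IMPHASH matches).
    Event ID 1 is Sysmon's process-creation event; other IDs never match."""
    if event.get("EventID") != 1:
        return False
    image = event.get("Image", "").lower()
    imphash = parse_hashes(event.get("Hashes", "")).get("IMPHASH", "")
    return image.endswith(SUSPECT_IMAGE_SUFFIX) or imphash in SUSPECT_IMPHASHES


def scan_events(xml_events) -> list:
    """Return the rule's selected fields for every matching event."""
    alerts = []
    for xml_text in xml_events:
        ev = parse_sysmon_event(xml_text)
        if matches_sysmoneop_rule(ev):
            alerts.append({k: ev.get(k, "") for k in
                           ("Image", "CommandLine", "User", "ParentImage", "Hashes")})
    return alerts


def _event_xml(event_id, image, hashes, cmdline="", parent="", user=""):
    """Build a minimal Sysmon-style event (constructed; real events carry more fields)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="Image">{image}</Data>
    <Data Name="CommandLine">{cmdline}</Data>
    <Data Name="User">{user}</Data>
    <Data Name="Hashes">{hashes}</Data>
    <Data Name="ParentImage">{parent}</Data>
  </EventData>
</Event>"""


# Constructed sample events. SHA256 values are placeholders; IMPHASH values
# come from the rule (note Sysmon writes hex in upper case).
_FAKE_SHA256 = "SHA256=" + "0" * 64
SAMPLE_EVENTS = [
    # 1. Matches on image name even though the IMPHASH is unknown.
    _event_xml(1, r"C:\Users\lab\Desktop\SysmonEOP.exe",
               _FAKE_SHA256 + ",IMPHASH=" + "F" * 32,
               cmdline="SysmonEOP.exe", parent=r"C:\Windows\System32\cmd.exe", user="LAB\\user"),
    # 2. Renamed binary: matches on IMPHASH only.
    _event_xml(1, r"C:\Users\lab\AppData\Local\Temp\update.exe",
               _FAKE_SHA256 + ",IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5",
               cmdline="update.exe", parent=r"C:\Windows\explorer.exe", user="LAB\\user"),
    # 3. Benign process with an unrelated IMPHASH: no match.
    _event_xml(1, r"C:\Windows\System32\notepad.exe",
               _FAKE_SHA256 + ",IMPHASH=" + "A" * 32, cmdline="notepad.exe"),
    # 4. Same image name but a network-connection event (ID 3): not a process start.
    _event_xml(3, r"C:\Users\lab\Desktop\SysmonEOP.exe", _FAKE_SHA256),
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print("ALERT:", alert["Image"], "|", alert["Hashes"])
```

The IMPHASH branch only works if the Sysmon configuration's HashAlgorithms element includes IMPHASH (or `*`); with the default of SHA1 alone the Hashes field carries no IMPHASH and only the image-name branch of the rule can fire, which a renamed copy of the tool would evade.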
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
- Privilege Escalation: Exploitation for Privilege Escalation (T1068)
Security Standards
Enabling this rule will help you meet the requirements of the security standards listed below:
- NIST SP 800-53: SI-4 – System Monitoring
Monitors information system events to detect attacks and indicators of potential attacks.
Triggering this rule helps detect unauthorized exploitation attempts targeting Sysmon, enabling prompt response to suspicious system activity.
- NIST SP 800-53: SI-3 – Malicious Code Protection
Implements security safeguards against malicious code execution.
Triggering this rule identifies execution of known exploit tools like SysmonEOP, supporting protective actions against privilege escalation threats.
- NIST SP 800-53: AU-6 – Audit Review, Analysis, and Reporting
Analyzes and reports audit records to detect suspicious behavior.
Triggering this rule supports audit log analysis by capturing PoC tool usage related to CVE-2022-41120, improving visibility into exploit attempts.
- NIST SP 800-53: AC-6 – Least Privilege
Limits user access rights and privileges to the minimum necessary.
Triggering this rule helps enforce least privilege by detecting kernel-mode exploitation that could subvert Sysmon’s logging functionality.
- NIST SP 800-137: ISCM – Information Security Continuous Monitoring
Requires continuous monitoring to maintain situational awareness of security posture.
Triggering this rule contributes to continuous security monitoring by identifying real-time exploitation behavior targeting system monitoring tools.
Author
Florian Roth (Nextron Systems)
Future actions
Known False Positives
This rule is triggered when security researchers or red teamers execute the SysmonEOP PoC tool in a controlled environment for testing purposes. It may also be triggered during legitimate simulation exercises that validate exploit detection.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
- Containment: Isolate the affected system to prevent lateral movement and further exploitation of Sysmon or other services.
- Remediation: Patch the vulnerable Sysmon version (CVE-2022-41120) and validate that updated configurations and monitoring are correctly applied.
Mitigation
| Mitigation IDs | Mitigation Name | Description |
|---|---|---|
| M1048 | Application Isolation and Sandboxing | Limit adversaries’ ability to exploit unknown or unpatched vulnerabilities by implementing sandboxing techniques. Utilizing virtualization and application-level microsegmentation can further reduce the impact of certain exploit attempts. However, be aware that these systems may still have vulnerabilities that could be targeted. |
| M1038 | Execution Prevention | Consider preventing the execution of known vulnerable drivers that attackers could leverage to run code in kernel mode. Before rolling out in production, test driver block rules in audit mode to confirm system stability. |
| M1050 | Exploit Protection | Security solutions like Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can help mitigate exploitation techniques by detecting suspicious behavior patterns. Control Flow Integrity (CFI) checking adds another layer of protection by identifying and preventing abnormal code execution paths. However, the effectiveness of these protections may vary depending on the system architecture and the specific application binary, and they might not always prevent privilege escalation attacks. |
| M1019 | Threat Intelligence Program | Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. |
| M1051 | Update Software | Update software regularly by employing patch management for internal enterprise endpoints and servers. |