Find Malwares Using Sysmon in Linux

I am planning to install Sysmon on the Ubuntu distribution. If you are going to do this on a different Linux distribution, you can follow the steps in the link below.

So, let’s start to install Sysmon


wget -q$(lsb_release -rs)/packages-microsoft-prod.deb -O packages-microsoft-prod.deb


sudo dpkg -i packages-microsoft-prod.deb


sudo apt-get update


sudo apt-get install sysmonforlinux

If you receive the following error at this stage, try the next step.

5. Note: Only try this step if you get an error in step 4.

sudo apt-get install sysmonforlinux --fix-broken

At this point, Sysmon has been installed, but sysmon also works with a config file. The relevant config file also indicates which logs sysmon will collect. You can obtain a basic Sysmon Config file from the link below.

Then we can import our config file with the relevant command.

sysmon -accepteula -i sysmon-linux-sample-config.xml

After this stage, Sysmon starts writing its logs to its own log file. We can use the following command to see the logs it writes in real time.

tail -f /var/log/syslog

If we need to examine an example log, as we see, the Event ID appears to be 3. If Event ID is 3, it means that a TCP connection has been started. Besides, specifically for this log;

->Protocol used,
->With which User it was done,
->Whether the connection was established successfully or not,
->Information such as Source IP, Source Port, Dest IP, Dest Port information are provided to us.

In addition, you can access information about what other Event IDs mean in the table below.

1ProcessCreateProcess Create
2FileCreateTime File creation time
3NetworkConnect Network connection detected
4n/aSysmon service state change (cannot be filtered)
5ProcessTerminate Process terminated
6DriverLoad Driver Loaded
7ImageLoad Image loaded
8CreateRemoteThread CreateRemoteThread detected
9RawAccessRead RawAccessRead detected
10ProcessAccessProcess accessed
11FileCreateFile created
12RegistryEventRegistry object added or deleted
13RegistryEventRegistry value set
14RegistryEventRegistry object renamed
15FileCreateStreamHashFile stream created
16n/aSysmon configuration change (cannot be filtered)
17PipeEventNamed pipe created
18PipeEventNamed pipe connected
19WmiEventWMI filter
20WmiEventWMI consumer
21WmiEventWMI consumer filter
22DNSQueryDNS query
23FileDeleteFile Delete archived
24ClipboardChangeNew content in the clipboard
25ProcessTamperingProcess image change
26FileDeleteDetectedFile Delete logged
27FileBlockExecutableFile Block Executable
28FileBlockShreddingFile Block Shredding
29FileExecutableDetectedFile Executable Detected
Table Source:

Now, let’s observe what kind of activities a malicious file performs on Linux with Sysmon.

When we look at the logs, we see some events with ID 23. As we can confirm from the table above, event ID number 23 means file deletion. When we look at some of the deleted files, they are binary files such as reboot, shutdown, halt, poweroff. The reason why the malware deletes these may be to increase its control over the endpoint and prevent the endpoint from being closed or restarted.

When we continue to examine the logs, we see that many 3 ID events occur.

It is observed that SYN packets, which are the first packets of TCP connections, are sent to different IPs.

In other words, this malware apparently prevents the system administrator or endpoint owner from accessing functions such as rebooting and shutting down the system after a virus infection, and then initiates a TCP handshake to many different IPs, increasing resource consumption to fill the host’s bandwidth and use system memory. may be aiming for. Because the size of a SYN packet in memory is approximately 62 bytes.

As a result, we can examine activities with Sysmon on Linux endpoints, as we can on Windows endpoints, and provide a layer of visibility for malicious activities.







Leave a Reply

Your email address will not be published. Required fields are marked *