
Using Sysmon to Block Files and Send Alerts to Slack Using a Webhook

All of this knowledge comes from the IPPSEC YouTube channel; there is a video covering what I have written below.

This blog is for people who are too lazy to watch the video; you can copy-paste and get it done with this. I also recommend that you watch the video.

Create a Slack account and make a private channel that will be used to receive the alerts. Make sure your channel is private, because you don't want your data available publicly.

After that, in Integrations select Add an App, search for the webhook app and install it.

After installing, select Configuration; there you can select the channel you would like to receive alerts on.

Take note of your webhook URL; we will need it to send alerts. It looks similar to this:

https://hooks.slack.com/services/[end of your webhook url]
  1. The Slack side is done; now we need to set up Sysmon. Download Sysmon and place it in System32 (or in any directory that is on your PATH).
  2. Download the Sysmon rules from Florian Roth's sysmon-config GitHub repo; the file you need is sysmonconfig-export-block.xml.
  3. Edit the XML file according to your requirements, enabling the rules you want enforced.
  4. Make sure both sysmonconfig-export-block.xml and Sysmon64.exe are in C:\Windows\System32\.
  5. Run Command Prompt as Administrator and execute this command:
Microsoft Windows [Version 10.0.19044.2006]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>Sysmon64.exe -i sysmonconfig-export-block.xml

You will get a success message in cmd. It can also be checked in Event Viewer under:

Applications and Services Logs  🠲  Microsoft   🠲  Windows  🠲  Sysmon

There we can see the newly added events. Now we need to send an alert to Slack; for that we create a new task in Task Scheduler.
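Before wiring up Task Scheduler it is worth confirming that block events are actually being written and that the three fields the task will forward (User, Image, TargetFilename) are present. The snippet below is an added example, not code from the original post or from the IPPSEC video; it assumes Sysmon is installed with a configuration that contains FileBlockExecutable rules and that at least one block has occurred.

```powershell
# Added example (not from the original post): list recent Sysmon FileBlockExecutable
# events (Event ID 27) and extract the fields the scheduled task will later forward.
# Assumes Sysmon is installed with a config containing FileBlockExecutable rules.
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 27 }

# Get-WinEvent throws when the log holds no matching events; suppress that so the
# command simply prints nothing when no file has been blocked yet.
Get-WinEvent -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Each event's payload is a list of EventData/Data elements keyed by the
        # Name attribute, the same path the <ValueQueries> XPath expressions use.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time           = $_.TimeCreated
            User           = $data['User']
            Image          = $data['Image']
            TargetFilename = $data['TargetFilename']
        }
    } | Format-Table -AutoSize
```

If the table is empty, write a blocked file type to disk first (the post's final step does this with curl) and re-run the query; if the columns come back empty, the field names in your Sysmon version differ from the ones used in the ValueQueries and must be adjusted there.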

  1. Go to Task Scheduler, click Task Scheduler Library in the right side panel, right-click and select Create New Task.
  2. The task should run as SYSTEM and with highest privileges.
  3. In the Triggers tab, create a new trigger.
  • Begin the task should be set to On an event.
  • In Settings choose Custom and browse for the event, which can again be found in Applications and Services Logs  🠲  Microsoft   🠲  Windows  🠲  Sysmon.
  • After selecting the correct event we need to edit the filter again: a blocked file triggers Event ID 27, so we manually edit the XML as shown below.
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">
      *[System[EventID='27']]
    </Select>
  </Query>
</QueryList>
  • After adding the details, export the task, open it with Notepad++ or your preferred text editor and add the XML below. It should be added right after the closing </Subscription> tag.
<ValueQueries>
  <Value name="User">Event/EventData/Data[@Name="User"]</Value>
  <Value name="Image">Event/EventData/Data[@Name="Image"]</Value>
  <Value name="TargetFilename">Event/EventData/Data[@Name="TargetFilename"]</Value>
</ValueQueries>
  4. The trigger is in place; now we add the Action to perform when the event fires, which is our Slack alert.
  • Create a PowerShell script that sends the alert to Slack. You can test whether it works by running it from PowerShell.
# Positional arguments: user, blocked filename, image (process) that attempted the write
$u = $args[0]
$fn = $args[1]
$i = $args[2]
# Build the message body; `n is a newline inside a double-quoted string
$msg = "Hostname: ${env:computername}`nUsername: ${u}`nFilename: ${fn}`nProcess: ${i}"
$body = ConvertTo-Json @{
	pretext = "File Save Blocked"
	text = $msg
	icon_emoji = "ghost"
}
# Post the JSON payload to the Slack incoming webhook
Invoke-RestMethod https://hooks.slack.com/services/[your webhook url] -Method Post -Body $body -ContentType 'application/json'
  • Save the file as .ps1 and run it with 3 arguments; it will send the data to Slack.
powershell.exe -ExecutionPolicy Bypass -F C:\Users\BaseUser\Desktop\test.ps1 abcd test random
  • Since the code is working, we modify it so the parameters are supplied automatically and the details are sent to Slack. The modified code is below.
# Task Scheduler hands over one string in the form User@TargetFilename@Image
param
(
	[Parameter(Mandatory)]
	[string]
	$Test
)
# Split the single argument back into its three fields
$u, $fn, $i = $Test -Split "@"
$msg = "Hostname: ${env:computername}`nUsername: ${u}`nFilename: ${fn}`nProcess: ${i}"
$body = ConvertTo-Json @{
	username = "Bot"
	pretext = "File Save Blocked"
	text = $msg
	icon_emoji = "ghost"
}
# Post the JSON payload to the Slack incoming webhook
Invoke-RestMethod https://hooks.slack.com/services/[your webhook url] -Method Post -Body $body -ContentType 'application/json'
  • This modified code cannot be inserted into Actions as it is; we need to encode it.
  • The encoded text needs some additional detail added around it, as below, and then it is final.
/c "echo $(User)@$(TargetFilename)@$(Image) | powershell -nop -enc [base64-encoded script]"
  • Insert the above into Actions, and select cmd.exe as the Program/script.

5. Try to trigger the event by downloading a file with curl and saving it in Downloads.
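The post does not show how the encoded text for the Actions tab is produced. The snippet below is an added example, not code from the original post or from the IPPSEC video: it Base64-encodes the saved alert script the way `powershell -enc` expects (UTF-16LE, not UTF-8, which is the usual cause of a "not a valid Base-64 string" error), assembles the full cmd.exe argument string around it, and checks that the encoding round-trips. The script path is an assumption; point it at wherever you saved the modified .ps1.

```powershell
# Added example (not from the original post): build the argument string for the
# Task Scheduler action from the saved alert script.
# The path below is an assumption; replace it with your own script location.
$scriptPath = 'C:\Users\BaseUser\Desktop\slack-alert.ps1'

# -EncodedCommand expects the script as UTF-16LE bytes, Base64-encoded.
$source  = Get-Content -Path $scriptPath -Raw
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($source))

# Task Scheduler substitutes $(User), $(TargetFilename) and $(Image) from the
# <ValueQueries> block before the action runs; single quotes keep them literal here
# so PowerShell does not try to expand them now.
$arguments = '/c "echo $(User)@$(TargetFilename)@$(Image) | powershell -nop -enc ' + $encoded + '"'

Write-Output "Program/script : cmd.exe"
Write-Output "Add arguments  : $arguments"

# Sanity check: decode the string again and confirm it matches the script source.
$roundTrip = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($encoded))
if ($roundTrip -ne $source) { throw 'Encoded command does not round-trip to the script source' }
```

Paste the printed argument string into the "Add arguments" field with cmd.exe as the Program/script. Keep in mind that a SYSTEM-level cmd.exe launching `powershell -nop -enc` is a pattern many detection rules alert on, so expect to tune those rules for this specific task rather than be surprised by your own alert.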
