Forum Discussion

akaraulli
Copper Contributor
Mar 06, 2024

Hashes (MD5, SHA256) on Sysmon Event ID 3: Network connection

Hi

Is it possible to have the Hashes (MD5, SHA256) field completed for Sysmon Event ID 3: Network connection?

I have them completed only for events 1, 6 and 7.
In the xml config file - SwiftOnSecurity - I can see that the tag <HashAlgorithms/> is completed at the top, before any specific event within the <EventFiltering/> tags.

If this is only some default, can Hash be enforced on a specific Event ID?

best regards
Altin

  • Hi! No, it is not standard or supported to have MD5 or SHA256 hashes directly filled out for Sysmon Event ID 3 (Network connection) because this event does not pertain to files or executables, which are typically the subjects of hashing. The hashing configuration applies to events where file or executable information is relevant and captured by Sysmon.

    However, if your goal is to correlate network events with file hashes, you would typically need to do this correlation externally from Sysmon, using additional tools or scripts that match network activities (logged by Sysmon Event ID 3) with process or file activities (captured in other Sysmon events that do include hashing, like Event IDs 1, 6, and 7) based on timing, process IDs, or other correlating information.

    Sysmon is super configurable, and while you can't enforce hashing on an unsupported event type like Event ID 3 directly within Sysmon, you can leverage its extensive logging capabilities in conjunction with other tools or processes to achieve the insight or correlation you need.

    Does this help?
    • akaraulli
      Copper Contributor
      The goal is to correlate binary names, paths, parent names and paths, and hashes with the accessibility of these binaries toward certain important services - e.g. databases, web servers, and so on.

      Of course I am using an external tool (Splunk) to make the correlations between the Hash found on Event ID 1 (Process Create) and the destination port accessed in Event 3 Network by these binaries - e.g. toward port 1433 for MS SQL Server.

      The problem I have faced (for which this ticket was created) is as below:

      I can have the Network Event on every connection to the destination port of interest. But the Event ID 1 is on every binary launch. The latter goes like this: a certain DB Developer opens Microsoft SQL Server Management Studio. He keeps it open on his desktop for several weeks. It can be a month or more. In fact, most do it this way - me included.
      And when the binary of interest is a server process/service - accessing a DB on another server - it can stay open for months.

      So in my Splunk, I do have the Network Event on every connection, but to correlate it with the process binary hash, I have to go back for a very long time - weeks or months. That makes the monitoring impractical.

      This is why I thought that having the hash customizable at Event ID level - in my case on the Network Event - would be a much desired feature in Sysmon. If I had this, I would not need to go so far back in time to get the Hash.
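The external correlation suggested in the answer, and the long-lived-process problem described in the reply, can both be handled by keeping a process table rather than searching backwards through Event ID 1 records. The following is an added example, not code from the thread or from Sysmon or Splunk: it keeps the hashes and parent image learned from each Event ID 1, keyed by ProcessGuid (which Sysmon stamps on both Event ID 1 and Event ID 3, and which, unlike ProcessId, is never recycled), evicts the entry on Event ID 5 (process terminated), and annotates every Event ID 3 with the stored hashes no matter how long after process creation the connection happens. The event records, GUIDs and hash values are constructed for the example; the field names are Sysmon's.

```python
import ntpath
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample Sysmon records (not real telemetry), in UtcTime order and
# trimmed to the fields the correlation needs. ProcessGuid values are
# placeholders in Sysmon's braced format; the hashes are fabricated.
GUID_SSMS = "{00000000-0000-0000-0000-000000000001}"
GUID_AGENT = "{00000000-0000-0000-0000-000000000002}"
GUID_TOOL = "{00000000-0000-0000-0000-000000000003}"

SAMPLE_EVENTS: List[Dict] = [
    # Event ID 1: SSMS launched by a developer (this is where the hashes live).
    {"EventID": 1, "UtcTime": "2024-02-05 08:00:00.000", "ProcessGuid": GUID_SSMS, "ProcessId": 4242,
     "Image": r"C:\Program Files\SSMS\Ssms.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "MD5=" + "ab" * 16 + ",SHA256=" + "ab" * 32 + ",IMPHASH=" + "ab" * 16},
    # Event ID 3, a month later: the same long-lived process connects to SQL Server.
    {"EventID": 3, "UtcTime": "2024-03-06 09:15:00.000", "ProcessGuid": GUID_SSMS, "ProcessId": 4242,
     "Image": r"C:\Program Files\SSMS\Ssms.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 1433},
    # Event ID 3 for a service whose Event ID 1 predates log collection: no hash is recoverable.
    {"EventID": 3, "UtcTime": "2024-03-06 09:16:00.000", "ProcessGuid": GUID_AGENT, "ProcessId": 1800,
     "Image": r"C:\Program Files\Agent\agent.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 1433},
    # Event ID 3: SSMS reaches a web endpoint, not a port of interest here.
    {"EventID": 3, "UtcTime": "2024-03-06 09:20:00.000", "ProcessGuid": GUID_SSMS, "ProcessId": 4242,
     "Image": r"C:\Program Files\SSMS\Ssms.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Event ID 5: SSMS exits, so PID 4242 becomes reusable.
    {"EventID": 5, "UtcTime": "2024-03-06 17:00:00.000", "ProcessGuid": GUID_SSMS, "ProcessId": 4242,
     "Image": r"C:\Program Files\SSMS\Ssms.exe"},
    # Event ID 1: a different binary gets the recycled PID 4242 ...
    {"EventID": 1, "UtcTime": "2024-03-07 10:00:00.000", "ProcessGuid": GUID_TOOL, "ProcessId": 4242,
     "Image": r"C:\Users\dev\Downloads\tool.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "MD5=" + "cd" * 16 + ",SHA256=" + "cd" * 32},
    # ... and it, too, connects to SQL Server.
    {"EventID": 3, "UtcTime": "2024-03-07 10:01:00.000", "ProcessGuid": GUID_TOOL, "ProcessId": 4242,
     "Image": r"C:\Users\dev\Downloads\tool.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 1433},
]


def parse_hashes(field: str) -> Dict[str, str]:
    """Split Sysmon's 'MD5=...,SHA256=...,IMPHASH=...' string into a dict keyed by algorithm."""
    hashes: Dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            hashes[algo.strip().upper()] = value.strip().lower()
    return hashes


def correlate(events: Iterable[Dict]) -> List[Dict]:
    """Single pass over time-ordered events.

    Event ID 1 records the process (keyed by ProcessGuid, not ProcessId, since
    PIDs are recycled), Event ID 5 evicts it, and every Event ID 3 is returned
    annotated with the hashes and parent learned at creation time. The table is
    the state that lets a network event be enriched without re-searching weeks
    of Event ID 1 records.
    """
    processes: Dict[str, Dict] = {}
    enriched: List[Dict] = []
    for ev in events:
        guid = ev["ProcessGuid"]
        if ev["EventID"] == 1:
            processes[guid] = {
                "CreateTime": ev["UtcTime"],
                "ParentImage": ev.get("ParentImage"),
                "Hashes": parse_hashes(ev.get("Hashes", "")),
            }
        elif ev["EventID"] == 5:
            processes.pop(guid, None)
        elif ev["EventID"] == 3:
            proc: Optional[Dict] = processes.get(guid)
            hashes = proc["Hashes"] if proc else {}
            enriched.append({
                "UtcTime": ev["UtcTime"],
                "ProcessGuid": guid,
                "ProcessId": ev["ProcessId"],
                "Image": ev["Image"],
                "ImageName": ntpath.basename(ev["Image"]),
                "DestinationIp": ev["DestinationIp"],
                "DestinationPort": ev["DestinationPort"],
                # None when the creation event fell outside the collected data.
                "CreateTime": proc["CreateTime"] if proc else None,
                "ParentImage": proc["ParentImage"] if proc else None,
                "MD5": hashes.get("MD5"),
                "SHA256": hashes.get("SHA256"),
            })
    return enriched


def connections_to(enriched: Iterable[Dict], ports: Set[int]) -> List[Dict]:
    """Keep only the enriched network events aimed at the given destination ports."""
    return [e for e in enriched if e["DestinationPort"] in ports]


if __name__ == "__main__":
    for row in connections_to(correlate(SAMPLE_EVENTS), {1433}):
        sha = row["SHA256"] or "<no Event ID 1 in collected data>"
        print(f'{row["UtcTime"]} {row["ImageName"]:10} pid={row["ProcessId"]} -> '
              f'{row["DestinationIp"]}:{row["DestinationPort"]} sha256={sha}')
```

The process table is what replaces the weeks-long lookback: in a SIEM the same idea is a lookup (Splunk's CSV or KV store lookups, for instance) that a scheduled search keeps filled from Event ID 1, so the search over Event ID 3 only has to join on ProcessGuid within its own time range. Two caveats the sample data exercises: a process whose Event ID 1 was never collected (agent.exe) cannot be given a hash after the fact, and correlating on ProcessId instead of ProcessGuid would have attributed tool.exe's connection to Ssms.exe's hash once the PID was recycled.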
