JonMon-Lite: The Remote Agentless EDR Proof-of-Concept for ETW Trace Monitoring
JonMon-Lite is a research proof-of-concept "Remote Agentless EDR". It creates an ETW trace session through a Data Collector Set (the PLA API behind Performance Monitor and `logman`), either on the local machine or on remote hosts. The remote hosts need no agent: the collector set runs on the target and writes its ETL file back to an admin share on the machine running JonMon-Lite, which then processes the events.
Events Collected
JonMon-Lite collects the following data:
| EventType | Provider |
|---|---|
| Process Creation | Microsoft-Windows-Kernel-Process |
| File Creation | Microsoft-Windows-Kernel-File |
| DotNetLoad | Microsoft-Windows-DotNETRuntime |
| WMIEventFilter | Microsoft-Windows-WMI-Activity |
| RPCClientCall | Microsoft-Windows-RPC |
| RPCServerCall | Microsoft-Windows-RPC |
| CryptUnprotectData | Microsoft-Windows-Crypto-DPAPI |
| AMSI | Microsoft-Antimalware-Scan-Interface |
JonMon-Lite is broken up into 4 pieces:
- JonMon-Lite.exe – responsible for creating the Data Collector Sets on each target and collecting the resulting events
- JonMon-Lite.json – configuration file (paths, trace name, target workstations, credentials)
- JonMon-Lite.xml – XML definition of the Data Collector Set that JonMon-Lite.exe applies on each target (the SetXml call in the output below)
- JonMon-Lite manifest files (.dll/.man) – event manifest that JonMon-Lite.exe registers so its events can be viewed in Event Viewer
To execute:
Update JonMon-Lite.json to fit your environment. The example below assumes JonMon-Lite.exe runs on Machine3 and monitors Machine1 and Machine2: RootPath is the C$ admin share on Machine3 that the targets write their ETL files to, and ETLFilePath is the same directory as seen locally on Machine3:
```json
{
    "XMLFilePath": "C:\\Path\\To\\JonMon-Lite.xml",
    "ETLFilePath": "C:\\PerfLogs\\Admin\\JonMon-Lite\\",
    "RootPath": "\\\\Machine3\\C$\\PerfLogs\\Admin\\JonMon-Lite\\",
    "TraceName": "JonMon-Lite",
    "WorkstationName": ["Machine1", "Machine2"],
    "User": "TestUser",
    "Password": "ChangeMe1!"
}
```
Note the JSON escaping: every backslash in a path is doubled, so the UNC prefix `\\Machine3` is written `\\\\Machine3`. JonMon-Lite prints the resolved RootPath at start-up; check that it reads `\\Machine3\C$\...` before relying on the remote collection.
Make sure that the account given in User and Password is an Administrator on all machines involved, including Machine3: the collector set on each target runs under that account and writes its ETL file to the C$ share on Machine3 with it. If you want to test locally, leave User and Password empty and point RootPath at the local directory:
```json
{
    "XMLFilePath": "C:\\Path\\To\\JonMon-Lite.xml",
    "ETLFilePath": "C:\\PerfLogs\\Admin\\JonMon-Lite\\",
    "RootPath": "C:\\PerfLogs\\Admin\\JonMon-Lite\\",
    "TraceName": "JonMon-Lite",
    "WorkstationName": ["LocalMachineName"],
    "User": "",
    "Password": ""
}
```
Afterwards, run JonMon-Lite.exe as an Administrator. JonMon-Lite handles each workstation on its own thread, so the lines from the two hosts interleave. You should see something like this:
```text
Reading JonMon-Lite Config File...

Uninstalling ETW Manifest
Installing ETW Manifest
XMLFilePath: C:\Users\thor\Desktop\JonMon-Lite\JonMon-Lite.xml
TraceName: JonMon-Lite
ETLFilePath C:\PerfLogs\Admin\JonMon-Lite\
RootPath: \\Asgard-Wrkstn\C$\PerfLogs\Admin\JonMon-Lite\
WorkstationName: Wakanda-Wrkstn
User: thor
Password: GodofLightning1!

Creating JonMon-Lite Trace...
XMLFilePath: C:\Users\thor\Desktop\JonMon-Lite\JonMon-Lite.xml
TraceName: JonMon-Lite
ETLFilePath C:\PerfLogs\Admin\JonMon-Lite\
RootPath: \\Asgard-Wrkstn\C$\PerfLogs\Admin\JonMon-Lite\
WorkstationName: Asgard-Wrkstn
User: thor
Password: GodofLightning1!

Processing events...
Creating JonMon-Lite Trace...
ETL file not found: C:\PerfLogs\Admin\JonMon-Lite\Wakanda-Wrkstn_\JonMon-Lite.etl, waiting 4 seconds...
Processing events...
ETL file not found: C:\PerfLogs\Admin\JonMon-Lite\Asgard-Wrkstn_\JonMon-Lite.etl, waiting 4 seconds...
Credentials set successfully.
Credentials set successfully.
pDataCollectorSet->put_RootPath was set successfully
pDataCollectorSet->put_RootPath was set successfully
pDataCollectorSet->SetXml was set successfully
pDataCollectorSet->SetXml was set successfully
Collector set 'JonMon-Lite' has been created/updated successfully.
Collector set 'JonMon-Lite' has been created/updated successfully.
Collector set 'JonMon-Lite' started successfully.
Collector set 'JonMon-Lite' started successfully
```
To stop the collection, go to the JonMon-Lite window, type `exit` and press Enter.
Two things to note. JonMon-Lite echoes the whole configuration, password included, to the console at start-up, and JonMon-Lite.json stores that password in cleartext; because the account is an Administrator on every monitored host, keep the config file and any console transcript out of reach and use a dedicated account for the collection. Second, the ETL files are not cleaned up automatically, in case someone wants to grab them for offline analysis, so before you start the next session you need to remove `<ETLFilePath>\<WorkstationName>_\<TraceName>.etl` for each host yourself.
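The following PowerShell script is an added example, not part of the JonMon-Lite project. It runs on the collecting machine (Machine3 in the text) before JonMon-Lite.exe and ties together the two things above: it checks that each target has the providers from the "Events Collected" table registered, sanity-checks the JonMon-Lite.json fields (UNC RootPath and credentials for remote mode, matching paths for local mode), reports a collector set of the same name that is still defined on a target, and finds (optionally removes) the stale ETL file left from the previous session. It assumes the JSON keys shown above and the per-host ETL layout `<ETLFilePath>\<WorkstationName>_\<TraceName>.etl` that the sample output reports; the parameter names and messages are the example's own.

```powershell
<#
Pre-flight and clean-up helper for a JonMon-Lite run (added example, not part of
the JonMon-Lite project). Run on the collecting machine before JonMon-Lite.exe.
Assumptions: the JonMon-Lite.json keys shown in the text, and the ETL layout
<ETLFilePath>\<WorkstationName>_\<TraceName>.etl seen in the sample output.
#>
param(
    [string]$ConfigPath = '.\JonMon-Lite.json',
    [switch]$RemoveStaleEtl
)

$cfg = Get-Content -Raw -LiteralPath $ConfigPath | ConvertFrom-Json

# Providers from the "Events Collected" table. A host where one of them is not
# registered simply produces no events of that type, with no error from the trace.
$providers = @(
    'Microsoft-Windows-Kernel-Process',
    'Microsoft-Windows-Kernel-File',
    'Microsoft-Windows-DotNETRuntime',
    'Microsoft-Windows-WMI-Activity',
    'Microsoft-Windows-RPC',
    'Microsoft-Windows-Crypto-DPAPI',
    'Microsoft-Antimalware-Scan-Interface'
)

$problems = @()

# --- 1. Static configuration checks -------------------------------------------
if (-not (Test-Path -LiteralPath $cfg.XMLFilePath)) {
    $problems += "XMLFilePath does not exist: $($cfg.XMLFilePath)"
}
$remote = $cfg.RootPath.StartsWith('\\')
if ($remote) {
    # Targets write into the collector's admin share, so RootPath must resolve to
    # \\<host>\<drive>$\... (four backslashes at the start of the JSON string).
    if ($cfg.RootPath -notmatch '^\\\\[^\\]+\\[A-Za-z]\$\\') {
        $problems += "RootPath is not an admin-share UNC path: $($cfg.RootPath)"
    }
    if ([string]::IsNullOrEmpty($cfg.User) -or [string]::IsNullOrEmpty($cfg.Password)) {
        $problems += 'Remote collection needs both User and Password'
    }
} elseif ($cfg.RootPath -ne $cfg.ETLFilePath) {
    $problems += 'Local collection: RootPath and ETLFilePath should be the same directory'
}

# --- 2. Per-workstation checks -------------------------------------------------
foreach ($ws in $cfg.WorkstationName) {
    if (-not (Test-Connection -ComputerName $ws -Count 1 -Quiet)) {
        $problems += "$ws is not reachable"
        continue
    }
    foreach ($p in $providers) {
        try { $null = Get-WinEvent -ListProvider $p -ComputerName $ws -ErrorAction Stop }
        catch { $problems += "$ws does not have ETW provider $p registered" }
    }

    # JonMon-Lite leaves the previous session's ETL file in place and expects you
    # to remove it before the next session.
    $etl = Join-Path -Path $cfg.ETLFilePath -ChildPath ('{0}_\{1}.etl' -f $ws, $cfg.TraceName)
    if (Test-Path -LiteralPath $etl) {
        if ($RemoveStaleEtl) {
            Remove-Item -LiteralPath $etl -Force
            Write-Host "Removed stale ETL file $etl"
        } else {
            $problems += "Stale ETL file from a previous session (re-run with -RemoveStaleEtl): $etl"
        }
    }

    # Report a collector set of the same name that is still defined on the target;
    # logman -s drives the same remote PLA interface that JonMon-Lite uses.
    $status = & logman query $cfg.TraceName -s $ws 2>&1 |
        ForEach-Object { "$_" } | Select-String -Pattern '^\s*Status:'
    if ($status) {
        Write-Host "${ws}: collector set '$($cfg.TraceName)' already exists ($(@($status)[0].Line.Trim()))"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'Configuration looks consistent; start JonMon-Lite.exe from an elevated prompt.'
```

Run it from an elevated prompt with `.\Preflight.ps1 -ConfigPath .\JonMon-Lite.json`, and add `-RemoveStaleEtl` once you have copied off any ETL files you still want. The provider check talks to the targets over the Event Log RPC interface, so the "Remote Event Log Management" firewall rule must be enabled on them; the `logman -s` query and JonMon-Lite itself additionally need DCOM access as the configured administrator.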
Download