1 |
Microsoft-Windows-Sysmon/Operational |
1 |
Process Create (rule: ProcessCreate) |
Process Create.
- LogonGuid/LogonId: ID of the logon session
- ParentProcessGuid/ParentProcessId: Process ID of the parent process
- ParentImage: Executable file of the parent process
- CurrentDirectory: Work directory
- CommandLine: Command line of the execution command (path to the server tool)
- IntegrityLevel: Privilege level
- ParentCommandLine: Command line of the parent process
- UtcTime: Process execution date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user
- Hashes: Hash value of the executable file
- Image: Path to the executable file (path to the server tool)
|
Security |
4688 |
Process Create |
A new process has been created.
- Process Information > Required Label: Necessity of privilege escalation
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Source Process Name: Path to parent process that created the new process
- Log Date and Time: Process execution date and time (local time)
- Process Information > New Process Name: Path to the executable file (path to the server tool)
- Process Information > Token Escalation Type: Presence of privilege escalation (1)
- Process Information > New Process ID: Process ID (hexadecimal)
- Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
- Subject > Logon ID: Session ID of the user who executed the process
|
2 |
Microsoft-Windows-Sysmon/Operational |
1 |
Process Create (rule: ProcessCreate) |
Process Create.
- LogonGuid/LogonId: ID of the logon session
- ParentProcessGuid/ParentProcessId: Process ID of the parent process
- ParentImage: Executable file of the parent process (path to the server tool)
- CurrentDirectory: Work directory
- CommandLine: Command line of the execution command (netsh advfirewall firewall delete rule name=Trend protocol=TCP dir=in localport=[Destination Port Number])
- IntegrityLevel: Privilege level (Medium)
- ParentCommandLine: Command line of the parent process (path to the server tool)
- UtcTime: Process execution date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user
- Hashes: Hash value of the executable file
- Image: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)
|
Security |
4688 |
Process Create |
A new process has been created.
- Process Information > Required Label: Necessity of privilege escalation
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Source Process Name: Path to parent process that created the new process
- Log Date and Time: Process execution date and time (local time)
- Process Information > New Process Name: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)
- Process Information > Token Escalation Type: Presence of privilege escalation (1)
- Process Information > New Process ID: Process ID (hexadecimal)
- Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
- Subject > Logon ID: Session ID of the user who executed the process
|
3 |
Microsoft-Windows-Sysmon/Operational |
10 |
Process accessed (rule: ProcessAccess) |
Process accessed.
- SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
- TargetProcessGUID/TargetProcessId: Process ID of the access destination process
- GrantedAccess: Details of the granted access
- SourceImage: Path to the access source process (path to the server tool)
- TargetImage: Path to the access destination process (C:\Windows\SysWOW64\netsh.exe)
|
4 |
Microsoft-Windows-Sysmon/Operational |
1 |
Process Create (rule: ProcessCreate) |
Process Create.
- LogonGuid/LogonId: ID of the logon session
- ParentProcessGuid/ParentProcessId: Process ID of the parent process
- ParentImage: Executable file of the parent process (path to the server tool)
- CurrentDirectory: Work directory
- CommandLine: Command line of the execution command (netsh advfirewall firewall add rule name=Trend protocol=TCP dir=in localport=[Destination Port Number] action=allow)
- IntegrityLevel: Privilege level (Medium)
- ParentCommandLine: Command line of the parent process (path to the server tool)
- UtcTime: Process execution date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user
- Hashes: Hash value of the executable file
- Image: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)
|
Security |
4688 |
Process Create |
A new process has been created.
- Process Information > Required Label: Necessity of privilege escalation
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Source Process Name: Path to parent process that created the new process
- Log Date and Time: Process execution date and time (local time)
- Process Information > New Process Name: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)
- Process Information > Token Escalation Type: Presence of privilege escalation (1)
- Process Information > New Process ID: Process ID (hexadecimal)
- Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
- Subject > Logon ID: Session ID of the user who executed the process
|
5 |
Microsoft-Windows-Sysmon/Operational |
10 |
Process accessed (rule: ProcessAccess) |
Process accessed.
- SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
- TargetProcessGUID/TargetProcessId: Process ID of the access destination process
- GrantedAccess: Details of the granted access
- SourceImage: Path to the access source process (path to the server tool)
- TargetImage: Path to the access destination process (C:\Windows\SysWOW64\netsh.exe)
|
6 |
Microsoft-Windows-Sysmon/Operational |
12 |
Registry object added or deleted (rule: RegistryEvent) |
Registry object added or deleted.
- EventType: Operation type (CreateKey)
- Image: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)
- ProcessGuid/ProcessId: Process ID
- TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC)
|
7 |
Microsoft-Windows-Sysmon/Operational |
5 |
Process terminated (rule: ProcessTerminate) |
Process terminated.
- UtcTime: Process terminated date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- Image: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)
|
Security |
4689 |
Process Termination |
A process has exited.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Exit Status: Process return value (0x1)
- Log Date and Time: Process terminated date and time (local time)
- Process Information > Process Name: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)
- Subject > Logon ID: Session ID of the user who executed the process
|
8 |
Microsoft-Windows-Sysmon/Operational |
5 |
Process terminated (rule: ProcessTerminate) |
Process terminated.
- UtcTime: Process terminated date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- Image: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)
|
Security |
4689 |
Process Termination |
A process has exited.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Exit Status: Process return value (0x1)
- Log Date and Time: Process terminated date and time (local time)
- Process Information > Process Name: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)
- Subject > Logon ID: Session ID of the user who executed the process
|
9 |
Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the executable file (C:\Windows\System32\svchost.exe)
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file (C:\Windows\Prefetch\NETSH.EXE-[RANDOM].pf)
- CreationUtcTime: File creation date and time (UTC)
|
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Windows\Prefetch\NETSH.EXE-[RANDOM].pf)
- Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\svchost.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\svchost.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
10 |
Security |
5158 |
Filtering Platform Connection |
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Local port that was bound (port number)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Execution process (path to the server tool)
|
Security |
5154 |
Filtering Platform Connection |
The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
- Network Information > Source Address: Source IP address
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Source port number (port number)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Execution process (path to the server tool)
|
11 |
Microsoft-Windows-Sysmon/Operational |
1 |
Process Create (rule: ProcessCreate) |
Process Create.
- LogonGuid/LogonId: ID of the logon session
- ParentProcessGuid/ParentProcessId: Process ID of the parent process
- ParentImage: Executable file of the parent process (C:\Windows\System32\svchost.exe)
- CurrentDirectory: Work directory
- CommandLine: Command line of the execution command (C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowNotificationDialog /ETOnly 0 /OnProfiles 7 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 2 "[Path to Server Tool]")
- IntegrityLevel: Privilege level (Medium)
- ParentCommandLine: Command line of the parent process (C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork)
- UtcTime: Process execution date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user
- Hashes: Hash value of the executable file
- Image: Path to the executable file (C:\Windows\System32\rundll32.exe)
|
Security |
4688 |
Process Create |
A new process has been created.
- Process Information > Required Label: Necessity of privilege escalation
- Process Information > Source Process Name: Path to parent process that created the new process
- Subject > Account Name: Name of the account that executed the tool (LOCAL SERVICE)
- Log Date and Time: Process execution date and time (local time)
- Subject > Account Domain: Domain to which the account belongs (NT AUTHORITY)
- Process Information > New Process Name: Path to the executable file (C:\Windows\System32\rundll32.exe)
- Process Information > Token Escalation Type: Presence of privilege escalation (1)
- Process Information > New Process ID: Process ID (hexadecimal)
- Subject > Security ID: SID of the user who executed the tool (LOCAL SERVICE)
- Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
- Subject > Logon ID: Session ID of the user who executed the process
|
12 |
Security |
5447 |
Other Policy Changing Events |
A Windows Filtering Platform filter has been changed. This event occurs more than once.
- Process Information > Process ID: Process ID (hexadecimal)
- Provider Information > ID: Provider ID
- Change Information > Change Type: Type of change performed (addition)
- Additional Information > Conditions: Filter conditions
- Filter Information > ID at Execution: ID at filter execution
- Subject > Account Name: Name of the account that executed the tool (NT AUTHORITY\LOCAL SERVICE)
- Filter Information > ID: Filter UUID
- Provider Information > Name: Provider name
- Filter Information > Name: Filter name (executable file of the server tool)
- Subject > Security ID: SID of the user who executed the tool (LOCAL SERVICE)
- Additional Information > Filter Action: Operation when matched (permit)
|
Security |
4946 |
MPSSVC Rule-Level Policy Change |
A change was made to the Windows Firewall exception list. A rule was added.
- Added Rule > Rule Name: Name of the process executed (executable file of the server tool)
- Changed Profile: Changed profile (private)
- Added Rule > Rule ID: Rule ID of the process executed (TCP Query User{[ALPHANUM]-[ALPHANUM]-[ALPHANUM]-[ALPHANUM]-[ALPHANUM]}[Path to Tool])
|
Security |
5031 |
Filtering Platform Connection |
The Windows Firewall Service blocked an application from accepting incoming connections on the network.
- Application: Path to the tool (path to the server tool)
- Profile: Profile used (private)
|
Security |
5447 |
Other Policy Changing Events |
A Windows Filtering Platform filter has been changed.
- Process Information > Process ID: Process ID (hexadecimal)
- Provider Information > ID: Provider ID
- Change Information > Change Type: Type of change performed (addition)
- Additional Information > Conditions: Filter conditions
- Filter Information > ID at Execution: ID at filter execution
- Subject > Account Name: Name of the account that executed the tool (NT AUTHORITY\LOCAL SERVICE)
- Filter Information > ID: Filter UUID
- Provider Information > Name: Provider name
- Filter Information > Name: Filter name (executable file of the server tool)
- Subject > Security ID: SID of the user who executed the tool (LOCAL SERVICE)
- Additional Information > Filter Action: Operation when matched (block)
|
13 |
Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the executable file (C:\Windows\System32\svchost.exe)
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file (C:\Windows\Prefetch\[Executable File of Server Tool]-[RANDOM].pf)
- CreationUtcTime: File creation date and time (UTC)
|
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
- Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File of Server Tool]-[RANDOM].pf)
- Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
- Subject > Account Domain: Domain to which the account belongs (domain)
- Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\svchost.exe)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
- Audit Success: Success or failure (access successful)
- Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File of Server Tool]-[RANDOM].pf)
- Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
- Subject > Account Domain: Domain to which the account belongs (domain)
- Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\svchost.exe)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
- Subject > Account Domain: Domain to which the account belongs (domain)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
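Steps 9 and 13 show the same three-event pattern for a Prefetch write: 4656 (handle requested), 4663 (object accessed) and 4658 (handle closed), tied together by Handle ID and Process ID. The following is an added example, not code from the JPCERT sheet or from any tool it describes: it rebuilds those handle sessions from Security events (as a SIEM would export them after XML parsing), tolerates Handle ID reuse after a close, and reports only Prefetch files that were actually written with WriteData or AppendData, since such a write records that the named executable ran. The sample events, PIDs, handle IDs, host name WS01 and the eight-hex-digit prefetch hashes are constructed placeholders.

```python
# Added example (not part of the JPCERT sheet): rebuild the 4656 -> 4663 -> 4658
# handle lifecycle by (ProcessId, HandleId) and report Prefetch files that were
# written, which is evidence that the executable named in the file ran.
import re

# FILE_WRITE_DATA (0x2) and FILE_APPEND_DATA (0x4) bits of the Access Mask.
WRITE_BITS = 0x2 | 0x4

# C:\Windows\Prefetch\<EXE NAME>-<8 hex digits>.pf
PREFETCH_RE = re.compile(r"\\Prefetch\\(.+)-[0-9A-F]{8}\.pf$", re.I)

# Constructed Security events (placeholders: PIDs, handle IDs, host WS01, hashes).
SAMPLE_EVENTS = [
    # Session 1: svchost writes the Prefetch file for netsh.exe (step 9).
    {"EventID": 4656, "ProcessId": "0x4a8", "HandleId": "0x1f4",
     "ObjectName": r"C:\Windows\Prefetch\NETSH.EXE-0A1B2C3D.pf", "AccessMask": "0x6",
     "ProcessName": r"C:\Windows\System32\svchost.exe", "SubjectUserName": "WS01$"},
    {"EventID": 4663, "ProcessId": "0x4a8", "HandleId": "0x1f4",
     "ObjectName": r"C:\Windows\Prefetch\NETSH.EXE-0A1B2C3D.pf", "AccessMask": "0x6",
     "ProcessName": r"C:\Windows\System32\svchost.exe", "SubjectUserName": "WS01$"},
    {"EventID": 4658, "ProcessId": "0x4a8", "HandleId": "0x1f4",
     "ProcessName": r"C:\Windows\System32\svchost.exe", "SubjectUserName": "WS01$"},
    # Session 2: handle requested but never used (no 4663), so no write evidence.
    {"EventID": 4656, "ProcessId": "0x4a8", "HandleId": "0x200",
     "ObjectName": r"C:\Windows\Prefetch\CMD.EXE-11223344.pf", "AccessMask": "0x6",
     "ProcessName": r"C:\Windows\System32\svchost.exe", "SubjectUserName": "WS01$"},
    {"EventID": 4658, "ProcessId": "0x4a8", "HandleId": "0x200",
     "ProcessName": r"C:\Windows\System32\svchost.exe", "SubjectUserName": "WS01$"},
    # Session 3: Handle ID 0x1f4 reused for a read of a non-Prefetch file.
    {"EventID": 4656, "ProcessId": "0x4a8", "HandleId": "0x1f4",
     "ObjectName": r"C:\Temp\notes.txt", "AccessMask": "0x1",
     "ProcessName": r"C:\Windows\System32\svchost.exe", "SubjectUserName": "WS01$"},
    {"EventID": 4663, "ProcessId": "0x4a8", "HandleId": "0x1f4",
     "ObjectName": r"C:\Temp\notes.txt", "AccessMask": "0x1",
     "ProcessName": r"C:\Windows\System32\svchost.exe", "SubjectUserName": "WS01$"},
    {"EventID": 4658, "ProcessId": "0x4a8", "HandleId": "0x1f4",
     "ProcessName": r"C:\Windows\System32\svchost.exe", "SubjectUserName": "WS01$"},
]


def build_sessions(events):
    """Group events into handle sessions. A 4656 opens a session keyed by
    (ProcessId, HandleId); 4663 accumulates the access mask actually used;
    4658 closes it, so a later 4656 on the same Handle ID starts a new one."""
    sessions, open_by_key = [], {}
    for ev in events:
        key = (ev["ProcessId"], ev["HandleId"])
        if ev["EventID"] == 4656:
            s = {"object": ev.get("ObjectName"), "process": ev.get("ProcessName"),
                 "user": ev.get("SubjectUserName"), "accessed_mask": 0, "closed": False}
            sessions.append(s)
            open_by_key[key] = s
        elif key in open_by_key:
            s = open_by_key[key]
            if ev["EventID"] == 4663:
                s["accessed_mask"] |= int(ev.get("AccessMask", "0"), 16)
            elif ev["EventID"] == 4658:
                s["closed"] = True
                del open_by_key[key]
    return sessions


def prefetch_writes(events):
    """Return (executable name, writing process) for each session in which a
    Prefetch file was really written (a 4663 with a write bit set)."""
    found = []
    for s in build_sessions(events):
        if not s["object"] or not (s["accessed_mask"] & WRITE_BITS):
            continue
        m = PREFETCH_RE.search(s["object"])
        if m:
            found.append((m.group(1).upper(), s["process"]))
    return found


if __name__ == "__main__":
    for exe, writer in prefetch_writes(SAMPLE_EVENTS):
        print(f"{exe} ran; Prefetch written by {writer}")
```

Keying on the 4656 rather than on the 4663 matters: the requested mask in 4656 is what the caller asked for, while the 4663 mask is what was actually exercised, so a handle that was opened for write but never used drops out of the result.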
14 |
Security |
5447 |
Other Policy Changing Events |
A Windows Filtering Platform filter has been changed.
- Process Information > Process ID: Process ID (hexadecimal)
- Provider Information > ID: Provider ID
- Change Information > Change Type: Type of change performed (addition)
- Additional Information > Conditions: Filter conditions
- Filter Information > ID at Execution: ID at filter execution
- Subject > Account Name: Name of the account that executed the tool (NT AUTHORITY\LOCAL SERVICE)
- Filter Information > ID: Filter UUID
- Provider Information > Name: Provider name
- Filter Information > Name: Filter name (executable file of the server tool)
- Subject > Security ID: SID of the user who executed the tool (LOCAL SERVICE)
- Additional Information > Filter Action: Operation when matched (permit)
|
Security |
5447 |
Other Policy Changing Events |
A Windows Filtering Platform filter has been changed.
- Process Information > Process ID: Process ID (hexadecimal)
- Provider Information > ID: Provider ID
- Change Information > Change Type: Type of change performed (deletion)
- Additional Information > Conditions: Filter conditions
- Filter Information > ID at Execution: ID at filter execution
- Subject > Account Name: Name of the account that executed the tool (NT AUTHORITY\LOCAL SERVICE)
- Filter Information > ID: Filter UUID
- Provider Information > Name: Provider name
- Filter Information > Name: Filter name (executable file of the server tool)
- Subject > Security ID: SID of the user who executed the tool (LOCAL SERVICE)
- Additional Information > Filter Action: Operation when matched (permit)
|
Security |
5447 |
Other Policy Changing Events |
A Windows Filtering Platform filter has been changed.
- Process Information > Process ID: Process ID (hexadecimal)
- Provider Information > ID: Provider ID
- Change Information > Change Type: Type of change performed (deletion)
- Additional Information > Conditions: Filter conditions
- Filter Information > ID at Execution: ID at filter execution
- Subject > Account Name: Name of the account that executed the tool (NT AUTHORITY\LOCAL SERVICE)
- Filter Information > ID: Filter UUID
- Provider Information > Name: Provider name (Microsoft Corporation)
- Filter Information > Name: Filter name (executable file of the tool)
- Subject > Security ID: SID of the user who executed the tool (LOCAL SERVICE)
- Additional Information > Filter Action: Operation when matched (block)
|
Security |
4947 |
MPSSVC Rule-Level Policy Change |
A change was made to the Windows Firewall exception list. A rule was modified.
- Added Rule > Rule Name: Name of the process executed (executable file of the server tool)
- Changed Profile: Changed profile (private)
- Added Rule > Rule ID: Rule ID of the process (UDP Query User{[ALPHANUM]-[ALPHANUM]-[ALPHANUM]-[ALPHANUM]-[ALPHANUM]}[Path to Tool])
|
Security |
4947 |
MPSSVC Rule-Level Policy Change |
A change was made to the Windows Firewall exception list. A rule was modified.
- Added Rule > Rule Name: Name of the process executed (executable file of the server tool)
- Changed Profile: Changed profile (private)
- Added Rule > Rule ID: Rule ID of the process executed (TCP Query User{[ALPHANUM]-[ALPHANUM]-[ALPHANUM]-[ALPHANUM]-[ALPHANUM]}[Path to Tool])
|
15 |
Microsoft-Windows-Sysmon/Operational |
5 |
Process terminated (rule: ProcessTerminate) |
Process terminated.
- UtcTime: Process terminated date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- Image: Path to the executable file (C:\Windows\System32\rundll32.exe)
|
16 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (source host IP address)
- Image: Path to the executable file (path to the server tool)
- DestinationHostname: Destination host name (source host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user
- DestinationPort: Destination port number (high port)
- SourcePort: Source port number (port number)
- SourceHostname: Source host name (destination host name)
- SourceIp: Source IP address (destination host IP address)
|
Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Source Address/Source Port: Source IP address/Port number ([Destination Host IP Address]/[Destination Port Number])
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Destination Address/Destination Port: Destination IP address/Port number ([Source Host IP Address]/[High Port])
- Application Information > Application Name: Execution process (path to the server tool)
- Network Information > Direction: Communication direction (inbound)
- Application Information > Process ID: Process ID
|
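Steps 2, 4 and 16 together form a chain a detection can key on: the server tool spawns netsh to delete and re-add an inbound allow rule for its listening port, and later accepts a connection on that port (Sysmon EID 3 with SourcePort equal to the opened port and Image equal to the process that spawned netsh). The following is an added example, not code from the JPCERT sheet or from any tool it describes: it parses Sysmon EID 1 and EID 3 records in forwarded-XML form, decodes the netsh advfirewall command line into its name/protocol/dir/localport/action fields, and links each inbound allow rule to the first later inbound connection on that port by the parent of netsh. The rule name "Trend" and the netsh syntax come from the table; the sample events, port 5555, paths, IP addresses and timestamps are constructed placeholders.

```python
# Added example (not part of the JPCERT sheet): link a netsh "add rule ... dir=in
# action=allow" (Sysmon EID 1) to the later inbound connection on that port
# (Sysmon EID 3) made by the process that spawned netsh.
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Sysmon events (placeholders: paths, port 5555, addresses, times).
SAMPLE_XML = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>1</EventID></System><EventData>
<Data Name="UtcTime">2024-03-01 10:00:01.000</Data>
<Data Name="Image">C:\Windows\SysWOW64\netsh.exe</Data>
<Data Name="CommandLine">netsh advfirewall firewall delete rule name=Trend protocol=TCP dir=in localport=5555</Data>
<Data Name="ParentImage">C:\Users\user\AppData\Local\Temp\svr.exe</Data>
<Data Name="IntegrityLevel">Medium</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>1</EventID></System><EventData>
<Data Name="UtcTime">2024-03-01 10:00:02.000</Data>
<Data Name="Image">C:\Windows\SysWOW64\netsh.exe</Data>
<Data Name="CommandLine">netsh advfirewall firewall add rule name=Trend protocol=TCP dir=in localport=5555 action=allow</Data>
<Data Name="ParentImage">C:\Users\user\AppData\Local\Temp\svr.exe</Data>
<Data Name="IntegrityLevel">Medium</Data></EventData></Event>""",
    # Decoy: same process, different port, so it must not be linked.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>3</EventID></System><EventData>
<Data Name="UtcTime">2024-03-01 10:04:00.000</Data>
<Data Name="Image">C:\Users\user\AppData\Local\Temp\svr.exe</Data>
<Data Name="Protocol">tcp</Data><Data Name="SourceIp">10.0.0.20</Data>
<Data Name="SourcePort">49200</Data><Data Name="DestinationIp">10.0.0.5</Data>
<Data Name="DestinationPort">443</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>3</EventID></System><EventData>
<Data Name="UtcTime">2024-03-01 10:05:00.000</Data>
<Data Name="Image">C:\Users\user\AppData\Local\Temp\svr.exe</Data>
<Data Name="Protocol">tcp</Data><Data Name="SourceIp">10.0.0.20</Data>
<Data Name="SourcePort">5555</Data><Data Name="DestinationIp">10.0.0.10</Data>
<Data Name="DestinationPort">49877</Data></EventData></Event>""",
]

# "netsh advfirewall firewall <add|delete|set> rule <key=value ...>", with or
# without a (possibly quoted) path in front of netsh.
NETSH_RE = re.compile(
    r'^\s*(?:"[^"]*netsh(?:\.exe)?"|\S*netsh(?:\.exe)?)\s+advfirewall\s+firewall\s+'
    r"(add|delete|set)\s+rule\b(.*)$", re.I)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event into a dict of EventData fields plus EventID."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    fields["_time"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return fields


def parse_netsh_firewall(cmdline):
    """Return {'verb': add|delete|set, 'name': ..., 'localport': ...} or None."""
    m = NETSH_RE.match(cmdline)
    if not m:
        return None
    rule = {k.lower(): v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rule["verb"] = m.group(1).lower()
    return rule


def correlate(events, window=timedelta(hours=1)):
    """For each inbound allow rule added via netsh, find the first later EID 3
    on the opened port whose Image is the process that spawned netsh."""
    events = sorted(events, key=lambda e: e["_time"])
    findings = []
    for i, ev in enumerate(events):
        if ev["EventID"] != 1:
            continue
        rule = parse_netsh_firewall(ev.get("CommandLine", ""))
        if not rule or rule["verb"] != "add":
            continue
        if rule.get("dir", "").lower() != "in" or rule.get("action", "").lower() != "allow":
            continue
        for later in events[i + 1:]:
            if later["_time"] - ev["_time"] > window:
                break
            if (later["EventID"] == 3
                    and later.get("SourcePort") == rule.get("localport")
                    and later.get("Protocol", "").lower() == rule.get("protocol", "").lower()
                    and later.get("Image", "").lower() == ev.get("ParentImage", "").lower()):
                findings.append({
                    "rule_name": rule.get("name"), "port": rule.get("localport"),
                    "image": later["Image"],
                    "remote": f'{later.get("DestinationIp")}:{later.get("DestinationPort")}',
                    "seconds_after_rule": (later["_time"] - ev["_time"]).total_seconds()})
                break
    return findings


def analyze(xml_events=SAMPLE_XML):
    return correlate([parse_sysmon_event(x) for x in xml_events])


if __name__ == "__main__":
    for f in analyze():
        print(f)
```

The match is deliberately on the parent of netsh rather than on netsh itself: the port is opened by netsh but used by the process that launched it, which is the server tool in this table. A delete without a matching add (step 2 alone) is parsed but produces no finding, so rule removals can be reported separately if wanted.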
17 |
Microsoft-Windows-Sysmon/Operational |
1 |
Process Create (rule: ProcessCreate) |
Process Create.
- LogonGuid/LogonId: ID of the logon session
- ParentProcessGuid/ParentProcessId: Process ID of the parent process
- ParentImage: Executable file of the parent process (path to the server tool)
- CurrentDirectory: Work directory
- CommandLine: Command line of the execution command (cmd /c dir)
- IntegrityLevel: Privilege level (Medium)
- ParentCommandLine: Command line of the parent process (path to the server tool)
- UtcTime: Process execution date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user
- Hashes: Hash value of the executable file
- Image: Path to the executable file (C:\Windows\SysWOW64\cmd.exe)
|
Security |
4688 |
Process Create |
A new process has been created.
- Process Information > Required Label: Necessity of privilege escalation
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Source Process Name: Path to parent process that created the new process
- Log Date and Time: Process execution date and time (local time)
- Process Information > New Process Name: Path to the executable file (C:\Windows\SysWOW64\cmd.exe)
- Process Information > Token Escalation Type: Presence of privilege escalation (1)
- Process Information > New Process ID: Process ID (hexadecimal)
- Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
- Subject > Logon ID: Session ID of the user who executed the process
|
18 |
Microsoft-Windows-Sysmon/Operational |
10 |
Process accessed (rule: ProcessAccess) |
Process accessed.
- SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
- TargetProcessGUID/TargetProcessId: Process ID of the access destination process
- GrantedAccess: Details of the granted access
- SourceImage: Path to the access source process (path to the server tool)
- TargetImage: Path to the access destination process (C:\Windows\SysWOW64\cmd.exe)
|
19 |
Microsoft-Windows-Sysmon/Operational |
5 |
Process terminated (rule: ProcessTerminate) |
Process terminated.
- UtcTime: Process terminated date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- Image: Path to the executable file (C:\Windows\SysWOW64\cmd.exe)
|
Security |
4689 |
Process Termination |
A process has exited.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Exit Status: Process return value
- Log Date and Time: Process terminated date and time (local time)
- Process Information > Process Name: Path to the executable file (C:\Windows\SysWOW64\cmd.exe)
- Subject > Logon ID: Session ID of the user who executed the process
|
20 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (source host IP address)
- Image: Path to the executable file (path to the server tool)
- DestinationHostname: Destination host name (source host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user
- DestinationPort: Destination port number (high port)
- SourcePort: Source port number (destination port number)
- SourceHostname: Source host name (destination host name)
- SourceIp: Source IP address (destination host IP address)
|