BeginX



- Tool Overview

Category: Command Execution
Description: Executes a command from a client to the server.
Example of Presumed Tool Use During an Attack: This tool is used to change settings on and acquire information from the remote host.

- Tool Operation Overview

Item                    Source Host / Destination Host
OS                      Windows
Belonging to Domain     Not required
Rights                  Standard user
Communication Protocol  TCP or UDP; the port number varies depending on the tool.

- Information Acquired from Log

Standard Settings
  • Source host
    • Execution history (Prefetch)
  • Destination Host
    • Change of the Windows Firewall settings (audit policy)
    • Execution history (Prefetch)
Additional Settings
  • Source host
    • Execution history (audit policy, Sysmon)
    • A record that communication via a specified port occurred (audit policy, Sysmon)
  • Destination Host
    • Execution history (audit policy, Sysmon)
    • A record that communication via a specified port occurred (audit policy, Sysmon)

- Evidence That Can Be Confirmed When Execution is Successful

- Main Information Recorded at Execution

- Source Host

Event log

# Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • CommandLine: Command line of the execution command ([Path to Client Tool] [Destination Host]:[Port Number] [Execution Command])
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the client tool)
  • User: Execute as user
2 Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (path to the client tool)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID

- Destination Host

Event log

# Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • CommandLine: Command line of the execution command (path to the server tool)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the server tool)
  • User: Execute as user
2 Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Source Address/Source Port: Source IP address/Port number ([Destination Host IP Address]/[Destination Port Number])
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Destination Address/Destination Port: Destination IP address/Port number ([Source Host IP Address]/[High Port])
  • Application Information > Application Name: Execution process (path to the server tool)
  • Network Information > Direction: Communication direction (inbound)
  • Application Information > Process ID: Process ID
3 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • ParentImage: Executable file of the parent process (path to the server tool)
  • CommandLine: Command line of the execution command (netsh advfirewall firewall delete rule name=Trend protocol=TCP dir=in localport=[Port Number])
  • ParentCommandLine: Command line of the parent process (path to the server tool)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Image: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)

Registry entry

# Path Value
1 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\TCP Query User{[GUID]}[Path to Tool] v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=[Path to Tool]|Name=tpcsrv.exe|Desc=tpcsrv.exe|Defer=User|
2 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\UDP Query User{[GUID]}[Path to Tool] v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=[Path to Tool]|Name=tpcsrv.exe|Desc=tpcsrv.exe|Defer=User|
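The rows above give a detection pattern for the destination host: a netsh.exe process whose parent is the server tool deletes and re-adds an inbound firewall rule, and a Security 5156 inbound connection is then accepted by that same server tool on the opened port. The following Python is an added example of that logic and is not part of the JPCERT sheet or the tool's own code. It runs over constructed sample records that use the Sysmon Event ID 1 and Security Event ID 5156 field names listed above; the tool path, user names, IP addresses, port 4444 and the list of expected parent processes are all assumptions.

```python
"""Detection logic for the artifacts listed above: netsh firewall rule changes whose
parent process is not an expected administrative shell, correlated with inbound
connections on the port that was opened.

All records below are CONSTRUCTED samples with the field names of Sysmon Event ID 1
(ProcessCreate) and Security Event ID 5156 (WFP allowed connection); the paths,
user names, addresses and port 4444 are placeholders, not real telemetry.
"""
import re

# Constructed server-tool path used across the samples (placeholder, not a real IoC).
SERVER_TOOL = "C:\\Users\\alice\\Downloads\\tpcsrv.exe"

SAMPLE_EVENTS = [
    # Server tool started interactively on the destination host.
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:00.000", "ProcessId": 4012,
     "Image": SERVER_TOOL, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": SERVER_TOOL, "User": "CORP\\alice"},
    # The server tool deletes, then re-adds, an inbound allow rule via netsh (sheet rows 3/4).
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:01.000", "ProcessId": 4020,
     "Image": "C:\\Windows\\SysWOW64\\netsh.exe", "ParentImage": SERVER_TOOL,
     "CommandLine": "netsh advfirewall firewall delete rule name=Trend protocol=TCP dir=in localport=4444",
     "User": "CORP\\alice"},
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:02.000", "ProcessId": 4024,
     "Image": "C:\\Windows\\SysWOW64\\netsh.exe", "ParentImage": SERVER_TOOL,
     "CommandLine": "netsh advfirewall firewall add rule name=Trend protocol=TCP dir=in localport=4444 action=allow",
     "User": "CORP\\alice"},
    # Inbound connection accepted by the server tool. As the sheet describes, on the destination
    # host the 5156 Source fields hold the local host/port and the Destination fields the remote peer.
    {"EventID": 5156, "Direction": "Inbound", "Protocol": 6,
     "SourceAddress": "10.0.0.9", "SourcePort": 4444,
     "DestinationAddress": "10.0.0.5", "DestinationPort": 51234,
     "ApplicationName": SERVER_TOOL, "ProcessId": 4012},
    # Benign: an administrator opens port 80 from an elevated command prompt.
    {"EventID": 1, "UtcTime": "2024-01-01 11:00:00.000", "ProcessId": 5100,
     "Image": "C:\\Windows\\System32\\netsh.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Web Server" dir=in action=allow protocol=TCP localport=80',
     "User": "CORP\\admin"},
]

RULE_RE = re.compile(r"netsh(?:\.exe)?\s+advfirewall\s+firewall\s+(add|delete)\s+rule\b(.*)", re.IGNORECASE)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Parents from which an administrator would normally run netsh (assumption; tune per environment).
EXPECTED_PARENTS = {
    "c:\\windows\\system32\\cmd.exe",
    "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
}


def parse_firewall_rule_cmd(cmdline):
    """Parse a 'netsh advfirewall firewall add|delete rule ...' command line into its
    key=value options (quoted values allowed). Returns None for any other command."""
    m = RULE_RE.search(cmdline)
    if not m:
        return None
    opts = {k.lower(): v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    return {"op": m.group(1).lower(), "name": opts.get("name"),
            "dir": opts.get("dir", "").lower(), "localport": opts.get("localport"),
            "action": opts.get("action", "").lower()}


def find_rule_changes_by_unexpected_parent(events, expected_parents=EXPECTED_PARENTS):
    """Flag Sysmon Event ID 1 records where netsh changes an inbound rule and the parent
    is not an expected administrative shell (the sheet shows the server tool as parent)."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\netsh.exe"):
            continue
        rule = parse_firewall_rule_cmd(ev.get("CommandLine", ""))
        if rule is None or rule["dir"] != "in":
            continue
        if ev.get("ParentImage", "").lower() in expected_parents:
            continue
        findings.append({"time": ev.get("UtcTime"), "user": ev.get("User"),
                         "parent": ev.get("ParentImage"), **rule})
    return findings


def inbound_connections_for(findings, events):
    """Correlate each opened port with Security 5156 inbound connections accepted by the
    same application that spawned netsh; returns (port, remote address, rule time) tuples."""
    hits = []
    for f in findings:
        if f["op"] != "add" or not (f["localport"] or "").isdigit():
            continue
        port = int(f["localport"])
        for ev in events:
            if (ev.get("EventID") == 5156 and ev.get("Direction") == "Inbound"
                    and ev.get("SourcePort") == port
                    and ev.get("ApplicationName", "").lower() == f["parent"].lower()):
                hits.append((port, ev.get("DestinationAddress"), f["time"]))
    return hits


if __name__ == "__main__":
    found = find_rule_changes_by_unexpected_parent(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['time']} {f['user']}: {f['op']} rule {f['name']!r} port {f['localport']} via {f['parent']}")
    for port, remote, when in inbound_connections_for(found, SAMPLE_EVENTS):
        print(f"  inbound connection on port {port} from {remote} after rule change at {when}")
```

Against the constructed samples, the two netsh invocations spawned by the server tool are flagged while the administrator's rule added from cmd.exe is not, and the later 5156 record ties the opened port back to the same server-tool image. In a live environment the same fields can be pulled from the Sysmon and Security channels; Security 4946 (rule added) and 5447 (WFP filter changed), also listed on this sheet, give a second, netsh-independent source for the rule change.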

- Details: Source Host

- Event Log

# Event Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command ([Path to Client Tool] [Destination Host]:[Port Number] [Execution Command])
  • IntegrityLevel: Privilege level
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (path to the client tool)
Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (path to the client tool)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
2 Security 4656 Security A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WRITE_DAC and WRITE_OWNER)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[Account Name]\AppData\Local\VirtualStore)
  • Process Information > Process Name: Name of the process that closed the handle (path to the client tool)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Audit Success: Success or failure (access successful)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[Account Name]\AppData\Local\VirtualStore)
  • Access Request Information > Access: Requested privileges (WRITE_DAC, WRITE_OWNER)
  • Process Information > Process Name: Name of the process that closed the handle (path to the client tool)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (path to the client tool)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
3 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (destination host IP address)
  • Image: Path to the executable file
  • DestinationHostname: Destination host name (destination host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • DestinationPort: Destination port number
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (path to the client tool)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (path to the client tool)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
4 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the client tool)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (path to the client tool)
  • Subject > Logon ID: Session ID of the user who executed the process
5 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\Prefetch\[Executable File Name of Client Tool]-[RANDOM].pf)
  • CreationUtcTime: File creation date and time (UTC)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Client Tool]-[RANDOM].pf)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Client Tool]-[RANDOM].pf)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)

- USN Journal

# File Name Process Attribute
1 [Executable File Name of Client Tool]-[RANDOM].pf FILE_CREATE archive+not_indexed
[Executable File Name of Client Tool]-[RANDOM].pf DATA_EXTEND+FILE_CREATE archive+not_indexed
[Executable File Name of Client Tool]-[RANDOM].pf CLOSE+DATA_EXTEND+FILE_CREATE archive+not_indexed

- MFT

# Path Header Flag Validity
1 [Drive Name]:\Windows\Prefetch\[Executable File Name of Client Tool]-[RANDOM].pf FILE ALLOCATED

- Prefetch

# Prefetch File Process Name Process Path Information That Can Be Confirmed
1 [Drive Name]:\Windows\Prefetch\[Executable File Name of Client Tool]-[RANDOM].pf [Executable File Name of Client Tool] [Path to Client Tool] Last Run Time (last execution date and time)

- Details: Destination Host

- Event Log

# Event Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command (path to the server tool)
  • IntegrityLevel: Privilege level
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (path to the server tool)
Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (path to the server tool)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
2 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (path to the server tool)
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command (netsh advfirewall firewall delete rule name=Trend protocol=TCP dir=in localport=[Destination Port Number])
  • IntegrityLevel: Privilege level (Medium)
  • ParentCommandLine: Command line of the parent process (path to the server tool)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)
Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
3 Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access
  • SourceImage: Path to the access source process (path to the server tool)
  • TargetImage: Path to the access destination process (C:\Windows\SysWOW64\netsh.exe)
4 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (path to the server tool)
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command (netsh advfirewall firewall add rule name=Trend protocol=TCP dir=in localport=[Destination Port Number] action=allow)
  • IntegrityLevel: Privilege level (Medium)
  • ParentCommandLine: Command line of the parent process (path to the server tool)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)
Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
5 Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access
  • SourceImage: Path to the access source process (path to the server tool)
  • TargetImage: Path to the access destination process (C:\Windows\SysWOW64\netsh.exe)
6 Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC)
7 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x1)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
8 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x1)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\SysWOW64\netsh.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
9 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\Prefetch\NETSH.EXE-[RANDOM].pf)
  • CreationUtcTime: File creation date and time (UTC)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\NETSH.EXE-[RANDOM].pf)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
10 Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (port number)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (path to the server tool)
Security 5154 Filtering Platform Connection The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  • Network Information > Source Address: Source IP address
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Source port number (port number)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (path to the server tool)
11 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (C:\Windows\System32\svchost.exe)
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command (C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowNotificationDialog /ETOnly 0 /OnProfiles 7 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 2 "[Path to Server Tool]")
  • IntegrityLevel: Privilege level (Medium)
  • ParentCommandLine: Command line of the parent process (C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\rundll32.exe)
Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Process Information > Source Process Name: Path to parent process that created the new process
  • Subject > Account Name: Name of the account that executed the tool (LOCAL SERVICE)
  • Log Date and Time: Process execution date and time (local time)
  • Subject > Account Domain: Domain to which the account belongs (NT AUTHORITY)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\rundll32.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Subject > Security ID: SID of the user who executed the tool (LOCAL SERVICE)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
12 Security 5447 Other Policy Changing Events A Windows Filtering Platform filter has been changed. This event occurs more than once.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Provider Information > ID: Provider ID
  • Change Information > Change Type: Details of the performed process (addition)
  • Additional Information > Conditions: Filter conditions
  • Filter Information > ID at Execution: ID at filter execution
  • Subject > Account Name: Name of the account that executed the tool (NT AUTHORITY\LOCAL SERVICE)
  • Filter Information > ID: Filter UUID
  • Provider Information > Name: Provider name
  • Filter Information > Name: Filter name (executable file of the server tool)
  • Subject > Security ID: SID of the user who executed the tool (LOCAL SERVICE)
  • Additional Information > Filter Action: Operation when matched (permission)
Security 4946 MPSSVC Rule-Level Policy Change A change was made to the Windows Firewall exception list. A rule was added.
  • Added Rule > Rule Name: Name of the process executed (executable file of the server tool)
  • Changed Profile: Changed profile (private)
  • Added Rule > Rule ID: Rule ID of the process executed (TCP Query User{[ALPHANUM]-[ALPHANUM]-[ALPHANUM]-[ALPHANUM]-[ALPHANUM]}[Path to Tool])
Security 5031 Filtering Platform Connection The Windows Firewall Service blocked an application from accepting incoming connections on the network.
  • Application: Path to the tool (path to the server tool)
  • Profile: Profile used (private)
Security 5447 Other Policy Changing Events A Windows Filtering Platform filter has been changed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Provider Information > ID: Provider ID
  • Change Information > Change Type: Details of the performed process (addition)
  • Additional Information > Conditions: Filter conditions
  • Filter Information > ID at Execution: ID at filter execution
  • Subject > Account Name: Name of the account that executed the tool (NT AUTHORITY\LOCAL SERVICE)
  • Filter Information > ID: Filter UUID
  • Provider Information > Name: Provider name
  • Filter Information > Name: Filter name (executable file of the server tool)
  • Subject > Security ID: SID of the user who executed the tool (LOCAL SERVICE)
  • Additional Information > Filter Action: Operation when matched (prohibition)
13 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\Prefetch\[Executable File of Server Tool]-[RANDOM].pf)
  • CreationUtcTime: File creation date and time (UTC)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File of Server Tool]-[RANDOM].pf)
  • Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
  • Audit Success: Success or failure (access successful)
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File of Server Tool]-[RANDOM].pf)
  • Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
14 Security 5447 Other Policy Changing Events A Windows Filtering Platform filter has been changed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Provider Information > ID: Provider ID
  • Change Information > Change Type: Details of the performed process (addition)
  • Additional Information > Conditions: Filter conditions
  • Filter Information > ID at Execution: ID at filter execution
  • Subject > Account Name: Name of the account that executed the tool (NT AUTHORITY\LOCAL SERVICE)
  • Filter Information > ID: Filter UUID
  • Provider Information > Name: Provider name
  • Filter Information > Name: Filter name (executable file of the server tool)
  • Subject > Security ID: SID of the user who executed the tool (LOCAL SERVICE)
  • Additional Information > Filter Action: Operation when matched (permission)
Security 5447 Other Policy Changing Events A Windows Filtering Platform filter has been changed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Provider Information > ID: Provider ID
  • Change Information > Change Type: Details of the performed process (deletion)
  • Additional Information > Conditions: Filter conditions
  • Filter Information > ID at Execution: ID at filter execution
  • Subject > Account Name: Name of the account that executed the tool (NT AUTHORITY\LOCAL SERVICE)
  • Filter Information > ID: Filter UUID
  • Provider Information > Name: Provider name
  • Filter Information > Name: Filter name (executable file of the server tool)
  • Subject > Security ID: SID of the user who executed the tool (LOCAL SERVICE)
  • Additional Information > Filter Action: Operation when matched (permission)
Security 5447 Other Policy Changing Events A Windows Filtering Platform filter has been changed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Provider Information > ID: Provider ID
  • Change Information > Change Type: Details of the performed process (deletion)
  • Additional Information > Conditions: Filter conditions
  • Filter Information > ID at Execution: ID at filter execution
  • Subject > Account Name: Name of the account that executed the tool (NT AUTHORITY\LOCAL SERVICE)
  • Filter Information > ID: Filter UUID
  • Provider Information > Name: Provider name (Microsoft Corporation)
  • Filter Information > Name: Filter name (executable file of the tool)
  • Subject > Security ID: SID of the user who executed the tool (LOCAL SERVICE)
  • Additional Information > Filter Action: Operation when matched (prohibition)
Security 4947 MPSSVC Rule-Level Policy Change A change was made to the Windows Firewall exception list. A rule was modified.
  • Added Rule > Rule Name: Name of the process executed (executable file of the server tool)
  • Changed Profile: Changed profile (private)
  • Added Rule > Rule ID: Rule ID of the process executed (UDP Query User{[ALPHANUM]-[ALPHANUM]-[ALPHANUM]-[ALPHANUM]-[ALPHANUM]}[Path to Tool])
Security 4947 MPSSVC Rule-Level Policy Change A change was made to the Windows Firewall exception list. A rule was modified.
  • Added Rule > Rule Name: Name of the process executed (executable file of the server tool)
  • Changed Profile: Changed profile (private)
  • Added Rule > Rule ID: Rule ID of the process executed (TCP Query User{[ALPHANUM]-[ALPHANUM]-[ALPHANUM]-[ALPHANUM]-[ALPHANUM]}[Path to Tool])
15 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\rundll32.exe)
16 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (path to the server tool)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (port number)
  • SourceHostname: Source host name (destination host name)
  • SourceIp: Source IP address (destination host IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Source Address/Source Port: Source IP address/Port number ([Destination Host IP Address]/[Destination Port Number])
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Destination Address/Destination Port: Destination IP address/Port number ([Source Host IP Address]/[High Port])
  • Application Information > Application Name: Execution process (path to the server tool)
  • Network Information > Direction: Communication direction (inbound)
  • Application Information > Process ID: Process ID
17 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (path to the server tool)
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command (cmd /c dir)
  • IntegrityLevel: Privilege level (Medium)
  • ParentCommandLine: Command line of the parent process (path to the server tool)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\SysWOW64\cmd.exe)
Security 4688 Process Create A new process has been created.
  • Process Information > Mandatory Label: Integrity level (mandatory label SID) of the new process
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\SysWOW64\cmd.exe)
  • Process Information > Token Elevation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
18 Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process GUID/Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access
  • SourceImage: Path to the access source process (path to the server tool)
  • TargetImage: Path to the access destination process (C:\Windows\SysWOW64\cmd.exe)
19 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\SysWOW64\cmd.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\SysWOW64\cmd.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
20 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (path to the server tool)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (destination port number)
  • SourceHostname: Source host name (destination host name)
  • SourceIp: Source IP address (destination host IP address)
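
The rows above describe the destination-host pattern a responder would look for: a Sysmon Event ID 3 record in which the server tool connects back to the source host on a high port, followed by an Event ID 1 record whose ParentImage is the server tool and whose command line is a one-shot cmd (cmd /c dir). The following Python is an added example, not part of the original sheet or of the tool: it correlates the two event types on ProcessGuid/ParentProcessGuid using constructed sample records. Field names follow Sysmon's event data; the GUIDs, addresses, user name and the Temp path of the server tool are placeholders invented for the example.

```python
"""Correlate Sysmon Event ID 3 (NetworkConnect) with Event ID 1 (ProcessCreate)
to find a network-facing process that spawns a non-interactive cmd.exe.
All sample records below are constructed for this example."""
import ntpath
import shlex
from collections import defaultdict

# Placeholder path for the server tool (not a path taken from the sheet).
SERVER_TOOL = r"C:\Users\user\AppData\Local\Temp\tpcsrv.exe"

SAMPLE_EVENTS = [
    # Event ID 3: the server tool talks back to the client (source host) on a high port.
    {"EventID": 3, "ProcessGuid": "{0000-A1}", "Image": SERVER_TOOL, "User": r"CORP\user",
     "Protocol": "tcp", "SourceIp": "10.0.0.20", "SourcePort": 4444,
     "DestinationIp": "10.0.0.10", "DestinationPort": 51002},
    # Event ID 1: the server tool spawns a one-shot cmd to run the received command.
    {"EventID": 1, "ProcessGuid": "{0000-B2}", "ParentProcessGuid": "{0000-A1}",
     "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": SERVER_TOOL,
     "CommandLine": "cmd /c dir", "User": r"CORP\user", "IntegrityLevel": "Medium"},
    # Benign: a browser connects out and never spawns a shell.
    {"EventID": 3, "ProcessGuid": "{0000-C3}", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "User": r"CORP\user", "Protocol": "tcp", "SourceIp": "10.0.0.20", "SourcePort": 50211,
     "DestinationIp": "203.0.113.5", "DestinationPort": 443},
    # Benign: explorer.exe opens an interactive prompt; explorer has no network record here.
    {"EventID": 1, "ProcessGuid": "{0000-D4}", "ParentProcessGuid": "{0000-E5}",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" ', "User": r"CORP\user",
     "IntegrityLevel": "Medium"},
]


def is_noninteractive_cmd(command_line):
    """True when the command line runs cmd.exe with /c or /k, i.e. a one-shot
    command rather than an interactive prompt. Handles a quoted image path."""
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:
        return False
    if not tokens:
        return False
    exe = ntpath.basename(tokens[0].strip('"')).lower()
    if exe not in ("cmd", "cmd.exe"):
        return False
    return any(tok.lower() in ("/c", "/k") for tok in tokens[1:])


def correlate_network_shells(events):
    """Pair every Event ID 1 that is a one-shot cmd with the Event ID 3 records
    of its parent process (ParentProcessGuid == ProcessGuid). One alert per pair,
    carrying the remote endpoint the parent was talking to."""
    net_by_guid = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 3:
            net_by_guid[ev["ProcessGuid"]].append(ev)

    alerts = []
    for ev in events:
        if ev.get("EventID") != 1 or not is_noninteractive_cmd(ev.get("CommandLine", "")):
            continue
        for net in net_by_guid.get(ev.get("ParentProcessGuid"), []):
            alerts.append({
                "parent_image": ev.get("ParentImage"),
                "command_line": ev["CommandLine"],
                "user": ev.get("User"),
                "remote_ip": net["DestinationIp"],     # the client (source host)
                "remote_port": net["DestinationPort"],  # high port on the client
                "local_port": net["SourcePort"],        # port the server tool listens on
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate_network_shells(SAMPLE_EVENTS):
        print(alert)
```

The parent GUID is the join key because Sysmon assigns it per process instance, so a PID reused after the tool exits does not produce a false pairing. On real data the same function can be fed the EventData of Sysmon events exported from Microsoft-Windows-Sysmon/Operational; the integer EventID and the field names are the only shape it relies on.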

- USN Journal

# File Name Process Attribute
1 [Executable File Name of Server Tool]-[RANDOM].pf FILE_CREATE archive+not_indexed
[Executable File Name of Server Tool]-[RANDOM].pf DATA_EXTEND+FILE_CREATE archive+not_indexed
[Executable File Name of Server Tool]-[RANDOM].pf CLOSE+DATA_EXTEND+FILE_CREATE archive+not_indexed

- MFT

# Path Header Flag Validity
1 [Drive Name]:\Windows\Prefetch\[Executable File Name of Server Tool]-[RANDOM].pf FILE ALLOCATED

- Prefetch

# Prefetch File Process Name Process Path Information That Can Be Confirmed
1 :\Windows\Prefetch\[Executable File Name of Server Tool]-[RANDOM].pf [Executable File Name of Server Tool] [Path to Server Tool] Last Run Time (last execution date and time)

- Registry Entry

# Path Type Value
1 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\TCP Query User{[GUID]}[Path to Server Tool] String v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=[Path to Server Tool]|Name=tpcsrv.exe|Desc=tpcsrv.exe|Defer=User|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\UDP Query User{[GUID]}[Path to Server Tool] String v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=[Path to Server Tool]|Name=tpcsrv.exe|Desc=tpcsrv.exe|Defer=User|
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\TCP Query User{[GUID]}[Path to Server Tool] String v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=[Path to Server Tool]|Name=tpcsrv.exe|Desc=tpcsrv.exe|Defer=User|
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\UDP Query User{[GUID]}[Path to Server Tool] String v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=[Path to Server Tool]|Name=tpcsrv.exe|Desc=tpcsrv.exe|Defer=User|
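
The FirewallRules values in the table are pipe-delimited key=value strings; the "TCP Query User{GUID}" / "UDP Query User{GUID}" names together with Defer=User are what the Windows Firewall writes when a user clicks Allow on the network-access prompt, and that is how the server tool's inbound listener gets through the host firewall. The Python below is an added example, not part of the sheet or of the tool: it parses values of that format and flags inbound Allow rules created through the user prompt for programs outside the Windows and Program Files trees. The rule names, the Downloads path and the third, benign rule are constructed for the example; environment variables in App= paths are not expanded.

```python
"""Parse Windows Firewall 'FirewallRules' registry values (pipe-delimited
key=value format) and flag user-prompted inbound Allow rules for programs in
untrusted locations. Sample values are constructed for this example."""

PROTOCOL_NAMES = {"6": "TCP", "17": "UDP"}

# Placeholder rule names and path; the GUID and user folder are invented.
TCP_RULE_NAME = "TCP Query User{PLACEHOLDER-GUID}C:\\Users\\user\\Downloads\\tpcsrv.exe"
UDP_RULE_NAME = "UDP Query User{PLACEHOLDER-GUID}C:\\Users\\user\\Downloads\\tpcsrv.exe"
BENIGN_RULE_NAME = "{PLACEHOLDER-GUID-2}"

SAMPLE_RULES = {
    TCP_RULE_NAME:
        "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|"
        "App=C:\\Users\\user\\Downloads\\tpcsrv.exe|Name=tpcsrv.exe|Desc=tpcsrv.exe|Defer=User|",
    UDP_RULE_NAME:
        "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|"
        "App=C:\\Users\\user\\Downloads\\tpcsrv.exe|Name=tpcsrv.exe|Desc=tpcsrv.exe|Defer=User|",
    # Constructed benign rule: installed service under Program Files, not user-prompted.
    BENIGN_RULE_NAME:
        "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=443|"
        "App=C:\\Program Files\\Example\\svc.exe|Name=Example Service|Desc=Constructed sample|",
}

# Directory trees whose binaries are treated as expected listeners (lower-cased prefixes).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_firewall_rule(value):
    """Split one FirewallRules value into a dict. The leading 'vN.NN' token is
    kept as 'Version'; repeated keys (e.g. several LPort entries) are joined with ','."""
    fields = [f for f in value.split("|") if f]
    rule = {}
    if fields and fields[0].startswith("v") and "=" not in fields[0]:
        rule["Version"] = fields.pop(0)
    for field in fields:
        key, _, val = field.partition("=")
        rule[key] = rule[key] + "," + val if key in rule else val
    return rule


def is_user_prompted_inbound_allow(name, rule):
    """True for an active inbound Allow rule that was created via the firewall
    prompt (Defer=User or a 'Query User' name) for a program outside TRUSTED_PREFIXES."""
    if rule.get("Action") != "Allow" or rule.get("Dir") != "In":
        return False
    if rule.get("Active", "").upper() != "TRUE":
        return False
    prompted = rule.get("Defer") == "User" or name.startswith(("TCP Query User", "UDP Query User"))
    app = rule.get("App", "").lower()
    untrusted_path = bool(app) and not app.startswith(TRUSTED_PREFIXES)
    return prompted and untrusted_path


def review_firewall_rules(rules):
    """Return one finding per flagged rule: name, protocol, profile and program path."""
    findings = []
    for name, value in rules.items():
        rule = parse_firewall_rule(value)
        if is_user_prompted_inbound_allow(name, rule):
            proto = PROTOCOL_NAMES.get(rule.get("Protocol", ""), rule.get("Protocol", "?"))
            findings.append({"name": name, "protocol": proto,
                             "profile": rule.get("Profile"), "app": rule.get("App")})
    return findings


if __name__ == "__main__":
    for finding in review_firewall_rules(SAMPLE_RULES):
        print(finding)
```

On a live host the same name/value pairs can be enumerated from the FirewallRules key under both ControlSet001 and CurrentControlSet listed above; the rule persists after the tool is deleted, so the App= path is useful for recovering the executable's original location even when the Prefetch file has been purged.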

- Packet Capture

# Process Source Host Source Port Number Destination Host Destination Port Number Protocol/Application
1
  • Process: [PSH, ACK]: Although the details and the result of the execution cannot be determined from the header, etc., they can be confirmed by analyzing the captured packet, as it is written in plaintext.
  • Source Host: Source host
  • Source Port Number: High port
  • Destination Host: Destination host
  • Destination Port Number: Port specified at execution
  • Protocol/Application: TCP