Fake wpad


- Tool Overview

Category: Malicious Communication Relay
Description: Acquires and alters the contents of client communication by operating as the WPAD server.
Example of Presumed Tool Use During an Attack: By relaying communication from the client to an external website, this tool alters the response and embeds a malicious URL that leads the client to the attacker's site.

- Tool Operation Overview

Item | Source Host | Destination Host
OS | Windows | Windows
Belonging to Domain | Not required | Not required
Rights | Standard user | Administrator privileges (required because the Windows Firewall configuration needs to be changed to allow inbound connections to be received)
Communication Protocol | 80/tcp, 8888/tcp | 80/tcp, 8888/tcp

- Information Acquired from Log

Standard Settings
  • Source host
    • The last acquired proxy setting (registry) is recorded. *This cannot be distinguished from legitimate use if WPAD is used in regular operations.
  • Destination Host
    • Execution history (Prefetch)
Additional Settings
  • Source host
    • The fact that communication was made via 80/tcp and 8888/tcp to the host that executes the tool is recorded (audit policy, Sysmon).
    • The fact that a wpad.dat cache was created is recorded (audit policy).
  • Destination Host
    • The fact that 80/tcp and 8888/tcp were listened to is recorded (audit policy).
    • Handle requests for wpad.dat and for the proxy log file proxy.log are recorded (audit policy).
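The evidence listed above can be turned into a concrete check. The following is an added example (not part of the original sheet and not code from any tool): the event records are constructed to carry the Sysmon and Security log fields the sheet names (EventID, Image, TargetObject, DestinationPort, SourcePort, ObjectName); the host names, IP addresses, paths and the GUID are placeholders. On the source host it looks for a browser that creates the per-network Wpad\{GUID} registry key and then connects to a proxy port; on the destination host it looks for a single image that answers on both 80/tcp and 8888/tcp and writes proxy.log.

```python
"""Detection logic for the Fake wpad evidence summarised above.

Added example, not part of the original sheet or of any tool: the event
records are constructed to carry the Sysmon / Security log fields the sheet
names (EventID, Image, TargetObject, DestinationPort, SourcePort, ...);
host names, paths, IPs and the GUID are placeholders.
"""
from typing import Dict, List, Set

# Fragment of the per-network WPAD key the browser creates (Sysmon 12/13).
WPAD_KEY_FRAGMENT = r"\software\microsoft\windows\currentversion\internet settings\wpad\{"
# Ports the sheet lists for the WPAD server (80) and the relay proxy (8888).
PROXY_PORTS = {80, 8888}

IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
TOOL = r"C:\Tools\fakewpad.exe"          # placeholder path to the tool

# Constructed source-host (browser side) events, in the sheet's order.
SOURCE_HOST_EVENTS: List[Dict] = [
    {"Log": "Sysmon", "EventID": 3, "Protocol": "udp", "Image": "System",
     "DestinationIp": "192.0.2.10", "DestinationPort": 137, "SourcePort": 137},
    {"Log": "Sysmon", "EventID": 12, "EventType": "CreateKey", "Image": IE,
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows"
                     r"\CurrentVersion\Internet Settings\Wpad\{11111111-2222-3333-4444-555555555555}"},
    {"Log": "Sysmon", "EventID": 3, "Protocol": "tcp", "Image": IE,
     "DestinationIp": "192.0.2.10", "DestinationPort": 8888, "SourcePort": 49321},
    # Ordinary browsing, should not be flagged.
    {"Log": "Sysmon", "EventID": 3, "Protocol": "tcp", "Image": IE,
     "DestinationIp": "198.51.100.5", "DestinationPort": 443, "SourcePort": 49322},
]

# Constructed destination-host (tool side) events.
DEST_HOST_EVENTS: List[Dict] = [
    {"Log": "Sysmon", "EventID": 1, "Image": TOOL, "CommandLine": "fakewpad.exe"},
    {"Log": "Sysmon", "EventID": 3, "Protocol": "tcp", "Image": TOOL,
     "SourcePort": 80, "DestinationIp": "192.0.2.20", "DestinationPort": 49320},
    {"Log": "Sysmon", "EventID": 3, "Protocol": "tcp", "Image": TOOL,
     "SourcePort": 8888, "DestinationIp": "192.0.2.20", "DestinationPort": 49321},
    {"Log": "Security", "EventID": 4663, "ProcessName": TOOL,
     "ObjectName": r"C:\Tools\proxy.log", "AccessMask": "WriteData, AppendData"},
]


def find_source_host_indicators(events: List[Dict]) -> List[str]:
    """Browser-side sequence from the sheet: a Wpad\\{GUID} registry key is
    created or set by the browser (Sysmon 12/13), and the same image then
    opens a TCP connection to a proxy port (Sysmon 3 to 80 or 8888)."""
    wpad_writers: Set[str] = set()
    findings: List[str] = []
    for ev in events:
        if ev.get("Log") != "Sysmon":
            continue
        target = ev.get("TargetObject", "").lower()
        if ev["EventID"] in (12, 13) and WPAD_KEY_FRAGMENT in target:
            if ev["Image"] not in wpad_writers:
                wpad_writers.add(ev["Image"])
                findings.append(f"wpad-registry-write:{ev['Image']}")
        elif (ev["EventID"] == 3 and ev.get("Protocol") == "tcp"
              and ev.get("DestinationPort") in PROXY_PORTS
              and ev["Image"] in wpad_writers):
            findings.append(f"proxy-connect:{ev['DestinationIp']}:{ev['DestinationPort']}")
    return findings


def find_destination_host_indicators(events: List[Dict]) -> Dict[str, Dict]:
    """Tool-side pattern: one image answers on both 80 and 8888 (Sysmon 3
    whose SourcePort is a proxy port, i.e. an accepted inbound connection)
    and appends to proxy.log (Security 4663 with WriteData/AppendData)."""
    per_image: Dict[str, Dict] = {}
    for ev in events:
        if ev.get("Log") == "Sysmon" and ev["EventID"] == 3 and ev.get("SourcePort") in PROXY_PORTS:
            rec = per_image.setdefault(ev["Image"], {"ports": set(), "proxy_log_write": False})
            rec["ports"].add(ev["SourcePort"])
        elif ev.get("Log") == "Security" and ev["EventID"] == 4663:
            is_log = ev.get("ObjectName", "").lower().endswith("\\proxy.log")
            is_write = any(a in ev.get("AccessMask", "") for a in ("WriteData", "AppendData"))
            if is_log and is_write:
                rec = per_image.setdefault(ev["ProcessName"], {"ports": set(), "proxy_log_write": False})
                rec["proxy_log_write"] = True
    return {img: {"ports": sorted(r["ports"]), "proxy_log_write": r["proxy_log_write"]}
            for img, r in per_image.items()}


def flag_fake_wpad_servers(events: List[Dict]) -> List[str]:
    """Images that show the full tool-side pattern (both ports and the log write)."""
    return [img for img, r in find_destination_host_indicators(events).items()
            if r["ports"] == [80, 8888] and r["proxy_log_write"]]


if __name__ == "__main__":
    print(find_source_host_indicators(SOURCE_HOST_EVENTS))
    print(flag_fake_wpad_servers(DEST_HOST_EVENTS))
```

The source-host check deliberately keys on the image that wrote the Wpad registry key rather than on the port alone, because (as the sheet's note says) the registry artefact alone is indistinguishable from legitimate WPAD use; the port number on the destination side is also configurable, so in a real deployment the port set would be taken from the observed wpad.dat rather than hard-coded.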

- Evidence That Can Be Confirmed When Execution is Successful

- Main Information Recorded at Execution

- Source Host

Event log

# Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (port: 137)
  • Protocol: Protocol (udp)
  • Image: Path to the executable file (System)
  • ProcessGuid/ProcessId: Process ID (4)
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (port: 137)
2 Security 4663 File System An attempt was made to access an object.
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Process Name: Name of the process that closed the handle (C:\Program Files\Internet Explorer\iexplore.exe)
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\[RANDOM]\wpad[1].htm)
3 Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type
  • Image: Path to the executable file (C:\Program Files\Internet Explorer\iexplore.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (WPAD settings are saved under: \REGISTRY\USER\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{[GUID]})
4 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (port: 8888)
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (C:\Program Files\Internet Explorer\iexplore.exe)
  • ProcessGuid/ProcessId: Process ID
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number

USN journal

# File Name Process
1 wpad[1].htm BASIC_INFO_CHANGE+CLOSE+DATA_EXTEND+FILE_CREATE

MFT

# Path Header Flag Validity
1 [Drive Name]:\Users\[User Name]\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\[RANDOM]\wpad[1].htm FILE ALLOCATED

Registry entry

# Path Value
1 HKEY_USERS\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork {[GUID]}
2 Under: HKEY_USERS\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (multiple pieces of data)

- Destination Host

Event log

# Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • CommandLine: Command line of the execution command (executable file name of the tool)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the tool)
  • User: Execute as user
2 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (udp)
  • Image: Path to the executable file (System)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (port: 137)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (port: 137)
3 Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection. (NetBIOS name registration: the destination host registers the host name "WPAD", which the source host resolves when obtaining WPAD)
  • Network Information > Destination Port: Destination port number (137)
  • Network Information > Source Port: Source port number (137)
  • Network Information > Destination Address: Destination IP address (broadcast address)
  • Network Information > Protocol: Protocol used (17=UDP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (destination host IP address)
  • Application Information > Process ID: Process ID (4)
4 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected. (HTTP communication using a proxy. The port number to be used may be different depending on the relay software and WPAD content)
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (port: 8888)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number
5 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected. (Communication to acquire WPAD)
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (port: 80)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number
6 Security 4663 File System An attempt was made to access an object. (The "proxy.log" file is created in the folder of the tool. Any event, such as when WPAD was provided or HTTP communication was tunneled, is written to this file)
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Process Name: Name of the process that closed the handle (path to the tool)
  • Object > Object Name: Target file name ([Tool Folder]\proxy.log)

USN journal

# File Name Process
1 proxy.log CLOSE+DATA_EXTEND

MFT

# Path Header Flag Validity
1 [Drive Name]:\[Path to Tool]\proxy.log FILE ALLOCATED

Prefetch


- Details: Source Host

- Event Log

# Event Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (udp)
  • DestinationIp: Destination IP address (destination host IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (destination host name)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (137)
  • SourcePort: Source port number (137)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (137)
  • Network Information > Source Port: Source port number (137)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Source Address/Source Port: Source IP address/Port number
  • Network Information > Protocol: Protocol used (17=UDP)
  • Network Information > Destination Address/Destination Port: Destination IP address/Port number
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
2 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command (C:\Program Files\Internet Explorer\iexplore.exe)
  • IntegrityLevel: Privilege level (Medium)
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Program Files\Internet Explorer\iexplore.exe)
Security 4688 Process Create A new process has been created.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Program Files\Internet Explorer\iexplore.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
3 Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type
  • Image: Path to the executable file (C:\Program Files\Internet Explorer\iexplore.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{[GUID]})
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Process type (SetValue)
  • Image: Path to the executable file (C:\Program Files\Internet Explorer\iexplore.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (DWORD:0x00000000)
  • TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{[GUID]}\WpadDecisionReason)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Process type (SetValue)
  • Image: Path to the executable file (C:\Program Files\Internet Explorer\iexplore.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (Binary Data)
  • TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{[GUID]}\WpadDecisionTime)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Process type (SetValue)
  • Image: Path to the executable file (C:\Program Files\Internet Explorer\iexplore.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (DWORD:0x00000001)
  • TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{[GUID]}\WpadDecision)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Process type (SetValue)
  • Image: Path to the executable file (C:\Program Files\Internet Explorer\iexplore.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (network)
  • TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{[GUID]}\WpadNetworkName)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Program Files\Internet Explorer\iexplore.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{[GUID]}\[MAC Address])
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Program Files\Internet Explorer\iexplore.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\[MAC Address])
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Process type (SetValue)
  • Image: Path to the executable file (C:\Program Files\Internet Explorer\iexplore.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (DWORD:0x00000000)
  • TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\[MAC Address]\WpadDecisionReason)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Process type (SetValue)
  • Image: Path to the executable file (C:\Program Files\Internet Explorer\iexplore.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (Binary Data)
  • TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\[MAC Address]\WpadDecisionTime)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Process type (SetValue)
  • Image: Path to the executable file (C:\Program Files\Internet Explorer\iexplore.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (DWORD:0x00000001)
  • TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\[MAC Address]\WpadDecision)
4 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (destination host IP address)
  • Image: Path to the executable file (C:\Program Files\Internet Explorer\iexplore.exe)
  • DestinationHostname: Destination host name (destination host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • DestinationPort: Destination port number (80)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\program files\internet explorer\iexplore.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (80)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\program files\internet explorer\iexplore.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
5 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Program Files\Internet Explorer\iexplore.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Users\[User Name]\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\[RANDOM]\wpad[1].htm)
  • CreationUtcTime: File creation date and time (UTC)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\[RANDOM]\wpad[1].htm)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Program Files\Internet Explorer\iexplore.exe)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\[RANDOM]\wpad[1].htm)
  • Access Request Information > Access: Requested privileges (WriteAttributes, WriteData, AppendData)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Program Files\Internet Explorer\iexplore.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Program Files\Internet Explorer\iexplore.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
6 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (destination host IP address)
  • Image: Path to the executable file (C:\Program Files\Internet Explorer\iexplore.exe)
  • DestinationHostname: Destination host name (destination host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • DestinationPort: Destination port number (8888)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\program files\internet explorer\iexplore.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (8888)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\program files\internet explorer\iexplore.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
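Rows 5 in the table above note that the 4663 and 4658 events can be tied to the wpad[1].htm write only through the Handle ID obtained in 4656, since 4658 names no object. The following is an added example (not from the original sheet) of that correlation: the Security event records are constructed with the fields the sheet lists, and the user name, the [RANDOM] cache folder and the handle values are placeholders.

```python
"""Tying Security 4656 / 4663 / 4658 together by Handle ID to confirm that the
browser wrote the WPAD script into its cache as wpad[1].htm.

Added example, not from the original sheet: the records are constructed with
the fields the sheet lists. Only 4656 and 4663 carry the object name; 4658
(handle closed) names no file, so it can be attributed to wpad[1].htm only
through the Handle ID obtained in 4656, as the sheet notes.
"""
import re
from typing import Dict, List

IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
# Placeholder cache folder ([User Name] and [RANDOM] in the sheet).
CACHE = (r"C:\Users\alice\AppData\Local\Microsoft\Windows"
         r"\Temporary Internet Files\Content.IE5\A1B2C3D4")

SECURITY_EVENTS: List[Dict] = [
    {"EventID": 4656, "Time": "10:00:01", "HandleId": "0x2a4", "ProcessName": IE,
     "ObjectName": CACHE + r"\wpad[1].htm", "Access": "WriteData (or AddFile)"},
    {"EventID": 4663, "Time": "10:00:01", "HandleId": "0x2a4", "ProcessName": IE,
     "ObjectName": CACHE + r"\wpad[1].htm",
     "Access": "WriteAttributes, WriteData, AppendData"},
    {"EventID": 4658, "Time": "10:00:02", "HandleId": "0x2a4", "ProcessName": IE},
    # An unrelated read-only handle on another cached file, for contrast.
    {"EventID": 4656, "Time": "10:00:03", "HandleId": "0x2b0", "ProcessName": IE,
     "ObjectName": CACHE + r"\favicon[1].ico", "Access": "ReadData (or ListDirectory)"},
    {"EventID": 4658, "Time": "10:00:03", "HandleId": "0x2b0", "ProcessName": IE},
]


def _split_access(text: str) -> List[str]:
    """'WriteData (or AddFile)' -> ['WriteData']; 'A, B' -> ['A', 'B']."""
    text = re.sub(r"\s*\([^)]*\)", "", text)
    return [a.strip() for a in text.split(",") if a.strip()]


def reconstruct_handle_sessions(events: List[Dict]) -> Dict[str, Dict]:
    """Group open (4656), access (4663) and close (4658) events by Handle ID."""
    sessions: Dict[str, Dict] = {}
    for ev in events:
        s = sessions.setdefault(ev["HandleId"], {
            "handle": ev["HandleId"], "process": ev.get("ProcessName"),
            "object": None, "accesses": [], "opened": None, "closed": None})
        if ev["EventID"] == 4656:
            s["object"], s["opened"] = ev["ObjectName"], ev["Time"]
        elif ev["EventID"] == 4663:
            s["object"] = s["object"] or ev["ObjectName"]
        elif ev["EventID"] == 4658:
            # 4658 carries no object name: the Handle ID is the only link.
            s["closed"] = ev["Time"]
            continue
        for a in _split_access(ev.get("Access", "")):
            if a not in s["accesses"]:
                s["accesses"].append(a)
    return sessions


def wpad_cache_writes(events: List[Dict]) -> List[Dict]:
    """Sessions in which wpad[1].htm was opened for writing and actually written."""
    hits = []
    for s in reconstruct_handle_sessions(events).values():
        obj = (s["object"] or "").lower()
        if obj.endswith("\\wpad[1].htm") and "WriteData" in s["accesses"]:
            hits.append(s)
    return sorted(hits, key=lambda s: s["opened"] or "")


if __name__ == "__main__":
    for s in wpad_cache_writes(SECURITY_EVENTS):
        print(s["handle"], s["opened"], "->", s["closed"], s["accesses"])
```

Requiring WriteData in the accumulated access list (from 4663, not merely the requested access in 4656) is what distinguishes a cache file that was actually written from one that was only opened; the closed timestamp from 4658 then bounds the time window in which the WPAD script landed on disk.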

- USN Journal

# File Name Process Attribute
1 wpad[1].htm FILE_CREATE archive+not_indexed
wpad[1].htm BASIC_INFO_CHANGE+FILE_CREATE archive+not_indexed
wpad[1].htm BASIC_INFO_CHANGE+DATA_EXTEND+FILE_CREATE archive+not_indexed
wpad[1].htm BASIC_INFO_CHANGE+CLOSE+DATA_EXTEND+FILE_CREATE archive+not_indexed

- MFT

# Path Header Flag Validity
1 [Drive Name]:\Users\[User Name]\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\[RANDOM]\wpad[1].htm FILE ALLOCATED

- Registry Entry

# Path Type Value
1 HKEY_USERS\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork String {[GUID]}
2 HKEY_USERS\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\[MAC Address]\WpadDecisionReason DWORD 0x00000000
HKEY_USERS\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\[MAC Address]\WpadDecisionTime String ([binary value])
HKEY_USERS\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\[MAC Address]\WpadDecision DWORD 0x00000001
3 HKEY_USERS\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{[GUID]}\[MAC Address] Key (No value to be set)
HKEY_USERS\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{[GUID]}\WpadDecisionReason DWORD 0x00000000
HKEY_USERS\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{[GUID]}\WpadDecisionTime String ([binary value])
HKEY_USERS\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{[GUID]}\WpadDecision DWORD 0x00000001
HKEY_USERS\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{[GUID]}\WpadNetworkName String Network

- Details: Destination Host

- Event Log

# Event Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command (executable file name of the tool)
  • IntegrityLevel: Privilege level (Medium)
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (path to the tool)
Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (path to the tool)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
2 Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (137)
  • Network Information > Source Port: Source port number (137)
  • Network Information > Destination Address: Destination IP address (broadcast address)
  • Network Information > Protocol: Protocol used (17=UDP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (destination host IP address)
  • Application Information > Process ID: Process ID (4)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (137)
  • Network Information > Source Port: Source port number (137)
  • Network Information > Destination Address: Destination IP address (source host IP address)
  • Network Information > Protocol: Protocol used (17=UDP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (broadcast address)
  • Application Information > Process ID: Process ID
3 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (udp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (137)
  • SourcePort: Source port number (137)
  • SourceHostname: Source host name (destination host name)
  • SourceIp: Source IP address (destination host IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (137)
  • Network Information > Source Port: Source port number (137)
  • Network Information > Destination Address: Destination IP address (source host IP address)
  • Network Information > Protocol: Protocol used (17=UDP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (destination host IP address)
  • Application Information > Process ID: Process ID
4 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (path to the tool)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (80)
  • SourceHostname: Source host name (destination host name)
  • SourceIp: Source IP address (destination host IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (80)
  • Network Information > Destination Address: Destination IP address (source host IP address)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (destination host IP address)
  • Application Information > Process ID: Process ID
5 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (path to the wpad.dat proxy setting file)
  • Process Information > Process Name: Name of the process that closed the handle (path to the tool)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (path to the tool)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
6 Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters)
7 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (destination host IP address)
  • Image: Path to the executable file (path to the tool)
  • DestinationHostname: Destination host name (destination host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • DestinationPort: Destination port number (80)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (80)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (path to the tool)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (destination host)
  • Application Information > Process ID: Process ID
8 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (path to the tool)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Account the process runs as
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (8888)
  • SourceHostname: Source host name (destination host name)
  • SourceIp: Source IP address (destination host IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (8888)
  • Network Information > Destination Address: Destination IP address (source host IP address)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (path to the tool)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (destination host IP address)
  • Application Information > Process ID: Process ID
9 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file ([Tool Folder]\proxy.log)
  • CreationUtcTime: File creation date and time (UTC)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name ([Tool Folder]\proxy.log)
  • Process Information > Process Name: Name of the process that requested the handle (path to the tool)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name ([Tool Folder]\proxy.log)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that accessed the object (path to the tool)
  • Object > Object Type: Type of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Account Name: Name of the account that executed the tool (destination host name)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
10 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • CreationUtcTime: File creation date and time (UTC)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
11 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the tool)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (path to the tool)
  • Subject > Logon ID: Session ID of the user who executed the process
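
Taken together, the destination-host rows above give a usable fingerprint: one process that accepts connections on both 80/tcp and 8888/tcp (rows 7 and 8), creates proxy.log (row 9) and, as a supporting signal, touches the Tcpip\Parameters key (row 6). The Python below is an added example, not part of this sheet and not code from the tool; it correlates constructed Sysmon events written in Windows Event XML form, grouped by Computer and ProcessGuid. The host names, IP addresses, ProcessGuid values and the tool path C:\Users\attacker\Desktop\tool\fake_wpad.exe are assumed sample values. Because row 8 records the listening port in SourcePort while row 7 records it in DestinationPort, the check looks at both ends of each inbound connection.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}
RELAY_PORTS = {80, 8888}  # ports the tool listens on (tool operation overview)
TOOL = r"C:\Users\attacker\Desktop\tool\fake_wpad.exe"  # assumed sample path, not a real artefact


def _event(event_id, computer, **data):
    """Build one constructed Sysmon event in Windows Event XML form (sample data)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID><Computer>{computer}</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed sample events following the field names in the table above.
SAMPLE_EVENTS = [
    # row 7: inbound 80/tcp (client fetching wpad.dat), listening port in DestinationPort
    _event(3, "DST-PC", Image=TOOL, ProcessGuid="{A1}", Protocol="tcp", Initiated="false",
           SourceIp="10.0.0.5", SourcePort="49812", DestinationIp="10.0.0.9", DestinationPort="80"),
    # row 8: inbound 8888/tcp, listening port recorded in SourcePort
    _event(3, "DST-PC", Image=TOOL, ProcessGuid="{A1}", Protocol="tcp", Initiated="false",
           SourceIp="10.0.0.9", SourcePort="8888", DestinationIp="10.0.0.5", DestinationPort="49813"),
    # row 9: proxy.log created in the tool folder
    _event(11, "DST-PC", Image=TOOL, ProcessGuid="{A1}",
           TargetFilename=r"C:\Users\attacker\Desktop\tool\proxy.log"),
    # row 6: CreateKey on Tcpip\Parameters
    _event(12, "DST-PC", Image=TOOL, ProcessGuid="{A1}", EventType="CreateKey",
           TargetObject=r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters"),
    # benign web server: 80/tcp only and no proxy.log, must not be flagged
    _event(3, "DST-PC", Image=r"C:\inetpub\httpd.exe", ProcessGuid="{B2}", Protocol="tcp",
           Initiated="false", SourceIp="10.0.0.5", SourcePort="49900",
           DestinationIp="10.0.0.9", DestinationPort="80"),
]


def _data(event, name):
    """Return the text of <Data Name="..."> or None when the field is absent."""
    node = event.find(f'e:EventData/e:Data[@Name="{name}"]', NS)
    return node.text if node is not None else None


def correlate(events_xml):
    """Group Sysmon 3/11/12 events by (Computer, ProcessGuid) and return the processes
    that accepted connections on every port in RELAY_PORTS and created proxy.log."""
    per_proc = defaultdict(lambda: {"image": None, "ports": set(),
                                    "proxy_log": False, "tcpip_key": False})
    for raw in events_xml:
        ev = ET.fromstring(raw)
        eid = int(ev.find("e:System/e:EventID", NS).text)
        computer = ev.find("e:System/e:Computer", NS).text
        rec = per_proc[(computer, _data(ev, "ProcessGuid"))]
        rec["image"] = _data(ev, "Image")
        if eid == 3 and _data(ev, "Protocol") == "tcp" and _data(ev, "Initiated") == "false":
            # The listening port appears at either end (rows 7 and 8), so check both.
            ends = {int(_data(ev, "SourcePort")), int(_data(ev, "DestinationPort"))}
            rec["ports"] |= ends & RELAY_PORTS
        elif eid == 11 and (_data(ev, "TargetFilename") or "").lower().endswith("\\proxy.log"):
            rec["proxy_log"] = True
        elif eid == 12 and _data(ev, "EventType") == "CreateKey" and \
                (_data(ev, "TargetObject") or "").lower().endswith("\\tcpip\\parameters"):
            rec["tcpip_key"] = True
    return [{"computer": computer, "process_guid": guid, "image": rec["image"],
             "tcpip_key": rec["tcpip_key"]}
            for (computer, guid), rec in per_proc.items()
            if rec["ports"] == RELAY_PORTS and rec["proxy_log"]]


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(f'{hit["computer"]}: {hit["image"]} ({hit["process_guid"]}) '
              f'accepted on 80 and 8888, wrote proxy.log, Tcpip\\Parameters key={hit["tcpip_key"]}')
```

The port pair plus proxy.log is what separates the tool from an ordinary web server on 80/tcp (the benign sample event is deliberately not flagged); the registry CreateKey is reported but not required, since the table lists it without a distinctive value. On a real host, feed the function the XML returned by Get-WinEvent's ToXml() for the Microsoft-Windows-Sysmon/Operational log.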

- USN Journal

# File Name Process Attribute
1 [Executable File Name of Tool]-[RANDOM].pf FILE_CREATE archive+not_indexed
[Executable File Name of Tool]-[RANDOM].pf DATA_EXTEND+FILE_CREATE archive+not_indexed
[Executable File Name of Tool]-[RANDOM].pf CLOSE+DATA_EXTEND+FILE_CREATE archive+not_indexed
2 proxy.log FILE_CREATE archive
proxy.log DATA_EXTEND+FILE_CREATE archive
proxy.log CLOSE+DATA_EXTEND+FILE_CREATE archive
3 proxy.log DATA_EXTEND archive
proxy.log CLOSE+DATA_EXTEND archive
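
The Process and Attribute columns above are bit flags from the raw USN_RECORD_V2 structure, so when working from a $UsnJrnl:$J extract rather than a parsed report they have to be decoded. The Python below is an added example, not part of this sheet: it packs constructed records mirroring rows 2 and 3 for proxy.log plus a hypothetical FAKE_WPAD.EXE-1A2B3C4D.pf entry standing in for "[Executable File Name of Tool]-[RANDOM].pf", then parses the bytes back into the same Reason and Attribute strings. File reference numbers, USN values and timestamps in the sample are dummy values; flag bits the lookup tables do not name are kept as hex rather than silently dropped.

```python
import struct

# USN_RECORD_V2 fixed part: RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes,
# FileNameLength, FileNameOffset (60 bytes); the UTF-16LE FileName follows at FileNameOffset.
USN_RECORD_V2 = struct.Struct("<IHHQQQqIIIIHH")

USN_REASONS = {  # USN_REASON_* values from winioctl.h
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00008000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE",
}
FILE_ATTRS = {  # FILE_ATTRIBUTE_* values, named as in the table
    0x02: "hidden", 0x10: "directory", 0x20: "archive", 0x2000: "not_indexed",
}


def decode_flags(value, table):
    """Render a flag word in the table's 'A+B+C' form (names sorted, unknown bits kept as hex)."""
    names = sorted(name for bit, name in table.items() if value & bit)
    unknown = value & ~sum(table)  # bits we have no name for
    if unknown:
        names.append(f"0x{unknown:08x}")
    return "+".join(names)


def parse_usn_records(blob):
    """Parse consecutive USN_RECORD_V2 entries from a $UsnJrnl:$J extract."""
    records, offset = [], 0
    while offset + USN_RECORD_V2.size <= len(blob):
        (length, major, minor, _frn, _parent, usn, timestamp, reason, _src,
         _sid, attrs, name_len, name_off) = USN_RECORD_V2.unpack_from(blob, offset)
        if length == 0:  # zero padding at the end of a journal page
            break
        if major != 2:
            raise ValueError(f"unsupported USN record version {major}.{minor}")
        name = blob[offset + name_off:offset + name_off + name_len].decode("utf-16-le")
        records.append({"usn": usn, "timestamp": timestamp, "name": name,
                        "reason": decode_flags(reason, USN_REASONS),
                        "attributes": decode_flags(attrs, FILE_ATTRS)})
        offset += length
    return records


def build_record(usn, name, reason, attrs, timestamp=0):
    """Pack one constructed USN_RECORD_V2 (sample data; reference numbers are dummies)."""
    name_bytes = name.encode("utf-16-le")
    length = (USN_RECORD_V2.size + len(name_bytes) + 7) & ~7  # records are 8-byte aligned
    header = USN_RECORD_V2.pack(length, 2, 0, 0x0001000000001234, 0x0001000000000005, usn,
                                timestamp, reason, 0, 0, attrs, len(name_bytes), USN_RECORD_V2.size)
    return header + name_bytes + b"\0" * (length - len(header) - len(name_bytes))


def reasons_for(records, filename):
    """Reason strings for one file in journal order, as the table lists them."""
    return [r["reason"] for r in records if r["name"].lower() == filename.lower()]


# Constructed journal mirroring rows 2-3 (proxy.log) plus a hypothetical Prefetch entry.
CLOSE, DATA_EXTEND, FILE_CREATE = 0x80000000, 0x2, 0x100
ARCHIVE, NOT_INDEXED = 0x20, 0x2000
SAMPLE_JOURNAL = b"".join([
    build_record(0x1000, "proxy.log", FILE_CREATE, ARCHIVE),
    build_record(0x1050, "proxy.log", DATA_EXTEND | FILE_CREATE, ARCHIVE),
    build_record(0x10a0, "proxy.log", CLOSE | DATA_EXTEND | FILE_CREATE, ARCHIVE),
    build_record(0x10f0, "FAKE_WPAD.EXE-1A2B3C4D.pf", CLOSE | DATA_EXTEND | FILE_CREATE,
                 ARCHIVE | NOT_INDEXED),
])

if __name__ == "__main__":
    for rec in parse_usn_records(SAMPLE_JOURNAL):
        print(f'{rec["usn"]:#x} {rec["name"]:30} {rec["reason"]:35} {rec["attributes"]}')
```

The three proxy.log records come back as FILE_CREATE, DATA_EXTEND+FILE_CREATE and CLOSE+DATA_EXTEND+FILE_CREATE, the sequence a newly created and then appended log file leaves behind; the Prefetch entry carries the extra not_indexed attribute exactly as row 1 shows. Only version 2 records are handled here; a journal from a volume that writes USN_RECORD_V3 (128-bit reference numbers) needs a different header layout.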

- MFT

# Path Header Flag Validity
1 [Drive Name]:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf FILE ALLOCATED
2 [Drive Name]:\[Path to Tool]\proxy.log FILE ALLOCATED

- Prefetch

# Prefetch File Process Name Process Path Information That Can Be Confirmed
1 C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf [Executable File Name of Tool] [Path to Tool] Last Run Time (last execution date and time)

- Remarks