1 | Microsoft-Windows-Sysmon/Operational | Event ID 1 | Process Create (rule: ProcessCreate)
Process Create.
- LogonGuid/LogonId: ID of the logon session
- ParentProcessGuid/ParentProcessId: Process GUID/ID of the parent process
- ParentImage: Executable file of the parent process
- CommandLine: Command line of the executed command ([Executable File of Tool] [Executable File Executed with Escalated Privileges])
- IntegrityLevel: Integrity level (Medium)
- ParentCommandLine: Command line of the parent process
- UtcTime: Process execution date and time (UTC)
- ProcessGuid/ProcessId: Process GUID/ID
- User: Executing user (the non-privileged user who ran the tool)
- Hashes: Hash value of the executable file
- Image: Path to the executable file (executable file of the tool)

1 | Security | Event ID 4688 | Process Create
A new process has been created.
- Subject > Security ID/Account Name/Account Domain: SID, account name and domain of the non-privileged user who ran the tool
- Log Date and Time: Process execution date and time (local time)
- Process Information > New Process Name: Path to the executable file (executable file of the tool)
- Process Information > Token Elevation Type: UAC token type of the new process (1 = TokenElevationTypeDefault, displayed as %%1936: the account's default token, no UAC elevation)
- Process Information > New Process ID: Process ID (hexadecimal)
- Process Information > Source Process ID: Process ID of the parent process that created the new process ("Creator Process ID" in Windows 7)
- Subject > Logon ID: Logon session ID of the user who executed the process

2 | Microsoft-Windows-Sysmon/Operational | Event ID 1 | Process Create (rule: ProcessCreate)
Process Create.
- LogonGuid/LogonId: ID of the logon session
- ParentProcessGuid/ParentProcessId: Process GUID/ID of the parent process (the tool recorded in the immediately preceding Sysmon Event ID 1)
- ParentImage: Executable file of the parent process (the tool recorded in the immediately preceding Sysmon Event ID 1)
- CurrentDirectory: Working directory (path to the tool)
- CommandLine: Command line of the executed command (the "executable file executed with escalated privileges" part of the CommandLine in the immediately preceding Sysmon Event ID 1)
- IntegrityLevel: Integrity level (System)
- ParentCommandLine: Command line of the parent process (the CommandLine of the immediately preceding Sysmon Event ID 1)
- UtcTime: Process execution date and time (UTC)
- ProcessGuid/ProcessId: Process GUID/ID
- User: Executing user (NT AUTHORITY\SYSTEM)
- Hashes: Hash value of the executable file (hash of the "executable file executed with escalated privileges" named in the CommandLine of the immediately preceding Sysmon Event ID 1)
- Image: Path to the executable file (the "executable file executed with escalated privileges" named in the CommandLine of the immediately preceding Sysmon Event ID 1)

2 | Security | Event ID 4688 | Process Create
A new process has been created.
- Subject > Account Name: Account under which the new process runs (the computer account: host name followed by $)
- Log Date and Time: Process execution date and time (local time)
- Subject > Account Domain: Domain to which the account belongs (the domain the host is joined to)
- Process Information > New Process Name: Path to the executable file (the executable file executed with escalated privileges)
- Process Information > Token Elevation Type: UAC token type of the new process (1 = TokenElevationTypeDefault, displayed as %%1936; SYSTEM always receives its default token)
- Process Information > New Process ID: Process ID (hexadecimal)
- Subject > Security ID: SID of the account under which the new process runs (SYSTEM)
- Process Information > Source Process ID: Process ID of the parent process that created the new process ("Creator Process ID" in Windows 7); matches the New Process ID of the immediately preceding Event ID 4688
- Subject > Logon ID: Logon session ID of the account that executed the process

3 | Microsoft-Windows-Sysmon/Operational | Event ID 10 | Process accessed (rule: ProcessAccess)
Process accessed.
- SourceProcessGUID/SourceProcessId/SourceThreadId: Process GUID/ID and thread ID of the accessing process (the tool)
- TargetProcessGUID/TargetProcessId: Process GUID/ID of the accessed process (the executable file executed with escalated privileges)
- GrantedAccess: Access rights granted on the target process (0x1FFFFF, i.e. PROCESS_ALL_ACCESS)
- SourceImage: Path to the accessing process (executable file of the tool)
- TargetImage: Path to the accessed process (path to the executable file executed with escalated privileges)

4 | Microsoft-Windows-Sysmon/Operational | Event ID 11 | File created (rule: FileCreate)
File created.
- Image: Path to the executable file that created the file (C:\Windows\System32\svchost.exe, the service host that writes Prefetch files)
- ProcessGuid/ProcessId: Process GUID/ID
- TargetFilename: Created file (C:\Windows\Prefetch\[Executable File of Tool]-[HASH].pf; the 8-hex-digit suffix is a hash of the executable's path, not a random value, so it is constant for a given location)
- CreationUtcTime: File creation date and time (UTC)

4 | Security | Event ID 4656/4663 | File System
A handle to an object was requested. / An attempt was made to access an object. (Recorded only when Audit File System is enabled and a SACL covers C:\Windows\Prefetch.)
- Process Information > Process ID: Process ID (hexadecimal)
- Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File of Tool]-[HASH].pf)
- Subject > Account Name: Account under which the accessing process runs
- Access Request Information > Accesses: Access rights requested on the file
- Subject > Account Domain: Domain to which the account belongs
- Process Information > Process Name: Process that requested the handle/accessed the object (C:\Windows\System32\svchost.exe)
- Subject > Security ID: SID of the account under which the accessing process runs
- Subject > Logon ID: Logon session ID of that account
- Object > Handle ID: ID of the handle involved

5 | Microsoft-Windows-Sysmon/Operational | Event ID 5 | Process terminated (rule: ProcessTerminate)
Process terminated.
- UtcTime: Process termination date and time (UTC)
- ProcessGuid/ProcessId: Process GUID/ID
- Image: Path to the executable file (executable file of the tool)

5 | Security | Event ID 4689 | Process Termination
A process has exited.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Account Name: Name of the account that executed the tool (the computer account: host name followed by $)
- Log Date and Time: Process termination date and time (local time)
- Subject > Account Domain: Domain to which the account belongs (the domain the host is joined to)
- Process Information > Process Name: Path to the executable file (executable file of the tool)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Subject > Logon ID: Logon session ID of the user who executed the process
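
The first three Sysmon records in the table can be joined on ProcessGuid into a single detection: an Event ID 1 for a Medium-integrity process, a second Event ID 1 whose ParentProcessGuid is that process and whose IntegrityLevel is System, and an Event ID 10 from the parent to that child with GrantedAccess 0x1FFFFF. The following is an added example, not part of the original table or of any tool it describes. It parses Sysmon events in Windows EventLog XML form and reports every Low/Medium-integrity parent that spawned a System-integrity child, noting whether the parent also opened that child with PROCESS_ALL_ACCESS; it also includes the hex-to-decimal conversion needed to join Security 4688/4689 process IDs to Sysmon ones. The sample events, GUIDs, PIDs, paths and account names are constructed for illustration.

```python
"""Correlate the table's Sysmon records into one finding: Event ID 1 (tool, Medium)
-> Event ID 1 (child, System, parent = tool) -> Event ID 10 (tool opens that child
with GrantedAccess 0x1FFFFF). Added example, not from the original table or any tool
it describes; the events below are constructed and their GUIDs, PIDs, paths and
account names are assumptions, not real telemetry."""
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PROCESS_ALL_ACCESS = 0x1FFFFF      # the GrantedAccess value in the table's Event ID 10
ELEVATED = {"System"}              # IntegrityLevel of the escalated child
NON_ELEVATED = {"Low", "Medium"}   # IntegrityLevel of a tool run by a normal user


def _sysmon_xml(event_id, **data):
    """Build a minimal Sysmon record in the Windows EventLog XML schema (sample data
    only; values are not XML-escaped, so keep them free of '&' and '<')."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVT_NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID>'
            '<Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed identifiers for the sample chain (assumptions)
TOOL = r"C:\Users\user01\Desktop\tool.exe"
CHILD = r"C:\Windows\System32\cmd.exe"
TOOL_GUID = "{11111111-0000-4000-8000-000000000001}"
CHILD_GUID = "{11111111-0000-4000-8000-000000000002}"
SERVICES_GUID = "{11111111-0000-4000-8000-000000000003}"
SVCHOST_GUID = "{11111111-0000-4000-8000-000000000004}"

SAMPLE_EVENTS = [
    # Table row 1: a non-privileged user runs the tool, naming the executable to elevate
    _sysmon_xml(1, ProcessGuid=TOOL_GUID, ProcessId="4120", Image=TOOL,
                CommandLine=f"{TOOL} {CHILD}", IntegrityLevel="Medium",
                User=r"EXAMPLE\user01", ParentImage=r"C:\Windows\explorer.exe"),
    # Table row 2: the tool spawns that executable as NT AUTHORITY\SYSTEM
    _sysmon_xml(1, ProcessGuid=CHILD_GUID, ProcessId="4388", Image=CHILD, CommandLine=CHILD,
                IntegrityLevel="System", User=r"NT AUTHORITY\SYSTEM",
                ParentProcessGuid=TOOL_GUID, ParentImage=TOOL, ParentCommandLine=f"{TOOL} {CHILD}"),
    # Table row 3: the tool opens its elevated child with PROCESS_ALL_ACCESS
    _sysmon_xml(10, SourceProcessGUID=TOOL_GUID, SourceProcessId="4120", SourceImage=TOOL,
                TargetProcessGUID=CHILD_GUID, TargetProcessId="4388", TargetImage=CHILD,
                GrantedAccess="0x1FFFFF"),
    # Benign noise: services.exe (System) starting svchost.exe (System) must not alert
    _sysmon_xml(1, ProcessGuid=SERVICES_GUID, ProcessId="620",
                Image=r"C:\Windows\System32\services.exe", IntegrityLevel="System"),
    _sysmon_xml(1, ProcessGuid=SVCHOST_GUID, ProcessId="1012", ParentProcessGuid=SERVICES_GUID,
                Image=r"C:\Windows\System32\svchost.exe", IntegrityLevel="System"),
]


def parse_event(xml_text):
    """Flatten one EventLog XML record into {'EventID': int, <Data Name>: text, ...}."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=EVT_NS))}
    for d in root.findall("e:EventData/e:Data", EVT_NS):
        rec[d.get("Name")] = d.text or ""
    return rec


def find_escalation_chains(events):
    """Return one finding per System-integrity child whose parent (joined on
    ParentProcessGuid -> ProcessGuid) ran at Low/Medium integrity. Each finding also
    records whether that parent opened the child with PROCESS_ALL_ACCESS (Event ID 10)."""
    creates = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    full_access = {(e["SourceProcessGUID"], e["TargetProcessGUID"]) for e in events
                   if e["EventID"] == 10 and int(e["GrantedAccess"], 16) == PROCESS_ALL_ACCESS}
    findings = []
    for child in creates.values():
        parent = creates.get(child.get("ParentProcessGuid"))
        if parent is None:   # parent started before Sysmon (or no GUID): cannot judge the jump
            continue
        if child.get("IntegrityLevel") in ELEVATED and parent.get("IntegrityLevel") in NON_ELEVATED:
            findings.append({
                "user": parent.get("User"), "tool": parent["Image"],
                "tool_pid": int(parent["ProcessId"]), "command_line": parent.get("CommandLine"),
                "elevated_image": child["Image"], "elevated_pid": int(child["ProcessId"]),
                "elevated_user": child.get("User"),
                "opened_with_all_access": (parent["ProcessGuid"], child["ProcessGuid"]) in full_access,
            })
    return findings


def security_pid(hex_pid):
    """Security 4688/4689 log 'New Process ID' / 'Process ID' in hex (e.g. '0x1118');
    convert it to the decimal ProcessId Sysmon uses so the two logs can be joined."""
    return int(hex_pid, 16)


if __name__ == "__main__":
    for finding in find_escalation_chains([parse_event(x) for x in SAMPLE_EVENTS]):
        print(finding)
```

The rule deliberately keys on the integrity jump between parent and child rather than on the tool's file name or hash, since those change between builds; the Event ID 10 match is recorded as a separate boolean so a chain without the full-access open still surfaces for triage. A child whose parent has no Event ID 1 (typically a process that started before Sysmon) is skipped rather than flagged, which is the gap a practitioner should close with a boot-time baseline.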