1 |
Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (high port on the source host)
- Network Information > Source Port: Source port number (445)
- Network Information > Destination Address: Destination IP address (source host IP address; in an inbound 5156 event the Destination fields describe the remote peer)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process (System)
- Network Information > Direction: Communication direction (inbound)
- Network Information > Source Address: Source IP address (destination host IP address; in an inbound 5156 event the Source fields describe the local side that accepted the connection, which is why Source Port is 445)
- Application Information > Process ID: Process ID (4)
|
2 |
Security |
4776 |
Credential Validation |
The computer attempted to validate the credentials for an account (recorded on the destination host itself for a local account, or on the domain controller for a domain account).
- Authentication Package: Package used for authentication (MICROSOFT_AUTHENTICATION_PACKAGE_V1_0)
- Logon Account: Account used (account specified when the tool is executed at the source)
- Source Workstation: Host that requested account validation (source host name)
- Error Code: Execution result (0x0)
|
Security |
4672 |
Special Logon |
Special privileges assigned to new logon.
- Privileges: Assigned special privileges
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Subject > Logon ID: Session ID of the user who executed the process
|
Security |
4624 |
Logon |
An account was successfully logged on.
- Process Information > Process ID: Process ID (hexadecimal) (0x0)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (NULL SID)
- New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
- Detailed Authentication Information > Logon Process: Process used for logon (NtLmSsp)
- Network Information > Source Port: Source port number (matches the Destination Port of the immediately preceding Event ID 5156 for 445/tcp)
- New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on (account specified when the tool is executed at the source)
- Logon Type: Logon path, method, etc. (3=Network)
- Network Information > Workstation Name: Name of the host that requested the logon (source host name)
- Process Information > Process Name: Path to the executable file (-)
- Detailed Authentication Information > Authentication Package: Authentication package used (NTLM)
- Network Information > Source Network Address: IP address that requested the logon (source host IP address)
- Subject > Logon ID: Session ID of the user who executed the authentication (0x0)
|
3 |
Security |
5140 |
File Sharing |
A network share object was accessed.
- Network Information > Source Port: Source port number (matches the Destination Port of the immediately preceding Event ID 5156 for 445/tcp)
- Shared Information > Share Path: Share path (\??\C:\Windows)
- Access Request Information > Access: Requested privileges (ReadData or ListDirectory)
- Shared Information > Share Name: Share name used (\\*\ADMIN$)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Network Information > Source Address: Source IP address (source host IP address)
- Subject > Logon ID: Session ID of the user who executed the process
|
4 |
Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the executable file (System)
- ProcessGuid/ProcessId: Process ID (4)
- TargetFilename: Created file (C:\Windows\System32\DumpSvc.exe)
- CreationUtcTime: File creation date and time (UTC)
|
Security |
5145 |
Detailed File Share |
A network share object was checked to see whether the client can be granted the desired access.
- Network Information > Source Port: Source port number (matches the Destination Port of the immediately preceding Event ID 5156 for 445/tcp)
- Network Information > Object Type: Type of the object accessed (File)
- Shared Information > Share Path: Share path (\??\C:\Windows)
- Access Request Information > Access: Requested privileges (including WriteData or AddFile, and DELETE)
- Shared Information > Share Name: Share name (\\*\ADMIN$)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Shared Information > Relative Target Name: Relative target name from the share path (system32\DumpSvc.exe)
- Network Information > Source Address: Source IP address (source host IP address)
- Subject > Logon ID: Session ID of the user who executed the process
|
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal) (0x4)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and WriteAttributes)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Object > Object Name: Target file name (C:\Windows\System32\DumpSvc.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal) (0x4)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, WriteAttributes)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Object > Object Name: Target file name (C:\Windows\System32\DumpSvc.exe)
- Audit Success: Success or failure (access successful)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal) (0x4)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
|
5 |
Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the executable file (System)
- ProcessGuid/ProcessId: Process ID (4)
- TargetFilename: Created file (C:\Windows\System32\DumpExt.dll)
- CreationUtcTime: File creation date and time (UTC)
|
Security |
5145 |
Detailed File Share |
A network share object was checked to see whether the client can be granted the desired access.
- Network Information > Source Port: Source port number (matches the Destination Port of the immediately preceding Event ID 5156 for 445/tcp)
- Network Information > Object Type: Type of the object accessed (File)
- Shared Information > Share Path: Share path (\??\C:\Windows)
- Access Request Information > Access: Requested privileges (including WriteData or AddFile, and DELETE)
- Shared Information > Share Name: Share name (\\*\ADMIN$)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Shared Information > Relative Target Name: Relative target name from the share path (system32\DumpExt.dll)
- Network Information > Source Address: Source IP address (source host IP address)
- Subject > Logon ID: Session ID of the user who executed the process
|
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal) (0x4)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and WriteAttributes)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Object > Object Name: Target file name (C:\Windows\System32\DumpExt.dll)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal) (0x4)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, WriteAttributes)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Object > Object Name: Target file name (C:\Windows\System32\DumpExt.dll)
- Audit Success: Success or failure (access successful)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal) (0x4)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
|
6 |
Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (high port on the source host)
- Network Information > Source Port: Source port number (135)
- Network Information > Destination Address: Destination IP address (source host IP address; in an inbound 5156 event the Destination fields describe the remote peer)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe, hosting the RPC endpoint mapper)
- Network Information > Direction: Communication direction (inbound)
- Network Information > Source Address: Source IP address (destination host IP address; in an inbound 5156 event the Source fields describe the local side that accepted the connection)
- Application Information > Process ID: Process ID
|
7 |
Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (high port on the source host)
- Network Information > Source Port: Source port number (high port; the RPC endpoint of the Service Control Manager, used for the remote service installation in step 8)
- Network Information > Destination Address: Destination IP address (source host IP address; in an inbound 5156 event the Destination fields describe the remote peer)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\services.exe)
- Network Information > Direction: Communication direction (inbound)
- Network Information > Source Address: Source IP address (destination host IP address; in an inbound 5156 event the Source fields describe the local side that accepted the connection)
- Application Information > Process ID: Process ID
|
8 |
System |
7045 |
A service was installed in the system. |
A service was installed.
- Service Start Type: How the service is started (demand start)
- Service Account: Executing account (LocalSystem)
- Service Type: Type of the service to be executed (user mode service)
- Service Name: Name displayed in the service list (PWDumpX Service)
- Service File Name: Service executable file (%windir%\system32\DumpSvc.exe)
|
System |
7036 |
Service Control Manager |
The [Service Name] service entered the [Status] state.
- Status: State after the transition (Running)
- Service Name: Target service name (PWDumpX Service)
|
Microsoft-Windows-Sysmon/Operational |
12 |
Registry object added or deleted (rule: RegistryEvent) |
Registry object added or deleted.
- EventType: Operation type (CreateKey)
- Image: Path to the executable file (C:\Windows\system32\services.exe)
- ProcessGuid/ProcessId: Process ID
- TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX)
|
Microsoft-Windows-Sysmon/Operational |
13 |
Registry value set (rule: RegistryEvent) |
Registry value set.
- EventType: Operation type (SetValue)
- Image: Path to the executable file (C:\Windows\system32\services.exe)
- ProcessGuid/ProcessId: Process ID
- Details: Setting value written to the registry (DWORD:0x00000010)
- TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\Type)
|
Microsoft-Windows-Sysmon/Operational |
13 |
Registry value set (rule: RegistryEvent) |
Registry value set.
- EventType: Operation type (SetValue)
- Image: Path to the executable file (C:\Windows\system32\services.exe)
- ProcessGuid/ProcessId: Process ID
- Details: Setting value written to the registry (DWORD:0x00000003)
- TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\Start)
|
Microsoft-Windows-Sysmon/Operational |
13 |
Registry value set (rule: RegistryEvent) |
Registry value set.
- EventType: Operation type (SetValue)
- Image: Path to the executable file (C:\Windows\system32\services.exe)
- ProcessGuid/ProcessId: Process ID
- Details: Setting value written to the registry (DWORD:0x00000000)
- TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\ErrorControl)
|
Microsoft-Windows-Sysmon/Operational |
13 |
Registry value set (rule: RegistryEvent) |
Registry value set.
- EventType: Operation type (SetValue)
- Image: Path to the executable file (C:\Windows\system32\services.exe)
- ProcessGuid/ProcessId: Process ID
- Details: Setting value written to the registry (%windir%\system32\DumpSvc.exe)
- TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\ImagePath)
|
Microsoft-Windows-Sysmon/Operational |
13 |
Registry value set (rule: RegistryEvent) |
Registry value set.
- EventType: Operation type (SetValue)
- Image: Path to the executable file (C:\Windows\system32\services.exe)
- ProcessGuid/ProcessId: Process ID
- Details: Setting value written to the registry (PWDumpX Service)
- TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\DisplayName)
|
Microsoft-Windows-Sysmon/Operational |
13 |
Registry value set (rule: RegistryEvent) |
Registry value set.
- EventType: Operation type (SetValue)
- Image: Path to the executable file (C:\Windows\system32\services.exe)
- ProcessGuid/ProcessId: Process ID
- Details: Setting value written to the registry (LocalSystem)
- TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\ObjectName)
|
Security |
4674 |
Sensitive Privilege Use |
An operation was attempted on a privileged object.
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Object > Object Name: Name of the object to be processed (ServicesActive)
- Object > Object Server: Service that executed the process (SC Manager)
- Requested Operation > Desired Access: Requested access rights on the SCM (including creation of a new service)
- Process Information > Process Name: Path to the executable file (C:\Windows\System32\services.exe)
- Object > Object Type: Type of the object to be processed (SC_MANAGER_OBJECT)
- Subject > Logon ID: Session ID of the user who executed the process
|
Microsoft-Windows-Sysmon/Operational |
1 |
Process Create (rule: ProcessCreate) |
Process Create.
- LogonGuid/LogonId: ID of the logon session
- ParentProcessGuid/ParentProcessId: Process ID of the parent process
- ParentImage: Executable file of the parent process (C:\Windows\System32\services.exe)
- CurrentDirectory: Work directory (C:\Windows\system32\)
- CommandLine: Command line of the execution command (C:\Windows\system32\DumpSvc.exe)
- IntegrityLevel: Privilege level (System)
- ParentCommandLine: Command line of the parent process (C:\Windows\System32\services.exe)
- UtcTime: Process execution date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\SYSTEM)
- Hashes: Hash value of the executable file
- Image: Path to the executable file (C:\Windows\System32\DumpSvc.exe)
|
Security |
4688 |
Process Create |
A new process has been created.
- Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
- Log Date and Time: Process execution date and time (local time)
- Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
- Process Information > New Process Name: Path to the executable file (C:\Windows\System32\DumpSvc.exe)
- Process Information > Token Elevation Type: Type of the token elevation (1 = TokenElevationTypeDefault, a full token with no UAC filtering, as expected for a LocalSystem service)
- Process Information > New Process ID: Process ID (hexadecimal)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
- Subject > Logon ID: Session ID of the user who executed the process
|
9 |
Microsoft-Windows-Sysmon/Operational |
10 |
Process accessed (rule: ProcessAccess) |
Process accessed.
- SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID and thread ID of the accessing process
- TargetProcessGUID/TargetProcessId: Process ID of the access destination process
- GrantedAccess: Details of the granted access (0x1FFFFF, 0x1400)
- SourceImage: Path to the access source process (C:\Windows\system32\services.exe)
- TargetImage: Path to the access destination process (C:\Windows\system32\DumpSvc.exe)
|
Microsoft-Windows-Sysmon/Operational |
10 |
Process accessed (rule: ProcessAccess) |
Process accessed.
- SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID and thread ID of the accessing process
- TargetProcessGUID/TargetProcessId: Process ID of the access destination process
- GrantedAccess: Details of the granted access (0x1410)
- SourceImage: Path to the access source process (C:\Windows\system32\DumpSvc.exe)
- TargetImage: Path to the access destination process (C:\Windows\system32\smss.exe)
|
Microsoft-Windows-Sysmon/Operational |
10 |
Process accessed (rule: ProcessAccess) |
Process accessed.
- SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID and thread ID of the accessing process
- TargetProcessGUID/TargetProcessId: Process ID of the access destination process
- GrantedAccess: Details of the granted access (0x1410)
- SourceImage: Path to the access source process (C:\Windows\system32\DumpSvc.exe)
- TargetImage: Path to the access destination process (C:\Windows\system32\csrss.exe)
|
Microsoft-Windows-Sysmon/Operational |
10 |
Process accessed (rule: ProcessAccess) |
Process accessed.
- SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID and thread ID of the accessing process
- TargetProcessGUID/TargetProcessId: Process ID of the access destination process
- GrantedAccess: Details of the granted access (0x1410)
- SourceImage: Path to the access source process (C:\Windows\system32\DumpSvc.exe)
- TargetImage: Path to the access destination process (C:\Windows\system32\wininit.exe)
|
Microsoft-Windows-Sysmon/Operational |
10 |
Process accessed (rule: ProcessAccess) |
Process accessed.
- SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID and thread ID of the accessing process
- TargetProcessGUID/TargetProcessId: Process ID of the access destination process
- GrantedAccess: Details of the granted access (0x1410)
- SourceImage: Path to the access source process (C:\Windows\system32\DumpSvc.exe)
- TargetImage: Path to the access destination process (C:\Windows\system32\winlogon.exe)
|
Microsoft-Windows-Sysmon/Operational |
10 |
Process accessed (rule: ProcessAccess) |
Process accessed.
- SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID and thread ID of the accessing process
- TargetProcessGUID/TargetProcessId: Process ID of the access destination process
- GrantedAccess: Details of the granted access (0x1410)
- SourceImage: Path to the access source process (C:\Windows\system32\DumpSvc.exe)
- TargetImage: Path to the access destination process (C:\Windows\system32\services.exe)
|
Microsoft-Windows-Sysmon/Operational |
10 |
Process accessed (rule: ProcessAccess) |
Process accessed.
- SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID and thread ID of the accessing process
- TargetProcessGUID/TargetProcessId: Process ID of the access destination process
- GrantedAccess: Details of the granted access (0x1410 = PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, the same rights used to enumerate the other processes above; 0x1F1FFF = full access, which includes the PROCESS_VM_WRITE and PROCESS_CREATE_THREAD rights needed for the remote thread in the next event)
- SourceImage: Path to the access source process (C:\Windows\system32\DumpSvc.exe)
- TargetImage: Path to the access destination process (C:\Windows\system32\lsass.exe)
|
Microsoft-Windows-Sysmon/Operational |
8 |
CreateRemoteThread detected (rule: CreateRemoteThread) |
CreateRemoteThread detected.
- NewThreadId: Thread ID of the new thread
- TargetProcessGuid/TargetProcessId: Process ID of the destination process
- TargetImage: Path to the creation destination process (C:\Windows\System32\lsass.exe)
- UtcTime: Execution date and time (UTC)
- SourceImage: Path to the creation source process (C:\Windows\System32\DumpSvc.exe)
- SourceProcessGuid/SourceProcessId: Process ID of the source process
|
10 |
Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the executable file (C:\Windows\system32\lsass.exe; the file is written from inside lsass.exe by the thread injected in step 9, so DumpSvc.exe does not appear in the file events)
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file (C:\Windows\System32\PWHashes.txt)
- CreationUtcTime: File creation date and time (UTC)
|
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Object > Object Name: Target file name (C:\Windows\System32\PWHashes.txt)
- Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
- Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
- Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\lsass.exe)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the handle obtained (referenced by the following Event ID: 4663 and 4658)
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
- Audit Success: Success or failure (access successful)
- Object > Object Name: Target file name (C:\Windows\System32\PWHashes.txt)
- Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
- Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
- Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\lsass.exe)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
- Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
|
11 |
Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the executable file (C:\Windows\system32\lsass.exe)
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file (C:\Windows\System32\PWHashes.txt.Obfuscated)
- CreationUtcTime: File creation date and time (UTC)
|
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Object > Object Name: Target file name (C:\Windows\System32\PWHashes.txt.Obfuscated)
- Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
- Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
- Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\lsass.exe)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the handle obtained (referenced by the following Event ID: 4663 and 4658)
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
- Audit Success: Success or failure (access successful)
- Object > Object Name: Target file name (C:\Windows\System32\PWHashes.txt.Obfuscated)
- Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
- Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
- Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\lsass.exe)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
- Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
|
12 |
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
- Object > Object Name: Target file name (C:\Windows\System32\PWHashes.txt.Obfuscated)
- Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
- Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
- Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\lsass.exe)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the handle obtained (referenced by the following Event ID: 4663, 4660 and 4658)
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
- Audit Success: Success or failure (access successful)
- Object > Object Name: Target file name (C:\Windows\System32\PWHashes.txt.Obfuscated)
- Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
- Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
- Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\lsass.exe)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
|
Security |
4660 |
File System |
An object was deleted.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
- Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
- Process Information > Process Name: Name of the process that deleted the object (C:\Windows\System32\lsass.exe)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
- Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
|
13 |
Microsoft-Windows-Sysmon/Operational |
5 |
Process terminated (rule: ProcessTerminate) |
Process terminated.
- UtcTime: Process terminated date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- Image: Path to the executable file (C:\Windows\System32\DumpSvc.exe)
|
Security |
4689 |
Process Termination |
A process has exited.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Exit Status: Process return value (0x0)
- Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
- Log Date and Time: Process terminated date and time (local time)
- Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
- Process Information > Process Name: Path to the executable file (C:\Windows\System32\DumpSvc.exe)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Subject > Logon ID: Session ID of the user who executed the process
|
14 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (source host IP address)
- Image: Path to the executable file (System)
- DestinationHostname: Destination host name (source host name)
- ProcessGuid/ProcessId: Process ID (4)
- User: Execute as user (NT AUTHORITY\SYSTEM)
- DestinationPort: Destination port number (high port)
- SourcePort: Source port number (445)
- SourceHostname: Source host name (destination host name)
- SourceIp: Source IP address (destination host IP address)
|
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (source host IP address)
- Image: Path to the executable file (System)
- DestinationHostname: Destination host name (source host name)
- ProcessGuid/ProcessId: Process ID (4)
- User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
- DestinationPort: Destination port number (high port)
- SourcePort: Source port number (135)
- SourceHostname: Source host name (destination host name)
- SourceIp: Source IP address (destination host IP address)
|
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (source host IP address)
- Image: Path to the executable file (System)
- DestinationHostname: Destination host name (source host name)
- ProcessGuid/ProcessId: Process ID (4)
- User: Execute as user (NT AUTHORITY\SYSTEM)
- DestinationPort: Destination port number (high port)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name (destination host name)
- SourceIp: Source IP address (destination host IP address)
|
15 |
System |
7036 |
Service Control Manager |
The [Service Name] service entered the [Status] state.
- Status: State after the transition (Stopped)
- Service Name: Target service name (PWDumpX Service)
|
Microsoft-Windows-Sysmon/Operational |
13 |
Registry value set (rule: RegistryEvent) |
Registry value set.
- EventType: Process type (SetValue)
- Image: Path to the executable file (C:\Windows\system32\services.exe)
- ProcessGuid/ProcessId: Process ID
- Details: Setting value written to the registry (DWORD:0x00000001)
- TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\DeleteFlag)
|
Microsoft-Windows-Sysmon/Operational |
13 |
Registry value set (rule: RegistryEvent) |
Registry value set.
- EventType: Process type (SetValue)
- Image: Path to the executable file (C:\Windows\system32\services.exe)
- ProcessGuid/ProcessId: Process ID
- Details: Setting value written to the registry (DWORD:0x00000004)
- TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\Start)
|
Microsoft-Windows-Sysmon/Operational |
12 |
Registry object added or deleted (rule: RegistryEvent) |
Registry object added or deleted.
- EventType: Process type (DeleteKey)
- Image: Path to the executable file (C:\Windows\system32\services.exe)
- ProcessGuid/ProcessId: Process ID
- TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX)
|
16 |
Security |
5145 |
Detailed File Share |
A network share object was checked to see whether client can be granted desired access.
- Network Information > Source Port: Source port number ("destination port" in the Event ID: 5156 via immediately prior 445/tcp)
- Network Information > Object Type: Type of the created object (File)
- Shared Information > Share Path: Share path (\??\C:\Windows)
- Access Request Information > Access: Requested privileges (including ReadData or ListDirectory, ReadEA, and ReadAttributes)
- Shared Information > Share Name: Share name (\\*\ADMIN$)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Shared Information > Relative Target Name: Relative target name from the share path (system32\PWHashes.txt)
- Network Information > Source Address: Source IP address (source host IP address)
- Subject > Logon ID: Session ID of the user who executed the process
|
17 |
Security |
5145 |
Detailed File Share |
A network share object was checked to see whether client can be granted desired access.
- Network Information > Source Port: Source port number ("destination port" in the Event ID: 5156 via immediately prior 445/tcp)
- Network Information > Object Type: Type of the created object (File)
- Shared Information > Share Path: Share path (\??\C:\Windows)
- Access Request Information > Access: Requested privilege (including DELETE)
- Shared Information > Share Name: Share name (\\*\ADMIN$)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Shared Information > Relative Target Name: Relative target name from the share path (system32\PWHashes.txt)
- Network Information > Source Address: Source IP address (source host IP address)
- Subject > Logon ID: Session ID of the user who executed the process
|
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal) (0x4)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Object > Object Name: Target file name (C:\Windows\System32\PWHashes.txt)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal) (0x4)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Object > Object Name: Target file name (C:\Windows\System32\PWHashes.txt)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
|
Security |
4660 |
File System |
An object was deleted.
- Process Information > Process ID: Process ID (hexadecimal) (0x4)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal) (0x4)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
|
18 |
Security |
5145 |
Detailed File Share |
A network share object was checked to see whether client can be granted desired access.
- Network Information > Source Port: Source port number ("destination port" in the Event ID: 5156 via immediately prior 445/tcp)
- Network Information > Object Type: Type of the created object (File)
- Shared Information > Share Path: Share path (\??\C:\Windows)
- Access Request Information > Access: Requested privilege (including DELETE)
- Shared Information > Share Name: Share name (\\*\ADMIN$)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Shared Information > Relative Target Name: Relative target name from the share path (system32\DumpExt.dll)
- Network Information > Source Address: Source IP address (source host IP address)
- Subject > Logon ID: Session ID of the user who executed the process
|
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal) (0x4)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Object > Object Name: Target file name (C:\Windows\System32\DumpExt.dll)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal) (0x4)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Object > Object Name: Target file name (C:\Windows\System32\DumpExt.dll)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
|
Security |
4660 |
File System |
An object was deleted.
- Process Information > Process ID: Process ID (hexadecimal) (0x4)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal) (0x4)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
|
19 |
Security |
5145 |
Detailed File Share |
A network share object was checked to see whether client can be granted desired access.
- Network Information > Source Port: Source port number ("destination port" in the Event ID: 5156 via immediately prior 445/tcp)
- Network Information > Object Type: Type of the created object (File)
- Shared Information > Share Path: Share path (\??\C:\Windows)
- Access Request Information > Access: Requested privilege (including DELETE)
- Shared Information > Share Name: Share name (\\*\ADMIN$)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Shared Information > Relative Target Name: Relative target name from the share path (system32\DumpSvc.exe)
- Network Information > Source Address: Source IP address (source host IP address)
- Subject > Logon ID: Session ID of the user who executed the process
|
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal) (0x4)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Object > Object Name: Target file name (C:\Windows\System32\DumpSvc.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal) (0x4)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Object > Object Name: Target file name (C:\Windows\System32\DumpSvc.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
|
Security |
4660 |
File System |
An object was deleted.
- Process Information > Process ID: Process ID (hexadecimal) (0x4)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal) (0x4)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
|
20 |
Security |
4634 |
Logoff |
An account was logged off.
- Logon Type: Logon path, method, etc. (3=Network)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
- Subject > Logon ID: Session ID of the user who executed the authentication (logon ID recorded in the prior Event ID: 4624)
|
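The clean-up trace in steps 15 through 19 (PWDumpX Service stopped, DeleteFlag set under its service key, and PWHashes.txt, DumpExt.dll and DumpSvc.exe deleted over ADMIN$ from the same source) is what a defender would correlate. The following is an added example, not part of the original sheet: it runs that correlation over constructed events whose keys mirror the table's field names, and assumes the 5145 Access field is rendered as text containing DELETE rather than as a raw access mask.

```python
"""Correlate the PWDumpX clean-up trace (steps 15-19 above) on the destination host.
Added example, not part of the original sheet: events are constructed inline as
dicts whose keys mirror the table's field names; no real EVTX parsing is done.
"""
from collections import defaultdict

# Artefacts the sheet attributes to PWDumpX on the destination host.
PWDUMPX_FILES = {"system32\\pwhashes.txt", "system32\\dumpext.dll", "system32\\dumpsvc.exe"}
PWDUMPX_SERVICE = "PWDumpX Service"
PWDUMPX_DELETEFLAG = "\\services\\pwdumpx\\deleteflag"
ADMIN_SHARE = "\\\\*\\ADMIN$"
SYSMON = "Microsoft-Windows-Sysmon/Operational"


def correlate_pwdumpx(events):
    """Return [(source_ip, evidence)] for sources that removed all three PWDumpX
    files over ADMIN$ while the service was stopped and its key flagged for deletion."""
    files_by_src = defaultdict(set)
    host = {"service_stopped": False, "deleteflag_set": False}
    for ev in events:
        ch, eid = ev["Channel"], ev["EventID"]
        if ch == "Security" and eid == 5145 and ev.get("ShareName") == ADMIN_SHARE:
            target = ev.get("RelativeTargetName", "").lower()
            # Assumption: Access is rendered as text (the sheet says "including DELETE").
            if target in PWDUMPX_FILES and "DELETE" in ev.get("Access", ""):
                files_by_src[ev["SourceAddress"]].add(target)
        elif ch == "System" and eid == 7036:
            if ev.get("ServiceName") == PWDUMPX_SERVICE and ev.get("Status") == "Stopped":
                host["service_stopped"] = True
        elif ch == SYSMON and eid == 13:
            if ev.get("TargetObject", "").lower().endswith(PWDUMPX_DELETEFLAG):
                host["deleteflag_set"] = True
    return [(src, {"files": sorted(files), **host})
            for src, files in files_by_src.items()
            if files == PWDUMPX_FILES and all(host.values())]


# Constructed sample: one source removes all three files, another only one of them.
SAMPLE_EVENTS = [
    {"Channel": "System", "EventID": 7036, "ServiceName": PWDUMPX_SERVICE, "Status": "Stopped"},
    {"Channel": SYSMON, "EventID": 13, "Image": "C:\\Windows\\system32\\services.exe",
     "TargetObject": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\PWDumpX\\DeleteFlag"},
] + [
    {"Channel": "Security", "EventID": 5145, "ShareName": ADMIN_SHARE, "Access": "DELETE",
     "SourceAddress": "192.0.2.10", "RelativeTargetName": name}
    for name in ("system32\\PWHashes.txt", "system32\\DumpExt.dll", "system32\\DumpSvc.exe")
] + [
    {"Channel": "Security", "EventID": 5145, "ShareName": ADMIN_SHARE, "Access": "DELETE",
     "SourceAddress": "192.0.2.77", "RelativeTargetName": "system32\\DumpSvc.exe"},
]
```

A source that deleted only one of the three files, or a host where the service stop and DeleteFlag write are absent, does not produce a hit, which keeps the rule tied to the full sequence the sheet describes.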