PWDumpX

- Tool Overview

Category: Password and Hash Dump
Description: Acquires a password hash from a remote host.
Example of Presumed Tool Use During an Attack: This tool is used to log on to other hosts using acquired hash information.

- Tool Operation Overview

Item                   | Source Host        | Destination Host
OS                     | Windows            | Windows
Belonging to Domain    | Not required       | Not required
Rights                 | Standard user      | Administrator
Communication Protocol | 135/tcp, 445/tcp   | 135/tcp, 445/tcp

- Information Acquired from Log

Standard Settings
  • Source host
    • Execution history (Prefetch)
  • Destination Host
    • Execution history (Prefetch)
    • Installation and execution of the PWDumpX service (system log)
Additional Settings
  • Source host
    • Execution history (audit policy, Sysmon)
    • Creation of the file "[Destination Address]-PWHashes.txt", in which the results will be recorded (audit policy)
  • Destination Host
    • Execution history (audit policy, Sysmon)
    • Sending and execution of the PWDumpX service from the source host to the destination host (audit policy)
    • Creation of a file for storing hash information (audit policy)

- Evidence That Can Be Confirmed When Execution is Successful

- Main Information Recorded at Execution

- Source Host

Event log

# | Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • CommandLine: Command line of the execution command (Command line. The destination host and the account/password used can be confirmed.)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the tool)
  • User: Execute as user
2 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (name of the account that executed the tool)
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (source host)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (destination port: 135)
3 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (source host)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (destination port: 445)
4 | Security | 4663 | File System | An attempt was made to access an object.
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Process Name: Name of the process that closed the handle (path to the tool)
  • Object > Object Name: Target file name ([Current Directory]\[Destination]-PWHashes.txt)
5 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (source host)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (destination: high port)
6 | Security | 4689 | Process Termination | A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Exit Status: Process return value (0x0)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Process Name: Path to the executable file (path to the tool)

USN journal

# | File Name | Process
1 | [Destination]-PWHashes.txt | BASIC_INFO_CHANGE+DATA_EXTEND+DATA_OVERWRITE

MFT

# | Path | Header Flag | Validity
1 | [Drive Name]:\[Path at Execution]\[Destination]-PWHashes.txt | FILE | ALLOCATED

Prefetch

- Destination Host

Event log

# | Log | Event ID | Task Category | Event Details
1 | Security | 5145 | Detailed File Share | A network share object was checked to see whether the client can be granted the desired access.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Shared Information > Share Path: Share path (\??\C:\Windows)
  • Access Request Information > Access: Requested privileges (including ReadData or ListDirectory, ReadEA, and ReadAttributes)
  • Shared Information > Share Name: Share name (\\*\ADMIN$)
  • Shared Information > Relative Target Name: Relative target name from the share path (system32\PWHashes.txt)
  • Network Information > Source Address: Source IP address (source host IP address)
2 | System | 7036 | Service Control Manager | The [Service Name] service entered the [Status] state.
  • Status: State after the transition (Stopped)
  • Service Name: Target service name (PWDumpX Service)
3 | Security | 4663 | File System | An attempt was made to access an object.
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Object > Object Name: Target file name (C:\Windows\System32\[PWHashes.txt, DumpExt.dll, DumpSvc.exe])
4 | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (445)
  • Network Information > Destination Address: Destination IP address (destination host IP address)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (source host IP address)
5 | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host IP address)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (source host IP address)
6 | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (135)
  • Network Information > Destination Address: Destination IP address (destination host IP address)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (source host IP address)
7 | System | 7036 | Service Control Manager | The [Service Name] service entered the [Status] state.
  • Status: State after transition (Running)
  • Service Name: Target service name (PWDumpX Service)
8 | Security | 5145 | Detailed File Share | A network share object was checked to see whether the client can be granted the desired access.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Shared Information > Share Path: Share path (\??\C:\Windows)
  • Access Request Information > Access: Requested privileges (including WriteData or AddFile, and DELETE)
  • Shared Information > Share Name: Share name (\\*\ADMIN$)
  • Shared Information > Relative Target Name: Relative target name from the share path (system32\[DumpSvc.exe, DumpExt.dll])
  • Network Information > Source Address: Source IP address (source host IP address)
9 | Security | 4663 | File System | An attempt was made to access an object.
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
  • Object > Object Name: Target file name (C:\Windows\System32\[PWHashes.txt, PWHashes.txt.Obfuscated])
  • Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
  • Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
10 | Microsoft-Windows-Sysmon/Operational | 10 | Process accessed (rule: ProcessAccess) | Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access (0x1410, 0x1F1FFF)
  • SourceImage: Path to the access source process (C:\Windows\system32\DumpSvc.exe)
  • TargetImage: Path to the access destination process (C:\Windows\system32\lsass.exe, etc.)
11 | Security | 4689 | Process Termination | A process has exited.
  • Process Information > Exit Status: Process return value (0x0)
  • Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
  • Log Date and Time: Process terminated date and time (local time)
  • Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\DumpSvc.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
12 | Security | 4663 | File System | An attempt was made to access an object.
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
  • Object > Object Name: Target file name (C:\Windows\System32\PWHashes.txt.Obfuscated)
  • Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
  • Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)

USN journal

# | File Name | Process
1 | PWHashes.txt.Obfuscated | CLOSE+FILE_DELETE
2 | PWHashes.txt | CLOSE+FILE_DELETE
3 | DumpExt.dll | CLOSE+FILE_DELETE
4 | DumpSvc.exe | CLOSE+FILE_DELETE
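The destination-host artifacts above (ADMIN$ writes of DumpSvc.exe/DumpExt.dll, the PWDumpX Service state changes, DumpSvc.exe opening lsass.exe, retrieval of PWHashes.txt, and the DELETE cleanup) can be chained into one detection. The following Python is an added example, not part of the analysis sheet or of PWDumpX itself; it assumes events have already been parsed into dicts using the field names shown, attributes host-local events (7036, Sysmon 10, 4663) to the most recently seen 5145 source address (a simplifying assumption), and uses constructed sample events.

```python
"""Correlate PWDumpX destination-host artifacts into a single finding."""
from dataclasses import dataclass, field

# Names taken from the sheet: the service PWDumpX installs and the files
# it stages under ADMIN$ (system32\) on the destination host.
SERVICE_NAME = "PWDumpX Service"
STAGED_FILES = {"dumpsvc.exe", "dumpext.dll"}
RESULT_FILES = {"pwhashes.txt", "pwhashes.txt.obfuscated"}
ADMIN_SHARE = r"\\*\ADMIN$"


@dataclass
class Finding:
    source_address: str
    stages: list = field(default_factory=list)  # indicators that fired, in order

    @property
    def score(self) -> int:
        """Number of distinct indicators seen for this source address."""
        return len(set(self.stages))


def _stage(ev):
    """Map one parsed event to the indicator it satisfies, or None."""
    log, eid = ev.get("log"), ev.get("event_id")
    if log == "Security" and eid == 5145 and ev.get("share_name") == ADMIN_SHARE:
        name = ev.get("relative_target_name", "").rsplit("\\", 1)[-1].lower()
        access = ev.get("access", "")
        if name in STAGED_FILES and "WriteData" in access:
            return "service_binary_staged_via_admin$"
        if name in RESULT_FILES and "ReadData" in access:
            return "hash_file_retrieved_via_admin$"
    if log == "System" and eid == 7036 and ev.get("service_name") == SERVICE_NAME:
        return "service_" + ev.get("status", "").lower()
    if log == "Microsoft-Windows-Sysmon/Operational" and eid == 10:
        src = ev.get("source_image", "").lower()
        tgt = ev.get("target_image", "").lower()
        if src.endswith("\\dumpsvc.exe") and tgt.endswith("\\lsass.exe"):
            return "dumpsvc_accessed_lsass"
    if log == "Security" and eid == 4663 and "DELETE" in ev.get("access", ""):
        name = ev.get("object_name", "").rsplit("\\", 1)[-1].lower()
        if name in STAGED_FILES | RESULT_FILES:
            return "cleanup_delete"
    return None


def correlate(events, min_score=3):
    """Group indicators by remote source address (from 5145 events).
    Assumption: host-local events are attributed to the last source address seen."""
    findings, current = {}, None
    for ev in events:
        stage = _stage(ev)
        if stage is None:
            continue
        current = ev.get("source_address", current)
        if current is None:
            continue
        findings.setdefault(current, Finding(current)).stages.append(stage)
    return [f for f in findings.values() if f.score >= min_score]


# Constructed sample events for this example (not real log data), in the
# order the sheet lists them for the destination host.
SAMPLE_EVENTS = [
    {"log": "Security", "event_id": 5145, "source_address": "192.0.2.10",
     "share_name": ADMIN_SHARE, "relative_target_name": r"system32\DumpSvc.exe",
     "access": "WriteData or AddFile, DELETE"},
    {"log": "Security", "event_id": 5145, "source_address": "192.0.2.10",
     "share_name": ADMIN_SHARE, "relative_target_name": r"system32\DumpExt.dll",
     "access": "WriteData or AddFile, DELETE"},
    {"log": "System", "event_id": 7036, "service_name": SERVICE_NAME, "status": "Running"},
    {"log": "Microsoft-Windows-Sysmon/Operational", "event_id": 10,
     "source_image": r"C:\Windows\system32\DumpSvc.exe",
     "target_image": r"C:\Windows\system32\lsass.exe", "granted_access": "0x1410"},
    {"log": "Security", "event_id": 5145, "source_address": "192.0.2.10",
     "share_name": ADMIN_SHARE, "relative_target_name": r"system32\PWHashes.txt",
     "access": "ReadData or ListDirectory, ReadEA, ReadAttributes"},
    {"log": "System", "event_id": 7036, "service_name": SERVICE_NAME, "status": "Stopped"},
    {"log": "Security", "event_id": 4663, "access": "DELETE",
     "object_name": r"C:\Windows\System32\DumpSvc.exe"},
    # Benign: another host copying an unrelated file to ADMIN$ must not alert.
    {"log": "Security", "event_id": 5145, "source_address": "192.0.2.20",
     "share_name": ADMIN_SHARE, "relative_target_name": r"Temp\notes.txt",
     "access": "WriteData or AddFile"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f.source_address, f.score, f.stages)
```

The same indicators can be fed from a SIEM query instead of the inline list; only the dict field names need to match.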

- Details: Source Host

- Event Log

# | Event Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command (Command line. The destination host and the account/password used can be confirmed.)
  • IntegrityLevel: Privilege level (High)
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (path to the tool)
1 | Security | 4688 | Process Create | A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation (Mandatory Label\High Mandatory Level)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (path to the tool)
  • Process Information > Token Escalation Type: Presence of privilege escalation (2)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
2 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (destination host IP address)
  • Image: Path to the executable file (path to the tool)
  • DestinationHostname: Destination host name (destination host name)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (445)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
2 | Security | 5158 | Filtering Platform Connection | The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID (4)
  • Application Information > Application Name: Execution process (System)
2 | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (445)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (target IP address)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (IP address of the source host)
  • Application Information > Process ID: Process ID (4)
3 | Security | 4648 | Logon | A logon was attempted using explicit credentials.
  • Account for which Credentials were Used > Account Name: Specified account name (account name specified as an option at tool execution)
  • Subject > Logon ID/Logon GUID: Session ID of the user who executed the authentication
  • Subject > Account Domain: Domain to which the account belongs
  • Target Server > Target Server Name: Logon destination host name (FQDN of the logon destination host)
  • Subject > Account Name: Name of the account that executed the tool (account name that executed the tool)
  • Subject > Security ID: SID of the user who executed the tool
  • Account for which Credentials were Used > Account Domain: Domain to which the specified account belongs (domain of the specified account or destination host name/IP address)
4 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (destination host IP address)
  • Image: Path to the executable file (path to the tool)
  • DestinationHostname: Destination host name (destination host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (name of the account that executed the tool)
  • DestinationPort: Destination port number (135)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
4 | Security | 5158 | Filtering Platform Connection | The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (path to the tool)
4 | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (135)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (path to the tool)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
5 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (destination host IP address)
  • Image: Path to the executable file (path to the tool)
  • DestinationHostname: Destination host name (destination host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
5 | Security | 5158 | Filtering Platform Connection | The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (path to the tool)
5 | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (path to the tool)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
6 | Microsoft-Windows-Sysmon/Operational | 11 | File created (rule: FileCreate) | File created.
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file ([Current Directory]\[Destination]-PWHashes.txt)
  • CreationUtcTime: File creation date and time (UTC)
6 | Security | 4656 | File System/Other Object Access Events | A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (execute as user)
  • Object > Object Name: Target file name ([Current Directory]\[Destination]-PWHashes.txt)
  • Process Information > Process Name: Name of the process that closed the handle (path to the tool)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
6 | Security | 4663 | File System | An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name ([Current Directory]\[Destination]-PWHashes.txt)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that closed the handle (path to the tool)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
6 | Security | 4658 | File System | The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (path to the tool)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
6 | Security | 4656 | File System/Other Object Access Events | A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteAttributes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name ([Current Directory]\[Destination]-PWHashes.txt)
  • Process Information > Process Name: Name of the process that closed the handle (path to the tool)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
6 | Security | 4663 | File System | An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteAttributes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name ([Current Directory]\[Destination]-PWHashes.txt)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that closed the handle (path to the tool)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
6 | Security | 4658 | File System | The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (path to the tool)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
7 | Microsoft-Windows-Sysmon/Operational | 11 | File created (rule: FileCreate) | File created.
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file ([Current Directory]\[Destination]-PWHashes.txt.Obfuscated)
  • CreationUtcTime: File creation date and time (UTC)
7 | Security | 4656 | File System/Other Object Access Events | A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name ([Current Directory]\[Destination]-PWHashes.txt.Obfuscated)
  • Process Information > Process Name: Name of the process that closed the handle (path to the tool)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
7 | Security | 4663 | File System | An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name ([Current Directory]\[Destination]-PWHashes.txt.Obfuscated)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that closed the handle (path to the tool)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
7 | Security | 4658 | File System | The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (path to the tool)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
8 | Security | 4656 | File System/Other Object Access Events | A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WRITE_DAC)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (execute as user)
  • Object > Object Name: Target file name ([Current Directory]\[Destination]-PWHashes.txt)
  • Process Information > Process Name: Name of the process that closed the handle (path to the tool)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
8 | Security | 4663 | File System | An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WRITE_DAC)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name ([Current Directory]\[Destination]-PWHashes.txt)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that closed the handle (path to the tool)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
8 | Security | 4670 | Authorization Policy Change | Permissions on an object were changed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Audit Success: Success or failure (change successful)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name ([Current Directory]\[Destination]-PWHashes.txt)
  • Change permissions > New security descriptor: Security descriptor after the change D:AI(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;[Another User SID])
  • Process Information > Process Name: Name of the process that closed the handle (path to the tool)
  • Change permissions > Original security descriptor: Security descriptor before the change D:(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;[User SID])
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
8 | Security | 4658 | File System | The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (path to the tool)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
9 | Security | 4656 | File System/Other Object Access Events | A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (including DELETE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (execute as user)
  • Object > Object Name: Target file name ([Current Directory]\[Destination]-PWHashes.txt.Obfuscated)
  • Process Information > Process Name: Name of the process that closed the handle (path to the tool)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
9 | Security | 4663 | File System | An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name ([Current Directory]\[Destination]-PWHashes.txt.Obfuscated)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that closed the handle (path to the tool)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
9 | Security | 4660 | File System | An object was deleted.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that closed the handle (tool executable file name)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
9 | Security | 4658 | File System | The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (path to the tool)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
10 | Security | 4673 | Sensitive Privilege Use | A privileged service was called.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process > Process ID: ID of the process that used the privilege
  • Subject > Logon ID: Session ID of the user who executed the process
  • Service Request Information > Privilege: Privileges used (SeTcbPrivilege)
  • Process > Process Name: Process that used the special privileges (tool executable file name)
11 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process termination date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the tool)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process termination date and time (local time)
  • Process Information > Process Name: Path to the executable file (path to the tool)
  • Subject > Logon ID: Session ID of the user who executed the process
12 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • CreationUtcTime: File creation date and time (UTC)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)

- USN Journal

# File Name Process Attribute
1 [Destination]-PWHashes.txt FILE_CREATE archive
[Destination]-PWHashes.txt CLOSE+FILE_CREATE archive
[Destination]-PWHashes.txt DATA_EXTEND archive
[Destination]-PWHashes.txt DATA_EXTEND+DATA_OVERWRITE archive
[Destination]-PWHashes.txt BASIC_INFO_CHANGE+DATA_EXTEND+DATA_OVERWRITE archive
2 [Destination]-PWHashes.txt.Obfuscated FILE_CREATE archive
[Destination]-PWHashes.txt.Obfuscated CLOSE+FILE_CREATE archive
[Destination]-PWHashes.txt.Obfuscated DATA_EXTEND archive
[Destination]-PWHashes.txt.Obfuscated CLOSE+DATA_EXTEND archive
3 [Destination]-PWHashes.txt DATA_TRUNCATION archive
[Destination]-PWHashes.txt DATA_TRUNCATION+SECURITY_CHANGE archive
[Destination]-PWHashes.txt DATA_EXTEND+DATA_TRUNCATION+SECURITY_CHANGE archive
[Destination]-PWHashes.txt DATA_EXTEND+DATA_OVERWRITE+DATA_TRUNCATION+SECURITY_CHANGE archive
[Destination]-PWHashes.txt CLOSE+DATA_EXTEND+DATA_OVERWRITE+DATA_TRUNCATION+SECURITY_CHANGE archive
4 [Destination]-PWHashes.txt.Obfuscated CLOSE+FILE_DELETE archive
5 [Executable File Name of Tool]-[RANDOM].pf FILE_CREATE archive+not_indexed
[Executable File Name of Tool]-[RANDOM].pf DATA_EXTEND+FILE_CREATE archive+not_indexed
[Executable File Name of Tool]-[RANDOM].pf CLOSE+DATA_EXTEND+FILE_CREATE archive+not_indexed

- MFT

# Path Header Flag Validity
1 [Drive Name]:\[Path at Execution]\[Destination]-PWHashes.txt FILE ALLOCATED
2 [Drive Name]:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf FILE ALLOCATED

- Prefetch

# Prefetch File Process Name Process Path Information That Can Be Confirmed
1 C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf [Executable File Name of Tool] \VOLUME{[GUID]}\[Path to Tool] Last Run Time (last execution date and time)
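As an added example that is not part of the original sheet, the following Python reconstructs per-file lifecycles from USN Journal records and flags the [Destination]-PWHashes.txt / .Obfuscated create, rewrite and delete sequence listed in the USN Journal table above. The records, the destination address 192.0.2.10, the tool executable name and the prefetch hash suffix are constructed placeholders.

```python
import re
from collections import OrderedDict

# Constructed USN Journal records modelled on the source-host table above.
# Real records also carry a USN, timestamp and file reference number; only the
# (file name, reason flags) pair is kept here. The destination address, the
# tool executable name and the prefetch hash suffix are placeholders.
USN_RECORDS = [
    ("192.0.2.10-PWHashes.txt", "FILE_CREATE"),
    ("192.0.2.10-PWHashes.txt", "CLOSE+FILE_CREATE"),
    ("192.0.2.10-PWHashes.txt", "DATA_EXTEND"),
    ("192.0.2.10-PWHashes.txt", "DATA_EXTEND+DATA_OVERWRITE"),
    ("192.0.2.10-PWHashes.txt", "BASIC_INFO_CHANGE+DATA_EXTEND+DATA_OVERWRITE"),
    ("192.0.2.10-PWHashes.txt.Obfuscated", "FILE_CREATE"),
    ("192.0.2.10-PWHashes.txt.Obfuscated", "CLOSE+FILE_CREATE"),
    ("192.0.2.10-PWHashes.txt.Obfuscated", "DATA_EXTEND"),
    ("192.0.2.10-PWHashes.txt.Obfuscated", "CLOSE+DATA_EXTEND"),
    ("192.0.2.10-PWHashes.txt", "DATA_TRUNCATION"),
    ("192.0.2.10-PWHashes.txt", "DATA_TRUNCATION+SECURITY_CHANGE"),
    ("192.0.2.10-PWHashes.txt", "DATA_EXTEND+DATA_TRUNCATION+SECURITY_CHANGE"),
    ("192.0.2.10-PWHashes.txt", "DATA_EXTEND+DATA_OVERWRITE+DATA_TRUNCATION+SECURITY_CHANGE"),
    ("192.0.2.10-PWHashes.txt", "CLOSE+DATA_EXTEND+DATA_OVERWRITE+DATA_TRUNCATION+SECURITY_CHANGE"),
    ("192.0.2.10-PWHashes.txt.Obfuscated", "CLOSE+FILE_DELETE"),
    ("PWDUMPX.EXE-12345678.pf", "FILE_CREATE"),          # constructed prefetch name
    ("PWDUMPX.EXE-12345678.pf", "DATA_EXTEND+FILE_CREATE"),
    ("PWDUMPX.EXE-12345678.pf", "CLOSE+DATA_EXTEND+FILE_CREATE"),
    ("notes.txt", "FILE_CREATE"),                         # unrelated activity
    ("notes.txt", "CLOSE+DATA_EXTEND"),
]

# Output file naming from the sheet: [Destination]-PWHashes.txt, optionally
# followed by .Obfuscated for the sibling file.
OUTPUT_NAME = re.compile(r"^(?P<dest>.+)-PWHashes\.txt(?P<obf>\.Obfuscated)?$")


def file_lifecycles(records):
    """Group records by file name (first-seen order). Each entry keeps its
    position in the journal so ordering across files can be compared."""
    lifecycles = OrderedDict()
    for pos, (name, reasons) in enumerate(records):
        lifecycles.setdefault(name, []).append((pos, frozenset(reasons.split("+"))))
    return lifecycles


def first_position(history, *flags):
    """Journal position of the first record carrying all of the given reason
    flags, or None if the file never shows that combination."""
    for pos, reason_set in history:
        if all(flag in reason_set for flag in flags):
            return pos
    return None


def find_pwdumpx_output(records):
    """Return {destination: details} for every destination whose files follow
    the sequence in the USN Journal table: <dest>-PWHashes.txt is created, the
    .Obfuscated sibling is created after it, the .txt is then truncated and
    rewritten (DATA_TRUNCATION together with SECURITY_CHANGE), and finally the
    .Obfuscated file is deleted."""
    lifecycles = file_lifecycles(records)
    hits = {}
    for name, history in lifecycles.items():
        match = OUTPUT_NAME.match(name)
        if not match or match.group("obf"):
            continue  # not an output file, or the .Obfuscated sibling itself
        obf_history = lifecycles.get(name + ".Obfuscated", [])
        steps = [
            first_position(history, "FILE_CREATE"),
            first_position(obf_history, "FILE_CREATE"),
            first_position(history, "DATA_TRUNCATION", "SECURITY_CHANGE"),
            first_position(obf_history, "FILE_DELETE"),
        ]
        if None in steps or steps != sorted(steps):
            continue  # a step is missing or the steps are out of order
        hits[match.group("dest")] = {
            "output_file": name,
            "obfuscated_file": name + ".Obfuscated",
            "journal_positions": steps,
        }
    return hits


if __name__ == "__main__":
    for dest, details in find_pwdumpx_output(USN_RECORDS).items():
        print(f"PWDumpX output pattern for destination {dest}: {details}")
```

On a real image, feed the function the (file name, reason) pairs parsed from $UsnJrnl:$J in journal order; the prefetch and MFT entries in the tables above corroborate a hit.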

- Details: Destination Host

- Event Log

# Event Log Event ID Task Category Event Details
1 Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (445)
  • Network Information > Destination Address: Destination IP address (destination host IP address)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (source host IP address)
  • Application Information > Process ID: Process ID (4)
2 Security 4776 Credential Validation The Domain Controller attempted to validate the credentials for an account.
  • Authentication Package: Package used for authentication (MICROSOFT_AUTHENTICATION_PACKAGE_V1_0)
  • Logon Account: Account used (account specified when the tool is executed at the source)
  • Source Workstation: Host that requested account validation (source host name)
  • Error Code: Execution result (0x0)
Security 4672 Special Logon Privileges assigned to a new logon.
  • Privileges: Assigned special privileges
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 4624 Logon An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal) (0x0)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (NULL SID)
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Logon Process: Process used for logon (NtLmSsp)
  • Network Information > Source Port: Source port number (the port recorded as "Destination Port" in the immediately prior Event ID 5156 for the 445/tcp connection)
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on (account specified when the tool is executed at the source)
  • Logon Type: Logon path, method, etc. (3=Network)
  • Network Information > Workstation Name: Name of the host that requested the logon (source host name)
  • Process Information > Process Name: Path to the executable file (-)
  • Detailed Authentication Information > Authentication Package: Authentication package used (NTLM)
  • Network Information > Source Network Address: IP address that requested the logon (source host IP address)
  • Subject > Logon ID: Session ID of the user who executed the authentication (0x0)
3 Security 5140 File Sharing A network share object was accessed.
  • Network Information > Source Port: Source port number (the port recorded as "Destination Port" in the immediately prior Event ID 5156 for the 445/tcp connection)
  • Shared Information > Share Path: Share path (\??\C:\Windows)
  • Access Request Information > Access: Requested privileges (ReadData or ListDirectory)
  • Shared Information > Share Name: Share name used (\\*\ADMIN$)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Network Information > Source Address: Source IP address (source host IP address)
  • Subject > Logon ID: Session ID of the user who executed the process
4 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (System)
  • ProcessGuid/ProcessId: Process ID (4)
  • TargetFilename: Created file (C:\Windows\System32\DumpSvc.exe)
  • CreationUtcTime: File creation date and time (UTC)
Security 5145 Detailed File Share A network share object was checked to see whether the client can be granted the desired access.
  • Network Information > Source Port: Source port number (the port recorded as "Destination Port" in the immediately prior Event ID 5156 for the 445/tcp connection)
  • Network Information > Object Type: Type of the created object (File)
  • Shared Information > Share Path: Share path (\??\C:\Windows)
  • Access Request Information > Access: Requested privileges (including WriteData or AddFile, and DELETE)
  • Shared Information > Share Name: Share name (\\*\ADMIN$)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Shared Information > Relative Target Name: Relative target name from the share path (system32\DumpSvc.exe)
  • Network Information > Source Address: Source IP address (source host IP address)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal) (0x4)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and WriteAttributes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Object > Object Name: Target file name (C:\Windows\System32\DumpSvc.exe)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal) (0x4)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, WriteAttributes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Object > Object Name: Target file name (C:\Windows\System32\DumpSvc.exe)
  • Audit Success: Success or failure (access successful)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal) (0x4)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
5 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (System)
  • ProcessGuid/ProcessId: Process ID (4)
  • TargetFilename: Created file (C:\Windows\System32\DumpExt.dll)
  • CreationUtcTime: File creation date and time (UTC)
Security 5145 Detailed File Share A network share object was checked to see whether the client can be granted the desired access.
  • Network Information > Source Port: Source port number (the port recorded as "Destination Port" in the immediately prior Event ID 5156 for the 445/tcp connection)
  • Network Information > Object Type: Type of the created object (File)
  • Shared Information > Share Path: Share path (\??\C:\Windows)
  • Access Request Information > Access: Requested privileges (including WriteData or AddFile, and DELETE)
  • Shared Information > Share Name: Share name (\\*\ADMIN$)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Shared Information > Relative Target Name: Relative target name from the share path (system32\DumpExt.dll)
  • Network Information > Source Address: Source IP address (source host IP address)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal) (0x4)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and WriteAttributes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Object > Object Name: Target file name (C:\Windows\System32\DumpExt.dll)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal) (0x4)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, WriteAttributes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Object > Object Name: Target file name (C:\Windows\System32\DumpExt.dll)
  • Audit Success: Success or failure (access successful)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal) (0x4)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
6 Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (135)
  • Network Information > Destination Address: Destination IP address (destination host IP address)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (source host IP address)
  • Application Information > Process ID: Process ID
7 Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host IP address)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\services.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (source host IP address)
  • Application Information > Process ID: Process ID
8 System 7045 A service was installed in the system. A service was installed.
  • Service Start Type: How the service is started (demand start)
  • Service Account: Executing account (LocalSystem)
  • Service Type: Type of the service to be executed (user mode service)
  • Service Name: Name displayed in the service list (PWDumpX Service)
  • Service File Name: Service executable file (%windir%\system32\DumpSvc.exe)
System 7036 Service Control Manager The [Service Name] service entered the [Status] state.
  • Status: State after the transition (Running)
  • Service Name: Target service name (PWDumpX Service)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Operation type (CreateKey)
  • Image: Path to the executable file (C:\Windows\system32\services.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Operation type (SetValue)
  • Image: Path to the executable file (C:\Windows\system32\services.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (DWORD:0x00000010)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\Type)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Operation type (SetValue)
  • Image: Path to the executable file (C:\Windows\system32\services.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (DWORD:0x00000003)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\Start)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Operation type (SetValue)
  • Image: Path to the executable file (C:\Windows\system32\services.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (DWORD:0x00000000)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\ErrorControl)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Operation type (SetValue)
  • Image: Path to the executable file (C:\Windows\system32\services.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (%windir%\system32\DumpSvc.exe)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\ImagePath)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Operation type (SetValue)
  • Image: Path to the executable file (C:\Windows\system32\services.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (PWDumpX Service)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\DisplayName)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Operation type (SetValue)
  • Image: Path to the executable file (C:\Windows\system32\services.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (LocalSystem)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\ObjectName)
Security 4674 Sensitive Privilege Use An operation was attempted on a privileged object.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Object > Object Name: Name of the object to be processed (ServicesActive)
  • Object > Object Server: Service that executed the process (SC Manager)
  • Requested operation > Special Privileges: Requested privileges (including creation of new services)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\services.exe)
  • Object > Object Type: Type of the object to be processed (SC_MANAGER_OBJECT)
  • Subject > Logon ID: Session ID of the user who executed the process
Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (C:\Windows\System32\services.exe)
  • CurrentDirectory: Working directory (C:\Windows\system32\)
  • CommandLine: Command line of the execution command (C:\Windows\system32\DumpSvc.exe)
  • IntegrityLevel: Privilege level (System)
  • ParentCommandLine: Command line of the parent process (C:\Windows\System32\services.exe)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\DumpSvc.exe)
Security 4688 Process Create A new process has been created.
  • Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
  • Log Date and Time: Process execution date and time (local time)
  • Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\DumpSvc.exe)
  • Process Information > Token Elevation Type: Token elevation type (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process ("Creator Process ID" in Windows 7)
  • Subject > Logon ID: Session ID of the user who executed the process
9 Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access (0x1FFFFF, 0x1400)
  • SourceImage: Path to the access source process (C:\Windows\system32\services.exe)
  • TargetImage: Path to the access destination process (C:\Windows\system32\DumpSvc.exe)
Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access (0x1410)
  • SourceImage: Path to the access source process (C:\Windows\system32\DumpSvc.exe)
  • TargetImage: Path to the access destination process (C:\Windows\system32\smss.exe)
Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access (0x1410)
  • SourceImage: Path to the access source process (C:\Windows\system32\DumpSvc.exe)
  • TargetImage: Path to the access destination process (C:\Windows\system32\csrss.exe)
Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access (0x1410)
  • SourceImage: Path to the access source process (C:\Windows\system32\DumpSvc.exe)
  • TargetImage: Path to the access destination process (C:\Windows\system32\wininit.exe)
Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access (0x1410)
  • SourceImage: Path to the access source process (C:\Windows\system32\DumpSvc.exe)
  • TargetImage: Path to the access destination process (C:\Windows\system32\winlogon.exe)
Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access (0x1410)
  • SourceImage: Path to the access source process (C:\Windows\system32\DumpSvc.exe)
  • TargetImage: Path to the access destination process (C:\Windows\system32\services.exe)
Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access (0x1410, 0x1F1FFF)
  • SourceImage: Path to the access source process (C:\Windows\system32\DumpSvc.exe)
  • TargetImage: Path to the access destination process (C:\Windows\system32\lsass.exe)
Microsoft-Windows-Sysmon/Operational 8 CreateRemoteThread detected (rule: CreateRemoteThread) CreateRemoteThread detected.
  • NewThreadId: Thread ID of the new thread
  • TargetProcessGuid/TargetProcessId: Process ID of the destination process
  • TargetImage: Path to the process in which the thread was created (C:\Windows\System32\lsass.exe)
  • UtcTime: Execution date and time (UTC)
  • SourceImage: Path to the process that created the thread (C:\Windows\System32\DumpSvc.exe)
  • SourceProcessGuid/SourceProcessId: Process ID of the source process
10 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\system32\lsass.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\System32\PWHashes.txt)
  • CreationUtcTime: File creation date and time (UTC)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Object > Object Name: Target file name (C:\Windows\System32\PWHashes.txt)
  • Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
  • Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\lsass.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
  • Audit Success: Success or failure (access successful)
  • Object > Object Name: Target file name (C:\Windows\System32\PWHashes.txt)
  • Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
  • Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\lsass.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
  • Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
11 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\system32\lsass.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\System32\PWHashes.txt.Obfuscated)
  • CreationUtcTime: File creation date and time (UTC)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Object > Object Name: Target file name (C:\Windows\System32\PWHashes.txt.Obfuscated)
  • Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
  • Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\lsass.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
  • Audit Success: Success or failure (access successful)
  • Object > Object Name: Target file name (C:\Windows\System32\PWHashes.txt.Obfuscated)
  • Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
  • Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\lsass.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
  • Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
12 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
  • Object > Object Name: Target file name (C:\Windows\System32\PWHashes.txt.Obfuscated)
  • Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
  • Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\lsass.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
  • Audit Success: Success or failure (access successful)
  • Object > Object Name: Target file name (C:\Windows\System32\PWHashes.txt.Obfuscated)
  • Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
  • Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\lsass.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
Security 4660 File System An object was deleted.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
  • Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
  • Process Information > Process Name: Name of the process that deleted the object (C:\Windows\System32\lsass.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
  • Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
13 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\DumpSvc.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Exit Status: Process return value (0x0)
  • Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
  • Log Date and Time: Process terminated date and time (local time)
  • Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\DumpSvc.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Subject > Logon ID: Session ID of the user who executed the process
14 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (445)
  • SourceHostname: Source host name (destination host name)
  • SourceIp: Source IP address (destination host IP address)
Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (135)
  • SourceHostname: Source host name (destination host name)
  • SourceIp: Source IP address (destination host IP address)
Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (destination host name)
  • SourceIp: Source IP address (destination host IP address)
15 System 7036 Service Control Manager The [Service Name] service entered the [Status] state.
  • Status: State after the transition (Stopped)
  • Service Name: Target service name (PWDumpX Service)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Type of registry operation (SetValue)
  • Image: Path to the executable file (C:\Windows\system32\services.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (DWORD:0x00000001)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\DeleteFlag)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Type of registry operation (SetValue)
  • Image: Path to the executable file (C:\Windows\system32\services.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (DWORD:0x00000004)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX\Start)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Type of registry operation (DeleteKey)
  • Image: Path to the executable file (C:\Windows\system32\services.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PWDumpX)
16 Security 5145 Detailed File Share
  • Network Information > Source Port: Source port number (matches the destination port recorded in the immediately prior Event ID: 5156 for the 445/tcp connection)
  • Network Information > Object Type: Type of the created object (File)
  • Shared Information > Share Path: Share path (\??\C:\Windows)
  • Access Request Information > Access: Requested privileges (including ReadData or ListDirectory, ReadEA, and ReadAttributes)
  • Shared Information > Share Name: Share name (\\*\ADMIN$)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Shared Information > Relative Target Name: Relative target name from the share path (system32\PWHashes.txt)
  • Network Information > Source Address: Source IP address (source host IP address)
  • Subject > Logon ID: Session ID of the user who executed the process
17 Security 5145 Detailed File Share
  • Network Information > Source Port: Source port number (matches the destination port recorded in the immediately prior Event ID: 5156 for the 445/tcp connection)
  • Network Information > Object Type: Type of the created object (File)
  • Shared Information > Share Path: Share path (\??\C:\Windows)
  • Access Request Information > Access: Requested privilege (including DELETE)
  • Shared Information > Share Name: Share name (\\*\ADMIN$)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Shared Information > Relative Target Name: Relative target name from the share path (system32\PWHashes.txt)
  • Network Information > Source Address: Source IP address (source host IP address)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal) (0x4)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Object > Object Name: Target file name (C:\Windows\System32\PWHashes.txt)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal) (0x4)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Object > Object Name: Target file name (C:\Windows\System32\PWHashes.txt)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
Security 4660 File System An object was deleted.
  • Process Information > Process ID: Process ID (hexadecimal) (0x4)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal) (0x4)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
18 Security 5145 Detailed File Share
  • Network Information > Source Port: Source port number (matches the destination port recorded in the immediately prior Event ID: 5156 for the 445/tcp connection)
  • Network Information > Object Type: Type of the created object (File)
  • Shared Information > Share Path: Share path (\??\C:\Windows)
  • Access Request Information > Access: Requested privilege (including DELETE)
  • Shared Information > Share Name: Share name (\\*\ADMIN$)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Shared Information > Relative Target Name: Relative target name from the share path (system32\DumpExt.dll)
  • Network Information > Source Address: Source IP address (source host IP address)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal) (0x4)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Object > Object Name: Target file name (C:\Windows\System32\DumpExt.dll)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal) (0x4)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Object > Object Name: Target file name (C:\Windows\System32\DumpExt.dll)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
Security 4660 File System An object was deleted.
  • Process Information > Process ID: Process ID (hexadecimal) (0x4)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal) (0x4)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
19 Security 5145 Detailed File Share
  • Network Information > Source Port: Source port number (matches the destination port recorded in the immediately prior Event ID: 5156 for the 445/tcp connection)
  • Network Information > Object Type: Type of the created object (File)
  • Shared Information > Share Path: Share path (\??\C:\Windows)
  • Access Request Information > Access: Requested privilege (including DELETE)
  • Shared Information > Share Name: Share name (\\*\ADMIN$)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Shared Information > Relative Target Name: Relative target name from the share path (system32\DumpSvc.exe)
  • Network Information > Source Address: Source IP address (source host IP address)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal) (0x4)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Object > Object Name: Target file name (C:\Windows\System32\DumpSvc.exe)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal) (0x4)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Object > Object Name: Target file name (C:\Windows\System32\DumpSvc.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
Security 4660 File System An object was deleted.
  • Process Information > Process ID: Process ID (hexadecimal) (0x4)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal) (0x4)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
20 Security 4634 Logoff An account was logged off.
  • Logon Type: Logon path, method, etc. (3=Network)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (account specified when the tool is executed at the source)
  • Subject > Logon ID: Session ID of the user who executed the authentication (logon ID recorded in the prior Event ID: 4624)
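The destination-host entries above can be turned into a simple correlation rule. The following is an added example written for this page (it is not code from the JPCERT report or from PWDumpX): events are plain dicts whose keys mirror the fields named in the table, the host names, IP addresses and account in the sample events are constructed placeholders, and the "two distinct indicator types" threshold is an assumption chosen to suppress single noisy hits.

```python
"""Flag the PWDumpX artifact pattern (ADMIN$ drop of DumpSvc.exe/DumpExt.dll,
PWDumpX Service install, lsass.exe writing PWHashes.txt.Obfuscated, service key
cleanup) on a destination host. Added example, not the report's own tooling."""
from collections import defaultdict
from typing import Optional

# File names the table shows being written, read and deleted under System32.
PWDUMPX_FILES = {"dumpsvc.exe", "dumpext.dll", "pwhashes.txt", "pwhashes.txt.obfuscated"}
PWDUMPX_SERVICE = "pwdumpx service"


def _basename(path: str) -> str:
    """Last path component, lower-cased, for both '\\' and '/' separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev: dict) -> Optional[str]:
    """Return an indicator label when the event matches one of the page's artifacts."""
    channel, eid = ev.get("Channel", ""), int(ev.get("EventID", 0))
    if channel == "Microsoft-Windows-Sysmon/Operational":
        # Sysmon 11: lsass.exe creating a file is abnormal; the table shows it
        # writing PWHashes.txt.Obfuscated while the injected DumpExt.dll runs.
        if eid == 11 and _basename(ev.get("Image", "")) == "lsass.exe":
            return "lsass_file_create"
        # Sysmon 12/13: services.exe setting DeleteFlag/Start or deleting the key.
        if eid in (12, 13) and "\\services\\pwdumpx" in ev.get("TargetObject", "").lower():
            return "pwdumpx_registry"
    elif channel == "Security":
        # 5145: remote access to ADMIN$ for the dropped binaries or the result file.
        if eid == 5145 and ev.get("ShareName", "").upper().endswith("\\ADMIN$"):
            if _basename(ev.get("RelativeTargetName", "")) in PWDUMPX_FILES:
                return "admin_share_artifact"
        # 4656/4663/4660: local handle, access or delete on one of the artifact files.
        if eid in (4656, 4663, 4660) and _basename(ev.get("ObjectName", "")) in PWDUMPX_FILES:
            return "artifact_file_access"
    elif channel == "System":
        # 7036: Service Control Manager state change for the PWDumpX Service.
        if eid == 7036 and ev.get("ServiceName", "").lower() == PWDUMPX_SERVICE:
            return "pwdumpx_service"
    return None


def correlate(events: list) -> dict:
    """Group indicators per host; flag a host with >= 2 distinct indicator types
    (assumed threshold) and carry the source IPs and accounts seen in 5145 events."""
    per_host = defaultdict(lambda: {"ind": set(), "src": set(), "acct": set()})
    for ev in events:
        label = classify_event(ev)
        if label is None:
            continue
        rec = per_host[ev.get("Computer", "?")]
        rec["ind"].add(label)
        if ev.get("IpAddress"):
            rec["src"].add(ev["IpAddress"])
        if ev.get("Account"):
            rec["acct"].add(ev["Account"])
    return {
        host: {"flagged": len(r["ind"]) >= 2, "indicators": sorted(r["ind"]),
               "sources": sorted(r["src"]), "accounts": sorted(r["acct"])}
        for host, r in per_host.items()
    }


# Constructed sample events; DST01 reproduces the table's sequence, DST02 is
# benign ADMIN$ use, DST03 has only a single weak indicator.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 5145, "Computer": "DST01",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "system32\\DumpSvc.exe",
     "IpAddress": "192.0.2.10", "Account": "EXAMPLE\\admin01"},
    {"Channel": "System", "EventID": 7036, "Computer": "DST01",
     "ServiceName": "PWDumpX Service"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11, "Computer": "DST01",
     "Image": "C:\\Windows\\system32\\lsass.exe",
     "TargetFilename": "C:\\Windows\\System32\\PWHashes.txt.Obfuscated"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 13, "Computer": "DST01",
     "Image": "C:\\Windows\\system32\\services.exe",
     "TargetObject": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\PWDumpX\\DeleteFlag"},
    {"Channel": "Security", "EventID": 5145, "Computer": "DST02",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "system32\\notepad.exe",
     "IpAddress": "192.0.2.20", "Account": "EXAMPLE\\helpdesk"},
    {"Channel": "Security", "EventID": 4663, "Computer": "DST03",
     "ObjectName": "C:\\Windows\\System32\\PWHashes.txt"},
]

if __name__ == "__main__":
    for host, summary in correlate(SAMPLE_EVENTS).items():
        print(host, summary)
```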

- USN Journal

# File Name Process Attribute
1 DumpSvc.exe FILE_CREATE archive
DumpSvc.exe FILE_CREATE+SECURITY_CHANGE archive
DumpSvc.exe DATA_EXTEND+FILE_CREATE+SECURITY_CHANGE archive
DumpSvc.exe DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE+SECURITY_CHANGE archive
DumpSvc.exe BASIC_INFO_CHANGE+DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE+SECURITY_CHANGE archive
DumpSvc.exe BASIC_INFO_CHANGE+DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE+SECURITY_CHANGE archive
2 DumpExt.dll FILE_CREATE archive
DumpExt.dll FILE_CREATE+SECURITY_CHANGE archive
DumpExt.dll DATA_EXTEND+FILE_CREATE+SECURITY_CHANGE archive
DumpExt.dll DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE+SECURITY_CHANGE archive
DumpExt.dll BASIC_INFO_CHANGE+DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE+SECURITY_CHANGE archive
DumpExt.dll BASIC_INFO_CHANGE+CLOSE+DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE+SECURITY_CHANGE archive
3 PWHashes.txt FILE_CREATE archive
PWHashes.txt CLOSE+FILE_CREATE archive
PWHashes.txt DATA_EXTEND archive
PWHashes.txt CLOSE+DATA_EXTEND archive
4 PWHashes.txt.Obfuscated FILE_CREATE archive
PWHashes.txt.Obfuscated CLOSE+FILE_CREATE archive
PWHashes.txt.Obfuscated DATA_EXTEND archive
PWHashes.txt.Obfuscated CLOSE+DATA_EXTEND archive
5 PWHashes.txt DATA_TRUNCATION archive
PWHashes.txt CLOSE+DATA_TRUNCATION archive
PWHashes.txt DATA_EXTEND archive
PWHashes.txt DATA_EXTEND+DATA_OVERWRITE archive
PWHashes.txt CLOSE+DATA_EXTEND+DATA_OVERWRITE archive
6 PWHashes.txt.Obfuscated CLOSE+FILE_DELETE archive
7 PWHashes.txt CLOSE+FILE_DELETE archive
8 DumpExt.dll CLOSE+FILE_DELETE archive
9 DumpSvc.exe CLOSE+FILE_DELETE archive

- Packet Capture

# Process Source Host Source Port Number Destination Host Destination Port Number Protocol/Application
1 Session Setup Request, NTLMSSP_AUTH, User: [User Name] [Source Host] [High Port] [Destination Host] 445 SMB2
Session Setup Response [Destination Host] 445 [Source Host] [High Port] SMB2
2 Tree Connect Request Tree: \\[Target NetBIOS Name]\ADMIN$ [Source Host] [High Port] [Destination Host] 445 SMB2
3 Create Request File: DumpSvc.exe [Source Host] [High Port] [Destination Host] 445 SMB2
Create Response File: DumpSvc.exe [Destination Host] 445 [Source Host] [High Port] SMB2
GetInfo Request FS_INFO/FileFsVolumeInformation File: system32\DumpSvc.exe;GetInfo Request FS_INFO/FileFsAttributeInformation File: system32\DumpSvc.exe [Source Host] [High Port] [Destination Host] 445 SMB2
GetInfo Response;GetInfo Response [Destination Host] 445 [Source Host] [High Port] SMB2
Create Request File: system32 [Source Host] [High Port] [Destination Host] 445 SMB2
Create Response File: system32 [Destination Host] 445 [Source Host] [High Port] SMB2
Close Request File: system32 [Destination Host] [High Port] [Source Host] 445 SMB2
Close Response [Destination Host] 445 [Source Host] [High Port] SMB2
GetInfo Request SEC_INFO/SMB2_SEC_INFO_00 File: system32\DumpSvc.exe [Source Host] [High Port] [Destination Host] 445 SMB2
GetInfo Response [Destination Host] 445 [Source Host] [High Port] SMB2
SetInfo Request SEC_INFO/SMB2_SEC_INFO_00 File: system32\DumpSvc.exe [Source Host] [High Port] [Destination Host] 445 SMB2
SetInfo Response [Destination Host] 445 [Source Host] [High Port] SMB2
SetInfo Request FILE_INFO/SMB2_FILE_ENDOFFILE_INFO File: system32\DumpSvc.exe [Source Host] [High Port] [Destination Host] 445 SMB2
SetInfo Response [Destination Host] 445 [Source Host] [High Port] SMB2
Write Request Len:59871 Off:0 File: system32\DumpSvc.exe [Source Host] [High Port] [Destination Host] 445 SMB2
Write Response [Destination Host] 445 [Source Host] [High Port] SMB2
SetInfo Request FILE_INFO/SMB2_FILE_BASIC_INFO File: system32\DumpSvc.exe [Source Host] [High Port] [Destination Host] 445 SMB2
SetInfo Response [Destination Host] 445 [Source Host] [High Port] SMB2
GetInfo Request FILE_INFO/SMB2_NETWORK_OPEN_INFO File: system32\DumpSvc.exe [Source Host] [High Port] [Destination Host] 445 SMB2
GetInfo Response [Destination Host] 445 [Source Host] [High Port] SMB2
4 Create Request File: system32\DumpExt.dll [Source Host] [High Port] [Destination Host] 445 SMB2
Create Response File: system32\DumpExt.dll [Destination Host] 445 [Source Host] [High Port] SMB2
Create Request File: system32 [Source Host] [High Port] [Destination Host] 445 SMB2
Create Response File: system32 [Destination Host] 445 [Source Host] [High Port] SMB2
Close Request File: system32 [Destination Host] [High Port] [Source Host] 445 SMB2
Close Response [Destination Host] 445 [Source Host] [High Port] SMB2
GetInfo Request SEC_INFO/SMB2_SEC_INFO_00 File: system32\DumpExt.dll [Source Host] [High Port] [Destination Host] 445 SMB2
GetInfo Response [Destination Host] 445 [Source Host] [High Port] SMB2
SetInfo Request SEC_INFO/SMB2_SEC_INFO_00 File: system32\DumpExt.dll [Source Host] [High Port] [Destination Host] 445 SMB2
SetInfo Response [Destination Host] 445 [Source Host] [High Port] SMB2
SetInfo Request FILE_INFO/SMB2_FILE_ENDOFFILE_INFO File: system32\DumpExt.dll [Source Host] [High Port] [Destination Host] 445 SMB2
SetInfo Response [Destination Host] 445 [Source Host] [High Port] SMB2
Write Request Len:65536 Off:0 File: system32\DumpExt.dll [Source Host] [High Port] [Destination Host] 445 SMB2
Write Request Len:2569 Off:65536 File: system32\DumpExt.dll [Source Host] [High Port] [Destination Host] 445 SMB2
Write Response [Destination Host] 445 [Source Host] [High Port] SMB2
SetInfo Request FILE_INFO/SMB2_FILE_BASIC_INFO File: system32\DumpExt.dll [Source Host] [High Port] [Destination Host] 445 SMB2
SetInfo Response [Destination Host] 445 [Source Host] [High Port] SMB2
GetInfo Request FILE_INFO/SMB2_NETWORK_OPEN_INFO File: system32\DumpExt.dll [Source Host] [High Port] [Destination Host] 445 SMB2
GetInfo Response [Destination Host] 445 [Source Host] [High Port] SMB2
5 Close Request File: system32\DumpSvc.exe [Source Host] [High Port] [Destination Host] 445 SMB2
Close Response [Destination Host] 445 [Source Host] [High Port] SMB2
6 Close Request File: system32\DumpExt.dll [Source Host] [High Port] [Destination Host] 445 SMB2
Close Response [Destination Host] 445 [Source Host] [High Port] SMB2
7 Create Request File: system32\PWHashes.txt [Source Host] [High Port] [Destination Host] 445 SMB2
Create Response File: system32\PWHashes.txt [Destination Host] 445 [Source Host] [High Port] SMB2
GetInfo Request FILE_INFO/SMB2_FILE_EA_INFO File: system32\PWHashes.txt;GetInfo Request FILE_INFO/SMB2_FILE_STREAM_INFO File: system32\PWHashes.txt;GetInfo Request SEC_INFO/SMB2_SEC_INFO_00 File: system32\PWHashes.txt [Source Host] [High Port] [Destination Host] 445 SMB2
GetInfo Response;GetInfo Response;GetInfo Response [Destination Host] 445 [Source Host] [High Port] SMB2
Read Request Len:251 Off:0 File: system32\PWHashes.txt [Source Host] [High Port] [Destination Host] 445 SMB2
Read Response [Destination Host] 445 [Source Host] [High Port] SMB2
Create Request File: system32\PWHashes.txt [Source Host] [High Port] [Destination Host] 445 SMB2
Create Response File: system32\PWHashes.txt [Destination Host] 445 [Source Host] [High Port] SMB2
SetInfo Request FILE_INFO/SMB2_FILE_DISPOSITION_INFO File: system32\PWHashes.txt [Source Host] [High Port] [Destination Host] 445 SMB2
SetInfo Response [Destination Host] 445 [Source Host] [High Port] SMB2
Close Request File: system32\PWHashes.txt [Source Host] [High Port] [Destination Host] 445 SMB2
Close Response [Destination Host] 445 [Source Host] [High Port] SMB2
Create Request File: system32\ErrorLog.txt [Source Host] [High Port] [Destination Host] 445 SMB2
Create Response: STATUS_OBJECT_NAME_NOT_FOUND [Destination Host] 445 [Source Host] [High Port] SMB2
8 Create Request File: system32\DumpExt.dll [Source Host] [High Port] [Destination Host] 445 SMB2
Create Response File: system32\DumpExt.dll [Destination Host] 445 [Source Host] [High Port] SMB2
SetInfo Request FILE_INFO/SMB2_FILE_DISPOSITION_INFO File: system32\DumpExt.dll [Source Host] [High Port] [Destination Host] 445 SMB2
SetInfo Response [Destination Host] 445 [Source Host] [High Port] SMB2
Close Request File: system32\DumpExt.dll [Source Host] [High Port] [Destination Host] 445 SMB2
Close Response [Destination Host] 445 [Source Host] [High Port] SMB2
9 Create Request File: system32\DumpSvc.exe [Source Host] [High Port] [Destination Host] 445 SMB2
Create Response File: system32\DumpSvc.exe [Destination Host] 445 [Source Host] [High Port] SMB2
SetInfo Request FILE_INFO/SMB2_FILE_DISPOSITION_INFO File: system32\DumpSvc.exe [Source Host] [High Port] [Destination Host] 445 SMB2
SetInfo Response [Destination Host] 445 [Source Host] [High Port] SMB2
Close Request File: system32\DumpSvc.exe [Source Host] [High Port] [Destination Host] 445 SMB2
Close Response [Destination Host] 445 [Source Host] [High Port] SMB2
10 Tree Disconnect Request [Source Host] [High Port] [Destination Host] 445 SMB2
Tree Disconnect Response [Destination Host] 445 [Source Host] [High Port] SMB2
11 Session Logoff Request [Source Host] [High Port] [Destination Host] 445 SMB2
Session Logoff Response [Destination Host] 445 [Source Host] [High Port] SMB2