| 1 |
Microsoft-Windows-Sysmon/Operational |
1 |
Process Create (rule: ProcessCreate) |
Process Create.
- LogonGuid/LogonId: ID of the logon session
- ParentProcessGuid/ParentProcessId: Process ID of the parent process
- ParentImage: Executable file of the parent process
- CurrentDirectory: Work directory
- CommandLine: Command line of the execution command (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- IntegrityLevel: Privilege level (High)
- ParentCommandLine: Command line of the parent process
- UtcTime: Process execution date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user
- Hashes: Hash value of the executable file
- Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
|
| Security |
4688 |
Process Create |
A new process has been created.
- Process Information > Required Label: Necessity of privilege escalation (Mandatory Label\High Mandatory Level)
- Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
- Log Date and Time: Process execution date and time (local time)
- Subject > Account Domain: Domain to which the account belongs (domain name)
- Process Information > New Process Name: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Process Information > Token Escalation Type: Presence of privilege escalation (1)
- Process Information > New Process ID: Process ID (hexadecimal)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Subject > Logon ID: Session ID of the user who executed the process
|
| Microsoft-Windows-PowerShell/Operational |
40961 |
PowerShell Console Startup |
The PowerShell console is starting up. |
| 2 |
Microsoft-Windows-Sysmon/Operational |
13 |
Registry value set (rule: RegistryEvent) |
Registry value set.
- EventType: Process type (SetValue)
- Image: Path to the executable file (C:\Windows\Explorer.EXE)
- ProcessGuid/ProcessId: Process ID
- Details: Setting value written to the registry (Binary Data)
- TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr)
|
| 3 |
Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].temp)
- CreationUtcTime: File creation date and time (UTC)
|
| Microsoft-Windows-Sysmon/Operational |
2 |
File creation time changed (rule: FileCreateTime) |
File creation time changed.
- UtcTime: Date and time the change occurred (UTC)
- CreationUtcTime: New timestamp (UTC)
- Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- PreviousCreationUtcTime: Old timestamp (UTC)
- TargetFilename: Name of the changed file (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].temp)
|
| Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].temp)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
| Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].temp)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| 4 |
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
| Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| 5 |
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (including DELETE)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].temp)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
| Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (including DELETE)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].temp)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| 6 |
Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].customDestinations-ms~RF[RANDOM].TMP)
- CreationUtcTime: File creation date and time (UTC)
|
| Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (including DELETE)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].customDestinations-ms~RF[RANDOM].TMP)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
| Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (including DELETE)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].customDestinations-ms~RF[RANDOM].TMP)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| 7 |
Security |
4703 |
Token Right Adjusted Events |
A token right was adjusted.
- Disabled Privileges: Disabled privileges (-)
- Target Account > Security ID/Account Name/Account Domain: Target user SID/Account name/Domain
- Target Account > Logon ID: Session ID of the target user
- Enabled Privileges: Enabled privileges (SeDebugPrivilege)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Process Information > Process ID: ID of the executed process
- Process Information > Process Name: Name of the executed process (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
|
| Security |
4703 |
Token Right Adjusted Events |
A token right was adjusted.
- Disabled Privileges: Disabled privileges (SeDebugPrivilege)
- Target Account > Security ID/Account Name/Account Domain: Target user SID/Account name/Domain
- Target Account > Logon ID: Session ID of the target user
- Enabled Privileges: Enabled privileges (-)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Process Information > Process ID: ID of the executed process
- Process Information > Process Name: Name of the executed process (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
|
| 8 |
Security |
4673 |
Sensitive Privilege Use |
A privileged service was called.
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process > Process ID: ID of the process that used the privilege
- Subject > Logon ID: Session ID of the user who executed the process
- Service Request Information > Privilege: Privilege used (SeCreateGlobalPrivilege)
- Process > Process Name: Process that used the privilege (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
|
| 9 |
Microsoft-Windows-Sysmon/Operational |
10 |
Process accessed (rule: ProcessAccess) |
Process accessed.
- SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID
- TargetProcessGUID/TargetProcessId: Process ID of the access destination process
- GrantedAccess: Details of the granted access (0x40)
- SourceImage: Path to the access source process (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- TargetImage: Path to the access destination process (C:\Windows\Explorer.EXE)
|
| 10 |
Microsoft-Windows-Sysmon/Operational |
13 |
Registry value set (rule: RegistryEvent) |
Registry value set.
- EventType: Process type (SetValue)
- Image: Path to the executable file (C:\Windows\Explorer.EXE)
- ProcessGuid/ProcessId: Process ID
- Details: Setting value written to the registry (QWORD)
- TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe)
|
| Microsoft-Windows-Sysmon/Operational |
12 |
Registry object added or deleted (rule: RegistryEvent) |
Registry object added or deleted.
- EventType: Process type (CreateKey)
- Image: Path to the executable file (C:\Windows\Explorer.EXE)
- ProcessGuid/ProcessId: Process ID
- TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps)
|
| 11 |
Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].ps1)
- CreationUtcTime: File creation date and time (UTC)
|
| Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (including DELETE)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].ps1)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
| Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (including DELETE)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].ps1)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].psm1)
- CreationUtcTime: File creation date and time (UTC)
|
| Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (including DELETE)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].psm1)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
| Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (including DELETE)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].psm1)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| Microsoft-Windows-PowerShell/Operational |
53504 |
PowerShell Named Pipe IPC |
Windows PowerShell has started an IPC listening thread on process [Process ID] of the [Domain]. |
| Microsoft-Windows-PowerShell/Operational |
40962 |
PowerShell Console Startup |
PowerShell console is ready for user input |
| Microsoft-Windows-PowerShell/Operational |
40961 |
PowerShell Console Startup |
The PowerShell console is starting up. |
| 12 |
Microsoft-Windows-Sysmon/Operational |
13 |
Registry value set (rule: RegistryEvent) |
Registry value set.
- EventType: Process type
- Image: Path to the executable file (C:\Windows\Explorer.EXE)
- ProcessGuid/ProcessId: Process ID
- Details: Setting value written to the registry (Binary Data)
- TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr)
|
| 13 |
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Windows\Prefetch\POWERSHELL.EXE-[RANDOM].pf)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
| Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Windows\Prefetch\POWERSHELL.EXE-[RANDOM].pf)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| 14 |
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
| Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| 15 |
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
| Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| 16 |
Microsoft-Windows-Sysmon/Operational |
12 |
Registry object added or deleted (rule: RegistryEvent) |
Registry object added or deleted.
- EventType: Process type (CreateKey)
- Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- ProcessGuid/ProcessId: Process ID
- TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters)
|
| 17 |
Microsoft-Windows-Sysmon/Operational |
1 |
Process Create (rule: ProcessCreate) |
Process Create.
- LogonGuid/LogonId: ID of the logon session
- ParentProcessGuid/ParentProcessId: Process ID of the parent process
- ParentImage: Executable file of the parent process
- CurrentDirectory: Work directory (C:\Windows\system32)
- CommandLine: Command line of the execution command ("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File .\RWMC\[PowerShell Script Tool] 0)
- IntegrityLevel: Privilege level (High)
- ParentCommandLine: Command line of the parent process
- UtcTime: Process execution date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user
- Hashes: Hash value of the executable file
- Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
|
| Security |
4688 |
Process Create |
A new process has been created.
- Process Information > Required Label: Necessity of privilege escalation (Mandatory Label\High Mandatory Level)
- Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
- Log Date and Time: Process execution date and time (local time)
- Subject > Account Domain: Domain to which the account belongs (domain name)
- Process Information > New Process Name: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Process Information > Token Escalation Type: Presence of privilege escalation (1)
- Process Information > New Process ID: Process ID (hexadecimal)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Subject > Logon ID: Session ID of the user who executed the process
|
| Microsoft-Windows-PowerShell/Operational |
40961 |
PowerShell Console Startup |
The PowerShell console is starting up. |
| 18 |
Microsoft-Windows-Sysmon/Operational |
5 |
Process terminated (rule: ProcessTerminate) |
Process terminated.
- UtcTime: Process terminated date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
|
| Security |
4689 |
Process Termination |
A process has exited.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Exit Status: Process return value (0x0)
- Log Date and Time: Process terminated date and time (local time)
- Process Information > Process Name: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Subject > Logon ID: Session ID of the user who executed the process
|
| 19 |
Microsoft-Windows-PowerShell/Operational |
40961 |
PowerShell Console Startup |
The PowerShell console is starting up. |
| Microsoft-Windows-PowerShell/Operational |
53504 |
PowerShell Named Pipe IPC |
Windows PowerShell has started an IPC listening thread on process [Process ID] of the [Domain]. |
| Microsoft-Windows-PowerShell/Operational |
40962 |
PowerShell Console Startup |
PowerShell console is ready for user input |
| Microsoft-Windows-PowerShell/Operational |
4104 |
Execute a Remote Command. |
Creating Scriptblock text.
- Message: The content of the script executed. The content of a PowerShell script executed is recorded as is ('Start-Process -FilePath powershell.exe -ArgumentList "-ExecutionPolicy Bypass -File .\RWMC\[PowerShell Script Tool] 0"').
|
| 20 |
Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file ([Execution Path to Tool]\[Date and Time])
- CreationUtcTime: File creation date and time (UTC)
|
| 21 |
Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file ([Execution Path to Tool]\[Date and Time]\Log_[Date and Time].log)
- CreationUtcTime: File creation date and time (UTC)
|
| Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Execution Path to Tool]\[Date and Time]\Log_[Date and Time].log)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
| 22 |
Microsoft-Windows-Sysmon/Operational |
1 |
Process Create (rule: ProcessCreate) |
Process Create.
- LogonGuid/LogonId: ID of the logon session
- ParentProcessGuid/ParentProcessId: Process ID of the parent process
- ParentImage: Executable file of the parent process (C:\Windows\System32\svchost.exe)
- CurrentDirectory: Work directory (C:\Windows\system32)
- CommandLine: Command line of the execution command (C:\Windows\System32\wbem\wmiprvse.exe -secured -Embedding)
- IntegrityLevel: Privilege level (System)
- ParentCommandLine: Command line of the parent process (C:\Windows\system32\svchost.exe -k DcomLaunch)
- UtcTime: Process execution date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
- Hashes: Hash value of the executable file
- Image: Path to the executable file (C:\Windows\System32\wbem\WmiPrvSE.exe)
|
| Security |
4688 |
Process Create |
A new process has been created.
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Source Process Name: Path to the parent process that created the new process (C:\Windows\System32\svchost.exe)
- Log Date and Time: Process execution date and time (local time)
- Process Information > New Process Name: Path to the executable file (C:\Windows\System32\wbem\WmiPrvSE.exe)
- Process Information > Token Escalation Type: Presence of privilege escalation (1)
- Process Information > New Process ID: Process ID (hexadecimal)
- Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
- Subject > Logon ID: Session ID of the user who executed the process
|
| 23 |
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Windows\Prefetch\WMIPRVSE.EXE-[RANDOM].pf)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
| Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Windows\Prefetch\WMIPRVSE.EXE-[RANDOM].pf)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Account Name: Name of the account that executed the tool
- Subject > Account Domain: Domain to which the account belongs
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe)
- Subject > Security ID: SID of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| 24 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (Domain Controller IP address)
- Image: Path to the executable file (C:\Windows\System32\svchost.exe)
- DestinationHostname: Destination host name (Domain Controller host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
- DestinationPort: Destination port number (135)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name (source host name)
- SourceIp: Source IP address (source host IP address)
|
| Security |
5158 |
Filtering Platform Connection |
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bind local port (high port)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)
|
| Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (135)
- Network Information > Source Port: Source port number (high port)
- Network Information > Destination Address: Destination IP address (Domain Controller)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process
- Network Information > Direction: Communication direction (outbound)
- Network Information > Source Address: Source IP address (source host)
- Application Information > Process ID: Process ID
|
| 25 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (Domain Controller IP address)
- Image: Path to the executable file (C:\Windows\System32\svchost.exe)
- DestinationHostname: Destination host name (Domain Controller host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
- DestinationPort: Destination port number (135)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name (source host name)
- SourceIp: Source IP address (source host IP address)
|
| Security |
5158 |
Filtering Platform Connection |
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bind local port (high port)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)
|
| Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (135)
- Network Information > Source Port: Source port number (high port)
- Network Information > Destination Address: Destination IP address (Domain Controller)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process
- Network Information > Direction: Communication direction (outbound)
- Network Information > Source Address: Source IP address (source host)
- Application Information > Process ID: Process ID
|
| 26 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (Domain Controller IP address)
- Image: Path to the executable file (C:\Windows\System32\svchost.exe)
- DestinationHostname: Destination host name (Domain Controller host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
- DestinationPort: Destination port number (88)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name (source host name)
- SourceIp: Source IP address (source host IP address)
|
| Security |
5158 |
Filtering Platform Connection |
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bind local port (high port)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)
|
| Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (88)
- Network Information > Source Port: Source port number (high port)
- Network Information > Destination Address: Destination IP address (Domain Controller)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process
- Network Information > Direction: Communication direction (outbound)
- Network Information > Source Address: Source IP address (source host)
- Application Information > Process ID: Process ID
|
| 27 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (Domain Controller IP address)
- Image: Path to the executable file (C:\Windows\System32\svchost.exe)
- DestinationHostname: Destination host name (Domain Controller host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
- DestinationPort: Destination port number (88)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name (source host name)
- SourceIp: Source IP address (source host IP address)
|
| Security |
5158 |
Filtering Platform Connection |
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bind local port (high port)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)
|
| Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (88)
- Network Information > Source Port: Source port number (high port)
- Network Information > Destination Address: Destination IP address (Domain Controller)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process
- Network Information > Direction: Communication direction (outbound)
- Network Information > Source Address: Source IP address (source host)
- Application Information > Process ID: Process ID
|
| 28 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (Domain Controller IP address)
- Image: Path to the executable file (C:\Windows\System32\svchost.exe)
- DestinationHostname: Destination host name (Domain Controller host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
- DestinationPort: Destination port number (88)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name (source host name)
- SourceIp: Source IP address (source host IP address)
|
| Security |
5158 |
Filtering Platform Connection |
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bind local port (high port)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)
|
| Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (88)
- Network Information > Source Port: Source port number (high port)
- Network Information > Destination Address: Destination IP address (Domain Controller)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process
- Network Information > Direction: Communication direction (outbound)
- Network Information > Source Address: Source IP address (source host)
- Application Information > Process ID: Process ID
|
| 29 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (Domain Controller IP address)
- Image: Path to the executable file (C:\Windows\System32\svchost.exe)
- DestinationHostname: Destination host name (Domain Controller host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
- DestinationPort: Destination port number (135)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name (source host name)
- SourceIp: Source IP address (source host IP address)
|
| Security |
5158 |
Filtering Platform Connection |
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bind local port (high port)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)
|
| Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (135)
- Network Information > Source Port: Source port number (high port)
- Network Information > Destination Address: Destination IP address (Domain Controller)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process
- Network Information > Direction: Communication direction (outbound)
- Network Information > Source Address: Source IP address (source host)
- Application Information > Process ID: Process ID
|
| 30 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (Domain Controller IP address)
- Image: Path to the executable file (C:\Windows\System32\svchost.exe)
- DestinationHostname: Destination host name (Domain Controller host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
- DestinationPort: Destination port number (high port)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name (source host name)
- SourceIp: Source IP address (source host IP address)
|
| Security |
5158 |
Filtering Platform Connection |
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bind local port (high port)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)
|
| Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (high port)
- Network Information > Source Port: Source port number (high port)
- Network Information > Destination Address: Destination IP address (Domain Controller)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process
- Network Information > Direction: Communication direction (outbound)
- Network Information > Source Address: Source IP address (source host)
- Application Information > Process ID: Process ID
|
| 31 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (Domain Controller IP address)
- Image: Path to the executable file (C:\Windows\System32\svchost.exe)
- DestinationHostname: Destination host name (Domain Controller host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
- DestinationPort: Destination port number (88)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name (source host name)
- SourceIp: Source IP address (source host IP address)
|
| Security |
5158 |
Filtering Platform Connection |
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bind local port (high port)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)
|
| Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (88)
- Network Information > Source Port: Source port number (high port)
- Network Information > Destination Address: Destination IP address (Domain Controller)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process
- Network Information > Direction: Communication direction (outbound)
- Network Information > Source Address: Source IP address (source host)
- Application Information > Process ID: Process ID
|
| 32 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (Domain Controller IP address)
- Image: Path to the executable file (C:\Windows\System32\svchost.exe)
- DestinationHostname: Destination host name (Domain Controller host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
- DestinationPort: Destination port number (high port)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name (source host name)
- SourceIp: Source IP address (source host IP address)
|
| Security |
5158 |
Filtering Platform Connection |
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bind local port (high port)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)
|
| Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (high port)
- Network Information > Source Port: Source port number (high port)
- Network Information > Destination Address: Destination IP address (Domain Controller)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process
- Network Information > Direction: Communication direction (outbound)
- Network Information > Source Address: Source IP address (source host)
- Application Information > Process ID: Process ID
|
| 33 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (Domain Controller IP address)
- Image: Path to the executable file (C:\Windows\System32\svchost.exe)
- DestinationHostname: Destination host name (Domain Controller host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
- DestinationPort: Destination port number (445)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name (source host name)
- SourceIp: Source IP address (source host IP address)
|
| Security |
5158 |
Filtering Platform Connection |
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bind local port (445)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)
|
| Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (445)
- Network Information > Source Port: Source port number (high port)
- Network Information > Destination Address: Destination IP address (Domain Controller)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process
- Network Information > Direction: Communication direction (outbound)
- Network Information > Source Address: Source IP address (source host)
- Application Information > Process ID: Process ID
|
| 34 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (Domain Controller IP address)
- Image: Path to the executable file (C:\Windows\System32\svchost.exe)
- DestinationHostname: Destination host name (Domain Controller host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
- DestinationPort: Destination port number (88)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name (source host name)
- SourceIp: Source IP address (source host IP address)
|
| Security |
5158 |
Filtering Platform Connection |
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bind local port (88)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)
|
| Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (88)
- Network Information > Source Port: Source port number (high port)
- Network Information > Destination Address: Destination IP address (Domain Controller)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process
- Network Information > Direction: Communication direction (outbound)
- Network Information > Source Address: Source IP address (source host)
- Application Information > Process ID: Process ID
|
| 35 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (Domain Controller IP address)
- Image: Path to the executable file (C:\Windows\System32\svchost.exe)
- DestinationHostname: Destination host name (Domain Controller host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
- DestinationPort: Destination port number (high port)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name (source host name)
- SourceIp: Source IP address (source host IP address)
|
| Security |
5158 |
Filtering Platform Connection |
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bind local port (high port)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)
|
| Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (high port)
- Network Information > Source Port: Source port number (high port)
- Network Information > Destination Address: Destination IP address (Domain Controller)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process
- Network Information > Direction: Communication direction (outbound)
- Network Information > Source Address: Source IP address (source host)
- Application Information > Process ID: Process ID
|
| 36 |
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, AppendData, and WRITE_DAC)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Path to Tool]\[Date and Time]\lsass.dmp)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
| Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData, WRITE_DAC)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Path to Tool]\[Date and Time]\lsass.dmp)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| Security |
4670 |
Authorization Policy Change |
Permissions on an object were changed.
- Process Information > Process ID: Process ID (hexadecimal)
- Audit Success: Success or failure (change successful)
- Object > Object Name: Target file name ([Path to Tool]\[Date and Time]\lsass.dmp)
- Subject > Account Name: Name of the account that executed the tool
- Subject > Account Domain: Domain to which the account belongs
- Change permissions > New security descriptor: Security descriptor after the change (D:AI(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;[SID])
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Change permissions > Original security descriptor: Security descriptor before the change (D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;[SID])
- Subject > Security ID: SID of the user who executed the tool
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
| Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| 37 |
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Path to Tool]\RWMC\bufferCommand.txt)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
| Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Path to Tool]\RWMC\bufferCommand.txt)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| 38 |
Microsoft-Windows-Sysmon/Operational |
1 |
Process Create (rule: ProcessCreate) |
Process Create.
- LogonGuid/LogonId: ID of the logon session
- ParentProcessGuid/ParentProcessId: Process ID of the parent process
- ParentImage: Executable file of the parent process (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- CurrentDirectory: Work directory (path to the tool)
- CommandLine: Command line of the execution command ([Path to Tool]\RWMC\debugger\pre2r2vm\cdb.exe [Option])
- IntegrityLevel: Privilege level
- ParentCommandLine: Command line of the parent process ("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File .\RWMC\[PowerShell Script Tool] 0)
- UtcTime: Process execution date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user
- Hashes: Hash value of the executable file
- Image: Path to the executable file ([Path to Tool]\RWMC\debugger\pre2r2vm\cdb.exe)
|
| Security |
4688 |
Process Create |
A new process has been created.
- Process Information > Required Label: Necessity of privilege escalation
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Source Process Name: Path to the parent process that created the new process (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Log Date and Time: Process execution date and time (local time)
- Process Information > New Process Name: Path to the executable file ([Path to Tool]\RWMC\debugger\pre2r2vm\cdb.exe)
- Process Information > Token Escalation Type: Presence of privilege escalation (1)
- Process Information > New Process ID: Process ID (hexadecimal)
- Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
- Subject > Logon ID: Session ID of the user who executed the process
|
| Microsoft-Windows-PowerShell/Operational |
4104 |
Execute a Remote Command. |
Creating Scriptblock text.
- Message: The content of the script executed. The content of the executed PowerShell script is recorded as is.
|
| 39 |
Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the executable file ([Path to Tool]\RWMC\debugger\pre2r2vm\cdb.exe)
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file ([Path to Tool]\RWMC\debugger\pre2r2vm\DBG0.tmp)
- CreationUtcTime: File creation date and time (UTC)
|
| Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (DELETE, ReadAttributes)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Path to Tool]\RWMC\debugger\pre2r2vm\DBG0.tmp)
- Process Information > Process Name: Name of the process that closed the handle ([Path to Tool]\RWMC\debugger\pre2r2vm\cdb.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
| Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Path to Tool]\RWMC\debugger\pre2r2vm\DBG0.tmp)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle ([Path to Tool]\RWMC\debugger\pre2r2vm\cdb.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| Security |
4660 |
File System |
An object was deleted.
- Process Information > Process ID: Process ID (hexadecimal)
- Audit Success: Success or failure (access successful)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Path to Tool]\RWMC\debugger\pre2r2vm\DBG0.tmp)
- Process Information > Process Name: Name of the process that closed the handle ([Path to Tool]\RWMC\debugger\pre2r2vm\cdb.exe)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| 40 |
Microsoft-Windows-Sysmon/Operational |
5 |
Process terminated (rule: ProcessTerminate) |
Process terminated.
- UtcTime: Process terminated date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- Image: Path to the executable file ([Path to Tool]\debugger\pre2r2vm\cdb.exe)
|
| Security |
4689 |
Process Termination |
A process has exited.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Exit Status: Process return value (0x0)
- Log Date and Time: Process terminated date and time (local time)
- Process Information > Process Name: Path to the executable file ([Path to Tool]\debugger\pre2r2vm\cdb.exe)
- Subject > Logon ID: Session ID of the user who executed the process
|
| 41 |
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Windows\Prefetch\CDB.EXE-[RANDOM].pf)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
| Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Windows\Prefetch\CDB.EXE-[RANDOM].pf)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|