Out-Minidump (PowerSploit)

- Tool Overview

Category: Password and Hash Dump
Description: Writes the memory of a running process (lsass.exe in the case recorded here) to a dump file.
Example of Presumed Tool Use During an Attack: This tool is used to acquire the user's password from the dump and use it for unauthorized login.

- Tool Operation Overview

OS: Windows
Belonging to Domain: Not required
Rights: Administrator

- Information Acquired from Log

Standard Settings
  • Host
    • Execution history (Prefetch)
    • Details of the script/command executed (Windows 10 only. They are recorded in "Microsoft-Windows-PowerShell/Operational" and C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt)
Additional Settings
  • Host
    • Execution history (audit policy, Sysmon)
    • The fact that "reading from process memory" occurred (audit policy)
    • The fact that an lsass dump file was created (audit policy, MFT, and USN journal)
    • Details of the script/command executed (when Windows Management Framework 5.0 is installed on Windows 7. They are recorded in "Microsoft-Windows-PowerShell/Operational" and C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt)

- Evidence That Can Be Confirmed When Execution is Successful

- Main Information Recorded at Execution

- Host

Event log

# Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • CommandLine: Command line of the execution command (normally, only the path to powershell.exe. However, when the script was specified with an argument, that argument may be left in the command line)
  • User: Execute as user
2 Security 4663 File System An attempt was made to access an object.
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (reading from process memory)
  • Object > Object Type: Target category (Process)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Name: Name of the target process (\Device\HarddiskVolume2\Windows\System32\lsass.exe)
3 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file ([Path to PowerSploit]\lsass_[lsass PID].dmp)
  • CreationUtcTime: File creation date and time (UTC)
4 Security 4689 Process Termination A process has exited.
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Exit Status: Process return value
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)

USN journal

# File Name Process
1 lsass_[lsass PID].dmp FILE_CREATE
2 lsass_[lsass PID].dmp DATA_EXTEND+FILE_CREATE
3 lsass_[lsass PID].dmp DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE
4 lsass_[lsass PID].dmp CLOSE+DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE

UserAssist

# Registry Data
1 \REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{[GUID]}\Count\{[GUID]}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr Date and time of the initial execution, Total number of executions (UserAssist value names are ROT13-encoded; this one decodes to WindowsPowerShell\v1.0\powershell.exe)

MFT

# Path Header Flag Validity
1 [Path to PowerSploit]\lsass_[lsass PID].dmp FILE ALLOCATED

Prefetch

# Prefetch File Process Name Process Path Information That Can Be Confirmed
1 POWERSHELL.EXE-[RANDOM].pf POWERSHELL.EXE \VOLUME{[GUID]}\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last Run Time (last execution date and time)

- Details: Host

- Event Log

# Event log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CommandLine: Command line of the execution command (normally, only the path to powershell.exe. However, when the script was specified with an argument, that argument may be left in the command line)
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
Security 4688 Process Create A new process has been created.
  • Process Information > Mandatory Label: Integrity level of the new process (Mandatory Label\High Mandatory Level)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to the parent process that created the new process (C:\Windows\explorer.exe)
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Process Information > Token Elevation Type: Elevation type of the process token (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
Microsoft-Windows-PowerShell/Operational 40961 PowerShell Console Startup The PowerShell console is starting up.
Microsoft-Windows-PowerShell/Operational 53504 PowerShell Named Pipe IPC Windows PowerShell has started an IPC listening thread on process [Process ID] in AppDomain [AppDomain].
Microsoft-Windows-PowerShell/Operational 40962 PowerShell Console Startup PowerShell console is ready for user input
2 Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Type of registry operation (SetValue)
  • Image: Path to the executable file (C:\Windows\Explorer.EXE)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (Binary Data)
  • TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{[GUID]}\Count\{[GUID]}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr; ROT13 of WindowsPowerShell\v1.0\powershell.exe)
3 Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process GUID, process ID and thread ID of the accessing process
  • TargetImage: Path to the access destination process (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • GrantedAccess: Details of the granted access
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • SourceImage: Path to the access source process (C:\Windows\Explorer.EXE)
4 Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process GUID, process ID and thread ID of the accessing process
  • TargetImage: Path to the access destination process (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • GrantedAccess: Details of the granted access
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • SourceImage: Path to the access source process (C:\Windows\system32\lsass.exe)
5 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].ps1)
  • CreationUtcTime: File creation date and time (UTC)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].ps1)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Type of the object (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteAttributes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].ps1)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (Handle ID obtained with immediately prior Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
6 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].psm1)
  • CreationUtcTime: File creation date and time (UTC)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and WriteAttributes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].psm1)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Type of the object (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].psm1)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (Handle ID obtained with immediately prior Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
7 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (including DELETE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].ps1)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Type of the object (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].ps1)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (Handle ID obtained with immediately prior Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
8 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (including DELETE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].psm1)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Type of the object (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].psm1)
  • Access Request Information > Access: Requested privilege
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (Handle ID obtained with immediately prior Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
9 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\POWERSHELL.EXE-[RANDOM].pf)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Type of the object (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\POWERSHELL.EXE-[RANDOM].pf)
  • Access Request Information > Access: Requested privilege
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (Handle ID obtained with immediately prior Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
10 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_History.txt)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Type of the object (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_History.txt)
  • Access Request Information > Access: Requested privilege
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (Handle ID obtained with immediately prior Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
11 Microsoft-Windows-PowerShell/Operational 4104 Execute a Remote Command. Creating Scriptblock text.
12 Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process GUID, process ID and thread ID of the accessing process
  • TargetImage: Path to the access destination process (C:\Windows\system32\lsass.exe)
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • SourceImage: Path to the access source process (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • GrantedAccess: Details of the granted access (0x1F3FFF, 0x1FFFFF; both masks include PROCESS_VM_READ (0x0010), the right required to read another process's memory)
Security 4690 Handle Manipulation An attempt was made to duplicate a handle to an object.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • New Handle Information > Destination Handle ID: New handle ID at the copy destination
  • Subject > Logon ID: Session ID of the user who executed the process
  • Source Handle Information > Source Process ID: Process ID at the copy source (Process ID of PowerShell)
  • New Handle Information > Destination Process ID: Process ID at the copy destination that receives the new handle ID (0x4, the System process)
  • Source Handle Information > Source Handle ID: Handle ID at the copy source
Remarks: A handle is copied from PowerShell to System (PID 0x4).
Security 4658 Kernel Object The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (Handle ID copied to System in the immediately prior Event ID: 4690)
Security 4656 Kernel Object A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including reading from the process memory)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Name of the target process (\Device\HarddiskVolume2\Windows\System32\lsass.exe)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Type of the object (Process)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4690 Handle Manipulation An attempt was made to duplicate a handle to an object.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • New Handle Information > Destination Handle ID: New handle ID at the copy destination
  • Subject > Logon ID: Session ID of the user who executed the process
  • Source Handle Information > Source Process ID: Process ID at the copy source (Process ID of PowerShell)
  • New Handle Information > Destination Process ID: Process ID at the copy destination that receives the new handle ID (0x4, the System process)
  • Source Handle Information > Source Handle ID: Handle ID at the copy source
Security 4658 Kernel Object The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (Handle ID copied to System in the immediately prior Event ID: 4690)
13 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file ([Path to PowerSploit]\lsass_[lsass PID].dmp)
  • CreationUtcTime: File creation date and time (UTC)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name ([Path to PowerSploit]\lsass_[lsass PID].dmp)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Type of the object (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4656 Kernel Object A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including reading from the process memory)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Name of the target process (\Device\HarddiskVolume2\Windows\System32\lsass.exe)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Type of the object (Process)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (reading from process memory)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Name of the target process (\Device\HarddiskVolume2\Windows\System32\lsass.exe)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Target category (Process)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (Handle ID obtained with immediately prior Event ID 4656)
Security 4658 Kernel Object The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (Handle ID obtained with immediately prior Event ID 4656)
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name ([Path to PowerSploit]\lsass_[lsass PID].dmp)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the applicable handle (Handle ID acquired in the Event ID: 4656 for lsass_[lsass PID].dmp)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
14 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
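Detection logic for the chain in rows 12 and 13 of the table above (a Sysmon Event ID 10 against lsass.exe whose GrantedAccess includes PROCESS_VM_READ, followed by a Sysmon Event ID 11 for a .dmp file from the same process GUID). This is an added example, not part of the JPCERT sheet or of PowerSploit; the event records, GUIDs, PIDs, the C:\Tools\PowerSploit path and the allow-list entry are all constructed.

```python
"""Correlate Sysmon ProcessAccess (ID 10) on lsass.exe with FileCreate (ID 11).

Added example, not part of the JPCERT sheet or of PowerSploit. The event
records below are constructed samples, not captured logs.
"""
from dataclasses import dataclass, field

# Access-right bit of the GrantedAccess mask that permits reading process memory.
PROCESS_VM_READ = 0x0010

# Processes that legitimately read lsass.exe memory in a given environment.
# Constructed allow-list: populate it from your own baseline, not from this file.
ALLOWED_LSASS_READERS = {
    r"c:\program files\exampleav\scanner.exe",   # hypothetical entry
}


@dataclass
class LsassAccessAlert:
    source_image: str
    source_pid: str
    granted_access: int
    dump_files: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # A memory read alone is "medium"; a dump file written afterwards by
        # the same process is the pattern the sheet records for Out-Minidump.
        return "high" if self.dump_files else "medium"


def _is_lsass(image_path: str) -> bool:
    return image_path.lower().endswith(r"\lsass.exe")


def detect_lsass_dump(events):
    """Return one LsassAccessAlert per process GUID that read lsass memory.

    `events` is an iterable of dicts with an integer 'EventID' and the Sysmon
    EventData fields named in the sheet: for ID 10 'SourceImage',
    'SourceProcessGUID', 'SourceProcessId', 'TargetImage', 'GrantedAccess';
    for ID 11 'ProcessGuid', 'Image', 'TargetFilename'.
    """
    alerts = {}        # SourceProcessGUID -> LsassAccessAlert
    dump_creates = []  # Event ID 11 records for .dmp files, matched afterwards

    for ev in events:
        if ev["EventID"] == 10 and _is_lsass(ev["TargetImage"]):
            access = int(ev["GrantedAccess"], 16)   # Sysmon logs "0x1F3FFF" etc.
            source = ev["SourceImage"]
            if not access & PROCESS_VM_READ:
                continue  # handle cannot read memory, e.g. query-only access
            if source.lower() in ALLOWED_LSASS_READERS:
                continue
            alerts.setdefault(
                ev["SourceProcessGUID"],
                LsassAccessAlert(source, ev["SourceProcessId"], access),
            )
        elif ev["EventID"] == 11 and ev["TargetFilename"].lower().endswith(".dmp"):
            dump_creates.append(ev)

    # Second pass, so the correlation works whichever event was written first.
    for ev in dump_creates:
        alert = alerts.get(ev["ProcessGuid"])
        if alert is not None:
            alert.dump_files.append(ev["TargetFilename"])
    return list(alerts.values())


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed; GUIDs, PIDs and the tool path are made up
    {"EventID": 10, "SourceImage": PS, "SourceProcessGUID": "{GUID-PS}",
     "SourceProcessId": "4212", "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1F3FFF"},
    {"EventID": 11, "Image": PS, "ProcessGuid": "{GUID-PS}",
     "TargetFilename": r"C:\Tools\PowerSploit\lsass_648.dmp"},
    # Query-only handle to lsass: no PROCESS_VM_READ bit, so not reported.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "SourceProcessGUID": "{GUID-WMI}", "SourceProcessId": "2960",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    # Memory read without a dump file: reported at medium severity.
    {"EventID": 10, "SourceImage": r"C:\Temp\unknown.exe",
     "SourceProcessGUID": "{GUID-UNK}", "SourceProcessId": "5100",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
]


if __name__ == "__main__":
    for alert in detect_lsass_dump(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.source_image} (PID {alert.source_pid}) "
              f"GrantedAccess=0x{alert.granted_access:X} dumps={alert.dump_files}")
```

The same two-pass correlation applies to exported Security log events (4656/4663 on lsass.exe plus 4656/4663 on the .dmp file) once the field names are mapped.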

- USN Journal

# File Name Process Attribute
1 [RANDOM].ps1 FILE_CREATE archive
[RANDOM].ps1 DATA_EXTEND+FILE_CREATE archive
[RANDOM].ps1 CLOSE+DATA_EXTEND+FILE_CREATE archive
[RANDOM].psm1 FILE_CREATE archive
[RANDOM].psm1 DATA_EXTEND+FILE_CREATE archive
[RANDOM].psm1 CLOSE+DATA_EXTEND+FILE_CREATE archive
[RANDOM].ps1 CLOSE+FILE_DELETE archive
[RANDOM].psm1 CLOSE+FILE_DELETE archive
2 ConsoleHost_history.txt DATA_EXTEND archive
ConsoleHost_history.txt CLOSE+DATA_EXTEND archive
3 lsass_[lsass PID].dmp FILE_CREATE archive
lsass_[lsass PID].dmp DATA_EXTEND+FILE_CREATE archive
lsass_[lsass PID].dmp DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE archive
lsass_[lsass PID].dmp CLOSE+DATA_EXTEND+DATA_OVERWRITE+FILE_CREATE archive

- UserAssist

# Registry entry Information That Can Be Confirmed
1 \REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{[GUID]}\Count\{[GUID]}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr Date and time of the initial execution, Total number of executions (UserAssist value names are ROT13-encoded; this one decodes to WindowsPowerShell\v1.0\powershell.exe)

- MFT

# Path Header Flag Validity
1 [Path to PowerSploit]\lsass_[lsass PID].dmp FILE ALLOCATED

- Prefetch

# Prefetch File Process Name Process Path Information That Can Be Confirmed
1 POWERSHELL.EXE-[RANDOM].pf POWERSHELL.EXE \VOLUME{[GUID]}\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last Run Time (last execution date and time)