1 |
Microsoft-Windows-Sysmon/Operational |
1 |
Process Create (rule: ProcessCreate) |
Process Create.
- LogonGuid/LogonId: ID of the logon session
- ParentProcessGuid/ParentProcessId: Process ID of the parent process
- ParentImage: Executable file of the parent process
- CommandLine: Command line of the execution command (normally, only the path to powershell.exe. However, when the script was specified with an argument, that argument may be left in the command line)
- ParentCommandLine: Command line of the parent process
- UtcTime: Process execution date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user
- Hashes: Hash value of the executable file
- Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
|
Security |
4688 |
Process Create |
A new process has been created.
- Process Information > Required Label: Necessity of privilege escalation (Mandatory Label\High Mandatory Level)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Source Process Name: Path to the parent process that created the new process (C:\Windows\explorer.exe)
- Log Date and Time: Process execution date and time (local time)
- Process Information > New Process Name: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Process Information > Token Escalation Type: Presence of privilege escalation (1)
- Process Information > New Process ID: Process ID (hexadecimal)
- Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
- Subject > Logon ID: Session ID of the user who executed the process
|
Microsoft-Windows-PowerShell/Operational |
40961 |
PowerShell Console Startup |
The PowerShell console is starting up. |
Microsoft-Windows-PowerShell/Operational |
53504 |
PowerShell Named Pipe IPC |
Windows PowerShell has started an IPC listening thread on process [Process ID] of the [Domain]. |
Microsoft-Windows-PowerShell/Operational |
40962 |
PowerShell Console Startup |
PowerShell console is ready for user input |
2 |
Microsoft-Windows-Sysmon/Operational |
13 |
Registry value set (rule: RegistryEvent) |
Registry value set.
- EventType: Process type (SetValue)
- Image: Path to the executable file (C:\Windows\Explorer.EXE)
- ProcessGuid/ProcessId: Process ID
- Details: Setting value written to the registry (Binary Data)
- TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{[GUID]}\Count\{[GUID]}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr)
|
3 |
Microsoft-Windows-Sysmon/Operational |
10 |
Process accessed (rule: ProcessAccess) |
Process accessed.
- SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID
- TargetImage: Path to the access destination process (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- GrantedAccess: Details of the granted access
- TargetProcessGUID/TargetProcessId: Process ID of the access destination process
- SourceImage: Path to the access source process (C:\Windows\Explorer.EXE)
|
4 |
Microsoft-Windows-Sysmon/Operational |
10 |
Process accessed (rule: ProcessAccess) |
Process accessed.
- SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID
- TargetImage: Path to the access destination process (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- GrantedAccess: Details of the granted access
- TargetProcessGUID/TargetProcessId: Process ID of the access destination process
- SourceImage: Path to the access source process (C:\Windows\system32\lsass.exe)
|
5 |
Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].ps1)
- CreationUtcTime: File creation date and time (UTC)
|
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].ps1)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteAttributes)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].ps1)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (Handle ID obtained with immediately prior Event ID 4656)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
6 |
Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].psm1)
- CreationUtcTime: File creation date and time (UTC)
|
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and WriteAttributes)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].psm1)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].psm1)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (Handle ID obtained with immediately prior Event ID 4656)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
7 |
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (including DELETE)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].ps1)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].ps1)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (Handle ID obtained with immediately prior Event ID 4656)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
8 |
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (including DELETE)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].psm1)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].psm1)
- Access Request Information > Access: Requested privilege
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (Handle ID obtained with immediately prior Event ID 4656)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
9 |
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Windows\Prefetch\POWERSHELL.EXE-[RANDOM].pf)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Windows\Prefetch\POWERSHELL.EXE-[RANDOM].pf)
- Access Request Information > Access: Requested privilege
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (Handle ID obtained with immediately prior Event ID 4656)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
10 |
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_History.txt)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_History.txt)
- Access Request Information > Access: Requested privilege
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (Handle ID obtained with immediately prior Event ID 4656)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
11 |
Microsoft-Windows-PowerShell/Operational |
4104 |
Execute a Remote Command. |
Creating Scriptblock text. |
12 |
Microsoft-Windows-Sysmon/Operational |
10 |
Process accessed (rule: ProcessAccess) |
Process accessed.
- SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID
- TargetImage: Path to the access destination process (C:\Windows\system32\lsass.exe)
- TargetProcessGUID/TargetProcessId: Process ID of the access destination process
- SourceImage: Path to the access source process (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- GrantedAccess: Details of the granted access (0x1F3FFF, 0x1FFFFF)
|
Security |
4690 |
Handle Manipulation |
An attempt was made to duplicate a handle to an object.
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- New Handle Information > Destination Handle ID: New handle ID at the copy destination
- Subject > Logon ID: Session ID of the user who executed the process
- Source Handle Information > Source Process ID: Process ID at the copy source (Process ID of PowerShell)
- New Handle Information > Destination Process ID: Process ID at the copy destination that has a new handle ID (Process ID of 0x4=System)
- Source Handle Information > Source Handle ID: Handle ID at the copy source
Remarks: A handle is copied from PowerShell to System (PID 0x4). |
Security |
4658 |
Kernel Object |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (Handle ID copied to System in the immediately prior Event ID: 4690)
|
Security |
4656 |
Kernel Object |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including reading from the process memory)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (\Device\HarddiskVolume2\Windows\System32\lsass.exe)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: File type (Process)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4690 |
Handle Manipulation |
An attempt was made to duplicate a handle to an object.
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- New Handle Information > Destination Handle ID: New handle ID at the copy destination
- Subject > Logon ID: Session ID of the user who executed the process
- Source Handle Information > Source Process ID: Process ID at the copy source (Process ID of PowerShell)
- New Handle Information > Destination Process ID: Process ID at the copy destination that has a new handle ID (Process ID of 0x4=System)
- Source Handle Information > Source Handle ID: Handle ID at the copy source
|
Security |
4658 |
Kernel Object |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (Handle ID copied to System in the immediately prior Event ID: 4690)
|
13 |
Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file ([Path to PowerSploit]\lsass_[lsass PID].dmp)
- CreationUtcTime: File creation date and time (UTC)
|
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Path to PowerSploit]\lsass_[lsass PID].dmp)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4656 |
Kernel Object |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including reading from the process memory)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (\Device\HarddiskVolume2\Windows\System32\lsass.exe)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: File type (Process)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (reading from process memory)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (\Device\HarddiskVolume2\Windows\System32\lsass.exe)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Target category (Process)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (Handle ID obtained with immediately prior Event ID 4656)
|
Security |
4658 |
Kernel Object |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (Handle ID obtained with immediately prior Event ID 4656)
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Path to PowerSploit]\lsass_[lsass PID].dmp)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the applicable handle (Handle ID acquired in the Event ID: 4656 for lsass_[lsass PID].dmp)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
14 |
Microsoft-Windows-Sysmon/Operational |
5 |
Process terminated (rule: ProcessTerminate) |
Process terminated.
- UtcTime: Process terminated date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- Image: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
|
Security |
4689 |
Process Termination |
A process has exited.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Exit Status: Process return value
- Log Date and Time: Process terminated date and time (local time)
- Process Information > Process Name: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
- Subject > Logon ID: Session ID of the user who executed the process
|