#1 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 1 | Task Category: Process Create (rule: ProcessCreate)
Process Create.
- LogonGuid/LogonId: ID of the logon session
- ParentProcessGuid/ParentProcessId: Process ID of the parent process
- ParentImage: Executable file of the parent process
- CurrentDirectory: Work directory
- CommandLine: Command line of the execution command ([Path to Tool] [Option])
- IntegrityLevel: Privilege level
- ParentCommandLine: Command line of the parent process
- UtcTime: Process execution date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user
- Hashes: Hash value of the executable file
- Image: Path to the executable file (path to the tool)

Log: Security | Event ID: 4688 | Task Category: Process Create
A new process has been created.
- Process Information > Required Label: Necessity of privilege escalation
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Source Process Name: Path to parent process that created the new process
- Log Date and Time: Process execution date and time (local time)
- Process Information > New Process Name: Path to the executable file (path to the tool)
- Process Information > Token Escalation Type: Presence of privilege escalation (2)
- Process Information > New Process ID: Process ID (hexadecimal)
- Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
- Subject > Logon ID: Session ID of the user who executed the process

#2 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 12 | Task Category: Registry object added or deleted (rule: RegistryEvent)
Registry object added or deleted.
- EventType: Type of registry operation (CreateKey)
- Image: Path to the executable file (path to the tool)
- ProcessGuid/ProcessId: Process ID
- TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa)

Log: Security | Event ID: 4703 | Task Category: Token Right Adjusted Events
A token right was adjusted.
- Disabled Privileges: Privileges that were disabled
- Target Account > Security ID/Account Name/Account Domain: Target user SID/Account name/Domain
- Target Account > Logon ID: Session ID of the target user
- Enabled Privileges: Enabled privileges (SeRestorePrivilege)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Process Information > Process ID: ID of the executed process
- Process Information > Process Name: Name of the process executed (path to the tool)

#3 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 12 | Task Category: Registry object added or deleted (rule: RegistryEvent)
Registry object added or deleted.
- EventType: Type of registry operation (CreateKey)
- Image: Path to the executable file (path to the tool)
- ProcessGuid/ProcessId: Process ID
- TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SECURITY)

Log: Security | Event ID: 4703 | Task Category: Token Right Adjusted Events
A token right was adjusted.
- Disabled Privileges: Privileges that were disabled
- Target Account > Security ID/Account Name/Account Domain: Target user SID/Account name/Domain
- Target Account > Logon ID: Session ID of the target user
- Enabled Privileges: Enabled privileges (SeBackupPrivilege)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Process Information > Process ID: ID of the executed process
- Process Information > Process Name: Name of the process executed (path to the tool)

#4 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 11 | Task Category: File created (rule: FileCreate)
File created.
- Image: Path to the executable file (path to the tool)
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file ([Temporary Folder]\SAM-[RANDOM].dmp)
- CreationUtcTime: File creation date and time (UTC)

Log: Security | Event ID: 4656 | Task Category: File System/Other Object Access Events
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Temporary Folder]\SAM-[RANDOM].dmp)
- Process Information > Process Name: Name of the process that closed the handle (path to the tool)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle

Log: Security | Event ID: 4663 | Task Category: File System
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Temporary Folder]\SAM-[RANDOM].dmp)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (path to the tool)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4690)

Log: Security | Event ID: 4660 | Task Category: File System
An object was deleted.
- Process Information > Process ID: Process ID (hexadecimal)
- Audit Success: Success or failure (access successful)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name
- Access Request Information > Access: Requested privilege
- Process Information > Process Name: Name of the process that closed the handle (path to the tool)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)

Log: Security | Event ID: 4658 | Task Category: File System
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (path to the tool)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4690)

#5 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 11 | Task Category: File created (rule: FileCreate)
File created.
- Image: Path to the executable file (path to the tool)
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file ([Temporary Folder]\SAM-[RANDOM].dmp.LOG[NUM])
- CreationUtcTime: File creation date and time (UTC)

Log: Security | Event ID: 4656 | Task Category: File System/Other Object Access Events
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Temporary Folder]\SAM-[RANDOM].dmp.LOG[NUM])
- Process Information > Process Name: Name of the process that closed the handle (path to the tool)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle

Log: Security | Event ID: 4663 | Task Category: File System
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Temporary Folder]\SAM-[RANDOM].dmp.LOG[NUM])
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (path to the tool)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4690)

Log: Security | Event ID: 4660 | Task Category: File System
An object was deleted.
- Process Information > Process ID: Process ID (hexadecimal)
- Audit Success: Success or failure (access successful)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name
- Access Request Information > Access: Requested privilege
- Process Information > Process Name: Name of the process that closed the handle (path to the tool)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)

Log: Security | Event ID: 4658 | Task Category: File System
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (path to the tool)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4690)

#6 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 11 | Task Category: File created (rule: FileCreate)
File created.
- Image: Path to the executable file (path to the tool)
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file ([Temporary Folder]\SAM-[RANDOM].dmp{[GUID]}.TM.blf)
- CreationUtcTime: File creation date and time (UTC)

Log: Security | Event ID: 4656 | Task Category: File System/Other Object Access Events
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Temporary Folder]\SAM-[RANDOM].dmp{[GUID]}.TM.blf)
- Process Information > Process Name: Name of the process that closed the handle (path to the tool)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle

Log: Security | Event ID: 4663 | Task Category: File System
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Temporary Folder]\SAM-[RANDOM].dmp{[GUID]}.TM.blf)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (path to the tool)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4690)

Log: Security | Event ID: 4660 | Task Category: File System
An object was deleted.
- Process Information > Process ID: Process ID (hexadecimal)
- Audit Success: Success or failure (access successful)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name
- Access Request Information > Access: Requested privilege
- Process Information > Process Name: Name of the process that closed the handle (path to the tool)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)

Log: Security | Event ID: 4658 | Task Category: File System
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (path to the tool)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4690)

#7 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 11 | Task Category: File created (rule: FileCreate)
File created.
- Image: Path to the executable file (path to the tool)
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file ([Temporary Folder]\SAM-[RANDOM].dmp{[GUID]}.TMContainer[NUM].regtrans-ms)
- CreationUtcTime: File creation date and time (UTC)

Log: Security | Event ID: 4656 | Task Category: File System/Other Object Access Events
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Temporary Folder]\SAM-[RANDOM].dmp{[GUID]}.TMContainer[NUM].regtrans-ms)
- Process Information > Process Name: Name of the process that closed the handle (path to the tool)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle

Log: Security | Event ID: 4663 | Task Category: File System
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Temporary Folder]\SAM-[RANDOM].dmp{[GUID]}.TMContainer[NUM].regtrans-ms)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (path to the tool)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4690)

Log: Security | Event ID: 4660 | Task Category: File System
An object was deleted.
- Process Information > Process ID: Process ID (hexadecimal)
- Audit Success: Success or failure (access successful)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name
- Access Request Information > Access: Requested privilege
- Process Information > Process Name: Name of the process that closed the handle (path to the tool)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)

Log: Security | Event ID: 4658 | Task Category: File System
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (path to the tool)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4690)

#8 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 12 | Task Category: Registry object added or deleted (rule: RegistryEvent)
Registry object added or deleted.
- EventType: Type of registry operation (CreateKey)
- Image: Path to the executable file (path to the tool)
- ProcessGuid/ProcessId: Process ID
- TargetObject: Created/deleted registry key/value (under \REGISTRY\MACHINE\QUARKS-SAM)

#9 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 5 | Task Category: Process terminated (rule: ProcessTerminate)
Process terminated.
- UtcTime: Process terminated date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- Image: Path to the executable file (path to the tool)

Log: Security | Event ID: 4689 | Task Category: Process Termination
A process has exited.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Exit Status: Process return value (0x0)
- Log Date and Time: Process terminated date and time (local time)
- Process Information > Process Name: Path to the executable file (path to the tool)
- Subject > Logon ID: Session ID of the user who executed the process

#10 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 11 | Task Category: File created (rule: FileCreate)
File created.
- Image: Path to the executable file (C:\Windows\System32\svchost.exe)
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file (C:\Windows\Prefetch\[Executable File of Tool]-[RANDOM].pf)
- CreationUtcTime: File creation date and time (UTC)

Log: Security | Event ID: 4656 | Task Category: File System/Other Object Access Events
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File of Tool]-[RANDOM].pf)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle

Log: Security | Event ID: 4663 | Task Category: File System
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File of Tool]-[RANDOM].pf)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)

Log: Security | Event ID: 4658 | Task Category: File System
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
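As an added detection example (not part of the original sheet or of any tool's own code), the following correlates the artefacts listed above per process: the hive keys and the QUARKS-SAM key created via Sysmon Event ID 12, the SAM-[RANDOM].dmp file via Event ID 11, and SeBackupPrivilege/SeRestorePrivilege enabled via Security Event ID 4703. Event records are constructed dicts that carry the sheet's field names plus an assumed ProcessId key used to join Sysmon and Security records.

```python
"""Per-process correlation of the Sysmon/Security artefacts listed in the sheet.
Added example; events are constructed dicts, and the ProcessId join key is assumed."""
import re
from collections import defaultdict

# Indicators taken from the sheet: SAM-[RANDOM].dmp (plus its .LOG/.TM.blf/.regtrans-ms
# companions), the QUARKS-SAM key, the two hive keys touched, and the privileges from 4703.
DUMP_FILE_RE = re.compile(r"\\SAM-[A-Za-z0-9]+\.dmp", re.IGNORECASE)
QUARKS_KEY_PREFIX = "\\REGISTRY\\MACHINE\\QUARKS-SAM"
HIVE_KEYS = {"\\REGISTRY\\MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\LSA",
             "\\REGISTRY\\MACHINE\\SECURITY"}
BACKUP_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege"}

def correlate(events):
    """Group events by ProcessId and record which indicators each process showed."""
    by_pid = defaultdict(lambda: {"image": None, "indicators": set()})
    for ev in events:
        rec = by_pid[ev["ProcessId"]]
        log, eid = ev["Channel"], ev["EventID"]
        if log == "Sysmon" and eid == 1:                       # Process Create
            rec["image"] = ev["Image"]
        elif log == "Sysmon" and eid == 12 and ev.get("EventType") == "CreateKey":
            key = ev["TargetObject"].upper()                   # registry paths are case-insensitive
            if key.startswith(QUARKS_KEY_PREFIX):
                rec["indicators"].add("quarks_sam_key")
            elif key in HIVE_KEYS:
                rec["indicators"].add("hive_key_touched")
        elif log == "Sysmon" and eid == 11 and DUMP_FILE_RE.search(ev["TargetFilename"]):
            rec["indicators"].add("sam_dump_file")
        elif log == "Security" and eid == 4703:               # Token Right Adjusted
            privs = set(ev.get("EnabledPrivileges", "").replace(" ", "").split(","))
            if privs & BACKUP_PRIVS:
                rec["indicators"].add("backup_restore_priv")
    return dict(by_pid)

def alerts(events, min_indicators=2):
    """(ProcessId, Image, sorted indicators) for processes with >= min_indicators distinct hits;
    a single hit is left as a lead rather than an alert to keep false positives down."""
    return [(pid, rec["image"], sorted(rec["indicators"]))
            for pid, rec in correlate(events).items()
            if len(rec["indicators"]) >= min_indicators]

# Constructed sample events (not real log data): one process showing the whole pattern
# from the sheet, and one benign process that only writes an unrelated temp file.
TMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    {"Channel": "Sysmon", "EventID": 1, "ProcessId": 4120, "Image": TMP + "tool.exe"},
    {"Channel": "Sysmon", "EventID": 12, "ProcessId": 4120, "EventType": "CreateKey",
     "TargetObject": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa"},
    {"Channel": "Security", "EventID": 4703, "ProcessId": 4120, "EnabledPrivileges": "SeRestorePrivilege"},
    {"Channel": "Security", "EventID": 4703, "ProcessId": 4120, "EnabledPrivileges": "SeBackupPrivilege"},
    {"Channel": "Sysmon", "EventID": 11, "ProcessId": 4120, "TargetFilename": TMP + "SAM-a1b2c3.dmp"},
    {"Channel": "Sysmon", "EventID": 12, "ProcessId": 4120, "EventType": "CreateKey",
     "TargetObject": "\\REGISTRY\\MACHINE\\QUARKS-SAM\\SAM"},
    {"Channel": "Sysmon", "EventID": 1, "ProcessId": 5200, "Image": "C:\\Windows\\System32\\notepad.exe"},
    {"Channel": "Sysmon", "EventID": 11, "ProcessId": 5200, "TargetFilename": TMP + "notes.txt"},
]
```

Calling `alerts(SAMPLE_EVENTS)` flags only PID 4120 with all four indicators; the temp-file-only process produces no hit.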