Step 1 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 1 | Task Category: Process Create (rule: ProcessCreate)
Process Create.
- LogonGuid/LogonId: ID of the logon session
- ParentProcessGuid/ParentProcessId: Process GUID/ID of the parent process
- ParentImage: Executable file of the parent process
- CurrentDirectory: Working directory (C:\Windows\system32\)
- CommandLine: Command line that was executed (sdbinst /q [Tool SDB File].sdb)
- IntegrityLevel: Integrity level of the process (High for a successful install: the registry keys and the C:\Windows\AppPatch\Custom directory written in the following steps require administrative rights)
- ParentCommandLine: Command line of the parent process
- UtcTime: Process execution date and time (UTC)
- ProcessGuid/ProcessId: Process GUID/ID (the key for correlating the Sysmon events that follow)
- User: Account under which the process ran
- Hashes: Hash values of the executable file
- Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)

Step 1 | Log: Security | Event ID: 4688 | Task Category: Process Create
A new process has been created.
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Log Date and Time: Process execution date and time (local time)
- Process Information > New Process Name: Path to the executable file (C:\Windows\System32\sdbinst.exe)
- Process Information > Token Elevation Type: UAC elevation type of the new token (1 = TokenElevationTypeDefault, shown as %%1936 in the raw event: a full token that UAC did not split, as for the built-in Administrator or when UAC is disabled)
- Process Information > New Process ID: Process ID (hexadecimal)
- Process Information > Source Process ID: Process ID of the parent process that created the new process ("Creator Process ID" in Windows 7)
- Subject > Logon ID: Session ID of the user who executed the process
Remarks: The command line (the SDB file name) appears in 4688 only when the "Include command line in process creation events" policy is enabled; otherwise the Sysmon Event ID 1 above is the only record of it.

Step 2 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 12 | Task Category: Registry object added or deleted (rule: RegistryEvent)
Registry object added or deleted.
- EventType: Type of registry operation (CreateKey)
- Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
- ProcessGuid/ProcessId: Process GUID/ID (same values as the preceding Sysmon Event ID 1 for sdbinst.exe)
- TargetObject: Created/deleted registry key (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags)

Step 2 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 12 | Task Category: Registry object added or deleted (rule: RegistryEvent)
Registry object added or deleted.
- EventType: Type of registry operation (CreateKey)
- Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
- ProcessGuid/ProcessId: Process GUID/ID (same values as the preceding Sysmon Event ID 1 for sdbinst.exe)
- TargetObject: Created/deleted registry key (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom)

Step 2 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 12 | Task Category: Registry object added or deleted (rule: RegistryEvent)
Registry object added or deleted.
- EventType: Type of registry operation (CreateKey)
- Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
- ProcessGuid/ProcessId: Process GUID/ID (same values as the preceding Sysmon Event ID 1 for sdbinst.exe)
- TargetObject: Created/deleted registry key (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\[Name of Application Executable File Used for Bypass]; the key name is the file name of the application the shim will be applied to)

Step 2 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 13 | Task Category: Registry value set (rule: RegistryEvent)
Registry value set.
- EventType: Type of registry operation (SetValue)
- Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
- ProcessGuid/ProcessId: Process GUID/ID (same values as the preceding Sysmon Event ID 1 for sdbinst.exe)
- Details: Value written to the registry (QWORD value)
- TargetObject: Registry value written (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\[Name of Application Executable File Used for Bypass]\{[GUID]}.sdb; the value name is the file name of the installed database)

Step 3 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 11 | Task Category: File created (rule: FileCreate)
File created.
- Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
- ProcessGuid/ProcessId: Process GUID/ID (same values as the preceding Sysmon Event ID 1 for sdbinst.exe)
- TargetFilename: Created file (C:\Windows\AppPatch\Custom\{[GUID]}.sdb; sdbinst copies the SDB file given on the command line here under a new GUID-based name)
- CreationUtcTime: File creation date and time (UTC)

Step 3 | Log: Security | Event ID: 4656 | Task Category: File System/Other Object Access Events
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal) (PID of the preceding Event ID 4688 for sdbinst.exe)
- Access Request Information > Access/Reason for Access/Access Mask: Requested access rights (including WriteData or AddFile, AppendData, and WriteAttributes)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Windows\AppPatch\Custom\{[GUID]}.sdb)
- Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\sdbinst.exe)
- Object > Object Type: Type of the object (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the handle (carried into the following Event ID 4663 and 4658)
Remarks: Event IDs 4656, 4663 and 4658 are recorded only when the "Audit File System" subcategory is enabled and a SACL on C:\Windows\AppPatch\Custom (or on the file) audits write access; without such a SACL only the Sysmon Event ID 11 records the file creation.

Step 3 | Log: Security | Event ID: 4663 | Task Category: File System
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal) (PID of the preceding Event ID 4688 for sdbinst.exe)
- Access Request Information > Access/Reason for Access/Access Mask: Access rights exercised (WriteData or AddFile, AppendData, WriteAttributes)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Windows\AppPatch\Custom\{[GUID]}.sdb)
- Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\sdbinst.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the handle (Handle ID obtained with the immediately preceding Event ID 4656)

Step 3 | Log: Security | Event ID: 4658 | Task Category: File System
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal) (PID of the preceding Event ID 4688 for sdbinst.exe)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\sdbinst.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the handle (Handle ID obtained with the immediately preceding Event ID 4656)

Step 4 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 12 | Task Category: Registry object added or deleted (rule: RegistryEvent)
Registry object added or deleted.
- EventType: Type of registry operation (CreateKey)
- Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
- ProcessGuid/ProcessId: Process GUID/ID (same values as the preceding Sysmon Event ID 1 for sdbinst.exe)
- TargetObject: Created/deleted registry key (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{[GUID]}.sdb)
Remarks: This key registers the database as an installed program, so it also appears in Programs and Features under the DisplayName set in the next event.

Step 4 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 13 | Task Category: Registry value set (rule: RegistryEvent)
Registry value set.
- EventType: Type of registry operation (SetValue)
- Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
- ProcessGuid/ProcessId: Process GUID/ID (same values as the preceding Sysmon Event ID 1 for sdbinst.exe)
- Details: Value written to the registry (display name of the application used for a bypass)
- TargetObject: Registry value written (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{[GUID]}.sdb\DisplayName)

Step 4 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 13 | Task Category: Registry value set (rule: RegistryEvent)
Registry value set.
- EventType: Type of registry operation (SetValue)
- Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
- ProcessGuid/ProcessId: Process GUID/ID (same values as the preceding Sysmon Event ID 1 for sdbinst.exe)
- Details: Value written to the registry (%windir%\system32\sdbinst.exe -u "C:\Windows\AppPatch\Custom\{[GUID]}.sdb"; the -u switch uninstalls the database, so this line can be used during remediation)
- TargetObject: Registry value written (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{[GUID]}.sdb\UninstallString)

Step 4 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 12 | Task Category: Registry object added or deleted (rule: RegistryEvent)
Registry object added or deleted.
- EventType: Type of registry operation (CreateKey)
- Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
- ProcessGuid/ProcessId: Process GUID/ID (same values as the preceding Sysmon Event ID 1 for sdbinst.exe)
- TargetObject: Created/deleted registry key (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB)

Step 4 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 12 | Task Category: Registry object added or deleted (rule: RegistryEvent)
Registry object added or deleted.
- EventType: Type of registry operation (CreateKey)
- Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
- ProcessGuid/ProcessId: Process GUID/ID (same values as the preceding Sysmon Event ID 1 for sdbinst.exe)
- TargetObject: Created/deleted registry key (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{[GUID]}; one subkey per installed database, named by its GUID)

Step 4 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 13 | Task Category: Registry value set (rule: RegistryEvent)
Registry value set.
- EventType: Type of registry operation (SetValue)
- Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
- ProcessGuid/ProcessId: Process GUID/ID (same values as the preceding Sysmon Event ID 1 for sdbinst.exe)
- Details: Value written to the registry (C:\Windows\AppPatch\Custom\{[GUID]}.sdb, the file created in step 3)
- TargetObject: Registry value written (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{[GUID]}\DatabasePath)

Step 4 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 13 | Task Category: Registry value set (rule: RegistryEvent)
Registry value set.
- EventType: Type of registry operation (SetValue)
- Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
- ProcessGuid/ProcessId: Process GUID/ID (same values as the preceding Sysmon Event ID 1 for sdbinst.exe)
- Details: Value written to the registry (DWORD:0x00010000)
- TargetObject: Registry value written (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{[GUID]}\DatabaseType)

Step 4 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 13 | Task Category: Registry value set (rule: RegistryEvent)
Registry value set.
- EventType: Type of registry operation (SetValue)
- Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
- ProcessGuid/ProcessId: Process GUID/ID (same values as the preceding Sysmon Event ID 1 for sdbinst.exe)
- Details: Value written to the registry (display name of the application used for a bypass)
- TargetObject: Registry value written (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{[GUID]}\DatabaseDescription)

Step 4 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 13 | Task Category: Registry value set (rule: RegistryEvent)
Registry value set.
- EventType: Type of registry operation (SetValue)
- Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
- ProcessGuid/ProcessId: Process GUID/ID (same values as the preceding Sysmon Event ID 1 for sdbinst.exe)
- Details: Value written to the registry (QWORD:[Timestamp], the installation time)
- TargetObject: Registry value written (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{[GUID]}\DatabaseInstallTimeStamp)

Step 4 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 12 | Task Category: Registry object added or deleted (rule: RegistryEvent)
Registry object added or deleted.
- EventType: Type of registry operation (CreateKey)
- Image: Path to the executable file (System, i.e. the kernel rather than sdbinst.exe)
- ProcessGuid/ProcessId: Process GUID/ID (4, the System process)
- TargetObject: Created/deleted registry key (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\AppCompatCache)

Step 4 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 13 | Task Category: Registry value set (rule: RegistryEvent)
Registry value set.
- EventType: Type of registry operation (SetValue)
- Image: Path to the executable file (System, i.e. the kernel rather than sdbinst.exe)
- ProcessGuid/ProcessId: Process GUID/ID (4, the System process)
- Details: Value written to the registry (Binary Data: the application compatibility cache, also known as Shimcache)
- TargetObject: Registry value written (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\AppCompatCache\AppCompatCache)

Step 5 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 5 | Task Category: Process terminated (rule: ProcessTerminate)
Process terminated.
- UtcTime: Process termination date and time (UTC)
- ProcessGuid/ProcessId: Process GUID/ID (same values as the preceding Sysmon Event ID 1 for sdbinst.exe)
- Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)

Step 5 | Log: Security | Event ID: 4689 | Task Category: Process Termination
A process has exited.
- Process Information > Process ID: Process ID (hexadecimal) (PID of the preceding Event ID 4688 for sdbinst.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Exit Status: Process return value (0x0)
- Log Date and Time: Process termination date and time (local time)
- Process Information > Process Name: Path to the executable file (C:\Windows\System32\sdbinst.exe)
- Subject > Logon ID: Session ID of the user who executed the process

Step 6 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 11 | Task Category: File created (rule: FileCreate)
File created.
- Image: Path to the executable file (C:\Windows\System32\svchost.exe, hosting the Superfetch/SysMain service that writes Prefetch files)
- ProcessGuid/ProcessId: Process GUID/ID of that svchost.exe (not of sdbinst.exe)
- TargetFilename: Created file (C:\Windows\Prefetch\SDBINST.EXE-[RANDOM].pf; [RANDOM] is a hash derived from the executable's path, so it is constant for a given path)
- CreationUtcTime: File creation date and time (UTC)
Remarks: Prefetch files are written only where the Prefetch feature is enabled; it is disabled by default on Windows Server, so this record may be absent there.

Step 6 | Log: Security | Event ID: 4656 | Task Category: File System/Other Object Access Events
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal) of the svchost.exe that wrote the file
- Access Request Information > Access/Reason for Access/Access Mask: Requested access rights (including WriteData or AddFile, AppendData, and WriteAttributes)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the account that wrote the Prefetch file (the service account of svchost.exe, normally SYSTEM, rather than the user who executed the tool)
- Object > Object Name: Target file name (C:\Windows\Prefetch\SDBINST.EXE-[RANDOM].pf)
- Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\svchost.exe)
- Object > Object Type: Type of the object (File)
- Subject > Logon ID: Logon session ID of that account
- Object > Handle ID: ID of the handle (carried into the following Event ID 4663 and 4658)

Step 6 | Log: Security | Event ID: 4663 | Task Category: File System
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal) of the svchost.exe that wrote the file
- Access Request Information > Access/Reason for Access/Access Mask: Access rights exercised (WriteData or AddFile, AppendData, WriteAttributes)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the account that wrote the Prefetch file (the service account of svchost.exe, normally SYSTEM)
- Object > Object Name: Target file name (C:\Windows\Prefetch\SDBINST.EXE-[RANDOM].pf)
- Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\svchost.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Logon session ID of that account
- Object > Handle ID: ID of the handle (Handle ID obtained with the immediately preceding Event ID 4656)

Step 6 | Log: Security | Event ID: 4658 | Task Category: File System
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal) of the svchost.exe that wrote the file
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the account that wrote the Prefetch file (the service account of svchost.exe, normally SYSTEM)
- Subject > Logon ID: Logon session ID of that account
- Object > Handle ID: ID of the handle (Handle ID obtained with the immediately preceding Event ID 4656)

Step 7 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 1 | Task Category: Process Create (rule: ProcessCreate)
Process Create.
- LogonGuid/LogonId: ID of the logon session
- ParentProcessGuid/ParentProcessId: Process GUID/ID of the parent process
- ParentImage: Executable file of the parent process
- CurrentDirectory: Working directory (C:\Windows\system32\)
- CommandLine: Command line that was executed (path to the application used for a bypass)
- IntegrityLevel: Integrity level of the process (High)
- ParentCommandLine: Command line of the parent process
- UtcTime: Process execution date and time (UTC)
- ProcessGuid/ProcessId: Process GUID/ID
- User: Account under which the process ran
- Hashes: Hash values of the executable file
- Image: Path to the executable file (path to the application used for a bypass)
Remarks: The application to which the shim was applied (the executable whose privileges are escalated) is executed.

Step 7 | Log: Security | Event ID: 4688 | Task Category: Process Create
A new process has been created.
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Log Date and Time: Process execution date and time (local time)
- Process Information > New Process Name: Path to the executable file (path to the application used for a bypass)
- Process Information > Token Elevation Type: UAC elevation type of the new token (1 = TokenElevationTypeDefault: a full token that UAC did not split)
- Process Information > New Process ID: Process ID (hexadecimal)
- Process Information > Source Process ID: Process ID of the parent process that created the new process ("Creator Process ID" in Windows 7)
- Subject > Logon ID: Session ID of the user who executed the process
Remarks: The application to which the shim was applied (the executable whose privileges are escalated) is executed.

Step 7 | Log: Microsoft-Windows-Application-Experience/Program-Telemetry | Event ID: 500 | Task Category: Application-Experience
Compatibility fix applied to [Target Path].
- Target Path: Path to the executable file to which the compatibility fix was applied (path to the application used for a bypass)
- Program Fix Information: Shim applied, database GUID and flags (Redirect.EXE, {[GUID]}, 0x10205)
Remarks: The GUID recorded here is the one of the {[GUID]}.sdb installed in steps 2 to 4, which ties this execution back to the sdbinst run even when the process events are no longer available.

Step 8 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 1 | Task Category: Process Create (rule: ProcessCreate)
Process Create.
- LogonGuid/LogonId: ID of the logon session
- ParentProcessGuid/ParentProcessId: Process GUID/ID of the parent process (the shimmed application started in step 7)
- ParentImage: Executable file of the parent process (path to the application used for a bypass)
- CurrentDirectory: Working directory (C:\Windows\system32\)
- CommandLine: Command line that was executed (cmd /c C:\Users\[User Name]\AppData\LocalLow\[Batch to be Executed with Escalated Privileges].bat)
- IntegrityLevel: Integrity level of the process (High, inherited from the parent)
- ParentCommandLine: Command line of the parent process (path to the application used for a bypass)
- UtcTime: Process execution date and time (UTC)
- ProcessGuid/ProcessId: Process GUID/ID
- User: Account under which the process ran
- Hashes: Hash values of the executable file
- Image: Path to the executable file (C:\Windows\SysWOW64\cmd.exe; the 32-bit cmd.exe is used because the shimmed application is a 32-bit process, a 64-bit target would launch C:\Windows\System32\cmd.exe)
Remarks: The batch file to be executed with escalated privileges is run. Its parent process is the shimmed application executed with escalated privileges in step 7.

Step 8 | Log: Security | Event ID: 4688 | Task Category: Process Create
A new process has been created.
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Log Date and Time: Process execution date and time (local time)
- Process Information > New Process Name: Path to the executable file (C:\Windows\SysWOW64\cmd.exe)
- Process Information > Token Elevation Type: UAC elevation type of the new token (1 = TokenElevationTypeDefault: a full token that UAC did not split)
- Process Information > New Process ID: Process ID (hexadecimal)
- Process Information > Source Process ID: Process ID of the parent process that created the new process, i.e. the application used for a bypass ("Creator Process ID" in Windows 7)
- Subject > Logon ID: Session ID of the user who executed the process
Remarks: The batch file to be executed with escalated privileges is run; its creator process is the shimmed application.

Step 9 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 5 | Task Category: Process terminated (rule: ProcessTerminate)
Process terminated.
- UtcTime: Process termination date and time (UTC)
- ProcessGuid/ProcessId: Process GUID/ID (same values as the Sysmon Event ID 1 in step 7)
- Image: Path to the executable file (path to the application used for a bypass)
Remarks: The shimmed application executed with escalated privileges is terminated.

Step 9 | Log: Security | Event ID: 4689 | Task Category: Process Termination
A process has exited.
- Process Information > Process ID: Process ID (hexadecimal) (PID of the Event ID 4688 in step 7)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Exit Status: Process return value (0x0)
- Log Date and Time: Process termination date and time (local time)
- Process Information > Process Name: Path to the executable file (path to the application used for a bypass)
- Subject > Logon ID: Session ID of the user who executed the process

Step 10 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 11 | Task Category: File created (rule: FileCreate)
File created.
- Image: Path to the executable file (C:\Windows\System32\svchost.exe, hosting the Superfetch/SysMain service that writes Prefetch files)
- ProcessGuid/ProcessId: Process GUID/ID of that svchost.exe
- TargetFilename: Created file (C:\Windows\Prefetch\[Name of Application Executable File Used for Bypass]-[RANDOM].pf)
- CreationUtcTime: File creation date and time (UTC)
Remarks: The Prefetch file of the shimmed application executed with escalated privileges is created (only where Prefetch is enabled; see step 6).

Step 10 | Log: Security | Event ID: 4656 | Task Category: File System/Other Object Access Events
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal) of the svchost.exe that wrote the file
- Access Request Information > Access/Reason for Access/Access Mask: Requested access rights (including WriteData or AddFile, AppendData, and WriteAttributes)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the account that wrote the Prefetch file (the service account of svchost.exe, normally SYSTEM, rather than the user who executed the tool)
- Object > Object Name: Target file name (C:\Windows\Prefetch\[Name of Application Executable File Used for Bypass]-[RANDOM].pf)
- Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\svchost.exe)
- Object > Object Type: Type of the object (File)
- Subject > Logon ID: Logon session ID of that account
- Object > Handle ID: ID of the handle (carried into the following Event ID 4663 and 4658)

Step 10 | Log: Security | Event ID: 4663 | Task Category: File System
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal) of the svchost.exe that wrote the file
- Access Request Information > Access/Reason for Access/Access Mask: Access rights exercised (WriteData or AddFile, AppendData, WriteAttributes)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the account that wrote the Prefetch file (the service account of svchost.exe, normally SYSTEM)
- Object > Object Name: Target file name (C:\Windows\Prefetch\[Name of Application Executable File Used for Bypass]-[RANDOM].pf)
- Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\svchost.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Logon session ID of that account
- Object > Handle ID: ID of the handle (Handle ID obtained with the immediately preceding Event ID 4656)

Step 10 | Log: Security | Event ID: 4658 | Task Category: File System
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal) of the svchost.exe that wrote the file
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the account that wrote the Prefetch file (the service account of svchost.exe, normally SYSTEM)
- Subject > Logon ID: Logon session ID of that account
- Object > Handle ID: ID of the handle (Handle ID obtained with the immediately preceding Event ID 4656)
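The ten steps above describe one sdbinst run followed by one execution of the shimmed application. The Python script below is an added example, not part of the original table, that turns those steps into detection logic over exported events: it groups Sysmon registry and file events by the ProcessGuid of an sdbinst.exe process, pulls out the dropped .sdb, the shimmed application name and the InstalledSDB GUID (steps 2 to 4), and then ties the later Application-Experience Event ID 500 and the High-integrity child of the shimmed application (steps 7 and 8) back to that install. The events, host, user, GUID and target application are constructed samples using the table's field names; the Security 4688/4663 events are left out but can be joined the same way on the hexadecimal PID.

```python
"""Correlate the sdbinst shim-install chain with the later shimmed execution.

Added example. The events below are constructed to match the table's fields
and are not real logs; they are flat dicts of the kind a SIEM export or a
flattened Get-WinEvent EventData would yield."""
import re
from collections import defaultdict

SYSMON = "Microsoft-Windows-Sysmon/Operational"
TELEMETRY = "Microsoft-Windows-Application-Experience/Program-Telemetry"
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
APPCOMPAT = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"

# Hypothetical database GUID, host name, user and target application.
G = "{11111111-2222-3333-4444-555555555555}"
SDB = r"C:\Windows\AppPatch\Custom\%s.sdb" % G
TARGET = r"C:\Program Files\Target\target.exe"
SAMPLE_EVENTS = [
    {"Channel": SYSMON, "EventID": 1, "ProcessGuid": "P1", "Image": r"C:\Windows\System32\sdbinst.exe",
     "CommandLine": r"sdbinst /q C:\Users\alice\tool.sdb", "User": r"WS01\alice", "IntegrityLevel": "High"},
    {"Channel": SYSMON, "EventID": 12, "ProcessGuid": "P1", "EventType": "CreateKey",
     "TargetObject": APPCOMPAT + r"\Custom\target.exe"},
    {"Channel": SYSMON, "EventID": 13, "ProcessGuid": "P1", "EventType": "SetValue", "Details": "QWORD (0x01D9)",
     "TargetObject": APPCOMPAT + r"\Custom\target.exe\%s.sdb" % G},
    {"Channel": SYSMON, "EventID": 11, "ProcessGuid": "P1", "Image": r"C:\Windows\System32\sdbinst.exe",
     "TargetFilename": SDB},
    {"Channel": SYSMON, "EventID": 13, "ProcessGuid": "P1", "EventType": "SetValue", "Details": SDB,
     "TargetObject": APPCOMPAT + r"\InstalledSDB\%s\DatabasePath" % G},
    {"Channel": SYSMON, "EventID": 5, "ProcessGuid": "P1", "Image": r"C:\Windows\System32\sdbinst.exe"},
    {"Channel": TELEMETRY, "EventID": 500, "TargetPath": TARGET, "FixInfo": "Redirect.EXE, %s, 0x10205" % G},
    {"Channel": SYSMON, "EventID": 1, "ProcessGuid": "P2", "Image": TARGET, "CommandLine": TARGET,
     "User": r"WS01\alice", "IntegrityLevel": "High"},
    {"Channel": SYSMON, "EventID": 1, "ProcessGuid": "P3", "ParentProcessGuid": "P2", "ParentImage": TARGET,
     "Image": r"C:\Windows\SysWOW64\cmd.exe", "User": r"WS01\alice", "IntegrityLevel": "High",
     "CommandLine": r"cmd /c C:\Users\alice\AppData\LocalLow\run.bat"},
    # Unrelated noise that must not be flagged.
    {"Channel": SYSMON, "EventID": 1, "ProcessGuid": "P4", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "User": r"WS01\alice", "IntegrityLevel": "Medium"},
]


def _norm(path):
    # Older Sysmon builds log the hive as \REGISTRY\MACHINE, newer ones as HKLM; fold both.
    return path.replace("\\REGISTRY\\MACHINE", "HKLM").lower()


def find_shim_installs(events):
    """Return one record per sdbinst.exe process with the artefacts of steps 2 to 4."""
    by_guid = defaultdict(list)
    for ev in events:
        if ev["Channel"] == SYSMON and "ProcessGuid" in ev:
            by_guid[ev["ProcessGuid"]].append(ev)
    installs = []
    for guid, evs in by_guid.items():
        start = next((e for e in evs if e["EventID"] == 1
                      and e["Image"].lower().endswith("\\sdbinst.exe")), None)
        if start is None:
            continue
        rec = {"process_guid": guid, "user": start["User"], "command_line": start["CommandLine"],
               "sdb_files": [], "shimmed_apps": set(), "db_guids": set()}
        for e in evs:
            if e["EventID"] == 11 and "\\apppatch\\custom\\" in e["TargetFilename"].lower():
                rec["sdb_files"].append(e["TargetFilename"])      # step 3
            elif e["EventID"] in (12, 13):
                key = _norm(e["TargetObject"])
                app = re.search(r"\\appcompatflags\\custom\\([^\\]+)", key)       # step 2
                if app:
                    rec["shimmed_apps"].add(app.group(1))
                db = re.search(r"\\appcompatflags\\installedsdb\\(\{[0-9a-f-]{36}\})", key)  # step 4
                if db:
                    rec["db_guids"].add(db.group(1))
        installs.append(rec)
    return installs


def find_shimmed_executions(events, installs):
    """Steps 7 and 8: Event ID 500 naming an installed database, and a High-integrity
    child process whose parent is one of the shimmed applications."""
    db_guids = {g for r in installs for g in r["db_guids"]}
    apps = {a for r in installs for a in r["shimmed_apps"]}
    hits = []
    for e in events:
        if e["Channel"] == TELEMETRY and e["EventID"] == 500:
            m = GUID_RE.search(e["FixInfo"])
            if m and m.group(0).lower() in db_guids:
                hits.append({"kind": "fix_applied", "target": e["TargetPath"], "db_guid": m.group(0)})
        elif e["Channel"] == SYSMON and e["EventID"] == 1 and "ParentImage" in e:
            parent = e["ParentImage"].rsplit("\\", 1)[-1].lower()
            if parent in apps and e["IntegrityLevel"] == "High":
                hits.append({"kind": "child_of_shimmed_app", "parent": e["ParentImage"],
                             "image": e["Image"], "command_line": e["CommandLine"]})
    return hits


def detect(events):
    installs = find_shim_installs(events)
    return {"installs": installs, "executions": find_shimmed_executions(events, installs)}


if __name__ == "__main__":
    import json
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2, default=sorted))
```

Keying everything on the ProcessGuid of sdbinst.exe is what makes the install chain robust: a process that only creates the Uninstall key or only writes to AppPatch\Custom is not enough on its own, but one process doing both and registering an InstalledSDB GUID is the sequence the table shows. Matching the GUID from Event ID 500 against the GUIDs collected from InstalledSDB is the same pivot a human analyst uses when the Sysmon process events have already rolled over but the Application-Experience log has not.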