SDB UAC Bypass

- Tool Overview

Category
Privilege Escalation
Description
Uses an Application Compatibility Database (SDB) to execute applications that are controlled by User Account Control (UAC) as a user with administrator privileges.
Example of Presumed Tool Use During an Attack
This tool runs an application that would not normally be executed while appearing to run an ordinary application. In doing so, it executes an application that normally requires administrator privileges without obtaining the permission of the relevant user.

- Tool Operation Overview

Item Description
OS Windows 7
Belonging to Domain Not required
Rights A user who can obtain administrator privileges through UAC without entering an administrator password (on client machines, a user who belongs to the Administrators group).

- Information Acquired from Log

Standard Settings
  • Host
    • Execution history (Prefetch)
Additional Settings
  • Host
    • Execution history (audit policy, Sysmon)
    • A record that "C:\Windows\System32\sdbinst.exe" was executed (audit policy, Sysmon)
    • Parent process names (audit policy, Sysmon)
    • A record of "The application used for a bypass" and "The application executed as a bypass" (audit policy, Sysmon)

- Evidence That Can Be Confirmed When Execution is Successful

- Main Information Recorded at Execution

- Host

Event log

# Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • CommandLine: Command line of the execution command (sdbinst /q [Tool SDB File].sdb)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
  • User: Execute as user
2 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • CommandLine: Command line of the execution command (path to the application used for a bypass)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the application used for a bypass)
  • User: Execute as user
3 Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (Hexadecimal) (PID of the Event ID: 4688 that occurred before)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData, WriteAttributes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\sdbinst.exe)
  • Object > Object Name: Target file name (C:\Windows\AppPatch\Custom\{[GUID]}.sdb)
4 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (path to the application used for a bypass)
  • CurrentDirectory: Work directory (C:\Windows\system32\)
  • CommandLine: Command line of the execution command (cmd /c C:\Users\[User Name]\AppData\LocalLow\[Batch to be Executed with Escalated Privileges].bat)
  • ParentCommandLine: Command line of the parent process (path to the application used for a bypass)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Image: Path to the executable file (C:\Windows\SysWOW64\cmd.exe)
5 Microsoft-Windows-Application-Experience/Program-Telemetry 500 Application-Experience Compatibility fix applied to [Target Path].
  • Target Path: Path to the executable file to which the compatibility fix was applied (path to the application used for a bypass)
  • Program Fix Information: Fixed program and fix details (Redirect.EXE, {[GUID]}, 0x10205)
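The sequence in the table above, turned into correlation logic over Sysmon and Program-Telemetry records. This is an added example, not code from the original sheet; the field names are the ones listed in the table, while the GUID, user name, PIDs and the name "shimmed-app.exe" (standing in for "the application used for a bypass") are constructed placeholders.

```python
"""Correlate Sysmon and Program-Telemetry records into the SDB UAC bypass chain."""
import re
from collections import defaultdict

SYSMON = "Microsoft-Windows-Sysmon/Operational"
TELEMETRY = "Microsoft-Windows-Application-Experience/Program-Telemetry"
CUSTOM_SDB_DIR = "c:\\windows\\apppatch\\custom\\"          # where sdbinst drops {GUID}.sdb
GUID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)
QUIET_INSTALL_RE = re.compile(r"(^|\s)[-/]q(\s|$)", re.I)   # "sdbinst /q <file>.sdb"

# Constructed sample records, not taken from the sheet. Field names follow the
# Sysmon / Program-Telemetry fields in the table above; the GUID, user name, PIDs
# and "shimmed-app.exe" (the application used for a bypass) are placeholders.
GUID = "{11111111-2222-3333-4444-555555555555}"
SDBINST = "C:\\Windows\\System32\\sdbinst.exe"
SHIMMED_APP = "C:\\Windows\\System32\\shimmed-app.exe"
SAMPLE_EVENTS = [
    {"Channel": SYSMON, "EventID": 1, "ProcessId": 1234, "ParentProcessId": 900,
     "Image": SDBINST, "IntegrityLevel": "High",
     "CommandLine": "sdbinst /q C:\\Users\\alice\\AppData\\Local\\Temp\\fix.sdb"},
    {"Channel": SYSMON, "EventID": 11, "ProcessId": 1234, "Image": SDBINST,
     "TargetFilename": "C:\\Windows\\AppPatch\\Custom\\" + GUID + ".sdb"},
    {"Channel": TELEMETRY, "EventID": 500, "TargetPath": SHIMMED_APP,
     "ProgramFixInformation": "Redirect.EXE, " + GUID + ", 0x10205"},
    {"Channel": SYSMON, "EventID": 1, "ProcessId": 2000, "ParentProcessId": 900,
     "Image": SHIMMED_APP, "IntegrityLevel": "High", "CommandLine": SHIMMED_APP},
    {"Channel": SYSMON, "EventID": 1, "ProcessId": 2100, "ParentProcessId": 2000,
     "Image": "C:\\Windows\\SysWOW64\\cmd.exe", "IntegrityLevel": "High",
     "CommandLine": "cmd /c C:\\Users\\alice\\AppData\\LocalLow\\run.bat"},
]


def _sysmon(events, event_id):
    return [e for e in events if e["Channel"] == SYSMON and e["EventID"] == event_id]


def find_sdb_uac_bypass(events):
    """Walk the chain stage by stage; one result per quiet sdbinst install found.

    stage 1: sdbinst.exe ran with a quiet (/q) install                      (Sysmon 1)
    stage 2: that process created C:\\Windows\\AppPatch\\Custom\\{GUID}.sdb  (Sysmon 11)
    stage 3: a Redirect.EXE fix from that GUID was applied                   (Telemetry 500)
    stage 4: the shimmed application started at High integrity               (Sysmon 1)
    stage 5: the shimmed application spawned a High-integrity child          (Sysmon 1)
    """
    children = defaultdict(list)
    for e in _sysmon(events, 1):
        children[e.get("ParentProcessId")].append(e)

    results = []
    for inst in _sysmon(events, 1):
        if not (inst["Image"].lower().endswith("\\sdbinst.exe")
                and QUIET_INSTALL_RE.search(inst.get("CommandLine", ""))):
            continue
        r = {"stage": 1, "install_pid": inst["ProcessId"], "guid": None,
             "shimmed_app": None, "child_commandline": None}
        results.append(r)

        created = [e for e in _sysmon(events, 11)
                   if e["ProcessId"] == inst["ProcessId"]
                   and e.get("TargetFilename", "").lower().startswith(CUSTOM_SDB_DIR)]
        m = GUID_RE.search(created[0]["TargetFilename"]) if created else None
        if not m:
            continue
        r["guid"], r["stage"] = m.group(0).lower(), 2

        fixes = [e for e in events if e["Channel"] == TELEMETRY and e["EventID"] == 500
                 and r["guid"] in e["ProgramFixInformation"].lower()
                 and "redirect.exe" in e["ProgramFixInformation"].lower()]
        if not fixes:
            continue
        r["shimmed_app"], r["stage"] = fixes[0]["TargetPath"], 3

        shimmed = [e for e in _sysmon(events, 1)
                   if e["Image"].lower() == r["shimmed_app"].lower()
                   and e.get("IntegrityLevel") == "High"]
        if not shimmed:
            continue
        r["stage"] = 4

        # Final artifact in the table: a High-integrity child (cmd /c ...LocalLow\...bat)
        # whose parent is the shimmed application.
        high_children = [c for p in shimmed for c in children[p["ProcessId"]]
                         if c.get("IntegrityLevel") == "High"]
        if high_children:
            r["child_commandline"], r["stage"] = high_children[0]["CommandLine"], 5
    return results


def alerts(events):
    """Only a completed chain (stage 5) is reported; stages 1-2 alone may be a legitimate shim install."""
    return [r for r in find_sdb_uac_bypass(events) if r["stage"] == 5]
```

Feeding the sample records through `find_sdb_uac_bypass` yields a single stage-5 result; dropping the trailing child-process record leaves the same install at stage 4, which `alerts` deliberately does not report.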

USN journal

# File Name Process
1 {[GUID]}.sdb CLOSE+FILE_DELETE
2 [Tool SDB File].sdb CLOSE+FILE_DELETE
3 [Batch for Tool SDB Installation].bat CLOSE+FILE_DELETE
4 [Name of Application Executable File Used for Bypass]-[RANDOM].pf CLOSE+DATA_EXTEND+FILE_CREATE
5 SDBINST.EXE-[RANDOM].pf CLOSE+DATA_EXTEND+DATA_TRUNCATION

MFT

# Path Header Flag Validity
1 [Drive Name]:\Windows\Prefetch\SDBINST.EXE-[RANDOM].pf FILE ALLOCATED
2 [Drive Name]:\Windows\Prefetch\[Name of Application Executable File Used for Bypass]-[RANDOM].pf FILE ALLOCATED

Prefetch

Registry entry

# Path Value
1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{[GUID]}.sdb\DisplayName [Display Name of Application Used for Bypass]
2 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{[GUID]}.sdb\UninstallString %windir%\system32\sdbinst.exe -u "C:\Windows\AppPatch\Custom\{[GUID]}.sdb"

- Details: Host

- Event Log

# Event Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CurrentDirectory: Work directory (C:\Windows\system32\)
  • CommandLine: Command line of the execution command (sdbinst /q [Tool SDB File].sdb)
  • IntegrityLevel: Privilege level
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
Security 4688 Process Create A new process has been created.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\sdbinst.exe)
  • Process Information > Token Elevation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
2 Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
  • ProcessGuid/ProcessId: Process ID (PID of the Sysmon Event ID: 1 that occurred before)
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
  • ProcessGuid/ProcessId: Process ID (PID of the Sysmon Event ID: 1 that occurred before)
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
  • ProcessGuid/ProcessId: Process ID (PID of the Sysmon Event ID: 1 that occurred before)
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\[Name of Application Executable File Used for Bypass])
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Process type (SetValue)
  • Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
  • ProcessGuid/ProcessId: Process ID (PID of the Sysmon Event ID: 1 that occurred before)
  • Details: Setting value written to the registry (QWORD value)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\[Name of Application Executable File Used for Bypass]\{[GUID]}.sdb)
3 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
  • ProcessGuid/ProcessId: Process ID (PID of the Sysmon Event ID: 1 that occurred before)
  • TargetFilename: Created file (C:\Windows\AppPatch\Custom\{[GUID]}.sdb)
  • CreationUtcTime: File creation date and time (UTC)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (Hexadecimal) (PID of the Event ID: 4688 that occurred before)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, AppendData, and WriteAttributes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\AppPatch\Custom\{[GUID]}.sdb)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\sdbinst.exe)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (Hexadecimal) (PID of the Event ID: 4688 that occurred before)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData, WriteAttributes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\AppPatch\Custom\{[GUID]}.sdb)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\sdbinst.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (Handle ID obtained with immediately prior Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (Hexadecimal) (PID of the Event ID: 4688 that occurred before)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\sdbinst.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (Handle ID obtained with immediately prior Event ID 4656)
4 Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
  • ProcessGuid/ProcessId: Process ID (PID of the Sysmon Event ID: 1 that occurred before)
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{[GUID]}.sdb)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Process type (SetValue)
  • Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
  • ProcessGuid/ProcessId: Process ID (PID of the Sysmon Event ID: 1 that occurred before)
  • Details: Setting value written to the registry (display name of the application used for a bypass)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{[GUID]}.sdb\DisplayName)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Process type (SetValue)
  • Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
  • ProcessGuid/ProcessId: Process ID (PID of the Sysmon Event ID: 1 that occurred before)
  • Details: Setting value written to the registry (%windir%\system32\sdbinst.exe -u "C:\Windows\AppPatch\Custom\{[GUID]}.sdb")
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{[GUID]}.sdb\UninstallString)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
  • ProcessGuid/ProcessId: Process ID (PID of the Sysmon Event ID: 1 that occurred before)
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
  • ProcessGuid/ProcessId: Process ID (PID of the Sysmon Event ID: 1 that occurred before)
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{[GUID]})
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Process type (SetValue)
  • Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
  • ProcessGuid/ProcessId: Process ID (PID of the Sysmon Event ID: 1 that occurred before)
  • Details: Setting value written to the registry (C:\Windows\AppPatch\Custom\{[GUID]}.sdb)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{[GUID]}\DatabasePath)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Process type (SetValue)
  • Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
  • ProcessGuid/ProcessId: Process ID (PID of the Sysmon Event ID: 1 that occurred before)
  • Details: Setting value written to the registry (DWORD:0x00010000)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{[GUID]}\DatabaseType)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Process type (SetValue)
  • Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
  • ProcessGuid/ProcessId: Process ID (PID of the Sysmon Event ID: 1 that occurred before)
  • Details: Setting value written to the registry (display name of the application used for a bypass)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{[GUID]}\DatabaseDescription)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Process type (SetValue)
  • Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
  • ProcessGuid/ProcessId: Process ID (PID of the Sysmon Event ID: 1 that occurred before)
  • Details: Setting value written to the registry (QWORD:[Timestamp])
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{[GUID]}\DatabaseInstallTimeStamp)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (System)
  • ProcessGuid/ProcessId: Process ID (4)
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\AppCompatCache)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Process type (SetValue)
  • Image: Path to the executable file (System)
  • ProcessGuid/ProcessId: Process ID (4)
  • Details: Setting value written to the registry (Binary Data)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\AppCompatCache\AppCompatCache)
5 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID (PID of the Sysmon Event ID: 1 that occurred before)
  • Image: Path to the executable file (C:\Windows\System32\sdbinst.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (Hexadecimal) (PID of the Event ID: 4688 that occurred before)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\sdbinst.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
6 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\Prefetch\SDBINST.EXE-[RANDOM].pf)
  • CreationUtcTime: File creation date and time (UTC)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, AppendData, and WriteAttributes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\SDBINST.EXE-[RANDOM].pf)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData, WriteAttributes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\SDBINST.EXE-[RANDOM].pf)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (Handle ID obtained with immediately prior Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (Handle ID obtained with immediately prior Event ID 4656)
7 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CurrentDirectory: Work directory (C:\Windows\system32\)
  • CommandLine: Command line of the execution command (path to the application used for a bypass)
  • IntegrityLevel: Privilege level (High)
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (path to the application used for a bypass)
Remarks: The executable file whose privileges will be escalated is executed.
Security 4688 Process Create A new process has been created.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (path to the application used for a bypass)
  • Process Information > Token Elevation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
Remarks: The executable file whose privileges will be escalated is executed.
Microsoft-Windows-Application-Experience/Program-Telemetry 500 Application-Experience Compatibility fix applied to [Target Path].
  • Target Path: Path to the executable file to which the compatibility fix was applied (path to the application used for a bypass)
  • Program Fix Information: Fixed program and fix details (Redirect.EXE, {[GUID]}, 0x10205)
8 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (path to the application used for a bypass)
  • CurrentDirectory: Work directory (C:\Windows\system32\)
  • CommandLine: Command line of the execution command (cmd /c C:\Users\[User Name]\AppData\LocalLow\[Batch to be Executed with Escalated Privileges].bat)
  • IntegrityLevel: Privilege level (High)
  • ParentCommandLine: Command line of the parent process (path to the application used for a bypass)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\SysWOW64\cmd.exe)
Remarks: A batch to be executed with escalated privileges is executed. The parent process is the process executed with escalated privileges.
Security 4688 Process Create A new process has been created.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\SysWOW64\cmd.exe)
  • Process Information > Token Elevation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7 (Process ID of the application used for a bypass)
  • Subject > Logon ID: Session ID of the user who executed the process
Remarks: The executable file whose privileges will be escalated is executed.
9 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the application used for a bypass)
Remarks: The process executed with escalated privileges is terminated.
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (Hexadecimal) (PID of the Event ID: 4688 that occurred before)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (path to the application used for a bypass)
  • Subject > Logon ID: Session ID of the user who executed the process
10 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\Prefetch\[Name of Application Executable File Used for Bypass]-[RANDOM].pf)
  • CreationUtcTime: File creation date and time (UTC)
Remarks: The Prefetch of the process executed with escalated privileges is created.
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, AppendData, and WriteAttributes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Name of Application Executable File Used for Bypass]-[RANDOM].pf)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData, WriteAttributes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Name of Application Executable File Used for Bypass]-[RANDOM].pf)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (Handle ID obtained with immediately prior Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (Handle ID obtained with immediately prior Event ID 4656)

- USN Journal

# File Name Process Attribute
1 {[GUID]}.sdb FILE_CREATE archive
{[GUID]}.sdb CLOSE+FILE_CREATE archive
{[GUID]}.sdb DATA_EXTEND archive
{[GUID]}.sdb DATA_EXTEND+DATA_OVERWRITE archive
{[GUID]}.sdb BASIC_INFO_CHANGE+DATA_EXTEND+DATA_OVERWRITE archive
{[GUID]}.sdb BASIC_INFO_CHANGE+CLOSE+DATA_EXTEND+DATA_OVERWRITE archive
2 SDBINST.EXE-[RANDOM].pf FILE_CREATE archive+not_indexed
SDBINST.EXE-[RANDOM].pf DATA_EXTEND+FILE_CREATE archive+not_indexed
SDBINST.EXE-[RANDOM].pf CLOSE+DATA_EXTEND+FILE_CREATE archive+not_indexed
3 [Name of Application Executable File Used for Bypass]-[RANDOM].pf FILE_CREATE archive+not_indexed
[Name of Application Executable File Used for Bypass]-[RANDOM].pf DATA_EXTEND+FILE_CREATE archive+not_indexed
[Name of Application Executable File Used for Bypass]-[RANDOM].pf CLOSE+DATA_EXTEND+FILE_CREATE archive+not_indexed
4 SDBINST.EXE-[RANDOM].pf DATA_TRUNCATION archive+not_indexed
SDBINST.EXE-[RANDOM].pf DATA_EXTEND+DATA_TRUNCATION archive+not_indexed
SDBINST.EXE-[RANDOM].pf CLOSE+DATA_EXTEND+DATA_TRUNCATION archive+not_indexed

- MFT

# Path Header Flag Validity
1 [Drive Name]:\Windows\Prefetch\SDBINST.EXE-[RANDOM].pf FILE ALLOCATED
2 [Drive Name]:\Windows\Prefetch\[Name of Application Executable File Used for Bypass]-[RANDOM].pf FILE ALLOCATED

- Prefetch

# Prefetch File Process Name Process Path Information That Can Be Confirmed
1 C:\Windows\Prefetch\SDBINST.EXE-[RANDOM].pf SDBINST.EXE C:\Windows\System32 Last Run Time (last execution date and time)
C:\Windows\Prefetch\[Name of Application Executable File Used for Bypass]-[RANDOM].pf [Name of Application Executable File Used for Bypass] C:\Windows\System32 Last Run Time (last execution date and time)

- Registry Entry

# Path Type Value
1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{[GUID]}.sdb\DisplayName String [Display Name of Application Used for Bypass]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{[GUID]}.sdb\UninstallString String %windir%\system32\sdbinst.exe -u "C:\Windows\AppPatch\Custom\{[GUID]}.sdb"

- Remarks