WinRM

- Table of Contents

Open all sections | Close all sections


- Tool Overview

Category
Command Execution
Description
Steals information from a remote host.
Example of Presumed Tool Use During an Attack
This tool is used for an investigation before executing a remote command.

- Tool Operation Overview

Item Source Host Destination Host
OS Windows
Belonging to Domain Not required
Rights Standard user Administrator
Communication Protocol 5985/tcp (HTTP) or 5986/tcp (HTTPS)

- Information Acquired from Log

Standard Settings
  • Source host
    • Execution history (Prefetch)
    • WinRM execution history (Microsoft-Windows-WinRM/Operational)
  • Destination Host
    • Execution history (Prefetch)
    • WinRM execution history (Microsoft-Windows-WinRM/Operational)
Additional Settings
  • Source host
    • Execution history (audit policy, Sysmon)
    • Communication via 5985/tcp (audit policy, Sysmon)
  • Destination Host
    • Execution history (audit policy, Sysmon)
    • Communication via 5985/tcp (audit policy, Sysmon)

- Evidence That Can Be Confirmed When Execution is Successful

- Main Information Recorded at Execution

- Source Host

Event log

# Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • ParentImage: Executable file of the parent process (C:\Windows\System32\cmd.exe)
  • CommandLine: Command line of the execution command (cscript //nologo "C:\Windows\System32\winrm.vbs" e winrm/config/listener -r:[Destination Host])
  • ParentCommandLine: Command line of the parent process ("C:\Windows\system32\cmd.exe")
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Image: Path to the executable file (C:\Windows\System32\cscript.exe)
2 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (source host)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (destination port: 5985)
3 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (READ_CONTROL, reference of key values, enumeration of sub keys, notice on key changes)
  • Object > Object Type: File type (Key)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\cscript.exe)
  • Object > Object Name: Target file name (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client)
4 Microsoft-Windows-WinRM/Operational 143 Response Processing Received a response from the network layer. Status: [Opcode]
  • Opcode: Return value (200 HTTP_STATUS_OK)
5 Microsoft-Windows-WinRM/Operational 80 Processing of Request Sending the request for operation [Operation]. Destination computer and port [Host]:[Port]
  • Operation: Requested process (Enumeration)
  • Port: Source port number (5985)
  • Host: Requested resource (destination)

Prefetch

- Destination Host

Event log

# Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (System)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (destination port: 5985)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (source host)
2 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Object > Object Type: File type (Unknown)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Server: Service that manages the object (WS-Management Listener)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Name: Target file name (Unknown)
3 Security 4624 Logon An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Logon Process: Process used for logon (Kerberos)
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on
  • Logon Type: Logon path, method, etc. (3=Network)
  • Network Information > Workstation Name: Name of the host that requested the logon
  • Process Information > Process Name: Path to the executable file
  • Network Information > Source Network Address: IP address that requested the logon
  • Subject > Logon ID: Session ID of the user who executed the authentication
4 Security 4634 Logoff An account was logged off.
  • Logon Type: Logon path, method, etc. (3=Network)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the authentication
5 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • ParentImage: Executable file of the parent process (C:\Windows\System32\svchost.exe)
  • CommandLine: Command line of the execution command (C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding)
  • ParentCommandLine: Command line of the parent process (C:\Windows\system32\svchost.exe -k DcomLaunch)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
  • Image: Path to the executable file (C:\Windows\System32\wbem\WmiPrvSE.exe)

Prefetch

Registry entry

# Path Value
1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\RAC\WmiLastTime (RANDOM)

- Details: Source Host

- Event Log

# Event Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (C:\Windows\System32\cmd.exe)
  • CurrentDirectory: Work directory (C:\Windows\system32\)
  • CommandLine: Command line of the execution command (cscript //nologo "C:\Windows\System32\winrm.vbs" e winrm/config/listener -r:[Destination Host])
  • IntegrityLevel: Privilege level (High)
  • ParentCommandLine: Command line of the parent process ("C:\Windows\system32\cmd.exe")
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\cscript.exe)
Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\cscript.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
2 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (READ_CONTROL, reference of key values, enumeration of sub keys, notice on key changes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\cscript.exe)
  • Object > Object Type: File type (Key)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\cscript.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
3 Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\system32\cscript.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\system32\cscript.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows Script Host\Settings)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\system32\cscript.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\system32\cscript.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters)
4 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (destination host IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (destination host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (88)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (88)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
5 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (destination host IP address)
  • Image: Path to the executable file
  • DestinationHostname: Destination host name (destination host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • DestinationPort: Destination port number (5985)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\cscript.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (5985)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\cscript.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
6 Microsoft-Windows-WinRM/Operational 166 User Authentication The chosen authentication mechanism is [authentication mechanism].
  • Authentication Method: Authentication method used (Kerberos)
Microsoft-Windows-WinRM/Operational 80 Processing of Request Sending the request for operation [Operation]. Destination computer and port [Host]:[Port]
  • Operation: Requested process (Enumeration)
  • Port: Source port number (5985)
  • Host: Requested resource (destination)
Microsoft-Windows-WinRM/Operational 166 User Authentication The chosen authentication mechanism is [authentication mechanism].
  • Authentication Method: Authentication method used (Kerberos)
Microsoft-Windows-WinRM/Operational 143 Response Processing Received a response from the network layer. Status: [Opcode]
  • Opcode: Return value (200 HTTP_STATUS_OK)
Microsoft-Windows-WinRM/Operational 143 Response Processing Received a response from the network layer. Status: [Opcode]
  • Opcode: Return value (200 HTTP_STATUS_OK)
Microsoft-Windows-WinRM/Operational 132 Response Processing WSMan operation [Operation] completed successfully.
  • Operation: Process performed (Enumeration)
  • Opcode: Return value (normal)
7 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\cscript.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\cscript.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
8 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\Prefetch\CSCRIPT.EXE-[RANDOM].pf)
  • CreationUtcTime: File creation date and time (UTC)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\CSCRIPT.EXE-[RANDOM].pf)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\CSCRIPT.EXE-[RANDOM].pf)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
9 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (C:\Windows\System32\cmd.exe)
  • CurrentDirectory: Work directory (C:\Windows\system32\)
  • CommandLine: Command line of the execution command (cscript //nologo "C:\Windows\System32\winrm.vbs" get winrm/config -r:[Target])
  • IntegrityLevel: Privilege level (High)
  • ParentCommandLine: Command line of the parent process ("C:\Windows\system32\cmd.exe")
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\cscript.exe)
Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\cscript.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
10 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (READ_CONTROL, reference of key values, enumeration of sub keys, notice on key changes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\cscript.exe)
  • Object > Object Type: File type (Key)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\cscript.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
11 Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\system32\cscript.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows Script Host\Settings)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\system32\cscript.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\system32\cscript.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters)
12 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (destination host IP address)
  • Image: Path to the executable file
  • DestinationHostname: Destination host name (destination host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • DestinationPort: Destination port number (5985)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\cscript.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (5985)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\cscript.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
13 Microsoft-Windows-WinRM/Operational 166 User Authentication The chosen authentication mechanism is [authentication mechanism].
  • Authentication Method: Authentication method used (Kerberos)
Microsoft-Windows-WinRM/Operational 80 Processing of Request Sending the request for operation [Operation]. Destination computer and port [Host]:[Port]
  • Operation: Requested process (Get)
  • Port: Source port number (5985)
  • Host: Requested resource (target)
Microsoft-Windows-WinRM/Operational 166 User Authentication The chosen authentication mechanism is [authentication mechanism].
  • Authentication Method: Authentication method used (Kerberos)
Microsoft-Windows-WinRM/Operational 143 Response Processing Received a response from the network layer. Status: [Opcode]
  • Opcode: Return value (200 HTTP_STATUS_OK)
Microsoft-Windows-WinRM/Operational 143 Response Processing Received a response from the network layer. Status: [Opcode]
  • Opcode: Return value (200 HTTP_STATUS_OK)
Microsoft-Windows-WinRM/Operational 132 Response Processing WSMan operation [Operation] completed successfully.
  • Operation: Process performed (Get)
  • Opcode: Return value (normal)
14 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\cscript.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\cscript.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
15 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\CSCRIPT.EXE-[RANDOM].pf)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\CSCRIPT.EXE-[RANDOM].pf)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
16 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (C:\Windows\System32\cmd.exe)
  • CurrentDirectory: Work directory (C:\Windows\system32\)
  • CommandLine: Command line of the execution command (cscript //nologo "C:\Windows\System32\winrm.vbs" get wmicimv2/Win32_Service?Name=WinRM -r:[Destination])
  • IntegrityLevel: Privilege level (High)
  • ParentCommandLine: Command line of the parent process (C:\Windows\system32\cmd.exe)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\cscript.exe)
Security 4688 Process Create A new process has been created.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\cscript.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
17 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (READ_CONTROL, reference of key values, enumeration of sub keys, notice on key changes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\cscript.exe)
  • Object > Object Type: File type (Key)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\cscript.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
18 Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\system32\cscript.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\system32\cscript.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows Script Host\Settings)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\system32\cscript.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\system32\cscript.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters)
19 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (destination host IP address)
  • Image: Path to the executable file
  • DestinationHostname: Destination host name (destination host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • DestinationPort: Destination port number (5985)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\cscript.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (5985)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\cscript.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
20 Microsoft-Windows-WinRM/Operational 166 User Authentication The chosen authentication mechanism is [authentication mechanism].
  • Authentication Method: Authentication method used (Kerberos)
Microsoft-Windows-WinRM/Operational 80 Processing of Request Sending the request for operation [Operation]. Destination computer and port [Host]:[Port]
  • Operation: Requested process (Get)
  • Port: Source port number (5985)
  • Host: Requested resource (destination)
Microsoft-Windows-WinRM/Operational 166 User Authentication The chosen authentication mechanism is [authentication mechanism].
  • Authentication Method: Authentication method used (Kerberos)
Microsoft-Windows-WinRM/Operational 143 Response Processing Received a response from the network layer. Status: [Opcode]
  • Opcode: Return value (200 HTTP_STATUS_OK)
Microsoft-Windows-WinRM/Operational 143 Response Processing Received a response from the network layer. Status: [Opcode]
  • Opcode: Return value (200 HTTP_STATUS_OK)
Microsoft-Windows-WinRM/Operational 132 Response Processing WSMan operation [Operation] completed successfully.
  • Operation: Process performed (Get)
  • Opcode: Return value (normal)
21 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\cscript.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\cscript.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
22 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\CSCRIPT.EXE-[RANDOM].pf)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\CSCRIPT.EXE-[RANDOM].pf)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed. (The handle to an object was closed.)
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)

- USN Journal

# File Name Process Attribute
1 CSCRIPT.EXE-[RANDOM].pf FILE_CREATE archive+not_indexed
CSCRIPT.EXE-[RANDOM].pf DATA_EXTEND+FILE_CREATE archive+not_indexed
CSCRIPT.EXE-[RANDOM].pf CLOSE+DATA_EXTEND+FILE_CREATE archive+not_indexed
2 CSCRIPT.EXE-[RANDOM].pf DATA_TRUNCATION archive+not_indexed
CSCRIPT.EXE-[RANDOM].pf DATA_EXTEND+DATA_TRUNCATION archive+not_indexed
CSCRIPT.EXE-[RANDOM].pf CLOSE+DATA_EXTEND+DATA_TRUNCATION archive+not_indexed
3 CSCRIPT.EXE-[RANDOM].pf DATA_TRUNCATION archive+not_indexed
CSCRIPT.EXE-[RANDOM].pf DATA_EXTEND+DATA_TRUNCATION archive+not_indexed
CSCRIPT.EXE-[RANDOM].pf CLOSE+DATA_EXTEND+DATA_TRUNCATION archive+not_indexed

- MFT

# Path Header Flag Validity
1 [Drive Name]:\Windows\Prefetch\CSCRIPT.EXE-[RANDOM].pf FILE ALLOCATED

- Prefetch

# Prefetch File Process Name Process Path Information That Can Be Confirmed
1 C:\Windows\Prefetch\CSCRIPT.EXE-[RANDOM].pf CSCRIPT.EXE C:\WINDOWS\SYSTEM32\CSCRIPT.EXE Last Run Time (last execution date and time)

- Details: Destination Host

- Event Log

# Event Log Event ID Task Category Event Details
1 Microsoft-Windows-WMI-Activity/Operational 5857 WMI-Activity [Provider] provider started with result code [Result Code]. Host Process = [Host Process]; Process ID = [Process ID]; Provider Path = [Provider Path]
  • Provider Path: File of the provider (%systemroot%\system32\wbem\cimwin32.dll)
  • Provider: WMI provider (CIMWin32)
  • Result Code: Result code at start (0x0)
  • Host Process: Name of the WMI execution process (wmiprvse.exe)
  • Process ID: ID of the WMI execution process
  • Level: (0)
2 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (5985)
  • SourceHostname: Source host name (destination host name)
  • SourceIp: Source IP address (destination host IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (5985)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
3 Security 4672 Special Logon Privileges assigned to a new logon.
  • Privileges: Assigned special privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
Security 4624 Logon An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Logon Process: Process used for logon (Kerberos)
  • Network Information > Source Port: Source port number
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on
  • Logon Type: Logon path, method, etc. (3=Network)
  • Network Information > Workstation Name: Name of the host that requested the logon
  • Detailed Authentication Information > Key Length: Length of the key used for the authentication (0)
  • Process Information > Process Name: Path to the executable file
  • Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos)
  • Network Information > Source Network Address: IP address that requested the logon
  • Subject > Logon ID: Session ID of the user who executed the authentication
4 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (Domain Controller IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (Domain Controller host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (135)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (destination host name)
  • SourceIp: Source IP address (destination host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (135)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (destination host)
  • Application Information > Process ID: Process ID
5 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (Domain Controller IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (Domain Controller host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (destination host name)
  • SourceIp: Source IP address (destination host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (destination host)
  • Application Information > Process ID: Process ID
6 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (Unknown)
  • Object > Object Server: Service that manages the object (WS-Management Listener)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: File type (Unknown)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
7 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (5985)
  • SourceHostname: Source host name (destination host name)
  • SourceIp: Source IP address (destination host IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (5985)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID (4)
8 Security 4672 Special Logon Privileges assigned to a new logon.
  • Privileges: Assigned special privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
Security 4624 Logon An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Logon Process: Process used for logon (Kerberos)
  • Network Information > Source Port: Source port number
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on
  • Logon Type: Logon path, method, etc. (3=Network)
  • Network Information > Workstation Name: Name of the host that requested the logon
  • Detailed Authentication Information > Key Length: Length of the key used for the authentication (0)
  • Process Information > Process Name: Path to the executable file
  • Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos)
  • Network Information > Source Network Address: IP address that requested the logon
  • Subject > Logon ID: Session ID of the user who executed the authentication
9 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (unknown unique access (bit 0), unknown unique access (bit 1), unknown unique access (bit 2)/-/0x7)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (Unknown)
  • Object > Object Server: Service that manages the object (WS-Management Listener)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: File type (Unknown)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
10 Security 4634 Logoff An account was logged off.
  • Logon Type: Logon path, method, etc. (3=Network)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the authentication
11 Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\system32\wbem\wmiprvse.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Wbem)
12 Microsoft-Windows-WMI-Activity/Operational 5857 WMI-Activity [Provider] provider started with result code [Result Code]. Host Process = [Host Process]; Process ID = [Process ID]; Provider Path = [Provider Path]
  • Provider Path: File of the provider (%systemroot%\system32\wbem\cimwin32.dll)
  • Provider: WMI provider (CIMWin32)
  • Result Code: Result code at start (0x0)
  • Host Process: Name of the WMI execution process (wmiprvse.exe)
  • Process ID: ID of the WMI execution process
  • Level: (0)
Microsoft-Windows-WMI-Activity/Operational 5857 WMI-Activity [Provider] provider started with result code [Result Code]. Host Process = [Host Process]; Process ID = [Process ID]; Provider Path = [Provider Path]
  • Provider Path: File of the provider (%SystemRoot%\system32\tscfgwmi.dll)
  • Provider: WMI provider (Win32_WIN32_TERMINALSERVICE_Prov)
  • Result Code: Result code at start (0x0)
  • Host Process: Name of the WMI execution process (wmiprvse.exe)
  • Process ID: ID of the WMI execution process
  • Level: (0)
13 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (5985)
  • SourceHostname: Source host name (destination host name)
  • SourceIp: Source IP address (destination host IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (5985)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
14 Security 4672 Special Logon Privileges assigned to a new logon.
  • Privileges: Assigned special privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
Security 4624 Logon An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Logon Process: Process used for logon (Kerberos)
  • Network Information > Source Port: Source port number
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on
  • Logon Type: Logon path, method, etc.
  • Network Information > Workstation Name: Name of the host that requested the logon
  • Detailed Authentication Information > Key Length: Length of the key used for the authentication (0)
  • Process Information > Process Name: Path to the executable file
  • Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos)
  • Network Information > Source Network Address: IP address that requested the logon
  • Subject > Logon ID: Session ID of the user who executed the authentication
15 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (Unknown)
  • Object > Object Server: Service that manages the object (WS-Management Listener)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: File type (Unknown)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
16 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (C:\Windows\System32\svchost.exe)
  • CurrentDirectory: Work directory (C:\Windows\system32\)
  • CommandLine: Command line of the execution command (C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding)
  • IntegrityLevel: Privilege level (System)
  • ParentCommandLine: Command line of the parent process (C:\Windows\system32\svchost.exe -k DcomLaunch)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\wbem\WmiPrvSE.exe)
Security 4688 Process Create A new process has been created.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\wbem\WmiPrvSE.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
17 Security 4634 Logoff An account was logged off.
  • Logon Type: Logon path, method, etc. (3=Network)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the authentication
18 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\WMIPRVSE.EXE-[RANDOM].pf)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\WMIPRVSE.EXE-[RANDOM].pf)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)

- USN Journal

# File Name Process Attribute
1 WMIPRVSE.EXE-[RANDOM].pf FILE_CREATE archive+not_indexed
WMIPRVSE.EXE-[RANDOM].pf DATA_EXTEND+FILE_CREATE archive+not_indexed
WMIPRVSE.EXE-[RANDOM].pf CLOSE+DATA_EXTEND+FILE_CREATE archive+not_indexed

- MFT

# Path Header Flag Validity
1 [Drive Name]:\Windows\Prefetch\WMIPRVSE.EXE-[RANDOM].pf FILE ALLOCATED

- Prefetch

# Prefetch File Process Name Process Path Information That Can Be Confirmed
1 C:\Windows\Prefetch\WMIPRVSE.EXE-[RANDOM].pf WMIPRVSE.EXE C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE Last Run Time (last execution date and time)

- Registry Entry

# Path Type Value
1 HKEY_USERS\[User SID]\Software\Classes\Local Settings\MuiCache\1\826182D0\@%Systemroot%\system32\wsmsvc.dll,-102 String The Windows Remote Management (WinRM) service has the WS-Management protocol for remote management implemented in it. WS-Management is a standard web service protocol used for the management of remote software and hardware. The WinRM service listens to and processes WS-Management requests on the network. In order for the WinRM service to be able to listen to the network, it is necessary to configure listeners for the WinRM service by using the winrm.cmd command line tool or via a group policy. Using this service allows access to WMI data and collect events. Before collecting events or executing a subscription to events, it must be ensured that the WinRM service is running. WinRM messages use HTTP and HTTPS as the transport. Although the WinRM service is not dependent on IIS, settings have been configured in advance so that the service shares one port with IIS on the same computer. For this service, "/wsman" is reserved as the URL prefix. In order to prevent a conflict with IIS, it is necessary to confirm that "/wsman" is not used in any websites on IIS as a URL prefix.
HKEY_USERS\[User SID]_Classes\Local Settings\MuiCache\1\826182D0\@%Systemroot%\system32\wsmsvc.dll,-102 String The Windows Remote Management (WinRM) service has the WS-Management protocol for remote management implemented in it. WS-Management is a standard web service protocol used for the management of remote software and hardware. The WinRM service listens to and processes WS-Management requests on the network. In order for the WinRM service to be able to listen to the network, it is necessary to configure listeners for the WinRM service by using the winrm.cmd command line tool or via a group policy. Using this service allows access to WMI data and collect events. Before collecting events or executing a subscription to events, it must be ensured that the WinRM service is running. WinRM messages use HTTP and HTTPS as the transport. Although the WinRM service is not dependent on IIS, settings have been configured in advance so that the service shares one port with IIS on the same computer. For this service, "/wsman" is reserved as the URL prefix. In order to prevent a conflict with IIS, it is necessary to confirm that "/wsman" is not used in any websites on IIS as a URL prefix.
2 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\RAC\WmiLastTime String (RANDOM)

- Remarks