WinRM

Item	Source Host	Destination Host
OS	Windows
Belonging to Domain	Not required
Rights	Standard user	Administrator
Communication Protocol	5985/tcp (HTTP) or 5986/tcp (HTTPS)

#	Log	Event ID	Task Category	Event Details
1	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. ParentImage: Executable file of the parent process (C:\Windows\System32\cmd.exe) CommandLine: Command line of the execution command (cscript //nologo "C:\Windows\System32\winrm.vbs" e winrm/config/listener -r:[Destination Host]) ParentCommandLine: Command line of the parent process ("C:\Windows\system32\cmd.exe") UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID User: Execute as user Image: Path to the executable file (C:\Windows\System32\cscript.exe)
2	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) Image: Path to the executable file ProcessGuid/ProcessId: Process ID User: Execute as user SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (source host) DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (destination port: 5985)
3	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (READ_CONTROL, reference of key values, enumeration of sub keys, notice on key changes) Object > Object Type: File type (Key) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\cscript.exe) Object > Object Name: Target file name (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client)
4	Microsoft-Windows-WinRM/Operational	143	Response Processing	Received a response from the network layer. Status: [Opcode] Opcode: Return value (200 HTTP_STATUS_OK)
5	Microsoft-Windows-WinRM/Operational	80	Processing of Request	Sending the request for operation [Operation]. Destination computer and port [Host]:[Port] Operation: Requested process (Enumeration) Port: Source port number (5985) Host: Requested resource (destination)

#	Log	Event ID	Task Category	Event Details
1	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) Image: Path to the executable file (System) ProcessGuid/ProcessId: Process ID (4) User: Execute as user (NT AUTHORITY\SYSTEM) SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (destination port: 5985) DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (source host)
2	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Object > Object Type: File type (Unknown) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Server: Service that manages the object (WS-Management Listener) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Object > Object Name: Target file name (Unknown)
3	Security	4624	Logon	An account was successfully logged on. Process Information > Process ID: Process ID (hexadecimal) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on Detailed Authentication Information > Logon Process: Process used for logon (Kerberos) New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on Logon Type: Logon path, method, etc. (3=Network) Network Information > Workstation Name: Name of the host that requested the logon Process Information > Process Name: Path to the executable file Network Information > Source Network Address: IP address that requested the logon Subject > Logon ID: Session ID of the user who executed the authentication
4	Security	4634	Logoff	An account was logged off. Logon Type: Logon path, method, etc. (3=Network) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the authentication
5	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. ParentImage: Executable file of the parent process (C:\Windows\System32\svchost.exe) CommandLine: Command line of the execution command (C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding) ParentCommandLine: Command line of the parent process (C:\Windows\system32\svchost.exe -k DcomLaunch) UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\NETWORK SERVICE) Image: Path to the executable file (C:\Windows\System32\wbem\WmiPrvSE.exe)

#	Path	Value
1	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\RAC\WmiLastTime	(RANDOM)

- Event Log

#	Event Log	Event ID	Task Category	Event Details
1	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. LogonGuid/LogonId: ID of the logon session ParentProcessGuid/ParentProcessId: Process ID of the parent process ParentImage: Executable file of the parent process (C:\Windows\System32\cmd.exe) CurrentDirectory: Work directory (C:\Windows\system32\) CommandLine: Command line of the execution command (cscript //nologo "C:\Windows\System32\winrm.vbs" e winrm/config/listener -r:[Destination Host]) IntegrityLevel: Privilege level (High) ParentCommandLine: Command line of the parent process ("C:\Windows\system32\cmd.exe") UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID User: Execute as user Hashes: Hash value of the executable file Image: Path to the executable file (C:\Windows\System32\cscript.exe)
1	Security	4688	Process Create	A new process has been created. Process Information > Required Label: Necessity of privilege escalation Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Source Process Name: Path to parent process that created the new process Log Date and Time: Process execution date and time (local time) Process Information > New Process Name: Path to the executable file (C:\Windows\System32\cscript.exe) Process Information > Token Escalation Type: Presence of privilege escalation (1) Process Information > New Process ID: Process ID (hexadecimal) Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7 Subject > Logon ID: Session ID of the user who executed the process
2	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (READ_CONTROL, reference of key values, enumeration of sub keys, notice on key changes) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\cscript.exe) Object > Object Type: File type (Key) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
2	Security	4658	File System	The handle to an object was closed. Process Information > Process ID: Process ID (hexadecimal) Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\cscript.exe) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
3	Microsoft-Windows-Sysmon/Operational	12	Registry object added or deleted (rule: RegistryEvent)	Registry object added or deleted. EventType: Process type (CreateKey) Image: Path to the executable file (C:\Windows\system32\cscript.exe) ProcessGuid/ProcessId: Process ID TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings)
	Microsoft-Windows-Sysmon/Operational	12	Registry object added or deleted (rule: RegistryEvent)	Registry object added or deleted. EventType: Process type (CreateKey) Image: Path to the executable file (C:\Windows\system32\cscript.exe) ProcessGuid/ProcessId: Process ID TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows Script Host\Settings)
	Microsoft-Windows-Sysmon/Operational	12	Registry object added or deleted (rule: RegistryEvent)	Registry object added or deleted. EventType: Process type (CreateKey) Image: Path to the executable file (C:\Windows\system32\cscript.exe) ProcessGuid/ProcessId: Process ID TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing)
	Microsoft-Windows-Sysmon/Operational	12	Registry object added or deleted (rule: RegistryEvent)	Registry object added or deleted. EventType: Process type (CreateKey) Image: Path to the executable file (C:\Windows\system32\cscript.exe) ProcessGuid/ProcessId: Process ID TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters)
4	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (destination host IP address) Image: Path to the executable file (C:\Windows\System32\lsass.exe) DestinationHostname: Destination host name (destination host name) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\SYSTEM) DestinationPort: Destination port number (88) SourcePort: Source port number (high port) SourceHostname: Source host name (source host name) SourceIp: Source IP address (source host IP address)
	Security	5158	Filtering Platform Connection	The Windows Filtering Platform has permitted a bind to a local port. Network Information > Protocol: Protocol used (6=TCP) Network Information > Source Port: Bind local port (high port) Application Information > Process ID: Process ID Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (88) Network Information > Source Port: Source port number (high port) Network Information > Destination Address: Destination IP address (Domain Controller) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe) Network Information > Direction: Communication direction (outbound) Network Information > Source Address: Source IP address (source host) Application Information > Process ID: Process ID
5	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (destination host IP address) Image: Path to the executable file DestinationHostname: Destination host name (destination host name) ProcessGuid/ProcessId: Process ID User: Execute as user DestinationPort: Destination port number (5985) SourcePort: Source port number (high port) SourceHostname: Source host name (source host name) SourceIp: Source IP address (source host IP address)
	Security	5158	Filtering Platform Connection	The Windows Filtering Platform has permitted a bind to a local port. Network Information > Protocol: Protocol used (6=TCP) Network Information > Source Port: Bind local port (high port) Application Information > Process ID: Process ID Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\cscript.exe)
	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (5985) Network Information > Source Port: Source port number (high port) Network Information > Destination Address: Destination IP address (destination host) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\cscript.exe) Network Information > Direction: Communication direction (outbound) Network Information > Source Address: Source IP address (source host) Application Information > Process ID: Process ID
6	Microsoft-Windows-WinRM/Operational	166	User Authentication	The chosen authentication mechanism is [authentication mechanism]. Authentication Method: Authentication method used (Kerberos)
	Microsoft-Windows-WinRM/Operational	80	Processing of Request	Sending the request for operation [Operation]. Destination computer and port [Host]:[Port] Operation: Requested process (Enumeration) Port: Source port number (5985) Host: Requested resource (destination)
	Microsoft-Windows-WinRM/Operational	166	User Authentication	The chosen authentication mechanism is [authentication mechanism]. Authentication Method: Authentication method used (Kerberos)
	Microsoft-Windows-WinRM/Operational	143	Response Processing	Received a response from the network layer. Status: [Opcode] Opcode: Return value (200 HTTP_STATUS_OK)
	Microsoft-Windows-WinRM/Operational	143	Response Processing	Received a response from the network layer. Status: [Opcode] Opcode: Return value (200 HTTP_STATUS_OK)
	Microsoft-Windows-WinRM/Operational	132	Response Processing	WSMan operation [Operation] completed successfully. Operation: Process performed (Enumeration) Opcode: Return value (normal)
7	Microsoft-Windows-Sysmon/Operational	5	Process terminated (rule: ProcessTerminate)	Process terminated. UtcTime: Process terminated date and time (UTC) ProcessGuid/ProcessId: Process ID Image: Path to the executable file (C:\Windows\System32\cscript.exe)
7	Security	4689	Process Termination	A process has exited. Process Information > Process ID: Process ID (hexadecimal) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Exit Status: Process return value (0x0) Log Date and Time: Process terminated date and time (local time) Process Information > Process Name: Path to the executable file (C:\Windows\System32\cscript.exe) Subject > Logon ID: Session ID of the user who executed the process
8	Microsoft-Windows-Sysmon/Operational	11	File created (rule: FileCreate)	File created. Image: Path to the executable file (C:\Windows\System32\svchost.exe) ProcessGuid/ProcessId: Process ID TargetFilename: Created file (C:\Windows\Prefetch\CSCRIPT.EXE-[RANDOM].pf) CreationUtcTime: File creation date and time (UTC)
	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name (C:\Windows\Prefetch\CSCRIPT.EXE-[RANDOM].pf) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Object > Object Type: Type of the file (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
	Security	4663	File System	An attempt was made to access an object. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name (C:\Windows\Prefetch\CSCRIPT.EXE-[RANDOM].pf) Audit Success: Success or failure (access successful) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Object > Object Type: Category of the target (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
	Security	4658	File System	The handle to an object was closed. Process Information > Process ID: Process ID (hexadecimal) Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
9	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. LogonGuid/LogonId: ID of the logon session ParentProcessGuid/ParentProcessId: Process ID of the parent process ParentImage: Executable file of the parent process (C:\Windows\System32\cmd.exe) CurrentDirectory: Work directory (C:\Windows\system32\) CommandLine: Command line of the execution command (cscript //nologo "C:\Windows\System32\winrm.vbs" get winrm/config -r:[Target]) IntegrityLevel: Privilege level (High) ParentCommandLine: Command line of the parent process ("C:\Windows\system32\cmd.exe") UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID User: Execute as user Hashes: Hash value of the executable file Image: Path to the executable file (C:\Windows\System32\cscript.exe)
9	Security	4688	Process Create	A new process has been created. Process Information > Required Label: Necessity of privilege escalation Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Source Process Name: Path to parent process that created the new process Log Date and Time: Process execution date and time (local time) Process Information > New Process Name: Path to the executable file (C:\Windows\System32\cscript.exe) Process Information > Token Escalation Type: Presence of privilege escalation (1) Process Information > New Process ID: Process ID (hexadecimal) Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7 Subject > Logon ID: Session ID of the user who executed the process
10	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (READ_CONTROL, reference of key values, enumeration of sub keys, notice on key changes) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\cscript.exe) Object > Object Type: File type (Key) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
10	Security	4658	File System	The handle to an object was closed. Process Information > Process ID: Process ID (hexadecimal) Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\cscript.exe) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
11	Microsoft-Windows-Sysmon/Operational	12	Registry object added or deleted (rule: RegistryEvent)	Registry object added or deleted. EventType: Process type (CreateKey) Image: Path to the executable file (C:\Windows\system32\cscript.exe) ProcessGuid/ProcessId: Process ID TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows Script Host\Settings)
	Microsoft-Windows-Sysmon/Operational	12	Registry object added or deleted (rule: RegistryEvent)	Registry object added or deleted. EventType: Process type (CreateKey) Image: Path to the executable file (C:\Windows\system32\cscript.exe) ProcessGuid/ProcessId: Process ID TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing)
	Microsoft-Windows-Sysmon/Operational	12	Registry object added or deleted (rule: RegistryEvent)	Registry object added or deleted. EventType: Process type (CreateKey) Image: Path to the executable file (C:\Windows\system32\cscript.exe) ProcessGuid/ProcessId: Process ID TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters)
12	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (destination host IP address) Image: Path to the executable file DestinationHostname: Destination host name (destination host name) ProcessGuid/ProcessId: Process ID User: Execute as user DestinationPort: Destination port number (5985) SourcePort: Source port number (high port) SourceHostname: Source host name (source host name) SourceIp: Source IP address (source host IP address)
	Security	5158	Filtering Platform Connection	The Windows Filtering Platform has permitted a bind to a local port. Network Information > Protocol: Protocol used (6=TCP) Network Information > Source Port: Bind local port (high port) Application Information > Process ID: Process ID Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\cscript.exe)
	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (5985) Network Information > Source Port: Source port number (high port) Network Information > Destination Address: Destination IP address (destination host) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\cscript.exe) Network Information > Direction: Communication direction (outbound) Network Information > Source Address: Source IP address (source host) Application Information > Process ID: Process ID
13	Microsoft-Windows-WinRM/Operational	166	User Authentication	The chosen authentication mechanism is [authentication mechanism]. Authentication Method: Authentication method used (Kerberos)
	Microsoft-Windows-WinRM/Operational	80	Processing of Request	Sending the request for operation [Operation]. Destination computer and port [Host]:[Port] Operation: Requested process (Get) Port: Source port number (5985) Host: Requested resource (target)
	Microsoft-Windows-WinRM/Operational	166	User Authentication	The chosen authentication mechanism is [authentication mechanism]. Authentication Method: Authentication method used (Kerberos)
	Microsoft-Windows-WinRM/Operational	143	Response Processing	Received a response from the network layer. Status: [Opcode] Opcode: Return value (200 HTTP_STATUS_OK)
	Microsoft-Windows-WinRM/Operational	143	Response Processing	Received a response from the network layer. Status: [Opcode] Opcode: Return value (200 HTTP_STATUS_OK)
	Microsoft-Windows-WinRM/Operational	132	Response Processing	WSMan operation [Operation] completed successfully. Operation: Process performed (Get) Opcode: Return value (normal)
14	Microsoft-Windows-Sysmon/Operational	5	Process terminated (rule: ProcessTerminate)	Process terminated. UtcTime: Process terminated date and time (UTC) ProcessGuid/ProcessId: Process ID Image: Path to the executable file (C:\Windows\System32\cscript.exe)
14	Security	4689	Process Termination	A process has exited. Process Information > Process ID: Process ID (hexadecimal) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Exit Status: Process return value (0x0) Log Date and Time: Process terminated date and time (local time) Process Information > Process Name: Path to the executable file (C:\Windows\System32\cscript.exe) Subject > Logon ID: Session ID of the user who executed the process
15	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name (C:\Windows\Prefetch\CSCRIPT.EXE-[RANDOM].pf) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Object > Object Type: Type of the file (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
	Security	4663	File System	An attempt was made to access an object. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name (C:\Windows\Prefetch\CSCRIPT.EXE-[RANDOM].pf) Audit Success: Success or failure (access successful) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Object > Object Type: Category of the target (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
	Security	4658	File System	The handle to an object was closed. Process Information > Process ID: Process ID (hexadecimal) Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
16	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. LogonGuid/LogonId: ID of the logon session ParentProcessGuid/ParentProcessId: Process ID of the parent process ParentImage: Executable file of the parent process (C:\Windows\System32\cmd.exe) CurrentDirectory: Work directory (C:\Windows\system32\) CommandLine: Command line of the execution command (cscript //nologo "C:\Windows\System32\winrm.vbs" get wmicimv2/Win32_Service?Name=WinRM -r:[Destination]) IntegrityLevel: Privilege level (High) ParentCommandLine: Command line of the parent process (C:\Windows\system32\cmd.exe) UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID User: Execute as user Hashes: Hash value of the executable file Image: Path to the executable file (C:\Windows\System32\cscript.exe)
16	Security	4688	Process Create	A new process has been created. Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Log Date and Time: Process execution date and time (local time) Process Information > New Process Name: Path to the executable file (C:\Windows\System32\cscript.exe) Process Information > Token Escalation Type: Presence of privilege escalation (1) Process Information > New Process ID: Process ID (hexadecimal) Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7 Subject > Logon ID: Session ID of the user who executed the process
17	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (READ_CONTROL, reference of key values, enumeration of sub keys, notice on key changes) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\cscript.exe) Object > Object Type: File type (Key) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
17	Security	4658	File System	The handle to an object was closed. Process Information > Process ID: Process ID (hexadecimal) Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\cscript.exe) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
18	Microsoft-Windows-Sysmon/Operational	12	Registry object added or deleted (rule: RegistryEvent)	Registry object added or deleted. EventType: Process type (CreateKey) Image: Path to the executable file (C:\Windows\system32\cscript.exe) ProcessGuid/ProcessId: Process ID TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings)
	Microsoft-Windows-Sysmon/Operational	12	Registry object added or deleted (rule: RegistryEvent)	Registry object added or deleted. EventType: Process type (CreateKey) Image: Path to the executable file (C:\Windows\system32\cscript.exe) ProcessGuid/ProcessId: Process ID TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows Script Host\Settings)
	Microsoft-Windows-Sysmon/Operational	12	Registry object added or deleted (rule: RegistryEvent)	Registry object added or deleted. EventType: Process type (CreateKey) Image: Path to the executable file (C:\Windows\system32\cscript.exe) ProcessGuid/ProcessId: Process ID TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing)
	Microsoft-Windows-Sysmon/Operational	12	Registry object added or deleted (rule: RegistryEvent)	Registry object added or deleted. EventType: Process type (CreateKey) Image: Path to the executable file (C:\Windows\system32\cscript.exe) ProcessGuid/ProcessId: Process ID TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters)
19	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (destination host IP address) Image: Path to the executable file DestinationHostname: Destination host name (destination host name) ProcessGuid/ProcessId: Process ID User: Execute as user DestinationPort: Destination port number (5985) SourcePort: Source port number (high port) SourceHostname: Source host name (source host name) SourceIp: Source IP address (source host IP address)
	Security	5158	Filtering Platform Connection	The Windows Filtering Platform has permitted a bind to a local port. Network Information > Protocol: Protocol used (6=TCP) Network Information > Source Port: Bind local port (high port) Application Information > Process ID: Process ID Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\cscript.exe)
	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (5985) Network Information > Source Port: Source port number (high port) Network Information > Destination Address: Destination IP address (destination host) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\cscript.exe) Network Information > Direction: Communication direction (outbound) Network Information > Source Address: Source IP address (source host) Application Information > Process ID: Process ID
20	Microsoft-Windows-WinRM/Operational	166	User Authentication	The chosen authentication mechanism is [authentication mechanism]. Authentication Method: Authentication method used (Kerberos)
	Microsoft-Windows-WinRM/Operational	80	Processing of Request	Sending the request for operation [Operation]. Destination computer and port [Host]:[Port] Operation: Requested process (Get) Port: Source port number (5985) Host: Requested resource (destination)
	Microsoft-Windows-WinRM/Operational	166	User Authentication	The chosen authentication mechanism is [authentication mechanism]. Authentication Method: Authentication method used (Kerberos)
	Microsoft-Windows-WinRM/Operational	143	Response Processing	Received a response from the network layer. Status: [Opcode] Opcode: Return value (200 HTTP_STATUS_OK)
	Microsoft-Windows-WinRM/Operational	143	Response Processing	Received a response from the network layer. Status: [Opcode] Opcode: Return value (200 HTTP_STATUS_OK)
	Microsoft-Windows-WinRM/Operational	132	Response Processing	WSMan operation [Operation] completed successfully. Operation: Process performed (Get) Opcode: Return value (normal)
21	Microsoft-Windows-Sysmon/Operational	5	Process terminated (rule: ProcessTerminate)	Process terminated. UtcTime: Process terminated date and time (UTC) ProcessGuid/ProcessId: Process ID Image: Path to the executable file (C:\Windows\System32\cscript.exe)
21	Security	4689	Process Termination	A process has exited. Process Information > Process ID: Process ID (hexadecimal) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Exit Status: Process return value (0x0) Log Date and Time: Process terminated date and time (local time) Process Information > Process Name: Path to the executable file (C:\Windows\System32\cscript.exe) Subject > Logon ID: Session ID of the user who executed the process
22	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name (C:\Windows\Prefetch\CSCRIPT.EXE-[RANDOM].pf) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Object > Object Type: Type of the file (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
	Security	4663	File System	An attempt was made to access an object. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name (C:\Windows\Prefetch\CSCRIPT.EXE-[RANDOM].pf) Audit Success: Success or failure (access successful) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Object > Object Type: Category of the target (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
	Security	4658	File System	The handle to an object was closed. (The handle to an object was closed.) Process Information > Process ID: Process ID (hexadecimal) Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)

- USN Journal

#	File Name	Process	Attribute
1	CSCRIPT.EXE-[RANDOM].pf	FILE_CREATE	archive+not_indexed
	CSCRIPT.EXE-[RANDOM].pf	DATA_EXTEND+FILE_CREATE	archive+not_indexed
	CSCRIPT.EXE-[RANDOM].pf	CLOSE+DATA_EXTEND+FILE_CREATE	archive+not_indexed
2	CSCRIPT.EXE-[RANDOM].pf	DATA_TRUNCATION	archive+not_indexed
	CSCRIPT.EXE-[RANDOM].pf	DATA_EXTEND+DATA_TRUNCATION	archive+not_indexed
	CSCRIPT.EXE-[RANDOM].pf	CLOSE+DATA_EXTEND+DATA_TRUNCATION	archive+not_indexed
3	CSCRIPT.EXE-[RANDOM].pf	DATA_TRUNCATION	archive+not_indexed
	CSCRIPT.EXE-[RANDOM].pf	DATA_EXTEND+DATA_TRUNCATION	archive+not_indexed
	CSCRIPT.EXE-[RANDOM].pf	CLOSE+DATA_EXTEND+DATA_TRUNCATION	archive+not_indexed

- MFT

#	Path	Header Flag	Validity
1	[Drive Name]:\Windows\Prefetch\CSCRIPT.EXE-[RANDOM].pf	FILE	ALLOCATED

- Prefetch

#	Prefetch File	Process Name	Process Path	Information That Can Be Confirmed
1	C:\Windows\Prefetch\CSCRIPT.EXE-[RANDOM].pf	CSCRIPT.EXE	C:\WINDOWS\SYSTEM32\CSCRIPT.EXE	Last Run Time (last execution date and time)

- Event Log

#	Event Log	Event ID	Task Category	Event Details
1	Microsoft-Windows-WMI-Activity/Operational	5857	WMI-Activity	[Provider] provider started with result code [Result Code]. Host Process = [Host Process]; Process ID = [Process ID]; Provider Path = [Provider Path] Provider Path: File of the provider (%systemroot%\system32\wbem\cimwin32.dll) Provider: WMI provider (CIMWin32) Result Code: Result code at start (0x0) Host Process: Name of the WMI execution process (wmiprvse.exe) Process ID: ID of the WMI execution process Level: (0)
2	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (source host IP address) Image: Path to the executable file (System) DestinationHostname: Destination host name (source host name) ProcessGuid/ProcessId: Process ID (4) User: Execute as user (NT AUTHORITY\SYSTEM) DestinationPort: Destination port number (high port) SourcePort: Source port number (5985) SourceHostname: Source host name (destination host name) SourceIp: Source IP address (destination host IP address)
2	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (5985) Network Information > Source Port: Source port number (high port) Network Information > Destination Address: Destination IP address (destination host) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (System) Network Information > Direction: Communication direction (inbound) Network Information > Source Address: Source IP address (source host) Application Information > Process ID: Process ID
3	Security	4672	Special Logon	Privileges assigned to a new logon. Privileges: Assigned special privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process
3	Security	4624	Logon	An account was successfully logged on. Process Information > Process ID: Process ID (hexadecimal) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on Detailed Authentication Information > Logon Process: Process used for logon (Kerberos) Network Information > Source Port: Source port number New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on Logon Type: Logon path, method, etc. (3=Network) Network Information > Workstation Name: Name of the host that requested the logon Detailed Authentication Information > Key Length: Length of the key used for the authentication (0) Process Information > Process Name: Path to the executable file Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos) Network Information > Source Network Address: IP address that requested the logon Subject > Logon ID: Session ID of the user who executed the authentication
4	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (Domain Controller IP address) Image: Path to the executable file (C:\Windows\System32\lsass.exe) DestinationHostname: Destination host name (Domain Controller host name) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\SYSTEM) DestinationPort: Destination port number (135) SourcePort: Source port number (high port) SourceHostname: Source host name (destination host name) SourceIp: Source IP address (destination host IP address)
	Security	5158	Filtering Platform Connection	The Windows Filtering Platform has permitted a bind to a local port. Network Information > Protocol: Protocol used (6=TCP) Network Information > Source Port: Bind local port (high port) Application Information > Process ID: Process ID Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (135) Network Information > Source Port: Source port number (high port) Network Information > Destination Address: Destination IP address (Domain Controller) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe) Network Information > Direction: Communication direction (outbound) Network Information > Source Address: Source IP address (destination host) Application Information > Process ID: Process ID
5	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (Domain Controller IP address) Image: Path to the executable file (System) DestinationHostname: Destination host name (Domain Controller host name) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\SYSTEM) DestinationPort: Destination port number (high port) SourcePort: Source port number (high port) SourceHostname: Source host name (destination host name) SourceIp: Source IP address (destination host IP address)
	Security	5158	Filtering Platform Connection	The Windows Filtering Platform has permitted a bind to a local port. Network Information > Protocol: Protocol used (6=TCP) Network Information > Source Port: Bind local port (high port) Application Information > Process ID: Process ID Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (high port) Network Information > Source Port: Source port number (high port) Network Information > Destination Address: Destination IP address (Domain Controller) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe) Network Information > Direction: Communication direction (outbound) Network Information > Source Address: Source IP address (destination host) Application Information > Process ID: Process ID
6	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privilege Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name (Unknown) Object > Object Server: Service that manages the object (WS-Management Listener) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Object > Object Type: File type (Unknown) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
7	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (source host IP address) Image: Path to the executable file (System) DestinationHostname: Destination host name (source host name) ProcessGuid/ProcessId: Process ID (4) User: Execute as user (NT AUTHORITY\SYSTEM) DestinationPort: Destination port number (high port) SourcePort: Source port number (5985) SourceHostname: Source host name (destination host name) SourceIp: Source IP address (destination host IP address)
7	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (5985) Network Information > Source Port: Source port number (high port) Network Information > Destination Address: Destination IP address (destination host) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (System) Network Information > Direction: Communication direction (inbound) Network Information > Source Address: Source IP address (source host) Application Information > Process ID: Process ID (4)
8	Security	4672	Special Logon	Privileges assigned to a new logon. Privileges: Assigned special privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process
8	Security	4624	Logon	An account was successfully logged on. Process Information > Process ID: Process ID (hexadecimal) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on Detailed Authentication Information > Logon Process: Process used for logon (Kerberos) Network Information > Source Port: Source port number New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on Logon Type: Logon path, method, etc. (3=Network) Network Information > Workstation Name: Name of the host that requested the logon Detailed Authentication Information > Key Length: Length of the key used for the authentication (0) Process Information > Process Name: Path to the executable file Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos) Network Information > Source Network Address: IP address that requested the logon Subject > Logon ID: Session ID of the user who executed the authentication
9	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (unknown unique access (bit 0), unknown unique access (bit 1), unknown unique access (bit 2)/-/0x7) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name (Unknown) Object > Object Server: Service that manages the object (WS-Management Listener) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Object > Object Type: File type (Unknown) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
10	Security	4634	Logoff	An account was logged off. Logon Type: Logon path, method, etc. (3=Network) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the authentication
11	Microsoft-Windows-Sysmon/Operational	12	Registry object added or deleted (rule: RegistryEvent)	Registry object added or deleted. EventType: Process type (CreateKey) Image: Path to the executable file (C:\Windows\system32\wbem\wmiprvse.exe) ProcessGuid/ProcessId: Process ID TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Wbem)
12	Microsoft-Windows-WMI-Activity/Operational	5857	WMI-Activity	[Provider] provider started with result code [Result Code]. Host Process = [Host Process]; Process ID = [Process ID]; Provider Path = [Provider Path] Provider Path: File of the provider (%systemroot%\system32\wbem\cimwin32.dll) Provider: WMI provider (CIMWin32) Result Code: Result code at start (0x0) Host Process: Name of the WMI execution process (wmiprvse.exe) Process ID: ID of the WMI execution process Level: (0)
12	Microsoft-Windows-WMI-Activity/Operational	5857	WMI-Activity	[Provider] provider started with result code [Result Code]. Host Process = [Host Process]; Process ID = [Process ID]; Provider Path = [Provider Path] Provider Path: File of the provider (%SystemRoot%\system32\tscfgwmi.dll) Provider: WMI provider (Win32_WIN32_TERMINALSERVICE_Prov) Result Code: Result code at start (0x0) Host Process: Name of the WMI execution process (wmiprvse.exe) Process ID: ID of the WMI execution process Level: (0)
13	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (source host IP address) Image: Path to the executable file (System) DestinationHostname: Destination host name (source host name) ProcessGuid/ProcessId: Process ID (4) User: Execute as user (NT AUTHORITY\SYSTEM) DestinationPort: Destination port number (high port) SourcePort: Source port number (5985) SourceHostname: Source host name (destination host name) SourceIp: Source IP address (destination host IP address)
13	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (5985) Network Information > Source Port: Source port number (high port) Network Information > Destination Address: Destination IP address (destination host) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (System) Network Information > Direction: Communication direction (inbound) Network Information > Source Address: Source IP address (source host) Application Information > Process ID: Process ID
14	Security	4672	Special Logon	Privileges assigned to a new logon. Privileges: Assigned special privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process
14	Security	4624	Logon	An account was successfully logged on. Process Information > Process ID: Process ID (hexadecimal) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on Detailed Authentication Information > Logon Process: Process used for logon (Kerberos) Network Information > Source Port: Source port number New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on Logon Type: Logon path, method, etc. Network Information > Workstation Name: Name of the host that requested the logon Detailed Authentication Information > Key Length: Length of the key used for the authentication (0) Process Information > Process Name: Path to the executable file Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos) Network Information > Source Network Address: IP address that requested the logon Subject > Logon ID: Session ID of the user who executed the authentication
15	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name (Unknown) Object > Object Server: Service that manages the object (WS-Management Listener) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Object > Object Type: File type (Unknown) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
16	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. LogonGuid/LogonId: ID of the logon session ParentProcessGuid/ParentProcessId: Process ID of the parent process ParentImage: Executable file of the parent process (C:\Windows\System32\svchost.exe) CurrentDirectory: Work directory (C:\Windows\system32\) CommandLine: Command line of the execution command (C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding) IntegrityLevel: Privilege level (System) ParentCommandLine: Command line of the parent process (C:\Windows\system32\svchost.exe -k DcomLaunch) UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\NETWORK SERVICE) Hashes: Hash value of the executable file Image: Path to the executable file (C:\Windows\System32\wbem\WmiPrvSE.exe)
16	Security	4688	Process Create	A new process has been created. Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Log Date and Time: Process execution date and time (local time) Process Information > New Process Name: Path to the executable file (C:\Windows\System32\wbem\WmiPrvSE.exe) Process Information > Token Escalation Type: Presence of privilege escalation (1) Process Information > New Process ID: Process ID (hexadecimal) Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7 Subject > Logon ID: Session ID of the user who executed the process
17	Security	4634	Logoff	An account was logged off. Logon Type: Logon path, method, etc. (3=Network) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the authentication
18	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name (C:\Windows\Prefetch\WMIPRVSE.EXE-[RANDOM].pf) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Object > Object Type: Type of the file (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
	Security	4663	File System	An attempt was made to access an object. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name (C:\Windows\Prefetch\WMIPRVSE.EXE-[RANDOM].pf) Audit Success: Success or failure (access successful) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Object > Object Type: Category of the target (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
	Security	4658	File System	The handle to an object was closed. Process Information > Process ID: Process ID (hexadecimal) Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)

- USN Journal

#	File Name	Process	Attribute
1	WMIPRVSE.EXE-[RANDOM].pf	FILE_CREATE	archive+not_indexed
	WMIPRVSE.EXE-[RANDOM].pf	DATA_EXTEND+FILE_CREATE	archive+not_indexed
	WMIPRVSE.EXE-[RANDOM].pf	CLOSE+DATA_EXTEND+FILE_CREATE	archive+not_indexed

- MFT

#	Path	Header Flag	Validity
1	[Drive Name]:\Windows\Prefetch\WMIPRVSE.EXE-[RANDOM].pf	FILE	ALLOCATED

- Prefetch

#	Prefetch File	Process Name	Process Path	Information That Can Be Confirmed
1	C:\Windows\Prefetch\WMIPRVSE.EXE-[RANDOM].pf	WMIPRVSE.EXE	C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE	Last Run Time (last execution date and time)

- Registry Entry

#	Path	Type	Value
1	HKEY_USERS\[User SID]\Software\Classes\Local Settings\MuiCache\1\826182D0\@%Systemroot%\system32\wsmsvc.dll,-102	String	The Windows Remote Management (WinRM) service has the WS-Management protocol for remote management implemented in it. WS-Management is a standard web service protocol used for the management of remote software and hardware. The WinRM service listens to and processes WS-Management requests on the network. In order for the WinRM service to be able to listen to the network, it is necessary to configure listeners for the WinRM service by using the winrm.cmd command line tool or via a group policy. Using this service allows access to WMI data and collect events. Before collecting events or executing a subscription to events, it must be ensured that the WinRM service is running. WinRM messages use HTTP and HTTPS as the transport. Although the WinRM service is not dependent on IIS, settings have been configured in advance so that the service shares one port with IIS on the same computer. For this service, "/wsman" is reserved as the URL prefix. In order to prevent a conflict with IIS, it is necessary to confirm that "/wsman" is not used in any websites on IIS as a URL prefix.
1	HKEY_USERS\[User SID]_Classes\Local Settings\MuiCache\1\826182D0\@%Systemroot%\system32\wsmsvc.dll,-102	String	The Windows Remote Management (WinRM) service has the WS-Management protocol for remote management implemented in it. WS-Management is a standard web service protocol used for the management of remote software and hardware. The WinRM service listens to and processes WS-Management requests on the network. In order for the WinRM service to be able to listen to the network, it is necessary to configure listeners for the WinRM service by using the winrm.cmd command line tool or via a group policy. Using this service allows access to WMI data and collect events. Before collecting events or executing a subscription to events, it must be ensured that the WinRM service is running. WinRM messages use HTTP and HTTPS as the transport. Although the WinRM service is not dependent on IIS, settings have been configured in advance so that the service shares one port with IIS on the same computer. For this service, "/wsman" is reserved as the URL prefix. In order to prevent a conflict with IIS, it is necessary to confirm that "/wsman" is not used in any websites on IIS as a URL prefix.
2	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\RAC\WmiLastTime	String	(RANDOM)

WinRM

- Table of Contents

- Tool Overview

- Tool Operation Overview

- Information Acquired from Log

- Evidence That Can Be Confirmed When Execution is Successful

- Main Information Recorded at Execution

- Source Host

Event log

Prefetch

- Destination Host

Event log

Prefetch

Registry entry

- Details: Source Host

- Event Log

- USN Journal

- MFT

- Prefetch

- Details: Destination Host

- Event Log

- USN Journal

- MFT

- Prefetch

- Registry Entry

- Remarks