| 1 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (source host IP address)
- Image: Path to the executable file (System)
- DestinationHostname: Destination host name (source host name)
- ProcessGuid/ProcessId: Process ID (4)
- User: Execute as user (NT AUTHORITY\SYSTEM)
- DestinationPort: Destination port number (high port)
- SourcePort: Source port number (5985)
- SourceHostname: Source host name (destination host name)
- SourceIp: Source IP address (destination host IP address)
|
| Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (high port)
- Network Information > Source Port: Source port number (5985)
- Network Information > Destination Address: Destination IP address (source host)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process (System)
- Network Information > Direction: Communication direction (inbound)
- Network Information > Source Address: Source IP address (destination host)
- Application Information > Process ID: Process ID
|
| 2 |
Security |
4672 |
Special Logon |
Privileges assigned to a new logon.
- Privileges: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
|
| Security |
4624 |
Logon |
An account was successfully logged on.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
- Detailed Authentication Information > Logon Process: Process used for logon (Kerberos)
- Network Information > Source Port: Source port number
- New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on (NULL SID/-/-)
- Logon Type: Logon path, method, etc. (3=Network)
- Network Information > Workstation Name: Name of the host that requested the logon
- Detailed Authentication Information > Key Length: Length of the key used for the authentication (0)
- Process Information > Process Name: Path to the executable file
- Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos)
- Network Information > Source Network Address: IP address that requested the logon
- Subject > Logon ID: Session ID of the user who executed the authentication (0x0)
|
| 3 |
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (Unknown)
- Object > Object Server: Service that manages the object (WS-Management Listener)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
- Object > Object Type: File type (Unknown)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (0x0)
|
| 4 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (Domain Controller IP address)
- Image: Path to the executable file (C:\Windows\System32\lsass.exe)
- DestinationHostname: Destination host name (Domain Controller host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\SYSTEM)
- DestinationPort: Destination port number (88)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name (destination host name)
- SourceIp: Source IP address (destination host IP address)
|
| Security |
5158 |
Filtering Platform Connection |
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bind local port (high port)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
|
| Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (88)
- Network Information > Source Port: Source port number (high port)
- Network Information > Destination Address: Destination IP address (Domain Controller)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
- Network Information > Direction: Communication direction (outbound)
- Network Information > Source Address: Source IP address (destination host)
- Application Information > Process ID: Process ID
|
| 5 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (Domain Controller IP address)
- Image: Path to the executable file (C:\Windows\System32\lsass.exe)
- DestinationHostname: Destination host name (Domain Controller host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\SYSTEM)
- DestinationPort: Destination port number (88)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name (destination host name)
- SourceIp: Source IP address (destination host IP address)
|
| Security |
5158 |
Filtering Platform Connection |
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bind local port (high port)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
|
| Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (88)
- Network Information > Source Port: Source port number (high port)
- Network Information > Destination Address: Destination IP address (Domain Controller)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
- Network Information > Direction: Communication direction (outbound)
- Network Information > Source Address: Source IP address (destination host)
- Application Information > Process ID: Process ID
|
| 6 |
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (READ_CONTROL, reference of key values, enumeration of sub keys, notice on key changes)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
- Object > Object Type: File type (Key)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
| Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| 7 |
Microsoft-Windows-Sysmon/Operational |
1 |
Process Create (rule: ProcessCreate) |
Process Create.
- LogonGuid/LogonId: ID of the logon session
- ParentProcessGuid/ParentProcessId: Process ID of the parent process
- ParentImage: Executable file of the parent process (C:\Windows\System32\svchost.exe)
- CurrentDirectory: Work directory (C:\Windows\system32\)
- CommandLine: Command line of the execution command (C:\Windows\system32\WinrHost.exe -Embedding)
- IntegrityLevel: Privilege level (High)
- ParentCommandLine: Command line of the parent process (C:\Windows\system32\svchost.exe -k DcomLaunch)
- UtcTime: Process execution date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user
- Hashes: Hash value of the executable file
- Image: Path to the executable file (C:\Windows\System32\winrshost.exe)
|
| Security |
4688 |
Process Create |
A new process has been created.
- Process Information > Required Label: Necessity of privilege escalation
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Source Process Name: Path to parent process that created the new process
- Log Date and Time: Process execution date and time (local time)
- Process Information > New Process Name: Path to the executable file (C:\Windows\System32\winrshost.exe)
- Process Information > Token Escalation Type: Presence of privilege escalation (1)
- Process Information > New Process ID: Process ID (hexadecimal)
- Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
- Subject > Logon ID: Session ID of the user who executed the process
|
| 8 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (source host IP address)
- Image: Path to the executable file (System)
- DestinationHostname: Destination host name (source host name)
- ProcessGuid/ProcessId: Process ID (4)
- User: Execute as user (NT AUTHORITY\SYSTEM)
- DestinationPort: Destination port number (high port)
- SourcePort: Source port number (5985)
- SourceHostname: Source host name (destination host name)
- SourceIp: Source IP address (destination host IP address)
|
| Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (high port)
- Network Information > Source Port: Source port number (5985)
- Network Information > Destination Address: Destination IP address (source host)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process (System)
- Network Information > Direction: Communication direction (inbound)
- Network Information > Source Address: Source IP address (destination host)
- Application Information > Process ID: Process ID (4)
|
| 9 |
Security |
4672 |
Special Logon |
Privileges assigned to a new logon.
- Privileges: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
|
| Security |
4624 |
Logon |
An account was successfully logged on.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (NULL SID/-/-)
- New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
- Detailed Authentication Information > Logon Process: Process used for logon (Kerberos)
- Network Information > Source Port: Source port number
- New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on
- Logon Type: Logon path, method, etc. (3=Network)
- Network Information > Workstation Name: Name of the host that requested the logon
- Detailed Authentication Information > Key Length: Length of the key used for the authentication (0)
- Process Information > Process Name: Path to the executable file
- Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos)
- Network Information > Source Network Address: IP address that requested the logon
- Subject > Logon ID: Session ID of the user who executed the authentication
|
| 10 |
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (Unknown)
- Object > Object Server: Service that manages the object (WS-Management Listener)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
- Object > Object Type: File type (Unknown)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (0x0)
|
| 11 |
Microsoft-Windows-Sysmon/Operational |
1 |
Process Create (rule: ProcessCreate) |
Process Create.
- LogonGuid/LogonId: ID of the logon session
- ParentProcessGuid/ParentProcessId: Process ID of the parent process
- ParentImage: Executable file of the parent process (C:\Windows\System32\winrshost.exe)
- CurrentDirectory: Work directory (C:\Windows\system32\)
- CommandLine: Command line of the execution command (C:\Windows\system32\cmd.exe /C [Command Executed])
- IntegrityLevel: Privilege level (High)
- ParentCommandLine: Command line of the parent process (C:\Windows\system32\WinrsHost.exe -Embedding)
- UtcTime: Process execution date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user
- Hashes: Hash value of the executable file
- Image: Path to the executable file (C:\Windows\System32\cmd.exe)
|
| Security |
4688 |
Process Create |
A new process has been created.
- Process Information > Required Label: Necessity of privilege escalation
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Log Date and Time: Process execution date and time (local time)
- Process Information > New Process Name: Path to the executable file (C:\Windows\System32\cmd.exe)
- Process Information > Token Escalation Type: Presence of privilege escalation (1)
- Process Information > New Process ID: Process ID (hexadecimal)
- Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
- Subject > Logon ID: Session ID of the user who executed the process
|
| 12 |
Microsoft-Windows-Sysmon/Operational |
10 |
Process accessed (rule: ProcessAccess) |
Process accessed.
- SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID
- TargetProcessGUID/TargetProcessId: Process ID of the access destination process
- GrantedAccess: Details of the granted access (0x1fffff)
- SourceImage: Path to access source process (C:\Windows\system32\WinrsHost.exe)
- TargetImage: Path to the access destination process (C:\Windows\system32\cmd.exe)
|
| 13 |
Microsoft-Windows-WinRM/Operational |
169 |
User Authentication |
User [User Name] authenticated successfully using [Authentication Method] authentication
- User Name: User name used
- Authentication Method: Authentication method used (Kerberos)
|
| Microsoft-Windows-WinRM/Operational |
192 |
User Approval |
Authorizing the user |
| Microsoft-Windows-WinRM/Operational |
193 |
User Approval |
A request for the user is made using a WinRM virtual account.
- User Information: Information of the user
- Virtual Account: WinRM virtual account to be used
|
| Microsoft-Windows-WinRM/Operational |
192 |
User Approval |
Authorizing the user |
| Microsoft-Windows-WinRM/Operational |
81 |
Processing of Request |
Processing client request for operation [Operation].
- Operation: Requested process (CreateShell)
|
| Microsoft-Windows-WinRM/Operational |
82 |
Processing of Request |
Entering the plug-in for executing the operation [Operation]. ResourceURI <[URL]> is used.
- URL: URL of the resource (http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd)
- Operation: Requested process (Shell)
|
| Microsoft-Windows-WinRM/Operational |
134 |
Response Processing |
Sending response for operation [Operation]
- Operation: Process performed (CreateShell)
|
| Microsoft-Windows-WinRM/Operational |
83 |
Processing of Request |
Coming out of the plug-in for executing the operation [Operation].
- Operation: Requested process (Shell)
|
| Microsoft-Windows-WinRM/Operational |
169 |
User Authentication |
User [User Name] authenticated successfully using [Authentication Method] authentication
- User Name: User name used
- Authentication Method: Authentication method used (Kerberos)
|
| Microsoft-Windows-WinRM/Operational |
192 |
User Approval |
Authorizing the user |
| Microsoft-Windows-WinRM/Operational |
193 |
User Approval |
A request for the user is made using a WinRM virtual account.
- User Information: Information of the user
- Virtual Account: WinRM virtual account to be used
|
| Microsoft-Windows-WinRM/Operational |
192 |
User Approval |
Authorizing the user |
| Microsoft-Windows-WinRM/Operational |
81 |
Processing of Request |
Processing client request for operation [Operation].
- Operation: Requested process (Command)
|
| Microsoft-Windows-WinRM/Operational |
82 |
Processing of Request |
Entering the plug-in for executing the operation [Operation]. ResourceURI <[URL]> is used.
- URL: URL of the resource (http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd)
- Operation: Requested process (Command)
|
| Microsoft-Windows-WinRM/Operational |
134 |
Response Processing |
Sending response for operation [Operation]
- Operation: Process performed (Command)
|
| Microsoft-Windows-WinRM/Operational |
83 |
Processing of Request |
Coming out of the plug-in for executing the operation [Operation].
- Operation: Requested process (Command)
|
| Microsoft-Windows-WinRM/Operational |
192 |
User Approval |
Authorizing the user |
| Microsoft-Windows-WinRM/Operational |
81 |
Processing of Request |
Processing client request for operation [Operation].
- Operation: Requested process (Receive)
|
| Microsoft-Windows-WinRM/Operational |
82 |
Processing of Request |
Entering the plug-in for executing the operation [Operation]. ResourceURI <[URL]> is used.
- URL: URL of the resource (http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd)
- Operation: Requested process (Receive)
|
| Microsoft-Windows-WinRM/Operational |
83 |
Processing of Request |
Coming out of the plug-in for executing the operation [Operation].
- Operation: Requested process (Receive)
|
| Microsoft-Windows-WinRM/Operational |
134 |
Response Processing |
Sending response for operation [Operation]
- Operation: Process performed (Receive)
|
| Microsoft-Windows-WinRM/Operational |
192 |
User Approval |
Authorizing the user |
| Microsoft-Windows-WinRM/Operational |
81 |
Processing of Request |
Processing client request for operation [Operation].
- Operation: Requested process (Signal)
|
| Microsoft-Windows-WinRM/Operational |
82 |
Processing of Request |
Entering the plug-in for executing the operation [Operation]. ResourceURI <[URL]> is used.
- URL: URL of the resource (http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd)
- Operation: Requested process (Signal)
|
| Microsoft-Windows-WinRM/Operational |
134 |
Response Processing |
Sending response for operation [Operation]
- Operation: Process performed (Signal)
|
| Microsoft-Windows-WinRM/Operational |
83 |
Processing of Request |
Coming out of the plug-in for executing the operation [Operation].
- Operation: Requested process (Signal)
|
| Microsoft-Windows-WinRM/Operational |
192 |
User Approval |
Authorizing the user |
| Microsoft-Windows-WinRM/Operational |
81 |
Processing of Request |
Processing client request for operation [Operation].
- Operation: Requested process (DeleteShell)
|
| Microsoft-Windows-WinRM/Operational |
82 |
Processing of Request |
Entering the plug-in for executing the operation [Operation]. ResourceURI <[URL]> is used.
- URL: URL of the resource (http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd)
- Operation: Requested process (DeleteShell)
|
| Microsoft-Windows-WinRM/Operational |
134 |
Response Processing |
Sending response for operation [Operation]
- Operation: Process performed (DeleteShell)
|
| Microsoft-Windows-WinRM/Operational |
83 |
Processing of Request |
Coming out of the plug-in for executing the operation [Operation].
- Operation: Requested process (DeleteShell)
|
| 14 |
Security |
4634 |
Logoff |
An account was logged off.
- Logon Type: Logon path, method, etc. (3=Network)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the authentication
|
| 15 |
Microsoft-Windows-Sysmon/Operational |
5 |
Process terminated (rule: ProcessTerminate) |
Process terminated.
- UtcTime: Process terminated date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- Image: Path to the executable file (C:\Windows\System32\cmd.exe)
|
| Security |
4689 |
Process Termination |
A process has exited.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Exit Status: Process return value (0x0)
- Log Date and Time: Process terminated date and time (local time)
- Process Information > Process Name: Path to the executable file (C:\Windows\System32\cmd.exe)
- Subject > Logon ID: Session ID of the user who executed the process
|
| 16 |
Microsoft-Windows-Sysmon/Operational |
5 |
Process terminated (rule: ProcessTerminate) |
Process terminated.
- UtcTime: Process terminated date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- Image: Path to the executable file (C:\Windows\System32\winrshost.exe)
|
| Security |
4689 |
Process Termination |
A process has exited.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Exit Status: Process return value (0x0)
- Log Date and Time: Process terminated date and time (local time)
- Process Information > Process Name: Path to the executable file (C:\Windows\System32\winrshost.exe)
- Subject > Logon ID: Session ID of the user who executed the process
|
| 17 |
Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the executable file (C:\Windows\System32\svchost.exe)
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file (C:\Windows\Prefetch\WINRSHOST.EXE-[RANDOM].pf)
- CreationUtcTime: File creation date and time (UTC)
|
| Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Windows\Prefetch\WINRSHOST.EXE-[RANDOM].pf)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
| Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Windows\Prefetch\WINRSHOST.EXE-[RANDOM].pf)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
| Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|