No. 1 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 1 | Task Category: Process Create (rule: ProcessCreate)
Process Create.
- LogonGuid/LogonId: ID of the logon session
- ParentProcessGuid/ParentProcessId: Process ID of the parent process
- ParentImage: Executable file of the parent process
- Image: Path to the executable file (C:\Windows\System32\dcdiag.exe)
- ParentCommandLine: Command line of the parent process
- UtcTime: Process execution date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- User: User the process ran as
- Hashes: Hash value of the executable file
- CommandLine: Command line of the executed command (the options show which test was run)

No. 1 | Log: Security | Event ID: 4688 | Task Category: Process Create
A new process has been created.
- Process Information > Required Label: Necessity of privilege escalation
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Log Date and Time: Process execution date and time (local time)
- Process Information > New Process Name: Path to the executable file (C:\Windows\System32\dcdiag.exe)
- Process Information > Token Escalation Type: Presence of privilege escalation (1)
- Process Information > New Process ID: Process ID (hexadecimal)
- Process Information > Source Process ID: Process ID of the parent process that created the new process ("Creator Process ID" in Windows 7)
- Subject > Logon ID: Session ID of the user who executed the process

No. 2 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 3 | Task Category: Network connection detected (rule: NetworkConnect)
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address
- Image: Path to the executable file (C:\Windows\System32\dcdiag.exe)
- DestinationHostname: Destination host name
- ProcessGuid/ProcessId: Process ID
- User: User the process ran as
- DestinationPort: Destination port number (389)
- SourcePort: Source port number
- SourceHostname: Source host name
- SourceIp: Source IP address

No. 2 | Log: Security | Event ID: 5158 | Task Category: Filtering Platform Connection
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bound local port (high port)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Executing process (\device\harddiskvolume2\windows\system32\dcdiag.exe)

No. 2 | Log: Security | Event ID: 5156 | Task Category: Filtering Platform Connection
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (389)
- Network Information > Source Port: Source port number (high port)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Executing process (\device\harddiskvolume2\windows\system32\dcdiag.exe)
- Network Information > Direction: Communication direction (outbound)
- Application Information > Process ID: Process ID

No. 2 | Log: Security | Event ID: 5156 | Task Category: Filtering Platform Connection
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (high port)
- Network Information > Source Port: Source port number (389)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Executing process (\device\harddiskvolume2\windows\system32\lsass.exe)
- Network Information > Direction: Communication direction (inbound)
- Application Information > Process ID: Process ID

No. 3 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 3 | Task Category: Network connection detected (rule: NetworkConnect)
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address
- Image: Path to the executable file (C:\Windows\System32\dcdiag.exe)
- DestinationHostname: Destination host name
- ProcessGuid/ProcessId: Process ID
- User: User the process ran as
- DestinationPort: Destination port number (135)
- SourcePort: Source port number
- SourceHostname: Source host name
- SourceIp: Source IP address

No. 3 | Log: Security | Event ID: 5158 | Task Category: Filtering Platform Connection
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bound local port (high port)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Executing process (\device\harddiskvolume2\windows\system32\dcdiag.exe)

No. 3 | Log: Security | Event ID: 5156 | Task Category: Filtering Platform Connection
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (135)
- Network Information > Source Port: Source port number (high port)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Executing process (\device\harddiskvolume2\windows\system32\dcdiag.exe)
- Network Information > Direction: Communication direction (outbound)
- Application Information > Process ID: Process ID

No. 3 | Log: Security | Event ID: 5156 | Task Category: Filtering Platform Connection
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (high port)
- Network Information > Source Port: Source port number (135)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Executing process (\device\harddiskvolume2\windows\system32\svchost.exe)
- Network Information > Direction: Communication direction (inbound)
- Application Information > Process ID: Process ID

No. 4 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 3 | Task Category: Network connection detected (rule: NetworkConnect)
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address
- Image: Path to the executable file (C:\Windows\System32\dcdiag.exe)
- DestinationHostname: Destination host name
- ProcessGuid/ProcessId: Process ID
- User: User the process ran as
- DestinationPort: Destination port number (high port)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name
- SourceIp: Source IP address

No. 4 | Log: Security | Event ID: 5158 | Task Category: Filtering Platform Connection
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bound local port (high port)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Executing process (\device\harddiskvolume2\windows\system32\dcdiag.exe)

No. 4 | Log: Security | Event ID: 5156 | Task Category: Filtering Platform Connection
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (high port)
- Network Information > Source Port: Source port number (high port)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Executing process (\device\harddiskvolume2\windows\system32\dcdiag.exe)
- Network Information > Direction: Communication direction (outbound)
- Application Information > Process ID: Process ID

No. 5 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 3 | Task Category: Network connection detected (rule: NetworkConnect)
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address
- Image: Path to the executable file (C:\Windows\System32\lsass.exe)
- DestinationHostname: Destination host name
- ProcessGuid/ProcessId: Process ID
- User: User the process ran as
- DestinationPort: Destination port number (the SourcePort of the immediately preceding Sysmon Event ID 3)
- SourcePort: Source port number (the DestinationPort of the immediately preceding Sysmon Event ID 3)
- SourceHostname: Source host name
- SourceIp: Source IP address

No. 5 | Log: Security | Event ID: 5156 | Task Category: Filtering Platform Connection
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (high port)
- Network Information > Source Port: Source port number (high port)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Executing process (\device\harddiskvolume2\windows\system32\lsass.exe)
- Network Information > Direction: Communication direction (inbound)
- Application Information > Process ID: Process ID

No. 6 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 3 | Task Category: Network connection detected (rule: NetworkConnect)
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address
- Image: Path to the executable file (C:\Windows\System32\lsass.exe)
- DestinationHostname: Destination host name
- ProcessGuid/ProcessId: Process ID
- User: User the process ran as
- DestinationPort: Destination port number (389)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name
- SourceIp: Source IP address

No. 6 | Log: Security | Event ID: 5158 | Task Category: Filtering Platform Connection
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bound local port (high port)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Executing process (\device\harddiskvolume2\windows\system32\dcdiag.exe)

No. 6 | Log: Security | Event ID: 5156 | Task Category: Filtering Platform Connection
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (389)
- Network Information > Source Port: Source port number (high port)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Executing process (\device\harddiskvolume2\windows\system32\dcdiag.exe)
- Network Information > Direction: Communication direction (outbound)
- Application Information > Process ID: Process ID

No. 7 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 3 | Task Category: Network connection detected (rule: NetworkConnect)
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address
- Image: Path to the executable file (C:\Windows\System32\lsass.exe)
- DestinationHostname: Destination host name
- ProcessGuid/ProcessId: Process ID
- User: User the process ran as
- DestinationPort: Destination port number (high port)
- SourcePort: Source port number (389)
- SourceHostname: Source host name
- SourceIp: Source IP address

No. 7 | Log: Security | Event ID: 5156 | Task Category: Filtering Platform Connection
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (high port)
- Network Information > Source Port: Source port number (389)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Executing process (\device\harddiskvolume2\windows\system32\lsass.exe)
- Network Information > Direction: Communication direction (inbound)
- Application Information > Process ID: Process ID

No. 8 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 3 | Task Category: Network connection detected (rule: NetworkConnect)
Network connection detected.
- Protocol: Protocol (udp)
- DestinationIp: Destination IP address
- Image: Path to the executable file (C:\Windows\System32\dcdiag.exe)
- DestinationHostname: Destination host name
- ProcessGuid/ProcessId: Process ID
- User: User the process ran as
- DestinationPort: Destination port number (53)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name
- SourceIp: Source IP address

No. 8 | Log: Security | Event ID: 5158 | Task Category: Filtering Platform Connection
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bound local port (high port)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Executing process (\device\harddiskvolume2\windows\system32\dcdiag.exe)

No. 8 | Log: Security | Event ID: 5156 | Task Category: Filtering Platform Connection
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (53)
- Network Information > Source Port: Source port number (high port)
- Network Information > Protocol: Protocol used (17=UDP)
- Application Information > Application Name: Executing process (\device\harddiskvolume2\windows\system32\dcdiag.exe)
- Network Information > Direction: Communication direction (outbound)
- Application Information > Process ID: Process ID

No. 9 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 3 | Task Category: Network connection detected (rule: NetworkConnect)
Network connection detected.
- Protocol: Protocol (udp)
- DestinationIp: Destination IP address
- Image: Path to the executable file (C:\Windows\System32\dns.exe)
- DestinationHostname: Destination host name
- ProcessGuid/ProcessId: Process ID
- User: User the process ran as
- DestinationPort: Destination port number (high port)
- SourcePort: Source port number (53)
- SourceHostname: Source host name
- SourceIp: Source IP address

No. 9 | Log: Security | Event ID: 5156 | Task Category: Filtering Platform Connection
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (high port)
- Network Information > Source Port: Source port number (53)
- Network Information > Protocol: Protocol used (17=UDP)
- Application Information > Application Name: Executing process (\device\harddiskvolume2\windows\system32\dns.exe)
- Network Information > Direction: Communication direction (inbound, permitted)
- Application Information > Process ID: Process ID

No. 10 | Log: Microsoft-Windows-Sysmon/Operational | Event ID: 5 | Task Category: Process terminated (rule: ProcessTerminate)
Process terminated.
- UtcTime: Process termination date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- Image: Path to the executable file (C:\Windows\System32\dcdiag.exe)

No. 10 | Log: Security | Event ID: 4689 | Task Category: Process Termination
A process has exited.
- Process Information > Process ID: Process ID (hexadecimal)
- Log Date and Time: Process termination date and time (local time)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Process Name: Path to the executable file (C:\Windows\System32\dcdiag.exe)
- Subject > Logon ID: Session ID of the user who executed the process

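Tying the two logs above together for one dcdiag.exe run, as an added example that is not part of the original sheet: the sample events are constructed, the field names (ProcessId, NewProcessId, ProcessID, Application, DestPort, Direction) are the ones these events carry, and the code joins Sysmon 1/3/5 to Security 4688/5156/4689 by process ID, converting the hexadecimal PID of 4688/4689 and the \device\harddiskvolumeN path of 5156 so the records actually match.

```python
import re
from collections import defaultdict
# Constructed sample events for one dcdiag.exe run (decimal PID 4321 == hex 0x10e1).
DCDIAG = r"C:\Windows\System32\dcdiag.exe"
DEVPATH = r"\device\harddiskvolume2\windows\system32\dcdiag.exe"
SAMPLE_EVENTS = [
    {"Log": "Sysmon", "EventID": 1, "ProcessId": "4321", "Image": DCDIAG, "CommandLine": "dcdiag /s:DC01"},
    {"Log": "Security", "EventID": 4688, "NewProcessId": "0x10e1", "NewProcessName": DCDIAG},
    {"Log": "Sysmon", "EventID": 3, "ProcessId": "4321", "Image": DCDIAG, "Protocol": "tcp", "DestinationPort": "389"},
    {"Log": "Security", "EventID": 5156, "ProcessID": "4321", "Application": DEVPATH,
     "Protocol": "6", "DestPort": "389", "Direction": "Outbound"},
    {"Log": "Security", "EventID": 5156, "ProcessID": "4321", "Application": DEVPATH,
     "Protocol": "17", "DestPort": "53", "Direction": "Outbound"},
    {"Log": "Security", "EventID": 5156, "ProcessID": "777", "Protocol": "6", "DestPort": "389",
     "Direction": "Inbound", "Application": r"\device\harddiskvolume2\windows\system32\lsass.exe"},
    {"Log": "Sysmon", "EventID": 5, "ProcessId": "4321", "Image": DCDIAG},
    {"Log": "Security", "EventID": 4689, "ProcessId": "0x10e1", "ProcessName": DCDIAG},
]
# 5156/5158 name the image by device path, Sysmon and 4688/4689 by drive letter; strip either prefix.
_PREFIX = re.compile(r"^(\\device\\harddiskvolume\d+|[a-z]:)", re.I)
_PROTO = {"6": "tcp", "17": "udp"}  # 5156 logs the IP protocol number, Sysmon the name

def normalize_image(path):
    return _PREFIX.sub("", path).lower()

def pid_of(ev):
    """Security 4688/4689 log the PID in hexadecimal; Sysmon and 5156 use decimal."""
    raw = ev.get("ProcessId") or ev.get("NewProcessId") or ev.get("ProcessID")
    return int(raw, 16) if raw.lower().startswith("0x") else int(raw)

def image_of(ev):
    keys = ("Image", "NewProcessName", "ProcessName", "Application")
    return next((normalize_image(ev[k]) for k in keys if k in ev), "")

def correlate(events, image=r"\windows\system32\dcdiag.exe"):
    """Rebuild each run's timeline from both logs: create -> outbound connects -> exit."""
    runs = defaultdict(lambda: {"created": set(), "ports": set(), "exited": set(), "cmd": None})
    for ev in events:
        if image_of(ev) != image:
            continue  # other processes (e.g. lsass.exe answering on 389) are not this run
        run, eid = runs[pid_of(ev)], ev["EventID"]
        if eid in (1, 4688):
            run["created"].add(ev["Log"])
            run["cmd"] = ev.get("CommandLine", run["cmd"])
        elif eid == 3 or (eid == 5156 and ev["Direction"] == "Outbound"):
            proto = _PROTO.get(ev["Protocol"], ev["Protocol"]).lower()
            run["ports"].add((proto, ev.get("DestinationPort") or ev["DestPort"]))
        elif eid in (5, 4689):
            run["exited"].add(ev["Log"])
    return dict(runs)
```

A run that shows up in Sysmon but not in Security (or the reverse) is the usual sign that one of the two audit sources is not enabled on that host, which is worth checking before reading anything into the destination ports.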