1 |
Security |
4688 |
Process Create |
A new process has been created.
- Process Information > Required Label: Necessity of privilege escalation (Mandatory Label\Medium Mandatory Level)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Source Process Name: Path to parent process that created the new process
- Log Date and Time: Process execution date and time (local time)
- Process Information > New Process Name: Path to the executable file (C:\Windows\System32\mstsc.exe)
- Process Information > Token Escalation Type: Presence of privilege escalation (1)
- Process Information > New Process ID: Process ID (hexadecimal)
- Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
- Subject > Logon ID: Session ID of the user who executed the process
|
Microsoft-Windows-Sysmon/Operational |
1 |
Process Create (rule: ProcessCreate) |
Process Create.
- LogonGuid/LogonId: ID of the logon session
- ParentProcessGuid/ParentProcessId: Process ID of the parent process
- ParentImage: Executable file of the parent process
- CurrentDirectory: Work directory
- CommandLine: Command line of the execution command
- IntegrityLevel: Privilege level
- ParentCommandLine: Command line of the parent process
- UtcTime: Process execution date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user
- Hashes: Hash value of the executable file
- Image: Path to the executable file (C:\Windows\System32\mstsc.exe)
|
2 |
Microsoft-Windows-Sysmon/Operational |
12 |
Registry object added or deleted (rule: RegistryEvent) |
Registry object added or deleted.
- EventType: Process type (CreateKey)
- Image: Path to the executable file (C:\Windows\system32\mstsc.exe)
- ProcessGuid/ProcessId: Process ID
- TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness)
|
3 |
Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the executable file (C:\Windows\system32\mstsc.exe)
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file (C:\Users\[User Name]\AppData\Local\Microsoft\Terminal Server Client\Cache)
- CreationUtcTime: File creation date and time (UTC)
|
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including SYNCHRONIZE and WriteAttributes)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Microsoft\Terminal Server Client\Cache)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\mstsc.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteAttributes)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Local\Microsoft\Terminal Server Client\Cache)
- Access Request Information > Access: Requested privilege
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\mstsc.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
4 |
Microsoft-Windows-TerminalServices-RDPClient/Operational |
1024 |
Connection Sequence |
RDP ClientActiveX is trying to connect to the server ([Destination Host Name]). |
Microsoft-Windows-TerminalServices-RDPClient/Operational |
1028 |
Connection Sequence |
The server supports SSL = supported. |
5 |
Microsoft-Windows-Sysmon/Operational |
12 |
Registry object added or deleted (rule: RegistryEvent) |
Registry object added or deleted.
- EventType: Process type (CreateKey)
- Image: Path to the executable file (C:\Windows\system32\mstsc.exe)
- ProcessGuid/ProcessId: Process ID
- TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters)
|
6 |
Microsoft-Windows-Sysmon/Operational |
13 |
Registry value set (rule: RegistryEvent) |
Registry value set.
- EventType: Process type (SetValue)
- Image: Path to the executable file (C:\Windows\Explorer.EXE)
- ProcessGuid/ProcessId: Process ID
- Details: Setting value written to the registry (Binary Data)
- TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ErzbgrQrfxgbc)
|
7 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (destination host IP address)
- Image: Path to the executable file (C:\Windows\System32\mstsc.exe)
- DestinationHostname: Destination host name (destination host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user
- DestinationPort: Destination port number (3389)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name (source host name)
- SourceIp: Source IP address (source host IP address)
|
Security |
5158 |
Filtering Platform Connection |
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bind local port (high port)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\mstsc.exe)
|
Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (3389)
- Network Information > Source Port: Source port number (high port)
- Network Information > Destination Address: Destination IP address (destination host)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\mstsc.exe)
- Network Information > Direction: Communication direction (outbound)
- Network Information > Source Address: Source IP address (source host)
- Application Information > Process ID: Process ID
|
8 |
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Windows\Prefetch\MSTSC.EXE-[RANDOM].pf)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Windows\Prefetch\MSTSC.EXE-[RANDOM].pf)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
9 |
Microsoft-Windows-Sysmon/Operational |
12 |
Registry object added or deleted (rule: RegistryEvent) |
Registry object added or deleted.
- EventType: Process type (CreateKey)
- Image: Path to the executable file (C:\Windows\system32\mstsc.exe)
- ProcessGuid/ProcessId: Process ID
- TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL)
|
10 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (Domain Controller IP address)
- Image: Path to the executable file (C:\Windows\System32\lsass.exe)
- DestinationHostname: Destination host name (Domain Controller host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\SYSTEM)
- DestinationPort: Destination port number (88)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name (source host name)
- SourceIp: Source IP address (source host IP address)
|
Security |
5158 |
Filtering Platform Connection |
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bind local port (high port)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
|
Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (88)
- Network Information > Source Port: Source port number (high port)
- Network Information > Destination Address: Destination IP address (Domain Controller)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
- Network Information > Direction: Communication direction (outbound)
- Network Information > Source Address: Source IP address (source host)
- Application Information > Process ID: Process ID
|
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (Domain Controller IP address)
- Image: Path to the executable file (C:\Windows\System32\lsass.exe)
- DestinationHostname: Destination host name (Domain Controller host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\SYSTEM)
- DestinationPort: Destination port number (88)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name (source host name)
- SourceIp: Source IP address (source host IP address)
|
Security |
5158 |
Filtering Platform Connection |
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bind local port (high port)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
|
Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (88)
- Network Information > Source Port: Source port number (high port)
- Network Information > Destination Address: Destination IP address (Domain Controller)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
- Network Information > Direction: Communication direction (outbound)
- Network Information > Source Address: Source IP address (source host)
- Application Information > Process ID: Process ID
|
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (Domain Controller IP address)
- Image: Path to the executable file (C:\Windows\System32\lsass.exe)
- DestinationHostname: Destination host name (Domain Controller host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\SYSTEM)
- DestinationPort: Destination port number (88)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name (source host name)
- SourceIp: Source IP address (source host IP address)
|
Security |
5158 |
Filtering Platform Connection |
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bind local port (high port)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
|
Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (88)
- Network Information > Source Port: Source port number (high port)
- Network Information > Destination Address: Destination IP address (Domain Controller)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
- Network Information > Direction: Communication direction (outbound)
- Network Information > Source Address: Source IP address (source host)
- Application Information > Process ID: Process ID
|
11 |
Microsoft-Windows-TerminalServices-RDPClient/Operational |
1029 |
Connection Sequence |
Base64(SHA256(UserName)) is = [BASE64 Encoded SHA256 Hash Value of User Name] |
Microsoft-Windows-TerminalServices-RDPClient/Operational |
1025 |
Connection Sequence |
RDP ClientActiveX has connected to the server. |
12 |
Security |
4648 |
Logon |
A logon was attempted using explicit credentials.
- Process Information > Process ID: Process ID that attempted the logon
- Network Information > Port: Source Port (-)
- Account for which Credentials were Used > Account Name: Specified account name
- Subject > Logon ID/Logon GUID: Session ID of the user who executed the authentication
- Subject > Account Domain: Domain to which the account belongs
- Target Server > Target Server Name: Logon destination host name (destination host)
- Process Information > Process Name: Process name that attempted the logon (C:\Windows\System32\lsass.exe)
- Subject > Account Name: Name of the account that executed the tool
- Subject > Security ID: SID of the user who executed the tool
- Target Server > Additional Information: Additional information on the logon destination host (TERMSRV/[Destination Host])
- Account for which Credentials were Used > Account Domain: Domain to which the specified account belongs
- Network Information > Network Address: Logon source host
|
13 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (Domain Controller IP address)
- Image: Path to the executable file (C:\Windows\System32\lsass.exe)
- DestinationHostname: Destination host name (Domain Controller host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\SYSTEM)
- DestinationPort: Destination port number (88)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name (source host name)
- SourceIp: Source IP address (source host IP address)
|
Security |
5158 |
Filtering Platform Connection |
The Windows Filtering Platform has permitted a bind to a local port.
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bind local port (high port)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
|
Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (88)
- Network Information > Source Port: Source port number (high port)
- Network Information > Destination Address: Destination IP address (Domain Controller)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
- Network Information > Direction: Communication direction (outbound)
- Network Information > Source Address: Source IP address (source host)
- Application Information > Process ID: Process ID
|
14 |
Security |
4648 |
Logon |
A logon was attempted using explicit credentials.
- Process Information > Process ID: Process ID that attempted the logon
- Network Information > Port: Source Port (-)
- Account for which Credentials were Used > Account Name: Specified account name
- Subject > Logon ID/Logon GUID: Session ID of the user who executed the authentication
- Subject > Account Domain: Domain to which the account belongs
- Target Server > Target Server Name: Logon destination host name (destination host)
- Process Information > Process Name: Process name that attempted the logon (C:\Windows\System32\lsass.exe)
- Subject > Account Name: Name of the account that executed the tool
- Subject > Security ID: SID of the user who executed the tool
- Target Server > Additional Information: Additional information on the logon destination host (TERMSRV/[Destination Host])
- Account for which Credentials were Used > Account Domain: Domain to which the specified account belongs
- Network Information > Network Address: Logon source host
|
15 |
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users[User Name]\AppData\Local\Microsoft\Terminal Server Client\Cache\bcache[NUM].bmc)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\mstsc.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\mstsc.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
16 |
Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the executable file (C:\Windows\Explorer.EXE)
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\[RANDOM].automaticDestinations-ms)
- CreationUtcTime: File creation date and time (UTC)
|
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\[RANDOM].automaticDestinations-ms)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\explorer.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\explorer.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
17 |
Microsoft-Windows-Sysmon/Operational |
12 |
Registry object added or deleted (rule: RegistryEvent) |
Registry object added or deleted.
- EventType: Process type (CreateKey)
- Image: Path to the executable file (C:\Windows\system32\mstsc.exe)
- ProcessGuid/ProcessId: Process ID
- TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Terminal Server Client\Servers\[Target Host])
|
Microsoft-Windows-Sysmon/Operational |
13 |
Registry value set (rule: RegistryEvent) |
Registry value set.
- EventType: Process type (SetValue)
- Image: Path to the executable file (C:\Windows\system32\mstsc.exe)
- ProcessGuid/ProcessId: Process ID
- Details: Setting value written to the registry (String:[User Name])
- TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Terminal Server Client\Servers\[Target Host]\UsernameHint)
|
18 |
Microsoft-Windows-Sysmon/Operational |
12 |
Registry object added or deleted (rule: RegistryEvent) |
Registry object added or deleted.
- EventType: Process type (CreateKey)
- Image: Path to the executable file (C:\Windows\Explorer.EXE)
- ProcessGuid/ProcessId: Process ID
- TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Search)
|
Microsoft-Windows-Sysmon/Operational |
13 |
Registry value set (rule: RegistryEvent) |
Registry value set.
- EventType: Process type (SetValue)
- Image: Path to the executable file (C:\Windows\Explorer.EXE)
- ProcessGuid/ProcessId: Process ID
- Details: Setting value written to the registry (Binary Data)
- TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumpListChangedAppIds)
|
Microsoft-Windows-Sysmon/Operational |
12 |
Registry object added or deleted (rule: RegistryEvent) |
Registry object added or deleted.
- EventType: Process type (CreateKey)
- Image: Path to the executable file (C:\Windows\Explorer.EXE)
- ProcessGuid/ProcessId: Process ID
- TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData)
|
Microsoft-Windows-Sysmon/Operational |
13 |
Registry value set (rule: RegistryEvent) |
Registry value set.
- EventType: Process type (SetValue)
- Image: Path to the executable file (C:\Windows\Explorer.EXE)
- ProcessGuid/ProcessId: Process ID
- Details: Setting value written to the registry (QWORD)
- TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumpListData\Microsoft.Windows.RemoteDesktop)
|
Microsoft-Windows-Sysmon/Operational |
12 |
Registry object added or deleted (rule: RegistryEvent) |
Registry object added or deleted.
- EventType: Process type (CreateKey)
- Image: Path to the executable file (C:\Windows\system32\mstsc.exe)
- ProcessGuid/ProcessId: Process ID
- TargetObject: Registry key/value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Terminal Server Client\Default\AddIns\RDPDR)
|
19 |
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\[User Name]\Documents\Default.rdp)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\mstsc.exe)
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name (C:\[User Name]\Documents\Default.rdp)
- Audit Success: Success or failure (access successful)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\mstsc.exe)
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
20 |
Microsoft-Windows-Sysmon/Operational |
13 |
Registry value set (rule: RegistryEvent) |
Registry value set.
- EventType: Process type (SetValue)
- Image: Path to the executable file (C:\Windows\system32\mstsc.exe)
- ProcessGuid/ProcessId: Process ID
- Details: Setting value written to the registry (Destination)
- TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Terminal Server Client\Default\MRU0)
Remarks: The values "MRU0" to "MRU9" are available, and previously connected hosts are recorded. MRU0 indicates the last connection history. |
21 |
Microsoft-Windows-Sysmon/Operational |
12 |
Registry object added or deleted (rule: RegistryEvent) |
Registry object added or deleted.
- EventType: Process type (CreateKey)
- Image: Path to the executable file (C:\Windows\system32\mstsc.exe)
- ProcessGuid/ProcessId: Process ID
- TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Terminal Server Client\Default)
|
Microsoft-Windows-Sysmon/Operational |
13 |
Registry value set (rule: RegistryEvent) |
Registry value set.
- EventType: Process type (SetValue)
- Image: Path to the executable file (C:\Windows\Explorer.EXE)
- ProcessGuid/ProcessId: Process ID
- Details: Setting value written to the registry (Binary Data)
- TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ErzbgrQrfxgbc)
|
22 |
Microsoft-Windows-TerminalServices-RDPClient/Operational |
1105 |
Connection Sequence |
The multi-transport connection has been disconnected. |
Microsoft-Windows-TerminalServices-RDPClient/Operational |
1026 |
Connection Sequence |
RDP ClientActiveX has been disconnected (Reason = [Reason]). |
23 |
Microsoft-Windows-Sysmon/Operational |
5 |
Process terminated (rule: ProcessTerminate) |
Process terminated.
- UtcTime: Process terminated date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- Image: Path to the executable file (C:\Windows\System32\mstsc.exe)
|
Security |
4689 |
Process Termination |
A process has exited.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Exit Status: Process return value (0x0)
- Log Date and Time: Process terminated date and time (local time)
- Process Information > Process Name: Path to the executable file (C:\Windows\System32\mstsc.exe)
- Subject > Logon ID: Session ID of the user who executed the process
|