1 |
Microsoft-Windows-Sysmon/Operational |
1 |
Process Create (rule: ProcessCreate) |
Process Create.
- LogonGuid/LogonId: GUID/ID of the logon session the process runs in
- ParentProcessGuid/ParentProcessId: Process GUID/Process ID of the parent process
- ParentImage: Executable file of the parent process
- CurrentDirectory: Working directory
- CommandLine: Command line of the executed command (vssadmin create shadow /For=C:)
- IntegrityLevel: Integrity level of the process token (High)
- ParentCommandLine: Command line of the parent process
- UtcTime: Process start date and time (UTC)
- ProcessGuid/ProcessId: Process GUID/Process ID
- User: Account the process runs as
- Hashes: Hash values of the executable file
- Image: Path to the executable file (C:\Windows\System32\vssadmin.exe)
|
Security |
4688 |
Process Create |
A new process has been created.
- Subject > Security ID/Account Name/Account Domain: SID/account name/domain of the user who ran the tool
- Log Date and Time: Process start date and time (local time)
- Process Information > New Process Name: Path to the executable file (C:\Windows\System32\vssadmin.exe)
- Process Information > Token Elevation Type: Elevation type of the new process token (1 = TokenElevationTypeDefault, a full token with no privileges removed or groups disabled; this is the type seen when UAC is disabled or the process runs as a service or as the built-in Administrator)
- Process Information > New Process ID: Process ID (hexadecimal)
- Process Information > Source Process ID: Process ID of the parent process that created the new process (labelled "Creator Process ID" on Windows 7)
- Subject > Logon ID: Logon session ID of the user who ran the process
|
2 |
Security |
4672 |
Special Logon |
Privileges assigned to a new logon.
- Privileges: Assigned privileges (SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Subject > Logon ID: Session ID of the user who executed the process
- Subject > Account Domain: Domain to which the account belongs (NT AUTHORITY)
- Subject > Account Name: Name of the account that executed the tool (SYSTEM)
|
3 |
Security |
4670 |
Authorization Policy Change |
Permissions on an object were changed.
- Process Information > Process ID: Process ID (hexadecimal)
- Audit Success: Success or failure (change successful)
- Object > Object Name: Name of the target object
- Subject > Account Name: Name of the account that made the change ([Host Name]$)
- Subject > Account Domain: Domain to which the account belongs (domain name)
- Change permissions > New security descriptor: Security descriptor after the change, in SDDL (D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;[SID])): SYSTEM keeps GENERIC_ALL, the owner (OW) gets READ_CONTROL, and the SID shown gets GENERIC_ALL
- Process Information > Process Name: Name of the process that changed the permissions (C:\Windows\System32\services.exe)
- Change permissions > Original security descriptor: Security descriptor before the change, in SDDL (D:(A;;GA;;;SY)(A;;RCGXGR;;;BA)): SYSTEM has GENERIC_ALL and BUILTIN\Administrators has READ_CONTROL, GENERIC_EXECUTE and GENERIC_READ
- Subject > Security ID: SID of the account that made the change (SYSTEM)
- Object > Object Type: Type of the target object (Token)
- Subject > Logon ID: Logon session ID of the account that made the change
- Object > Handle ID: ID of the relevant handle
|
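The two SDDL strings in the 4670 row above are the whole substance of the change to the service token, and they are easier to read once expanded. The Python below is an added example, not part of the original sheet: it parses the DACL section of an SDDL string and reports which ACEs were removed and added between the original and new descriptors quoted in that row. The SID substituted for the [SID] placeholder is a constructed, hypothetical value.

```python
"""Parse the DACL of an SDDL string and diff two descriptors (added example)."""
import re
from typing import Dict, List, NamedTuple

# SDDL abbreviations: enough for the descriptors in the 4670 row above.
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED"}
RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE", "RC": "READ_CONTROL", "SD": "DELETE",
    "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
WELL_KNOWN_SIDS = {"SY": "Local System", "BA": "BUILTIN\\Administrators", "OW": "Owner Rights"}


class Ace(NamedTuple):
    ace_type: str
    flags: str
    rights: List[str]
    trustee: str

    def describe(self) -> str:
        who = WELL_KNOWN_SIDS.get(self.trustee, self.trustee)
        return f"{ACE_TYPES.get(self.ace_type, self.ace_type)} {'|'.join(self.rights)} to {who}"


def _split_rights(field: str) -> List[str]:
    """Rights come as two-letter tokens run together (RCGXGR) or as a hex mask."""
    if field.startswith("0x"):
        return [field]
    tokens = [field[i:i + 2] for i in range(0, len(field), 2)]
    return [RIGHTS.get(t, t) for t in tokens]


def parse_dacl(sddl: str) -> List[Ace]:
    """Return the ACEs of the D: (DACL) section, in order; [] if there is none."""
    m = re.search(r"D:(?:P|AI|AR)*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({ace})")
        ace_type, flags, rights, _object_guid, _inherit_guid, trustee = fields[:6]
        aces.append(Ace(ace_type, flags, _split_rights(rights), trustee))
    return aces


def diff_dacl(old: str, new: str) -> Dict[str, List[str]]:
    """Describe the ACEs removed from `old` and added in `new`."""
    old_aces, new_aces = parse_dacl(old), parse_dacl(new)
    return {
        "removed": [a.describe() for a in old_aces if a not in new_aces],
        "added": [a.describe() for a in new_aces if a not in old_aces],
    }


# Descriptors quoted in the 4670 row; the S-1-5-80-... SID is a constructed placeholder.
ORIGINAL_SD = "D:(A;;GA;;;SY)(A;;RCGXGR;;;BA)"
NEW_SD = "D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-1111111111-2222222222-3333333333-4444444444-5555555555)"

if __name__ == "__main__":
    for ace in parse_dacl(ORIGINAL_SD):
        print("before:", ace.describe())
    for ace in parse_dacl(NEW_SD):
        print("after: ", ace.describe())
    print(diff_dacl(ORIGINAL_SD, NEW_SD))
```

Running the diff shows the practical effect of the row: BUILTIN\Administrators loses its read/execute ACE on the token, while a single service SID is granted full access alongside SYSTEM.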
4 |
Microsoft-Windows-Sysmon/Operational |
1 |
Process Create (rule: ProcessCreate) |
Process Create.
- LogonGuid/LogonId: GUID/ID of the logon session the process runs in
- ParentProcessGuid/ParentProcessId: Process GUID/Process ID of the parent process
- ParentImage: Executable file of the parent process (C:\Windows\System32\services.exe)
- CurrentDirectory: Working directory (C:\Windows\system32\)
- CommandLine: Command line of the executed command (C:\Windows\system32\vssvc.exe)
- IntegrityLevel: Integrity level of the process token (System)
- ParentCommandLine: Command line of the parent process (C:\Windows\System32\services.exe)
- UtcTime: Process start date and time (UTC)
- ProcessGuid/ProcessId: Process GUID/Process ID
- User: Account the process runs as (NT AUTHORITY\SYSTEM)
- Hashes: Hash values of the executable file
- Image: Path to the executable file (C:\Windows\System32\VSSVC.exe)
|
Security |
4688 |
Process Create |
A new process has been created.
- Subject > Security ID/Account Name/Account Domain: SID/account name/domain of the user who ran the tool
- Log Date and Time: Process start date and time (local time)
- Process Information > New Process Name: Path to the executable file (C:\Windows\System32\VSSVC.exe)
- Process Information > Token Elevation Type: Elevation type of the new process token (1 = TokenElevationTypeDefault, a full token with no privileges removed or groups disabled; this is the type seen when UAC is disabled or the process runs as a service or as the built-in Administrator)
- Process Information > New Process ID: Process ID (hexadecimal)
- Process Information > Source Process ID: Process ID of the parent process that created the new process (labelled "Creator Process ID" on Windows 7)
- Subject > Logon ID: Logon session ID of the user who ran the process
|
System |
7036 |
Service Control Manager |
The [Service Name] service entered the [Status] state.
- Status: State after the transition (Running)
- Service Name: Target service name (Volume Shadow Copy)
|
System |
7036 |
Service Control Manager |
The [Service Name] service entered the [Status] state.
- Status: State after the transition (Running)
- Service Name: Target service name (Microsoft Software Shadow Copy Provider)
|
System |
7036 |
Service Control Manager |
The [Service Name] service entered the [Status] state.
- Status: State after the transition (Running)
- Service Name: Target service name (Device Setup Manager)
|
5 |
Security |
4661 |
SAM |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Audit Success: Success or failure (access successful)
- Object > Object Name: Name of the target object (CN=Builtin,DC=[Domain Name])
- Subject > Account Name: Name of the account that requested the handle ([Host Name]$)
- Access Request Information > Access: Requested access rights (DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, ReadPasswordParameters, WritePasswordParameters, ReadOtherParameters, WriteOtherParameters, CreateUser, CreateGlobalGroup, CreateLocalGroup, GetLocalGroupMembership, ListAccounts)
- Object > Object Server: Server that holds the object (Security Account Manager)
- Subject > Account Domain: Domain to which the account belongs (domain name)
- Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\lsass.exe)
- Subject > Security ID: SID of the account that requested the handle (SYSTEM)
- Object > Object Type: Type of the target object (SAM_DOMAIN)
- Subject > Logon ID: Logon session ID of the account that requested the handle
- Object > Handle ID: ID of the relevant handle (the same ID appears in the Event ID 4658 that closes it)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Account Name: Name of the account that closed the handle ([Host Name]$)
- Subject > Account Domain: Domain to which the account belongs (domain name)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)
- Subject > Security ID: SID of the account that closed the handle (SYSTEM)
- Subject > Logon ID: Logon session ID of the account that closed the handle
- Object > Handle ID: ID of the relevant handle (the handle obtained with the preceding Event ID 4661)
|
Security |
4661 |
SAM |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Audit Success: Success or failure (access successful)
- Object > Object Name: Name of the target object (CN=Builtin,DC=[Domain Name])
- Subject > Account Name: Name of the account that requested the handle ([Host Name]$)
- Access Request Information > Access: Requested access rights (DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, AddMember, RemoveMember, ListMembers, ReadInformation, WriteAccount)
- Object > Object Server: Server that holds the object (Security Account Manager)
- Subject > Account Domain: Domain to which the account belongs (domain name)
- Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\lsass.exe)
- Subject > Security ID: SID of the account that requested the handle (SYSTEM)
- Object > Object Type: Type of the target object (SAM_DOMAIN)
- Subject > Logon ID: Logon session ID of the account that requested the handle
- Object > Handle ID: ID of the relevant handle (the same ID appears in the Event ID 4658 that closes it)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Account Name: Name of the account that closed the handle ([Host Name]$)
- Subject > Account Domain: Domain to which the account belongs (domain name)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)
- Subject > Security ID: SID of the account that closed the handle (SYSTEM)
- Subject > Logon ID: Logon session ID of the account that closed the handle
- Object > Handle ID: ID of the relevant handle (the handle obtained with the preceding Event ID 4661)
|
6 |
Security |
4624 |
Logon |
An account was successfully logged on.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/account name/domain of the account that requested the logon (SYSTEM)
- New Logon > Logon ID/Logon GUID: Logon session ID/GUID of the newly logged-on account
- Detailed Authentication Information > Logon Process: Logon process used (Advapi)
- New Logon > Security ID/Account Name/Account Domain: SID/account name/domain of the newly logged-on account (SYSTEM)
- Logon Type: How the logon was performed (5 = Service: a service was started by the Service Control Manager)
- Process Information > Process Name: Path to the process that requested the logon (C:\Windows\System32\services.exe)
- Detailed Authentication Information > Authentication Package: Authentication package used (Negotiate)
- Subject > Logon ID: Logon session ID of the account that requested the logon
|
Security |
4672 |
Special Logon |
Privileges assigned to a new logon.
- Privileges: Assigned privileges (SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Subject > Logon ID: Session ID of the user who executed the process
- Subject > Account Domain: Domain to which the account belongs (NT AUTHORITY)
- Subject > Account Name: Name of the account that executed the tool (SYSTEM)
|
Security |
4670 |
Authorization Policy Change |
Permissions on an object were changed.
- Process Information > Process ID: Process ID (hexadecimal)
- Audit Success: Success or failure (change successful)
- Object > Object Name: Name of the target object
- Subject > Account Name: Name of the account that made the change ([Host Name]$)
- Subject > Account Domain: Domain to which the account belongs (domain name)
- Change permissions > New security descriptor: Security descriptor after the change, in SDDL (D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;[SID])): SYSTEM keeps GENERIC_ALL, the owner (OW) gets READ_CONTROL, and the SID shown gets GENERIC_ALL
- Process Information > Process Name: Name of the process that changed the permissions (C:\Windows\System32\services.exe)
- Change permissions > Original security descriptor: Security descriptor before the change, in SDDL (D:(A;;GA;;;SY)(A;;RCGXGR;;;BA)): SYSTEM has GENERIC_ALL and BUILTIN\Administrators has READ_CONTROL, GENERIC_EXECUTE and GENERIC_READ
- Subject > Security ID: SID of the account that made the change (SYSTEM)
- Object > Object Type: Type of the target object (Token)
- Subject > Logon ID: Logon session ID of the account that made the change
- Object > Handle ID: ID of the relevant handle
|
7 |
Microsoft-Windows-Sysmon/Operational |
10 |
Process accessed (rule: ProcessAccess) |
Process accessed.
- SourceProcessGUID/SourceProcessId/SourceThreadId: Process GUID/Process ID/Thread ID of the process that opened the handle
- TargetProcessGUID/TargetProcessId: Process GUID/Process ID of the process that was opened
- GrantedAccess: Access rights granted on the process handle (0x1FFFFF = PROCESS_ALL_ACCESS, 0x1000 = PROCESS_QUERY_LIMITED_INFORMATION)
- SourceImage: Path to the process that opened the handle (C:\Windows\system32\services.exe)
- TargetImage: Path to the process that was opened (C:\Windows\system32\vssvc.exe)
|
Microsoft-Windows-Sysmon/Operational |
10 |
Process accessed (rule: ProcessAccess) |
Process accessed.
- SourceProcessGUID/SourceProcessId/SourceThreadId: Process GUID/Process ID/Thread ID of the process that opened the handle
- TargetProcessGUID/TargetProcessId: Process GUID/Process ID of the process that was opened
- GrantedAccess: Access rights granted on the process handle (0x1FFFFF = PROCESS_ALL_ACCESS, 0x1000 = PROCESS_QUERY_LIMITED_INFORMATION)
- SourceImage: Path to the process that opened the handle (C:\Windows\system32\csrss.exe)
- TargetImage: Path to the process that was opened (C:\Windows\system32\vssvc.exe)
|
Microsoft-Windows-Sysmon/Operational |
10 |
Process accessed (rule: ProcessAccess) |
Process accessed.
- SourceProcessGUID/SourceProcessId/SourceThreadId: Process GUID/Process ID/Thread ID of the process that opened the handle
- TargetProcessGUID/TargetProcessId: Process GUID/Process ID of the process that was opened
- GrantedAccess: Access rights granted on the process handle (0x100000 = SYNCHRONIZE)
- SourceImage: Path to the process that opened the handle (C:\Windows\system32\svchost.exe)
- TargetImage: Path to the process that was opened (C:\Windows\system32\vssvc.exe)
|
8 |
Microsoft-Windows-Sysmon/Operational |
12/13 |
Registry object added or deleted / Registry value set (rule: RegistryEvent) |
Registry object added or deleted. / Registry value set.
- EventType: Operation type (CreateKey for Event ID 12, SetValue for Event ID 13)
- Image: Path to the executable file (C:\Windows\system32\vssvc.exe)
- ProcessGuid/ProcessId: Process GUID/Process ID
- TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS and under it)
|
Microsoft-Windows-Sysmon/Operational |
12 |
Registry object added or deleted (rule: RegistryEvent) |
Registry object added or deleted.
- EventType: Operation type (CreateKey)
- Image: Acting process (System, the kernel's System process)
- ProcessGuid/ProcessId: Process GUID/Process ID (4)
- TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum)
|
Microsoft-Windows-Sysmon/Operational |
12 |
Registry object added or deleted (rule: RegistryEvent) |
Registry object added or deleted.
- EventType: Operation type (CreateKey)
- Image: Acting process (System, the kernel's System process)
- ProcessGuid/ProcessId: Process GUID/Process ID (4)
- TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\STORAGE)
|
Microsoft-Windows-Sysmon/Operational |
12 |
Registry object added or deleted (rule: RegistryEvent) |
Registry object added or deleted.
- EventType: Operation type (CreateKey)
- Image: Acting process (System, the kernel's System process)
- ProcessGuid/ProcessId: Process GUID/Process ID (4)
- TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\STORAGE\VolumeSnapshot)
|
Microsoft-Windows-Sysmon/Operational |
12/13 |
Registry object added or deleted / Registry value set (rule: RegistryEvent) |
Registry object added or deleted. / Registry value set.
- EventType: Operation type (CreateKey for Event ID 12, SetValue for Event ID 13)
- Image: Acting process (System, the kernel's System process)
- ProcessGuid/ProcessId: Process GUID/Process ID (4)
- TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot[Number] and under it)
|
Microsoft-Windows-Sysmon/Operational |
12/13 |
Registry object added or deleted / Registry value set (rule: RegistryEvent) |
Registry object added or deleted. / Registry value set.
- EventType: Operation type (CreateKey for Event ID 12, SetValue for Event ID 13)
- Image: Acting process (System, the kernel's System process)
- ProcessGuid/ProcessId: Process GUID/Process ID (4)
- TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF} and under it)
|
Microsoft-Windows-Sysmon/Operational |
12 |
Registry object added or deleted (rule: RegistryEvent) |
Registry object added or deleted.
- EventType: Operation type (CreateKey)
- Image: Acting process (System, the kernel's System process)
- ProcessGuid/ProcessId: Process GUID/Process ID (4)
- TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b})
|
Microsoft-Windows-Sysmon/Operational |
12/13 |
Registry object added or deleted / Registry value set (rule: RegistryEvent) |
Registry object added or deleted. / Registry value set.
- EventType: Operation type (CreateKey for Event ID 12, SetValue for Event ID 13)
- Image: Acting process (System, the kernel's System process)
- ProcessGuid/ProcessId: Process GUID/Process ID (4)
- TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#STORAGE#VolumeSnapshot#HarddiskVolumeSnapshot[Number]#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} and under it)
|
9 |
Security |
4904 |
Audit Policy Change |
An attempt was made to register a security event source.
- Event Source > Source Name: Registered name of the event source (VSSAudit)
- Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
- Event Source > Event Source ID: Event Source ID (0x1273D5)
- Subject > Account Domain: Domain to which the account belongs (domain name)
- Process > Process ID: ID of the process that attempted registration
- Process > Process Name: Name of the process that attempted registration (C:\Windows\System32\VSSVC.exe)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Subject > Logon ID: Session ID of the user who attempted registration
|
Security |
8222 |
VSSAudit |
Shadow copy has been created.
- Shadow Device Name: Device name of the created shadow copy (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[Number])
- User SID: SID of the user on whose behalf the shadow copy was created
- Process ID: ID of the process on whose behalf the shadow copy was created
- User Name: Name of the user on whose behalf the shadow copy was created
- Source Computer: Host on which the shadow copy was created (host name)
- Provider ID: ID of the VSS provider that created the shadow copy (GUID)
- Shadow Set ID/Shadow ID: GUIDs of the created shadow copy set and of the shadow copy itself
- Process Image Name: Path to the process on whose behalf the shadow copy was created
- Source Volume: Volume the shadow copy was taken from (\\?\Volume{[Volume GUID]}\)
|
Security |
4905 |
Audit Policy Change |
An attempt was made to unregister a security event source.
- Event Source > Source Name: Name of the event source that was unregistered (VSSAudit)
- Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
- Event Source > Event Source ID: Event Source ID (0x1273D5)
- Subject > Account Domain: Domain to which the account belongs (domain name)
- Process > Process ID: ID of the process that attempted unregistration
- Process > Process Name: Name of the process that attempted unregistration (C:\Windows\System32\VSSVC.exe)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Subject > Logon ID: Session ID of the user who attempted unregistration
|
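Rows 1, 4 and 9 together describe the chain an analyst looks for: vssadmin.exe started with a create shadow command line, VSSVC.exe started by services.exe (with the Volume Shadow Copy service entering Running in System 7036), and then Security 8222 naming the created shadow device. The Python below is an added example, not part of the original sheet, that runs that correlation over constructed records using the field names from those rows. The host, user, times, PIDs and the 60-second window are assumptions, and joining the 8222 row back to the vssadmin row by user name and time is an assumed join, since the sheet does not state which process the 8222 row reports.

```python
"""Correlate vssadmin create shadow -> VSS service start -> 8222 (added example)."""
from datetime import datetime, timedelta
from typing import Dict, List

Event = Dict[str, object]
SYSMON = "Microsoft-Windows-Sysmon/Operational"
WINDOW = timedelta(seconds=60)   # assumed upper bound from vssadmin start to 8222


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample records, in arrival order; values are made up.
SAMPLE_EVENTS: List[Event] = [
    {"channel": SYSMON, "event_id": 1, "time": _ts("2024-05-01 10:00:00"),
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin create shadow /For=C:",
     "User": "CORP\\admin01", "IntegrityLevel": "High", "ProcessId": 4120},
    {"channel": SYSMON, "event_id": 1, "time": _ts("2024-05-01 10:00:01"),
     "Image": r"C:\Windows\System32\VSSVC.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "User": "NT AUTHORITY\\SYSTEM", "IntegrityLevel": "System", "ProcessId": 5004},
    {"channel": "System", "event_id": 7036, "time": _ts("2024-05-01 10:00:01"),
     "ServiceName": "Volume Shadow Copy", "Status": "Running"},
    {"channel": "Security", "event_id": 8222, "time": _ts("2024-05-01 10:00:03"),
     "UserName": "CORP\\admin01",
     "ShadowDeviceName": r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1"},
    {"channel": SYSMON, "event_id": 1, "time": _ts("2024-05-01 10:05:00"),
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin list shadows",
     "User": "CORP\\admin01", "IntegrityLevel": "High", "ProcessId": 4300},
]


def _is_vssadmin(ev: Event) -> bool:
    # Sysmon 1 carries CommandLine; Security 4688 only does so when
    # process command-line auditing is enabled, so this keys off Sysmon.
    return (ev["channel"] == SYSMON and ev["event_id"] == 1
            and str(ev.get("Image", "")).lower().endswith("\\vssadmin.exe"))


def is_vssadmin_create(ev: Event) -> bool:
    """vssadmin.exe asked to create a shadow copy (row 1)."""
    cmd = str(ev.get("CommandLine", "")).lower()
    return _is_vssadmin(ev) and "create" in cmd and "shadow" in cmd


def enumeration_only(events: List[Event]) -> List[Event]:
    """vssadmin runs that only list shadows (row 12): reconnaissance, not creation."""
    return [ev for ev in events if _is_vssadmin(ev)
            and "list shadows" in str(ev.get("CommandLine", "")).lower()]


def correlate(events: List[Event]) -> List[Dict[str, object]]:
    """One finding per vssadmin create, with the service start and 8222 device if they followed."""
    findings = []
    for ev in events:
        if not is_vssadmin_create(ev):
            continue
        finding = {"time": ev["time"], "user": ev["User"], "command": ev["CommandLine"],
                   "vssvc_started": False, "shadow_device": None}
        for later in events:
            delta = later["time"] - ev["time"]
            if delta < timedelta(0) or delta > WINDOW:
                continue
            if (later["channel"] == "System" and later["event_id"] == 7036
                    and later.get("ServiceName") == "Volume Shadow Copy"
                    and later.get("Status") == "Running"):
                finding["vssvc_started"] = True
            # Assumed join: the 8222 User Name matches the vssadmin User field.
            if (later["channel"] == "Security" and later["event_id"] == 8222
                    and later.get("UserName") == ev.get("User")):
                finding["shadow_device"] = later["ShadowDeviceName"]
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
    print("list-only runs:", [e["ProcessId"] for e in enumeration_only(SAMPLE_EVENTS)])
```

A vssadmin create with no 8222 inside the window is still worth a look (the request may have failed, or VSSAudit events may not be enabled), so the finding is emitted either way and the missing device is left as None.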
10 |
Microsoft-Windows-Sysmon/Operational |
5 |
Process terminated (rule: ProcessTerminate) |
Process terminated.
- UtcTime: Process terminated date and time (UTC)
- ProcessGuid/ProcessId: Process GUID/Process ID
- Image: Path to the executable file (C:\Windows\System32\vssadmin.exe)
|
Security |
4689 |
Process Termination |
A process has exited.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Exit Status: Process return value (0x0)
- Log Date and Time: Process terminated date and time (local time)
- Process Information > Process Name: Path to the executable file (C:\Windows\System32\vssadmin.exe)
- Subject > Logon ID: Session ID of the user who executed the process
|
11 |
Microsoft-Windows-Sysmon/Operational |
5 |
Process terminated (rule: ProcessTerminate) |
Process terminated.
- UtcTime: Process terminated date and time (UTC)
- ProcessGuid/ProcessId: Process GUID/Process ID
- Image: Path to the executable file (C:\Windows\System32\VSSVC.exe)
|
Security |
4689 |
Process Termination |
A process has exited.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Exit Status: Process return value (0x0)
- Log Date and Time: Process terminated date and time (local time)
- Process Information > Process Name: Path to the executable file (C:\Windows\System32\VSSVC.exe)
- Subject > Logon ID: Session ID of the user who executed the process
|
12 |
Microsoft-Windows-Sysmon/Operational |
1 |
Process Create (rule: ProcessCreate) |
Process Create.
- LogonGuid/LogonId: GUID/ID of the logon session the process runs in
- ParentProcessGuid/ParentProcessId: Process GUID/Process ID of the parent process
- ParentImage: Executable file of the parent process
- CurrentDirectory: Working directory (C:\Windows\system32\)
- CommandLine: Command line of the executed command (vssadmin list shadows)
- IntegrityLevel: Integrity level of the process token (High)
- ParentCommandLine: Command line of the parent process
- UtcTime: Process start date and time (UTC)
- ProcessGuid/ProcessId: Process GUID/Process ID
- User: Account the process runs as
- Hashes: Hash values of the executable file
- Image: Path to the executable file (C:\Windows\System32\vssadmin.exe)
|
Security |
4688 |
Process Create |
A new process has been created.
- Subject > Security ID/Account Name/Account Domain: SID/account name/domain of the user who ran the tool
- Log Date and Time: Process start date and time (local time)
- Process Information > New Process Name: Path to the executable file (C:\Windows\System32\vssadmin.exe)
- Process Information > Token Elevation Type: Elevation type of the new process token (1 = TokenElevationTypeDefault, a full token with no privileges removed or groups disabled; this is the type seen when UAC is disabled or the process runs as a service or as the built-in Administrator)
- Process Information > New Process ID: Process ID (hexadecimal)
- Process Information > Source Process ID: Process ID of the parent process that created the new process (labelled "Creator Process ID" on Windows 7)
- Subject > Logon ID: Logon session ID of the user who ran the process
|
13 |
Microsoft-Windows-Sysmon/Operational |
1 |
Process Create (rule: ProcessCreate) |
Process Create.
- LogonGuid/LogonId: GUID/ID of the logon session the process runs in
- ParentProcessGuid/ParentProcessId: Process GUID/Process ID of the parent process
- ParentImage: Executable file of the parent process (C:\Windows\System32\services.exe)
- CurrentDirectory: Working directory (C:\Windows\system32\)
- CommandLine: Command line of the executed command (C:\Windows\system32\vssvc.exe)
- IntegrityLevel: Integrity level of the process token (System)
- ParentCommandLine: Command line of the parent process (C:\Windows\System32\services.exe)
- UtcTime: Process start date and time (UTC)
- ProcessGuid/ProcessId: Process GUID/Process ID
- User: Account the process runs as (NT AUTHORITY\SYSTEM)
- Hashes: Hash values of the executable file
- Image: Path to the executable file (C:\Windows\System32\VSSVC.exe)
|
Security |
4688 |
Process Create |
A new process has been created.
- Subject > Security ID/Account Name/Account Domain: SID/account name/domain of the user who ran the tool
- Log Date and Time: Process start date and time (local time)
- Process Information > New Process Name: Path to the executable file (C:\Windows\System32\VSSVC.exe)
- Process Information > Token Elevation Type: Elevation type of the new process token (1 = TokenElevationTypeDefault, a full token with no privileges removed or groups disabled; this is the type seen when UAC is disabled or the process runs as a service or as the built-in Administrator)
- Process Information > New Process ID: Process ID (hexadecimal)
- Process Information > Source Process ID: Process ID of the parent process that created the new process (labelled "Creator Process ID" on Windows 7)
- Subject > Logon ID: Logon session ID of the user who ran the process
|
14 |
Security |
4661 |
SAM |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Audit Success: Success or failure (access successful)
- Object > Object Name: Name of the target object (CN=Builtin,DC=[Domain Name])
- Subject > Account Name: Name of the account that requested the handle ([Host Name]$)
- Access Request Information > Access: Requested access rights (DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, ReadPasswordParameters, WritePasswordParameters, ReadOtherParameters, WriteOtherParameters, CreateUser, CreateGlobalGroup, CreateLocalGroup, GetLocalGroupMembership, ListAccounts)
- Object > Object Server: Server that holds the object (Security Account Manager)
- Subject > Account Domain: Domain to which the account belongs (domain name)
- Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\lsass.exe)
- Subject > Security ID: SID of the account that requested the handle (SYSTEM)
- Object > Object Type: Type of the target object (SAM_DOMAIN)
- Subject > Logon ID: Logon session ID of the account that requested the handle
- Object > Handle ID: ID of the relevant handle (the same ID appears in the Event ID 4658 that closes it)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Account Name: Name of the account that closed the handle ([Host Name]$)
- Subject > Account Domain: Domain to which the account belongs (domain name)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)
- Subject > Security ID: SID of the account that closed the handle (SYSTEM)
- Subject > Logon ID: Logon session ID of the account that closed the handle
- Object > Handle ID: ID of the relevant handle (the handle obtained with the preceding Event ID 4661)
|
Security |
4661 |
SAM |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Audit Success: Success or failure (access successful)
- Object > Object Name: Name of the target object (CN=Builtin,DC=[Domain Name])
- Subject > Account Name: Name of the account that requested the handle ([Host Name]$)
- Access Request Information > Access: Requested access rights (DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, AddMember, RemoveMember, ListMembers, ReadInformation, WriteAccount)
- Object > Object Server: Server that holds the object (Security Account Manager)
- Subject > Account Domain: Domain to which the account belongs (domain name)
- Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\lsass.exe)
- Subject > Security ID: SID of the account that requested the handle (SYSTEM)
- Object > Object Type: Type of the target object (SAM_DOMAIN)
- Subject > Logon ID: Logon session ID of the account that requested the handle
- Object > Handle ID: ID of the relevant handle (the same ID appears in the Event ID 4658 that closes it)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Account Name: Name of the account that closed the handle ([Host Name]$)
- Subject > Account Domain: Domain to which the account belongs (domain name)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)
- Subject > Security ID: SID of the account that closed the handle (SYSTEM)
- Subject > Logon ID: Logon session ID of the account that closed the handle
- Object > Handle ID: ID of the relevant handle (the handle obtained with the preceding Event ID 4661)
|
15 |
Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the process that created the file (C:\Windows\system32\vssvc.exe)
- ProcessGuid/ProcessId: Process GUID/Process ID
- TargetFilename: Created file (C:\System Volume Information\RemoteVss)
- CreationUtcTime: File creation date and time (UTC)
|
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested access rights (SYNCHRONIZE, WriteAttributes)
- Object > Object Name: Target file name (C:\System Volume Information\RemoteVss)
- Subject > Account Name: Name of the account that requested the handle ([Host Name]$)
- Subject > Account Domain: Domain to which the account belongs (domain name)
- Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\VSSVC.exe)
- Subject > Security ID: SID of the account that requested the handle (SYSTEM)
- Object > Object Type: Type of the target object (File)
- Subject > Logon ID: Logon session ID of the account that requested the handle
- Object > Handle ID: ID of the relevant handle
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Access rights exercised (SYNCHRONIZE, WriteAttributes)
- Audit Success: Success or failure (access successful)
- Object > Object Name: Target file name (C:\System Volume Information\RemoteVss)
- Subject > Account Name: Name of the account that accessed the object ([Host Name]$)
- Subject > Account Domain: Domain to which the account belongs (domain name)
- Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\VSSVC.exe)
- Subject > Security ID: SID of the account that accessed the object (SYSTEM)
- Object > Object Type: Type of the target object (File)
- Subject > Logon ID: Logon session ID of the account that accessed the object
- Object > Handle ID: ID of the relevant handle (the handle obtained with the preceding Event ID 4656)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Account Name: Name of the account that closed the handle ([Host Name]$)
- Subject > Account Domain: Domain to which the account belongs (domain name)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\VSSVC.exe)
- Subject > Security ID: SID of the account that closed the handle (SYSTEM)
- Subject > Logon ID: Logon session ID of the account that closed the handle
- Object > Handle ID: ID of the relevant handle (the handle obtained with the preceding Event ID 4656)
|
16 |
Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the process that created the file (C:\Windows\system32\vssvc.exe)
- ProcessGuid/ProcessId: Process GUID/Process ID
- TargetFilename: Created file (C:\System Volume Information\RemoteVss\{[GUID]}-{[GUID]}.PMS)
- CreationUtcTime: File creation date and time (UTC)
|
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested access rights (including WriteData or AddFile, and AppendData)
- Object > Object Name: Target file name (C:\System Volume Information\RemoteVss\{[GUID]}-{[GUID]}.PMS)
- Subject > Account Name: Name of the account that requested the handle ([Host Name]$)
- Subject > Account Domain: Domain to which the account belongs (domain name)
- Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\VSSVC.exe)
- Subject > Security ID: SID of the account that requested the handle (SYSTEM)
- Object > Object Type: Type of the target object (File)
- Subject > Logon ID: Logon session ID of the account that requested the handle
- Object > Handle ID: ID of the relevant handle
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Access rights exercised (WriteData or AddFile, AppendData)
- Audit Success: Success or failure (access successful)
- Object > Object Name: Target file name (C:\System Volume Information\RemoteVss\{[GUID]}-{[GUID]}.PMS)
- Subject > Account Name: Name of the account that accessed the object ([Host Name]$)
- Subject > Account Domain: Domain to which the account belongs (domain name)
- Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\VSSVC.exe)
- Subject > Security ID: SID of the account that accessed the object (SYSTEM)
- Object > Object Type: Type of the target object (File)
- Subject > Logon ID: Logon session ID of the account that accessed the object
- Object > Handle ID: ID of the relevant handle (the handle obtained with the preceding Event ID 4656)
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Account Name: Name of the account that closed the handle ([Host Name]$)
- Subject > Account Domain: Domain to which the account belongs (domain name)
- Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\VSSVC.exe)
- Subject > Security ID: SID of the account that closed the handle (SYSTEM)
- Subject > Logon ID: Logon session ID of the account that closed the handle
- Object > Handle ID: ID of the relevant handle (the handle obtained with the preceding Event ID 4656)
|
17 |
Microsoft-Windows-Sysmon/Operational |
5 |
Process terminated (rule: ProcessTerminate) |
Process terminated.
- UtcTime: Process termination date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- Image: Path to the executable file (C:\Windows\System32\vssadmin.exe)
|
Security |
4689 |
Process Termination |
A process has exited.
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Process Information > Exit Status: Process return value (0x0)
- Log Date and Time: Process termination date and time (local time)
- Process Information > Process Name: Path to the executable file (C:\Windows\System32\vssadmin.exe)
- Subject > Logon ID: Session ID of the user who executed the process
|
18 |
Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the executable file
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file ([Path]\ntds.dit)
- CreationUtcTime: File creation date and time (UTC)
|
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including SYNCHRONIZE, WRITE_DAC, WriteData or AddFile, AppendData, and WriteAttributes)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Path]\ntds.dit)
- Process Information > Process Name: Name of the process that requested the handle
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including SYNCHRONIZE, WRITE_DAC, WriteData or AddFile, AppendData, and WriteAttributes)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Path]\ntds.dit)
- Process Information > Process Name: Name of the process that accessed the object
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that closed the handle
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
19 |
Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the executable file
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file ([Path]\SYSTEM)
- CreationUtcTime: File creation date and time (UTC)
|
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including SYNCHRONIZE, WRITE_DAC, WriteData or AddFile, AppendData, and WriteAttributes)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Path]\SYSTEM)
- Process Information > Process Name: Name of the process that requested the handle
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including SYNCHRONIZE, WRITE_DAC, WriteData or AddFile, AppendData, and WriteAttributes)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Path]\SYSTEM)
- Process Information > Process Name: Name of the process that accessed the object
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that closed the handle
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
20 |
Microsoft-Windows-Sysmon/Operational |
11 |
File created (rule: FileCreate) |
File created.
- Image: Path to the executable file
- ProcessGuid/ProcessId: Process ID
- TargetFilename: Created file ([Path]\SAM)
- CreationUtcTime: File creation date and time (UTC)
|
Security |
4656 |
File System/Other Object Access Events |
A handle to an object was requested.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including SYNCHRONIZE, WRITE_DAC, WriteData or AddFile, AppendData, and WriteAttributes)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Path]\SAM)
- Process Information > Process Name: Name of the process that requested the handle
- Object > Object Type: Type of the file (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4663 |
File System |
An attempt was made to access an object.
- Process Information > Process ID: Process ID (hexadecimal)
- Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including SYNCHRONIZE, WRITE_DAC, WriteData or AddFile, AppendData, and WriteAttributes)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Object > Object Name: Target file name ([Path]\SAM)
- Process Information > Process Name: Name of the process that accessed the object
- Object > Object Type: Category of the target (File)
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle
|
Security |
4658 |
File System |
The handle to an object was closed.
- Process Information > Process ID: Process ID (hexadecimal)
- Process Information > Process Name: Name of the process that closed the handle
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
- Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
|
System |
7036 |
Service Control Manager |
The [Service Name] service entered the [Status] state.
- Status: State after the transition (Stopped)
- Service Name: Target service name (Device Setup Manager)
|
System |
7036 |
Service Control Manager |
The [Service Name] service entered the [Status] state.
- Status: State after the transition (Stopped)
- Service Name: Target service name (Volume Shadow Copy)
|
System |
7036 |
Service Control Manager |
The [Service Name] service entered the [Status] state.
- Status: State after the transition (Stopped)
- Service Name: Target service name (Microsoft Software Shadow Copy Provider)
|