1 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected. (Inbound connection to the RPC endpoint mapper on TCP 135. Sysmon records an accepted connection from the listening socket's point of view, so the Source fields hold the destination host and the Destination fields hold the source host; the Initiated field of this event is false.)
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (source host IP address)
- Image: Path to the executable file (C:\Windows\System32\svchost.exe)
- DestinationHostname: Destination host name (source host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
- DestinationPort: Destination port number (high port)
- SourcePort: Source port number (135)
- SourceHostname: Source host name (destination host name)
- SourceIp: Source IP address (destination host IP address)
|
Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection. (Logged only when the "Filtering Platform Connection" subcategory is audited for Success; it is not audited by default and is high volume.)
- Network Information > Destination Port: Destination port number (high port)
- Network Information > Source Port: Source port number (135)
- Network Information > Destination Address: Destination IP address (source host IP address)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)
- Network Information > Direction: Communication direction (inbound)
- Network Information > Source Address: Source IP address (destination host IP address)
- Application Information > Process ID: Process ID
|
2 |
Security |
4672 |
Special Logon |
Privileges assigned to a new logon.
- Privileges: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- Subject > Logon ID: Session ID of the user who executed the process
|
Security |
4624 |
Logon |
An account was successfully logged on.
- Process Information > Process ID: Process ID (hexadecimal) (0x0)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
- New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
- Detailed Authentication Information > Package Name (NTLM only): NTLM version (-)
- Detailed Authentication Information > Logon Process: Process used for logon (Kerberos)
- Network Information > Source Port: Source port number (high port)
- New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on
- Logon Type: Logon path, method, etc. (3=Network)
- Network Information > Workstation Name: Name of the host that requested the logon
- Detailed Authentication Information > Key Length: Length of the key used for the authentication (0)
- Process Information > Process Name: Path to the executable file (-)
- Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos)
- Network Information > Source Network Address: IP address that requested the logon (source host IP address)
- Subject > Logon ID: Session ID of the user who executed the authentication
|
3 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (Domain Controller IP address)
- Image: Path to the executable file (C:\Windows\System32\lsass.exe)
- DestinationHostname: Destination host name (Domain Controller host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\SYSTEM)
- DestinationPort: Destination port number (88)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name (destination host name)
- SourceIp: Source IP address (destination host IP address)
|
Security |
5158 |
Filtering Platform Connection |
The Windows Filtering Platform has permitted a bind to a local port. (Same audit subcategory as 5156; not audited by default.)
- Network Information > Protocol: Protocol used (6=TCP)
- Network Information > Source Port: Bind local port (high port)
- Application Information > Process ID: Process ID
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
|
Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (88)
- Network Information > Source Port: Source port number (high port)
- Network Information > Destination Address: Destination IP address (Domain Controller IP address)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
- Network Information > Direction: Communication direction (outbound)
- Network Information > Source Address: Source IP address (destination host IP address)
- Application Information > Process ID: Process ID
|
4 |
Microsoft-Windows-Sysmon/Operational |
3 |
Network connection detected (rule: NetworkConnect) |
Network connection detected.
- Protocol: Protocol (tcp)
- DestinationIp: Destination IP address (source host IP address)
- Image: Path to the executable file (C:\Windows\System32\svchost.exe)
- DestinationHostname: Destination host name (source host name)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\SYSTEM)
- DestinationPort: Destination port number (high port)
- SourcePort: Source port number (high port)
- SourceHostname: Source host name (destination host name)
- SourceIp: Source IP address (destination host IP address)
|
Security |
5156 |
Filtering Platform Connection |
The Windows Filtering Platform has allowed a connection.
- Network Information > Destination Port: Destination port number (high port)
- Network Information > Source Port: Source port number (high port)
- Network Information > Destination Address: Destination IP address (source host IP address)
- Network Information > Protocol: Protocol used (6=TCP)
- Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)
- Network Information > Direction: Communication direction (inbound)
- Network Information > Source Address: Source IP address (destination host IP address)
- Application Information > Process ID: Process ID
|
5 |
Security |
4624 |
Logon |
An account was successfully logged on. (Local service logon of NETWORK SERVICE by svchost.exe. Source Network Address is "-", so this event does not identify the remote source host; the type 3 logon in step 2 does.)
- Process Information > Process ID: Process ID (hexadecimal)
- Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (SYSTEM/[Target Host Name]/[Domain])
- New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
- Detailed Authentication Information > Package Name (NTLM only): NTLM version (-)
- Detailed Authentication Information > Logon Process: Process used for logon (Advapi)
- Network Information > Source Port: Source port number (-)
- New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on ([NETWORK SERVICE]/[NETWORK SERVICE]/[NT AUTHORITY])
- Logon Type: Logon path, method, etc. (5=Service)
- Network Information > Workstation Name: Name of the host that requested the logon
- Detailed Authentication Information > Key Length: Length of the key used for the authentication (0)
- Process Information > Process Name: Path to the executable file (C:\Windows\System32\svchost.exe)
- Detailed Authentication Information > Authentication Package: Authentication package used (Negotiate)
- Network Information > Source Network Address: IP address that requested the logon (-)
- Subject > Logon ID: Session ID of the user who executed the authentication
|
6 |
Microsoft-Windows-Sysmon/Operational |
1 |
Process Create (rule: ProcessCreate) |
Process Create.
- LogonGuid/LogonId: ID of the logon session
- ParentProcessGuid/ParentProcessId: Process ID of the parent process
- ParentImage: Executable file of the parent process (C:\Windows\System32\svchost.exe)
- CurrentDirectory: Work directory
- CommandLine: Command line of the execution command (C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding)
- IntegrityLevel: Integrity level of the new process (System)
- ParentCommandLine: Command line of the parent process (C:\Windows\System32\svchost.exe -k DcomLaunch)
- UtcTime: Process execution date and time (UTC)
- ProcessGuid/ProcessId: Process ID
- User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
- Hashes: Hash value of the executable file
- Image: Path to the executable file (C:\Windows\System32\wbem\WmiPrvSE.exe)
|
Security |
4688 |
Process Create |
A new process has been created.
- Process Information > Mandatory Label: Integrity level of the new process
- Process Information > Source Process Name: Path to parent process that created the new process
- Subject > Account Name: Name of the account that executed the tool (destination host name)
- Log Date and Time: Process execution date and time (local time)
- Subject > Account Domain: Domain to which the account belongs (domain)
- Process Information > New Process Name: Path to the executable file (C:\Windows\System32\wbem\WmiPrvSE.exe)
- Process Information > Token Elevation Type: UAC token type (1 = TokenElevationTypeDefault, a full token that UAC has not split; services and SYSTEM processes always show 1)
- Process Information > New Process ID: Process ID (hexadecimal)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
- Subject > Logon ID: Session ID of the user who executed the process
|
7 |
Microsoft-Windows-Sysmon/Operational |
12 |
Registry object added or deleted (rule: RegistryEvent) |
Registry object added or deleted.
- EventType: Operation type (CreateKey)
- Image: Path to the executable file (C:\Windows\system32\wbem\wmiprvse.exe)
- ProcessGuid/ProcessId: Process ID
- TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM)
|
8 |
Microsoft-Windows-Sysmon/Operational |
10 |
Process accessed (rule: ProcessAccess) |
Process accessed. (One event per process that WmiPrvSE.exe opens, 13 in this sequence; the same read/query mask is requested against every running process, which is consistent with WmiPrvSE.exe enumerating processes rather than injecting into one.)
- SourceProcessGUID/SourceProcessId/SourceThreadId: Process GUID/Process ID/Thread ID of the access source process
- TargetProcessGUID/TargetProcessId: Process GUID/Process ID of the access destination process
- GrantedAccess: Details of the granted access (0x1410 = PROCESS_VM_READ 0x0010 | PROCESS_QUERY_INFORMATION 0x0400 | PROCESS_QUERY_LIMITED_INFORMATION 0x1000; no PROCESS_VM_WRITE, PROCESS_VM_OPERATION or PROCESS_CREATE_THREAD)
- SourceImage: Path to the access source process (C:\Windows\system32\wbem\wmiprvse.exe)
- TargetImage: Path to the access destination process, one event per target (C:\Windows\System32\smss.exe, C:\Windows\System32\csrss.exe, C:\Windows\System32\wininit.exe, C:\Windows\System32\winlogon.exe, C:\Windows\System32\services.exe, C:\Windows\System32\lsass.exe, C:\Windows\System32\lsm.exe, C:\Windows\System32\svchost.exe, C:\Windows\System32\spoolsv.exe, C:\Windows\System32\taskhost.exe, C:\Windows\System32\Dwm.exe, C:\Windows\Explorer.EXE, C:\Windows\System32\SearchIndexer.exe)
|
9 |
Security |
4611 |
Security System Extension |
A trusted logon process has been registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
- Subject > Account Name: Account name (destination host name)
- Logon Process Name: Name of the logon process registered with LSA (ConsentUI)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Subject > Account Domain: Domain (Domain)
- Subject > Logon ID: Session ID of the user who executed the process
|
Security |
4673 |
Sensitive Privilege Use |
A privileged service was called.
- Service Request Information > Privilege: Privileges used (SeTcbPrivilege)
- Subject > Account Name: Name of the account that executed the tool (destination host name)
- Subject > Account Domain: Domain to which the account belongs (domain)
- Process > Process ID: ID of the process that used the privilege
- Process > Process Name: Process that used the privileges (C:\Windows\System32\lsass.exe)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Subject > Logon ID: Session ID of the user who executed the process
|
Security |
4611 |
Security System Extension |
A trusted logon process has been registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
- Subject > Account Name: Account name (destination host name)
- Logon Process Name: Name of the logon process registered with LSA (CredProvConsent)
- Subject > Security ID: SID of the user who executed the tool (SYSTEM)
- Subject > Account Domain: Domain (Domain)
- Subject > Logon ID: Session ID of the user who executed the process
|
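The chain on this sheet can be checked mechanically. The following is an added example, not part of the JPCERT sheet or of any tool it describes: it correlates step 2 (Security 4624, logon type 3 with a remote Source Network Address), step 6 (Sysmon 1 creating WmiPrvSE.exe under svchost.exe -k DcomLaunch) and step 8 (a burst of Sysmon 10 events from wmiprvse.exe with GrantedAccess 0x1410) inside one time window, and decodes the access mask into its named rights. The records are constructed inline and use the EventData names from the Sysmon and Security XML (Image, ParentCommandLine, GrantedAccess, SourceImage, TargetImage, LogonType, IpAddress, TargetUserName, TargetDomainName); the addresses, account names, PIDs and timestamps are made up, and the 60-second window and five-target threshold are assumptions to tune per environment.

```python
"""Correlate destination-host events for remote WMI execution (added example).

This code is not part of the JPCERT sheet. The records below are constructed
to mirror the fields the sheet lists, using the EventData names from the
Sysmon and Security XML. Hosts, IPs (192.0.2.0/24 documentation range), PIDs
and timestamps (UTC seconds) are made up.
"""

# Process access rights from winnt.h. The sheet's 0x1410 decomposes into the
# first three: enough to enumerate a process and read its memory, not to inject.
ACCESS_FLAGS = {
    0x0010: "PROCESS_VM_READ",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x0008: "PROCESS_VM_OPERATION",
    0x0020: "PROCESS_VM_WRITE",
    0x0002: "PROCESS_CREATE_THREAD",
}


def decode_granted_access(mask):
    """Name the rights set in a Sysmon GrantedAccess mask ('0x1410' or int)."""
    value = int(mask, 16) if isinstance(mask, str) else mask
    names = [name for bit, name in sorted(ACCESS_FLAGS.items()) if value & bit]
    unknown = value & ~sum(ACCESS_FLAGS)  # bits not in the table above
    if unknown:
        names.append(f"0x{unknown:x}")
    return names


def _is_wmiprvse(path):
    return path.lower().endswith("\\wmiprvse.exe")


def detect_remote_wmi(events, window=60, min_targets=5):
    """Return one finding per remote-WMI chain seen on the destination host.

    Chain, following sheet steps 2, 6 and 8: Security 4624 with LogonType 3
    from a remote address, then within `window` seconds Sysmon 1 creating
    WmiPrvSE.exe under 'svchost.exe -k DcomLaunch', then Sysmon 10 events from
    wmiprvse.exe carrying PROCESS_VM_READ against >= `min_targets` processes.
    Type 5 service logons (sheet step 5) have no address and are skipped.
    """
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for i, logon in enumerate(events):
        if logon["log"] != "Security" or logon["id"] != 4624:
            continue
        if logon["LogonType"] != 3 or logon["IpAddress"] in ("-", "127.0.0.1", "::1"):
            continue
        spawn, targets = None, set()
        for e in events[i + 1:]:
            if e["time"] - logon["time"] > window:
                break
            if e["log"] != "Sysmon":
                continue
            if (e["id"] == 1 and _is_wmiprvse(e["Image"])
                    and "-k dcomlaunch" in e["ParentCommandLine"].lower()):
                spawn = e
            elif (spawn and e["id"] == 10 and _is_wmiprvse(e["SourceImage"])
                    and "PROCESS_VM_READ" in decode_granted_access(e["GrantedAccess"])):
                targets.add(e["TargetImage"].lower())
        if spawn and len(targets) >= min_targets:
            findings.append({
                "source_ip": logon["IpAddress"],
                "account": f'{logon["TargetDomainName"]}\\{logon["TargetUserName"]}',
                "wmiprvse_pid": spawn["ProcessId"],
                "targets": len(targets),
            })
    return findings


def _ev(time, log, id, **fields):
    return {"time": time, "log": log, "id": id, **fields}


# Constructed sample: a local service logon that must not match (step 5), a
# remote chain from 192.0.2.10 (steps 2, 6, 8), and a later logon with no WMI.
SAMPLE_EVENTS = [
    _ev(50, "Security", 4624, LogonType=5, IpAddress="-",
        TargetDomainName="NT AUTHORITY", TargetUserName="NETWORK SERVICE"),
    _ev(100, "Security", 4624, LogonType=3, IpAddress="192.0.2.10",
        TargetDomainName="CORP", TargetUserName="jdoe"),
    _ev(103, "Sysmon", 1, ProcessId=3344,
        Image="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
        ParentCommandLine="C:\\Windows\\System32\\svchost.exe -k DcomLaunch"),
] + [
    _ev(104 + n, "Sysmon", 10, GrantedAccess="0x1410",
        SourceImage="C:\\Windows\\system32\\wbem\\wmiprvse.exe",
        TargetImage=f"C:\\Windows\\System32\\{name}")
    for n, name in enumerate(["smss.exe", "csrss.exe", "wininit.exe",
                              "winlogon.exe", "services.exe", "lsass.exe"])
] + [
    _ev(900, "Security", 4624, LogonType=3, IpAddress="192.0.2.20",
        TargetDomainName="CORP", TargetUserName="backup"),
]

if __name__ == "__main__":
    for finding in detect_remote_wmi(SAMPLE_EVENTS):
        print(finding)
```

The type 5 logon is skipped because its Source Network Address is "-", and a WmiPrvSE.exe start with no preceding network logon (a local WMI query) produces no finding, so the anchor of the chain is always the remote 4624. On a real host the same records come from the Security and Microsoft-Windows-Sysmon/Operational channels via Get-WinEvent or an exported EVTX; the thresholds should be tuned against normal WMI monitoring traffic before alerting on them.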