wmiexec.vbs

- Tool Overview

Category
Command Execution
Description
Used for Windows system management.
Example of Presumed Tool Use During an Attack
This tool executes commands on other hosts.

- Tool Operation Overview

Item Source Host Destination Host
OS Windows
Belonging to Domain Not required
Rights Standard user
Communication Protocol 135/tcp, 445/tcp, a randomly selected TCP port 1024 or higher

- Information Acquired from Log

Standard Settings
  • Source host
    • Execution history (Prefetch)
  • Destination Host
    • Execution history (Prefetch)
Additional Settings
  • Source host
    • Execution history (audit policy, Sysmon)
  • Destination Host
    • Execution history (audit policy, Sysmon)
    • File creation/delete history, share path use history (audit policy)

- Evidence That Can Be Confirmed When Execution is Successful

- Main Information Recorded at Execution

- Source Host

Event log

# Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • CommandLine: Command line of the execution command (cscript [Path to Tool] /cmd [Destination Host] [Domain]\[User Name] "[Password]" [Execution Command])
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\cscript.exe)
  • User: Execute as user
2 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (C:\Windows\System32\cscript.exe)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (source host)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (destination)
3 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (C:\Windows\System32\cscript.exe)
  • CommandLine: Command line of the execution command ("C:\Windows\System32\cmd.exe" /c net use \\[Destination Host] "[Password]" /user:[Domain]\[User Name])
  • ParentCommandLine: Command line of the parent process (cscript [Path to Tool] /cmd [Destination Host] [Domain]\[User Name] "[Password]" [Execution Command])
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Image: Path to the executable file (C:\Windows\System32\cmd.exe, and other execution commands)

Prefetch

Registry entry

# Path Value
1 HKEY_USERS\[User SID]\Software\Microsoft\Windows Script Host (Key)

- Destination Host

Event log

# Log Event ID Task Category Event Details
1 Security 5144 File Sharing A network share object was deleted.
  • Shared Information > Share Name: Name of the deleted object (\\*\WMI_SHARE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Shared Information > Share Path: Path to the deleted object (C:\windows\temp)
2 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\cmd.exe)
  • Object > Object Name: Target file name (C:\Windows\Temp\wmi.dll)
3 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (destination)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (domain controller port: 135)
4 Security 4672 Special Logon Privileges assigned to a new logon.
  • Privileges: Assigned special privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege)
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Subject > Account Name: Name of the account that executed the tool (administrator)
5 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (System)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (source port: 445)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (source host)
6 Security 5142 File Sharing A network share object was added.
  • Shared Information > Share Name: Name of the shared object (\\*\WMI_SHARE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the tool
  • Shared Information > Share Path: Path to the shared object (C:\windows\temp)
7 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (destination)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (source host)
8 Security 4663 File System An attempt was made to access an object.
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\ipconfig.exe)
  • Object > Object Name: Target file name (C:\Windows\Temp\wmi.dll)
9 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • ParentImage: Executable file of the parent process (C:\Windows\System32\wbem\WmiPrvSE.exe)
  • CommandLine: Command line of the execution command (cmd.exe /c ipconfig.exe > C:\windows\temp\wmi.dll 2>&1)
  • ParentCommandLine: Command line of the parent process (C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Image: Path to the executable file (C:\Windows\System32\cmd.exe)
10 Security 5145 Detailed File Share A network share object was checked to see whether the client can be granted the desired access.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Shared Information > Share Path: Share path (\??\C:\windows\temp)
  • Access Request Information > Access: Requested privileges (READ_CONTROL)
  • Shared Information > Share Name: Share name (\\*\WMI_SHARE)
  • Shared Information > Relative Target Name: Relative target name from the share path (wmi.dll)
  • Network Information > Source Address: Source IP address (source host)
11 Security 4689 Process Termination A process has exited.
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Exit Status: Process return value (0x0)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\ipconfig.exe)

USN journal

# File Name Process
1 wmi.dll CLOSE+FILE_DELETE
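The destination-host rows above describe a short, distinctive sequence: a share named WMI_SHARE appears over C:\windows\temp (5142), WmiPrvSE.exe spawns cmd.exe with stdout and stderr redirected into wmi.dll (Sysmon 1), wmi.dll is written (4663) and then read through the share from the source host (5145), and the share is removed again (5144). The following script is an added example, not part of the original sheet, that correlates those five indicators over constructed sample events. The event dicts and their field names (share_name, relative_target, granted fields, and the sample account and addresses) are an assumed flattening of the Security and Sysmon fields the sheet names, not a real log export.

```python
"""Correlate the destination-host artifacts of a wmiexec.vbs run.

Added example, not part of the original sheet. Each event is a constructed,
simplified dict; the field names (share_name, relative_target, ...) are an
assumed flattening of the Security/Sysmon fields named in the sheet.
"""
import re

# Constructed sample events in the order the sheet lists the destination-host
# artifacts: share added, WmiPrvSE.exe child with output redirected to
# wmi.dll, write to wmi.dll, share read of wmi.dll, share deleted.
SAMPLE_EVENTS = [
    {"log": "Security", "id": 5142, "user": "CORP\\jdoe",
     "share_name": "\\\\*\\WMI_SHARE", "share_path": "C:\\windows\\temp"},
    {"log": "Sysmon", "id": 1, "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c ipconfig.exe > C:\\windows\\temp\\wmi.dll 2>&1"},
    {"log": "Security", "id": 4663, "user": "CORP\\jdoe",
     "process_name": "C:\\Windows\\System32\\ipconfig.exe",
     "object_name": "C:\\Windows\\Temp\\wmi.dll", "access": "WriteData, AppendData"},
    {"log": "Security", "id": 5145, "user": "CORP\\jdoe",
     "share_name": "\\\\*\\WMI_SHARE", "relative_target": "wmi.dll",
     "source_address": "10.0.0.5"},
    {"log": "Security", "id": 5144, "user": "CORP\\jdoe",
     "share_name": "\\\\*\\WMI_SHARE", "share_path": "C:\\windows\\temp"},
    # Benign noise: a WMI-spawned command with no output redirection.
    {"log": "Sysmon", "id": 1, "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c systeminfo"},
]

# "> <file> 2>&1": stdout and stderr redirected into one file, as in the sheet.
_REDIRECT = re.compile(r">\s*(?P<path>\S+)\s+2>&1", re.IGNORECASE)


def is_wmi_share_event(ev: dict) -> bool:
    """Security 5142/5144/5145 whose share name is WMI_SHARE."""
    return (ev["log"] == "Security" and ev["id"] in (5142, 5144, 5145)
            and ev.get("share_name", "").upper().endswith("\\WMI_SHARE"))


def wmiprvse_redirect_target(ev: dict):
    """For a Sysmon 1 child of WmiPrvSE.exe, the file its output goes to, else None."""
    if ev["log"] != "Sysmon" or ev["id"] != 1:
        return None
    if not ev.get("parent_image", "").lower().endswith("\\wbem\\wmiprvse.exe"):
        return None
    m = _REDIRECT.search(ev.get("command_line", ""))
    return m.group("path").lower() if m else None


def correlate(events):
    """Collect the five indicators and count how many of them are present."""
    f = {"share_added": False, "share_deleted": False,
         "output_files": [], "file_writes": [], "share_reads": []}
    for ev in events:
        if is_wmi_share_event(ev):
            if ev["id"] == 5142:
                f["share_added"] = True
            elif ev["id"] == 5144:
                f["share_deleted"] = True
            else:
                f["share_reads"].append((ev.get("relative_target"), ev.get("source_address")))
        target = wmiprvse_redirect_target(ev)
        if target:
            f["output_files"].append(target)
        if ev["log"] == "Security" and ev["id"] == 4663 and "WriteData" in ev.get("access", ""):
            f["file_writes"].append(ev["object_name"].lower())
    # One point per indicator; a redirect target that was also written (4663)
    # links the WMI-spawned process to the file served through the share.
    f["score"] = sum([
        f["share_added"], f["share_deleted"],
        bool(f["output_files"]), bool(f["share_reads"]),
        bool(set(f["output_files"]) & set(f["file_writes"])),
    ])
    return f


if __name__ == "__main__":
    result = correlate(SAMPLE_EVENTS)
    print(f"score={result['score']}/5", result)
```

The 5142/5144/5145 events only exist when file-share auditing is enabled and 4663 only with object access auditing plus a SACL on C:\Windows\Temp, which is why the sheet lists them under Additional Settings; the Sysmon 1 redirect rule is the one indicator that survives without those, so it is worth alerting on by itself.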

- Details: Source Host

- Event Log

# Event Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command (cscript [Path to Tool] /cmd [Destination Host] [Domain]\[User Name] "[Password]" [Execution Command])
  • IntegrityLevel: Privilege level (Medium)
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\cscript.exe)
Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([User SID]/[Account Name]/[Domain])
  • Process Information > Source Process Name: Path to parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\cscript.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
2 Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Operation type (CreateKey)
  • Image: Path to the executable file (C:\Windows\System32\cscript.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Operation type (CreateKey)
  • Image: Path to the executable file (C:\Windows\System32\cscript.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows Script Host\Settings)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Operation type (CreateKey)
  • Image: Path to the executable file (C:\Windows\System32\cscript.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Operation type (SetValue)
  • Image: Path to the executable file (C:\Windows\System32\cscript.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (DWORD (0x00000000))
  • TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Operation type (SetValue)
  • Image: Path to the executable file (C:\Windows\System32\cscript.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (DWORD (0x00000000))
  • TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect)
3 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (C:\Windows\System32\cscript.exe)
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command ("C:\Windows\System32\cmd.exe" /c net use \\[Destination Host] "[Password]" /user:[Domain]\[User Name])
  • IntegrityLevel: Privilege level (Medium)
  • ParentCommandLine: Command line of the parent process (cscript [Path to Tool] /cmd [Destination Host] [Domain]\[User Name] "[Password]" [Execution Command])
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\cmd.exe)
Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\cmd.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
4 Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Operation type (CreateKey)
  • Image: Path to the executable file (C:\Windows\System32\cscript.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Operation type (CreateKey)
  • Image: Path to the executable file (C:\Windows\System32\cscript.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters)
5 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (C:\Windows\System32\cmd.exe)
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command (net use \\[Destination Host] "[Password]" /user:[Domain]\[User Name])
  • IntegrityLevel: Privilege level (Medium)
  • ParentCommandLine: Command line of the parent process ("C:\Windows\System32\cmd.exe" /c net use \\[Destination Host] "[Password]" /user:[Domain]\[User Name])
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\net.exe)
Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([User SID]/[Account Name]/[Domain])
  • Process Information > Source Process Name: Path to parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\net.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
6 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (destination host IP address)
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • DestinationHostname: Destination host name (destination host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
  • DestinationPort: Destination port number (135)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (135)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
7 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (Domain Controller IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (Domain Controller host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (88)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (88)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
8 Security 4648 Logon A logon was attempted using explicit credentials.
  • Process Information > Process ID: Process ID that attempted the logon
  • Network Information > Port: Source Port (-)
  • Account for which Credentials were Used > Account Name: Specified account name (account name)
  • Subject > Logon ID/Logon GUID: Session ID of the user who executed the authentication
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Target Server > Target Server Name: Logon destination host name (destination host)
  • Process Information > Process Name: Name of the process that attempted the logon (C:\Windows\System32\svchost.exe)
  • Subject > Account Name: Name of the account that executed the tool (account name)
  • Subject > Security ID: SID of the user who executed the tool (SID of the executed as user)
  • Target Server > Additional Information: Additional information on the logon destination host (RPCSS/[Destination Host])
  • Account for which Credentials were Used > Account Domain: Domain to which the specified account belongs (Domain)
  • Network Information > Network Address: Logon source host (-)
9 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (destination host IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (destination host name)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (445)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID (4)
  • Application Information > Application Name: Execution process (System)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (445)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID (4)
10 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (destination host IP address)
  • Image: Path to the executable file (C:\Windows\System32\cscript.exe)
  • DestinationHostname: Destination host name (destination host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\cscript.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\cscript.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
11 Security 4648 Logon A logon was attempted using explicit credentials.
  • Process Information > Process ID: Process ID that attempted the logon
  • Network Information > Port: Source Port (-)
  • Account for which Credentials were Used > Account Name: Specified account name
  • Subject > Logon ID/Logon GUID: Session ID of the user who executed the authentication
  • Subject > Account Domain: Domain to which the account belongs
  • Target Server > Target Server Name: Logon destination host name (destination host)
  • Process Information > Process Name: Name of the process that attempted the logon (C:\Windows\System32\cscript.exe)
  • Subject > Account Name: Name of the account that executed the tool
  • Subject > Security ID: SID of the user who executed the tool
  • Target Server > Additional Information: Additional information on the logon destination host (host/[Destination Host])
  • Account for which Credentials were Used > Account Domain: Domain to which the specified account belongs
  • Network Information > Network Address: Logon source host (-)
12 Security 4648 Logon A logon was attempted using explicit credentials.
  • Process Information > Process ID: Process ID that attempted the logon
  • Network Information > Port: Source Port (-)
  • Account for which Credentials were Used > Account Name: Specified account name (account name)
  • Subject > Logon ID/Logon GUID: Session ID of the user who executed the authentication
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Target Server > Target Server Name: Logon destination host name (target host)
  • Process Information > Process Name: Name of the process that attempted the logon (C:\Windows\System32\cscript.exe)
  • Subject > Account Name: Name of the account that executed the tool (account name)
  • Subject > Security ID: SID of the user who executed the tool (SID of the executed as user)
  • Target Server > Additional Information: Additional information on the logon destination host (target host)
  • Account for which Credentials were Used > Account Domain: Domain to which the specified account belongs (Domain)
  • Network Information > Network Address: Logon source host (-)
13 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (destination host IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (destination host name)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (139)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID (4)
  • Application Information > Application Name: Execution process (System)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (139)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host IP address)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host IP address)
  • Application Information > Process ID: Process ID (4)
14 Security 4648 Logon A logon was attempted using explicit credentials.
  • Process Information > Process ID: Process ID that attempted the logon
  • Network Information > Port: Source Port (-)
  • Account for which Credentials were Used > Account Name: Specified account name (account name)
  • Subject > Logon ID/Logon GUID: Session ID of the user who executed the authentication
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Target Server > Target Server Name: Logon destination host name (destination host)
  • Process Information > Process Name: Name of the process that attempted the logon
  • Subject > Account Name: Name of the account that executed the tool (account name)
  • Subject > Security ID: SID of the user who executed the tool (SID of the executed as user)
  • Target Server > Additional Information: Additional information on the logon destination host (destination host)
  • Account for which Credentials were Used > Account Domain: Domain to which the specified account belongs (Domain)
  • Network Information > Network Address: Logon source host (-)
15 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\net.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([User SID]/[Account Name]/[Domain])
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\net.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
16 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\cmd.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([User SID]/[Account Name]/[Domain])
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\cmd.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
17 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (C:\Windows\System32\cscript.exe)
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command ("C:\Windows\System32\cmd.exe" /c net use \\[Destination Host] /del)
  • IntegrityLevel: Privilege level (Medium)
  • ParentCommandLine: Command line of the parent process (cscript [Path to Tool] /cmd [Destination Host] [Domain]\[User Name] "[Password]" [Execution Command])
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user ([Domain]\[User Name])
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\cmd.exe)
Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([User SID]/[Account Name]/[Domain])
  • Process Information > Source Process Name: Path to the parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\cmd.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
18 Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access (0x1fffff)
  • SourceImage: Path to the access source process (C:\Windows\System32\cscript.exe)
  • TargetImage: Path to the access destination process (C:\Windows\System32\cmd.exe)
19 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (C:\Windows\System32\cmd.exe)
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command (net use \\[Destination Host] /del)
  • IntegrityLevel: Privilege level (Medium)
  • ParentCommandLine: Command line of the parent process ("C:\Windows\System32\cmd.exe" /c net use \\[Destination Host] /del)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user ([Domain]\[User Name])
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\net.exe)
Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([User SID]/[Account Name]/[Domain])
  • Process Information > Source Process Name: Path to the parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\net.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
20 Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access (0x1fffff)
  • SourceImage: Path to the access source process (C:\Windows\System32\cmd.exe)
  • TargetImage: Path to the access destination process (C:\Windows\System32\net.exe)
21 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\net.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([User SID]/[Account Name]/[Domain])
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\net.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
22 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\cmd.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([User SID]/[Account Name]/[Domain])
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\cmd.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
23 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\cscript.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool ([User SID]/[Account Name]/[Domain])
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\cscript.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
24 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\Prefetch\CSCRIPT.EXE-[ALPHANUM].pf)
  • CreationUtcTime: File creation date and time (UTC)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
  • Object > Object Name: Target file name (C:\Windows\Prefetch\CSCRIPT.EXE-[ALPHANUM].pf)
  • Subject > Account Name: Name of the account that executed the tool (source host)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
  • Audit Success: Success or failure (access successful)
  • Object > Object Name: Target file name (C:\Windows\Prefetch\CSCRIPT.EXE-[ALPHANUM].pf)
  • Subject > Account Name: Name of the account that executed the tool (source host)
  • Access Request Information > Access: Requested privileges (WriteData, AppendData)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Account Name: Name of the account that executed the tool (source host)
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)

- USN Journal

# File Name Process Attribute
1 CSCRIPT.EXE-[RANDOM].pf FILE_CREATE archive+not_indexed
CSCRIPT.EXE-[RANDOM].pf DATA_EXTEND+FILE_CREATE archive+not_indexed
CSCRIPT.EXE-[RANDOM].pf CLOSE+DATA_EXTEND+FILE_CREATE archive+not_indexed

- Prefetch

# Prefetch File Process Name Process Path Information That Can Be Confirmed
1 C:\Windows\Prefetch\CSCRIPT.EXE-[RANDOM].pf CSCRIPT.EXE C:\WINDOWS\SYSTEM32\CSCRIPT.EXE Last Run Time (last execution date and time)

- Registry Entry

# Path Type Value
1 HKEY_USERS\[User SID]\Software\Microsoft\Windows Script Host\Settings Key (No value to be set)

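As an added example (not part of this page or of wmiexec.vbs), the detection logic below applies the indicators this page records: on the source host, cscript.exe spawning cmd.exe /c net use \\[Destination Host] /del (event log rows 17 and 19 above); on the destination host (the section that follows), WmiPrvSE.exe spawning cmd.exe with output redirected to C:\windows\temp\wmi.dll 2>&1, the \\*\WMI_SHARE share on C:\windows\temp, and cmd.exe creating C:\Windows\Temp\wmi.dll. The host name HOST-B, the account CORP\alice, the script file name and the timestamps in the sample records are constructed; the redirect check is generalised to any file under C:\Windows\Temp so a renamed output file still matches.

```python
"""Detection logic for the wmiexec.vbs event trail documented on this page.
Added example, not code from the page or from wmiexec.vbs. Sample records are
constructed to mirror the page's Sysmon/Security field names."""
import re
from typing import Dict, Iterable, List

Event = Dict[str, object]
SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Source host, rows 17/19: cscript.exe -> cmd.exe /c net use \\[Destination Host] /del
NET_USE_DEL = re.compile(r"net\s+use\s+(\\\\\S+)\s+/del\b", re.IGNORECASE)
# Destination host, row 10: cmd.exe /c [command] > C:\windows\temp\wmi.dll 2>&1
# Generalised to any file under C:\Windows\Temp so a renamed output file still matches.
TEMP_REDIRECT = re.compile(r">\s*([a-z]:\\windows\\temp\\[^\s>]+)\s+2>&1", re.IGNORECASE)
# Destination host, row 9: a share named \\*\WMI_SHARE is added (path C:\windows\temp)
WMI_SHARE_NAME = re.compile(r"^\\\\\*\\WMI_SHARE$", re.IGNORECASE)
TEMP_DIR = "c:\\windows\\temp\\"


def _basename(path: object) -> str:
    """Lower-cased file name of a Windows path; tolerates a missing field."""
    return str(path or "").rsplit("\\", 1)[-1].lower()


def check_event(ev: Event) -> List[str]:
    """Return the names of the page-documented indicators this single event matches."""
    hits: List[str] = []
    channel, eid = ev.get("Channel"), ev.get("EventID")
    if channel == SYSMON and eid == 1:
        parent, image = _basename(ev.get("ParentImage")), _basename(ev.get("Image"))
        cmdline = str(ev.get("CommandLine", ""))
        # Source host: the tool tearing down the SMB session it opened to the target.
        if parent == "cscript.exe" and image == "cmd.exe" and NET_USE_DEL.search(cmdline):
            hits.append("source:cscript_net_use_del")
        # Destination host: the WMI provider host spawning cmd.exe with output captured to Temp.
        if parent == "wmiprvse.exe" and image == "cmd.exe" and TEMP_REDIRECT.search(cmdline):
            hits.append("dest:wmiprvse_cmd_temp_redirect")
    elif channel == SYSMON and eid == 11:
        # Destination host, row 13: cmd.exe writing a ".dll" under C:\Windows\Temp; the file
        # holds the captured command output, which is why cmd.exe (not a linker) creates it.
        target = str(ev.get("TargetFilename", "")).lower()
        if _basename(ev.get("Image")) == "cmd.exe" and target.startswith(TEMP_DIR) and target.endswith(".dll"):
            hits.append("dest:cmd_filecreate_temp_dll")
    elif channel == "Security" and eid == 5142:
        if WMI_SHARE_NAME.match(str(ev.get("ShareName", ""))):
            hits.append("dest:wmi_share_added")
    return hits


def analyze(events: Iterable[Event]) -> Dict[str, List[str]]:
    """Map each matched indicator to the UtcTime values of the events that triggered it."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        for name in check_event(ev):
            findings.setdefault(name, []).append(str(ev.get("UtcTime", "?")))
    return findings


def verdict(findings: Dict[str, List[str]]) -> str:
    """Combine indicators as the page's trail does: share + WmiPrvSE-spawned redirect is the
    destination-host trail; the cscript cleanup alone is the source-host trail."""
    dest = {name for name in findings if name.startswith("dest:")}
    if {"dest:wmi_share_added", "dest:wmiprvse_cmd_temp_redirect"} <= dest:
        return "wmiexec.vbs destination-host trail (high confidence)"
    if dest:
        return "partial destination-host indicators"
    if "source:cscript_net_use_del" in findings:
        return "wmiexec.vbs source-host trail"
    return "no indicators"


# Constructed sample records. HOST-B, CORP\alice and the timestamps are made up;
# command lines follow the page's rows with the bracketed placeholders filled in.
SAMPLE_SOURCE_HOST: List[Event] = [
    {"Channel": SYSMON, "EventID": 1, "UtcTime": "2024-01-01 09:59:58",
     "ParentImage": r"C:\Windows\System32\cscript.exe",
     "ParentCommandLine": r'cscript wmiexec.vbs /cmd HOST-B CORP\alice "[Password]" ipconfig',
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c net use \\HOST-B /del'},
]
SAMPLE_DESTINATION_HOST: List[Event] = [
    {"Channel": "Security", "EventID": 5142, "UtcTime": "2024-01-01 10:00:01",
     "ShareName": r"\\*\WMI_SHARE", "SharePath": r"C:\windows\temp"},
    {"Channel": SYSMON, "EventID": 1, "UtcTime": "2024-01-01 10:00:02",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentCommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c ipconfig.exe > C:\windows\temp\wmi.dll 2>&1"},
    {"Channel": SYSMON, "EventID": 11, "UtcTime": "2024-01-01 10:00:02",
     "Image": r"C:\Windows\System32\cmd.exe", "TargetFilename": r"C:\Windows\Temp\wmi.dll"},
    # Ordinary WMI-launched command for contrast: no share, no redirect into Temp.
    {"Channel": SYSMON, "EventID": 1, "UtcTime": "2024-01-01 10:05:00",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c hostname"},
]

if __name__ == "__main__":
    for label, events in (("source host", SAMPLE_SOURCE_HOST), ("destination host", SAMPLE_DESTINATION_HOST)):
        found = analyze(events)
        print(f"{label}: {verdict(found)} {found}")
```

The single-event checks are deliberately narrow (parent/child pair plus command-line shape) so that ordinary WMI-launched commands and ordinary `net use /del` calls do not fire; the combined verdict is what an analyst would alert on.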
- Details: Destination Host

- Event Log

# Event Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (Domain Controller IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (Domain Controller host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (135)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (destination host name)
  • SourceIp: Source IP address (destination host IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (135)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller IP address)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (source host IP address)
  • Application Information > Process ID: Process ID
2 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (445)
  • SourceHostname: Source host name (destination host name)
  • SourceIp: Source IP address (destination host IP address)
Security 5152 Filtering Platform Packet Drop The Windows Filtering Platform blocked a packet.
  • Network Information > Destination Port: Destination port number (445)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host IP address)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (source host IP address)
  • Application Information > Process ID: Process ID (4)
Security 5157 Filtering Platform Connection The Windows Filtering Platform has blocked a connection.
  • Network Information > Destination Port: Destination port number (445)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host IP address)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (source host IP address)
  • Application Information > Process ID: Process ID (4)
3 Security 4672 Special Logon Privileges assigned to a new logon.
  • Privileges: Assigned special privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege)
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Subject > Account Name: Name of the account that executed the tool (administrator)
Security 4624 Logon An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Logon Process: Process used for logon (Kerberos)
  • Network Information > Source Port: Source port number (high port)
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on
  • Logon Type: Logon path, method, etc. (3=Network)
  • Network Information > Workstation Name: Name of the host that requested the logon
  • Detailed Authentication Information > Key Length: Length of the key used for the authentication (0)
  • Process Information > Process Name: Path to the executable file (-)
  • Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos)
  • Network Information > Source Network Address: IP address that requested the logon (source host)
  • Subject > Logon ID: Session ID of the user who executed the authentication
4 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (destination host name)
  • SourceIp: Source IP address (destination host IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
5 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (135)
  • SourceHostname: Source host name (destination host name)
  • SourceIp: Source IP address (destination host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (135)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (destination host)
  • Application Information > Process ID: Process ID
6 Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (destination host)
  • Application Information > Process ID: Process ID
7 Security 4672 Special Logon Privileges assigned to a new logon.
  • Privileges: Assigned special privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege)
  • Subject > Security ID: SID of the user who executed the tool (SID of the administrator)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Subject > Account Domain: Domain to which the account belongs (domain)
  • Subject > Account Name: Name of the account that executed the tool (administrator)
Security 4624 Logon An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal) (0x0)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Package Name (NTLM only): NTLM version (NTLM V2)
  • Detailed Authentication Information > Logon Process: Process used for logon (NtLmSsp)
  • Network Information > Source Port: Source port number (high port)
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on
  • Logon Type: Logon path, method, etc. (3)
  • Network Information > Workstation Name: Name of the host that requested the logon (source host name)
  • Detailed Authentication Information > Key Length: Length of the key used for the authentication (128)
  • Process Information > Process Name: Path to the executable file (-)
  • Detailed Authentication Information > Authentication Package: Authentication package used (NTLM)
  • Network Information > Source Network Address: IP address that requested the logon (source host IP address)
  • Subject > Logon ID: Session ID of the user who executed the authentication
8 Security 5447 Other Policy Changing Events A Windows Filtering Platform filter has been changed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Provider Information > ID: Provider ID
  • Change Information > Change Type: Details of the performed process (addition)
  • Additional Information > Conditions: Filter conditions
  • Filter Information > ID at Execution: ID at filter execution
  • Subject > Account Name: Name of the account that executed the tool (NT AUTHORITY\LOCAL SERVICE)
  • Filter Information > ID: Filter UUID
  • Provider Information > Name: Provider name (Microsoft Corporation)
  • Filter Information > Name: Filter name (sharing of a file and printer)
  • Subject > Security ID: SID of the user who executed the tool (LOCAL SERVICE)
  • Additional Information > Filter Action: Operation when matched (permission)
9 Security 5142 File Sharing A network share object was added.
  • Shared Information > Share Name: Name of the shared object (\\*\WMI_SHARE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the tool
  • Shared Information > Share Path: Path to the shared object (C:\windows\temp)
10 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (C:\Windows\System32\wbem\WmiPrvSE.exe)
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command (cmd.exe /c ipconfig.exe > C:\windows\temp\wmi.dll 2>&1)
  • IntegrityLevel: Privilege level (High)
  • ParentCommandLine: Command line of the parent process (C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\cmd.exe)
Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to the parent process that created the new process (C:\Windows\System32\wbem\WmiPrvSE.exe)
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\cmd.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
11 Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access (0x1fffff)
  • SourceImage: Path to the access source process (C:\Windows\system32\wbem\wmiprvse.exe)
  • TargetImage: Path to the access destination process (C:\Windows\System32\cmd.exe)
Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\system32\wbem\wmiprvse.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[Administrator SID])
12 Microsoft-Windows-WMI-Activity/Operational 5857 WMI-Activity [Provider] provider started with result code [Result Code]. Host Process = [Host Process]; Process ID = [Process ID]; Provider Path = [Provider Path]
  • Provider Path: File of the provider (%systemroot%\system32\wbem\cimwin32.dll)
  • Provider: WMI provider (CIMWin32)
  • Result Code: Result code at start (0x0)
  • Host Process: Name of the WMI execution process (wmiprvse.exe)
  • Process ID: ID of the WMI execution process
  • Level:
Microsoft-Windows-WMI-Activity/Operational 5857 WMI-Activity [Provider] provider started with result code [Result Code]. Host Process = [Host Process]; Process ID = [Process ID]; Provider Path = [Provider Path]
  • Provider Path: File of the provider (%systemroot%\system32\smbwmiv2.dll)
  • Provider: WMI provider (smbwmiv2)
  • Result Code: Result code at start (0x0)
  • Host Process: Name of the WMI execution process (wmiprvse.exe)
  • Process ID: ID of the WMI execution process
  • Level:
13 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\cmd.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\Temp\wmi.dll)
  • CreationUtcTime: File creation date and time (UTC)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (READ_CONTROL)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\Temp\wmi.dll)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command (ipconfig.exe)
  • IntegrityLevel: Privilege level (High)
  • ParentCommandLine: Command line of the parent process (cmd.exe /c ipconfig.exe > C:\windows\temp\wmi.dll 2>&1)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\ipconfig.exe)
Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to the parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\ipconfig.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Temp\wmi.dll)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\ipconfig.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\ipconfig.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\ipconfig.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\ipconfig.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
14 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\cmd.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\cmd.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
15 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (445)
  • SourceHostname: Source host name (destination host name)
  • SourceIp: Source IP address (destination host IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (445)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID (4)
16 Security 4672 Special Logon Privileges assigned to a new logon.
  • Privileges: Assigned special privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege)
  • Subject > Security ID: SID of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Subject > Account Domain: Domain to which the account belongs
  • Subject > Account Name: Name of the account that executed the tool
Security 4624 Logon An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal) (0x0)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Package Name (NTLM only): NTLM version (NTLM V2)
  • Detailed Authentication Information > Logon Process: Process used for logon (NtLmSsp)
  • Network Information > Source Port: Source port number (high port)
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on
  • Logon Type: Logon path, method, etc. (3=Network)
  • Network Information > Workstation Name: Name of the host that requested the logon (source host name)
  • Detailed Authentication Information > Key Length: Length of the key used for the authentication (128)
  • Process Information > Process Name: Path to the executable file (-)
  • Detailed Authentication Information > Authentication Package: Authentication package used (NTLM)
  • Network Information > Source Network Address: IP address that requested the logon (source host IP address)
  • Subject > Logon ID: Session ID of the user who executed the authentication
17 Security 5140 File Sharing A network share object was accessed.
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Object Type: Category of the target (File)
  • Shared Information > Share Path: Shared path
  • Access Request Information > Access: Requested privileges (ReadData or ListDirectory)
  • Shared Information > Share Name: Share name used (\\*\IPC$)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Network Information > Source Address: Source IP address (source host IP address)
  • Subject > Logon ID: Session ID of the user who executed the process
18 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (System)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (139)
  • SourceHostname: Source host name (destination host name)
  • SourceIp: Source IP address (destination host IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (139)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID (4)
19 Security 5140 File Sharing A network share object was accessed.
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Object Type: Category of the target (File)
  • Shared Information > Share Path: Share path (\??\C:\windows\temp)
  • Network Information > Source Address/Source Port: Source IP address/Port number (source host)
  • Access Request Information > Access: Requested privileges (ReadData or ListDirectory)
  • Shared Information > Share Name: Share name used (\\*\WMI_SHARE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Network Information > Source Address: Source IP address (source host)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 5145 Detailed File Share A network share object was checked to see whether the client can be granted the desired access.
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Object Type: Type of the created object (File)
  • Shared Information > Share Path: Share path (\??\C:\windows\temp)
  • Access Request Information > Access: Requested privileges (READ_CONTROL)
  • Shared Information > Share Name: Share name (\\*\WMI_SHARE)
  • Network Information > Source Address/Source Port: Source IP address/Port number
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Shared Information > Relative Target Name: Relative target name from the share path (wmi.dll)
  • Network Information > Source Address: Source IP address (source host)
  • Subject > Logon ID: Session ID of the user who executed the process
20 Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to the parent process that created the new process (C:\Windows\System32\wbem\WmiPrvSE.exe)
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\cmd.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
21 Security 4674 Sensitive Privilege Use An operation was attempted on a privileged object.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Name of the object to be processed (\Device\ConDrv)
  • Object > Object Server: Service that executed the process (Security)
  • Requested operation > Special Privileges: Requested privileges (SeTakeOwnershipPrivilege)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\cmd.exe)
  • Object > Object Type: Type of the object to be processed (File)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 4659 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: Target handle ID (handle obtained with the immediately prior Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\cmd.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
22 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (DELETE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Temp\wmi.dll)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\cmd.exe)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\cmd.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
23 Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\cmd.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
24 Security 5144 File Sharing A network share object was deleted.
  • Shared Information > Share Name: Name of the deleted object (\\*\WMI_SHARE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the tool
  • Shared Information > Share Path: Path to the deleted object (C:\windows\temp)
25 Security 4634 Logoff An account was logged off.
  • Logon Type: Logon path, method, etc. (3=Network)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the authentication
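The destination-host Security events above share one correlation key, Subject > Logon ID, and several of them carry values that are specific to wmiexec.vbs rather than to WMI in general: a cmd.exe child of WmiPrvSE.exe (4688), the temporary share named WMI_SHARE (5140/5145/5144), and the wmi.dll output file under C:\Windows\Temp that is read over the share and then deleted (5145/4656). The following is an added example, not part of the JPCERT sheet and not code from the wmiexec.vbs project: it groups those indicators by Logon ID and reports sessions that hit more than one of them. It assumes the events have already been parsed into dicts keyed by the "Section > Field" labels used above (the constructed SAMPLE_EVENTS mirror rows 17 to 24); the indicator names, the threshold and the helper names are the example's own choices.

```python
# Added example: correlate the wmiexec.vbs artefacts listed in the sheet by Logon ID.
# Events are plain dicts keyed "Section > Field" exactly as the sheet writes them.
from collections import defaultdict

WMI_SHARE = r"\\*\WMI_SHARE"              # share name the sheet reports in 5140/5145/5144
TEMP_DLL = r"c:\windows\temp\wmi.dll"      # output file reported in 5145/4656 (compared lowercase)


def _norm(value):
    """Case-insensitive comparison helper for Windows paths and share names."""
    return (value or "").strip().lower()


def classify(event):
    """Return the wmiexec.vbs indicator one Security event satisfies, or None."""
    if event.get("channel") != "Security":
        return None
    eid = event.get("event_id")
    if eid == 4688:
        parent = _norm(event.get("Process Information > Source Process Name"))
        child = _norm(event.get("Process Information > New Process Name"))
        if parent.endswith(r"\wbem\wmiprvse.exe") and child.endswith(r"\cmd.exe"):
            return "wmiprvse_spawned_cmd"
    elif eid in (5140, 5145):
        if _norm(event.get("Shared Information > Share Name")) == _norm(WMI_SHARE):
            target = _norm(event.get("Shared Information > Relative Target Name"))
            if eid == 5145 and target == "wmi.dll":
                return "wmi_dll_read_over_share"
            return "wmi_share_accessed"
    elif eid == 5144:
        if _norm(event.get("Shared Information > Share Name")) == _norm(WMI_SHARE):
            return "wmi_share_removed"
    elif eid == 4656:
        obj = _norm(event.get("Object > Object Name"))
        access = _norm(event.get("Access Request Information > Access"))
        if obj == TEMP_DLL and "delete" in access:
            return "wmi_dll_deleted"
    return None


def correlate(events, min_indicators=2):
    """Group indicators by Subject > Logon ID; return sessions that reach the threshold."""
    by_logon = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            by_logon[ev.get("Subject > Logon ID", "?")].add(tag)
    return {lid: sorted(tags) for lid, tags in by_logon.items() if len(tags) >= min_indicators}


# Constructed sample, modelled on rows 16 to 24 of the sheet (values are made up).
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4624, "Subject > Logon ID": "0x3e7",
     "New Logon > Logon ID": "0x5a1b2", "Logon Type": "3"},
    {"channel": "Security", "event_id": 5140, "Subject > Logon ID": "0x5a1b2",
     "Shared Information > Share Name": r"\\*\IPC$"},
    {"channel": "Security", "event_id": 5140, "Subject > Logon ID": "0x5a1b2",
     "Shared Information > Share Name": r"\\*\WMI_SHARE",
     "Shared Information > Share Path": r"\??\C:\windows\temp"},
    {"channel": "Security", "event_id": 5145, "Subject > Logon ID": "0x5a1b2",
     "Shared Information > Share Name": r"\\*\WMI_SHARE",
     "Shared Information > Share Path": r"\??\C:\windows\temp",
     "Shared Information > Relative Target Name": "wmi.dll"},
    {"channel": "Security", "event_id": 4688, "Subject > Logon ID": "0x5a1b2",
     "Process Information > Source Process Name": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Process Information > New Process Name": r"C:\Windows\System32\cmd.exe"},
    {"channel": "Security", "event_id": 4656, "Subject > Logon ID": "0x5a1b2",
     "Object > Object Name": r"C:\Windows\Temp\wmi.dll",
     "Access Request Information > Access": "DELETE"},
    {"channel": "Security", "event_id": 5144, "Subject > Logon ID": "0x5a1b2",
     "Shared Information > Share Name": r"\\*\WMI_SHARE"},
    # Unrelated session listing an admin share: must not be reported.
    {"channel": "Security", "event_id": 5140, "Subject > Logon ID": "0x7c3d",
     "Shared Information > Share Name": r"\\*\C$"},
]

if __name__ == "__main__":
    for logon_id, tags in correlate(SAMPLE_EVENTS).items():
        print(f"session {logon_id}: {', '.join(tags)}")
```

The 4624 event is deliberately not scored: Logon Type 3 with NTLM is too common to be an indicator on its own, and its Subject > Logon ID belongs to the authenticating process, not to the new session (the session ID is in New Logon > Logon ID, as the sheet notes). The share and file names are the ones the sheet records for this tool, so the rule should be revisited if a different build of the script changes them.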

- USN Journal

# File Name Process Attribute
1 wmi.dll FILE_CREATE archive
wmi.dll DATA_EXTEND+FILE_CREATE archive
wmi.dll CLOSE+DATA_EXTEND+FILE_CREATE archive
wmi.dll CLOSE+FILE_DELETE archive