In the third part of the Sysmon 101 training course, we are going to talk about the events Sysmon generates and how each of them is used to hunt for threats.
Part 1: What Is Threat Hunting?
Part 2: What Is Sysmon? And How To Install Sysmon
Event ID 1: Process Creation
Process creation events give us a variety of information about a newly created process, including the full command line used to start it. Use the ProcessGuid value of each created process for correlation. There is also a field in this event called Hashes, which shows the hash value of the process image together with the hash algorithm used. Note on ProcessGuid: because Windows reuses process IDs, the ProcessGuid value is what makes a process unique across events.
Fields in 1
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- UtcTime
- ProcessGuid
- ProcessId
- Image
- FileVersion
- Description
- Product
- Company
- CommandLine
- CurrentDirectory
- User
- LogonGuid
- LogonId
- TerminalSessionId
- IntegrityLevel
- Hashes
- ParentProcessGuid
- ParentProcessId
- ParentImage
- ParentCommandLine
Examples Of 1
UtcTime: 2022-04-28 22:08:22.025
ProcessGuid: {a23eae89-bd56-5903-0000-0010e9d95e00}
ProcessId: 6228
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
CommandLine: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --lang=en-US --no-sandbox --service-request-channel-token=F47498BBA884E523FA93E623C4569B94 --mojo-platform-channel-handle=3432 /prefetch:8
CurrentDirectory: C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81\
User: LAB\rsmith
LogonGuid: {a23eae89-b357-5903-0000-002005eb0700}
LogonId: 0x7EB05
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57
ParentProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
ParentProcessId: 13220
ParentImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
ParentCommandLine: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
Event ID 2: A Process Changed A File Creation Time
This event is generated when the creation time of a file is changed. Attackers use this technique to backdate their backdoors and other malicious files: they set the creation time so that the file appears to have been created when the operating system itself was installed. Note: this is not always a malicious operation, because many legitimate processes also change file creation times.
Fields in 2
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- UtcTime
- ProcessGuid
- ProcessId
- Image
- TargetFilename
- CreationUtcTime
- PreviousCreationUtcTime
Examples Of 2
UtcTime: 2017-07-30 23:26:47.321
ProcessGuid: {a23eae89-ef48-5978-0000-00104832b112}
ProcessId: 25968
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
TargetFilename: C:\Users\rsmith.LAB\AppData\Local\Google\Chrome\User Data\Default\c61f44ce-5bb0-4efe-acc1-246fa8a3df1d.tmp
CreationUtcTime: 2016-11-25 18:21:47.692
PreviousCreationUtcTime: 2017-07-30 23:26:47.317
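A practical way to use Event ID 2 is to measure how far a process pushed a file's creation time into the past and to skip images known to do this legitimately. The following is an added example (not code from the original page or from Sysmon); it parses the page's own Event ID 2 sample, and the 30-day threshold, the allow-list and the second (benign, forward-moving) event are constructed for this example.

```python
"""Assess Sysmon Event ID 2 (file creation time changed) for timestomping.

Added example; not code from the original page. The first sample event is
the one shown on the page; the allow-list, the 30-day threshold and the
benign second event are choices made for this example, not Sysmon settings.
"""
from datetime import datetime, timedelta

SYSMON_TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Transcribed from the page's Event ID 2 example: chrome.exe sets a temp
# file's creation time back to 2016.
SAMPLE_EVENT_2 = r"""UtcTime: 2017-07-30 23:26:47.321
ProcessGuid: {a23eae89-ef48-5978-0000-00104832b112}
ProcessId: 25968
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
TargetFilename: C:\Users\rsmith.LAB\AppData\Local\Google\Chrome\User Data\Default\c61f44ce-5bb0-4efe-acc1-246fa8a3df1d.tmp
CreationUtcTime: 2016-11-25 18:21:47.692
PreviousCreationUtcTime: 2017-07-30 23:26:47.317"""

# Constructed: an installer moving a creation time forward by a few seconds.
SAMPLE_BENIGN_FORWARD = r"""UtcTime: 2022-01-10 09:00:05.000
ProcessGuid: {00000000-0000-0000-0000-000000000001}
ProcessId: 100
Image: C:\Windows\System32\msiexec.exe
TargetFilename: C:\Program Files\ExampleApp\app.dll
CreationUtcTime: 2022-01-10 09:00:04.000
PreviousCreationUtcTime: 2022-01-10 09:00:00.000"""


def parse_sysmon_text(block):
    """Turn the 'Key: Value' lines of a Sysmon event dump into a dict."""
    pairs = (line.partition(":") for line in block.strip().splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}


def backdating_delta(event):
    """How far the creation time was pushed into the past (negative = forward)."""
    new = datetime.strptime(event["CreationUtcTime"], SYSMON_TIME_FMT)
    old = datetime.strptime(event["PreviousCreationUtcTime"], SYSMON_TIME_FMT)
    return old - new


def assess_timestomp(event, threshold=timedelta(days=30), allowed_images=()):
    """Return a reason string when the change looks like timestomping, else None.

    Only backdating beyond `threshold` is flagged, and images on the allow-list
    are skipped because, as the page notes, many legitimate programs rewrite
    creation times.
    """
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image in {a.lower() for a in allowed_images}:
        return None
    delta = backdating_delta(event)
    if delta <= timedelta(0):
        return None  # moved forward or unchanged: not backdating
    if delta < threshold:
        return None
    return (f"{image} backdated {event['TargetFilename']} by {delta.days} days "
            f"(new creation time {event['CreationUtcTime']})")


if __name__ == "__main__":
    for raw in (SAMPLE_EVENT_2, SAMPLE_BENIGN_FORWARD):
        print(assess_timestomp(parse_sysmon_text(raw)))
```

Run against the page's sample, the Chrome event is flagged (the file was backdated by 247 days) until chrome.exe is placed on the allow-list, which is exactly the tuning step the "not always malicious" note calls for.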
Event ID 3: Network Connections
This event gives us a lot of information about network communications over TCP/IP. Through this event we can examine the connections created by processes and see values such as the IP addresses and port numbers involved.
Fields in 3
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- UtcTime
- ProcessGuid
- ProcessId
- Image
- User
- Protocol
- Initiated
- SourceIsIpv6
- SourceIp
- SourceHostname
- SourcePort
- SourcePortName
- DestinationIsIpv6
- DestinationIp
- DestinationHostname
- DestinationPort
- DestinationPortName
Examples of 3
UtcTime: 2022-04-28 22:12:22.557
ProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
ProcessId: 13220
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
User: LAB\rsmith
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.1.250
SourceHostname: rfsH.lab.local
SourcePort: 3328
SourcePortName:
DestinationIsIpv6: false
DestinationIp: 104.130.229.150
DestinationHostname:
DestinationPort: 443
DestinationPortName: https
Event ID 5: Process Terminated
This event is for processes that have been terminated.
Fields In 5
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- UtcTime
- ProcessGuid
- ProcessId
- Image
Examples Of 5
UtcTime: 2022-04-28 22:13:20.895
ProcessGuid: {a23eae89-bd28-5903-0000-001009665d00}
ProcessId: 12684
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
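Events 1, 3 and 5 describe the life of a process, and the page's note on ProcessGuid is the reason they should be joined on that field rather than on ProcessId. The following added example (not code from the original page or from Sysmon) parses the page's Event ID 1, 3 and 5 samples into one timeline keyed by ProcessGuid; the "EventId:" line in each dump and the fourth event, in which a new process reuses PID 12684 after the Event ID 5 exit, are constructed for this example.

```python
"""Correlate Sysmon Event IDs 1, 3 and 5 by ProcessGuid.

Added example; not code from the original page or from Sysmon itself.
Sample events are transcribed from the page's examples, plus one constructed
Event ID 1 whose ProcessId reuses a PID seen in the page's Event ID 5.
The "EventId:" line is added to each dump because the page's textual
examples do not carry the event ID inside the field block.
"""
from collections import defaultdict

SAMPLE_EVENTS = [
    # Event ID 1 from the page: a chrome.exe utility process and its parent.
    r"""EventId: 1
UtcTime: 2022-04-28 22:08:22.025
ProcessGuid: {a23eae89-bd56-5903-0000-0010e9d95e00}
ProcessId: 6228
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
User: LAB\rsmith
IntegrityLevel: Medium
ParentProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
ParentProcessId: 13220
ParentImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe""",
    # Event ID 3 from the page: the parent chrome.exe connecting out on 443.
    r"""EventId: 3
UtcTime: 2022-04-28 22:12:22.557
ProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
ProcessId: 13220
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Protocol: tcp
Initiated: true
SourceIp: 192.168.1.250
SourcePort: 3328
DestinationIp: 104.130.229.150
DestinationPort: 443""",
    # Event ID 5 from the page: another chrome.exe process exiting.
    r"""EventId: 5
UtcTime: 2022-04-28 22:13:20.895
ProcessGuid: {a23eae89-bd28-5903-0000-001009665d00}
ProcessId: 12684
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe""",
    # Constructed Event ID 1: Windows hands the freed PID 12684 to a new
    # process. The GUID, parent GUID and parent PID are made up for this example.
    r"""EventId: 1
UtcTime: 2022-04-28 22:15:01.000
ProcessGuid: {a23eae89-c0d1-5903-0000-0010aaaaaa00}
ProcessId: 12684
Image: C:\Windows\System32\notepad.exe
User: LAB\rsmith
IntegrityLevel: Medium
ParentProcessGuid: {a23eae89-b35f-5903-0000-0010bbbbbb00}
ParentProcessId: 4412
ParentImage: C:\Windows\explorer.exe""",
]


def parse_sysmon_text(block):
    """Turn the 'Key: Value' lines of a Sysmon event dump into a dict."""
    pairs = (line.partition(":") for line in block.strip().splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}


def new_entry():
    return {"pid": None, "image": None, "create": None,
            "network": [], "terminate": None, "children": []}


def build_process_timeline(raw_events):
    """Index events by ProcessGuid so one process's lifecycle can be read off."""
    timeline = defaultdict(new_entry)
    for raw in raw_events:
        ev = parse_sysmon_text(raw)
        guid = ev["ProcessGuid"]
        entry = timeline[guid]
        entry["pid"] = int(ev["ProcessId"])
        entry["image"] = ev["Image"]
        event_id = int(ev["EventId"])
        if event_id == 1:
            entry["create"] = ev["UtcTime"]
            # Parent/child linkage also uses the GUID, never the reusable PID.
            timeline[ev["ParentProcessGuid"]]["children"].append(guid)
        elif event_id == 3:
            entry["network"].append((ev["DestinationIp"], int(ev["DestinationPort"])))
        elif event_id == 5:
            entry["terminate"] = ev["UtcTime"]
    return timeline


def guids_by_pid(timeline):
    """Show why PID alone is a bad join key: one PID may map to several GUIDs."""
    by_pid = defaultdict(list)
    for guid, entry in timeline.items():
        if entry["pid"] is not None:
            by_pid[entry["pid"]].append(guid)
    return dict(by_pid)


if __name__ == "__main__":
    tl = build_process_timeline(SAMPLE_EVENTS)
    for pid, guids in sorted(guids_by_pid(tl).items()):
        print(pid, "->", len(guids), "process GUID(s)")
```

With the samples above, the parent Chrome process (ProcessGuid ending in 2f345d00) is the one that made the outbound 443 connection and spawned the utility process, while PID 12684 resolves to two different GUIDs, which is the collision the page's ProcessGuid note warns about.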
Event ID 8: CreateRemoteThread
This event occurs when a process creates a thread in another process. This technique is commonly used by malware to inject malicious code into another process or to hide inside it. The event shows us the source process and the target process, along with the new thread's start address, module and function.
Fields In 8
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- UtcTime
- SourceProcessGuid
- SourceProcessId
- SourceImage
- TargetProcessGuid
- TargetProcessId
- TargetImage
- NewThreadId
- StartAddress
- StartModule
- StartFunction
Examples Of 8
UtcTime: 2022-05-13 22:53:43.214
SourceProcessGuid: {a23eae89-8e6d-5917-0000-0010dfaf5004}
SourceProcessId: 8804
SourceImage: C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe
TargetProcessGuid: {a23eae89-8e5a-5917-0000-00100e3e4d04}
TargetProcessId: 2024
TargetImage: C:\repos\Supercharger\Mtg.Supercharger.ControllerService\bin\x64\Debug\Mtg.Supercharger.ControllerService.exe
NewThreadId: 20532
StartAddress: 0x00007FFB09321970
StartModule: C:\Windows\SYSTEM32\ntdll.dll
StartFunction: DbgUiRemoteBreakin
Event ID 9: RawAccessRead
The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation. This technique is often used by malware for data exfiltration of files that are locked for reading, as well as to avoid file access auditing tools. The event indicates the source process and target device.
Fields In 9
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- RawAccessRead
- UtcTime: Time event occurred
- ProcessGuid: The GUID of the process that generated the event
- ProcessID: ID of the process that generated the event
- Image: File used to generate the event
- Device
Examples Of 9
Log Name: Microsoft-Windows-Sysmon/Operational
Source: Microsoft-Windows-Sysmon
Date: 3/22/2018 1:32:22 PM
Event ID: 9
Task Category: RawAccessRead detected (rule: RawAccessRead)
Level: Information
Keywords:
User: SYSTEM
Computer: rfsH.lab.local
Description:
RawAccessRead detected:
UtcTime: 2018-03-22 20:32:22.332
ProcessGuid: {a23eae89-c65f-5ab2-0000-0010eb030000}
ProcessId: 4
Image: System
Device: \Device\HarddiskVolume2
Event ID 10: ProcessAccess
The process accessed event reports when a process opens another process, an operation that's often followed by information queries or reading and writing the address space of the target process. This enables detection of hacking tools that read the memory contents of processes like Local Security Authority (Lsass.exe) in order to steal credentials for use in Pass-the-Hash attacks. Enabling it can generate significant amounts of logging if there are diagnostic utilities active that repeatedly open processes to query their state, so it generally should only be enabled with filters that remove expected accesses.
Fields In 10
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- UtcTime
- SourceProcessGUID
- SourceProcessId
- SourceThreadId
- SourceImage
- TargetProcessGUID
- TargetProcessId
- TargetImage
- GrantedAccess
- CallTrace
Examples Of 10
UtcTime: 2017-05-15 00:02:01.463
SourceProcessGUID: {d49b2de5-efa6-5918-0000-00104d553c00}
SourceProcessId: 4704
SourceThreadId: 4124
SourceImage: C:\mimikatz\x64\mimikatz.exe
TargetProcessGUID: {d49b2de5-e852-5918-0000-00100b0f0700}
TargetProcessId: 1576
TargetImage: C:\Windows\system32\winlogon.exe
GrantedAccess: 0x40
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a5594|C:\Windows\system32\KERNELBASE.dll+1e865|C:\mimikatz\x64\mimikatz.exe+77ad|C:\mimikatz\x64\mimikatz.exe+7759|C:\mimikatz\x64\mimikatz.exe+f095|C:\mimikatz\x64\mimikatz.exe+6610a|C:\mimikatz\x64\mimikatz.exe+65dc4|C:\mimikatz\x64\mimikatz.exe+4ac00|C:\mimikatz\x64\mimikatz.exe+4aa36|C:\mimikatz\x64\mimikatz.exe+4a81d|C:\mimikatz\x64\mimikatz.exe+6ebe5|C:\Windows\system32\KERNEL32.DLL+18102|C:\Windows\SYSTEM32\ntdll.dll+5c5b4
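The GrantedAccess value is a Windows process access mask, and decoding it is what turns a raw Event ID 10 into something a hunter can reason about. The following added example (not code from the original page or from Sysmon) decodes the mask using the documented process access rights and applies a narrow rule for memory reads of lsass.exe, which is the credential-theft case the text describes. The first sample is the page's mimikatz to winlogon.exe event; the two lsass.exe events, their paths, GUIDs and call traces are constructed.

```python
"""Decode GrantedAccess in Sysmon Event ID 10 and flag lsass memory reads.

Added example; not code from the original page. The access-mask constants
are the documented Windows process access rights. The first sample event is
the page's mimikatz -> winlogon.exe example; the two lsass.exe events are
constructed, as are their images, GUIDs and call traces.
"""
PROCESS_ACCESS_RIGHTS = {
    0x00000001: "PROCESS_TERMINATE",
    0x00000002: "PROCESS_CREATE_THREAD",
    0x00000004: "PROCESS_SET_SESSIONID",
    0x00000008: "PROCESS_VM_OPERATION",
    0x00000010: "PROCESS_VM_READ",
    0x00000020: "PROCESS_VM_WRITE",
    0x00000040: "PROCESS_DUP_HANDLE",
    0x00000080: "PROCESS_CREATE_PROCESS",
    0x00000100: "PROCESS_SET_QUOTA",
    0x00000200: "PROCESS_SET_INFORMATION",
    0x00000400: "PROCESS_QUERY_INFORMATION",
    0x00000800: "PROCESS_SUSPEND_RESUME",
    0x00001000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00002000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

# Rights that let the opener read or alter the target's memory.
MEMORY_ACCESS_MASK = 0x0008 | 0x0010 | 0x0020  # VM_OPERATION | VM_READ | VM_WRITE

# From the page: mimikatz opening winlogon.exe with 0x40.
SAMPLE_PAGE_EVENT = r"""UtcTime: 2017-05-15 00:02:01.463
SourceProcessGUID: {d49b2de5-efa6-5918-0000-00104d553c00}
SourceProcessId: 4704
SourceThreadId: 4124
SourceImage: C:\mimikatz\x64\mimikatz.exe
TargetProcessGUID: {d49b2de5-e852-5918-0000-00100b0f0700}
TargetProcessId: 1576
TargetImage: C:\Windows\system32\winlogon.exe
GrantedAccess: 0x40
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a5594|C:\Windows\system32\KERNELBASE.dll+1e865|C:\mimikatz\x64\mimikatz.exe+77ad"""

# Constructed: an unknown binary reading lsass memory from an unbacked frame.
SAMPLE_LSASS_READ = r"""UtcTime: 2022-05-01 12:00:00.000
SourceImage: C:\Users\rsmith\Downloads\unknown_tool.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d1e4|UNKNOWN(000001A2B3C4D5E6)"""

# Constructed: a system tool querying lsass state without memory rights.
SAMPLE_LSASS_QUERY = r"""UtcTime: 2022-05-01 12:00:01.000
SourceImage: C:\Windows\System32\Taskmgr.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d1e4|C:\Windows\System32\KERNELBASE.dll+2a6e5"""


def parse_sysmon_text(block):
    """Turn the 'Key: Value' lines of a Sysmon event dump into a dict."""
    pairs = (line.partition(":") for line in block.strip().splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}


def decode_granted_access(value):
    """Expand a hex GrantedAccess string into the named rights it contains."""
    mask = int(value, 16)
    names = [name for bit, name in sorted(PROCESS_ACCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_ACCESS_RIGHTS)
    if leftover:
        names.append(f"UNKNOWN_BITS(0x{leftover:x})")
    return names


def assess_process_access(event, allowed_sources=()):
    """Return a reason when a non-allow-listed process reads lsass memory, else None."""
    source = event["SourceImage"].rsplit("\\", 1)[-1].lower()
    target = event["TargetImage"].rsplit("\\", 1)[-1].lower()
    if source in {a.lower() for a in allowed_sources}:
        return None
    mask = int(event["GrantedAccess"], 16)
    reasons = []
    if target == "lsass.exe" and mask & MEMORY_ACCESS_MASK:
        reasons.append("lsass.exe opened with " + "|".join(decode_granted_access(event["GrantedAccess"])))
    # Sysmon prints UNKNOWN(...) for call-stack frames not backed by a loaded
    # module, which is worth surfacing on its own.
    if "UNKNOWN(" in event.get("CallTrace", ""):
        reasons.append("call trace contains unbacked frames")
    return "; ".join(reasons) or None


if __name__ == "__main__":
    for raw in (SAMPLE_PAGE_EVENT, SAMPLE_LSASS_READ, SAMPLE_LSASS_QUERY):
        ev = parse_sysmon_text(raw)
        print(decode_granted_access(ev["GrantedAccess"]), "->", assess_process_access(ev))
```

The page's own event decodes to PROCESS_DUP_HANDLE against winlogon.exe and stays below the lsass rule, which illustrates that a single target-based rule is not enough: the decoded rights and the source image should be reviewed together, and the allow-list of expected sources (EDR, backup agents) is what keeps this event's volume manageable.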
Event ID 11: File Create
This event is generated when a file is created or overwritten. It is useful for monitoring files that malware drops into system startup locations.
Fields In 11
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- UtcTime
- ProcessGuid
- ProcessId
- Image
- TargetFilename
- CreationUtcTime
Examples Of 11
UtcTime: 2022-05-13 19:44:55.313
ProcessGuid: {a23eae89-6237-5917-0000-0010300e6601}
ProcessId: 19200
Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\4b00-0\AxImp.exe
CreationUtcTime: 2022-05-13 19:44:55.313
Event ID 12: Registry Event – Object Create Or Delete
This event records operations performed on the Windows Registry, such as creating or deleting registry keys and values.
Fields In 12
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- EventType
- UtcTime
- ProcessGuid
- ProcessId
- Image
- TargetObject
Examples Of 12
EventType: DeleteValue
UtcTime: 2022-05-11 04:31:15.792
ProcessGuid: {a23eae89-e8bf-5913-0000-0010db9f7109}
ProcessId: 25228
Image: C:\Windows\regedit.exe
TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\New Value #1
Event ID 13: RegistryEvent (Object Change Values)
This event records registry values that have been changed; the new value is shown in the Details field.
Fields In 13
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- EventType
- UtcTime
- ProcessGuid
- ProcessId
- Image
- TargetObject
- Details
Examples Of 13
EventType: SetValue
UtcTime: 2022-05-11 04:31:19.613
ProcessGuid: {a23eae89-e8bf-5913-0000-0010db9f7109}
ProcessId: 25228
Image: C:\Windows\regedit.exe
TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BadWolf
Details: run
Event ID 14: RegistryEvent (Key and Value Rename)
This event records the renaming of registry keys and values; the old name is in TargetObject and the new one in NewName.
Fields in Event ID 14
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- EventType
- UtcTime
- ProcessGuid
- ProcessId
- Image
- TargetObject
- NewName
Examples of Event ID 14
EventType: RenameKey
UtcTime: 2017-05-11 04:38:50.499
ProcessGuid: {a23eae89-e8bf-5913-0000-0010db9f7109}
ProcessId: 25228
Image: C:\Windows\regedit.exe
TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\asdf
NewName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BadWolf
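All three registry events carry the TargetObject in Sysmon's native \REGISTRY\MACHINE form, so a hunter normally normalizes the hive and then checks the path against autostart locations such as the RunOnce key that the page's samples write to. The following added example (not code from the original page or from Sysmon) does that for the page's Event ID 12, 13 and 14 samples; the list of autostart patterns is a deliberately short one chosen for the example, and the benign Uninstall-key event is constructed.

```python
"""Normalize Sysmon registry events (IDs 12, 13, 14) and flag autostart keys.

Added example; not code from the original page. The three sample events are
transcribed from the page; the benign Uninstall-key event is constructed.
The autostart pattern list is a short one chosen for this example.
"""
import re

HIVE_ALIASES = (
    (r"\REGISTRY\MACHINE", "HKLM"),
    (r"\REGISTRY\USER", "HKU"),
)

# Common autostart locations, matched case-insensitively anywhere in the
# normalized path (so HKU\<SID>\Software\... matches as well as HKLM).
AUTOSTART_PATTERNS = [
    re.compile(r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(Once)?(Ex)?\\", re.I),
    re.compile(r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I),
    re.compile(r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\", re.I),
]

SAMPLE_EVENT_12 = r"""EventType: DeleteValue
UtcTime: 2022-05-11 04:31:15.792
ProcessGuid: {a23eae89-e8bf-5913-0000-0010db9f7109}
ProcessId: 25228
Image: C:\Windows\regedit.exe
TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\New Value #1"""

SAMPLE_EVENT_13 = r"""EventType: SetValue
UtcTime: 2022-05-11 04:31:19.613
ProcessGuid: {a23eae89-e8bf-5913-0000-0010db9f7109}
ProcessId: 25228
Image: C:\Windows\regedit.exe
TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BadWolf
Details: run"""

SAMPLE_EVENT_14 = r"""EventType: RenameKey
UtcTime: 2017-05-11 04:38:50.499
ProcessGuid: {a23eae89-e8bf-5913-0000-0010db9f7109}
ProcessId: 25228
Image: C:\Windows\regedit.exe
TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\asdf
NewName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BadWolf"""

# Constructed: an installer writing its uninstall entry, not an autostart.
SAMPLE_BENIGN = r"""EventType: SetValue
UtcTime: 2022-05-11 05:00:00.000
ProcessGuid: {00000000-0000-0000-0000-000000000003}
ProcessId: 4040
Image: C:\Windows\System32\msiexec.exe
TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp\DisplayName
Details: Example App"""


def parse_sysmon_text(block):
    """Turn the 'Key: Value' lines of a Sysmon event dump into a dict."""
    pairs = (line.partition(":") for line in block.strip().splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}


def normalize_registry_path(target):
    """Rewrite \\REGISTRY\\MACHINE / \\REGISTRY\\USER prefixes to HKLM / HKU."""
    for prefix, alias in HIVE_ALIASES:
        if target.upper().startswith(prefix.upper()):
            return alias + target[len(prefix):]
    return target


def is_autostart_path(path):
    return any(p.search(path) for p in AUTOSTART_PATTERNS)


def summarize_registry_event(event):
    """Produce a compact, normalized view of one registry event with an autostart flag."""
    path = normalize_registry_path(event["TargetObject"])
    new_path = normalize_registry_path(event["NewName"]) if "NewName" in event else None
    summary = {
        "event_type": event["EventType"],
        "image": event["Image"],
        "path": path,
        # A rename *into* an autostart key counts as well as a write to one.
        "autostart": is_autostart_path(path) or (new_path is not None and is_autostart_path(new_path)),
    }
    if event["EventType"] == "SetValue":
        summary["details"] = event.get("Details", "")
    if new_path is not None:
        summary["new_path"] = new_path
    return summary


if __name__ == "__main__":
    for raw in (SAMPLE_EVENT_12, SAMPLE_EVENT_13, SAMPLE_EVENT_14, SAMPLE_BENIGN):
        print(summarize_registry_event(parse_sysmon_text(raw)))
```

Across the three page samples the same regedit.exe process (ProcessId 25228) deletes, sets and renames values under HKLM\...\RunOnce within a few seconds, which is the kind of sequence worth stitching together on ProcessGuid before deciding whether it is an administrator or a persistence attempt.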
Event ID 15: FileCreateStreamHash
This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream. There are malware variants that drop their executables or configuration settings via browser downloads, and this event is aimed at capturing that based on the browser attaching a Zone.Identifier “mark of the web” stream.
Fields In 15
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- UtcTime
- ProcessGuid
- ProcessId
- Image
- TargetFileName
- CreationUtcTime
- Hash
Examples Of 15
UtcTime: 2022-05-12 18:08:19.235
ProcessGuid: {a23eae89-c7f3-5915-0000-001083968417}
ProcessId: 26032
Image: C:\Program Files (x86)\WinMerge\WinMergeU.exe
TargetFilename: C:\repos\uws\Web\training\oiRegister.aspx.vb
CreationUtcTime: 2022-05-12 18:08:12.508
Event ID 17: PipeEvent (Pipe Created)
This event generates when a named pipe is created. Malware often uses named pipes for interprocess communication.
Fields In 17
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- Pipe Created
- UtcTime
- ProcessGuid
- ProcessId
- PipeName
- Image
Examples Of 17
Log Name: Microsoft-Windows-Sysmon/Operational
Source: Microsoft-Windows-Sysmon
Date: 4/11/2022 9:07:26 AM
Event ID: 17
Task Category: Pipe Created (rule: PipeEvent)
Level: Information
Keywords:
User: SYSTEM
Computer: rfsh.lab.local
Description:
Pipe Created:
UtcTime: 2022-04-11 16:07:26.244
ProcessGuid: {c47a3e70-32bd-5ace-0000-0010b1f39501}
ProcessId: 19564
PipeName: \testpipe
Image: C:\Users\rsmith\source\repos\namedpipecreate\namedpipecreate\bin\Debug\namedpipecreate.exe
Event ID 18: PipeEvent (Pipe Connected)
This event logs when a named pipe connection is made between a client and a server.
Fields In 18
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- Pipe Connected
- UtcTime
- ProcessGuid
- ProcessId
- PipeName
- Image
Examples Of 18
Log Name: Microsoft-Windows-Sysmon/Operational
Source: Microsoft-Windows-Sysmon
Date: 4/11/2022 9:07:50 AM
Event ID: 18
Task Category: Pipe Connected (rule: PipeEvent)
Level: Information
Keywords:
User: SYSTEM
Computer: rfsh.lab.local
Description:
Pipe Connected:
UtcTime: 2022-04-11 16:07:50.880
ProcessGuid: {c47a3e70-1e13-5ace-0000-001004ab2d00}
ProcessId: 2384
PipeName: \wkssvc
Image: C:\WINDOWS\Explorer.EXE
Event ID 19: WMIEvent – WMIFilter Activity Detected
This event occurs when a WMI event filter is registered, a technique malware uses to gain execution.
Fields In 19
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- EventType
- UtcTime
- Operation
- User
- EventNamespace
- Name
- Query
Examples Of 19
Log Name: Microsoft-Windows-Sysmon/Operational
Source: Microsoft-Windows-Sysmon
Date: 4/11/2022 9:26:16 AM
Event ID: 19
Task Category: WmiEventFilter activity detected (rule: WmiEvent)
Level: Information
Keywords:
User: SYSTEM
Computer: rfsh.lab.local
Description:
WmiEventFilter activity detected:
EventType: WmiFilterEvent
UtcTime: 2022-04-11 16:26:16.327
Operation: Created
User: LAB\rsmith
EventNamespace: "root\\cimv2"
Name: "BotFilter82"
Query: "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320"
Event ID 20: WmiEvent (WmiEventConsumer activity detected)
This event logs the registration of WMI consumers, recording the consumer name, log, and destination.
Fields In 20
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- EventType
- UtcTime
- Operation
- User
- Name
- Type
- Destination
Examples Of 20
Log Name: Microsoft-Windows-Sysmon/Operational
Source: Microsoft-Windows-Sysmon
Date: 4/11/2022 9:26:16 AM
Event ID: 20
Task Category: WmiEventConsumer activity detected (rule: WmiEvent)
Level: Information
Keywords:
User: SYSTEM
Computer: rfsh.lab.local
Description:
WmiEventConsumer activity detected:
EventType: WmiConsumerEvent
UtcTime: 2022-04-11 16:26:16.360
Operation: Created
User: LAB\rsmith
Name: "BotConsumer23"
Type: Command Line
Destination: "C:\\Windows\\System32\\evil.exe"
Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)
When a consumer binds to a filter, this event logs the consumer name and filter path.
Fields In 21
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- EventType
- UtcTime
- Operation
- User
- Consumer
- Filter
Examples Of 21
Log Name: Microsoft-Windows-Sysmon/Operational
Source: Microsoft-Windows-Sysmon
Date: 4/11/2022 9:27:02 AM
Event ID: 21
Task Category: WmiEventConsumerToFilter activity detected (rule: WmiEvent)
Level: Information
Keywords:
User: SYSTEM
Computer: rfsh.lab.local
Description:
WmiEventConsumerToFilter activity detected:
EventType: WmiBindingEvent
UtcTime: 2022-04-11 16:27:02.565
Operation: Created
User: LAB\rsmith
Consumer: "CommandLineEventConsumer.Name=\"BotConsumer23\""
Filter: "__EventFilter.Name=\"BotFilter82\""
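Events 19, 20 and 21 are three views of one WMI subscription: the filter says when, the consumer says what runs, and the binding ties them together by name. The following added example (not code from the original page or from Sysmon) reassembles that chain from the page's three samples by parsing the quoted WMI references in the Event ID 21 Consumer and Filter fields; the "EventId:" line in each dump is added because the page's field blocks do not carry it.

```python
"""Reassemble a WMI persistence chain from Sysmon Event IDs 19, 20 and 21.

Added example; not code from the original page. The three sample events are
transcribed from the page (filter BotFilter82, consumer BotConsumer23 and the
binding between them). The "EventId:" line is added to each dump because the
page's field blocks do not carry it.
"""
import re

SAMPLE_WMI_EVENTS = [
    r"""EventId: 19
EventType: WmiFilterEvent
UtcTime: 2022-04-11 16:26:16.327
Operation: Created
User: LAB\rsmith
EventNamespace: "root\\cimv2"
Name: "BotFilter82"
Query: "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320"
""",
    r"""EventId: 20
EventType: WmiConsumerEvent
UtcTime: 2022-04-11 16:26:16.360
Operation: Created
User: LAB\rsmith
Name: "BotConsumer23"
Type: Command Line
Destination: "C:\\Windows\\System32\\evil.exe"
""",
    r"""EventId: 21
EventType: WmiBindingEvent
UtcTime: 2022-04-11 16:27:02.565
Operation: Created
User: LAB\rsmith
Consumer: "CommandLineEventConsumer.Name=\"BotConsumer23\""
Filter: "__EventFilter.Name=\"BotFilter82\""
""",
]

# Matches e.g.  CommandLineEventConsumer.Name=\"BotConsumer23\"  and
# captures the WMI class and the object name.
NAME_REF = re.compile(r'(\w+)\.Name=\\?"([^"\\]+)')

# Consumer classes that execute attacker-supplied content.
CODE_EXECUTING_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}


def parse_sysmon_text(block):
    """Turn the 'Key: Value' lines of a Sysmon event dump into a dict."""
    pairs = (line.partition(":") for line in block.strip().splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}


def unquote_wmi(value):
    """Strip the surrounding quotes and backslash escapes Sysmon prints in WMI fields."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value.replace('\\"', '"').replace("\\\\", "\\")


def correlate_wmi_chain(raw_events):
    """Join filter (19), consumer (20) and binding (21) events by name."""
    parsed = [parse_sysmon_text(r) for r in raw_events]
    filters, consumers, chains = {}, {}, []
    for ev in parsed:
        if ev["EventId"] == "19":
            filters[unquote_wmi(ev["Name"])] = {
                "namespace": unquote_wmi(ev["EventNamespace"]),
                "query": unquote_wmi(ev["Query"]),
            }
        elif ev["EventId"] == "20":
            consumers[unquote_wmi(ev["Name"])] = {
                "type": ev["Type"],
                "destination": unquote_wmi(ev["Destination"]),
            }
    for ev in parsed:
        if ev["EventId"] != "21":
            continue
        consumer_ref = NAME_REF.search(ev["Consumer"])
        filter_ref = NAME_REF.search(ev["Filter"])
        if not (consumer_ref and filter_ref):
            continue  # binding we cannot parse: leave for manual review
        consumer_class, consumer_name = consumer_ref.groups()
        filter_name = filter_ref.group(2)
        chains.append({
            "user": ev["User"],
            "bound_at": ev["UtcTime"],
            "filter": filter_name,
            "query": filters.get(filter_name, {}).get("query"),
            "consumer": consumer_name,
            "consumer_class": consumer_class,
            "destination": consumers.get(consumer_name, {}).get("destination"),
            "executes_code": consumer_class in CODE_EXECUTING_CONSUMERS,
        })
    return chains


if __name__ == "__main__":
    for chain in correlate_wmi_chain(SAMPLE_WMI_EVENTS):
        print(chain)
```

The single binding in the page's samples resolves to a CommandLineEventConsumer whose destination is C:\Windows\System32\evil.exe, fired by a filter on system uptime; seeing the query and the destination side by side is what lets an analyst judge the subscription without pulling the WMI repository from the host.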
Event ID 22: DNS Event – DNS Query
This event is generated when a process executes a DNS query. Note: this event is not available on Windows 8.1 or earlier.
Fields In 22
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- RuleName
- UtcTime
- ProcessGuid
- ProcessId
- QueryName
- QueryStatus
- QueryResults
- Image
Examples Of 22
Log Name: Microsoft-Windows-Sysmon/Operational
Source: Microsoft-Windows-Sysmon
Date: 4/15/2022 1:07:01 PM
Event ID: 22
Task Category: Dns query (rule: DnsQuery)
Level: Information
Keywords:
User: SYSTEM
Computer: w19-ex-111.Win2019.local
Description: Dns query:
RuleName: -
UtcTime: 2022-04-15 20:06:58.876
ProcessGuid: {ff9115ad-7aff-6078-4000-000000002c00}
ProcessId: 3292
QueryName: w19-sc-114.win2019.local
QueryStatus: 0
QueryResults: ::ffff:10.42.1.114;
Image: C:\Program Files\Supercharger Controller\Mtg.Supercharger.ControllerService.exe
Event ID 23: FileDelete – File Delete Archived
This event is generated when a file is deleted. In addition to logging the deletion, Sysmon saves a copy of the deleted file in an archive directory. Note: this is usually the path C:\Sysmon.
Fields In 23
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- RuleName
- UtcTime
- ProcessGuid
- ProcessId
- User
- Image
- TargetFilename
- Hashes
- IsExecutable
- Archived
Examples Of 23
Log Name: Microsoft-Windows-Sysmon/Operational
Source: Microsoft-Windows-Sysmon
Date: 4/15/2021 1:07:01 PM
Event ID: 23
Task Category: File Delete (rule: FileDelete)
Level: Information
Keywords:
User: SYSTEM
Computer: w19-ex-111.Win2019.local
Description: File Delete:
RuleName: -
UtcTime: 2021-04-15 20:06:32.807
ProcessGuid: {ff9115ad-7ba0-6078-bf00-000000002c00}
ProcessId: 6468
User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\Microsoft Exchange\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe
TargetFileName: C:\Program Files\Microsoft\Exchange Server\V15\Logging\Diagnostics\PerformanceLogsToBeProcessed\ExchangeDiagnosticsPerformanceLog_04151301.blg
Hashes: SHA1=9EB203E8CD0DA806D91D6C2EB9669C28E29D5330,MD5=234A0C813539AB6B2CCAE02EAD314381,SHA256=48ED6A8C89DB330140D82BA0FE8F1D901645A0E18262172E6CDACE57C18B9720,IMPHASH=00000000000000000000000000000000
IsExecutable: false
Archived: true
Event ID 25: ProcessTampering (Process image change)
This event is generated when process-hiding techniques such as "hollow" (process hollowing) or "herpaderp" (process herpaderping) are detected.
Event ID 26: FileDeleteDetected (File Delete logged)
A file was deleted.