Microsoft-Windows-Sysmon
30 events across 1 channel
Event ID 1 — Process creation
Details
The process creation event provides extended information about a newly created process.
Fields
| Name | Description |
|---|---|
RuleName | Custom tag mapped to event, i.e. ATT&CK technique ID |
UtcTime | Time in UTC when event was created |
ProcessGuid | Process GUID of the process that got spawned/created (child) |
ProcessId | Process ID used by the OS to identify the created process (child) |
Image | File path of the process being spawned/created. Considered also the child or source process |
FileVersion | Version of the image associated with the main process (child) |
Description | Description of the image associated with the main process (child) |
Product | Product name the image associated with the main process (child) belongs to |
Company | Company name the image associated with the main process (child) belongs to |
OriginalFileName | Original file name from the PE header, useful for detecting renamed executables |
CommandLine | Arguments which were passed to the executable associated with the main process |
CurrentDirectory | The path without the name of the image associated with the process |
User | Name of the account who created the process (child). It usually contains domain name and user name (parsed to show only username without the domain) |
LogonGuid | Logon GUID of the user who created the new process. Value that can help you correlate this event with others that contain the same Logon GUID (Sysmon Events) |
LogonId | Logon ID of the user who created the new process. Value that can help you correlate this event with others that contain the same Logon ID |
TerminalSessionId | ID of the session the user belongs to |
IntegrityLevel | Integrity label assigned to a process |
Hashes | Hashes captured by Sysmon driver |
ParentProcessGuid | Process GUID of the parent process that spawned/created this process |
ParentProcessId | Process ID of the process that spawned/created the main process (child) |
ParentImage | File path that spawned/created the main process |
ParentCommandLine | Arguments which were passed to the executable associated with the parent process |
ParentUser | Name of the account who created the process that spawned/created the main process (child) |
Example Event
```yaml
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 1
  version: 5
  level: 4
  task: 1
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T02:04:12.512502+00:00'
  event_record_id: 1438276
  correlation: {}
  execution:
    process_id: 7064
    thread_id: 9788
  channel: Microsoft-Windows-Sysmon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  RuleName: '-'
  UtcTime: '2023-11-06 02:04:12.487'
  ProcessGuid: E56ADA26-499C-6548-2D0B-000000000D00
  ProcessId: 19696
  Image: C:\Windows\System32\dllhost.exe
  FileVersion: 10.0.22621.1 (WinBuild.160101.0800)
  Description: COM Surrogate
  Product: Microsoft® Windows® Operating System
  Company: Microsoft Corporation
  OriginalFileName: dllhost.exe
  CommandLine: C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
  CurrentDirectory: C:\Windows\system32\
  User: WINDEV2310EVAL\User
  LogonGuid: E56ADA26-17F4-6548-C677-020000000000
  LogonId: '0x277c6'
  TerminalSessionId: 1
  IntegrityLevel: High
  Hashes: SHA1=C521025C55687C1F29B1F3A3C69B3D152CE84981,MD5=144FA51A15E98D84D28EEAB815BC9A8B,SHA256=FDFAD08EADD54A431E431FEBE60E87B574CE90E5502ED0BE2F026A1828120FC6,IMPHASH=FBDAC0471446783AD621D3CAB6033559
  ParentProcessGuid: E56ADA26-17EE-6548-0D00-000000000D00
  ParentProcessId: 920
  ParentImage: C:\Windows\System32\svchost.exe
  ParentCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p
  ParentUser: NT AUTHORITY\SYSTEM
message: ''
```
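An added example in Python (not code from the original page or from Sysmon) showing two things the field table above points at: splitting the `Hashes` string into per-algorithm digests, and comparing `OriginalFileName` with the on-disk name in `Image` to flag a renamed executable. It uses the dllhost.exe values from the sample event plus a constructed record of the same binary copied under another name; the function names and the handling of `-` as "field not available" are assumptions.

```python
import ntpath

# Constructed copy of the Event ID 1 event_data shown above (dllhost.exe);
# the Image, OriginalFileName and Hashes values are the ones from that sample.
SAMPLE_EVENT_1 = {
    "Image": r"C:\Windows\System32\dllhost.exe",
    "OriginalFileName": "dllhost.exe",
    "Hashes": "SHA1=C521025C55687C1F29B1F3A3C69B3D152CE84981,"
              "MD5=144FA51A15E98D84D28EEAB815BC9A8B,"
              "SHA256=FDFAD08EADD54A431E431FEBE60E87B574CE90E5502ED0BE2F026A1828120FC6,"
              "IMPHASH=FBDAC0471446783AD621D3CAB6033559",
}

# Constructed event: same PE header (OriginalFileName) but the file was copied
# under a different name before execution. Only SHA256 is configured in this
# hypothetical Sysmon config, so the Hashes string carries a single entry.
RENAMED_EVENT = {
    "Image": r"C:\Users\User\AppData\Local\Temp\svc.exe",
    "OriginalFileName": "dllhost.exe",
    "Hashes": "SHA256=FDFAD08EADD54A431E431FEBE60E87B574CE90E5502ED0BE2F026A1828120FC6",
}


def parse_hashes(hashes: str) -> dict:
    """Split Sysmon's 'ALG=HEX,ALG=HEX,...' Hashes string into {ALG: hex}.

    Algorithm names are upper-cased and digests lower-cased so lookups against
    threat-intel lists do not depend on how the event was rendered.
    """
    result = {}
    for part in hashes.split(","):
        alg, sep, digest = part.partition("=")
        if not sep or not digest:
            continue  # tolerate '-', empty strings and trailing commas
        result[alg.strip().upper()] = digest.strip().lower()
    return result


def _stem(name: str) -> str:
    """Lower-case file name without directory or extension.

    Surrounding quotes are stripped because some version resources carry a
    quoted name (the Event ID 7 sample on this page has
    OriginalFileName '"MobileNetworking.DYNLINK"'); the extension is dropped
    because the PE header may say .DYNLINK where the file on disk is .dll.
    """
    name = name.strip().strip('"')
    return ntpath.splitext(ntpath.basename(name))[0].lower()


def is_renamed(event: dict) -> bool:
    """True when the on-disk name differs from the name in the PE header.

    Sysmon writes '-' when the image has no version resource (assumption);
    in that case no judgement is possible and False is returned rather than
    a false positive.
    """
    original = event.get("OriginalFileName", "-")
    if original in ("", "-"):
        return False
    return _stem(event["Image"]) != _stem(original)


def triage(event: dict) -> dict:
    """Summarise the fields an analyst pivots on for an Event ID 1 record."""
    hashes = parse_hashes(event.get("Hashes", "-"))
    return {
        "image": ntpath.basename(event["Image"]),
        "renamed": is_renamed(event),
        "sha256": hashes.get("SHA256"),
        "imphash": hashes.get("IMPHASH"),
    }


if __name__ == "__main__":
    for ev in (SAMPLE_EVENT_1, RENAMED_EVENT):
        print(triage(ev))
```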
Sigma Rules
- 7Zip Compressing Dump Files
Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
- Compress Data and Lock With Password for Exfiltration With 7-ZIP
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities.
- Potential DLL Injection Via AccCheckConsole
Detects the execution of "AccCheckConsole", a command-line tool for verifying the accessibility implementation of an application's UI. One of the tests that this checker can run is called a "verification routine", which tests for things like Consistency, Navigation, etc. The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such a DLL and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
- Suspicious AddinUtil.EXE CommandLine Execution
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversary's Addins.Store payload.
- Uncommon Child Process Of AddinUtil.EXE
Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe), which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
Showing 5 of 1167 matching Sigma rules.
References
Event ID 2 — A process changed a file creation time
Details
The change file creation time event is registered when a file creation time is explicitly modified by a process.
Fields
| Name | Description |
|---|---|
RuleName | Custom tag mapped to event, i.e. ATT&CK technique ID |
UtcTime | Time in UTC when event was created |
ProcessGuid | Process GUID of the process that changed the file creation time |
ProcessId | Process ID used by the OS to identify the process changing the file creation time |
Image | File path of the process that changed the file creation time |
TargetFilename | Full path name of the file |
CreationUtcTime | New creation time of the file |
PreviousCreationUtcTime | Previous creation time of the file |
User | Name of the account who changed the file creation time of a file |
Example Event
```yaml
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 2
  version: 5
  level: 4
  task: 2
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T02:02:42.701590+00:00'
  event_record_id: 1434553
  correlation: {}
  execution:
    process_id: 7064
    thread_id: 9788
  channel: Microsoft-Windows-Sysmon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  RuleName: '-'
  UtcTime: '2023-11-06 02:02:42.686'
  ProcessGuid: E56ADA26-1A27-6548-3001-000000000D00
  ProcessId: 876
  Image: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\119.0.2151.44\msedgewebview2.exe
  TargetFilename: C:\Users\User\AppData\Local\Packages\MicrosoftWindows.Client.WebExperience_cw5n1h2txyewy\LocalState\EBWebView\297786f0-3fab-4719-b257-7269fed79fdf.tmp
  CreationUtcTime: '2023-11-05 22:37:47.033'
  PreviousCreationUtcTime: '2023-11-06 02:02:42.686'
  User: WINDEV2310EVAL\User
message: ''
```
Sigma Rules
- Unusual File Modification by dns.exe
Detects an unexpected file being modified by dns.exe, which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed).
References
Event ID 3 — Network connection
Details
The network connection event logs TCP/UDP connections on the machine.
Fields
| Name | Description |
|---|---|
RuleName | Custom tag mapped to event, i.e. ATT&CK technique ID |
UtcTime | Time in UTC when event was created |
ProcessGuid | Process GUID of the process that made the network connection |
ProcessId | Process ID used by the OS to identify the process that made the network connection |
Image | File path of the process that made the network connection |
User | Name of the account who made the network connection. It usually contains domain name and user name |
Protocol | Protocol being used for the network connection |
Initiated | Indicates whether the process initiated the TCP connection |
SourceIsIpv6 | Is the source IP an IPv6 |
SourceIp | Source IP address that made the network connection |
SourceHostname | Name of the host that made the network connection |
SourcePort | Source port number |
SourcePortName | Name of the source port being used (i.e. netbios-dgm) |
DestinationIsIpv6 | Is the destination IP an IPv6 |
DestinationIp | Destination IP address |
DestinationHostname | Name of the host that received the network connection |
DestinationPort | Destination port number |
DestinationPortName | Name of the destination port |
Example Event
```yaml
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 3
  version: 5
  level: 4
  task: 3
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T02:03:45.514949+00:00'
  event_record_id: 1437449
  correlation: {}
  execution:
    process_id: 7064
    thread_id: 10068
  channel: Microsoft-Windows-Sysmon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  RuleName: '-'
  UtcTime: '2023-11-06 02:03:43.450'
  ProcessGuid: E56ADA26-45B9-6548-970A-000000000D00
  ProcessId: 13296
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: WINDEV2310EVAL\User
  Protocol: udp
  Initiated: true
  SourceIsIpv6: false
  SourceIp: 192.168.92.128
  SourceHostname: '-'
  SourcePort: 60161
  SourcePortName: '-'
  DestinationIsIpv6: false
  DestinationIp: 239.255.255.250
  DestinationHostname: '-'
  DestinationPort: 1900
  DestinationPortName: '-'
message: ''
```
Sigma Rules
- Network Connection Initiated By AddinUtil.EXE
Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate potential command and control communication, as this tool doesn't usually initiate network activity.
- Uncommon Connection to Active Directory Web Services
Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
- Uncommon Network Connection Initiated By Certutil.EXE
Detects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads.
- Outbound Network Connection Initiated By Cmstp.EXE
Detects a network connection initiated by Cmstp.EXE. It's uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
- Outbound Network Connection Initiated By Microsoft Dialer
Detects an outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer. This is an outdated process in the current context of its usage and is a common target for info stealers for process injection, and is used to make C2 connections; a common example is "Rhadamanthys".
Showing 5 of 51 matching Sigma rules.
References
Event ID 4 — Sysmon service state changed
Details
The service state change event reports the state of the Sysmon service (started or stopped).
Fields
| Name | Description |
|---|---|
UtcTime | Time in UTC when event was created |
State | Sysmon service state (i.e. stopped) |
Version | Sysmon version |
SchemaVersion | Sysmon config schema version |
Example Event
```yaml
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 4
  version: 3
  level: 4
  task: 4
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-05T22:52:28.220847+00:00'
  event_record_id: 2
  correlation: {}
  execution:
    process_id: 7064
    thread_id: 9788
  channel: Microsoft-Windows-Sysmon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  UtcTime: '2023-11-05 22:52:28.214'
  State: Started
  Version: '15.0'
  SchemaVersion: '4.90'
message: ''
```
Sigma Rules
- Sysmon Configuration Modification
Detects when an attacker tries to hide from Sysmon by disabling or stopping it
References
Event ID 5 — Process terminated
Details
The process terminate event reports when a process terminates.
Fields
| Name | Description |
|---|---|
RuleName | Custom tag mapped to event, i.e. ATT&CK technique ID |
UtcTime | Time in UTC when event was created |
ProcessGuid | Process GUID of the process that terminated |
ProcessId | Process ID used by the OS to identify the process that terminated |
Image | File path of the process that terminated |
User | Name of the account that terminated the process. |
Example Event
```yaml
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 5
  version: 3
  level: 4
  task: 5
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T02:04:26.566815+00:00'
  event_record_id: 1441121
  correlation: {}
  execution:
    process_id: 7064
    thread_id: 9788
  channel: Microsoft-Windows-Sysmon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  RuleName: '-'
  UtcTime: '2023-11-06 02:04:26.536'
  ProcessGuid: E56ADA26-37A6-6548-5107-000000000D00
  ProcessId: 16164
  Image: C:\Windows\System32\svchost.exe
  User: NT AUTHORITY\SYSTEM
message: ''
```
References
Event ID 6 — Driver loaded
Details
The driver loaded event provides information about a driver being loaded on the system.
Fields
| Name | Description |
|---|---|
RuleName | Custom tag mapped to event, i.e. ATT&CK technique ID |
UtcTime | Time in UTC when event was created |
ImageLoaded | Full path of the driver loaded |
Hashes | Hashes captured by Sysmon driver |
Signed | Whether the loaded driver is signed |
Signature | The signer |
SignatureStatus | Status of the signature (i.e. valid) |
Example Event
```yaml
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 6
  version: 4
  level: 4
  task: 6
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T01:39:25.765471+00:00'
  event_record_id: 1323548
  correlation: {}
  execution:
    process_id: 7064
    thread_id: 10072
  channel: Microsoft-Windows-Sysmon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  RuleName: '-'
  UtcTime: '2023-11-06 01:39:25.719'
  ImageLoaded: C:\Windows\System32\drivers\PROCMON24.SYS
  Hashes: SHA1=3886A86F350B056EFC662C893326206FE884CCD9,MD5=CBAED2F7F40A71A0F65CA1D7599CA530,SHA256=650B91475689539B99DB6499E3DF2C300AD15A0C70BB33F9470C8401E3248A45,IMPHASH=8477C11BEB2E153801A537EA17631A52
  Signed: 'true'
  Signature: Microsoft Windows Hardware Compatibility Publisher
  SignatureStatus: Valid
message: ''
```
Sigma Rules
- Malicious Driver Load
Detects loading of known malicious drivers via their hash.
- Malicious Driver Load By Name
Detects loading of known malicious drivers via the file name of the drivers.
- PUA - Process Hacker Driver Load
Detects driver load of the Process Hacker tool.
- PUA - System Informer Driver Load
Detects driver load of the System Informer tool.
- Driver Load From A Temporary Directory
Detects a driver load from a temporary directory.
Showing 5 of 10 matching Sigma rules.
References
Event ID 7 — Image loaded
Details
The image loaded event logs when a module is loaded in a specific process.
Fields
| Name | Description |
|---|---|
RuleName | Custom tag mapped to event, i.e. ATT&CK technique ID |
UtcTime | Time in UTC when event was created |
ProcessGuid | Process GUID of the process that loaded the image |
ProcessId | Process ID used by the OS to identify the process that loaded the image |
Image | File path of the process that loaded the image |
ImageLoaded | Full path of the image loaded |
FileVersion | Version of the image loaded |
Description | Description of the image loaded |
Product | Product name that the loaded image belongs to |
Company | Company name that the loaded image belongs to |
OriginalFileName | Original file name from the PE header, useful for detecting renamed modules |
Hashes | Hash of the file contents using the algorithms specified in the HashType field |
Signed | Is the image loaded signed |
Signature | The signer |
SignatureStatus | Status of the signature (i.e. valid) |
User | Name of the account that loaded the image. |
Example Event
```yaml
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 7
  version: 3
  level: 4
  task: 7
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T02:04:20.308288+00:00'
  event_record_id: 1440307
  correlation: {}
  execution:
    process_id: 7064
    thread_id: 9788
  channel: Microsoft-Windows-Sysmon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  RuleName: '-'
  UtcTime: '2023-11-06 02:04:20.300'
  ProcessGuid: E56ADA26-3995-6548-3608-000000000D00
  ProcessId: 16148
  Image: C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
  ImageLoaded: C:\Windows\System32\mobilenetworking.dll
  FileVersion: 10.0.22621.1 (WinBuild.160101.0800)
  Description: '"MobileNetworking.DYNLINK"'
  Product: Microsoft® Windows® Operating System
  Company: Microsoft Corporation
  OriginalFileName: '"MobileNetworking.DYNLINK"'
  Hashes: SHA1=260C4C8799D0D4EF4074123DCB0F6CC1BAB8E398,MD5=86DC2DC65542D41C6DAEE47B12CAAF25,SHA256=B75EF0D9BE5C111341DAB495301C5939495487C2A76EB2EC1D1EAC393E6EFC5E,IMPHASH=839E809555F97D103A3AF38B8133172A
  Signed: 'true'
  Signature: Microsoft Windows
  SignatureStatus: Valid
  User: WINDEV2310EVAL\User
message: ''
```
Community Notes
Image loaded. Generated when a process loads a DLL into memory, i.e. side-loading.
Sigma Rules
- Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVE exploits that target the Common Log File System.
- DLL Loaded From Suspicious Location Via Cmspt.EXE
Detects cmstp loading "dll" or "ocx" files from suspicious locations.
- Amsi.DLL Loaded Via LOLBIN Process
Detects loading of "Amsi.dll" by a living-off-the-land process. This could be an indication of a "PowerShell without PowerShell" attack.
- Potential Azure Browser SSO Abuse
Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
- Suspicious Renamed Comsvcs DLL Loaded By Rundll32
Detects rundll32 loading a renamed comsvcs.dll to dump process memory.
Showing 5 of 99 matching Sigma rules.
References
Event ID 8 — CreateRemoteThread
Details
The CreateRemoteThread event detects when a process creates a thread in another process.
Fields
| Name | Description |
|---|---|
RuleName | Custom tag mapped to event, i.e. ATT&CK technique ID |
UtcTime | Time in UTC when event was created |
SourceProcessGuid | Process GUID of the source process that created a thread in another process |
SourceProcessId | Process ID used by the OS to identify the source process that created a thread in another process |
SourceImage | File path of the source process that created a thread in another process |
TargetProcessGuid | Process GUID of the target process |
TargetProcessId | Process ID used by the OS to identify the target process |
TargetImage | File path of the target process |
NewThreadId | ID of the new thread created in the target process |
StartAddress | New thread start address |
StartModule | Module where the new thread starts execution, resolved from the thread start address |
StartFunction | Exported function where the new thread starts, if the start address matches a known export |
SourceUser | Name of the account of the source process that created a thread in another process. |
TargetUser | Name of the account of the target process |
Example Event
```yaml
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 8
  version: 2
  level: 4
  task: 8
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T01:44:42.883662+00:00'
  event_record_id: 1356672
  correlation: {}
  execution:
    process_id: 7064
    thread_id: 9788
  channel: Microsoft-Windows-Sysmon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  RuleName: '-'
  UtcTime: '2023-11-06 01:44:42.882'
  SourceProcessGuid: E56ADA26-17ED-6548-0900-000000000D00
  SourceProcessId: 644
  SourceImage: C:\Windows\System32\csrss.exe
  TargetProcessGuid: E56ADA26-4257-6548-200A-000000000D00
  TargetProcessId: 21332
  TargetImage: C:\Program Files\PowerShell\7\pwsh.exe
  NewThreadId: 21912
  StartAddress: '0x00007FFAF7117550'
  StartModule: C:\Windows\System32\KERNELBASE.dll
  StartFunction: CtrlRoutine
  SourceUser: NT AUTHORITY\SYSTEM
  TargetUser: WINDEV2310EVAL\User
message: ''
```
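An added Python example (not part of the page or of Sysmon) that triages an Event ID 8 record using the StartModule/StartFunction fields described above: the csrss.exe thread starting at KERNELBASE!CtrlRoutine from the sample is treated as known-benign, while a thread whose start address is not backed by any loaded module, or whose source runs from a user-writable directory, is flagged. The allow-list, the directory list, the function names and the assumption that an unresolved StartModule is rendered as `-` are all mine, not Sysmon's.

```python
import ntpath

# Constructed copy of the Event ID 8 event_data shown above: csrss.exe starts a
# thread in pwsh.exe at KERNELBASE!CtrlRoutine. This is how console control
# signals (Ctrl+C, Ctrl+Break, window close) reach a console process, so it is
# the most common benign source of this event.
SAMPLE_EVENT_8 = {
    "SourceImage": r"C:\Windows\System32\csrss.exe",
    "TargetImage": r"C:\Program Files\PowerShell\7\pwsh.exe",
    "StartAddress": "0x00007FFAF7117550",
    "StartModule": r"C:\Windows\System32\KERNELBASE.dll",
    "StartFunction": "CtrlRoutine",
}

# Constructed event: a thread whose start address Sysmon could not map to any
# module loaded in the target (code written into the target's memory rather
# than loaded from disk). That the unresolved fields read '-' is an assumption;
# an empty string is treated the same way.
UNBACKED_EVENT = {
    "SourceImage": r"C:\Users\User\AppData\Local\Temp\update.exe",
    "TargetImage": r"C:\Windows\System32\notepad.exe",
    "StartAddress": "0x000001F4A3C20000",
    "StartModule": "-",
    "StartFunction": "-",
}

# Constructed allow-list of (source image, start module, start function) triples
# seen during normal operation. Seeded only with the pattern from the sample;
# extend it from your own baseline rather than from this file.
KNOWN_BENIGN = {
    ("csrss.exe", "kernelbase.dll", "ctrlroutine"),
}

# Directory fragments a standard user can write to. A source image under one of
# them is what the Sigma rules on this page call a "potentially suspicious
# location". Constructed list, not exhaustive.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\programdata\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def in_user_writable_dir(path: str) -> bool:
    lowered = path.lower()
    return any(fragment in lowered for fragment in USER_WRITABLE)


def classify_remote_thread(event: dict) -> dict:
    """Return a verdict plus the reasons behind it for one Event ID 8 record."""
    module = event.get("StartModule") or "-"
    func = event.get("StartFunction") or "-"
    source = event.get("SourceImage", "")
    reasons = []
    if module == "-":
        reasons.append("thread starts outside any module loaded in the target")
    if in_user_writable_dir(source):
        reasons.append("source image runs from a user-writable directory")
    known = (_base(source), _base(module), func.lower()) in KNOWN_BENIGN
    if reasons:
        verdict = "suspicious"
    elif known:
        verdict = "known-benign"
    else:
        verdict = "review"  # not obviously bad, not in the baseline either
    start = f"{_base(module)}!{func}" if module != "-" else event.get("StartAddress", "?")
    return {"verdict": verdict, "start": start, "reasons": reasons}


if __name__ == "__main__":
    for ev in (SAMPLE_EVENT_8, UNBACKED_EVENT):
        print(classify_remote_thread(ev))
```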
Community Notes
CreateRemoteThread. Detects some process-injection methods.
Sigma Rules
- HackTool - CACTUSTORCH Remote Thread Creation
Detects remote thread creation from CACTUSTORCH as described in references.
- HackTool - Potential CobaltStrike Process Injection
Detects a potential remote thread creation with certain characteristics which are typical for Cobalt Strike beacons.
- Remote Thread Created In KeePass.EXE
Detects remote thread creation in "KeePass.exe" which could indicate potential password dumping activity.
- Remote Thread Creation In Mstsc.Exe From Suspicious Location
Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
- Potential Credential Dumping Attempt Via PowerShell Remote Thread
Detects remote thread creation by PowerShell processes into "lsass.exe".
Showing 5 of 11 matching Sigma rules.
References
Event ID 9 — RawAccessRead
Details
The RawAccessRead event detects when a process conducts reading operations from the drive.
Fields
| Name | Description |
|---|---|
RuleName | Custom tag mapped to event, i.e. ATT&CK technique ID |
UtcTime | Time in UTC when event was created |
ProcessGuid | Process GUID of the process that conducted reading operations from the drive |
ProcessId | Process ID used by the OS to identify the process that conducted reading operations from the drive |
Image | File path of the process that conducted reading operations from the drive |
Device | Target device |
User | Name of the account of the process that conducted reading operations from the drive |
Example Event
```yaml
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 9
  version: 2
  level: 4
  task: 9
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T02:04:11.574013+00:00'
  event_record_id: 1438039
  correlation: {}
  execution:
    process_id: 7064
    thread_id: 9788
  channel: Microsoft-Windows-Sysmon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  RuleName: '-'
  UtcTime: '2023-11-06 02:04:11.571'
  ProcessGuid: E56ADA26-17E6-6548-EB03-000000000000
  ProcessId: 4
  Image: System
  Device: \Device\HarddiskVolume1
  User: NT AUTHORITY\SYSTEM
message: ''
```
Community Notes
RawAccessRead may indicate direct disk reads of ntds.dit, SAM, or page files for offline hash extraction.
Sigma Rules
- Potential Defense Evasion Via Raw Disk Access By Uncommon Tools
Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts
References
Event ID 10 — ProcessAccess
Details
The process accessed event reports when a process opens another process.
Fields
| Name | Description |
|---|---|
RuleName | Custom tag mapped to event, i.e. ATT&CK technique ID |
UtcTime | Time in UTC when event was created |
SourceProcessGUID | Process GUID of the source process that opened another process
SourceProcessId | Process ID of the source process that opened another process |
SourceThreadId | ID of the specific thread inside of the source process that opened another process |
SourceImage | File path of the source process that opened another process |
TargetProcessGUID | Process GUID of the target process
TargetProcessId | Process ID used by the OS to identify the target process |
TargetImage | File path of the target process |
GrantedAccess | The access flags (bitmask) associated with the process rights requested for the target process |
CallTrace | Stack trace of where OpenProcess is called, including the DLL and relative virtual address of each function in the call stack |
SourceUser | Name of the account of the source process that opened another process. |
TargetUser | Name of the account of the target process |
Example Event
```yaml
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 10
  version: 3
  level: 4
  task: 10
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T02:04:36.621865+00:00'
  event_record_id: 1441177
  correlation: {}
  execution:
    process_id: 7064
    thread_id: 9788
  channel: Microsoft-Windows-Sysmon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  RuleName: '-'
  UtcTime: '2023-11-06 02:04:36.619'
  SourceProcessGUID: E56ADA26-3829-6548-6007-000000000D00
  SourceProcessId: 15680
  SourceThreadId: 15676
  SourceImage: C:\Program Files\Avira\Endpoint Protection SDK\SentryEye.exe
  TargetProcessGUID: E56ADA26-3766-6548-3C07-000000000D00
  TargetProcessId: 15280
  TargetImage: C:\Program Files\Avira\Endpoint Protection SDK\endpointprotection.exe
  GrantedAccess: '0x100000'
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9f8b4|C:\Windows\SYSTEM32\KERNELBASE.dll+2c60e|C:\Program Files\Avira\Endpoint Protection SDK\SentryEye.exe+213cf|C:\Program Files\Avira\Endpoint Protection SDK\SentryEye.exe+2ccffe|C:\Windows\SYSTEM32\KERNEL32.DLL+1257d|C:\Windows\SYSTEM32\ntdll.dll+5aa78
  SourceUser: NT AUTHORITY\SYSTEM
  TargetUser: NT AUTHORITY\SYSTEM
message: ''
```
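An added Python example (not the page's or Sysmon's own code) that decodes the GrantedAccess bitmask described in the field table into the PROCESS_* rights it grants and parses the CallTrace field into (module, RVA) frames. It uses the SentryEye record from the sample above, which only asks for SYNCHRONIZE, and a constructed record that requests memory-read rights on lsass.exe through a frame Sysmon could not attribute to a module; the function names and the made-up address are assumptions.

```python
import re

# Constructed copy of the Event ID 10 event_data shown above: one security
# product component opening another with SYNCHRONIZE only (GrantedAccess
# 0x100000), with the CallTrace value from the sample.
SAMPLE_EVENT_10 = {
    "SourceImage": r"C:\Program Files\Avira\Endpoint Protection SDK\SentryEye.exe",
    "TargetImage": r"C:\Program Files\Avira\Endpoint Protection SDK\endpointprotection.exe",
    "GrantedAccess": "0x100000",
    "CallTrace": (
        r"C:\Windows\SYSTEM32\ntdll.dll+9f8b4|"
        r"C:\Windows\SYSTEM32\KERNELBASE.dll+2c60e|"
        r"C:\Program Files\Avira\Endpoint Protection SDK\SentryEye.exe+213cf|"
        r"C:\Program Files\Avira\Endpoint Protection SDK\SentryEye.exe+2ccffe|"
        r"C:\Windows\SYSTEM32\KERNEL32.DLL+1257d|"
        r"C:\Windows\SYSTEM32\ntdll.dll+5aa78"
    ),
}

# Constructed event: a process asking for memory-read rights on lsass.exe from
# a call stack that passes through memory not backed by any module. Sysmon
# renders such frames as UNKNOWN(address); the address here is made up.
CONSTRUCTED_LSASS_EVENT = {
    "SourceImage": r"C:\Users\User\AppData\Local\Temp\update.exe",
    "TargetImage": r"C:\Windows\System32\lsass.exe",
    "GrantedAccess": "0x1010",
    "CallTrace": (
        r"C:\Windows\SYSTEM32\ntdll.dll+9f8b4|"
        r"C:\Windows\SYSTEM32\KERNELBASE.dll+2c60e|"
        r"UNKNOWN(000001F4A3C20000)"
    ),
}

# Bit names of the process access mask Sysmon records in GrantedAccess, taken
# from the PROCESS_* and standard-rights constants in the Windows SDK (winnt.h).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

# Rights that let the opener read or change the target's memory or threads.
MEMORY_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0800

_FRAME = re.compile(r"^(?P<module>.+)\+(?P<rva>[0-9A-Fa-f]+)$")


def decode_access(granted: str) -> list:
    """Expand a GrantedAccess value such as '0x1010' into the rights it grants."""
    mask = int(granted, 16)
    names = [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]
    unnamed = mask & ~sum(PROCESS_RIGHTS)  # bits with no name in the table
    if unnamed:
        names.append(f"UNKNOWN(0x{unnamed:x})")
    return names


def parse_call_trace(trace: str) -> list:
    """Split 'module+rva|module+rva|...' into (module, rva) pairs; a frame without
    that shape (Sysmon writes UNKNOWN(address) for unbacked memory) keeps rva -1."""
    frames = []
    for raw in trace.split("|"):
        raw = raw.strip()
        if not raw or raw == "-":
            continue
        match = _FRAME.match(raw)
        if match:
            frames.append((match.group("module"), int(match.group("rva"), 16)))
        else:
            frames.append((raw, -1))
    return frames


def triage_process_access(event: dict) -> dict:
    """Pull out what an analyst checks first on an Event ID 10 record."""
    mask = int(event["GrantedAccess"], 16)
    frames = parse_call_trace(event.get("CallTrace", "-"))
    return {
        "rights": decode_access(event["GrantedAccess"]),
        "memory_access": bool(mask & MEMORY_RIGHTS),
        "unbacked_frames": [mod for mod, rva in frames if rva < 0],
        "lsass_target": event["TargetImage"].lower().endswith("\\lsass.exe"),
    }
```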
Sigma Rules
- CMSTP Execution Process Access
Detects various indicators of Microsoft Connection Manager Profile Installer execution.
- HackTool - CobaltStrike BOF Injection Pattern
Detects a typical pattern of a CobaltStrike BOF which injects into other processes.
- HackTool - Generic Process Access
Detects process access requests from hacktool processes based on their default image name.
- HackTool - HandleKatz Duplicating LSASS Handle
Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles.
- HackTool - LittleCorporal Generated Maldoc Injection
Detects the process injection of a LittleCorporal generated Maldoc.
Showing 5 of 23 matching Sigma rules.
References
Event ID 11 — FileCreate
Details
File create operations are logged when a file is created or overwritten.
Fields
| Name | Description |
|---|---|
RuleName | Custom tag mapped to event, i.e. ATT&CK technique ID |
UtcTime | Time in UTC when event was created |
ProcessGuid | Process GUID of the process that created the file |
ProcessId | Process ID used by the OS to identify the process that created the file |
Image | File path of the process that created the file |
TargetFilename | Name of the file |
CreationUtcTime | File creation time |
User | Name of the account who created the file |
Example Event
```yaml
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 11
  version: 2
  level: 4
  task: 11
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T02:04:29.354644+00:00'
  event_record_id: 1441137
  correlation: {}
  execution:
    process_id: 7064
    thread_id: 9788
  channel: Microsoft-Windows-Sysmon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  RuleName: '-'
  UtcTime: '2023-11-06 02:04:29.346'
  ProcessGuid: E56ADA26-3974-6548-1E08-000000000D00
  ProcessId: 18984
  Image: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
  TargetFilename: C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json
  CreationUtcTime: '2023-11-06 00:56:14.466'
  User: NT AUTHORITY\SYSTEM
message: ''
```
Sigma Rules
- ADSI-Cache File Creation By Uncommon Tool
Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
- Advanced IP Scanner - File Event
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
- Anydesk Temporary Artefact
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
- Suspicious Binary Writes Via AnyDesk
Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
- Suspicious File Created by ArcSOC.exe
Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS server, creates a file with a suspicious file type, indicating that it may be an executable, script file, or otherwise unusual.
Showing 5 of 165 matching Sigma rules.
References
Event ID 12 — RegistryEvent (Object create and delete)
Details
Registry key and value create and delete operations map to this event type.
Fields
| Name | Description |
|---|---|
RuleName | Custom tag mapped to event, i.e. ATT&CK technique ID |
EventType | Registry event. Either Create or Delete |
UtcTime | Time in UTC when event was created |
ProcessGuid | Process GUID of the process that created or deleted a registry key |
ProcessId | Process ID used by the OS to identify the process that created or deleted a registry key |
Image | File path of the process that created or deleted a registry key |
TargetObject | Complete path of the registry key |
User | The name of the account that created or deleted a registry key or value |
Example Event
```yaml
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 12
  version: 2
  level: 4
  task: 12
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T02:04:32.928398+00:00'
  event_record_id: 1441161
  correlation: {}
  execution:
    process_id: 7064
    thread_id: 9788
  channel: Microsoft-Windows-Sysmon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  RuleName: '-'
  EventType: CreateKey
  UtcTime: '2023-11-06 02:04:32.913'
  ProcessGuid: E56ADA26-1870-6548-C000-000000000D00
  ProcessId: 7484
  Image: C:\Windows\System32\svchost.exe
  TargetObject: HKU\S-1-5-21-1992711665-1655669231-58201500-1000\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy
  User: NT AUTHORITY\SYSTEM
message: ''
```
Sigma Rules
- Potential Persistence Via Disk Cleanup Handler - Registry
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
- Creation of a Local Hidden User Account by Registry
Sysmon registry detection of a local hidden user account.
- UAC Bypass Via Wsreset
Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
- CMSTP Execution Registry Event
Detects various indicators of Microsoft Connection Manager Profile Installer execution.
- Windows Defender Threat Severity Default Action Modified
Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'. This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level, allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
Showing 5 of 33 matching Sigma rules.
References
Event ID 13 — RegistryEvent (Value Set)
Details
This Registry event type identifies Registry value modifications.
Fields
| Name | Description |
|---|---|
| RuleName | Custom tag mapped to event, i.e. ATT&CK technique ID |
| EventType | Registry value modification event |
| UtcTime | Time in UTC when event was created |
| ProcessGuid | Process GUID of the process that modified a registry value |
| ProcessId | Process ID used by the OS to identify the process that modified a registry value |
| Image | File path of the process that modified a registry value |
| TargetObject | Complete path of the registry key |
| Details | Details added to the registry key |
| User | The name of the account that modified a registry value |
Example Event
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 13
  version: 2
  level: 4
  task: 13
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T02:04:35.731741+00:00'
  event_record_id: 1441174
  correlation: {}
  execution:
    process_id: 7064
    thread_id: 9788
  channel: Microsoft-Windows-Sysmon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  RuleName: '-'
  EventType: SetValue
  UtcTime: '2023-11-06 02:04:35.723'
  ProcessGuid: E56ADA26-2AFD-6548-9704-000000000D00
  ProcessId: 10860
  Image: C:\Windows\explorer.exe
  TargetObject: HKU\S-1-5-21-1992711665-1655669231-58201500-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA
  Details: Binary Data
  User: WINDEV2310EVAL\User
message: ''
Sigma Rules
- Creation of a Local Hidden User Account by Registry: Sysmon registry detection of a local hidden user account.
- UAC Bypass Via Wsreset: Unfixed method for UAC bypass from Windows 10. WSReset.exe is a file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
- CMSTP Execution Registry Event: Detects various indicators of Microsoft Connection Manager Profile Installer execution.
- Windows Defender Threat Severity Default Action Modified: Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'. This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level, allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
- Disable Security Events Logging Adding Reg Key MiniNt: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, the Windows Event Log service will stop writing events.
Showing 5 of 236 matching Sigma rules.
References
Event ID 14 — RegistryEvent (Key and Value Rename)
Details
Registry key and value rename operations map to this event type.
Fields
| Name | Description |
|---|---|
| EventType | Registry event. Registry key and value renamed |
| UtcTime | Time in UTC when event was created |
| ProcessGuid | Process GUID of the process that renamed a registry value and key |
| ProcessId | Process ID used by the OS to identify the process that renamed a registry value and key |
| Image | File path of the process that renamed a registry value and key |
| TargetObject | Complete path of the registry key |
| NewName | New name of the registry key |
Sigma Rules
- Delete Defender Scan ShellEx Context Menu Registry Key: Detects deletion of the registry key that adds the 'Scan with Defender' option to the context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
- Windows Credential Guard Related Registry Value Deleted - Registry: Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
- Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted: Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
- Folder Removed From Exploit Guard ProtectedFolders List - Registry: Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder.
- Terminal Server Client Connection History Cleared - Registry: Detects the deletion of registry keys containing the MSTSC connection history.
Showing 5 of 42 matching Sigma rules.
References
Event ID 15 — FileCreateStreamHash
Details
This event logs when a named file stream is created.
Fields
| Name | Description |
|---|---|
| RuleName | Custom tag mapped to event, i.e. ATT&CK technique ID |
| UtcTime | Time in UTC when event was created |
| ProcessGuid | Process GUID of the process that created the named file stream |
| ProcessId | Process ID used by the OS to identify the process that created the named file stream |
| Image | File path of the process that created the named file stream |
| TargetFilename | Name of the file |
| CreationUtcTime | File download time |
| Hash | Hash of the file contents using the algorithms specified in the HashType field |
| Contents | Content of the named file stream (e.g., Zone.Identifier) |
| User | — |
Example Event
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 15
  version: 2
  level: 4
  task: 15
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T01:51:44.967041+00:00'
  event_record_id: 1389495
  correlation: {}
  execution:
    process_id: 7064
    thread_id: 9788
  channel: Microsoft-Windows-Sysmon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  RuleName: '-'
  UtcTime: '2023-11-06 01:51:44.960'
  ProcessGuid: E56ADA26-46AE-6548-E90A-000000000D00
  ProcessId: 21364
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  TargetFilename: C:\Users\User\Downloads\b91cbd9e6f39cecc89fce0e6aaed8cd9ace56a7c.pdf:Zone.Identifier
  CreationUtcTime: '2023-11-06 01:51:40.569'
  Hash: SHA1=ACEF7488AD1488562925D97A333EE75A91F583A9,MD5=C9D406793D9E74FE319B9E6204D278B4,SHA256=D40F403A0C6E5448F3E5C4B339FE583C50A8BCF7FF2DA26E6A2F01DF62CD965C,IMPHASH=00000000000000000000000000000000
  Contents: '[ZoneTransfer] ZoneId=3 ReferrerUrl=https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/b91cbd9e6f39cecc89fce0e6aaed8cd9ace56a7c.pdf HostUrl=https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/b91cbd9e6f39cecc89fce0e6aaed8cd9ace56a7c.pdf '
  User: WINDEV2310EVAL\User
message: ''
Community Notes
May contain Mark of the Web, referrer, and host URL data.
Sigma Rules
- Hidden Executable In NTFS Alternate Data Stream: Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash.
- Creation Of a Suspicious ADS File Outside a Browser Download: Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers.
- Suspicious File Download From File Sharing Websites - File Stream: Detects the download of suspicious file type from a well-known file and paste sharing domain.
- Unusual File Download From File Sharing Websites - File Stream: Detects the download of suspicious file type from a well-known file and paste sharing domain.
- HackTool Named File Stream Created: Detects the creation of a named file stream with the imphash of a well-known hack tool.
Showing 5 of 9 matching Sigma rules.
References
Event ID 16 — ServiceConfigurationChange
Details
This event logs changes in the Sysmon configuration.
Fields
| Name | Description |
|---|---|
| UtcTime | Time in UTC when event was created |
| Configuration | Name of the Sysmon config file being updated |
| ConfigurationFileHash | Hash (SHA1) of the Sysmon config file being updated |
Example Event
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 16
  version: 3
  level: 4
  task: 16
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T00:47:11.932399+00:00'
  event_record_id: 994662
  correlation: {}
  execution:
    process_id: 8688
    thread_id: 13092
  channel: Microsoft-Windows-Sysmon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  UtcTime: '2023-11-06 00:47:11.921'
  Configuration: C:\Users\User\Downloads\Sysmon\sysmonconfig-trace.xml
  ConfigurationFileHash: SHA256=43F367924B48AF65F121C0D369E7971C0757CC35D984C71887A5840987E154F9
message: ''
Community Notes
May indicate an attacker attempting to reduce visibility prior to staging a payload.
Sigma Rules
- Sysmon Configuration Change: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying to manipulate the configuration.
- Sysmon Configuration Modification: Detects when an attacker tries to hide from Sysmon by disabling or stopping it.
References
Event ID 17 — PipeEvent (Pipe Created)
Details
This event generates when a named pipe is created.
Fields
| Name | Description |
|---|---|
| RuleName | Custom tag mapped to event, i.e. ATT&CK technique ID |
| EventType | The type of pipe event (CreatePipe) |
| UtcTime | Time in UTC when event was created |
| ProcessGuid | Process GUID of the process that created the pipe |
| ProcessId | Process ID used by the OS to identify the process that created the pipe |
| PipeName | Name of the pipe created |
| Image | File path of the process that created the pipe |
| User | The name of the account that created the named pipe |
Example Event
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 17
  version: 1
  level: 4
  task: 17
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T02:02:24.642500+00:00'
  event_record_id: 1433023
  correlation: {}
  execution:
    process_id: 7064
    thread_id: 9788
  channel: Microsoft-Windows-Sysmon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  RuleName: '-'
  EventType: CreatePipe
  UtcTime: '2023-11-06 02:02:24.630'
  ProcessGuid: E56ADA26-1A27-6548-3001-000000000D00
  ProcessId: 876
  PipeName: \LOCAL\mojo.876.3204.14485637353733294330
  Image: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\119.0.2151.44\msedgewebview2.exe
  User: WINDEV2310EVAL\User
message: ''
Sigma Rules
- ADFS Database Named Pipe Connection By Uncommon Tool: Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.
- CobaltStrike Named Pipe: Detects the creation of a named pipe as used by CobaltStrike.
- CobaltStrike Named Pipe Pattern Regex: Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles.
- CobaltStrike Named Pipe Patterns: Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles.
- HackTool - CoercedPotato Named Pipe Creation: Detects the pattern of a pipe name as used by the hack tool CoercedPotato.
Showing 5 of 17 matching Sigma rules.
References
Event ID 18 — PipeEvent (Pipe Connected)
Details
This event logs when a named pipe connection is made between a client and a server.
Fields
| Name | Description |
|---|---|
| RuleName | Custom tag mapped to event, i.e. ATT&CK technique ID |
| EventType | The type of pipe event (ConnectPipe) |
| UtcTime | Time in UTC when event was created |
| ProcessGuid | Process GUID of the process that connected the pipe |
| ProcessId | Process ID used by the OS to identify the process that connected the pipe |
| PipeName | Name of the pipe connected |
| Image | File path of the process that connected the pipe |
| User | The name of the account that made a named pipe connection |
Example Event
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 18
  version: 1
  level: 4
  task: 18
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T02:04:25.137463+00:00'
  event_record_id: 1441110
  correlation: {}
  execution:
    process_id: 7064
    thread_id: 9788
  channel: Microsoft-Windows-Sysmon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  RuleName: '-'
  EventType: ConnectPipe
  UtcTime: '2023-11-06 02:04:25.084'
  ProcessGuid: E56ADA26-17F7-6548-5800-000000000D00
  ProcessId: 4404
  PipeName: \wkssvc
  Image: C:\Windows\system32\wbem\wmiprvse.exe
  User: NT AUTHORITY\NETWORK SERVICE
message: ''
Sigma Rules
- ADFS Database Named Pipe Connection By Uncommon Tool: Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.
- CobaltStrike Named Pipe: Detects the creation of a named pipe as used by CobaltStrike.
- CobaltStrike Named Pipe Pattern Regex: Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles.
- CobaltStrike Named Pipe Patterns: Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles.
- HackTool - CoercedPotato Named Pipe Creation: Detects the pattern of a pipe name as used by the hack tool CoercedPotato.
Showing 5 of 17 matching Sigma rules.
References
Event ID 19 — WmiEvent (WmiEventFilter activity detected)
Details
When a WMI event filter is registered, this event logs the WMI namespace, filter name and filter expression.
Fields
| Name | Description |
|---|---|
| RuleName | Custom tag mapped to event, i.e. ATT&CK technique ID |
| EventType | WMI event type |
| UtcTime | Time in UTC when event was created |
| Operation | WMI event filter operation |
| User | User that created the WMI filter |
| EventNamespace | Event namespace where the WMI class is registered |
| Name | WMI filter name being created |
| Query | WMI filter query |
Example Event
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 19
  version: 3
  level: 4
  task: 19
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2019-07-19T14:54:57.044623Z'
  event_record_id: 4055
  correlation: {}
  execution:
    process_id: 2796
    thread_id: 1776
  channel: Microsoft-Windows-Sysmon/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-18
event_data:
  RuleName: ''
  EventType: WmiFilterEvent
  UtcTime: '2019-07-19 14:54:57.041'
  Operation: Created
  User: MSEDGEWIN10\IEUser
  EventNamespace: ' "root\\CimV2"'
  Name: ' "AtomicRedTeam-WMIPersistence-Example"'
  Query: ' "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance
    ISA ''Win32_PerfFormattedData_PerfOS_System'' AND TargetInstance.SystemUpTime
    >= 240 AND TargetInstance.SystemUpTime < 325"'
Sigma Rules
- WMI Event Subscription: Detects creation of WMI event subscription persistence method.
- Suspicious Encoded Scripts in a WMI Consumer: Detects suspicious encoded payloads in WMI Event Consumers.
- Suspicious Scripting in a WMI Consumer: Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers.
References
Event ID 20 — WmiEvent (WmiEventConsumer activity detected)
Details
This event logs the registration of WMI consumers.
Fields
| Name | Description |
|---|---|
| RuleName | Custom tag mapped to event, i.e. ATT&CK technique ID |
| EventType | WMI event type |
| UtcTime | Time in UTC when event was created |
| Operation | WMI consumer operation (e.g., Created, Deleted) |
| User | User that created the WMI consumer |
| Name | Name of the consumer created |
| Type | Type of WMI consumer |
| Destination | Destination or command executed by the WMI consumer |
Example Event
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 20
  version: 3
  level: 4
  task: 20
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2019-07-19T14:54:58.819106Z'
  event_record_id: 4056
  correlation: {}
  execution:
    process_id: 2796
    thread_id: 1776
  channel: Microsoft-Windows-Sysmon/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-18
event_data:
  RuleName: ''
  EventType: WmiConsumerEvent
  UtcTime: '2019-07-19 14:54:58.807'
  Operation: Created
  User: MSEDGEWIN10\IEUser
  Name: ' "AtomicRedTeam-WMIPersistence-Example"'
  Type: Command Line
  Destination: ' "C:\\Windows\\System32\\notepad.exe"'
Sigma Rules
- WMI Event Subscription: Detects creation of WMI event subscription persistence method.
- Suspicious Encoded Scripts in a WMI Consumer: Detects suspicious encoded payloads in WMI Event Consumers.
- Suspicious Scripting in a WMI Consumer: Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers.
References
Event ID 21 — WmiEvent (WmiEventConsumerToFilter activity detected)
Details
When a consumer binds to a filter, this event logs the consumer name and filter path.
Fields
| Name | Description |
|---|---|
| RuleName | Custom tag mapped to event, i.e. ATT&CK technique ID |
| EventType | WMI event type |
| UtcTime | Time in UTC when event was created |
| Operation | WMI consumer-to-filter binding operation |
| User | User that created the WMI consumer-to-filter binding |
| Consumer | Consumer created to bind |
| Filter | Filter created to bind |
Example Event
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 21
  version: 3
  level: 4
  task: 21
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2019-07-19T14:57:02.378480Z'
  event_record_id: 4057
  correlation: {}
  execution:
    process_id: 2796
    thread_id: 4356
  channel: Microsoft-Windows-Sysmon/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-18
event_data:
  RuleName: ''
  EventType: WmiBindingEvent
  UtcTime: '2019-07-19 14:57:02.369'
  Operation: Created
  User: MSEDGEWIN10\IEUser
  Consumer: ' "\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\"AtomicRedTeam-WMIPersistence-Example\""'
  Filter: ' "\\\\.\\ROOT\\subscription:__EventFilter.Name=\"AtomicRedTeam-WMIPersistence-Example\""'
Community Notes
May surface registration of WMI event-based auto-runs that survive reboots.
Sigma Rules
- WMI Event Subscription: Detects creation of WMI event subscription persistence method.
- Suspicious Encoded Scripts in a WMI Consumer: Detects suspicious encoded payloads in WMI Event Consumers.
- Suspicious Scripting in a WMI Consumer: Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers.
References
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-21.yml
Event ID 22 — DNSEvent (DNS query)
Details
This event is generated when a process executes a DNS query.
Fields
| Name | Description |
|---|---|
| RuleName | Custom tag mapped to event, i.e. ATT&CK technique ID |
| UtcTime | Time in UTC when event was created |
| ProcessGuid | Process GUID of the process that executed the DNS query |
| ProcessId | Process ID of the process that executed the DNS query |
| QueryName | DNS query name |
| QueryStatus | DNS query status |
| QueryResults | DNS query results |
| Image | The full path related to the process that executed the DNS query |
| User | The name of the account that executed the DNS query |
Example Event
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 22
  version: 5
  level: 4
  task: 22
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T02:02:51.121401+00:00'
  event_record_id: 1435196
  correlation: {}
  execution:
    process_id: 7064
    thread_id: 14476
  channel: Microsoft-Windows-Sysmon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  RuleName: '-'
  UtcTime: '2023-11-06 02:02:49.739'
  ProcessGuid: E56ADA26-3766-6548-3C07-000000000D00
  ProcessId: 15280
  QueryName: ooo-updates.apache.org
  QueryStatus: '9701'
  QueryResults: '-'
  Image: C:\Program Files\Avira\Endpoint Protection SDK\endpointprotection.exe
  User: NT AUTHORITY\SYSTEM
message: ''
Sigma Rules
- DNS Query for Anonfiles.com Domain - Sysmon: Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes.
- AppX Package Installation Attempts Via AppInstaller.EXE: Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL.
- Cloudflared Tunnels Related DNS Requests: Detects DNS requests to Cloudflared tunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
- DNS Query To Common Malware Hosting and Shortener Services: Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners. These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc. Such DNS activity can indicate potential delivery or command-and-control communication attempts.
- DNS Query To Devtunnels Domain: Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Showing 5 of 22 matching Sigma rules.
References
Event ID 23 — FileDelete (File Delete archived)
Details
A file was deleted. Additionally, the deleted file is saved in the ArchiveDirectory.
Fields
| Name | Description |
|---|---|
| RuleName | Custom tag mapped to event, i.e. ATT&CK technique ID |
| UtcTime | Time in UTC when event was created |
| ProcessGuid | Process GUID of the process that deleted the file |
| ProcessId | Process ID used by the OS to identify the process that deleted the file |
| User | Name of the account who deleted the file |
| Image | File path of the process that deleted the file |
| TargetFilename | Full path name of the deleted file |
| Hashes | Hashes captured by the Sysmon driver of the deleted file |
| IsExecutable | Whether the deleted file is a PE executable |
| Archived | States if the file was archived when deleted |
Example Event
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 23
  version: 5
  level: 4
  task: 23
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2020-10-20T11:50:55.461859Z'
  event_record_id: 769
  correlation: {}
  execution:
    process_id: 7212
    thread_id: 9748
  channel: Microsoft-Windows-Sysmon/Operational
  computer: DESKTOP-NTSSLJD
  security:
    user_id: S-1-5-18
event_data:
  RuleName: '-'
  UtcTime: '2020-10-20 11:50:55.457'
  ProcessGuid: 23F38D93-CF1F-5F8E-CA08-000000000C00
  ProcessId: 8736
  User: DESKTOP-NTSSLJD\den
  Image: C:\Program Files\Internet Explorer\IEInstal.exe
  TargetFilename: C:\Users\den\AppData\Local\Temp\dfcc1807-03a1-4ae1-ab29-5675b285edea\consent.exe.dat
  Hashes: SHA1=6BFB38629570909D3D9EEDFC783A948CE7849105,MD5=EE2A1C85C472F89B146CC8EE598CCCBC,SHA256=19FD0010DA92B654D1CA270247061A39EA13C0A58529FD8257A97E2EF7794911,IMPHASH=522D83761201075834F05037F5307949
  IsExecutable: true
  Archived: 'true'
Sigma Rules
- Backup Files Deleted: Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
- EventLog EVTX File Deleted: Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence.
- Exchange PowerShell Cmdlet History Deleted: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence.
- IIS WebServer Access Logs Deleted: Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence.
- Process Deletion of Its Own Executable: Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.
Showing 5 of 12 matching Sigma rules.
References
Event ID 24 — ClipboardChange (New content in the clipboard)
Details
This event is generated when the system clipboard contents change.
Fields
| Name | Description |
|---|---|
| RuleName | — |
| UtcTime | — |
| ProcessGuid | — |
| ProcessId | — |
| Image | — |
| Session | — |
| ClientInfo | — |
| Hashes | — |
| Archived | — |
| User | — |
Example Event
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 24
  version: 5
  level: 4
  task: 24
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T01:34:43.177918+00:00'
  event_record_id: 1300545
  correlation: {}
  execution:
    process_id: 7064
    thread_id: 18652
  channel: Microsoft-Windows-Sysmon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  RuleName: '-'
  UtcTime: '2023-11-06 01:34:43.168'
  ProcessGuid: E56ADA26-3DE0-6548-E908-000000000D00
  ProcessId: 11112
  Image: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.18.2822.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
  Session: 1
  ClientInfo: 'user: WINDEV2310EVAL\User'
  Hashes: SHA1=179A4D08834E913B14727CF6474BAC31E082D275,MD5=64D76D5B160C1EB41680025DD778622D,SHA256=35EC5A2FD3F20757A957DC280EF330892A9D76378252CD381BF34518E6A30427,IMPHASH=00000000000000000000000000000000
  Archived: 'true'
  User: WINDEV2310EVAL\User
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-24-clipboardchange-new-content-in-the-clipboard
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 25 — ProcessTampering (Process image change)
Details
This event is generated when process hiding techniques are being detected.
Fields
| Name | Description |
|---|---|
| RuleName | — |
| UtcTime | — |
| ProcessGuid | — |
| ProcessId | — |
| Image | — |
| Type | — |
| User | — |
Example Event
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 25
  version: 5
  level: 4
  task: 25
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T02:03:39.070256+00:00'
  event_record_id: 1436931
  correlation: {}
  execution:
    process_id: 7064
    thread_id: 9788
  channel: Microsoft-Windows-Sysmon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  RuleName: '-'
  UtcTime: '2023-11-06 02:03:39.059'
  ProcessGuid: E56ADA26-497A-6548-2A0B-000000000D00
  ProcessId: 18308
  Image: C:\Program Files\Avira\Endpoint Protection SDK\wsc_agent.exe
  Type: Image is locked for access
  User: NT AUTHORITY\SYSTEM
message: ''
Community Notes
Process tampering; detects process herpaderping.
Sigma Rules
- Potential Process Hollowing Activity: Detects when a memory process image does not match the disk image, indicative of process hollowing.
References
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-25-processtampering-process-image-change
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 26 — FileDeleteDetected (File Delete logged)
Details
A file was deleted.
Fields
| Name | Description |
|---|---|
| RuleName | Custom tag mapped to event, i.e. ATT&CK technique ID |
| UtcTime | Time in UTC when event was created |
| ProcessGuid | Process GUID of the process that deleted the file |
| ProcessId | Process ID used by the OS to identify the process that deleted the file |
| User | Name of the account who deleted the file |
| Image | File path of the process that deleted the file |
| TargetFilename | Full path name of the deleted file |
| Hashes | Hashes captured by the Sysmon driver of the deleted file |
| IsExecutable | Whether the deleted file is a PE executable |
Example Event
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 26
  version: 5
  level: 4
  task: 26
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T02:04:29.353937+00:00'
  event_record_id: 1441136
  correlation: {}
  execution:
    process_id: 7064
    thread_id: 9788
  channel: Microsoft-Windows-Sysmon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  RuleName: '-'
  UtcTime: '2023-11-06 02:04:29.346'
  ProcessGuid: E56ADA26-3974-6548-1E08-000000000D00
  ProcessId: 18984
  User: NT AUTHORITY\SYSTEM
  Image: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
  TargetFilename: C:\ProgramData\Malwarebytes\MBAMService\config\MbamClientConfig.json
  Hashes: SHA1=313DF92678806809A0DA4150870A71DEEEC67790,MD5=48523B42CDEEC91FF7020302F0EF58D5,SHA256=54A882E183B3882F54222737ED16BA98E06D91C30DECD478BF9C0EDBE6728BFB,IMPHASH=00000000000000000000000000000000
  IsExecutable: false
message: ''
Sigma Rules
- Backup Files Deleted: Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
- EventLog EVTX File Deleted: Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence.
- Exchange PowerShell Cmdlet History Deleted: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence.
- IIS WebServer Access Logs Deleted: Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence.
- Process Deletion of Its Own Executable: Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.
Showing 5 of 12 matching Sigma rules.
References
Event ID 27 — FileBlockExecutable
Details
This event is generated when Sysmon detects and blocks the creation of executable files.
Fields
| Name | Description |
|---|---|
| RuleName | — |
| UtcTime | — |
| ProcessGuid | — |
| ProcessId | — |
| User | — |
| Image | — |
| TargetFilename | — |
| Hashes | — |
Example Event
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 27
  version: 5
  level: 4
  task: 27
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-08-29T04:43:48.128507Z'
  event_record_id: 1341
  correlation: {}
  execution:
    process_id: 2060
    thread_id: 7132
  channel: Microsoft-Windows-Sysmon/Operational
  computer: DESKTOP-VQBONAV
  security:
    user_id: S-1-5-18
event_data:
  RuleName: ImageBlock
  UtcTime: '2022-08-29 04:43:48.117'
  ProcessGuid: 3E153517-4404-630C-0003-000000000400
  ProcessId: 8636
  User: DESKTOP-VQBONAV\user
  Image: C:\Windows\system32\certutil.exe
  TargetFilename: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\02E7958E9A9619FDA0A027756E601291
  Hashes: MD5=E112A827FAB9F8378C76040187A6F336,SHA256=ED369187681A62247E38D930320F1CD771756D0B7B67072D8EC655EF99E14AEB,IMPHASH=8EEAA9499666119D13B3F44ECD77A729
Sigma Rules
- Sysmon Blocked Executable
Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy.
References
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-27-fileblockexecutable
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 28 — FileBlockShredding
Details
This event is generated when Sysmon detects and blocks file shredding.
Fields
| Name | Description |
|---|---|
| RuleName | — |
| UtcTime | — |
| ProcessGuid | — |
| ProcessId | — |
| User | — |
| Image | — |
| TargetFilename | — |
| Hashes | — |
| IsExecutable | — |
Sigma Rules
- Sysmon Blocked File Shredding
Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.
References
Event ID 29 — FileExecutableDetected
Details
This event is generated when Sysmon detects the creation of a new executable file.
Fields
| Name | Description |
|---|---|
| RuleName | — |
| UtcTime | — |
| ProcessGuid | — |
| ProcessId | — |
| User | — |
| Image | — |
| TargetFilename | — |
| Hashes | — |
Sigma Rules
- Potentially Suspicious Self Extraction Directive File Created
Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stands for Self Extraction Directive files, which are used by the "iexpress.exe" utility to create self-extracting packages. Attackers have been seen abusing this utility and creating PE files with embedded ".sed" entries. Usually ".sed" files are simple INI text files, not PE binaries.
- Sysmon File Executable Creation Detected
Triggers on any Sysmon "FileExecutableDetected" event, which fires every time a PE file covered by the configuration is created.
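The following is an added example, not code from this page, from Sysmon or from the Sigma project: it evaluates the rule logic described above for Event IDs 27 and 29 over records laid out like the page's YAML example events. The first record mirrors the Event ID 27 example; the other records, the host names and the hash values are constructed. The ".sed" check is this example's reading of the rule description (an extension match on TargetFilename); the real Sigma rule may apply additional conditions.

```python
"""Apply the Event ID 27 / 29 detection logic described on this page to
Sysmon records (added example; all records below are constructed)."""
from __future__ import annotations

# Constructed records in the same layout as the page's YAML example events.
SAMPLE_EVENTS = [
    {  # mirrors the page's Event ID 27 (FileBlockExecutable) example
        "system": {"event_id": 27, "computer": "DESKTOP-VQBONAV"},
        "event_data": {
            "RuleName": "ImageBlock",
            "User": "DESKTOP-VQBONAV\\user",
            "Image": "C:\\Windows\\system32\\certutil.exe",
            "TargetFilename": "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\02E7958E9A9619FDA0A027756E601291",
            "Hashes": "MD5=E112A827FAB9F8378C76040187A6F336,SHA256=ED369187681A62247E38D930320F1CD771756D0B7B67072D8EC655EF99E14AEB,IMPHASH=8EEAA9499666119D13B3F44ECD77A729",
        },
    },
    {  # constructed: a PE written under a .sed (Self Extraction Directive) name
        "system": {"event_id": 29, "computer": "HOST-A"},
        "event_data": {
            "RuleName": "-",
            "User": "HOST-A\\alice",
            "Image": "C:\\Windows\\System32\\cmd.exe",
            "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\build.sed",
            "Hashes": "SHA256=" + "00" * 32,  # placeholder hash
        },
    },
    {  # constructed: ordinary PE creation, should only hit the generic ID 29 rule
        "system": {"event_id": 29, "computer": "HOST-A"},
        "event_data": {
            "RuleName": "-",
            "User": "HOST-A\\alice",
            "Image": "C:\\Program Files\\Installer\\setup.exe",
            "TargetFilename": "C:\\Program Files\\App\\app.exe",
            "Hashes": "MD5=" + "11" * 16 + ",SHA256=" + "22" * 32,  # placeholder hashes
        },
    },
]


def parse_hashes(hashes: str) -> dict[str, str]:
    """Split Sysmon's 'ALG=HEX,ALG=HEX' Hashes field into a dict keyed by algorithm."""
    out: dict[str, str] = {}
    for part in hashes.split(","):
        alg, _, value = part.partition("=")
        if alg and value:
            out[alg.strip().upper()] = value.strip().lower()
    return out


def evaluate(event: dict) -> list[str]:
    """Return the names of the rules from this section that the event satisfies."""
    eid = event["system"]["event_id"]
    data = event["event_data"]
    hits: list[str] = []
    if eid == 27:
        # Any FileBlockExecutable event is a violation of the configured block policy.
        hits.append("Sysmon Blocked Executable")
    if eid == 29:
        # Every FileExecutableDetected event is a monitored PE creation.
        hits.append("Sysmon File Executable Creation Detected")
        # A PE whose name ends in .sed is unusual: .sed files are normally plain INI text.
        if data.get("TargetFilename", "").lower().endswith(".sed"):
            hits.append("Potentially Suspicious Self Extraction Directive File Created")
    return hits


def triage(events: list[dict]) -> list[dict]:
    """Produce one alert per matching event with the fields an analyst pivots on."""
    alerts = []
    for ev in events:
        rules = evaluate(ev)
        if not rules:
            continue
        data = ev["event_data"]
        alerts.append({
            "computer": ev["system"]["computer"],
            "event_id": ev["system"]["event_id"],
            "rules": rules,
            "image": data.get("Image"),
            "target": data.get("TargetFilename"),
            "sha256": parse_hashes(data.get("Hashes", "")).get("SHA256"),
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The SHA256 pulled out of the Hashes field is what you would use to pivot into Event ID 1 (process creation) and Event ID 7 (image load) records for the same binary, which is why the triage output carries it separately instead of the raw comma-joined string.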
References
Event ID 255 — Error
Details
This event is generated when an **error occurs within Sysmon**. Such errors can happen if the system is under heavy load and certain tasks could not be performed, or if a bug exists in the Sysmon service.
Fields
| Name | Description |
|---|---|
| UtcTime | — |
| ID | — |
| Description | — |
Example Event
```yaml
system:
  provider: Microsoft-Windows-Sysmon
  guid: 5770385F-C22A-43E0-BF4C-06F5698FFBD9
  event_source_name: ''
  event_id: 255
  version: 3
  level: 2
  task: 255
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T00:55:58.314139+00:00'
  event_record_id: 1050594
  correlation: {}
  execution:
    process_id: 7064
    thread_id: 9788
  channel: Microsoft-Windows-Sysmon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  UtcTime: '2023-11-06 00:55:58.306'
  ID: IMAGE_LOAD
  Description: Failed to find process image name
message: ''
```
Sigma Rules
- Sysmon Configuration Error
Detects when an adversary is trying to hide its actions from Sysmon logging, based on Sysmon error messages.
References
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-255-error
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-255.yml