Microsoft-Windows-Sysmon
30 events across 1 channel
Event ID 1: Process creation
Description #
The **process creation** event provides extended information about a newly created process. The full command line provides context on the process execution. The ProcessGuid field is a value unique to this process across a domain, which makes event correlation easier than the OS process ID (ProcessId), which the OS reuses once a process exits. The Hashes field carries full hashes of the image file, one per algorithm selected in the configuration's HashAlgorithms option, written as comma-separated `ALGO=digest` pairs.
Message #
Fields #
| Name | Type | Description | Rules |
|---|---|---|---|
| RuleName | UnicodeString | Custom tag mapped to the event, e.g. an ATT&CK technique ID | |
| UtcTime | UnicodeString | Time in UTC when the event was created | |
| ProcessGuid | GUID | Process GUID of the process that was spawned/created (child) | |
| ProcessId | UInt32 | Process ID used by the OS to identify the created process (child) | |
| Image | UnicodeString | File path of the process being spawned/created; also considered the child or source process | 3447 |
| FileVersion | UnicodeString | Version of the image associated with the main process (child) | 13 |
| Description | UnicodeString | Description of the image associated with the main process (child) | 112 |
| Product | UnicodeString | Product name the image associated with the main process (child) belongs to | 87 |
| Company | UnicodeString | Company name the image associated with the main process (child) belongs to | 49 |
| OriginalFileName | UnicodeString | Original file name from the image's PE version resource, useful for detecting renamed executables; `-` when the image carries none | 1040 |
| CommandLine | UnicodeString | Arguments which were passed to the executable associated with the main process | 14323 |
| CurrentDirectory | UnicodeString | Working directory of the new process (not necessarily the directory of the image; compare the example below) | 29 |
| User | UnicodeString | Account that created the process (child), in DOMAIN\user form | 63 |
| LogonGuid | GUID | Logon GUID of the user who created the new process; correlates this event with other Sysmon events carrying the same Logon GUID | |
| LogonId | HexInt64 | Logon ID of the user who created the new process; correlates this event with other events carrying the same Logon ID, e.g. Security log 4624 logons | 4 |
| TerminalSessionId | UInt32 | ID of the session the user belongs to | |
| IntegrityLevel | UnicodeString | Integrity label assigned to the process (Low, Medium, High, System, AppContainer; see the Mandatory Integrity Control reference) | 109 |
| Hashes | UnicodeString | Hashes of the image captured by the Sysmon driver, as comma-separated `ALGO=digest` pairs; which algorithms appear depends on the HashAlgorithms configuration | 506 |
| ParentProcessGuid | GUID | Process GUID of the parent process that spawned/created this process | |
| ParentProcessId | UInt32 | Process ID of the process that spawned/created the main process (child) | |
| ParentImage | UnicodeString | File path of the process that spawned/created the main process | 906 |
| ParentCommandLine | UnicodeString | Arguments which were passed to the executable associated with the parent process | 310 |
| ParentUser | UnicodeString | Account that created the process which spawned/created the main process (child) | 16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"event_source_name": "",
"event_id": 1,
"version": 5,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T14:09:29.2562055+00:00",
"event_record_id": 17612602,
"correlation": {},
"execution": {
"process_id": 4080,
"thread_id": 5392
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2026-06-13 14:09:29.253",
"ProcessGuid": "{8a99384c-6499-6a2d-a205-000000001000}",
"ProcessId": "7704",
"Image": "C:\\ludus\\background\\bginfo.exe",
"FileVersion": "4.33",
"Description": "BGInfo - Wallpaper text configurator",
"Product": "BGInfo",
"Company": "Sysinternals - www.sysinternals.com",
"OriginalFileName": "BGInfo.exe",
"CommandLine": "\"C:\\ludus\\background\\bginfo.exe\" /accepteula C:\\ludus\\background\\red.bgi /silent /timer:0",
"CurrentDirectory": "C:\\Windows\\system32\\",
"User": "cell-c\\domainadmin",
"LogonGuid": "{8a99384c-e96f-6a2c-b6f3-0b0000000000}",
"LogonId": "0xbf3b6",
"TerminalSessionId": "1",
"IntegrityLevel": "High",
"Hashes": "SHA1=47C5CB3D6E01E139FEA41E94C43C29698FCD912B,MD5=34072C1DD7E0D04760108F565540F745,SHA256=599B391980A5C9CBADD6C70BA3D5A5258DB8B9D87C68B3FE587D9DC84EFFDF63,IMPHASH=B221E55CFCA1A7D0850D1B749ACE2D69",
"ParentProcessGuid": "{8a99384c-e981-6a2c-c200-000000001000}",
"ParentProcessId": "7180",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -ExecutionPolicy Bypass -NonInteractive -File \"C:\\ludus\\background\\set-bg.ps1\"",
"ParentUser": "cell-c\\domainadmin"
},
"message": "Process Create:\r\nRuleName: -\r\nUtcTime: 2026-06-13 14:09:29.253\r\nProcessGuid: {8a99384c-6499-6a2d-a205-000000001000}\r\nProcessId: 7704\r\nImage: C:\\ludus\\background\\bginfo.exe\r\nFileVersion: 4.33\r\nDescription: BGInfo - Wallpaper text configurator\r\nProduct: BGInfo\r\nCompany: Sysinternals - www.sysinternals.com\r\nOriginalFileName: BGInfo.exe\r\nCommandLine: \"C:\\ludus\\background\\bginfo.exe\" /accepteula C:\\ludus\\background\\red.bgi /silent /timer:0\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: cell-c\\domainadmin\r\nLogonGuid: {8a99384c-e96f-6a2c-b6f3-0b0000000000}\r\nLogonId: 0xBF3B6\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: SHA1=47C5CB3D6E01E139FEA41E94C43C29698FCD912B,MD5=34072C1DD7E0D04760108F565540F745,SHA256=599B391980A5C9CBADD6C70BA3D5A5258DB8B9D87C68B3FE587D9DC84EFFDF63,IMPHASH=B221E55CFCA1A7D0850D1B749ACE2D69\r\nParentProcessGuid: {8a99384c-e981-6a2c-c200-000000001000}\r\nParentProcessId: 7180\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -ExecutionPolicy Bypass -NonInteractive -File \"C:\\ludus\\background\\set-bg.ps1\"\r\nParentUser: cell-c\\domainadmin"
}
Detection Patterns #
1295 rules reference this event across Sigma, Elastic and Splunk. Categories in the breakdown: Network Connection, Share Access Sysmon, Xsl Script Execution, Defense Impairment: Modify Registry, Exfiltration: Exfiltration Over Alternative Protocol (1 rule), Credential Access: DCSync (1 rule), Execution: Exploitation for Client Execution, Persistence: Create or Modify System Process (1 rule), Stealth: Process Hollowing (1 rule), Stealth: Create Process with Token (1 rule), Stealth: Msiexec (1 rule), Lateral Movement: Exploitation of Remote Services, Command & Control: Remote Desktop Software, Stealth: Clear Windows Event Logs (0 rules), Credential Access: NTDS (0 rules), Discovery: System Network Configuration Discovery (0 rules).
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| event.type | eq | start | 238 rules | elastic |
| Image | ends_with | \powershell.exe | 166 rules | sigma |
| Image | ends_with | \pwsh.exe | 152 rules | sigma |
| Image | ends_with | \cmd.exe | 121 rules | sigma |
| OriginalFileName | eq | powershell.exe | 121 rules | elastic, sigma, splunk |
| OriginalFileName | eq | pwsh.dll | 112 rules | elastic, sigma, splunk |
| process_name | eq | powershell.exe | 94 rules | elastic, splunk |
| Image | ends_with | \rundll32.exe | 86 rules | sigma |
| process_name | eq | cmd.exe | 73 rules | elastic, splunk |
| OriginalFileName | eq | cmd.exe | 65 rules | elastic, sigma, splunk |
| Image | ends_with | \wscript.exe | 63 rules | sigma |
| Image | ends_with | \cscript.exe | 63 rules | sigma |
| OriginalFileName | eq | rundll32.exe | 62 rules | elastic, sigma, splunk |
| OriginalFileName | eq | wmic.exe | 61 rules | elastic, sigma, splunk |
| Image | ends_with | \regsvr32.exe | 58 rules | sigma |
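The field descriptions above (ProcessGuid for correlation, OriginalFileName for spotting renamed binaries, the comma-separated Hashes string) and the predicate kinds in the Common Indicators table translate directly into code. The following Python is an added example, not code from this page, from Sysmon or from any rule vendor. It assumes the JSON layout of the Example Event (raw Sysmon fields under `event_data`) and compares strings case-insensitively, as Sigma does for Windows process-creation fields; every event in it is constructed, the first copying fields from the bginfo.exe record above.

```python
"""Checks over Sysmon Event ID 1 records in the JSON shape of the Example Event.

Added example; not code from the page, Sysmon, Sigma or any other rule vendor.
Assumes "event_data" holds the raw Sysmon fields and that string comparisons
are case-insensitive. Every event below is constructed: the first copies
fields from the bginfo.exe example, the others are invented to exercise the checks.
"""
import ntpath

EVENTS = [
    {"event_data": {  # copied from the page's example event
        "ProcessGuid": "{8a99384c-6499-6a2d-a205-000000001000}",
        "Image": "C:\\ludus\\background\\bginfo.exe",
        "OriginalFileName": "BGInfo.exe",
        "Hashes": "SHA1=47C5CB3D6E01E139FEA41E94C43C29698FCD912B,"
                  "MD5=34072C1DD7E0D04760108F565540F745,"
                  "SHA256=599B391980A5C9CBADD6C70BA3D5A5258DB8B9D87C68B3FE587D9DC84EFFDF63,"
                  "IMPHASH=B221E55CFCA1A7D0850D1B749ACE2D69",
        "ParentProcessGuid": "{8a99384c-e981-6a2c-c200-000000001000}",
    }},
    {"event_data": {  # constructed: the parent powershell.exe as its own Event ID 1
        "ProcessGuid": "{8a99384c-e981-6a2c-c200-000000001000}",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000",
        "ParentProcessGuid": "{8a99384c-e96f-6a2c-0100-000000001000}",  # not captured below
    }},
    {"event_data": {  # constructed: powershell.exe copied to a user path and renamed
        "ProcessGuid": "{8a99384c-7000-6a2d-ff00-000000001000}",
        "Image": "C:\\Users\\Public\\svchost.exe",
        "OriginalFileName": "PowerShell.EXE",
        "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000",
        "ParentProcessGuid": "{8a99384c-e981-6a2c-c200-000000001000}",
    }},
]

# (field, kind, value) triples in the shape of the Common Indicators table.
INDICATORS = [
    ("Image", "ends_with", "\\powershell.exe"),
    ("OriginalFileName", "eq", "powershell.exe"),
    ("Image", "ends_with", "\\cmd.exe"),
]


def predicate(kind, actual, expected):
    """Case-insensitive comparison for the predicate kinds used in the table."""
    a, e = actual.lower(), expected.lower()
    if kind == "eq":
        return a == e
    if kind == "ends_with":
        return a.endswith(e)
    if kind == "starts_with":
        return a.startswith(e)
    raise ValueError(f"unknown predicate kind: {kind}")


def matching_indicators(event):
    """Return the indicators whose predicate holds for this event."""
    data = event["event_data"]
    return [(f, k, v) for f, k, v in INDICATORS if predicate(k, data.get(f, ""), v)]


def parse_hashes(hashes):
    """Split 'SHA1=..,MD5=..' into a dict; which algorithms appear is set by HashAlgorithms."""
    out = {}
    for part in hashes.split(","):
        algo, sep, digest = part.partition("=")
        if sep:
            out[algo] = digest
    return out


def is_renamed(event):
    """True when the on-disk name differs from the name in the PE version resource.

    Sysmon writes '-' when the image has no OriginalFileName; treat that as unknown.
    """
    data = event["event_data"]
    orig = data.get("OriginalFileName", "-")
    if orig in ("-", ""):
        return False
    return ntpath.basename(data["Image"]).lower() != orig.lower()


def lineage(events, guid, max_depth=16):
    """Walk ParentProcessGuid -> ProcessGuid links; stops when the parent was not captured."""
    by_guid = {e["event_data"]["ProcessGuid"]: e["event_data"] for e in events}
    chain = []
    while guid in by_guid and len(chain) < max_depth:
        data = by_guid[guid]
        chain.append(ntpath.basename(data["Image"]).lower())
        guid = data["ParentProcessGuid"]
    return chain


def triage(events):
    """One summary row per event: the fields an analyst pivots on first."""
    rows = []
    for e in events:
        d = e["event_data"]
        rows.append({
            "image": d["Image"],
            "renamed": is_renamed(e),
            "indicators": matching_indicators(e),
            "sha256": parse_hashes(d["Hashes"]).get("SHA256"),
            "lineage": lineage(events, d["ProcessGuid"]),
        })
    return rows


if __name__ == "__main__":
    for row in triage(EVENTS):
        print(row)
```

The renamed copy matches the OriginalFileName indicator but none of the Image ones, which is why the table shows OriginalFileName checks shared by all three vendors: the attacker chooses the on-disk name but not the version resource. Two practical caveats: Sysmon writes the value with its original casing (`PowerShell.EXE`), so a case-sensitive `eq` misses it, and `-` means the image has no version resource at all, which is itself worth a look in a path like `C:\Users\Public`.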
Detection Rules #
Sigma #
(20 of 869 rules shown)
- 7Zip Compressing Dump Files (medium): Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
- Compress Data and Lock With Password for Exfiltration With 7-ZIP (medium): An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities.
- Potential DLL Injection Via AccCheckConsole (medium): Detects the execution of "AccCheckConsole", a command-line tool for verifying the accessibility implementation of an application's UI. One of the tests this checker can run is a "verification routine", which tests for things like Consistency, Navigation, etc. The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such a DLL and pass it via the CLI, and it is then loaded in the context of the "AccCheckConsole" utility.
- Suspicious AddinUtil.EXE CommandLine Execution (high): Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversary's Addins.Store payload.
- Uncommon AddinUtil.EXE CommandLine Execution (medium): Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversary's Addins.Store payload.
- AddinUtil.EXE Execution From Uncommon Directory (medium): Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
- Potential Adplus.EXE Abuse (high): Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK and can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
- AgentExecutor PowerShell Execution (medium): Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy "Bypass", or any binary named "powershell.exe" located in the path provided by the 6th positional argument.
- Suspicious AgentExecutor PowerShell Execution (high): Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy "Bypass", or any binary named "powershell.exe" located in the path provided by the 6th positional argument.
- Windows AMSI Related Registry Tampering Via CommandLine (high): Detects tampering of AMSI (Anti-Malware Scan Interface) related registry values via command line tools such as reg.exe or PowerShell. AMSI provides a generic interface for applications and services to integrate with antimalware products. Adversaries may disable AMSI to evade detection of malicious scripts and code execution.
- Uncommon Assistive Technology Applications Execution Via AtBroker.EXE (medium): Detects the start of a non-built-in assistive technology application via "Atbroker.EXE".
- Hiding Files with Attrib.exe (medium): Detects usage of attrib.exe to hide files from users.
- Set Suspicious Files as System Files Using Attrib.EXE (high): Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files, to hide them from users and make them impossible to delete with simple rights. The rule limits the search to specific extensions and directories to avoid FPs.
- Audit Policy Tampering Via Auditpol (high): Threat actors can use the auditpol binary to change the audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
- Windows EventLog Autologger Session Registry Modification Via CommandLine (high): Detects attempts to disable Windows EventLog autologger sessions via registry modification. The AutoLogger event tracing session records events that occur early in the operating system boot process. Applications and device drivers can use the AutoLogger session to capture traces before the user logs in. Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
- Suspicious Autorun Registry Modified via WMI (high): Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.
- Indirect Inline Command Execution Via Bash.EXE (medium): Detects execution of the Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
- Indirect Command Execution From Script File Via Bash.EXE (medium): Detects execution of the Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
- Boot Configuration Tampering Via Bcdedit.EXE (high): Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often used by malware or attackers as a destructive step before launching ransomware.
- Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE (medium): Detects potential malicious and unauthorized usage of bcdedit.exe.
Splunk #
(20 of 269 rules shown)
- Detect Remote Access Software Usage FileInfo: The following analytic detects the execution of processes with file or code signing attributes from known remote access software within the environment. It leverages Sysmon EventCode 1 data and cross-references a lookup table of remote…
- Excessive Usage Of SC Service Utility: The following analytic detects excessive usage of the `sc.exe` service utility on a host machine. It leverages Sysmon EventCode 1 logs to identify instances where `sc.exe` is executed more frequently than normal within a 15-minute window.…
- Jscript Execution Using Cscript App: The following analytic detects the execution of JScript using the cscript.exe process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This behavior is significant…
- MacOS - Re-opened Applications: The following analytic identifies processes referencing plist files that determine which applications are re-opened when a user reboots their MacOS machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on…
- Malicious PowerShell Process With Obfuscation Techniques: The following analytic detects PowerShell processes launched with command-line arguments indicative of obfuscation techniques. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent…
- Ping Sleep Batch Command: The following analytic identifies the execution of ping sleep batch commands. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process command-line details. This activity is significant as…
- Possible Lateral Movement PowerShell Spawn: The following analytic detects the spawning of a PowerShell process as a child or grandchild of commonly abused processes like services.exe, wmiprvse.exe, svchost.exe, wsmprovhost.exe, and mmc.exe. It leverages data from Endpoint Detection…
- Process Deleting Its Process File Path: The following analytic identifies a process attempting to delete its own file path, a behavior often associated with defense evasion techniques. This detection leverages Sysmon EventCode 1 logs, focusing on command lines executed via…
- Unusually Long Command Line: The following analytic detects unusually long command lines, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on the length of command lines executed on hosts. This…
- Vbscript Execution Using Wscript App: The following analytic detects the execution of VBScript using the wscript.exe application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant…
- Web or Application Server Spawning a Shell: The following analytic detects instances where Java or Tomcat processes spawn a Linux shell, which may indicate exploitation attempts, such as those related to CVE-2021-44228 (Log4Shell). This detection leverages Endpoint Detection and…
- Web Servers Executing Suspicious Processes: The following analytic detects the execution of suspicious processes on systems identified as web servers. It leverages the Splunk data model "Endpoint.Processes" to search for specific process names such as "whoami", "ping", "iptables",…
- Windows Account Access Removal via Logoff Exec: The following analytic detects the process of logging off a user through the use of the quser and logoff commands. By monitoring for these commands, the analytic identifies actions where a user session is forcibly terminated, which could…
- Windows Binary Execution from an Archive: Detects the execution of a binary from archive-related paths in the user's Temp directory. It looks for binaries launched by `explorer.exe`, `winrar.exe`, or `7zFM.exe`, where the executed process path includes Temp and archive markers…
- Windows Browser Process Launched with Unusual Flags: The following analytic detects the use of unusual browser flags, specifically --mute-audio and --do-not-elevate, which deviate from standard browser launch behavior. These flags may indicate automated scripts, testing environments, or…
- Windows Command Shell DCRat ForkBomb Payload: The following analytic detects the execution of a DCRat "forkbomb" payload, which spawns multiple cmd.exe processes that launch notepad.exe instances in quick succession. This detection leverages Endpoint Detection and Response (EDR) data,…
- Windows ComputerDefaults Spawning a Process: The following analytic detects the spawning of ComputerDefaults.exe, a Windows system process used to manage default application associations. While normally legitimate, this process can be exploited by attackers to bypass User Account…
- Windows Credential Target Information Structure in Commandline: Detects DNS-based Kerberos coercion attacks where adversaries inject marshaled credential structures into DNS records to spoof SPNs and redirect authentication, such as in CVE-2025-33073. This detection leverages process creation events…
- Windows Crowdstrike RTR Script Execution: Detects usage of Crowdstrike Real Time Response (RTR) to execute a "runscript" command. This can be used by malicious actors with access to the Crowdstrike dashboard to execute commands on remote managed hosts.
- Windows Default Rdp File Unhidden: This detection identifies the use of attrib.exe to remove hidden (-h) or system (-s) attributes from the Default.rdp file, which is automatically created in a user's Documents folder when a Remote Desktop Protocol (RDP) session is…
Kusto #
(13 rules)
- SUNBURST suspicious SolarWinds child processes (medium): Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor. References: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html and https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
- Audit policy manipulation using auditpol utility (medium): This detects attempts to manipulate audit policies using the auditpol command. This technique was seen in relation to the Solorigate attack, but the results can indicate potential malicious activity used in different attacks. The process name in each data source is commented out, as an adversary could rename it. It is advisable to keep the process name commented out, but if the results show unrelated false positives, users may want to uncomment it. Refer to the auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol. Refer to the M365 blog for details on use during the Solorigate attack: https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
- Modification of Accessibility Features (medium): Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (e.g. when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times, and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. Ref: https://attack.mitre.org/techniques/T1546/008/
- Lateral Movement via DCOM (medium): This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network. Ref: http://thenegative.zone/incident response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html
- Detecting Macro Invoking ShellBrowserWindow COM Objects (medium): This query detects a macro invoking ShellBrowserWindow COM objects to evade naive parent/child Office detection rules.
- Windows Binaries Lolbins Renamed (medium): This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. Ref: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html
- Potential Kerberos Relaying Activity - MDE: The query detects a potential Kerberos relaying event chain generated by KrbRelay.
- Spearphishing Attachment: ISO Images (Microsoft Sentinel): ISO images are often meant to be used offline, and they are often used by IT admins and/or on servers. Installation from an ISO file does not require a network connection most of the time. Activities deviating from these situations can be considered highly suspicious. The queries detect opening a mounted image, process creation under a mounted image, and a network connection from a process created under a mounted image. All detections can be used separately or combined to generate a higher-fidelity alert. WARNING: Check your Sysmon parsing functions and verify you have the logs. Using the "Rendered Description" field for parsing causes parsing issues for registry events. (Also matches Event ID 3: Network connection, Event ID 11: FileCreate, Event ID 13: RegistryEvent (Value Set).)
- T1566.002 Spearphishing Link - Rare URL Clicks: The query analyzes URLs that are opened from applications like Outlook, Word, Excel, PowerPoint, and Adobe PDF apps, and finds rare URLs that might be a phishing attempt. It is strongly recommended to enrich results with prevalence information using firewall or proxy logs. You can reduce the noise by filtering specific parent processes according to your needs. You can further improve the results using logic apps or scripting to get extra information about the URL (age, certificate, VT score, etc.). Keep in mind that there are ways to bypass controls by hosting the phishing links inside a document stored in the cloud; you have no visibility with Sysmon in this scenario.
- Potential Lateral Movement via MSI ODBC Driver Install over DCOM: Detects potential lateral movement via MSI custom actions to install an ODBC driver over DCOM remotely.
- Scheduled Task - Suspicious Network Connection: The query performs process tree analysis for Scheduled Tasks on MDE/MDATP/M365D and displays anomalous trees. Then it gets all network connections made by every single process in each anomalous process tree. Before using the query, do a quick analysis of the command lines of the processes spawned by Scheduled Tasks. There might be specific processes executing with a unique argument on each device; you need to whitelist them to get better results.
- Process Tree Analysis: The queries perform process tree analysis on MDE/MDATP, Azure Sentinel (Sysmon), and Splunk (Sysmon) and display anomalous trees. All queries run smoothly even in large environments. A detailed explanation is linked from the source.
- Zinc Actor IOCs files - October 2022 (high): Identifies a match across filename and command-line IOCs related to an actor tracked by Microsoft as Zinc. Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/ (Also matches Event ID 3: Network connection.)
YARA-L #
(20 of 55 rules shown)
- Base64 Encoded PowerShell Command Detected: Detects usage of the "FromBase64String" function in the command line, which is used to decode a base64-encoded string.
- ConvertTo-SecureString Cmdlet Usage Via CommandLine: Detects usage of the "ConvertTo-SecureString" cmdlet via the command line, which is fairly uncommon and could indicate potential suspicious activity.
- Copy From Or To Admin Share Or Sysvol Folder: Detects a copy command or a copy utility execution to or from an Admin share or remote
- CreateDump Process Dump: Detects uses of the createdump.exe LOLBIN utility to dump process memory.
- Direct Autorun Keys Modification: Detects direct modification of an autostart extensibility point (ASEP) in the registry using reg.exe.
- File Download Using Notepad++ GUP Utility: Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.
- File Download Via Windows Defender MpCmpRun.EXE: Detects the use of Windows Defender MpCmdRun.EXE to download files.
- Finger.EXE Execution: Detects execution of the finger.exe utility. Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installations. It displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the age of this utility and the rareness of machines running the finger service, any execution of finger.exe can be considered suspicious and worth investigating.
- HackTool - Dumpert Process Dumper Execution: Detects the use of the Dumpert process dumper, which dumps the lsass.exe process memory.
- Hacktool - IronSharpPack Execution: Detects the execution of known attacker tools, including but not limited to those in the IronSharpPack toolset. These tools are commonly used for offensive security operations and may indicate malicious activity if observed in unauthorized environments.
- HackTool - Mimikatz Execution: Detects well-known mimikatz command line arguments.
- Purple Knight Tool Execution Detected: This detection rule identifies the execution of the Purple Knight tool, a free Active Directory security assessment utility developed by Semperis. Purple Knight is designed to scan for AD vulnerabilities, misconfigurations, and common attack paths. While it is a legitimate tool used by defenders, its execution in production environments may also indicate red team activity or unauthorized reconnaissance by adversaries attempting to map domain weaknesses.
- Hacktool - SharpSuccessor Execution: SharpSuccessor is a .NET-based post-exploitation tool designed to weaponize the BadSuccessor attack discovered by Yuval Gordon (@YuG0rd) from Akamai. It allows a low-privileged user with 'CreateChild' permissions over any Organizational Unit (OU) in an Active Directory domain to escalate privileges to Domain Administrator. This detection rule identifies execution patterns or behavioral indicators linked to SharpSuccessor activity, which may signal privilege escalation attempts in Active Directory environments.
- Hacktool - WinPEAS Execution Patterns: This detection rule identifies the execution of WinPEAS (Windows Privilege Escalation Awesome Script), a post-exploitation reconnaissance tool used to discover privilege escalation paths on Windows systems. WinPEAS performs a wide range of local enumeration checks, including service misconfigurations, permission issues, token privileges, and more. Its usage is commonly observed during red team assessments and by adversaries seeking to elevate privileges after gaining initial access. WinPEAS checks are well documented in the HackTricks knowledge base.
- Impacket WMIExec CISA Report: Detects the artifacts generally associated with the use of wmiexec.py. (Also matches Event ID 11: FileCreate.)
- Local Accounts Discovery: Local accounts and System Owner/User discovery using operating system utilities.
- LSASS Dump Keyword In CommandLine: Detects the presence of the keywords lsass and .dmp in the command line, which could indicate a potential attempt to dump or create a dump of the lsass process.
- MITRE ATT&CK T1021.002 Windows Admin Share Basic: Detects the use of net use for SMB/Windows admin shares.
- MITRE ATT&CK T1021.002 Windows Admin Share With Asset Entity: Net use commands for SMB/Windows admin shares based on asset entity group.
- MITRE ATT&CK T1021.002 Windows Admin Share With User Enrichment: Net use commands for SMB/Windows admin shares focused on UDM-enriched user fields.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-1-process-creation
- OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-1.yml
- MS Learn Mandatory Integrity Control https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
Event ID 2: A process changed a file creation time
Description #
The **file creation time changed** event is logged when a process explicitly sets a file's creation time (for example through the SetFileTime API or by assigning a file's CreationTime property from PowerShell). Because the previous value is recorded, the event lets you recover the real creation time of a file. Attackers may backdate a backdoor's creation time so it looks like it was installed with the operating system (timestomping). Note that many processes legitimately change creation times, so the event does not by itself indicate malicious activity; as the example below shows, it is also emitted when the value written equals the previous one.
Message #
Fields #
| Name | Type | Description | Rules |
|---|---|---|---|
| RuleName | UnicodeString | Custom tag mapped to the event, e.g. an ATT&CK technique ID | |
| UtcTime | UnicodeString | Time in UTC when the event was created | |
| ProcessGuid | GUID | Process GUID of the process that changed the file creation time | |
| ProcessId | UInt32 | Process ID used by the OS to identify the process changing the file creation time | |
| Image | UnicodeString | File path of the process that changed the file creation time | 13 |
| TargetFilename | UnicodeString | Full path of the file whose creation time was changed | 7 |
| CreationUtcTime | UnicodeString | New creation time of the file | 1 |
| PreviousCreationUtcTime | UnicodeString | Previous creation time of the file | 1 |
| User | UnicodeString | Account that changed the file creation time | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"event_source_name": "",
"event_id": 2,
"version": 5,
"level": 4,
"task": 2,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T13:31:51.7752086+00:00",
"event_record_id": 17461544,
"correlation": {},
"execution": {
"process_id": 4080,
"thread_id": 5392
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2026-06-13 13:31:51.770",
"ProcessGuid": "{8a99384c-5bb9-6a2d-3605-000000001000}",
"ProcessId": "7796",
"Image": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
"TargetFilename": "C:\\Windows\\Temp\\B776E034-9102-4917-A2BF-152F782EA60A\\WimProvider.dll",
"CreationUtcTime": "2026-06-13 13:31:38.052",
"PreviousCreationUtcTime": "2026-06-13 13:31:38.052",
"User": "NT AUTHORITY\\SYSTEM"
},
"message": "File creation time changed:\r\nRuleName: -\r\nUtcTime: 2026-06-13 13:31:51.770\r\nProcessGuid: {8a99384c-5bb9-6a2d-3605-000000001000}\r\nProcessId: 7796\r\nImage: C:\\Windows\\system32\\wbem\\wmiprvse.exe\r\nTargetFilename: C:\\Windows\\Temp\\B776E034-9102-4917-A2BF-152F782EA60A\\WimProvider.dll\r\nCreationUtcTime: 2026-06-13 13:31:38.052\r\nPreviousCreationUtcTime: 2026-06-13 13:31:38.052\r\nUser: NT AUTHORITY\\SYSTEM"
}
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
Image | ends_with | \svchost.exe | 1 rule | sigma |
Image | starts_with | c:\windows\system32\ | 1 rule | sigma |
Image | starts_with | c:\program files\ | 1 rule | sigma |
Image | starts_with | c:\program files (x86)\ | 1 rule | sigma |
Image | eq | c:\windows\system32\msiexec.exe | 1 rule | sigma |
Image | ends_with | \tiworker.exe | 1 rule | sigma |
file.extension | eq | exe | 1 rule | elastic |
file.extension | eq | dll | 1 rule | elastic |
file.extension | eq | pif | 1 rule | elastic |
file.extension | eq | scr | 1 rule | elastic |
Image | eq | c:\windows\immersivecontrolpanel\systemsettings.exe | 1 rule | sigma |
Image | starts_with | c:\windows\temp\ | 1 rule | sigma |
Provider_Name | eq | Microsoft-Windows-Sysmon | 1 rule | elastic |
TargetFilename | wildcard | ?:\programdata\microsoft\windows\start menu\programs\startup\* | 1 rule | elastic |
TargetFilename | wildcard | ?:\users\*\appdata\roaming\microsoft\windows\start menu\programs\startup\* | 1 rule | elastic |
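The indicator table above is a compact description of what the Event ID 2 rules actually test. The following is an added example (not code from the original page) that turns three of those predicates into a triage function over newline-delimited JSON records in the layout shown on this page: the creation year moved earlier than it was (a generalisation of the Sigma rule's fixed pre-2020 cutoff), executable extensions landing in trusted directories (Elastic), and Startup-folder targets (Elastic). The three event records are constructed samples; the first reproduces the no-op rewrite by wmiprvse.exe seen in the example event.

```python
"""Triage Sysmon Event ID 2 (file creation time changed) records for timestomping."""
import json
import re
from datetime import datetime

SYSMON_TS = "%Y-%m-%d %H:%M:%S.%f"            # layout of UtcTime / CreationUtcTime
EXEC_EXT = {"exe", "dll", "pif", "scr"}       # extensions checked by the Elastic rule
TRUSTED_DIRS = ("c:\\windows\\system32\\",    # prefixes checked by the Sigma/Elastic rules
                "c:\\program files\\",
                "c:\\program files (x86)\\")
STARTUP_RE = re.compile(
    r"^[a-z]:\\(?:programdata|users\\[^\\]+\\appdata\\roaming)"
    r"\\microsoft\\windows\\start menu\\programs\\startup\\",
    re.IGNORECASE,
)


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, SYSMON_TS)


def triage(event: dict) -> list[str]:
    """Return the reasons one Event ID 2 record looks like timestomping; [] means benign."""
    d = event["event_data"]
    new = parse_ts(d["CreationUtcTime"])
    old = parse_ts(d["PreviousCreationUtcTime"])
    target = d["TargetFilename"].lower()
    ext = target.rsplit(".", 1)[-1] if "." in target else ""
    if new == old:
        # Sysmon logs the call even when the value is unchanged (wmiprvse.exe sample above).
        return []
    reasons = []
    if new.year < old.year:
        reasons.append(f"creation year moved back from {old.year} to {new.year}")
    if ext in EXEC_EXT and target.startswith(TRUSTED_DIRS):
        reasons.append("executable in a trusted system directory")
    if STARTUP_RE.match(target):
        reasons.append("target is in a Startup folder")
    return reasons


def triage_lines(lines) -> dict[str, list[str]]:
    """Run triage over newline-delimited JSON events; map TargetFilename -> reasons for hits."""
    hits = {}
    for line in lines:
        event = json.loads(line)
        if event["system"]["event_id"] != 2:
            continue
        reasons = triage(event)
        if reasons:
            hits[event["event_data"]["TargetFilename"]] = reasons
    return hits


def _ev(image, target, new, old):
    """Build a minimal constructed Event ID 2 record in the JSON layout used on this page."""
    return {"system": {"event_id": 2},
            "event_data": {"Image": image, "TargetFilename": target,
                           "CreationUtcTime": new, "PreviousCreationUtcTime": old}}


# Constructed samples: a benign no-op rewrite, a backdated DLL dropped into System32,
# and a shortcut planted in the user's Startup folder with its clock rolled back two weeks.
SAMPLE_EVENTS = [
    _ev("C:\\Windows\\system32\\wbem\\wmiprvse.exe", "C:\\Windows\\Temp\\WimProvider.dll",
        "2026-06-13 13:31:38.052", "2026-06-13 13:31:38.052"),
    _ev("C:\\Users\\alice\\AppData\\Local\\Temp\\loader.exe", "C:\\Windows\\System32\\helper.dll",
        "2009-07-14 01:14:37.000", "2026-06-13 14:02:11.338"),
    _ev("C:\\Users\\alice\\AppData\\Local\\Temp\\loader.exe",
        "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
        "2026-06-01 08:00:00.000", "2026-06-13 14:02:12.101"),
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for target, reasons in triage_lines(SAMPLE_LINES).items():
        print(target, "->", "; ".join(reasons))
```

The year comparison is deliberately relative rather than the rule's fixed cutoff: a file backdated from 2026 to 2024 is as interesting as one backdated to 2009, and the fixed cutoff will age out. Baseline installers and update components (msiexec.exe, tiworker.exe in the table above) before turning any of these into alerts.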
Detection Rules #
Sigma #
- Unusual File Modification by dns.exe source high: Detects an unexpected file being modified by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
- File Creation Date Changed to Another Year source low: Detects when the file creation time is changed to a year before 2020. Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity. In order to use this rule in production, it is recommended first baseline normal behavior in your environment and then tune the rule accordingly. Hunting Recommendation: Focus on files with creation times set to years significantly before the current date, especially those in user-writable directories. Correlate with process execution logs to identify the source of the modification and investigate any unsigned or suspicious binaries involved.
Elastic #
- Potential Timestomp in Executable Files source medium: Identifies the modification of a file creation time for executable files in sensitive system directories. Adversaries may modify file time attributes to blend malicious executables with legitimate system files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in trusted directories.
Kusto #
- WinRM Plugin Lateral Movement source: This query detects loading of malicious WinRM plugins. These plugins can be used for lateral movement. This tradecraft has been researched and published by Arnau Ortega at FalconForce. Refer to the references for the blog post describing the full attack chain. This detection looks at low-prevalence DLLs being loaded into the WinRM host process. To minimize false-positives, the detection looks for files that are written to disk in the last 30 days, prior to being loaded into the WinRM host process as DLL. Such DLLs are likely WinRM plugins that are being loaded. Since the use of WinRM plugins is extremely scarce in real environments, we assume that any such DLL is malicious and warrants an investigation. ↳ also matches Event ID 7: Image loaded, Event ID 11: FileCreate
YARA-L #
- Suspicious Unusual Location LNK File source: Detects creation and movement of .lnk files to specific folders ↳ also matches Event ID 11: FileCreate, Event ID 23: FileDelete (File Delete archived)
References #
Event ID 3: Network connection
#Description
The **network connection** event logs TCP/UDP connections on the machine. It is disabled by default. Each connection is linked to a process through the ProcessId and ProcessGUID fields. The event also contains the source and destination host names, IP addresses, port numbers and IPv6 status. The Initiated field records direction: true when the logged process opened the connection, false when it accepted one, as with lsass.exe receiving an LDAP connection on port 389 in the example below.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
RuleName UnicodeString | Custom tag mapped to event, i.e. ATT&CK technique ID | |
UtcTime UnicodeString | Time in UTC when event was created | |
ProcessGuid GUID | Process GUID of the process that made the network connection | |
ProcessId UInt32 | Process ID used by the OS to identify the process that made the network connection | |
Image UnicodeString | File path of the process that made the network connection | 394 |
User UnicodeString | Name of the account who made the network connection. It usually contains domain name and user name | 8 |
Protocol UnicodeString | Transport protocol of the connection, written as the lowercase name (tcp or udp) rather than the IANA protocol number | 8 |
Initiated Boolean | Indicates whether the process initiated the connection (true) or accepted an inbound one (false) | 49 |
SourceIsIpv6 Boolean | Is the source IP an IPv6 | 1 |
SourceIp UnicodeString | Source IP address that made the network connection | 3 |
SourceHostname UnicodeString | Name of the host that made the network connection | 1 |
SourcePort UInt16 | Source port number | 3 |
SourcePortName UnicodeString | Name of the source port being used (i.e. netbios-dgm) | |
DestinationIsIpv6 Boolean | Is the destination IP an IPv6 | 1 |
DestinationIp UnicodeString | Destination IP address | 72 |
DestinationHostname UnicodeString | Name of the host that received the network connection | 457 |
DestinationPort UInt16 | Destination port number | 141 |
DestinationPortName UnicodeString | Name of the destination port | 4 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"event_source_name": "",
"event_id": 3,
"version": 5,
"level": 4,
"task": 3,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T14:09:46.6013699+00:00",
"event_record_id": 17613679,
"correlation": {},
"execution": {
"process_id": 4080,
"thread_id": 5404
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2026-06-13 14:09:43.178",
"ProcessGuid": "{8a99384c-e92c-6a2c-0c00-000000001000}",
"ProcessId": "896",
"Image": "C:\\Windows\\System32\\lsass.exe",
"User": "NT AUTHORITY\\SYSTEM",
"Protocol": "tcp",
"Initiated": "false",
"SourceIsIpv6": "false",
"SourceIp": "127.0.0.1",
"SourceHostname": "telemetry-DC-c.cell-c.ludus.domain",
"SourcePort": "57872",
"SourcePortName": "-",
"DestinationIsIpv6": "false",
"DestinationIp": "127.0.0.1",
"DestinationHostname": "telemetry-DC-c.cell-c.ludus.domain",
"DestinationPort": "389",
"DestinationPortName": "ldap"
},
"message": "Network connection detected:\r\nRuleName: -\r\nUtcTime: 2026-06-13 14:09:43.178\r\nProcessGuid: {8a99384c-e92c-6a2c-0c00-000000001000}\r\nProcessId: 896\r\nImage: C:\\Windows\\System32\\lsass.exe\r\nUser: NT AUTHORITY\\SYSTEM\r\nProtocol: tcp\r\nInitiated: false\r\nSourceIsIpv6: false\r\nSourceIp: 127.0.0.1\r\nSourceHostname: telemetry-DC-c.cell-c.ludus.domain\r\nSourcePort: 57872\r\nSourcePortName: -\r\nDestinationIsIpv6: false\r\nDestinationIp: 127.0.0.1\r\nDestinationHostname: telemetry-DC-c.cell-c.ludus.domain\r\nDestinationPort: 389\r\nDestinationPortName: ldap"
}
Detection Patterns #
- Network Connection (20 rules, Elastic)
- Asim Network Session Schema
- Remote File Download
- Adws Connection
- Lateral Movement: Distributed Component Object Model
- Command & Control: Application Layer Protocol
- Exfiltration: Exfiltration Over Alternative Protocol
- Stealth: Disable or Modify System Firewall (1 rule)
- Command & Control: Web Protocols (1 rule)
- Collection: Data from Local System (1 rule)
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
Initiated | eq | true | 48 rules | sigma |
event.type | eq | start | 27 rules | elastic |
dest_ip | cidr_match | 127.0.0.0/8 | 16 rules | sigma |
dest_ip | cidr_match | ::1/128 | 16 rules | sigma |
dest_ip | cidr_match | 10.0.0.0/8 | 15 rules | sigma |
dest_ip | cidr_match | 169.254.0.0/16 | 15 rules | sigma |
dest_ip | cidr_match | 172.16.0.0/12 | 15 rules | sigma |
dest_ip | cidr_match | 192.168.0.0/16 | 15 rules | sigma |
dest_ip | cidr_match | fc00::/7 | 15 rules | sigma |
dest_ip | cidr_match | fe80::/10 | 15 rules | sigma |
src_ip | ne | ::1 | 12 rules | elastic, splunk |
src_ip | ne | 127.0.0.1 | 12 rules | elastic |
DestinationPort | eq | 80 | 10 rules | kusto, sigma |
DestinationPort | eq | 443 | 10 rules | sigma |
Initiated | eq | incoming | 10 rules | elastic |
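Most Event ID 3 rules share the same skeleton: keep only connections the process initiated, drop destinations inside the loopback, RFC 1918, link-local and ULA ranges listed in the table above, then ask whether this process should be talking to that port. The following is an added example (not code from the original page) that implements that skeleton and two of the authentication-port rules listed below: Kerberos (88) from anything but lsass.exe (Elastic, "Kerberos Traffic from Unusual Process") and LDAP/LDAPS (389/636) from a process running out of a suspect directory (Splunk, "Windows Suspect Process With Authentication Traffic"). The allow-list of Kerberos clients and the suspect directories are assumptions for the example; the event records are constructed samples, the first mirroring the inbound LDAP connection to lsass.exe in the example event.

```python
"""Triage Sysmon Event ID 3 (network connection) records."""
import ipaddress

# Destination ranges excluded by the rules in the indicator table above (v4 and v6).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]
AUTH_CLIENTS = {"lsass.exe"}                       # assumed: the only expected Kerberos client
SUSPECT_DIRS = ("c:\\users\\public\\", "c:\\windows\\temp\\", "c:\\perflogs\\")  # assumed list


def is_internal(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local and ULA destinations."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)   # v4 address in v6 net compares False


def triage(event: dict) -> list[str]:
    """Return the reasons one Event ID 3 record is suspicious; [] means nothing matched."""
    d = event["event_data"]
    if d["Initiated"] != "true":
        return []   # inbound: the remote peer is the initiator, the logged process is the listener
    image = d["Image"].lower()
    name = image.rsplit("\\", 1)[-1]
    port = int(d["DestinationPort"])
    dst = d["DestinationIp"]
    suspect_path = image.startswith(SUSPECT_DIRS)
    reasons = []
    if suspect_path and not is_internal(dst):
        reasons.append(f"{name} in suspect path reached public host {dst}:{port}/{d['Protocol']}")
    if port == 88 and name not in AUTH_CLIENTS:
        reasons.append(f"Kerberos traffic from {name}")
    if port in (389, 636) and suspect_path:
        reasons.append(f"LDAP traffic from suspect path {image}")
    return reasons


def _ev(image, initiated, dst_ip, dst_port, proto="tcp"):
    """Constructed Event ID 3 record in the layout shown on this page (unused fields omitted)."""
    return {"system": {"event_id": 3},
            "event_data": {"Image": image, "Initiated": initiated, "Protocol": proto,
                           "DestinationIp": dst_ip, "DestinationPort": str(dst_port),
                           "DestinationIsIpv6": "true" if ":" in dst_ip else "false"}}


SAMPLE_EVENTS = [
    _ev("C:\\Windows\\System32\\lsass.exe", "false", "127.0.0.1", 389),        # DC accepting LDAP
    _ev("C:\\Users\\Public\\svc.exe", "true", "203.0.113.10", 443),            # suspect path -> internet
    _ev("C:\\Users\\Public\\svc.exe", "true", "10.0.0.5", 389),                # suspect path -> LDAP
    _ev("C:\\Windows\\System32\\svchost.exe", "true", "10.0.0.5", 389),        # ordinary LDAP client
    _ev("C:\\Windows\\System32\\rundll32.exe", "true", "10.0.0.5", 88),        # Kerberos from odd process
    _ev("C:\\Users\\Public\\svc.exe", "true", "fe80::1", 443),                 # link-local v6, internal
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["event_data"]["Image"], triage(e))
```

Note that the LDAP check is path-conditioned while the Kerberos check is not: plenty of signed Windows components talk LDAP to a domain controller, whereas Kerberos on a domain-joined host is brokered through lsass.exe, which is why the Elastic rule can treat any other client as unusual.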
Detection Rules #
Sigma #
- Network Connection Initiated By AddinUtil.EXE source high: Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
- Uncommon Connection to Active Directory Web Services source medium: Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
- Uncommon Network Connection Initiated By Certutil.EXE source high: Detects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads.
20 of 61 Sigma rules are listed here.
- Outbound Network Connection Initiated By Cmstp.EXE source high: Detects a network connection initiated by Cmstp.EXE. It is uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
- Outbound Network Connection Initiated By Microsoft Dialer source high: Detects outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer. This is an outdated process in the current context of its usage and is a common target for info stealers for process injection, and is used to make C2 connections; a common example is "Rhadamanthys"
- Network Connection Initiated To AzureWebsites.NET By Non-Browser Process source medium: Detects an initiated network connection by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
- Network Connection Initiated To BTunnels Domains source medium: Detects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
- Network Connection Initiated To Cloudflared Tunnels Domains source medium: Detects network connections to Cloudflared tunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
- Network Communication With Crypto Mining Pool source high: Detects initiated network connections to crypto mining pools
- New Connection Initiated To Potential Dead Drop Resolver Domain source high: Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks. In this context attackers leverage known websites such as "facebook", "youtube", etc. in order to pass through undetected.
- Network Connection Initiated To DevTunnels Domain source medium: Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
- Suspicious Dropbox API Usage source high: Detects an executable that isn't dropbox but communicates with the Dropbox API
- Suspicious Network Connection to IP Lookup Service APIs source medium: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
- Suspicious Non-Browser Network Communication With Google API source medium: Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
- Communication To LocaltoNet Tunneling Service Initiated source high: Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
- Network Connection Initiated To Mega.nz source low: Detects a network connection initiated by a binary to "api.mega.co.nz". Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
- Process Initiated Network Connection To Ngrok Domain source high: Detects an executable initiating a network connection to "ngrok" domains. Attackers were seen using "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download.
- Communication To Ngrok Tunneling Service Initiated source high: Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download.
- Potentially Suspicious Network Connection To Notion API source low: Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
- Network Communication Initiated To Portmap.IO Domain source medium: Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors
Elastic #
- Connection to Commonly Abused Web Services source low: Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.
- Network Activity to a Suspicious Top Level Domain source high: Identifies DNS queries to commonly abused Top Level Domains by common LOLBINs or executables running from world writable directories or unsigned binaries. This behavior matches on common malware C2 abusing less formal domain names.
- Connection to Commonly Abused Free SSL Certificate Providers source low: Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.
- Deprecated - SUNBURST Command and Control Activity source high: The malware known as SUNBURST targets the SolarWinds Orion business software for command and control. This rule detects post-exploitation command and control activity of the SUNBURST backdoor.
- Kerberos Traffic from Unusual Process source medium: Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.
- Potential Kerberos SPN Spoofing via Suspicious DNS Query source high: Identifies queries for a DNS name containing a base64-encoded blob matching the pattern "UWhRCA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. It is associated with tools and techniques that exploit SPN spoofing via DNS. Adversaries may abuse such names to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services (often the victim's own identity). Depending on the coerced service and negotiated authentication, this can support Kerberos relay or NTLM reflection/relay paths without relying on normal NTLM fallback behavior.
- System Public IP Discovery via DNS Query source high: Identifies DNS queries to known public IP address lookup web services from suspicious Windows processes, which can reveal external IP or internet-connectivity discovery before follow-on activity.
- Suspicious File Renamed via SMB source high: Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote ransomware attack via the SMB protocol.
- Network Connection via Certutil source low: Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.
- Potential Outgoing RDP Connection by Unusual Process source low: Adversaries may attempt to connect to a remote system over Windows Remote Desktop Protocol (RDP) to achieve lateral movement. Adversaries may avoid using the Microsoft Terminal Services Client (mstsc.exe) binary to establish an RDP connection to evade detection.
Splunk #
- Detect Regasm with Network Connection source: The following analytic detects the execution of regasm.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon EventID 3 logs to identify such behavior. This activity is…
- Detect Regsvcs with Network Connection source: The following analytic identifies instances of Regsvcs.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon EventID 3 logs to monitor network connections initiated by…
- LOLBAS With Network Traffic source: The following analytic identifies the use of Living Off the Land Binaries and Scripts (LOLBAS) with network traffic. It leverages data from the Network Traffic data model to detect when native Windows binaries, often abused by adversaries,…
- Network Traffic to Active Directory Web Services Protocol source: The following analytic identifies network traffic directed to the Active Directory Web Services Protocol (ADWS) on port 9389. It leverages network traffic logs, focusing on source and destination IP addresses, application names, and…
- Windows Detect Network Scanner Behavior source: The following analytic detects when an application is used to connect a large number of unique ports/targets within a short time frame. Network enumeration may be used by adversaries as a method of discovery, lateral movement, or remote…
- Windows File Transfer Protocol In Non-Common Process Path source: The following analytic detects FTP connections initiated by processes located in non-standard installation paths on Windows systems. It leverages Sysmon EventCode 3 to identify network connections where the process image path does not…
- Windows Mail Protocol In Non-Common Process Path source: The following analytic detects a Windows application establishing an SMTP connection from a non-common installation path. It leverages Sysmon EventCode 3 to identify processes not typically associated with email clients (e.g., Thunderbird,…
- Windows Network Connection From Program In Suspect Location source: The following analytic detects network connections from processes running out of suspicious Windows directories such as Recycle Bin, Public, PerfLogs, systemprofile, Fonts, IME, and Addins paths. This activity is significant because…
- Windows Potential Cloudflared Network Connection source: This analytic detects network connection events possibly associated with the Cloudflared tool, a tool used to create tunnels via Cloudflare. Cloudflared is functionally very similar to ngrok, an ingress-as-a-service tool. It reaches out to…
- Windows Suspect Process With Authentication Traffic source: The following analytic detects executables running from public or temporary locations that are communicating over Windows domain authentication ports/protocols such as LDAP (389), LDAPS (636), and Kerberos (88). It leverages network…
- Windows Remote Desktop Network Bruteforce Attempt source: The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. This query detects potential RDP brute force attacks by identifying source IPs that…
- Network Connection with Suspicious Folder (Sysmon) source: Detects potential downloads to suspicious file locations like temp, appdata, and downloads
- Potential CVE-2024-21413: Outbound SMB from Outlook (Sysmon) source: A critical vulnerability CVE-2024-21413 in Microsoft Outlook, discovered by Check Point, enables remote code execution from merely opening an email containing malicious links, bypassing Outlook's Protected View. This flaw, exploitable…
- Potential network connection with CVE-2023-21554 (Sysmon) source: Exploitation of CVE-2023-21554 (aka. QueueJumper), allow unauthorized attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe by reaching the TCP port 1801.
- Process Connection to Mega - Windows (Sysmon) source: Mega is a cloud storage service used by many threat actors due to its use of end-to-end encryption and semi-anonymous payment options. The client application MEGAsync.exe and command-line interface utility MegaCMD allow threat actors to…
- RDP Connection (Sysmon) source: This use case looks for when an RDP network connection has been established
- Script Connected to External Destination - Windows (Sysmon) source: Adversaries may use scripts to connect to external locations for C2 communications, downloading and executing payloads, data exfiltration, or redirection. This use case detects when a Windows script interpreter (wscript, cscript, mshta,…
- Unexpected Network Connection from System Process (Sysmon) source: Threat actors may abuse legitimate system processes that typically lack network functionality to perform malicious network activity, helping evade detection and blend in with normal system behavior. This technique is often associated with…
- wuauclt.exe Network Connection (Sysmon) source: wuauclt.exe is the Windows Update client. It can be abused to proxy execution of malicious code as documented in the LOLBAS project. This use case detects network connection events with wuauclt.exe. Connections to Microsoft-owned IPs are…
Kusto #
- Zinc Actor IOCs files - October 2022 source high: Identifies a match across filename and commandline IOC's related to an actor tracked by Microsoft as Zinc. Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/ ↳ also matches Event ID 1: Process creation
- Suspicious office child process created source: This query obtains a list of downloaded Office documents (doc, xls, etc.) by looking at files written by commonly used web browsers. It then searches for invocations of an Office program by double-clicking on these files. If these processes spawn an uncommon child process this is reported as suspicious. ↳ also matches Event ID 1: Process creation, Event ID 11: FileCreate
- Suspicious Network Beacons - Microsoft Defender for Endpoint Aggregated Reports source: Below query detects suspicious beaconing activity by analyzing DeviceNetworkEvents Aggregated Reports telemetry. Use it as a starting point and refine further as it may generate too many results.
- Suspicious Network Beacons - Microsoft Defender(MDE/M365D) source: Below query detects suspicious beaconing activity by analyzing DeviceNetworkEvents data.
- Suspicious Network Beacons - Sysmon source: Below query detects suspicious beaconing activity by analyzing Sysmon network connection events.
- Suspicious Network Connections - Supply Chain Attack source: Below query detects unusual network connections from servers that have 3rd party software installed. You can further improve the query by using a list of servers that have privileges across the whole domain.
- Spearphishing Attachment: ISO Images (Microsoft Sentinel) source: ISO images are often meant to be used offline and they are often used by IT Admins and/or used on Servers. Installation from an iso file doesn't require a network connection most of the time. Activities deviating from these situations can be considered as highly suspicious. Below queries detect opening a mounted image, process creation under a mounted image, and network connection from a process created under a mounted image. All detections can be used separately or combined together to generate a higher fidelity alert. WARNING: Check your Sysmon parsing functions and verify you have the logs. Using "Rendered Description" field for parsing causes parsing issues for registry events. Detect opening of a mounted image: ↳ also matches Event ID 1: Process creation, Event ID 11: FileCreate, Event ID 13: RegistryEvent (Value Set)
- Server Network Connection Anomalies source: Servers have a specific baseline. This makes it easy to create a baseline and detect anomalies. Below queries analyze the network connections made by the specified servers and detect the rare/anomalous ones. You can add process info to the analysis, but it will probably generate more results (different processes for the same IP).
YARA-L #
- Potential Remote PowerShell Session Initiated source: Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account. This could potentially indicate a remote PowerShell connection.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-3-network-connection
- OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-3.yml
- NSA/CISA - Best Practices for Event Logging https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection
Event ID 4: Sysmon service state changed
#Description
The service state change event reports the state of the Sysmon service (started or stopped).
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
UtcTime UnicodeString | Time in UTC when event was created | |
State UnicodeString | Sysmon service state (Started or Stopped) | 2 |
Version UnicodeString | Sysmon version | |
SchemaVersion UnicodeString | Sysmon config schema version | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"event_source_name": "",
"event_id": 4,
"version": 3,
"level": 4,
"task": 4,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T13:41:34.1645578+00:00",
"event_record_id": 6120906,
"correlation": {},
"execution": {
"process_id": 3872,
"thread_id": 5252
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"UtcTime": "2026-06-13 13:41:34.151",
"State": "Started",
"Version": "15.20",
"SchemaVersion": "4.91"
},
"message": "Sysmon service state changed:\r\nUtcTime: 2026-06-13 13:41:34.151\r\nState: Started\r\nVersion: 15.20\r\nSchemaVersion: 4.91"
}
Detection Patterns #
- Execution: User Execution
- Stealth: Hide Artifacts (1 rule)
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
parent_process_name | in | excel.exe | 1 rule | kusto, splunk |
parent_process_name | in | winword.exe | 1 rule | kusto, splunk |
parent_process_name | in | powerpnt.exe | 1 rule | kusto, splunk |
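Event ID 4 is the sensor reporting on itself, so the interesting questions are about sequences rather than single records: did a Stopped ever get its matching Started, how long was the gap, and did the binary or configuration schema change across the restart. The following is an added example (not code from the original page) that answers those three questions per computer. The State strings Started and Stopped are taken from the field description above; the hostnames and records are constructed samples, and the five-minute grace period is an assumption to tune.

```python
"""Audit Sysmon Event ID 4 (service state changed) records for sensor tampering."""
from datetime import datetime, timedelta

SYSMON_TS = "%Y-%m-%d %H:%M:%S.%f"


def audit_service_state(events, grace=timedelta(minutes=5)) -> list[dict]:
    """Return findings as {"host", "kind", "detail"}; kinds: long_outage, config_changed, still_stopped."""
    findings = []
    stopped_at = {}     # host -> UtcTime of the latest Stopped without a later Started
    last_start = {}     # host -> (Version, SchemaVersion) at the latest Started
    for e in sorted(events, key=lambda e: e["event_data"]["UtcTime"]):
        host = e["system"]["computer"]
        d = e["event_data"]
        ts = datetime.strptime(d["UtcTime"], SYSMON_TS)
        if d["State"] == "Stopped":
            stopped_at[host] = ts
            continue
        if host in stopped_at:                       # Started after a Stopped: measure the hole
            gap = ts - stopped_at.pop(host)
            if gap > grace:
                findings.append({"host": host, "kind": "long_outage",
                                 "detail": f"no telemetry for {gap}"})
        cur = (d["Version"], d["SchemaVersion"])
        if host in last_start and last_start[host] != cur:
            findings.append({"host": host, "kind": "config_changed",
                             "detail": f"{last_start[host]} -> {cur}"})
        last_start[host] = cur
    for host, ts in stopped_at.items():              # stopped and never came back in this window
        findings.append({"host": host, "kind": "still_stopped",
                         "detail": f"Stopped at {ts:%H:%M:%S} UTC, no Started seen"})
    return findings


def _ev(host, utc, state, version="15.20", schema="4.91"):
    """Constructed Event ID 4 record in the layout shown on this page."""
    return {"system": {"event_id": 4, "computer": host},
            "event_data": {"UtcTime": utc, "State": state,
                           "Version": version, "SchemaVersion": schema}}


SAMPLE_EVENTS = [
    _ev("dc-a.example.lab", "2026-06-13 13:41:34.151", "Started"),
    _ev("dc-a.example.lab", "2026-06-13 14:10:00.000", "Stopped"),
    _ev("dc-a.example.lab", "2026-06-13 14:10:20.000", "Started", schema="4.50"),  # quick restart, older schema
    _ev("dc-b.example.lab", "2026-06-13 14:00:05.000", "Stopped"),                  # never comes back
    _ev("dc-c.example.lab", "2026-06-13 13:00:00.000", "Started"),                  # healthy
    _ev("dc-d.example.lab", "2026-06-13 12:00:00.000", "Stopped"),
    _ev("dc-d.example.lab", "2026-06-13 12:30:00.000", "Started"),                  # 30 minute hole
]

if __name__ == "__main__":
    for f in audit_service_state(SAMPLE_EVENTS):
        print(f["host"], f["kind"], f["detail"])
```

The audit is only as good as the Stopped record: a Sysmon process that is killed or a driver that is unloaded abruptly may leave no Event ID 4 at all. In production, feed the function the inventory of hosts that are expected to report and treat a host with no recent events of any ID as a finding in its own right.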
References #
Event ID 5: Process terminated
#Description
The **process terminate** event reports when a process terminates. It provides the UtcTime, ProcessGuid and ProcessId of the process.
Message #
Fields #
| Name | Description |
|---|---|
RuleName UnicodeString | Custom tag mapped to event, i.e. ATT&CK technique ID |
UtcTime UnicodeString | Time in UTC when event was created |
ProcessGuid GUID | Process GUID of the process that terminated |
ProcessId UInt32 | Process ID used by the OS to identify the process that terminated |
Image UnicodeString | File path of the process that terminated |
User UnicodeString | Name of the account that terminated the process. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"event_source_name": "",
"event_id": 5,
"version": 3,
"level": 4,
"task": 5,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T14:09:29.7402157+00:00",
"event_record_id": 17612823,
"correlation": {},
"execution": {
"process_id": 4080,
"thread_id": 5392
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2026-06-13 14:09:29.726",
"ProcessGuid": "{8a99384c-6499-6a2d-a205-000000001000}",
"ProcessId": "7704",
"Image": "C:\\ludus\\background\\bginfo.exe",
"User": "cell-c\\domainadmin"
},
"message": "Process terminated:\r\nRuleName: -\r\nUtcTime: 2026-06-13 14:09:29.726\r\nProcessGuid: {8a99384c-6499-6a2d-a205-000000001000}\r\nProcessId: 7704\r\nImage: C:\\ludus\\background\\bginfo.exe\r\nUser: cell-c\\domainadmin"
}
Detection Patterns #
- Execution: User Execution
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
EventType | eq | ProcessCreated | 2 rules | kusto |
CommandLine | contains | -s | 2 rules | kusto, sigma, splunk |
CommandLine | contains | -r | 2 rules | kusto, sigma |
CommandLine | contains | delete | 1 rule | kusto, sigma, splunk |
parent_process_name | in | excel.exe | 1 rule | kusto, splunk |
parent_process_name | in | winword.exe | 1 rule | kusto, splunk |
parent_process_name | in | powerpnt.exe | 1 rule | kusto, splunk |
ProviderName | eq | MDATP | 1 rule | kusto |
CommandLine | contains | accepteula | 1 rule | kusto, sigma, splunk |
CommandLine | contains | -q | 1 rule | kusto, sigma, splunk |
CommandLine | contains | advfirewall | 1 rule | kusto, sigma |
CommandLine | contains | /set | 1 rule | kusto, splunk |
CommandLine | contains | execute | 1 rule | kusto, sigma |
CommandLine | contains | regread | 1 rule | kusto, sigma |
CommandLine | contains | set-mppreference | 1 rule | kusto, sigma, splunk |
Detection Rules #
Splunk #
- High Process Termination Frequency source: The following analytic identifies a high frequency of process termination events on a computer within a short period. It leverages Sysmon EventCode 5 logs to detect instances where 15 or more processes are terminated within a 3-second…
- Windows Processes Killed By Industroyer2 Malware source: The following analytic detects the termination of specific processes by the Industroyer2 malware. It leverages Sysmon EventCode 5 to identify when processes like "PServiceControl.exe" and "PService_PPD.exe" are killed. This activity is…
References #
Event ID 6: Driver loaded
#Description
The **driver loaded** event provides information about a driver being loaded on the system. The configured hashes are provided as well as signature information. The signature is created asynchronously for performance reasons and indicates if the file was removed after loading.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
RuleName UnicodeString | Custom tag mapped to event, i.e. ATT&CK technique ID | |
UtcTime UnicodeString | Time in UTC when event was created | |
ImageLoaded UnicodeString | Full path of the driver loaded | 370 |
Hashes UnicodeString | Hashes captured by Sysmon driver | 5259 |
Signed UnicodeString | Whether the loaded driver is signed | |
Signature UnicodeString | The signer | 2 |
SignatureStatus UnicodeString | Status of the signature (i.e. valid) | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"event_source_name": "",
"event_id": 6,
"version": 4,
"level": 4,
"task": 6,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T13:42:26.1541821+00:00",
"event_record_id": 6170407,
"correlation": {},
"execution": {
"process_id": 3872,
"thread_id": 5268
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2026-06-13 13:41:41.166",
"ImageLoaded": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.26050.15-0\\Drivers\\WdNisDrv.sys",
"Hashes": "SHA1=F34854FEBF0D58F5F9C2F3081DA0C384E031CC48,MD5=D91B0982401E5C29F1E584228A774142,SHA256=8F98F2093E6373F1D275AAD30D9EF08ECFCE453F6ED02243FD284BDB6012377E,IMPHASH=FBF34F374D5BBC52DBDD4925A27836EF",
"Signed": "true",
"Signature": "Microsoft Windows",
"SignatureStatus": "Valid"
},
"message": "Driver loaded:\r\nRuleName: -\r\nUtcTime: 2026-06-13 13:41:41.166\r\nImageLoaded: C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.26050.15-0\\Drivers\\WdNisDrv.sys\r\nHashes: SHA1=F34854FEBF0D58F5F9C2F3081DA0C384E031CC48,MD5=D91B0982401E5C29F1E584228A774142,SHA256=8F98F2093E6373F1D275AAD30D9EF08ECFCE453F6ED02243FD284BDB6012377E,IMPHASH=FBF34F374D5BBC52DBDD4925A27836EF\r\nSigned: true\r\nSignature: Microsoft Windows\r\nSignatureStatus: Valid"
}
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
process_id | eq | 4 | 2 rules | elastic |
EventType | eq | DriverLoad | 2 rules | kusto |
Hashes | contains | imphash=28dc68bb6d6bf4f6b2db8dd7588b2511 | 2 rules | sigma |
Hashes | contains | imphash=45bfe170e0cd654bc1e2ae3fca3ac3f4 | 2 rules | sigma |
Hashes | contains | imphash=821d74031d3f625bcbd0df08b70f1e77 | 2 rules | sigma |
Hashes | contains | imphash=d41fa95d4642dc981f10de36f4dc8cd7 | 2 rules | sigma |
Hashes | contains | imphash=f86759bb4de4320918615dc06e998a39 | 2 rules | sigma |
ImageLoaded | ends_with | \kprocesshacker.sys | 2 rules | sigma |
ImageLoaded | ends_with | \winring0.sys | 2 rules | sigma |
dll.code_signature.exists | eq | false | 1 rule | elastic |
dll.code_signature.trusted | eq | false | 1 rule | elastic |
ImageLoaded | contains | \temp\ | 1 rule | sigma |
dcount_DeviceId | le | 5 | 1 rule | kusto |
is_driver | eq | TRUE | 1 rule | splunk |
Detection Rules #
Sigma #
- Malicious Driver Load source high: Detects loading of known malicious drivers via their hash.
- Malicious Driver Load By Name source medium: Detects loading of known malicious drivers via the file name of the drivers.
- PUA - Process Hacker Driver Load source high: Detects driver load of the Process Hacker tool
- PUA - System Informer Driver Load source medium: Detects driver load of the System Informer tool
- Driver Load From A Temporary Directory source high: Detects a driver load from a temporary directory
- Vulnerable Driver Load source high: Detects loading of known vulnerable drivers via their hash.
- Vulnerable Driver Load By Name source low: Detects the load of known vulnerable drivers via the file name of the drivers.
- Vulnerable HackSys Extreme Vulnerable Driver Load source high: Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors
- Vulnerable WinRing0 Driver Load source high: Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation
- WinDivert Driver Load source high: Detects the load of the WinDivert driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
Elastic #
- Untrusted Driver Loaded source high: Identifies an untrusted driver loaded by the Windows kernel. Adversaries may modify code signing policies to enable execution of unsigned or self-signed kernel code.
- Expired or Revoked Driver Loaded source medium: Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities to gain code execution in kernel mode or abuse revoked certificates to sign their drivers.
Splunk #
- Windows Drivers Loaded by Signature source: The following analytic identifies all drivers being loaded on Windows systems using Sysmon EventCode 6 (Driver Load). It leverages fields such as driver path, signature status, and hash to detect potentially suspicious drivers. This…
- Windows Suspicious Driver Loaded Path source: The following analytic detects the loading of drivers from suspicious paths, which is a technique often used by malicious software such as coin miners (e.g., xmrig). It leverages Sysmon EventCode 6 to identify drivers loaded from…
- Windows Vulnerable Driver Loaded source: The following analytic detects the loading of known vulnerable Windows drivers, which may indicate potential persistence or privilege escalation attempts. It leverages Sysmon EventCode 6 to identify driver loading events and…
- XMRIG Driver Loaded source: The following analytic detects the installation of the XMRIG coinminer driver on a system. It identifies the loading of the WinRing0x64.sys driver, commonly associated with XMRIG, by analyzing Sysmon EventCode 6 logs for specific…
- Driver Loaded from Unusual Path - Windows (Sysmon) source: Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating…
Kusto #
- Microsoft Recommended Driver Block List source: The query below detects loading or creation of a vulnerable driver that is listed in the Microsoft recommended driver block rules.
- Suspicious Driver Load source: Below query detects suspicious(unusual/rare) driver loads. Further checks are required on detected files to confirm malicious activity.
References #
Event ID 7: Image loaded
#Description
The **image loaded** event logs when a module is loaded in a specific process. This event is disabled by default and needs to be configured with the -l option. It indicates the process in which the module is loaded, hashes and signature information. The signature is created asynchronously for performance reasons and indicates if the file was removed after loading. This event should be configured carefully, as monitoring all image load events will generate a large number of events.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
RuleName UnicodeString | Custom tag mapped to event, i.e. ATT&CK technique ID | |
UtcTime UnicodeString | Time in UTC when event was created | |
ProcessGuid GUID | Process GUID of the process that loaded the image | |
ProcessId UInt32 | Process ID used by the OS to identify the process that loaded the image | |
Image UnicodeString | File path of the process that loaded the image | 515 |
ImageLoaded UnicodeString | Full path of the image loaded | 998 |
FileVersion UnicodeString | Version of the image loaded | |
Description UnicodeString | Description of the image loaded | 6 |
Product UnicodeString | Product name that the loaded image belongs to | 4 |
Company UnicodeString | Company name that the loaded image belongs to | 5 |
OriginalFileName UnicodeString | Original file name from the PE header, useful for detecting renamed modules | 29 |
Hashes UnicodeString | Hash of the file contents using the algorithms specified in the HashType field | 18 |
Signed UnicodeString | Is the image loaded signed | 26 |
Signature UnicodeString | The signer | 5 |
SignatureStatus UnicodeString | Status of the signature (i.e. valid) | 19 |
User UnicodeString | Name of the account that loaded the image. | 3 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"event_source_name": "",
"event_id": 7,
"version": 3,
"level": 4,
"task": 7,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T14:09:29.7375531+00:00",
"event_record_id": 17612821,
"correlation": {},
"execution": {
"process_id": 4080,
"thread_id": 5392
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2026-06-13 14:09:29.726",
"ProcessGuid": "{8a99384c-6499-6a2d-a205-000000001000}",
"ProcessId": "7704",
"Image": "C:\\ludus\\background\\bginfo.exe",
"ImageLoaded": "C:\\Windows\\SysWOW64\\CoreMessaging.dll",
"FileVersion": "10.0.20348.1 (WinBuild.160101.0800)",
"Description": "Microsoft CoreMessaging Dll",
"Product": "Microsoft® Windows® Operating System",
"Company": "Microsoft Corporation",
"OriginalFileName": "CoreMessaging.dll",
"Hashes": "SHA1=3461F4349EF97F0FDE633219894DA0F67F4A69BC,MD5=A8D1AC93678A40577CD19E7561D7A714,SHA256=7BF17030A0FFABA28D8322D466718DE8CF499CD1B72B7D7B50543E6D93914998,IMPHASH=345E67613280BA4F965702CB83E693FE",
"Signed": "true",
"Signature": "Microsoft Windows",
"SignatureStatus": "Valid",
"User": "cell-c\\domainadmin"
},
"message": "Image loaded:\r\nRuleName: -\r\nUtcTime: 2026-06-13 14:09:29.726\r\nProcessGuid: {8a99384c-6499-6a2d-a205-000000001000}\r\nProcessId: 7704\r\nImage: C:\\ludus\\background\\bginfo.exe\r\nImageLoaded: C:\\Windows\\SysWOW64\\CoreMessaging.dll\r\nFileVersion: 10.0.20348.1 (WinBuild.160101.0800)\r\nDescription: Microsoft CoreMessaging Dll\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: CoreMessaging.dll\r\nHashes: SHA1=3461F4349EF97F0FDE633219894DA0F67F4A69BC,MD5=A8D1AC93678A40577CD19E7561D7A714,SHA256=7BF17030A0FFABA28D8322D466718DE8CF499CD1B72B7D7B50543E6D93914998,IMPHASH=345E67613280BA4F965702CB83E693FE\r\nSigned: true\r\nSignature: Microsoft Windows\r\nSignatureStatus: Valid\r\nUser: cell-c\\domainadmin"
}
Detection Patterns #
- Xsl Script Execution
- Stealth: DLL
- Execution: Exploitation for Client Execution (1 rule)
- Persistence: Create or Modify System Process (1 rule)
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
Signed | eq | true | 10 rules | sigma |
Signed | eq | false | 9 rules | sigma, splunk |
ImageLoaded | starts_with | c:\windows\system32\ | 9 rules | sigma |
ImageLoaded | starts_with | c:\windows\syswow64\ | 9 rules | sigma |
ImageLoaded | starts_with | c:\windows\winsxs\ | 9 rules | sigma |
Image | ends_with | \winword.exe | 8 rules | sigma |
Image | ends_with | \excel.exe | 8 rules | sigma |
Image | ends_with | \rundll32.exe | 7 rules | sigma |
Image | is_null | | 7 rules | sigma |
Image | ends_with | \outlook.exe | 7 rules | sigma |
Image | starts_with | c:\program files\ | 7 rules | sigma |
Image | starts_with | c:\program files (x86)\ | 7 rules | sigma |
ImageLoaded | ends_with | .dll | 7 rules | sigma, splunk |
ImageLoaded | starts_with | c:\program files (x86)\ | 7 rules | sigma |
ImageLoaded | starts_with | c:\program files\ | 7 rules | sigma |
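The Field/Kind/Value rows in the Event ID 6 and Event ID 7 indicator tables are predicates over `event_data`. The following is an added example, not part of this catalogue, that evaluates a handful of those rows against the page's own CoreMessaging.dll load and against two constructed events (an unsigned DLL loaded from a temp directory and a driver load); the helper names are hypothetical.

```python
"""Evaluate Common-Indicator style predicates against Sysmon Event ID 6/7 event_data.
Added example for this page; the events below other than the page's own
CoreMessaging.dll load are constructed and the function names are hypothetical."""
import json

# The page's Event ID 7 example, trimmed to the fields the predicates use.
PAGE_EVENT7_JSON = r'''{"event_data": {
  "RuleName": "-",
  "Image": "C:\\ludus\\background\\bginfo.exe",
  "ImageLoaded": "C:\\Windows\\SysWOW64\\CoreMessaging.dll",
  "Hashes": "SHA1=3461F4349EF97F0FDE633219894DA0F67F4A69BC,MD5=A8D1AC93678A40577CD19E7561D7A714,SHA256=7BF17030A0FFABA28D8322D466718DE8CF499CD1B72B7D7B50543E6D93914998,IMPHASH=345E67613280BA4F965702CB83E693FE",
  "Signed": "true",
  "Signature": "Microsoft Windows",
  "SignatureStatus": "Valid"}}'''
PAGE_EVENT7 = json.loads(PAGE_EVENT7_JSON)["event_data"]

# Constructed: an unsigned DLL in a temp directory loaded by rundll32.exe.
# The IMPHASH value is copied from the Event ID 6 indicator table only to show a match.
TEMP_DLL_EVENT = {
    "RuleName": "-",
    "Image": "C:\\Windows\\System32\\rundll32.exe",
    "ImageLoaded": "C:\\Users\\Public\\AppData\\Local\\Temp\\helper.dll",
    "Hashes": "SHA256=" + "00" * 32 + ",IMPHASH=d41fa95d4642dc981f10de36f4dc8cd7",
    "Signed": "false",
    "Signature": "-",
    "SignatureStatus": "Unavailable",
}

# Constructed: a signed driver load (Event ID 6 shape) from a user-writable path.
DRIVER_EVENT = {
    "RuleName": "-",
    "ImageLoaded": "C:\\Users\\Public\\WinRing0.sys",
    "Hashes": "SHA256=" + "11" * 32 + ",IMPHASH=" + "22" * 16,
    "Signed": "true",
    "Signature": "Example Publisher (constructed)",
    "SignatureStatus": "Valid",
}

def parse_hashes(hashes: str) -> dict:
    """Split Sysmon's 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..' into {algo: hex}, lower-cased."""
    out = {}
    for part in hashes.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().lower()] = value.strip().lower()
    return out

# The Kind column of the indicator tables, evaluated case-insensitively.
KINDS = {
    "eq": lambda field, value: field == value,
    "contains": lambda field, value: value in field,
    "starts_with": lambda field, value: field.startswith(value),
    "ends_with": lambda field, value: field.endswith(value),
}

def matches(event_data: dict, field: str, kind: str, value: str) -> bool:
    """True when the (Field, Kind, Value) row holds for this event_data.
    is_null treats a missing field or Sysmon's '-' placeholder as null."""
    raw = event_data.get(field)
    if kind == "is_null":
        return raw is None or raw == "-"
    if raw is None:
        return False
    return KINDS[kind](str(raw).lower(), value.lower())

# A subset of the rows from the Event ID 6 and Event ID 7 tables above.
INDICATORS = [
    ("Signed", "eq", "false"),
    ("ImageLoaded", "contains", "\\temp\\"),
    ("Image", "ends_with", "\\rundll32.exe"),
    ("ImageLoaded", "ends_with", "\\winring0.sys"),
    ("Hashes", "contains", "imphash=d41fa95d4642dc981f10de36f4dc8cd7"),
]
SYSTEM_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

def evaluate(event_data: dict) -> list:
    """Return the labels of every indicator row that fires, plus a derived check:
    a .dll loaded from outside the three system directories the table lists."""
    hits = [f"{f} {k} {v}" for f, k, v in INDICATORS if matches(event_data, f, k, v)]
    loaded = str(event_data.get("ImageLoaded", "")).lower()
    if loaded.endswith(".dll") and not loaded.startswith(SYSTEM_PREFIXES):
        hits.append("ImageLoaded .dll outside system directories")
    return hits

if __name__ == "__main__":
    for name, ev in (("page event 7", PAGE_EVENT7), ("temp dll", TEMP_DLL_EVENT), ("driver", DRIVER_EVENT)):
        print(name, parse_hashes(ev["Hashes"]).get("imphash"), evaluate(ev))
```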
Community Notes #
Image loaded. Generated when a process loads a DLL into memory, i.e., side-loading.
Detection Rules #
Sigma #
- Clfs.SYS Loaded By Process Located In a Potential Suspicious Location source medium: Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVE exploits that target Common Log File.
- DLL Loaded From Suspicious Location Via Cmspt.EXE source high: Detects cmstp loading "dll" or "ocx" files from suspicious locations
- Amsi.DLL Loaded Via LOLBIN Process source medium: Detects loading of "Amsi.dll" by a living-off-the-land process. This could be an indication of a "PowerShell without PowerShell" attack
- Potential Azure Browser SSO Abuse source low: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
- Suspicious Renamed Comsvcs DLL Loaded By Rundll32 source high: Detects rundll32 loading a renamed comsvcs.dll to dump process memory
- CredUI.DLL Loaded By Uncommon Process source medium: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
- Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded source high: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
- PCRE.NET Package Image Load source high: Detects processes loading modules related to PCRE.NET package
- Load Of RstrtMgr.DLL By A Suspicious Process source high: Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes.
- Load Of RstrtMgr.DLL By An Uncommon Process source low: Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes.
- Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE source high: Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library
- PowerShell Core DLL Loaded By Non PowerShell Process source medium: Detects loading of essential DLLs used by PowerShell by non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.
- Time Travel Debugging Utility Usage - Image source high: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
- Unsigned .node File Loaded source medium: Detects the loading of unsigned .node files. Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack. .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code. This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.
- Suspicious Volume Shadow Copy VSS_PS.dll Load source high: Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes. It is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts. The fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity.
- Suspicious Volume Shadow Copy Vssapi.dll Load source high: Detects the image load of VSS DLL by uncommon executables
- Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load source medium: Detects the image load of VSS DLL by uncommon executables
- HackTool - SharpEvtMute DLL Load source high: Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs
- HackTool - SILENTTRINITY Stager DLL Load source high: Detects SILENTTRINITY stager dll loading activity
- Potential DCOM InternetExplorer.Application DLL Hijack - Image Load source critical: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
Elastic #
- Untrusted DLL Loaded by Azure AD Connect Authentication Agent source high: Identifies the load of an untrusted DLL by the Azure AD Connect Authentication Agent, which may indicate an attempt to persist or intercept credentials passing through the Pass-through Authentication service.
- Suspicious Module Loaded by LSASS source medium: Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into the LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
- Potential Credential Access via Renamed COM+ Services DLL source high: Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.
- Potential Windows Session Hijacking via CcmExec source medium: This detection rule identifies when 'SCNotification.exe' loads an untrusted DLL, which is a potential indicator of an attacker attempt to hijack/impersonate a Windows user session.
- Unsigned DLL Side-Loading from a Suspicious Folder source medium: Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed process.
- WPS Office Exploitation via DLL Hijack source high: Identifies the load of a remote library by the WPS Office promecefpluginhost.exe executable. This may indicate the successful exploitation of CVE-2024-7262 or CVE-2024-7263 via DLL hijack abusing the ksoqing custom protocol handler.
- Suspicious SolarWinds Web Help Desk Java Module Load or Child Process source high: Identifies the SolarWinds Web Help Desk Java process loading an untrusted or remote native module (DLL) or spawning a suspicious child process such as cmd, PowerShell, or rundll32. This behavior is uncommon for the Web Help Desk server and may indicate successful exploitation of deserialization vulnerabilities (CVE-2025-40536, CVE-2025-40551), which allow attackers to load malicious SQLite extensions and achieve remote code execution.
- Unsigned DLL Loaded by Svchost source medium: Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). Adversaries may use this technique to maintain persistence or run with System privileges.
- Suspicious DLL Loaded for Persistence or Privilege Escalation source high: Identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.
- Compression DLL Loaded by Unusual Process source low: Identifies the image load of a compression DLL. Adversaries will often compress and encrypt data in preparation for exfiltration.
- Unsigned DLL Loaded by a Trusted Process source low: Identifies digitally signed (trusted) processes loading unsigned DLLs. Attackers may plant their payloads into the application folder and invoke the legitimate application to execute the payload, masking actions they perform under a legitimate, trusted, and potentially elevated system or software process.
- Image Loaded with Invalid Signature source low: Identifies binaries that are loaded and with an invalid code signature. This may indicate an attempt to masquerade as a signed binary.
- Potential Masquerading as VLC DLL source low: Identifies instances of VLC-related DLLs which are not signed by the original developer. Attackers may name their payload as legitimate applications to blend into the environment, or embed its malicious code within legitimate applications to deceive machine learning algorithms by incorporating authentic and benign code.
Splunk #
- CMLUA Or CMSTPLUA UAC Bypass source: The following analytic detects the use of COM objects like CMLUA or CMSTPLUA to bypass User Account Control (UAC). It leverages Sysmon EventCode 7 to identify the loading of specific DLLs (CMLUA.dll, CMSTPLUA.dll, CMLUAUTIL.dll) by…
- Loading Of Dynwrapx Module source: The following analytic detects the loading of the dynwrapx.dll module, which is associated with the DynamicWrapperX ActiveX component. This detection leverages Sysmon EventCode 7 to identify processes that load or register dynwrapx.dll.…
- MS Scripting Process Loading Ldap Module source: The following analytic detects the execution of MS scripting processes (wscript.exe or cscript.exe) loading LDAP-related modules (Wldap32.dll, adsldp.dll, adsldpc.dll). It leverages Sysmon EventCode 7 to identify these specific DLL loads.…
- MS Scripting Process Loading WMI Module source: The following analytic detects the loading of WMI modules by Microsoft scripting processes like wscript.exe or cscript.exe. It leverages Sysmon EventCode 7 to identify instances where these scripting engines load specific WMI-related DLLs.…
- MSI Module Loaded by Non-System Binary source: The following analytic detects the loading of msi.dll by a binary not located in system32, syswow64, winsxs, or windows directories. This is identified using Sysmon EventCode 7, which logs DLL loads, and filters out legitimate…
- Spoolsv Suspicious Loaded Modules source: The following analytic detects the suspicious loading of DLLs by spoolsv.exe, potentially indicating PrintNightmare exploitation. It leverages Sysmon EventCode 7 to identify instances where spoolsv.exe loads multiple DLLs from the Windows…
- UAC Bypass MMC Load Unsigned Dll source: The following analytic detects the loading of an unsigned DLL by the MMC.exe application, which is indicative of a potential UAC bypass or privilege escalation attempt. It leverages Sysmon EventCode 7 to identify instances where MMC.exe…
- UAC Bypass With Colorui COM Object source: The following analytic detects a potential UAC bypass using the colorui.dll COM Object. It leverages Sysmon EventCode 7 to identify instances where colorui.dll is loaded by a process other than colorcpl.exe, excluding common system…
- Wbemprox COM Object Execution source: The following analytic detects a suspicious process loading a COM object from wbemprox.dll, fastprox.dll, or wbemcomn.dll. It leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes not typically…
- Windows BitDefender Submission Wizard DLL Sideloading source: Detects DLL side-loading of Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe, or renamed BluetoothService.exe) when a malicious log.dll is loaded from a non-standard path via Sysmon ImageLoad events.
- Windows Credentials Access via VaultCli Module source: The following analytic detects potentially abnormal interactions with VaultCLI.dll, particularly those initiated by processes located in publicly writable Windows folder paths. The VaultCLI.dll module allows processes to extract…
- Windows Devtunnels Image Loaded source: Detects image load events associated with Microsoft Devtunnels usage. Microsoft Devtunnels is a feature within Visual Studio that allows developers to expose their local development environment to the internet via secure, temporary…
- Windows DLL Module Loaded in Temp Dir source: The following analytic detects instances where a Dynamic Link Library (DLL) is loaded from a temporary directory on a Windows system. Loading DLLs from non-standard paths such as %TEMP% is uncommon for legitimate applications and is often…
- Windows DLL Search Order Hijacking Hunt with Sysmon source: The following analytic identifies potential DLL search order hijacking or DLL sideloading by detecting known Windows libraries loaded from non-standard directories. It leverages Sysmon EventCode 7 to monitor DLL loads and cross-references…
- Windows DLL Side-Loading In Calc source: The following analytic detects the loading of the "WindowsCodecs.dll" by calc.exe from a non-standard location. This could be indicative of a potential DLL side-loading technique. This detection leverages Sysmon EventCode 7 to identify the…
- Windows Executable in Loaded Modules source: The following analytic identifies instances where executable files (.exe) are loaded as modules, detected through 'ImageLoaded' events in Sysmon logs. This method leverages Sysmon EventCode 7 to track unusual module loading behavior, which…
- Windows Gather Victim Identity SAM Info source: The following analytic detects processes loading the samlib.dll or samcli.dll modules, which are often abused to access Security Account Manager (SAM) objects or credentials on domain controllers. This detection leverages Sysmon EventCode…
- Windows Hijack Execution Flow Version Dll Side Load source: The following analytic detects a process loading a version.dll file from a directory other than %windir%\system32 or %windir%\syswow64. This detection leverages Sysmon EventCode 7 to identify instances where an unsigned or improperly…
- Windows Input Capture Using Credential UI Dll source: The following analytic detects a process loading the credui.dll or wincredui.dll module. This detection leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes outside typical system directories. This…
- Windows InstallUtil Credential Theft source: The following analytic detects instances where the Windows InstallUtil.exe binary loads vaultcli.dll and Samlib.dll. This detection leverages Sysmon EventCode 7 to identify these specific DLL loads. This activity is significant because…
Kusto #
- Hijack Execution Flow - DLL Side-Loading source medium: This detection tries to identify all DLLs loaded by "high integrity" processes and cross-checks the DLL paths against FileCreate/FileModify events of the same DLL by a medium integrity process. Of course, we need to do some magic to filter out false positives as much as possible. So any FileCreate/FileModify done by "NT Authority\System" and the "RID 500" users aren't interesting. Also, we only want to see the FileCreate/FileModify actions which are performed with a default or limited token elevation. If done with a full elevated token, the user is apparently admin already.
- Detect .NET runtime being loaded in JScript for code execution source medium: This query detects .NET being loaded from wscript or cscript to run .NET code, such as cactustorch and sharpshooter. All based on the DotNetToJScript by James Foreshaw documented here https://github.com/tyranid/DotNetToJScript.
- Regsvr32 Rundll32 Image Loads Abnormal Extension source high: This query is looking for regsvr32.exe or rundll32.exe loading DLL images with other extensions than .dll. Joins the data to public network events. References: https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/
- PowerShell without powershell.exe source: This query detects the use of PowerShell through "system.management.automation.dll" which is invoked by a process with a low global prevalence (i.e., fairly unique binary).
- Suspicious use of CPL file source: This query identifies .cpl files being loaded and verifies if the corresponding file is suspicious by looking at the signature and global prevalence.
- WinRM Plugin Lateral Movement source: This query detects loading of malicious WinRM plugins. These plugins can be used for lateral movement. This tradecraft has been researched and published by Arnau Ortega at FalconForce. Refer to the references for the blog post describing the full attack chain. This detection looks at low-prevalence DLLs being loaded into the WinRM host process. To minimize false-positives, the detection looks for files that are written to disk in the last 30 days, prior to being loaded into the WinRM host process as DLL. Such DLLs are likely WinRM plugins that are being loaded. Since the use of WinRM plugins is extremely scarce in real environments, we assume that any such DLL is malicious and warrants an investigation. (Also matches Event ID 2: A process changed a file creation time, and Event ID 11: FileCreate.)
References #
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-7-image-loaded
- OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-7.yml
- NSA/CISA - Best Practices for Event Logging https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection
Event ID 8: CreateRemoteThread
#Description
The **CreateRemoteThread** event detects when a process creates a thread in another process. This technique is used by malware to inject code and hide in other processes. The event indicates the source and target process. It gives information on the code that will be run in the new thread: StartAddress, StartModule and StartFunction. Note that the StartModule and StartFunction fields are inferred; they may be empty if the start address lies outside any loaded module or known exported function.
Message #
Fields #
| Name | Type | Description | Rules |
|---|---|---|---|
| RuleName | UnicodeString | Custom tag mapped to event, i.e. ATT&CK technique ID | |
| UtcTime | UnicodeString | Time in UTC when event was created | |
| SourceProcessGuid | GUID | Process GUID of the source process that created a thread in another process | |
| SourceProcessId | UInt32 | Process ID used by the OS to identify the source process that created a thread in another process | |
| SourceImage | UnicodeString | File path of the source process that created a thread in another process | 114 |
| TargetProcessGuid | GUID | Process GUID of the target process | |
| TargetProcessId | UInt32 | Process ID used by the OS to identify the target process | |
| TargetImage | UnicodeString | File path of the target process | 107 |
| NewThreadId | UInt32 | ID of the new thread created in the target process | |
| StartAddress | UnicodeString | New thread start address | 3 |
| StartModule | UnicodeString | Module where the new thread starts execution, resolved from the thread start address | 1 |
| StartFunction | UnicodeString | Exported function where the new thread starts, if the start address matches a known export | 4 |
| SourceUser | UnicodeString | Name of the account of the source process that created a thread in another process | |
| TargetUser | UnicodeString | Name of the account of the target process | |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 8,
    "version": 2,
    "level": 4,
    "task": 8,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T14:08:51.1140624+00:00",
    "event_record_id": 17610309,
    "correlation": {},
    "execution": {
      "process_id": 4080,
      "thread_id": 5392
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-13 14:08:51.101",
    "SourceProcessGuid": "{8a99384c-e939-6a2c-5900-000000001000}",
    "SourceProcessId": "4028",
    "SourceImage": "C:\\Tools\\RPCFW_2.2.5\\rpcFwManager.exe",
    "TargetProcessGuid": "{8a99384c-6471-6a2d-a005-000000001000}",
    "TargetProcessId": "7864",
    "TargetImage": "C:\\Windows\\System32\\wsmprovhost.exe",
    "NewThreadId": "8000",
    "StartAddress": "0x00007FF9A37401F0",
    "StartModule": "C:\\Windows\\System32\\KERNEL32.DLL",
    "StartFunction": "LoadLibraryA",
    "SourceUser": "NT AUTHORITY\\SYSTEM",
    "TargetUser": "cell-c\\domainadmin"
  },
  "message": "CreateRemoteThread detected:\r\nRuleName: -\r\nUtcTime: 2026-06-13 14:08:51.101\r\nSourceProcessGuid: {8a99384c-e939-6a2c-5900-000000001000}\r\nSourceProcessId: 4028\r\nSourceImage: C:\\Tools\\RPCFW_2.2.5\\rpcFwManager.exe\r\nTargetProcessGuid: {8a99384c-6471-6a2d-a005-000000001000}\r\nTargetProcessId: 7864\r\nTargetImage: C:\\Windows\\System32\\wsmprovhost.exe\r\nNewThreadId: 8000\r\nStartAddress: 0x00007FF9A37401F0\r\nStartModule: C:\\Windows\\System32\\KERNEL32.DLL\r\nStartFunction: LoadLibraryA\r\nSourceUser: NT AUTHORITY\\SYSTEM\r\nTargetUser: cell-c\\domainadmin"
}
```
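The example event above, together with the common indicators and rule descriptions listed for this event, can be turned into a small triage routine. The following Python is an added example, not code from this page or from Sysmon. The indicator sets (lsass.exe as target; PowerShell, rundll32 and Office binaries as sources; a thread that starts at a KERNEL32 LoadLibrary export; a source image under a user-writable path; an unset StartModule meaning the start address is not backed by any loaded module) are assumptions modelled on the rules above, and the second record is constructed for illustration.

```python
"""Triage of Sysmon Event ID 8 (CreateRemoteThread) records.

Added example; not code from this page or from Sysmon. The indicator
lists below are assumptions modelled on the common indicators and rule
descriptions shown for this event.
"""
import ntpath

# Sysmon renders unset string fields as "-" (see RuleName in the example event).
UNSET = {"", "-"}

SENSITIVE_TARGETS = {"lsass.exe"}
SCRIPTING_SOURCES = {"powershell.exe", "pwsh.exe", "rundll32.exe",
                     "winword.exe", "excel.exe"}
# Path fragments that "remote thread from suspicious folder" style rules key on.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# A new thread starting at a LoadLibrary export is the classic DLL-injection shape.
LOADLIBRARY_EXPORTS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}


def _basename(path: str) -> str:
    # ntpath understands backslash paths regardless of the host OS.
    return ntpath.basename(path).lower()


def triage_event8(record: dict) -> dict:
    """Return sorted finding tags and a coarse severity for one Event ID 8 record."""
    d = record["event_data"]
    src = d.get("SourceImage", "").lower()
    tgt = d.get("TargetImage", "").lower()
    findings = set()

    if _basename(tgt) in SENSITIVE_TARGETS:
        findings.add("target_lsass")
    if _basename(src) in SCRIPTING_SOURCES:
        findings.add("scripting_source")
    if any(marker in src for marker in USER_WRITABLE_MARKERS):
        findings.add("user_writable_source")

    start_module = d.get("StartModule", "-")
    if start_module in UNSET:
        # Start address is inside no loaded module: typical of injected shellcode.
        findings.add("unbacked_start")
    elif (_basename(start_module) == "kernel32.dll"
          and d.get("StartFunction", "-").lower() in LOADLIBRARY_EXPORTS):
        findings.add("loadlibrary_start")

    src_user, tgt_user = d.get("SourceUser", "-"), d.get("TargetUser", "-")
    if src_user not in UNSET and tgt_user not in UNSET and src_user.lower() != tgt_user.lower():
        findings.add("cross_user")

    if ("target_lsass" in findings or "unbacked_start" in findings
            or ("loadlibrary_start" in findings
                and findings & {"scripting_source", "user_writable_source"})):
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "low"
    return {"findings": sorted(findings), "severity": severity}


# event_data of the example event shown on this page.
PAGE_EXAMPLE = {"event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-13 14:08:51.101",
    "SourceProcessGuid": "{8a99384c-e939-6a2c-5900-000000001000}",
    "SourceProcessId": "4028",
    "SourceImage": "C:\\Tools\\RPCFW_2.2.5\\rpcFwManager.exe",
    "TargetProcessGuid": "{8a99384c-6471-6a2d-a005-000000001000}",
    "TargetProcessId": "7864",
    "TargetImage": "C:\\Windows\\System32\\wsmprovhost.exe",
    "NewThreadId": "8000",
    "StartAddress": "0x00007FF9A37401F0",
    "StartModule": "C:\\Windows\\System32\\KERNEL32.DLL",
    "StartFunction": "LoadLibraryA",
    "SourceUser": "NT AUTHORITY\\SYSTEM",
    "TargetUser": "cell-c\\domainadmin",
}}

# Constructed record (not from the page): a user's PowerShell creating a thread
# in lsass.exe at an address that Sysmon could not resolve to any module.
CONSTRUCTED_LSASS = {"event_data": {
    "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "TargetImage": "C:\\Windows\\System32\\lsass.exe",
    "StartAddress": "0x000001C2A0F40000",
    "StartModule": "-",
    "StartFunction": "-",
    "SourceUser": "CORP\\alice",
    "TargetUser": "NT AUTHORITY\\SYSTEM",
}}

if __name__ == "__main__":
    for name, rec in (("page example", PAGE_EXAMPLE), ("constructed", CONSTRUCTED_LSASS)):
        print(name, triage_event8(rec))
```

The page's own event scores medium: a LoadLibraryA start in another process is the DLL-injection shape the "CreateRemoteThread API and LoadLibrary" rule describes, but the source is an installed tool under C:\Tools, not a script host or a user-writable folder. The constructed record scores high on three independent grounds, which is the kind of corroboration the low-volume lsass.exe rules rely on.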
Detection Patterns #
- Process Injection
- Execution: User Execution
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| Image | ends_with | \powershell.exe | 3 rules | sigma |
| Image | ends_with | \pwsh.exe | 3 rules | sigma |
| EventType | in | CreateRemoteThreadApiCall | 3 rules | kusto |
| EventType | in | QueueUserApcRemoteApiCall | 3 rules | kusto |
| EventType | in | SetThreadContextRemoteApiCall | 3 rules | kusto |
| Image | ends_with | \winword.exe | 2 rules | sigma |
| Image | ends_with | \excel.exe | 2 rules | sigma |
| TargetImage | ends_with | \lsass.exe | 2 rules | sigma |
| TargetImage | in | *\\chrome.exe | 2 rules | splunk |
| TargetImage | in | *\\firefox.exe | 2 rules | splunk |
| EventType | in | NtAllocateVirtualMemoryRemoteApiCall | 2 rules | kusto |
| EventType | in | NtMapViewOfSectionRemoteApiCall | 2 rules | kusto |
| Image | ends_with | \\rundll32.exe | 2 rules | splunk |
| TargetImage | ends_with | .exe | 2 rules | splunk |
| TargetImage | ends_with | \rundll32.exe | 2 rules | sigma |
Community Notes #
CreateRemoteThread. Detects some process-injection methods.
Detection Rules #
Sigma #
- HackTool - CACTUSTORCH Remote Thread Creation source high: Detects remote thread creation from CACTUSTORCH as described in references.
- HackTool - Potential CobaltStrike Process Injection source high: Detects a potential remote thread creation with certain characteristics which are typical for Cobalt Strike beacons
- Remote Thread Created In KeePass.EXE source high: Detects remote thread creation in "KeePass.exe" which could indicate potential password dumping activity
- Remote Thread Creation In Mstsc.Exe From Suspicious Location source high: Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
- Potential Credential Dumping Attempt Via PowerShell Remote Thread source high: Detects remote thread creation by PowerShell processes into "lsass.exe"
- Remote Thread Creation Via PowerShell In Uncommon Target source medium: Detects the creation of a remote thread from a Powershell process in an uncommon target process
- Password Dumper Remote Thread in LSASS source high: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
- Rare Remote Thread Creation By Uncommon Source Image source high: Detects uncommon processes creating remote threads.
- Remote Thread Creation By Uncommon Source Image source medium: Detects uncommon processes creating remote threads.
- Remote Thread Creation In Uncommon Target Image source medium: Detects uncommon target processes for remote thread creation
- Remote Thread Creation Ttdinject.exe Proxy source high: Detects a remote thread creation of Ttdinject.exe used as proxy
- Potential Bumblebee Remote Thread Creation source high: Detects remote thread injection events based on action seen used by bumblebee
- CreateRemoteThread API and LoadLibrary source medium: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
- Remote Thread Creation Via PowerShell source medium: Detects the creation of a remote thread from a Powershell process to another process
- Remote Thread Created In Shell Application source medium: Detects remote thread creation in command shell applications, such as "Cmd.EXE" and "PowerShell.EXE". It is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.
Elastic #
- Process Injection by the Microsoft Build Engine source low: An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.
Splunk #
- Create Remote Thread In Shell Application source: The following analytic detects suspicious process injection in command shell applications, specifically targeting cmd.exe and powershell.exe. It leverages Sysmon EventCode 8 to identify the creation of remote threads within these shell…
- Create Remote Thread into LSASS source: The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS). This behavior is identified using Sysmon EventID 8 logs, focusing on processes that create remote threads in…
- Powershell Remote Thread To Known Windows Process source: The following analytic detects suspicious PowerShell processes attempting to inject code into critical Windows processes using CreateRemoteThread. It leverages Sysmon EventCode 8 to identify instances where PowerShell spawns threads in…
- Rundll32 Create Remote Thread To A Process source: The following analytic detects the creation of a remote thread by rundll32.exe into another process. It leverages Sysmon EventCode 8 logs, specifically monitoring SourceImage and TargetImage fields. This activity is significant as it is a…
- Rundll32 CreateRemoteThread In Browser source: The following analytic detects the suspicious creation of a remote thread by rundll32.exe targeting browser processes such as firefox.exe, chrome.exe, iexplore.exe, and microsoftedgecp.exe. This detection leverages Sysmon EventCode 8,…
- Windows Process Injection Of Wermgr to Known Browser source: The following analytic identifies the suspicious remote thread execution of the wermgr.exe process into known browsers such as firefox.exe, chrome.exe, and others. It leverages Sysmon EventCode 8 logs to detect this behavior by monitoring…
- Windows Process Injection Remote Thread source: The following analytic detects suspicious remote thread execution in processes such as Taskmgr.exe, calc.exe, and notepad.exe, which may indicate process injection by malware like Qakbot. This detection leverages Sysmon EventCode 8 to…
- Windows Process Injection With Public Source Path source: The following analytic detects a process from a non-standard file path on Windows attempting to create a remote thread in another process. This is identified using Sysmon EventCode 8, focusing on processes not originating from typical…
- Rare Remote Thread (Sysmon) source: Rare remote threads are anomalies within an organization and are normally worth looking at. Although these kinds of detections can be false positive prone, they can be utilized as supporting evidence or as a last resort to detect malicious…
- Remote Thread Created by Uncommon Process (Sysmon) source: Remote thread creation involves a process initiating a thread within the address space of another process. While this activity can occur during normal system operation, threat actors may abuse remote threads to attempt privilege…
- Remote Thread from Suspicious Folder (Sysmon) source: Detects potential remote threads created from suspicious file locations like temp, appdata, and downloads
Kusto #
- ADWS Connection from Process Injection Target source: The query first collects all network connections to the Active Directory Web Services (ADWS) service. It then searches for processes that inject into a process that makes a connection to ADWS. This can be used to detect process injection into a process that is used to query Active Directory. ↳ also matches Event ID 3: Network connection
References #
Event ID 9: RawAccessRead
#Description
The **RawAccessRead** event detects when a process conducts reading operations from the drive using the `\\.\` device-path denotation. This technique is often used by malware for data exfiltration of files that are locked for reading, as well as to avoid file access auditing tools. The event indicates the source process and target device.
Message #
Fields #
| Name | Type | Description | Rules |
|---|---|---|---|
| RuleName | UnicodeString | Custom tag mapped to event, i.e. ATT&CK technique ID | |
| UtcTime | UnicodeString | Time in UTC when event was created | |
| ProcessGuid | GUID | Process GUID of the process that conducted reading operations from the drive | |
| ProcessId | UInt32 | Process ID used by the OS to identify the process that conducted reading operations from the drive | |
| Image | UnicodeString | File path of the process that conducted reading operations from the drive | 36 |
| Device | UnicodeString | Target device | 5 |
| User | UnicodeString | Name of the account of the process that conducted reading operations from the drive | |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 9,
    "version": 2,
    "level": 4,
    "task": 9,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T14:23:56.8470704+00:00",
    "event_record_id": 16041099,
    "correlation": {},
    "execution": {
      "process_id": 4008,
      "thread_id": 5284
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-b.cell-b.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-13 14:23:56.843",
    "ProcessGuid": "{8a99384c-c2a8-6a19-9400-000000000f00}",
    "ProcessId": "6120",
    "Image": "C:\\Windows\\System32\\svchost.exe",
    "Device": "\\Device\\HarddiskVolume1",
    "User": "NT AUTHORITY\\SYSTEM"
  },
  "message": "RawAccessRead detected:\r\nRuleName: -\r\nUtcTime: 2026-06-13 14:23:56.843\r\nProcessGuid: {8a99384c-c2a8-6a19-9400-000000000f00}\r\nProcessId: 6120\r\nImage: C:\\Windows\\System32\\svchost.exe\r\nDevice: \\Device\\HarddiskVolume1\r\nUser: NT AUTHORITY\\SYSTEM"
}
```
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| Image | starts_with | c:\windows\syswow64\ | 1 rule | sigma |
| Image | starts_with | c:\windows\winsxs\ | 1 rule | sigma |
| Image | contains | \appdata\ | 1 rule | sigma |
| Image | ends_with | \thor.exe | 1 rule | sigma |
| Image | starts_with | c:\users\ | 1 rule | sigma |
| Image | eq | system | 1 rule | kusto, sigma |
| Image | starts_with | c:\programdata\microsoft\windows defender\platform\ | 1 rule | sigma |
| Image | eq | c:\windows\immersivecontrolpanel\systemsettings.exe | 1 rule | sigma |
| Image | eq | registry | 1 rule | sigma |
| Image | starts_with | c:\$winreagent\scratch\ | 1 rule | sigma |
| Image | starts_with | c:\windows\temp\ | 1 rule | sigma |
| Image | starts_with | c:\windows\temp\asgard2-agent\ | 1 rule | sigma |
| Image | starts_with | c:\$windows.~bt\ | 1 rule | sigma |
| Image | starts_with | c:\windows\softwaredistribution\ | 1 rule | sigma |
| Image | starts_with | c:\windows\systemapps\ | 1 rule | sigma |
Community Notes #
RawAccessRead may indicate direct disk reads of ntds.dit, SAM, or page files for offline hash extraction.
Detection Rules #
Sigma #
- Potential Defense Evasion Via Raw Disk Access By Uncommon Tools source low: Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts
Splunk #
- Windows Raw Access To Disk Volume Partition source: The following analytic detects suspicious raw access reads to the device disk partition of a host machine. It leverages Sysmon EventCode 9 logs to identify processes attempting to read or write to the boot sector, excluding legitimate…
- Windows Raw Access To Master Boot Record Drive source: The following analytic detects suspicious raw access reads to the drive containing the Master Boot Record (MBR). It leverages Sysmon EventCode 9 to identify processes attempting to read or write to the MBR sector, excluding legitimate…
References #
Event ID 10: ProcessAccess
#Description
The **process accessed** event reports when a process opens another process, an operation that's often followed by information queries or reading and writing the address space of the target process. This enables detection of hacking tools that read the memory contents of processes like Local Security Authority (Lsass.exe) in order to steal credentials for use in Pass-the-Hash attacks. Enabling it can generate significant amounts of logging if diagnostic utilities that repeatedly open processes to query their state are active, so it should generally be enabled only with filters that remove expected accesses.
Message #
Fields #
| Name | Type | Description | Rules |
|---|---|---|---|
| RuleName | UnicodeString | Custom tag mapped to event, i.e. ATT&CK technique ID | |
| UtcTime | UnicodeString | Time in UTC when event was created | |
| SourceProcessGUID | GUID | Process GUID of the source process that opened another process | |
| SourceProcessId | UInt32 | Process ID used by the OS to identify the source process that opened another process. Derived partially from the EPROCESS kernel structure | |
| SourceThreadId | UInt32 | ID of the specific thread inside of the source process that opened another process | |
| SourceImage | UnicodeString | File path of the source process that opened another process | 292 |
| TargetProcessGUID | GUID | Process GUID of the target process | |
| TargetProcessId | UInt32 | Process ID used by the OS to identify the target process | |
| TargetImage | UnicodeString | File path of the target process | 110 |
| GrantedAccess | HexInt32 | The access flags (bitmask) of the process rights requested for the target process; see the Windows process access rights reference | 199 |
| CallTrace | UnicodeString | Stack trace of where OpenProcess is called, including the DLL and relative virtual address of each function in the call stack | 52 |
| SourceUser | UnicodeString | Name of the account of the source process that opened another process | 6 |
| TargetUser | UnicodeString | Name of the account of the target process | |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 10,
    "version": 3,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T14:09:58.2417162+00:00",
    "event_record_id": 17614233,
    "correlation": {},
    "execution": {
      "process_id": 4080,
      "thread_id": 5392
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-13 14:09:58.226",
    "SourceProcessGUID": "{8a99384c-e93e-6a2c-7000-000000001000}",
    "SourceProcessId": "5508",
    "SourceThreadId": "6764",
    "SourceImage": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
    "TargetProcessGUID": "{8a99384c-e976-6a2c-b900-000000001000}",
    "TargetProcessId": "6984",
    "TargetImage": "C:\\Windows\\System32\\RuntimeBroker.exe",
    "GrantedAccess": "0x1410",
    "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9f3b4|C:\\Windows\\System32\\KERNELBASE.dll+2aafe|C:\\Windows\\system32\\wbem\\cimwin32.dll+e3a5|C:\\Windows\\system32\\wbem\\cimwin32.dll+ea1c|C:\\Windows\\SYSTEM32\\framedynos.dll+4006|C:\\Windows\\SYSTEM32\\framedynos.dll+4e74|C:\\Windows\\system32\\wbem\\wmiprvse.exe+180e|C:\\Windows\\system32\\wbem\\wmiprvse.exe+1420|C:\\Windows\\System32\\RPCRT4.dll+749d3|C:\\Windows\\System32\\RPCRT4.dll+2f745|C:\\Windows\\System32\\combase.dll+c373b|C:\\Windows\\System32\\RPCRT4.dll+58a85|C:\\Windows\\System32\\combase.dll+9e2fd|C:\\Windows\\System32\\combase.dll+9e08e|C:\\Windows\\System32\\combase.dll+c9de6|C:\\Windows\\System32\\combase.dll+658bd|C:\\Windows\\System32\\combase.dll+ba051|C:\\Windows\\System32\\combase.dll+4b4ce|C:\\Windows\\System32\\combase.dll+49f0f|C:\\Windows\\System32\\combase.dll+48839|C:\\Windows\\System32\\RPCRT4.dll+57ff2|C:\\Windows\\System32\\RPCRT4.dll+4762f|C:\\Windows\\System32\\RPCRT4.dll+47258|C:\\Windows\\System32\\RPCRT4.dll+1d1a3",
    "SourceUser": "NT AUTHORITY\\NETWORK SERVICE",
    "TargetUser": "cell-c\\domainadmin"
  },
  "message": "Process accessed:\r\nRuleName: -\r\nUtcTime: 2026-06-13 14:09:58.226\r\nSourceProcessGUID: {8a99384c-e93e-6a2c-7000-000000001000}\r\nSourceProcessId: 5508\r\nSourceThreadId: 6764\r\nSourceImage: C:\\Windows\\system32\\wbem\\wmiprvse.exe\r\nTargetProcessGUID: {8a99384c-e976-6a2c-b900-000000001000}\r\nTargetProcessId: 6984\r\nTargetImage: C:\\Windows\\System32\\RuntimeBroker.exe\r\nGrantedAccess: 0x1410\r\nCallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9f3b4|C:\\Windows\\System32\\KERNELBASE.dll+2aafe|C:\\Windows\\system32\\wbem\\cimwin32.dll+e3a5|C:\\Windows\\system32\\wbem\\cimwin32.dll+ea1c|C:\\Windows\\SYSTEM32\\framedynos.dll+4006|C:\\Windows\\SYSTEM32\\framedynos.dll+4e74|C:\\Windows\\system32\\wbem\\wmiprvse.exe+180e|C:\\Windows\\system32\\wbem\\wmiprvse.exe+1420|C:\\Windows\\System32\\RPCRT4.dll+749d3|C:\\Windows\\System32\\RPCRT4.dll+2f745|C:\\Windows\\System32\\combase.dll+c373b|C:\\Windows\\System32\\RPCRT4.dll+58a85|C:\\Windows\\System32\\combase.dll+9e2fd|C:\\Windows\\System32\\combase.dll+9e08e|C:\\Windows\\System32\\combase.dll+c9de6|C:\\Windows\\System32\\combase.dll+658bd|C:\\Windows\\System32\\combase.dll+ba051|C:\\Windows\\System32\\combase.dll+4b4ce|C:\\Windows\\System32\\combase.dll+49f0f|C:\\Windows\\System32\\combase.dll+48839|C:\\Windows\\System32\\RPCRT4.dll+57ff2|C:\\Windows\\System32\\RPCRT4.dll+4762f|C:\\Windows\\System32\\RPCRT4.dll+47258|C:\\Windows\\System32\\RPCRT4.dll+1d1a3\r\nSourceUser: NT AUTHORITY\\NETWORK SERVICE\r\nTargetUser: cell-c\\domainadmin"
}
```
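GrantedAccess is a bitmask and CallTrace is a pipe-separated list of module+offset frames, so both are worth decoding before a rule matches on them; the example event above (0x1410 from wmiprvse.exe against RuntimeBroker.exe, with every frame resolved to a module) is the benign baseline, and the LSASS rules listed below key on the same two fields. The following Python is an added example, not code from this page or from Sysmon. The access-right values are the standard Windows PROCESS_* and standard-rights constants; treating a frame that lacks the path+offset shape as an unknown (non-module-backed) frame is an assumption about the trace format, and the second record is constructed for illustration.

```python
"""Decoding Sysmon Event ID 10 (ProcessAccess) GrantedAccess masks and CallTrace frames.

Added example; not code from this page or from Sysmon. Access-right values are
the standard Windows PROCESS_* and standard-rights constants; treating frames
without a "path+offset" shape as unknown is an assumption about the trace format.
"""
import ntpath

PROCESS_RIGHTS = [
    (0x00000001, "PROCESS_TERMINATE"),
    (0x00000002, "PROCESS_CREATE_THREAD"),
    (0x00000004, "PROCESS_SET_SESSIONID"),
    (0x00000008, "PROCESS_VM_OPERATION"),
    (0x00000010, "PROCESS_VM_READ"),
    (0x00000020, "PROCESS_VM_WRITE"),
    (0x00000040, "PROCESS_DUP_HANDLE"),
    (0x00000080, "PROCESS_CREATE_PROCESS"),
    (0x00000100, "PROCESS_SET_QUOTA"),
    (0x00000200, "PROCESS_SET_INFORMATION"),
    (0x00000400, "PROCESS_QUERY_INFORMATION"),
    (0x00000800, "PROCESS_SUSPEND_RESUME"),
    (0x00001000, "PROCESS_QUERY_LIMITED_INFORMATION"),
    (0x00002000, "PROCESS_SET_LIMITED_INFORMATION"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
]
PROCESS_VM_READ = 0x10
PROCESS_ALL_ACCESS = 0x1FFFFF
# Both export MiniDumpWriteDump; several rules on this page key on them in the call trace.
MINIDUMP_HELPERS = {"dbghelp.dll", "dbgcore.dll"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def decode_granted_access(mask) -> list:
    """Expand a GrantedAccess value (int or "0x..." string) into right names, low bit first."""
    if isinstance(mask, str):
        mask = int(mask, 16)
    return [name for bit, name in PROCESS_RIGHTS if mask & bit]


def parse_call_trace(trace: str) -> list:
    """Split "path+hexoffset|path+hexoffset|..." into (module basename, offset) pairs."""
    frames = []
    for frame in trace.split("|"):
        path, plus, offset = frame.rpartition("+")
        if plus and path:
            frames.append((ntpath.basename(path).lower(), int(offset, 16)))
        else:
            # Assumption: a frame with no module path is not backed by a loaded image.
            frames.append(("unknown", None))
    return frames


def assess_event10(record: dict) -> list:
    """Return sorted finding tags for one Event ID 10 record."""
    d = record["event_data"]
    src = d.get("SourceImage", "").lower()
    tgt = ntpath.basename(d.get("TargetImage", "")).lower()
    mask = int(d.get("GrantedAccess", "0x0"), 16)
    modules = {module for module, _ in parse_call_trace(d.get("CallTrace", ""))}
    findings = set()
    if tgt == "lsass.exe":
        findings.add("lsass_target")
        if mask & PROCESS_VM_READ:
            findings.add("lsass_memory_read")
    if mask == PROCESS_ALL_ACCESS:
        findings.add("full_access")
    if modules & MINIDUMP_HELPERS:
        findings.add("minidump_helper_in_trace")
    if "unknown" in modules:
        findings.add("unknown_frame_in_trace")
    if any(marker in src for marker in USER_WRITABLE_MARKERS):
        findings.add("user_writable_source")
    return sorted(findings)


# event_data of the example event shown on this page.
PAGE_EXAMPLE = {"event_data": {
    "SourceImage": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
    "TargetImage": "C:\\Windows\\System32\\RuntimeBroker.exe",
    "GrantedAccess": "0x1410",
    "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9f3b4|C:\\Windows\\System32\\KERNELBASE.dll+2aafe|C:\\Windows\\system32\\wbem\\cimwin32.dll+e3a5|C:\\Windows\\system32\\wbem\\cimwin32.dll+ea1c|C:\\Windows\\SYSTEM32\\framedynos.dll+4006|C:\\Windows\\SYSTEM32\\framedynos.dll+4e74|C:\\Windows\\system32\\wbem\\wmiprvse.exe+180e|C:\\Windows\\system32\\wbem\\wmiprvse.exe+1420|C:\\Windows\\System32\\RPCRT4.dll+749d3|C:\\Windows\\System32\\RPCRT4.dll+2f745|C:\\Windows\\System32\\combase.dll+c373b|C:\\Windows\\System32\\RPCRT4.dll+58a85|C:\\Windows\\System32\\combase.dll+9e2fd|C:\\Windows\\System32\\combase.dll+9e08e|C:\\Windows\\System32\\combase.dll+c9de6|C:\\Windows\\System32\\combase.dll+658bd|C:\\Windows\\System32\\combase.dll+ba051|C:\\Windows\\System32\\combase.dll+4b4ce|C:\\Windows\\System32\\combase.dll+49f0f|C:\\Windows\\System32\\combase.dll+48839|C:\\Windows\\System32\\RPCRT4.dll+57ff2|C:\\Windows\\System32\\RPCRT4.dll+4762f|C:\\Windows\\System32\\RPCRT4.dll+47258|C:\\Windows\\System32\\RPCRT4.dll+1d1a3",
}}

# Constructed record (not from the page): a binary in a user's temp folder opening
# lsass.exe with full access, a MiniDump helper in the stack and one unresolved frame.
CONSTRUCTED_DUMP = {"event_data": {
    "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\dumper.exe",
    "TargetImage": "C:\\Windows\\System32\\lsass.exe",
    "GrantedAccess": "0x1fffff",
    "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9f3b4|C:\\Windows\\System32\\KERNELBASE.dll+2aafe|C:\\Windows\\SYSTEM32\\dbgcore.dll+1a2b|UNKNOWN(00007FF6DEADBEEF)",
}}

if __name__ == "__main__":
    print(decode_granted_access("0x1410"))
    print(assess_event10(PAGE_EXAMPLE), assess_event10(CONSTRUCTED_DUMP))
```

Decoding 0x1410 shows why the Splunk rule that filters on 0x1010 and 0x1410 is a narrow test: it is PROCESS_VM_READ plus the two query rights, exactly what a memory reader asks for and nothing more, whereas 0x1fffff (PROCESS_ALL_ACCESS) is what tools request when they do not bother to minimise. The two CallTrace checks are complementary: a MiniDump helper names the read technique, while an unresolved frame is what the "direct syscall" and "unknown memory region" rules above are looking for.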
Detection Patterns #
- Credential Access: DCSync (1 rule)
- Splunk (1 rule)
- Stealth: Process Hollowing (1 rule)
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| TargetImage | ends_with | \lsass.exe | 14 rules | sigma |
| GrantedAccess | eq | 0x1fffff | 10 rules | kusto, sigma, splunk |
| TargetImage | ends_with | lsass.exe | 5 rules | splunk |
| CallTrace | contains | unknown | 5 rules | elastic, sigma |
| Image | contains | :\windows\syswow64\ | 4 rules | sigma |
| CallTrace | contains | dbgcore.dll | 4 rules | kusto, sigma, splunk |
| CallTrace | contains | dbghelp.dll | 4 rules | kusto, sigma, splunk |
| GrantedAccess | eq | 0x1410 | 4 rules | sigma, splunk |
| GrantedAccess | ends_with | 0x14c2 | 4 rules | sigma |
| GrantedAccess | ends_with | 10 | 4 rules | sigma |
| GrantedAccess | ends_with | 18 | 4 rules | sigma |
| GrantedAccess | ends_with | 1a | 4 rules | sigma |
| GrantedAccess | ends_with | 30 | 4 rules | sigma |
| GrantedAccess | ends_with | 38 | 4 rules | sigma |
| GrantedAccess | ends_with | 3a | 4 rules | sigma |
Detection Rules #
Sigma #
- CMSTP Execution Process Access source high: Detects various indicators of Microsoft Connection Manager Profile Installer execution
- HackTool - CobaltStrike BOF Injection Pattern source high: Detects a typical pattern of a CobaltStrike BOF which inject into other processes
- HackTool - Generic Process Access source high: Detects process access requests from hacktool processes based on their default image name
- HackTool - HandleKatz Duplicating LSASS Handle source high: Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
- HackTool - LittleCorporal Generated Maldoc Injection source high: Detects the process injection of a LittleCorporal generated Maldoc.
- HackTool - SysmonEnte Execution source high: Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon
- Lsass Memory Dump via Comsvcs DLL source high: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
- LSASS Memory Access by Tool With Dump Keyword In Name source high: Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
- Potential Credential Dumping Activity Via LSASS source medium: Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
- Credential Dumping Activity By Python Based Tool source high: Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
- Remote LSASS Process Access Through Windows Remote Management source high: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
- Suspicious LSASS Access Via MalSecLogon source high: Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.
- Potentially Suspicious GrantedAccess Flags On LSASS source medium: Detects process access requests to LSASS process with potentially suspicious access flags
- Credential Dumping Attempt Via WerFault source high: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
- LSASS Access From Potentially White-Listed Processes source high: Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
- Uncommon Process Access Rights For Target Image source low: Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
- Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs source high: Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace. These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll, dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.
- Potential Direct Syscall of NtOpenProcess source medium: Detects potential calls to NtOpenProcess directly from NTDLL.
- Credential Dumping Attempt Via Svchost source high: Detects when a process tries to access the memory of svchost to potentially dump credentials.
- Suspicious Svchost Process Access source high: Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.
Elastic #
- Potential Credential Access via DuplicateHandle in LSASS source medium: Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.
- Suspicious Lsass Process Access source medium: Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.
- Potential Credential Access via LSASS Memory Dump source high: Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.
- Potential LSASS Memory Dump via PssCaptureSnapShot source high: Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
- Suspicious Process Access via Direct System Call source high: Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.
Splunk #
- Access LSASS Memory for Dump Creation source: The following analytic detects attempts to dump the LSASS process memory, a common technique in credential dumping attacks. It leverages Sysmon logs, specifically EventCode 10, to identify suspicious call traces to dbgcore.dll and…
- Detect Credential Dumping through LSASS access source: The following analytic detects attempts to read LSASS memory, indicative of credential dumping. It leverages Sysmon EventCode 10, filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process. This activity is…
- Rubeus Kerberos Ticket Exports Through Winlogon Access source: The following analytic detects a process accessing the winlogon.exe system process, indicative of the Rubeus tool attempting to export Kerberos tickets from memory. This detection leverages Sysmon EventCode 10 logs, focusing on processes…
- Spoolsv Suspicious Process Access source: The following analytic detects suspicious process access by spoolsv.exe, potentially indicating exploitation of the PrintNightmare vulnerability (CVE-2021-34527). It leverages Sysmon EventCode 10 to identify when spoolsv.exe accesses…
- Windows Access Token Manipulation Winlogon Duplicate Token Handle source: The following analytic detects a process attempting to access winlogon.exe to duplicate its handle. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific access rights. This activity is…
- Windows Access Token Winlogon Duplicate Handle In Uncommon Path source: The following analytic detects a process attempting to duplicate the handle of winlogon.exe from an uncommon or public source path. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific…
- Windows Handle Duplication in Known UAC-Bypass Binaries source: The following analytic detects suspicious handle duplication activity targeting known Windows utilities such as ComputerDefaults.exe, Eventvwr.exe, and others. This technique is commonly used to escalate privileges or bypass UAC by…
- Windows Hunting System Account Targeting Lsass source: The following analytic identifies processes attempting to access Lsass.exe, which may indicate credential dumping or applications needing credential access. It leverages Sysmon EventCode 10 to detect such activities by analyzing fields…
- Windows Non-System Account Targeting Lsass source: The following analytic identifies non-SYSTEM accounts requesting access to lsass.exe. This detection leverages Sysmon EventCode 10 logs to monitor access attempts to the Local Security Authority Subsystem Service (lsass.exe) by non-SYSTEM…
- Windows Possible Credential Dumping source: The following analytic detects potential credential dumping by identifying specific GrantedAccess permission requests and CallTrace DLLs targeting the LSASS process. It leverages Sysmon EventCode 10 logs, focusing on access requests to…
- Windows Process Injection into Commonly Abused Processes source: The following analytic detects process injection into executables that are commonly abused using Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) to processes such as notepad.exe, wordpad.exe and…
- Windows Process Injection into Notepad source: The following analytic detects process injection into Notepad.exe using Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) to Notepad.exe, excluding common system paths like System32, Syswow64, and…
- Windows Terminating Lsass Process source: The following analytic detects a suspicious process attempting to terminate the Lsass.exe process. It leverages Sysmon EventCode 10 logs to identify processes granted PROCESS_TERMINATE access to Lsass.exe. This activity is significant…
- Windows WMI Impersonate Token source: The following analytic detects potential WMI token impersonation activities in a process or command. It leverages Sysmon EventCode 10 to identify instances where wmiprvse.exe has a duplicate handle or full granted access in a target…
Kusto # view in coverage
- Dumping LSASS Process Into a File source high: Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or system and used to conduct lateral movement using alternate authentication materials. As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. Ref: https://attack.mitre.org/techniques/T1003/001/
YARA-L # view in coverage
- Credential Dumping Attempt Via WerFault source: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up
- HackTool - Generic Process Access source: Detects process access requests from hacktool processes based on their default image name
- LSASS Memory Access by Tool With Dump Keyword In Name source: Detects LSASS process access requests from a source process with the dump keyword in its image name
- Lsass Memory Dump via Comsvcs DLL source: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass
- Potential Credential Dumping Activity Via LSASS source: Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
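Several of the rules listed above key on the GrantedAccess mask of an Event ID 10 record (0x40, 0x1fffff, PROCESS_TERMINATE) and on the DLLs in its CallTrace. As an added example, not code from the page or from any of the vendors above, the following Python decodes a mask into the winnt.h process rights and applies that kind of predicate to a few constructed records. The notepad/wordpad target list, the C:\Windows\ source-path exclusion and the sample records (paths, abbreviated CallTrace) are assumptions made for the example.

```python
"""Added example (not from the page or any vendor): decode a Sysmon Event ID 10
GrantedAccess mask into winnt.h process rights and apply the kind of
predicates the rules above use. Sample records are constructed."""

PROCESS_RIGHTS = {  # process-specific access rights (winnt.h)
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
}
STANDARD_RIGHTS = {  # generic object rights that can accompany them
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF
ABUSED_TARGETS = ("\\notepad.exe", "\\wordpad.exe")  # from the injection rules above


def decode_granted_access(granted):
    """Map a GrantedAccess value ("0x1010" as logged, or an int) to right names, in bit order."""
    mask = int(granted, 16) if isinstance(granted, str) else granted
    known = {**PROCESS_RIGHTS, **STANDARD_RIGHTS}
    names = [name for bit, name in known.items() if mask & bit]
    leftover = mask & ~sum(known)  # bits no table names (0x4000/0x8000 inside 0x1fffff)
    if leftover:
        names.append(f"RESERVED(0x{leftover:x})")
    return names


def triage_process_access(event):
    """Return the verdicts an Event ID 10 record earns under the rules' style of predicates."""
    d = event["event_data"]
    mask = int(d["GrantedAccess"], 16)
    rights = set(decode_granted_access(mask))
    src, tgt = d["SourceImage"].lower(), d["TargetImage"].lower()
    trace = d.get("CallTrace", "").lower()
    verdicts = []
    if tgt.endswith("\\lsass.exe"):
        if "PROCESS_VM_READ" in rights:  # 0x1010, 0x1410, 0x1fffff ... all read memory
            verdicts.append("lsass_memory_read")
        if mask == 0x0001:  # a bare PROCESS_TERMINATE request, i.e. a kill, not a dump
            verdicts.append("lsass_terminate")
        if "dbghelp.dll" in trace or "dbgcore.dll" in trace:  # MiniDumpWriteDump lives there
            verdicts.append("minidump_api_in_calltrace")
    # Assumption: the injection rules exclude system-path sources; C:\Windows\ stands in for that here.
    if (tgt.endswith(ABUSED_TARGETS) and mask in (0x40, PROCESS_ALL_ACCESS)
            and not src.startswith("c:\\windows\\")):
        verdicts.append("injection_into_abused_process")
    return verdicts


def record(source, target, granted, call_trace=""):
    """Build a record in the page's JSON shape (constructed sample data)."""
    return {"system": {"event_id": 10},
            "event_data": {"SourceImage": source, "TargetImage": target,
                           "GrantedAccess": granted, "CallTrace": call_trace}}


SAMPLE_RECORDS = [  # constructed, not real telemetry; CallTrace is abbreviated
    record("C:\\Tools\\procdump64.exe", "C:\\Windows\\system32\\lsass.exe", "0x1fffff",
           "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4|C:\\Windows\\System32\\dbgcore.dll+1a7d2"),
    record("C:\\Windows\\system32\\svchost.exe", "C:\\Windows\\system32\\lsass.exe", "0x1000"),
    record("C:\\Windows\\system32\\taskkill.exe", "C:\\Windows\\system32\\lsass.exe", "0x1"),
    record("C:\\Users\\Public\\loader.exe", "C:\\Windows\\system32\\notepad.exe", "0x40"),
    record("C:\\Windows\\explorer.exe", "C:\\Windows\\system32\\notepad.exe", "0x1fffff"),
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        d = r["event_data"]
        print(d["GrantedAccess"], decode_granted_access(d["GrantedAccess"]), triage_process_access(r))
```

The decoder is the part worth keeping: a rule that lists literal masks (0x1010, 0x1410, 0x1fffff) misses any other combination that includes PROCESS_VM_READ, while testing the bit catches them all; the price is that legitimate readers of LSASS memory (AV, some monitoring agents) need an explicit allow-list by SourceImage.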
References #
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-10-processaccess
- OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-10.yml
- NSA/CISA - Best Practices for Event Logging https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection
Event ID 11: FileCreate
#Description
**File create** operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.
Message #
Fields #
| Name | Type | Description | Rules |
|---|---|---|---|
| RuleName | UnicodeString | Custom tag mapped to event, i.e. ATT&CK technique ID | |
| UtcTime | UnicodeString | Time in UTC when event was created | |
| ProcessGuid | GUID | Process GUID of the process that created the file | |
| ProcessId | UInt32 | Process ID used by the OS to identify the process that created the file | |
| Image | UnicodeString | File path of the process that created the file | 478 |
| TargetFilename | UnicodeString | Full path of the file that was created or overwritten | 1831 |
| CreationUtcTime | UnicodeString | Creation timestamp of the file as recorded by the file system; differs from UtcTime when an existing file is overwritten, since the original creation time is kept | 4 |
| User | UnicodeString | Name of the account who created the file | 2 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"event_source_name": "",
"event_id": 11,
"version": 2,
"level": 4,
"task": 11,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T14:09:34.7524084+00:00",
"event_record_id": 17613105,
"correlation": {},
"execution": {
"process_id": 4080,
"thread_id": 5392
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2026-06-13 14:09:34.741",
"ProcessGuid": "{8a99384c-e971-6a2c-b200-000000001000}",
"ProcessId": "6816",
"Image": "C:\\Windows\\Explorer.EXE",
"TargetFilename": "C:\\Users\\domainadmin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\CachedImage_1024_768_POS1.jpg",
"CreationUtcTime": "2026-06-13 14:09:34.741",
"User": "cell-c\\domainadmin"
},
"message": "File created:\r\nRuleName: -\r\nUtcTime: 2026-06-13 14:09:34.741\r\nProcessGuid: {8a99384c-e971-6a2c-b200-000000001000}\r\nProcessId: 6816\r\nImage: C:\\Windows\\Explorer.EXE\r\nTargetFilename: C:\\Users\\domainadmin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\CachedImage_1024_768_POS1.jpg\r\nCreationUtcTime: 2026-06-13 14:09:34.741\r\nUser: cell-c\\domainadmin"
}
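The description above singles out autostart, temporary and download directories, and the Common Indicators table below shows the predicate forms vendors use (ends_with, starts_with, contains on TargetFilename and Image). As an added example, not code from the page or any vendor, the following Python applies predicates of that shape to Event ID 11 records in the JSON shape shown above: the page's own example event (Explorer caching a theme image) plus two constructed records. The drop-location list, the extension list, the script-host list and the overwrite threshold are assumptions made for the example.

```python
"""Added example (not from the page or any vendor): evaluate Sysmon Event ID 11
records, shaped like the page's example event, against predicates of the kind the
Common Indicators table lists. Watch lists and the overwrite threshold are assumptions."""
from datetime import datetime

SYSMON_TIME = "%Y-%m-%d %H:%M:%S.%f"  # format of UtcTime and CreationUtcTime

# Assumed watch list: temp, download and per-user Startup folder path fragments.
DROP_LOCATIONS = ("\\appdata\\local\\temp\\", "\\downloads\\",
                  "\\start menu\\programs\\startup\\")
PAYLOAD_EXTENSIONS = (".exe", ".dll", ".ps1", ".vbs", ".vbe", ".js", ".bat", ".hta")
SCRIPT_HOSTS = ("\\powershell.exe", "\\pwsh.exe", "\\mshta.exe")
OVERWRITE_SKEW_SECONDS = 60  # assumption: creation time this far behind UtcTime means overwrite


def predicate(value, kind, needle):
    """One predicate in the table's vocabulary; Windows paths compare case-insensitively."""
    v, n = value.lower(), needle.lower()
    return {"ends_with": v.endswith(n),
            "starts_with": v.startswith(n),
            "contains": n in v}[kind]


def classify(event):
    """Return the indicator names an Event ID 11 record triggers ([] for other event IDs)."""
    if event["system"]["event_id"] != 11:
        return []
    d = event["event_data"]
    target, image = d["TargetFilename"], d["Image"]
    in_drop_location = any(predicate(target, "contains", p) for p in DROP_LOCATIONS)
    is_payload = any(predicate(target, "ends_with", e) for e in PAYLOAD_EXTENSIONS)
    hits = []
    if in_drop_location and is_payload:
        hits.append("payload_in_drop_location")
    if is_payload and any(predicate(image, "ends_with", h) for h in SCRIPT_HOSTS):
        hits.append("script_host_wrote_payload")
    # Event 11 fires on create and on overwrite. NTFS keeps the original creation
    # timestamp of an overwritten file, so a CreationUtcTime far behind UtcTime means
    # an existing file was replaced (or its timestamp was set back; see Event ID 2).
    skew = (datetime.strptime(d["UtcTime"], SYSMON_TIME)
            - datetime.strptime(d["CreationUtcTime"], SYSMON_TIME)).total_seconds()
    if skew > OVERWRITE_SKEW_SECONDS:
        hits.append("existing_file_overwritten")
    return hits


def triage(events):
    """Map TargetFilename to its indicator list for every record that triggered one."""
    out = {}
    for e in events:
        hits = classify(e)
        if hits:
            out[e["event_data"]["TargetFilename"]] = hits
    return out


def file_event(image, target, utc, created, user="cell-c\\domainadmin"):
    """Build a record in the page's JSON shape."""
    return {"system": {"event_id": 11},
            "event_data": {"UtcTime": utc, "CreationUtcTime": created,
                           "Image": image, "TargetFilename": target, "User": user}}


PAGE_EXAMPLE = file_event(  # the page's own example: Explorer caching a theme image
    "C:\\Windows\\Explorer.EXE",
    "C:\\Users\\domainadmin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\CachedImage_1024_768_POS1.jpg",
    "2026-06-13 14:09:34.741", "2026-06-13 14:09:34.741")
CONSTRUCTED = [  # constructed sample records, not real telemetry
    file_event("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
               "C:\\Users\\domainadmin\\AppData\\Local\\Temp\\update.ps1",
               "2026-06-13 14:10:01.000", "2026-06-13 14:10:01.000"),
    file_event("C:\\Windows\\System32\\cmd.exe",
               "C:\\Users\\domainadmin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\sync.vbs",
               "2026-06-13 14:12:30.000", "2025-01-02 09:00:00.000"),
]

if __name__ == "__main__":
    for path, hits in triage([PAGE_EXAMPLE] + CONSTRUCTED).items():
        print(path, hits)
```

Two practical notes: every comparison is lower-cased because NTFS paths are case-insensitive and vendor rules vary in whether they are; and the overwrite check only works if the collector forwards CreationUtcTime, which a Sysmon configuration that filters Event ID 11 by extension alone still does, but a pipeline that drops the field does not.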
Detection Patterns #
Rule groupings referencing this event:
- Share Access Sysmon
- Remote File Download
- Sunburst And Supernova Backdoor
- Persistence: Boot or Logon Autostart Execution
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| TargetFilename | ends_with | .dll | 23 rules | sigma |
| TargetFilename | ends_with | .exe | 21 rules | sigma, splunk |
| event.type | eq | creation | 20 rules | elastic |
| TargetFilename | ends_with | .vbs | 18 rules | sigma |
| TargetFilename | ends_with | .bat | 17 rules | sigma |
| TargetFilename | ends_with | .ps1 | 17 rules | sigma |
| TargetFilename | ends_with | .vbe | 15 rules | sigma |
| TargetFilename | starts_with | c:\users\ | 14 rules | elastic, sigma |
| Image | ends_with | \powershell.exe | 13 rules | sigma |
| Image | ends_with | \pwsh.exe | 13 rules | sigma |
| TargetFilename | contains | \appdata\local\temp\ | 13 rules | sigma |
| TargetFilename | ends_with | .hta | 13 rules | sigma |
| Image | ends_with | \mshta.exe | 11 rules | sigma |
| TargetFilename | ends_with | .js | 9 rules | sigma |
| event_action | eq | created | 9 rules | splunk |
Detection Rules #
View all rules referencing this event →
Sigma # view in coverage
- ADSI-Cache File Creation By Uncommon Tool source medium: Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
- Advanced IP Scanner - File Event source medium: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
- Anydesk Temporary Artefact source medium: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
- Suspicious Binary Writes Via AnyDesk source high: Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
- Suspicious File Created by ArcSOC.exe source high: Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS server, creates a file with suspicious file type, indicating that it may be an executable, script file, or otherwise unusual.
- Assembly DLL Creation Via AspNetCompiler source medium: Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
- BloodHound Collection Files source high: Detects default file names outputted by the BloodHound collection tool SharpHound
- Potentially Suspicious File Creation by OpenEDR's ITSMService source medium: Detects the creation of potentially suspicious files by OpenEDR's ITSMService process. The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features. While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
- EVTX Created In Uncommon Location source medium: Detects the creation of new files with the ".evtx" extension in non-common or non-standard location. This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within. Note that backup software and legitimate administrator might perform similar actions during troubleshooting.
- Creation Of Non-Existent System DLL source medium: Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs. Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
- Suspicious Deno File Written from Remote Source source low: Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing its own malicious DLL. This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.
- New Custom Shim Database Created source medium: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
- Suspicious Screensaver Binary File Creation source medium: Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
- Files With System DLL Name In Unsuspected Locations source medium: Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations (outside of "System32", "SysWOW64", etc.). It is highly recommended to perform an initial baseline before using this rule in production.
- Files With System Process Name In Unsuspected Locations source medium: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.
- Creation Exe for Service with Unquoted Path source high: Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
- Cred Dump Tools Dropped Files source high: Files with well-known filenames (parts of credential dump software or files produced by them) creation
- WScript or CScript Dropper - File source high: Detects a file ending in jse, vbe, js, vba, vbs, wsf, wsh written by cscript.exe or wscript.exe
- CSExec Service File Creation source medium: Detects default CSExec service filename which indicates CSExec service installation and execution
- Dynamic CSharp Compile Artefact source low: When C# is compiled dynamically, a .cmdline file will be created as a part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution
Elastic # view in coverage
- Remote File Copy via TeamViewer source medium: Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.
- Kirbi File Creation source high: Identifies the creation of .kirbi files, a suspicious Kerberos ticket artifact often produced by ticket export or dumping tools such as Rubeus or Mimikatz. This can indicate preparation for Kerberos ticket theft or later abuse, including Pass-The-Ticket (PTT), and should be validated with writer process and follow-on activity.
- Windows Registry File Creation in SMB Share source medium: Identifies the creation or modification of a medium-size registry hive file on a Server Message Block (SMB) share, which may indicate an exfiltration attempt of a previously dumped Security Account Manager (SAM) registry hive for credential extraction on an attacker-controlled system.
- Potential Remote Credential Access via Registry source high: Identifies remote access to the registry to potentially dump credential data from the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.
- Executable File Creation with Multiple Extensions source medium: Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.
- Unusual File Creation - Alternate Data Stream source high: Identifies suspicious creation of Alternate Data Streams on highly targeted files using a script or command interpreter. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.
- Downloaded Shortcut Files source medium: Identifies .lnk shortcut file downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.
- Downloaded URL Files source medium: Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.
- Potential Ransomware Behavior - Note Files by System source medium: This rule identifies the creation of multiple files with same name and over SMB by the same user. This behavior may indicate the successful remote execution of a ransomware dropping file notes to different folders.
- Microsoft Exchange Server UM Writing Suspicious Files source medium: Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.
- Lateral Movement via Startup Folder source high: Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.
- Deprecated - Adobe Hijack Persistence source low: Detects writing executable files that will be automatically launched by Adobe on launch.
- Browser Extension Install source low: Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.
- Potential Persistence via Mandatory User Profile source medium: Detects the creation or modification of a mandatory user profile hive (NTUSER.MAN) by an unusual process. Adversaries may abuse Windows mandatory profiles by dropping a malicious NTUSER.MAN file containing pre-populated persistence-related registry keys. On the next user logon, Windows loads the registry hive from NTUSER.MAN, causing embedded persistence mechanisms to activate without directly modifying the live registry. This technique can evade traditional registry-based monitoring and indicate a stealthy persistence attempt.
- Deprecated - Suspicious PrintSpooler Service Executable File Creation source low: Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.
- File Compressed or Archived into Common Format by Unsigned Process source low: Detects files being compressed or archived into common formats by unsigned processes. This is a common technique used to obfuscate files to evade detection or to staging data for exfiltration.
- File Staged in Root Folder of Recycle Bin source low: Identifies files written to the root of the Recycle Bin folder instead of subdirectories. Adversaries may place files in the root of the Recycle Bin in preparation for exfiltration or to evade defenses.
- Potential Credential Access via Memory Dump File Creation source low: Identifies the creation or modification of a medium size memory dump file which can indicate an attempt to access credentials from a process memory.
- Memory Dump File with Unusual Extension source low: Identifies the creation of a memory dump file with an unusual extension, which can indicate an attempt to disguise a memory dump as another file type to bypass security defenses.
- File with Suspicious Extension Downloaded source low: Identifies unusual files downloaded from outside the local network that have the potential to be abused for code execution.
Splunk # view in coverage
- Email files written outside of the Outlook directory source: The following analytic detects email files (.pst or .ost) being created outside the standard Outlook directories. It leverages the Endpoint.Filesystem data model to identify file creation events and filters for email files not located in…
- Batch File Write to System32 source: The following analytic detects the creation of a batch file (.bat) within the Windows system directory tree, specifically in the System32 or SysWOW64 folders. It leverages data from the Endpoint datamodel, focusing on process and…
- Common Ransomware Extensions source: The following analytic detects modifications to files with extensions commonly associated with ransomware. It leverages the Endpoint.Filesystem data model to identify changes in file extensions that match known ransomware patterns. This…
- Common Ransomware Notes source: The following analytic detects the creation of files with names commonly associated with ransomware notes. It leverages file-system activity data from the Endpoint Filesystem data model, typically populated by endpoint detection and…
- ConnectWise ScreenConnect Path Traversal source: The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability, which allows path traversal attacks by manipulating file_path and file_name parameters in the URL. It leverages the Endpoint…
- Creation of lsass Dump with Taskmgr source: The following analytic detects the creation of an lsass.exe process dump using Windows Task Manager. It leverages Sysmon EventID 11 to identify file creation events where the target filename matches lsass.dmp. This activity is…
- Detect AzureHound File Modifications source: The following analytic detects the creation of specific AzureHound-related files, such as *-azurecollection.zip and various .json files, on disk. It leverages data from the Endpoint.Filesystem datamodel, focusing on file creation…
- Detect Certipy File Modifications source: The following analytic detects the use of the Certipy tool to enumerate Active Directory Certificate Services (AD CS) environments by identifying unique file modifications. It leverages endpoint process and filesystem data to spot the…
- Detect Exchange Web Shell source: The following analytic identifies the creation of suspicious .aspx files in known drop locations for Exchange exploitation, specifically targeting paths associated with HAFNIUM group and vulnerabilities like ProxyShell and ProxyNotShell.…
- Detect Remote Access Software Usage File source: The following analytic detects the writing of files from known remote access software to disk within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on file path, file name, and user…
- Detect RTLO In File Name source: The following analytic identifies the use of the right-to-left override (RTLO) character in file names. It leverages data from the Endpoint.Filesystem datamodel, specifically focusing on file creation events and file names containing the…
- Detect SharpHound File Modifications source: The following analytic detects the creation of files typically associated with SharpHound, a reconnaissance tool used for gathering domain and trust data. It leverages file modification events from the Endpoint.Filesystem data model,…
- Drop IcedID License dat source: The following analytic detects the dropping of a suspicious file named "license.dat" in %appdata% or %programdata%. This behavior is associated with the IcedID malware, which uses this file to inject its core bot into other processes for…
- Executables Or Script Creation In Suspicious Path source: The following analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem dataset to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in…
- Executables Or Script Creation In Temp Path source: The following analytic identifies the creation of executables or scripts in temporary file paths on Windows systems. It leverages the Endpoint.Filesystem data set to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in…
- File with Samsam Extension source: The following analytic detects file writes with extensions indicative of a SamSam ransomware attack. It leverages file-system activity data to identify file names ending in .stubbin, .berkshire, .satoshi, .sophos, or .keyxml. This activity…
- GitHub Workflow File Creation or Modification source: The following analytic hunts for any creations or modifications to GitHub Actions workflow YAML files across the organization's Linux or Windows endpoints. This hunting query tracks all workflow file activity under .github/workflows…
- IcedID Exfiltrated Archived File Creation source: The following analytic detects the creation of suspicious files named passff.tar and cookie.tar, which are indicative of archived stolen browser information such as history and cookies on a machine compromised with IcedID. It leverages…
- LLM Model File Creation source: Detects the creation of Large Language Model (LLM) files on Windows endpoints by monitoring file creation events for specific model file formats and extensions commonly used by local AI frameworks. This detection identifies potential…
- Msmpeng Application DLL Side Loading source: The following analytic detects the suspicious creation of msmpeng.exe or mpsvc.dll in non-default Windows Defender folders. It leverages the Endpoint.Filesystem datamodel to identify instances where these files are created outside their…
Kusto # view in coverage
- Credential Dumping Tools - File Artifacts source high: This query detects the creation of credential dumping tools files. Several credential dumping tools export files with hardcoded file names. Ref: https://jpcertcc.github.io/ToolAnalysisResultSheet/
- Suspicious office child process created source: This query obtains a list of downloaded Office documents (doc, xls, etc.) by looking at files written by commonly used web browsers. It then searches for invocations of an Office program by double-clicking on these files. If these processes spawn an uncommon child process this is reported as suspicious. ↳ also matches Event ID 1: Process creation, Event ID 3: Network connection
- Suspicious MSC File Launched source: The query searches for suspicious MSC files that are launched on the system. The following types of suspicious files are detected: MSC files downloaded by web browsers, MSC files in the Downloads folder, MSC files extracted from ZIP files, and MSC files with Mark Of The Web (MOTW). ↳ also matches Event ID 1: Process creation
- WinRM Plugin Lateral Movement source: This query detects loading of malicious WinRM plugins. These plugins can be used for lateral movement. This tradecraft has been researched and published by Arnau Ortega at FalconForce. Refer to the references for the blog post describing the full attack chain. This detection looks at low-prevalence DLLs being loaded into the WinRM host process. To minimize false-positives, the detection looks for files that are written to disk in the last 30 days, prior to being loaded into the WinRM host process as DLL. Such DLLs are likely WinRM plugins that are being loaded. Since the use of WinRM plugins is extremely scarce in real environments, we assume that any such DLL is malicious and warrants an investigation. ↳ also matches Event ID 2: A process changed a file creation time, Event ID 7: Image loaded
- Spearphishing Attachment: ISO Images (Microsoft Sentinel) source: ISO images are often meant to be used offline and they are often used by IT Admins and/or used on Servers. Installation from an ISO file does not usually require a network connection. Activities deviating from these situations can be considered highly suspicious. The queries below detect opening a mounted image, process creation under a mounted image, and network connection from a process created under a mounted image. All detections can be used separately or combined together to generate a higher-fidelity alert. WARNING: Check your Sysmon parsing functions and verify you have the logs. Using the "Rendered Description" field for parsing causes parsing issues for registry events. Detect opening of a mounted image: ↳ also matches Event ID 1: Process creation, Event ID 3: Network connection, Event ID 13: RegistryEvent (Value Set)
- Spearphishing Attachment: ISO Images (Microsoft Defender for Endpoint) source: ISO images are often meant to be used offline and they are often used by IT Admins and/or used on Servers. Installation from an ISO file does not usually require a network connection. Activities deviating from these situations can be considered highly suspicious. The queries below detect opening a mounted image, process creation under a mounted image, and network connection from a process created under a mounted image. All detections can be used separately or combined together to generate a higher-fidelity alert. Detect opening of a mounted image: ↳ also matches Event ID 13: RegistryEvent (Value Set)
YARA-L # view in coverage
- Cred Dump Tools Dropped Files source: Files with well-known filenames (parts of credential dump software or files produced by them) creation
- HackTool - Dumpert Process Dumper Default File source: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
- Impacket WMIExec CISA Report source: Detects the artifacts generally associated with the use of wmiexec.py ↳ also matches Event ID 1: Process creation
- LSASS Process Memory Dump Files source: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials
- LSASS Process Memory Dump Creation Via Taskmgr.exe source: Detects the creation of an lsass.dmp file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager
- Suspicious Unusual Location LNK File source: Detects creation and movement of .lnk files to specific folders ↳ also matches Event ID 2: A process changed a file creation time, Event ID 23: FileDelete (File Delete archived)
- MITRE ATT&CK T1003.003 WMIC Ntds.dit CISA Report source: Detects extraction of ntds.dit file using vssadmin.exe or ntdsutil.exe with wmic as identified in CISA Living off the Land pdf ↳ also matches Event ID 1: Process creation
Event ID 12: RegistryEvent (Object create and delete)
#Description
**Registry key and value create and delete** operations map to this event type, which can be useful for monitoring for changes to Registry autostart locations, or specific malware registry modifications.
Message #
Fields #
| Name | Type | Description | Rules |
|---|---|---|---|
| RuleName | UnicodeString | Custom tag mapped to event, i.e. ATT&CK technique ID | |
| EventType | UnicodeString | Registry event type, either a create or a delete (e.g. CreateKey, DeleteKey, DeleteValue); value data is not included, it is reported by Event ID 13 | 19 |
| UtcTime | UnicodeString | Time in UTC when event was created | |
| ProcessGuid | GUID | Process GUID of the process that created or deleted the registry key or value | |
| ProcessId | UInt32 | Process ID used by the OS to identify the process that created or deleted the registry key or value | |
| Image | UnicodeString | File path of the process that created or deleted the registry key or value | 21 |
| TargetObject | UnicodeString | Complete path of the registry key or value | 177 |
| User | UnicodeString | The name of the account that created or deleted the registry key or value | 2 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"event_source_name": "",
"event_id": 12,
"version": 2,
"level": 4,
"task": 12,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T14:09:44.0868063+00:00",
"event_record_id": 17613579,
"correlation": {},
"execution": {
"process_id": 4080,
"thread_id": 5392
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"EventType": "CreateKey",
"UtcTime": "2026-06-13 14:09:44.085",
"ProcessGuid": "{8a99384c-e939-6a2c-5500-000000001000}",
"ProcessId": "3932",
"Image": "C:\\Windows\\ADWS\\Microsoft.ActiveDirectory.WebServices.exe",
"TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
"User": "NT AUTHORITY\\SYSTEM"
},
"message": "Registry object added or deleted:\r\nRuleName: -\r\nEventType: CreateKey\r\nUtcTime: 2026-06-13 14:09:44.085\r\nProcessGuid: {8a99384c-e939-6a2c-5500-000000001000}\r\nProcessId: 3932\r\nImage: C:\\Windows\\ADWS\\Microsoft.ActiveDirectory.WebServices.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\r\nUser: NT AUTHORITY\\SYSTEM"
}
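The description above recommends this event for watching registry autostart locations, but an Event ID 12 record only says that a key or value was created or deleted; it carries no value data, so what an autostart entry actually points to is visible only in the Event ID 13 (SetValue) record that follows it. As an added example, not code from the page or any vendor, the following Python walks a time-ordered stream of Event ID 12 and 13 records in the JSON shape shown above and joins them by ProcessGuid and key path. The autostart fragment list, the service name, the Run value, the user SID, the two non-ADWS ProcessGuids and all records other than the page's own example are constructed assumptions.

```python
"""Added example (not from the page or any vendor): Event ID 12 records that a key
or value was created or deleted but carry no value data, so an autostart monitor
has to join them with the Event ID 13 (SetValue) records that follow. The autostart
key list and all sample records except the page's example are constructed."""

# Assumed autostart locations, matched case-insensitively against TargetObject.
AUTOSTART_FRAGMENTS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\",
                       "\\currentcontrolset\\services\\")


def is_autostart(target_object):
    """True when a TargetObject path falls under one of the watched autostart locations."""
    t = target_object.lower()
    return any(f in t for f in AUTOSTART_FRAGMENTS)


def registry_findings(events):
    """Walk time-ordered Event ID 12/13 records (page JSON shape); return (kind, image, object, details)."""
    findings = []
    created = {}  # (ProcessGuid, key path lowercased) -> Event ID 12 CreateKey record
    for e in events:
        eid, d = e["system"]["event_id"], e["event_data"]
        obj = d["TargetObject"]
        if not is_autostart(obj):
            continue
        if eid == 12 and d["EventType"] in ("DeleteKey", "DeleteValue"):
            # removal of an autostart entry: cleanup after use, or tampering with a security product
            findings.append(("autostart_removed", d["Image"], obj, None))
        elif eid == 12 and d["EventType"] == "CreateKey":
            created[(d["ProcessGuid"], obj.lower())] = d  # remember it; nothing to judge yet
        elif eid == 13 and d["EventType"] == "SetValue":
            parent, value_name = obj.rsplit("\\", 1)
            if "\\services\\" in parent.lower():
                # existing services get routine value updates; flag only the ImagePath
                # of a key the same process created moments earlier (a new service)
                if value_name.lower() == "imagepath" and (d["ProcessGuid"], parent.lower()) in created:
                    findings.append(("new_service_installed", d["Image"], obj, d["Details"]))
            else:
                findings.append(("run_key_value_set", d["Image"], obj, d["Details"]))
    return findings


def reg_event(eid, event_type, target, image, guid, details=None, user="cell-c\\domainadmin"):
    """Build a record in the page's JSON shape."""
    data = {"EventType": event_type, "TargetObject": target, "Image": image,
            "ProcessGuid": guid, "User": user}
    if details is not None:
        data["Details"] = details  # only Event ID 13 carries this field
    return {"system": {"event_id": eid}, "event_data": data}


ADWS = "{8a99384c-e939-6a2c-5500-000000001000}"  # ProcessGuid from the page's example
SC, REG = "{constructed-guid-sc}", "{constructed-guid-reg}"  # constructed
HKCU_RUN = ("HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
            "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")
SAMPLE_EVENTS = [
    # 1. the page's example: ADWS creating a Tcpip parameters key; a service path, but no payload follows
    reg_event(12, "CreateKey", "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
              "C:\\Windows\\ADWS\\Microsoft.ActiveDirectory.WebServices.exe", ADWS, user="NT AUTHORITY\\SYSTEM"),
    # 2-4. constructed: sc.exe creates a service key, then sets ImagePath and Start
    reg_event(12, "CreateKey", "HKLM\\System\\CurrentControlSet\\Services\\UpdaterSvc",
              "C:\\Windows\\System32\\sc.exe", SC),
    reg_event(13, "SetValue", "HKLM\\System\\CurrentControlSet\\Services\\UpdaterSvc\\ImagePath",
              "C:\\Windows\\System32\\sc.exe", SC, "C:\\Users\\Public\\upd.exe"),
    reg_event(13, "SetValue", "HKLM\\System\\CurrentControlSet\\Services\\UpdaterSvc\\Start",
              "C:\\Windows\\System32\\sc.exe", SC, "DWORD (0x00000002)"),
    # 5-6. constructed: reg.exe adds a Run value, then deletes it again
    reg_event(13, "SetValue", HKCU_RUN + "\\Updater", "C:\\Windows\\System32\\reg.exe", REG,
              "C:\\Users\\Public\\upd.exe"),
    reg_event(12, "DeleteValue", HKCU_RUN + "\\Updater", "C:\\Windows\\System32\\reg.exe", REG),
]

if __name__ == "__main__":
    for finding in registry_findings(SAMPLE_EVENTS):
        print(finding)
```

The page's own example record produces nothing on its own, which is the point: a CreateKey under Services is routine until a SetValue from the same process supplies an ImagePath. A Sysmon configuration that includes Event ID 12 for these paths but filters out Event ID 13 would log the key creation and lose the payload path.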
Detection Patterns #
Rule groupings referencing this event:
- Execution: PowerShell
- Stealth: Msiexec
- Registry Key Modification
- Defense Impairment: Modify Registry
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis. Note that Details and the SetValue event type belong to Event ID 13 (value set), not to this event, which carries no value data; they appear here because many vendor rules match registry events generically (for example by category) rather than by Sysmon event ID, so a rule that needs the written value must ingest Event ID 13 as well.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| event.type | eq | change | 46 rules | elastic |
| Details | eq | 1 | 10 rules | elastic, kusto, splunk |
| Details | eq | 0x00000001 | 9 rules | elastic, splunk |
| Details | eq | 0x00000000 | 8 rules | elastic, splunk |
| Details | eq | 0 | 8 rules | elastic, sigma, splunk |
| EventType | eq | SetValue | 5 rules | sigma |
| EventType | in | RegistryKeyCreated | 5 rules | kusto |
| EventType | in | RegistryValueSet | 5 rules | kusto |
| EventType | ne | deletion | 5 rules | elastic |
| EventType | eq | deleted | 4 rules | splunk |
| Details | length_compare | 0 | 4 rules | elastic |
| Details | length_compare | > | 4 rules | elastic |
| event.category | eq | registry | 4 rules | elastic |
| Details | eq | (Empty) | 3 rules | sigma |
| event.type | in | change | 3 rules | elastic |
Detection Rules #
View all rules referencing this event →
Sigma # view in coverage
- Potential Persistence Via Disk Cleanup Handler - Registry source medium: Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
- Potential Ursnif Malware Activity - Registry source high: Detects registry keys related to Ursnif malware.
- Potential NetWire RAT Activity - Registry source high: Detects registry keys related to NetWire RAT.
- SNAKE Malware Covert Store Registry Key source high: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA ↳ also matches Event ID 13: RegistryEvent (Value Set), Event ID 14: RegistryEvent (Key and Value Rename)
Splunk #
- Windows CrowdStrike Agent Registry Key Removal source: Detects delete events on the CrowdStrike registry keys. These keys are removed as part of the agent uninstallation process. This activity should only occur during planned events and any instances outside that should be evaluated for…
- Windows Modify Registry Delete Firewall Rules source: The following analytic detects a potential deletion of firewall rules, indicating a possible security breach or unauthorized access attempt. It identifies actions where firewall rules are removed using commands like netsh advfirewall…
- Windows Registry Delete Task SD source: The following analytic detects a process attempting to delete a scheduled task's Security Descriptor (SD) from the registry path of that task. It leverages the Endpoint.Registry data model to identify registry actions performed by the…
- Windows RunMRU Registry Key or Value Deleted source: The following analytic detects the deletion or modification of Most Recently Used (MRU) command entries stored within the Windows Registry. Adversaries often clear these registry keys, such as…
- Logon Script Registry Key added (Sysmon) source: Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. ↳ also matches Event ID 1: Process creation, Event ID 13: RegistryEvent (Value Set)
YARA-L #
- MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report source: Detects port forwarding being enabled using netsh command and registry settings created or modified in support of portproxy v4tov4 ↳ also matches Event ID 1: Process creation, Event ID 13: RegistryEvent (Value Set)
References #
Event ID 13: RegistryEvent (Value Set)
#Description
This Registry event type identifies **Registry value modifications**. The event records the value written for Registry values of type DWORD and QWORD.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
RuleName UnicodeString | Custom tag mapped to event, i.e. ATT&CK technique ID | |
EventType UnicodeString | Registry value modification event | 25 |
UtcTime UnicodeString | Time in UTC when event was created | |
ProcessGuid GUID | Process GUID of the process that modified a registry value | |
ProcessId UInt32 | Process ID used by the OS to identify the process that modified a registry value | |
Image UnicodeString | File path of the process that modified a registry value | 307 |
TargetObject UnicodeString | Complete path of the registry key | 992 |
Details UnicodeString | Details added to the registry key | 1026 |
User UnicodeString | The name of the account that modified a registry value. | 4 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"event_source_name": "",
"event_id": 13,
"version": 2,
"level": 4,
"task": 13,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T14:09:29.7259683+00:00",
"event_record_id": 17612810,
"correlation": {},
"execution": {
"process_id": 4080,
"thread_id": 5392
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"EventType": "SetValue",
"UtcTime": "2026-06-13 14:09:29.710",
"ProcessGuid": "{8a99384c-6499-6a2d-a205-000000001000}",
"ProcessId": "7704",
"Image": "C:\\ludus\\background\\bginfo.exe",
"TargetObject": "HKU\\S-1-5-21-1006758700-2167138679-1475694448-1105\\Software\\Winternals\\BGInfo\\WindowPosition",
"Details": "Binary Data",
"User": "cell-c\\domainadmin"
},
"message": "Registry value set:\r\nRuleName: -\r\nEventType: SetValue\r\nUtcTime: 2026-06-13 14:09:29.710\r\nProcessGuid: {8a99384c-6499-6a2d-a205-000000001000}\r\nProcessId: 7704\r\nImage: C:\\ludus\\background\\bginfo.exe\r\nTargetObject: HKU\\S-1-5-21-1006758700-2167138679-1475694448-1105\\Software\\Winternals\\BGInfo\\WindowPosition\r\nDetails: Binary Data\r\nUser: cell-c\\domainadmin"
}
Detection Patterns #
Detection pattern chart (rule counts by vendor: Sigma, Elastic, Splunk); recoverable pattern labels: Defense Impairment: Modify Registry (54 rules), Execution: PowerShell (9 rules), Stealth: Msiexec, Registry Key Modification.
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
Details | eq | 0x00000001 | 63 rules | elastic, splunk |
event.type | eq | change | 46 rules | elastic |
Details | is_not_null | | 44 rules | splunk |
Details | eq | 0x00000000 | 43 rules | elastic, splunk |
Details | eq | DWORD (0x00000001) | 42 rules | chronicle, sigma |
Details | eq | DWORD (0x00000000) | 40 rules | chronicle, sigma |
Details | eq | (Empty) | 24 rules | sigma |
Details | eq | 1 | 12 rules | elastic, kusto, splunk |
Details | is_null | | 12 rules | sigma |
Details | eq | DWORD (0x00000002) | 11 rules | chronicle, kusto, sigma |
Details | eq | 0 | 10 rules | elastic, sigma, splunk |
Image | ends_with | \officeclicktorun.exe | 10 rules | sigma |
Details | contains | powershell | 10 rules | chronicle, sigma |
Details | contains | \appdata\local\temp\ | 8 rules | sigma |
Details | ends_with | .dll | 8 rules | elastic, sigma, splunk |
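The table above shows the same DWORD write rendered three ways depending on the vendor pipeline ("DWORD (0x00000001)" in Sigma/Chronicle, "0x00000001" in Elastic/Splunk, "1" in Kusto). The following Python is an added example, not part of this reference or of Sysmon: it normalises the Event ID 13 Details field to a typed value so one check matches every rendering, then runs an AmsiEnable=0 check over constructed sample records (the user SIDs are made up; the AmsiEnable key path is an assumption, not taken from this page).

```python
"""Normalise the Sysmon Event ID 13 ``Details`` field across vendor renderings."""
import re
from typing import Dict, List, Optional, Union

# Sysmon writes numeric data as "DWORD (0x00000001)" or "QWORD (0x00...01)";
# downstream pipelines re-render the same value as "0x00000001" or plain "1".
_TYPED_HEX = re.compile(r"^(DWORD|QWORD)\s*\((0x[0-9A-Fa-f]+)\)$")
_BARE_HEX = re.compile(r"^0x[0-9A-Fa-f]+$")

Normalized = Union[int, str, None]


def normalize_details(details: Optional[str]) -> Normalized:
    """Return an int for numeric data, None for empty data ("(Empty)" or ""),
    and the untouched string for anything else ("Binary Data", REG_SZ paths).
    A purely decimal REG_SZ is also coerced to int, on purpose: that is how
    the "1"/"0" renderings in the indicator table arise."""
    if details is None:
        return None
    value = details.strip()
    if value in ("", "(Empty)"):
        return None
    typed = _TYPED_HEX.match(value)
    if typed:
        return int(typed.group(2), 16)
    if _BARE_HEX.match(value):
        return int(value, 16)
    if value.isdigit():
        return int(value)
    return value


def value_set_matches(event_data: Dict[str, str], target_suffix: str,
                      expected: Normalized) -> bool:
    """True when a SetValue event writes `expected` to a TargetObject that
    ends with `target_suffix`. Registry paths are case-insensitive, so the
    suffix comparison is too."""
    if event_data.get("EventType") != "SetValue":
        return False
    target = event_data.get("TargetObject", "")
    if not target.lower().endswith(target_suffix.lower()):
        return False
    return normalize_details(event_data.get("Details")) == expected


# Constructed event_data blocks, not real telemetry. The first three are the
# same AmsiEnable=0 write in the three renderings from the indicator table.
_AMSI_KEY = r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows Script\Settings\AmsiEnable"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventType": "SetValue", "TargetObject": _AMSI_KEY, "Details": "DWORD (0x00000000)"},
    {"EventType": "SetValue", "TargetObject": _AMSI_KEY, "Details": "0x00000000"},
    {"EventType": "SetValue", "TargetObject": _AMSI_KEY, "Details": "0"},
    # Benign: AMSI left enabled.
    {"EventType": "SetValue", "TargetObject": _AMSI_KEY, "Details": "DWORD (0x00000001)"},
    # Binary data, as in the page's example event: never coerced to a number.
    {"EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1105\Software\Winternals\BGInfo\WindowPosition",
     "Details": "Binary Data"},
]


def count_amsi_disabled(events: List[Dict[str, str]]) -> int:
    """Count SetValue events that write 0 to an AmsiEnable value, whatever
    rendering the pipeline used for Details."""
    return sum(value_set_matches(e, r"\AmsiEnable", 0) for e in events)


if __name__ == "__main__":
    print(count_amsi_disabled(SAMPLE_EVENTS))  # 3
```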
Detection Rules #
Sigma #
- Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback source medium: Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
- Registry Persistence via Service in Safe Mode source high: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
- Add Port Monitor Persistence in Registry source medium: Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
- Add Debugger Entry To AeDebug For Persistence source medium: Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence, which will get invoked when an application crashes.
- Allow RDP Remote Assistance Feature source medium: Detects enabling of the RDP feature to allow a specific user to connect via RDP to the targeted machine.
- Potential AMSI COM Server Hijacking source high: Detects changes to the AMSI COM server registry key in order to disable AMSI scanning functionalities. When AMSI attempts to start its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless.
- AMSI Disabled via Registry Modification source high: Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value. Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content. Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.
- Classes Autorun Keys Modification source medium: Detects modification of Windows Registry Classes keys used for persistence. Adversaries modify these autostart extensibility points (ASEP) to execute malicious code when file types are opened or actions are performed. Various legitimate software also uses these keys. Currently, this rule only filters out known legitimate software paths, thus it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
- Common Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
- CurrentControlSet Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
- CurrentVersion Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
- CurrentVersion NT Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
- Internet Explorer Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
- Office Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry. Adversaries may modify these keys to execute malicious code when Office files are opened. There are various legitimate add-ins that also use these keys and this filter list might not be exhaustive. Thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
- Session Manager Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
- System Scripts Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
- WinSock2 Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
- Wow6432Node CurrentVersion Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
- Wow6432Node Classes Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
- Wow6432Node Windows NT CurrentVersion Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
Splunk #
- Active Setup Registry Autostart source: The following analytic detects suspicious modifications to the Active Setup registry for persistence and privilege escalation. It leverages data from the Endpoint.Registry data model, focusing on changes to the "StubPath" value within the…
- Allow Inbound Traffic By Firewall Rule Registry source: The following analytic detects suspicious modifications to firewall rule registry settings that allow inbound traffic on specific ports with a public profile. It leverages data from the Endpoint.Registry data model, focusing on registry…
- Allow Operation with Consent Admin source: The following analytic detects a registry modification that allows the 'Consent Admin' to perform operations requiring elevation without user consent or credentials. It leverages data from the Endpoint.Registry data model, specifically…
- Auto Admin Logon Registry Entry source: The following analytic detects a suspicious registry modification that enables auto admin logon on a host. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the "AutoAdminLogon" value within the…
- Detect Remote Access Software Usage Registry source: The following analytic detects when a known remote access software is added to common persistence locations on a device within the environment. Adversaries use these utilities to retain remote access capabilities to the environment.…
- Disable AMSI Through Registry source: The following analytic detects modifications to the Windows registry that disable the Antimalware Scan Interface (AMSI) by setting the "AmsiEnable" value to "0x00000000". This detection leverages data from the Endpoint.Registry data model,…
- Disable Defender AntiVirus Registry source: The following analytic detects the modification of Windows Defender registry settings to disable antivirus and antispyware protections. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry…
- Disable Defender BlockAtFirstSeen Feature source: The following analytic detects the modification of the Windows registry to disable the Windows Defender BlockAtFirstSeen feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path…
- Disable Defender Enhanced Notification source: The following analytic detects the modification of the registry to disable Windows Defender's Enhanced Notification feature. It leverages data from Endpoint Detection and Response (EDR) agents, specifically monitoring changes to the…
- Disable Defender MpEngine Registry source: The following analytic detects the modification of the Windows Defender MpEngine registry value, specifically setting MpEnablePus to 0x00000000. This detection leverages endpoint registry logs, focusing on changes within the path…
- Disable Defender Spynet Reporting source: The following analytic detects the modification of the registry to disable Windows Defender SpyNet reporting. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with…
- Disable Defender Submit Samples Consent Feature source: The following analytic detects the modification of the Windows registry to disable the Windows Defender Submit Samples Consent feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the…
- Disable ETW Through Registry source: The following analytic detects modifications to the registry that disable the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path…
- Disable Registry Tool source: The following analytic detects modifications to the Windows registry aimed at disabling the Registry Editor (regedit). It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path…
- Disable Security Logs Using MiniNt Registry source: The following analytic detects a suspicious registry modification aimed at disabling security audit logs by adding a specific registry entry. It leverages data from the Endpoint.Registry data model, focusing on changes to the…
- Disable Show Hidden Files source: The following analytic detects modifications to the Windows registry that disable the display of hidden files. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with…
- Disable UAC Remote Restriction source: The following analytic detects the modification of the registry to disable UAC remote restriction by setting the "LocalAccountTokenFilterPolicy" value to "0x00000001". It leverages data from the Endpoint.Registry data model, specifically…
- Disable Windows App Hotkeys source: The following analytic detects a suspicious registry modification aimed at disabling Windows hotkeys for native applications. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values…
- Disable Windows Behavior Monitoring source: The following analytic identifies modifications in the registry to disable Windows Defender's real-time behavior monitoring. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths…
- Disable Windows SmartScreen Protection source: The following analytic detects modifications to the Windows registry that disable SmartScreen protection. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with…
Kusto #
- COM Registry Key Modified to Point to File in Color Profile Folder source medium: This query looks for changes to COM registry keys to point to files in C:\Windows\System32\spool\drivers\color. This can be used to enable COM hijacking for persistence. Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
- DSRM Account Abuse source high: This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization's Active Directory. Ref: https://adsecurity.org/?p=1785
- Registry Persistence via AppCert DLL Modification source medium: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. Ref: https://attack.mitre.org/techniques/T1546/009/
- Registry Persistence via AppInit DLLs Modification source medium: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. Ref: https://attack.mitre.org/techniques/T1546/010/
- WDigest downgrade attack source medium: When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory. Ref: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753
- Spearphishing Attachment: ISO Images (Microsoft Sentinel) source: ISO images are often meant to be used offline and they are often used by IT Admins and/or used on Servers. Installation from an ISO file doesn't require a network connection most of the time. Activities deviating from these situations can be considered highly suspicious. The queries below detect opening a mounted image, process creation under a mounted image, and network connection from a process created under a mounted image. All detections can be used separately or combined to generate a higher fidelity alert. WARNING: Check your Sysmon parsing functions and verify you have the logs. Using the "Rendered Description" field for parsing causes parsing issues for registry events. Detect opening of a mounted image: ↳ also matches Event ID 1: Process creation, Event ID 3: Network connection, Event ID 11: FileCreate
- Spearphishing Attachment: ISO Images (Microsoft Defender for Endpoint) source: ISO images are often meant to be used offline and they are often used by IT Admins and/or used on Servers. Installation from an ISO file doesn't require a network connection most of the time. Activities deviating from these situations can be considered highly suspicious. The queries below detect opening a mounted image, process creation under a mounted image, and network connection from a process created under a mounted image. All detections can be used separately or combined to generate a higher fidelity alert. Detect opening of a mounted image: ↳ also matches Event ID 11: FileCreate
YARA-L #
- Blackbyte Ransomware Registry source: BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption
- CurrentControlSet Autorun Keys Modification source: Detects modification of autostart extensibility point (ASEP) in registry
- CurrentVersion Autorun Keys Modification source: Detects modification of autostart extensibility point (ASEP) in registry
- Default RDP Port Changed to Non Standard Port source: Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
- Disable Internal Tools or Feature in Registry source: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
- Modify User Shell Folders Startup Value source: Detect modification of the startup key to a path where a payload could be stored to be launched during startup
- New RUN Key Pointing to Suspicious Folder source: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
- MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report source: Detects port forwarding being enabled using netsh command and registry settings created or modified in support of portproxy v4tov4 ↳ also matches Event ID 1: Process creation, Event ID 12: RegistryEvent (Object create and delete)
- Potential Credential Dumping Via LSASS SilentProcessExit Technique source: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
- RDP Sensitive Settings Changed source: Detects tampering of RDP Terminal Service/Server sensitive settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
- RDP Sensitive Settings Changed to Zero source: Detects tampering of RDP Terminal Service/Server sensitive settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
- RestrictedAdminMode Registry Value Tampering source: Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.
- Session Manager Autorun Keys Modification source: Detects modification of autostart extensibility point (ASEP) in registry
- Suspicious Powershell In Registry Run Keys source: Detects potential PowerShell commands or code within registry run keys
- Wdigest Enable UseLogonCredential source: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
References #
Event ID 14: RegistryEvent (Key and Value Rename)
#Description
**Registry key and value rename** operations map to this event type, recording the new name of the key or value that was renamed.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
EventType UnicodeString → string | Registry event: registry key and value renamed | 4 |
UtcTime UnicodeString → string | Time in UTC when event was created | |
ProcessGuid GUID → GUID | Process GUID of the process that renamed a registry value and key | |
ProcessId UInt32 → PID | Process ID used by the OS to identify the process that renamed a registry value and key | |
Image UnicodeString → string | File path of the process that renamed a registry value and key | 35 |
TargetObject UnicodeString → string | Complete path of the registry key | 27 |
NewName UnicodeString → string | New name of the registry key | |
RuleName UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID | |
User UnicodeString → string | | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"event_source_name": "",
"event_id": 14,
"version": 2,
"level": 4,
"task": 14,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-05-29T23:53:07.2285127+00:00",
"event_record_id": 160620,
"correlation": {},
"execution": {
"process_id": 11572,
"thread_id": 11700
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"EventType": "RenameKey",
"UtcTime": "2026-05-29 23:53:07.227",
"ProcessGuid": "{e124ce79-26e3-6a1a-dc11-000000000700}",
"ProcessId": "11804",
"Image": "C:\\caps\\dwrename.exe",
"TargetObject": "HKU\\S-1-5-21-3798294047-1846905762-1150995898-1000\\Software\\dwtest_key",
"NewName": "HKU\\S-1-5-21-3798294047-1846905762-1150995898-1000\\Software\\dwtest_key_renamed",
"User": "DESKTOP-FF3N5XK\\localuser"
},
"message": "Registry object renamed:\r\nRuleName: -\r\nEventType: RenameKey\r\nUtcTime: 2026-05-29 23:53:07.227\r\nProcessGuid: {e124ce79-26e3-6a1a-dc11-000000000700}\r\nProcessId: 11804\r\nImage: C:\\caps\\dwrename.exe\r\nTargetObject: HKU\\S-1-5-21-3798294047-1846905762-1150995898-1000\\Software\\dwtest_key\r\nNewName: HKU\\S-1-5-21-3798294047-1846905762-1150995898-1000\\Software\\dwtest_key_renamed\r\nUser: DESKTOP-FF3N5XK\\localuser"
}
Detection Patterns #
Detection pattern chart (rule counts by vendor: Sigma, Elastic, Splunk); recoverable pattern labels: Defense Impairment: Modify Registry (54 rules), Execution: PowerShell (9 rules), Stealth: Msiexec, Lateral Movement: Replication Through Removable Media (1 rule).
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
event.type | eq | change | 46 rules | elastic |
Details | eq | 1 | 10 rules | elastic, kusto, splunk |
Details | eq | 0x00000001 | 9 rules | elastic, splunk |
Details | eq | 0x00000000 | 8 rules | elastic, splunk |
Details | eq | 0 | 8 rules | elastic, sigma, splunk |
EventType | ne | deletion | 5 rules | elastic |
EventType | eq | SetValue | 4 rules | sigma |
EventType | eq | DeleteValue | 4 rules | sigma, splunk |
Details | length_compare | 0 | 4 rules | elastic |
Details | length_compare | > | 4 rules | elastic |
event.category | eq | registry | 4 rules | elastic |
Details | eq | (Empty) | 3 rules | sigma |
event.type | in | change | 3 rules | elastic |
event.type | in | creation | 3 rules | elastic |
Details | ends_with | .dll | 3 rules | elastic, sigma, splunk |
Detection Rules #
Sigma #
- Delete Defender Scan ShellEx Context Menu Registry Key source medium: Detects deletion of the registry key that adds the 'Scan with Defender' option to the context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
- Windows Credential Guard Related Registry Value Deleted - Registry source high: Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
- Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted source medium: Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
- Folder Removed From Exploit Guard ProtectedFolders List - Registry source high: Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder.
- Terminal Server Client Connection History Cleared - Registry source high: Detects the deletion of registry keys containing the MSTSC connection history
- Removal Of AMSI Provider Registry Keys source high: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
- Removal of Potential COM Hijacking Registry Keys source medium: Detects any deletion of entries in ".*\shell\open\command" registry keys. These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
- RunMRU Registry Key Deletion - Registry source high: Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog. In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands. Adversaries may delete this key to cover their tracks after executing commands.
- Removal Of Index Value to Hide Schedule Task - Registry source medium: Detects when the "index" value of a scheduled task is removed or deleted from the registry, which effectively hides it from any tooling such as "schtasks /query".
- Removal Of SD Value to Hide Schedule Task - Registry source medium: Detects removal of the SD (Security Descriptor) value in the \Schedule\TaskCache\Tree registry hive to hide a scheduled task. This technique is used by Tarrask malware.
- SNAKE Malware Covert Store Registry Key source high: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA ↳ also matches Event ID 12: RegistryEvent (Object create and delete), Event ID 13: RegistryEvent (Value Set)
References #
Event ID 15: FileCreateStreamHash
#Description
This event logs when a **named file stream is created**, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream. There are malware variants that drop their executables or configuration settings via browser downloads, and this event is aimed at capturing that based on the browser attaching a Zone.Identifier "mark of the web" stream.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
RuleName UnicodeString | Custom tag mapped to event, i.e. ATT&CK technique ID | |
UtcTime UnicodeString | Time in UTC when event was created | |
ProcessGuid GUID | Process GUID of the process that created the named file stream | |
ProcessId UInt32 | Process ID used by the OS to identify the process that created the named file stream | |
Image UnicodeString | File path of the process that created the named file stream | 24 |
TargetFilename UnicodeString | Name of the file | 72 |
CreationUtcTime UnicodeString | File download time | |
Hash UnicodeString | Hash of the file contents using the algorithms specified in the HashType field | 104 |
Contents UnicodeString | Content of the named file stream (e.g., Zone.Identifier) | 78 |
User UnicodeString | | |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 15,
    "version": 2,
    "level": 4,
    "task": 15,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T13:42:03.6658910+00:00",
    "event_record_id": 6137955,
    "correlation": {},
    "execution": {
      "process_id": 3872,
      "thread_id": 5252
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-13 13:42:03.651",
    "ProcessGuid": "{8a99384c-5e0b-6a2d-4c00-000000000a00}",
    "ProcessId": "3488",
    "Image": "C:\\Windows\\system32\\DFSRs.exe",
    "TargetFilename": "C:\\Windows\\SYSVOL\\staging\\domain\\ContentSet{F961A193-E171-4E37-B0B3-7E1394CCD8E0}-{02199C3B-68C2-47D3-88A0-F16A83088C75}:ReplicatedFolderList",
    "CreationUtcTime": "2026-05-28 00:46:59.105",
    "Hash": "SHA1=13D7A18758C123CD4479C81E4B2D70301C31F7C3,MD5=2CB80232D48F726137F136C129FB2D2D,SHA256=F0336167989447F25357C51FEF44D321E40A6310DD8DD2FEFF37B8E55E4543A0,IMPHASH=00000000000000000000000000000000",
    "Contents": "{",
    "User": "F"
  },
  "message": "File stream created:\r\nRuleName: -\r\nUtcTime: 2026-06-13 13:42:03.651\r\nProcessGuid: {8a99384c-5e0b-6a2d-4c00-000000000a00}\r\nProcessId: 3488\r\nImage: C:\\Windows\\system32\\DFSRs.exe\r\nTargetFilename: C:\\Windows\\SYSVOL\\staging\\domain\\ContentSet{F961A193-E171-4E37-B0B3-7E1394CCD8E0}-{02199C3B-68C2-47D3-88A0-F16A83088C75}:ReplicatedFolderList\r\nCreationUtcTime: 2026-05-28 00:46:59.105\r\nHash: SHA1=13D7A18758C123CD4479C81E4B2D70301C31F7C3,MD5=2CB80232D48F726137F136C129FB2D2D,SHA256=F0336167989447F25357C51FEF44D321E40A6310DD8DD2FEFF37B8E55E4543A0,IMPHASH=00000000000000000000000000000000\r\nContents: {\r\nUser: F"
}
```
Detection Patterns #
- Command & Control: Web Protocols (1 rule)
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| TargetFilename | ends_with | :zone.identifier | 3 rules | sigma, splunk |
| TargetFilename | contains | .bat:zone | 3 rules | sigma |
| TargetFilename | contains | .dll:zone | 3 rules | sigma |
| TargetFilename | contains | .exe:zone | 3 rules | sigma |
| TargetFilename | contains | .hta:zone | 3 rules | sigma |
| TargetFilename | contains | .ps1:zone | 3 rules | sigma |
| TargetFilename | contains | .vbe:zone | 3 rules | sigma |
| TargetFilename | contains | .vbs:zone | 3 rules | sigma |
| TargetFilename | contains | .xll:zone | 3 rules | sigma |
| Contents | contains | .githubusercontent.com | 2 rules | sigma |
| Contents | contains | anonfiles.com | 2 rules | sigma |
| Contents | contains | cdn.discordapp.com | 2 rules | sigma |
| Contents | contains | ddns.net | 2 rules | sigma |
| Contents | contains | dl.dropboxusercontent.com | 2 rules | sigma |
| Contents | contains | ghostbin.co | 2 rules | sigma |
Community Notes #
May contain Mark of the Web, referrer, and host URL data.
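As an added example (not code from the Sysmon documentation or from any of the rule sets listed here), the following Python triages Event ID 15 records the way the indicator table above suggests: it parses the Zone.Identifier stream from Contents, classifies the marked file by extension, checks HostUrl/ReferrerUrl against the file-sharing domains listed above, and notes when the writer is not a browser. The browser image list and the two sample events are constructed assumptions, not telemetry from this page.

```python
"""Triage Sysmon Event ID 15 (FileCreateStreamHash) records that carry a Zone.Identifier stream.

Added example, not code from the Sysmon documentation or from any vendor rule set.
It applies the kinds of checks summarised in the indicator table above:
  - the marked file is a script or executable (.exe, .dll, .ps1, ...),
  - HostUrl/ReferrerUrl in the stream name a file-sharing domain,
  - the stream was written by a process that is not a browser.
"""
from urllib.parse import urlparse

# Extensions and domains taken from the Common Indicators table for this event.
RISKY_EXTENSIONS = {".bat", ".dll", ".exe", ".hta", ".ps1", ".vbe", ".vbs", ".xll"}
FILE_SHARING_DOMAINS = {
    "githubusercontent.com", "anonfiles.com", "cdn.discordapp.com",
    "ddns.net", "dl.dropboxusercontent.com", "ghostbin.co",
}
# Assumed browser image names (not from the page); extend for your estate.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
URLZONE_INTERNET = "3"  # ZoneId=3 marks a file as downloaded from the Internet zone


def parse_zone_identifier(contents):
    """Parse the INI-style Zone.Identifier text ("[ZoneTransfer]", "ZoneId=3", "HostUrl=...")."""
    fields = {}
    for line in contents.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def host_on_list(url, domains):
    """True when the URL's host equals one of the domains or is a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def split_stream_name(target_filename):
    """'C:\\dir\\file.exe:Zone.Identifier' -> ('C:\\dir\\file.exe', 'Zone.Identifier').

    Sysmon writes TargetFilename as <path>:<stream>. If the only colon is the
    drive letter's, there is no stream name and the whole value is the path."""
    path, sep, stream = target_filename.rpartition(":")
    if not sep or not path or "\\" in stream:
        return target_filename, ""
    return path, stream


def triage_stream_event(event_data):
    """Return finding strings for one Event ID 15 event_data dict; [] means nothing notable."""
    findings = []
    path, stream = split_stream_name(event_data.get("TargetFilename", ""))
    if stream.lower() != "zone.identifier":
        return findings  # other named streams are out of scope for this example
    zone = parse_zone_identifier(event_data.get("Contents", ""))
    if zone.get("ZoneId") != URLZONE_INTERNET:
        return findings  # only files marked as coming from the Internet zone
    filename = path.rsplit("\\", 1)[-1]
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in RISKY_EXTENSIONS:
        findings.append(f"Internet-marked {ext} file: {path}")
    for key in ("HostUrl", "ReferrerUrl"):
        url = zone.get(key)
        if url and host_on_list(url, FILE_SHARING_DOMAINS):
            findings.append(f"{key} points at a file-sharing domain: {url}")
    image = event_data.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in BROWSER_IMAGES:
        findings.append(f"Zone.Identifier written by a non-browser process: {image}")
    return findings


# Constructed sample event_data dicts (not real telemetry from the page).
SAMPLE_EVENTS = [
    {   # benign: a browser saving a PDF from an internal site
        "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "TargetFilename": "C:\\Users\\alice\\Downloads\\report.pdf:Zone.Identifier",
        "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://intranet.example.com/\r\n"
                    "HostUrl=https://intranet.example.com/report.pdf\r\n",
    },
    {   # suspicious: a PowerShell script dropped by a non-browser from a file-sharing host
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.ps1:Zone.Identifier",
        "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://cdn.discordapp.com/attachments/1/2/update.ps1\r\n",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["TargetFilename"])
        for finding in triage_stream_event(ev) or ["no findings"]:
            print("  ", finding)
```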
Detection Rules #
Sigma #
- Hidden Executable In NTFS Alternate Data Stream (medium): Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
- Creation Of a Suspicious ADS File Outside a Browser Download (medium): Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers
- Suspicious File Download From File Sharing Websites - File Stream (high): Detects the download of a suspicious file type from a well-known file and paste sharing domain
- Unusual File Download From File Sharing Websites - File Stream (medium): Detects the download of a suspicious file type from a well-known file and paste sharing domain
- HackTool Named File Stream Created (high): Detects the creation of a named file stream with the imphash of a well-known hack tool
- Exports Registry Key To an Alternate Data Stream (high): Exports the target Registry key and hides it in the specified alternate data stream.
- Unusual File Download from Direct IP Address (high): Detects the download of a suspicious file type from URLs with an IP address
- Potential Suspicious Winget Package Installation (high): Detects potential suspicious winget package installation from a suspicious source.
- Potentially Suspicious File Download From ZIP TLD (high): Detects the download of a file with a potentially suspicious extension from a .zip top level domain.
Splunk #
- Download Files Using Telegram: The following analytic detects suspicious file downloads by the Telegram application on a Windows system. It leverages Sysmon EventCode 15 to identify instances where Telegram.exe creates files with a Zone.Identifier, indicating a…
- Windows Alternate DataStream - Base64 Content: The following analytic detects the creation of Alternate Data Streams (ADS) with Base64 content on Windows systems. It leverages Sysmon EventID 15, which captures file creation events, including the content of named streams. ADS can…
- Windows Alternate DataStream - Executable Content: The following analytic detects the writing of data with an IMPHASH value to an Alternate Data Stream (ADS) in the NTFS file system. It leverages Sysmon Event ID 15 and regex to identify files with a Portable Executable (PE) structure. This…
Event ID 16: ServiceConfigurationChange
Description #
This event logs changes in the Sysmon configuration.
Fields #
| Name | Type | Description |
|---|---|---|
| UtcTime | UnicodeString → string | Time in UTC when the event was created |
| Configuration | UnicodeString → string | Name of the Sysmon config file being updated |
| ConfigurationFileHash | UnicodeString → string | Hash (SHA1) of the Sysmon config file being updated |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 16,
    "version": 3,
    "level": 4,
    "task": 16,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T00:47:11.932399+00:00",
    "event_record_id": 994662,
    "correlation": {},
    "execution": {
      "process_id": 8688,
      "thread_id": 13092
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "UtcTime": "2023-11-06 00:47:11.921",
    "Configuration": "C:\\Users\\User\\Downloads\\Sysmon\\sysmonconfig-trace.xml",
    "ConfigurationFileHash": "SHA256=43F367924B48AF65F121C0D369E7971C0757CC35D984C71887A5840987E154F9"
  },
  "message": ""
}
```
Detection Patterns #
- Stealth: Hide Artifacts (1 rule)
Community Notes #
May indicate an attacker attempting to reduce visibility prior to staging a payload.
Detection Rules #
Sigma #
- Sysmon Configuration Change (medium): Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or of someone trying to manipulate the configuration
Event ID 17: PipeEvent (Pipe Created)
Description #
This event generates when a **named pipe is created**. Malware often uses named pipes for interprocess communication.
Fields #
| Name | Type | Description | Rules |
|---|---|---|---|
| RuleName | UnicodeString | Custom tag mapped to the event, e.g. an ATT&CK technique ID | |
| EventType | UnicodeString | The type of pipe event (CreatePipe) | 8 |
| UtcTime | UnicodeString | Time in UTC when the event was created | |
| ProcessGuid | GUID | Process GUID of the process that created the pipe | |
| ProcessId | UInt32 | Process ID used by the OS to identify the process that created the pipe | |
| PipeName | UnicodeString | Name of the pipe created | 104 |
| Image | UnicodeString | File path of the process that created the pipe | 60 |
| User | UnicodeString | The name of the account that created the named pipe | |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 17,
    "version": 1,
    "level": 4,
    "task": 17,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T14:08:49.4169649+00:00",
    "event_record_id": 17610185,
    "correlation": {},
    "execution": {
      "process_id": 4080,
      "thread_id": 5392
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "EventType": "CreatePipe",
    "UtcTime": "2026-06-13 14:08:49.413",
    "ProcessGuid": "{8a99384c-6471-6a2d-a005-000000001000}",
    "ProcessId": "7864",
    "PipeName": "\\PSHost.134258333292497101.7864.DefaultAppDomain.wsmprovhost",
    "Image": "C:\\Windows\\system32\\wsmprovhost.exe",
    "User": "cell-c\\domainadmin"
  },
  "message": "Pipe Created:\r\nRuleName: -\r\nEventType: CreatePipe\r\nUtcTime: 2026-06-13 14:08:49.413\r\nProcessGuid: {8a99384c-6471-6a2d-a005-000000001000}\r\nProcessId: 7864\r\nPipeName: \\PSHost.134258333292497101.7864.DefaultAppDomain.wsmprovhost\r\nImage: C:\\Windows\\system32\\wsmprovhost.exe\r\nUser: cell-c\\domainadmin"
}
```
Detection Patterns #
- Named Pipe (32 rules; Sigma, Splunk)
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventType | in | ConnectPipe | 4 rules | splunk |
| EventType | in | CreatePipe | 4 rules | splunk |
| tool | is_not_null | | 4 rules | splunk |
| EventType | eq | NamedPipeEvent | 2 rules | kusto |
| PipeName | eq | \PSEXESVC | 2 rules | sigma |
| PipeName | eq | \sdlrpc | 2 rules | sigma |
| PipeName | starts_with | \PSHost | 2 rules | sigma |
| Image | is_null | | 1 rule | sigma |
| Image | starts_with | c:\program files (x86)\ | 1 rule | sigma |
| Image | contains | :\users\public\ | 1 rule | sigma |
| Image | contains | :\windows\temp\ | 1 rule | sigma |
| Image | contains | \downloads\ | 1 rule | sigma |
| Image | ends_with | \scrcons.exe | 1 rule | sigma |
| Image | contains | \desktop\ | 1 rule | sigma |
| Image | contains | \appdata\local\microsoft\windowsapps\microsoft.powershellpreview | 1 rule | sigma |
Detection Rules #
Sigma #
- HackTool - DiagTrackEoP Default Named Pipe (critical): Detects creation of the default named pipe used by the DiagTrackEoP POC, a tool that abuses the "SeImpersonate" privilege. (Also matches Event ID 18: PipeEvent (Pipe Connected).)
Elastic #
- Privilege Escalation via Rogue Named Pipe Impersonation (high): Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.
YARA-L #
- ADFS DB Suspicious Named Pipe Connection: Connection to ADFS via named pipes that are not using specific Windows ADFS processes may be indicative of a user attempting to access ADFS for suspicious purposes. (Also matches Event ID 18: PipeEvent (Pipe Connected).)
Event ID 18: PipeEvent (Pipe Connected)
Description #
This event logs when a named pipe connection is made between a client and a server.
Fields #
| Name | Type | Description | Rules |
|---|---|---|---|
| RuleName | UnicodeString | Custom tag mapped to the event, e.g. an ATT&CK technique ID | |
| EventType | UnicodeString | The type of pipe event (ConnectPipe) | |
| UtcTime | UnicodeString | Time in UTC when the event was created | |
| ProcessGuid | GUID | Process GUID of the process that connected to the pipe | |
| ProcessId | UInt32 | Process ID used by the OS to identify the process that connected to the pipe | |
| PipeName | UnicodeString | Name of the pipe connected to | 1 |
| Image | UnicodeString | File path of the process that connected to the pipe | |
| User | UnicodeString | The name of the account that made the named pipe connection | |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 18,
    "version": 1,
    "level": 4,
    "task": 18,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T14:09:29.4179487+00:00",
    "event_record_id": 17612764,
    "correlation": {},
    "execution": {
      "process_id": 4080,
      "thread_id": 5392
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "EventType": "ConnectPipe",
    "UtcTime": "2026-06-13 14:09:29.413",
    "ProcessGuid": "{8a99384c-6499-6a2d-a205-000000001000}",
    "ProcessId": "7704",
    "PipeName": "\\srvsvc",
    "Image": "C:\\ludus\\background\\bginfo.exe",
    "User": "cell-c\\domainadmin"
  },
  "message": "Pipe Connected:\r\nRuleName: -\r\nEventType: ConnectPipe\r\nUtcTime: 2026-06-13 14:09:29.413\r\nProcessGuid: {8a99384c-6499-6a2d-a205-000000001000}\r\nProcessId: 7704\r\nPipeName: \\srvsvc\r\nImage: C:\\ludus\\background\\bginfo.exe\r\nUser: cell-c\\domainadmin"
}
```
Detection Patterns #
- Named Pipe (32 rules; Sigma, Splunk)
- Named Pipe (15 rules; Sigma, Splunk)
- Collection: Data from Local System (1 rule)
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventType | in | ConnectPipe | 4 rules | splunk |
| EventType | in | CreatePipe | 4 rules | splunk |
| tool | is_not_null | | 4 rules | splunk |
| Computer | eq | ADFS_Servers | 2 rules | kusto |
| PipeName | eq | \\MICROSOFT##WID\\tsql\\query | 2 rules | chronicle, kusto |
| EventType | eq | NamedPipeEvent | 2 rules | kusto |
| PipeName | eq | \PSEXESVC | 2 rules | sigma |
| PipeName | eq | \sdlrpc | 2 rules | sigma |
| PipeName | starts_with | \PSHost | 2 rules | sigma |
| Image | is_null | | 1 rule | sigma |
| Image | contains | :\users\public\ | 1 rule | sigma |
| DestinationPort | eq | 80 | 1 rule | kusto, sigma |
| Image | contains | \downloads\ | 1 rule | sigma |
| Image | ends_with | \scrcons.exe | 1 rule | sigma |
| Image | contains | \desktop\ | 1 rule | sigma |
Detection Rules #
Sigma #
- HackTool - DiagTrackEoP Default Named Pipe (critical): Detects creation of the default named pipe used by the DiagTrackEoP POC, a tool that abuses the "SeImpersonate" privilege. (Also matches Event ID 17: PipeEvent (Pipe Created).)
Kusto #
- ADFS Database Named Pipe Connection (medium): This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). In order to use this query you need to be collecting Sysmon Event ID 18 (Pipe Connected). If you do not have Sysmon data in your workspace, this query will raise an error stating: Failed to resolve scalar expression named "[@Name]"
YARA-L #
- ADFS DB Suspicious Named Pipe Connection: Connection to ADFS via named pipes that are not using specific Windows ADFS processes may be indicative of a user attempting to access ADFS for suspicious purposes. (Also matches Event ID 17: PipeEvent (Pipe Created).)
Event ID 19: WmiEvent (WmiEventFilter activity detected)
Description #
When a WMI event filter is registered, this event logs the WMI namespace, filter name and filter expression.
Fields #
| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag mapped to the event, e.g. an ATT&CK technique ID |
| EventType | UnicodeString → string | WMI event type |
| UtcTime | UnicodeString → string | Time in UTC when the event was created |
| Operation | UnicodeString → string | WMI event filter operation |
| User | UnicodeString → string | User that created the WMI filter |
| EventNamespace | UnicodeString → string | Event namespace where the WMI class is registered |
| Name | UnicodeString → string | WMI filter name being created |
| Query | UnicodeString → string | WMI filter query |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 19,
    "version": 3,
    "level": 4,
    "task": 19,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2019-07-19T14:54:57.044623Z",
    "event_record_id": 4055,
    "correlation": {},
    "execution": {
      "process_id": 2796,
      "thread_id": 1776
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "",
    "EventType": "WmiFilterEvent",
    "UtcTime": "2019-07-19 14:54:57.041",
    "Operation": "Created",
    "User": "MSEDGEWIN10\\IEUser",
    "EventNamespace": " \"root\\\\CimV2\"",
    "Name": " \"AtomicRedTeam-WMIPersistence-Example\"",
    "Query": " \"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325\""
  }
}
```
Detection Patterns #
- WMI Consumer
- Lateral Movement: Exploitation of Remote Services
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| CommandLine | contains | rundll32 | 1 rule | chronicle, kusto, sigma |
| Computer | eq | ADFS_Servers | 1 rule | kusto |
Event ID 20: WmiEvent (WmiEventConsumer activity detected)
Description #
This event logs the **registration of WMI consumers**, recording the consumer name, log, and destination.
Fields #
| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag mapped to the event, e.g. an ATT&CK technique ID |
| EventType | UnicodeString → string | WMI event type |
| UtcTime | UnicodeString → string | Time in UTC when the event was created |
| Operation | UnicodeString → string | WMI consumer operation (e.g., Created, Deleted) |
| User | UnicodeString → string | User that created the WMI consumer |
| Name | UnicodeString → string | Name of the consumer created |
| Type | UnicodeString → string | Type of WMI consumer |
| Destination | UnicodeString → string | Destination or command executed by the WMI consumer |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 20,
    "version": 3,
    "level": 4,
    "task": 20,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2019-07-19T14:54:58.819106Z",
    "event_record_id": 4056,
    "correlation": {},
    "execution": {
      "process_id": 2796,
      "thread_id": 1776
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "",
    "EventType": "WmiConsumerEvent",
    "UtcTime": "2019-07-19 14:54:58.807",
    "Operation": "Created",
    "User": "MSEDGEWIN10\\IEUser",
    "Name": " \"AtomicRedTeam-WMIPersistence-Example\"",
    "Type": "Command Line",
    "Destination": " \"C:\\\\Windows\\\\System32\\\\notepad.exe\""
  }
}
```
Detection Patterns #
- WMI Consumer
- Lateral Movement: Exploitation of Remote Services
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| CommandLine | contains | rundll32 | 1 rule | chronicle, kusto, sigma |
| Computer | eq | ADFS_Servers | 1 rule | kusto |
Detection Rules #
Splunk #
- Detect WMI Event Subscription Persistence: The following analytic identifies the creation of WMI Event Subscriptions, which can be used to establish persistence or perform privilege escalation. It detects EventID 19 (EventFilter creation), EventID 20 (EventConsumer creation), and…
Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)
Description #
When a consumer binds to a filter, this event logs the consumer name and filter path.
Fields #
| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag mapped to the event, e.g. an ATT&CK technique ID |
| EventType | UnicodeString → string | WMI event type |
| UtcTime | UnicodeString → string | Time in UTC when the event was created |
| Operation | UnicodeString → string | WMI consumer-to-filter binding operation |
| User | UnicodeString → string | User that created the WMI consumer-to-filter binding |
| Consumer | UnicodeString → string | Consumer created to bind |
| Filter | UnicodeString → string | Filter created to bind |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 21,
    "version": 3,
    "level": 4,
    "task": 21,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2019-07-19T14:57:02.378480Z",
    "event_record_id": 4057,
    "correlation": {},
    "execution": {
      "process_id": 2796,
      "thread_id": 4356
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "",
    "EventType": "WmiBindingEvent",
    "UtcTime": "2019-07-19 14:57:02.369",
    "Operation": "Created",
    "User": "MSEDGEWIN10\\IEUser",
    "Consumer": " \"\\\\\\\\.\\\\ROOT\\\\subscription:CommandLineEventConsumer.Name=\\\"AtomicRedTeam-WMIPersistence-Example\\\"\"",
    "Filter": " \"\\\\\\\\.\\\\ROOT\\\\subscription:__EventFilter.Name=\\\"AtomicRedTeam-WMIPersistence-Example\\\"\""
  }
}
```
Detection Patterns #
- WMI Consumer
- Lateral Movement: Exploitation of Remote Services
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| CommandLine | contains | rundll32 | 1 rule | chronicle, kusto, sigma |
| Computer | eq | ADFS_Servers | 1 rule | kusto |
Community Notes #
May surface registration of WMI event-based auto-runs that survive reboots.
Detection Rules #
Splunk #
- WMI Permanent Event Subscription - Sysmon: The following analytic identifies the creation of WMI permanent event subscriptions, which can be used to establish persistence or perform privilege escalation. It leverages Sysmon data, specifically EventCodes 19, 20, and 21, to detect…
References #
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-21.yml
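As an added example (not code from the Sysmon documentation or from the Splunk analytics listed above), the following Python joins Event IDs 19, 20 and 21 by WMI object name into one subscription record, which is the correlation those analytics describe. The sample input reuses the event_data values from the Event ID 19, 20 and 21 example events shown above; the quoting and backslash escaping it strips is the form Sysmon uses in those records.

```python
"""Reassemble a WMI permanent event subscription from Sysmon Event IDs 19, 20 and 21.

Added example, not code from the Sysmon documentation or from any vendor rule.
Persistence through WMI needs all three objects: an __EventFilter (Event ID 19),
an event consumer (Event ID 20) and a __FilterToConsumerBinding (Event ID 21).
Joining the three by name turns three separate records into one readable
"when <query> fires, run <destination>".
"""
import re

# Sysmon records Name/Query/Destination with a leading space and surrounding
# quotes, and the binding paths embed the object names as Class.Name="...".
_NAME_IN_PATH = re.compile(r'(?P<cls>[A-Za-z_]+)\.Name="(?P<name>[^"]*)"')


def clean_value(raw):
    """' "Foo"' -> 'Foo': drop Sysmon's leading space and surrounding quotes."""
    return raw.strip().strip('"')


def parse_binding_path(path):
    """Return (class, name) from a path such as
    \\\\.\\ROOT\\subscription:__EventFilter.Name="X" (quotes may be escaped as \\")."""
    match = _NAME_IN_PATH.search(path.replace('\\"', '"'))
    if not match:
        return None, None
    return match.group("cls"), match.group("name")


def correlate_wmi_subscriptions(events):
    """events: list of (event_id, event_data) pairs. Returns one dict per
    binding (Event ID 21) whose filter and consumer creations were both seen."""
    filters, consumers, findings = {}, {}, []
    for event_id, data in events:
        if data.get("Operation") != "Created":
            continue  # deletions/modifications are not subscription set-up
        if event_id == 19:
            filters[clean_value(data["Name"])] = data
        elif event_id == 20:
            consumers[clean_value(data["Name"])] = data
    for event_id, data in events:
        if event_id != 21 or data.get("Operation") != "Created":
            continue
        _, filter_name = parse_binding_path(data["Filter"])
        consumer_cls, consumer_name = parse_binding_path(data["Consumer"])
        flt, con = filters.get(filter_name), consumers.get(consumer_name)
        if flt is None or con is None:
            continue  # incomplete chain: the other half may arrive in a later batch
        findings.append({
            "user": data.get("User", ""),
            "filter": filter_name,
            "query": clean_value(flt["Query"]),
            "consumer": consumer_name,
            "consumer_class": consumer_cls,
            "type": con.get("Type", ""),
            "destination": clean_value(con["Destination"]),
            # A CommandLineEventConsumer launches a program: the classic persistence shape.
            "executes_command": consumer_cls == "CommandLineEventConsumer",
        })
    return findings


# Sample input taken from the Event ID 19, 20 and 21 example events shown on this page.
SAMPLE_EVENTS = [
    (19, {"Operation": "Created", "User": "MSEDGEWIN10\\IEUser",
          "EventNamespace": ' "root\\\\CimV2"',
          "Name": ' "AtomicRedTeam-WMIPersistence-Example"',
          "Query": " \"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
                   "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 "
                   "AND TargetInstance.SystemUpTime < 325\""}),
    (20, {"Operation": "Created", "User": "MSEDGEWIN10\\IEUser",
          "Name": ' "AtomicRedTeam-WMIPersistence-Example"', "Type": "Command Line",
          "Destination": ' "C:\\\\Windows\\\\System32\\\\notepad.exe"'}),
    (21, {"Operation": "Created", "User": "MSEDGEWIN10\\IEUser",
          "Consumer": r' "\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\"AtomicRedTeam-WMIPersistence-Example\""',
          "Filter": r' "\\\\.\\ROOT\\subscription:__EventFilter.Name=\"AtomicRedTeam-WMIPersistence-Example\""'}),
]

if __name__ == "__main__":
    for sub in correlate_wmi_subscriptions(SAMPLE_EVENTS):
        print(f"{sub['user']} bound filter {sub['filter']!r} -> {sub['consumer_class']} "
              f"{sub['destination']!r}\n  when: {sub['query']}")
```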
Event ID 22: DNSEvent (DNS query)
Description #
This event generates when a process executes a **DNS query**, whether the query succeeds or fails and whether or not the answer was served from the cache.
Fields #
| Name | Type | Description | Rules |
|---|---|---|---|
| RuleName | UnicodeString | Custom tag mapped to the event, e.g. an ATT&CK technique ID | |
| UtcTime | UnicodeString | Time in UTC when the event was created | |
| ProcessGuid | GUID | Process GUID of the process that executed the DNS query | |
| ProcessId | UInt32 | Process ID of the process that executed the DNS query | |
| QueryName | UnicodeString | DNS query name | 307 |
| QueryStatus | UnicodeString | DNS query status | |
| QueryResults | UnicodeString | DNS query results | |
| Image | UnicodeString | The full path of the process that executed the DNS query | 175 |
| User | UnicodeString | The name of the account that executed the DNS query | |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 22,
    "version": 5,
    "level": 4,
    "task": 22,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T14:09:53.5641227+00:00",
    "event_record_id": 6320060,
    "correlation": {},
    "execution": {
      "process_id": 3872,
      "thread_id": 5372
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-13 14:09:52.247",
    "ProcessGuid": "{8a99384c-5e0c-6a2d-5d00-000000000a00}",
    "ProcessId": "3872",
    "QueryName": "172.210.232.199.in-addr.arpa.",
    "QueryStatus": "9003",
    "QueryResults": "-",
    "Image": "C:\\Windows\\Sysmon64.exe",
    "User": "NT AUTHORITY\\SYSTEM"
  },
  "message": "Dns query:\r\nRuleName: -\r\nUtcTime: 2026-06-13 14:09:52.247\r\nProcessGuid: {8a99384c-5e0c-6a2d-5d00-000000000a00}\r\nProcessId: 3872\r\nQueryName: 172.210.232.199.in-addr.arpa.\r\nQueryStatus: 9003\r\nQueryResults: -\r\nImage: C:\\Windows\\Sysmon64.exe\r\nUser: NT AUTHORITY\\SYSTEM"
}
```
Detection Patterns #
- 1 rule
- Execution: Exploitation for Client Execution (1 rule)
- Discovery: System Network Configuration Discovery (0 rules)
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| Image | ends_with | \opera.exe | 4 rules | sigma |
| Image | ends_with | \msedge.exe | 3 rules | sigma |
| Image | ends_with | \brave.exe | 3 rules | sigma |
| Image | ends_with | \vivaldi.exe | 3 rules | sigma |
| Image | ends_with | \msmpeng.exe | 3 rules | sigma |
| Image | ends_with | \msedgewebview2.exe | 3 rules | sigma |
| Image | ends_with | \maxthon.exe | 3 rules | sigma |
| Image | ends_with | \seamonkey.exe | 3 rules | sigma |
| Image | ends_with | \whale.exe | 3 rules | sigma |
| Image | eq | c:\program files\google\chrome\application\chrome.exe | 3 rules | sigma |
| Image | ends_with | \safari.exe | 3 rules | sigma |
| Image | ends_with | \windowsapps\microsoftedge.exe | 3 rules | sigma |
| Image | eq | c:\program files\mozilla firefox\firefox.exe | 3 rules | sigma |
| Image | eq | c:\program files (x86)\google\chrome\application\chrome.exe | 3 rules | sigma |
| Image | eq | c:\program files (x86)\microsoft\edge\application\msedge.exe | 3 rules | sigma |
Detection Rules #
Sigma #
- DNS Query for Anonfiles.com Domain - Sysmon (high): Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
- AppX Package Installation Attempts Via AppInstaller.EXE (medium): Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL
- Cloudflared Tunnels Related DNS Requests (medium): Detects DNS requests to Cloudflared tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
- DNS Query To Common Malware Hosting and Shortener Services (medium): Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners. These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc. Such DNS activity can indicate potential delivery or command-and-control communication attempts.
- DNS Query To Devtunnels Domain (medium): Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
- DNS Server Discovery Via LDAP Query (low): Detects DNS server discovery via LDAP query requests from uncommon applications
- DNS Query To AzureWebsites.NET By Non-Browser Process (medium): Detects a DNS query by a non-browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
- DNS Query by Finger Utility (high): Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
- Notepad++ Updater DNS Query to Uncommon Domains (medium): Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure. This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
- DNS HybridConnectionManager Service Bus (high): Detects Azure Hybrid Connection Manager services querying the Azure service bus service
- Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing (high): Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073.
- Suspicious Cobalt Strike DNS Beaconing - Sysmon (critical): Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
- DNS Query To MEGA Hosting Website (medium): Detects DNS queries for subdomains related to the MEGA sharing website
- DNS Query Request To OneLaunch Update Service (low): Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed it will attempt to get updates from this domain.
- DNS Query Request By QuickAssist.EXE (low): Detects DNS queries initiated by "QuickAssist.exe" to the Microsoft Quick Assist primary endpoint that is used to establish a session.
- DNS Query Request By Regsvr32.EXE (medium): Detects DNS queries initiated by "Regsvr32.exe"
- DNS Query To Remote Access Software Domain From Non-Browser App (medium): An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
- Suspicious DNS Query for IP Lookup Service APIs (medium): Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non-browser process.
- TeamViewer Domain Query By Non-TeamViewer Application (medium): Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
- DNS Query Tor .Onion Address - Sysmon (high): Detects DNS queries to an ".onion" address related to Tor routing networks
Elastic #
- First Time Seen DNS Query to RMM Domain (medium): Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from processes that are not browsers. Intended to surface RMM clients, scripts, or other non-browser activity contacting these services.
- External IP Lookup from Non-Browser Process (low): Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.
Splunk #
- Local LLM Framework DNS Query: Detects DNS queries related to local LLM models on endpoints by monitoring Sysmon DNS query events (Event ID 22) for known LLM model domains and services. Local LLM frameworks like Ollama, LM Studio, and GPT4All make DNS calls to…
- Windows AI Platform DNS Query: The following analytic detects DNS queries initiated by the Windows AI Platform to domains associated with Hugging Face, OpenAI, and other popular providers of machine learning models and services. Monitoring these DNS requests is…
- Windows BitLockerToGo with Network Activity: The following analytic detects suspicious usage of BitLockerToGo.exe, which has been observed being abused by Lumma stealer malware. The malware leverages this legitimate Windows utility to manipulate registry keys, search for…
- Windows DNS Query Request To TinyUrl source: The following analytic detects a process located in a potentially suspicious location making DNS queries to known URL shortening services, specifically tinyurl. URL shorteners are frequently used by threat actors to obfuscate malicious…
- Windows Visual Basic Commandline Compiler DNSQuery source: The following analytic detects instances where vbc.exe, the Visual Basic Command Line Compiler, initiates DNS queries. Normally, vbc.exe operates locally to compile Visual Basic code and does not require internet access or to perform DNS…
- 3CX Supply Chain Attack Network Indicators source: The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. This activity is significant because it can…
- Detect DNS Query to Decommissioned S3 Bucket source: This detection identifies DNS queries to domains that match previously decommissioned S3 buckets. This activity is significant because attackers may attempt to recreate deleted S3 buckets that were previously public to hijack them for…
- Detect hosts connecting to dynamic domain providers source: The following analytic identifies DNS queries from internal hosts to dynamic domain providers. It leverages DNS query logs from the Network_Resolution data model and cross-references them with a lookup file containing known dynamic DNS…
- Detect Remote Access Software Usage DNS source: The following analytic detects DNS queries to domains associated with known remote access software such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This detection is crucial as adversaries often use these tools to maintain access and…
- DNS Kerberos Coercion source: Detects DNS-based Kerberos coercion attacks where adversaries inject marshaled credential structures into DNS records to spoof SPNs and redirect authentication such as in CVE-2025-33073. This detection leverages suricata looking for…
- DNS Query Length With High Standard Deviation source: The following analytic identifies DNS queries with unusually large lengths by computing the standard deviation of query lengths and filtering those exceeding two times the standard deviation. It leverages DNS query data from the…
- Ngrok Reverse Proxy on Network source: The following analytic detects DNS queries to common Ngrok domains, indicating potential use of the Ngrok reverse proxy tool. It leverages the Network Resolution datamodel to identify queries to domains such as "*.ngrok.com" and…
- Rundll32 DNSQuery source: The following analytic detects a suspicious rundll32.exe process making HTTP connections and performing DNS queries to web domains. It leverages Sysmon EventCode 22 logs to identify these activities. This behavior is significant as it is…
- Suspicious Process DNS Query Known Abuse Web Services source: The following analytic detects a suspicious process making DNS queries to known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms. It leverages Sysmon EventID 22 logs to identify queries from…
- Suspicious Process With Discord DNS Query source: The following analytic identifies a process making a DNS query to Discord, excluding legitimate Discord application paths. It leverages Sysmon logs with Event ID 22 to detect DNS queries containing "discord" in the QueryName field. This…
- Wermgr Process Connecting To IP Check Web Services source: The following analytic detects the wermgr.exe process attempting to connect to known IP check web services. It leverages Sysmon EventCode 22 to identify DNS queries made by wermgr.exe to specific IP check services. This activity is…
- Windows Abused Web Services source: The following analytic detects a suspicious process making DNS queries to known, abused web services such as text-paste sites, VoIP, secure tunneling, instant messaging, and digital distribution platforms. This detection leverages Sysmon…
- Windows DNS Query Request by Telegram Bot API source: The following analytic detects the execution of a DNS query by a process to the associated Telegram API domain, which could indicate access via a Telegram bot commonly used by malware for command and control (C2) communications. By…
- Windows Gather Victim Network Info Through Ip Check Web Services source: The following analytic detects processes attempting to connect to known IP check web services. This behavior is identified using Sysmon EventCode 22 logs, specifically monitoring DNS queries to services like "wtfismyip.com" and…
- Windows Multi hop Proxy TOR Website Query source: The following analytic identifies DNS queries to known TOR proxy websites, such as "*.torproject.org" and "www.theonionrouter.com". It leverages Sysmon EventCode 22 to detect these queries by monitoring DNS query events from endpoints.…
Kusto # view in coverage
- DNS events related to mining pools (ASIM DNS Schema) source low: Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM DNS schema
- DNS events related to ToR proxies (ASIM DNS Schema) source low: Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM DNS schema
- Excessive NXDOMAIN DNS Queries (ASIM DNS Schema) source medium: This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM DNS schema
- Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution) source medium: This rule generates an alert when the configured threshold for DNS queries to non-existent domains is breached. This helps in identifying possible C2 communications. It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema.
- Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution) source medium: This rule creates an alert when multiple clients report errors for the same DNS query. This helps in identifying possible similar C2 communications originating from different clients. It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema.
- Ngrok Reverse Proxy on Network (ASIM DNS Solution) source medium: This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently.
- Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Static threshold based (ASIM DNS Solution) source medium: This rule identifies clients with a high NXDomain count, which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). An alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema.
- Rare client observed with high reverse DNS lookup count - Anomaly based (ASIM DNS Solution) source medium: This rule makes use of the series decompose anomaly method to identify clients with high reverse DNS counts. This helps in detecting the possible initial phases of an attack, like discovery and reconnaissance. It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema.
- Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution) source medium: This rule identifies clients with high reverse DNS counts, which could be carrying out reconnaissance or discovery activity. This helps in detecting the possible initial phases of an attack, like discovery and reconnaissance. It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema.
- Google Threat Intelligence - Threat Hunting Domain source medium: Google Threat Intelligence domain correlation.
- RecordedFuture Threat Hunting Domain All Actors source medium: Recorded Future Threat Hunting domain correlation for all actors.
YARA-L # view in coverage
- Recon Environment Enumeration Network CISA Report source: Detects network enumeration commands as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into. ↳ also matches Event ID 1: Process creation
References #
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-22-dnsevent-dns-query
- OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-22.yml
- NSA/CISA - Best Practices for Event Logging https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection
- MS Learn DNS_ERROR_* (winerror.h codes 9000-11999) https://learn.microsoft.com/en-us/windows/win32/debug/system-error-codes--9000-11999-
Event ID 23: FileDelete (File Delete archived)
#Description
A file was deleted. Additionally, the deleted file is saved in the ArchiveDirectory.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
| RuleName UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID | |
| UtcTime UnicodeString → string | Time in UTC when event was created | |
| ProcessGuid GUID → GUID | Process GUID of the process that deleted the file | |
| ProcessId UInt32 → PID | Process ID used by the OS to identify the process that deleted the file | |
| User UnicodeString → string | Name of the account who deleted the file | 2 |
| Image UnicodeString → string | File path of the process that deleted the file | 22 |
| TargetFilename UnicodeString → string | Full path name of the deleted file | 79 |
| Hashes UnicodeString → string | Hashes captured by the Sysmon driver of the deleted file | |
| IsExecutable Boolean → boolean | Whether the deleted file is a PE executable | |
| Archived UnicodeString → string | States if the file was archived when deleted | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 23,
"version": 5,
"level": 4,
"task": 23,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2020-10-20T11:50:55.461859Z",
"event_record_id": 769,
"correlation": {},
"execution": {
"process_id": 7212,
"thread_id": 9748
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "DESKTOP-NTSSLJD",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2020-10-20 11:50:55.457",
"ProcessGuid": "23F38D93-CF1F-5F8E-CA08-000000000C00",
"ProcessId": 8736,
"User": "DESKTOP-NTSSLJD\\den",
"Image": "C:\\Program Files\\Internet Explorer\\IEInstal.exe",
"TargetFilename": "C:\\Users\\den\\AppData\\Local\\Temp\\dfcc1807-03a1-4ae1-ab29-5675b285edea\\consent.exe.dat",
"Hashes": "SHA1=6BFB38629570909D3D9EEDFC783A948CE7849105,MD5=EE2A1C85C472F89B146CC8EE598CCCBC,SHA256=19FD0010DA92B654D1CA270247061A39EA13C0A58529FD8257A97E2EF7794911,IMPHASH=522D83761201075834F05037F5307949",
"IsExecutable": true,
"Archived": "true"
}
}
Detection Patterns #
[chart: detection rules by vendor and pattern; recoverable labels: 23 rules, Sigma, Elastic, 15 rules, Sigma, Threat Hunting Hash (1 rule), Persistence: Boot or Logon Autostart Execution (1 rule)]
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| TargetFilename | ends_with | :zone.identifier | 3 rules | sigma, splunk |
| event.type | eq | deletion | 3 rules | elastic |
| event.type | in | change | 2 rules | elastic |
| IsActive | eq | true | 2 rules | kusto |
| ObservableValue | is_not_null | | 2 rules | kusto |
| event.category | eq | file | 2 rules | elastic |
| TargetFilename | ends_with | .log | 2 rules | sigma |
| Hashes | is_not_null | | 2 rules | kusto |
| ObservableKey | contains | file:hashes | 2 rules | kusto |
| count | ge | 100 | 2 rules | splunk |
| event.type | in | deletion | 2 rules | elastic |
| Image | ends_with | \powershell.exe | 1 rule | sigma |
| Image | ends_with | \pwsh.exe | 1 rule | sigma |
| Image | ends_with | \cmd.exe | 1 rule | sigma |
| Image | ends_with | \rundll32.exe | 1 rule | sigma |
Detection Rules #
View all rules referencing this event →
Sigma # view in coverage
- Process Deletion of Its Own Executable source medium: Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces. ↳ also matches Event ID 26: FileDeleteDetected (File Delete logged)
Splunk # view in coverage
- Windows Mark Of The Web Bypass source: The following analytic identifies a suspicious process that deletes the Mark-of-the-Web (MOTW) data stream. It leverages Sysmon EventCode 23 to detect when a file's Zone.Identifier stream is removed. This activity is significant because it…
- Windows MSI Rollback Script Deleted By Non-Msiexec Process source: Detects deletion of a Rollback Script (.rbs) file under C:\Config.Msi, the critical filesystem manipulation step in an MSI Rollback privilege escalation attack that converts an arbitrary file delete primitive into full SYSTEM code…
- Windows Rdp AutomaticDestinations Deletion source: This detection identifies the deletion of files within the AutomaticDestinations folder, located under a user’s AppData\Roaming\Microsoft\Windows\Recent directory. These files are part of the Windows Jump List feature, which records… ↳ also matches Event ID 26: FileDeleteDetected (File Delete logged)
YARA-L # view in coverage
- Suspicious Unusual Location LNK File source: Detects creation and movement of .lnk files to specific folders. ↳ also matches Event ID 2: A process changed a file creation time, Event ID 11: FileCreate
References #
Event ID 24: ClipboardChange (New content in the clipboard)
#Description
This event is generated when the system clipboard contents change.
Message #
Fields #
| Name | Description |
|---|---|
| RuleName UnicodeString → string | |
| UtcTime UnicodeString → string | |
| ProcessGuid GUID → GUID | |
| ProcessId UInt32 → PID | |
| Image UnicodeString → string | |
| Session UInt32 → unsignedInt | |
| ClientInfo UnicodeString → string | |
| Hashes UnicodeString → string | |
| Archived UnicodeString → string | |
| User UnicodeString → string | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 24,
"version": 5,
"level": 4,
"task": 24,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T01:34:43.177918+00:00",
"event_record_id": 1300545,
"correlation": {},
"execution": {
"process_id": 7064,
"thread_id": 18652
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2023-11-06 01:34:43.168",
"ProcessGuid": "E56ADA26-3DE0-6548-E908-000000000D00",
"ProcessId": 11112,
"Image": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_1.18.2822.0_x64__8wekyb3d8bbwe\\WindowsTerminal.exe",
"Session": 1,
"ClientInfo": "user: WINDEV2310EVAL\\User",
"Hashes": "SHA1=179A4D08834E913B14727CF6474BAC31E082D275,MD5=64D76D5B160C1EB41680025DD778622D,SHA256=35EC5A2FD3F20757A957DC280EF330892A9D76378252CD381BF34518E6A30427,IMPHASH=00000000000000000000000000000000",
"Archived": "true",
"User": "WINDEV2310EVAL\\User"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-24-clipboardchange-new-content-in-the-clipboard
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 25: ProcessTampering (Process image change)
#Description
This event is generated when Sysmon detects process hiding techniques, such as process hollowing or process herpaderping, in which the in-memory process image no longer matches the image on disk.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
| RuleName UnicodeString | | |
| UtcTime UnicodeString | | |
| ProcessGuid GUID | | |
| ProcessId UInt32 | | |
| Image UnicodeString | | 7 |
| Type UnicodeString | Known values | 1 |
| User UnicodeString | | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"event_source_name": "",
"event_id": 25,
"version": 5,
"level": 4,
"task": 25,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T13:41:34.2634917+00:00",
"event_record_id": 6122317,
"correlation": {},
"execution": {
"process_id": 3872,
"thread_id": 5252
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2026-06-13 13:41:19.666",
"ProcessGuid": "{00000000-0000-0000-0000-000000000000}",
"ProcessId": "604",
"Image": "<unknown process>",
"Type": "Image is replaced",
"User": "NT AUTHORITY\\SYSTEM"
},
"message": "Process Tampering:\r\nRuleName: -\r\nUtcTime: 2026-06-13 13:41:19.666\r\nProcessGuid: {00000000-0000-0000-0000-000000000000}\r\nProcessId: 604\r\nImage: <unknown process>\r\nType: Image is replaced\r\nUser: NT AUTHORITY\\SYSTEM"
}
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| Image | ends_with | \opera.exe | 1 rule | sigma |
| Image | ends_with | \windowsapps\microsoftedge.exe | 1 rule | sigma |
| Image | contains | :\program files\ | 1 rule | sigma |
| Image | contains | \appdata\local\programs\opera\ | 1 rule | sigma |
Community Notes #
Process tampering; detects process herpaderping.
Detection Rules #
View all rules referencing this event →
Sigma # view in coverage
- Potential Process Hollowing Activity source medium: Detects when a memory process image does not match the disk image, indicative of process hollowing.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-25-processtampering-process-image-change
- jxy-s/herpaderping research repository https://github.com/jxy-s/herpaderping
- Process Herpaderping technique writeup https://jxy-s.github.io/herpaderping/
Event ID 26: FileDeleteDetected (File Delete logged)
#Description
A file was deleted.
Message #
Fields #
| Name | Description |
|---|---|
| RuleName UnicodeString | Custom tag mapped to event, i.e. ATT&CK technique ID |
| UtcTime UnicodeString | Time in UTC when event was created |
| ProcessGuid GUID | Process GUID of the process that deleted the file |
| ProcessId UInt32 | Process ID used by the OS to identify the process that deleted the file |
| User UnicodeString | Name of the account who deleted the file |
| Image UnicodeString | File path of the process that deleted the file |
| TargetFilename UnicodeString | Full path name of the deleted file |
| Hashes UnicodeString | Hashes captured by the Sysmon driver of the deleted file |
| IsExecutable Boolean | Whether the deleted file is a PE executable |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"event_source_name": "",
"event_id": 26,
"version": 5,
"level": 4,
"task": 26,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T14:09:29.6982228+00:00",
"event_record_id": 17612805,
"correlation": {},
"execution": {
"process_id": 4080,
"thread_id": 5392
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2026-06-13 14:09:29.694",
"ProcessGuid": "{8a99384c-e971-6a2c-b200-000000001000}",
"ProcessId": "6816",
"User": "cell-c\\domainadmin",
"Image": "C:\\Windows\\Explorer.EXE",
"TargetFilename": "C:\\Users\\domainadmin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\CachedImage_1024_768_POS1.jpg",
"Hashes": "SHA1=45418D43C67E2CEE415B678094EABC2A7D9FF2E4,MD5=210CC081ECEF04E020E21D53341EE954,SHA256=4F3BA3A9948CDDF013F02C82832BE6CE9203B2E874D9675BAEF3F9026C3B266F,IMPHASH=00000000000000000000000000000000",
"IsExecutable": "false"
},
"message": "File Delete logged:\r\nRuleName: -\r\nUtcTime: 2026-06-13 14:09:29.694\r\nProcessGuid: {8a99384c-e971-6a2c-b200-000000001000}\r\nProcessId: 6816\r\nUser: cell-c\\domainadmin\r\nImage: C:\\Windows\\Explorer.EXE\r\nTargetFilename: C:\\Users\\domainadmin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\CachedImage_1024_768_POS1.jpg\r\nHashes: SHA1=45418D43C67E2CEE415B678094EABC2A7D9FF2E4,MD5=210CC081ECEF04E020E21D53341EE954,SHA256=4F3BA3A9948CDDF013F02C82832BE6CE9203B2E874D9675BAEF3F9026C3B266F,IMPHASH=00000000000000000000000000000000\r\nIsExecutable: false"
}
Detection Patterns #
[chart: detection rules by vendor; recoverable labels: 23 rules, Sigma, Elastic, 15 rules, Sigma]
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| event.type | eq | deletion | 3 rules | elastic |
| event.type | in | change | 2 rules | elastic |
| TargetFilename | ends_with | :zone.identifier | 2 rules | sigma, splunk |
| IsActive | eq | true | 2 rules | kusto |
| ObservableValue | is_not_null | | 2 rules | kusto |
| event.category | eq | file | 2 rules | elastic |
| TargetFilename | ends_with | .log | 2 rules | sigma |
| Hashes | is_not_null | | 2 rules | kusto |
| ObservableKey | contains | file:hashes | 2 rules | kusto |
| count | ge | 100 | 2 rules | splunk |
| event.type | in | deletion | 2 rules | elastic |
| Image | ends_with | \powershell.exe | 1 rule | sigma |
| Image | ends_with | \pwsh.exe | 1 rule | sigma |
| Image | ends_with | \cmd.exe | 1 rule | sigma |
| Image | ends_with | \rundll32.exe | 1 rule | sigma |
Detection Rules #
View all rules referencing this event →
Sigma # view in coverage
- Process Deletion of Its Own Executable source medium: Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces. ↳ also matches Event ID 23: FileDelete (File Delete archived)
Splunk # view in coverage
- Windows Rdp AutomaticDestinations Deletion source: This detection identifies the deletion of files within the AutomaticDestinations folder, located under a user’s AppData\Roaming\Microsoft\Windows\Recent directory. These files are part of the Windows Jump List feature, which records… ↳ also matches Event ID 23: FileDelete (File Delete archived)
References #
Event ID 27: FileBlockExecutable
#Description
This event is generated when Sysmon detects and blocks the creation of executable files.
Message #
Fields #
| Name | Description |
|---|---|
| RuleName UnicodeString → string | |
| UtcTime UnicodeString → string | |
| ProcessGuid GUID → GUID | |
| ProcessId UInt32 → PID | |
| User UnicodeString → string | |
| Image UnicodeString → string | |
| TargetFilename UnicodeString → string | |
| Hashes UnicodeString → string | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 27,
"version": 5,
"level": 4,
"task": 27,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2022-08-29T04:43:48.128507Z",
"event_record_id": 1341,
"correlation": {},
"execution": {
"process_id": 2060,
"thread_id": 7132
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "DESKTOP-VQBONAV",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "ImageBlock",
"UtcTime": "2022-08-29 04:43:48.117",
"ProcessGuid": "3E153517-4404-630C-0003-000000000400",
"ProcessId": 8636,
"User": "DESKTOP-VQBONAV\\user",
"Image": "C:\\Windows\\system32\\certutil.exe",
"TargetFilename": "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\02E7958E9A9619FDA0A027756E601291",
"Hashes": "MD5=E112A827FAB9F8378C76040187A6F336,SHA256=ED369187681A62247E38D930320F1CD771756D0B7B67072D8EC655EF99E14AEB,IMPHASH=8EEAA9499666119D13B3F44ECD77A729"
}
}
Detection Rules #
View all rules referencing this event →
Sigma # view in coverage
- Sysmon Blocked Executable source high: Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy
References #
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-27-fileblockexecutable
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 28: FileBlockShredding
#Description
This event is generated when Sysmon detects and blocks file shredding.
Message #
Fields #
| Name | Description |
|---|---|
| RuleName UnicodeString → string | |
| UtcTime UnicodeString → string | |
| ProcessGuid GUID → GUID | |
| ProcessId UInt32 → PID | |
| User UnicodeString → string | |
| Image UnicodeString → string | |
| TargetFilename UnicodeString → string | |
| Hashes UnicodeString → string | |
| IsExecutable Boolean → boolean | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 28,
"version": 5,
"level": 4,
"task": 28,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T03:06:00.105995+00:00",
"event_record_id": 36714962,
"correlation": {},
"execution": {
"process_id": 3860,
"thread_id": 5148
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2026-03-12 03:06:00.101",
"ProcessGuid": "3792AB3B-0B4D-69B1-4300-000000000F00",
"ProcessId": 3544,
"User": "NT AUTHORITY\\LOCAL SERVICE",
"Image": "C:\\Windows\\System32\\svchost.exe",
"TargetFilename": "C:\\Windows\\System32\\sru\\SRU.log",
"Hashes": "SHA1=1ADC95BEBE9EEA8C112D40CD04AB7A8D75C4F961,MD5=FCD6BCB56C1689FCEF28B57C22475BAD,SHA256=DE2F256064A0AF797747C2B97505DC0B9F3DF0DE4F489EAC731C23AE9CA9CC31,IMPHASH=00000000000000000000000000000000",
"IsExecutable": false
},
"message": ""
}
Detection Rules #
View all rules referencing this event →
Sigma # view in coverage
- Sysmon Blocked File Shredding source high: Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.
References #
Event ID 29: FileExecutableDetected
#Description
This event is generated when Sysmon detects the creation of a new executable file.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
| RuleName UnicodeString → string | | |
| UtcTime UnicodeString → string | | |
| ProcessGuid GUID → GUID | | |
| ProcessId UInt32 → PID | | |
| User UnicodeString → string | | |
| Image UnicodeString → string | | |
| TargetFilename UnicodeString → string | | 1 |
| Hashes UnicodeString → string | | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 29,
"version": 5,
"level": 4,
"task": 29,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T19:59:50.724328+00:00",
"event_record_id": 25592993,
"correlation": {},
"execution": {
"process_id": 3516,
"thread_id": 4964
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2026-03-13 19:59:50.723",
"ProcessGuid": "3792AB3B-6CAF-69B4-C304-000000000800",
"ProcessId": 6332,
"User": "NT AUTHORITY\\SYSTEM",
"Image": "C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.378_none_6b5c1260907d1384\\TiWorker.exe",
"TargetFilename": "C:\\Windows\\WinSxS\\Temp\\InFlight\\4d85a1f323b3dc0131020000bc18500b\\amd64_hyperv-compute-containerdiagnosticstool_31bf3856ad364e35_10.0.22621.1_none_e8f6dc1e2b2810c4\\hcsdiag.exe",
"Hashes": "SHA1=4151B8801065408E851608F5F586E83F841DDF73,MD5=5CDE58E943D06BF77B4595CF917E4BD6,SHA256=148B44E4D5251D533F66EB2352AE396DB612AE926703682C8CD271ADC8A8B03A,IMPHASH=BC0760AED3654197B70538C4350C093A"
},
"message": ""
}
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| TargetFilename | ends_with | .sed | 1 rule | sigma |
Detection Rules #
View all rules referencing this event →
Sigma # view in coverage
- Potentially Suspicious Self Extraction Directive File Created source medium: Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stands for Self Extraction Directive files. These files are used by the "iexpress.exe" utility in order to create self-extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries. Usually ".sed" files are simple ini files and not PE binaries.
- Sysmon File Executable Creation Detected source medium: Triggers on any Sysmon "FileExecutableDetected" event, which triggers every time a PE that is monitored by the config is created.
Splunk # view in coverage
- Windows Executable Masquerading as Benign File Types source: The following analytic detects the presence of executable files masquerading as benign file types on Windows systems. Adversaries employ this technique to evade defenses and trick users into executing malicious code by renaming executables…
References #
Event ID 255: Error report: UtcTime: UtcTime ID: ID Description: Description.
#Description
This event is generated when an **error occurred within Sysmon**. Such errors can happen if the system is under heavy load and certain tasks could not be performed, or if a bug exists in the Sysmon service.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
| UtcTime UnicodeString | | |
| ID UnicodeString | | |
| Description UnicodeString | | 6 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"event_source_name": "",
"event_id": 255,
"version": 3,
"level": 2,
"task": 255,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T13:41:07.6428879+00:00",
"event_record_id": 6120904,
"correlation": {},
"execution": {
"process_id": 3720,
"thread_id": 5400
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"UtcTime": "2026-06-13 13:41:07.630",
"ID": "GetConfigurationOptions",
"Description": "Failed to open service configuration with error 92 - Last error: The media is write protected.\n"
},
"message": "Error report:\r\nUtcTime: 2026-06-13 13:41:07.630\r\nID: GetConfigurationOptions\r\nDescription: Failed to open service configuration with error 92 - Last error: The media is write protected.\r\n"
}
Detection Rules #
View all rules referencing this event →
Sigma # view in coverage
- Sysmon Configuration Error source high: Detects when an adversary is trying to hide its actions from Sysmon logging, based on error messages
References #
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {5770385F-C22A-43E0-BF4C-06F5698FFBD9}
Defined in Sysmon64.exe, which carries the event manifest.
Observed on:
- WS2022-20348.4893 · sample captured from a live trace · binary version 15.15 · captured 2026-06-02
- WS2022-20348.4893 · schema read from the registered manifest · binary version 15.15 · captured 2026-06-02