Microsoft-Windows-Sysmon
30 events across 1 channel
Event ID 1 — Process creation
Description #
The process creation event provides extended information about a newly created process.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
| UtcTime | UnicodeString → string | Time in UTC when event was created |
| ProcessGuid | GUID → GUID | Process GUID of the process that got spawned/created (child) |
| ProcessId | UInt32 → PID | Process ID used by the OS to identify the created process (child) |
| Image | UnicodeString → string | File path of the process being spawned/created. Considered also the child or source process |
| FileVersion | UnicodeString → string | Version of the image associated with the main process (child) |
| Description | UnicodeString → string | Description of the image associated with the main process (child) |
| Product | UnicodeString → string | Product name the image associated with the main process (child) belongs to |
| Company | UnicodeString → string | Company name the image associated with the main process (child) belongs to |
| OriginalFileName | UnicodeString → string | Original file name from the PE header, useful for detecting renamed executables |
| CommandLine | UnicodeString → string | Arguments which were passed to the executable associated with the main process |
| CurrentDirectory | UnicodeString → string | The path without the name of the image associated with the process |
| User | UnicodeString → string | Name of the account who created the process (child). It usually contains domain name and user name (parsed to show only username without the domain) |
| LogonGuid | GUID → GUID | Logon GUID of the user who created the new process. Value that can help you correlate this event with others that contain the same Logon GUID (Sysmon Events) |
| LogonId | HexInt64 → HexInt64 | Logon ID of the user who created the new process. Value that can help you correlate this event with others that contain the same Logon ID |
| TerminalSessionId | UInt32 → unsignedInt | ID of the session the user belongs to |
| IntegrityLevel | UnicodeString → string | Integrity label assigned to a process |
| Hashes | UnicodeString → string | Hashes captured by Sysmon driver |
| ParentProcessGuid | GUID → GUID | Process GUID of the parent process that spawned/created this process |
| ParentProcessId | UInt32 → PID | Process ID of the process that spawned/created the main process (child) |
| ParentImage | UnicodeString → string | File path that spawned/created the main process |
| ParentCommandLine | UnicodeString → string | Arguments which were passed to the executable associated with the parent process |
| ParentUser | UnicodeString → string | Name of the account who created the process that spawned/created the main process (child) |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 1,
    "version": 5,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T02:04:12.512502+00:00",
    "event_record_id": 1438276,
    "correlation": {},
    "execution": {
      "process_id": 7064,
      "thread_id": 9788
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2023-11-06 02:04:12.487",
    "ProcessGuid": "E56ADA26-499C-6548-2D0B-000000000D00",
    "ProcessId": 19696,
    "Image": "C:\\Windows\\System32\\dllhost.exe",
    "FileVersion": "10.0.22621.1 (WinBuild.160101.0800)",
    "Description": "COM Surrogate",
    "Product": "Microsoft® Windows® Operating System",
    "Company": "Microsoft Corporation",
    "OriginalFileName": "dllhost.exe",
    "CommandLine": "C:\\Windows\\system32\\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}",
    "CurrentDirectory": "C:\\Windows\\system32\\",
    "User": "WINDEV2310EVAL\\User",
    "LogonGuid": "E56ADA26-17F4-6548-C677-020000000000",
    "LogonId": "0x277c6",
    "TerminalSessionId": 1,
    "IntegrityLevel": "High",
    "Hashes": "SHA1=C521025C55687C1F29B1F3A3C69B3D152CE84981,MD5=144FA51A15E98D84D28EEAB815BC9A8B,SHA256=FDFAD08EADD54A431E431FEBE60E87B574CE90E5502ED0BE2F026A1828120FC6,IMPHASH=FBDAC0471446783AD621D3CAB6033559",
    "ParentProcessGuid": "E56ADA26-17EE-6548-0D00-000000000D00",
    "ParentProcessId": 920,
    "ParentImage": "C:\\Windows\\System32\\svchost.exe",
    "ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
    "ParentUser": "NT AUTHORITY\\SYSTEM"
  },
  "message": ""
}
```
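Two fields in the table above are worth handling in code rather than by eye: Hashes is a single comma-separated string whose algorithms depend on the Sysmon configuration, and OriginalFileName is the PE-header name the table describes as useful for spotting renamed executables. The Python below is an added example, not code from this page or from Sysmon: it splits Hashes into per-algorithm values, compares OriginalFileName against the on-disk name, and applies the "System integrity process without a SYSTEM parent" pattern that the Splunk rules further down describe. The first dictionary is a constructed copy of the event_data shown above; the second is a constructed renamed-binary case with a hypothetical path and name.

```python
from typing import Dict, List

# Constructed copy of the Event ID 1 event_data shown above (values taken
# from the page's sample; this is an added example, not Sysmon's own code).
SAMPLE_EVENT_DATA = {
    "Image": "C:\\Windows\\System32\\dllhost.exe",
    "OriginalFileName": "dllhost.exe",
    "IntegrityLevel": "High",
    "User": "WINDEV2310EVAL\\User",
    "ParentUser": "NT AUTHORITY\\SYSTEM",
    "Hashes": (
        "SHA1=C521025C55687C1F29B1F3A3C69B3D152CE84981,"
        "MD5=144FA51A15E98D84D28EEAB815BC9A8B,"
        "SHA256=FDFAD08EADD54A431E431FEBE60E87B574CE90E5502ED0BE2F026A1828120FC6,"
        "IMPHASH=FBDAC0471446783AD621D3CAB6033559"
    ),
}

# Constructed renamed-binary case: on-disk name and PE header disagree.
# Path, file name and hash are hypothetical placeholders.
RENAMED_EVENT_DATA = {
    "Image": "C:\\Users\\User\\AppData\\Local\\Temp\\update.exe",
    "OriginalFileName": "PowerShell.EXE",
    "IntegrityLevel": "Medium",
    "User": "WINDEV2310EVAL\\User",
    "ParentUser": "WINDEV2310EVAL\\User",
    "Hashes": "SHA256=" + "0" * 64,
}


def parse_hashes(hashes: str) -> Dict[str, str]:
    """Split Sysmon's 'ALG=HEX,ALG=HEX' Hashes string into {ALG: hex}.

    Which algorithms appear is set by the HashAlgorithms option in the
    Sysmon configuration, so callers must not assume a fixed set.
    """
    parsed: Dict[str, str] = {}
    for part in hashes.split(","):
        if "=" not in part:
            continue
        alg, digest = part.split("=", 1)
        parsed[alg.strip().upper()] = digest.strip().lower()
    return parsed


def windows_basename(path: str) -> str:
    """Last component of a Windows path, independent of the analysis host OS."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_renamed_executable(event_data: dict) -> bool:
    """True when the on-disk file name differs from OriginalFileName.

    Sysmon writes '-' for fields it could not populate (see RuleName in the
    sample above); with no PE name there is nothing to compare.
    """
    original = event_data.get("OriginalFileName", "").strip()
    if not original or original == "-":
        return False
    actual = windows_basename(event_data.get("Image", ""))
    return actual.lower() != original.lower()


def is_system_without_system_parent(event_data: dict) -> bool:
    """System-integrity child whose parent did not run as a built-in service
    account. On non-English Windows the authority name is localized, so the
    prefix below must be adjusted to the environment."""
    if event_data.get("IntegrityLevel") != "System":
        return False
    parent_user = event_data.get("ParentUser", "").upper()
    return not parent_user.startswith("NT AUTHORITY\\")


def triage(event_data: dict) -> List[str]:
    """Return the list of findings for one process-creation event."""
    findings: List[str] = []
    if is_renamed_executable(event_data):
        findings.append(
            f"renamed executable: {windows_basename(event_data['Image'])} "
            f"has OriginalFileName {event_data['OriginalFileName']}"
        )
    if is_system_without_system_parent(event_data):
        findings.append(
            f"System integrity process spawned by {event_data.get('ParentUser')}"
        )
    return findings


if __name__ == "__main__":
    for label, ev in (("sample", SAMPLE_EVENT_DATA), ("renamed", RENAMED_EVENT_DATA)):
        print(label, parse_hashes(ev["Hashes"]), triage(ev))
```

The renamed-binary check is case-insensitive because Windows file names are; the sample above (DllHost.exe in CommandLine, dllhost.exe in OriginalFileName) would otherwise produce a false positive.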
Detection Rules #
Sigma #
- 7Zip Compressing Dump Files (medium): Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
- Compress Data and Lock With Password for Exfiltration With 7-ZIP (medium): An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities.
- Potential DLL Injection Via AccCheckConsole (medium): Detects the execution of "AccCheckConsole", a command-line tool for verifying the accessibility implementation of an application's UI. One of the tests that this checker can run is called a "verification routine", which tests for things like consistency, navigation, etc. The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such a DLL and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
- Suspicious AddinUtil.EXE CommandLine Execution (high): Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversary's Addins.Store payload.
- Uncommon AddinUtil.EXE CommandLine Execution (medium): Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversary's Addins.Store payload.
- AddinUtil.EXE Execution From Uncommon Directory (medium): Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
- Potential Adplus.EXE Abuse (high): Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
- AgentExecutor PowerShell Execution (medium): Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by the 6th positional argument.
- Suspicious AgentExecutor PowerShell Execution (high): Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by the 6th positional argument.
- Windows AMSI Related Registry Tampering Via CommandLine (high): Detects tampering of AMSI (Anti-Malware Scan Interface) related registry values via command line tools such as reg.exe or PowerShell. AMSI provides a generic interface for applications and services to integrate with antimalware products. Adversaries may disable AMSI to evade detection of malicious scripts and code execution.
- Uncommon Assistive Technology Applications Execution Via AtBroker.EXE (medium): Detects the start of non-built-in assistive technology applications via "Atbroker.EXE".
- Hiding Files with Attrib.exe (medium): Detects usage of attrib.exe to hide files from users.
- Set Suspicious Files as System Files Using Attrib.EXE (high): Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs.
- Audit Policy Tampering Via Auditpol (high): Threat actors can use the auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
- Suspicious Autorun Registry Modified via WMI (high): Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.
- Indirect Inline Command Execution Via Bash.EXE (medium): Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
- Indirect Command Execution From Script File Via Bash.EXE (medium): Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
- Boot Configuration Tampering Via Bcdedit.EXE (high): Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often used by malware or attackers as a destructive step before launching ransomware.
- Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE (medium): Detects potential malicious and unauthorized usage of bcdedit.exe.
- Data Export From MSSQL Table Via BCP.EXE (medium): Detects the execution of the BCP utility in order to export data from the database. Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
Splunk #
- Detect Remote Access Software Usage FileInfo: The following analytic detects the execution of processes with file or code signing attributes from known remote access software within the environment. It leverages Sysmon EventCode 1 data and cross-references a lookup table of remote access utilities such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant as adversaries often use these tools to maintain unauthorized remote access. If confirmed malicious, this could allow attackers to persist in the environment, potentially leading to data exfiltration or further compromise of the network.
- Excessive Usage Of SC Service Utility: The following analytic detects excessive usage of the `sc.exe` service utility on a host machine. It leverages Sysmon EventCode 1 logs to identify instances where `sc.exe` is executed more frequently than normal within a 15-minute window. This behavior is significant as it is commonly associated with ransomware, cryptocurrency miners, and other malware attempting to create, modify, delete, or disable services, potentially related to security applications or for privilege escalation. If confirmed malicious, this activity could allow attackers to manipulate critical services, leading to system compromise or disruption of security defenses.
- MacOS - Re-opened Applications: The following analytic identifies processes referencing plist files that determine which applications are re-opened when a user reboots their MacOS machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes related to "com.apple.loginwindow." This activity is significant because it can indicate attempts to persist across reboots, a common tactic used by attackers to maintain access. If confirmed malicious, this could allow an attacker to execute code or maintain persistence on the affected system, potentially leading to further compromise.
- Malicious PowerShell Process With Obfuscation Techniques: The following analytic detects PowerShell processes launched with command-line arguments indicative of obfuscation techniques. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and complete command-line executions. This activity is significant because obfuscated PowerShell commands are often used by attackers to evade detection and execute malicious scripts. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, or persistent access within the environment, posing a significant security risk.
- Process Deleting Its Process File Path: The following analytic identifies a process attempting to delete its own file path, a behavior often associated with defense evasion techniques. This detection leverages Sysmon EventCode 1 logs, focusing on command lines executed via cmd.exe that include deletion commands. This activity is significant as it may indicate malware, such as Clop ransomware, trying to evade detection by removing its executable file if certain conditions are met. If confirmed malicious, this could allow the attacker to persist undetected, complicating incident response and remediation efforts.
- Web or Application Server Spawning a Shell: The following analytic detects instances where Java or Tomcat processes spawn a Linux shell, which may indicate exploitation attempts, such as those related to CVE-2021-44228 (Log4Shell). This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and parent-child process relationships. This activity is significant as it can signify a compromised Java application, potentially leading to unauthorized shell access. If confirmed malicious, attackers could execute arbitrary commands, escalate privileges, or maintain persistent access, posing a severe threat to the environment.
- Web Servers Executing Suspicious Processes: The following analytic detects the execution of suspicious processes on systems identified as web servers. It leverages the Splunk data model "Endpoint.Processes" to search for specific process names such as "whoami", "ping", "iptables", "wget", "service", and "curl". This activity is significant because these processes are often used by attackers for reconnaissance, persistence, or data exfiltration. If confirmed malicious, this could lead to data theft, deployment of additional malware, or even ransomware attacks. Immediate investigation is required to determine the legitimacy of the activity and mitigate potential threats.
- Windows Account Access Removal via Logoff Exec: The following analytic detects the process of logging off a user through the use of the quser and logoff commands. By monitoring for these commands, the analytic identifies actions where a user session is forcibly terminated, which could be part of an administrative task or a potentially unauthorized access attempt. This detection helps identify potential misuse or malicious activity where a user’s access is revoked without proper authorization, providing insight into potential security incidents involving account management or session manipulation.
- Windows Browser Process Launched with Unusual Flags: The following analytic detects the use of unusual browser flags, specifically --mute-audio and --do-not-elevate, which deviate from standard browser launch behavior. These flags may indicate automated scripts, testing environments, or attempts to modify browser functionality for silent operation or restricted privilege execution. Detection focuses on non-standard launch parameters, unexpected process behavior, or deviations from baseline configurations. Monitoring such flag usage helps identify potentially suspicious activity, misconfigurations, or policy violations, enabling security teams to investigate anomalies, ensure system compliance, and differentiate legitimate administrative or testing uses from unusual or unauthorized operations.
- Windows ComputerDefaults Spawning a Process: The following analytic detects the spawning of ComputerDefaults.exe, a Windows system process used to manage default application associations. While normally legitimate, this process can be exploited by attackers to bypass User Account Control (UAC) and execute unauthorized code with elevated privileges. Detection focuses on abnormal execution patterns, unusual parent-child process relationships, or deviations from standard paths. Such behavior may indicate attempts to modify system defaults or run malicious scripts undetected. Monitoring ComputerDefaults.exe is critical to identify potential security threats, prevent privilege escalation, and maintain system integrity by distinguishing normal operations from suspicious activity.
- Windows Credential Target Information Structure in Commandline: Detects DNS-based Kerberos coercion attacks where adversaries inject marshaled credential structures into DNS records to spoof SPNs and redirect authentication, such as in CVE-2025-33073. This detection leverages process creation events looking for specific CREDENTIAL_TARGET_INFORMATION structures.
- Windows Default Rdp File Unhidden: This detection identifies the use of attrib.exe to remove hidden (-h) or system (-s) attributes from the Default.rdp file, which is automatically created in a user's Documents folder when a Remote Desktop Protocol (RDP) session is initiated using mstsc.exe. The Default.rdp file stores session configuration details such as the remote host address and screen settings. Unhiding this file is uncommon in normal user behavior and may indicate that an attacker or red team operator is attempting to access or manipulate RDP connection history that was previously hidden—either by default or as part of an earlier anti-forensics effort. This activity may represent part of a broader pattern of reconnaissance or staging for credential reuse, lateral movement, or forensic analysis evasion. Monitoring for this behavior can help uncover suspicious manipulation of user artifacts and highlight interactive attacker activity on a compromised host.
- Windows Disable or Stop Browser Process: The following analytic detects the use of the taskkill command in a process command line to terminate several known browser processes, a technique commonly employed by the Braodo stealer malware to steal credentials. By forcefully closing browsers like Chrome, Edge, and Firefox, the malware can unlock files that store sensitive information, such as passwords and login data. This detection focuses on identifying taskkill commands targeting these browsers, signaling malicious intent. Early detection allows security teams to investigate and prevent further credential theft and system compromise.
- Windows Privilege Escalation Suspicious Process Elevation: The following analytic detects when a process running with low or medium integrity from a user account spawns an elevated process with high or system integrity in suspicious locations. This behavior is identified using process execution data from Windows process monitoring. This activity is significant as it may indicate a threat actor successfully elevating privileges, which is a common tactic in advanced attacks. If confirmed malicious, this could allow the attacker to execute code with higher privileges, potentially leading to full system compromise and persistent access.
- Windows Privilege Escalation System Process Without System Parent: The following analytic detects any system integrity level process spawned by a non-system account. It leverages Sysmon EventID 1, focusing on process integrity and parent user data. This behavior is significant as it often indicates successful privilege escalation to SYSTEM from a user-controlled process or service. If confirmed malicious, this activity could allow an attacker to gain full control over the system, execute arbitrary code, and potentially compromise the entire environment.
- Windows Privilege Escalation User Process Spawn System Process: The following analytic detects when a process with low, medium, or high integrity spawns a system integrity process from a user-controlled location. This behavior is indicative of privilege escalation attempts where attackers elevate their privileges to SYSTEM level from a user-controlled process or service. The detection leverages Sysmon data, specifically Event ID 15, to identify such transitions. Monitoring this activity is crucial as it can signify an attacker gaining SYSTEM-level access, potentially leading to full control over the affected system, unauthorized access to sensitive data, and further malicious activities.
- Windows RDP Client Launched with Admin Session: This detection identifies the execution of the Windows Remote Desktop Client (mstsc.exe) with the "/v" and /admin command-line arguments. The "/v" flag specifies the remote host to connect to, while the /admin flag initiates a connection to the target system’s console session, often used for administrative purposes. This combination may indicate that a user or attacker is performing privileged remote access, potentially to manage a system without disrupting existing user sessions. While such usage may be legitimate for IT administrators, it is less common in typical user behavior. Threat actors may abuse this capability during lateral movement to maintain stealthy access to high-value systems. Monitoring for this pattern can help detect interactive hands-on-keyboard activity, privilege abuse, or attempts to access critical infrastructure without leaving typical login traces associated with non-admin RDP sessions.
- Windows Renamed Powershell Execution: The following analytic identifies instances where the PowerShell executable has been renamed and executed under an alternate filename. This behavior is commonly associated with attempts to evade security controls or bypass logging mechanisms that monitor standard PowerShell usage. While rare in legitimate environments, renamed PowerShell binaries are frequently observed in malicious campaigns leveraging Living-off-the-Land Binaries (LOLBins) and fileless malware techniques. This detection flags executions of PowerShell where the process name does not match the default powershell.exe or pwsh.exe, especially when invoked from unusual paths or accompanied by suspicious command-line arguments.
- Windows Rundll32 Load DLL in Temp Dir: This detection identifies instances where rundll32.exe is used to load a DLL from a temporary directory, such as C:\Users\<User>\AppData\Local\Temp\ or C:\Windows\Temp\. While rundll32.exe is a legitimate Windows utility used to execute functions exported from DLLs, its use to load libraries from temporary locations is highly suspicious. These directories are commonly used by malware and red team tools to stage payloads or execute code in-memory without writing it to more persistent locations. This behavior often indicates defense evasion, initial access, or privilege escalation, especially when the DLL is unsigned, recently written, or executed shortly after download. In normal user workflows, DLLs are not typically loaded from Temp paths, making this a high-fidelity indicator of potentially malicious activity. Monitoring this pattern is essential for detecting threats that attempt to blend in with native system processes while bypassing traditional application controls.
- Windows UAC Bypass Suspicious Escalation Behavior: The following analytic detects when a process spawns an executable known for User Account Control (UAC) bypass exploitation and subsequently monitors for any child processes with a higher integrity level than the original process. This detection leverages Sysmon EventID 1 data, focusing on process integrity levels and known UAC bypass executables. This activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges. If confirmed malicious, the attacker could gain elevated privileges, potentially leading to further system compromise and persistent access.
Kusto Query Language #
- SUNBURST suspicious SolarWinds child processes (medium): Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor. References: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html and https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
- Audit policy manipulation using auditpol utility (medium): This detects attempts to manipulate audit policies using the auditpol command. This technique was seen in relation to the Solorigate attack, but the results can indicate potential malicious activity used in different attacks. The process name in each data source is commented out as an adversary could rename it. It is advisable to keep the process name commented out, but if the results show unrelated false positives, users may want to uncomment it. Refer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol Refer to our M365 blog for details on use during the Solorigate attack: https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
- Modification of Accessibility Features (medium): Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times, and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1] Ref: https://attack.mitre.org/techniques/T1546/008/
- Lateral Movement via DCOM (medium): This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network. Ref: http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html
- Detecting Macro Invoking ShellBrowserWindow COM Objects (medium): This query detects a macro invoking ShellBrowserWindow COM Objects to evade naive parent/child Office detection rules.
- Windows Binaries Lolbins Renamed (medium): This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. Ref: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html
References #
Event ID 2 — A process changed a file creation time
Description #
The change file creation time event is registered when a file creation time is explicitly modified by a process.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
| UtcTime | UnicodeString → string | Time in UTC when event was created |
| ProcessGuid | GUID → GUID | Process GUID of the process that changed the file creation time |
| ProcessId | UInt32 → PID | Process ID used by the OS to identify the process changing the file creation time |
| Image | UnicodeString → string | File path of the process that changed the file creation time |
| TargetFilename | UnicodeString → string | Full path name of the file |
| CreationUtcTime | UnicodeString → string | New creation time of the file |
| PreviousCreationUtcTime | UnicodeString → string | Previous creation time of the file |
| User | UnicodeString → string | Name of the account who changed the file creation time of a file |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 2,
    "version": 5,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T02:02:42.701590+00:00",
    "event_record_id": 1434553,
    "correlation": {},
    "execution": {
      "process_id": 7064,
      "thread_id": 9788
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2023-11-06 02:02:42.686",
    "ProcessGuid": "E56ADA26-1A27-6548-3001-000000000D00",
    "ProcessId": 876,
    "Image": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\119.0.2151.44\\msedgewebview2.exe",
    "TargetFilename": "C:\\Users\\User\\AppData\\Local\\Packages\\MicrosoftWindows.Client.WebExperience_cw5n1h2txyewy\\LocalState\\EBWebView\\297786f0-3fab-4719-b257-7269fed79fdf.tmp",
    "CreationUtcTime": "2023-11-05 22:37:47.033",
    "PreviousCreationUtcTime": "2023-11-06 02:02:42.686",
    "User": "WINDEV2310EVAL\\User"
  },
  "message": ""
}
```
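The sample above shows why this event cannot be alerted on as-is: a WebView2 process moved a cache file's creation time back by a few hours, which is ordinary application behaviour (browsers, installers and archive tools routinely preserve an original timestamp). A usable check scopes to executable files in system directories and to a meaningful backdating, which is the shape of the Elastic timestomp rule listed under Detection Rules below. The Python below is an added example, not code from this page, Sysmon or Elastic; the first dictionary is a constructed copy of the event_data above, the second is a constructed backdated-DLL case with a hypothetical path and times, and the suffix and directory tuples are assumptions for the example.

```python
from datetime import datetime, timedelta
from typing import Optional

# Sysmon writes UtcTime-style fields as 'YYYY-MM-DD HH:MM:SS.mmm'.
SYSMON_TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed copy of the Event ID 2 event_data shown above.
SAMPLE_EVENT_DATA = {
    "Image": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\119.0.2151.44\\msedgewebview2.exe",
    "TargetFilename": "C:\\Users\\User\\AppData\\Local\\Packages\\MicrosoftWindows.Client.WebExperience_cw5n1h2txyewy\\LocalState\\EBWebView\\297786f0-3fab-4719-b257-7269fed79fdf.tmp",
    "CreationUtcTime": "2023-11-05 22:37:47.033",
    "PreviousCreationUtcTime": "2023-11-06 02:02:42.686",
}

# Constructed event modelled on the Elastic rule description: an executable in
# a system directory whose creation time is pushed years into the past.
# Image, target path and times are hypothetical placeholders.
SUSPECT_EVENT_DATA = {
    "Image": "C:\\Users\\User\\AppData\\Local\\Temp\\tool.exe",
    "TargetFilename": "C:\\Windows\\System32\\example_constructed.dll",
    "CreationUtcTime": "2019-03-19 04:37:22.000",
    "PreviousCreationUtcTime": "2023-11-06 02:05:00.000",
}

# Scope of the check. Both tuples are assumptions for this example, not values
# taken from Sysmon or from the Elastic rule.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".ocx")
SENSITIVE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_sysmon_time(value: str) -> datetime:
    """Parse a Sysmon UTC timestamp string into a naive UTC datetime."""
    return datetime.strptime(value, SYSMON_TIME_FMT)


def creation_time_shift(event_data: dict) -> timedelta:
    """Positive when the creation time was moved into the past."""
    new = parse_sysmon_time(event_data["CreationUtcTime"])
    old = parse_sysmon_time(event_data["PreviousCreationUtcTime"])
    return old - new


def is_potential_timestomp(event_data: dict,
                           min_backdate: timedelta = timedelta(days=1)) -> bool:
    """Executable in a sensitive directory whose creation time was backdated
    by at least min_backdate. The narrow scope keeps application cache files
    such as the sample above out of the results."""
    target = event_data.get("TargetFilename", "").lower()
    if not target.endswith(EXECUTABLE_SUFFIXES):
        return False
    if not target.startswith(SENSITIVE_DIRS):
        return False
    return creation_time_shift(event_data) >= min_backdate


def describe(event_data: dict) -> Optional[str]:
    """One-line finding for a matching event, or None when nothing matches."""
    if not is_potential_timestomp(event_data):
        return None
    shift = creation_time_shift(event_data)
    return (f"{event_data['Image']} backdated {event_data['TargetFilename']} "
            f"by {shift.days} days")


if __name__ == "__main__":
    for ev in (SAMPLE_EVENT_DATA, SUSPECT_EVENT_DATA):
        print(creation_time_shift(ev), describe(ev))
```

A creation time moved forward, or back by less than min_backdate, is deliberately ignored; what the technique tries to achieve is a file that looks as old as its neighbours, so the check is on backdating only.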
Detection Rules #
Sigma #
- Unusual File Modification by dns.exe (high): Detects an unexpected file being modified by dns.exe, which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed).
Elastic #
- Potential Timestomp in Executable Files (medium): Identifies the modification of a file creation time for executable files in sensitive system directories. Adversaries may modify file time attributes to blend malicious executables with legitimate system files. Timestomping is a technique that modifies the timestamps of a file, often to mimic files that are in trusted directories.
References #
Event ID 3 — Network connection
Description #
The network connection event logs TCP/UDP connections on the machine.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
| UtcTime | UnicodeString → string | Time in UTC when event was created |
| ProcessGuid | GUID → GUID | Process GUID of the process that made the network connection |
| ProcessId | UInt32 → PID | Process ID used by the OS to identify the process that made the network connection |
| Image | UnicodeString → string | File path of the process that made the network connection |
| User | UnicodeString → string | Name of the account who made the network connection. It usually contains domain name and user name |
| Protocol | UnicodeString → string | Protocol being used for the network connection |
| Initiated | Boolean → boolean | Indicates whether the process initiated the TCP connection |
| SourceIsIpv6 | Boolean → boolean | Is the source IP an IPv6 |
| SourceIp | UnicodeString → string | Source IP address that made the network connection |
| SourceHostname | UnicodeString → string | Name of the host that made the network connection |
| SourcePort | UInt16 → unsignedShort | Source port number |
| SourcePortName | UnicodeString → string | Name of the source port being used (i.e. netbios-dgm) |
| DestinationIsIpv6 | Boolean → boolean | Is the destination IP an IPv6 |
| DestinationIp | UnicodeString → string | Destination IP address |
| DestinationHostname | UnicodeString → string | Name of the host that received the network connection |
| DestinationPort | UInt16 → unsignedShort | Destination port number |
| DestinationPortName | UnicodeString → string | Name of the destination port |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 3,
"version": 5,
"level": 4,
"task": 3,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T02:03:45.514949+00:00",
"event_record_id": 1437449,
"correlation": {},
"execution": {
"process_id": 7064,
"thread_id": 10068
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2023-11-06 02:03:43.450",
"ProcessGuid": "E56ADA26-45B9-6548-970A-000000000D00",
"ProcessId": 13296,
"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
"User": "WINDEV2310EVAL\\User",
"Protocol": "udp",
"Initiated": true,
"SourceIsIpv6": false,
"SourceIp": "192.168.92.128",
"SourceHostname": "-",
"SourcePort": 60161,
"SourcePortName": "-",
"DestinationIsIpv6": false,
"DestinationIp": "239.255.255.250",
"DestinationHostname": "-",
"DestinationPort": 1900,
"DestinationPortName": "-"
},
"message": ""
}
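As an added example that is not part of this reference page, the following Python triage function reads Event ID 3 records shaped like the one above and flags outbound (Initiated) connections to public addresses from processes that are neither browsers nor expected to reach the Internet, the same combination the Regasm/Regsvcs analytics listed below alert on. The browser allowlist, the watched-binary set and the sample records are constructed for this example; 8.8.8.8 is used only as a stand-in for any public address.

```python
import ipaddress
from pathlib import PureWindowsPath

# Hypothetical allowlist of processes expected to reach public addresses
# directly; tune it per environment (example values, not from the page).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}
# .NET utilities that rarely need network access; the Splunk Regasm/Regsvcs
# analytics on this page alert on exactly this combination.
WATCHED_LOLBAS = {"regasm.exe", "regsvcs.exe"}


def is_public_destination(ip_text):
    """True only for globally routable unicast addresses. Private, loopback,
    link-local, multicast and reserved ranges are treated as non-public."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:          # "-" or a malformed DestinationIp
        return False
    if ip.is_multicast or ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
        return False
    return ip.is_global


def triage_network_event(event):
    """Examine one Sysmon Event ID 3 record (dict shaped like the example
    above) and return a finding dict, or None when nothing stands out."""
    if event.get("system", {}).get("event_id") != 3:
        return None
    data = event.get("event_data", {})
    if not data.get("Initiated"):
        return None             # inbound accept, not an outbound connection
    if not is_public_destination(data.get("DestinationIp", "")):
        return None             # LAN, loopback, multicast (e.g. SSDP above), etc.
    image = PureWindowsPath(data.get("Image", "")).name.lower()
    if image in WATCHED_LOLBAS:
        reason = "lolbas_to_public_ip"
    elif image not in BROWSER_IMAGES:
        reason = "non_browser_to_public_ip"
    else:
        return None
    return {
        "reason": reason,
        "image": image,
        "user": data.get("User"),
        "destination": f"{data['DestinationIp']}:{data.get('DestinationPort')}",
        "protocol": data.get("Protocol"),
        "utc_time": data.get("UtcTime"),
    }


def triage_network_events(events):
    """Run triage over an iterable of records and keep only the findings."""
    return [f for f in (triage_network_event(e) for e in events) if f]


def _ev(image, dest_ip, dest_port, proto="tcp", initiated=True, user="WINDEV2310EVAL\\User"):
    """Build a constructed Event ID 3 record carrying the fields triage uses."""
    return {
        "system": {"provider": "Microsoft-Windows-Sysmon", "event_id": 3},
        "event_data": {
            "RuleName": "-", "UtcTime": "2023-11-06 02:03:43.450",
            "Image": image, "User": user, "Protocol": proto,
            "Initiated": initiated, "DestinationIp": dest_ip,
            "DestinationPort": dest_port,
        },
    }


# Constructed sample records (not real telemetry). The first mirrors the SSDP
# multicast example event above; the Temp-directory binary is hypothetical.
SAMPLE_EVENTS = [
    _ev(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "239.255.255.250", 1900, "udp"),
    _ev(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "8.8.8.8", 443),
    _ev(r"C:\Windows\System32\svchost.exe", "10.0.0.5", 445, user="NT AUTHORITY\\SYSTEM"),
    _ev(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe", "8.8.8.8", 443),
    _ev(r"C:\Users\User\AppData\Local\Temp\updater.exe", "8.8.8.8", 80),
    _ev(r"C:\Users\User\AppData\Local\Temp\updater.exe", "8.8.8.8", 80, initiated=False),
]

if __name__ == "__main__":
    for finding in triage_network_events(SAMPLE_EVENTS):
        print(finding)
```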
Detection Patterns #
- No Command Line: 6 rules (Splunk)
- Asim Network Session Schema: 5 rules (Kusto Query Language)
- Command & Control: Application Layer Protocol: 2 rules (1 rule in Kusto Query Language)
- Collection: Data from Local System: 1 rule (Kusto Query Language)
Detection Rules #
Sigma #
- Network Connection Initiated By AddinUtil.EXE (high): Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate potential command and control communication, as this tool doesn't usually initiate network activity.
- Uncommon Connection to Active Directory Web Services (medium): Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
- Uncommon Network Connection Initiated By Certutil.EXE (high): Detects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads.
- Outbound Network Connection Initiated By Cmstp.EXE (high): Detects a network connection initiated by Cmstp.EXE. It is uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
- Outbound Network Connection Initiated By Microsoft Dialer (high): Detects an outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer. This is an outdated process in the current context of its usage and is a common target for info stealers for process injection, and is used to make C2 connections; a common example is "Rhadamanthys".
- Network Connection Initiated To AzureWebsites.NET By Non-Browser Process (medium): Detects a network connection initiated by a non-browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
- Network Connection Initiated To BTunnels Domains (medium): Detects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
- Network Connection Initiated To Cloudflared Tunnels Domains (medium): Detects network connections to Cloudflared tunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
- Network Communication With Crypto Mining Pool (high): Detects initiated network connections to crypto mining pools
- New Connection Initiated To Potential Dead Drop Resolver Domain (high): Detects an executable, which is not an internet browser or known application, initiating network connections to legitimate popular websites that were seen to be used as dead drop resolvers in previous attacks. In this context attackers leverage known websites such as "facebook", "youtube", etc. in order to pass through undetected.
- Network Connection Initiated To DevTunnels Domain (medium): Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
- Suspicious Dropbox API Usage (high): Detects an executable that isn't Dropbox but communicates with the Dropbox API
- Suspicious Network Connection to IP Lookup Service APIs (medium): Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post-compromise internet test activity.
- Suspicious Non-Browser Network Communication With Google API (medium): Detects a non-browser process interacting with the Google API, which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
- Communication To LocaltoNet Tunneling Service Initiated (high): Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
- Network Connection Initiated To Mega.nz (low): Detects a network connection initiated by a binary to "api.mega.co.nz". Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
- Process Initiated Network Connection To Ngrok Domain (high): Detects an executable initiating a network connection to "ngrok" domains. Attackers were seen using "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download.
- Communication To Ngrok Tunneling Service Initiated (high): Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download.
- Potentially Suspicious Network Connection To Notion API (low): Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
- Network Communication Initiated To Portmap.IO Domain (medium): Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors
Splunk #
- Detect Regasm with Network Connection: The following analytic detects the execution of regasm.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon EventID 3 logs to identify such behavior. This activity is significant as regasm.exe is a legitimate Microsoft-signed binary that can be exploited to bypass application control mechanisms. If confirmed malicious, this behavior could indicate an adversary's attempt to establish a remote Command and Control (C2) channel, potentially leading to privilege escalation and further malicious actions within the environment.
- Detect Regsvcs with Network Connection: The following analytic identifies instances of Regsvcs.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon EventID 3 logs to monitor network connections initiated by Regsvcs.exe. This activity is significant as Regsvcs.exe, a legitimate Microsoft-signed binary, can be exploited to bypass application control mechanisms and establish remote Command and Control (C2) channels. If confirmed malicious, this behavior could allow an attacker to escalate privileges, persist in the environment, and exfiltrate sensitive data. Immediate investigation and remediation are recommended.
- LOLBAS With Network Traffic: The following analytic identifies the use of Living Off the Land Binaries and Scripts (LOLBAS) with network traffic. It leverages data from the Network Traffic data model to detect when native Windows binaries, often abused by adversaries, initiate network connections. This activity is significant as LOLBAS are frequently used to download malicious payloads, enabling lateral movement, command-and-control, or data exfiltration. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to organizational security.
- Network Traffic to Active Directory Web Services Protocol: The following analytic identifies network traffic directed to the Active Directory Web Services Protocol (ADWS) on port 9389. It leverages network traffic logs, focusing on source and destination IP addresses, application names, and destination ports. This activity is significant as ADWS is used to manage Active Directory, and unauthorized access could indicate malicious intent. If confirmed malicious, an attacker could manipulate Active Directory, potentially leading to privilege escalation, unauthorized access, or persistent control over the environment.
- Windows Detect Network Scanner Behavior: The following analytic detects when an application is used to connect to a large number of unique ports/targets within a short time frame. Network enumeration may be used by adversaries as a method of discovery, lateral movement, or remote execution. This analytic may require significant tuning depending on the organization and the applications being actively used; it is highly recommended to pre-populate the filter macro prior to activation.
- Windows File Transfer Protocol In Non-Common Process Path: The following analytic detects FTP connections initiated by processes located in non-standard installation paths on Windows systems. It leverages Sysmon EventCode 3 to identify network connections where the process image path does not match common directories like "Program Files" or "Windows\System32". This activity is significant as FTP is often used by adversaries and malware, such as AgentTesla, for Command and Control (C2) communications to exfiltrate stolen data. If confirmed malicious, this could lead to unauthorized data transfer, exposing sensitive information and compromising the integrity of the affected host.
- Windows Mail Protocol In Non-Common Process Path: The following analytic detects a Windows application establishing an SMTP connection from a non-common installation path. It leverages Sysmon EventCode 3 to identify processes not typically associated with email clients (e.g., Thunderbird, Outlook) making SMTP connections. This activity is significant as adversaries, including malware like AgentTesla, use such connections for Command and Control (C2) communication to exfiltrate stolen data. If confirmed malicious, this behavior could lead to unauthorized data exfiltration, including sensitive information like desktop screenshots, browser data, and system details, compromising the affected host.
- Windows Suspect Process With Authentication Traffic: The following analytic detects executables running from public or temporary locations that are communicating over Windows domain authentication ports/protocols such as LDAP (389), LDAPS (636), and Kerberos (88). It leverages network traffic data to identify processes originating from user-controlled directories. This activity is significant because legitimate applications rarely run from these locations and attempt domain authentication, making it a potential indicator of compromise. If confirmed malicious, attackers could leverage this to access domain resources, potentially leading to further exploitation and lateral movement within the network.
- Windows Remote Desktop Network Bruteforce Attempt: The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. This query detects potential RDP brute force attacks by identifying source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window. The results are presented in a table that includes the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempts, helping to prioritize IPs based on the intensity of activity.
Kusto Query Language #
- Zinc Actor IOCs files - October 2022 (high): Identifies a match across filename and command-line IOCs related to an actor tracked by Microsoft as Zinc. Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
References #
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-3-network-connection
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-3.yml
- NSA/CISA - Best Practices for Event Logging https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection
Event ID 4 — Sysmon service state changed
#Description
The service state change event reports the state of the Sysmon service (started or stopped).
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| UtcTime | UnicodeString → string | Time in UTC when event was created |
| State | UnicodeString → string | Sysmon service state (i.e. stopped) |
| Version | UnicodeString → string | Sysmon version |
| SchemaVersion | UnicodeString → string | Sysmon config schema version |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 4,
"version": 3,
"level": 4,
"task": 4,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-05T22:52:28.220847+00:00",
"event_record_id": 2,
"correlation": {},
"execution": {
"process_id": 7064,
"thread_id": 9788
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"UtcTime": "2023-11-05 22:52:28.214",
"State": "Started",
"Version": "15.0",
"SchemaVersion": "4.90"
},
"message": ""
}
Detection Patterns #
- Defense Evasion: Hide Artifacts: 1 rule
References #
Event ID 5 — Process terminated
#Description
The process terminate event reports when a process terminates.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
| UtcTime | UnicodeString → string | Time in UTC when event was created |
| ProcessGuid | GUID → GUID | Process GUID of the process that terminated |
| ProcessId | UInt32 → PID | Process ID used by the OS to identify the process that terminated |
| Image | UnicodeString → string | File path of the process that terminated |
| User | UnicodeString → string | Name of the account that terminated the process |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 5,
"version": 3,
"level": 4,
"task": 5,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T02:04:26.566815+00:00",
"event_record_id": 1441121,
"correlation": {},
"execution": {
"process_id": 7064,
"thread_id": 9788
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2023-11-06 02:04:26.536",
"ProcessGuid": "E56ADA26-37A6-6548-5107-000000000D00",
"ProcessId": 16164,
"Image": "C:\\Windows\\System32\\svchost.exe",
"User": "NT AUTHORITY\\SYSTEM"
},
"message": ""
}
Detection Patterns #
- Normalized Process Events: 7 rules (Kusto Query Language)
Detection Rules #
Splunk #
- High Process Termination Frequency: The following analytic identifies a high frequency of process termination events on a computer within a short period. It leverages Sysmon EventCode 5 logs to detect instances where 15 or more processes are terminated within a 3-second window. This behavior is significant as it is commonly associated with ransomware attempting to avoid exceptions during file encryption. If confirmed malicious, this activity could indicate an active ransomware attack, potentially leading to widespread file encryption and significant data loss.
- Windows Processes Killed By Industroyer2 Malware: The following analytic detects the termination of specific processes by the Industroyer2 malware. It leverages Sysmon EventCode 5 to identify when processes like "PServiceControl.exe" and "PService_PPD.exe" are killed. This activity is significant as it targets processes related to energy facility networks, indicating a potential attack on critical infrastructure. If confirmed malicious, this could lead to disruption of essential services, loss of control over energy systems, and significant operational impact. Immediate investigation is required to determine the cause and mitigate any potential threats.
References #
Event ID 6 — Driver loaded
#Description
The driver loaded event provides information about a driver being loaded on the system.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
| UtcTime | UnicodeString → string | Time in UTC when event was created |
| ImageLoaded | UnicodeString → string | Full path of the driver loaded |
| Hashes | UnicodeString → string | Hashes captured by Sysmon driver |
| Signed | UnicodeString → string | Whether the loaded driver is signed |
| Signature | UnicodeString → string | The signer |
| SignatureStatus | UnicodeString → string | Status of the signature (i.e. valid) |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 6,
"version": 4,
"level": 4,
"task": 6,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T01:39:25.765471+00:00",
"event_record_id": 1323548,
"correlation": {},
"execution": {
"process_id": 7064,
"thread_id": 10072
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2023-11-06 01:39:25.719",
"ImageLoaded": "C:\\Windows\\System32\\drivers\\PROCMON24.SYS",
"Hashes": "SHA1=3886A86F350B056EFC662C893326206FE884CCD9,MD5=CBAED2F7F40A71A0F65CA1D7599CA530,SHA256=650B91475689539B99DB6499E3DF2C300AD15A0C70BB33F9470C8401E3248A45,IMPHASH=8477C11BEB2E153801A537EA17631A52",
"Signed": "true",
"Signature": "Microsoft Windows Hardware Compatibility Publisher",
"SignatureStatus": "Valid"
},
"message": ""
}
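As an added example that is not part of this reference page, the following Python snippet parses the comma-separated Hashes field (Event ID 7 image loads use the same ALG=hex format) and applies three of the checks the rules below describe: signature state, a load from a temporary directory, and a SHA256 block list. The temp-directory markers, the block list entry and the two extra sample records are constructed placeholders; the first sample reuses the PROCMON24.SYS event shown above.

```python
# Path fragments that legitimate drivers are not installed from (lower-case,
# compared against the lower-cased ImageLoaded path). Hypothetical list.
TEMP_DIR_MARKERS = ("\\temp\\", "\\tmp\\")

# Constructed placeholder block list keyed by lower-case SHA256. In practice
# this would be fed from a curated vulnerable/malicious driver list; the
# value here is NOT a real driver hash.
KNOWN_BAD_SHA256 = {
    "0" * 64: "PLACEHOLDER vulnerable driver entry",
}


def parse_hashes(hashes_field):
    """Turn Sysmon's 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..' string into a dict
    of {ALGORITHM: lower-case hex}. Malformed parts are skipped."""
    parsed = {}
    for part in hashes_field.split(","):
        alg, sep, value = part.partition("=")
        if sep and alg.strip() and value.strip():
            parsed[alg.strip().upper()] = value.strip().lower()
    return parsed


def triage_driver_load(event):
    """Return the list of reasons an Event ID 6 record deserves a look;
    an empty list means none of the checks fired."""
    data = event.get("event_data", {})
    path = data.get("ImageLoaded", "")
    hashes = parse_hashes(data.get("Hashes", ""))
    reasons = []

    # Sysmon reports Signed/SignatureStatus as strings, as in the event above.
    signed = data.get("Signed", "").lower() == "true"
    valid = data.get("SignatureStatus", "").lower() == "valid"
    if not (signed and valid):
        reasons.append("unsigned_or_invalid_signature")

    lowered = path.lower()
    if any(marker in lowered for marker in TEMP_DIR_MARKERS):
        reasons.append("loaded_from_temp_directory")

    sha256 = hashes.get("SHA256")
    if sha256 in KNOWN_BAD_SHA256:
        reasons.append("blocklisted_hash:" + KNOWN_BAD_SHA256[sha256])
    elif sha256 is None:
        reasons.append("no_sha256_in_hashes_field")  # cannot match a block list

    return reasons


# Sample records: the first is the PROCMON24.SYS event from this page; the
# other two are constructed (paths, publisher names and hashes are placeholders).
SAMPLE_EVENTS = [
    {"event_data": {
        "ImageLoaded": r"C:\Windows\System32\drivers\PROCMON24.SYS",
        "Hashes": "SHA1=3886A86F350B056EFC662C893326206FE884CCD9,MD5=CBAED2F7F40A71A0F65CA1D7599CA530,"
                  "SHA256=650B91475689539B99DB6499E3DF2C300AD15A0C70BB33F9470C8401E3248A45,"
                  "IMPHASH=8477C11BEB2E153801A537EA17631A52",
        "Signed": "true", "Signature": "Microsoft Windows Hardware Compatibility Publisher",
        "SignatureStatus": "Valid"}},
    {"event_data": {
        "ImageLoaded": r"C:\Users\User\AppData\Local\Temp\example.sys",
        "Hashes": "SHA256=" + "1" * 64,
        "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"}},
    {"event_data": {
        "ImageLoaded": r"C:\Windows\System32\drivers\example2.sys",
        "Hashes": "MD5=" + "a" * 32 + ",SHA256=" + "0" * 64,
        "Signed": "true", "Signature": "Example Publisher", "SignatureStatus": "Valid"}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["event_data"]["ImageLoaded"], "->", triage_driver_load(ev) or "ok")
```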
Detection Rules #
Sigma #
- Malicious Driver Load (high): Detects loading of known malicious drivers via their hash.
- Malicious Driver Load By Name (medium): Detects loading of known malicious drivers via the file name of the drivers.
- PUA - Process Hacker Driver Load (high): Detects driver load of the Process Hacker tool
- PUA - System Informer Driver Load (medium): Detects driver load of the System Informer tool
- Driver Load From A Temporary Directory (high): Detects a driver load from a temporary directory
- Vulnerable Driver Load (high): Detects loading of known vulnerable drivers via their hash.
- Vulnerable Driver Load By Name (low): Detects the load of known vulnerable drivers via the file name of the drivers.
- Vulnerable HackSys Extreme Vulnerable Driver Load (high): Detects the load of HackSys Extreme Vulnerable Driver, an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at kernel level, which is often abused by threat actors
- Vulnerable WinRing0 Driver Load (high): Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation
- WinDivert Driver Load (high): Detects the load of the WinDivert driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
Splunk #
- Windows Drivers Loaded by Signature: The following analytic identifies all drivers being loaded on Windows systems using Sysmon EventCode 6 (Driver Load). It leverages fields such as driver path, signature status, and hash to detect potentially suspicious drivers. This activity is significant for a SOC as malicious drivers can be used to gain kernel-level access, bypass security controls, or persist in the environment. If confirmed malicious, this activity could allow an attacker to execute arbitrary code with high privileges, leading to severe system compromise and potential data exfiltration.
- Windows Suspicious Driver Loaded Path: The following analytic detects the loading of drivers from suspicious paths, which is a technique often used by malicious software such as coin miners (e.g., xmrig). It leverages Sysmon EventCode 6 to identify drivers loaded from non-standard directories. This activity is significant because legitimate drivers typically reside in specific system directories, and deviations may indicate malicious activity. If confirmed malicious, this could allow an attacker to execute code at the kernel level, potentially leading to privilege escalation, persistence, or further system compromise.
- Windows Vulnerable Driver Loaded: The following analytic detects the loading of known vulnerable Windows drivers, which may indicate potential persistence or privilege escalation attempts. It leverages Sysmon EventCode 6 to identify driver loading events and cross-references them with a list of vulnerable drivers. This activity is significant as attackers often exploit vulnerable drivers to gain elevated privileges or maintain persistence on a system. If confirmed malicious, this could allow attackers to execute arbitrary code with high privileges, leading to further system compromise and potential data exfiltration.
- XMRIG Driver Loaded: The following analytic detects the installation of the XMRIG coinminer driver on a system. It identifies the loading of the `WinRing0x64.sys` driver, commonly associated with XMRIG, by analyzing Sysmon EventCode 6 logs for specific signatures and image loads. This activity is significant because XMRIG is an open-source CPU miner frequently exploited by adversaries to mine cryptocurrency illicitly. If confirmed malicious, this activity could lead to unauthorized resource consumption, degraded system performance, and potential financial loss due to unauthorized cryptocurrency mining.
References #
Event ID 7 — Image loaded
#Description
The image loaded event logs when a module is loaded in a specific process.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
| UtcTime | UnicodeString → string | Time in UTC when event was created |
| ProcessGuid | GUID → GUID | Process GUID of the process that loaded the image |
| ProcessId | UInt32 → PID | Process ID used by the OS to identify the process that loaded the image |
| Image | UnicodeString → string | File path of the process that loaded the image |
| ImageLoaded | UnicodeString → string | Full path of the image loaded |
| FileVersion | UnicodeString → string | Version of the image loaded |
| Description | UnicodeString → string | Description of the image loaded |
| Product | UnicodeString → string | Product name that the loaded image belongs to |
| Company | UnicodeString → string | Company name that the loaded image belongs to |
| OriginalFileName | UnicodeString → string | Original file name from the PE header, useful for detecting renamed modules |
| Hashes | UnicodeString → string | Hash of the file contents using the algorithms specified in the HashType field |
| Signed | UnicodeString → string | Whether the loaded image is signed |
| Signature | UnicodeString → string | The signer |
| SignatureStatus | UnicodeString → string | Status of the signature (i.e. valid) |
| User | UnicodeString → string | Name of the account that loaded the image |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 7,
"version": 3,
"level": 4,
"task": 7,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T02:04:20.308288+00:00",
"event_record_id": 1440307,
"correlation": {},
"execution": {
"process_id": 7064,
"thread_id": 9788
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2023-11-06 02:04:20.300",
"ProcessGuid": "E56ADA26-3995-6548-3608-000000000D00",
"ProcessId": 16148,
"Image": "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamtray.exe",
"ImageLoaded": "C:\\Windows\\System32\\mobilenetworking.dll",
"FileVersion": "10.0.22621.1 (WinBuild.160101.0800)",
"Description": "\"MobileNetworking.DYNLINK\"",
"Product": "Microsoft® Windows® Operating System",
"Company": "Microsoft Corporation",
"OriginalFileName": "\"MobileNetworking.DYNLINK\"",
"Hashes": "SHA1=260C4C8799D0D4EF4074123DCB0F6CC1BAB8E398,MD5=86DC2DC65542D41C6DAEE47B12CAAF25,SHA256=B75EF0D9BE5C111341DAB495301C5939495487C2A76EB2EC1D1EAC393E6EFC5E,IMPHASH=839E809555F97D103A3AF38B8133172A",
"Signed": "true",
"Signature": "Microsoft Windows",
"SignatureStatus": "Valid",
"User": "WINDEV2310EVAL\\User"
},
"message": ""
}
Detection Patterns #
- Defense Evasion: Regsvr32: 1 rule (Kusto Query Language)
- Execution: Exploitation for Client Execution: 1 rule
- Execution: User Execution: 1 rule (Kusto Query Language)
- Persistence: Create or Modify System Process: 1 rule (Kusto Query Language)
Community Notes #
Image loaded. Generated when a process loads a DLL into memory, e.g. side-loading.
Detection Rules #
Sigma #
- Clfs.SYS Loaded By Process Located In a Potential Suspicious Location (medium): Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVE exploits that target the Common Log File System (CLFS).
- DLL Loaded From Suspicious Location Via Cmspt.EXE (high): Detects cmstp loading "dll" or "ocx" files from suspicious locations
- Amsi.DLL Loaded Via LOLBIN Process (medium): Detects loading of "Amsi.dll" by a living-off-the-land process. This could be an indication of a "PowerShell without PowerShell" attack
- Potential Azure Browser SSO Abuse (low): Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
- Suspicious Renamed Comsvcs DLL Loaded By Rundll32 (high): Detects rundll32 loading a renamed comsvcs.dll to dump process memory
- CredUI.DLL Loaded By Uncommon Process (medium): Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
- Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded (high): Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, the SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
- PCRE.NET Package Image Load (high): Detects processes loading modules related to the PCRE.NET package
- Load Of RstrtMgr.DLL By A Suspicious Process (high): Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes.
- Load Of RstrtMgr.DLL By An Uncommon Process (low): Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes.
- Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE (high): Detects both the CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting the msdt.exe binary to load the "sdiageng.dll" library
- PowerShell Core DLL Loaded By Non PowerShell Process (medium): Detects loading of essential DLLs used by PowerShell by a non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.
- Time Travel Debugging Utility Usage - Image (high): Detects usage of the Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
- Unsigned .node File Loaded (medium): Detects the loading of unsigned .node files. Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack. .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code. This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.
- Suspicious Volume Shadow Copy VSS_PS.dll Load (high): Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes. It is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts. The fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity.
- Suspicious Volume Shadow Copy Vssapi.dll Load (high): Detects the image load of VSS DLL by uncommon executables
- Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load (medium): Detects the image load of VSS DLL by uncommon executables
- HackTool - SharpEvtMute DLL Load (high): Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs
- HackTool - SILENTTRINITY Stager DLL Load (high): Detects SILENTTRINITY stager DLL loading activity
- Potential DCOM InternetExplorer.Application DLL Hijack - Image Load (critical): Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
Elastic # view in reference
- Potential Credential Access via Renamed COM+ Services DLL source high: Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.
Splunk # view in reference
- CMLUA Or CMSTPLUA UAC Bypass source: The following analytic detects the use of COM objects like CMLUA or CMSTPLUA to bypass User Account Control (UAC). It leverages Sysmon EventCode 7 to identify the loading of specific DLLs (CMLUA.dll, CMSTPLUA.dll, CMLUAUTIL.dll) by processes not typically associated with these libraries. This activity is significant as it indicates an attempt to gain elevated privileges, a common tactic used by ransomware adversaries. If confirmed malicious, this could allow attackers to execute code with administrative rights, leading to potential system compromise and further malicious activities.
- Loading Of Dynwrapx Module source: The following analytic detects the loading of the dynwrapx.dll module, which is associated with the DynamicWrapperX ActiveX component. This detection leverages Sysmon EventCode 7 to identify processes that load or register dynwrapx.dll. This activity is significant because DynamicWrapperX can be used to call Windows API functions in scripts, making it a potential tool for malicious actions. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence on the host. Immediate investigation of parallel processes and registry modifications is recommended.
- MS Scripting Process Loading Ldap Module source: The following analytic detects the execution of MS scripting processes (wscript.exe or cscript.exe) loading LDAP-related modules (Wldap32.dll, adsldp.dll, adsldpc.dll). It leverages Sysmon EventCode 7 to identify these specific DLL loads. This activity is significant as it may indicate an attempt to query LDAP for host information, a behavior observed in FIN7 implants. If confirmed malicious, this could allow attackers to gather detailed Active Directory information, potentially leading to further exploitation or data exfiltration.
- MS Scripting Process Loading WMI Module source: The following analytic detects the loading of WMI modules by Microsoft scripting processes like wscript.exe or cscript.exe. It leverages Sysmon EventCode 7 to identify instances where these scripting engines load specific WMI-related DLLs. This activity is significant because it can indicate the presence of malware, such as the FIN7 implant, which uses JavaScript to execute WMI queries for gathering host information to send to a C2 server. If confirmed malicious, this behavior could allow attackers to collect sensitive system information and maintain persistence within the environment.
- MSI Module Loaded by Non-System Binary source: The following analytic detects the loading of `msi.dll` by a binary not located in `system32`, `syswow64`, `winsxs`, or `windows` directories. This is identified using Sysmon EventCode 7, which logs DLL loads, and filters out legitimate system paths. This activity is significant as it may indicate exploitation of CVE-2021-41379 or DLL side-loading attacks, both of which can lead to unauthorized system modifications. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or persist within the environment.
- Spoolsv Suspicious Loaded Modules source: The following analytic detects the suspicious loading of DLLs by spoolsv.exe, potentially indicating PrintNightmare exploitation. It leverages Sysmon EventCode 7 to identify instances where spoolsv.exe loads multiple DLLs from the Windows System32 spool drivers x64 directory. This activity is significant as it may signify an attacker exploiting the PrintNightmare vulnerability to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, and persistent access within the environment, posing a severe security risk.
- UAC Bypass MMC Load Unsigned Dll source: The following analytic detects the loading of an unsigned DLL by the MMC.exe application, which is indicative of a potential UAC bypass or privilege escalation attempt. It leverages Sysmon EventCode 7 to identify instances where MMC.exe loads a non-Microsoft, unsigned DLL. This activity is significant because attackers often use this technique to modify CLSID registry entries, causing MMC.exe to load malicious DLLs, thereby bypassing User Account Control (UAC) and gaining elevated privileges. If confirmed malicious, this could allow an attacker to execute arbitrary code with higher privileges, leading to further system compromise and persistence.
- UAC Bypass With Colorui COM Object source: The following analytic detects a potential UAC bypass using the colorui.dll COM Object. It leverages Sysmon EventCode 7 to identify instances where colorui.dll is loaded by a process other than colorcpl.exe, excluding common system directories. This activity is significant because UAC bypass techniques are often used by malware, such as LockBit ransomware, to gain elevated privileges without user consent. If confirmed malicious, this could allow an attacker to execute code with higher privileges, leading to further system compromise and persistence within the environment.
- Wbemprox COM Object Execution source: The following analytic detects a suspicious process loading a COM object from wbemprox.dll, fastprox.dll, or wbemcomn.dll. It leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes not typically associated with them, excluding known legitimate processes and directories. This activity is significant as it may indicate an attempt by threat actors to abuse COM objects for privilege escalation or evasion of detection mechanisms. If confirmed malicious, this could allow attackers to gain elevated privileges or maintain persistence within the environment, posing a significant security risk.
- Windows BitDefender Submission Wizard DLL Sideloading source: Detects DLL side-loading of Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe, or renamed BluetoothService.exe) when a malicious log.dll is loaded from a non-standard path via Sysmon ImageLoad events.
- Windows Credentials Access via VaultCli Module source: The following analytic detects potentially abnormal interactions with VaultCLI.dll, particularly those initiated by processes located in publicly writable Windows folder paths. The VaultCLI.dll module allows processes to extract credentials from the Windows Credential Vault. It was seen being abused by information stealers such as Meduza. The analytic monitors suspicious API calls, unauthorized credential access patterns, and anomalous process behaviors indicative of malicious activity. By leveraging a combination of signature-based detection and behavioral analysis, it effectively flags attempts to misuse the vault for credential theft, enabling swift response to protect sensitive user data and ensure system security.
- Windows DLL Module Loaded in Temp Dir source: The following analytic detects instances where a Dynamic Link Library (DLL) is loaded from a temporary directory on a Windows system. Loading DLLs from non-standard paths such as %TEMP% is uncommon for legitimate applications and is often associated with adversary tradecraft, including DLL search order hijacking, side-loading, or execution of malicious payloads staged in temporary folders. Adversaries frequently leverage these directories because they are writable by standard users and often overlooked by security controls, making them convenient locations to drop and execute malicious files. This behavior may indicate attempts to evade detection, execute unauthorized code, or maintain persistence through hijacked execution flows. Detection of DLL loads from %TEMP% can help surface early signs of compromise and should be investigated in the context of the originating process, user account, and potential file creation or modification activity within the same directory.
- Windows DLL Search Order Hijacking Hunt with Sysmon source: The following analytic identifies potential DLL search order hijacking or DLL sideloading by detecting known Windows libraries loaded from non-standard directories. It leverages Sysmon EventCode 7 to monitor DLL loads and cross-references them with a lookup of known hijackable libraries. This activity is significant as it may indicate an attempt to execute malicious code by exploiting DLL search order vulnerabilities. If confirmed malicious, this could allow attackers to gain code execution, escalate privileges, or maintain persistence within the environment.
- Windows DLL Side-Loading In Calc source: The following analytic detects the loading of the "WindowsCodecs.dll" by calc.exe from a non-standard location. This could be indicative of a potential DLL side-loading technique. This detection leverages Sysmon EventCode 7 to identify the DLL side-loading activity. In previous versions of the "calc.exe" binary, namely on Windows 7, it was vulnerable to DLL side-loading, where an attacker is able to load an arbitrary DLL named "WindowsCodecs.dll". This technique has been observed in Qakbot malware. This activity is significant as it indicates potential malware execution through a trusted process, which can bypass security controls. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and escalate privileges within the environment.
- Windows Executable in Loaded Modules source: The following analytic identifies instances where executable files (.exe) are loaded as modules, detected through 'ImageLoaded' events in Sysmon logs. This method leverages Sysmon EventCode 7 to track unusual module loading behavior, which is significant as it deviates from the norm of loading .dll files. This activity is crucial for SOC monitoring because it can indicate the presence of malware like NjRAT, which uses this technique to load malicious modules. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, maintain persistence, and further compromise the host system.
- Windows Gather Victim Identity SAM Info source: The following analytic detects processes loading the samlib.dll or samcli.dll modules, which are often abused to access Security Account Manager (SAM) objects or credentials on domain controllers. This detection leverages Sysmon EventCode 7 to identify these DLLs being loaded outside typical system directories. Monitoring this activity is crucial as it may indicate attempts to gather sensitive identity information. If confirmed malicious, this behavior could allow attackers to obtain credentials, escalate privileges, or further infiltrate the network.
- Windows Hijack Execution Flow Version Dll Side Load source: The following analytic detects a process loading a version.dll file from a directory other than %windir%\system32 or %windir%\syswow64. This detection leverages Sysmon EventCode 7 to identify instances where an unsigned or improperly located version.dll is loaded. This activity is significant as it is a common technique used in ransomware and APT malware campaigns, including Brute Ratel C4, to execute malicious code via DLL side loading. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and potentially compromise the target host.
- Windows Input Capture Using Credential UI Dll source: The following analytic detects a process loading the credui.dll or wincredui.dll module. This detection leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes outside typical system directories. This activity is significant because adversaries often abuse these modules to create fake credential prompts or dump credentials, posing a risk of credential theft. If confirmed malicious, this activity could allow attackers to harvest user credentials, leading to unauthorized access and potential lateral movement within the network.
- Windows InstallUtil Credential Theft source: The following analytic detects instances where the Windows InstallUtil.exe binary loads `vaultcli.dll` and `Samlib.dll`. This detection leverages Sysmon EventCode 7 to identify these specific DLL loads. This activity is significant because it can indicate an attempt to execute code that bypasses application control and captures credentials using tools like Mimikatz. If confirmed malicious, this behavior could allow an attacker to steal credentials, potentially leading to unauthorized access and further compromise of the system.
- Windows Known Abused DLL Loaded Suspiciously source: The following analytic detects when DLLs with known abuse history are loaded from an unusual location. This activity may represent an attacker performing a DLL search order or sideload hijacking technique. These techniques are used to gain persistence as well as elevate privileges on the target system. This detection relies on Sysmon EID7 and is compatible with all Official Sysmon TA versions.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-7-image-loaded
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-7.yml
- NSA/CISA - Best Practices for Event Logging https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection
Event ID 8 — CreateRemoteThread
Description #
The CreateRemoteThread event detects when a process creates a thread in another process.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
| UtcTime | UnicodeString → string | Time in UTC when event was created |
| SourceProcessGuid | GUID → GUID | Process GUID of the source process that created a thread in another process |
| SourceProcessId | UInt32 → PID | Process ID used by the OS to identify the source process that created a thread in another process |
| SourceImage | UnicodeString → string | File path of the source process that created a thread in another process |
| TargetProcessGuid | GUID → GUID | Process GUID of the target process |
| TargetProcessId | UInt32 → PID | Process ID used by the OS to identify the target process |
| TargetImage | UnicodeString → string | File path of the target process |
| NewThreadId | UInt32 → unsignedInt | ID of the new thread created in the target process |
| StartAddress | UnicodeString → string | New thread start address |
| StartModule | UnicodeString → string | Module where the new thread starts execution, resolved from the thread start address |
| StartFunction | UnicodeString → string | Exported function where the new thread starts, if the start address matches a known export |
| SourceUser | UnicodeString → string | Name of the account of the source process that created a thread in another process |
| TargetUser | UnicodeString → string | Name of the account of the target process |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 8,
"version": 2,
"level": 4,
"task": 8,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T01:44:42.883662+00:00",
"event_record_id": 1356672,
"correlation": {},
"execution": {
"process_id": 7064,
"thread_id": 9788
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2023-11-06 01:44:42.882",
"SourceProcessGuid": "E56ADA26-17ED-6548-0900-000000000D00",
"SourceProcessId": 644,
"SourceImage": "C:\\Windows\\System32\\csrss.exe",
"TargetProcessGuid": "E56ADA26-4257-6548-200A-000000000D00",
"TargetProcessId": 21332,
"TargetImage": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
"NewThreadId": 21912,
"StartAddress": "0x00007FFAF7117550",
"StartModule": "C:\\Windows\\System32\\KERNELBASE.dll",
"StartFunction": "CtrlRoutine",
"SourceUser": "NT AUTHORITY\\SYSTEM",
"TargetUser": "WINDEV2310EVAL\\User"
},
"message": ""
}
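A small triage routine for Event ID 8 records, added here as an example; it is not part of this page, of Sysmon, or of any rule set listed under Detection Rules. It shows why the example event above is not interesting: StartModule resolves to KERNELBASE.dll and StartFunction to CtrlRoutine, which is how the console subsystem delivers Ctrl+C and Ctrl+Break to a console process, so a detector should baseline that pattern rather than alert on it. The rule names, severities, sensitive-target set and user-writable path prefixes are the example's own assumptions, and the second and third sample records are constructed.

```python
"""Triage of Sysmon Event ID 8 (CreateRemoteThread) records.

Added example for this page; not code from Sysmon or from any rule set listed
here. Sample records are constructed; the first mirrors the page's example.
"""
from dataclasses import dataclass

# Resolved (module, export) thread starts that are routine. The page's example,
# csrss.exe starting KERNELBASE!CtrlRoutine in pwsh.exe, is how Ctrl+C/Ctrl+Break
# is delivered to a console process.
BENIGN_STARTS = {("kernelbase.dll", "CtrlRoutine")}

# Targets singled out by the LSASS and injection rules under Detection Rules
# (assumed set; extend it from your own baseline).
SENSITIVE_TARGETS = {"lsass.exe", "winlogon.exe", "csrss.exe"}

# Source image locations writable by standard users (assumed set).
USER_WRITABLE_PREFIXES = (
    "c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\perflogs\\",
)


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    source_image: str
    target_image: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage_event8(event_data: dict) -> list[Finding]:
    """Findings for one Event ID 8 event_data record; empty means nothing notable."""
    src = event_data.get("SourceImage", "")
    tgt = event_data.get("TargetImage", "")
    start_module = event_data.get("StartModule", "-")
    start_function = event_data.get("StartFunction", "-")
    # Known-benign resolved start export: baseline, do not alert.
    if (basename(start_module), start_function) in BENIGN_STARTS:
        return []
    findings = []
    if basename(tgt) in SENSITIVE_TARGETS:
        findings.append(Finding("remote_thread_into_sensitive_process", "high", src, tgt))
    if src.lower().startswith(USER_WRITABLE_PREFIXES):
        findings.append(Finding("remote_thread_from_user_writable_path", "medium", src, tgt))
    # StartModule "-" means the start address is not backed by any loaded image,
    # which is what injected code looks like.
    if start_module == "-":
        findings.append(Finding("remote_thread_unbacked_start_address", "medium", src, tgt))
    return findings


def triage_all(records: list[dict]) -> dict[int, list[str]]:
    """Map event_record_id -> rule names for records that produced findings."""
    out: dict[int, list[str]] = {}
    for rec in records:
        rules = [f.rule for f in triage_event8(rec["event_data"])]
        if rules:
            out[rec["system"]["event_record_id"]] = rules
    return out


SAMPLE_RECORDS = [
    {   # the page's example event: csrss.exe delivering a console control signal
        "system": {"event_record_id": 1356672},
        "event_data": {
            "SourceImage": "C:\\Windows\\System32\\csrss.exe",
            "TargetImage": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
            "StartModule": "C:\\Windows\\System32\\KERNELBASE.dll",
            "StartFunction": "CtrlRoutine",
        },
    },
    {   # constructed: unbacked thread into lsass.exe from a user-writable path
        "system": {"event_record_id": 1356700},
        "event_data": {
            "SourceImage": "C:\\Users\\Public\\stage.exe",
            "TargetImage": "C:\\Windows\\System32\\lsass.exe",
            "StartModule": "-",
            "StartFunction": "-",
        },
    },
    {   # constructed: PowerShell thread into lsass.exe starting inside ntdll.dll
        "system": {"event_record_id": 1356701},
        "event_data": {
            "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
            "TargetImage": "C:\\Windows\\System32\\lsass.exe",
            "StartModule": "C:\\Windows\\System32\\ntdll.dll",
            "StartFunction": "-",
        },
    },
]

if __name__ == "__main__":
    for record_id, rules in triage_all(SAMPLE_RECORDS).items():
        print(record_id, rules)
```

The page's record produces no finding, the constructed stage.exe record trips all three checks, and the PowerShell record trips only the sensitive-target check, which is the separation the "Password Dumper Remote Thread in LSASS" and "Remote Thread Creation By Uncommon Source Image" rules below rely on. StartModule and StartFunction are only populated on Sysmon versions that resolve the start address, so a rule keyed on them needs a fallback for older schema versions.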
Detection Patterns #
- Execution: User Execution (1 rule, Kusto Query Language)
Community Notes #
CreateRemoteThread. Detects some process-injection methods.
Detection Rules #
Sigma # view in reference
- HackTool - CACTUSTORCH Remote Thread Creation source high: Detects remote thread creation from CACTUSTORCH as described in references.
- HackTool - Potential CobaltStrike Process Injection source high: Detects a potential remote thread creation with certain characteristics which are typical for Cobalt Strike beacons
- Remote Thread Created In KeePass.EXE source high: Detects remote thread creation in "KeePass.exe" which could indicate potential password dumping activity
- Remote Thread Creation In Mstsc.Exe From Suspicious Location source high: Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
- Potential Credential Dumping Attempt Via PowerShell Remote Thread source high: Detects remote thread creation by PowerShell processes into "lsass.exe"
- Remote Thread Creation Via PowerShell In Uncommon Target source medium: Detects the creation of a remote thread from a Powershell process in an uncommon target process
- Password Dumper Remote Thread in LSASS source high: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
- Rare Remote Thread Creation By Uncommon Source Image source high: Detects uncommon processes creating remote threads.
- Remote Thread Creation By Uncommon Source Image source medium: Detects uncommon processes creating remote threads.
- Remote Thread Creation In Uncommon Target Image source medium: Detects uncommon target processes for remote thread creation
- Remote Thread Creation Ttdinject.exe Proxy source high: Detects a remote thread creation of Ttdinject.exe used as proxy
Elastic # view in reference
- Process Injection by the Microsoft Build Engine source low: An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.
Splunk # view in reference
- Create Remote Thread In Shell Application source: The following analytic detects suspicious process injection in command shell applications, specifically targeting `cmd.exe` and `powershell.exe`. It leverages Sysmon EventCode 8 to identify the creation of remote threads within these shell processes. This activity is significant because it is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to system security.
- Create Remote Thread into LSASS source: The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS). This behavior is identified using Sysmon EventID 8 logs, focusing on processes that create remote threads in lsass.exe. This activity is significant because it is commonly associated with credential dumping, a tactic used by adversaries to steal user authentication credentials. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive information, leading to potential compromise of the entire network. Analysts should investigate to differentiate between legitimate tools and potential threats.
- Powershell Remote Thread To Known Windows Process source: The following analytic detects suspicious PowerShell processes attempting to inject code into critical Windows processes using CreateRemoteThread. It leverages Sysmon EventCode 8 to identify instances where PowerShell spawns threads in processes like svchost.exe, csrss.exe, and others. This activity is significant as it is commonly used by malware such as TrickBot and offensive tools like Cobalt Strike to execute malicious payloads, establish reverse shells, or download additional malware. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, and persistent access within the environment.
- Rundll32 Create Remote Thread To A Process source: The following analytic detects the creation of a remote thread by rundll32.exe into another process. It leverages Sysmon EventCode 8 logs, specifically monitoring SourceImage and TargetImage fields. This activity is significant as it is a common technique used by malware, such as IcedID, to execute malicious code within legitimate processes, aiding in defense evasion and data theft. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, escalate privileges, and exfiltrate sensitive information from the compromised host.
- Rundll32 CreateRemoteThread In Browser source: The following analytic detects the suspicious creation of a remote thread by rundll32.exe targeting browser processes such as firefox.exe, chrome.exe, iexplore.exe, and microsoftedgecp.exe. This detection leverages Sysmon EventCode 8, focusing on SourceImage and TargetImage fields to identify the behavior. This activity is significant as it is commonly associated with malware like IcedID, which hooks browsers to steal sensitive information such as banking details. If confirmed malicious, this could allow attackers to intercept and exfiltrate sensitive user data, leading to potential financial loss and privacy breaches.
- Windows Process Injection Of Wermgr to Known Browser source: The following analytic identifies the suspicious remote thread execution of the wermgr.exe process into known browsers such as firefox.exe, chrome.exe, and others. It leverages Sysmon EventCode 8 logs to detect this behavior by monitoring SourceImage and TargetImage fields. This activity is significant because it is indicative of Qakbot malware, which injects malicious code into legitimate processes to steal information. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, and exfiltrate sensitive data from the compromised host.
- Windows Process Injection Remote Thread source: The following analytic detects suspicious remote thread execution in processes such as Taskmgr.exe, calc.exe, and notepad.exe, which may indicate process injection by malware like Qakbot. This detection leverages Sysmon EventCode 8 to identify remote thread creation in specific target processes. This activity is significant as it often signifies an attempt by malware to inject malicious code into legitimate processes, potentially leading to unauthorized code execution. If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence on the compromised host.
- Windows Process Injection With Public Source Path source: The following analytic detects a process from a non-standard file path on Windows attempting to create a remote thread in another process. This is identified using Sysmon EventCode 8, focusing on processes not originating from typical system directories. This behavior is significant as it often indicates process injection, a technique used by adversaries to evade detection or escalate privileges. If confirmed malicious, this activity could allow an attacker to execute arbitrary code within another process, potentially leading to unauthorized actions and further compromise of the system.
References #
Event ID 9 — RawAccessRead
Description #
The RawAccessRead event detects when a process conducts reading operations from the drive.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
| UtcTime | UnicodeString → string | Time in UTC when event was created |
| ProcessGuid | GUID → GUID | Process GUID of the process that conducted reading operations from the drive |
| ProcessId | UInt32 → PID | Process ID used by the OS to identify the process that conducted reading operations from the drive |
| Image | UnicodeString → string | File path of the process that conducted reading operations from the drive |
| Device | UnicodeString → string | Target device |
| User | UnicodeString → string | Name of the account of the process that conducted reading operations from the drive |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 9,
"version": 2,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T02:04:11.574013+00:00",
"event_record_id": 1438039,
"correlation": {},
"execution": {
"process_id": 7064,
"thread_id": 9788
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2023-11-06 02:04:11.571",
"ProcessGuid": "E56ADA26-17E6-6548-EB03-000000000000",
"ProcessId": 4,
"Image": "System",
"Device": "\\Device\\HarddiskVolume1",
"User": "NT AUTHORITY\\SYSTEM"
},
"message": ""
}
Community Notes #
RawAccessRead may indicate direct disk reads of ntds.dit, SAM, or page files for offline hash extraction.
Detection Rules #
Sigma # view in reference
- Potential Defense Evasion Via Raw Disk Access By Uncommon Tools source low: Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts
Splunk # view in reference
- Windows Raw Access To Disk Volume Partition source: The following analytic detects suspicious raw access reads to the device disk partition of a host machine. It leverages Sysmon EventCode 9 logs to identify processes attempting to read or write to the boot sector, excluding legitimate system processes. This activity is significant as it is commonly associated with destructive actions by adversaries, such as wiping, encrypting, or overwriting the boot sector, as seen in attacks involving malware like HermeticWiper. If confirmed malicious, this behavior could lead to severe impacts, including system inoperability, data loss, or compromised boot integrity.
- Windows Raw Access To Master Boot Record Drive source: The following analytic detects suspicious raw access reads to the drive containing the Master Boot Record (MBR). It leverages Sysmon EventCode 9 to identify processes attempting to read or write to the MBR sector, excluding legitimate system processes. This activity is significant because adversaries often target the MBR to wipe, encrypt, or overwrite it as part of their impact payload. If confirmed malicious, this could lead to system instability, data loss, or a complete system compromise, severely impacting the organization's operations.
References #
Event ID 10 — ProcessAccess
Description #
The process accessed event reports when a process opens another process.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
| UtcTime | UnicodeString → string | Time in UTC when event was created |
| SourceProcessGUID | GUID → GUID | — |
| SourceProcessId | UInt32 → PID | Process ID of the source process that opened another process |
| SourceThreadId | UInt32 → unsignedInt | ID of the specific thread inside of the source process that opened another process |
| SourceImage | UnicodeString → string | File path of the source process that opened another process |
| TargetProcessGUID | GUID → GUID | — |
| TargetProcessId | UInt32 → PID | Process ID used by the OS to identify the target process |
| TargetImage | UnicodeString → string | File path of the target process |
| GrantedAccess | HexInt32 → HexInt32 | The access flags (bitmask) associated with the process rights requested for the target process (see the Process access rights reference) |
| CallTrace | UnicodeString → string | Stack trace of where OpenProcess is called, including the DLL and relative virtual address of each function in the call stack |
| SourceUser | UnicodeString → string | Name of the account of the source process that opened another process |
| TargetUser | UnicodeString → string | Name of the account of the target process |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 10,
"version": 3,
"level": 4,
"task": 10,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T02:04:36.621865+00:00",
"event_record_id": 1441177,
"correlation": {},
"execution": {
"process_id": 7064,
"thread_id": 9788
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2023-11-06 02:04:36.619",
"SourceProcessGUID": "E56ADA26-3829-6548-6007-000000000D00",
"SourceProcessId": 15680,
"SourceThreadId": 15676,
"SourceImage": "C:\\Program Files\\Avira\\Endpoint Protection SDK\\SentryEye.exe",
"TargetProcessGUID": "E56ADA26-3766-6548-3C07-000000000D00",
"TargetProcessId": 15280,
"TargetImage": "C:\\Program Files\\Avira\\Endpoint Protection SDK\\endpointprotection.exe",
"GrantedAccess": "0x100000",
"CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9f8b4|C:\\Windows\\SYSTEM32\\KERNELBASE.dll+2c60e|C:\\Program Files\\Avira\\Endpoint Protection SDK\\SentryEye.exe+213cf|C:\\Program Files\\Avira\\Endpoint Protection SDK\\SentryEye.exe+2ccffe|C:\\Windows\\SYSTEM32\\KERNEL32.DLL+1257d|C:\\Windows\\SYSTEM32\\ntdll.dll+5aa78",
"SourceUser": "NT AUTHORITY\\SYSTEM",
"TargetUser": "NT AUTHORITY\\SYSTEM"
},
"message": ""
}
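Decoding the two fields that carry most of the signal in this event, GrantedAccess and CallTrace, as an added example; this is not code from the page, from Sysmon, or from any rule set listed under Detection Rules. The PROCESS_* values are the standard Windows process access rights; the reason codes, the dbghelp/dbgcore check and the unbacked-frame check are the example's own rendering of the logic the LSASS rules under Detection Rules describe. Sample records are constructed, the first reproducing the page's example event.

```python
"""Decoding Sysmon Event ID 10 (ProcessAccess) GrantedAccess and CallTrace.

Added example for this page; not code from Sysmon or from any rule set listed
here. PROCESS_* values are the standard Windows process access rights.
"""
import re
from typing import Optional

PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF
PROCESS_VM_READ = 0x0010
MINIDUMP_HELPERS = {"dbghelp.dll", "dbgcore.dll"}  # both export MiniDumpWriteDump


def decode_granted_access(value: str) -> list[str]:
    """Expand the hex GrantedAccess string into the named rights it contains."""
    mask = int(value, 16)
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_RIGHTS)  # bits the table above does not name
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:x})")
    return names


_FRAME = re.compile(r"^(?P<module>.+)\+(?P<rva>[0-9a-fA-F]+)$")


def parse_call_trace(trace: str) -> list[tuple[str, Optional[int]]]:
    """Split CallTrace into (module, RVA) frames, innermost first; frames Sysmon
    could not attribute to a loaded image keep their raw text with RVA None."""
    frames = []
    for part in filter(None, (p.strip() for p in trace.split("|"))):
        m = _FRAME.match(part)
        frames.append((m["module"], int(m["rva"], 16)) if m else (part, None))
    return frames


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage_event10(event_data: dict) -> list[str]:
    """Reason codes for one Event ID 10 event_data record; empty means nothing notable."""
    mask = int(event_data["GrantedAccess"], 16)
    frames = parse_call_trace(event_data.get("CallTrace", ""))
    modules = {basename(m) for m, rva in frames if rva is not None}
    reasons = []
    if basename(event_data["TargetImage"]) == "lsass.exe":
        # Every credential dumper needs to read LSASS memory.
        if mask & PROCESS_VM_READ:
            reasons.append("lsass_vm_read")
        # dbghelp/dbgcore on the stack of an LSASS open is the MiniDump pattern
        # described by the rules under Detection Rules.
        if modules & MINIDUMP_HELPERS:
            reasons.append("lsass_minidump_helper_in_call_trace")
        # A frame not backed by any image points at injected or reflective code.
        if any(rva is None for _, rva in frames):
            reasons.append("lsass_unbacked_call_trace_frame")
    elif mask == PROCESS_ALL_ACCESS:
        reasons.append("all_access_to_other_target")
    return reasons


SAMPLE_EVENTS = [  # constructed records; the first reproduces the page's example
    {
        "TargetImage": "C:\\Program Files\\Avira\\Endpoint Protection SDK\\endpointprotection.exe",
        "GrantedAccess": "0x100000",
        "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9f8b4|C:\\Windows\\SYSTEM32\\KERNELBASE.dll+2c60e",
    },
    {   # constructed: full-access open of LSASS with dbgcore.dll on the stack
        "TargetImage": "C:\\Windows\\System32\\lsass.exe",
        "GrantedAccess": "0x1FFFFF",
        "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9f8b4|C:\\Windows\\SYSTEM32\\dbgcore.dll+1a2b|C:\\Users\\Public\\pd.exe+3c4d",
    },
    {   # constructed: read access to LSASS from a frame not backed by any image
        "TargetImage": "C:\\Windows\\System32\\lsass.exe",
        "GrantedAccess": "0x1010",
        "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9f8b4|UNKNOWN(00007FF8AB120000)",
    },
]
```

On the page's own record, GrantedAccess 0x100000 decodes to SYNCHRONIZE alone, which is why an endpoint-protection component opening a sibling process yields no reason code. 0x1010 (PROCESS_QUERY_LIMITED_INFORMATION together with PROCESS_VM_READ) is the least a memory read can ask for, which is why the access mask is only meaningful in combination with the target image and the call trace, as the "Potential Credential Dumping Activity Via LSASS" rule below describes.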
Detection Patterns #
- Defense Evasion: Process Hollowing (1 rule)
Detection Rules #
Sigma # view in reference
- CMSTP Execution Process Access source high: Detects various indicators of Microsoft Connection Manager Profile Installer execution
- HackTool - CobaltStrike BOF Injection Pattern source high: Detects a typical pattern of a CobaltStrike BOF which inject into other processes
- HackTool - Generic Process Access source high: Detects process access requests from hacktool processes based on their default image name
- HackTool - HandleKatz Duplicating LSASS Handle source high: Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
- HackTool - LittleCorporal Generated Maldoc Injection source high: Detects the process injection of a LittleCorporal generated Maldoc.
- HackTool - SysmonEnte Execution source high: Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon
- Lsass Memory Dump via Comsvcs DLL source high: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
- LSASS Memory Access by Tool With Dump Keyword In Name source high: Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
- Potential Credential Dumping Activity Via LSASS source medium: Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
- Credential Dumping Activity By Python Based Tool source high: Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
- Remote LSASS Process Access Through Windows Remote Management source high: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
- Suspicious LSASS Access Via MalSecLogon source high: Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.
- Potentially Suspicious GrantedAccess Flags On LSASS source medium: Detects process access requests to LSASS process with potentially suspicious access flags
- Credential Dumping Attempt Via WerFault source high: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
- LSASS Access From Potentially White-Listed Processes source high: Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
- Uncommon Process Access Rights For Target Image source low: Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
- Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs source high: Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace. These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll, dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.
- Potential Direct Syscall of NtOpenProcess source medium: Detects potential calls to NtOpenProcess directly from NTDLL.
- Credential Dumping Attempt Via Svchost source high: Detects when a process tries to access the memory of svchost to potentially dump credentials.
- Suspicious Svchost Process Access source high: Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.
Elastic #
- Potential Credential Access via DuplicateHandle in LSASS source medium: Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.
- Suspicious Lsass Process Access source medium: Identifies access attempts to the LSASS handle; this may indicate an attempt to dump credentials from Lsass memory.
- Potential Credential Access via LSASS Memory Dump source high: Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.
- Potential LSASS Memory Dump via PssCaptureSnapShot source high: Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
- Suspicious Process Access via Direct System Call source high: Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.
Splunk #
- Access LSASS Memory for Dump Creation source: The following analytic detects attempts to dump the LSASS process memory, a common technique in credential dumping attacks. It leverages Sysmon logs, specifically EventCode 10, to identify suspicious call traces to dbgcore.dll and dbghelp.dll associated with lsass.exe. This activity is significant as it often precedes the theft of sensitive login credentials, posing a high risk of unauthorized access to systems and data. If confirmed malicious, attackers could gain access to critical credentials, enabling further compromise and lateral movement within the network.
- Detect Credential Dumping through LSASS access source: The following analytic detects attempts to read LSASS memory, indicative of credential dumping. It leverages Sysmon EventCode 10, filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process. This activity is significant because it suggests an attacker is trying to extract credentials from LSASS memory, potentially leading to unauthorized access, data breaches, and compromise of sensitive information. If confirmed malicious, this could enable attackers to escalate privileges, move laterally within the network, or exfiltrate data. Extensive triage is necessary to differentiate between malicious and benign activities.
- Rubeus Kerberos Ticket Exports Through Winlogon Access source: The following analytic detects a process accessing the winlogon.exe system process, indicative of the Rubeus tool attempting to export Kerberos tickets from memory. This detection leverages Sysmon EventCode 10 logs, focusing on processes obtaining a handle to winlogon.exe with specific access rights. This activity is significant as it often precedes pass-the-ticket attacks, where adversaries use stolen Kerberos tickets to move laterally within an environment. If confirmed malicious, this could allow attackers to bypass normal access controls, escalate privileges, and persist within the network, posing a severe security risk.
- Spoolsv Suspicious Process Access source: The following analytic detects suspicious process access by spoolsv.exe, potentially indicating exploitation of the PrintNightmare vulnerability (CVE-2021-34527). It leverages Sysmon EventCode 10 to identify when spoolsv.exe accesses critical system files or processes like rundll32.exe with elevated privileges. This activity is significant as it may signal an attempt to gain unauthorized privilege escalation on a vulnerable machine. If confirmed malicious, an attacker could achieve elevated privileges, leading to further system compromise, persistent access, or unauthorized control over the affected environment.
- Windows Access Token Manipulation Winlogon Duplicate Token Handle source: The following analytic detects a process attempting to access winlogon.exe to duplicate its handle. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific access rights. This activity is significant because it is a common technique used by adversaries to escalate privileges by leveraging the high privileges and security tokens associated with winlogon.exe. If confirmed malicious, this could allow an attacker to gain elevated privileges, potentially leading to full system compromise and unauthorized access to sensitive information.
- Windows Access Token Winlogon Duplicate Handle In Uncommon Path source: The following analytic detects a process attempting to duplicate the handle of winlogon.exe from an uncommon or public source path. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific access rights and excluding common system paths. This activity is significant because it may indicate an adversary trying to escalate privileges by leveraging the high-privilege tokens associated with winlogon.exe. If confirmed malicious, this could allow the attacker to gain elevated access, potentially leading to full system compromise and persistent control over the affected host.
- Windows Handle Duplication in Known UAC-Bypass Binaries source: The following analytic detects suspicious handle duplication activity targeting known Windows utilities such as ComputerDefaults.exe, Eventvwr.exe, and others. This technique is commonly used to escalate privileges or bypass UAC by inheriting or injecting elevated tokens or handles. The detection focuses on non-standard use of DuplicateHandle or token duplication where process, thread, or token handles are copied into the context of trusted, signed utilities. Such behavior may indicate attempts to execute with elevated rights without user consent. Alerts enable rapid triage using process trees, handle data, token attributes, command-lines, and binary hashes.
- Windows Hunting System Account Targeting Lsass source: The following analytic identifies processes attempting to access Lsass.exe, which may indicate credential dumping or applications needing credential access. It leverages Sysmon EventCode 10 to detect such activities by analyzing fields like TargetImage, GrantedAccess, and SourceImage. This behavior is significant as unauthorized access to Lsass.exe can lead to credential theft, posing a severe security risk. If confirmed malicious, attackers could gain access to sensitive credentials, potentially leading to privilege escalation and further compromise of the environment.
- Windows Non-System Account Targeting Lsass source: The following analytic identifies non-SYSTEM accounts requesting access to lsass.exe. This detection leverages Sysmon EventCode 10 logs to monitor access attempts to the Local Security Authority Subsystem Service (lsass.exe) by non-SYSTEM users. This activity is significant as it may indicate credential dumping attempts or unauthorized access to sensitive credentials. If confirmed malicious, an attacker could potentially extract credentials from memory, leading to privilege escalation or lateral movement within the network. Immediate investigation is required to determine the legitimacy of the access request and to mitigate any potential threats.
- Windows Possible Credential Dumping source: The following analytic detects potential credential dumping by identifying specific GrantedAccess permission requests and CallTrace DLLs targeting the LSASS process. It leverages Sysmon EventCode 10 logs, focusing on access requests to lsass.exe and call traces involving debug and native API DLLs like dbgcore.dll, dbghelp.dll, and ntdll.dll. This activity is significant as credential dumping can lead to unauthorized access to sensitive credentials. If confirmed malicious, attackers could gain elevated privileges and persist within the environment, posing a severe security risk.
- Windows Process Injection into Commonly Abused Processes source: The following analytic detects process injection into executables that are commonly abused using Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) to processes such as notepad.exe, wordpad.exe and calc.exe, excluding common system paths like System32, Syswow64, and Program Files. This behavior is often associated with the SliverC2 framework by BishopFox. Monitoring this activity is crucial as it may indicate an initial payload attempting to execute malicious code. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment.
- Windows Process Injection into Notepad source: The following analytic detects process injection into Notepad.exe using Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) to Notepad.exe, excluding common system paths like System32, Syswow64, and Program Files. This behavior is often associated with the SliverC2 framework by BishopFox. Monitoring this activity is crucial as it may indicate an initial payload attempting to execute malicious code within Notepad.exe. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment.
- Windows Terminating Lsass Process source: The following analytic detects a suspicious process attempting to terminate the Lsass.exe process. It leverages Sysmon EventCode 10 logs to identify processes granted PROCESS_TERMINATE access to Lsass.exe. This activity is significant because Lsass.exe is a critical process responsible for enforcing security policies and handling user credentials. If confirmed malicious, this behavior could indicate an attempt to perform credential dumping, privilege escalation, or evasion of security policies, potentially leading to unauthorized access and persistence within the environment.
- Windows WMI Impersonate Token source: The following analytic detects potential WMI token impersonation activities in a process or command. It leverages Sysmon EventCode 10 to identify instances where `wmiprvse.exe` has a duplicate handle or full granted access in a target process. This behavior is significant as it is commonly used by malware like Qakbot for privilege escalation or defense evasion. If confirmed malicious, this activity could allow an attacker to gain elevated privileges, evade defenses, and maintain persistence within the environment.
Kusto Query Language #
- Dumping LSASS Process Into a File source high: Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or system and used to conduct lateral movement using alternate authentication materials. As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. Ref: https://attack.mitre.org/techniques/T1003/001/
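The indicators the rules above keep returning to (lsass.exe as TargetImage, the 0x1010 and 0x1410 GrantedAccess masks, dbgcore.dll or dbghelp.dll in CallTrace, PROCESS_TERMINATE against lsass, a non-SYSTEM SourceUser, call-trace frames with no backing image, and PROCESS_ALL_ACCESS) can all be evaluated directly on the event_data fields shown in the example event. The Python triage helper below is an added example written for this page; it is not code from Sysmon, Sigma, Elastic or Splunk. The sample records, image paths, user names and tag names are constructed for the example.

```python
"""Triage helper for Sysmon Event ID 10 (ProcessAccess) records.

Constructed example for this page, not Sysmon's or any rule set's code.
It re-implements, in plain Python, the indicators named in the rule list
above. Sample records, paths, user names and tag names are hypothetical.
"""
import json
import ntpath

# Win32 process access-right bits (documented constants).
PROCESS_TERMINATE = 0x0001
PROCESS_ALL_ACCESS = 0x1FFFFF

# Masks the Splunk "Detect Credential Dumping through LSASS access" rule flags.
LSASS_DUMP_MASKS = {0x1010, 0x1410}
# DLLs that export MiniDumpWriteDump (named in several rules above).
MINIDUMP_DLLS = {"dbgcore.dll", "dbghelp.dll"}


def parse_call_trace(call_trace: str) -> list:
    """Split Sysmon's 'path+offset|path+offset|...' CallTrace into
    (module_basename_lowercase, offset_or_None) tuples.

    Frames in memory with no backing image are written by Sysmon as
    'UNKNOWN(<address>)' and carry no '+offset' part.
    """
    frames = []
    for entry in call_trace.split("|"):
        entry = entry.strip()
        if not entry:
            continue
        if entry.upper().startswith("UNKNOWN"):
            frames.append(("UNKNOWN", None))
            continue
        path, sep, offset = entry.rpartition("+")
        if not sep:  # no offset at all: treat the whole entry as a path
            path, offset = entry, None
        frames.append((ntpath.basename(path).lower(), offset))
    return frames


def triage_process_access(event: dict) -> list:
    """Return sorted indicator tags for one Event ID 10 record ([] = nothing notable)."""
    ed = event["event_data"]
    target = ntpath.basename(ed["TargetImage"]).lower()
    access = int(ed["GrantedAccess"], 16)
    modules = {module for module, _ in parse_call_trace(ed.get("CallTrace", ""))}
    source_user = ed.get("SourceUser", "").upper()

    tags = set()
    if target == "lsass.exe":
        if access in LSASS_DUMP_MASKS:
            tags.add("lsass_dump_access_mask")
        if modules & MINIDUMP_DLLS:
            tags.add("minidump_dll_in_call_trace")
        if access & PROCESS_TERMINATE:
            tags.add("lsass_terminate_access")
        if source_user != "NT AUTHORITY\\SYSTEM":
            tags.add("non_system_lsass_access")
    if "UNKNOWN" in modules:
        tags.add("unbacked_call_trace_frame")
    if access == PROCESS_ALL_ACCESS:
        tags.add("process_all_access")
    return sorted(tags)


# Constructed sample records in the page's JSON shape (only event_data is used).
SAMPLE_EVENTS = [json.loads(s) for s in (
    # Benign: one vendor component synchronising with another (like the page's example).
    r'''{"event_data": {"SourceImage": "C:\\Program Files\\ExampleAV\\sensor.exe",
        "TargetImage": "C:\\Program Files\\ExampleAV\\service.exe",
        "GrantedAccess": "0x100000",
        "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9f8b4|C:\\Windows\\SYSTEM32\\KERNELBASE.dll+2c60e",
        "SourceUser": "NT AUTHORITY\\SYSTEM", "TargetUser": "NT AUTHORITY\\SYSTEM"}}''',
    # A user-context tool reading lsass through a minidump DLL.
    r'''{"event_data": {"SourceImage": "C:\\Users\\Public\\dumper.exe",
        "TargetImage": "C:\\Windows\\system32\\lsass.exe",
        "GrantedAccess": "0x1010",
        "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9f8b4|C:\\Windows\\SYSTEM32\\dbghelp.dll+1a2b3|C:\\Users\\Public\\dumper.exe+1234",
        "SourceUser": "CORP\\jdoe", "TargetUser": "NT AUTHORITY\\SYSTEM"}}''',
    # Full access to lsass from a frame with no backing module.
    r'''{"event_data": {"SourceImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\stager.exe",
        "TargetImage": "C:\\Windows\\system32\\lsass.exe",
        "GrantedAccess": "0x1fffff",
        "CallTrace": "UNKNOWN(00007FF6A0001234)|C:\\Users\\jdoe\\AppData\\Local\\Temp\\stager.exe+2ef0",
        "SourceUser": "NT AUTHORITY\\SYSTEM", "TargetUser": "NT AUTHORITY\\SYSTEM"}}''',
)]


if __name__ == "__main__":
    for record in SAMPLE_EVENTS:
        ed = record["event_data"]
        print(ed["SourceImage"], "->", ed["TargetImage"], triage_process_access(record))
```

The tags are deliberately independent so that a SIEM rule can combine them with its own thresholds; the page's rules show that the same mask (0x1010) is benign from a signed security product and suspicious from a binary under C:\Users\Public, so the source image path is the obvious next field to fold into the scoring.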
References #
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-10-processaccess
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-10.yml
- NSA/CISA - Best Practices for Event Logging https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection
Event ID 11 — FileCreate
#Description
File create operations are logged when a file is created or overwritten.
Message #
Fields #
| Name | Description |
|---|---|
| RuleName (UnicodeString → string) | Custom tag mapped to event, i.e. ATT&CK technique ID |
| UtcTime (UnicodeString → string) | Time in UTC when event was created |
| ProcessGuid (GUID → GUID) | Process GUID of the process that created the file |
| ProcessId (UInt32 → PID) | Process ID used by the OS to identify the process that created the file |
| Image (UnicodeString → string) | File path of the process that created the file |
| TargetFilename (UnicodeString → string) | Full path of the file that was created or overwritten |
| CreationUtcTime (UnicodeString → string) | File creation time |
| User (UnicodeString → string) | Name of the account who created the file |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 11,
"version": 2,
"level": 4,
"task": 11,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T02:04:29.354644+00:00",
"event_record_id": 1441137,
"correlation": {},
"execution": {
"process_id": 7064,
"thread_id": 9788
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2023-11-06 02:04:29.346",
"ProcessGuid": "E56ADA26-3974-6548-1E08-000000000D00",
"ProcessId": 18984,
"Image": "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe",
"TargetFilename": "C:\\ProgramData\\Malwarebytes\\MBAMService\\config\\MbamClientConfig.json",
"CreationUtcTime": "2023-11-06 00:56:14.466",
"User": "NT AUTHORITY\\SYSTEM"
},
"message": ""
}
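As an added example (not part of this page or of any rule set it lists), the following Python function applies a few of the FileCreate checks that the rules on this page describe, such as an lsass dump file, an executable or script written to an uncommon drop directory, a batch file written into System32/SysWOW64, and a right-to-left override character in the file name, to event_data records of the shape shown above. Sample records, paths and user names are constructed. The overwrite tag is a heuristic assumed here: since this event also fires when a file is overwritten, a CreationUtcTime well before UtcTime (as in the page's own example, where a config file created at 00:56 is written again at 02:04) indicates an existing file was rewritten rather than newly created.

```python
"""Triage helper for Sysmon Event ID 11 (FileCreate) records.

Constructed example for this page, not Sysmon's, Sigma's or Splunk's code.
It checks the TargetFilename / CreationUtcTime / UtcTime fields documented
above for a few of the patterns named in this page's rule list. Paths,
user names, thresholds and tag names are hypothetical.
"""
import json
import ntpath
from datetime import datetime

# Extensions the "Executables Or Script Creation" rules look for
# (a representative subset, not the rules' full lists).
EXEC_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".scr"}
# Drop directories those rules treat as uncommon (lower-case, backslashes,
# so a substring match works on the raw Windows path).
SUSPICIOUS_DIRS = (
    "\\windows\\fonts\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
    "\\appdata\\local\\temp\\",
)
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
RTLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE
# Assumed threshold: a creation time this far before the event time means an
# existing file was overwritten rather than newly created.
OVERWRITE_SKEW_SECONDS = 60


def parse_sysmon_time(value: str) -> datetime:
    """Sysmon writes 'YYYY-MM-DD HH:MM:SS.mmm' in UTC."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def triage_file_create(event: dict) -> list:
    """Return sorted indicator tags for one Event ID 11 record ([] = nothing notable)."""
    ed = event["event_data"]
    target = ed["TargetFilename"]
    lowered = target.lower()
    name = ntpath.basename(target)
    ext = ntpath.splitext(name)[1].lower()
    tags = set()

    if RTLO in name:
        tags.add("rtlo_in_filename")
    if ext == ".dmp" and "lsass" in name.lower():
        tags.add("lsass_dump_file")
    if ext in EXEC_EXTENSIONS and any(d in lowered for d in SUSPICIOUS_DIRS):
        tags.add("executable_in_suspicious_path")
    if ext == ".bat" and any(d in lowered for d in SYSTEM_DIRS):
        tags.add("batch_file_in_system_dir")

    created = parse_sysmon_time(ed["CreationUtcTime"])
    logged = parse_sysmon_time(ed["UtcTime"])
    if (logged - created).total_seconds() > OVERWRITE_SKEW_SECONDS:
        tags.add("overwrite_of_existing_file")  # informational, see lead-in
    return sorted(tags)


# Constructed sample records in the page's JSON shape (only event_data is used).
SAMPLE_EVENTS = [json.loads(s) for s in (
    # Same shape as the page's example: a service rewriting its own config file.
    r'''{"event_data": {"UtcTime": "2023-11-06 02:04:29.346",
        "Image": "C:\\Program Files\\ExampleAV\\service.exe",
        "TargetFilename": "C:\\ProgramData\\ExampleAV\\config\\client.json",
        "CreationUtcTime": "2023-11-06 00:56:14.466", "User": "NT AUTHORITY\\SYSTEM"}}''',
    r'''{"event_data": {"UtcTime": "2023-11-06 02:10:00.000",
        "Image": "C:\\Windows\\System32\\Taskmgr.exe",
        "TargetFilename": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\lsass.DMP",
        "CreationUtcTime": "2023-11-06 02:10:00.000", "User": "CORP\\jdoe"}}''',
    r'''{"event_data": {"UtcTime": "2023-11-06 02:11:00.000",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "TargetFilename": "C:\\Users\\Public\\update.exe",
        "CreationUtcTime": "2023-11-06 02:11:00.000", "User": "CORP\\jdoe"}}''',
    r'''{"event_data": {"UtcTime": "2023-11-06 02:12:00.000",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "TargetFilename": "C:\\Windows\\System32\\run.bat",
        "CreationUtcTime": "2023-11-06 02:12:00.000", "User": "NT AUTHORITY\\SYSTEM"}}''',
    r'''{"event_data": {"UtcTime": "2023-11-06 02:13:00.000",
        "Image": "C:\\Program Files\\ExampleMail\\mail.exe",
        "TargetFilename": "C:\\Users\\jdoe\\Downloads\\invoice\u202efdp.exe",
        "CreationUtcTime": "2023-11-06 02:13:00.000", "User": "CORP\\jdoe"}}''',
)]


if __name__ == "__main__":
    for record in SAMPLE_EVENTS:
        print(repr(record["event_data"]["TargetFilename"]), triage_file_create(record))
```

Matching on the lower-cased raw path rather than on a normalised one keeps the check faithful to what the log actually carries; the RTLO case shows why the file name is inspected as a string and not just by its apparent extension, since the displayed name reads differently from the bytes Sysmon recorded.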
Detection Patterns #
- 9 rules (Splunk)
- 7 rules (Splunk)
- Sunburst And Supernova Backdoor: 2 rules (Kusto Query Language)
- Execution: User Execution: 1 rule (Kusto Query Language)
- Lateral Movement: Lateral Tool Transfer: 1 rule (Kusto Query Language)
Detection Rules #
Sigma #
- ADSI-Cache File Creation By Uncommon Tool source medium: Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
- Advanced IP Scanner - File Event source medium: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
- Anydesk Temporary Artefact source medium: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
- Suspicious Binary Writes Via AnyDesk source high: Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
- Suspicious File Created by ArcSOC.exe source high: Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS server, creates a file with suspicious file type, indicating that it may be an executable, script file, or otherwise unusual.
- Assembly DLL Creation Via AspNetCompiler source medium: Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
- BloodHound Collection Files source high: Detects default file names outputted by the BloodHound collection tool SharpHound
- Potentially Suspicious File Creation by OpenEDR's ITSMService source medium: Detects the creation of potentially suspicious files by OpenEDR's ITSMService process. The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features. While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
- EVTX Created In Uncommon Location source medium: Detects the creation of new files with the ".evtx" extension in non-common or non-standard location. This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within. Note that backup software and legitimate administrator might perform similar actions during troubleshooting.
- Creation Of Non-Existent System DLL source medium: Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs. Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
- Suspicious Deno File Written from Remote Source source low: Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing its own malicious DLL. This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.
- New Custom Shim Database Created source medium: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
- Suspicious Screensaver Binary File Creation source medium: Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
- Files With System DLL Name In Unsuspected Locations source medium: Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations (outside of "System32", "SysWOW64", etc.). It is highly recommended to perform an initial baseline before using this rule in production.
- Files With System Process Name In Unsuspected Locations source medium: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.
- Creation Exe for Service with Unquoted Path source high: Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
- Cred Dump Tools Dropped Files source high: Files with well-known filenames (parts of credential dump software or files produced by them) creation
- WScript or CScript Dropper - File source high: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
- CSExec Service File Creation source medium: Detects default CSExec service filename which indicates CSExec service installation and execution
- Dynamic CSharp Compile Artefact source low: When C# is compiled dynamically, a .cmdline file will be created as a part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution
Splunk #
- Email files written outside of the Outlook directory source: The following analytic detects email files (.pst or .ost) being created outside the standard Outlook directories. It leverages the Endpoint.Filesystem data model to identify file creation events and filters for email files not located in "C:\Users\*\My Documents\Outlook Files\*" or "C:\Users\*\AppData\Local\Microsoft\Outlook*". This activity is significant as it may indicate data exfiltration or unauthorized access to email data. If confirmed malicious, an attacker could potentially access sensitive email content, leading to data breaches or further exploitation within the network.
- Batch File Write to System32 source: The following analytic detects the creation of a batch file (.bat) within the Windows system directory tree, specifically in the System32 or SysWOW64 folders. It leverages data from the Endpoint datamodel, focusing on process and filesystem events to identify this behavior. This activity is significant because writing batch files to system directories can be indicative of malicious intent, such as persistence mechanisms or system manipulation. If confirmed malicious, this could allow an attacker to execute arbitrary commands with elevated privileges, potentially compromising the entire system.
- Common Ransomware Extensions source: The following analytic detects modifications to files with extensions commonly associated with ransomware. It leverages the Endpoint.Filesystem data model to identify changes in file extensions that match known ransomware patterns. This activity is significant because it suggests an attacker is attempting to encrypt or alter files, potentially leading to severe data loss and operational disruption. If confirmed malicious, this activity could result in the encryption of critical data, rendering it inaccessible and causing significant damage to the organization's data integrity and availability.
- Common Ransomware Notes source: The following analytic detects the creation of files with names commonly associated with ransomware notes. It leverages file-system activity data from the Endpoint Filesystem data model, typically populated by endpoint detection and response (EDR) tools or Sysmon logs. This activity is significant because ransomware notes indicate a potential ransomware attack, which can lead to data encryption and extortion. If confirmed malicious, this activity could result in significant data loss, operational disruption, and financial impact due to ransom demands. Note that this analytic relies on a lookup table (ransomware_notes_lookup) that contains known ransomware note file names. Ensure that this lookup table is regularly updated to include new ransomware note file names as they are identified in the threat landscape. Also, this analytic leverages a sub-search to enhance performance. Sub-searches have limitations on the amount of data they can return. Keep this in mind if you have an extensive list of ransomware note file names.
- ConnectWise ScreenConnect Path Traversal source: The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability, which allows path traversal attacks by manipulating file_path and file_name parameters in the URL. It leverages the Endpoint datamodel Filesystem node to identify suspicious file system events, specifically targeting paths and filenames associated with ScreenConnect. This activity is significant as it can lead to unauthorized access to sensitive files and directories, potentially resulting in data exfiltration or arbitrary code execution. If confirmed malicious, attackers could gain unauthorized access and control over the host system, posing a severe security risk.
- Creation of lsass Dump with Taskmgr source: The following analytic detects the creation of an lsass.exe process dump using Windows Task Manager. It leverages Sysmon EventID 11 to identify file creation events where the target filename matches *lsass*.dmp. This activity is significant because creating an lsass dump can be a precursor to credential theft, as the dump file contains sensitive information such as user passwords. If confirmed malicious, an attacker could use the lsass dump to extract credentials and escalate privileges, potentially compromising the entire network.
- Detect AzureHound File Modifications source: The following analytic detects the creation of specific AzureHound-related files, such as `*-azurecollection.zip` and various `.json` files, on disk. It leverages data from the Endpoint.Filesystem datamodel, focusing on file creation events with specific filenames. This activity is significant because AzureHound is a tool used to gather information about Azure environments, similar to SharpHound for on-premises Active Directory. If confirmed malicious, this activity could indicate an attacker is collecting sensitive Azure environment data, potentially leading to further exploitation or privilege escalation within the cloud infrastructure.
- Detect Certipy File Modifications source: The following analytic detects the use of the Certipy tool to enumerate Active Directory Certificate Services (AD CS) environments by identifying unique file modifications. It leverages endpoint process and filesystem data to spot the creation of files with specific names or extensions associated with Certipy's information gathering and exfiltration activities. This activity is significant as it indicates potential reconnaissance and data exfiltration efforts by an attacker. If confirmed malicious, this could lead to unauthorized access to sensitive AD CS information, enabling further attacks or privilege escalation within the network.
- Detect Exchange Web Shell source: The following analytic identifies the creation of suspicious .aspx files in known drop locations for Exchange exploitation, specifically targeting paths associated with HAFNIUM group and vulnerabilities like ProxyShell and ProxyNotShell. It leverages data from the Endpoint datamodel, focusing on process and filesystem events. This activity is significant as it may indicate a web shell deployment, a common method for persistent access and remote code execution. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary commands, and potentially escalate privileges within the Exchange environment.
- Detect Remote Access Software Usage File source: The following analytic detects the writing of files from known remote access software to disk within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on file path, file name, and user information. This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. If confirmed malicious, this could allow attackers to persist in the environment, potentially leading to data exfiltration, further compromise, or complete control over affected systems. It is best to update both the remote_access_software_usage_exception.csv lookup and the remote_access_software lookup with any known or approved remote access software to reduce false positives and increase coverage. In order to enhance performance, the detection filters for specific file name extensions / names that are used in the remote_access_software lookup. If you add additional entries, consider updating the search filters to include those file names / extensions as well, if not already covered.
- Detect RTLO In File Name source: The following analytic identifies the use of the right-to-left override (RTLO) character in file names. It leverages data from the Endpoint.Filesystem datamodel, specifically focusing on file creation events and file names containing the RTLO character (U+202E). This activity is significant because adversaries use RTLO to disguise malicious files as benign by reversing the text that follows the character. If confirmed malicious, this technique can deceive users and security tools, leading to the execution of harmful files and potential system compromise.
- Detect SharpHound File Modifications source: The following analytic detects the creation of files typically associated with SharpHound, a reconnaissance tool used for gathering domain and trust data. It leverages file modification events from the Endpoint.Filesystem data model, focusing on default file naming patterns like `*_BloodHound.zip` and various JSON files. This activity is significant as it indicates potential domain enumeration, which is a precursor to more targeted attacks. If confirmed malicious, an attacker could gain detailed insights into the domain structure, facilitating lateral movement and privilege escalation.
- Drop IcedID License dat source: The following analytic detects the dropping of a suspicious file named "license.dat" in %appdata% or %programdata%. This behavior is associated with the IcedID malware, which uses this file to inject its core bot into other processes for banking credential theft. The detection leverages Sysmon EventCode 11 to monitor file creation events in these directories. This activity is significant as it indicates a potential malware infection aiming to steal sensitive banking information. If confirmed malicious, the attacker could gain unauthorized access to financial data, leading to significant financial loss and data breaches.
- Executables Or Script Creation In Suspicious Path source: The following analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem dataset to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in uncommon directories (e.g., \windows\fonts\, \users\public\). This activity can be significant as adversaries often use these paths to evade detection and maintain persistence. If confirmed malicious, this behavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat.
- Executables Or Script Creation In Temp Path source: The following analytic identifies the creation of executables or scripts in temporary file paths on Windows systems. It leverages the Endpoint.Filesystem data set to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in temporary directories (e.g., \windows\Temp\, \AppData\Local\Temp\). This activity can be significant as adversaries often use these paths to evade detection and maintain persistence. If confirmed malicious, this behavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat.
- File with Samsam Extension source: The following analytic detects file writes with extensions indicative of a SamSam ransomware attack. It leverages file-system activity data to identify file names ending in .stubbin, .berkshire, .satoshi, .sophos, or .keyxml. This activity is significant because SamSam ransomware is highly destructive, leading to file encryption and ransom demands. If confirmed malicious, the impact includes significant financial losses, operational disruptions, and reputational damage. Immediate actions should include isolating affected systems, restoring files from backups, and investigating the attack source to prevent further incidents.
- GitHub Workflow File Creation or Modification source: The following analytic hunts for any creations or modifications to GitHub Actions workflow YAML files across the organization's Linux or Windows endpoints. This hunting query tracks all workflow file activity under .github/workflows directories to help defenders establish baselines of legitimate CI/CD workflow creation patterns, identify unusual or unauthorized changes, and detect anomalies that may indicate supply chain compromise. GitHub Actions workflows execute with privileged access to secrets and deployment credentials, making them high-value targets for attackers. By monitoring workflow file modifications over time, defenders can identify suspicious patterns such as unexpected workflow creation on developer workstations, modifications outside normal change windows, or activity in repositories that don't typically contain workflows. This data is essential for detecting supply chain attacks like Shai-Hulud that inject malicious workflows across multiple repositories.
- IcedID Exfiltrated Archived File Creation source: The following analytic detects the creation of suspicious files named passff.tar and cookie.tar, which are indicative of archived stolen browser information such as history and cookies on a machine compromised with IcedID. It leverages Sysmon EventCode 11 to identify these specific filenames. This activity is significant because it suggests that sensitive browser data has been exfiltrated, which could lead to further exploitation or data breaches. If confirmed malicious, this could allow attackers to access personal information, conduct further phishing attacks, or escalate their presence within the network.
- LLM Model File Creation source: Detects the creation of Large Language Model (LLM) files on Windows endpoints by monitoring file creation events for specific model file formats and extensions commonly used by local AI frameworks. This detection identifies potential shadow AI deployments, unauthorized model downloads, and rogue LLM infrastructure by detecting file creation patterns associated with quantized models (.gguf, .ggml), safetensors model format files, and Ollama Modelfiles. These file types are characteristic of local inference frameworks such as Ollama, llama.cpp, GPT4All, LM Studio, and similar tools that enable running LLMs locally without cloud dependencies. Organizations can use this detection to identify potential data exfiltration risks, policy violations related to unapproved AI usage, and security blind spots created by decentralized AI deployments that bypass enterprise governance and monitoring.
- Msmpeng Application DLL Side Loading source: The following analytic detects the suspicious creation of msmpeng.exe or mpsvc.dll in non-default Windows Defender folders. It leverages the Endpoint.Filesystem datamodel to identify instances where these files are created outside their expected directories. This activity is significant because it is associated with the REvil ransomware, which uses DLL side-loading to execute malicious payloads. If confirmed malicious, this could lead to ransomware deployment, resulting in data encryption, system compromise, and potential data loss or extortion.
Kusto Query Language # view in reference
- Credential Dumping Tools - File Artifacts source high: 'This query detects the creation of credential dumping tools files. Several credential dumping tools export files with hardcoded file names. Ref: https://jpcertcc.github.io/ToolAnalysisResultSheet/'
References #
Event ID 12 — RegistryEvent (Object create and delete)
Description #
Registry key and value create and delete operations map to this event type.
Message #
Fields #
| Name | Description |
|---|---|
| RuleName UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
| EventType UnicodeString → string | Registry event. Either Create or Delete |
| UtcTime UnicodeString → string | Time in UTC when event was created |
| ProcessGuid GUID → GUID | Process GUID of the process that created or deleted a registry key |
| ProcessId UInt32 → PID | Process ID used by the OS to identify the process that created or deleted a registry key |
| Image UnicodeString → string | File path of the process that created or deleted a registry key |
| TargetObject UnicodeString → string | Complete path of the registry key |
| User UnicodeString → string | The name of the account that created or deleted a registry key or value |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 12,
    "version": 2,
    "level": 4,
    "task": 12,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T02:04:32.928398+00:00",
    "event_record_id": 1441161,
    "correlation": {},
    "execution": {
      "process_id": 7064,
      "thread_id": 9788
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "EventType": "CreateKey",
    "UtcTime": "2023-11-06 02:04:32.913",
    "ProcessGuid": "E56ADA26-1870-6548-C000-000000000D00",
    "ProcessId": 7484,
    "Image": "C:\\Windows\\System32\\svchost.exe",
    "TargetObject": "HKU\\S-1-5-21-1992711665-1655669231-58201500-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\StorageSense\\Parameters\\StoragePolicy",
    "User": "NT AUTHORITY\\SYSTEM"
  },
  "message": ""
}
```
Detection Patterns #
- 36 rules: Sigma (29), Splunk, Kusto Query Language
- 21 rules: Sigma (11), Splunk, Kusto Query Language
- Uac Bypass: 5 rules (Kusto Query Language)
- Defense Evasion: Modify Registry
Detection Rules #
Sigma # view in reference
- Potential Persistence Via Disk Cleanup Handler - Registry source medium: Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
Splunk # view in reference
- Windows Modify Registry Delete Firewall Rules source: The following analytic detects a potential deletion of firewall rules, indicating a possible security breach or unauthorized access attempt. It identifies actions where firewall rules are removed using commands like netsh advfirewall firewall delete rule, which can expose the network to external threats by disabling critical security measures. Monitoring these activities helps maintain network integrity and prevent malicious attacks.
- Windows Registry Delete Task SD source: The following analytic detects a process attempting to delete a scheduled task's Security Descriptor (SD) from the registry path of that task. It leverages the Endpoint.Registry data model to identify registry actions performed by the SYSTEM user, specifically targeting deletions of the SD value. This activity is significant as it may indicate an attempt to remove evidence of a scheduled task for defense evasion. If confirmed malicious, it suggests an attacker with privileged access trying to hide their tracks, potentially compromising system integrity and security.
- Windows RunMRU Registry Key or Value Deleted source: The following analytic detects the deletion or modification of Most Recently Used (MRU) command entries stored within the Windows Registry. Adversaries often clear these registry keys, such as HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, to remove forensic evidence of commands executed via the Windows Run dialog or other system utilities. This activity aims to obscure their actions, hinder incident response efforts, and evade detection. Detection focuses on monitoring for changes (deletion of values or modification of the MRUList value) to these specific registry paths, particularly when performed by unusual processes or outside of typical user behavior. Anomalous deletion events can indicate an attempt at defense evasion or post-exploitation cleanup by a malicious actor.
References #
Event ID 13 — RegistryEvent (Value Set)
Description #
This Registry event type identifies Registry value modifications.
Message #
Fields #
| Name | Description |
|---|---|
| RuleName UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
| EventType UnicodeString → string | Registry value modification event |
| UtcTime UnicodeString → string | Time in UTC when event was created |
| ProcessGuid GUID → GUID | Process GUID of the process that modified a registry value |
| ProcessId UInt32 → PID | Process ID used by the OS to identify the process that modified a registry value |
| Image UnicodeString → string | File path of the process that modified a registry value |
| TargetObject UnicodeString → string | Complete path of the registry key |
| Details UnicodeString → string | Details added to the registry key |
| User UnicodeString → string | The name of the account that modified a registry value |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 13,
    "version": 2,
    "level": 4,
    "task": 13,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T02:04:35.731741+00:00",
    "event_record_id": 1441174,
    "correlation": {},
    "execution": {
      "process_id": 7064,
      "thread_id": 9788
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "EventType": "SetValue",
    "UtcTime": "2023-11-06 02:04:35.723",
    "ProcessGuid": "E56ADA26-2AFD-6548-9704-000000000D00",
    "ProcessId": 10860,
    "Image": "C:\\Windows\\explorer.exe",
    "TargetObject": "HKU\\S-1-5-21-1992711665-1655669231-58201500-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA",
    "Details": "Binary Data",
    "User": "WINDEV2310EVAL\\User"
  },
  "message": ""
}
```
Detection Patterns #
- 36 rules: Sigma (29), Splunk, Kusto Query Language
- 21 rules: Sigma (11), Splunk, Kusto Query Language
- Defense Evasion: Modify Registry: 8 rules (Sigma)
- Uac Bypass: 5 rules (Kusto Query Language)
- Defense Evasion: Impair Defenses: 1 rule (Kusto Query Language)
Detection Rules #
Sigma # view in reference
- Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback source medium: Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
- Registry Persistence via Service in Safe Mode source high: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
- Add Port Monitor Persistence in Registry source medium: Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
- Add Debugger Entry To AeDebug For Persistence source medium: Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes
- Allow RDP Remote Assistance Feature source medium: Detects enabling of the RDP feature to allow a specific user to connect via RDP to the targeted machine
- Potential AMSI COM Server Hijacking source high: Detects changes to the AMSI COM server registry key in order to disable AMSI scanning functionalities. When AMSI attempts to start its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
- AMSI Disabled via Registry Modification source high: Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value. Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content. Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.
- Classes Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
- Common Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
- CurrentControlSet Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
- CurrentVersion Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
- CurrentVersion NT Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
- Internet Explorer Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
- Office Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
- Session Manager Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
- System Scripts Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
- WinSock2 Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
- Wow6432Node CurrentVersion Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
- Wow6432Node Classes Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
- Wow6432Node Windows NT CurrentVersion Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
Splunk # view in reference
- Active Setup Registry Autostart source: The following analytic detects suspicious modifications to the Active Setup registry for persistence and privilege escalation. It leverages data from the Endpoint.Registry data model, focusing on changes to the "StubPath" value within the "SOFTWARE\\Microsoft\\Active Setup\\Installed Components" path. This activity is significant as it is commonly used by malware, adware, and APTs to maintain persistence on compromised machines. If confirmed malicious, this could allow attackers to execute code upon system startup, potentially leading to further system compromise and unauthorized access.
- Allow Inbound Traffic By Firewall Rule Registry source: The following analytic detects suspicious modifications to firewall rule registry settings that allow inbound traffic on specific ports with a public profile. It leverages data from the Endpoint.Registry data model, focusing on registry paths and values indicative of such changes. This activity is significant as it may indicate an adversary attempting to grant remote access to a machine by modifying firewall rules. If confirmed malicious, this could enable unauthorized remote access, potentially leading to further exploitation, data exfiltration, or lateral movement within the network.
- Allow Operation with Consent Admin source: The following analytic detects a registry modification that allows the 'Consent Admin' to perform operations requiring elevation without user consent or credentials. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the 'ConsentPromptBehaviorAdmin' value within the Windows Policies System registry path. This activity is significant as it indicates a potential privilege escalation attempt, which could allow an attacker to execute high-privilege tasks without user approval. If confirmed malicious, this could lead to unauthorized administrative access and control over the compromised machine, posing a severe security risk.
- Auto Admin Logon Registry Entry source: The following analytic detects a suspicious registry modification that enables auto admin logon on a host. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the "AutoAdminLogon" value within the "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" registry path. This activity is significant because it was observed in BlackMatter ransomware attacks to maintain access after a safe mode reboot, facilitating further encryption. If confirmed malicious, this could allow attackers to automatically log in and continue their operations, potentially leading to widespread network encryption and data loss.
- Detect Remote Access Software Usage Registry source: The following analytic detects when a known remote access software is added to common persistence locations on a device within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others.
- Disable AMSI Through Registry source: The following analytic detects modifications to the Windows registry that disable the Antimalware Scan Interface (AMSI) by setting the "AmsiEnable" value to "0x00000000". This detection leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows Script\\Settings\\AmsiEnable". Disabling AMSI is significant as it is a common technique used by ransomware, Remote Access Trojans (RATs), and Advanced Persistent Threats (APTs) to evade detection and impair defenses. If confirmed malicious, this activity could allow attackers to execute payloads with minimal alerts, leading to potential system compromise and data exfiltration.
- Disable Defender AntiVirus Registry source: The following analytic detects the modification of Windows Defender registry settings to disable antivirus and antispyware protections. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with Windows Defender policies. This activity is significant because disabling antivirus protections is a common tactic used by adversaries to evade detection and maintain persistence on compromised systems. If confirmed malicious, this action could allow attackers to execute further malicious activities undetected, leading to potential data breaches, system compromise, and further propagation of malware within the network.
- Disable Defender BlockAtFirstSeen Feature source: The following analytic detects the modification of the Windows registry to disable the Windows Defender BlockAtFirstSeen feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet and the DisableBlockAtFirstSeen value. This activity is significant because disabling this feature can allow malicious files to bypass initial detection by Windows Defender, increasing the risk of malware infection. If confirmed malicious, this action could enable attackers to execute malicious code undetected, leading to potential system compromise and data breaches.
- Disable Defender Enhanced Notification source: The following analytic detects the modification of the registry to disable Windows Defender's Enhanced Notification feature. It leverages data from Endpoint Detection and Response (EDR) agents, specifically monitoring changes to the registry path associated with Windows Defender reporting. This activity is significant because disabling Enhanced Notifications can prevent users and administrators from receiving critical security alerts, potentially allowing malicious activities to go unnoticed. If confirmed malicious, this action could enable an attacker to bypass detection mechanisms, maintain persistence, and escalate their activities without triggering alerts.
- Disable Defender MpEngine Registry source: The following analytic detects the modification of the Windows Defender MpEngine registry value, specifically setting MpEnablePus to 0x00000000. This detection leverages endpoint registry logs, focusing on changes within the path "*\\Policies\\Microsoft\\Windows Defender\\MpEngine*". This activity is significant as it indicates an attempt to disable key Windows Defender features, potentially allowing malware to evade detection. If confirmed malicious, this could lead to undetected malware execution, persistence, and further system compromise. Immediate investigation and endpoint isolation are recommended.
- Disable Defender Spynet Reporting source: The following analytic detects the modification of the registry to disable Windows Defender SpyNet reporting. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet settings. This activity is significant because disabling SpyNet reporting can prevent Windows Defender from sending telemetry data, potentially allowing malicious activities to go undetected. If confirmed malicious, this action could enable an attacker to evade detection, maintain persistence, and carry out further attacks without being flagged by Windows Defender.
- Disable Defender Submit Samples Consent Feature source: The following analytic detects the modification of the Windows registry to disable the Windows Defender Submit Samples Consent feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet and the SubmitSamplesConsent value set to 0x00000000. This activity is significant as it indicates an attempt to bypass or evade detection by preventing Windows Defender from submitting samples for further analysis. If confirmed malicious, this could allow an attacker to execute malicious code without being detected by Windows Defender, leading to potential system compromise.
- Disable ETW Through Registry source: The following analytic detects modifications to the registry that disable the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled" with a value set to "0x00000000". This activity is significant because disabling ETW can allow attackers to evade detection mechanisms, making it harder for security tools to monitor malicious activities. If confirmed malicious, this could enable attackers to execute payloads with minimal alerts, impairing defenses and potentially leading to further compromise of the system.
- Disable Registry Tool source: The following analytic detects modifications to the Windows registry aimed at disabling the Registry Editor (regedit). It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools" with a value of "0x00000001". This activity is significant because malware, such as RATs or trojans, often disable registry tools to prevent the removal of their entries, aiding in persistence and defense evasion. If confirmed malicious, this could hinder incident response efforts and allow the attacker to maintain control over the compromised system.
- Disable Security Logs Using MiniNt Registry source: The following analytic detects a suspicious registry modification aimed at disabling security audit logs by adding a specific registry entry. It leverages data from the Endpoint.Registry data model, focusing on changes to the "Control\\MiniNt" registry path. This activity is significant because it can prevent Windows from logging any events to the Security Log, effectively blinding security monitoring efforts. If confirmed malicious, this technique could allow an attacker to operate undetected, making it difficult to trace their actions and compromising the integrity of security audits.
- Disable Show Hidden Files source: The following analytic detects modifications to the Windows registry that disable the display of hidden files. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with hidden file settings. This activity is significant because malware, such as worms and trojan spyware, often use hidden files to evade detection. If confirmed malicious, this behavior could allow an attacker to conceal malicious files on the system, making it harder for security tools and analysts to identify and remove the threat.
- Disable UAC Remote Restriction source: The following analytic detects the modification of the registry to disable UAC remote restriction by setting the "LocalAccountTokenFilterPolicy" value to "0x00000001". It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\CurrentVersion\\Policies\\System*". This activity is significant because disabling UAC remote restriction can allow an attacker to bypass User Account Control (UAC) protections, potentially leading to privilege escalation. If confirmed malicious, this could enable an attacker to execute unauthorized actions with elevated privileges, compromising the security of the affected system.
- Disable Windows App Hotkeys source: The following analytic detects a suspicious registry modification aimed at disabling Windows hotkeys for native applications. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values indicative of this behavior. This activity is significant as it can impair an analyst's ability to use essential tools like Task Manager and Command Prompt, hindering incident response efforts. If confirmed malicious, this technique can allow an attacker to maintain persistence and evade detection, complicating the remediation process.
- Disable Windows Behavior Monitoring source: The following analytic identifies modifications in the registry to disable Windows Defender's real-time behavior monitoring. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with Windows Defender settings. This activity is significant because disabling real-time protection is a common tactic used by malware such as RATs, bots, or Trojans to evade detection. If confirmed malicious, this action could allow an attacker to execute code, escalate privileges, or persist in the environment without being detected by antivirus software.
- Disable Windows SmartScreen Protection source: The following analytic detects modifications to the Windows registry that disable SmartScreen protection. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with SmartScreen settings. This activity is significant because SmartScreen provides an early warning system against phishing and malware. Disabling it can indicate malicious intent, often seen in Remote Access Trojans (RATs) to evade detection while downloading additional payloads. If confirmed malicious, this action could allow attackers to bypass security measures, increasing the risk of successful phishing attacks and malware infections.
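The registry-value rules above (Event ID 13, for example "Disable AMSI Through Registry", "Disable ETW Through Registry", "Disable Registry Tool" and "Disable UAC Remote Restriction") and the Event ID 12 rule "Windows RunMRU Registry Key or Value Deleted" all reduce to the same check: match `EventType`, the tail of `TargetObject`, and, for SetValue events, the DWORD carried in `Details`. The following is an added example of that logic run over constructed sample records; it is not code from Sysmon, Splunk, or any rule source. It assumes records shaped like the Example Event JSON above and that Sysmon renders DWORD data in `Details` as `DWORD (0x...)`; the `make_event`, `evaluate` and `scan` helpers and all sample values are the editor's own.

```python
import re

# Added example (not Sysmon's or the rule sources' own code). Assumes records
# shaped like the page's Example Event JSON and that Sysmon writes DWORD data
# in Details as "DWORD (0x00000001)".
DWORD_RE = re.compile(r"DWORD\s*\((0x[0-9A-Fa-f]+)\)")

def dword_value(details):
    """Parse a Sysmon Details field such as 'DWORD (0x00000001)' into an int.
    Returns None for non-DWORD data (e.g. 'Binary Data' in the example event)."""
    m = DWORD_RE.search(details or "")
    return int(m.group(1), 16) if m else None

# Event ID 13 (SetValue) patterns: rule name, TargetObject suffix, expected DWORD.
# Paths and values are the ones quoted in the Splunk rule descriptions above.
SET_VALUE_RULES = [
    ("Disable AMSI Through Registry",
     r"\SOFTWARE\Microsoft\Windows Script\Settings\AmsiEnable", 0),
    ("Disable ETW Through Registry",
     r"\SOFTWARE\Microsoft\.NETFramework\ETWEnabled", 0),
    ("Disable Registry Tool",
     r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 1),
    ("Disable UAC Remote Restriction",
     r"\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy", 1),
]

# Event ID 12 (DeleteKey/DeleteValue) pattern from the RunMRU rule.
RUNMRU_RULE = "Windows RunMRU Registry Key or Value Deleted"
RUNMRU_PATH = r"\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

def evaluate(event):
    """Return the names of the patterns above that one Sysmon record matches."""
    event_id = event.get("system", {}).get("event_id")
    data = event.get("event_data", {})
    target = data.get("TargetObject", "").lower()  # registry paths are case-insensitive
    event_type = data.get("EventType", "")
    hits = []
    if event_id == 13 and event_type == "SetValue":
        value = dword_value(data.get("Details"))
        for name, suffix, expected in SET_VALUE_RULES:
            if target.endswith(suffix.lower()) and value == expected:
                hits.append(name)
        # The RunMRU rule also covers modification of the MRUList value.
        if target.endswith((RUNMRU_PATH + r"\MRUList").lower()):
            hits.append(RUNMRU_RULE)
    elif event_id == 12 and event_type in ("DeleteKey", "DeleteValue"):
        if RUNMRU_PATH.lower() in target:
            hits.append(RUNMRU_RULE)
    return hits

def scan(events):
    """Evaluate a batch of records; returns (Image, TargetObject, rule) triples."""
    return [(e["event_data"]["Image"], e["event_data"]["TargetObject"], rule)
            for e in events for rule in evaluate(e)]

def make_event(event_id, event_type, image, target, details=None):
    """Build a minimal record in the shape of the example events on this page.
    All values are constructed sample data."""
    data = {"EventType": event_type, "Image": image, "TargetObject": target,
            "User": "WINDEV2310EVAL\\User"}
    if details is not None:
        data["Details"] = details
    return {"system": {"provider": "Microsoft-Windows-Sysmon", "event_id": event_id},
            "event_data": data}

# Constructed sample telemetry: three records should match, two should not.
SAMPLE_EVENTS = [
    make_event(13, "SetValue", r"C:\Windows\System32\reg.exe",
               r"HKLM\SOFTWARE\Microsoft\Windows Script\Settings\AmsiEnable",
               "DWORD (0x00000000)"),
    make_event(13, "SetValue", r"C:\Windows\System32\reg.exe",
               r"HKLM\SOFTWARE\Microsoft\Windows Script\Settings\AmsiEnable",
               "DWORD (0x00000001)"),  # value restored to 1: not a disable
    make_event(12, "DeleteValue", r"C:\Windows\explorer.exe",
               r"HKU\S-1-5-21-1992711665-1655669231-58201500-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a"),
    make_event(12, "CreateKey", r"C:\Windows\System32\svchost.exe",
               r"HKU\S-1-5-21-1992711665-1655669231-58201500-1000\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy"),
    make_event(13, "SetValue", r"C:\Windows\regedit.exe",
               r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
               "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for image, target, rule in scan(SAMPLE_EVENTS):
        print(f"{rule}: {image} -> {target}")
```

Matching on the tail of `TargetObject` rather than the full path keeps the check hive-independent (the same value shows up under `HKLM\...` and under the per-user `HKU\S-1-5-21-...` paths Sysmon emits), and comparing the parsed DWORD rather than the raw string avoids firing when a value is set back to its protective default, as the second sample record shows.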
Kusto Query Language # view in reference
- DSRM Account Abuse source high: 'This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization's Active Directory. Ref: https://adsecurity.org/?p=1785'
- Registry Persistence via AppCert DLL Modification source medium: 'Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. Ref: https://attack.mitre.org/techniques/T1546/009/'
- Registry Persistence via AppInit DLLs Modification source medium: 'Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. Ref: https://attack.mitre.org/techniques/T1546/010/'
- WDigest downgrade attack source medium: 'When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory. Ref: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753'
References #
Event ID 14 — RegistryEvent (Key and Value Rename)
#Description
Registry key and value rename operations map to this event type.
Message #
Fields #
| Name | Description |
|---|---|
| EventType UnicodeString → string | Registry event. Registry key and value renamed |
| UtcTime UnicodeString → string | Time in UTC when event was created |
| ProcessGuid GUID → GUID | Process GUID of the process that renamed a registry value and key |
| ProcessId UInt32 → PID | Process ID used by the OS to identify the process that renamed a registry value and key |
| Image UnicodeString → string | File path of the process that renamed a registry value and key |
| TargetObject UnicodeString → string | Complete path of the registry key |
| NewName UnicodeString → string | New name of the registry key |
| RuleName UnicodeString → string | — |
| User UnicodeString → string | — |
Detection Patterns #
- 36 rules: Sigma (29), Splunk, Kusto Query Language
- Defense Evasion: Modify Registry, 8 rules: Sigma
- Uac Bypass, 5 rules: Kusto Query Language
Detection Rules #
Sigma # view in reference
- Delete Defender Scan ShellEx Context Menu Registry Key source medium: Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
- Windows Credential Guard Related Registry Value Deleted - Registry source high: Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
- Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted source medium: Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
- Folder Removed From Exploit Guard ProtectedFolders List - Registry source high: Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder.
- Terminal Server Client Connection History Cleared - Registry source high: Detects the deletion of registry keys containing the MSTSC connection history
- Removal Of AMSI Provider Registry Keys source high: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
- Removal of Potential COM Hijacking Registry Keys source medium: Detects any deletion of entries in ".*\shell\open\command" registry keys. These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
- RunMRU Registry Key Deletion - Registry source high: Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog. In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands. Adversaries may delete this key to cover their tracks after executing commands.
- Removal Of Index Value to Hide Schedule Task - Registry source medium: Detects when the "index" value of a scheduled task is removed or deleted from the registry, which effectively hides it from tooling such as "schtasks /query".
- Removal Of SD Value to Hide Schedule Task - Registry source medium: Detects removal of the SD (Security Descriptor) value in the \Schedule\TaskCache\Tree registry hive to hide a scheduled task. This technique is used by Tarrask malware.
References #
Event ID 15 — FileCreateStreamHash
#Description
This event logs when a named file stream is created.
Message #
Fields #
| Name | Description |
|---|---|
| RuleName UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
| UtcTime UnicodeString → string | Time in UTC when event was created |
| ProcessGuid GUID → GUID | Process GUID of the process that created the named file stream |
| ProcessId UInt32 → PID | Process ID used by the OS to identify the process that created the named file stream |
| Image UnicodeString → string | File path of the process that created the named file stream |
| TargetFilename UnicodeString → string | Name of the file |
| CreationUtcTime UnicodeString → string | File download time |
| Hash UnicodeString → string | Hash of the file contents using the algorithms specified in the HashType field |
| Contents UnicodeString → string | Content of the named file stream (e.g., Zone.Identifier) |
| User UnicodeString → string | — |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 15,
    "version": 2,
    "level": 4,
    "task": 15,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T01:51:44.967041+00:00",
    "event_record_id": 1389495,
    "correlation": {},
    "execution": {
      "process_id": 7064,
      "thread_id": 9788
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2023-11-06 01:51:44.960",
    "ProcessGuid": "E56ADA26-46AE-6548-E90A-000000000D00",
    "ProcessId": 21364,
    "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    "TargetFilename": "C:\\Users\\User\\Downloads\\b91cbd9e6f39cecc89fce0e6aaed8cd9ace56a7c.pdf:Zone.Identifier",
    "CreationUtcTime": "2023-11-06 01:51:40.569",
    "Hash": "SHA1=ACEF7488AD1488562925D97A333EE75A91F583A9,MD5=C9D406793D9E74FE319B9E6204D278B4,SHA256=D40F403A0C6E5448F3E5C4B339FE583C50A8BCF7FF2DA26E6A2F01DF62CD965C,IMPHASH=00000000000000000000000000000000",
    "Contents": "[ZoneTransfer] ZoneId=3 ReferrerUrl=https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/b91cbd9e6f39cecc89fce0e6aaed8cd9ace56a7c.pdf HostUrl=https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/b91cbd9e6f39cecc89fce0e6aaed8cd9ace56a7c.pdf ",
    "User": "WINDEV2310EVAL\\User"
  },
  "message": ""
}
```
Community Notes #
May contain Mark of the Web, referrer, and host URL data.
Detection Rules #
Sigma # view in reference
- Hidden Executable In NTFS Alternate Data Stream source medium: Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
- Creation Of a Suspicious ADS File Outside a Browser Download source medium: Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers
- Suspicious File Download From File Sharing Websites - File Stream source high: Detects the download of suspicious file type from a well-known file and paste sharing domain
- Unusual File Download From File Sharing Websites - File Stream source medium: Detects the download of suspicious file type from a well-known file and paste sharing domain
- HackTool Named File Stream Created source high: Detects the creation of a named file stream with the imphash of a well-known hack tool
- Exports Registry Key To an Alternate Data Stream source high: Exports the target Registry key and hides it in the specified alternate data stream.
- Unusual File Download from Direct IP Address source high: Detects the download of suspicious file type from URLs with IP
- Potential Suspicious Winget Package Installation source high: Detects potential suspicious winget package installation from a suspicious source.
- Potentially Suspicious File Download From ZIP TLD source high: Detects the download of a file with a potentially suspicious extension from a .zip top level domain.
Splunk # view in reference
- Download Files Using Telegram source: The following analytic detects suspicious file downloads by the Telegram application on a Windows system. It leverages Sysmon EventCode 15 to identify instances where Telegram.exe creates files with a Zone.Identifier, indicating a download. This activity is significant as it may indicate an adversary using Telegram to download malicious tools, such as network scanners, for further exploitation. If confirmed malicious, this behavior could lead to network mapping, lateral movement, and potential compromise of additional systems within the network.
- Windows Alternate DataStream - Base64 Content source: The following analytic detects the creation of Alternate Data Streams (ADS) with Base64 content on Windows systems. It leverages Sysmon EventID 15, which captures file creation events, including the content of named streams. ADS can conceal malicious payloads, making them significant for SOC monitoring. This detection identifies hidden streams that may contain executables, scripts, or configuration data, often used by malware to evade detection. If confirmed malicious, this activity could allow attackers to hide and execute payloads, persist in the environment, or access sensitive information without being easily detected.
- Windows Alternate DataStream - Executable Content source: The following analytic detects the writing of data with an IMPHASH value to an Alternate Data Stream (ADS) in the NTFS file system. It leverages Sysmon Event ID 15 and regex to identify files with a Portable Executable (PE) structure. This activity is significant as it may indicate a threat actor staging malicious code in hidden areas for persistence or future execution. If confirmed malicious, this could allow attackers to execute hidden code, maintain persistence, or escalate privileges within the environment.
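The rules above share a few checks on the Event ID 15 fields: a non-zero IMPHASH in Hash (a PE was written to the stream), a Zone.Identifier created by something other than a browser, and a HostUrl pointing at a bare IP address. The following is an added Python example, not code from this page, from Sysmon or from any of the rule sets listed; it parses the Hash and Contents fields and evaluates those checks over three constructed event_data records modelled on the example event above. The browser allowlist and the "risky extension" list are assumptions for illustration.

```python
import ipaddress
import ntpath
import re
from urllib.parse import urlsplit

# Constructed Sysmon Event ID 15 records (event_data only), modelled on the
# example event above. Hashes, paths and URLs are sample values, not captures.
SAMPLE_EVENTS = [
    {   # browser download of a PDF with a normal Mark-of-the-Web: nothing to raise
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "TargetFilename": r"C:\Users\User\Downloads\report.pdf:Zone.Identifier",
        "Hash": "SHA256=" + "A" * 64 + ",IMPHASH=" + "0" * 32,
        "Contents": "[ZoneTransfer] ZoneId=3 ReferrerUrl=https://files.example/report.pdf HostUrl=https://files.example/report.pdf ",
    },
    {   # cmd.exe wrote a Zone.Identifier for an .exe fetched from an IP literal
        "Image": r"C:\Windows\System32\cmd.exe",
        "TargetFilename": r"C:\Users\User\AppData\Local\Temp\update.exe:Zone.Identifier",
        "Hash": "SHA256=" + "B" * 64 + ",IMPHASH=" + "0" * 32,
        "Contents": "[ZoneTransfer] ZoneId=3 HostUrl=http://203.0.113.7/update.exe ",
    },
    {   # a PE written into a custom stream of a text file: IMPHASH is not all zeros
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetFilename": r"C:\Users\User\Documents\notes.txt:payload",
        "Hash": "SHA256=" + "C" * 64 + ",IMPHASH=0F3C0E3D4B5A6978859A0B1C2D3E4F50",
        "Contents": "",
    },
]

# Assumed allowlist of browser images expected to write Zone.Identifier streams
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe", "iexplore.exe"}
# Assumed list of extensions worth flagging when the file came from the Internet zone
RISKY_EXTENSIONS = (".exe", ".dll", ".js", ".hta", ".lnk", ".iso", ".vbs", ".scr")
_ZERO_IMPHASH = "0" * 32


def parse_hash_field(hash_field):
    """Split 'SHA1=..,MD5=..,IMPHASH=..' into a dict keyed by algorithm name."""
    hashes = {}
    for part in hash_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            hashes[algo.strip().upper()] = value.strip().upper()
    return hashes


def parse_zone_transfer(contents):
    """Parse the Mark-of-the-Web text in Contents into a dict (ZoneId as int)."""
    text = contents.replace("[ZoneTransfer]", " ")
    fields = dict(re.findall(r"(\w+)=(\S+)", text))
    if "ZoneId" in fields:
        fields["ZoneId"] = int(fields["ZoneId"])
    return fields


def split_stream(target_filename):
    """Return (file path, stream name) for 'C:\\path\\file.ext:Stream'."""
    # Skip the drive-letter colon so 'C:' is not mistaken for the stream separator
    drive, rest = ntpath.splitdrive(target_filename)
    if ":" in rest:
        path, stream = rest.split(":", 1)
        return drive + path, stream
    return target_filename, ""


def host_is_ip(url):
    """True when the URL's host is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False


def triage(event):
    """Return the findings an analyst would want raised for one Event ID 15 record."""
    findings = []
    hashes = parse_hash_field(event.get("Hash", ""))
    path, stream = split_stream(event["TargetFilename"])
    image = ntpath.basename(event["Image"]).lower()
    imphash = hashes.get("IMPHASH")
    if imphash and imphash != _ZERO_IMPHASH:
        findings.append("executable_in_ads")          # PE content landed in a stream
    if stream.lower() == "zone.identifier":
        motw = parse_zone_transfer(event.get("Contents", ""))
        if image not in BROWSERS:
            findings.append("zone_identifier_from_non_browser")
        if host_is_ip(motw.get("HostUrl", "")):
            findings.append("download_from_ip_literal")
        if motw.get("ZoneId") == 3 and path.lower().endswith(RISKY_EXTENSIONS):
            findings.append("internet_zone_risky_extension")   # ZoneId 3 = Internet
    return findings


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ntpath.basename(ev["Image"]), "->", triage(ev) or "no findings")
```

Feed it the decoded event_data object of each Event ID 15 record; the first sample (a browser PDF download) produces no findings, the second produces three, and the third is caught by the IMPHASH check alone, which is the same signal the "Hidden Executable In NTFS Alternate Data Stream" rule relies on.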
References #
Event ID 16 — ServiceConfigurationChange
#Description
This event logs changes in the Sysmon configuration.
Message #
Fields #
| Name | Description |
|---|---|
| UtcTime UnicodeString → string | Time in UTC when event was created |
| Configuration UnicodeString → string | Name of the Sysmon config file being updated |
| ConfigurationFileHash UnicodeString → string | Hash (SHA1) of the Sysmon config file being updated |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 16,
    "version": 3,
    "level": 4,
    "task": 16,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T00:47:11.932399+00:00",
    "event_record_id": 994662,
    "correlation": {},
    "execution": {
      "process_id": 8688,
      "thread_id": 13092
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "UtcTime": "2023-11-06 00:47:11.921",
    "Configuration": "C:\\Users\\User\\Downloads\\Sysmon\\sysmonconfig-trace.xml",
    "ConfigurationFileHash": "SHA256=43F367924B48AF65F121C0D369E7971C0757CC35D984C71887A5840987E154F9"
  },
  "message": ""
}
```
Detection Patterns #
- Defense Evasion: Hide Artifacts, 1 rule
Community Notes #
May indicate an attacker attempting to reduce visibility prior to staging a payload.
Detection Rules #
Sigma # view in reference
- Sysmon Configuration Change source medium: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying to manipulate the configuration.
References #
Event ID 17 — PipeEvent (Pipe Created)
#Description
This event generates when a named pipe is created.
Message #
Fields #
| Name | Description |
|---|---|
| RuleName UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
| EventType UnicodeString → string | The type of pipe event (CreatePipe) |
| UtcTime UnicodeString → string | Time in UTC when event was created |
| ProcessGuid GUID → GUID | Process GUID of the process that created the pipe |
| ProcessId UInt32 → PID | Process ID used by the OS to identify the process that created the pipe |
| PipeName UnicodeString → string | Name of the pipe created |
| Image UnicodeString → string | File path of the process that created the pipe |
| User UnicodeString → string | The name of the account that created the named pipe |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 17,
    "version": 1,
    "level": 4,
    "task": 17,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T02:02:24.642500+00:00",
    "event_record_id": 1433023,
    "correlation": {},
    "execution": {
      "process_id": 7064,
      "thread_id": 9788
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "EventType": "CreatePipe",
    "UtcTime": "2023-11-06 02:02:24.630",
    "ProcessGuid": "E56ADA26-1A27-6548-3001-000000000D00",
    "ProcessId": 876,
    "PipeName": "\\LOCAL\\mojo.876.3204.14485637353733294330",
    "Image": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\119.0.2151.44\\msedgewebview2.exe",
    "User": "WINDEV2310EVAL\\User"
  },
  "message": ""
}
```
Detection Patterns #
- Named Pipe, 23 rules: Sigma (16), Splunk (5)
- Named Pipe, 19 rules: Sigma, Splunk (9)
- Named Pipe, 15 rules: Sigma, Splunk (6), Kusto Query Language
- Named Pipe, 13 rules: Sigma, Splunk (5)
Detection Rules #
Sigma # view in reference
- HackTool - DiagTrackEoP Default Named Pipe source critical: Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege. (Also matches Event ID 18: PipeEvent (Pipe Connected).)
Elastic # view in reference
- Privilege Escalation via Rogue Named Pipe Impersonation source high: Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.
References #
Event ID 18 — PipeEvent (Pipe Connected)
#Description
This event logs when a named pipe connection is made between a client and a server.
Message #
Fields #
| Name | Description |
|---|---|
| RuleName UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
| EventType UnicodeString → string | The type of pipe event (ConnectPipe) |
| UtcTime UnicodeString → string | Time in UTC when event was created |
| ProcessGuid GUID → GUID | Process GUID of the process that connected the pipe |
| ProcessId UInt32 → PID | Process ID used by the OS to identify the process that connected the pipe |
| PipeName UnicodeString → string | Name of the pipe connected |
| Image UnicodeString → string | File path of the process that connected the pipe |
| User UnicodeString → string | The name of the account that made a named pipe connection |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 18,
    "version": 1,
    "level": 4,
    "task": 18,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T02:04:25.137463+00:00",
    "event_record_id": 1441110,
    "correlation": {},
    "execution": {
      "process_id": 7064,
      "thread_id": 9788
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "EventType": "ConnectPipe",
    "UtcTime": "2023-11-06 02:04:25.084",
    "ProcessGuid": "E56ADA26-17F7-6548-5800-000000000D00",
    "ProcessId": 4404,
    "PipeName": "\\wkssvc",
    "Image": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
    "User": "NT AUTHORITY\\NETWORK SERVICE"
  },
  "message": ""
}
```
Detection Patterns #
- Named Pipe, 23 rules: Sigma (16), Splunk (5)
- Named Pipe, 19 rules: Sigma, Splunk (9)
- Named Pipe, 15 rules: Sigma, Splunk (6), Kusto Query Language
- Named Pipe, 13 rules: Sigma, Splunk (5)
- Collection: Data from Local System, 1 rule: Kusto Query Language
Detection Rules #
Sigma # view in reference
- HackTool - DiagTrackEoP Default Named Pipe source critical: Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege. (Also matches Event ID 17: PipeEvent (Pipe Created).)
Kusto Query Language # view in reference
- ADFS Database Named Pipe Connection source medium: This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). In order to use this query you need to be collecting Sysmon Event ID 18 (Pipe Connected). If you do not have Sysmon data in your workspace this query will raise an error stating: Failed to resolve scalar expression named "[@Name]"
References #
Event ID 19 — WmiEvent (WmiEventFilter activity detected)
#Description
When a WMI event filter is registered, this event logs the WMI namespace, filter name and filter expression.
Message #
Fields #
| Name | Description |
|---|---|
| RuleName UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
| EventType UnicodeString → string | WMI event type |
| UtcTime UnicodeString → string | Time in UTC when event was created |
| Operation UnicodeString → string | WMI event filter operation (e.g., Created) |
| User UnicodeString → string | User that created the WMI filter |
| EventNamespace UnicodeString → string | Event namespace where the WMI class is registered |
| Name UnicodeString → string | WMI filter name being created |
| Query UnicodeString → string | WMI filter query |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 19,
    "version": 3,
    "level": 4,
    "task": 19,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2019-07-19T14:54:57.044623Z",
    "event_record_id": 4055,
    "correlation": {},
    "execution": {
      "process_id": 2796,
      "thread_id": 1776
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "",
    "EventType": "WmiFilterEvent",
    "UtcTime": "2019-07-19 14:54:57.041",
    "Operation": "Created",
    "User": "MSEDGEWIN10\\IEUser",
    "EventNamespace": " \"root\\\\CimV2\"",
    "Name": " \"AtomicRedTeam-WMIPersistence-Example\"",
    "Query": " \"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325\""
  }
}
```
Detection Patterns #
- WMI Consumer
- Lateral Movement: Exploitation of Remote Services, 1 rule: Kusto Query Language
References #
Event ID 20 — WmiEvent (WmiEventConsumer activity detected)
#Description
This event logs the registration of WMI consumers.
Message #
Fields #
| Name | Description |
|---|---|
| RuleName UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
| EventType UnicodeString → string | WMI event type |
| UtcTime UnicodeString → string | Time in UTC when event was created |
| Operation UnicodeString → string | WMI consumer operation (e.g., Created, Deleted) |
| User UnicodeString → string | User that created the WMI consumer |
| Name UnicodeString → string | Name of the consumer created |
| Type UnicodeString → string | Type of WMI consumer |
| Destination UnicodeString → string | Destination or command executed by the WMI consumer |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 20,
    "version": 3,
    "level": 4,
    "task": 20,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2019-07-19T14:54:58.819106Z",
    "event_record_id": 4056,
    "correlation": {},
    "execution": {
      "process_id": 2796,
      "thread_id": 1776
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "",
    "EventType": "WmiConsumerEvent",
    "UtcTime": "2019-07-19 14:54:58.807",
    "Operation": "Created",
    "User": "MSEDGEWIN10\\IEUser",
    "Name": " \"AtomicRedTeam-WMIPersistence-Example\"",
    "Type": "Command Line",
    "Destination": " \"C:\\\\Windows\\\\System32\\\\notepad.exe\""
  }
}
```
Detection Patterns #
- WMI Consumer
- Lateral Movement: Exploitation of Remote Services, 1 rule: Kusto Query Language
Detection Rules #
Splunk # view in reference
- Detect WMI Event Subscription Persistence source: The following analytic identifies the creation of WMI Event Subscriptions, which can be used to establish persistence or perform privilege escalation. It detects EventID 19 (EventFilter creation), EventID 20 (EventConsumer creation), and EventID 21 (FilterToConsumerBinding creation) from Sysmon logs. This activity is significant because WMI Event Subscriptions can execute code with elevated SYSTEM privileges, making it a powerful persistence mechanism. If confirmed malicious, an attacker could maintain long-term access, escalate privileges, and execute arbitrary code, posing a severe threat to the environment.
References #
Event ID 21 — WmiEvent (WmiEventConsumerToFilter activity detected)
#Description
When a consumer binds to a filter, this event logs the consumer name and filter path.
Message #
Fields #
| Name | Description |
|---|---|
| RuleName UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
| EventType UnicodeString → string | WMI event type |
| UtcTime UnicodeString → string | Time in UTC when event was created |
| Operation UnicodeString → string | WMI consumer-to-filter binding operation (e.g., Created) |
| User UnicodeString → string | User that created the WMI consumer-to-filter binding |
| Consumer UnicodeString → string | Consumer created to bind |
| Filter UnicodeString → string | Filter created to bind |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 21,
    "version": 3,
    "level": 4,
    "task": 21,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2019-07-19T14:57:02.378480Z",
    "event_record_id": 4057,
    "correlation": {},
    "execution": {
      "process_id": 2796,
      "thread_id": 4356
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "",
    "EventType": "WmiBindingEvent",
    "UtcTime": "2019-07-19 14:57:02.369",
    "Operation": "Created",
    "User": "MSEDGEWIN10\\IEUser",
    "Consumer": " \"\\\\\\\\.\\\\ROOT\\\\subscription:CommandLineEventConsumer.Name=\\\"AtomicRedTeam-WMIPersistence-Example\\\"\"",
    "Filter": " \"\\\\\\\\.\\\\ROOT\\\\subscription:__EventFilter.Name=\\\"AtomicRedTeam-WMIPersistence-Example\\\"\""
  }
}
```
Detection Patterns #
- WMI Consumer
- Lateral Movement: Exploitation of Remote Services, 1 rule: Kusto Query Language
Community Notes #
May surface registration of WMI event-based auto-runs that survive reboots.
Detection Rules #
Splunk # view in reference
- WMI Permanent Event Subscription - Sysmon source: The following analytic identifies the creation of WMI permanent event subscriptions, which can be used to establish persistence or perform privilege escalation. It leverages Sysmon data, specifically EventCodes 19, 20, and 21, to detect the creation of WMI EventFilters, EventConsumers, and FilterToConsumerBindings. This activity is significant as it may indicate an attacker setting up mechanisms to execute code with elevated SYSTEM privileges when specific events occur. If confirmed malicious, this could allow the attacker to maintain persistence, escalate privileges, and execute arbitrary code, posing a severe threat to the environment.
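A permanent WMI subscription only exists once all three pieces are registered, so the Splunk rules above look at Event IDs 19, 20 and 21 together. The following is an added Python example, not code from this page, from Sysmon or from the Splunk content; it shows how the three records can be joined back into one subscription. It parses the quoted, backslash-doubled values Sysmon writes into the WMI fields (visible in the examples above), resolves the Consumer and Filter object paths of Event ID 21 to the names logged in Event IDs 19 and 20, and marks bindings whose consumer class executes commands or scripts. The sample records are constructed copies of this page's examples with only event_id and event_data kept; the set of consumer classes treated as code-executing is an assumption.

```python
import json
import re

# Constructed records in the shape of the Event ID 19/20/21 examples above
# (event_id plus event_data only; values follow the page's samples).
SAMPLE_EVENTS_JSON = r'''[
  {"event_id": 19, "event_data": {
    "EventType": "WmiFilterEvent", "Operation": "Created", "User": "MSEDGEWIN10\\IEUser",
    "EventNamespace": " \"root\\\\CimV2\"",
    "Name": " \"AtomicRedTeam-WMIPersistence-Example\"",
    "Query": " \"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325\""}},
  {"event_id": 20, "event_data": {
    "EventType": "WmiConsumerEvent", "Operation": "Created", "User": "MSEDGEWIN10\\IEUser",
    "Name": " \"AtomicRedTeam-WMIPersistence-Example\"",
    "Type": "Command Line",
    "Destination": " \"C:\\\\Windows\\\\System32\\\\notepad.exe\""}},
  {"event_id": 21, "event_data": {
    "EventType": "WmiBindingEvent", "Operation": "Created", "User": "MSEDGEWIN10\\IEUser",
    "Consumer": " \"\\\\\\\\.\\\\ROOT\\\\subscription:CommandLineEventConsumer.Name=\\\"AtomicRedTeam-WMIPersistence-Example\\\"\"",
    "Filter": " \"\\\\\\\\.\\\\ROOT\\\\subscription:__EventFilter.Name=\\\"AtomicRedTeam-WMIPersistence-Example\\\"\""}}
]'''

# Assumed: consumer classes that run arbitrary commands or scripts when triggered
CODE_EXECUTING_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}

# Matches '<Class>.Name="<instance>"' inside a WMI object path, tolerating the
# escaped quote Sysmon logs (e.g. CommandLineEventConsumer.Name=\"Example\")
_WMI_PATH_RE = re.compile(r'(\w+)\.Name=\\*"([^"\\]+)')


def unquote(value):
    """Strip the leading space and surrounding quotes Sysmon adds to WMI fields,
    and undo its doubling of backslashes in paths."""
    return value.strip().strip('"').replace("\\\\", "\\")


def parse_wmi_path(value):
    """Return (class, instance name) from a logged WMI object path."""
    match = _WMI_PATH_RE.search(value)
    if not match:
        raise ValueError("unrecognised WMI object path: %r" % value)
    return match.group(1), match.group(2)


def correlate(events):
    """Join Event ID 19/20/21 records into one dict per filter-to-consumer binding."""
    filters, consumers, bindings = {}, {}, []
    for ev in events:  # gather everything first; bindings may arrive out of order
        d = ev["event_data"]
        if ev["event_id"] == 19:
            filters[unquote(d["Name"])] = {
                "namespace": unquote(d["EventNamespace"]), "query": unquote(d["Query"])}
        elif ev["event_id"] == 20:
            consumers[unquote(d["Name"])] = {
                "type": d["Type"], "destination": unquote(d["Destination"])}
        elif ev["event_id"] == 21:
            bindings.append((d["User"], parse_wmi_path(d["Consumer"]), parse_wmi_path(d["Filter"])))
    subscriptions = []
    for user, (c_class, c_name), (f_class, f_name) in bindings:
        consumer = consumers.get(c_name, {})   # empty if the EID 20 record was not seen
        flt = filters.get(f_name, {})          # empty if the EID 19 record was not seen
        subscriptions.append({
            "user": user,
            "filter": f_name, "filter_class": f_class,
            "namespace": flt.get("namespace"), "query": flt.get("query"),
            "consumer": c_name, "consumer_class": c_class,
            "consumer_type": consumer.get("type"), "destination": consumer.get("destination"),
            "suspicious": c_class in CODE_EXECUTING_CONSUMERS,
        })
    return subscriptions


def load_sample():
    return json.loads(SAMPLE_EVENTS_JSON)


if __name__ == "__main__":
    for sub in correlate(load_sample()):
        flag = "SUSPICIOUS" if sub["suspicious"] else "ok"
        print(f"[{flag}] {sub['user']}: {sub['filter']} -> "
              f"{sub['consumer_class']} {sub['destination']!r}")
```

Keying the join on the instance name is what makes the binding useful: the Event ID 21 record alone tells you a CommandLineEventConsumer was bound, but only the joined Event ID 20 record says what it will run and only the Event ID 19 record says when.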
References #
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-21.yml
Event ID 22 — DNSEvent (DNS query)
#Description
This event is generated when a process executes a DNS query.
Message #
Fields #
| Name | Description |
|---|---|
| RuleName UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
| UtcTime UnicodeString → string | Time in UTC when event was created |
| ProcessGuid GUID → GUID | Process GUID of the process that executed the DNS query |
| ProcessId UInt32 → PID | Process ID of the process that executed the DNS query |
| QueryName UnicodeString → string | DNS query name |
| QueryStatus UnicodeString → string | DNS query status |
| QueryResults UnicodeString → string | DNS query results |
| Image UnicodeString → string | The full path related to the process that executed the DNS query |
| User UnicodeString → string | The name of the account that executes a DNS query |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 22,
    "version": 5,
    "level": 4,
    "task": 22,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T02:02:51.121401+00:00",
    "event_record_id": 1435196,
    "correlation": {},
    "execution": {
      "process_id": 7064,
      "thread_id": 14476
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2023-11-06 02:02:49.739",
    "ProcessGuid": "E56ADA26-3766-6548-3C07-000000000D00",
    "ProcessId": 15280,
    "QueryName": "ooo-updates.apache.org",
    "QueryStatus": "9701",
    "QueryResults": "-",
    "Image": "C:\\Program Files\\Avira\\Endpoint Protection SDK\\endpointprotection.exe",
    "User": "NT AUTHORITY\\SYSTEM"
  },
  "message": ""
}
```
Detection Patterns #
- Execution: Exploitation for Client Execution, 1 rule
Detection Rules #
Sigma # view in reference
- DNS Query for Anonfiles.com Domain - Sysmon source high: Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
- AppX Package Installation Attempts Via AppInstaller.EXE source medium: Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL
- Cloudflared Tunnels Related DNS Requests source medium: Detects DNS requests to Cloudflared tunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
- DNS Query To Common Malware Hosting and Shortener Services source medium: Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners. These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc. Such DNS activity can indicate potential delivery or command-and-control communication attempts.
- DNS Query To Devtunnels Domain source medium: Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
- DNS Server Discovery Via LDAP Query source low: Detects DNS server discovery via LDAP query requests from uncommon applications
- DNS Query To AzureWebsites.NET By Non-Browser Process source medium: Detects a DNS query by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
- DNS Query by Finger Utility source high: Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
- Notepad++ Updater DNS Query to Uncommon Domains source medium: Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure. This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
- DNS HybridConnectionManager Service Bus source high: Detects Azure Hybrid Connection Manager services querying the Azure service bus service
- Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing source high: Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
- Suspicious Cobalt Strike DNS Beaconing - Sysmon source critical: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
- DNS Query To MEGA Hosting Website source medium: Detects DNS queries for subdomains related to MEGA sharing website
- DNS Query Request To OneLaunch Update Service source low: Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed it will attempt to get updates from this domain.
- DNS Query Request By QuickAssist.EXE source low: Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
- DNS Query Request By Regsvr32.EXE source medium: Detects DNS queries initiated by "Regsvr32.exe"
- DNS Query To Remote Access Software Domain From Non-Browser App source medium: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
- Suspicious DNS Query for IP Lookup Service APIs source medium: Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non browser process.
- TeamViewer Domain Query By Non-TeamViewer Application source medium: Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
- DNS Query Tor .Onion Address - Sysmon source high: Detects DNS queries to an ".onion" address related to Tor routing networks
Splunk # view in reference
- Local LLM Framework DNS Query source: Detects DNS queries related to local LLM models on endpoints by monitoring Sysmon DNS query events (Event ID 22) for known LLM model domains and services. Local LLM frameworks like Ollama, LM Studio, and GPT4All make DNS calls to repositories such as huggingface.co and ollama.ai for model downloads, updates, and telemetry. These queries can reveal unauthorized AI tool usage or data exfiltration risks on corporate networks.
- Windows AI Platform DNS Query source: The following analytic detects DNS queries initiated by the Windows AI Platform to domains associated with Hugging Face, OpenAI, and other popular providers of machine learning models and services. Monitoring these DNS requests is important because it can reveal when systems are accessing external AI platforms, which may indicate the use of third-party AI resources or the transfer of sensitive data outside the organization’s environment. Detecting such activity enables organizations to enforce data governance policies, prevent unapproved use of external AI services, and maintain visibility into potential data exfiltration risks. Proactive monitoring provides better control over AI model usage and helps safeguard organizational data flows.
- Windows BitLockerToGo with Network Activity source: The following analytic detects suspicious usage of BitLockerToGo.exe, which has been observed being abused by Lumma stealer malware. The malware leverages this legitimate Windows utility to manipulate registry keys, search for cryptocurrency wallets and credentials, and exfiltrate sensitive data. This activity is significant because BitLockerToGo.exe provides functionality for viewing, copying, and writing files as well as modifying registry branches - capabilities that the Lumma stealer exploits for malicious purposes. If confirmed malicious, this could indicate an active data theft campaign targeting cryptocurrency wallets, browser credentials, and password manager archives. The detection focuses on identifying BitLockerToGo.exe execution patterns that deviate from normal system behavior.
- Windows DNS Query Request To TinyUrl source: The following analytic detects a process located in a potentially suspicious location making DNS queries to known URL shortening services, specifically tinyurl. URL shorteners are frequently used by threat actors to obfuscate malicious destinations, including phishing pages, malware distribution sites, or command-and-control (C2) endpoints. While tinyurl.com is a legitimate service, its use in enterprise environments—particularly by non-browser processes or scripts—should be considered suspicious, especially if correlated with subsequent outbound connections, file downloads, process file path or credential prompts. Analysts should investigate the source process, execution context, and destination domain to determine intent and risk.
- Windows Visual Basic Commandline Compiler DNSQuery source: The following analytic detects instances where vbc.exe, the Visual Basic Command Line Compiler, initiates DNS queries. Normally, vbc.exe operates locally to compile Visual Basic code and does not require internet access or to perform DNS lookups. Therefore, any observed DNS activity originating from vbc.exe is highly suspicious and indicative of potential malicious activity. This behavior often suggests that a malicious payload is masquerading as the legitimate vbc.exe process to establish command-and-control (C2) communication, resolve domains for data exfiltration, or download additional stages of malware. Security teams should investigate the process's parent, command-line arguments, and the resolved domains for further indicators of compromise.
- 3CX Supply Chain Attack Network Indicators source: The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. This activity is significant because it can indicate a potential compromise stemming from the 3CX supply chain attack, which is known for distributing malicious software through trusted updates. If confirmed malicious, this activity could allow attackers to establish a foothold in the network, exfiltrate sensitive data, or further propagate malware, leading to extensive damage and data breaches.
- Detect DNS Query to Decommissioned S3 Bucket source: This detection identifies DNS queries to domains that match previously decommissioned S3 buckets. This activity is significant because attackers may attempt to recreate deleted S3 buckets that were previously public to hijack them for malicious purposes. If successful, this could allow attackers to host malicious content or exfiltrate data through compromised bucket names that may still be referenced by legitimate applications.
- Detect hosts connecting to dynamic domain providers source: The following analytic identifies DNS queries from internal hosts to dynamic domain providers. It leverages DNS query logs from the `Network_Resolution` data model and cross-references them with a lookup file containing known dynamic DNS providers. This activity is significant because attackers often use dynamic DNS services to host malicious payloads or command-and-control servers, making it crucial for security teams to monitor. If confirmed malicious, this activity could allow attackers to bypass firewall blocks, evade detection, and maintain persistent access to the network.
- Detect Remote Access Software Usage DNS source: The following analytic detects DNS queries to domains associated with known remote access software such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This detection is crucial as adversaries often use these tools to maintain access and control over compromised environments. Identifying such behavior is vital for a Security Operations Center (SOC) because unauthorized remote access can lead to data breaches, ransomware attacks, and other severe impacts if these threats are not mitigated promptly.
- DNS Kerberos Coercion source: Detects DNS-based Kerberos coercion attacks where adversaries inject marshaled credential structures into DNS records to spoof SPNs and redirect authentication such as in CVE-2025-33073. This detection leverages suricata looking for specific CREDENTIAL_TARGET_INFORMATION structures in DNS queries.
- DNS Query Length With High Standard Deviation source: The following analytic identifies DNS queries with unusually large lengths by computing the standard deviation of query lengths and filtering those exceeding two times the standard deviation. It leverages DNS query data from the Network_Resolution data model, focusing on the length of the domain names being resolved. This activity is significant as unusually long DNS queries can indicate data exfiltration or command-and-control communication attempts. If confirmed malicious, this activity could allow attackers to stealthily transfer data or maintain persistent communication channels within the network.
- Ngrok Reverse Proxy on Network source: The following analytic detects DNS queries to common Ngrok domains, indicating potential use of the Ngrok reverse proxy tool. It leverages the Network Resolution datamodel to identify queries to domains such as "*.ngrok.com" and "*.ngrok.io". While Ngrok usage is not inherently malicious, it has been increasingly adopted by adversaries for covert communication and data exfiltration. If confirmed malicious, this activity could allow attackers to bypass network defenses, establish persistent connections, and exfiltrate sensitive data, posing a significant threat to the network's security.
- Rundll32 DNSQuery source: The following analytic detects a suspicious `rundll32.exe` process making HTTP connections and performing DNS queries to web domains. It leverages Sysmon EventCode 22 logs to identify these activities. This behavior is significant as it is commonly associated with IcedID malware, where `rundll32.exe` checks internet connectivity and communicates with C&C servers to download configurations and other components. If confirmed malicious, this activity could allow attackers to establish persistence, download additional payloads, and exfiltrate sensitive data, posing a severe threat to the network.
- Suspicious Process DNS Query Known Abuse Web Services source: The following analytic detects a suspicious process making DNS queries to known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms. It leverages Sysmon EventID 22 logs to identify queries from processes like cmd.exe, powershell.exe, and others. This activity is significant as it may indicate an attempt to download malicious files, a common initial access technique. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the target host.
- Suspicious Process With Discord DNS Query source: The following analytic identifies a process making a DNS query to Discord, excluding legitimate Discord application paths. It leverages Sysmon logs with Event ID 22 to detect DNS queries containing "discord" in the QueryName field. This activity is significant because Discord can be abused by adversaries to host and download malicious files, as seen in the WhisperGate campaign. If confirmed malicious, this could indicate malware attempting to download additional payloads from Discord, potentially leading to further code execution and compromise of the affected system.
- Wermgr Process Connecting To IP Check Web Services source: The following analytic detects the wermgr.exe process attempting to connect to known IP check web services. It leverages Sysmon EventCode 22 to identify DNS queries made by wermgr.exe to specific IP check services. This activity is significant because wermgr.exe is typically used for Windows error reporting, and its connection to these services may indicate malicious code injection, often associated with malware like Trickbot. If confirmed malicious, this behavior could allow attackers to recon the infected machine's IP address, aiding in further exploitation and evasion tactics.
- Windows Abused Web Services source: The following analytic detects a suspicious process making DNS queries to known, abused web services such as text-paste sites, VoIP, secure tunneling, instant messaging, and digital distribution platforms. This detection leverages Sysmon logs with Event ID 22, focusing on specific query names. This activity is significant as it may indicate an adversary attempting to download malicious files, a common initial access technique. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the target host.
- Windows DNS Query Request by Telegram Bot API source: The following analytic detects the execution of a DNS query by a process to the associated Telegram API domain, which could indicate access via a Telegram bot commonly used by malware for command and control (C2) communications. By monitoring DNS queries related to Telegram's infrastructure, the detection identifies potential attempts to establish covert communication channels between a compromised system and external malicious actors. This behavior is often observed in cyberattacks where Telegram bots are used to receive commands or exfiltrate data, making it a key indicator of suspicious or malicious activity within a network.
- Windows Gather Victim Network Info Through Ip Check Web Services source: The following analytic detects processes attempting to connect to known IP check web services. This behavior is identified using Sysmon EventCode 22 logs, specifically monitoring DNS queries to services like "wtfismyip.com" and "ipinfo.io". This activity is significant as it is commonly used by malware, such as Trickbot, for reconnaissance to determine the infected machine's IP address. If confirmed malicious, this could allow attackers to gather network information, aiding in further attacks or lateral movement within the network.
- Windows Multi hop Proxy TOR Website Query source: The following analytic identifies DNS queries to known TOR proxy websites, such as "*.torproject.org" and "www.theonionrouter.com". It leverages Sysmon EventCode 22 to detect these queries by monitoring DNS query events from endpoints. This activity is significant because adversaries often use TOR proxies to disguise the source of their malicious traffic, making it harder to trace their actions. If confirmed malicious, this behavior could indicate an attempt to obfuscate network traffic, potentially allowing attackers to exfiltrate data or communicate with command and control servers undetected.
Kusto Query Language # view in reference
- DNS events related to mining pools (ASIM DNS Schema) source low: Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema.
- DNS events related to ToR proxies (ASIM DNS Schema) source low: Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema.
- Excessive NXDOMAIN DNS Queries (ASIM DNS Schema) source medium: This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema.
- Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution) source medium: This rule generates an alert when the configured threshold for DNS queries to non-existent domains is breached. This helps in identifying possible C2 communications. It utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.
- Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution) source medium: This rule creates an alert when multiple clients report errors for the same DNS query. This helps in identifying possible similar C2 communications originating from different clients. It utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.
- Ngrok Reverse Proxy on Network (ASIM DNS Solution) source medium: This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently.
- Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution) source medium: This rule identifies clients with high reverse DNS counts, which could be carrying out reconnaissance or discovery activity. This helps in detecting the possible initial phases of an attack, like discovery and reconnaissance. It utilizes [ASIM](https://aka.ms/AboutASIM) normalization and is applied to any source that supports the ASIM DNS schema.
- Google Threat Intelligence - Threat Hunting Domain source medium: Google Threat Intelligence domain correlation.
- RecordedFuture Threat Hunting Domain All Actors source medium: Recorded Future Threat Hunting domain correlation for all actors.
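To see how a handful of the Event ID 22 rules above behave on actual records, here is an added Python example (it is not code from the Sigma, Splunk or Sentinel sources) that runs four of them over constructed DnsQuery event_data records: non-browser queries to the IP lookup services named above, ngrok and .onion names, the length-outlier rule (implemented as mean plus two sample standard deviations over the batch), and an NXDOMAIN burst per process. QueryStatus 9003 is the DNS name-error code Sysmon records for NXDOMAIN; the browser allow-list, the burst threshold and every sample record are this example's assumptions.

```python
"""Added example: a few of the Event ID 22 rules above, implemented over
constructed Sysmon DnsQuery records (not code from any of the rule sources)."""
import statistics
from collections import Counter

# Domains named in the rule descriptions above; browser list and thresholds
# are assumptions for this example.
IP_LOOKUP_DOMAINS = {"api.ipify.org", "wtfismyip.com", "ipinfo.io"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
NGROK_SUFFIXES = (".ngrok.com", ".ngrok.io")
NXDOMAIN = "9003"  # Sysmon QueryStatus for DNS_ERROR_RCODE_NAME_ERROR


def image_name(path: str) -> str:
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def ip_lookup_from_non_browser(ev: dict) -> bool:
    """'Suspicious DNS Query for IP Lookup Service APIs' / 'Gather Victim Network Info'."""
    return (ev["QueryName"].lower() in IP_LOOKUP_DOMAINS
            and image_name(ev["Image"]) not in BROWSERS)


def tunnel_or_tor_query(ev: dict) -> bool:
    """'Ngrok Reverse Proxy on Network' and 'DNS Query Tor .Onion Address'."""
    q = ev["QueryName"].lower()
    return q.endswith(NGROK_SUFFIXES) or q.endswith(".onion")


def long_query_outliers(events: list, k: float = 2.0) -> list:
    """'DNS Query Length With High Standard Deviation': names whose length is
    more than k sample standard deviations above the batch mean."""
    lengths = [len(e["QueryName"]) for e in events]
    if len(lengths) < 2:
        return []  # stdev is undefined for a single record
    cutoff = statistics.mean(lengths) + k * statistics.stdev(lengths)
    return [e for e in events if len(e["QueryName"]) > cutoff]


def nxdomain_bursts(events: list, threshold: int = 4) -> dict:
    """'Excessive NXDOMAIN DNS Queries': per-process count of name errors."""
    counts = Counter(e["Image"] for e in events if e.get("QueryStatus") == NXDOMAIN)
    return {img: n for img, n in counts.items() if n >= threshold}


def run_rules(events: list) -> list:
    """Return (rule, Image, QueryName-or-count) triples for every hit."""
    hits = []
    for e in events:
        if ip_lookup_from_non_browser(e):
            hits.append(("ip_lookup_non_browser", e["Image"], e["QueryName"]))
        if tunnel_or_tor_query(e):
            hits.append(("tunnel_or_tor", e["Image"], e["QueryName"]))
    for e in long_query_outliers(events):
        hits.append(("long_query", e["Image"], e["QueryName"]))
    for img, n in nxdomain_bursts(events).items():
        hits.append(("nxdomain_burst", img, str(n)))
    return hits


# Constructed event_data records (QueryStatus "0" = resolved successfully).
TEMP_BIN = "C:\\Users\\den\\AppData\\Local\\Temp\\svc.exe"
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "QueryName": "api.ipify.org", "QueryStatus": "0"},
    {"Image": "C:\\Windows\\System32\\wermgr.exe",
     "QueryName": "api.ipify.org", "QueryStatus": "0"},
    {"Image": TEMP_BIN, "QueryName": "abc123.ngrok.io", "QueryStatus": "0"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "QueryName": "abcdefghijklmnop.onion", "QueryStatus": "0"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "QueryName": "login.microsoftonline.com", "QueryStatus": "0"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "QueryName": "www.example.com", "QueryStatus": "0"},
    # 64 hex characters as a label: the usual shape of data tunnelled over DNS
    {"Image": TEMP_BIN,
     "QueryName": "6c6f6e672d6578666c2d6c6162656c2d" * 2 + ".c2.example",
     "QueryStatus": "0"},
] + [
    # four name errors from the same binary in one batch
    {"Image": TEMP_BIN, "QueryName": f"{c}.example", "QueryStatus": NXDOMAIN}
    for c in "abcd"
]

if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(hit)
```

The outlier cutoff is computed over whatever batch is passed in, so in production it should be a rolling window per host rather than the whole day's log, otherwise a single noisy CDN client drags the mean up and hides short encoded labels.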
References #
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-22-dnsevent-dns-query
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-22.yml
- NSA/CISA - Best Practices for Event Logging https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection
Event ID 23 — FileDelete (File Delete archived)
#Description
A file was deleted. Additionally, a copy of the deleted file is saved in the configured ArchiveDirectory (see the Archived field), so the content can still be retrieved by its hash after the original is gone.
Message #
Fields #
| Name | Description |
|---|---|
RuleName UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
UtcTime UnicodeString → string | Time in UTC when event was created |
ProcessGuid GUID → GUID | Process GUID of the process that deleted the file |
ProcessId UInt32 → PID | Process ID used by the OS to identify the process that deleted the file |
User UnicodeString → string | Name of the account who deleted the file. |
Image UnicodeString → string | File path of the process that deleted the file |
TargetFilename UnicodeString → string | Full path name of the deleted file |
Hashes UnicodeString → string | Hashes captured by the Sysmon driver of the deleted file |
IsExecutable Boolean → boolean | Whether the deleted file is a PE executable |
Archived UnicodeString → string | States if the file was archived when deleted |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 23,
"version": 5,
"level": 4,
"task": 23,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2020-10-20T11:50:55.461859Z",
"event_record_id": 769,
"correlation": {},
"execution": {
"process_id": 7212,
"thread_id": 9748
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "DESKTOP-NTSSLJD",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2020-10-20 11:50:55.457",
"ProcessGuid": "23F38D93-CF1F-5F8E-CA08-000000000C00",
"ProcessId": 8736,
"User": "DESKTOP-NTSSLJD\\den",
"Image": "C:\\Program Files\\Internet Explorer\\IEInstal.exe",
"TargetFilename": "C:\\Users\\den\\AppData\\Local\\Temp\\dfcc1807-03a1-4ae1-ab29-5675b285edea\\consent.exe.dat",
"Hashes": "SHA1=6BFB38629570909D3D9EEDFC783A948CE7849105,MD5=EE2A1C85C472F89B146CC8EE598CCCBC,SHA256=19FD0010DA92B654D1CA270247061A39EA13C0A58529FD8257A97E2EF7794911,IMPHASH=522D83761201075834F05037F5307949",
"IsExecutable": true,
"Archived": "true"
}
}
Detection Patterns #
- Sunburst And Supernova Backdoor
Detection Rules #
View all rules referencing this event →
Sigma # view in reference
- Process Deletion of Its Own Executable source medium: Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces. (Also matches Event ID 26: FileDeleteDetected (File Delete logged).)
Splunk # view in reference
- Windows Mark Of The Web Bypass source: The following analytic identifies a suspicious process that deletes the Mark-of-the-Web (MOTW) data stream. It leverages Sysmon EventCode 23 to detect when a file's Zone.Identifier stream is removed. This activity is significant because it is a common technique used by malware, such as Ave Maria RAT, to bypass security restrictions on files downloaded from the internet. If confirmed malicious, this behavior could allow an attacker to execute potentially harmful files without triggering security warnings, leading to further compromise of the system.
- Windows Rdp AutomaticDestinations Deletion source: This detection identifies the deletion of files within the AutomaticDestinations folder, located under a user's AppData\Roaming\Microsoft\Windows\Recent directory. These files are part of the Windows Jump List feature, which records recently accessed files and folders tied to specific applications. Each .automaticDestinations-ms file corresponds to a program (e.g., Explorer, Word, Notepad) and can be valuable for forensic analysis of user activity. Adversaries may target this folder to erase evidence of their actions, such as which documents or directories were accessed during a session. This type of deletion is rarely seen during normal user activity and may indicate deliberate anti-forensic behavior. When correlated with suspicious logon events, RDP usage, or script execution, this activity may represent an attempt to cover tracks after data access, lateral movement, or staging for exfiltration. Detecting removal of these artifacts can highlight post-compromise cleanup efforts and help analysts reconstruct attacker behavior. (Also matches Event ID 26: FileDeleteDetected (File Delete logged).)
References #
Event ID 24 — ClipboardChange (New content in the clipboard)
#Description
This event is generated when the system clipboard contents change. Sysmon also writes the captured clipboard text to the ArchiveDirectory (a directory protected by a SYSTEM-only ACL), so pasted passwords and tokens end up on disk; scope the ClipboardChange rules narrowly and treat the archive as sensitive.
Message #
Fields #
| Name | Description |
|---|---|
RuleName UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID
UtcTime UnicodeString → string | Time in UTC when event was created
ProcessGuid GUID → GUID | Process GUID of the process that changed the clipboard contents
ProcessId UInt32 → PID | Process ID used by the OS to identify the process that changed the clipboard contents
Image UnicodeString → string | File path of the process that changed the clipboard contents
Session UInt32 → unsignedInt | Windows session ID in which the clipboard change occurred
ClientInfo UnicodeString → string | Session client details: the user name, and for RDP sessions also the remote client's hostname and IP
Hashes UnicodeString → string | Hashes of the captured clipboard content; the copy in the ArchiveDirectory is stored under this hash
Archived UnicodeString → string | States if the clipboard content was saved to the ArchiveDirectory
User UnicodeString → string | Name of the account whose process changed the clipboard contents
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 24,
"version": 5,
"level": 4,
"task": 24,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T01:34:43.177918+00:00",
"event_record_id": 1300545,
"correlation": {},
"execution": {
"process_id": 7064,
"thread_id": 18652
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2023-11-06 01:34:43.168",
"ProcessGuid": "E56ADA26-3DE0-6548-E908-000000000D00",
"ProcessId": 11112,
"Image": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_1.18.2822.0_x64__8wekyb3d8bbwe\\WindowsTerminal.exe",
"Session": 1,
"ClientInfo": "user: WINDEV2310EVAL\\User",
"Hashes": "SHA1=179A4D08834E913B14727CF6474BAC31E082D275,MD5=64D76D5B160C1EB41680025DD778622D,SHA256=35EC5A2FD3F20757A957DC280EF330892A9D76378252CD381BF34518E6A30427,IMPHASH=00000000000000000000000000000000",
"Archived": "true",
"User": "WINDEV2310EVAL\\User"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-24-clipboardchange-new-content-in-the-clipboard
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 25 — ProcessTampering (Process image change)
#Description
This event is generated when process hiding techniques are being detected.
Message #
Fields #
| Name | Description |
|---|---|
RuleName UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID
UtcTime UnicodeString → string | Time in UTC when event was created
ProcessGuid GUID → GUID | Process GUID of the process whose image was tampered with
ProcessId UInt32 → PID | Process ID used by the OS to identify the tampered process
Image UnicodeString → string | File path of the image backing the tampered process
Type UnicodeString → string | Kind of tampering detected; the documented values are "Image is replaced" and "Image is locked for access"
User UnicodeString → string | Name of the account the tampered process runs as
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 25,
"version": 5,
"level": 4,
"task": 25,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T02:03:39.070256+00:00",
"event_record_id": 1436931,
"correlation": {},
"execution": {
"process_id": 7064,
"thread_id": 9788
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2023-11-06 02:03:39.059",
"ProcessGuid": "E56ADA26-497A-6548-2A0B-000000000D00",
"ProcessId": 18308,
"Image": "C:\\Program Files\\Avira\\Endpoint Protection SDK\\wsc_agent.exe",
"Type": "Image is locked for access",
"User": "NT AUTHORITY\\SYSTEM"
},
"message": ""
}
Community Notes #
Process tampering: in practice this fires on process herpaderping and process hollowing, where the on-disk image is replaced or held locked after the process has been created, so the file Sysmon can hash no longer matches what is mapped in memory. The "Image is locked for access" type also fires for legitimate agents that hold their own image open, as the Avira example above shows, so tune on Image and on the matching Event ID 1 (same ProcessGuid) before alerting.
Detection Rules #
View all rules referencing this event →
Sigma # view in reference
- Potential Process Hollowing Activity source medium: Detects when a memory process image does not match the disk image, indicative of process hollowing.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-25-processtampering-process-image-change
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 26 — FileDeleteDetected (File Delete logged)
#Description
A file was deleted.
Message #
Fields #
| Name | Description |
|---|---|
RuleName UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
UtcTime UnicodeString → string | Time in UTC when event was created |
ProcessGuid GUID → GUID | Process GUID of the process that deleted the file |
ProcessId UInt32 → PID | Process ID used by the OS to identify the process that deleted the file |
User UnicodeString → string | Name of the account who deleted the file. |
Image UnicodeString → string | File path of the process that deleted the file |
TargetFilename UnicodeString → string | Full path name of the deleted file |
Hashes UnicodeString → string | Hashes captured by the Sysmon driver of the deleted file |
IsExecutable Boolean → boolean | Whether the deleted file is a PE executable |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 26,
"version": 5,
"level": 4,
"task": 26,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T02:04:29.353937+00:00",
"event_record_id": 1441136,
"correlation": {},
"execution": {
"process_id": 7064,
"thread_id": 9788
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2023-11-06 02:04:29.346",
"ProcessGuid": "E56ADA26-3974-6548-1E08-000000000D00",
"ProcessId": 18984,
"User": "NT AUTHORITY\\SYSTEM",
"Image": "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe",
"TargetFilename": "C:\\ProgramData\\Malwarebytes\\MBAMService\\config\\MbamClientConfig.json",
"Hashes": "SHA1=313DF92678806809A0DA4150870A71DEEEC67790,MD5=48523B42CDEEC91FF7020302F0EF58D5,SHA256=54A882E183B3882F54222737ED16BA98E06D91C30DECD478BF9C0EDBE6728BFB,IMPHASH=00000000000000000000000000000000",
"IsExecutable": false
},
"message": ""
}
Detection Patterns #
- Sunburst And Supernova Backdoor
Detection Rules #
View all rules referencing this event →
Sigma # view in reference
- Process Deletion of Its Own Executable source medium: Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces. (Also matches Event ID 23: FileDelete (File Delete archived).)
Splunk # view in reference
- Windows Rdp AutomaticDestinations Deletion source: This detection identifies the deletion of files within the AutomaticDestinations folder, located under a user's AppData\Roaming\Microsoft\Windows\Recent directory. These files are part of the Windows Jump List feature, which records recently accessed files and folders tied to specific applications. Each .automaticDestinations-ms file corresponds to a program (e.g., Explorer, Word, Notepad) and can be valuable for forensic analysis of user activity. Adversaries may target this folder to erase evidence of their actions, such as which documents or directories were accessed during a session. This type of deletion is rarely seen during normal user activity and may indicate deliberate anti-forensic behavior. When correlated with suspicious logon events, RDP usage, or script execution, this activity may represent an attempt to cover tracks after data access, lateral movement, or staging for exfiltration. Detecting removal of these artifacts can highlight post-compromise cleanup efforts and help analysts reconstruct attacker behavior. (Also matches Event ID 23: FileDelete (File Delete archived).)
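The three rules listed for Event ID 23 and Event ID 26 all reduce to path checks on Image and TargetFilename, and the only difference between the two event IDs is whether a copy was archived. The following added Python example (it is not the Sigma or Splunk source) runs those checks over the two example events on this page plus constructed records, and reports for each hit whether an archived copy exists, which tells the analyst if a self-deleted binary can still be pulled from the ArchiveDirectory by its hash. The Zone.Identifier stream is logged as "<file>:Zone.Identifier" in TargetFilename. Sample paths, process names and the Jump List file name are constructed.

```python
"""Added example: the Event ID 23/26 rules above run over file-delete
records. Rule logic is this example's own, not the Sigma or Splunk source."""
import ntpath  # Windows path semantics regardless of the host OS

JUMPLIST_DIR = "\\appdata\\roaming\\microsoft\\windows\\recent\\automaticdestinations\\"


def self_deletion(ev: dict) -> bool:
    """'Process Deletion of Its Own Executable': deleting process and deleted
    file are the same path (case-insensitive, separators normalised)."""
    return ntpath.normcase(ev["Image"]) == ntpath.normcase(ev["TargetFilename"])


def motw_stream_removed(ev: dict) -> bool:
    """'Windows Mark Of The Web Bypass': deletion of the Zone.Identifier ADS."""
    return ev["TargetFilename"].lower().endswith(":zone.identifier")


def jumplist_deleted(ev: dict) -> bool:
    """'Windows Rdp AutomaticDestinations Deletion'."""
    p = ev["TargetFilename"].lower()
    return JUMPLIST_DIR in p and p.endswith(".automaticdestinations-ms")


RULES = (
    ("self_deletion", self_deletion),
    ("motw_bypass", motw_stream_removed),
    ("jumplist_deletion", jumplist_deleted),
)


def triage(records: list) -> list:
    """Return (event_id, rule, Image, TargetFilename, archived) per hit.
    archived is True only for Event 23 records whose copy was kept."""
    hits = []
    for rec in records:
        ev = rec["event_data"]
        archived = rec["event_id"] == 23 and ev.get("Archived") == "true"
        for name, rule in RULES:
            if rule(ev):
                hits.append((rec["event_id"], name, ev["Image"], ev["TargetFilename"], archived))
    return hits


def record(event_id, image, target, user="LAB\\den", archived="true"):
    """Build a record in the shape of the example events above, trimmed to
    the fields the rules use. Event 26 has no Archived field."""
    ev = {"Image": image, "TargetFilename": target, "User": user}
    if event_id == 23:
        ev["Archived"] = archived
    return {"event_id": event_id, "event_data": ev}


TEMP_BIN = "C:\\Users\\den\\AppData\\Local\\Temp\\update.exe"
SAMPLE_RECORDS = [
    # benign: the page's own Event 23 and 26 examples
    record(23, "C:\\Program Files\\Internet Explorer\\IEInstal.exe",
           "C:\\Users\\den\\AppData\\Local\\Temp\\dfcc1807-03a1-4ae1-ab29-5675b285edea\\consent.exe.dat"),
    record(26, "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe",
           "C:\\ProgramData\\Malwarebytes\\MBAMService\\config\\MbamClientConfig.json",
           user="NT AUTHORITY\\SYSTEM"),
    # constructed: a dropper removing itself after execution (copy archived)
    record(23, TEMP_BIN, TEMP_BIN),
    # constructed: PowerShell stripping the Mark-of-the-Web stream from a download
    record(26, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
           "C:\\Users\\den\\Downloads\\invoice.exe:Zone.Identifier"),
    # constructed: cmd.exe wiping a Jump List after an RDP session
    record(26, "C:\\Windows\\System32\\cmd.exe",
           "C:\\Users\\den\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\"
           "0123456789abcdef.automaticDestinations-ms"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(hit)
```

Neither event fires unless the Sysmon configuration has FileDelete or FileDeleteDetected rules that match the path, so a missing hit on a host is a configuration gap before it is evidence of absence.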
References #
Event ID 27 — FileBlockExecutable
#Description
This event is generated when Sysmon detects and blocks the creation of executable files.
Message #
Fields #
| Name | Description |
|---|---|
RuleName UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID
UtcTime UnicodeString → string | Time in UTC when event was created
ProcessGuid GUID → GUID | Process GUID of the process that attempted to create the executable
ProcessId UInt32 → PID | Process ID used by the OS to identify the process that attempted to create the executable
User UnicodeString → string | Name of the account that attempted to create the executable
Image UnicodeString → string | File path of the process that attempted to create the executable
TargetFilename UnicodeString → string | Full path of the executable file whose creation was blocked
Hashes UnicodeString → string | Hashes of the blocked executable content
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 27,
"version": 5,
"level": 4,
"task": 27,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2022-08-29T04:43:48.128507Z",
"event_record_id": 1341,
"correlation": {},
"execution": {
"process_id": 2060,
"thread_id": 7132
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "DESKTOP-VQBONAV",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "ImageBlock",
"UtcTime": "2022-08-29 04:43:48.117",
"ProcessGuid": "3E153517-4404-630C-0003-000000000400",
"ProcessId": 8636,
"User": "DESKTOP-VQBONAV\\user",
"Image": "C:\\Windows\\system32\\certutil.exe",
"TargetFilename": "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\02E7958E9A9619FDA0A027756E601291",
"Hashes": "MD5=E112A827FAB9F8378C76040187A6F336,SHA256=ED369187681A62247E38D930320F1CD771756D0B7B67072D8EC655EF99E14AEB,IMPHASH=8EEAA9499666119D13B3F44ECD77A729"
}
}
Detection Rules #
View all rules referencing this event →
Sigma # view in reference
- Sysmon Blocked Executable source high: Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy
References #
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-27-fileblockexecutable
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 28 — FileBlockShredding
#Description
This event is generated when Sysmon detects and blocks file shredding, that is, an attempt to overwrite a file's contents in place before deleting it, as secure-delete tools such as SDelete do. The heuristic is not specific to such tools: the example event below shows it firing on svchost.exe (LOCAL SERVICE) rewriting the SRUM log C:\Windows\System32\sru\SRU.log, so a production configuration needs exclusions for legitimate in-place rewriters before every event is alerted on at high severity.
Message #
Fields #
| Name | Description |
|---|---|
RuleName UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID
UtcTime UnicodeString → string | Time in UTC when event was created
ProcessGuid GUID → GUID | Process GUID of the process that attempted the shredding
ProcessId UInt32 → PID | Process ID used by the OS to identify the process that attempted the shredding
User UnicodeString → string | Name of the account that attempted the shredding
Image UnicodeString → string | File path of the process that attempted the shredding
TargetFilename UnicodeString → string | Full path of the file whose overwrite was blocked
Hashes UnicodeString → string | Hashes of the target file
IsExecutable Boolean → boolean | Whether the target file is a PE executable
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 28,
"version": 5,
"level": 4,
"task": 28,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T03:06:00.105995+00:00",
"event_record_id": 36714962,
"correlation": {},
"execution": {
"process_id": 3860,
"thread_id": 5148
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2026-03-12 03:06:00.101",
"ProcessGuid": "3792AB3B-0B4D-69B1-4300-000000000F00",
"ProcessId": 3544,
"User": "NT AUTHORITY\\LOCAL SERVICE",
"Image": "C:\\Windows\\System32\\svchost.exe",
"TargetFilename": "C:\\Windows\\System32\\sru\\SRU.log",
"Hashes": "SHA1=1ADC95BEBE9EEA8C112D40CD04AB7A8D75C4F961,MD5=FCD6BCB56C1689FCEF28B57C22475BAD,SHA256=DE2F256064A0AF797747C2B97505DC0B9F3DF0DE4F489EAC731C23AE9CA9CC31,IMPHASH=00000000000000000000000000000000",
"IsExecutable": false
},
"message": ""
}
Detection Rules #
View all rules referencing this event →
Sigma # view in reference
- Sysmon Blocked File Shredding source high: Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.
References #
Event ID 29 — FileExecutableDetected
#Description
This event is generated when Sysmon detects the creation of a new executable file. The check is on content (a PE header), not on the file name, which is what makes it useful for catching executables written with a non-executable extension; it fires only for paths matched by FileExecutableDetected rules in the configuration.
Message #
Fields #
| Name | Description |
|---|---|
RuleName UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID
UtcTime UnicodeString → string | Time in UTC when event was created
ProcessGuid GUID → GUID | Process GUID of the process that created the executable
ProcessId UInt32 → PID | Process ID used by the OS to identify the process that created the executable
User UnicodeString → string | Name of the account that created the executable
Image UnicodeString → string | File path of the process that created the executable
TargetFilename UnicodeString → string | Full path of the newly created executable file
Hashes UnicodeString → string | Hashes of the newly created executable
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 29,
"version": 5,
"level": 4,
"task": 29,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T19:59:50.724328+00:00",
"event_record_id": 25592993,
"correlation": {},
"execution": {
"process_id": 3516,
"thread_id": 4964
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2026-03-13 19:59:50.723",
"ProcessGuid": "3792AB3B-6CAF-69B4-C304-000000000800",
"ProcessId": 6332,
"User": "NT AUTHORITY\\SYSTEM",
"Image": "C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.378_none_6b5c1260907d1384\\TiWorker.exe",
"TargetFilename": "C:\\Windows\\WinSxS\\Temp\\InFlight\\4d85a1f323b3dc0131020000bc18500b\\amd64_hyperv-compute-containerdiagnosticstool_31bf3856ad364e35_10.0.22621.1_none_e8f6dc1e2b2810c4\\hcsdiag.exe",
"Hashes": "SHA1=4151B8801065408E851608F5F586E83F841DDF73,MD5=5CDE58E943D06BF77B4595CF917E4BD6,SHA256=148B44E4D5251D533F66EB2352AE396DB612AE926703682C8CD271ADC8A8B03A,IMPHASH=BC0760AED3654197B70538C4350C093A"
},
"message": ""
}
Detection Rules #
Sigma #
- Potentially Suspicious Self Extraction Directive File Created (level: medium): Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stands for Self Extraction Directive files. These files are used by the "iexpress.exe" utility to create self-extracting packages. Attackers have been seen abusing this utility and creating PE files with embedded ".sed" entries. Usually ".sed" files are simple INI files, not PE binaries.
- Sysmon File Executable Creation Detected (level: medium): Triggers on any Sysmon "FileExecutableDetected" event, which is generated every time a PE covered by the configuration is created.
Splunk #
- Windows Executable Masquerading as Benign File Types: The following analytic detects the presence of executable files masquerading as benign file types on Windows systems. Adversaries employ this technique to evade defenses and trick users into executing malicious code by renaming executables with extensions commonly associated with documents, images, or other non-executable formats (e.g., .pdf, .jpg, .doc, .png).
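As an added example (not part of this page, nor code from the Sysmon, Sigma or Splunk projects), a small Python triage routine over Event ID 29 records in the JSON shape shown above: it splits the Hashes field into a dict, flags a PE written under a document/image extension (the Splunk analytic) or under ".sed" (the Sigma rule), and returns the ProcessGuid as a pivot to the writing process. The extension list and the sample records are constructed.

```python
import json
from pathlib import PureWindowsPath

# Constructed list: non-executable extensions a PE should never carry (per the Splunk
# analytic quoted above) and the ".sed" extension covered by the Sigma rule.
BENIGN_EXTENSIONS = {".pdf", ".jpg", ".jpeg", ".doc", ".docx", ".png", ".txt"}
SED_EXTENSION = ".sed"

# Constructed sample records in the shape of the example event above (not real telemetry).
SAMPLE_EVENTS = json.loads(r'''[
 {"system": {"event_id": 29, "event_record_id": 1},
  "event_data": {"ProcessGuid": "00000000-0000-0000-0000-000000000001",
   "Image": "C:\\Windows\\System32\\svchost.exe",
   "TargetFilename": "C:\\Windows\\Temp\\setup.exe",
   "Hashes": "SHA1=aa,MD5=bb,SHA256=cc,IMPHASH=dd"}},
 {"system": {"event_id": 29, "event_record_id": 2},
  "event_data": {"ProcessGuid": "00000000-0000-0000-0000-000000000002",
   "Image": "C:\\Program Files\\Mail\\mail.exe",
   "TargetFilename": "C:\\Users\\alice\\Downloads\\invoice.pdf",
   "Hashes": "SHA1=ee,MD5=ff,SHA256=11,IMPHASH=22"}},
 {"system": {"event_id": 255, "event_record_id": 3},
  "event_data": {"ID": "IMAGE_LOAD", "Description": "Failed to find process image name"}}
]''')

def parse_hashes(hashes: str) -> dict:
    """Split Sysmon's 'SHA1=...,MD5=...,SHA256=...,IMPHASH=...' string into a dict."""
    out = {}
    for part in hashes.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            out[algo.strip().upper()] = value.strip().lower()
    return out

def triage_event(record: dict) -> list:
    """Return finding labels for one FileExecutableDetected record; [] if nothing to flag."""
    if record.get("system", {}).get("event_id") != 29:
        return []  # only Event ID 29 carries the new-PE signal
    ext = PureWindowsPath(record.get("event_data", {}).get("TargetFilename", "")).suffix.lower()
    findings = []
    if ext in BENIGN_EXTENSIONS:
        findings.append("pe_masquerading_as_" + ext.lstrip("."))
    if ext == SED_EXTENSION:
        findings.append("pe_with_sed_extension")
    return findings

def triage(events: list) -> dict:
    """Map event_record_id -> findings, SHA256 and ProcessGuid pivot for flagged records."""
    hits = {}
    for rec in events:
        findings = triage_event(rec)
        if findings:
            data = rec["event_data"]
            hits[rec["system"]["event_record_id"]] = {
                "findings": findings,
                "sha256": parse_hashes(data.get("Hashes", "")).get("SHA256"),
                "pivot": data.get("ProcessGuid"),  # join to Event ID 1 of the writing process
            }
    return hits

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```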
References #
Event ID 255 — Error report
#Description
This event is generated when an **error occurs within Sysmon**. Errors can happen if the system is under heavy load and certain tasks could not be performed, or if a bug exists in the Sysmon service.
Message #
Error report: UtcTime: UtcTime ID: ID Description: Description.
Fields #
| Name | Description |
|---|---|
| UtcTime UnicodeString → string | — |
| ID UnicodeString → string | — |
| Description UnicodeString → string | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 255,
"version": 3,
"level": 2,
"task": 255,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T00:55:58.314139+00:00",
"event_record_id": 1050594,
"correlation": {},
"execution": {
"process_id": 7064,
"thread_id": 9788
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"UtcTime": "2023-11-06 00:55:58.306",
"ID": "IMAGE_LOAD",
"Description": "Failed to find process image name"
},
"message": ""
}
Detection Rules #
Sigma #
- Sysmon Configuration Error (level: high): Detects when an adversary is trying to hide its actions from Sysmon logging, based on error messages.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-255-error
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-255.yml