Event ID 4 — process: payload.
Message #
Fields #
| Name | Description |
|---|---|
process UnicodeString | — |
payload UnicodeString | — |
Example Event #
{
"system": {
"provider": "OpenSSH",
"guid": "C4B57D35-0636-4BC3-A262-370F249F9802",
"event_source_name": "",
"event_id": 4,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-10-25T22:56:14.223049+00:00",
"event_record_id": 40,
"correlation": {},
"execution": {
"process_id": 3136,
"thread_id": 3384
},
"channel": "OpenSSH/Operational",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"process": "sshd",
"payload": "Received signal 8; terminating."
},
"message": ""
}
Detection Rules #
View all rules referencing this event →
Sigma # view in reference
- OpenSSH Server Listening On Socket source medium: Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline