events-table.md

File metadata and controls

523 lines (523 loc) · 17.7 KB
Event ID Channel Fields

1 Microsoft-Windows-Sysmon/Operational Ancestors: System|C:\\Windows\\System32\\smss.exe|C:\\Windows\\System32\\smss.exe|C:\\Windows\\System32\\wininit.exe|C:\\Windows\\System32\\services.exe
CommandLine: C:\\Windows\\system32\\SecurityHealthService.exe
Company: Microsoft Corporation
CurrentDirectory: C:\\Windows\\system32\\
Description: Windows Security Health Service
FileVersion: 4.18.1901.16384 (WinBuild.160101.0800)
Hashes: SHA1=6506644A113031DF428C20CF4C278468B0C6E017,MD5=FB82EE2318700D2A1CF497636A9B4710,SHA256=0F0FD4B9DFD555E4A53AE9070447E330EAAF96FF51F012CD982157DEDFDDD9A6,IMPHASH=6317654951BFF89546F311B469BB379F
Image: C:\\Windows\\System32\\SecurityHealthService.exe
ImageSize: 913168
IntegrityLevel: System
IntegrityTimeout: false
LogonGuid: {515cd0d1-6e1f-5f22-e703-000000000000}
LogonId: 0x3e7
OriginalFileName: SecurityHealthService.exe
ParentCommandLine: C:\\Windows\\system32\\services.exe
ParentImage: C:\\Windows\\System32\\services.exe
ParentIntegrityLevel: System
ParentProcessGuid: {515cd0d1-6e1f-5f22-0b00-000000004100}
ParentProcessId: 632
ParentProcessIntegrity: -1
ParentServices: N/A
ParentUser: NT AUTHORITY\\SYSTEM
ProcessGuid: {515cd0d1-6e40-5f22-8100-000000004100}
ProcessId: 6540
ProcessIntegrity: -1
Product: Microsoft® Windows® Operating System
RuleName: -
Services: SecurityHealthService
TerminalSessionId: 0
User: NT AUTHORITY\\SYSTEM
UtcTime: 4242-04-24 13:37:42.422

2 Microsoft-Windows-Sysmon/Operational CommandLine: \C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\
CreationUtcTime: 2019-06-12 11:03:38.768
CurrentDirectory: C:\\Windows\\system32\\
Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
ImageHashes: SHA1=36C5D12033B2EAF251BAE61C00690FFB17FDDC87,MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481
IntegrityLevel: High
PreviousCreationUtcTime: 2020-07-30 06:53:07.109
ProcessGuid: {515cd0d1-6e50-5f22-9500-000000004100}
ProcessId: 7220
RuleName: -
Services: N/A
TargetFilename: C:\\Users\\Generic\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\JXABLM89H2JOOX8OVGPR.temp
User: DESKTOP-LJRVE06\\Generic
UtcTime: 4242-04-24 13:37:42.422

3 Microsoft-Windows-Sysmon/Operational CommandLine: C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
CurrentDirectory: C:\\Windows\\system32\\
DestinationHostname: -
DestinationIp: ff02:0:0:0:0:0:1:2
DestinationIsIpv6: true
DestinationPort: 547
DestinationPortName: -
Image: C:\\Windows\\System32\\svchost.exe
ImageHashes: SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69
Initiated: true
IntegrityLevel: System
ProcessGuid: {515cd0d1-6e20-5f22-2100-000000004100}
ProcessId: 1424
Protocol: udp
RuleName: -
Services: Dhcp
SourceHostname: -
SourceIp: fe80:0:0:0:2ccd:2156:e8b4:895d
SourceIsIpv6: true
SourcePort: 546
SourcePortName: -
User: NT AUTHORITY\\LOCAL SERVICE
UtcTime: 4242-04-24 13:37:42.422

4 Microsoft-Windows-Sysmon/Operational SchemaVersion: 4.32
State: Started
UtcTime: 4242-04-24 13:37:42.422
Version: 11.10

5 Microsoft-Windows-Sysmon/Operational CommandLine: \\SystemRoot\\System32\\smss.exe 000000ac 00000088
CurrentDirectory: C:\\Windows\\
Image: C:\\Windows\\System32\\smss.exe
ImageHashes: SHA1=913D1903C43636A9D760D084B821908139651790,MD5=6CE93967F7235F88940092E88AD18AAB,SHA256=14A5FB352FD89A8969147FEEE9473BE2086391AF7D5AF0D2D5583F4A324826DF,IMPHASH=BC32B6662261DE8469D6EB034C62A6A5
IntegrityLevel: System
ProcessGuid: {515cd0d1-6e1e-5f22-0500-000000004100}
ProcessId: 416
RuleName: -
Services: gpsvc
User: NT AUTHORITY\\SYSTEM
UtcTime: 4242-04-24 13:37:42.422

6 Microsoft-Windows-Sysmon/Operational Hashes: SHA1=D1F95AB2E3B6EF27639E72AE1335D9D00007698B,MD5=7DE33B6BCD2113B39090D005BA5CFE9E,SHA256=1E84F2E321BB303320F6A40CC1EF22328BC162C9E433E4559F7D42160058EA78,IMPHASH=DE167A0100AD87EB2C9E1534AB9385B4
ImageLoaded: C:\\Windows\\System32\\drivers\\null.sys
ImageLoadedSize: 7680
RuleName: -
Signature: Microsoft Windows
SignatureStatus: Valid
Signed: true
UtcTime: 4242-04-24 13:37:42.422

7 Microsoft-Windows-Sysmon/Operational CommandLine: %%SystemRoot%%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Company: Microsoft Corporation
CurrentDirectory: C:\\Windows\\system32\\
Description: Client Server Runtime Process
FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
Hashes: SHA1=2038501676866B87CEE4514CEFF77DAEA9729F30,MD5=23019322FFECB179746210BE52D6DE60,SHA256=F2C7D894ABE8AC0B4C2A597CAA6B3EFE7AD2BDB4226845798D954C5AB9C9BF15,IMPHASH=A96FA9912E09E361274AD77F1A4B252C
Image: C:\\Windows\\System32\\csrss.exe
ImageHashes: SHA1=2038501676866B87CEE4514CEFF77DAEA9729F30,MD5=23019322FFECB179746210BE52D6DE60,SHA256=F2C7D894ABE8AC0B4C2A597CAA6B3EFE7AD2BDB4226845798D954C5AB9C9BF15,IMPHASH=A96FA9912E09E361274AD77F1A4B252C
ImageLoaded: C:\\Windows\\System32\\csrss.exe
ImageLoadedSize: 17808
IntegrityLevel: System
OriginalFileName: CSRSS.Exe
ParentCommandLine: \\SystemRoot\\System32\\smss.exe 000000ac 00000088
ParentImage: C:\\Windows\\System32\\smss.exe
ProcessGuid: {515cd0d1-6e1e-5f22-0600-000000004100}
ProcessId: 424
Product: Microsoft® Windows® Operating System
RuleName: -
Services: N/A
Signature: Microsoft Windows Publisher
SignatureStatus: Valid
Signed: true
User: NT AUTHORITY\\SYSTEM
UtcTime: 4242-04-24 13:37:42.422

8

9 Microsoft-Windows-Sysmon/Operational CommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wuauserv
CurrentDirectory: C:\\Windows\\system32\\
Device: \\Device\\HarddiskVolume2
Image: C:\\Windows\\System32\\svchost.exe
ImageHashes: SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69
IntegrityLevel: System
ProcessGuid: {515cd0d1-6e21-5f22-3d00-000000004100}
ProcessId: 2296
RuleName: -
Services: wuauserv
User: NT AUTHORITY\\SYSTEM
UtcTime: 4242-04-24 13:37:42.422

10 Microsoft-Windows-Sysmon/Operational CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9c524|C:\\Windows\\System32\\KERNELBASE.dll+6a685|c:\\windows\\system32\\lsm.dll+ff97|C:\\Windows\\System32\\RPCRT4.dll+76963|C:\\Windows\\System32\\RPCRT4.dll+da036|C:\\Windows\\System32\\RPCRT4.dll+37a5c|C:\\Windows\\System32\\RPCRT4.dll+548d8|C:\\Windows\\System32\\RPCRT4.dll+2c931|C:\\Windows\\System32\\RPCRT4.dll+2c1eb|C:\\Windows\\System32\\RPCRT4.dll+1a86f|C:\\Windows\\System32\\RPCRT4.dll+19d1a|C:\\Windows\\System32\\RPCRT4.dll+19301|C:\\Windows\\System32\\RPCRT4.dll+18d6e|C:\\Windows\\System32\\RPCRT4.dll+169a5|C:\\Windows\\SYSTEM32\\ntdll.dll+333fd|C:\\Windows\\SYSTEM32\\ntdll.dll+34152|C:\\Windows\\System32\\KERNEL32.DLL+17944|C:\\Windows\\SYSTEM32\\ntdll.dll+6ce71
GrantedAccess: 0x1000
RuleName: -
SourceHashes: SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69
SourceImage: C:\\Windows\\system32\\svchost.exe
SourceIntegrityLevel: System
SourceProcessGUID: {515cd0d1-6e1f-5f22-1200-000000004100}
SourceProcessId: 928
SourceServices: LSM
SourceThreadId: 956
SourceUser: NT AUTHORITY\\SYSTEM
TargetHashes: SHA1=9FE3BA25E5660C23DFE478D577CFACDE5795870C,MD5=03C70933698C6E3E466076DD9C3FAA18,SHA256=AA52B2D3DD4B9B47FF4496C0460BDEDDA791354018CF0782B899EF28ACEE8D21,IMPHASH=09FDE88C65E2BC5F1F90E96B673C52B1
TargetImage: C:\\Windows\\system32\\lsass.exe
TargetIntegrityLevel: System
TargetParentProcessGuid: {515cd0d1-6e1e-5f22-0800-000000004100}
TargetProcessGUID: {515cd0d1-6e1f-5f22-0c00-000000004100}
TargetProcessId: 652
TargetServices: KeyIso,SamSs
TargetUser: NT AUTHORITY\\SYSTEM
UtcTime: 4242-04-24 13:37:42.422

11 Microsoft-Windows-Sysmon/Operational CommandLine: \C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_12007.1001.2.0_x64__8wekyb3d8bbwe\\WinStore.App.exe\ -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
CreationUtcTime: 2020-07-21 06:16:09.011
CurrentDirectory: C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_12007.1001.2.0_x64__8wekyb3d8bbwe\\
Image: C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_12007.1001.2.0_x64__8wekyb3d8bbwe\\WinStore.App.exe
ImageHashes: SHA1=A70B1B664DFAD439CFEFACCBC6690E157DC23633,MD5=C1B380640D11FEC6CBB35FF20F58A17E,SHA256=3AF6BE21B6DFC06E3A3A78CC726CFA2007854244E74C8A421B09ECBE0C12EC61,IMPHASH=CA878514C158EF3E1C1EE824024717CA
IntegrityLevel: AppContainer
ProcessGuid: {515cd0d1-6e6f-5f22-9f00-000000004100}
ProcessId: 7960
RuleName: -
Services: N/A
TargetFilename: C:\\Users\\Generic\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\index
User: DESKTOP-LJRVE06\\Generic
UtcTime: 4242-04-24 13:37:42.422

12 Microsoft-Windows-Sysmon/Operational EventType: CreateKey
Image: System
ProcessGuid: {515cd0d1-6e1b-5f22-0100-000000004100}
ProcessId: 4
RuleName: -
TargetObject: HKLM\\System\\CurrentControlSet\\Enum\\PCI\\VEN_8086&DEV_2668&SUBSYS_76808384&REV_01\\3&267a616a&0&28\\Device Parameters\\Interrupt Management
UtcTime: 4242-04-24 13:37:42.422

13 Microsoft-Windows-Sysmon/Operational Details: Binary Data
EventType: SetValue
Image: System
ProcessGuid: {515cd0d1-6e1b-5f22-0100-000000004100}
ProcessId: 4
RuleName: -
TargetObject: HKLM\\System\\CurrentControlSet\\Enum\\STORAGE\\Volume\\{1eeaac07-8cf7-11e9-9661-806e6f6e6963}#0000000000100000\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0066\\(Default)
UtcTime: 4242-04-24 13:37:42.422

14

15

16

17 Microsoft-Windows-Sysmon/Operational CommandLine: C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
CurrentDirectory: C:\\Windows\\system32\\
EventType: CreatePipe
Image: C:\\Windows\\System32\\svchost.exe
ImageHashes: SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69
IntegrityLevel: System
PipeName: \\Winsock2\\CatalogChangeListener-4fc-0
ProcessGuid: {515cd0d1-6e20-5f22-1d00-000000004100}
ProcessId: 1276
RuleName: -
Services: EventLog
User: NT AUTHORITY\\LOCAL SERVICE
UtcTime: 4242-04-24 13:37:42.422

18 Microsoft-Windows-Sysmon/Operational CommandLine: C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding
CurrentDirectory: C:\\Windows\\system32\\
EventType: ConnectPipe
Image: C:\\Windows\\system32\\wbem\\wmiprvse.exe
ImageHashes: SHA1=51B8646308EE0B68AD1F7F1291B85395434DE49A,MD5=801E8003C257C8F540B20F1E0DECD3A6,SHA256=A75C85F3B089993E9C042FB82ECB7757E8F460ED8065FC7991CAA38A6DE0F50C,IMPHASH=CC058866636CC184AD452F88EE39368A
IntegrityLevel: System
PipeName: \\lsass
ProcessGuid: {515cd0d1-6e21-5f22-4100-000000004100}
ProcessId: 2744
RuleName: -
Services: N/A
User: NT AUTHORITY\\NETWORK SERVICE
UtcTime: 4242-04-24 13:37:42.422

19

20

21

22 Microsoft-Windows-Sysmon/Operational CommandLine: C:\\Windows\\System32\\spoolsv.exe
CurrentDirectory: C:\\Windows\\system32\\
Image: C:\\Windows\\System32\\spoolsv.exe
ImageHashes: SHA1=D5F2D846DC244E840BE558D9D21BF4BEF5FAA4D6,MD5=1096F67170CCD4DCE97D2DE3FC421712,SHA256=A26658A11FB78B9EDB9189A7DF3CB69DF24AF1B57941543F53FE5A90E02FEB8C,IMPHASH=3908F13E6362FF821A5A7A58C7C88A99
IntegrityLevel: System
ProcessGuid: {515cd0d1-6e21-5f22-3f00-000000004100}
ProcessId: 2476
QueryName: DESKTOP-LJRVE06
QueryResults: 10.0.2.15;
QueryStatus: 0
RuleName: -
Services: Spooler
User: NT AUTHORITY\\SYSTEM
UtcTime: 4242-04-24 13:37:42.422

23 Microsoft-Windows-Sysmon/Operational Archived: true
CommandLine: C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain
CurrentDirectory: C:\\Windows\\system32\\
Hashes: SHA1=C8180192DDCFAC99F0A4AA693D155D2F04AB4577,MD5=250748E3EAE15E3277916ED7EC8E6D95,SHA256=9514A9D8A33DA79A67167EA64DCE2AFDEAA5A9184A35B40674F8784166D9168A,IMPHASH=00000000000000000000000000000000
Image: C:\\Windows\\system32\\svchost.exe
ImageHashes: SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69
IntegrityLevel: System
IsExecutable: false
ProcessGuid: {515cd0d1-6e20-5f22-2700-000000004100}
ProcessId: 1716
RuleName: -
Services: SysMain
TargetFilename: C:\\Windows\\Prefetch\\WSL.EXE-59D55F1E.pf
User: NT AUTHORITY\\SYSTEM
UtcTime: 4242-04-24 13:37:42.422