what's in a sysmon event - Process creation


    I'm currently building a Sysmon kit for Gravwell and I'm thinking a series of "what's in a sysmon event" might be a good set of posts for here!

    Let's start as all things do, with creation...


    # Event ID 1: Process creation



    Microsoft provides the description of this event type:


    The process creation event provides extended information about a newly created process. The full command line provides context on the process execution. The ProcessGUID field is a unique value for this process across a domain to make event correlation easier. The hash is a full hash of the file with the algorithms in the HashType field.


    # Sample Event


    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
        <EventID>1</EventID>
        <Version>5</Version>
        <Level>4</Level>
        <Task>1</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2020-07-29T03:53:16.099233400Z" />
        <EventRecordID>3319506</EventRecordID>
        <Correlation />
        <Execution ProcessID="4932" ThreadID="5540" />
        <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
        <Computer>RAHZOR</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="RuleName" />
        <Data Name="UtcTime">2020-07-29 03:53:16.097</Data>
        <Data Name="ProcessGuid">{e8a27be9-f2ac-5f20-0000-0010e2d20b02}</Data>
        <Data Name="ProcessId">2916</Data>
        <Data Name="Image">C:\Windows\System32\wbem\WMIC.exe</Data>
        <Data Name="FileVersion">10.0.18362.1 (WinBuild.160101.0800)</Data>
        <Data Name="Description">WMI Commandline Utility</Data>
        <Data Name="Product">Microsoft® Windows® Operating System</Data>
        <Data Name="Company">Microsoft Corporation</Data>
        <Data Name="OriginalFileName">wmic.exe</Data>
        <Data Name="CommandLine">wmic computersystem get model,manufacturer /format:csv</Data>
        <Data Name="CurrentDirectory">C:\Windows\System32\drivers\RivetNetworks\Killer\</Data>
        <Data Name="User">NT AUTHORITY\SYSTEM</Data>
        <Data Name="LogonGuid">{e8a27be9-b192-5f20-0000-0020e7030000}</Data>
        <Data Name="LogonId">0x3e7</Data>
        <Data Name="TerminalSessionId">0</Data>
        <Data Name="IntegrityLevel">System</Data>
        <Data Name="Hashes">MD5=29B7D02A3B5F670B5AF2DAF008810863,SHA256=96BEC668680152DF51EC1DE1D5362C64C2ABA1EDA86F9121F517646F5DEC2B72,IMPHASH=2169BDA7AED3E42F1A59C8141542EC0C</Data>
        <Data Name="ParentProcessGuid">{e8a27be9-b194-5f20-0000-0010f39d0600}</Data>
        <Data Name="ParentProcessId">7076</Data>
        <Data Name="ParentImage">C:\Windows\System32\drivers\RivetNetworks\Killer\KAPS.exe</Data>
        <Data Name="ParentCommandLine">"KAPS.exe"</Data>
      </EventData>
    </Event>


    # Key Properties


    The key properties present in the process creation event are:


    * Computer

    * ProcessId

    * Image

    * OriginalFileName

    * Description

    * CommandLine

    * User

    * Hashes

    * ParentImage

    * ParentProcessId

    * ParentCommandLine


    # Sample Queries


    ## Basic Extraction


    Code:
    tag=sysmon winlog EventID==1 Computer ProcessId Image OriginalFileName Description CommandLine User ParentImage ParentProcessId ParentCommandLine | table

    ### Extract Hashes as well (but don't display them)


    Code:
    tag=sysmon winlog EventID==1 Computer ProcessId Image OriginalFileName Description CommandLine User Hashes ParentImage ParentProcessId ParentCommandLine
    | kv -e Hashes -d "," MD5 SHA256
    | table Computer Image OriginalFileName Description CommandLine User ParentImage ParentProcessId ParentCommandLine

    ## Common Processes table

    Code:
    tag=sysmon winlog EventID==1 Computer ProcessId Image OriginalFileName Description CommandLine User ParentImage ParentProcessId ParentCommandLine
    | count by Image Computer User
    | table Image Computer User count

    ## Uncommon Processes table


    Code:
    tag=sysmon winlog EventID==1 Computer ProcessId Image OriginalFileName Description CommandLine User ParentImage ParentProcessId ParentCommandLine
    | count by Image Computer User
    | sort by count asc
    | table Image Computer User count

    ## Top Process Spawners


    Code:
    tag=sysmon winlog EventID==1 Computer ProcessId Image OriginalFileName Description CommandLine User ParentImage ParentProcessId ParentCommandLine
    | count by Image ParentImage
    | stats sum(count) by ParentImage
    | table ParentImage count

    ## Search for a specific exe


    Code:
    tag=sysmon winlog EventID==1 Computer ProcessId Image OriginalFileName Description CommandLine User ParentImage ParentProcessId ParentCommandLine
    | grep -e Image -i "kaps"
    | table

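    As an added example (not code from the post or from Gravwell), here is a small Python parser that pulls the key properties listed above out of an Event ID 1 record, splits the Hashes field the same way the `kv -e Hashes -d "," MD5 SHA256` query does, and counts children per ParentImage like the Top Process Spawners query. The sample event is constructed from the record above, and the function names are my own.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Sysmon puts the Windows event schema namespace on <Event>; ElementTree needs it on every path step.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
KEY_PROPERTIES = ["ProcessId", "Image", "OriginalFileName", "Description", "CommandLine",
                  "User", "Hashes", "ParentImage", "ParentProcessId", "ParentCommandLine"]

# Constructed sample (hypothetical), trimmed from the Event ID 1 record in the post.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon" /><EventID>1</EventID><Computer>RAHZOR</Computer></System>
<EventData>
<Data Name="ProcessId">2916</Data>
<Data Name="Image">C:\Windows\System32\wbem\WMIC.exe</Data>
<Data Name="OriginalFileName">wmic.exe</Data>
<Data Name="Description">WMI Commandline Utility</Data>
<Data Name="CommandLine">wmic computersystem get model,manufacturer /format:csv</Data>
<Data Name="User">NT AUTHORITY\SYSTEM</Data>
<Data Name="Hashes">MD5=29B7D02A3B5F670B5AF2DAF008810863,SHA256=96BEC668680152DF51EC1DE1D5362C64C2ABA1EDA86F9121F517646F5DEC2B72,IMPHASH=2169BDA7AED3E42F1A59C8141542EC0C</Data>
<Data Name="ParentImage">C:\Windows\System32\drivers\RivetNetworks\Killer\KAPS.exe</Data>
<Data Name="ParentProcessId">7076</Data>
<Data Name="ParentCommandLine">"KAPS.exe"</Data>
</EventData></Event>"""

def parse_event(xml_text):
    """Return the key properties of one Event ID 1 record, or None for any other EventID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1":
        return None
    rec = {"Computer": root.findtext("e:System/e:Computer", namespaces=NS)}
    for data in root.iterfind("e:EventData/e:Data", NS):
        name = data.get("Name")
        if name in KEY_PROPERTIES:
            rec[name] = data.text or ""  # a self-closing <Data /> (e.g. RuleName) has text None
    return rec

def split_hashes(hashes):
    """Split 'MD5=..,SHA256=..,IMPHASH=..' into a dict; algorithms not in HashType are simply absent."""
    out = {}
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if value:
            out[algo.strip()] = value.strip().upper()
    return out

def count_spawners(records):
    """'Top Process Spawners': number of child processes created per ParentImage."""
    return Counter(r["ParentImage"] for r in records)
```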

  • #2
    I am very interested in how this works out - I am always intrigued by the posts from the Twitter account SwiftOnSecurity where they talk about the breakdown of the Sysmon events they're building in their XML config...

    I think because everyone wants to be so awesome... working some of that crazy config into the wells and then into queries and alerting could be a big deal in breaking into the data available...



    • #3
      I'm currently building a Sysmon kit and it's really incredible how much info is in here. Sysmon even outstrips some of the commercial tools out there for this stuff. Windows Defender to block and Sysmon for auditing seems like a combination that'll get you really close to EDR on Windows hosts.
