
EDR

clipboard_capture

Field Data Type Description Example
Computer string
EC2AMAZ-NNKUICG
EventID integer
24
Image string File path of the process that changed the clipboard contents
C:\Windows\System32\cmd.exe
ImageLoaded string
C:\Windows\SysWOW64\advapi32.dll
Name string
"Microsoft-Windows-Sysmon"
ProcessName string
cmd.exe
TargetObject string
HKCR
Task integer
24
User string
EC2AMAZ-NNKUICG\user
action string
allowed
id integer
521599
os string
Microsoft Windows
process_name string
cmd.exe
user string
user
ActivityID string
"17DE8F6C-8948-4010-A97F-E7B03155B7DB"
Archived string
true
Channel string
Microsoft-Windows-Sysmon/Operational
ClientInfo string
user: EC2AMAZ-NNKUICG\user
Company string
Microsoft Corporation
EventCode integer
24
EventData_Xml string
-    2022-06-28 20:49:29.633    27C5C1F0-53EF-62BB-CC02-000000003100    7812    C:\Windows\System32\rdpclip.exe    2    user: Win10Victim\bob hostname: Freds-MacBook-P    MD5=4B6581288053BE17E01F15B655762DC6,SHA256=60F54034AB611F0ACC8588FEAF7E48AD8FBC3863073A864F2599B954BBBF90A5,IMPHASH=00000000000000000000000000000000    true    Win10Victim\bob
EventDescription string
ClipboardChange (New content in the clipboard)
EventRecordID integer
521599
FileVersion string
10.0.20348.469 (WinBuild.160101.0800)
Guid string
"5770385F-C22A-43E0-BF4C-06F5698FFBD9"
Hashes string
MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000
IMPHASH string
00000000000000000000000000000000
Keywords string
0x8000000000000000
Level integer
4
MD5 string
D41D8CD98F00B204E9800998ECF8427E
Opcode integer
0
ProcessGuid string Process Guid of the process that changed the clipboard contents
CDE7C745-57AC-62D1-DA00-000000000900
ProcessID string
"11728"
ProcessId integer Process ID used by the OS to identify the process that changed the clipboard contents
6424
ProcessPath string
C:\Windows\System32\
Product string
Microsoft® Windows® Operating System
RecordNumber integer
521599
RuleName string Custom tag attached to the event by the matching Sysmon rule, e.g. an ATT&CK technique ID
-
SHA1 string
8E96143B484920A932DF0397A6E147AE1FDB01B0
SHA256 string
E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
Session integer
2
SigmaEventCode string
24
SystemTime string
'2022-06-28 20:49:29.641035 UTC'
System_Props_Xml string
        24    5    4    24    0    0x8000000000000000            521599                    Microsoft-Windows-Sysmon/Operational    Win10Victim        
ThreadID string
"1288"
UserID string
"S-1-5-18"
UtcTime string Time in UTC when event was created
2022-06-28 20:49:29.633
Version integer Version of the event schema (not the version of the Sysmon binary)
5
dest string
EC2AMAZ-NNKUICG
dvc string
EC2AMAZ-NNKUICG
dvc_nt_host string
DC01_a546dfa7-ead5-45f6-9952-1cdcdb223153
event_id integer
521599
process_exec string
cmd.exe
process_guid string
CDE7C745-57AC-62D1-DA00-000000000900
process_hash string
MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000
process_id integer
6424
process_path string
C:\Windows\System32\cmd.exe
registry_path string
HKCR
sigma_category string
clipboard_capture
sigma_product string
windows
sigma_service string
sysmon
signature string
ClipboardChange (New content in the clipboard)
signature_id integer
24
timeendpos integer
920
timestartpos integer
897
user_id string
"S-1-5-18"
vendor_product string
Microsoft Sysmon
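
The MD5 and SHA256 in the Hashes example above (D41D8CD9... and E3B0C442...) are the digests of zero-length input, so that ClipboardChange event recorded a clipboard change with no captured content. The following Python is an added example, not code from this page or from Sysmon: it parses the Hashes string, separates empty captures from archived ones, and flags events where the clipboard was pushed by a remote RDP client (rdpclip.exe as Image, with a hostname in ClientInfo, as in the EventData_Xml row above). The sample events are constructed from the field examples on this page; the second event's UtcTime is an assumption.

```python
import hashlib
import re

# Digests of zero-length input. A ClipboardChange event carrying exactly these
# means Sysmon hashed no content, not that two captures collided.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest().upper()


def parse_hashes(hashes: str) -> dict:
    """Split Sysmon's 'MD5=..,SHA256=..,IMPHASH=..' string into {ALGO: DIGEST}."""
    out = {}
    for part in hashes.split(","):
        algo, sep, digest = part.partition("=")
        if sep:
            out[algo.strip().upper()] = digest.strip().upper()
    return out


def rdp_client_host(event: dict):
    """Hostname of the remote RDP client when rdpclip.exe pushed the clipboard
    on behalf of a remote session, else None."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    m = re.search(r"hostname:\s*(\S+)", event.get("ClientInfo", ""))
    if image == "rdpclip.exe" and m:
        return m.group(1)
    return None


def classify_clipboard_event(event: dict) -> str:
    """'empty' when nothing was captured, 'archived' when a copy was written to
    the Sysmon archive directory, 'not-archived' otherwise."""
    h = parse_hashes(event.get("Hashes", ""))
    if h.get("MD5") == EMPTY_MD5 or h.get("SHA256") == EMPTY_SHA256:
        return "empty"
    if event.get("Archived", "").lower() == "true":
        return "archived"
    return "not-archived"


# Constructed sample events, assembled from the field examples on this page.
SAMPLE_EVENTS = [
    {
        "UtcTime": "2022-06-28 20:49:29.633",
        "Image": r"C:\Windows\System32\rdpclip.exe",
        "Session": "2",
        "ClientInfo": r"user: Win10Victim\bob hostname: Freds-MacBook-P",
        "Hashes": "MD5=4B6581288053BE17E01F15B655762DC6,"
                  "SHA256=60F54034AB611F0ACC8588FEAF7E48AD8FBC3863073A864F2599B954BBBF90A5,"
                  "IMPHASH=00000000000000000000000000000000",
        "Archived": "true",
        "User": r"Win10Victim\bob",
    },
    {
        "UtcTime": "2022-06-28 20:49:29.641",  # assumed
        "Image": r"C:\Windows\System32\cmd.exe",
        "Session": "2",
        "ClientInfo": r"user: EC2AMAZ-NNKUICG\user",
        "Hashes": "MD5=D41D8CD98F00B204E9800998ECF8427E,"
                  "SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,"
                  "IMPHASH=00000000000000000000000000000000",
        "Archived": "true",
        "User": r"EC2AMAZ-NNKUICG\user",
    },
]


def summarize(events=SAMPLE_EVENTS) -> list:
    """One (user, classification, rdp_client_host) tuple per event."""
    return [(e["User"], classify_clipboard_event(e), rdp_client_host(e)) for e in events]


if __name__ == "__main__":
    for row in summarize():
        print(row)
```

Filtering on the empty-input digests before pulling archived clipboard files from the Sysmon archive directory avoids chasing captures that contain nothing; the RDP check is worth keeping separate because clipboard content arriving from an outside workstation is a different exposure than a local copy-paste.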

create_remote_thread

Field Data Type Description Example
Computer string
EC2AMAZ-1CL0VOR
EventID integer
8
Name string
"Microsoft-Windows-Sysmon"
ProcessName string
dwm.exe
Task integer
8
Type string
Information
User string
NOT_TRANSLATED
action string
allowed
id integer
2126
os string
Microsoft Windows
process_name string
tshark.exe
Channel string
Microsoft-Windows-Sysmon/Operational
ComputerName string
NIH-Vc6XTAHNsou
EventCode integer
8
EventData_Xml string
-    2022-07-28 14:16:45.182    501694F9-7AA2-62E2-7E00-000000000700    4668    C:\Windows\System32\csrss.exe    501694F9-99AB-62E2-C106-000000000700    4492    C:\Program Files\Wireshark\tshark.exe    5384    0x00007FF9BAB9B880    C:\Windows\System32\KERNELBASE.dll    CtrlRoutine    NT AUTHORITY\SYSTEM    training1\bob
EventDescription string
CreateRemoteThread
EventRecordID integer
2126
Guid string
"5770385F-C22A-43E0-BF4C-06F5698FFBD9"
Keywords string
None
Level integer
4
LogName string
Microsoft-Windows-Sysmon/Operational
Message string
CreateRemoteThread detected:
RuleName: -
UtcTime: 2022-02-14 21:03:20.074
SourceProcessGuid: {b50c7a1e-c396-620a-4a7d-000000002000}
SourceProcessId: 5928
SourceImage: C:\Windows\System32\dwm.exe
TargetProcessGuid: {b50c7a1e-c394-620a-457d-000000002000}
TargetProcessId: 6552
TargetImage: C:\Windows\System32\csrss.exe
NewThreadId: 4620
StartAddress: 0xFFFFF73E3E302A50
StartModule: -
StartFunction: -
NewThreadId integer Id of the new thread created in the target process
2664
OpCode string
Info
Opcode integer
0
ProcessID string
"3308"
ProcessId integer
6108
ProcessPath string
C:\Windows\System32\
RecordNumber integer
2126
RuleName string Custom tag attached to the event by the matching Sysmon rule, e.g. an ATT&CK technique ID
-
Sid string
S-1-5-18
SidType integer
0
SigmaEventCode integer
8
SourceImage string File path of the source process that created a thread in another process
C:\Windows\System32\dwm.exe
SourceName string
Microsoft-Windows-Sysmon
SourceProcessGuid string Process Guid of the source process that created a thread in another process
{b50c7a1e-4b8a-61f8-63a2-000000002000}
SourceProcessId integer Process ID used by the os to identify the source process that created a thread in another process
6108
SourceUser string Name of the account of the source process that created a thread in another process.
NT AUTHORITY\SYSTEM
StartAddress string New thread start address
0x00007FFA812D9CD0
StartFunction string Start function; reported only when the start address exactly matches a function in the module's export table, otherwise '-'
CtrlRoutine
StartModule string Start module, found by mapping the thread start address against the target's PEB loaded-module list; '-' means the address is not backed by any loaded module
C:\Windows\System32\KERNELBASE.dll
SystemTime string
'2022-07-28 14:16:45.193268 UTC'
System_Props_Xml string
        8    2    4    8    0    0x8000000000000000            16884                    Microsoft-Windows-Sysmon/Operational    training1        
TargetImage string File path of the target process
C:\Windows\System32\csrss.exe
TargetProcessGuid string Process Guid of the target process
{b50c7a1e-2b1d-620d-d301-000000002000}
TargetProcessId integer Process ID used by the os to identify the target process
704
TargetUser string Name of the account of the target process
EC2AMAZ-1CL0VOR\user
TaskCategory string
CreateRemoteThread detected (rule: CreateRemoteThread)
ThreadID string
"3860"
UserID string
"S-1-5-18"
UtcTime string Time in UTC when event was created
2022-07-28 14:16:19.976
Version integer
2
dest string
EC2AMAZ-1CL0VOR
dvc_nt_host string
DC01_a546dfa7-ead5-45f6-9952-1cdcdb223153
event_id integer
2126
extracted_EventType integer
4
parent_process_exec string
csrss.exe
parent_process_guid string
CDE7C745-57E1-62D1-4105-000000000900
parent_process_id integer
380
parent_process_name string
csrss.exe
parent_process_path string
C:\Windows\System32\csrss.exe
process_exec string
tshark.exe
process_guid string
CDE7C745-568D-62D1-0C00-000000000900
process_id integer
704
process_path string
C:\Program Files\Wireshark\tshark.exe
sigma_category string
create_remote_thread
sigma_product string
windows
sigma_service string
sysmon
signature string
CreateRemoteThread
signature_id integer
8
src_address string
0x0000011EC1090000
src_function string
CtrlRoutine
src_module string
C:\Windows\System32\KERNELBASE.dll
timeendpos integer
917
timestartpos integer
894
user_id string
"S-1-5-18"
vendor_product string
Microsoft Sysmon
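
The two CreateRemoteThread records on this page illustrate the tuning problem with Event 8: csrss.exe starting a thread at KERNELBASE.dll!CtrlRoutine inside tshark.exe is how Windows delivers console control signals (Ctrl+C, Ctrl+Break) and is expected noise, while dwm.exe starting a thread in csrss.exe whose StartModule is '-' (no loaded module behind the start address) looks worse on paper but is also frequent on healthy hosts and needs environment-specific baselining. The Python below is an added example, not code from this page or from Sysmon: it parses the Message field into a dict, whitelists the known console-control triple, and scores the rest on unbacked start addresses, sensitive targets, source image location and user boundary crossing. The csrss/tshark event is rebuilt from the EventData_Xml row above; the loader.exe event is constructed.

```python
# Triage of Sysmon Event 8 (CreateRemoteThread) records.
SENSITIVE_TARGETS = {"lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe"}

# (source image, start module, start function) triples that are expected noise.
# csrss.exe starting a thread at KERNELBASE!CtrlRoutine is how console control
# signals (Ctrl+C, Ctrl+Break, window close) are delivered to a console process.
BENIGN_TRIPLES = {("csrss.exe", "kernelbase.dll", "CtrlRoutine")}


def parse_sysmon_message(message: str) -> dict:
    """Turn the 'Key: value' lines of a Sysmon Message field into a dict."""
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_remote_thread(ev: dict):
    """Return (verdict, reasons) for one CreateRemoteThread event."""
    src = basename(ev.get("SourceImage", ""))
    tgt = basename(ev.get("TargetImage", ""))
    module = basename(ev.get("StartModule", "-"))
    function = ev.get("StartFunction", "-")
    if (src, module, function) in BENIGN_TRIPLES:
        return "benign", ["console control signal delivered by csrss.exe"]
    reasons = []
    if module == "-":
        reasons.append("start address is not backed by a loaded module")
    if tgt in SENSITIVE_TARGETS:
        reasons.append(f"new thread in sensitive process {tgt}")
    if not ev.get("SourceImage", "").lower().startswith(("c:\\windows\\", "c:\\program files")):
        reasons.append("source image outside Windows or Program Files")
    src_user = ev.get("SourceUser", "")
    if src_user != ev.get("TargetUser", src_user):
        reasons.append("thread crosses a user boundary")
    return ("suspicious" if reasons else "unremarkable"), reasons


# Message example from this page (dwm.exe -> csrss.exe, unbacked start address).
DWM_MESSAGE = r"""CreateRemoteThread detected:
RuleName: -
UtcTime: 2022-02-14 21:03:20.074
SourceProcessGuid: {b50c7a1e-c396-620a-4a7d-000000002000}
SourceProcessId: 5928
SourceImage: C:\Windows\System32\dwm.exe
TargetProcessGuid: {b50c7a1e-c394-620a-457d-000000002000}
TargetProcessId: 6552
TargetImage: C:\Windows\System32\csrss.exe
NewThreadId: 4620
StartAddress: 0xFFFFF73E3E302A50
StartModule: -
StartFunction: -"""

# Rebuilt from the EventData_Xml row on this page (csrss.exe -> tshark.exe).
TSHARK_EVENT = {
    "SourceImage": r"C:\Windows\System32\csrss.exe",
    "TargetImage": r"C:\Program Files\Wireshark\tshark.exe",
    "StartAddress": "0x00007FF9BAB9B880",
    "StartModule": r"C:\Windows\System32\KERNELBASE.dll",
    "StartFunction": "CtrlRoutine",
    "SourceUser": r"NT AUTHORITY\SYSTEM",
    "TargetUser": r"training1\bob",
}

# Constructed: user-land dropper injecting into lsass.exe at an unbacked address.
LOADER_EVENT = {
    "SourceImage": r"C:\Users\bob\Downloads\loader.exe",
    "TargetImage": r"C:\Windows\System32\lsass.exe",
    "StartAddress": "0x000001F2A3B40000",
    "StartModule": "-",
    "StartFunction": "-",
    "SourceUser": r"training1\bob",
    "TargetUser": r"NT AUTHORITY\SYSTEM",
}


def triage_all() -> list:
    """Verdicts for the three sample records, in order."""
    events = [parse_sysmon_message(DWM_MESSAGE), TSHARK_EVENT, LOADER_EVENT]
    return [score_remote_thread(e)[0] for e in events]


if __name__ == "__main__":
    for ev in (parse_sysmon_message(DWM_MESSAGE), TSHARK_EVENT, LOADER_EVENT):
        print(basename(ev["SourceImage"]), "->", basename(ev["TargetImage"]), score_remote_thread(ev))
```

The whitelist is keyed on the full (source, module, function) triple rather than on StartFunction alone, so a thread at CtrlRoutine started by anything other than csrss.exe still scores.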

create_stream_hash

Field Data Type Description Example
Computer string
EC2AMAZ-NNKUICG
EventID integer
15
Image string File path of the process that created the named file stream
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ImageLoaded string
C:\Windows\SysWOW64\advapi32.dll
Name string
"Microsoft-Windows-Sysmon"
ProcessName string
powershell.exe
TargetFilename string
C:\Users\user\Downloads\HxDPortableSetup.zip
TargetObject string
HKCR
Task integer
15
Type string
Information
User string Name of the account that created the stream. It usually contains the domain name and user name
NOT_TRANSLATED
action string
allowed
id integer
17907
os string
Microsoft Windows
process_name string
powershell.exe
user string
user
Channel string
Microsoft-Windows-Sysmon/Operational
Company string Company name from the version resource of the image that created the stream
Microsoft Corporation
ComputerName string
NIH-2UKkeAsXtb5
Contents string
-
CreationUtcTime string
2022-06-15 13:07:31.620
EventCode integer
15
EventData_Xml string
-    2022-06-15 13:07:38.444    5C68405B-D989-62A9-2205-00000000B001    2692    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    C:\Users\user\AppData\Local\Temp\ReadMe.md    2022-06-15 13:07:31.620    MD5=F988E74F79B7BF5BD5E0B61A5FDB5DBA,SHA256=C7869F8957C50976C3DAF0155FBB2074668B3444072E763112C04C4DFD34C84C,IMPHASH=00000000000000000000000000000000    -    EC2AMAZ-NNKUICG\user
EventDescription string
FileCreateStreamHash
EventRecordID integer
17907
FileVersion string Version of the image that created the stream
10.0.20348.469 (WinBuild.160101.0800)
Guid string
"5770385F-C22A-43E0-BF4C-06F5698FFBD9"
Hash string
Unknown
IMPHASH string
00000000000000000000000000000000
Keywords string
None
Level integer
4
LogName string
Microsoft-Windows-Sysmon/Operational
MD5 string
F988E74F79B7BF5BD5E0B61A5FDB5DBA
Message string
File stream created:
RuleName: blacklist
UtcTime: 2022-02-23 19:58:26.859
ProcessGuid: {b50c7a1e-91e2-6216-200b-000000002000}
ProcessId: 8956
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
TargetFilename: C:\Users\user\Downloads\HxDPortableSetup.zip
CreationUtcTime: 2022-02-23 19:58:25.147
Hash: MD5=6409DD18A6B77140260943A37CCB7C67,SHA256=55BD984F097C4C1F6091CE30625B89970F74827EA9275AC9BA5D9DD42C0C38F2,IMPHASH=00000000000000000000000000000000
Contents: -
OpCode string
Info
Opcode integer
0
ProcessGuid string Process Guid of the process that created the stream
{b50c7a1e-91e2-6216-200b-000000002000}
ProcessID string
"2652"
ProcessId integer Process ID used by the OS to identify the process that created the stream
8956
ProcessPath string
C:\Windows\System32\WindowsPowerShell\v1.0\
Product string Product name from the version resource of the image that created the stream
Microsoft® Windows® Operating System
RecordNumber integer
80118
RuleName string Custom tag attached to the event by the matching Sysmon rule, e.g. an ATT&CK technique ID
blacklist
SHA1 string
8E96143B484920A932DF0397A6E147AE1FDB01B0
SHA256 string
C7869F8957C50976C3DAF0155FBB2074668B3444072E763112C04C4DFD34C84C
Sid string
S-1-5-18
SidType integer
0
SigmaEventCode string
15
SourceName string
Microsoft-Windows-Sysmon
SystemTime string
'2022-06-15 13:08:38.842479 UTC'
System_Props_Xml string
        15    2    4    15    0    0x8000000000000000            4574                    Microsoft-Windows-Sysmon/Operational    EC2AMAZ-NNKUICG        
TaskCategory string
File stream created (rule: FileCreateStreamHash)
ThreadID string
"3440"
UserID string
"S-1-5-18"
UtcTime string Time in UTC when event was created
2022-06-15 13:08:28.759
Version integer
2
dest string
EC2AMAZ-NNKUICG
dvc_nt_host string
EC2AMAZ-NNKUICG_670f636f-ffcb-415a-93c8-a284046193df
event_id integer
17907
extracted_EventType integer
4
file_create_time string
2022-06-15 13:07:31.620
file_hash string
Unknown
file_name string
ReadMe.md
file_path string
C:\Users\user\AppData\Local\Temp\ReadMe.md
process_exec string
powershell.exe
process_guid string
5C68405B-D9C2-62A9-4605-00000000B001
process_id integer
5568
process_path string
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
registry_path string
HKCR
sigma_category string
create_stream_hash
sigma_product string
windows
sigma_service string
sysmon
signature string
FileCreateStreamHash
signature_id integer
15
timeendpos integer
920
timestartpos integer
897
user_id string
"S-1-5-18"
vendor_product string
Microsoft Sysmon
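
The most useful FileCreateStreamHash records are the Zone.Identifier streams a browser writes beside a download: when the stream is text, Sysmon records its body in the Contents field (the rows above show '-' where no text contents were recorded). The Python below is an added example, not code from this page or from Sysmon: it parses the [ZoneTransfer] block into zone, ReferrerUrl and HostUrl and triages the event by zone and file extension. The HxDPortableSetup.zip event is rebuilt from the rows above with a constructed Contents body and a ':Zone.Identifier' stream suffix added to TargetFilename, which this page's example omits; the whitespace between the Contents keys is an assumption, so the parser keys on 'name=value' pairs rather than on line breaks.

```python
import ntpath
import re
from typing import Optional

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
# Illustrative set of extensions worth a second look when they arrive from the Internet zone.
RISKY_EXTENSIONS = {".exe", ".dll", ".msi", ".zip", ".iso", ".js", ".hta", ".lnk", ".ps1", ".scr"}


def parse_zone_identifier(contents: str) -> Optional[dict]:
    """Parse the [ZoneTransfer] body of a Zone.Identifier stream as recorded in Contents.
    Returns None for '-' (no text contents recorded) and for any other stream type."""
    if "[ZoneTransfer]" not in contents:
        return None
    kv = dict(re.findall(r"(ZoneId|ReferrerUrl|HostUrl)=(\S+)", contents))
    zone = int(kv["ZoneId"]) if kv.get("ZoneId", "").isdigit() else None
    return {"zone": zone, "zone_name": ZONE_NAMES.get(zone, "unknown"),
            "referrer": kv.get("ReferrerUrl"), "host": kv.get("HostUrl")}


def triage_stream_event(ev: dict):
    """Return (verdict, detail) for one FileCreateStreamHash event."""
    # Sysmon names the stream as <file>:<stream>; keep only the data file.
    data_file = ev["TargetFilename"].split(":Zone.Identifier", 1)[0]
    detail = {"file": data_file, "image": ntpath.basename(ev["Image"])}
    zone = parse_zone_identifier(ev.get("Contents", "-"))
    if zone is None:
        return "no-zone-info", detail
    detail.update(zone)
    if zone["zone"] == 3:
        risky = ntpath.splitext(data_file)[1].lower() in RISKY_EXTENSIONS
        return ("internet-download-risky" if risky else "internet-download"), detail
    return "not-internet", detail


SAMPLE_EVENTS = [
    {   # Download from the rows above; Contents body and stream suffix are constructed
        "Image": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
        "TargetFilename": r"C:\Users\user\Downloads\HxDPortableSetup.zip:Zone.Identifier",
        "Contents": "[ZoneTransfer]  ZoneId=3  ReferrerUrl=https://downloads.example.test/hxd/  "
                    "HostUrl=https://downloads.example.test/files/HxDPortableSetup.zip",
    },
    {   # powershell.exe writing ReadMe.md, from the EventData_Xml row above (no text contents)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetFilename": r"C:\Users\user\AppData\Local\Temp\ReadMe.md",
        "Contents": "-",
    },
    {   # Constructed: a document copied from an intranet share
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\user\Documents\budget.xlsx:Zone.Identifier",
        "Contents": "[ZoneTransfer]\r\nZoneId=1\r\n",
    },
]


def triage_all() -> list:
    """Verdict per sample event, in order."""
    return [triage_stream_event(e)[0] for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage_stream_event(ev))
```

HostUrl is the value to pivot on: it survives even when the browser history is cleared, and it is what you correlate against proxy logs and the dns_query events further down this page.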

dns_query

Field Data Type Description Example
Computer string
training1
EventID integer
22
Image string File path of the process that issued the DNS query
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Name string
"Microsoft-Windows-Sysmon"
ProcessName string
svchost.exe
Task integer
22
Type string
Information
User string
training1\bob
id integer
1812
process_name string
SearchApp.exe
query string
api.msn.com
user string
bob
Channel string
Microsoft-Windows-Sysmon/Operational
ComputerName string
SNAP-BZCdydKCLl
EventCode integer
22
EventData_Xml string
-    2022-07-28 14:16:58.791    501694F9-9A54-62E2-6206-000000000700    6724    clients2.google.com    0    type:  5 clients.l.google.com;::ffff:172.253.115.101;::ffff:172.253.115.139;::ffff:172.253.115.138;::ffff:172.253.115.113;::ffff:172.253.115.100;::ffff:172.253.115.102;    C:\Program Files (x86)\Google\Update\GoogleUpdate.exe    NT AUTHORITY\SYSTEM
EventDescription string
DNSEvent (DNS query)
EventRecordID integer
1812
Guid string
"5770385F-C22A-43E0-BF4C-06F5698FFBD9"
Keywords string
None
Level integer
4
LogName string
Microsoft-Windows-Sysmon/Operational
Message string
Dns query:

RuleName: whitelist

UtcTime: 2022-03-22 18:06:07.937

ProcessGuid: {b50c7a1e-0f0e-623a-3c00-000000002000}

ProcessId: 2364

QueryName: fe3cr.delivery.mp.microsoft.com

QueryStatus: 0

QueryResults: type: 5 fe3.delivery.mp.microsoft.com;type: 5 glb.cws.prod.dcat.dsp.trafficmanager.net;::ffff:52.242.97.97;

Image: C:\Windows\System32\svchost.exe
OpCode string
Info
Opcode integer
0
ProcessGuid string Process Guid of the process that issued the DNS query
{b50c7a1e-0f10-623a-4800-000000002000}
ProcessID string
"3112"
ProcessId integer Process ID used by the OS to identify the process that issued the DNS query
ProcessPath string
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\
QueryName string
ocsp.digicert.com
QueryResults string Resolved records as a ';'-separated list; CNAME entries are written as 'type: 5 <name>' and IPv4 answers as IPv4-mapped IPv6 addresses ('::ffff:a.b.c.d')
type:  5 cs9.wac.phicdn.net;::ffff:72.21.91.29;
QueryStatus string Windows DNS status code of the lookup; 0 is success, non-zero values are Windows error codes (e.g. 9003, DNS_ERROR_RCODE_NAME_ERROR, for a name that does not exist)
RecordNumber integer
19498
RuleName string Custom tag attached to the event by the matching Sysmon rule, e.g. an ATT&CK technique ID
whitelist
Sid string
S-1-5-18
SidType integer
0
SigmaEventCode integer
22
SourceName string
Microsoft-Windows-Sysmon
SystemTime string
'2022-07-28 10:04:22.194512 UTC'
System_Props_Xml string
        22    5    4    22    0    0x8000000000000000            1812                    Microsoft-Windows-Sysmon/Operational    training1        
TaskCategory string
Dns query (rule: DnsQuery)
ThreadID string
"8160"
UserID string
"S-1-5-18"
UtcTime string Time in UTC when event was created
2022-07-28 14:16:58.791
Version integer
5
dvc_nt_host string
training1_863ebc76-4615-40a1-bf8b-665d8fd38884
event_id integer
1812
extracted_EventType integer
4
process_exec string
SearchApp.exe
process_guid string
501694F9-9A9B-62E2-6B06-000000000700
query_count integer
1
reply_code_id integer
0
sigma_category string
dns_query
sigma_product string
windows
sigma_service string
sysmon
signature string
DNSEvent (DNS query)
signature_id integer
22
src string
training1
timeendpos integer
914
timestartpos integer
891
user_id string
"S-1-5-18"
vendor_product string
Microsoft Sysmon

driver_load

Field Data Type Description Example
Computer string
EC2AMAZ-NNKUICG
EventID integer
6
Image string
C:\Windows\System32\poqexec.exe
ImageLoaded string full path of the driver loaded
C:\Windows\System32\drivers\IndirectKmd.sys
Name string
"Microsoft-Windows-Sysmon"
ProcessName string
poqexec.exe
TargetObject string
HKCR
Task integer
6
Type string
Information
User string
NOT_TRANSLATED
action string
allowed
id integer
17554
os string
Microsoft Windows
Channel string
Microsoft-Windows-Sysmon/Operational
Company string
Microsoft Corporation
ComputerName string
NIH-2UKkeAsXtb5
EventCode integer
6
EventData_Xml string
-    2022-06-15 13:09:14.457    C:\Windows\System32\drivers\fsdepends.sys    MD5=8B7C64870572FC94A465C243613C2880,SHA256=308A0C48377DE20DB212812CAF22C199886882EB73CF29577C6F48E2AA781B28,IMPHASH=2515900B8FEB8C1081798E60A7714353    true    Microsoft Windows    Valid
EventDescription string
Driver loaded
EventRecordID integer
17554
FileVersion string
10.0.20348.469 (WinBuild.160101.0800)
Guid string
"5770385F-C22A-43E0-BF4C-06F5698FFBD9"
Hashes string Hashes of the loaded driver file, computed with the algorithms configured in Sysmon's HashAlgorithms setting
MD5=655337A4FD23A0DDEF801E89F15279D9,SHA256=599ED281543F348C35C39C7F28F48CED671B94F8621555F4200F5E95CAE69AF7,IMPHASH=DE255D138C2DE1B7AC5F099957D5A045
IMPHASH string
67ABB668D261B7279DE750058BBEADB8
Keywords string
None
Level integer
4
LogName string
Microsoft-Windows-Sysmon/Operational
MD5 string
655337A4FD23A0DDEF801E89F15279D9
Message string
Driver loaded:
RuleName: -
UtcTime: 2022-01-07 19:06:50.450
ImageLoaded: C:\Windows\System32\drivers\terminpt.sys
Hashes: MD5=C225B94F2B27AC97C3E66C0550AEA249,SHA256=6F88375DD12A648B77BB6EB4BE527FF6678EE76A2059DB5B4CC971CDB31D0DB8,IMPHASH=67ABB668D261B7279DE750058BBEADB8
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid
OpCode string
Info
Opcode integer
0
ProcessID string
"2632"
ProcessId integer
2632
ProcessPath string
C:\Windows\System32\
Product string
Microsoft® Windows® Operating System
RecordNumber integer
357
RuleName string Custom tag attached to the event by the matching Sysmon rule, e.g. an ATT&CK technique ID
-
SHA1 string
8E96143B484920A932DF0397A6E147AE1FDB01B0
SHA256 string
308A0C48377DE20DB212812CAF22C199886882EB73CF29577C6F48E2AA781B28
Sid string
S-1-5-18
SidType integer
0
SigmaEventCode string
6
Signature string Name of the signer from the driver's Authenticode signature
Microsoft Windows
SignatureStatus string Result of the signature check (e.g. Valid)
Valid
Signed string Whether the loaded driver carries a signature (true/false)
true
SourceName string
Microsoft-Windows-Sysmon
SystemTime string
'2022-06-15 13:09:14.487708 UTC'
System_Props_Xml string
        6    4    4    6    0    0x8000000000000000            4453                    Microsoft-Windows-Sysmon/Operational    EC2AMAZ-NNKUICG        
TaskCategory string
Driver loaded (rule: DriverLoad)
ThreadID string
"3392"
UserID string
"S-1-5-18"
UtcTime string Time in UTC when event was created
2022-06-15 13:09:14.457
Version integer
4
dest string
EC2AMAZ-NNKUICG
dvc_nt_host string
EC2AMAZ-NNKUICG_550b15ba-fc6b-473d-bcdf-25455f293a3d
event_id integer
17554
extracted_EventType integer
4
process_hash string
MD5=655337A4FD23A0DDEF801E89F15279D9,SHA256=599ED281543F348C35C39C7F28F48CED671B94F8621555F4200F5E95CAE69AF7,IMPHASH=DE255D138C2DE1B7AC5F099957D5A045
process_path string
C:\Users\doadmin\Downloads\mimikatz_trunk\x64\mimidrv.sys
registry_path string
HKCR
service_signature_exists string
true
service_signature_verified string
true
sigma_category string
driver_load
sigma_product string
windows
sigma_service string
sysmon
signature string
Driver loaded
signature_id integer
6
timeendpos integer
918
timestartpos integer
895
user_id string
"S-1-5-18"
vendor_product string
Microsoft Sysmon
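
Signed=true with SignatureStatus=Valid only says that some certificate the machine trusts signed the driver; it is exactly the condition a bring-your-own-vulnerable-driver attack satisfies, and the process_path example above (mimidrv.sys in a Downloads folder) is the shape of event to catch. The Python below is an added example, not code from this page or from Sysmon: it grades each Driver loaded event on signer, signature status and load path. The terminpt.sys event is the Message example above; the mimidrv.sys event reuses that path with a constructed signer and status; the flt.sys event is entirely constructed.

```python
# Directories an in-box or properly installed driver is expected to live in.
SYSTEM_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")
# Signers treated as first-party. Extend for your own vendors after review.
TRUSTED_SIGNERS = {"microsoft windows", "microsoft windows hardware compatibility publisher"}
# Path fragments that indicate a location a standard user can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\downloads\\")


def triage_driver_load(ev: dict):
    """Return (severity, findings) for one Sysmon Event 6 record."""
    path = ev["ImageLoaded"].lower()
    signed = ev.get("Signed", "false").lower() == "true"
    status = ev.get("SignatureStatus", "")
    signer = ev.get("Signature", "-")
    findings = []
    if not signed or status != "Valid":
        findings.append(f"signature missing or not valid (Signed={ev.get('Signed')}, SignatureStatus={status})")
    elif signer.lower() not in TRUSTED_SIGNERS:
        findings.append(f"valid signature from a non-first-party signer: {signer}")
    if not path.startswith(SYSTEM_DRIVER_DIRS):
        findings.append("loaded from outside the system driver directories")
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        findings.append("loaded from a user-writable location")
    if len(findings) >= 2:
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "none"
    return severity, findings


SAMPLE_EVENTS = [
    {   # Message example above: in-box Microsoft driver
        "ImageLoaded": r"C:\Windows\System32\drivers\terminpt.sys",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {   # path from the process_path example above; signer and status are constructed
        "ImageLoaded": r"C:\Users\doadmin\Downloads\mimikatz_trunk\x64\mimidrv.sys",
        "Signed": "true", "Signature": "Example Code Signing Ltd", "SignatureStatus": "Valid",
    },
    {   # constructed: unsigned driver dropped into a temp directory
        "ImageLoaded": r"C:\Windows\Temp\flt.sys",
        "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable",
    },
]


def triage_all() -> list:
    """(severity, number of findings) per sample event, in order."""
    return [(triage_driver_load(e)[0], len(triage_driver_load(e)[1])) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        severity, findings = triage_driver_load(ev)
        print(severity, ev["ImageLoaded"])
        for f in findings:
            print("   -", f)
```

Pair this with the Hashes field: a driver that passes every check here can still be a known-vulnerable version, and SHA256 against a maintained vulnerable-driver list is the check that catches that case.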

file_change

Field Data Type Description Example
Computer string
EC2AMAZ-1CL0VOR
EventID integer
2
Image string File path of the process that changed the file creation time
C:\WINDOWS\system32\svchost.exe
Name string
"Microsoft-Windows-Sysmon"
ProcessName string
svchost.exe
TargetFilename string full path name of the file
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\TempState\~ortanaUnifiedTileModelCache.tmp
Task integer
2
Type string
Information
User string
NOT_TRANSLATED
action string
modified
id integer
499
process_name string
chrome.exe
user string
bob
Channel string
Microsoft-Windows-Sysmon/Operational
ComputerName string
SNAP-61ZqeLdZfB
CreationUtcTime string new creation time of the file
2022-07-26 15:31:16.252
EventCode integer
2
EventData_Xml string
-    2022-07-28 14:18:25.236    501694F9-9A94-62E2-6806-000000000700    8228    C:\Program Files\Google\Chrome\Application\chrome.exe    C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\41179df7-8737-4afe-b1c1-0c616366e7bb.tmp    2022-07-26 14:12:16.518    2022-07-28 14:18:25.221    training1\bob
EventDescription string
A process changed a file creation time
EventRecordID integer
499
Guid string
"5770385F-C22A-43E0-BF4C-06F5698FFBD9"
Keywords string
None
Level integer
4
LogName string
Microsoft-Windows-Sysmon/Operational
Message string
File creation time changed:
RuleName: -
UtcTime: 2022-02-23 20:00:12.314
ProcessGuid: {b50c7a1e-90df-6216-970a-000000002000}
ProcessId: 8060
Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
TargetFilename: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\c3feab14-e14e-44c2-9c3e-b483d04a19d9.tmp
CreationUtcTime: 2020-11-10 17:24:21.829
PreviousCreationUtcTime: 2022-02-23 20:00:12.307
OpCode string
Info
Opcode integer
0
PreviousCreationUtcTime string previous creation time of the file
2022-07-28 14:18:25.221
ProcessGuid string Process Guid of the process that changed the file creation time
{b50c7a1e-32cc-6219-3e00-000000002100}
ProcessID string
"3112"
ProcessId integer Process ID used by the os to identify the process changing the file creation time
8228
ProcessPath string
C:\Program Files\Google\Chrome\Application\
RecordNumber integer
88386
RuleName string Custom tag attached to the event by the matching Sysmon rule, e.g. an ATT&CK technique ID
-
Sid string
S-1-5-18
SidType integer
0
SigmaEventCode integer
2
SourceName string
Microsoft-Windows-Sysmon
SystemTime string
'2022-07-28 14:18:25.242866 UTC'
System_Props_Xml string
        2    5    4    2    0    0x8000000000000000            2614                    Microsoft-Windows-Sysmon/Operational    training1        
TaskCategory string
File creation time changed (rule: FileCreateTime)
ThreadID string
"3780"
UserID string
"S-1-5-18"
UtcTime string Time in UTC when event was created
2022-07-28 14:18:25.236
Version integer
5
dest string
EC2AMAZ-1CL0VOR
dvc_nt_host string
training1_863ebc76-4615-40a1-bf8b-665d8fd38884
event_id integer
499
extracted_EventType integer
4
file_create_time string
2022-07-26 15:31:16.252
file_modify_time string
2022-07-28 14:18:25.236
file_name string
LOG
file_path string
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\TempState\~ortanaUnifiedTileModelCache.tmp
object_category string
file
process_exec string
chrome.exe
process_guid string
501694F9-9A94-62E2-6806-000000000700
process_id integer
8228
process_path string
C:\Program Files\Google\Chrome\Application\chrome.exe
sigma_category string
file_change
sigma_product string
windows
sigma_service string
sysmon
signature string
A process changed a file creation time
signature_id integer
2
timeendpos integer
912
timestartpos integer
889
user_id string
"S-1-5-18"
vendor_product string
Microsoft Sysmon
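
Event 2 is the timestomping signal, but the Message example above is the usual false positive: msedge.exe resetting a .tmp file's creation time from 2022 back to 2020 is a browser preserving the original timestamp of a download, and Chrome produces the same pattern under its User Data directory. The Python below is an added example, not code from this page or from Sysmon: it compares CreationUtcTime with PreviousCreationUtcTime, flags large backdating and zeroed sub-second digits (whole-second timestamps are what many timestomping tools write), and sets browser temp-file activity aside. The first sample is the Message example above; the other two are constructed, and the one-day threshold and browser list are assumptions to tune.

```python
from datetime import datetime, timedelta

SYSMON_TIME = "%Y-%m-%d %H:%M:%S.%f"
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed set; extend as needed


def parse_sysmon_time(value: str) -> datetime:
    """Parse Sysmon's 'YYYY-MM-DD HH:MM:SS.mmm' UTC timestamp."""
    return datetime.strptime(value, SYSMON_TIME)


def assess_file_time_change(ev: dict, backdate_threshold: timedelta = timedelta(days=1)):
    """Return (verdict, reasons) for one 'File creation time changed' event."""
    new = parse_sysmon_time(ev["CreationUtcTime"])
    previous = parse_sysmon_time(ev["PreviousCreationUtcTime"])
    moved_back = previous - new  # positive when the creation time was pushed into the past
    reasons = []
    if moved_back > backdate_threshold:
        reasons.append(f"creation time moved back by {moved_back.days} days")
    if new.microsecond == 0:
        reasons.append("new creation time has zeroed sub-second digits")
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    if image in BROWSERS and ev["TargetFilename"].lower().endswith(".tmp"):
        # Browsers restore a download's original timestamp on their temp file.
        return "likely-benign", reasons
    return ("suspicious" if reasons else "unremarkable"), reasons


SAMPLE_EVENTS = [
    {   # Message example above: Edge restoring the original timestamp on a download temp file
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\c3feab14-e14e-44c2-9c3e-b483d04a19d9.tmp",
        "CreationUtcTime": "2020-11-10 17:24:21.829",
        "PreviousCreationUtcTime": "2022-02-23 20:00:12.307",
    },
    {   # constructed: a dropped DLL backdated to 2019 with whole-second precision
        "Image": r"C:\Users\bob\AppData\Local\Temp\setup.exe",
        "TargetFilename": r"C:\ProgramData\svc\agent.dll",
        "CreationUtcTime": "2019-03-18 09:12:00.000",
        "PreviousCreationUtcTime": "2022-07-28 14:18:25.221",
    },
    {   # constructed: creation time nudged forward by a few milliseconds
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetFilename": r"C:\Windows\Temp\cache.dat",
        "CreationUtcTime": "2022-07-28 14:18:25.300",
        "PreviousCreationUtcTime": "2022-07-28 14:18:25.221",
    },
]


def assess_all() -> list:
    """Verdict per sample event, in order."""
    return [assess_file_time_change(e)[0] for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["TargetFilename"], assess_file_time_change(ev))
```

When an event does score, the file_create_time and file_modify_time fields above are not enough on their own: pull the $STANDARD_INFORMATION and $FILE_NAME timestamps from the MFT, since most timestomping tools only rewrite the former.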

file_delete

Field Data Type Description Example
Computer string
ubuntu
EventID integer
23
Image string File path of the process that deleted the file
C:\users\user\Desktop\1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176.exe
Name string
"Microsoft-Windows-Sysmon"
ProcessName string
chrome.exe
TargetFilename string full path name of the file
C:\Windows\Prefetch\TASKKILL.EXE-ECD4FD3D.pf
Task integer
23
Type string
Information
User string Name of the account that deleted the file. It usually contains the domain name and user name
training1\bob
action string
deleted
id integer
1800
process_name string
systemd
user string
root
Archived string
true
Channel string
Microsoft-Windows-Sysmon/Operational
ComputerName string
SNAP-CuvR1hlG8s
EventChannel string
Linux-Sysmon/Operational
EventCode integer
23
EventData_Xml string
-2022-06-27 16:46:22.263{1c2ae9b7-c15b-62b0-65be-1cdc74550000}1root/usr/lib/systemd/systemd/run/systemd/generator/boot-efi.mount---
EventDescription string
FileDelete (File Delete archived)
EventRecordID integer
1800
Guid string
"{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"
Hashes string
MD5=1E94B11D0E6196DC6427E7FE43BFB1FC,SHA256=267FFAF2D833C7132514A326F3B4921FD0A10C10DA07E19BB68F417F7A949E6E,IMPHASH=00000000000000000000000000000000
IMPHASH string
00000000000000000000000000000000
IsExecutable string
true
Keywords string
None
Level integer
4
LogName string
Microsoft-Windows-Sysmon/Operational
MD5 string
1E94B11D0E6196DC6427E7FE43BFB1FC
Message string
File Delete:

RuleName: -

UtcTime: 2022-03-22 18:08:53.389

ProcessGuid: {b50c7a1e-1073-623a-3f02-000000002000}

ProcessId: 8328

User: SNAP-CUVR1HLG8S\user

Image: C:\users\user\Desktop\1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176.exe

TargetFilename: C:\Users\user\Desktop\SysinternalsSuite\Sysmon64.exe

Hashes: MD5=3CC92C9B0B56BE9BB7AC2E3C63D3F60F,SHA256=5422E288A3699E1560BF832C8DAABC65D78590B6D78C3BAA9F788DA67DEA049D,IMPHASH=30777134873A03E5D01D04EDE5BEC51E

IsExecutable: true

Archived: true
OpCode string
Info
Opcode integer
0
ProcessGuid string Process Guid of the process that deleted the file
{b50c7a1e-1073-623a-3f02-000000002000}
ProcessID string
"989"
ProcessId integer Process ID used by the OS to identify the process that deleted the file
8328
ProcessPath string
C:\Program Files\Google\Chrome\Application\
RecordID integer
118350
RecordNumber integer
39578
RuleName string Custom tag attached to the event by the matching Sysmon rule, e.g. an ATT&CK technique ID
-
SHA1 string
SHA256 string
267FFAF2D833C7132514A326F3B4921FD0A10C10DA07E19BB68F417F7A949E6E
Sid string
S-1-5-18
SidType integer
0
SigmaEventCode integer
23
SourceName string
Microsoft-Windows-Sysmon
SystemTime string
'2022-07-28 14:45:30.427918 UTC'
System_Props_Xml string
        23    5    4    23    0    0x8000000000000000            28014                    Microsoft-Windows-Sysmon/Operational    EC2AMAZ-1CL0VOR        
TaskCategory string
File Delete (rule: FileDelete)
ThreadID string
"989"
TimeCreated string
2022-06-28T15:06:40.211846000Z
UserID string
"S-1-5-18"
UserId string
"0"
UtcTime string Time in UTC when event was created
2022-07-28 14:18:03.610
Version integer
5
dest string
ubuntu
dvc_nt_host string
training1_863ebc76-4615-40a1-bf8b-665d8fd38884
event_id integer
1800
extracted_EventType integer
4
file_hash string
MD5=1E94B11D0E6196DC6427E7FE43BFB1FC,SHA256=267FFAF2D833C7132514A326F3B4921FD0A10C10DA07E19BB68F417F7A949E6E,IMPHASH=00000000000000000000000000000000
file_modify_time string
2022-07-28 14:18:03.610
file_name string
TASKKILL.EXE-ECD4FD3D.pf
file_path string
C:\Windows\Prefetch\TASKKILL.EXE-ECD4FD3D.pf
object_category string
file
process_exec string
systemd
process_guid string
{1c2ae9b7-c15b-62b0-65be-1cdc74550000}
process_id integer
8228
process_path string
C:\Program Files\Google\Chrome\Application\chrome.exe
sigma_category string
file_delete
sigma_product string
windows
sigma_service string
sysmon
signature string
FileDelete (File Delete archived)
signature_id integer
23
timeendpos integer
914
timestartpos integer
891
user_id string
"S-1-5-18"
vendor_product string
Microsoft Sysmon

file_delete_logged

Field Data Type Description Example
Image string File path of the process that deleted the file
C:\Windows\System32\poqexec.exe
ImageLoaded string full path of the image loaded
C:\Windows\SysWOW64\advapi32.dll
ProcessName string
poqexec.exe
TargetFilename string full path name of the file
TargetObject string
HKCR
Company string
Microsoft Corporation
FileVersion string
10.0.20348.469 (WinBuild.160101.0800)
Hashes string Hashes of the deleted file, computed with the algorithms configured in Sysmon's HashAlgorithms setting
IMPHASH string
955E66E304B6220AAFAC380689F12689
MD5 string
0701AABA3DE1DFFC5385B2932BA0777E
ProcessGuid string Process Guid of the process that deleted the file
ProcessId integer Process ID used by the OS to identify the process that deleted the file
ProcessPath string
C:\Windows\System32\
Product string
Microsoft® Windows® Operating System
RuleName string Custom tag attached to the event by the matching Sysmon rule, e.g. an ATT&CK technique ID
SHA1 string
8E96143B484920A932DF0397A6E147AE1FDB01B0
SHA256 string
A889672C0E63ADB99F4301DD3FB2E87B5F0C2F540B37223EEB35EA590942E824
SigmaEventCode string
N/A
UtcTime date Time in UTC when event was created
dvc_nt_host string
Win2022-AD
registry_path string
HKCR
sigma_product string
windows
sigma_service string
sysmon
vendor_product string
Microsoft Sysmon

file_event

Field Data Type Description Example
Computer string
ubuntu
EventID integer
11
Image string File path of the process that created the file
C:\users\user\Desktop\1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176.exe
Name string
"Microsoft-Windows-Sysmon"
ProcessName string
chrome.exe
TargetFilename string
C:\WindowsAzure\Logs\AggregateStatus\aggregatestatus.json
Task integer
11
Type string
Information
User string Name of the account that created the file. It usually contains the domain name and user name
training1\bob
action string
created
id integer
28424
process_name string
hljdlxxtkx
user string
root
Channel string
Microsoft-Windows-Sysmon/Operational
ComputerName string
SNAP-CuvR1hlG8s
CreationUtcTime string
2022-07-26 13:36:29.461
EventChannel string
Linux-Sysmon/Operational
EventCode integer
11
EventData_Xml string
-2022-07-14 16:55:13.387{ec24d3ab-49a4-62d0-ad1d-7a7d8e550000}3684/opt/microsoft/powershell/7/pwsh/home/ubuntu/capattack/.activesession2022-07-14 16:55:13.387root
EventDescription string
FileCreate
EventRecordID integer
573
Guid string
"{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"
Keywords string
None
Level integer
4
LogName string
Microsoft-Windows-Sysmon/Operational
Message string
File created:

RuleName: -

UtcTime: 2022-03-22 18:08:53.389

ProcessGuid: {b50c7a1e-1073-623a-3f02-000000002000}

ProcessId: 8328

Image: C:\users\user\Desktop\1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176.exe

TargetFilename: C:\Sysmon\3CC92C9B0B56BE9BB7AC2E3C63D3F60F5422E288A3699E1560BF832C8DAABC65D78590B6D78C3BAA9F788DA67DEA049D30777134873A03E5D01D04EDE5BEC51E.exe

CreationUtcTime: 2022-03-22 18:08:53.389
OpCode string
Info
Opcode integer
0
ProcessGuid string Process Guid of the process that created the file
{b50c7a1e-1073-623a-3f02-000000002000}
ProcessID string
"998"
ProcessId integer Process ID used by the OS to identify the process that created the file
8328
ProcessPath string
C:\Program Files\Google\Chrome\Application\
RecordID integer
573
RecordNumber integer
39577
RuleName string Custom tag attached to the event by the matching Sysmon rule, e.g. an ATT&CK technique ID
-
Sid string
S-1-5-18
SidType integer
0
SigmaEventCode integer
11
SourceName string
Microsoft-Windows-Sysmon
SystemTime string
'2022-07-28 14:45:54.469641 UTC'
System_Props_Xml string
        11    2    4    11    0    0x8000000000000000            28424                    Microsoft-Windows-Sysmon/Operational    EC2AMAZ-1CL0VOR        
TaskCategory string
File created (rule: FileCreate)
ThreadID string
"998"
TimeCreated string
2022-07-14T16:55:13.381297000Z
UserID string
"S-1-5-18"
UserId string
"0"
UtcTime string Time in UTC when event was created
2022-07-28 14:18:15.376
Version integer
2
dest string
ubuntu
dvc_nt_host string
training1_863ebc76-4615-40a1-bf8b-665d8fd38884
event_id integer
28424
extracted_EventType integer
4
file_create_time string
2022-07-26 13:36:29.461
file_name string
LOG
file_path string
C:\WindowsAzure\Logs\AggregateStatus\aggregatestatus.json
object_category string
file
process_exec string
hljdlxxtkx
process_guid string
{1c2ae9b7-fd26-6290-64ed-c30000000000}
process_id integer
8228
process_path string
C:\Program Files\Google\Chrome\Application\chrome.exe
sigma_category string
file_event
sigma_product string
windows
sigma_service string
sysmon
signature string
FileCreate
signature_id integer
11
timeendpos integer
914
timestartpos integer
891
user_id string
"S-1-5-18"
vendor_product string
Microsoft Sysmon
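
The Message examples in the file_delete and file_event sections are two halves of one action: the FileDelete record (Archived: true) for Sysmon64.exe carries MD5, SHA256 and IMPHASH, and the FileCreate record from the same process at the same second shows Sysmon writing C:\Sysmon\<MD5><SHA256><IMPHASH>.exe, the archived copy named by concatenating those three digests and keeping the original extension. The Python below is an added example, not code from this page or from Sysmon: it derives the archive path from an Event 23 and matches it to the Event 11 that recorded the copy. Both sample records are taken from those Message examples; the second FileCreate record is constructed as a non-matching control, and the archive directory defaults to C:\Sysmon as on this page (it is set by Sysmon's ArchiveDirectory option, and the directory is ACL'd so that only SYSTEM can read it).

```python
import ntpath


def parse_hashes(hashes: str) -> dict:
    """Split Sysmon's 'MD5=..,SHA256=..,IMPHASH=..' string into {ALGO: DIGEST}."""
    out = {}
    for part in hashes.split(","):
        algo, sep, digest = part.partition("=")
        if sep:
            out[algo.strip().upper()] = digest.strip().upper()
    return out


def archived_copy_path(delete_ev: dict, archive_dir: str = r"C:\Sysmon"):
    """For an Event 23 with Archived=true, the path Sysmon wrote the copy to:
    <ArchiveDirectory>\\<MD5><SHA256><IMPHASH><original extension>. None otherwise."""
    if delete_ev.get("Archived", "").lower() != "true":
        return None
    h = parse_hashes(delete_ev["Hashes"])
    ext = ntpath.splitext(delete_ev["TargetFilename"])[1]
    return ntpath.join(archive_dir, h["MD5"] + h["SHA256"] + h["IMPHASH"] + ext)


def find_archive_create(delete_ev: dict, create_events: list):
    """Return the Event 11 that recorded the archive copy being written, or None."""
    expected = archived_copy_path(delete_ev)
    if expected is None:
        return None
    for ev in create_events:
        if (ev["TargetFilename"].lower() == expected.lower()
                and ev.get("ProcessGuid") == delete_ev.get("ProcessGuid")):
            return ev
    return None


DELETE_EVENT = {  # Event 23 from the Message example in the file_delete section
    "ProcessGuid": "{b50c7a1e-1073-623a-3f02-000000002000}",
    "Image": r"C:\users\user\Desktop\1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176.exe",
    "TargetFilename": r"C:\Users\user\Desktop\SysinternalsSuite\Sysmon64.exe",
    "Hashes": "MD5=3CC92C9B0B56BE9BB7AC2E3C63D3F60F,"
              "SHA256=5422E288A3699E1560BF832C8DAABC65D78590B6D78C3BAA9F788DA67DEA049D,"
              "IMPHASH=30777134873A03E5D01D04EDE5BEC51E",
    "IsExecutable": "true",
    "Archived": "true",
}

CREATE_EVENTS = [
    {   # Event 11 from the Message example in the file_event section
        "ProcessGuid": "{b50c7a1e-1073-623a-3f02-000000002000}",
        "Image": r"C:\users\user\Desktop\1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176.exe",
        "TargetFilename": r"C:\Sysmon\3CC92C9B0B56BE9BB7AC2E3C63D3F60F5422E288A3699E1560BF832C8DAABC65D78590B6D78C3BAA9F788DA67DEA049D30777134873A03E5D01D04EDE5BEC51E.exe",
    },
    {   # constructed control: unrelated create from another process
        "ProcessGuid": "{b50c7a1e-90df-6216-970a-000000002000}",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "TargetFilename": r"C:\Users\user\Downloads\HxDPortableSetup.zip",
    },
]


def recover_deleted_copy() -> dict:
    """Where to fetch the deleted Sysmon64.exe from, and which Event 11 confirms the copy."""
    match = find_archive_create(DELETE_EVENT, CREATE_EVENTS)
    return {"archive_path": archived_copy_path(DELETE_EVENT),
            "confirmed": match is not None,
            "deleted_by": ntpath.basename(DELETE_EVENT["Image"])}


if __name__ == "__main__":
    print(recover_deleted_copy())
```

The deleting process in this pair is an executable named by its own SHA256 on the user's Desktop removing Sysmon64.exe, which is the classic defense-evasion pattern the archive exists for: the binary is gone from the Desktop, but its copy under C:\Sysmon can be pulled with psexec -s for analysis.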

image_load

Field Data Type Description Example
Computer string
training1
EventID integer
7
Image string File path of the process that loaded the image
C:\Windows\System32\svchost.exe
ImageLoaded string full path of the image loaded
C:\Windows\System32\dcntel.dll
Name string
"Microsoft-Windows-Sysmon"
OriginalFileName string original file name
LOGONCLI.DLL
ProcessName string
svchost.exe
Task integer
7
Type string
Information
User string Name of the account that loaded the image.
training1\bob
action string
success
id integer
28061
os string
Microsoft Windows
process_name string
ffmpeg.exe
user string
bob
Channel string
Microsoft-Windows-Sysmon/Operational
Company string Company name the image loaded belongs to
Microsoft Corporation
ComputerName string
SNAP-CuvR1hlG8s
Description string Description of the image loaded
Microsoft Windows Telemetry Utils
EventCode integer
7
EventData_Xml string
-    2022-07-28 14:45:31.308    09661227-A10B-62E2-3B0A-00000000BB01    12800    C:\Windows\capattack\lib\keylogger.exe    C:\Windows\capattack\lib\keylogger.exe    -    -    -    -    -    MD5=24F943AF5AB0686A8C0583BDBD6A62DC,SHA256=9A4C2DF1612DEA5344C32140774D4C195914BE2502A87D69707A533150B2380B,IMPHASH=94984869E1C4B93C0069850D9E3B564B    false    -    Unavailable    EC2AMAZ-1CL0VOR\user
EventDescription string
Image loaded
EventRecordID integer
28061
FileVersion string Version of the image loaded
10.0.19041.546 (WinBuild.160101.0800)
Guid string
"5770385F-C22A-43E0-BF4C-06F5698FFBD9"
Hashes string Full hashes of the file, computed with the algorithms listed in the HashType field
MD5=BB241519EA9999149A097405234021B1,SHA256=A7B525EBD662D4007CD8AD9FBA2B5C56C3B47F51AD04A0A3E1A2698EC9123324,IMPHASH=7AA08375DD9BA0155C26E3F85DE8C65C
IMPHASH string
7AA08375DD9BA0155C26E3F85DE8C65C
Keywords string
None
Level integer
4
LogName string
Microsoft-Windows-Sysmon/Operational
MD5 string
BB241519EA9999149A097405234021B1
Message string
Image loaded:

RuleName: -

UtcTime: 2022-03-22 18:08:48.561

ProcessGuid: {b50c7a1e-0f0e-623a-3c00-000000002000}

ProcessId: 2364

Image: C:\Windows\System32\svchost.exe

ImageLoaded: C:\Windows\System32\shell32.dll

FileVersion: 10.0.19041.610 (WinBuild.160101.0800)

Description: Windows Shell Common Dll

Product: Microsoft® Windows® Operating System

Company: Microsoft Corporation

OriginalFileName: SHELL32.DLL

Hashes: MD5=ADCE66E49C5B574AA0501CE13879BE8E,SHA256=566A8BCBDFA0A6074DDB2169F747639FBCF12D9B390A7A5E0DD6BB53D9AEEF5B,IMPHASH=A5FD27DF8EB3A4F110C1225B62481CEE

Signed: true

Signature: Microsoft Windows

SignatureStatus: Valid
OpCode string
Info
Opcode integer
0
ProcessGuid string Process Guid of the process that loaded the image
{b50c7a1e-0f0e-623a-3c00-000000002000}
ProcessID string
"3092"
ProcessId integer Process ID used by the os to identify the process that loaded the image
8488
ProcessPath string
C:\Users\bob\Desktop\capattack\lib\
Product string Product name the image loaded belongs to
Microsoft® Windows® Operating System
RecordNumber integer
39242
RuleName string Custom tag mapped to the event, e.g. an ATT&CK technique ID
-
SHA1 string
SHA256 string
A7B525EBD662D4007CD8AD9FBA2B5C56C3B47F51AD04A0A3E1A2698EC9123324
Sid string
S-1-5-18
SidType integer
0
SigmaEventCode integer
7
Signature string The signer
Microsoft Windows
SignatureStatus string Status of the signature (e.g. Valid)
Valid
Signed string Whether the loaded image is signed
true
SourceName string
Microsoft-Windows-Sysmon
SystemTime string
'2022-07-28 14:45:31.308490 UTC'
System_Props_Xml string
        7    3    4    7    0    0x8000000000000000            28061                    Microsoft-Windows-Sysmon/Operational    EC2AMAZ-1CL0VOR        
TaskCategory string
Image loaded (rule: ImageLoad)
ThreadID string
"3688"
UserID string
"S-1-5-18"
UtcTime string Time in UTC when event was created
2022-07-28 14:14:24.249
Version integer
3
dest string
training1
dvc_nt_host string
training1_0d376ebb-d0c3-4978-8539-d25ad9e52a1e
event_id integer
28061
extracted_EventType integer
4
parent_process_exec string
keylogger.exe
parent_process_guid string
09661227-A10B-62E2-3C0A-00000000BB01
parent_process_id integer
8488
parent_process_name string
keylogger.exe
parent_process_path string
C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\Calculator.exe
process_exec string
ffmpeg.exe
process_hash string
MD5=BB241519EA9999149A097405234021B1,SHA256=A7B525EBD662D4007CD8AD9FBA2B5C56C3B47F51AD04A0A3E1A2698EC9123324,IMPHASH=7AA08375DD9BA0155C26E3F85DE8C65C
process_path string
C:\Users\bob\Desktop\capattack\lib\ffmpeg.exe
service_dll_signature_exists string
false
service_dll_signature_verified string
false
sigma_category string
image_load
sigma_product string
windows
sigma_service string
sysmon
signature string
Image loaded
signature_id integer
7
timeendpos integer
912
timestartpos integer
889
user_id string
"S-1-5-18"
vendor_product string
Microsoft Sysmon

network_connection

Field Data Type Description Example
Computer string
ubuntu
EventID integer
3
Image string File path of the process that made the network connection
C:\Windows\System32\svchost.exe
Name string
"Microsoft-Windows-Sysmon"
ProcessName string
svchost.exe
Task integer
3
Type string
Information
User string Name of the account that made the network connection. It usually contains the domain name and user name
systemd-resolve
action string
allowed
app string
C:\Windows\System32\svchost.exe
id integer
28174
process_name string
systemd-resolved
user string
systemd-resolve
Channel string
Microsoft-Windows-Sysmon/Operational
ComputerName string
SNAP-CuvR1hlG8s
DestinationHostname string name of the host that received the network connection
-
DestinationIp string ip address destination
169.254.169.254
DestinationIsIpv6 string Whether the destination IP is an IPv6 address
false
DestinationPort integer destination port number
53
DestinationPortName string name of the destination port
https
EventChannel string
Linux-Sysmon/Operational
EventCode integer
3
EventData_Xml string
-2022-06-27 16:48:31.764{1c2ae9b7-ed5a-62b1-9103-c4c102560000}6349/usr/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-45030-
EventDescription string
Network connection
EventRecordID integer
28174
Guid string
"{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"
Initiated string Indicates whether the process initiated the TCP connection
true
Keywords string
None
Level integer
4
LogName string
Microsoft-Windows-Sysmon/Operational
Message string
Network connection detected:

RuleName: -

UtcTime: 2022-03-22 18:06:32.194

ProcessGuid: {b50c7a1e-0f10-623a-4800-000000002000}

ProcessId: 2720

Image: C:\Windows\System32\svchost.exe

User: NT AUTHORITY\SYSTEM

Protocol: tcp

Initiated: true

SourceIsIpv6: false

SourceIp: 10.1.2.26

SourceHostname: SNAP-CuvR1hlG8s.ec2.internal

SourcePort: 49821

SourcePortName: -

DestinationIsIpv6: false

DestinationIp: 20.189.173.7

DestinationHostname: -

DestinationPort: 443

DestinationPortName: https
OpCode string
Info
Opcode integer
0
ProcessGuid string Process Guid of the process that made the network connection
{b50c7a1e-0f10-623a-4800-000000002000}
ProcessID string
"989"
ProcessId integer Process ID used by the os to identify the process that made the network connection
6349
ProcessPath string
C:\Windows\System32\
Protocol string Protocol being used for the network connection
udp
RecordID integer
118547
RecordNumber integer
28174
RuleName string Custom tag mapped to the event, e.g. an ATT&CK technique ID
-
Sid string
S-1-5-18
SidType integer
0
SigmaEventCode integer
3
SourceHostname string name of the host that made the network connection
training1.yh1rsm5jnotebdge05l5szvmza.bx.internal.cloudapp.net
SourceIp string source ip address that made the network connection
10.4.0.9
SourceIsIpv6 string Whether the source IP is an IPv6 address
false
SourceName string
Microsoft-Windows-Sysmon
SourcePort integer source port number
5353
SourcePortName string Name of the source port being used (e.g. netbios-dgm)
-
SystemTime string
'2022-07-28 14:45:34.051375 UTC'
System_Props_Xml string
        3    5    4    3    0    0x8000000000000000            28174                    Microsoft-Windows-Sysmon/Operational    EC2AMAZ-1CL0VOR        
TaskCategory string
Network connection detected (rule: NetworkConnect)
ThreadID string
"989"
TimeCreated string
2022-06-28T15:08:49.713425000Z
UserID string
"S-1-5-18"
UserId string
"0"
UtcTime string Time in UTC when event was created
2022-07-28 14:18:15.087
Version integer
5
creation_time string
2022-07-28 14:18:15.087
dest string
168.63.129.16
dest_ip string
168.63.129.16
dest_port integer
53
direction string
outbound
dvc string
ubuntu
dvc_ip string
10.4.0.9
dvc_nt_host string
training1_863ebc76-4615-40a1-bf8b-665d8fd38884
event_id integer
28174
extracted_EventType integer
4
process_exec string
systemd-resolved
process_guid string
{1c2ae9b7-ed5a-62b1-9103-c4c102560000}
process_id integer
6349
protocol string
ip
protocol_version string
ipv4
sigma_category string
network_connection
sigma_product string
windows
sigma_service string
sysmon
signature string
Network connection
signature_id integer
3
src string
training1.yh1rsm5jnotebdge05l5szvmza.bx.internal.cloudapp.net
src_host string
training1.yh1rsm5jnotebdge05l5szvmza.bx.internal.cloudapp.net
src_ip string
10.4.0.9
src_port integer
5353
state string
established
timeendpos integer
912
timestartpos integer
889
transport string
udp
transport_dest_port string
udp/53
user_id string
"S-1-5-18"
vendor_product string
Microsoft Sysmon

pipe_connected

Field Data Type Description Example
Computer string
training1
EventID integer
18
Image string File path of the process being spawned/created. Considered also the child or source process
C:\WINDOWS\system32\wbem\wmiprvse.exe
Name string
"Microsoft-Windows-Sysmon"
ProcessName string
wmiprvse.exe
Task integer
18
Type string
Information
User string Name of the account that created the process (child). It usually contains the domain name and user name (parsed to show only the username without the domain)
training1\bob
action string
allowed
id integer
28029
os string
Microsoft Windows
process_name string
chrome.exe
user string
bob
Channel string
Microsoft-Windows-Sysmon/Operational
ComputerName string
SNAP-CuvR1hlG8s
EventCode integer
18
EventData_Xml string
-    ConnectPipe    2022-07-28 14:45:31.088    09661227-A0A4-62E2-8001-00000000BB01    3044        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    EC2AMAZ-1CL0VOR\user
EventDescription string
PipeEvent (Pipe Connected)
EventRecordID integer
28029
EventType string
Guid string
"5770385F-C22A-43E0-BF4C-06F5698FFBD9"
Keywords string
None
Level integer
4
LogName string
Microsoft-Windows-Sysmon/Operational
Message string
Pipe Connected:

RuleName: -

EventType: ConnectPipe

UtcTime: 2022-03-22 18:08:45.764

ProcessGuid: {b50c7a1e-0f10-623a-5400-000000002000}

ProcessId: 3388

PipeName: \lsass

Image: C:\WINDOWS\system32\wbem\wmiprvse.exe
OpCode string
Info
Opcode integer
0
PipeName string
\lsass
ProcessGuid string Process Guid of the process that got spawned/created (child)
{b50c7a1e-0f10-623a-5400-000000002000}
ProcessID string
"3112"
ProcessId integer Process ID used by the os to identify the created process (child)
8228
ProcessPath string
C:\Program Files\Google\Chrome\Application\
RecordNumber integer
39275
RuleName string Custom tag mapped to the event, e.g. an ATT&CK technique ID
-
Sid string
S-1-5-18
SidType integer
0
SigmaEventCode integer
18
SourceName string
Microsoft-Windows-Sysmon
SystemTime string
'2022-07-28 14:45:31.065937 UTC'
System_Props_Xml string
        18    1    4    18    0    0x8000000000000000            28029                    Microsoft-Windows-Sysmon/Operational    EC2AMAZ-1CL0VOR        
TaskCategory string
Pipe Connected (rule: PipeEvent)
ThreadID string
"3780"
UserID string
"S-1-5-18"
UtcTime string Time in UTC when event was created
2022-07-28 14:18:07.982
Version integer
1
dest string
training1
dvc_nt_host string
training1_863ebc76-4615-40a1-bf8b-665d8fd38884
event_id integer
28029
extracted_EventType string
ConnectPipe
pipe_name string
\crashpad_8228_RFLNGEHNSHCZHKMW
process_exec string
chrome.exe
process_guid string
501694F9-9A94-62E2-6806-000000000700
process_id integer
8228
process_path string
C:\Program Files\Google\Chrome\Application\chrome.exe
severity_id string
ConnectPipe
sigma_category string
pipe_connected
sigma_product string
windows
sigma_service string
sysmon
signature string
PipeEvent (Pipe Connected)
signature_id integer
18
timeendpos integer
959
timestartpos integer
936
user_id string
"S-1-5-18"
vendor_product string
Microsoft Sysmon

pipe_created

Field Data Type Description Example
Computer string
training1
EventID integer
17
Image string File path of the process that connected the pipe
C:\Program Files\Wireshark\tshark.exe
Name string
"Microsoft-Windows-Sysmon"
ProcessName string
tshark.exe
Task integer
17
Type string
Information
User string Name of the account that loaded the image.
training1\bob
action string
allowed
id integer
28028
os string
Microsoft Windows
process_name string
tshark.exe
user string
bob
Channel string
Microsoft-Windows-Sysmon/Operational
ComputerName string
NIH-2UKkeAsXtb5
EventCode integer
17
EventData_Xml string
-    CreatePipe    2022-07-28 14:45:31.088    09661227-A0A4-62E2-8001-00000000BB01    3044        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    EC2AMAZ-1CL0VOR\user
EventDescription string
PipeEvent (Pipe Created)
EventRecordID integer
28028
EventType string TBD
Guid string
"5770385F-C22A-43E0-BF4C-06F5698FFBD9"
Keywords string
None
Level integer
4
LogName string
Microsoft-Windows-Sysmon/Operational
Message string
Pipe Created:
RuleName: -
EventType: CreatePipe
UtcTime: 2022-02-23 19:58:14.592
ProcessGuid: {b50c7a1e-91c3-6216-fc0a-000000002000}
ProcessId: 7736
PipeName: \mojo.7736.5128.5821496115006871816
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
OpCode string
Info
Opcode integer
0
PipeName string Name of the pipe connected
\crashpad_8228_RFLNGEHNSHCZHKMW
ProcessGuid string Process Guid of the process that connected the pipe
{b50c7a1e-91c3-6216-fc0a-000000002000}
ProcessID string
"3112"
ProcessId integer Process ID used by the os to identify the process that connected the pipe
8228
ProcessPath string
C:\Program Files\Wireshark\
RecordNumber integer
77546
RuleName string Custom tag mapped to the event, e.g. an ATT&CK technique ID
-
Sid string
S-1-5-18
SidType integer
0
SigmaEventCode integer
17
SourceName string
Microsoft-Windows-Sysmon
SystemTime string
'2022-07-28 14:45:31.065906 UTC'
System_Props_Xml string
        17    1    4    17    0    0x8000000000000000            28028                    Microsoft-Windows-Sysmon/Operational    EC2AMAZ-1CL0VOR        
TaskCategory string
Pipe Created (rule: PipeEvent)
ThreadID string
"3780"
UserID string
"S-1-5-18"
UtcTime date Time in UTC when event was created
UtcTime string Time in UTC when event was created
2022-07-28 14:18:07.982
Version integer
1
dest string
training1
dvc_nt_host string
training1_863ebc76-4615-40a1-bf8b-665d8fd38884
event_id integer
28028
extracted_EventType string
CreatePipe
pipe_name string
\crashpad_8228_RFLNGEHNSHCZHKMW
process_exec string
tshark.exe
process_guid string
501694F9-9A94-62E2-6806-000000000700
process_id integer
8228
process_path string
C:\Program Files\Wireshark\tshark.exe
severity_id string
CreatePipe
sigma_category string
pipe_created
sigma_product string
windows
sigma_service string
sysmon
signature string
PipeEvent (Pipe Created)
signature_id integer
17
timeendpos integer
958
timestartpos integer
935
user_id string
"S-1-5-18"
vendor_product string
Microsoft Sysmon

process_access

Field Data Type Description Example
Computer string
sysmonlinux-ctus-attack-range-5501
EventID integer
10
Name string
"Microsoft-Windows-Sysmon"
ProcessName string
wmiprvse.exe
Task integer
10
Type string
Information
User string Name of the account that created the process (child). It usually contains the domain name and user name (parsed to show only the username without the domain)
NOT_TRANSLATED
action string
allowed
id integer
28576
os string
Microsoft Windows
process_name string
conhost.exe
user string
user
CallTrace string
C:\Windows\SYSTEM32\ntdll.dll+9feb4
Channel string
Microsoft-Windows-Sysmon/Operational
ComputerName string
SNAP-CuvR1hlG8s
EventChannel string
Linux-Sysmon/Operational
EventCode integer
10
EventData_Xml string
-2022-04-04 14:16:15.015{ec21797c-fdaf-624a-681c-28f1b1550000}65436543/usr/bin/strace{ec21797c-fdaf-624a-0000-000000000000}6544-0x0-ubuntuubuntu
EventDescription string
ProcessAccess
EventRecordID integer
28576
GrantedAccess string
0x1410
Guid string
"{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"
Keywords string
None
Level integer
4
LogName string
Microsoft-Windows-Sysmon/Operational
Message string
Process accessed:

RuleName: whitelist

UtcTime: 2022-03-22 18:08:45.748

SourceProcessGUID: {b50c7a1e-0f0d-623a-1200-000000002000}

SourceProcessId: 960

SourceThreadId: 992

SourceImage: C:\WINDOWS\system32\svchost.exe

TargetProcessGUID: {b50c7a1e-0f10-623a-5400-000000002000}

TargetProcessId: 3388

TargetImage: C:\WINDOWS\system32\wbem\wmiprvse.exe

GrantedAccess: 0x1000

CallTrace: C:\WINDOWS\SYSTEM32\ntdll.dll+9c264
OpCode string
Info
Opcode integer
0
ProcessID string
"4585"
ProcessId integer Process ID used by the os to identify the created process (child)
960
ProcessPath string
C:\Windows\system32\wbem\
RecordID integer
247795
RecordNumber integer
39597
RuleName string Custom tag mapped to the event, e.g. an ATT&CK technique ID
whitelist
Sid string
S-1-5-18
SidType integer
0
SigmaEventCode integer
10
SourceImage string
C:\Windows\system32\wbem\wmiprvse.exe
SourceName string
Microsoft-Windows-Sysmon
SourceProcessGUID string
{ec21797c-fdaf-624a-681c-28f1b1550000}
SourceProcessGuid string
SourceProcessId integer
960
SourceThreadId integer
992
SourceUser string
ubuntu
SystemTime string
'2022-07-28 14:46:07.000493 UTC'
System_Props_Xml string
        10    3    4    10    0    0x8000000000000000            28576                    Microsoft-Windows-Sysmon/Operational    EC2AMAZ-1CL0VOR        
TargetImage string
C:\Windows\system32\conhost.exe
TargetProcessGUID string
{ec21797c-fdaf-624a-0000-000000000000}
TargetProcessGuid string
TargetProcessId integer
6544
TargetUser string
ubuntu
TaskCategory string
Process accessed (rule: ProcessAccess)
ThreadID string
"4585"
TimeCreated string
2022-04-04T14:16:15.011963000Z
UserID string
"S-1-5-18"
UserId string
"0"
UtcTime string Time in UTC when event was created
2022-07-28 14:46:07.056
Version integer
3
dest string
sysmonlinux-ctus-attack-range-5501
dvc string
sysmonlinux-ctus-attack-range-5501
dvc_nt_host string
EC2AMAZ-1CL0VOR_d870c861-2aac-445a-bf7d-c5bd479a058c
event_id integer
28576
extracted_EventType integer
4
granted_access string
0x1410
parent_process_exec string
wmiprvse.exe
parent_process_guid string
{ec21797c-fdaf-624a-681c-28f1b1550000}
parent_process_id integer
6543
parent_process_name string
wmiprvse.exe
parent_process_path string
C:\Windows\system32\wbem\wmiprvse.exe
process_exec string
conhost.exe
process_guid string
{ec21797c-fdaf-624a-0000-000000000000}
process_id integer
6544
process_path string
C:\Windows\system32\conhost.exe
sigma_category string
process_access
sigma_product string
windows
sigma_service string
sysmon
signature string
ProcessAccess
signature_id integer
10
timeendpos integer
921
timestartpos integer
898
user_id string
"S-1-5-18"
vendor_product string
Microsoft Sysmon

process_creation

Field Data Type Description Example
CommandLine string Arguments which were passed to the executable associated with the main process
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Computer string
training1
EventID integer
1
Image string File path of the process being spawned/created. Considered also the child or source process
C:\Windows\System32\conhost.exe
Name string
"Microsoft-Windows-Sysmon"
OriginalFileName string original file name
CONHOST.EXE
ParentCommandLine string Arguments which were passed to the executable associated with the parent process
C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
ParentImage string File path that spawned/created the main process
C:\Windows\System32\svchost.exe
ParentProcessName string
svchost.exe
ProcessName string
conhost.exe
TargetFilename string
/tmp/hsperfdata_root/4525
Task integer
1
Type string
Information
User string Name of the account that created the process (child). It usually contains the domain name and user name (parsed to show only the username without the domain)
training1\bob
action string
allowed
id integer
2196
os string
Microsoft Windows
process string
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
process_name string
dash
user string
root
Channel string
Microsoft-Windows-Sysmon/Operational
Company string Company name the image associated with the main process (child) belongs to
Microsoft Corporation
ComputerName string
SNAP-CuvR1hlG8s
CreationUtcTime string
2022-07-14 16:55:30.225
CurrentDirectory string Path of the image associated with the process, without the image file name
C:\Windows\system32\
Description string Description of the image associated with the main process (child)
Console Window Host
EventChannel string
Linux-Sysmon/Operational
EventCode integer
1
EventData_Xml string
-2022-07-14 16:56:14.934{ec24d3ab-4aae-62d0-f5f7-6416db550000}4579/usr/bin/dash-----/bin/sh -c xprop -id $(xprop -root
EventDescription string
Process creation
EventRecordID integer
806
FileVersion string Version of the image associated with the main process (child)
103.0.5060.134
Guid string
"{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"
Hashes string Hashes captured by the Sysmon driver
MD5=54042EE229F73413B52E1DCFCC9CD4E4,SHA256=342A81B814D3715178BFCFEA4F10F0AD37C975C207964C0E4BB9913AF2F93629,IMPHASH=6B4443349D1BF3B7F64F196B03E28222
IMPHASH string
AFFE8C3BE3BBE4F0AC2EF124256F372D
IntegrityLevel string Integrity label assigned to a process
no level
Keywords string
None
Level integer
4
LogName string
Microsoft-Windows-Sysmon/Operational
LogonGuid string Logon GUID of the user who created the new process. Value that can help you correlate this event with others that contain the same Logon GUID (Sysmon Events)
{ec24d3ab-0000-0000-0000-000001000000}
LogonId string Login ID of the user who created the new process. Value that can help you correlate this event with others that contain the same Logon ID
0x3E7
MD5 string
54042EE229F73413B52E1DCFCC9CD4E4
Message string
Process Create:

RuleName: -

UtcTime: 2022-03-22 18:08:21.452

ProcessGuid: {b50c7a1e-1095-623a-4202-000000002000}

ProcessId: 7544

Image: C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.155.85\MicrosoftEdgeUpdateComRegisterShell64.exe

FileVersion: 1.3.155.85

Description: Microsoft Edge Update COM Registration Helper

Product: Microsoft Edge Update

Company: Microsoft Corporation

OriginalFileName: MicrosoftEdgeUpdateComRegisterShell64.exe

CommandLine: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.155.85\MicrosoftEdgeUpdateComRegisterShell64.exe"

CurrentDirectory: C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.155.85\

User: NT AUTHORITY\SYSTEM

LogonGuid: {b50c7a1e-0f0c-623a-e703-000000000000}

LogonId: 0x3E7

TerminalSessionId: 0

IntegrityLevel: System

Hashes: MD5=B59A18CFE2F995542339AF4E50690A89,SHA256=7F47E7ECF8042976352BD161DD74A75AEC38223D63FEF6A01FB1AA1463C184C0,IMPHASH=B7765AC6E7797B3D4568B5E0BF18E9D6

ParentProcessGuid: {b50c7a1e-106c-623a-3e02-000000002000}

ParentProcessId: 3984

ParentImage: C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

ParentCommandLine: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
OpCode string
Info
Opcode integer
0
ParentProcessGuid string ProcessGUID of the process that spawned/created the main process (child)
{b50c7a1e-0f0d-623a-0e00-000000002000}
ParentProcessId integer Process ID of the process that spawned/created the main process (child)
8228
ParentProcessPath string
C:\Windows\System32\WindowsPowerShell\v1.0\
ParentUser string Name of the account who created the process that spawned/created the main process (child)
training1\bob
ProcessGuid string Process Guid of the process that got spawned/created (child)
{ec24d3ab-4aae-62d0-3556-46df4a560000}
ProcessID string
"4271"
ProcessId integer Process ID used by the os to identify the created process (child)
4429
ProcessPath string
C:\Windows\System32\
Product string Product name the image associated with the main process (child) belongs to
Microsoft® Windows® Operating System
RecordID integer
806
RecordNumber integer
36627
RuleName string Custom tag mapped to the event, e.g. an ATT&CK technique ID
-
SHA1 string
SHA256 string
57B0CCD3AEBC6C7126E7C19F5DAC492DF51D904A505C5F5B0CB02270D53F8684
Sid string
S-1-5-18
SidType integer
0
SigmaEventCode integer
1
SourceName string
Microsoft-Windows-Sysmon
SystemTime string
'2022-07-28 14:45:40.409332 UTC'
System_Props_Xml string
        1    5    4    1    0    0x8000000000000000            28236                    Microsoft-Windows-Sysmon/Operational    EC2AMAZ-1CL0VOR        
TaskCategory string
Process Create (rule: ProcessCreate)
TerminalSessionId integer ID of the session the user belongs to
3
ThreadID string
"4271"
TimeCreated string
2022-07-14T16:56:14.955075000Z
UserID string
"S-1-5-18"
UserId string
"0"
UtcTime string Time in UTC when event was created
2022-07-28 14:45:40.389
Version integer
5
dest string
training1
dvc_nt_host string
training1_863ebc76-4615-40a1-bf8b-665d8fd38884
event_id integer
2196
extracted_EventType integer
4
file_create_time string
2022-07-14 16:55:30.225
original_file_name string
CONHOST.EXE
parent_process string
-
parent_process_exec string
powershell.exe
parent_process_guid string
{00000000-0000-0000-0000-000000000000}
parent_process_id integer
8228
parent_process_name string
powershell.exe
parent_process_path string
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
process_current_directory string
C:\Windows\system32\
process_exec string
dash
process_guid string
{ec24d3ab-4aae-62d0-3556-46df4a560000}
process_hash string
MD5=54042EE229F73413B52E1DCFCC9CD4E4,SHA256=342A81B814D3715178BFCFEA4F10F0AD37C975C207964C0E4BB9913AF2F93629,IMPHASH=6B4443349D1BF3B7F64F196B03E28222
process_id integer
4429
process_integrity_level string
no level
process_path string
C:\Windows\System32\conhost.exe
sigma_category string
process_creation
sigma_product string
windows
sigma_service string
sysmon
signature string
Process creation
signature_id integer
1
timeendpos integer
912
timestartpos integer
889
user_id string
"S-1-5-18"
vendor_product string
Microsoft Sysmon

process_tampering

Field Data Type Description Example
Computer string
windowsvictim
EventID integer
25
Image string File path of the process that terminated
C:\Windows\System32\SecurityHealth\1.0.2109.27002-0\SecurityHealthHost.exe
ImageLoaded string
C:\Windows\SysWOW64\advapi32.dll
Name string
"Microsoft-Windows-Sysmon"
ProcessName string
SecurityHealthHost.exe
TargetObject string
HKCR
Task integer
25
Type string
Image is locked for access
User string Name of the account that terminated the process.
NT AUTHORITY\SYSTEM
action string
allowed
id integer
32300
os string
Microsoft Windows
user string
SYSTEM
Channel string
Microsoft-Windows-Sysmon/Operational
Company string
Microsoft Corporation
EventCode integer
25
EventData_Xml string
-    2022-07-05 18:43:10.539    0BD59C11-863E-62C4-7306-000000001100    7452    C:\Windows\System32\SecurityHealth\1.0.2109.27002-0\SecurityHealthHost.exe    Image is locked for access    WINDOWSVICTIM\User
EventDescription string
ProcessTampering (Process image change)
EventRecordID integer
32300
FileVersion string
10.0.20348.469 (WinBuild.160101.0800)
Guid string
"5770385F-C22A-43E0-BF4C-06F5698FFBD9"
IMPHASH string
955E66E304B6220AAFAC380689F12689
Keywords string
0x8000000000000000
Level integer
4
MD5 string
0701AABA3DE1DFFC5385B2932BA0777E
Opcode integer
0
ProcessGuid string Process Guid of the process that terminated
0BD59C11-1FF8-62CF-D305-000000001500
ProcessID string
"2816"
ProcessId integer Process ID used by the os to identify the process that terminated
7452
ProcessPath string
C:\Windows\System32\
Product string
Microsoft® Windows® Operating System
RecordNumber integer
32300
RuleName string Custom tag mapped to the event, e.g. an ATT&CK technique ID
-
SHA1 string
8E96143B484920A932DF0397A6E147AE1FDB01B0
SHA256 string
A889672C0E63ADB99F4301DD3FB2E87B5F0C2F540B37223EEB35EA590942E824
SigmaEventCode string
N/A
SystemTime string
'2022-07-05 18:43:10.546479 UTC'
System_Props_Xml string
        25    5    4    25    0    0x8000000000000000            32300                    Microsoft-Windows-Sysmon/Operational    windowsvictim        
ThreadID string
"3912"
UserID string
"S-1-5-18"
UtcTime string Time in UTC when event was created
2022-07-05 18:43:10.539
Version integer
5
dest string
windowsvictim
dvc_nt_host string
Win2022-AD
event_id integer
32300
process_guid string
0BD59C11-1FF8-62CF-D305-000000001500
process_id integer
7452
process_path string
C:\Windows\System32\SecurityHealth\1.0.2109.27002-0\SecurityHealthHost.exe
registry_path string
HKCR
result string
Image is locked for access
sigma_category string
process_tampering
sigma_product string
windows
sigma_service string
sysmon
signature string
ProcessTampering (Process image change)
signature_id integer
25
timeendpos integer
919
timestartpos integer
896
user_id string
"S-1-5-18"
vendor_product string
Microsoft Sysmon

process_termination

Field Data Type Description Example
Computer string
training1
EventID integer
5
Image string File path of the process that terminated
C:\Windows\System32\conhost.exe
Name string
"Microsoft-Windows-Sysmon"
ProcessName string
dllhost.exe
Task integer
5
Type string
Information
User string Name of the account that terminated the process.
training1\bob
action string
blocked
id integer
28649
os string
Microsoft Windows
process string
C:\Windows\System32\conhost.exe
process_name string
pwsh
user string
root
Channel string
Microsoft-Windows-Sysmon/Operational
ComputerName string
SNAP-CuvR1hlG8s
EventChannel string
Linux-Sysmon/Operational
EventCode integer
5
EventData_Xml string
-2022-07-14 16:55:33.058{ec24d3ab-4421-62d0-65ae-d1bf5e550000}1/usr/lib/systemd/systemdroot
EventDescription string
Process terminated
EventRecordID integer
810
Guid string
"{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"
Keywords string
None
Level integer
4
LogName string
Microsoft-Windows-Sysmon/Operational
Message string
Process terminated:

RuleName: -

UtcTime: 2022-03-22 18:08:22.670

ProcessGuid: {b50c7a1e-1095-623a-4202-000000002000}

ProcessId: 7544

Image: C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.155.85\MicrosoftEdgeUpdateComRegisterShell64.exe
OpCode string
Info
Opcode integer
0
ProcessGuid string Process Guid of the process that terminated
{ec24d3ab-4a70-62d0-adcd-91af4d560000}
ProcessID string
"4271"
ProcessId integer Process ID used by the os to identify the process that terminated
5756
ProcessPath string
C:\Windows\System32\
RecordID integer
810
RecordNumber integer
37073
RuleName string Custom tag mapped to the event, e.g. an ATT&CK technique ID
-
Sid string
S-1-5-18
SidType integer
0
SigmaEventCode integer
5
SourceName string
Microsoft-Windows-Sysmon
SystemTime string
'2022-07-28 14:46:07.066688 UTC'
System_Props_Xml string
        5    3    4    5    0    0x8000000000000000            28649                    Microsoft-Windows-Sysmon/Operational    EC2AMAZ-1CL0VOR        
TaskCategory string
Process terminated (rule: ProcessTerminate)
ThreadID string
"4271"
TimeCreated string
2022-07-14T16:56:15.016969000Z
UserID string
"S-1-5-18"
UserId string
"0"
UtcTime string Time in UTC when event was created
2022-07-28 14:18:12.454
Version integer
3
dest string
training1
dvc_nt_host string
training1_863ebc76-4615-40a1-bf8b-665d8fd38884
event_id integer
28649
extracted_EventType integer
4
process_exec string
pwsh
process_guid string
{ec24d3ab-4a70-62d0-adcd-91af4d560000}
process_id integer
5756
process_path string
C:\Windows\System32\conhost.exe
sigma_category string
process_termination
sigma_product string
windows
sigma_service string
sysmon
signature string
Process terminated
signature_id integer
5
timeendpos integer
912
timestartpos integer
889
user_id string
"S-1-5-18"
vendor_product string
Microsoft Sysmon

raw_access_read

Field Data Type Description Example
Computer string
sysmonlinux-ctus-attack-range-7283
EventID integer
9
Image string File path of the process that conducted reading operations from the drive
C:\Windows\System32\LogonUI.exe
Name string
"Microsoft-Windows-Sysmon"
ProcessName string
LogonUI.exe
Task integer
9
Type string
Information
User string Name of the account of the process that conducted reading operations from the drive
root
action string
allowed
id integer
1098
os string
Microsoft Windows
process_name string
systemd-udevd
user string
root
Channel string
Microsoft-Windows-Sysmon/Operational
ComputerName string
SNAP-CuvR1hlG8s
Device string Target device
\Device\HarddiskVolume2
EventChannel string
Linux-Sysmon/Operational
EventCode integer
9
EventData_Xml string
-    2022-04-11 13:20:02.045    {ec2a2542-2b02-6254-f8ad-704b96550000}    11263    /lib/systemd/systemd-udevd    /dev/loop3    root
EventDescription string
RawAccessRead
EventRecordID integer
8871
Guid string
"{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"
Keywords string
None
Level integer
4
LogName string
Microsoft-Windows-Sysmon/Operational
Message string
RawAccessRead detected:

RuleName: -

UtcTime: 2022-03-22 18:06:01.687

ProcessGuid: {b50c7a1e-0ffe-623a-ed01-000000002000}

ProcessId: 5372

Image: C:\Windows\System32\DeviceCensus.exe

Device: \Device\HarddiskVolume1
OpCode string
Info
Opcode integer
0
ProcessGuid string Process Guid of the process that conducted reading operations from the drive
{ec2a2542-2b02-6254-f8ad-704b96550000}
ProcessID string
"1900"
ProcessId integer Process ID used by the OS to identify the process that conducted reading operations from the drive
5372
ProcessPath string
C:\Windows\System32\
RecordID integer
8871
RecordNumber integer
26753
RuleName string custom tag mapped to the event, e.g. an ATT&CK technique ID
-
Sid string
S-1-5-18
SidType integer
0
SigmaEventCode integer
9
SourceName string
Microsoft-Windows-Sysmon
SystemTime string
'2022-07-28 14:16:47.490833 UTC'
System_Props_Xml string
        9    2    4    9    0    0x8000000000000000            17101                    Microsoft-Windows-Sysmon/Operational    training1        
TaskCategory string
RawAccessRead detected (rule: RawAccessRead)
ThreadID string
"3888"
TimeCreated string
2022-05-27T16:40:57.200131000Z
UserID string
"S-1-5-18"
UserId string
"0"
UtcTime string Time in UTC when event was created
2022-07-22 20:16:32.960
Version integer
2
dest string
sysmonlinux-ctus-attack-range-7283
dvc_nt_host string
EC2AMAZ-1CL0VOR_a9e2cc50-9153-4616-87e8-b1372a8bd8f5
event_id integer
1098
extracted_EventType integer
4
process_exec string
systemd-udevd
process_guid string
{ec2a2542-2b02-6254-f8ad-704b96550000}
process_id integer
3860
process_path string
C:\Windows\System32\LogonUI.exe
sigma_category string
raw_access_read
sigma_product string
windows
sigma_service string
sysmon
signature string
RawAccessRead
signature_id integer
9
timeendpos integer
917
timestartpos integer
894
user_id string
"S-1-5-18"
vendor_product string
Microsoft Sysmon
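
A triage pass over EID 9 records, added here as an example (it is not code from the original page or from Sysmon). It takes the Image, Device, User and ProcessId fields from the table above, treats \Device\HarddiskVolumeN paths as Windows volume reads and anything else as a Sysmon for Linux device node, and reports reads by images outside an allow-list or by accounts other than SYSTEM/root. The allow-lists, the SYSTEM account spellings and the third, suspicious record are assumptions; the first two records are built from the page's example values.

```python
"""Triage Sysmon Event ID 9 (RawAccessRead) records.

Added example, not part of the original page. Reading a volume block-wise
bypasses file locks and file-system ACLs, which is how SAM, SYSTEM or NTDS.dit
get copied while in use, so EID 9 deserves a baseline of who may do it.
"""
from __future__ import annotations
from dataclasses import dataclass

# Windows images expected to read whole volumes (assumed starting baseline).
WINDOWS_ALLOWED_IMAGES = {
    r"c:\windows\system32\devicecensus.exe",
    r"c:\windows\system32\logonui.exe",
}
# Sysmon for Linux logs EID 9 for block-device reads; udev doing so is normal.
LINUX_ALLOWED_IMAGES = {"/lib/systemd/systemd-udevd"}
# Windows accounts from which raw reads are expected (assumed spellings).
WINDOWS_SYSTEM_ACCOUNTS = {"nt authority\\system", "s-1-5-18"}


@dataclass(frozen=True)
class RawAccessRead:
    utc_time: str
    image: str
    device: str
    user: str
    process_id: int


def triage(ev: RawAccessRead) -> list[str]:
    """Return the reasons an EID 9 record deserves attention (empty = benign)."""
    findings: list[str] = []
    image = ev.image.lower()
    if ev.device.lower().startswith("\\device\\"):
        # Windows: \Device\HarddiskVolumeN is a whole volume.
        if image not in WINDOWS_ALLOWED_IMAGES:
            findings.append(f"unexpected image {ev.image} read {ev.device}")
        if ev.user.lower() not in WINDOWS_SYSTEM_ACCOUNTS:
            findings.append(f"raw volume read by non-SYSTEM account {ev.user}")
    else:
        # Linux: a device node such as /dev/sda or /dev/loop3.
        if image not in LINUX_ALLOWED_IMAGES:
            findings.append(f"unexpected image {ev.image} read {ev.device}")
        if ev.user != "root":
            findings.append(f"block device read by non-root account {ev.user}")
    return findings


SAMPLE_EVENTS = [
    # Windows record from the table's Message example; the account is assumed.
    RawAccessRead("2022-03-22 18:06:01.687", r"C:\Windows\System32\DeviceCensus.exe",
                  r"\Device\HarddiskVolume1", r"NT AUTHORITY\SYSTEM", 5372),
    # Linux record from the table's EventData_Xml example.
    RawAccessRead("2022-04-11 13:20:02.045", "/lib/systemd/systemd-udevd",
                  "/dev/loop3", "root", 11263),
    # Constructed: an unknown binary reading the OS volume as an interactive user.
    RawAccessRead("2022-03-22 18:07:40.000", r"C:\Users\bob\AppData\Local\Temp\vol.exe",
                  r"\Device\HarddiskVolume1", r"training1\bob", 6120),
]


def run(events: list[RawAccessRead] = SAMPLE_EVENTS) -> dict[int, list[str]]:
    """Process id -> findings, for records that produced any."""
    return {ev.process_id: f for ev in events if (f := triage(ev))}


if __name__ == "__main__":
    for pid, reasons in run().items():
        print(pid, *reasons, sep="\n  ")
```

Only the constructed third record produces findings; the DeviceCensus and udev reads fall inside the baseline. In practice the allow-list is the part that needs care: backup agents, disk utilities and EDR scanners all read volumes raw, and each one left out becomes a false positive rather than a detection.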

raw_access_thread

Field Data Type Description
Image string File path of the process that conducted reading operations from the drive
ProcessName string
Device string Target device
ProcessGuid string Process Guid of the process that conducted reading operations from the drive
ProcessId integer Process ID used by the OS to identify the process that conducted reading operations from the drive
ProcessPath string
RuleName string custom tag mapped to the event, e.g. an ATT&CK technique ID
UtcTime date Time in UTC when event was created

registry_add

Field Data Type Description
Image string File path of the process that added the registry key or value
ProcessName string
TargetObject string
EventType string
ProcessGuid string Process Guid of the process that added the registry key or value
ProcessId integer Process ID used by the OS to identify the process that added the registry key or value
ProcessPath string
RuleName string custom tag mapped to the event, e.g. an ATT&CK technique ID
UtcTime date Time in UTC when event was created

registry_creation_deletion

Field Data Type Description Example
Computer string
training1
EventID integer
12
Image string File path of the process that created or deleted the registry key or value
C:\WINDOWS\system32\svchost.exe
Name string
"Microsoft-Windows-Sysmon"
ProcessName string
svchost.exe
TargetObject string
HKLM\SOFTWARE\Microsoft\Wbem\CIMOM
Task integer
12
Type string
Information
User string Name of the account the process that changed the registry was running as. It usually contains domain name and user name (the user field below holds only the user name without the domain)
training1\bob
action string
created
id integer
28240
process_name string
chrome.exe
status string
success
user string
bob
Channel string
Microsoft-Windows-Sysmon/Operational
ComputerName string
SNAP-CuvR1hlG8s
EventCode integer
12
EventData_Xml string
-    CreateKey    2022-07-28 14:19:18.752    501694F9-9507-62E2-3901-000000000700    5232    C:\Windows\Explorer.EXE    HKU\S-1-5-21-1155946701-320910489-3936392096-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3    training1\bob
EventDescription string
RegistryEvent (Object create and delete)
EventRecordID integer
28240
EventType string
Guid string
"5770385F-C22A-43E0-BF4C-06F5698FFBD9"
Keywords string
None
Level integer
4
LogName string
Microsoft-Windows-Sysmon/Operational
Message string
Registry object added or deleted:

RuleName: whitelist

EventType: CreateKey

UtcTime: 2022-03-22 18:08:48.623

ProcessGuid: {b50c7a1e-0fc8-623a-b901-000000002000}

ProcessId: 5804

Image: C:\WINDOWS\Explorer.EXE

TargetObject: HKCR\CLSID{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
OpCode string
Info
Opcode integer
0
ProcessGuid string Process Guid of the process that created or deleted the registry key or value
{b50c7a1e-0f0e-623a-3c00-000000002000}
ProcessID string
"3112"
ProcessId integer Process ID used by the OS to identify the process that created or deleted the registry key or value
5232
ProcessPath string
C:\Program Files\Google\Chrome\Application\
RecordNumber integer
39227
RuleName string custom tag mapped to the event, e.g. an ATT&CK technique ID
whitelist
Sid string
S-1-5-18
SidType integer
0
SigmaEventCode integer
12
SourceName string
Microsoft-Windows-Sysmon
SystemTime string
'2022-07-28 14:45:40.470421 UTC'
System_Props_Xml string
        12    2    4    12    0    0x8000000000000000            28240                    Microsoft-Windows-Sysmon/Operational    EC2AMAZ-1CL0VOR        
TaskCategory string
Registry object added or deleted (rule: RegistryEvent)
ThreadID string
"3780"
UserID string
"S-1-5-18"
UtcTime string Time in UTC when event was created
2022-07-28 14:19:18.752
Version integer
2
dest string
training1
dvc_nt_host string
training1_863ebc76-4615-40a1-bf8b-665d8fd38884
event_id integer
28240
extracted_EventType string
CreateKey
object_category string
registry
object_path string
HKLM\SOFTWARE\Microsoft\Wbem\CIMOM
process_exec string
chrome.exe
process_guid string
501694F9-9507-62E2-3901-000000000700
process_id integer
5232
process_path string
C:\Program Files\Google\Chrome\Application\chrome.exe
registry_hive string
HKEY_CURRENT_USER
registry_key_name string
HKLM\SOFTWARE\Microsoft\Wbem\CIMOM
registry_path string
HKLM\SOFTWARE\Microsoft\Wbem\CIMOM
severity_id string
CreateKey
sigma_category string
registry_creation_deletion
sigma_product string
windows
sigma_service string
sysmon
signature string
RegistryEvent (Object create and delete)
signature_id integer
12
timeendpos integer
957
timestartpos integer
934
user_id string
"S-1-5-18"
vendor_product string
Microsoft Sysmon

registry_delete

Field Data Type Description
Image string File path of the process that deleted the registry key or value
ProcessName string
TargetObject string
EventType string
ProcessGuid string Process Guid of the process that deleted the registry key or value
ProcessId integer Process ID used by the OS to identify the process that deleted the registry key or value
ProcessPath string
RuleName string custom tag mapped to the event, e.g. an ATT&CK technique ID
UtcTime date Time in UTC when event was created

registry_event

Field Data Type Description
Image string File path of the process that performed the registry operation
ProcessName string
TargetObject string Complete path of the registry key, or of the value (key\value name) for value operations
Details string Value data written (SetValue events only)
EventType string Type of registry operation: CreateKey, DeleteKey, SetValue, DeleteValue or RenameKey
NewName string New name of the registry key or value (RenameKey events only)
ProcessGuid string Process Guid of the process that performed the registry operation
ProcessId integer Process ID used by the OS to identify the process that performed the registry operation
ProcessPath string
RuleName string custom tag mapped to the event, e.g. an ATT&CK technique ID
UtcTime date Time in UTC when event was created

registry_rename

Field Data Type Description Example
EventID integer
14
Image string File path of the process that renamed the registry key or value
C:\Windows\System32\poqexec.exe
ImageLoaded string
C:\Windows\SysWOW64\advapi32.dll
ProcessName string
regedit.exe
TargetObject string
HKU\S-1-5-21-1103654211-1238870038-1204021333-1002\SOFTWARE\Microsoft\Phone\New Key #1
Type string
Information
User string Name of the account the process that renamed the registry key was running as. It usually contains domain name and user name (the user field holds only the user name without the domain)
NOT_TRANSLATED
Company string Company name of the image associated with the process
Microsoft Corporation
ComputerName string
NIH-XEaZVjyHijA
EventCode integer
14
EventType string
FileVersion string Version of the image associated with the process
10.0.20348.469 (WinBuild.160101.0800)
IMPHASH string
955E66E304B6220AAFAC380689F12689
Keywords string
None
LogName string
Microsoft-Windows-Sysmon/Operational
MD5 string
0701AABA3DE1DFFC5385B2932BA0777E
Message string
Registry object renamed:
RuleName: -
EventType: RenameKey
UtcTime: 2022-01-21 02:36:12.175
ProcessGuid: {b50c7a1e-1c01-61ea-f50b-000000002000}
ProcessId: 8096
Image: C:\WINDOWS\regedit.exe
TargetObject: HKU\S-1-5-21-1103654211-1238870038-1204021333-1002\SOFTWARE\Microsoft\Phone\New Key #1
NewName: HKU\S-1-5-21-1103654211-1238870038-1204021333-1002\SOFTWARE\Microsoft\Phone\user
NewName string
HKU\S-1-5-21-1103654211-1238870038-1204021333-1002\SOFTWARE\Microsoft\Phone\user
OpCode string
Info
ProcessGuid string Process Guid of the process that renamed the registry key or value
{b50c7a1e-1c01-61ea-f50b-000000002000}
ProcessId integer Process ID used by the OS to identify the process that renamed the registry key or value
8096
ProcessPath string
C:\Windows\System32\
Product string Product name of the image associated with the process
Microsoft® Windows® Operating System
RecordNumber integer
53197
RuleName string custom tag mapped to the event, e.g. an ATT&CK technique ID
-
SHA1 string
8E96143B484920A932DF0397A6E147AE1FDB01B0
SHA256 string
A889672C0E63ADB99F4301DD3FB2E87B5F0C2F540B37223EEB35EA590942E824
Sid string
S-1-5-18
SidType integer
0
SigmaEventCode string
N/A
SourceName string
Microsoft-Windows-Sysmon
TaskCategory string
Registry object renamed (rule: RegistryEvent)
UtcTime string Time in UTC when event was created
2022-01-21 02:36:12.175
dvc_nt_host string
Win2022-AD
extracted_EventType integer
4
registry_path string
HKCR
sigma_category string
registry_rename
sigma_product string
windows
sigma_service string
sysmon
timeendpos integer
23
timestartpos integer
0
vendor_product string
Microsoft Sysmon

registry_set

Field Data Type Description
Image string File path of the process that set the registry value
ProcessName string
TargetObject string
Details string
EventType string
ProcessGuid string Process Guid of the process that set the registry value
ProcessId integer Process ID used by the OS to identify the process that set the registry value
ProcessPath string
RuleName string custom tag mapped to the event, e.g. an ATT&CK technique ID
UtcTime date Time in UTC when event was created

registry_value_set

Field Data Type Description Example
Computer string
training1
EventID integer
13
Image string File path of the process that set the registry value
C:\Windows\Explorer.EXE
Name string
"Microsoft-Windows-Sysmon"
ProcessName string
MicrosoftEdgeUpdate.exe
TargetObject string
HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1155946701-320910489-3936392096-500\Device\HarddiskVolume4\Program Files\Google\Chrome\Application\chrome.exe
Task integer
13
Type string
Information
User string Name of the account the process that set the value was running as. It usually contains domain name and user name
training1\bob
action string
modified
id integer
28235
process_name string
Explorer.EXE
status string
success
user string
bob
Channel string
Microsoft-Windows-Sysmon/Operational
ComputerName string
SNAP-CuvR1hlG8s
Details string
Binary Data
EventCode integer
13
EventData_Xml string
-    SetValue    2022-07-28 14:19:12.783    501694F9-9506-62E2-3701-000000000700    3396    C:\Windows\system32\ctfmon.exe    HKU\S-1-5-21-1155946701-320910489-3936392096-500\SOFTWARE\Microsoft\Input\TypingInsights\Insights    Binary Data    training1\bob
EventDescription string
RegistryEvent (Value Set)
EventRecordID integer
28235
EventType string
Guid string
"5770385F-C22A-43E0-BF4C-06F5698FFBD9"
Keywords string
None
Level integer
4
LogName string
Microsoft-Windows-Sysmon/Operational
Message string
Registry value set:

RuleName: -

EventType: SetValue

UtcTime: 2022-03-22 18:08:48.108

ProcessGuid: {b50c7a1e-0fc8-623a-b901-000000002000}

ProcessId: 5804

Image: C:\WINDOWS\Explorer.EXE

TargetObject: HKU\S-1-5-21-1103654211-1238870038-1204021333-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$de${3d8f9d2e-0759-4938-b072-8bf73f8dec96}$$windows.data.unifiedtile.localstartvolatiletilepropertiesmap\Current\Data

Details: Binary Data
OpCode string
Info
Opcode integer
0
ProcessGuid string Process Guid of the process that set the registry value
{b50c7a1e-106c-623a-3e02-000000002000}
ProcessID string
"3112"
ProcessId integer Process ID used by the OS to identify the process that set the registry value
5232
ProcessPath string
C:\Windows\
RecordNumber integer
39231
RuleName string custom tag mapped to the event, e.g. an ATT&CK technique ID
-
SHA256 string
62E482B94F6CB0A5FDD3243168267CDBFDE58D0FFD3E1E664A28CD2B86EFF823
Sid string
S-1-5-18
SidType integer
0
SigmaEventCode integer
13
SourceName string
Microsoft-Windows-Sysmon
SystemTime string
'2022-07-28 14:45:40.390274 UTC'
System_Props_Xml string
        13    2    4    13    0    0x8000000000000000            28235                    Microsoft-Windows-Sysmon/Operational    EC2AMAZ-1CL0VOR        
TaskCategory string
Registry value set (rule: RegistryEvent)
ThreadID string
"3780"
UserID string
"S-1-5-18"
UtcTime string Time in UTC when event was created
2022-07-28 14:19:18.752
Version integer
2
dest string
training1
dvc string
training1
dvc_nt_host string
training1_863ebc76-4615-40a1-bf8b-665d8fd38884
event_id integer
28235
extracted_EventType string
SetValue
object_category string
registry
object_path string
HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1155946701-320910489-3936392096-500\Device\HarddiskVolume4\Program Files\Google\Chrome\Application\chrome.exe
process_exec string
Explorer.EXE
process_guid string
501694F9-9507-62E2-3901-000000000700
process_id integer
5232
process_path string
C:\Windows\Explorer.EXE
registry_hive string
HKEY_CURRENT_USER
registry_key_name string
HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1155946701-320910489-3936392096-500\Device\HarddiskVolume4\Program Files\Google\Chrome\Application\chrome.exe
registry_path string
HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1155946701-320910489-3936392096-500\Device\HarddiskVolume4\Program Files\Google\Chrome\Application\chrome.exe
registry_value_data string
Binary Data
registry_value_name string
HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1155946701-320910489-3936392096-500\Device\HarddiskVolume4\Program Files\Google\Chrome\Application\chrome.exe
severity_id string
SetValue
sigma_category string
registry_value_set
sigma_product string
windows
sigma_service string
sysmon
signature string
RegistryEvent (Value Set)
signature_id integer
13
timeendpos integer
956
timestartpos integer
933
user_id string
"S-1-5-18"
vendor_product string
Microsoft Sysmon
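
The EventData_Xml samples in the registry tables are the raw Sysmon EventData in schema order, which is enough to recover every named field and to derive registry_hive, registry_key_name and registry_value_name from TargetObject instead of trusting a separately populated field. The parser below, added here as an example and not code from the page or from Sysmon, does that for EID 12, 13 and 14 (the registry_creation_deletion, registry_rename and registry_value_set tables) and flags value paths that are common autostart locations. It assumes the fields are tab-separated (the page renders the separator as runs of spaces); the field order is Sysmon's own; the autostart markers and the fourth record are assumptions, the other records are the page's example values.

```python
"""Parse Sysmon registry events (EID 12, 13, 14) from EventData and derive
the normalized registry fields.

Added example, not code from the original page. Field order per event ID is
the Sysmon EventData schema; the separator is assumed to be a tab.
"""
from __future__ import annotations

# EventData element order per event ID (Sysmon 13+ appends User).
FIELD_ORDER = {
    12: ("RuleName", "EventType", "UtcTime", "ProcessGuid", "ProcessId",
         "Image", "TargetObject", "User"),
    13: ("RuleName", "EventType", "UtcTime", "ProcessGuid", "ProcessId",
         "Image", "TargetObject", "Details", "User"),
    14: ("RuleName", "EventType", "UtcTime", "ProcessGuid", "ProcessId",
         "Image", "TargetObject", "NewName", "User"),
}
# Sysmon abbreviates the hive; the current user's hive appears as HKU\<SID>.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS",
         "HKCR": "HKEY_CLASSES_ROOT"}
# Lower-cased fragments of paths that commonly carry persistence (assumed subset).
AUTOSTART_MARKERS = (
    "\\software\\microsoft\\windows\\currentversion\\run\\",
    "\\software\\microsoft\\windows\\currentversion\\runonce\\",
    "\\microsoft\\windows nt\\currentversion\\winlogon\\shell",
    "\\microsoft\\windows nt\\currentversion\\winlogon\\userinit",
    "\\image file execution options\\",
)
SERVICES_PREFIX = "\\currentcontrolset\\services\\"


def parse_event_data(event_id: int, event_data: str) -> dict[str, str]:
    """Split one tab-separated EventData string into named fields."""
    names = FIELD_ORDER[event_id]
    values = event_data.split("\t")
    if len(values) != len(names):
        raise ValueError(f"EID {event_id}: expected {len(names)} fields, got {len(values)}")
    return dict(zip(names, values))


def normalize(fields: dict[str, str]) -> dict[str, str]:
    """Hive, key and value name from TargetObject; only value operations carry a value name."""
    target = fields["TargetObject"]
    root, _, rest = target.partition("\\")
    if fields["EventType"] in ("SetValue", "DeleteValue"):
        key, _, value = rest.rpartition("\\")
    else:
        key, value = rest, ""
    return {"registry_hive": HIVES.get(root.upper(), root), "registry_key_name": key,
            "registry_value_name": value, "registry_path": target}


def is_autostart(target: str) -> bool:
    """True when the path is a well-known autostart location."""
    t = target.lower()
    if SERVICES_PREFIX in t:  # services: only the binary/DLL pointers matter here
        return t.endswith("\\imagepath") or t.endswith("\\servicedll")
    return any(marker in t for marker in AUTOSTART_MARKERS)


TAB = "\t"
SAMPLE_RECORDS = [
    # EID 12 and 13 values taken from the tables' EventData_Xml examples.
    (12, TAB.join(["-", "CreateKey", "2022-07-28 14:19:18.752",
                   "501694F9-9507-62E2-3901-000000000700", "5232", r"C:\Windows\Explorer.EXE",
                   r"HKU\S-1-5-21-1155946701-320910489-3936392096-500_Classes"
                   r"\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3", r"training1\bob"])),
    (13, TAB.join(["-", "SetValue", "2022-07-28 14:19:12.783",
                   "501694F9-9506-62E2-3701-000000000700", "3396", r"C:\Windows\system32\ctfmon.exe",
                   r"HKU\S-1-5-21-1155946701-320910489-3936392096-500"
                   r"\SOFTWARE\Microsoft\Input\TypingInsights\Insights", "Binary Data", r"training1\bob"])),
    # EID 14 assembled from the registry_rename table's field values.
    (14, TAB.join(["-", "RenameKey", "2022-01-21 02:36:12.175",
                   "{b50c7a1e-1c01-61ea-f50b-000000002000}", "8096", r"C:\WINDOWS\regedit.exe",
                   r"HKU\S-1-5-21-1103654211-1238870038-1204021333-1002\SOFTWARE\Microsoft\Phone\New Key #1",
                   r"HKU\S-1-5-21-1103654211-1238870038-1204021333-1002\SOFTWARE\Microsoft\Phone\user",
                   "NOT_TRANSLATED"])),
    # Constructed: a Run value being set, the shape user-level persistence takes.
    (13, TAB.join(["-", "SetValue", "2022-07-28 14:20:00.000",
                   "{00000000-0000-0000-0000-000000000000}", "4242",
                   r"C:\Users\bob\AppData\Local\Temp\updater.exe",
                   r"HKU\S-1-5-21-1155946701-320910489-3936392096-500"
                   r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
                   r"C:\Users\bob\AppData\Local\Temp\updater.exe", r"training1\bob"])),
]


def analyze(records=SAMPLE_RECORDS) -> list[dict[str, object]]:
    """Parse every record and attach the normalized fields and an autostart flag."""
    rows: list[dict[str, object]] = []
    for event_id, line in records:
        fields = parse_event_data(event_id, line)
        row: dict[str, object] = {"EventID": event_id, **fields, **normalize(fields)}
        row["autostart"] = is_autostart(fields["TargetObject"])
        rows.append(row)
    return rows
```

Deriving the hive from TargetObject matters because a per-user hive is reported as HKU\<SID>, not HKCU, and the value name only exists for SetValue and DeleteValue; splitting a CreateKey path on its last backslash would turn the key's leaf into a bogus value name. A record with the wrong number of fields is rejected rather than silently shifted, since a shifted record would put the Image in the TargetObject column and defeat any rule written against it.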

sysmon_error

Field Data Type Description Example
Computer string
EC2AMAZ-NNKUICG
EventID integer
255
ID string
IMAGE_LOAD
Image string Image path attached to the record; the error event (EID 255) itself carries only UtcTime, ID and Description
C:\Windows\System32\poqexec.exe
ImageLoaded string
C:\Windows\SysWOW64\advapi32.dll
Name string
"Microsoft-Windows-Sysmon"
ProcessName string
poqexec.exe
TargetObject string
HKCR
Task integer
255
Type string
Error
User string Account attached to the record; the error event itself carries no user field
NOT_TRANSLATED
description string
Error occurred within Sysmon
id integer
4674
service string
Sysmon
status string
critical
Channel string
Microsoft-Windows-Sysmon/Operational
Company string
Microsoft Corporation
ComputerName string
SNAP-CuvR1hlG8s
Description string
Failed to send message to the driver to update configuration - Last error: The system cannot find the file specified.
EventCode integer
255
EventData_Xml string
2022-06-15 13:10:00.279    ConfigMonitorThread    Failed to send message to the driver to update configuration - Last error: The system cannot find the file specified.
EventDescription string
Error
EventRecordID integer
4674
FileVersion string
10.0.20348.469 (WinBuild.160101.0800)
Guid string
"5770385F-C22A-43E0-BF4C-06F5698FFBD9"
IMPHASH string
955E66E304B6220AAFAC380689F12689
Keywords string
None
Level integer
2
LogName string
Microsoft-Windows-Sysmon/Operational
MD5 string
0701AABA3DE1DFFC5385B2932BA0777E
Message string
Error report:

UtcTime: 2022-02-25 19:55:56.832

ID: IMAGE_LOAD

Description: Failed to find process image name
OpCode string
Info
Opcode integer
0
ProcessID string
"2644"
ProcessId integer Process ID recorded in the event's System section, i.e. the Sysmon service that logged the error
2644
ProcessPath string
C:\Windows\System32\
Product string
Microsoft® Windows® Operating System
RecordNumber integer
4674
SHA1 string
8E96143B484920A932DF0397A6E147AE1FDB01B0
SHA256 string
A889672C0E63ADB99F4301DD3FB2E87B5F0C2F540B37223EEB35EA590942E824
Sid string
S-1-5-18
SidType integer
0
SigmaEventCode string
255
SourceName string
Microsoft-Windows-Sysmon
SystemTime string
'2022-06-15 13:10:00.281566 UTC'
System_Props_Xml string
        255    3    2    255    0    0x8000000000000000            4929                    Microsoft-Windows-Sysmon/Operational    EC2AMAZ-NNKUICG        
TaskCategory string
None
ThreadID string
"3448"
UserID string
"S-1-5-18"
UtcTime string Time in UTC when event was created
2022-06-15 13:10:00.279
Version integer
3
dest string
EC2AMAZ-NNKUICG
dvc string
EC2AMAZ-NNKUICG
dvc_nt_host string
EC2AMAZ-NNKUICG_1ecf4626-3650-49a2-af8a-c3dd1f6122dc
event_id integer
4674
extracted_EventType integer
2
process_id string
"2644"
registry_path string
HKCR
result string
Failed to send message to the driver to update configuration - Last error: The system cannot find the file specified.
service_name string
Sysmon
sigma_category string
sysmon_error
sigma_product string
windows
sigma_service string
sysmon
signature string
Error
signature_id integer
255
timeendpos integer
888
timestartpos integer
865
user_id string
"S-1-5-18"
vendor_product string
Microsoft Sysmon

sysmon_status

Field Data Type Description Example
CommandLine string Arguments which were passed to the executable associated with the main process
xhost +local:
Computer string
ip-10-0-76-180
EventID integer
16
Image string
C:\Windows\System32\poqexec.exe
ImageLoaded string
C:\Windows\SysWOW64\advapi32.dll
Name string
"Microsoft-Windows-Sysmon"
OriginalFileName string original file name
-
ParentCommandLine string Arguments which were passed to the executable associated with the parent process
-
ParentImage string File path that spawned/created the main process
-
ProcessName string
poqexec.exe
TargetFilename string
/home/ubuntu/capattack-ps/.activesession
TargetObject string
HKCR
Task integer
16
Type string
Information
User string Name of the account the record is attributed to. It usually contains domain name and user name (the user field below holds only the user name without the domain)
root
description string
Sysmon configuration changed
id integer
7
service string
Sysmon
status string
started
user string
root
Archived string
-
Channel string
Microsoft-Windows-Sysmon/Operational
Company string
Microsoft Corporation
ComputerName string
NIH-2UKkeAsXtb5
Configuration string path of the Sysmon config file that was applied
C:\sysmon_snapattack.xml
ConfigurationFileHash string hash of the Sysmon config file that was applied, prefixed with the algorithm name: SHA1 unless HashAlgorithms selects another (the example below reports SHA256, the Message example SHA1)
SHA256=62E482B94F6CB0A5FDD3243168267CDBFDE58D0FFD3E1E664A28CD2B86EFF823
CreationUtcTime string
2022-02-25 16:58:21.570
CurrentDirectory string Current working directory of the process
/home/ubuntu/capattack-ps
Description string Description of the image associated with the main process (child)
-
DestinationHostname string
-
DestinationIp string
10.0.64.2
DestinationIsIpv6 string
false
DestinationPort integer
53
DestinationPortName string
-
EventChannel string
Linux-Sysmon/Operational
EventCode integer
16
EventData_Xml string
2022-06-28 20:48:37.913    C:\Users\bob\Desktop\capattack\sysmon_snapattack.xml    SHA256=62E482B94F6CB0A5FDD3243168267CDBFDE58D0FFD3E1E664A28CD2B86EFF823
EventDescription string
ServiceConfigurationChange
EventRecordID integer
7
FileVersion string
10.0.20348.469 (WinBuild.160101.0800)
Guid string
"{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"
Hashes string Hashes captured by sysmon driver
-
IMPHASH string
955E66E304B6220AAFAC380689F12689
Initiated string
true
IntegrityLevel string Integrity label assigned to a process
no level
IsExecutable string
-
Keywords string
None
Level integer
4
LogName string
Microsoft-Windows-Sysmon/Operational
LogonGuid string Logon GUID of the user who created the new process. Value that can help you correlate this event with others that contain the same Logon GUID (Sysmon Events)
{8cc9602e-0000-0000-e803-000000000000}
LogonId integer Login ID of the user who created the new process. Value that can help you correlate this event with others that contain the same Logon ID
1000
MD5 string
0701AABA3DE1DFFC5385B2932BA0777E
Message string
Sysmon config state changed:
UtcTime: 2022-01-26 21:47:52.016
Configuration: C:\sysmon_snapattack.xml
ConfigurationFileHash: SHA1=B866D26DFF4C16C4F7E254FFBC117C0B1CAE6E5B
OpCode string
Info
Opcode integer
0
ParentProcessGuid string ProcessGUID of the process that spawned/created the main process (child)
{00000000-0000-0000-0000-000000000000}
ParentProcessId integer Process ID of the process that spawned/created the main process (child)
12307
ParentUser string Name of the account who created the process that spawned/created the main process (child)
-
ProcessGuid string Process Guid of the process that got spawned/created (child)
{8cc9602e-0aad-6219-69cd-9c079b550000}
ProcessID string
"665"
ProcessId integer Process ID used by the os to identify the created process (child)
4792
ProcessPath string
C:\Windows\System32\
Product string
Microsoft® Windows® Operating System
Protocol string
udp
RecordID integer
5
RecordNumber integer
7
RuleName string custom tag mapped to the event, e.g. an ATT&CK technique ID
-
SHA1 string
B866D26DFF4C16C4F7E254FFBC117C0B1CAE6E5B
SHA256 string
A889672C0E63ADB99F4301DD3FB2E87B5F0C2F540B37223EEB35EA590942E824
SchemaVersion string sysmon config schema version
Sid string
S-1-5-21-1103654211-1238870038-1204021333-1002
SidType integer
0
SigmaEventCode integer
16
SigmaEventCode string
N/A
SourceHostname string
-
SourceIp string
10.0.76.180
SourceIsIpv6 string
false
SourceName string
Microsoft-Windows-Sysmon
SourcePort integer
36528
SourcePortName string
-
State string Sysmon service state reported by EID 4 (Started or Stopped)
SystemTime string
'2022-06-28 20:48:37.915410 UTC'
System_Props_Xml string
        16    3    4    16    0    0x8000000000000000            520803                    Microsoft-Windows-Sysmon/Operational    Win10Victim        
TaskCategory string
Sysmon config state changed
TerminalSessionId integer ID of the session the user belongs to
2
ThreadID string
"7148"
TimeCreated string
2022-03-09T18:30:05.047800000Z
UserID string
"S-1-5-21-2414553406-2212388514-3030099854-1009"
UserId string
"0"
UtcTime string Time in UTC when event was created
2022-06-28 20:48:37.913
Version integer
3
Version string Sysmon version (EID 4 only)
dest string
ip-10-0-76-180
dest_ip string
10.0.64.2
dest_port integer
53
dvc_ip string
10.0.76.180
dvc_nt_host string
Win2022-AD
event_id integer
7
extracted_EventType integer
4
file_create_time string
2022-02-25 16:58:21.570
parent_process string
-
process_current_directory string
/home/ubuntu/capattack-ps
process_id string
"665"
process_integrity_level string
no level
registry_path string
HKCR
service_name string
Sysmon
sigma_category string
sysmon_status
sigma_product string
windows
sigma_service string
sysmon
signature string
ServiceConfigurationChange
signature_id integer
16
src string
-
src_ip string
10.0.76.180
src_port integer
36528
timeendpos integer
921
timestartpos integer
898
transport string
udp
transport_dest_port string
udp/53
user_id string
"S-1-5-21-2414553406-2212388514-3030099854-1009"
vendor_product string
Microsoft Sysmon
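
Sysmon's self-reporting events are the ones to watch for tampering: EID 16 says a new configuration was applied and which file hash it has, EID 4 says the service started or stopped, and EID 255 reports internal errors, including failures to talk to the driver. The monitor below is an added example, not code from the page or from Sysmon; it pins the expected config hashes (assumed; the values are the ones the sysmon_status examples above report), treats any other hash or a Stopped state as an alert, and escalates EID 255 descriptions that mention the driver. Records are built from the sysmon_status and sysmon_error examples except the ones marked constructed.

```python
"""Watch Sysmon's own events for tampering and health problems.

Added example, not code from the original page. Covers EID 16 (config state
changed) against pinned config hashes, EID 4 (service state changed) for a
stop, and EID 255 (error) for driver or configuration failures.
"""
from __future__ import annotations

# Hashes of the approved config, pinned at deploy time. Assumed here; the
# values are the ones the page's EID 16 examples report.
APPROVED_CONFIG_HASHES = {
    "SHA1": "B866D26DFF4C16C4F7E254FFBC117C0B1CAE6E5B",
    "SHA256": "62E482B94F6CB0A5FDD3243168267CDBFDE58D0FFD3E1E664A28CD2B86EFF823",
}


def parse_hash_field(value: str) -> dict[str, str]:
    """'SHA1=..,SHA256=..' -> {'SHA1': '..', 'SHA256': '..'}; '-' -> {}."""
    digests: dict[str, str] = {}
    for part in value.split(","):
        algo, _, digest = part.partition("=")
        if digest:
            digests[algo.strip().upper()] = digest.strip().upper()
    return digests


def check(event: dict[str, object]) -> list[str]:
    """Return alert strings for one Sysmon self-reporting record."""
    alerts: list[str] = []
    eid = event["EventID"]
    if eid == 16:
        reported = parse_hash_field(str(event["ConfigurationFileHash"]))
        if not reported:
            alerts.append("config change without a file hash")
        for algo, digest in reported.items():
            expected = APPROVED_CONFIG_HASHES.get(algo)
            if expected is None:
                alerts.append(f"config hash uses unpinned algorithm {algo}")
            elif digest != expected:
                alerts.append(f"config {event['Configuration']} {algo} hash differs from pinned value")
    elif eid == 4:
        if str(event.get("State", "")).lower() == "stopped":
            alerts.append(f"Sysmon {event.get('Version', '?')} stopped")
    elif eid == 255:
        desc = str(event["Description"])
        alert = f"Sysmon error {event['ID']}: {desc}"
        if "driver" in desc.lower():
            # Without the driver the service receives no kernel telemetry.
            alert += " (driver communication failure; collection may be blind)"
        alerts.append(alert)
    return alerts


SAMPLE_EVENTS: list[dict[str, object]] = [
    # EID 16 from the sysmon_status Message example (SHA1).
    {"EventID": 16, "UtcTime": "2022-01-26 21:47:52.016",
     "Configuration": r"C:\sysmon_snapattack.xml",
     "ConfigurationFileHash": "SHA1=B866D26DFF4C16C4F7E254FFBC117C0B1CAE6E5B"},
    # EID 16 from the sysmon_status EventData_Xml example (SHA256).
    {"EventID": 16, "UtcTime": "2022-06-28 20:48:37.913",
     "Configuration": r"C:\Users\bob\Desktop\capattack\sysmon_snapattack.xml",
     "ConfigurationFileHash": "SHA256=62E482B94F6CB0A5FDD3243168267CDBFDE58D0FFD3E1E664A28CD2B86EFF823"},
    # Constructed: a config that is not the pinned one was applied.
    {"EventID": 16, "UtcTime": "2022-06-28 21:00:00.000",
     "Configuration": r"C:\Users\bob\Desktop\quiet.xml",
     "ConfigurationFileHash": "SHA256=" + "0" * 64},
    # EID 255 records from the sysmon_error Description and Message examples.
    {"EventID": 255, "UtcTime": "2022-06-15 13:10:00.279", "ID": "ConfigMonitorThread",
     "Description": "Failed to send message to the driver to update configuration - "
                    "Last error: The system cannot find the file specified."},
    {"EventID": 255, "UtcTime": "2022-02-25 19:55:56.832", "ID": "IMAGE_LOAD",
     "Description": "Failed to find process image name"},
    # Constructed EID 4: the service stopping is itself an alert.
    {"EventID": 4, "UtcTime": "2022-06-28 21:05:00.000", "State": "Stopped",
     "Version": "13.34", "SchemaVersion": "4.81"},
]


def run(events=SAMPLE_EVENTS) -> list[tuple[int, list[str]]]:
    """(EventID, alerts) for every record that produced at least one alert."""
    return [(int(str(ev["EventID"])), a) for ev in events if (a := check(ev))]
```

The two genuine EID 16 records pass because their hashes match the pinned values; the constructed one, the two errors and the stop all produce alerts. Comparing the digest under the algorithm the event actually reports, rather than assuming SHA1, is what keeps the check working when HashAlgorithms is changed, and treating a hash-less config change as an alert closes the case where the file is replaced by a command-line configuration.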

wmi_consumer

Field Data Type Description Example
Computer string
EC2AMAZ-NNKUICG
EventID integer
20
Image string Image path attached to the record; the WMI consumer event (EID 20) itself carries no process fields, so this does not identify the process that created the consumer
C:\Windows\System32\poqexec.exe
ImageLoaded string
C:\Windows\SysWOW64\advapi32.dll
Name string
"Microsoft-Windows-Sysmon"
ProcessName string
poqexec.exe
TargetObject string
HKCR
Task integer
20
Type string
Command Line
User string
EC2AMAZ-NNKUICG\user
action string
created
id integer
4359
status string
success
user string
user
Channel string
Microsoft-Windows-Sysmon/Operational
Company string
Microsoft Corporation
Destination string
"C:\Windows\System32\notepad.exe"
EventCode integer
20
EventData_Xml string
-    WmiConsumerEvent    2022-06-15 13:08:14.794    Created    EC2AMAZ-NNKUICG\user     "AtomicRedTeam-WMIPersistence-Example"    Command Line     "C:\Windows\System32\notepad.exe"
EventDescription string
WmiEvent (WmiEventConsumer activity detected)
EventRecordID integer
4359
EventType string
FileVersion string
10.0.20348.469 (WinBuild.160101.0800)
Guid string
"5770385F-C22A-43E0-BF4C-06F5698FFBD9"
IMPHASH string
955E66E304B6220AAFAC380689F12689
Keywords string
0x8000000000000000
Level integer
4
MD5 string
0701AABA3DE1DFFC5385B2932BA0777E
Opcode integer
0
Operation string
Created
ProcessID string
"2732"
ProcessId integer Process ID recorded in the event's System section (the logging Sysmon service); EID 20 data carries no process fields of its own
2732
ProcessPath string
C:\Windows\System32\
Product string
Microsoft® Windows® Operating System
RecordNumber integer
4359
RuleName string custom tag mapped to the event, e.g. an ATT&CK technique ID
-
SHA1 string
8E96143B484920A932DF0397A6E147AE1FDB01B0
SHA256 string
A889672C0E63ADB99F4301DD3FB2E87B5F0C2F540B37223EEB35EA590942E824
SigmaEventCode string
N/A
SystemTime string
'2022-06-15 13:08:14.805013 UTC'
System_Props_Xml string
        20    3    4    20    0    0x8000000000000000            4359                    Microsoft-Windows-Sysmon/Operational    EC2AMAZ-NNKUICG        
ThreadID string
"3068"
UserID string
"S-1-5-18"
UtcTime string Time in UTC when event was created
2022-06-15 13:08:14.794
Version integer
3
change_type string
filesystem
dest string
EC2AMAZ-NNKUICG
dvc string
EC2AMAZ-NNKUICG
dvc_nt_host string
EC2AMAZ-NNKUICG_8a39c206-b706-4fb1-b834-c8f8ce7c7c61
event_id integer
4359
extracted_EventType string
WmiConsumerEvent
object string
notepad.exe
object_category string
wmi
registry_path string
HKCR
severity_id string
WmiConsumerEvent
sigma_category string
wmi_consumer
sigma_product string
windows
sigma_service string
sysmon
signature string
WmiEvent (WmiEventConsumer activity detected)
signature_id integer
20
src string
EC2AMAZ-NNKUICG
timeendpos integer
970
timestartpos integer
947
user_id string
"S-1-5-18"
user_name string
user
vendor_product string
Microsoft Sysmon

wmi_consumer_filter

Field Data Type Description Example
Computer string
EC2AMAZ-NNKUICG
EventID integer
21
Image string Image path attached to the record; the WMI binding event (EID 21) itself carries no process fields
C:\Windows\System32\poqexec.exe
ImageLoaded string
C:\Windows\SysWOW64\advapi32.dll
Name string
"Microsoft-Windows-Sysmon"
ProcessName string
poqexec.exe
TargetObject string
HKCR
Task integer
21
User string Name of the account that created the binding. It usually contains domain name and user name (the user field below holds only the user name without the domain)
EC2AMAZ-NNKUICG\user
action string
created
id integer
5102
status string
success
user string
user
Channel string
Microsoft-Windows-Sysmon/Operational
Company string Company name of the image attached to the record
Microsoft Corporation
Consumer string
"\\.\ROOT\subscription:CommandLineEventConsumer.Name=\"AtomicRedTeam-WMIPersistence-Example\""
EventCode integer
21
EventData_Xml string
-    WmiBindingEvent    2022-06-15 13:08:34.752    Created    EC2AMAZ-NNKUICG\user     "\\.\ROOT\subscription:CommandLineEventConsumer.Name=\"AtomicRedTeam-WMIPersistence-Example\""     "\\.\ROOT\subscription:__EventFilter.Name=\"AtomicRedTeam-WMIPersistence-Example\""
EventDescription string
WmiEvent (WmiEventConsumerToFilter activity detected)
EventRecordID integer
5102
EventType string
FileVersion string Version of the image attached to the record
10.0.20348.469 (WinBuild.160101.0800)
Filter string
"\\.\ROOT\subscription:__EventFilter.Name=\"AtomicRedTeam-WMIPersistence-Example\""
Guid string
"5770385F-C22A-43E0-BF4C-06F5698FFBD9"
IMPHASH string
955E66E304B6220AAFAC380689F12689
Keywords string
0x8000000000000000
Level integer
4
MD5 string
0701AABA3DE1DFFC5385B2932BA0777E
Opcode integer
0
Operation string
Created
ProcessID string
"2732"
ProcessId integer Process ID recorded in the event's System section (the logging Sysmon service); EID 21 data carries no process fields of its own
2732
ProcessPath string
C:\Windows\System32\
Product string Product name of the image attached to the record
Microsoft® Windows® Operating System
RecordNumber integer
5102
RuleName string custom tag mapped to the event, e.g. an ATT&CK technique ID
-
SHA1 string
8E96143B484920A932DF0397A6E147AE1FDB01B0
SHA256 string
A889672C0E63ADB99F4301DD3FB2E87B5F0C2F540B37223EEB35EA590942E824
SigmaEventCode string
N/A
SystemTime string
'2022-06-15 13:08:34.756272 UTC'
System_Props_Xml string
        21    3    4    21    0    0x8000000000000000            5102                    Microsoft-Windows-Sysmon/Operational    EC2AMAZ-NNKUICG        
ThreadID string
"3068"
UserID string
"S-1-5-18"
UtcTime string Time in UTC when event was created
2022-06-15 13:08:34.752
Version integer
3
change_type string
filesystem
dest string
EC2AMAZ-NNKUICG
dvc string
EC2AMAZ-NNKUICG
dvc_nt_host string
EC2AMAZ-NNKUICG_8a39c206-b706-4fb1-b834-c8f8ce7c7c61
event_id integer
5102
extracted_EventType string
WmiBindingEvent
object string
AtomicRedTeam-WMIPersistence-Example
object_category string
wmi
registry_path string
HKCR
result string
created
severity_id string
WmiBindingEvent
sigma_category string
wmi_consumer_filter
sigma_product string
windows
sigma_service string
sysmon
signature string
WmiEvent (WmiEventConsumerToFilter activity detected)
signature_id integer
21
src string
EC2AMAZ-NNKUICG
timeendpos integer
969
timestartpos integer
946
user_id string
"S-1-5-18"
user_name string
user
vendor_product string
Microsoft Sysmon
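
EID 19, 20 and 21 describe one WMI subscription in three pieces, and the binding (EID 21) is what makes the consumer fire: its Consumer and Filter values are WMI object paths whose Name properties match the Name fields of the earlier filter and consumer events. The correlation below is an added example, not code from the page or from Sysmon; it parses those object paths, joins the Created events by name, and marks bindings whose consumer class runs code (CommandLineEventConsumer, ActiveScriptEventConsumer) and whose query fires on SystemUpTime, the boot-time trigger the page's example filter uses. The first three records are the page's examples; the last two are constructed, and the trigger heuristic is an assumption.

```python
"""Stitch Sysmon WMI events (EID 19 filter, 20 consumer, 21 binding) back into
the subscriptions they describe.

Added example, not code from the original page. The binding is the join point:
its Consumer and Filter values are WMI object paths whose Name matches the Name
of the earlier filter and consumer events.
"""
from __future__ import annotations
import re

# Object path as Sysmon logs it in EID 21, e.g.
# \\.\ROOT\subscription:CommandLineEventConsumer.Name="X"
OBJECT_PATH_RE = re.compile(r'(?P<cls>[A-Za-z_]+)\.Name="(?P<name>[^"]+)"')
# Consumer classes that run attacker-supplied commands or script when triggered.
ACTIVE_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}


def unquote(value: str) -> str:
    """Sysmon wraps Name, Query, Destination and EventNamespace in quotes."""
    return value.strip().strip('"')


def ref_name(ref: str) -> tuple[str, str]:
    """Return (WMI class, Name) from an EID 21 Consumer or Filter path."""
    m = OBJECT_PATH_RE.search(ref)
    if not m:
        raise ValueError(f"unrecognized WMI object path: {ref}")
    return m.group("cls"), m.group("name")


def classify_trigger(query: str | None) -> str:
    """Label what makes the filter fire (assumed heuristic, not exhaustive)."""
    if query is None:
        return "unknown"
    return "boot" if "systemuptime" in query.lower() else "other"


def correlate(events: list[dict[str, str]]) -> list[dict[str, object]]:
    """Join Created filters and consumers to Created bindings by Name."""
    filters: dict[str, dict[str, str]] = {}
    consumers: dict[str, dict[str, str]] = {}
    bindings: list[dict[str, str]] = []
    for ev in events:
        if ev["Operation"] != "Created":      # deletions do not add persistence
            continue
        if ev["EventType"] == "WmiFilterEvent":
            filters[unquote(ev["Name"])] = ev
        elif ev["EventType"] == "WmiConsumerEvent":
            consumers[unquote(ev["Name"])] = ev
        elif ev["EventType"] == "WmiBindingEvent":
            bindings.append(ev)
    findings: list[dict[str, object]] = []
    for b in bindings:
        _, fname = ref_name(b["Filter"])
        ccls, cname = ref_name(b["Consumer"])
        flt, con = filters.get(fname), consumers.get(cname)
        query = unquote(flt["Query"]) if flt else None
        findings.append({
            "filter": fname, "consumer": cname, "consumer_class": ccls,
            "namespace": unquote(flt["EventNamespace"]) if flt else None,
            "query": query, "trigger": classify_trigger(query),
            "destination": unquote(con["Destination"]) if con else None,
            "user": b["User"], "active_payload": ccls in ACTIVE_CONSUMERS,
        })
    return findings


SAMPLE_EVENTS: list[dict[str, str]] = [
    # EID 19, 20 and 21 from the wmi_filter, wmi_consumer and wmi_consumer_filter examples.
    {"EventType": "WmiFilterEvent", "UtcTime": "2022-06-15 13:07:55.309", "Operation": "Created",
     "User": r"EC2AMAZ-NNKUICG\user", "EventNamespace": r'"root\CimV2"',
     "Name": '"AtomicRedTeam-WMIPersistence-Example"',
     "Query": '"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA '
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 "
              'AND TargetInstance.SystemUpTime < 325"'},
    {"EventType": "WmiConsumerEvent", "UtcTime": "2022-06-15 13:08:14.794", "Operation": "Created",
     "User": r"EC2AMAZ-NNKUICG\user", "Name": '"AtomicRedTeam-WMIPersistence-Example"',
     "Type": "Command Line", "Destination": r'"C:\Windows\System32\notepad.exe"'},
    {"EventType": "WmiBindingEvent", "UtcTime": "2022-06-15 13:08:34.752", "Operation": "Created",
     "User": r"EC2AMAZ-NNKUICG\user",
     "Consumer": r'\\.\ROOT\subscription:CommandLineEventConsumer.Name="AtomicRedTeam-WMIPersistence-Example"',
     "Filter": r'\\.\ROOT\subscription:__EventFilter.Name="AtomicRedTeam-WMIPersistence-Example"'},
    # Constructed: a binding whose filter and consumer predate Sysmon logging,
    # modelled on the stock SCM Event Log subscription Windows ships with.
    {"EventType": "WmiBindingEvent", "UtcTime": "2022-06-15 13:09:00.000", "Operation": "Created",
     "User": r"NT AUTHORITY\SYSTEM",
     "Consumer": r'\\.\ROOT\subscription:NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": r'\\.\ROOT\subscription:__EventFilter.Name="SCM Event Log Filter"'},
    # Constructed: a deletion, which the correlation deliberately skips.
    {"EventType": "WmiConsumerEvent", "UtcTime": "2022-06-15 13:10:00.000", "Operation": "Deleted",
     "User": r"EC2AMAZ-NNKUICG\user", "Name": '"AtomicRedTeam-WMIPersistence-Example"',
     "Type": "Command Line", "Destination": r'"C:\Windows\System32\notepad.exe"'},
]
```

The first finding is the complete Atomic Red Team subscription: a CommandLineEventConsumer whose Destination is notepad.exe, bound to a filter that fires between 240 and 325 seconds of uptime, which is why active_payload and the boot trigger are the two fields worth alerting on. The second finding shows the other common situation, a binding whose filter and consumer were never logged because they existed before Sysmon was installed; it still reports the consumer class from the object path, so an NTEventLogEventConsumer is distinguishable from a command-line one even without the EID 20 record.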

wmi_event

Field Data Type Description
Name string Name of the WMI filter or consumer (EID 19 and 20)
User string Account that created or deleted the WMI object
EventNamespace string WMI namespace the filter's query runs in, e.g. root\CimV2 (EID 19)
EventType string WMI event type: WmiFilterEvent, WmiConsumerEvent or WmiBindingEvent
Operation string Operation on the WMI object, e.g. Created or Deleted
Query string WQL query of the filter (EID 19)
RuleName string custom tag mapped to event. i.e ATT&CK technique ID
UtcTime date Time in UTC when event was created

wmi_filter

| Field | Data Type | Description | Example |
|---|---|---|---|
| Computer | string | | EC2AMAZ-NNKUICG |
| EventID | integer | | 19 |
| Image | string | File path of the process that conducted reading operations from the drive | C:\Windows\System32\poqexec.exe |
| ImageLoaded | string | | C:\Windows\SysWOW64\advapi32.dll |
| Name | string | | "Microsoft-Windows-Sysmon" |
| ProcessName | string | | poqexec.exe |
| TargetObject | string | | HKCR |
| Task | integer | | 19 |
| User | string | Name of the account of the process that conducted reading operations from the drive | EC2AMAZ-NNKUICG\user |
| action | string | | created |
| id | integer | | 4084 |
| status | string | | success |
| user | string | | user |
| Channel | string | | Microsoft-Windows-Sysmon/Operational |
| Company | string | Company name the image associated with the main process (child) belongs to | Microsoft Corporation |
| EventCode | integer | | 19 |
| EventData_Xml | string | | -    WmiFilterEvent    2022-06-15 13:07:55.309    Created    EC2AMAZ-NNKUICG\user     "root\CimV2"     "AtomicRedTeam-WMIPersistence-Example"     "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325" |
| EventDescription | string | | WmiEvent (WmiEventFilter activity detected) |
| EventNamespace | string | | "root\CimV2" |
| EventRecordID | integer | | 4084 |
| EventType | string | | |
| FileVersion | string | Version of the image associated with the main process (child) | 10.0.20348.469 (WinBuild.160101.0800) |
| Guid | string | | "5770385F-C22A-43E0-BF4C-06F5698FFBD9" |
| IMPHASH | string | | 955E66E304B6220AAFAC380689F12689 |
| Keywords | string | | 0x8000000000000000 |
| Level | integer | | 4 |
| MD5 | string | | 0701AABA3DE1DFFC5385B2932BA0777E |
| Opcode | integer | | 0 |
| Operation | string | | Created |
| ProcessID | string | | "2732" |
| ProcessId | integer | Process ID used by the OS to identify the process that conducted reading operations from the drive | 2732 |
| ProcessPath | string | | C:\Windows\System32\ |
| Product | string | Product name the image associated with the main process (child) belongs to | Microsoft® Windows® Operating System |
| Query | string | | "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime |
| RecordNumber | integer | | 4084 |
| RuleName | string | Custom tag mapped to the event, i.e. an ATT&CK technique ID | - |
| SHA1 | string | | 8E96143B484920A932DF0397A6E147AE1FDB01B0 |
| SHA256 | string | | A889672C0E63ADB99F4301DD3FB2E87B5F0C2F540B37223EEB35EA590942E824 |
| SigmaEventCode | string | | N/A |
| SystemTime | string | | '2022-06-15 13:07:55.319606 UTC' |
| System_Props_Xml | string | | 19    3    4    19    0    0x8000000000000000            4084                    Microsoft-Windows-Sysmon/Operational    EC2AMAZ-NNKUICG |
| ThreadID | string | | "3068" |
| UserID | string | | "S-1-5-18" |
| UtcTime | string | Time in UTC when the event was created | 2022-06-15 13:07:55.309 |
| Version | integer | | 3 |
| change_type | string | | filesystem |
| dest | string | | EC2AMAZ-NNKUICG |
| dvc | string | | EC2AMAZ-NNKUICG |
| dvc_nt_host | string | | EC2AMAZ-NNKUICG_8a39c206-b706-4fb1-b834-c8f8ce7c7c61 |
| event_id | integer | | 4084 |
| extracted_EventType | string | | WmiFilterEvent |
| object_category | string | | wmi |
| registry_path | string | | HKCR |
| result | string | | created |
| severity_id | string | | WmiFilterEvent |
| sigma_category | string | | wmi_filter |
| sigma_product | string | | windows |
| sigma_service | string | | sysmon |
| signature | string | | WmiEvent (WmiEventFilter activity detected) |
| signature_id | integer | | 19 |
| src | string | | EC2AMAZ-NNKUICG |
| timeendpos | integer | | 968 |
| timestartpos | integer | | 945 |
| user_id | string | | "S-1-5-18" |
| user_name | string | | user |
| vendor_product | string | | Microsoft Sysmon |