Sysmon (13)

• Manufacturer: Microsoft
• Version: 13
• Website: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Description

Sysmon is a freely available program from Microsoft that is provided as part of the Windows Sysinternals suite of tools. It collects system information while running in the background and supports storing it in the Windows Event Log.

Data Model Coverage

registry

	data	fqdn	hive	hostname	image_path	key	new_content	pid	type	user	value
add	✓	✓	✓		✓	✓		✓			✓
key_edit		✓	✓		✓	✓	✓	✓			✓
remove		✓	✓		✓	✓		✓			✓
value_edit		✓	✓		✓	✓	✓	✓			✓

flow

	application_protocol	content	dest_fqdn	dest_hostname	dest_ip	dest_port	end_time	exe	fqdn	hostname	image_path	in_bytes	network_direction	out_bytes	packet_count	pid	ppid	proto_info	src_fqdn	src_hostname	src_ip	src_port	start_time	tcp_flags	transport_protocol	uid	user
end
message
start			✓		✓	✓			✓		✓					✓			✓		✓	✓	✓			✓	✓

module

	base_address	fqdn	hostname	image_path	md5_hash	module_name	module_path	pid	sha1_hash	sha256_hash	signature_valid	signer	tid
load		✓		✓	✓		✓	✓	✓		✓	✓	✓
unload

driver

	base_address	fqdn	hostname	image_path	md5_hash	module_name	pid	sha1_hash	sha256_hash	signature_valid	signer
load		✓		✓	✓			✓	✓	✓	✓
unload

process

	access_level	call_trace	command_line	current_working_directory	env_vars	exe	fqdn	guid	hostname	image_path	integrity_level	md5_hash	parent_command_line	parent_exe	parent_guid	parent_image_path	pid	ppid	sha1_hash	sha256_hash	sid	signature_valid	signer	target_address	target_guid	target_name	target_pid	uid	user
access
create			✓	✓			✓			✓	✓	✓	✓			✓	✓	✓		✓	✓								✓
terminate							✓			✓							✓

thread

	hostname	src_pid	src_tid	stack_base	stack_limit	start_address	start_function	start_module	start_module_name	tgt_pid	tgt_tid	uid	user	user_stack_base	user_stack_limit
create	✓	✓				✓	✓	✓		✓	✓	✓
remote_create	✓	✓				✓	✓	✓		✓	✓	✓
suspend
terminate

file

	company	content	creation_time	extension	file_name	file_path	fqdn	gid	group	hostname	image_path	link_target	md5_hash	mime_type	mode	owner	owner_uid	pid	ppid	previous_creation_time	sha1_hash	sha256_hash	signature_valid	signer	uid	user
acl_modify
create			✓			✓	✓				✓							✓
delete						✓	✓				✓		✓					✓			✓	✓			✓	✓
modify
read
timestomp			✓			✓	✓				✓							✓		✓
write

Analytic Coverage

• CAR-2013-03-001: Reg.exe called from Command Shell
• CAR-2013-04-002: Quick execution of a series of suspicious commands
• CAR-2013-05-002: Suspicious Run Locations
• CAR-2013-05-004: Execution with AT
• CAR-2013-05-005: SMB Copy and Execution
• CAR-2013-05-009: Running executables with same hash and different names
• CAR-2013-07-001: Suspicious Arguments
• CAR-2013-07-002: RDP Connection Detection
• CAR-2013-07-005: Command Line Usage of Archiving Software
• CAR-2013-08-001: Execution with schtasks
• CAR-2013-09-005: Service Outlier Executables
• CAR-2013-10-002: DLL Injection via Load Library
• CAR-2014-02-001: Service Binary Modifications
• CAR-2014-03-001: SMB Write Request - NamedPipes
• CAR-2014-03-005: Remotely Launched Executables via Services
• CAR-2014-03-006: RunDLL32.exe monitoring
• CAR-2014-05-001: RPC Activity
• CAR-2014-07-001: Service Search Path Interception
• CAR-2014-11-003: Debuggers for Accessibility Applications
• CAR-2014-11-006: Windows Remote Management (WinRM)
• CAR-2014-12-001: Remotely Launched Executables via WMI
• CAR-2016-03-001: Host Discovery Commands
• CAR-2016-03-002: Create Remote Process via WMIC
• CAR-2016-04-002: User Activity from Clearing Event Logs
• CAR-2019-04-001: UAC Bypass
• CAR-2019-04-002: Generic Regsvr32
• CAR-2019-04-003: Squiblydoo
• CAR-2019-04-004: Credential Dumping via Mimikatz
• CAR-2019-07-002: Lsass Process Dump via Procdump
• CAR-2019-08-001: Credential Dumping via Windows Task Manager
• CAR-2019-08-002: Active Directory Dumping via NTDSUtil
• CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities
• CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS
• CAR-2020-09-001: Scheduled Task - FileAccess
• CAR-2020-09-002: Component Object Model Hijacking
• CAR-2020-09-003: Indicator Blocking - Driver Unloaded
• CAR-2020-09-004: Credentials in Files & Registry
• CAR-2020-09-005: AppInit DLLs
• CAR-2020-11-001: Boot or Logon Initialization Scripts
• CAR-2020-11-003: DLL Injection with Mavinject
• CAR-2020-11-005: Clear Powershell Console Command History
• CAR-2020-11-006: Local Permission Group Discovery
• CAR-2020-11-007: Network Share Connection Removal
• CAR-2020-11-008: MSBuild and msxsl
• CAR-2020-11-011: Registry Edit from Screensaver
• CAR-2021-01-001: Identifying Port Scanning Activity
• CAR-2021-01-002: Unusually Long Command Line Strings
• CAR-2021-01-003: Clearing Windows Logs with Wevtutil
• CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe
• CAR-2021-01-006: Unusual Child Process spawned using DDE exploit
• CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt
• CAR-2021-01-008: Disable UAC
• CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize
• CAR-2021-02-002: Get System Elevation
• CAR-2021-04-001: Common Windows Process Masquerading
• CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store
• CAR-2021-05-002: Batch File Write to System32
• CAR-2021-05-003: BCDEdit Failure Recovery Modification
• CAR-2021-05-004: BITS Job Persistence
• CAR-2021-05-005: BITSAdmin Download File
• CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments
• CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments
• CAR-2021-05-008: Certutil exe certificate extraction
• CAR-2021-05-009: CertUtil With Decode Argument
• CAR-2021-05-010: Create local admin accounts using net exe
• CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0
• CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify
• CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths
• CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key ‘Common Startup’
• CAR-2022-03-001: Disable Windows Event Logging