Sysmon (13)
- Manufacturer: Microsoft
- Version: 13
- Website: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Description
Sysmon is a freely available program from Microsoft that is provided as part of the Windows Sysinternals suite of tools. It collects system information while running in the background and supports storing it in the Windows Event Log.
Data Model Coverage
registry
data |
fqdn |
hive |
hostname |
image_path |
key |
new_content |
pid |
type |
user |
value |
|
---|---|---|---|---|---|---|---|---|---|---|---|
add |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
key_edit |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
remove |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
value_edit |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
flow
application_protocol |
content |
dest_fqdn |
dest_hostname |
dest_ip |
dest_port |
end_time |
exe |
fqdn |
hostname |
image_path |
in_bytes |
network_direction |
out_bytes |
packet_count |
pid |
ppid |
proto_info |
src_fqdn |
src_hostname |
src_ip |
src_port |
start_time |
tcp_flags |
transport_protocol |
uid |
user |
|
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
end |
|||||||||||||||||||||||||||
message |
|||||||||||||||||||||||||||
start |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
module
base_address |
fqdn |
hostname |
image_path |
md5_hash |
module_name |
module_path |
pid |
sha1_hash |
sha256_hash |
signature_valid |
signer |
tid |
|
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
load |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
unload |
driver
base_address |
fqdn |
hostname |
image_path |
md5_hash |
module_name |
pid |
sha1_hash |
sha256_hash |
signature_valid |
signer |
|
---|---|---|---|---|---|---|---|---|---|---|---|
load |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
unload |
process
access_level |
call_trace |
command_line |
current_working_directory |
env_vars |
exe |
fqdn |
guid |
hostname |
image_path |
integrity_level |
md5_hash |
parent_command_line |
parent_exe |
parent_guid |
parent_image_path |
pid |
ppid |
sha1_hash |
sha256_hash |
sid |
signature_valid |
signer |
target_address |
target_guid |
target_name |
target_pid |
uid |
user |
|
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
access |
|||||||||||||||||||||||||||||
create |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||||||||||||
terminate |
✓ | ✓ | ✓ |
thread
hostname |
src_pid |
src_tid |
stack_base |
stack_limit |
start_address |
start_function |
start_module |
start_module_name |
tgt_pid |
tgt_tid |
uid |
user |
user_stack_base |
user_stack_limit |
|
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
create |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
remote_create |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
suspend |
|||||||||||||||
terminate |
file
company |
content |
creation_time |
extension |
file_name |
file_path |
fqdn |
gid |
group |
hostname |
image_path |
link_target |
md5_hash |
mime_type |
mode |
owner |
owner_uid |
pid |
ppid |
previous_creation_time |
sha1_hash |
sha256_hash |
signature_valid |
signer |
uid |
user |
|
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
acl_modify |
||||||||||||||||||||||||||
create |
✓ | ✓ | ✓ | ✓ | ✓ | |||||||||||||||||||||
delete |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||||||||||||
modify |
||||||||||||||||||||||||||
read |
||||||||||||||||||||||||||
timestomp |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||||||||||||||||
write |
Analytic Coverage
- CAR-2013-03-001: Reg.exe called from Command Shell
- CAR-2013-04-002: Quick execution of a series of suspicious commands
- CAR-2013-05-002: Suspicious Run Locations
- CAR-2013-05-004: Execution with AT
- CAR-2013-05-005: SMB Copy and Execution
- CAR-2013-05-009: Running executables with same hash and different names
- CAR-2013-07-001: Suspicious Arguments
- CAR-2013-07-002: RDP Connection Detection
- CAR-2013-07-005: Command Line Usage of Archiving Software
- CAR-2013-08-001: Execution with schtasks
- CAR-2013-09-005: Service Outlier Executables
- CAR-2013-10-002: DLL Injection via Load Library
- CAR-2014-02-001: Service Binary Modifications
- CAR-2014-03-001: SMB Write Request - NamedPipes
- CAR-2014-03-005: Remotely Launched Executables via Services
- CAR-2014-03-006: RunDLL32.exe monitoring
- CAR-2014-05-001: RPC Activity
- CAR-2014-07-001: Service Search Path Interception
- CAR-2014-11-003: Debuggers for Accessibility Applications
- CAR-2014-11-006: Windows Remote Management (WinRM)
- CAR-2014-12-001: Remotely Launched Executables via WMI
- CAR-2016-03-001: Host Discovery Commands
- CAR-2016-03-002: Create Remote Process via WMIC
- CAR-2016-04-002: User Activity from Clearing Event Logs
- CAR-2019-04-001: UAC Bypass
- CAR-2019-04-002: Generic Regsvr32
- CAR-2019-04-003: Squiblydoo
- CAR-2019-04-004: Credential Dumping via Mimikatz
- CAR-2019-07-002: Lsass Process Dump via Procdump
- CAR-2019-08-001: Credential Dumping via Windows Task Manager
- CAR-2019-08-002: Active Directory Dumping via NTDSUtil
- CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities
- CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS
- CAR-2020-09-001: Scheduled Task - FileAccess
- CAR-2020-09-002: Component Object Model Hijacking
- CAR-2020-09-003: Indicator Blocking - Driver Unloaded
- CAR-2020-09-004: Credentials in Files & Registry
- CAR-2020-09-005: AppInit DLLs
- CAR-2020-11-001: Boot or Logon Initialization Scripts
- CAR-2020-11-003: DLL Injection with Mavinject
- CAR-2020-11-005: Clear Powershell Console Command History
- CAR-2020-11-006: Local Permission Group Discovery
- CAR-2020-11-007: Network Share Connection Removal
- CAR-2020-11-008: MSBuild and msxsl
- CAR-2020-11-011: Registry Edit from Screensaver
- CAR-2021-01-001: Identifying Port Scanning Activity
- CAR-2021-01-002: Unusually Long Command Line Strings
- CAR-2021-01-003: Clearing Windows Logs with Wevtutil
- CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe
- CAR-2021-01-006: Unusual Child Process spawned using DDE exploit
- CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt
- CAR-2021-01-008: Disable UAC
- CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize
- CAR-2021-02-002: Get System Elevation
- CAR-2021-04-001: Common Windows Process Masquerading
- CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store
- CAR-2021-05-002: Batch File Write to System32
- CAR-2021-05-003: BCDEdit Failure Recovery Modification
- CAR-2021-05-004: BITS Job Persistence
- CAR-2021-05-005: BITSAdmin Download File
- CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments
- CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments
- CAR-2021-05-008: Certutil exe certificate extraction
- CAR-2021-05-009: CertUtil With Decode Argument
- CAR-2021-05-010: Create local admin accounts using net exe
- CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0
- CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify
- CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths
- CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key ‘Common Startup’
- CAR-2022-03-001: Disable Windows Event Logging