
Related process tree - have you any idea?

Open kont45 opened this issue 6 years ago • 0 comments

Hello guys. A new version of Sysmon 10 with DNS responses is awesome. I have an idea to create a related process tree between processes and threads. But can you help me, what kind of information should be interesting from these logs?

I mean, for example, some potentially related and correlated information like ProcessGUID:

<Data Name="ProcessGuid">{1afd9578-9ff5-5d04-0000-0010561d0901}</Data>

<Event>
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"/>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-06-15T07:36:24.435858500Z"/>
<EventRecordID>2469</EventRecordID>
<Correlation/>
<Execution ProcessID="2492" ThreadID="3668"/>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC1</Computer>
<Security UserID="S-1-5-18"/>
</System>
<EventData>
<Data Name="RuleName"/>
<Data Name="UtcTime">2019-06-15 07:36:22.146</Data>
<Data Name="ProcessGuid">{1afd9578-9ff5-5d04-0000-0010561d0901}</Data>
<Data Name="ProcessId">7084</Data>
<Data Name="Image">C:\Users\perun\Downloads\cycki.exe</Data>
<Data Name="User">PC1\perun</Data>
<Data Name="Protocol">tcp</Data>
<Data Name="Initiated">true</Data>
<Data Name="SourceIsIpv6">false</Data>
<Data Name="SourceIp">192.168.75.128</Data>
<Data Name="SourceHostname">PC1.localdomain</Data>
<Data Name="SourcePort">50669</Data>
<Data Name="SourcePortName"/>
<Data Name="DestinationIsIpv6">false</Data>
<Data Name="DestinationIp">217.8.117.24</Data>
<Data Name="DestinationHostname"/>
<Data Name="DestinationPort">80</Data>
<Data Name="DestinationPortName">http</Data>
</EventData>
</Event>

We can see in the same event logs that the ProcessGUID for the malware cycki.exe is the same:

<Event>
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"/>
<EventID>11</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>11</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-06-15T07:36:24.209491000Z"/>
<EventRecordID>2465</EventRecordID>
<Correlation/>
<Execution ProcessID="2492" ThreadID="3908"/>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC1</Computer>
<Security UserID="S-1-5-18"/>
</System>
<EventData>
<Data Name="RuleName"/>
<Data Name="UtcTime">2019-06-15 07:36:24.185</Data>
<Data Name="ProcessGuid">{1afd9578-9ff5-5d04-0000-0010561d0901}</Data>
<Data Name="ProcessId">7084</Data>
<Data Name="Image">C:\Users\perun\Downloads\cycki.exe</Data>
<Data Name="TargetFilename">C:\Users\perun\AppData\Local\Temp\D6421E87\ucrtbase.dll</Data>
<Data Name="CreationUtcTime">2019-06-15 07:36:24.185</Data>
</EventData>
</Event>

Also, what do the numbers and tags below mean?

<Version>5</Version>
<Level>4</Level>
<Task>3</Task>

kont45, Jun 24 '19 18:06
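One way to start the correlation the issue asks about, as an added example that is not part of the issue or of the sysmon-config project: group Sysmon events by ProcessGuid and follow the ParentProcessGuid that Event ID 1 (process create) records to reach the parent. Because the issue quotes only Event IDs 3 and 11, the sample below adds a constructed Event ID 1 record with a placeholder parent GUID and an assumed parent image.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample, trimmed to the fields the tree needs: the Event ID 3 and 11 records quoted
# in the issue plus an assumed Event ID 1 (process create) whose parent GUID/image are placeholders.
SAMPLE = r"""<Events>
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="UtcTime">2019-06-15 07:36:20.001</Data><Data Name="ProcessGuid">{1afd9578-9ff5-5d04-0000-0010561d0901}</Data>
<Data Name="Image">C:\Users\perun\Downloads\cycki.exe</Data>
<Data Name="ParentProcessGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="ParentImage">C:\Windows\explorer.exe</Data></EventData></Event>
<Event><System><EventID>3</EventID></System><EventData>
<Data Name="UtcTime">2019-06-15 07:36:22.146</Data><Data Name="ProcessGuid">{1afd9578-9ff5-5d04-0000-0010561d0901}</Data>
<Data Name="DestinationIp">217.8.117.24</Data><Data Name="DestinationPort">80</Data></EventData></Event>
<Event><System><EventID>11</EventID></System><EventData>
<Data Name="UtcTime">2019-06-15 07:36:24.185</Data><Data Name="ProcessGuid">{1afd9578-9ff5-5d04-0000-0010561d0901}</Data>
<Data Name="TargetFilename">C:\Users\perun\AppData\Local\Temp\D6421E87\ucrtbase.dll</Data></EventData></Event>
</Events>"""

# EventData fields that summarise each of the three Sysmon event types used above.
SUMMARY_FIELDS = {1: ("Image",), 3: ("DestinationIp", "DestinationPort"), 11: ("TargetFilename",)}

def parse_events(xml_text):
    """Yield (event_id, {field: value}) for every <Event> in the document."""
    for ev in ET.fromstring(xml_text).iter("Event"):
        data = {d.get("Name"): (d.text or "") for d in ev.iter("Data")}
        yield int(ev.findtext("System/EventID")), data

def build_tree(xml_text):
    """Group events by ProcessGuid; Event ID 1 supplies each process's image and parent link."""
    procs = defaultdict(lambda: {"image": None, "parent": None, "events": []})
    for eid, d in parse_events(xml_text):
        node = procs[d["ProcessGuid"]]
        if eid == 1:  # only the process-create event carries the lineage fields
            node["image"], node["parent"] = d["Image"], d.get("ParentProcessGuid")
            if node["parent"]:
                procs[node["parent"]]["image"] = d.get("ParentImage")
        summary = " ".join(d.get(f, "") for f in SUMMARY_FIELDS.get(eid, ()))
        node["events"].append((d["UtcTime"], eid, summary))
    for node in procs.values():
        node["events"].sort()  # zero-padded UtcTime strings sort chronologically
    return procs

def lineage(procs, guid):
    """Return the image chain from the root ancestor down to guid by following parent links."""
    chain = []
    while guid in procs:
        chain.append(procs[guid]["image"])
        guid = procs[guid]["parent"]
    return chain[::-1]
```

Events with no matching Event ID 1 (a process that started before Sysmon was installed, or whose create event was dropped) still get a node keyed by ProcessGuid, just with no image or parent.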