Skip to content

Instantly share code, notes, and snippets.

@Cyb3rWard0g

Cyb3rWard0g/sysmon-ksql-processcreate-event

Last active December 18, 2018 23:35
Show Gist options
  • Save Cyb3rWard0g/9cc3f2bef2d5c1d0ea6cce94e28cf988 to your computer and use it in GitHub Desktop.
Save Cyb3rWard0g/9cc3f2bef2d5c1d0ea6cce94e28cf988 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
sysmon-ksql-processcreate-event
12/18/18 10:42:32 PM UTC , NULL ,
{
"@timestamp":"2018-12-18T22:42:32.841Z",
"@metadata":
{
"beat":"winlogbeat",
"type":"doc",
"version":"6.5.3",
"topic":"winlogbeat"
},
"opcode":"Info",
"message":"Process Create:\x5CnRuleName: \x5CnUtcTime: 2018-12-18 22:42:32.826\x5CnProcessGuid: {1C9FDC81-77D8-5C19-0000-0010A8182800}\x5CnProcessId: 2620\x5CnImage: C:\x5C\x5CWindows\x5C\x5CSystem32\x5C\x5Ctaskhostw.exe\x5CnFileVersion: 10.0.17134.1 (WinBuild.160101.0800)\x5CnDescription: Host Process for Windows Tasks\x5CnProduct: Microsoft\xC2\xAE Windows\xC2\xAE Operating System\x5CnCompany: Microsoft Corporation\x5CnCommandLine: taskhostw.exe Logon\x5CnCurrentDirectory: C:\x5C\x5CWINDOWS\x5C\x5Csystem32\x5C\x5C\x5CnUser: RIVENDELL\x5C\x5Ccbrown\x5CnLogonGuid: {1C9FDC81-76A7-5C19-0000-00205D8E0900}\x5CnLogonId: 0x98E5D\x5CnTerminalSessionId: 1\x5CnIntegrityLevel: Medium\x5CnHashes: SHA1=2A594345FBCAAD453C72BD0937CBF67FB43A74DF,MD5=CE95E236FC9FE2D6F16C926C75B18BAF,SHA256=740122D338FFD2CBB0877F8AC17B28218EAD02F08A9B28D5266C94E33F938085,IMPHASH=3627BE269990D67CF76A03FA55EF9A08\x5CnParentProcessGuid: {1C9FDC81-7677-5C19-0000-00104A420100}\x5CnParentProcessId: 988\x5CnParentImage: C:\x5C\x5CWindows\x5C\x5CSystem32\x5C\x5Csvchost.exe\x5CnParentCommandLine: C:\x5C\x5CWINDOWS\x5C\x5Csystem32\x5C\x5Csvchost.exe -k netsvcs -p",
"thread_id":3100,
"computer_name":"DESKTOP-LFD11QP.RIVENDELL.local",
"version":5,
"task":"Process Create (rule: ProcessCreate)",
"event_data":
{
"Hashes":"SHA1=2A594345FBCAAD453C72BD0937CBF67FB43A74DF,MD5=CE95E236FC9FE2D6F16C926C75B18BAF,SHA256=740122D338FFD2CBB0877F8AC17B28218EAD02F08A9B28D5266C94E33F938085,IMPHASH=3627BE269990D67CF76A03FA55EF9A08",
"ProcessGuid":"{1C9FDC81-77D8-5C19-0000-0010A8182800}",
"IntegrityLevel":"Medium",
"UtcTime":"2018-12-18 22:42:32.826",
"LogonId":"0x98e5d",
"Description":"Host Process for Windows Tasks",
"TerminalSessionId":"1",
"CommandLine":"taskhostw.exe Logon",
"ParentImage":"C:\x5C\x5CWindows\x5C\x5CSystem32\x5C\x5Csvchost.exe",
"LogonGuid":"{1C9FDC81-76A7-5C19-0000-00205D8E0900}",
"User":"RIVENDELL\x5C\x5Ccbrown",
"FileVersion":"10.0.17134.1 (WinBuild.160101.0800)",
"ParentProcessId":"988",
"ParentCommandLine":"C:\x5C\x5CWINDOWS\x5C\x5Csystem32\x5C\x5Csvchost.exe -k netsvcs -p",
"Product":"Microsoft\xC2\xAE Windows\xC2\xAE Operating System",
"Image":"C:\x5C\x5CWindows\x5C\x5CSystem32\x5C\x5Ctaskhostw.exe",
"ProcessId":"2620",
"CurrentDirectory":"C:\x5C\x5CWINDOWS\x5C\x5Csystem32\x5C\x5C",
"Company":"Microsoft Corporation",
"ParentProcessGuid":"{1C9FDC81-7677-5C19-0000-00104A420100}"
},
"host":
{
"name":"DESKTOP-LFD11QP"
},
"type":"wineventlog",
"provider_guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"level":"Information",
"event_id":1,
"log_name":"Microsoft-Windows-Sysmon/Operational",
"source_name":"Microsoft-Windows-Sysmon",
"record_number":"3040257",
"process_id":2160,
"user":
{
"name":"SYSTEM",
"domain":"NT AUTHORITY",
"type":"User",
"identifier":"S-1-5-18"
},
"beat":
{
"name":"DESKTOP-LFD11QP",
"hostname":"DESKTOP-LFD11QP",
"version":"6.5.3"
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment