More than 3 years have passed since last update.

Overview

Build an EDR-like setup on Vista.
Installed Sysmon, which records events in chronological order.
Then pulled the Sysmon log to see what it had captured.

Environment

Windows Vista 32-bit

Retrieval command

wevtutil qe "Microsoft-Windows-Sysmon/Operational" /f:text > log.txt

Event[35] in the dump below records the exact invocation that produced it: the same query with an additional /q: XPath filter (Provider = Microsoft-Windows-Sysmon and EventRecordID > 9345), so only records newer than that ID were written out.

Result

Note that the Date field is the host's local time (JST, UTC+9 here) while the UtcTime inside each Description is UTC; use UtcTime when correlating with other hosts.

Event[27]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-12T20:04:01.922
  Event ID: 5
  Task: Process terminated (rule: ProcessTerminate)
  Level: Information
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description:
Process terminated:
UtcTime: 2020-12-12 11:04:01.922
ProcessGuid: {13165805-A35E-5FD4-0000-0010B83F6600}
ProcessId: 3820
Image: C:\Windows\System32\SearchFilterHost.exe

Event[28]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-12T20:07:07.219
  Event ID: 1
  Task: Process Create (rule: ProcessCreate)
  Level: Information
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description:
Process Create:
UtcTime: 2020-12-12 11:07:07.204
ProcessGuid: {13165805-A45B-5FD4-0000-001070506600}
ProcessId: 2224
Image: C:\Windows\System32\SearchProtocolHost.exe
CommandLine: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMs
sGthrPipe18_ Global\UsGthrCtrlFltPipeMssGthrPipe18 1 -2147483646 "Software\Micro
soft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4
.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemo
n"
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {13165805-4374-5FD4-0000-0020E7030000}
LogonId: 0x3e7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=101E95B1C84DB8923D1C6D7F85331F986C820D88
ParentProcessGuid: {13165805-437C-5FD4-0000-0010A96E0200}
ParentProcessId: 2092
ParentImage: C:\Windows\System32\SearchIndexer.exe
ParentCommandLine: C:\Windows\system32\SearchIndexer.exe /Embedding

Event[29]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-12T20:07:08.888
  Event ID: 9
  Task: RawAccessRead detected (rule: RawAccessRead)
  Level: Information
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description:
RawAccessRead detected:
UtcTime: 2020-12-12 11:07:08.888
ProcessGuid: {13165805-A45B-5FD4-0000-001070506600}
ProcessId: 2224
Image: C:\Windows\System32\SearchProtocolHost.exe
Device: \Device\HarddiskVolume1??????

Event[30]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-12T20:07:08.904
  Event ID: 1
  Task: Process Create (rule: ProcessCreate)
  Level: Information
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description:
Process Create:
UtcTime: 2020-12-12 11:07:08.904
ProcessGuid: {13165805-A45C-5FD4-0000-00106C526600}
ProcessId: 2256
Image: C:\Windows\System32\dllhost.exe
CommandLine: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D
-A8F59079A8D5}
CurrentDirectory: C:\Windows\system32\
User: ore-PC0\ore
LogonGuid: {13165805-4383-5FD4-0000-00204CB50300}
LogonId: 0x3b54c
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA1=58C379B077944D2BA79C0251977E8EDE3DFBC829
ParentProcessGuid: {13165805-4375-5FD4-0000-0010A5050100}
ParentProcessId: 836
ParentImage: C:\Windows\System32\svchost.exe
ParentCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch

Event[31]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-12T20:07:08.920
  Event ID: 9
  Task: RawAccessRead detected (rule: RawAccessRead)
  Level: Information
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description:
RawAccessRead detected:
UtcTime: 2020-12-12 11:07:08.920
ProcessGuid: {13165805-A45C-5FD4-0000-00106C526600}
ProcessId: 2256
Image: C:\Windows\System32\dllhost.exe
Device: \Device\HarddiskVolume1??????

Event[32]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-12T20:07:08.966
  Event ID: 1
  Task: Process Create (rule: ProcessCreate)
  Level: Information
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description:
Process Create:
UtcTime: 2020-12-12 11:07:08.951
ProcessGuid: {13165805-A45C-5FD4-0000-0010EB586600}
ProcessId: 2556
Image: C:\Windows\System32\SearchFilterHost.exe
CommandLine: "C:\Windows\system32\SearchFilterHost.exe" 0 620 624 632 65536 628

CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {13165805-4374-5FD4-0000-0020E7030000}
LogonId: 0x3e7
TerminalSessionId: 0
IntegrityLevel: Medium
Hashes: SHA1=8784A4CED5BE17DAA69FC4CF1C25762B481900A2
ParentProcessGuid: {13165805-437C-5FD4-0000-0010A96E0200}
ParentProcessId: 2092
ParentImage: C:\Windows\System32\SearchIndexer.exe
ParentCommandLine: C:\Windows\system32\SearchIndexer.exe /Embedding

Event[33]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-12T20:07:08.966
  Event ID: 9
  Task: RawAccessRead detected (rule: RawAccessRead)
  Level: Information
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description:
RawAccessRead detected:
UtcTime: 2020-12-12 11:07:08.966
ProcessGuid: {13165805-A45C-5FD4-0000-0010EB586600}
ProcessId: 2556
Image: C:\Windows\System32\SearchFilterHost.exe
Device: \Device\HarddiskVolume1??????

Event[34]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-12T20:07:13.958
  Event ID: 5
  Task: Process terminated (rule: ProcessTerminate)
  Level: Information
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description:
Process terminated:
UtcTime: 2020-12-12 11:07:13.958
ProcessGuid: {13165805-A45C-5FD4-0000-00106C526600}
ProcessId: 2256
Image: C:\Windows\System32\dllhost.exe

Event[35]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-12T20:07:28.700
  Event ID: 1
  Task: Process Create (rule: ProcessCreate)
  Level: Information
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description:
Process Create:
UtcTime: 2020-12-12 11:07:28.685
ProcessGuid: {13165805-A470-5FD4-0000-0010AD626600}
ProcessId: 524
Image: C:\Windows\System32\wevtutil.exe
CommandLine: wevtutil  qe "Microsoft-Windows-Sysmon/Operational" /f:text /q:"*[S
ystem[Provider[@Name='Microsoft-Windows-Sysmon'] and EventRecordID > 9345]]"
CurrentDirectory: C:\Windows\system32\
User: ore-PC0\ore
LogonGuid: {13165805-4383-5FD4-0000-00201BB50300}
LogonId: 0x3b51b
TerminalSessionId: 1
IntegrityLevel: High
Hashes: SHA1=5BA5D9E2BE30D3C52A9E618B5DC5E210408B3A17
ParentProcessGuid: {13165805-9AAE-5FD4-0000-0010EB156300}
ParentProcessId: 1496
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\System32\cmd.exe"

Event[36]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-12T20:07:28.763
  Event ID: 9
  Task: RawAccessRead detected (rule: RawAccessRead)
  Level: Information
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description:
RawAccessRead detected:
UtcTime: 2020-12-12 11:07:28.763
ProcessGuid: {13165805-A470-5FD4-0000-0010AD626600}
ProcessId: 524
Image: C:\Windows\System32\wevtutil.exe
Device: \Device\HarddiskVolume1??????

Event[37]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-12T20:07:29.200
  Event ID: 5
  Task: Process terminated (rule: ProcessTerminate)
  Level: Information
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description:
Process terminated:
UtcTime: 2020-12-12 11:07:29.200
ProcessGuid: {13165805-A470-5FD4-0000-0010AD626600}
ProcessId: 524
Image: C:\Windows\System32\wevtutil.exe


That's all.
