自前EDR その7

Posted at 2020-12-13

#概要

vistaにedrを構築する。
時系列で取得なsysmonを入れた。
sysmonのlogを取得してみた。

#環境

windows vista 32bit

#取得コマンド

wevtutil qe "Microsoft-Windows-Sysmon/Operational" /f:text > log.txt

#結果

Event[27]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-12T20:04:01.922
  Event ID: 5
  Task: Process terminated (rule: ProcessTerminate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description:
Process terminated:
UtcTime: 2020-12-12 11:04:01.922
ProcessGuid: {13165805-A35E-5FD4-0000-0010B83F6600}
ProcessId: 3820
Image: C:\Windows\System32\SearchFilterHost.exe

Event[28]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-12T20:07:07.219
  Event ID: 1
  Task: Process Create (rule: ProcessCreate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description:
Process Create:
UtcTime: 2020-12-12 11:07:07.204
ProcessGuid: {13165805-A45B-5FD4-0000-001070506600}
ProcessId: 2224
Image: C:\Windows\System32\SearchProtocolHost.exe
CommandLine: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMs
sGthrPipe18_ Global\UsGthrCtrlFltPipeMssGthrPipe18 1 -2147483646 "Software\Micro
soft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4
.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemo
n"
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {13165805-4374-5FD4-0000-0020E7030000}
LogonId: 0x3e7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=101E95B1C84DB8923D1C6D7F85331F986C820D88
ParentProcessGuid: {13165805-437C-5FD4-0000-0010A96E0200}
ParentProcessId: 2092
ParentImage: C:\Windows\System32\SearchIndexer.exe
ParentCommandLine: C:\Windows\system32\SearchIndexer.exe /Embedding

Event[29]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-12T20:07:08.888
  Event ID: 9
  Task: RawAccessRead detected (rule: RawAccessRead)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description:
RawAccessRead detected:
UtcTime: 2020-12-12 11:07:08.888
ProcessGuid: {13165805-A45B-5FD4-0000-001070506600}
ProcessId: 2224
Image: C:\Windows\System32\SearchProtocolHost.exe
Device: \Device\HarddiskVolume1??????

Event[30]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-12T20:07:08.904
  Event ID: 1
  Task: Process Create (rule: ProcessCreate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description:
Process Create:
UtcTime: 2020-12-12 11:07:08.904
ProcessGuid: {13165805-A45C-5FD4-0000-00106C526600}
ProcessId: 2256
Image: C:\Windows\System32\dllhost.exe
CommandLine: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D
-A8F59079A8D5}
CurrentDirectory: C:\Windows\system32\
User: ore-PC0\ore
LogonGuid: {13165805-4383-5FD4-0000-00204CB50300}
LogonId: 0x3b54c
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA1=58C379B077944D2BA79C0251977E8EDE3DFBC829
ParentProcessGuid: {13165805-4375-5FD4-0000-0010A5050100}
ParentProcessId: 836
ParentImage: C:\Windows\System32\svchost.exe
ParentCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch

Event[31]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-12T20:07:08.920
  Event ID: 9
  Task: RawAccessRead detected (rule: RawAccessRead)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description:
RawAccessRead detected:
UtcTime: 2020-12-12 11:07:08.920
ProcessGuid: {13165805-A45C-5FD4-0000-00106C526600}
ProcessId: 2256
Image: C:\Windows\System32\dllhost.exe
Device: \Device\HarddiskVolume1??????

Event[32]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-12T20:07:08.966
  Event ID: 1
  Task: Process Create (rule: ProcessCreate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description:
Process Create:
UtcTime: 2020-12-12 11:07:08.951
ProcessGuid: {13165805-A45C-5FD4-0000-0010EB586600}
ProcessId: 2556
Image: C:\Windows\System32\SearchFilterHost.exe
CommandLine: "C:\Windows\system32\SearchFilterHost.exe" 0 620 624 632 65536 628

CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {13165805-4374-5FD4-0000-0020E7030000}
LogonId: 0x3e7
TerminalSessionId: 0
IntegrityLevel: Medium
Hashes: SHA1=8784A4CED5BE17DAA69FC4CF1C25762B481900A2
ParentProcessGuid: {13165805-437C-5FD4-0000-0010A96E0200}
ParentProcessId: 2092
ParentImage: C:\Windows\System32\SearchIndexer.exe
ParentCommandLine: C:\Windows\system32\SearchIndexer.exe /Embedding

Event[33]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-12T20:07:08.966
  Event ID: 9
  Task: RawAccessRead detected (rule: RawAccessRead)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description:
RawAccessRead detected:
UtcTime: 2020-12-12 11:07:08.966
ProcessGuid: {13165805-A45C-5FD4-0000-0010EB586600}
ProcessId: 2556
Image: C:\Windows\System32\SearchFilterHost.exe
Device: \Device\HarddiskVolume1??????

Event[34]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-12T20:07:13.958
  Event ID: 5
  Task: Process terminated (rule: ProcessTerminate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description:
Process terminated:
UtcTime: 2020-12-12 11:07:13.958
ProcessGuid: {13165805-A45C-5FD4-0000-00106C526600}
ProcessId: 2256
Image: C:\Windows\System32\dllhost.exe

Event[35]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-12T20:07:28.700
  Event ID: 1
  Task: Process Create (rule: ProcessCreate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description:
Process Create:
UtcTime: 2020-12-12 11:07:28.685
ProcessGuid: {13165805-A470-5FD4-0000-0010AD626600}
ProcessId: 524
Image: C:\Windows\System32\wevtutil.exe
CommandLine: wevtutil  qe "Microsoft-Windows-Sysmon/Operational" /f:text /q:"*[S
ystem[Provider[@Name='Microsoft-Windows-Sysmon'] and EventRecordID > 9345]]"
CurrentDirectory: C:\Windows\system32\
User: ore-PC0\ore
LogonGuid: {13165805-4383-5FD4-0000-00201BB50300}
LogonId: 0x3b51b
TerminalSessionId: 1
IntegrityLevel: High
Hashes: SHA1=5BA5D9E2BE30D3C52A9E618B5DC5E210408B3A17
ParentProcessGuid: {13165805-9AAE-5FD4-0000-0010EB156300}
ParentProcessId: 1496
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\System32\cmd.exe"

Event[36]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-12T20:07:28.763
  Event ID: 9
  Task: RawAccessRead detected (rule: RawAccessRead)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description:
RawAccessRead detected:
UtcTime: 2020-12-12 11:07:28.763
ProcessGuid: {13165805-A470-5FD4-0000-0010AD626600}
ProcessId: 524
Image: C:\Windows\System32\wevtutil.exe
Device: \Device\HarddiskVolume1??????

Event[37]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-12T20:07:29.200
  Event ID: 5
  Task: Process terminated (rule: ProcessTerminate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description:
Process terminated:
UtcTime: 2020-12-12 11:07:29.200
ProcessGuid: {13165805-A470-5FD4-0000-0010AD626600}
ProcessId: 524
Image: C:\Windows\System32\wevtutil.exe

以上。

You get articles that match your needs
You can efficiently read back useful information
You can use dark theme

What you can do with signing up