How to Use Sysmon to Extract ProcessGUIDs, ParentProcessGUIDs, and LogonGUIDs
Sysmon is a Sysinternals tool that monitors and logs system activity on Windows machines. It records, among other things, process creations, network connections, and changes to file creation time. One of its most useful features is that it stamps each event with unique identifiers for the process, its parent process, and the logon session it runs under. These identifiers are called ProcessGUIDs, ParentProcessGUIDs, and LogonGUIDs respectively, and they appear in the event data as the fields ProcessGuid, ParentProcessGuid, and LogonGuid.
A ProcessGUID identifies one process instance. Unlike a PID, which Windows reuses once a process exits, it is not reused, and it stays unique across reboots, so every event a process generates can be joined on it. A ParentProcessGUID is the ProcessGUID of the parent, which lets you rebuild the parent-child process tree even after the parent has exited and its PID has been handed to something else. A LogonGUID identifies the logon session the process runs in, so processes can be grouped by session and tied back to the logon that created them (the LogonId field in the same event matches the Logon ID of the corresponding Security event 4624). Together these identifiers let analysts and investigators trace malicious activity and spot suspicious process behavior on a system.
In this article, we will show you how to use Sysmon to extract ProcessGUIDs, ParentProcessGUIDs, and LogonGUIDs from the Windows event log. We will also explain how these identifiers are derived and what they mean.
Installing Sysmon
The first step is to download Sysmon from the Sysinternals section of the Microsoft website. Sysmon is a command-line tool that installs itself as a system service and a device driver. Use sysmon64.exe on 64-bit Windows. The first run must accept the license (otherwise a dialog blocks unattended installs), so install it from an elevated prompt with:
sysmon.exe -accepteula -i
This installs Sysmon with its built-in default configuration, which logs only a small set of event types (process creation with SHA1 hashes, process termination, driver loads, and a few others) and does not log network connections. To capture the full set of events you want, supply a configuration file at install time:
sysmon.exe -accepteula -i config.xml
This installs Sysmon with the configuration file config.xml. Example configuration files are described on the Sysmon page of the Sysinternals website. After installation you can load a new configuration with sysmon.exe -c config.xml, and sysmon.exe -c with no argument prints the configuration currently in effect.
Extracting ProcessGUIDs, ParentProcessGUIDs, and LogonGUIDs
Once Sysmon is installed, it starts writing events to the Windows event log, in the channel Microsoft-Windows-Sysmon/Operational (under Applications and Services Logs in Event Viewer). You can view the events with Event Viewer, Get-WinEvent, or any other tool that reads the event log. The events that carry ProcessGUIDs, ParentProcessGUIDs, or LogonGUIDs are:
Event ID 1: Process creation
Event ID 2: A process changed a file creation time
Event ID 3: Network connection
Event ID 5: Process terminated
Event ID 7: Image loaded
Event ID 8: CreateRemoteThread
Event ID 9: RawAccessRead
Event ID 10: ProcessAccess
Event ID 11: FileCreate
Event ID 12: RegistryEvent (Object create and delete)
Event ID 13: RegistryEvent (Value Set)
Event ID 14: RegistryEvent (Key and Value Rename)
Event ID 15: FileCreateStreamHash
Event ID 17: PipeEvent (Pipe Created)
Event ID 18: PipeEvent (Pipe Connected)
Event ID 19: WmiEvent (WmiEventFilter activity detected)
Event ID 20: WmiEvent (WmiEventConsumer activity detected)
Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)
Event ID 22: DNSEvent (DNS query)
Event ID 23: FileDelete (A file delete was detected)
Later Sysmon versions add further process-attributed events (for example 24 ClipboardChange, 25 ProcessTampering, and 26 FileDeleteDetected) that also carry a ProcessGuid.
Each of these events carries a ProcessGuid. The two events that involve a pair of processes, Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess), carry a source and a target process GUID instead of a single one. ParentProcessGuid and LogonGuid are recorded only in Event ID 1, so the process creation event is the one you join all the other events back to when you need the parent or the logon session. The values live in the EventData section of the event XML. For example, here is an event with ID 1 that shows a process creation:
<System>
...
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x
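The following PowerShell script is an added example and is not part of the original article. It parses Sysmon Event ID 1 records, pulls out ProcessGuid, ParentProcessGuid, LogonGuid and the fields that go with them, and then joins each child to its parent on the GUIDs rather than on PIDs. The two embedded events are constructed sample records (made-up GUIDs, host name and user) so the script runs on a machine without Sysmon; the Get-SysmonProcessCreate function shows the live path through Get-WinEvent, which reads the real Microsoft-Windows-Sysmon/Operational channel.

```powershell
# Added example (not from the original article). Extract the three Sysmon GUIDs
# from Event ID 1 and rebuild the process tree by joining on ParentProcessGuid.

function ConvertFrom-SysmonEventXml {
    # Flattens one Sysmon event (XML text, as returned by EventLogRecord.ToXml())
    # into an object: EventId/Computer plus every <Data Name="..."> element.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$XmlText)
    process {
        $x = [xml]$XmlText
        $fields = [ordered]@{
            EventId  = [int]$x.Event.System.EventID
            Computer = [string]$x.Event.System.Computer
        }
        foreach ($d in $x.Event.EventData.Data) {
            # GetAttribute avoids the .Name property of XmlElement (the tag name).
            $fields[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]$fields
    }
}

function Get-SysmonProcessCreate {
    # Live path: needs Sysmon installed and rights to read its operational log.
    param([int]$MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object { $_.ToXml() } |
        ConvertFrom-SysmonEventXml
}

function Join-SysmonProcessTree {
    # Index Event ID 1 records by ProcessGuid and resolve each ParentProcessGuid.
    # Joining on GUIDs, not PIDs, is what makes this safe against PID reuse.
    param([Parameter(Mandatory)][object[]]$Events)
    $byGuid = @{}
    foreach ($e in $Events) { $byGuid[$e.ProcessGuid] = $e }
    foreach ($e in $Events) {
        $parent = if ($e.ParentProcessGuid) { $byGuid[$e.ParentProcessGuid] } else { $null }
        [pscustomobject]@{
            UtcTime           = $e.UtcTime
            ProcessGuid       = $e.ProcessGuid
            ProcessId         = $e.ProcessId
            Image             = $e.Image
            ParentProcessGuid = $e.ParentProcessGuid
            ParentImage       = $e.ParentImage
            # $false means the parent started before Sysmon was logging, or was filtered out by config.
            ParentInLog       = [bool]$parent
            LogonGuid         = $e.LogonGuid
            LogonId           = $e.LogonId
            User              = $e.User
        }
    }
}

# Constructed sample events (hypothetical GUIDs, host and user; not real telemetry).
$parentXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}"/><EventID>1</EventID><Computer>WS01.example.local</Computer></System>
  <EventData>
    <Data Name="UtcTime">2024-01-15 10:02:11.123</Data>
    <Data Name="ProcessGuid">{11111111-1111-1111-0000-000000000001}</Data>
    <Data Name="ProcessId">4120</Data>
    <Data Name="Image">C:\Windows\explorer.exe</Data>
    <Data Name="User">EXAMPLE\alice</Data>
    <Data Name="LogonGuid">{22222222-2222-2222-0000-000000000002}</Data>
    <Data Name="LogonId">0x3E7A1</Data>
    <Data Name="ParentProcessGuid">{11111111-1111-1111-0000-000000000000}</Data>
    <Data Name="ParentImage">C:\Windows\System32\userinit.exe</Data>
  </EventData>
</Event>
'@
$childXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}"/><EventID>1</EventID><Computer>WS01.example.local</Computer></System>
  <EventData>
    <Data Name="UtcTime">2024-01-15 10:05:42.987</Data>
    <Data Name="ProcessGuid">{11111111-1111-1111-0000-000000000003}</Data>
    <Data Name="ProcessId">5208</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="User">EXAMPLE\alice</Data>
    <Data Name="LogonGuid">{22222222-2222-2222-0000-000000000002}</Data>
    <Data Name="LogonId">0x3E7A1</Data>
    <Data Name="ParentProcessGuid">{11111111-1111-1111-0000-000000000001}</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
'@

$tree = Join-SysmonProcessTree -Events ($parentXml, $childXml | ConvertFrom-SysmonEventXml)
$tree | Format-Table Image, ProcessGuid, ParentImage, ParentInLog, LogonGuid -AutoSize

# Pivot on LogonGuid: every process that started under the same logon session.
$tree | Group-Object LogonGuid |
    ForEach-Object { '{0}: {1}' -f $_.Name, (($_.Group.Image | Split-Path -Leaf) -join ', ') }

# Against a live host, replace the sample input with:
#   $tree = Join-SysmonProcessTree -Events (Get-SysmonProcessCreate -MaxEvents 2000)
```

In the sample output cmd.exe resolves to explorer.exe with ParentInLog set to true, while explorer.exe's own parent (userinit.exe) is not in the input, so its row shows ParentInLog false and falls back to the ParentImage string Sysmon recorded. That fallback matters in practice: processes that started before Sysmon was installed, or that your configuration excludes, never get an Event ID 1 of their own, so a missing parent is not by itself a sign of tampering.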