Sysmon 11.0 mapping
inmadria opened this issue · comments
Sysmon 11.0
On April 28th, Sysinternals upgraded its tool to version 11.0. This contribution is an update for the Sysmon sensor (https://github.com/mitre-attack/car/blob/master/sensors/sysmon_10.4.yaml).
Related to #59 pull request.
Mapping
Here is the mapping for this sensor, based on your 10.4 version.
Please note that I only fill in fields that are present in logs without needing any transformation. For example, the field `fqdn` is present as `Computer`, but the field `hostname` could be extracted from this value. Same thing for `file_name`, `exe`, `hive`, etc.
I also uploaded the full mapping to my GitHub, if you want to check it: https://github.com/inmadria/sysmon-11-examples/blob/master/CAR_MAPPING.md
| registry | data | fqdn | hive | hostname | image_path | key | pid | type | user | value |
|---|---|---|---|---|---|---|---|---|---|---|
| add | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | | |
| edit | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | | |
| remove | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | | |
| module | base_address | fqdn | hostname | image_path | md5_hash | module_name | module_path | pid | sha1_hash | sha256_hash | signer |
|---|---|---|---|---|---|---|---|---|---|---|---|
| load | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | |
| unload | | | | | | | | | | | |
| process | command_line | current_working_directory | exe | fqdn | hostname | image_path | integrity_level | md5_hash | parent_command_line | parent_exe | parent_image_path | pid | ppid | sha1_hash | sha256_hash | sid | signer | user |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| create | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | | |
| terminate | ✓ | ✓ | ✓ | | | | | | | | | | | | | | | |
| thread | hostname | src_pid | src_tid | stack_base | stack_limit | start_address | start_function | start_module | start_module_name | tgt_pid | tgt_tid | user | user_stack_base | user_stack_limit |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| create | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | | | | | |
| remote_create | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | | | | | |
| suspend | | | | | | | | | | | | | | |
| terminate | | | | | | | | | | | | | | |
| driver | base_address | fqdn | hostname | image_path | md5_hash | module_name | sha1_hash | sha256_hash | signer |
|---|---|---|---|---|---|---|---|---|---|
| load | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | |
| unload | | | | | | | | | |
| file | company | creation_time | file_name | file_path | fqdn | hostname | image_path | md5_hash | pid | ppid | previous_creation_time | sha1_hash | sha256_hash | signer | user |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| create | ✓ | ✓ | ✓ | ✓ | ✓ | | | | | | | | | | |
| delete | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | | | | | |
| modify | | | | | | | | | | | | | | | |
| read | | | | | | | | | | | | | | | |
| timestomp | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | | | | | | | |
| write | | | | | | | | | | | | | | | |
| flow | content | dest_fqdn | dest_hostname | dest_ip | dest_port | end_time | exe | flags | fqdn | hostname | image_path | packet_count | pid | ppid | proto_info | protocol | src_fqdn | src_hostname | src_ip | src_port | start_time | user |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| end | | | | | | | | | | | | | | | | | | | | | | |
| message | | | | | | | | | | | | | | | | | | | | | | |
| start | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | | | | | | | | |
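The derivation step the mapping above deliberately leaves out (`hostname` from `Computer`, `hive` from `TargetObject`, `exe`/`file_name` from a path) is small but easy to get wrong on NetBIOS-only or hive-only values. The following Python is an added example, not code from the issue or the CAR project; the registry record and the function names are constructed for illustration.

```python
# Constructed Sysmon 11 registry record (event 12/13 style field names).
# Values are made up; only the field names follow Sysmon's schema.
SAMPLE_REGISTRY_EVENT = {
    "Computer": "ws01.corp.example.com",
    "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
    "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
}


def hostname_from_fqdn(fqdn: str) -> str:
    """CAR `hostname` is the first DNS label of the `fqdn` Sysmon logs as Computer.

    A bare NetBIOS name (no dots) is returned unchanged so the mapping never
    produces an empty hostname.
    """
    return fqdn.split(".", 1)[0]


def file_name_from_path(path: str) -> str:
    """CAR `exe` / `file_name` is the last component of image_path / file_path."""
    return path.rsplit("\\", 1)[-1]


def hive_from_key(key: str) -> str:
    """CAR `hive` is the root label Sysmon prefixes to TargetObject (HKLM, HKU, ...).

    A key consisting of only the root (no backslash) yields that root.
    """
    return key.split("\\", 1)[0]


def map_registry_event(event: dict) -> dict:
    """Map one Sysmon registry record to CAR registry fields.

    fqdn, image_path and key are straight copies, as in the mapping table;
    hostname and hive are the derived fields the table leaves unchecked.
    """
    car = {
        "fqdn": event["Computer"],
        "image_path": event["Image"],
        "key": event["TargetObject"],
    }
    car["hostname"] = hostname_from_fqdn(car["fqdn"])
    car["hive"] = hive_from_key(car["key"])
    return car


if __name__ == "__main__":
    for field, value in map_registry_event(SAMPLE_REGISTRY_EVENT).items():
        print(f"{field:>10}: {value}")
```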
@inmadria thanks - this is much appreciated! We also had the same question around fqdn/hostname
for earlier Sysmon mappings and took a similar approach. We'll do a quick review and merge this in shortly.
Sysmon 11 was merged in; thanks again for the PR.