How can we extract the data obtained by Sysmon like ProcessGUIDs, ParentProcessGUIDs, LogonGUIDs? Someone wrote a small PowerShell script. Perhaps interesting for one or the other reader.
Well, it’s a little esoteric that I just came across. In the Sysinternals tools there is the program Sysmon, which even received an update a few days ago (see Sysinternals: Sysmon V8.0, Autoruns V13.90).
System Monitor (Sysmon) is a Windows system service and device driver that remains resident on a system through system reboots after installation to monitor system activity and write it in the Windows event log. The tool provides detailed information about process creation, network connections and file creation time changes. Administrators can collect and analyze events created using Windows Event Collection or SIEM agents. This makes it possible to detect and understand malicious or anomalous activities.
Extract Parent-/ProcessGUIDs, LogonGUIDs
Matt Graeber, a security expert, wanted to know a bit more about Sysmon and it’s log capabilities to fetch ProcessGUIDs, ParentProcessGUIDs and LogonGUIDs, as he wrote on Twitter .
I always wanted to know how Sysmon ProcessGUIDs, ParentProcessGUIDs, and LogonGUIDs were derived. I did some reversing and figured it out. Here’s a quick and dirty parser to extract the embedded data within the GUIDs. Enjoy! #DFIR https://t.co/C7sqz0Hg35 pic.twitter.com/e7v06MFEen
— Matt Graeber (@mattifestation) 8. Juli 2018
His motivation for this was that he needed the data outside sysmon for correlation purposes. He wanted to assess to what extent an attacker could influence the GUIDs.
So he dug a little and, as he writes, developed a fast and dirty parser to extract the embedded data within the GUIDs. The PowerShell code is available on GitHub. This gives some insights into the Windows internals. And as he adds, he now also knows that the first part of the GUID contains personally identifiable information.