Sysmon V8.0 - enhancement request - Inclusion of Image/File hash for EventCode=3 & EventCode=11 & EventCode=5

  • Question
    Hi,

    Could you log hash values for the fields in the events mentioned below? Inclusion of these hashes will help us in threat hunting with the help of apps such as VirusTotal etc. One can make a file resemble a genuine one by renaming the file/image as a known one and hide it in plain sight, so inclusion of hashes will help detect such programs/files with the help of hash-validation apps.

    EventCode=3

    TaskCategory=Network connection detected (rule: NetworkConnect)

    Field that requires hash: Image

    EventCode=11

    TaskCategory=File created (rule: FileCreate)

    Field that requires hash: TargetFilename

    EventCode=5

    TaskCategory=Process terminated (rule: ProcessTerminate)

    Field that requires hash: Image

    Regards,

    Prasad


    Prasad MS

    Thursday, October 4, 2018 6:46 AM
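The workaround practitioners use until (and unless) such a field exists, as an added example that is not code from Sysinternals or from the poster: in Sysmon only ProcessCreate (Event 1) records a Hashes field, while NetworkConnect (3), ProcessTerminate (5) and FileCreate (11) carry the ProcessGuid of the process that caused them. Joining on ProcessGuid gives each of those events the hash recorded at process start, which is what a VirusTotal or allowlist lookup needs, and also exposes the renamed-binary case the post describes (an Image named like a system binary whose hash is not the known one). The GUIDs, hashes, addresses and the KNOWN_GOOD allowlist below are constructed for the example; the event XML follows the Sysmon EventData layout but is built inline so the script runs offline.

```python
"""Enrich Sysmon Event 3/5/11 records with the originating process hash.

Added example; not code from Sysinternals or from the forum post.
"""
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Constructed hashes: Sysmon writes SHA256 as uppercase hex.
GOOD_SHA = "0A" * 32     # pretend hash of the genuine svchost.exe
ROGUE_SHA = "F0" * 32    # pretend hash of a renamed binary
KNOWN_GOOD = {GOOD_SHA: "svchost.exe"}   # hypothetical allowlist: SHA256 -> image name


def make_event(event_id: int, **data: str) -> str:
    """Build a Sysmon-style event XML string (constructed test data)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")


# Constructed sample log: a genuine svchost.exe, then a copy dropped under
# C:\Users\Public that reuses the name, writes a DLL, connects out and exits.
SAMPLE_XML = [
    make_event(1, ProcessGuid="{A1}", Image=r"C:\Windows\System32\svchost.exe",
               Hashes="SHA256=" + GOOD_SHA),
    make_event(3, ProcessGuid="{A1}", Image=r"C:\Windows\System32\svchost.exe",
               DestinationIp="10.0.0.5"),
    make_event(1, ProcessGuid="{B2}", Image=r"C:\Users\Public\svchost.exe",
               Hashes="SHA256=" + ROGUE_SHA),
    make_event(11, ProcessGuid="{B2}", Image=r"C:\Users\Public\svchost.exe",
               TargetFilename=r"C:\Users\Public\out.dll"),
    make_event(3, ProcessGuid="{B2}", Image=r"C:\Users\Public\svchost.exe",
               DestinationIp="203.0.113.7"),
    make_event(5, ProcessGuid="{B2}", Image=r"C:\Users\Public\svchost.exe"),
]


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten one event into {EventID, <Data Name>: value, ...}."""
    root = ET.fromstring(xml_text)
    ns = {"e": EVT_NS}
    rec = {"EventID": root.findtext("e:System/e:EventID", namespaces=ns) or ""}
    for d in root.findall("e:EventData/e:Data", ns):
        rec[d.get("Name", "")] = d.text or ""
    return rec


def parse_hashes(field: str) -> Dict[str, str]:
    """Split Sysmon's 'SHA1=...,MD5=...,SHA256=...' field into a dict."""
    return dict(p.split("=", 1) for p in field.split(",") if "=" in p)


def enrich(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Copy the Event 1 Hashes onto later 3/5/11 events with the same ProcessGuid.

    Assumes chronological order, so a process's Event 1 precedes its other
    events. Processes started before Sysmon was loaded have no Event 1 and
    get an empty ProcessHashes; fill those from a process inventory instead.
    """
    hashes_by_guid: Dict[str, str] = {}
    out = []
    for rec in events:
        if rec["EventID"] == "1":
            hashes_by_guid[rec["ProcessGuid"]] = rec.get("Hashes", "")
        elif rec["EventID"] in ("3", "5", "11"):
            rec = dict(rec, ProcessHashes=hashes_by_guid.get(rec["ProcessGuid"], ""))
        out.append(rec)
    return out


def suspicious_renames(events: List[Dict[str, str]],
                       allowlist: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (EventID, ProcessGuid) for enriched events whose Image carries a
    protected name but whose SHA256 is not the one recorded for that name."""
    protected = set(allowlist.values())
    flagged = []
    for e in events:
        sha = parse_hashes(e.get("ProcessHashes", "")).get("SHA256")
        name = e.get("Image", "").rsplit("\\", 1)[-1].lower()
        if sha and name in protected and allowlist.get(sha) != name:
            flagged.append((e["EventID"], e["ProcessGuid"]))
    return flagged


def hash_target_file(path: str) -> Optional[str]:
    """SHA256 of a FileCreate TargetFilename, or None if it is already gone.

    Event 11 only identifies the creating process; the created file's own
    hash has to be taken from disk, and doing so after the event fires is a
    race (the writer may still be appending, or may delete the file).
    """
    try:
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest().upper()
    except OSError:
        return None


if __name__ == "__main__":
    enriched = enrich([parse_event(x) for x in SAMPLE_XML])
    for hit in suspicious_renames(enriched, KNOWN_GOOD):
        print("renamed-binary candidate:", hit)
```

Run against a real export by replacing SAMPLE_XML with the XML of each record from the Microsoft-Windows-Sysmon/Operational channel (for example the output of Get-WinEvent piped through .ToXml()). The join only covers hash algorithms enabled in the Sysmon configuration's HashAlgorithms setting, so SHA256 must be switched on there for the allowlist check to have anything to compare.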