Sysmon V8.0 - enhancement request - Inclusion of Image/File hash for EventCode=3 & EventCode=11 & EventCode=5


    EventCode=3

    Could you log hash values for the fields in the events mentioned below? Inclusion of these hashes will help us in threat hunting with the help of apps such as VirusTotal etc. One can make a program resemble a genuine one by renaming the file/image as a known one and hide it in plain sight, so inclusion of hashes will help detect such programs/files with the help of hash validation apps.


    TaskCategory=Network connection detected (rule: NetworkConnect)

    Field that requires a hash: Image


    TaskCategory=File created (rule: FileCreate)

    Field that requires a hash: TargetFilename

    EventCode=5

    TaskCategory=Process terminated (rule: ProcessTerminate)

    Field that requires a hash: Image



    Prasad MS

    Thursday, October 4, 2018 6:46 AM
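Added example (not part of the post above and not Sysmon's own code): until Sysmon emits hashes on these events, a defender can recover the image hash for Event 3 (NetworkConnect) and Event 5 (ProcessTerminate) records by joining them to the Event 1 (ProcessCreate) record that shares the same ProcessGuid, since Event 1 already carries the Hashes field in "ALGO=value,ALGO=value" form. The script below parses constructed events in Event Viewer XML layout, performs that join, and then compares each recovered SHA256 against an allow-list keyed by file name, which is exactly the "renamed to look like a known binary" case the post describes. All GUIDs, paths, hash values and the allow-list are constructed placeholders, and Event 11's TargetFilename is not covered because the content hash of a newly created file is not present in any of the joined events.

```python
"""Added example: enrich Sysmon Event 3 / 5 records with the Event 1 hash of the
same ProcessGuid and flag known file names whose hash is not on an allow-list.
Every event, GUID, path and hash below is a constructed placeholder."""
import xml.etree.ElementTree as ET

FAKE_SHA = "0" * 63 + "1"   # constructed: renamed binary dropped in Downloads
FAKE_MD5 = "0" * 31 + "1"   # constructed
GOOD_SHA = "0" * 63 + "2"   # constructed: the genuine system binary

# Constructed events in Event Viewer XML layout. GUID-0003 has no Event 1
# (its process started before collection began), so its hash stays unknown.
SAMPLE_EVENTS_XML = """<Events>
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="ProcessGuid">{GUID-0001}</Data>
<Data Name="Image">C:\\Users\\alice\\Downloads\\svchost.exe</Data>
<Data Name="Hashes">SHA256=%s,MD5=%s</Data></EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="ProcessGuid">{GUID-0002}</Data>
<Data Name="Image">C:\\Windows\\System32\\svchost.exe</Data>
<Data Name="Hashes">SHA256=%s</Data></EventData></Event>
<Event><System><EventID>3</EventID></System><EventData>
<Data Name="ProcessGuid">{GUID-0001}</Data>
<Data Name="Image">C:\\Users\\alice\\Downloads\\svchost.exe</Data>
<Data Name="DestinationIp">203.0.113.7</Data><Data Name="DestinationPort">443</Data>
</EventData></Event>
<Event><System><EventID>5</EventID></System><EventData>
<Data Name="ProcessGuid">{GUID-0001}</Data>
<Data Name="Image">C:\\Users\\alice\\Downloads\\svchost.exe</Data></EventData></Event>
<Event><System><EventID>3</EventID></System><EventData>
<Data Name="ProcessGuid">{GUID-0002}</Data>
<Data Name="Image">C:\\Windows\\System32\\svchost.exe</Data>
<Data Name="DestinationIp">192.0.2.10</Data><Data Name="DestinationPort">80</Data>
</EventData></Event>
<Event><System><EventID>3</EventID></System><EventData>
<Data Name="ProcessGuid">{GUID-0003}</Data>
<Data Name="Image">C:\\Temp\\svchost.exe</Data>
<Data Name="DestinationIp">198.51.100.5</Data><Data Name="DestinationPort">8080</Data>
</EventData></Event>
</Events>""" % (FAKE_SHA, FAKE_MD5, GOOD_SHA)

# Constructed allow-list: expected SHA256 values per image file name.
KNOWN_GOOD = {"svchost.exe": {GOOD_SHA}}


def parse_events(xml_text):
    """Flatten each <Event> into a dict holding EventID plus every EventData field."""
    events = []
    for ev in ET.fromstring(xml_text).findall("Event"):
        rec = {"EventID": int(ev.findtext("System/EventID"))}
        for data in ev.findall("EventData/Data"):
            rec[data.get("Name")] = data.text or ""
        events.append(rec)
    return events


def parse_hashes(hashes_field):
    """Sysmon's 'SHA256=..,MD5=..' string -> {'SHA256': '..', 'MD5': '..'} (values lower-cased)."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def enrich_with_hashes(events, target_ids=(3, 5)):
    """Attach the Event 1 hashes of the same ProcessGuid to each Event 3 / 5 record."""
    guid_to_hashes = {}
    for rec in events:
        if rec["EventID"] == 1 and "Hashes" in rec:
            guid_to_hashes[rec["ProcessGuid"]] = parse_hashes(rec["Hashes"])
    enriched = []
    for rec in events:
        if rec["EventID"] not in target_ids:
            continue
        hashes = guid_to_hashes.get(rec.get("ProcessGuid"))
        enriched.append({**rec, "Hashes": hashes,
                         "HashSource": "EventID 1" if hashes else "missing"})
    return enriched


def review_image_hashes(enriched, known_good):
    """Return (EventID, Image, reason) for records an analyst should look at:
    a known file name whose hash is not on the allow-list, or no hash at all."""
    findings = []
    for rec in enriched:
        name = rec["Image"].rsplit("\\", 1)[-1].lower()
        sha = (rec["Hashes"] or {}).get("SHA256")
        if sha is None:
            findings.append((rec["EventID"], rec["Image"], "no Event 1 for ProcessGuid; hash unknown"))
        elif name in known_good and sha not in known_good[name]:
            findings.append((rec["EventID"], rec["Image"], "hash not on allow-list for this file name"))
    return findings


if __name__ == "__main__":
    for finding in review_image_hashes(enrich_with_hashes(parse_events(SAMPLE_EVENTS_XML)), KNOWN_GOOD):
        print(*finding, sep=" | ")
```

The join only works while the matching Event 1 is still in the collected log, which is why the "missing" case is reported rather than silently skipped: a process that started before collection began looks identical to one whose creation event was lost, and either way the image cannot be vouched for.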