Sysmon Playbook Event ID 3

Sysmon Event ID: 3

Sysmon Event Title: Network Connection Detected

Network Connection Attributes:

When any machine with Sysmon installed makes a network connection, many details about that connection are captured and logged under Event ID 3. We will briefly discuss all the fields captured under Event ID 3.

  •     RuleName: %1!s!
  •     UtcTime: %2!s!
  •     ProcessGuid: %3!s!
  •     ProcessId: %4!s!
  •     Image: %5!s!
  •     User: %6!s!
  •     Protocol: %7!s!
  •     Initiated: %8!s!
  •     SourceIsIpv6: %9!s!
  •     SourceIp: %10!s!
  •     SourceHostname: %11!s!
  •     SourcePort: %12!s!
  •     SourcePortName: %13!s!
  •     DestinationIsIpv6: %14!s!
  •     DestinationIp: %15!s!
  •     DestinationHostname: %16!s!
  •     DestinationPort: %17!s!
  •     DestinationPortName: %18!s!

How to Investigate:

This event is logged when Sysmon detects a network connection. The network connection event logs TCP/UDP connections on the machine. It is disabled by default. Each connection is linked to a process through the ProcessId and ProcessGuid fields. The event also contains the source and destination hostnames, IP addresses, port numbers and IPv6 status.

Pivots:

Information about the process ID is critical here, since it provides the name of the process binary that is making the connection. From this point the process ID can be searched further to check how this binary was created and which commands were used. (Process ID -> User -> …)

  1. Check the source IP and port to identify the machine that is making the connection. If unsure, search for the IP in your asset list.
  2. Check the destination IP and port to identify the machine to which the connection is being made. If unsure, search for the IP in your asset list, or if it is an external IP, check it on VT or other CTI sources.
  3. Points 1 and 2 can also be done using the source hostname or destination hostname.
  4. The Image field gives the process that is making the network connection. This should be checked closely to see whether it is a normal process making connections or a malicious one. We can pivot to Process Creation events to see how this binary was started and came to make network connections.
  5. The User field can also be compared with our user lists to identify whether this user should be able to run such binaries that make connections.
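A worked version of the pivot steps above, added here as an example and not part of the original playbook: it parses two constructed Sysmon records exported as Windows Event Log XML, looks the source IP up in a constructed asset list, classifies the destination as internal or external, and joins the Event ID 3 to its Event ID 1 through ProcessGuid. The asset list, internal range, GUID and all sample values are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: one Event ID 1 and one Event ID 3 sharing a ProcessGuid,
# in Windows Event Log XML as exported by wevtutil or Get-WinEvent ...ToXml().
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1</EventID></System><EventData>
  <Data Name="ProcessGuid">{00000000-0000-0000-0000-0000000000a1}</Data>
  <Data Name="Image">C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe</Data>
  <Data Name="CommandLine">update.exe /silent</Data>
  <Data Name="ParentImage">C:\\Windows\\System32\\cmd.exe</Data>
 </EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>3</EventID></System><EventData>
  <Data Name="ProcessGuid">{00000000-0000-0000-0000-0000000000a1}</Data>
  <Data Name="Image">C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe</Data>
  <Data Name="User">CORP\\jdoe</Data>
  <Data Name="SourceIp">10.0.0.25</Data>
  <Data Name="DestinationIp">203.0.113.10</Data>
  <Data Name="DestinationPort">443</Data>
 </EventData></Event>
</Events>"""

# Constructed asset list and internal ranges for pivot steps 1 and 2.
ASSETS = {"10.0.0.25": "WKS-FINANCE-07"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def parse_events(xml_text):
    """One dict per <Event>: EventID plus every EventData/Data field."""
    out = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        rec = {"EventID": ev.findtext("e:System/e:EventID", namespaces=NS)}
        rec.update((d.get("Name"), d.text)
                   for d in ev.findall("e:EventData/e:Data", NS))
        out.append(rec)
    return out

def pivot_network_event(net, events):
    """Steps 1-5 for one Event ID 3, joined to its Event ID 1 via ProcessGuid."""
    dst = ipaddress.ip_address(net["DestinationIp"])
    creation = next((e for e in events if e["EventID"] == "1"
                     and e["ProcessGuid"] == net["ProcessGuid"]), {})
    return {
        "source_host": ASSETS.get(net["SourceIp"], "unknown asset"),
        "destination": f'{dst}:{net["DestinationPort"]}',
        "external": not any(dst in n for n in INTERNAL_NETS),
        "image": net["Image"], "user": net["User"],
        "parent": creation.get("ParentImage"),
        "command_line": creation.get("CommandLine"),
    }
```

Run on real data by replacing SAMPLE_EVENTS with the exported XML and ASSETS with your inventory; an external destination reached by a binary in a user's Temp folder with a cmd.exe parent is exactly the pattern steps 4 and 5 tell you to look at closely.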
