Visualizing & Tracking Sysmon events with Sysmon View 1.2

With Sysmon View 1.1, I was able to view Sysmon logs visually; however, the picture it drew was incomplete (maybe because I was busy laying down the foundation). For example, what if I wanted to track the hierarchy of an interesting process? Although the tool shows the details of a “process create” event, and among those details I will find the parent process (if it is being reported), I would still have to dig for that process again (by its name), find the session (parent process GUID) that created the child process, and from there track all the events associated with that parent process session. Another example: in the map view of Sysmon View, I can list all the network events associated with a certain destination country, but what if I found a network event worth investigating and wanted to track all the other events associated with its process (through its process GUID)?

With version 1.2, following a process through its hierarchy is now possible; also, when investigating an event, it is now easy to get all the other events related to the same session.

An example might help. In the following image, I selected “AcroRd32.exe” to investigate:

[Image 1]

Double-clicking on the “process create” event reveals the details of this event (notice that the “Parent process GUID” is highlighted as a hyperlink); the event details show “Explorer.exe” as the parent process:

[Image 2]

New to Sysmon View 1.2: before proceeding further, let's talk about the new event details window. From this window, you can view all the event data, copy and paste, and query VirusTotal (you will have to get an API key to enable VirusTotal queries). In addition, some windows have extra features: for example, the network event window can query VirusTotal for IP and domain information, including whois data, and the registry event window allows jumping to the registry key in regedit.

The following image shows what happens when I click on the “MD5” value, for example:

[Image 3]

Now back to our topic. Clicking the “Parent process GUID” link will bring up the parent process session (in this example, Explorer.exe) and all events associated with it. This tracking is hard to follow by viewing the logs in Event Viewer, since the “process create” event of a child process is associated with that child process (child process GUID) and not with its parent (if you look closely at the next image, which shows all parent process events, you won't find a “create child process” event; this is just how Sysmon logs data):

[Image 4]

And if you want to go deeper, you can repeat the same steps recursively. Let's go to the details of the process create event of “Explorer.exe”, which shows the parent process as “userinit.exe”:

[Image 5]

Again, let's get the details of its parent process through the details of its process create event:

[Image 6]

This reveals “winlogon.exe” as the parent. Let's dig further behind the parent process “winlogon.exe” details:

[Image 7]

You get the idea.

Now you might be asking what the “Process GUID” hyperlink does. Well, it will re-draw the same session under investigation again, so why the duplication? Well, it isn't one: this is related to the Map view and the second case mentioned earlier (and, hopefully, to future Sysmon views that will be added). Let's visit the map view:

[Image 8]

When selecting a destination country (the Map View is only available if you enabled the geo IP setting when importing the XML log data; by the way, thanks to http://freegeoip.net for their free API), all network events related to that destination will be listed, and choosing any “Process GUID” will show all the events related to that network event (just another way to track Sysmon events):

[Image 9]

And from there, it's easy to track that process hierarchy or any other event associated with it.
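The two pivots described above (walking “Parent process GUID” links up the hierarchy, and going from a network event's “Process GUID” to every event of that session) are the same lookups Sysmon View performs over the imported XML. The following script, added here as an illustration and not part of Sysmon View or of this post, does both over an Event Viewer style XML export using only the Python standard library. The log it parses is a constructed sample: the GUIDs are readable placeholders, the IP addresses are documentation ranges, and `GEOIP_STUB` stands in for the geo IP lookup the tool does at import time.

```python
import ntpath
import xml.etree.ElementTree as ET

NS_URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": NS_URI}

# Constructed sample (not real Sysmon output): the AcroRd32.exe chain from the
# post as three process-create events (ID 1) plus two network connections
# (ID 3). GUIDs are readable placeholders rather than real {GUID} values.
SAMPLE_XML = """<Events xmlns="%s">
<Event><System><EventID>1</EventID></System><EventData>
 <Data Name="ProcessGuid">{G-USERINIT}</Data>
 <Data Name="Image">C:\\Windows\\System32\\userinit.exe</Data>
 <Data Name="ParentProcessGuid">{G-WINLOGON}</Data>
 <Data Name="ParentImage">C:\\Windows\\System32\\winlogon.exe</Data>
</EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
 <Data Name="ProcessGuid">{G-EXPLORER}</Data>
 <Data Name="Image">C:\\Windows\\explorer.exe</Data>
 <Data Name="ParentProcessGuid">{G-USERINIT}</Data>
 <Data Name="ParentImage">C:\\Windows\\System32\\userinit.exe</Data>
</EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
 <Data Name="ProcessGuid">{G-ACRO}</Data>
 <Data Name="Image">C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe</Data>
 <Data Name="ParentProcessGuid">{G-EXPLORER}</Data>
 <Data Name="ParentImage">C:\\Windows\\explorer.exe</Data>
</EventData></Event>
<Event><System><EventID>3</EventID></System><EventData>
 <Data Name="ProcessGuid">{G-ACRO}</Data>
 <Data Name="Image">C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe</Data>
 <Data Name="DestinationIp">203.0.113.10</Data>
 <Data Name="DestinationPort">443</Data>
</EventData></Event>
<Event><System><EventID>3</EventID></System><EventData>
 <Data Name="ProcessGuid">{G-EXPLORER}</Data>
 <Data Name="Image">C:\\Windows\\explorer.exe</Data>
 <Data Name="DestinationIp">198.51.100.5</Data>
 <Data Name="DestinationPort">80</Data>
</EventData></Event>
</Events>""" % NS_URI

# Constructed stand-in for the geo IP lookup Sysmon View does at import time.
GEOIP_STUB = {"203.0.113.10": "Country A", "198.51.100.5": "Country B"}


def parse_sysmon_xml(text):
    """Flatten each <Event> into a dict: EventID plus every <Data Name=...>."""
    records = []
    for ev in ET.fromstring(text).iter("{%s}Event" % NS_URI):
        rec = {"EventID": int(ev.find("e:System/e:EventID", NS).text)}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = (d.text or "").strip()
        records.append(rec)
    return records


def events_for_session(events, guid):
    """Everything logged under one ProcessGuid (what the 'Process GUID' link shows)."""
    return [e for e in events if e.get("ProcessGuid") == guid]


def children_of(events, parent_guid):
    """A child's create event is logged under the child's GUID, so listing a
    parent's children means scanning every ID 1 event for ParentProcessGuid."""
    return [e for e in events
            if e["EventID"] == 1 and e.get("ParentProcessGuid") == parent_guid]


def ancestry(events, guid):
    """Follow ParentProcessGuid upward (the 'Parent process GUID' link applied
    recursively); returns image names from the process to the oldest ancestor
    the log can name."""
    creates = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    chain, seen, parent_image = [], set(), None
    while guid in creates and guid not in seen:
        seen.add(guid)  # guard against a malformed log with a GUID cycle
        ev = creates[guid]
        chain.append(ntpath.basename(ev["Image"]))
        parent_image = ev.get("ParentImage")
        guid = ev.get("ParentProcessGuid")
    if chain and guid not in creates and parent_image:
        # The parent's own create event predates the log; only its name survives,
        # carried in the child's event, so its session cannot be expanded further.
        chain.append(ntpath.basename(parent_image))
    return chain


def network_events_for_country(events, country, geoip=GEOIP_STUB):
    """The Map view pivot: ID 3 events whose destination resolves to `country`."""
    return [e for e in events
            if e["EventID"] == 3 and geoip.get(e.get("DestinationIp")) == country]


if __name__ == "__main__":
    evs = parse_sysmon_xml(SAMPLE_XML)
    print("ancestry:", " <- ".join(ancestry(evs, "{G-ACRO}")))
    for net in network_events_for_country(evs, "Country A"):
        guid = net["ProcessGuid"]
        print(guid, "session has", len(events_for_session(evs, guid)), "events")
```

Running it prints the four-level chain from AcroRd32.exe up to winlogon.exe and then, for the one connection resolving to “Country A”, pivots to the AcroRd32 session and counts its events. `ancestry` stops where the chain leaves the log, which is the same point at which clicking “Parent process GUID” in the tool stops yielding a new session; on a real export, `winlogon.exe` would usually have no create event of its own because it started before Sysmon did.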

Sysmon View can be downloaded (32- and 64-bit builds) from GitHub at this link (the archive password is “password”, without the quotes):

For any questions or suggestions, please contact me by email.
