Column K: Kernel-Mode
Description: Interfacing directly with ring 0 in the OS. Observables are in kernel mode.
As defined by Microsoft, the kernel “implements the core functionality that everything else in the operating system depends upon.” [1] It is the heart of the operating system, as it provides the services that everything else relies on, including managing threads, conflicts and errors, and system memory [2]. Some of the kernel library support routines available within the Windows operating system start with the prefix Ke. Defenders can monitor kernel activity through observables including registry modification, some event IDs, and network protocols. Kernel observables are usually the hardest to evade and represent the most robust events and fields in the framework.
Observables

Category | Observable Fields
---|---
Process | Event ID 4688 (Process creation)
Process | Event ID 4689 (Process exited)
Process | Sysmon ID 8 (Create remote thread)
File | Event ID 4663 (Attempt was made to access object)
Registry Keys | Event ID 4656 (Handle to object requested)
Registry Keys | Sysmon ID 12 (Registry object added/deleted)
Registry Keys | Event ID 4660 (Object deleted)
Registry Keys | Event ID 4657 (Registry value modified)
Objects | Event ID 5136 (A directory service object was modified)
Pipes | Sysmon ID 17 (Pipe created)
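As an added example (not part of the framework's own material), the Python below maps constructed event records to the Column K categories in the table above and flags a process that creates a remote thread (Sysmon ID 8) within a short window of its own creation (Event ID 4688). The record layout, the `pid` field and the sample timestamps are simplified assumptions, not the real Windows or Sysmon schema.

```python
from collections import Counter
from datetime import datetime, timedelta

# Column K observables from the table above, keyed by (log provider, event id).
COLUMN_K = {
    ("Security", 4688): "Process",        # Process creation
    ("Security", 4689): "Process",        # Process exited
    ("Sysmon", 8): "Process",             # Create remote thread
    ("Security", 4663): "File",           # Attempt was made to access object
    ("Security", 4656): "Registry Keys",  # Handle to object requested
    ("Sysmon", 12): "Registry Keys",      # Registry object added/deleted
    ("Security", 4660): "Registry Keys",  # Object deleted
    ("Security", 4657): "Registry Keys",  # Registry value modified
    ("Security", 5136): "Objects",        # A directory service object was modified
    ("Sysmon", 17): "Pipes",              # Pipe created
}

# Constructed sample records, not real telemetry. Field names are simplified:
# a real 4688 carries NewProcessId and a real Sysmon 8 carries SourceProcessId.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "provider": "Security", "id": 4688, "pid": 4120},
    {"ts": "2024-01-01T10:00:02", "provider": "Sysmon", "id": 17, "pid": 4120},
    {"ts": "2024-01-01T10:00:05", "provider": "Sysmon", "id": 8, "pid": 4120},
    {"ts": "2024-01-01T10:30:00", "provider": "Security", "id": 4689, "pid": 4120},
    {"ts": "2024-01-01T11:00:00", "provider": "Security", "id": 9999, "pid": 0},  # placeholder id, not Column K
]

def classify(event):
    """Return the Column K category of an event, or None if it is not a kernel observable."""
    return COLUMN_K.get((event["provider"], event["id"]))

def summarize(events):
    """Count Column K observables per category; events outside Column K are ignored."""
    return dict(Counter(c for c in map(classify, events) if c))

def remote_thread_after_create(events, window=timedelta(seconds=60)):
    """Return pids seen creating a remote thread (Sysmon 8) within `window`
    of their own creation (4688): a sequence that merits a closer look."""
    created, flagged = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        key = (e["provider"], e["id"])
        if key == ("Security", 4688):
            created[e["pid"]] = t
        elif key == ("Sysmon", 8):
            start = created.get(e["pid"])
            if start is not None and t - start <= window:
                flagged.append(e["pid"])
    return flagged
```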
Useful resources:

- Roberto Rodriguez’s API-To-Event
- Jonny Johnson’s TelemetrySource
- UltimateWindowsSecurity Event ID Glossary
References