Column U: User-Mode
Description: Observables associated with user-mode OS activity.
The OS kernel (ring 0) is typically invoked using C wrapper functions running in user mode (ring 3). In Windows, these system wrapper functions usually start with Nt or Zw 1. In other operating systems, these C wrapper functions are usually included in libc. In either case, the wrapper functions switch into kernel mode using a predefined calling convention such as setting specific register flags and calling a certain interrupt. The attacker may bypass these wrapper functions by writing their own code to switch to kernel mode.
Observables
Category |
Observables |
|---|---|
Process |
Sysmon ID 1 (Process creation)
Sysmon ID 5 (Process termination)
Sysmon ID 10 (Process access)
Event ID 7045 (New service installed)
|
File |
Sysmon ID 2 (File creation time changed)
Sysmon ID 11 (File create)
Sysmon ID 15 (File create stream hash)
Sysmon ID 23 (File deletion)
|
Driver |
Sysmon ID 6 (Driver loaded)
|
Registry Key |
Sysmon ID 13 (Registry value set)
Sysmon ID 14 (Registry object renamed)
|
Useful resources:
Roberto Rodriguez’s API - To - Event
Jonny Johnson’s TelemetrySource
UltimateWindowsSecurity Event ID Glossary
References