Sysmon Event ID 9
9: RawAccessRead
This is an event from
Sysmon.
On this page
The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation. This technique is often used by malware for data exfiltration of files that are locked for reading, as well as to avoid file access auditing tools. The event indicates the source process and target device.
This event can help you detect theft of ntds.dit which is a file located on your Domain Controllers. This file contains the hashes from your AD Domain.
For more information on ntds.dit and protecting it you can view this webinar, "Three Modern Active Directory Attack Scenarios and How to Detect Them".
Free Security Log Resources by Randy
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- RawAccessRead
- UtcTime: Time event occurred
- ProcessGuid: The GUID of the process that generated the event
- ProcessID: ID of the process that generated the event
- Image: File used to generate the event
- Device
-
Supercharger Free Edition
Your entire Windows Event Collection environment on a single pane of glass.
Free.
Log Name: Microsoft-Windows-Sysmon/Operational
Source: Microsoft-Windows-Sysmon
Date: 3/22/2018 1:32:22 PM
Event ID: 9
Task Category: RawAccessRead detected (rule: RawAccessRead)
Level: Information
Keywords:
User: SYSTEM
Computer: rfsH.lab.local
Description:
RawAccessRead detected:
UtcTime: 2018-03-22 20:32:22.332
ProcessGuid: {a23eae89-c65f-5ab2-0000-0010eb030000}
ProcessId: 4
Image: System
Device: \Device\HarddiskVolume2
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>9</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>9</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-03-22T20:32:22.333778700Z" />
<EventRecordID>1944686</EventRecordID>
<Correlation />
<Execution ProcessID="19572" ThreadID="21888" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="UtcTime">2018-03-22 20:32:22.332</Data>
<Data Name="ProcessGuid">{A23EAE89-C65F-5AB2-0000-0010EB030000}</Data>
<Data Name="ProcessId">4</Data>
<Data Name="Image">System</Data>
<Data Name="Device">\Device\HarddiskVolume2</Data>
</EventData>
</Event>
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection