Sysmon Event ID 9

Source

9: RawAccessRead

This is an event from Sysmon.

On this page

Description of this event
Field level details
Examples
Mini-seminars on this event

The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation. This technique is often used by malware for data exfiltration of files that are locked for reading, as well as to avoid file access auditing tools. The event indicates the source process and target device.

This event can help you detect theft of ntds.dit which is a file located on your Domain Controllers. This file contains the hashes from your AD Domain.

For more information on ntds.dit and protecting it you can view this webinar, "Three Modern Active Directory Attack Scenarios and How to Detect Them".

Free Security Log Resources by Randy

Description Fields in 9

Log Name
Source
Date
Event ID
Task Category
Level
Keywords
User
Computer
Description
RawAccessRead
UtcTime: Time event occurred
ProcessGuid: The GUID of the process that generated the event
ProcessID: ID of the process that generated the event
Image: File used to generate the event
Device

Supercharger Free Edition

Centrally manage WEC subscriptions.

Free.

Examples of 9

Log Name:      Microsoft-Windows-Sysmon/Operational
Source:        Microsoft-Windows-Sysmon
Date:          3/22/2018 1:32:22 PM
Event ID:      9
Task Category: RawAccessRead detected (rule: RawAccessRead)
Level:         Information
Keywords:
User:          SYSTEM
Computer:      rfsH.lab.local
Description:
RawAccessRead detected:
UtcTime: 2018-03-22 20:32:22.332
ProcessGuid: {a23eae89-c65f-5ab2-0000-0010eb030000}
ProcessId: 4
Image: System
Device: \Device\HarddiskVolume2
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <EventID>9</EventID>
    <Version>2</Version>
    <Level>4</Level>
    <Task>9</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2018-03-22T20:32:22.333778700Z" />
    <EventRecordID>1944686</EventRecordID>
    <Correlation />
    <Execution ProcessID="19572" ThreadID="21888" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>rfsH.lab.local</Computer>
    <Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="UtcTime">2018-03-22 20:32:22.332</Data>
    <Data Name="ProcessGuid">{A23EAE89-C65F-5AB2-0000-0010EB030000}</Data>
    <Data Name="ProcessId">4</Data>
    <Data Name="Image">System</Data>
    <Data Name="Device">\Device\HarddiskVolume2</Data>
</EventData>
</Event>

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Mini-Seminars Covering Event ID 9

Upcoming Webinars

Additional Resources

Encyclopedia

•	Event IDs
•	All Event IDs
•	Audit Policy

Go To Event ID:

Must be a 1-5 digit number No such event ID

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.