Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generate process, session GUIDs (Sysmon) #38

Open
hillu opened this issue Oct 17, 2021 · 1 comment
Open

Generate process, session GUIDs (Sysmon) #38

hillu opened this issue Oct 17, 2021 · 1 comment

Comments

@hillu
Copy link
Collaborator

hillu commented Oct 17, 2021

Sysmon calculates GUIDs (at least) for processes and sessions, this is a really useful idea for correlation.

The Sysmon implementation can be found at https://github.com/Sysinternals/SysmonCommon/blob/735085f7940bf68047f00e71e6583197381fb966/eventsCommon.cpp#L138. machineId is set from /etc/machine-id, cf. https://github.com/Sysinternals/SysmonForLinux/blob/9bca3734721a01cb2ac6e2e3adc40ecdcad3151e/linuxHelpers.cpp#L338
@hillu hillu changed the title Steal good idea from Sysmon: Generate process, session GUIDs Generate process, session GUIDs (Sysmon) Oct 19, 2021
@mschilt
Copy link

mschilt commented Dec 15, 2021

I lile that idea. Process GUID are very valuable to 'follow' what a specific process did. The process ID is prone to roll overs especially on very busy systems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@hillu @mschilt