Linux ProcessGUID

Author: darkoperator

.gitignore

@@ -0,0 +1,2 @@
+
+chapters/.DS_Store

chapters/media/image66.png

@@ -2,7 +2,7 @@
 Process Events
 ==============
 
-Sysmon can log process creation, process termination and process access events. The process events are captured via ObjRegisterCallbacks at the kernel level using its driver, and contain a unique, deterministically generated ProcessGuid and LogonGuid that are unique to their process instance and LSA logon session respectively. 
+Sysmon can log process creation, process termination and process access events. For Windows the process events are captured via ObjRegisterCallbacks at the kernel level using its driver, and contain a unique, deterministically generated ProcessGuid and LogonGuid that are unique to their process instance and LSA logon session respectively.
 
 The ProcessGuid and LoginGuid make tracking individual process and users much easier. The ProcessGuid attribute is used in all events associated with its process, and, unlike a ProcessID, will not be reused by the host system later.  The LogonGuid attribute similarly is assigned to a login session of a particular user, and will not be reused later as a LoginID would.
 
@@ -26,6 +26,12 @@ ProcessGUID is generated by Sysmon when Sysmon logs the event.  ProcessGUID
 specifically is not an attribute of the internal Windows process data structs
 (EPROCESS).  Sysmon keeps track of the GUID until the process exits.
 
+In Linux the process for generating the ProcessGuid is similar to Windows with the exception that the hexadecimal value in **/etc/machine-id**, this hexadecimal value is unique per host, it is usually generated from a random source during system installation or first boot and stays constant for all subsequent boots. Optionally, for stateless systems, it is generated during runtime during early boot if necessary.
+
+![Linux ProcessGUID Source](./media/image66.png)
+
+The ProcessGUIs is referenced in several events under different names.
+
 ![ProcessGUID Relation](./media/image32.png)
 
 The only Event Types that will not reference a ProcessGuid or one of its

chapters/media/image67.png

@@ -1,9 +1,11 @@
 Raw Access Read
 ===============
 
-Sysmon will log **EventID 9** for any process trying to read straight from a storage device by bypassing any filesystem restrictions that may be imposed by it. This information is logged by Sysmon leveraging its minifilter. This type of action is only done by drive imaging software or backup software in a normal operating environment.
+Sysmon will log **EventID 9** for any process trying to read straight from a storage device by bypassing any filesystem restrictions that may be imposed by it. This information is logged by Sysmon on Windows by leveraging its minifilter. This type of action is only done by drive imaging software or backup software in a normal operating environment.
 
-Attackers have been known to use this technique to copy NTDS.dit and SAM Registry Hives off host for the purpose of credential harvesting.
+On Linux this event is logged when a block device is directly accessed and eBPF is used to detect this type of action.
+
+Attackers have been known to use this technique on Windows to copy NTDS.dit and SAM Registry Hives off host for the purpose of credential harvesting. In the case of Linux it is the raw access to the device for similar purposes too access credentials, key material and binaries of the system.
 
 The fields for the event are:
 
@@ -19,7 +21,8 @@ The fields for the event are:
 
 * **Device**: Target device
 
-Given that no process should be performing this action normally, it is best to log all instances of it or, even better, to target the NTDS.dit file on domain controllers and SAM hive file on all systems. On systems with many file modifications, slightly higher resource usage may result if monitoring is enabled for all files.
+In the case of Windows given that no process should be performing this action normally, it is best to log all instances of it or, even better, to target the NTDS.dit file on domain controllers and SAM hive file on all systems. On systems with many file modifications, slightly higher resource usage may result if monitoring is enabled for all files.
+
 
 Example that captures all instances of this event