# Excluding MSNT_SystemTrace from the results

In [2]:
from threat_hunting_toolkit import ThreatHunter
import json

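# Load and filter
# Drop every record from the kernel logger provider (MSNT_SystemTrace) and
# persist the remainder as JSONL, so later cells can load a few thousand
# events instead of the full ~3M-event capture. Note this is a one-way cut:
# anything the kernel logger recorded is not searchable from the reduced file.
SOURCE_PATH = 'byovd_ss.json'
EXCLUDED_PROVIDER = 'MSNT_SystemTrace'
OUTPUT_PATH = 'BYOVD_SS_MSNT_SystemTrace_REMOVED.json'

# auto_analyze=False: only the raw records are needed here (no hierarchy build).
hunter = ThreatHunter(SOURCE_PATH, auto_analyze=False)

# _extract_fields is a private toolkit helper; it is where the provider name is
# normalised, so reuse it rather than guessing the raw record layout.
filtered = [
    event for event in hunter.data
    if hunter._extract_fields(event)['provider_name'] != EXCLUDED_PROVIDER
]
removed = len(hunter.data) - len(filtered)

# Save: one JSON object per line (JSONL), the format ThreatHunter loads back.
# default=str keeps non-JSON-native values (e.g. datetimes) from aborting the dump.
with open(OUTPUT_PATH, 'w', encoding='utf-8') as f:
    for event in filtered:
        f.write(json.dumps(event, default=str) + '\n')

print(f"‚úì Saved {len(filtered):,} events (removed {removed:,})")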

THREAT HUNTING TOOLKIT
[*] Loading: byovd_ss.json
[*] Loading as JSONL...
[+] Loaded JSONL: 3,063,819 records
✓ Saved 5,322 events (removed 3,058,497)


---
**How many providers do we have?**

In [1]:


from threat_hunting_toolkit import ThreatHunter

# Work from the reduced JSONL written in the previous cell. Without
# auto_analyze=False the toolkit also builds the provider/task hierarchy and
# prints the data overview on load.
REDUCED_DATASET = "BYOVD_SS_MSNT_SystemTrace_REMOVED.json"
hunter = ThreatHunter(REDUCED_DATASET)

"""
byovd_ss.json has all events and it is about 1.5 GB. So, we will be removing the kernel logs and investigating the rest. Please use this JSON file later for your research
"""

THREAT HUNTING TOOLKIT
[*] Loading: BYOVD_SS_MSNT_SystemTrace_REMOVED.json
[*] Loading as JSONL...
[+] Loaded JSONL: 5,322 records
[*] Building hierarchy...
[+] Hierarchy built: 6 providers

DATA OVERVIEW

Total Events:     5,322
Providers:        6
Unique Tasks:     26

--------------------------------------------------------------------------------
PROVIDERS (by event volume)
--------------------------------------------------------------------------------
  Microsoft-Windows-Kernel-Audit-API-Calls             3,570 ( 67.1%) | 1 tasks
  Microsoft-Windows-Kernel-Registry                      693 ( 13.0%) | 1 tasks
  Microsoft-Windows-Sysmon                               602 ( 11.3%) | 14 tasks
  Microsoft-Windows-CodeIntegrity                        245 (  4.6%) | 6 tasks
  Microsoft-Windows-Kernel-File                          199 (  3.7%) | 2 tasks
  Microsoft-Windows-Kernel-Process                        13 (  0.2%) | 2 tasks

Unique Process IDs: 62
Process IDs: [4, 92, 272, 440, 55

'\nbyovd_ss.json has all events and it is about 1.5 GB. So, we will be removing the kernel logs and investigating the rest. Please use this JSON file later for your research\n'

In [47]:
# Raw provider -> task -> event-name -> {int} nesting the toolkit builds on load
# (private attribute; the innermost ints appear to be opcodes, cf. the "Op:"
# column in the event catalog below). The provider listing above is derived from it.
hunter._provider_hierarchy

defaultdict(<function threat_hunting_toolkit.ThreatHunter._build_hierarchy.<locals>.<lambda>()>,
            {'Microsoft-Windows-Kernel-File': defaultdict(<function threat_hunting_toolkit.ThreatHunter._build_hierarchy.<locals>.<lambda>.<locals>.<lambda>()>,
                         {'NameCreate': defaultdict(set,
                                      {'NO_EVENT_NAME': {0}}),
                          'NameDelete': defaultdict(set,
                                      {'NO_EVENT_NAME': {0}})}),
             'Microsoft-Windows-Kernel-Audit-API-Calls': defaultdict(<function threat_hunting_toolkit.ThreatHunter._build_hierarchy.<locals>.<lambda>.<locals>.<lambda>()>,
                         {'NO_TASK': defaultdict(set,
                                      {'NO_EVENT_NAME': {0}})}),
             'Microsoft-Windows-Sysmon': defaultdict(<function threat_hunting_toolkit.ThreatHunter._build_hierarchy.<locals>.<lambda>.<locals>.<lambda>()>,
                         {'File created (rule: FileCr

In [4]:
# Where GrantedAccess lives (header vs. properties), how many events carry it,
# sample values and the emitting providers. Expect Sysmon only: GrantedAccess is
# the access mask on EID 10 (ProcessAccess), the signal for cross-process handles.
hunter.lookup_field('GrantedAccess')

[*] Discovering all fields in dataset...
[+] Discovered 8 header fields and 105 property fields

FIELD LOOKUP: GrantedAccess

📍 Location: properties (event-specific data)
Occurrences: 242 events (4.55% coverage)

Sample values:
  1. 00101000
  2. 00100000
  3. 00140000
  4. FFFF1F00
  5. 00001000

💡 How to search:
  hunter.search('GrantedAccess')  # Universal search
  hunter.unique_values('GrantedAccess', location='properties')

🔍 Found in providers: Microsoft-Windows-Sysmon


{'location': 'properties',
 'field': 'GrantedAccess',
 'count': 242,
 'coverage': 4.547162720781661,
 'samples': ['00101000', '00100000', '00140000', 'FFFF1F00', '00001000'],
 'providers': ['Microsoft-Windows-Sysmon']}

In [3]:
# To discover all fields you can use below query. You can also use hunter.lookup_field('field_name'). Below is for GrantedAccess
# Peek at the shape of the first event carrying GrantedAccess: header
# provider / event id / task, plus the property names it exposes.
print("Discovering GrantedAccess event structure...")
sample_events = hunter.search('GrantedAccess')

first = None
if sample_events:
    # search() has returned a list so far, but tolerate any iterable.
    if isinstance(sample_events, list):
        first = sample_events[0]
    else:
        first = next(iter(sample_events), None)

if first:
    header = first.get('header', {})
    print(f"Provider: {header.get('provider_name')}")
    print(f"Event ID: {header.get('event_id')}")
    print(f"Task: {header.get('task_name')}")
    print(f"Properties keys: {list(first.get('properties', {}).keys())}")

Discovering GrantedAccess event structure...

[*] Searching for 'GrantedAccess' across all fields...
[+] Found 242 events containing 'GrantedAccess'

Showing first 20 matches:

  1. [2025-10-30 03:47:28Z] PID:3856

  2. [2025-10-30 03:47:28Z] PID:3856

  3. [2025-10-30 03:47:28Z] PID:3856

  4. [2025-10-30 03:47:28Z] PID:3856

  5. [2025-10-30 03:47:28Z] PID:3856

  6. [2025-10-30 03:47:28Z] PID:3856

  7. [2025-10-30 03:47:28Z] PID:3856

  8. [2025-10-30 03:47:28Z] PID:3856

  9. [2025-10-30 03:47:28Z] PID:3856

  10. [2025-10-30 03:47:28Z] PID:3856

  11. [2025-10-30 03:47:28Z] PID:3856

  12. [2025-10-30 03:47:28Z] PID:3856

  13. [2025-10-30 03:47:28Z] PID:3856

  14. [2025-10-30 03:47:28Z] PID:3856

  15. [2025-10-30 03:47:28Z] PID:3856

  16. [2025-10-30 03:47:28Z] PID:3856

  17. [2025-10-30 03:47:28Z] PID:3856

  18. [2025-10-30 03:47:33Z] PID:3856

  19. [2025-10-30 03:47:33Z] PID:3856

  20. [2025-10-30 03:47:33Z] PID:3856

... and 222 more results not displayed
💡 Tip: All

---
**How many different events do we have for each provider?**


In [5]:
from collections import defaultdict

# Flatten hunter._event_counts (provider -> task -> event -> details) into
# provider -> task -> event -> {event ids}. `details` is either a set of ids or
# a dict with an 'event_id' key, depending on how the toolkit recorded it.
event_catalog = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))

for provider, tasks in hunter._event_counts.items():
    for task_name, events in tasks.items():
        for event_name, details in events.items():
            if isinstance(details, set):
                ids_for_event = details
            else:
                ids_for_event = {details.get('event_id')}
            event_catalog[provider][task_name][event_name].update(ids_for_event)


def _rule_of(task_name):
    """Pull the Sysmon rule name out of 'Task (rule: X)'; '-' when there is none."""
    if '(rule:' not in task_name:
        return '-'
    return task_name.split('(rule:')[1].split(')')[0].strip()


for provider in sorted(event_catalog):
    print(f"\n{provider}")
    for task_name in sorted(event_catalog[provider]):
        rule = _rule_of(task_name)
        for event_name, event_ids in event_catalog[provider][task_name].items():
            known_ids = sorted(eid for eid in event_ids if eid is not None)
            suffix = "" if event_name == 'NO_EVENT_NAME' else f"Event: {event_name}"
            print(f"  Task: {task_name:<50} Rule: {rule:<25} IDs: {known_ids} {suffix}")


Microsoft-Windows-CodeIntegrity
  Task: FileHashFoundInImageCertificate                    Rule: -                         IDs: [3009] Event: ID:3009|Name:NO_EVENT_NAME|Op:0
  Task: GetFileCache                                       Rule: -                         IDs: [3040] Event: ID:3040|Name:NO_EVENT_NAME|Op:1
  Task: GetFileCache                                       Rule: -                         IDs: [3041] Event: ID:3041|Name:NO_EVENT_NAME|Op:2
  Task: PageHashFoundInImageCertificate                    Rule: -                         IDs: [3007] Event: ID:3007|Name:NO_EVENT_NAME|Op:0
  Task: ValidateFileHash                                   Rule: -                         IDs: [3015] Event: ID:3015|Name:NO_EVENT_NAME|Op:1
  Task: ValidateFileHash                                   Rule: -                         IDs: [3016] Event: ID:3016|Name:NO_EVENT_NAME|Op:2
  Task: ValidateImageHeader                                Rule: -                         IDs: [3038] Event: ID:30

---
## Can you find signs of suspicious driver or service activity? Where? Which logs?

In [58]:
# Sysmon EID 6 (DriverLoad) is the primary signal for a BYOVD drop. Beyond
# ImageLoaded, the Signed / Signature / SignatureStatus fields on EID 6 (per
# the Sysmon schema) are what say whether the kernel accepted a legitimately
# signed driver — inspect them on every hit, since a *valid* signature on a
# driver loaded from a user's Downloads folder is the BYOVD tell.
print("--- Investigating Driver Loads (Sysmon EID 6) ---")
driver_loads = hunter.search(provider_name="Microsoft-Windows-Sysmon", event_id=6)

--- Investigating Driver Loads (Sysmon EID 6) ---

[*] Found 2 matching events
  1. [2025-10-30 03:47:34Z] PID:3856 - Driver loaded (rule: DriverLoad) 
  2. [2025-10-30 03:48:20Z] PID:3856 - Driver loaded (rule: DriverLoad) 


In [61]:
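"""
Registry events with Kernel level Drivers
"""
# Sysmon EID 13 renders Details as 'DWORD (0x00000001)', so matching the bare
# value hits every DWORD 1 written under the service key (Type=1, but also e.g.
# ErrorControl=1). Pin the query to the Type value: 1 == SERVICE_KERNEL_DRIVER,
# which is the actual "this service is a kernel driver" indicator.
# (Field matches are substring matches in this toolkit, so "\Type" suffices.)
hunter.search(event_id=13, TargetObject="\\Type", Details="0x00000001")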


[*] Found 4 matching events
  1. [2025-10-30 03:47:33Z] PID:3856 - Registry value set (rule: RegistryEvent) 
  2. [2025-10-30 03:47:33Z] PID:3856 - Registry value set (rule: RegistryEvent) 
  3. [2025-10-30 03:48:09Z] PID:3856 - Registry value set (rule: RegistryEvent) 
  4. [2025-10-30 03:48:09Z] PID:3856 - Registry value set (rule: RegistryEvent) 


[{'header': {'activity_id': '{00000000-0000-0000-0000-000000000000}',
   'event_flags': 576,
   'event_id': 13,
   'event_name': '',
   'event_opcode': 0,
   'event_version': 2,
   'process_id': 3856,
   'provider_name': 'Microsoft-Windows-Sysmon',
   'task_name': 'Registry value set (rule: RegistryEvent) ',
   'thread_id': 5992,
   'timestamp': '2025-10-30 03:47:33Z',
   'trace_name': 'codeintegrity'},
  'properties': {'Details': 'DWORD (0x00000001)',
   'EventType': 'SetValue',
   'Image': 'C:\\Windows\\system32\\services.exe',
   'ProcessGuid': '{39898580-DB6A-6902-0B00-000000000300}',
   'ProcessId': 652,
   'RuleName': '-',
   'TargetObject': 'HKLM\\System\\CurrentControlSet\\Services\\NSecKrnl\\Type',
   'User': 'NT AUTHORITY\\SYSTEM',
   'UtcTime': '2025-10-30 03:47:33.765'},
  'property_types': {'Details': 'STRINGW',
   'EventType': 'STRINGW',
   'Image': 'STRINGW',
   'ProcessGuid': 'GUID',
   'ProcessId': 'UINT32',
   'RuleName': 'STRINGW',
   'TargetObject': 'STRINGW',
   'U

 ---
 **What are the logs associated with that driver?**

The two most important records for NSecKrnl.sys are the Sysmon Event 13 registry writes that registered it as a service (above, written by services.exe on behalf of the caller) and the Sysmon Event 6 (DriverLoad) record showing the kernel loading it. On the Event 6 record, also check the Signed / Signature / SignatureStatus fields (standard Sysmon EID 6 fields): BYOVD relies on a *validly signed* vulnerable driver, so a valid signature on a driver loaded from an unexpected path is the tell, not a missing one.

In [8]:
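print("--- Investigating Driver Loads (Sysmon EID 6) ---")
driver_loads = hunter.search(provider_name="Microsoft-Windows-Sysmon", event_id=6, display_limit=10)

# Keep the first load for later pivots, but do not crash the notebook on a
# dataset with no EID 6 hits (the original indexed [0] unconditionally).
discovered_driver_log = driver_loads[0] if driver_loads else None
if discovered_driver_log is None:
    print("[!] No Sysmon EID 6 events found - nothing to pivot on")

print("\n--- Investigating 'NSecKrnl.sys' ---")
# registry_key() summarises every registry operation whose key path contains
# the service name (HKLM\System\CurrentControlSet\Services\NSecKrnl\...).
driver_service_events = hunter.registry_key("NSecKrnl")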

--- Investigating Driver Loads (Sysmon EID 6) ---

[*] Found 2 matching events
  1. [2025-10-30 03:47:34Z] PID:3856 - Driver loaded (rule: DriverLoad) 
  2. [2025-10-30 03:48:20Z] PID:3856 - Driver loaded (rule: DriverLoad) 

--- Investigating 'NSecKrnl.sys' ---

REGISTRY OPERATIONS
Filtered by: NSecKrnl
Total operations: 699
Unique registry keys: 6

Top 10 Most Accessed Keys:
       1x - HKLM\System\CurrentControlSet\Services\NSecKrnl
       1x - HKLM\System\CurrentControlSet\Services\NSecKrnl\Type
       1x - HKLM\System\CurrentControlSet\Services\NSecKrnl\Start
       1x - HKLM\System\CurrentControlSet\Services\NSecKrnl\ErrorControl
       1x - HKLM\System\CurrentControlSet\Services\NSecKrnl\ImagePath
       1x - HKLM\System\CurrentControlSet\Services\NSecKrnl\DisplayName

Processes accessing registry: [652, 756, 2648, 3528, 3856]



The registry summary above lists the service key being created: **HKLM\System\CurrentControlSet\Services\NSecKrnl**.

Other Sysmon Event 13 logs from the same process (PID 652) show the creation of its associated values, such as:

HKLM\System\CurrentControlSet\Services\NSecKrnl\ImagePath 

HKLM\System\CurrentControlSet\Services\NSecKrnl\Type (set to 1 = SERVICE_KERNEL_DRIVER)

HKLM\System\CurrentControlSet\Services\NSecKrnl\Start (set to 2 = SERVICE_AUTO_START)

HKLM\System\CurrentControlSet\Services\NSecKrnl\DisplayName

---
**Can you identify the driver registered by Nsec-Killer.exe?**

NSec-Killer.exe did not write the service registration itself. It asked the Service Control Manager (services.exe, PID 652) to register a driver service whose binary is c:\Users\cyb3r\Downloads\NSecKrnl.sys; the SCM is what actually wrote the registry.
This is confirmed by the Sysmon Event 13 record showing services.exe setting the ImagePath value (the path to the driver file) under the new service key.

**Crude way:**

**event_id:1**
    NSec-Killer.exe: note its ProcessGuid and ProcessId
    cmd.exe --> NSec-Killer.exe (the parent is in ParentImage / ParentProcessGuid of the same event)
**event_id:7**
    Image (NSec-Killer.exe) - the ProcessGuid will be the same as above, and the driver name (nseckrnl) should appear in ImageLoaded. To confirm:
**event_id:12** 
    Image (services.exe) creates the registry TargetObject (...\Services\nseckrnl)
**event_id:10** - SourceImage (services.exe, ProcessGuid {39898580-DB6A-6902-0B00-000000000300}) accessing TargetImage (NSec-Killer.exe)

In [86]:
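print("\n[Link 1] Finding the attacker process (Sysmon EID 1)...")
# Image matching is a substring match in this toolkit (the hit carries the full
# C:\Users\...\NSec-Killer.exe path), so the bare file name is enough.
attacker_matches = hunter.search(provider_name="Microsoft-Windows-Sysmon", event_id=1, Image="NSec-Killer.exe")
if not attacker_matches:
    # The original indexed [0] unconditionally and died with a bare IndexError.
    raise LookupError("no Sysmon EID 1 event for NSec-Killer.exe - cannot continue the chain")
if len(attacker_matches) > 1:
    print(f"[!] {len(attacker_matches)} ProcessCreate hits for NSec-Killer.exe; using the first returned")

attacker_log = attacker_matches[0]
hunter.show(attacker_log)
attacker_props = attacker_log.get("properties", {})
attacker_pid, attacker_guid = attacker_props.get("ProcessId"), attacker_props.get("ProcessGuid")
print(f"--- [+] Artifact Discovered: ProcessGuid = {attacker_guid} ---")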


[Link 1] Finding the attacker process (Sysmon EID 1)...

[*] Found 1 matching events
  1. [2025-10-30 03:47:33Z] PID:3856 - Process Create (rule: ProcessCreate) 

EVENT DETAILS
Timestamp:    2025-10-30 03:47:33Z
Provider:     Microsoft-Windows-Sysmon
Task:         Process Create (rule: ProcessCreate) 
Event ID:     1 | Opcode: 0
Process ID:   3856 | Thread ID: 5992

Properties:
  CommandLine               : NSec-Killer.exe  -n msmpeng.exe
  Company                   : -
  CurrentDirectory          : c:\Users\cyb3r\Downloads\
  Description               : -
  FileVersion               : -
  Hashes                    : SHA1=736230F44614A33720C3D60E35B2E314DE0C9E8C,MD5=858505745A6AB5D5C3516FC007895476,SHA256=889A707...
  Image                     : C:\Users\cyb3r\Downloads\NSec-Killer.exe
  IntegrityLevel            : High
  LogonGuid                 : {39898580-DB88-6902-2284-030000000000}
  LogonId                   : 2284030000000000
  OriginalFileName          : -
  ParentCommandLine

In [62]:
"""
We are checking for the SourceProcessGUID

"""

# Sysmon EID 10 (ProcessAccess) where the *source* is services.exe's ProcessGuid
# (the GUID seen on the EID 13 registry writes above). The first hit's CallTrace
# runs services.exe -> RPCRT4.dll, i.e. the handle is opened while the SCM is
# servicing an RPC request — consistent with NSec-Killer.exe calling the service
# control APIs and the SCM opening its caller, although the RPC method itself is
# not in the record.
hunter.search(SourceProcessGUID = '{39898580-DB6A-6902-0B00-000000000300}',
              event_id =10)


[*] Found 4 matching events
  1. [2025-10-30 03:47:33Z] PID:3856 - Process accessed (rule: ProcessAccess) 
  2. [2025-10-30 03:48:09Z] PID:3856 - Process accessed (rule: ProcessAccess) 
  3. [2025-10-30 03:48:34Z] PID:3856 - Process accessed (rule: ProcessAccess) 
  4. [2025-10-30 03:48:34Z] PID:3856 - Process accessed (rule: ProcessAccess) 


[{'header': {'activity_id': '{00000000-0000-0000-0000-000000000000}',
   'event_flags': 576,
   'event_id': 10,
   'event_name': '',
   'event_opcode': 0,
   'event_version': 3,
   'process_id': 3856,
   'provider_name': 'Microsoft-Windows-Sysmon',
   'task_name': 'Process accessed (rule: ProcessAccess) ',
   'thread_id': 5992,
   'timestamp': '2025-10-30 03:47:33Z',
   'trace_name': 'codeintegrity'},
  'properties': {'CallTrace': 'C:\\Windows\\SYSTEM32\\ntdll.dll+9d524|C:\\Windows\\SYSTEM32\\KERNELBASE.dll+308ee|C:\\Windows\\system32\\services.exe+3643f|C:\\Windows\\system32\\services.exe+25774|C:\\Windows\\system32\\services.exe+254df|C:\\Windows\\system32\\services.exe+5a03a|C:\\Windows\\system32\\services.exe+5a851|C:\\Windows\\SYSTEM32\\RPCRT4.dll+7b253|C:\\Windows\\SYSTEM32\\RPCRT4.dll+7a022|C:\\Windows\\SYSTEM32\\RPCRT4.dll+1e09a|C:\\Windows\\SYSTEM32\\RPCRT4.dll+5dd7a|C:\\Windows\\SYSTEM32\\RPCRT4.dll+58f88|C:\\Windows\\SYSTEM32\\RPCRT4.dll+3a1a6|C:\\Windows\\SYSTEM32\\RPCRT4.d

---
**How do the NSec-Killer.exe process and the registry logs correlate?**

This is an indirect correlation. NSec-Killer.exe (PID 6872) does not write the registry itself: it calls the Service Control Manager, and services.exe (PID 652) performs the registry writes on its behalf. That is why the Sysmon Event 12/13 records name services.exe as the Image while the attacker process never appears in them; the link back to NSec-Killer.exe is the Event 10 record of services.exe opening it during the RPC call.

In [89]:
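from collections import defaultdict
# Per-TargetImage rollup of Sysmon EID 10 (ProcessAccess): how often each image
# was opened, and by which target PIDs / GUIDs. The original built this and
# displayed nothing; print a ranked summary so the most-accessed targets surface
# (MsMpEng.exe is the one NSec-Killer.exe names on its command line).
target_data = defaultdict(lambda: {'count': 0, 'guids': set(), 'pids': set(), 'guid_counts': defaultdict(int)})

for e in hunter.search(provider_name='Microsoft-Windows-Sysmon', event_id=10):
    p = e.get('properties', {})
    img, guid, pid = p.get('TargetImage'), p.get('TargetProcessGUID'), p.get('TargetProcessId')
    if not (img and guid and pid):
        # Skip partial records rather than key the rollup on None.
        continue
    stats = target_data[img]
    stats['count'] += 1
    stats['guids'].add(guid)
    stats['pids'].add(pid)
    stats['guid_counts'][guid] += 1

print(f"\n{len(target_data)} distinct TargetImage values in Sysmon EID 10:\n")
for img, stats in sorted(target_data.items(), key=lambda kv: kv[1]['count'], reverse=True):
    print(f"  {stats['count']:>5}x  {img}  (target PIDs: {sorted(stats['pids'])})")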


[*] Found 242 matching events
[*] Showing first 20 of 242 results
  1. [2025-10-30 03:47:28Z] PID:3856 - Process accessed (rule: ProcessAccess) 
  2. [2025-10-30 03:47:28Z] PID:3856 - Process accessed (rule: ProcessAccess) 
  3. [2025-10-30 03:47:28Z] PID:3856 - Process accessed (rule: ProcessAccess) 
  4. [2025-10-30 03:47:28Z] PID:3856 - Process accessed (rule: ProcessAccess) 
  5. [2025-10-30 03:47:28Z] PID:3856 - Process accessed (rule: ProcessAccess) 
  6. [2025-10-30 03:47:28Z] PID:3856 - Process accessed (rule: ProcessAccess) 
  7. [2025-10-30 03:47:28Z] PID:3856 - Process accessed (rule: ProcessAccess) 
  8. [2025-10-30 03:47:28Z] PID:3856 - Process accessed (rule: ProcessAccess) 
  9. [2025-10-30 03:47:28Z] PID:3856 - Process accessed (rule: ProcessAccess) 
  10. [2025-10-30 03:47:28Z] PID:3856 - Process accessed (rule: ProcessAccess) 
  11. [2025-10-30 03:47:28Z] PID:3856 - Process accessed (rule: ProcessAccess) 
  12. [2025-10-30 03:47:28Z] PID:3856 - Process accessed (rule

---
Bonus: NotifyRoutineAddress is the address of a kernel-mode callback routine. An event carrying it means a driver (legitimate or malicious) has registered a function to be notified of specific events such as process creation, image loading, thread creation or registry changes.

Both records come from the System process (PID 4), which is where kernel code runs, so the event itself does not name the registering driver. The callback addresses (**0xFFFFF80487D91000** and 0xFFFFF80487DA3DD8) are attributed to NSecKrnl.sys because the two events (03:47:33 and 03:48:20) line up with the two Sysmon Event 6 driver loads (03:47:34 and 03:48:20); to confirm, check that each address falls inside the driver's loaded image range. A hook like this lets the driver interpose on events such as process creation.

In [67]:
# Kernel-Audit-API-Calls records carrying a NotifyRoutineAddress (kernel callback
# registration). Both hits run under PID 4 (System), so the record does not name
# the registering driver; attribution to NSecKrnl.sys rests on the timestamps
# lining up with the two Sysmon EID 6 driver loads — confirm against the
# driver's image base/size if available.
hunter.search('NotifyRoutineAddress')


[*] Searching for 'NotifyRoutineAddress' across all fields...
[+] Found 2 events containing 'NotifyRoutineAddress'

Showing all 2 matches:

  1. [2025-10-30 03:47:33Z] PID:4

  2. [2025-10-30 03:48:20Z] PID:4


[{'header': {'activity_id': '{00000000-0000-0000-0000-000000000000}',
   'event_flags': 576,
   'event_id': 1,
   'event_name': '',
   'event_opcode': 0,
   'event_version': 0,
   'process_id': 4,
   'provider_name': 'Microsoft-Windows-Kernel-Audit-API-Calls',
   'task_name': '',
   'thread_id': 5204,
   'timestamp': '2025-10-30 03:47:33Z',
   'trace_name': 'AuditAPITrace01'},
  'properties': {'NotifyRoutineAddress': '0xFFFFF80487D91000',
   'ReturnCode': 0},
  'property_types': {'NotifyRoutineAddress': 'POINTER',
   'ReturnCode': 'UINT32'}},
 {'header': {'activity_id': '{00000000-0000-0000-0000-000000000000}',
   'event_flags': 576,
   'event_id': 1,
   'event_name': '',
   'event_opcode': 0,
   'event_version': 0,
   'process_id': 4,
   'provider_name': 'Microsoft-Windows-Kernel-Audit-API-Calls',
   'task_name': '',
   'thread_id': 5188,
   'timestamp': '2025-10-30 03:48:20Z',
   'trace_name': 'AuditAPITrace01'},
  'properties': {'NotifyRoutineAddress': '0xFFFFF80487DA3DD8',
   'Retu

---
**List the providers and their event IDs for every event that mentions nsec-killer.exe (name match only).**

In [85]:
# (provider, event id) pairs for every record that mentions nsec-killer.exe in
# any field (search() is a case-insensitive, all-field substring match — the
# lower-case query matches 'NSec-Killer.exe'). Records with no provider or a
# falsy event id are skipped.
provider_event_pairs = set()
for event in hunter.search('nsec-killer.exe'):
    header = event.get('header', {})
    provider = header.get('provider_name')
    event_id = header.get('event_id')
    if not provider or not event_id:
        continue
    provider_event_pairs.add((provider, event_id))

for provider, event_id in sorted(provider_event_pairs):
    print(f"  Provider: {provider:<40} Event ID: {event_id}")


[*] Searching for 'nsec-killer.exe' across all fields...
[+] Found 29 events containing 'nsec-killer.exe'

Showing first 20 matches:

  1. [2025-10-30 03:47:33Z] PID:2176
     Found in: properties.FileNameBuffer=\Users\cyb3r\Downloads\NSec-Killer.exe

  2. [2025-10-30 03:47:33Z] PID:2176
     Found in: properties.ImageName=\Device\HarddiskVolume2\Users\cyb3r\Downloads\NSec

  3. [2025-10-30 03:47:33Z] PID:3856
     Found in: properties.TargetImage=c:\Users\cyb3r\Downloads\NSec-Killer.exe

  4. [2025-10-30 03:47:33Z] PID:3856
     Found in: properties.TargetImage=c:\Users\cyb3r\Downloads\NSec-Killer.exe

  5. [2025-10-30 03:47:33Z] PID:3856
     Found in: properties.CommandLine=NSec-Killer.exe  -n msmpeng.exe
     Also in: properties.Image=C:\Users\cyb3r\Downloads\NSec-Killer.exe

  6. [2025-10-30 03:47:33Z] PID:3856
     Found in: properties.TargetImage=c:\Users\cyb3r\Downloads\NSec-Killer.exe

  7. [2025-10-30 03:47:33Z] PID:3856
     Found in: properties.Image=C:\Users\cyb3r\Downloa

----
**What DLLs did the Nsec-Killer.exe process load?**

In [93]:
# Sysmon EID 7 (ImageLoad) for the NSec-Killer.exe process. ImageLoaded is the
# module path; the process's own executable shows up in the set too (first
# entry of the output), so the count is really "images", not just DLLs.
events = hunter.search(
    provider_name="Microsoft-Windows-Sysmon",
    event_id=7,
    Image="Nsec-Killer.exe"
)

loaded_dlls = {
    module
    for module in (event.get('properties', {}).get('ImageLoaded') for event in events)
    if module
}

print(f"\nFound {len(loaded_dlls)} unique DLLs loaded by 'Nsec-Killer.exe':\n")
for dll in sorted(loaded_dlls):
    print(dll)


[*] Found 12 matching events
  1. [2025-10-30 03:47:33Z] PID:3856 - Image loaded (rule: ImageLoad) 
  2. [2025-10-30 03:47:33Z] PID:3856 - Image loaded (rule: ImageLoad) 
  3. [2025-10-30 03:47:33Z] PID:3856 - Image loaded (rule: ImageLoad) 
  4. [2025-10-30 03:47:33Z] PID:3856 - Image loaded (rule: ImageLoad) 
  5. [2025-10-30 03:47:33Z] PID:3856 - Image loaded (rule: ImageLoad) 
  6. [2025-10-30 03:47:33Z] PID:3856 - Image loaded (rule: ImageLoad) 
  7. [2025-10-30 03:47:33Z] PID:3856 - Image loaded (rule: ImageLoad) 
  8. [2025-10-30 03:47:33Z] PID:3856 - Image loaded (rule: ImageLoad) 
  9. [2025-10-30 03:47:33Z] PID:3856 - Image loaded (rule: ImageLoad) 
  10. [2025-10-30 03:47:33Z] PID:3856 - Image loaded (rule: ImageLoad) 
  11. [2025-10-30 03:47:33Z] PID:3856 - Image loaded (rule: ImageLoad) 
  12. [2025-10-30 03:47:33Z] PID:3856 - Image loaded (rule: ImageLoad) 

Found 12 unique DLLs loaded by 'Nsec-Killer.exe':

C:\Users\cyb3r\Downloads\NSec-Killer.exe
C:\Windows\System32\Ke

----
**What DLLs did the msmpeng.exe process load?**

In [None]:
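def unique_image_loads(image_name):
    """Distinct ImageLoaded paths from Sysmon EID 7 events whose Image matches image_name.

    image_name goes through the toolkit's substring match, so a bare file name
    (e.g. 'msmpeng.exe') is enough. Records without ImageLoaded are ignored.
    The same function answers the NSec-Killer.exe question above; it exists so
    the per-process cells stop copy-pasting the loop.
    """
    events = hunter.search(
        provider_name="Microsoft-Windows-Sysmon",
        event_id=7,
        Image=image_name,
    )
    return {
        event.get('properties', {}).get('ImageLoaded')
        for event in events
        if event.get('properties', {}).get('ImageLoaded')
    }


# Same question as the NSec-Killer.exe cell, now for Defender's engine process.
# As seen in the NSec-Killer.exe output, EID 7 also reports the process image
# itself, so treat the count as "images" rather than strictly "DLLs".
loaded_dlls = unique_image_loads("msmpeng.exe")

print(f"\nFound {len(loaded_dlls)} unique DLLs loaded by 'msmpeng.exe':\n")
for dll in sorted(loaded_dlls):
    print(dll)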

---
**Bonus: What Integrity level Nsec-Killer.exe invoked with?**

In [3]:
# Kernel-Process ProcessStart for NSec-Killer.exe (ImageName is a substring match).
# The integrity level is in MandatoryLabel; ProcessTokenIsElevated and
# ProcessTokenElevationType (2 = TokenElevationTypeFull) say whether it ran with
# a full administrator token.
hunter.search(provider_name = 'Microsoft-Windows-Kernel-Process',task_name = 'ProcessStart', ImageName = 'Nsec')


[*] Found 1 matching events
  1. [2025-10-30 03:47:33Z] PID:2176 - ProcessStart


[{'header': {'activity_id': '{00000000-0000-0000-0000-000000000000}',
   'event_flags': 576,
   'event_id': 1,
   'event_name': '',
   'event_opcode': 1,
   'event_version': 3,
   'process_id': 2176,
   'provider_name': 'Microsoft-Windows-Kernel-Process',
   'task_name': 'ProcessStart',
   'thread_id': 7552,
   'timestamp': '2025-10-30 03:47:33Z',
   'trace_name': 'ProcTrace01'},
  'properties': {'CreateTime': '2025-10-30 03:47:33Z',
   'Flags': 0,
   'ImageChecksum': 0,
   'ImageName': '\\Device\\HarddiskVolume2\\Users\\cyb3r\\Downloads\\NSec-Killer.exe',
   'MandatoryLabel': 'Mandatory Label\\High Mandatory Level',
   'PackageFullName': '',
   'PackageRelativeAppId': '',
   'ParentProcessID': 2176,
   'ParentProcessSequenceNumber': 179,
   'ProcessID': 6872,
   'ProcessSequenceNumber': 256,
   'ProcessTokenElevationType': 2,
   'ProcessTokenIsElevated': 1,
   'SessionID': 1,
   'TimeDateStamp': 1761536540},
  'property_types': {'CreateTime': 'FILETIME',
   'Flags': 'UINT32',
   'Imag

---
**Environmental Knowledge**


1. Baseline which drivers are present using the registry logs under \\Registry\\Machine\\System\\CurrentControlSet\\Control\\Compatibility\\Driver\\. Many EDR killers first check whether the driver/service already exists, and that lookup most often returns STATUS_OBJECT_NAME_NOT_FOUND. Unfortunately, Sysmon does not capture all of these operations, and the few it does capture need an extensive baseline. apphelp.dll being loaded by a process is the Application Compatibility check.

2. We (hopefully) know which EDR we run, while the adversary might not (might not, because some tooling is targeted, as in the Sophos-specific cases). Use that asymmetry: any query for an EDR product other than the one actually installed is worth alerting on.

In [23]:
"""
Unique GrantedAccess per SourceProcessId, and TargetProcessId
"""

from collections import defaultdict
# Collapse the GrantedAccess hits (Sysmon EID 10) into one row per
# (source PID, target PID) with the set of access masks requested. Self-access
# (source == target) is dropped, as are records missing any of the three fields.
access_map = defaultdict(set)
for event in hunter.search('GrantedAccess'):
    props = event.get('properties', {})
    source_pid = props.get('SourceProcessId')
    target_pid = props.get('TargetProcessId')
    access = props.get('GrantedAccess')
    if source_pid is None or target_pid is None or access is None:
        continue
    if source_pid == target_pid:
        continue
    access_map[(source_pid, target_pid)].add(access)

print(f"\nFound {len(access_map)} unique (SourceProcessId -> TargetProcessID) pairs (where source != target):\n")
for (source_pid, target_pid), masks in sorted(access_map.items()):
    print(f"  PID: {source_pid:<6} -> Target PID: {target_pid:<6} -> Access Codes: {sorted(masks)}")


[*] Searching for 'GrantedAccess' across all fields...
[+] Found 242 events containing 'GrantedAccess'

Showing first 20 matches:

  1. [2025-10-30 03:47:28Z] PID:3856

  2. [2025-10-30 03:47:28Z] PID:3856

  3. [2025-10-30 03:47:28Z] PID:3856

  4. [2025-10-30 03:47:28Z] PID:3856

  5. [2025-10-30 03:47:28Z] PID:3856

  6. [2025-10-30 03:47:28Z] PID:3856

  7. [2025-10-30 03:47:28Z] PID:3856

  8. [2025-10-30 03:47:28Z] PID:3856

  9. [2025-10-30 03:47:28Z] PID:3856

  10. [2025-10-30 03:47:28Z] PID:3856

  11. [2025-10-30 03:47:28Z] PID:3856

  12. [2025-10-30 03:47:28Z] PID:3856

  13. [2025-10-30 03:47:28Z] PID:3856

  14. [2025-10-30 03:47:28Z] PID:3856

  15. [2025-10-30 03:47:28Z] PID:3856

  16. [2025-10-30 03:47:28Z] PID:3856

  17. [2025-10-30 03:47:28Z] PID:3856

  18. [2025-10-30 03:47:33Z] PID:3856

  19. [2025-10-30 03:47:33Z] PID:3856

  20. [2025-10-30 03:47:33Z] PID:3856

... and 222 more results not displayed
💡 Tip: All 242 results are stored in your variable.
   

----
**Hunt Package 1: Process + File + Registry**

This package hunts the core of the attack: a suspicious process (NSec-Killer.exe) is launched, a service registry entry (the ImagePath value) is written that points at a driver file (NSecKrnl.sys), and that driver is then loaded.

Correlation:

(Process) Sysmon Event 1 shows NSec-Killer.exe (PID 6872) is created.

(Registry) Sysmon Event 13 shows services.exe (PID 652) creating an ImagePath for a service named NSecKrnl.

(File) Sysmon Event 6 shows the kernel loading the driver NSecKrnl.sys from the exact path specified in the registry log.

---
**Package 2: Registry + Service Process + Registry + Image**

High-fidelity chain, showing the complete service installation and driver load sequence.

Correlation:

(Registry - CreateKey): Sysmon Event 12 shows a new service key NSecKrnl being created.

(Service Process): The same log identifies the actor: Image: C:\\Windows\\system32\\services.exe (PID 652).

(Registry - Configure): Sysmon Event 13 shows the same process (PID 652) setting the ImagePath to NSecKrnl.sys.

(Image - Load): Sysmon Event 6 shows the kernel loading the exact file from the ImagePath: ImageLoaded: ...NSecKrnl.sys.

----
**Package 3: Registry + Service (Cleanup)**
The creation of a service registry key followed by an sc.exe (Service Control) command targeting the same service name. The delete command was deliberately left out of this walkthrough, but you should be able to find it in the log.

Correlation:

(Registry): Sysmon Event 12 shows the creation of the service key HKLM\\...\\NSecKrnl.

(Service): A Sysmon Event 1 log shows sc.exe being used to interact with a service named nseckrnl (the CommandLine field).

---
**Check the logic of Package 2:**

A Registry Event (Sysmon 12 or 13) from the Service Process (services.exe, PID 652) creates or modifies a service's ImagePath.

An Image Load Event (Sysmon 6) occurs where the ImageLoaded file path matches the ImagePath from the registry.

Using this exact logic, we find another suspicious driver load in the logs — one that did not go on to perform the full BYOVD chain.

**A Registry Event**

We find a log where services.exe (PID 652) sets a new, suspicious ImagePath: the service name is changed_to_exe and the file is Sysnom.exe. The sc.exe command lines (Sysmon Event 1) that triggered those registry writes:

Image: C:\Windows\System32\sc.exe

CommandLine: sc create changed_to_exe type = kernel binpath=C:\Users\cyb3r\Downloads\Sysnom.exe


Image: C:\Windows\System32\sc.exe

CommandLine: sc create changed_to_exe type=kernel binpath=C:\Users\cyb3r\Downloads\Sysnom.exe

**The Image Load Event**
The kernel loads the exact file specified in the ImagePath from Step 1.

This is not a BYOVD attack aimed at killing Defender, but it is a successful hunt for a suspicious driver load using the same pattern. An .exe (Sysnom.exe) being loaded as a driver shows that the file extension is irrelevant — the loader only cares about the PE structure being intact. Whether such a load is actually accepted depends on signature enforcement; check the Sysmon Event 6 signature fields and the Microsoft-Windows-CodeIntegrity events in this dataset for the same path.


In [95]:
from collections import defaultdict

# This function creates a new, empty dictionary for our defaultdict
def new_target_entry():
    """Fresh per-TargetImage accumulator: hit count, target GUID/PID sets, hits per GUID."""
    entry = {
        'count': 0,
        'target_process_guids': set(),
        'target_process_ids': set(),
    }
    entry['target_process_guid_count'] = defaultdict(int)
    return entry

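target_data = defaultdict(new_target_entry)

# --- 1. Process the Data ---
# `processaccess` is not defined anywhere in this notebook, so on a fresh kernel
# this cell raised NameError. The loop reads the Sysmon EID 10 property names
# (TargetImage / TargetProcessGUID / TargetProcessId), so populate it from the
# same query the earlier ProcessAccess rollup used, unless a previous cell
# already set it.
if 'processaccess' not in globals():
    processaccess = hunter.search(provider_name='Microsoft-Windows-Sysmon', event_id=10)

for event in processaccess:
    props = event.get('properties', {})
    target_image = props.get('TargetImage')
    target_guid = props.get('TargetProcessGUID')
    target_pid = props.get('TargetProcessId')
    if not (target_image and target_guid and target_pid):
        continue  # incomplete record: do not key the rollup on None
    stats = target_data[target_image]
    stats['count'] += 1
    stats['target_process_guids'].add(target_guid)
    stats['target_process_ids'].add(target_pid)
    stats['target_process_guid_count'][target_guid] += 1

# --- 2. Show it --- (the original built the rollup and displayed nothing)
for target_image, stats in sorted(target_data.items(), key=lambda kv: kv[1]['count'], reverse=True):
    print(f"  {stats['count']:>5}x  {target_image}  targets={sorted(stats['target_process_ids'])}")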

In [3]:
"""
Checking the Nsec-Killer.exe using the TargetProcessGUID. It shows, MsmpEng.exe is "scanning" Nsec-Killer.exe" when it is invoked by cmd.exe
with ParentProcessGuid': '{39898580-DC27-6902-B300-000000000300}' and 'properties': {'CommandLine': 'NSec-Killer.exe  -n msmpeng.exe'. 
Nsec-Killer then loads DLLs it suppose to, invokes service.exe to register the system driver
"""
# All-field search for one ProcessGuid. It shows up as TargetProcessGUID on EID 10
# hits whose CallTrace runs through Defender's mpengine.dll (the engine opening
# the new process), and as ProcessGuid on the process's own events. Presumably
# this is NSec-Killer.exe's ProcessGuid — confirm against the EID 1 output above.
hunter.search('{39898580-DFD5-6902-0001-000000000300}')


[*] Searching for '{39898580-DFD5-6902-0001-000000000300}' across all fields...
[+] Found 24 events containing '{39898580-DFD5-6902-0001-000000000300}'

Showing first 20 matches:

  1. [2025-10-30 03:47:33Z] PID:3856
     Found in: properties.TargetProcessGUID={39898580-DFD5-6902-0001-000000000300}

  2. [2025-10-30 03:47:33Z] PID:3856
     Found in: properties.TargetProcessGUID={39898580-DFD5-6902-0001-000000000300}

  3. [2025-10-30 03:47:33Z] PID:3856
     Found in: properties.ProcessGuid={39898580-DFD5-6902-0001-000000000300}

  4. [2025-10-30 03:47:33Z] PID:3856
     Found in: properties.TargetProcessGUID={39898580-DFD5-6902-0001-000000000300}

  5. [2025-10-30 03:47:33Z] PID:3856
     Found in: properties.ProcessGuid={39898580-DFD5-6902-0001-000000000300}

  6. [2025-10-30 03:47:33Z] PID:3856
     Found in: properties.ProcessGuid={39898580-DFD5-6902-0001-000000000300}

  7. [2025-10-30 03:47:33Z] PID:3856
     Found in: properties.ProcessGuid={39898580-DFD5-6902-0001-00000000030

[{'header': {'activity_id': '{00000000-0000-0000-0000-000000000000}',
   'event_flags': 576,
   'event_id': 10,
   'event_name': '',
   'event_opcode': 0,
   'event_version': 3,
   'process_id': 3856,
   'provider_name': 'Microsoft-Windows-Sysmon',
   'task_name': 'Process accessed (rule: ProcessAccess) ',
   'thread_id': 5992,
   'timestamp': '2025-10-30 03:47:33Z',
   'trace_name': 'codeintegrity'},
  'properties': {'CallTrace': 'C:\\Windows\\SYSTEM32\\ntdll.dll+9d524|C:\\Windows\\SYSTEM32\\KERNELBASE.dll+308ee|C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\mpengine.dll+35d597|C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\mpengine.dll+298796|C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\mpengine.dll+29b60b|C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\mpengine.dll+29c323|C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\mpengine.dll+3052a6|C:\\Pr

In [49]:
# Everything targeting PID 2648 (MsMpEng.exe, per the cells below). The hits are
# Kernel-Audit-API-Calls EID 5 with DesiredAccess 2147483648 (0x80000000); this
# provider's EID 5 is generally documented as OpenProcess — confirm against the
# provider manifest before relying on it.
hunter.search(TargetProcessId = 2648)


[*] Found 9 matching events
  1. [2025-10-30 03:47:33Z] PID:2648 - 
  2. [2025-10-30 03:47:33Z] PID:2648 - 
  3. [2025-10-30 03:47:33Z] PID:2648 - 
  4. [2025-10-30 03:47:33Z] PID:2648 - 
  5. [2025-10-30 03:47:33Z] PID:2648 - 
  6. [2025-10-30 03:47:33Z] PID:2648 - 
  7. [2025-10-30 03:47:34Z] PID:2648 - 
  8. [2025-10-30 03:47:34Z] PID:2648 - 
  9. [2025-10-30 03:47:34Z] PID:2648 - 


[{'header': {'activity_id': '{00000000-0000-0000-0000-000000000000}',
   'event_flags': 576,
   'event_id': 5,
   'event_name': '',
   'event_opcode': 0,
   'event_version': 0,
   'process_id': 2648,
   'provider_name': 'Microsoft-Windows-Kernel-Audit-API-Calls',
   'task_name': '',
   'thread_id': 5600,
   'timestamp': '2025-10-30 03:47:33Z',
   'trace_name': 'AuditAPITrace01'},
  'properties': {'DesiredAccess': 2147483648,
   'ReturnCode': 0,
   'TargetProcessId': 2648},
  'property_types': {'DesiredAccess': 'UINT32',
   'ReturnCode': 'UINT32',
   'TargetProcessId': 'UINT32'}},
 {'header': {'activity_id': '{00000000-0000-0000-0000-000000000000}',
   'event_flags': 576,
   'event_id': 5,
   'event_name': '',
   'event_opcode': 0,
   'event_version': 0,
   'process_id': 2648,
   'provider_name': 'Microsoft-Windows-Kernel-Audit-API-Calls',
   'task_name': '',
   'thread_id': 5600,
   'timestamp': '2025-10-30 03:47:33Z',
   'trace_name': 'AuditAPITrace01'},
  'properties': {'DesiredAcces

In [91]:
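import json  # kept: imported here in the recorded run; later cells may depend on it

VICTIM_PID, ATTACKER_PID_STR = 2648, "6872"


def _mentions_pid(obj, pid_str):
    """Return True when any scalar value in a (nested) event equals the PID.

    Values are compared as whole strings (``str(value) == pid_str``), so PID 6872
    is not confused with a thread id, GUID fragment or CallTrace offset that merely
    contains the digits "6872" — the substring test on the serialised JSON that
    this replaces matched all of those and inflated the correlation.

    Args:
        obj: an event dict, or any nested dict / list / scalar inside one.
        pid_str: the PID to look for, as a string.
    """
    if isinstance(obj, dict):
        return any(_mentions_pid(v, pid_str) for v in obj.values())
    if isinstance(obj, (list, tuple)):
        return any(_mentions_pid(v, pid_str) for v in obj)
    return str(obj) == pid_str


print(f"--- Part 1: Searching for all events targeting PID {VICTIM_PID} ---")
victim_access_events = hunter.search(TargetProcessId=VICTIM_PID, display_limit=None)

print(f"\n--- Part 2: Correlating logs for attacker PID '{ATTACKER_PID_STR}' ---")
# Keep only the events in which some field is exactly the attacker PID.
correlating_logs = [log for log in victim_access_events if _mentions_pid(log, ATTACKER_PID_STR)]
for log in correlating_logs:
    hunter.show(log)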

--- Part 1: Searching for all events targeting PID 2648 ---

[*] Found 128 matching events
[*] Showing first 20 of 128 results
  1. [2025-10-30 03:47:33Z] PID:2648 - 
  2. [2025-10-30 03:47:33Z] PID:2648 - 
  3. [2025-10-30 03:47:33Z] PID:2648 - 
  4. [2025-10-30 03:47:33Z] PID:2648 - 
  5. [2025-10-30 03:47:33Z] PID:2648 - 
  6. [2025-10-30 03:47:33Z] PID:704 - 
  7. [2025-10-30 03:47:33Z] PID:704 - 
  8. [2025-10-30 03:47:33Z] PID:704 - 
  9. [2025-10-30 03:47:33Z] PID:704 - 
  10. [2025-10-30 03:47:33Z] PID:968 - 
  11. [2025-10-30 03:47:33Z] PID:968 - 
  12. [2025-10-30 03:47:33Z] PID:968 - 
  13. [2025-10-30 03:47:33Z] PID:968 - 
  14. [2025-10-30 03:47:33Z] PID:2648 - 
  15. [2025-10-30 03:47:33Z] PID:3856 - Process accessed (rule: ProcessAccess) 
  16. [2025-10-30 03:47:33Z] PID:2648 - 
  17. [2025-10-30 03:47:33Z] PID:2648 - 
  18. [2025-10-30 03:47:33Z] PID:2648 - 
  19. [2025-10-30 03:47:33Z] PID:2648 - 
  20. [2025-10-30 03:47:33Z] PID:704 - 

... and 108 more results not di

In [21]:
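# NSec-Killer (PID 6872) issuing an audited kernel API call against MsMpEng.exe
# (PID 2648). The Kernel-Audit-API-Calls record carries only event_id, ReturnCode
# and TargetProcessId, so this cell alone does not say which API was called.
# NOTE(review): public ETW research maps this provider's event_ids to specific
# APIs (event_id 2 is commonly documented as a process-termination audit) —
# confirm against a provider manifest before relying on that reading.
hunter.search(process_id=6872, TargetProcessId=2648)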


[*] Found 1 matching events
  1. [2025-10-30 03:47:33Z] PID:6872 - 


[{'header': {'activity_id': '{00000000-0000-0000-0000-000000000000}',
   'event_flags': 576,
   'event_id': 2,
   'event_name': '',
   'event_opcode': 0,
   'event_version': 0,
   'process_id': 6872,
   'provider_name': 'Microsoft-Windows-Kernel-Audit-API-Calls',
   'task_name': '',
   'thread_id': 2856,
   'timestamp': '2025-10-30 03:47:33Z',
   'trace_name': 'AuditAPITrace01'},
  'properties': {'ReturnCode': 0, 'TargetProcessId': 2648},
  'property_types': {'ReturnCode': 'UINT32', 'TargetProcessId': 'UINT32'}}]

In [19]:
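# Confirm PID 2648 is MsMpEng.exe: the Sysmon events for ProcessId 2648 carry
# Image = C:\Program Files\Windows Defender\MsMpEng.exe, and the last match is
# its ProcessTerminate event, about one second after the audited API call above.
# ProcessId is UINT32 in the Sysmon schema and other cells pass PIDs as int; the
# string form is kept here because the recorded run matched with it.
hunter.search(ProcessId='2648')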



[*] Found 11 matching events
  1. [2025-10-30 03:47:33Z] PID:3856 - Registry object added or deleted (rule: RegistryEvent) 
  2. [2025-10-30 03:47:33Z] PID:3856 - Registry value set (rule: RegistryEvent) 
  3. [2025-10-30 03:47:33Z] PID:3856 - Registry value set (rule: RegistryEvent) 
  4. [2025-10-30 03:47:33Z] PID:3856 - File Delete logged (rule: FileDeleteDetected) 
  5. [2025-10-30 03:47:33Z] PID:3856 - File created (rule: FileCreate) 
  6. [2025-10-30 03:47:33Z] PID:3856 - Registry object added or deleted (rule: RegistryEvent) 
  7. [2025-10-30 03:47:33Z] PID:3856 - File created (rule: FileCreate) 
  8. [2025-10-30 03:47:33Z] PID:3856 - File created (rule: FileCreate) 
  9. [2025-10-30 03:47:33Z] PID:3856 - RawAccessRead detected (rule: RawAccessRead) 
  10. [2025-10-30 03:47:33Z] PID:3856 - File Block Executable (rule: FileBlockExecutable) 
  11. [2025-10-30 03:47:34Z] PID:3856 - Process terminated (rule: ProcessTerminate) 


[{'header': {'activity_id': '{00000000-0000-0000-0000-000000000000}',
   'event_flags': 576,
   'event_id': 12,
   'event_name': '',
   'event_opcode': 0,
   'event_version': 2,
   'process_id': 3856,
   'provider_name': 'Microsoft-Windows-Sysmon',
   'task_name': 'Registry object added or deleted (rule: RegistryEvent) ',
   'thread_id': 5992,
   'timestamp': '2025-10-30 03:47:33Z',
   'trace_name': 'codeintegrity'},
  'properties': {'EventType': 'CreateKey',
   'Image': 'C:\\Program Files\\Windows Defender\\MsMpEng.exe',
   'ProcessGuid': '{39898580-DB72-6902-3F00-000000000300}',
   'ProcessId': 2648,
   'RuleName': '-',
   'TargetObject': 'HKLM\\System\\CurrentControlSet\\Control\\Hvsi',
   'User': 'NT AUTHORITY\\SYSTEM',
   'UtcTime': '2025-10-30 03:47:33.672'},
  'property_types': {'EventType': 'STRINGW',
   'Image': 'STRINGW',
   'ProcessGuid': 'GUID',
   'ProcessId': 'UINT32',
   'RuleName': 'STRINGW',
   'TargetObject': 'STRINGW',
   'User': 'STRINGW',
   'UtcTime': 'STRINGW'}},

In [34]:
# Sysmon EventID 12 CreateKey events from the services.exe ProcessGuid (PID 652).
# The first hit creates HKLM\System\CurrentControlSet\Services\NSecKrnl, which is
# consistent with a driver service named NSecKrnl being registered.
hunter.search(
    provider_name='Microsoft-Windows-Sysmon',
    event_id=12,
    EventType='CreateKey',
    ProcessGuid='{39898580-DB6A-6902-0B00-000000000300}',
)


[*] Found 2 matching events
  1. [2025-10-30 03:47:33Z] PID:3856 - Registry object added or deleted (rule: RegistryEvent) 
  2. [2025-10-30 03:48:09Z] PID:3856 - Registry object added or deleted (rule: RegistryEvent) 


[{'header': {'activity_id': '{00000000-0000-0000-0000-000000000000}',
   'event_flags': 576,
   'event_id': 12,
   'event_name': '',
   'event_opcode': 0,
   'event_version': 2,
   'process_id': 3856,
   'provider_name': 'Microsoft-Windows-Sysmon',
   'task_name': 'Registry object added or deleted (rule: RegistryEvent) ',
   'thread_id': 5992,
   'timestamp': '2025-10-30 03:47:33Z',
   'trace_name': 'codeintegrity'},
  'properties': {'EventType': 'CreateKey',
   'Image': 'C:\\Windows\\system32\\services.exe',
   'ProcessGuid': '{39898580-DB6A-6902-0B00-000000000300}',
   'ProcessId': 652,
   'RuleName': '-',
   'TargetObject': 'HKLM\\System\\CurrentControlSet\\Services\\NSecKrnl',
   'User': 'NT AUTHORITY\\SYSTEM',
   'UtcTime': '2025-10-30 03:47:33.765'},
  'property_types': {'EventType': 'STRINGW',
   'Image': 'STRINGW',
   'ProcessGuid': 'GUID',
   'ProcessId': 'UINT32',
   'RuleName': 'STRINGW',
   'TargetObject': 'STRINGW',
   'User': 'STRINGW',
   'UtcTime': 'STRINGW'}},
 {'heade

In [36]:
# Kernel-Process ProcessStart events. In the first hit the header process_id (2176)
# matches properties.ParentProcessID, while the started process is
# properties.ProcessID — NSec-Killer.exe as PID 6872, elevated
# (ProcessTokenIsElevated=1, High Mandatory Level). Read the PID in the summary
# line as the creator, not the new process.
hunter.search(
    provider_name='Microsoft-Windows-Kernel-Process',
    task_name='ProcessStart',
)


[*] Found 6 matching events
  1. [2025-10-30 03:47:33Z] PID:2176 - ProcessStart
  2. [2025-10-30 03:47:38Z] PID:7224 - ProcessStart
  3. [2025-10-30 03:48:09Z] PID:7224 - ProcessStart
  4. [2025-10-30 03:48:19Z] PID:7224 - ProcessStart
  5. [2025-10-30 03:48:34Z] PID:652 - ProcessStart
  6. [2025-10-30 03:49:07Z] PID:5000 - ProcessStart


[{'header': {'activity_id': '{00000000-0000-0000-0000-000000000000}',
   'event_flags': 576,
   'event_id': 1,
   'event_name': '',
   'event_opcode': 1,
   'event_version': 3,
   'process_id': 2176,
   'provider_name': 'Microsoft-Windows-Kernel-Process',
   'task_name': 'ProcessStart',
   'thread_id': 7552,
   'timestamp': '2025-10-30 03:47:33Z',
   'trace_name': 'ProcTrace01'},
  'properties': {'CreateTime': '2025-10-30 03:47:33Z',
   'Flags': 0,
   'ImageChecksum': 0,
   'ImageName': '\\Device\\HarddiskVolume2\\Users\\cyb3r\\Downloads\\NSec-Killer.exe',
   'MandatoryLabel': 'Mandatory Label\\High Mandatory Level',
   'PackageFullName': '',
   'PackageRelativeAppId': '',
   'ParentProcessID': 2176,
   'ParentProcessSequenceNumber': 179,
   'ProcessID': 6872,
   'ProcessSequenceNumber': 256,
   'ProcessTokenElevationType': 2,
   'ProcessTokenIsElevated': 1,
   'SessionID': 1,
   'TimeDateStamp': 1761536540},
  'property_types': {'CreateTime': 'FILETIME',
   'Flags': 'UINT32',
   'Imag

---
# Multiple events for NsecKrnl that you can use in your investigation 

In [1]:
# Requires `hunter` from the loader cell; the recorded NameError came from running
# this on a fresh kernel. Whether ImageName='Nsec' is matched as a substring of the
# full path (\Device\...\NSec-Killer.exe) depends on hunter.search — confirm that
# before trusting an empty result.
hunter.search(
    provider_name='Microsoft-Windows-Kernel-Process',
    task_name='ProcessStart',
    ImageName='Nsec',
)

NameError: name 'hunter' is not defined

---
# Process Tree

In [10]:
from collections import defaultdict

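print("="*70)
print("Process VIEW")
print("="*70)
# NOTE(review): the recorded output of this cell is headed
# "SYSMON COMPLETE VIEW (Multi-Event Consolidation)", not "Process VIEW" — the
# cell was edited after it ran; re-run under a fresh kernel before trusting it.

# One record per Sysmon ProcessGuid, consolidated across every event type.
process_data = defaultdict(lambda: {
    'events': [],
    'pid': None,
    'parent_guid': None,
    'parent_pid': None,
    'image': None,
    'cmdline': None,
    'user': None,
    'integrity': None,
    'timestamps': [],
    'terminated': False,
    'exit_code': None,
    'children': []
})

# Gather all Sysmon events (search also prints its first 20 hits as a side effect)
for event in hunter.search(provider_name='Microsoft-Windows-Sysmon'):
    props = event.get('properties', {})
    header = event.get('header', {})
    task_name = header.get('task_name') or ''

    # Process as source. Events such as ProcessAccess describe the acting process
    # with Source* fields (SourceProcessGUID / SourceProcessId / SourceImage) rather
    # than ProcessGuid / ProcessId / Image. Without the fallbacks a process seen
    # only as an access source kept an empty image and was dropped from
    # `processes` below — exactly the process most worth seeing in this tree.
    src_guid = props.get('ProcessGuid') or props.get('SourceProcessGUID')
    if src_guid:
        rec = process_data[src_guid]
        rec['events'].append(header.get('task_name'))
        # First non-empty value wins for the identity fields
        rec['pid'] = rec['pid'] or props.get('ProcessId') or props.get('SourceProcessId')
        rec['parent_guid'] = rec['parent_guid'] or props.get('ParentProcessGuid')
        rec['parent_pid'] = rec['parent_pid'] or props.get('ParentProcessId')
        image_path = props.get('Image') or props.get('SourceImage') or ''
        rec['image'] = rec['image'] or image_path.split('\\')[-1]
        rec['cmdline'] = rec['cmdline'] or props.get('CommandLine')
        rec['user'] = rec['user'] or props.get('User')
        rec['integrity'] = rec['integrity'] or props.get('IntegrityLevel')

        timestamp = props.get('UtcTime') or header.get('timestamp')
        if timestamp and timestamp not in rec['timestamps']:
            rec['timestamps'].append(timestamp)

    # Target processes (e.g. the process accessed in a ProcessAccess event)
    target_guid = props.get('TargetProcessGUID')
    if target_guid:
        process_data[target_guid]['events'].append(f"Target: {header.get('task_name')}")

    # Termination is flagged from the Sysmon task name ("... (rule: ProcessTerminate)")
    if 'ProcessTerminate' in task_name:
        term_guid = props.get('ProcessGuid')
        if term_guid:
            process_data[term_guid]['terminated'] = True

# Keep only processes for which an image name was recovered
processes = {guid: data for guid, data in process_data.items() if data['image']}

print(f"Collected {len(processes)} unique processes from Sysmon events")

# Link children to parents that were themselves observed
for guid, info in processes.items():
    parent_guid = info['parent_guid']
    if parent_guid and parent_guid in processes:
        processes[parent_guid]['children'].append(guid)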

# Print tree
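def print_tree(guid, indent=0, visited=None):
    """Print the process `guid` and, recursively, its children from `processes`.

    Args:
        guid: ProcessGuid key into the module-level `processes` dict.
        indent: nesting depth; two spaces per level.
        visited: set of GUIDs already printed, shared down one recursion so a
            cycle in parent links cannot recurse forever. A fresh set is created
            per top-level call — the original used a mutable default (`set()`),
            which every call shares for the lifetime of the function object.
    """
    if visited is None:
        visited = set()
    if guid in visited or guid not in processes:
        return
    visited.add(guid)
    info = processes[guid]

    term_flag = "üíÄ" if info['terminated'] else ""
    event_count = len(set(info['events']))  # distinct task names seen for this process

    print(f"{'  ' * indent}‚îú‚îÄ {info['image']} (PID: {info['pid']}, {info['user']}, {info['integrity']}) {term_flag}")
    if info['cmdline']:
        print(f"{'  ' * indent}‚îÇ  ‚îî‚îÄ {info['cmdline'][:100]}")  # command line truncated to 100 chars
    print(f"{'  ' * indent}‚îÇ  ‚îî‚îÄ Events: {event_count} types | Timestamps: {len(info['timestamps'])}")

    for child_guid in info['children']:
        print_tree(child_guid, indent + 1, visited)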

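# Find roots: processes whose parent GUID was never observed in the Sysmon events
roots = [g for g, info in processes.items() if info['parent_guid'] not in processes]

print(f"\nProcess Tree ({len(processes)} processes, {len(roots)} roots):")
print("Legend: üíÄ = Terminated\n")

# Roots ordered by their earliest timestamp; roots with no timestamps sort first
for root in sorted(roots, key=lambda g: min(processes[g]['timestamps']) if processes[g]['timestamps'] else ''):
    print_tree(root)

# Statistics
print(f"\n{'='*70}")
print("STATISTICS")
print(f"{'='*70}")
total = len(processes)
terminated = sum(1 for p in processes.values() if p['terminated'])
# Guard the average: the original divided by len(processes) unconditionally and
# raised ZeroDivisionError when the Sysmon search returned nothing.
avg_events = (sum(len(set(p['events'])) for p in processes.values()) / total) if total else 0.0
print(f"Total processes:     {total}")
print(f"Terminated:          {terminated}")
print(f"Avg events/process:  {avg_events:.1f}")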

SYSMON COMPLETE VIEW (Multi-Event Consolidation)

[*] Found 602 matching events
[*] Showing first 20 of 602 results
  1. [2025-10-30 03:47:28Z] PID:3856 - File created (rule: FileCreate) 
  2. [2025-10-30 03:47:28Z] PID:3856 - File created (rule: FileCreate) 
  3. [2025-10-30 03:47:28Z] PID:3856 - Image loaded (rule: ImageLoad) 
  4. [2025-10-30 03:47:28Z] PID:3856 - Image loaded (rule: ImageLoad) 
  5. [2025-10-30 03:47:28Z] PID:3856 - Image loaded (rule: ImageLoad) 
  6. [2025-10-30 03:47:28Z] PID:3856 - Registry object added or deleted (rule: RegistryEvent) 
  7. [2025-10-30 03:47:28Z] PID:3856 - Registry object added or deleted (rule: RegistryEvent) 
  8. [2025-10-30 03:47:28Z] PID:3856 - Process accessed (rule: ProcessAccess) 
  9. [2025-10-30 03:47:28Z] PID:3856 - Process accessed (rule: ProcessAccess) 
  10. [2025-10-30 03:47:28Z] PID:3856 - Image loaded (rule: ImageLoad) 
  11. [2025-10-30 03:47:28Z] PID:3856 - Image loaded (rule: ImageLoad) 
  12. [2025-10-30 03:47:28Z] PID:38