| Event ID | Description |
|---|---|
| 1 | Process creation |
| 2 | File creation time changed (defense evasion, a.k.a. time stomping) |
| 3 | Network connection |
| 4 | Sysmon service state change |
| 5 | Process termination |
| 6 | Driver loaded |
| 7 | Image loaded |
| 8 | CreateRemoteThread detected |
| 9 | Raw disk access detected |
| 10 | Process access (can detect credential dumping attempts, e.g., via lsass.exe) |
| 11 | File created |
| 12 | Registry object added/modified |
| 13 | Detects renaming of registry keys/values |
| 14 | File creation hashes |
| 15 | File stream created (commonly produced when a browser finishes a download and the system writes the Zone.Identifier stream) |
| 16 | Logs changes to the Sysmon configuration |
| 17 | Pipe creation |
| 18 | Pipe connection |
| 19 | WMI filter creation |
| 20 | WMI consumer creation |
| 21 | WMI consumer binding creation |
| 22 | DNS query detected |
| 23 | File deletion detected |
| 24 | Clipboard change detected |
| 25 | Process tampering detected (hollowing) |
| 26 | File network share event detected |
| 29 | File executable detected (logs when a file becomes executable via a file extension or script change) |
| 30 | File executable detected from a newly created file (logs when a new executable file is created and run; more detailed than event 29) |