| EventID | Description |
|---|---|
| 1 | Process creation (logs executed processes, command lines, and parent-child relationships). |
| 3 | Network connection (logs TCP/UDP connections, including source/destination IPs and ports). |
| 4 | Sysmon service state change (e.g., Sysmon starts/stops or crashes). |
| 6 | Driver loaded (tracks kernel-mode drivers, often abused by rootkits). |
| 10 | Process access (detects when a process opens another process, e.g., LSASS credential dumping). |
| 11 | File creation (tracks files written to disk, e.g., malware drops in %Temp%). |
| 12 | Registry key/value creation/deletion (monitors persistence mechanisms like Run keys). |
| 13 | Registry value modification (logs changes to existing registry entries). |
| 16 | Sysmon service configuration change (alerts if someone modifies Sysmon rules/config). |
| 22 | DNS query (records domain lookups, e.g., beaconing to C2 servers). |
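As an added example (not part of the original gist), the Python below parses Sysmon events in the XML shape Sysmon writes to the Microsoft-Windows-Sysmon/Operational channel, dispatches on the EventID column above, and emits one defender-side finding for the use case each row mentions (LSASS access, Temp drops, Run-key persistence, config changes, DNS from scripting hosts, unsigned drivers, service stops). The sample events, host paths, domain, and the LSASS allowlist are constructed assumptions for the demo; the rule thresholds (Office app spawning a shell, scripting-host DNS, and so on) are illustrative, not Sysmon's own behaviour.

```python
"""Route rendered Sysmon events by EventID and raise defender-side findings.

Added example, not code from the original gist. Field names follow the
Sysmon EventData schema; every value below is constructed for the demo.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: processes that legitimately open LSASS on this host; tune per environment.
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}
EXEC_EXT = (".exe", ".dll", ".scr", ".ps1", ".vbs", ".js")


def basename(path):
    """Lower-cased file name of a Windows path ('' if path is empty)."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) from one rendered Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def analyse(event_id, d):
    """One illustrative rule per EventID in the table; returns a finding string or None."""
    if event_id == 1 and basename(d.get("ParentImage", "")) in OFFICE and basename(d.get("Image", "")) in SHELLS:
        return f"Office app {basename(d['ParentImage'])} spawned {basename(d['Image'])}: {d.get('CommandLine', '')}"
    if event_id == 4 and d.get("State", "").lower() == "stopped":
        return "Sysmon service stopped"
    if event_id == 6 and d.get("Signed", "").lower() != "true":
        return f"Unsigned driver loaded: {d.get('ImageLoaded', '?')}"
    if event_id == 10 and basename(d.get("TargetImage", "")) == "lsass.exe" \
            and d.get("SourceImage", "").lower() not in LSASS_ALLOWLIST:
        return f"Non-allowlisted process opened LSASS: {d['SourceImage']} (GrantedAccess {d.get('GrantedAccess', '?')})"
    if event_id == 11 and "\\temp\\" in d.get("TargetFilename", "").lower() \
            and d["TargetFilename"].lower().endswith(EXEC_EXT):
        return f"Executable written to Temp: {d['TargetFilename']} by {d.get('Image', '?')}"
    if event_id in (12, 13) and "\\currentversion\\run" in d.get("TargetObject", "").lower():
        return f"Run-key persistence change by {d.get('Image', '?')}: {d['TargetObject']}"
    if event_id == 16:
        return f"Sysmon configuration changed: {d.get('Configuration', '?')}"
    if event_id == 22 and basename(d.get("Image", "")) in SHELLS:
        return f"DNS query from scripting host {basename(d['Image'])}: {d.get('QueryName', '?')}"
    return None


def make_event(event_id, **fields):
    """Build a minimal Sysmon-style event XML (constructed sample, not a captured log)."""
    data = "".join(f'<Data Name="{k}">{escape(str(v))}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID></System><EventData>{data}</EventData></Event>')


# Constructed sample events: paths, SID and domain are made up for the demo.
SAMPLE_EVENTS = [
    make_event(1, Image=r"C:\Windows\System32\cmd.exe", CommandLine="cmd.exe /c dir",
               ParentImage=r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    make_event(10, SourceImage=r"C:\Users\alice\AppData\Local\Temp\tool.exe",
               TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x1010"),
    make_event(10, SourceImage=r"C:\Windows\system32\csrss.exe",          # allowlisted: no finding
               TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x1FFFFF"),
    make_event(12, EventType="CreateKey", Image=r"C:\Users\alice\AppData\Local\Temp\tool.exe",
               TargetObject=r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    make_event(22, Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               QueryName="updates.example.net"),
    make_event(3, Image=r"C:\Program Files\Browser\browser.exe",          # no rule for plain 443 traffic
               DestinationIp="198.51.100.7", DestinationPort="443"),
    make_event(16, Configuration=r"C:\Sysmon\config.xml"),
]


def run(events=SAMPLE_EVENTS):
    """Parse every event and return the list of findings (non-None results)."""
    return [f for f in (analyse(*parse_event(e)) for e in events) if f]


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

In production the XML would come from `Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational` (rendered with `.ToXml()`) or from a log shipper rather than `make_event`; the dispatch and rule shape stay the same. The allowlist approach for EventID 10 is the part that needs the most tuning, since AV and EDR agents also open LSASS legitimately.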
Created August 15, 2025 04:45