Sysmon

Sysmon Overview:

Critical tool for hunting on Windows machines and should be installed. Documentation that includes each event type detail provided below.

Alert Types:

Tag

Event

ProcessCreate

Process Create

FileCreateTime

File creation time

NetworkConnect

Network connection detected

n/a

Sysmon service state change (cannot be filtered)

ProcessTerminate

Process terminated

DriverLoad

Driver Loaded

ImageLoad

Image loaded

CreateRemoteThread

CreateRemoteThread detected

RawAccessRead

RawAccessRead detected

ProcessAccess

Process accessed

FileCreate

File created

RegistryEvent

Registry object added or deleted

RegistryEvent

Registry value set

RegistryEvent

Registry object renamed

FileCreateStreamHash

File stream created

n/a

Sysmon configuration change (cannot be filtered)

PipeEvent

Named pipe created

PipeEvent

Named pipe connected

WmiEvent

WMI filter

WmiEvent

WMI consumer

WmiEvent

WMI consumer filter

DNSQuery

DNS query

FileDelete

File Delete archived

ClipboardChange

New content in the clipboard

ProcessTampering

Process image change

FileDeleteDetected

File Delete logged

FileBlockExecutable

File Block Executable

FileBlockShredding

File Block Shredding

FileExecutableDetected

File Executable Detected

Sysmon - Sysinternalsdocsmsft

Last updated 2 months ago