Sysmon EventCode
Sysmon Event ID 1 - Process Creation: Useful for hunts targeting abnormal parent-child process hierarchies, as illustrated in the first lesson with Process Hacker. This is an event we can use later.
Sysmon Event ID 2 - A process changed the creation time of a file: Useful for detecting "time stomp" attacks, in which attackers change file creation times. Keep in mind that not all of these actions signal malicious intent.
Sysmon Event ID 3 - Network Connection: A source of abundant noise, as machines are perpetually establishing network connections. We may discover anomalies, but let's consider other, quieter areas first.
Sysmon Event ID 4 - Sysmon Service State Changed: This could be a useful search if attackers attempt to disrupt Sysmon, although most of these events are likely benign and informative, given Sysmon's frequent legitimate starts and stops.
Sysmon Event ID 5 - Process Terminated: This can help us detect when attackers kill key processes or use sacrificial processes. For example, Cobalt Strike frequently spawns temporary processes like werfault, whose termination would be logged here, with the corresponding creation logged under Event ID 1.
Sysmon Event ID 6 - Driver Loaded: A potential red flag for BYOD (bring your own driver) attacks, although this is less common. Before we delve into this, let's eliminate more conspicuous threats first.
Sysmon Event ID 7 - Image Loaded: Allows us to trace DLL loads, which is useful for detecting DLL hijackings.
Sysmon Event ID 8 - CreateRemoteThread: Potentially aids in identifying injected threads. While remote threads can be created legitimately, if an attacker misuses this API, we can potentially trace their rogue process and what they injected.
Sysmon Event ID 10 - ProcessAccess: Useful for detecting remote code injection and memory dumps, as it records when one process opens a handle to another process.
Sysmon Event ID 11 - FileCreate: With many files being created frequently due to updates, downloads, etc., it can be challenging to target our hunt directly here. However, these events can be beneficial for correlating or identifying a file's origins later.
Sysmon Event ID 12 - RegistryEvent (Object Creation and Deletion) and Sysmon Event ID 13 - RegistryEvent (Value Set): While numerous events occur here, many registry events can be malicious, and with a good idea of what to look for, searching here can be fruitful.
Sysmon Event ID 15 - FileCreateStreamHash: This covers alternate data streams, including the "Mark of the Web" applied to external downloads, but we'll leave that aside for now.
Sysmon Event ID 16 - Sysmon Configuration State Changed: This logs changes to the Sysmon configuration, useful for detecting tampering.
Sysmon Event ID 17 - Pipe Created and Sysmon Event ID 18 - Pipe Connected: Records pipe creations and connections. These can help you observe the malware's inter-process communication attempts, the use of PsExec, and SMB lateral movement.
Sysmon Event ID 22 - DNSEvent: Tracks DNS queries, which can be beneficial to monitor.
Sysmon Event ID 23 - FileDelete: Monitors file deletions, which can provide insight into whether a threat actor has cleaned up their malware, deleted crucial files, or possibly attempted a ransomware attack.
Sysmon Event ID 25 - ProcessTampering: Alerts you to process image tampering techniques such as process hollowing, acting as a mini AV alert filter.
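As an added example (not part of the original lesson), here is a small Python triage routine that applies several of the hunting notes above (Event IDs 1, 2, 4/16, 5 and 8) to constructed Sysmon-style event records; the allow-list of expected parent images, the 5-second short-lived window and the sample events are assumptions made for the demonstration.

```python
"""Triage constructed Sysmon-style events using the hunting notes from the list above."""
from datetime import datetime

# Constructed allow-list (assumption): child image -> parent images we expect to see it under.
EXPECTED_PARENTS = {"svchost.exe": {"services.exe"}, "werfault.exe": {"svchost.exe"}}
SHORT_LIVED_SECS = 5  # an ID 1 start followed by an ID 5 stop inside this window = sacrificial process


def _name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (EventID, message) findings; each rule maps to one note in the list above."""
    findings, started = [], {}
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:  # abnormal parent-child hierarchy
            started[ev["ProcessGuid"]] = ev  # kept so ID 5 can be correlated with its ID 1
            child, parent = _name(ev["Image"]), _name(ev["ParentImage"])
            if child in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[child]:
                findings.append((1, f"{parent} spawned {child}"))
        elif eid == 2:  # time stomp: file creation time pushed into the past
            if datetime.fromisoformat(ev["CreationUtcTime"]) < datetime.fromisoformat(ev["PreviousCreationUtcTime"]):
                findings.append((2, f"{_name(ev['Image'])} backdated {ev['TargetFilename']}"))
        elif eid in (4, 16):  # Sysmon service state or configuration changed: always worth a look
            detail = ev.get("State") or ev.get("Configuration")
            findings.append((eid, f"sysmon {'service' if eid == 4 else 'configuration'} changed: {detail}"))
        elif eid == 5:  # process terminated shortly after its ID 1 creation
            start = started.get(ev["ProcessGuid"])
            if start and (datetime.fromisoformat(ev["UtcTime"]) - datetime.fromisoformat(start["UtcTime"])).total_seconds() <= SHORT_LIVED_SECS:
                findings.append((5, f"{_name(ev['Image'])} lived under {SHORT_LIVED_SECS}s"))
        elif eid == 8 and ev["SourceProcessId"] != ev["TargetProcessId"]:  # cross-process thread creation
            findings.append((8, f"{_name(ev['SourceImage'])} created a thread in {_name(ev['TargetImage'])}"))
        # IDs 3 and 11 are deliberately not scored here: noisy, kept for correlation only
    return findings


# Constructed sample events (not real telemetry), in the order Sysmon would log them.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:00", "ProcessGuid": "{A}", "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:01", "ProcessGuid": "{B}", "Image": r"C:\Windows\System32\WerFault.exe", "ParentImage": r"C:\Users\alice\AppData\Local\Temp\unknown.exe"},
    {"EventID": 5, "UtcTime": "2024-01-01 10:00:03", "ProcessGuid": "{B}", "Image": r"C:\Windows\System32\WerFault.exe"},
    {"EventID": 8, "SourceProcessId": 4242, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\unknown.exe", "TargetProcessId": 1337, "TargetImage": r"C:\Windows\System32\WerFault.exe"},
    {"EventID": 2, "Image": r"C:\Users\alice\AppData\Local\Temp\unknown.exe", "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\t.dll", "CreationUtcTime": "2019-05-05 00:00:00", "PreviousCreationUtcTime": "2024-01-01 10:00:02"},
    {"EventID": 16, "UtcTime": "2024-01-01 10:00:05", "Configuration": "sysmon.xml"},
    {"EventID": 3, "UtcTime": "2024-01-01 10:00:06", "Image": r"C:\Windows\System32\svchost.exe", "DestinationPort": 443},
]

if __name__ == "__main__":
    for eid, msg in triage(SAMPLE_EVENTS):
        print(f"[ID {eid}] {msg}")
```

Running the block prints one line per finding; the noisy ID 3 record produces none, which is the point of leaving those events for correlation rather than primary hunting.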