| Event ID | Event Name | Description | Related MITRE ATT&CK Techniques |
|---|---|---|---|
| 1 | Process Creation | Logs the creation of new processes, including command line, hashes and parent process | T1059: Command and Scripting Interpreter, T1204: User Execution |
| 2 | File Creation Time Changed | Detects when a process explicitly changes a file's creation timestamp | T1070.006: Timestomp |
| 3 | Network Connection | Records TCP/UDP connections and the process that made them | T1071: Application Layer Protocol, T1021: Remote Services |
| 4 | Sysmon Service State Changed | Logs when the Sysmon service starts or stops | N/A |
| 5 | Process Terminated | Records when a process ends | T1480: Execution Guardrails, T1562: Impair Defenses |
| 6 | Driver Loaded | Detects when a kernel driver is loaded, with its hashes and signature | T1547.006: Boot or Logon Autostart Execution: Kernel Modules and Extensions, T1014: Rootkit |
| 7 | Image Loaded | Logs when a DLL or other module is loaded into a process | T1574: Hijack Execution Flow, T1129: Shared Modules |
| 8 | CreateRemoteThread | Detects when a process creates a thread in another process | T1055: Process Injection, T1056.004: Credential API Hooking |
| 9 | RawAccessRead | Detects when a process reads a drive directly using `\\.\` notation, bypassing the file system | T1006: Direct Volume Access, T1003: OS Credential Dumping |
| 10 | ProcessAccess | Logs when a process opens a handle to another process, including the access rights granted | T1055: Process Injection, T1003: OS Credential Dumping |
| 11 | FileCreate | Records file creation and overwrite events | T1105: Ingress Tool Transfer, T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| 12 | RegistryEvent (Object create and delete) | Detects registry key and value create and delete operations | T1112: Modify Registry, T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| 13 | RegistryEvent (Value Set) | Logs registry value modifications | T1112: Modify Registry, T1546.001: Event Triggered Execution: Change Default File Association |
| 14 | RegistryEvent (Key and Value Rename) | Records registry key and value rename operations | T1112: Modify Registry, T1070: Indicator Removal on Host |
| 15 | FileCreateStreamHash | Logs the creation of named (alternate) data streams on NTFS, with the stream's hash | T1564.004: Hide Artifacts: NTFS File Attributes, T1027: Obfuscated Files or Information |
| 16 | ServiceConfigurationChange | Logs changes to Sysmon's own configuration, for example when the filtering rules are updated | T1562.001: Impair Defenses: Disable or Modify Tools |
| 17 | PipeEvent (Pipe Created) | Logs when named pipes are created | T1559: Inter-Process Communication, T1021.002: Remote Services: SMB/Windows Admin Shares |
| 18 | PipeEvent (Pipe Connected) | Records when a named pipe connection is made | T1559: Inter-Process Communication, T1570: Lateral Tool Transfer |
| 19 | WmiEvent (WmiEventFilter activity detected) | Detects WMI event filter registration | T1047: Windows Management Instrumentation, T1546.003: Event Triggered Execution: Windows Management Instrumentation Event Subscription |
| 20 | WmiEvent (WmiEventConsumer activity detected) | Logs WMI event consumer registration | T1047: Windows Management Instrumentation, T1546.003: Event Triggered Execution: Windows Management Instrumentation Event Subscription |
| 21 | WmiEvent (WmiEventConsumerToFilter activity detected) | Records WMI filter-to-consumer bindings | T1047: Windows Management Instrumentation, T1546.003: Event Triggered Execution: Windows Management Instrumentation Event Subscription |
| 22 | DNSEvent (DNS query) | Logs DNS queries and their responses, with the querying process | T1071.004: Application Layer Protocol: DNS, T1568: Dynamic Resolution |
| 23 | FileDelete (File Delete archived) | Records file deletions and saves a copy of the deleted file to the archive directory | T1070.004: Indicator Removal on Host: File Deletion, T1485: Data Destruction |
| 24 | ClipboardChange | Detects changes to the system clipboard | T1115: Clipboard Data, T1056.001: Input Capture: Keylogging |
| 25 | ProcessTampering | Logs process image tampering such as process hollowing or herpaderping | T1562: Impair Defenses, T1055: Process Injection |
| 26 | FileDeleteDetected | Records file deletions without archiving the deleted file | T1070.004: Indicator Removal on Host: File Deletion (the older T1107: File Deletion ID is deprecated and merged into this sub-technique) |
| 27 | FileBlockExecutable | Logs when Sysmon detects and blocks the creation of an executable (PE) file | T1105: Ingress Tool Transfer, T1036: Masquerading |
| 28 | FileBlockShredding | Logs when Sysmon detects and blocks file shredding by tools such as SDelete | T1070.004: Indicator Removal on Host: File Deletion, T1561: Disk Wipe |
| 29 | FileExecutableDetected | Records when a new executable (PE) file is created | T1204: User Execution, T1105: Ingress Tool Transfer |
| 255 | Error | Indicates an error condition in Sysmon (e.g. a driver or configuration problem) | N/A |
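The table above only says which techniques each event ID can point to; in practice the technique is decided by the event's fields. The following is an added example (not code from Sysmon or from the original page) that parses Sysmon event records in the XML form exported from the Microsoft-Windows-Sysmon/Operational channel, applies the baseline mapping from the table, and then refines it with a few field-level rules: encoded PowerShell in Event ID 1, LSASS handles with memory-read rights in Event ID 10, oversized DNS labels in Event ID 22, and any Event ID 16 config change. The field names (`Image`, `CommandLine`, `TargetImage`, `GrantedAccess`, `QueryName`) are Sysmon's own; the sample events and the 40-character label threshold are constructed for illustration.

```python
"""Map Sysmon events to ATT&CK techniques using event ID plus field-level rules.

Added example: parses Sysmon event XML (as produced by `wevtutil qe ... /f:xml`
or Get-WinEvent's .ToXml()) and returns the technique IDs each event suggests.
All sample events below are constructed, not captured from a real host.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Baseline: techniques worth tagging on every event of this ID (subset of the table).
BASELINE = {
    1: ["T1059"], 8: ["T1055"], 10: ["T1003"], 16: ["T1562.001"],
    22: ["T1071.004"], 25: ["T1055"], 27: ["T1105"],
}

# Handle rights that a credential dumper needs on lsass.exe:
# PROCESS_VM_READ (0x10) and PROCESS_QUERY_INFORMATION (0x400).
LSASS_READ_MASK = 0x0010 | 0x0400

# Assumed threshold: DNS labels this long are a common sign of tunnelled data.
MAX_LABEL_LEN = 40


def parse_event(xml_text):
    """Return (event_id, {field name: value}) from one Sysmon event record."""
    root = ET.fromstring(xml_text)
    eid = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return eid, data


def classify(xml_text):
    """Return the sorted list of ATT&CK technique IDs one event points to."""
    eid, d = parse_event(xml_text)
    techniques = set(BASELINE.get(eid, []))
    if eid == 1:
        image = d.get("Image", "").lower()
        cmd = d.get("CommandLine", "").lower()
        # "-enc" also matches "-encodedcommand"; "-e " matches the short form
        if image.endswith("powershell.exe") and ("-enc" in cmd or "-e " in cmd):
            techniques.update(["T1059.001", "T1027"])
    elif eid == 10:
        target = d.get("TargetImage", "").lower()
        granted = int(d.get("GrantedAccess", "0x0"), 16)  # Sysmon logs this as hex text
        if target.endswith("\\lsass.exe") and granted & LSASS_READ_MASK == LSASS_READ_MASK:
            techniques.add("T1003.001")  # LSASS memory read, not just a query handle
    elif eid == 22:
        if any(len(label) > MAX_LABEL_LEN for label in d.get("QueryName", "").split(".")):
            techniques.add("T1568")
    return sorted(techniques)


def make_event(event_id, **fields):
    """Build a minimal Sysmon-style record (constructed sample for this example)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>'
        f'<EventData>{data}</EventData></Event>'
    )


# Constructed sample events (paths and values are illustrative, not real captures).
SAMPLES = {
    "encoded_ps": make_event(1, Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                             CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgAIAA="),
    "lsass_read": make_event(10, SourceImage=r"C:\Users\alice\procdump.exe",
                             TargetImage=r"C:\Windows\System32\lsass.exe", GrantedAccess="0x1410"),
    "lsass_query": make_event(10, SourceImage=r"C:\Windows\System32\taskmgr.exe",
                              TargetImage=r"C:\Windows\System32\lsass.exe", GrantedAccess="0x1000"),
    "dns_tunnel": make_event(22, QueryName="a9f3e1c0b7d2e4f6a8c1d3e5f7a9b1c3d5e7f9a1b3c5d7e9f1a3b5c7.evil.example"),
    "config_change": make_event(16, Configuration=r"C:\sysmon\config.xml"),
}


def classify_samples():
    """Classify every constructed sample; returns {sample name: technique list}."""
    return {name: classify(xml) for name, xml in SAMPLES.items()}


if __name__ == "__main__":
    for name, techniques in classify_samples().items():
        print(f"{name:14s} -> {', '.join(techniques)}")
```

Note the distinction the `lsass_query` sample makes: Task Manager opening LSASS with `0x1000` (PROCESS_QUERY_LIMITED_INFORMATION) stays at the generic T1003 baseline, while a handle carrying VM_READ is escalated to T1003.001. Checking the granted-access bits, rather than alerting on every handle to lsass.exe, is what keeps this rule usable in production.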