API tools faq
paste
joemccray

Event Codes to monitor

joemccray
Apr 28th, 2021 (edited)
339
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.06 KB | None | 0 0
raw download clone embed print report
  1. ################################
  2. # Windows EVENT IDs To Monitor #
  3. ################################
  4. 1. NEW PROCESS STARTING: Event Code 4688 will capture when a process or executable starts.
  5.  
  6. 2. USER LOGON SUCCESS: Event Code 4624 will capture when a user successfully logons to the system.
  7.  
  8. 3. SHARE ACCESSED: Event Code 5140 will capture when a user connects to a file share.
  9.  
  10. 4. NEW SERVICE INSTALLED: Event Code 7045 will capture when a new service is installed.
  11.  
  12. 5. NETWORK CONNECTION MADE: Event Code 5156 will capture when a network connection is made from the source
  13. to the destination including the ports used and the process used to initiate the connection. Requires the use of the
  14. Windows Firewall
  15.  
  16. 6. FILE AUDITING: Event Code 4663 will capture when a new file is added, modified or deleted.
  17.  
  18. 7. REGISTRY AUDITING: Event Code 4657 will capture when a new registry item is added, modified or deleted
  19.  
  20. 8. WINDOWS POWERSHELL COMMAND LINE EXECUTION: Event Code 500 will capture when PowerShell is executed
  21. logging the command line used.
  22.  
  23. 9. WINDOWS FIREWALL CHANGES: Event Code 2004 will capture when new firewall rules are added.
  24.  
  25. 10. SCHEDULE TASKS ADDED: Event Code 106 will capture when a new scheduled task is added.
  26.  
  27.  
  28.  
  29. ###############################
  30. # Sysmon EVENT IDs To Monitor #
  31. ###############################
  32.  
  33. EventCode Event Description
  34. -------------------------------------------------
  35. 1 Process Create
  36. 2 File Create Time
  37. 3 Network Connect
  38. 4 Sysmon Start
  39. 5 Process Terminate
  40. 6 Driver Load
  41. 7 Image Load
  42. 8 Create Remote Thread
  43. 9 Raw Access Read
  44. 10 Process Access
  45. 11 File Created
  46. 12 Registry object added or deleted
  47. 13 Registry value set
  48. 14 Registry object renamed
  49. 15 File stream created
  50. 16 Sysmon Configuration Changed
  51. 17 Pipe Created
  52. 18 Pipe Connected
  53. 19 WmiEventFilter activity detected
  54. 20 WmiEventConsumer activity detected
  55. 21 WmiEventConsumerToFilter activity detected
  56. 22 DNS Query
  57. 23 File deleted
  58. 24 Clipboard
  59. 255 Error
  60. 4688 Process Create
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!