The description of Sysmon - Play With New Friends
Sysmon (System Monitor) is an official Microsoft tool from the Sysinternals suite for monitoring system activity. With it, you can keep a detailed record of system events such as process creation, network connections, file creation and deletion, registry changes, and more.

The program is installed from the command line. To install it, open CMD.exe as an administrator in the folder where you unpacked the program and run the command sysmon -i. Run with no configuration file, Sysmon applies its default rules, which record only some of the event types listed below (process creation, for example, but not network connections); a configuration XML passed with -i, or later with -c, controls which events are logged.

From there, open the Windows Event Viewer and go to the path Applications and Services Logs/Microsoft/Windows/Sysmon/Operational (reading this log requires administrative rights). There you can see all the events Sysmon has recorded on the system. The events that the program is capable of recording, by event ID, are as follows:

1 ProcessCreate - Process created
2 FileCreateTime - File creation time changed
3 NetworkConnect - Network connection detected
4 Sysmon service state changed (cannot be filtered)
5 ProcessTerminate - Process terminated
6 DriverLoad - Driver loaded
7 ImageLoad - Image (DLL) loaded
8 CreateRemoteThread - CreateRemoteThread detected
9 RawAccessRead - RawAccessRead detected
10 ProcessAccess - Process accessed
11 FileCreate - File created
12 RegistryEvent - Registry object added or deleted
13 RegistryEvent - Registry value set
14 RegistryEvent - Registry object renamed
15 FileCreateStreamHash - File stream created
16 Sysmon configuration changed (cannot be filtered)
17 PipeEvent - Named pipe created
18 PipeEvent - Connected to named pipe
19 WmiEvent - WMI event filter activity
20 WmiEvent - WMI event consumer activity
21 WmiEvent - WMI consumer-to-filter binding
22 DNSQuery - DNS query performed
23 FileDelete - File deleted (and archived)
24 ClipboardChange - New content added to the clipboard
25 ProcessTampering - Process image changed
26 FileDeleteDetected - File deletion logged (not archived)
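As an added example, not part of the original description or of the Sysmon tool itself, the PowerShell script below reads the Operational log listed above, counts recent events by the IDs from the table, and pulls the process behind each network connection (ID 3) and DNS query (ID 22) out of the event XML. It assumes Sysmon is installed with a configuration that logs those IDs and that the shell is elevated; the event names in $EventNames and the field names (Image, DestinationIp, DestinationPort, QueryName) follow the Sysmon event schema.

```powershell
# Added example: summarise the last hour of Sysmon events from the Operational log.
# Requires an elevated shell; the log path is the one shown in Event Viewer.
$LogName = 'Microsoft-Windows-Sysmon/Operational'

# Event IDs from the table above that are worth a first look during triage.
$EventNames = @{
    1  = 'ProcessCreate'
    3  = 'NetworkConnect'
    7  = 'ImageLoad'
    8  = 'CreateRemoteThread'
    10 = 'ProcessAccess'
    11 = 'FileCreate'
    13 = 'RegistryValueSet'
    22 = 'DNSQuery'
}

function Get-SysmonEventData {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Flatten <EventData><Data Name="...">value</Data> into a hashtable keyed by field name.
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Id        = @($EventNames.Keys)
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

# Volume per event type: a sudden spike in one ID is a useful first signal.
$events | Group-Object Id | Sort-Object Count -Descending |
    ForEach-Object { '{0,-20} {1}' -f $EventNames[[int]$_.Name], $_.Count }

# Which process made each outbound connection or DNS lookup.
$events | Where-Object { $_.Id -in 3, 22 } | ForEach-Object {
    $f = Get-SysmonEventData -Event $_
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Event  = $EventNames[$_.Id]
        Image  = $f['Image']
        Target = if ($_.Id -eq 3) { "$($f['DestinationIp']):$($f['DestinationPort'])" } else { $f['QueryName'] }
    }
} | Format-Table -AutoSize
```

If the second table is empty, check that the active Sysmon configuration actually enables NetworkConnect and DNSQuery, since the default rules do not.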