IoCs
For the emulation of IoCs there are twenty-six indicator options that can be tested, described below. Each one generates an artifact that a Sysmon-based monitoring setup is expected to record.
Process creation: A new process will be created.
A process changed a file creation time: A process will explicitly change a file creation time.
Network Connection: A new network connection event will be created.
Disable firewall: The firewall will be disabled.
Process terminated: A process is ended. It is necessary to specify the PID of the process to be stopped.
Driver Loaded: A driver is loaded in the system.
Image Loaded: A module is loaded into a process.
CreateRemoteThread: A process will create a thread in another process.
RawAccessRead: A process will perform read operations on the drive using the \\.\ denotation.
ProcessAccess: A process will open another process.
FileCreate: A new file is created.
RegistryEvent (Object create and remove): An operation of creation or deletion of Registry key and value is performed.
RegistryEvent (Value Set): The modification of a Registry value is performed.
RegistryEvent (Key and Value Rename): The renaming of a Registry key or value is performed.
FileCreateStreamHash: A named file stream is created.
ServiceConfigurationChange: A change to a service configuration is made.
PipeEvent - Pipe Created: A named pipe is created.
PipeEvent - Pipe Connected: A connection to a named pipe is made.
WmiEvent - WmiEventFilter activity detected: A WMI filter event will be registered.
WmiEvent - WmiEventConsumer activity detected: A WMI event consumer will be registered.
WmiEvent - WmiEventConsumerToFilter activity detected: A WMI event consumer will be bound to a filter.
DNSEvent - DNS query: A process will execute a DNS query.
File Deletion Event: A file will be removed.
ClipboardChange - New content in the clipboard: Changes will be made to the contents of the system clipboard.
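The following script is an added example, not part of the original page and not the emulation tool's own code. It reproduces a handful of the indicators above with harmless actions (process creation, file creation, a named file stream, a named pipe and a DNS query) and then reads the Sysmon operational log to confirm that the matching event IDs were recorded, which is the check a detection engineer wants after deploying or changing a Sysmon configuration. It assumes Sysmon is installed, that the shell is elevated (reading the Sysmon log requires it), and it uses a scratch directory under $env:TEMP and the pipe name ioc_emulation_pipe, both chosen for this example.

```powershell
# Added example: emulate a few benign indicators and verify Sysmon recorded them.
# Assumes Sysmon is installed and this runs in an elevated PowerShell session.
# Sysmon event IDs used (from the Sysmon documentation):
#   1  ProcessCreate        11 FileCreate   15 FileCreateStreamHash
#   17 PipeCreated          22 DNSQuery

$start = Get-Date
$work  = Join-Path $env:TEMP 'ioc-emulation'   # scratch directory chosen for this example
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Process creation (event 1): launch a harmless built-in binary and wait for it.
Start-Process -FilePath 'whoami.exe' -WindowStyle Hidden -Wait

# File creation (event 11): write a constructed sample file.
$file = Join-Path $work 'sample.txt'
Set-Content -Path $file -Value 'constructed sample content'

# Named file stream (event 15): add an alternate data stream to that file.
Set-Content -Path $file -Stream 'marker' -Value 'constructed stream content'

# Named pipe creation (event 17): create and immediately dispose a pipe server.
$pipe = New-Object System.IO.Pipes.NamedPipeServerStream(
    'ioc_emulation_pipe', [System.IO.Pipes.PipeDirection]::InOut)
$pipe.Dispose()

# DNS query (event 22): resolve the documentation host referenced on this page.
Resolve-DnsName -Name 'learn.microsoft.com' -ErrorAction SilentlyContinue | Out-Null

# Give Sysmon a moment to flush, then pull everything logged since $start.
Start-Sleep -Seconds 2
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    StartTime = $start
} -ErrorAction SilentlyContinue

# Report which expected event IDs were seen; a MISSING line means the Sysmon
# configuration is not capturing that indicator and should be reviewed.
$expected = @{ 1 = 'ProcessCreate'; 11 = 'FileCreate'; 15 = 'FileCreateStreamHash';
               17 = 'PipeCreated';  22 = 'DNSQuery' }
foreach ($id in ($expected.Keys | Sort-Object)) {
    $hit    = $events | Where-Object { $_.Id -eq $id } | Select-Object -First 1
    $status = if ($hit) { 'recorded' } else { 'MISSING - review Sysmon configuration' }
    '{0,3} {1,-22} {2}' -f $id, $expected[$id], $status
}

# Clean up the scratch directory.
Remove-Item -Path $work -Recurse -Force -ErrorAction SilentlyContinue
```

Run it once after installing Sysmon and again after each configuration change: the MISSING lines point directly at the indicator categories your ruleset filters out. Note that the final Remove-Item also produces a FileDelete (event 23) entry if that category is enabled, so the script can double as a check for the file deletion indicator.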
For more information:
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon