ProcessCreate (ID1)
  UtcTime
  ProcessGuid
  ProcessId
  Image
  FileVersion
  Description
  Product
  Company
  CommandLine
  CurrentDirectory
  User
  LogonGuid
  LogonId
  TerminalSessionId
  IntegrityLevel
  Hashes
  ParentProcessGuid
  ParentProcessId
  ParentImage
  ParentCommandLine

FileCreateTime (ID2)
  UtcTime
  ProcessGuid
  ProcessId
  Image
  TargetFilename
  CreationUtcTime
  PreviousCreationUtcTime

ProcessTerminate (ID5)
  UtcTime
  ProcessGuid
  ProcessId
  Image

NetworkConnect (ID3)
  UtcTime
  ProcessGuid
  ProcessId
  Image
  User
  Protocol
  Initiated
  SourceIsIpv6
  SourceIp
  SourceHostname
  SourcePort
  SourcePortName
  DestinationIsIpv6
  DestinationIp
  DestinationHostname
  DestinationPort
  DestinationPortName

ImageLoad^ (ID7)
  UtcTime
  ProcessGuid
  ProcessId
  Image
  ImageLoaded
  Hashes
  Signed
  Signature
  SignatureStatus

RawAccessRead^ (ID9)
  UtcTime
  ProcessGuid
  ProcessId
  Image
  Device

FileCreate (ID11)
  UtcTime
  ProcessGuid
  ProcessId
  Image
  TargetFilename
  CreationUtcTime
  PreviousCreationUtcTime

RegistryEvent (ID12, 13 & 14)
  EventType
  UtcTime
  ProcessGuid
  ProcessId
  Image
  TargetObject
  Details (can't filter on)
  NewName (can't filter on)

FileCreateStreamHash (ID15)
  UtcTime
  ProcessGuid
  ProcessId
  Image
  TargetFilename
  CreationUtcTime
  Hash

PipeEventCreate (ID17)
  UtcTime
  ProcessGuid
  ProcessId
  PipeName
  Image

PipeEventConnected (ID18)
  UtcTime
  ProcessGuid
  ProcessId
  PipeName
  Image
  Reference: https://hackinparis.com/data/slides/2017/2017_Cohen_Gil_The_forgotten_interface_Windows_named_pipes.pdf

ProcessTampering (ID25)
  UtcTime
  ProcessGuid
  ProcessId
  Image
  Type

DNSEvent (ID22)

Status (ID4)
  UtcTime
  State
  Version
  SchemaVersion

DriverLoad (ID6)
  UtcTime
  ImageLoaded
  Hashes
  Signed
  Signature
  SignatureStatus

Bro/*Flow MetaData

CreateRemoteThread (ID8)
  UtcTime
  SourceProcessGuid
  SourceProcessId
  SourceImage
  TargetProcessId
  TargetImage
  NewThreadId
  StartAddress
  StartModule
  StartFunction

ProcessAccess^ (ID10)
  UtcTime
  SourceProcessGuid
  SourceProcessId
  SourceThreadId
  SourceImage
  TargetProcessGuid
  TargetProcessId
  TargetImage
  GrantedAccess
  CallTrace

ConfigChange (ID16)
  UtcTime
  Configuration
  ConfigurationFileHash

WmiEvent (ID19, 20 & 21)
  EventType
  UtcTime
  Operation
  User
  Name
  Type
  Destination
  Consumer
  Filter

^ Event type disabled by default

S2 - Run, Install Payload & External C2
S3 - Internal Recon, Escalate Privilege & Abuse Credentials
S2 - Deliver Payload
S2 - External C2
S3 - Internal Recon, C2
S4 - Tamper
S2 - Persistence or Install Backdoor
S2 - Run Payload
S3 - Capture Credentials