WINDOWS, Drive-by compromise - Coggle Diagram
WINDOWS
Sysmon
Event ID 1: Process creation
Event ID 2: A process changed a file creation time
Event ID 5: Process terminated
Event ID 6: Driver loaded
Event ID 7: Image loaded
Event ID 8: CreateRemoteThread
Event ID 9: RawAccessRead
Event ID 10: ProcessAccess
Event ID 11: FileCreate
RegistryEvent
Event ID 13: RegistryEvent (Value Set)
Event ID 14: RegistryEvent (Key and Value Rename)
Event ID 12: RegistryEvent (Object create and delete)
Event ID 15: FileCreateStreamHash
WMI Event
Event ID 19: WmiEvent (WmiEventFilter activity detected)
Event ID 20: WmiEvent (WmiEventConsumer activity detected)
Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)
Network Related
Event ID 22: DNSEvent (DNS query)
Event ID 3: Network connection
Sysmon
Event ID 4: Sysmon service state changed
Event ID 255: Error
Event ID 16: Sysmon config change
PipeEvent
Event ID 18: PipeEvent (Pipe Connected)
Event ID 17: PipeEvent (Pipe Created)
Event
Drive-by compromise