API - To - Event

| API Call | EventID | Event Name | Log Provider | ATT&CK Data Source | Script Validation | Mordor Dataset | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- |
| LogonUserA | 4624 | An account was successfully logged on | Microsoft-Windows-Security-Auditing | Windows event logs, Authentication logs | | | |
| LogonUserExA | 4624 | An account was successfully logged on | Microsoft-Windows-Security-Auditing | Windows event logs, Authentication logs | | | |
| LogonUserExW | 4624 | An account was successfully logged on | Microsoft-Windows-Security-Auditing | Windows event logs, Authentication logs | | | |
| LogonUserW | 4624 | An account was successfully logged on | Microsoft-Windows-Security-Auditing | Windows event logs, Authentication logs | | | |
| WNetAddConnection2 | 4624 | An account was successfully logged on | Microsoft-Windows-Security-Auditing | Windows event logs, Authentication logs | | | |
| LogonUserA | 4625 | An account failed to log on | Microsoft-Windows-Security-Auditing | Windows event logs, Authentication logs | | | |
| LogonUserExA | 4625 | An account failed to log on | Microsoft-Windows-Security-Auditing | Windows event logs, Authentication logs | | | |
| LogonUserExW | 4625 | An account failed to log on | Microsoft-Windows-Security-Auditing | Windows event logs, Authentication logs | | | |
| LogonUserW | 4625 | An account failed to log on | Microsoft-Windows-Security-Auditing | Windows event logs, Authentication logs | | | |
| NtOpenProcess | 4656 | A handle to an object was requested | Microsoft-Windows-Security-Auditing | process monitoring | | | SACL, Lsass monitoring is enabled by default for 0x10 (READ) access |
| OpenProcess | 4656 | A handle to an object was requested | Microsoft-Windows-Security-Auditing | process monitoring | OpenProcess.ps1 | | SACL, Lsass monitoring is enabled by default for 0x10 (READ) access |
| OpenSCManagerA | 4656 | A handle to an object was requested | Microsoft-Windows-Security-Auditing | file monitoring | | Find Local Admin Access | |
| OpenSCManagerW | 4656 | A handle to an object was requested | Microsoft-Windows-Security-Auditing | file monitoring | OpenSCManagerW.ps1 | Find Local Admin Access | |
| RegOpenKeyA | 4656 | A handle to an object was requested | Microsoft-Windows-Security-Auditing | Windows Registry | | | SACL |
| RegOpenKeyExA | 4656 | A handle to an object was requested | Microsoft-Windows-Security-Auditing | Windows Registry | | | SACL |
| RegOpenKeyExA | 4656 | A handle to an object was requested | Microsoft-Windows-Security-Auditing | Windows Registry | | | SACL |
| RegOpenKeyExW | 4656 | A handle to an object was requested | Microsoft-Windows-Security-Auditing | Windows Registry | | | SACL |
| ZwOpenKey | 4656 | A handle to an object was requested | Microsoft-Windows-Security-Auditing | Windows Registry | NtOpenKey.ps1 | | SACL |
| RegSetKeyValueA | 4657 | A registry value was modified. | Microsoft-Windows-Security-Auditing | Windows Registry | | | |
| RegSetKeyValueW | 4657 | A registry value was modified. | Microsoft-Windows-Security-Auditing | Windows Registry | | | |
| RegSetValueA | 4657 | A registry value was modified. | Microsoft-Windows-Security-Auditing | Windows Registry | | | |
| RegSetValueExA | 4657 | A registry value was modified. | Microsoft-Windows-Security-Auditing | Windows Registry | | | |
| RegSetValueExW | 4657 | A registry value was modified. | Microsoft-Windows-Security-Auditing | Windows Registry | | | |
| ZwSetValueKey | 4657 | A registry value was modified | Microsoft-Windows-Security-Auditing | Windows Registry | NtSetValueKey.ps1 | | SACL |
| CloseServiceHandle | 4658 | The handle to an object was closed | Microsoft-Windows-Security-Auditing | Windows event logs | | | |
| MiniDumpWriteDump | 4663 | An attempt was made to access an object | Microsoft-Windows-Security-Auditing | file monitoring | OpenProcess.ps1 | | Sysmon rule entry |
| NtOpenProcess | 4663 | An attempt was made to access an object | Microsoft-Windows-Security-Auditing | process monitoring | | | SACL, Lsass monitoring is enabled by default for 0x10 (READ) access |
| OpenProcess | 4663 | An attempt was made to access an object | Microsoft-Windows-Security-Auditing | process monitoring | OpenProcess.ps1 | Mimikatz Logonpasswords | SACL, Lsass monitoring is enabled by default for 0x10 (READ) access |
| ReadProcessMemory | 4663 | An attempt was made to access an object | Microsoft-Windows-Security-Auditing | file monitoring | ReadProcessMemory.ps1 | | SACL, Lsass monitoring is enabled by default for 0x10 (READ) access |
| RegQueryValueA | 4663 | An attempt was made to access an object | Microsoft-Windows-Security-Auditing | Windows Registry | | | SACL |
| RegQueryValueExA | 4663 | An attempt was made to access an object | Microsoft-Windows-Security-Auditing | Windows Registry | | | SACL |
| RegQueryValueExW | 4663 | An attempt was made to access an object | Microsoft-Windows-Security-Auditing | Windows Registry | | | SACL |
| RegQueryValueW | 4663 | An attempt was made to access an object | Microsoft-Windows-Security-Auditing | Windows Registry | | | SACL |
| RegSetKeyValueA | 4663 | An attempt was made to access an object | Microsoft-Windows-Security-Auditing | Windows Registry | | | |
| RegSetKeyValueW | 4663 | An attempt was made to access an object | Microsoft-Windows-Security-Auditing | Windows Registry | | | SACL |
| RegSetValueA | 4663 | An attempt was made to access an object | Microsoft-Windows-Security-Auditing | Windows Registry | | | SACL |
| RegSetValueExA | 4663 | An attempt was made to access an object | Microsoft-Windows-Security-Auditing | Windows Registry | | | SACL |
| RegSetValueExW | 4663 | An attempt was made to access an object | Microsoft-Windows-Security-Auditing | Windows Registry | | | SACL |
| ZwEnumerateKey | 4663 | An attempt was made to access an object | Microsoft-Windows-Security-Auditing | Windows Registry | NtEnumerateKey.ps1 | | SACL |
| ZwEnumerateValueKey | 4663 | An attempt was made to access an object | Microsoft-Windows-Security-Auditing | Windows Registry | NtEnumerateValueKey.ps1 | | SACL |
| ZwOpenKey | 4663 | An attempt was made to access an object | Microsoft-Windows-Security-Auditing | Windows Registry | NtOpenKey.ps1 | | SACL |
| NtOpenFile | 4663 | An attempt was made to access an object | Microsoft-Windows-Security-Auditing | Windows Registry | | | SACL |
| ZwSetValueKey | 4663 | An attempt was made to access an object | Microsoft-Windows-Security-Auditing | Windows Registry | NtSetValueKey.ps1 | | |
| OpenSCManagerA | 4674 | An operation was attempted on a privileged object | Microsoft-Windows-Security-Auditing | Windows event logs | | Find Local Admin Access | |
| OpenSCManagerW | 4674 | An operation was attempted on a privileged object | Microsoft-Windows-Security-Auditing | Windows event logs | OpenSCManagerW.ps1 | Find Local Admin Access | |
| CreateProcessA | 4688 | A new process has been created | Microsoft-Windows-Security-Auditing | Process monitoring | | | |
| CreateProcessAsUserA | 4688 | A new process has been created | Microsoft-Windows-Security-Auditing | Process monitoring | | | |
| CreateProcessAsUserW | 4688 | A new process has been created | Microsoft-Windows-Security-Auditing | Process monitoring | | | |
| CreateProcessWithLogonW | 4688 | A new process has been created | Microsoft-Windows-Security-Auditing | Process monitoring | | | |
| CreateProcessWithTokenW | 4688 | A new process has been created | Microsoft-Windows-Security-Auditing | Process monitoring | | | |
| CreateProcessW | 4688 | A new process has been created | Microsoft-Windows-Security-Auditing | Process monitoring | | | |
| CreateServiceW | 4697 | A service was installed in the system | Microsoft-Windows-Security-Auditing | Windows event logs | | | |
| NetUserAdd | 4720 | A user account was created | Microsoft-Windows-Security-Auditing | Windows event logs | | | |
| NetUserChangePassword | 4724 | An attempt was made to reset an account's password | Microsoft-Windows-Security-Auditing | Windows event logs | | | |
| NetUserDel | 4726 | A user account was deleted | Microsoft-Windows-Security-Auditing | Windows event logs | | | |
| LogonUserA | 4776 | The computer attempted to validate the credentials for an account | Microsoft-Windows-Security-Auditing | Windows event logs, Authentication logs | | | |
| LogonUserExA | 4776 | The computer attempted to validate the credentials for an account | Microsoft-Windows-Security-Auditing | Windows event logs, Authentication logs | | | |
| LogonUserExW | 4776 | The computer attempted to validate the credentials for an account | Microsoft-Windows-Security-Auditing | Windows event logs, Authentication logs | | | |
| LogonUserW | 4776 | The computer attempted to validate the credentials for an account | Microsoft-Windows-Security-Auditing | Windows event logs, Authentication logs | | | |
| NetShareEnum | 5140 | A network share object was accessed. | Microsoft-Windows-Security-Auditing | Windows event logs | | | |
| CreateProcessA | 1 | Process Creation | Microsoft-Windows-Sysmon | Process monitoring | | | Sysmon rule entry |
| CreateProcessAsUserA | 1 | Process Creation | Microsoft-Windows-Sysmon | Process monitoring | | | Sysmon rule entry |
| CreateProcessAsUserW | 1 | Process Creation | Microsoft-Windows-Sysmon | Process monitoring | | | Sysmon rule entry |
| CreateProcessW | 1 | Process Creation | Microsoft-Windows-Sysmon | Process monitoring | | | Sysmon rule entry |
| CreateProcessWithLogonW | 1 | Process Creation | Microsoft-Windows-Sysmon | Process monitoring | | | Sysmon rule entry |
| CreateProcessWithTokenW | 1 | Process Creation | Microsoft-Windows-Sysmon | Process monitoring | CreateProcessWithToken | | Sysmon rule entry |
| OpenProcess | 10 | ProcessAccess | Microsoft-Windows-Sysmon | process monitoring | OpenProcess.ps1 | Mimikatz Logonpasswords | Sysmon rule entry |
| NtOpenProcess | 10 | ProcessAccess | Microsoft-Windows-Sysmon | process monitoring | | | Sysmon rule entry |
| CopyFile | 11 | FileCreate | Microsoft-Windows-Sysmon | file monitoring | | | Sysmon rule entry |
| CopyFile2 | 11 | FileCreate | Microsoft-Windows-Sysmon | file monitoring | | | Sysmon rule entry |
| CopyFileEx | 11 | FileCreate | Microsoft-Windows-Sysmon | file monitoring | | | Sysmon rule entry |
| CreateFile2 | 11 | FileCreate | Microsoft-Windows-Sysmon | file monitoring | | | Sysmon rule entry |
| CreateFileA | 11 | FileCreate | Microsoft-Windows-Sysmon | file monitoring | | | Sysmon rule entry |
| CreateFileW | 11 | FileCreate | Microsoft-Windows-Sysmon | file monitoring | | | Sysmon rule entry |
| MoveFile | 11 | FileCreate | Microsoft-Windows-Sysmon | file monitoring | | | Sysmon rule entry |
| NtCreateFile | 11 | FileCreate | Microsoft-Windows-Sysmon | file monitoring | | | Sysmon rule entry |
| NtWriteFile | 11 | FileCreate | Microsoft-Windows-Sysmon | file monitoring | | | Sysmon rule entry |
| RegCreateKeyA | 12 | RegistryEvent (Object create and delete) | Microsoft-Windows-Sysmon | Windows Registry | | | Sysmon rule entry |
| RegCreateKeyExA | 12 | RegistryEvent (Object create and delete) | Microsoft-Windows-Sysmon | Windows Registry | | | Sysmon rule entry |
| RegCreateKeyExW | 12 | RegistryEvent (Object create and delete) | Microsoft-Windows-Sysmon | Windows Registry | | | Sysmon rule entry |
| RegCreateKeyTransactedA | 12 | RegistryEvent (Object create and delete) | Microsoft-Windows-Sysmon | Windows Registry | | | Sysmon rule entry |
| RegCreateKeyTransactedW | 12 | RegistryEvent (Object create and delete) | Microsoft-Windows-Sysmon | Windows Registry | | | Sysmon rule entry |
| RegCreateKeyW | 12 | RegistryEvent (Object create and delete) | Microsoft-Windows-Sysmon | Windows Registry | | | Sysmon rule entry |
| RegDeleteKeyA | 12 | RegistryEvent (Object create and delete) | Microsoft-Windows-Sysmon | Windows Registry | | | Sysmon rule entry |
| RegDeleteKeyExA | 12 | RegistryEvent (Object create and delete) | Microsoft-Windows-Sysmon | Windows Registry | | | Sysmon rule entry |
| RegDeleteKeyExW | 12 | RegistryEvent (Object create and delete) | Microsoft-Windows-Sysmon | Windows Registry | | | Sysmon rule entry |
| RegDeleteKeyTransactedA | 12 | RegistryEvent (Object create and delete) | Microsoft-Windows-Sysmon | Windows Registry | | | Sysmon rule entry |
| RegDeleteKeyTransactedW | 12 | RegistryEvent (Object create and delete) | Microsoft-Windows-Sysmon | Windows Registry | | | Sysmon rule entry |
| RegDeleteKeyW | 12 | RegistryEvent (Object create and delete) | Microsoft-Windows-Sysmon | Windows Registry | | | Sysmon rule entry |
| RegDeleteTreeA | 12 | RegistryEvent (Object create and delete) | Microsoft-Windows-Sysmon | Windows Registry | | | Sysmon rule entry |
| RegDeleteTreeW | 12 | RegistryEvent (Object create and delete) | Microsoft-Windows-Sysmon | Windows Registry | | | Sysmon rule entry |
| RegDeleteValueA | 12 | RegistryEvent (Object create and delete) | Microsoft-Windows-Sysmon | Windows Registry | | | Sysmon rule entry |
| RegDeleteValueW | 12 | RegistryEvent (Object create and delete) | Microsoft-Windows-Sysmon | Windows Registry | | | Sysmon rule entry |
| ZwCreateKey | 12 | RegistryEvent (Object create and delete) | Microsoft-Windows-Sysmon | Windows Registry | NtCreateKey.ps1 | | Sysmon rule entry |
| ZwDeleteKey | 12 | RegistryEvent (Object create and delete) | Microsoft-Windows-Sysmon | Windows Registry | | | Sysmon rule entry |
| RegSetKeyValueA | 13 | RegistryEvent (Value Set) | Microsoft-Windows-Sysmon | Windows Registry | | | Sysmon rule entry |
| RegSetKeyValueW | 13 | RegistryEvent (Value Set) | Microsoft-Windows-Sysmon | Windows Registry | | | Sysmon rule entry |
| RegSetValueA | 13 | RegistryEvent (Value Set) | Microsoft-Windows-Sysmon | Windows Registry | | | Sysmon rule entry |
| RegSetValueExA | 13 | RegistryEvent (Value Set) | Microsoft-Windows-Sysmon | Windows Registry | | | Sysmon rule entry |