Windows APIs To Sysmon-Events

A repository that maps Windows API calls to Sysmon Event IDs.

API Mapping:

The mapping process flow is as follows:

[Mapping process-flow diagram]

API mapping sheet:

API Data Relationships Google Sheet

API Mapping Images:

These images can be found within the API-Mapping-Images directory.

Research Notes:

  • API(A) - the API accepts ASCII (narrow) character strings. API(W) - the API accepts wide (UTF-16) character strings.
  • Nt(API) - the user-mode entry point. Zw(API) - the variant called from the kernel. Where an Nt(API) is listed, the Zw variant is implied.
  • The APIs listed are those that were seen on the call stack while stopped at a breakpoint on the event registration mechanism.

Comments:

Credit:

A big thanks and credit goes out to the following individuals for the help and insight they had on this project:

  • Matt Graeber - Guiding me through the reverse engineering, walking me through multiple function calls, and verifying many of these callback functions.
  • Brian Reitz - Helping me understand function calls and interprocess communication.
  • Jared Atkinson - Helping me understand function calls and interprocess communication.

Resources:

Feedback:

Feedback or thoughts are always welcome!
