jsecurity101/Windows-API-To-Sysmon-Events
Project is now deprecated. Please visit TelemetrySource for a supported version of this project.

Windows APIs To Sysmon-Events

A repository that maps Windows API calls to Sysmon Event IDs.

API Mapping:

The mapping process flow is as follows:

[Image: Mapping]

API mapping sheet:

API Data Relationships Google Sheet

API Mapping Images:

These images can be found within the API-Mapping-Images directory.

Research Notes:

  • API(A) - the API accepts ASCII character strings. API(W) - the API accepts wide character strings.
  • Nt(API) - the user-mode entry point. Zw(API) - the variant called from the kernel. Where an Nt(API) is listed, the corresponding Zw(API) is implied.
  • The APIs listed are those observed on the call stack when a breakpoint was hit on the event registration mechanism.

Comments:

Credit:

A big thanks and credit goes out to the following individuals for the help and insight they had on this project:

  • Matt Graeber - Guiding me through the reverse engineering, walking me through multiple function calls, and verifying many of these callback functions.
  • Brian Reitz - Helping me understand function calls and interprocess communication.
  • Jared Atkinson - Helping me understand function calls and interprocess communication.

Resources:

Feedback:

Feedback or thoughts are always welcome!