Appendix 2 – List of Activities (Events)
| Event Name | Activity Parameters |
|---|---|
| Autostart | Registry Section; Key Name; Path to Executable Program; Autostart Initiator Process |
| New Process | New Process File; Command Line; Parent Process |
| New Service | Service Name; Path to Service Program; Initiator Process |
| Code Injection | Target Process for Injection; Initiator Process (Injector) |
| Keylogger | Spy Process; Victim Program; Keystroke Log File (Credential File) |
| Code Injection Access | Opened Process; Source Process |
| Access to Autostart Registry | Initiator Process; Registry Key Name |
| Executable File Extraction | File Creator Process (Dropper); Created File |
| Internet Connection Established | Connection Initiator Process; Remote Address; Remote Port; Local Port; Protocol Type |
| Waiting for Incoming Connection | Initiator Process Waiting for Connection; Local Port; Protocol Type |
| Internet Connection Attempt (Failed) | Connection Initiator Process; Remote Address; Remote Port; Local Port; Protocol Type |
| Moving an Important File | Important File Initiator Process; New File Name; Old File Name |
| Opening Another Executable File | Initiator Process; Opened File |
| Opening Multiple Executable Files | Initiator Process; Number of Files; File Types; Directories |
| Writing to Another Executable File (Modification) | Initiator Process; Modified File |
| Writing to Multiple Executable Files (Mass Modification) | Initiator Process; Number of Files; File Types; Directories |
| Infecting Another Executable File (Code Injection into File) | Initiator Process; Infected File |
| Infecting Multiple Executable Files (Mass Code Injection into Files) | Initiator Process; Number of Files; File Types; Directories |
| Creating a New System Task for Task Scheduler | Initiator Process; Task Name in Scheduler |
| Setting an Executable File for Autostart (via Task Scheduler) | Initiator Process; Object Set for Autostart; Task Name in Scheduler; Execution Date and Time; Username for the Task |
| Suspicious Process Invaded a Legitimate Process (DLL Injection) | Target Process for Injection; Initiator Process (Injector); Injected DLL File |
| Untrusted Process Delays Execution (Possibly to Evade Detection) | Initiator Process; Execution Delay Time; Delay Method; System Object Name Used for Delay |
| Low-Level Disk Access | Initiator Process; Access Type; Disk Name |
| Low-Level Access to Multiple Disks | Initiator Process; Access Type; Disk Types; Number of Disks |
| Low-Level Disk Management | Initiator Process; Disk Name; Disk Operation Type; Driver Control Code |
| Registry Key Monitoring | Initiator Process; Registry Key Name; Event Filter Value; Registry Key Operation Type |
| Windows Installation Identification | Initiator Process; Registry Key Name; Windows Attribute Used for Identification |
| Unique Computer Identification | Initiator Process; Registry Key Name; Computer Attribute (Used for Identification) |
| Reads Internet Settings | Initiator Process; Registry Key Name; Setting |
| Attempts to Establish Multiple Internet Connections (IP Address Scanning) | Connection Initiator Process; Number of Network Connections; Remote Address Subnet; List of Remote Ports; List of Local Ports; Protocol Types |
| Low-Level Disk Write | Initiator Process; Disk Name; Write Start Position (Offset); Number of Bytes Written; Written Text (Characters); Written Raw Buffer (Bytes) |