EVENT ID 4

This event only reports the state of the Sysmon service: whether it has started or has been stopped. You will always want to monitor this event so that you notice if someone turns Sysmon off.


EVENT ID 5

Complementing process creation, Event ID 5 is generated when a process terminates. This is useful when doing forensic work on an infected machine to identify typical malware activity, such as malware killing the processes it created in order to cover its tracks.

EVENT ID 6

Another event useful in detecting malware, Event ID 6 identifies loaded DLLs, along with the signature of each DLL, whether the DLL was removed after executing, and a hash that can again be submitted to a site like VirusTotal.com.
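As an added example (not code from the original page or from Sysmon itself), here is a small Python triage pass over Sysmon event XML in the form the Windows event log exports it, covering the three event IDs above: flag any Event ID 4 whose State is not "Started", list every Event ID 5 termination for the timeline, and for Event ID 6 pull the SHA256 out of the Hashes field and flag unsigned images. The three records are constructed samples, and the field names (State, Image, ProcessId, ImageLoaded, Hashes, Signed, SignatureStatus) follow Sysmon's own event schema.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}  # Windows event XML namespace

# Constructed sample records (not real captures), one per event ID discussed above.
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4</EventID></System>
    <EventData><Data Name="UtcTime">2024-01-01 10:00:00.000</Data><Data Name="State">Stopped</Data></EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>5</EventID></System>
    <EventData><Data Name="UtcTime">2024-01-01 10:00:01.000</Data><Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\\Windows\\System32\\notepad.exe</Data></EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>6</EventID></System>
    <EventData><Data Name="UtcTime">2024-01-01 10:00:02.000</Data><Data Name="ImageLoaded">C:\\Temp\\unknown.sys</Data>
    <Data Name="Hashes">SHA1=AAAA,MD5=BBBB,SHA256=CCCC</Data><Data Name="Signed">false</Data>
    <Data Name="SignatureStatus">Unavailable</Data></EventData></Event>""",
]


def parse_event(xml_text):
    """Return (event_id, {field name: value}) from one Sysmon event's XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def sha256_from_hashes(hashes):
    """Pull the SHA256 value out of Sysmon's 'ALG=value,ALG=value' Hashes field."""
    for part in hashes.split(","):
        alg, _, value = part.partition("=")
        if alg.strip().upper() == "SHA256":
            return value.strip()
    return None  # Sysmon was not configured to record SHA256


def triage(xml_records):
    """One defensive check per event ID; returns a list of (kind, subject, detail) findings."""
    findings = []
    for xml_text in xml_records:
        event_id, d = parse_event(xml_text)
        if event_id == 4 and d.get("State") != "Started":
            # Sysmon stopped (or in an unexpected state): logging has a blind spot from this time on.
            findings.append(("sysmon_state", d.get("State"), d.get("UtcTime")))
        elif event_id == 5:
            # Every termination goes on the timeline; correlate with the matching create event later.
            findings.append(("process_terminated", d.get("Image"), d.get("ProcessId")))
        elif event_id == 6 and d.get("Signed", "").lower() != "true":
            # Unsigned image: keep the SHA256 so it can be looked up on a service like VirusTotal.
            findings.append(("unsigned_image", d.get("ImageLoaded"), sha256_from_hashes(d.get("Hashes", ""))))
    return findings
```

In practice the records would come from `Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational"` with each event's `.ToXml()` output fed to `triage`.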