EVENT ID 8

Another event that is useful when hunting for malware. Event ID 8 (CreateRemoteThread) is logged whenever a process creates a thread inside another process, which is how most code injection is done. Many different families of malware use this technique, so pay particular attention to the SourceImage and TargetImage fields, especially when the target is a sensitive process such as lsass.exe, and to threads whose start address is not backed by a loaded module (StartModule shows "-").


EVENT ID 9

Event ID 9 (RawAccessRead) identifies any process that reads a drive or volume directly using \\.\ notation instead of going through the file system. Reading the raw device bypasses file locks and ACLs, so this is how attackers copy files that cannot normally be opened, such as the SAM hive or NTDS.dit. A few backup and disk tools do this legitimately, so build an allowlist for those and alert on everything else.


EVENT ID 11

Event ID 11 (FileCreate) is logged whenever a file is created or overwritten (it does not fire for in-place edits of an existing file). Because it records which process wrote which file, it can help identify the initial source of an infection, for example an Office or browser process dropping a script or executable into a Temp folder.


EVENT ID 12,13,14

All three of these events monitor registry changes: Event ID 12 is logged when a key or value is created or deleted, Event ID 13 when a value is set, and Event ID 14 when a key or value is renamed. Depending on the size of your environment, you may or may not know when applications are being installed or when changes are being made on workstations/servers, so this is a good way to see what is happening on your network that you might not otherwise know about. Changes under the Run/RunOnce keys, the Services key and Winlogon are the ones most worth alerting on, since those are the usual persistence locations.
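To show how the fields of these four event types are actually used, here is an added example (not code from the original page) that parses Sysmon events in the XML layout exported by Event Viewer or Get-WinEvent and applies a simple triage rule to each of Event IDs 8, 9, 11 and 12-14. The sample events, paths, GUID-free SIDs and the allow/deny lists are all constructed assumptions to be tuned for a real environment; only the field names (SourceImage, TargetImage, StartModule, Device, TargetFilename, TargetObject, EventType, Details) come from the Sysmon event schema.

```python
"""Triage Sysmon events 8, 9, 11 and 12-14 from exported event XML.

Added example; not code from the original page. Every sample event below is
constructed, and the allow/deny lists are assumptions to tune per environment.
"""
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _xml(eid, **data):
    """Build one constructed Sysmon event in the exported Windows event XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f"<EventID>{eid}</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel>"
            f"</System><EventData>{fields}</EventData></Event>")


# Constructed sample events: one suspicious and one benign-looking example where useful.
SAMPLE_EVENTS = [
    _xml(8, SourceImage=r"C:\Users\bob\AppData\Local\Temp\update.exe",
         TargetImage=r"C:\Windows\System32\lsass.exe",
         StartAddress="0x00007FFB0A0C1234", StartModule="-"),
    _xml(8, SourceImage=r"C:\Windows\System32\csrss.exe",
         TargetImage=r"C:\Windows\explorer.exe",
         StartAddress="0x00007FFB0A0C5678", StartModule=r"C:\Windows\System32\ntdll.dll"),
    _xml(9, Image=r"C:\Users\bob\AppData\Local\Temp\update.exe", Device=r"\Device\HarddiskVolume3"),
    _xml(11, Image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
         TargetFilename=r"C:\Users\bob\AppData\Local\Temp\inv0ice.vbs"),
    _xml(11, Image=r"C:\Windows\System32\svchost.exe", TargetFilename=r"C:\Windows\Temp\log.txt"),
    _xml(13, EventType="SetValue", Image=r"C:\Windows\System32\reg.exe",
         TargetObject=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
         Details=r"C:\Users\bob\AppData\Local\Temp\update.exe"),
]

# Assumed tuning lists (lower-case basenames / key fragments).
SENSITIVE_TARGETS = {"lsass.exe", "winlogon.exe", "csrss.exe", "services.exe"}
RAW_READ_ALLOWLIST = {"vssvc.exe", "defrag.exe"}          # assumed benign raw readers
DROPPER_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe"}
EXEC_EXT = (".exe", ".dll", ".ps1", ".vbs", ".js", ".hta", ".scr")
PERSISTENCE_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce", "\\services\\", "\\winlogon\\")


def _base(path):
    return ntpath.basename(path).lower()


def parse_event(xml_text):
    """Return {'EventID': int, <Data Name>: value, ...} for one exported Sysmon event."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def triage(ev):
    """Return a one-line reason when the event deserves a closer look, else None."""
    eid = ev["EventID"]
    img = _base(ev.get("Image", ev.get("SourceImage", "")))
    if eid == 8:  # CreateRemoteThread: a thread started in another process
        target = _base(ev.get("TargetImage", ""))
        if target in SENSITIVE_TARGETS:
            return f"EID 8: {img} created a thread in {target}"
        if ev.get("StartModule", "-") == "-":
            return f"EID 8: {img} started a thread in {target} at an address not backed by a module"
    elif eid == 9:  # RawAccessRead: \\.\ read of a volume, bypassing file locks and ACLs
        if ev.get("Device", "").lower().startswith("\\device\\harddisk") and img not in RAW_READ_ALLOWLIST:
            return f"EID 9: {img} read {ev['Device']} raw"
    elif eid == 11:  # FileCreate: a file was created or overwritten
        if img in DROPPER_PARENTS and ev.get("TargetFilename", "").lower().endswith(EXEC_EXT):
            return f"EID 11: {img} wrote {ev['TargetFilename']}"
    elif eid in (12, 13, 14):  # registry create/delete, set value, rename
        obj = ev.get("TargetObject", "").lower()
        if any(k in obj for k in PERSISTENCE_KEYS):
            return f"EID {eid}: {ev.get('EventType')} on {ev['TargetObject']} by {img}"
    return None


def triage_all(xml_events):
    """Parse and triage every event; returns [(EventID, reason)] for flagged events only."""
    hits = []
    for x in xml_events:
        ev = parse_event(x)
        reason = triage(ev)
        if reason:
            hits.append((ev["EventID"], reason))
    return hits


if __name__ == "__main__":
    for _, reason in triage_all(SAMPLE_EVENTS):
        print(reason)
```

Run as-is it flags four of the six constructed events (the LSASS thread, the raw volume read, the Word-dropped .vbs and the Run-key value) and ignores the csrss.exe thread with a module-backed start address and the svchost.exe text file. Feed it real output by exporting the Sysmon channel to XML and splitting on the Event elements; the rules themselves are the starting point, not a finished detection set.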