9. Investigate what processes are able to do

Status: Completed
Tags: Sysmon, EDR

What can a process do?

Connect to a network (NetworkConnect, Event ID 3)
Create and connect to a named pipe (PipeEvent: Pipe Created, Event ID 17 / Pipe Connected, Event ID 18)
Register a WMI event filter, consumer or binding (WmiEvent, Event IDs 19/20/21)
Execute a DNS query (DnsQuery, Event ID 22)
Create a file (FileCreate, Event ID 11 / FileCreateStreamHash, Event ID 15 / FileCreateTime, Event ID 2)
Load an image (ImageLoad, Event ID 7)
Create or delete a registry key or value (RegistryEvent, Event IDs 12/13/14)
Load a driver (DriverLoad, Event ID 6)
Tamper with a process image (ProcessTampering, Event ID 25)
Access another process (ProcessAccess, Event ID 10)
Create a remote thread (CreateRemoteThread, Event ID 8)
From this list, we can see that a process can do many things, and there are many ways an attacker can deliver a malicious payload that leads to Code-Execution on the victim's machine. Fortunately, Sysmon can log every one of these event types, so we can detect them and gather information from the logs. One caveat: Sysmon only records what the include/exclude rules in its configuration select for each event type, so a minimal configuration will be silent on several of these. Run sysmon -c to dump the active configuration and check that the event types you care about are actually covered before drawing conclusions from an absence of events.
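As an added example, not code from this page, the Python below turns a batch of Sysmon events (as a forwarder would flatten them into JSON) into a per-process list of the capabilities above, builds a per-image baseline from a capture believed to be clean, and reports which processes used something the baseline never saw. The sample events, the process GUIDs and the invoice.exe path are all constructed for illustration; the field names (ProcessGuid, Image, SourceProcessGUID, SourceImage, TargetImage, GrantedAccess) are the ones Sysmon writes.

```python
"""Per-process capability profile from Sysmon events (added example, not
from the original page). Input events are constructed to mirror the field
names Sysmon writes once a log forwarder has flattened the EVTX record into
JSON; real records carry many more fields than shown here."""
from collections import defaultdict

# Sysmon Event ID -> capability name from the list above. ProcessCreate
# (Event ID 1) is not in that list but marks where a process starts.
CAPABILITY_BY_EVENT_ID = {
    1: "ProcessCreate",
    2: "FileCreateTime",
    3: "NetworkConnect",
    6: "DriverLoad",
    7: "ImageLoad",
    8: "CreateRemoteThread",
    10: "ProcessAccess",
    11: "FileCreate",
    12: "RegistryEvent", 13: "RegistryEvent", 14: "RegistryEvent",
    15: "FileCreateStreamHash",
    17: "PipeEvent", 18: "PipeEvent",
    19: "WmiEvent", 20: "WmiEvent", 21: "WmiEvent",
    22: "DnsQuery",
    25: "ProcessTampering",
}

SVCHOST = r"C:\Windows\System32\svchost.exe"
EXPLORER = r"C:\Windows\explorer.exe"
LSASS = r"C:\Windows\System32\lsass.exe"
INVOICE = r"C:\Users\yj\Downloads\invoice.exe"  # hypothetical suspect binary

# Constructed sample: what a clean VM produced for well-known images.
CLEAN_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{S1}", "Image": SVCHOST},
    {"EventID": 22, "ProcessGuid": "{S1}", "Image": SVCHOST, "QueryName": "ctldl.windowsupdate.com"},
    {"EventID": 3, "ProcessGuid": "{S1}", "Image": SVCHOST, "DestinationPort": "443"},
    {"EventID": 1, "ProcessGuid": "{E1}", "Image": EXPLORER},
    {"EventID": 11, "ProcessGuid": "{E1}", "Image": EXPLORER, "TargetFilename": r"C:\Users\yj\Desktop\notes.txt"},
    {"EventID": 13, "ProcessGuid": "{E1}", "Image": EXPLORER, "TargetObject": r"HKU\S-1-5-21-1\Software\RecentDocs"},
]

# Constructed sample: a later capture with one extra process in it.
SUSPECT_EVENTS = CLEAN_EVENTS + [
    {"EventID": 1, "ProcessGuid": "{B1}", "Image": INVOICE},
    {"EventID": 22, "ProcessGuid": "{B1}", "Image": INVOICE, "QueryName": "example.invalid"},
    {"EventID": 3, "ProcessGuid": "{B1}", "Image": INVOICE, "DestinationPort": "8443"},
    # ProcessAccess (10) spells the field SourceProcessGUID; CreateRemoteThread (8) uses SourceProcessGuid.
    {"EventID": 10, "SourceProcessGUID": "{B1}", "SourceImage": INVOICE, "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"EventID": 8, "SourceProcessGuid": "{B1}", "SourceImage": INVOICE, "TargetImage": EXPLORER},
]


def actor_of(event):
    """Return (guid, image) of the process that performed the action.

    Most event types carry ProcessGuid/Image. ProcessAccess and
    CreateRemoteThread describe a source acting on a target, so the actor
    is the Source* side; both GUID spellings Sysmon uses are accepted."""
    guid = (event.get("ProcessGuid") or event.get("SourceProcessGuid")
            or event.get("SourceProcessGUID"))
    image = event.get("Image") or event.get("SourceImage")
    return guid, image


def profile_processes(events):
    """Group events by acting process and collect the capabilities it used."""
    profiles = {}
    for ev in events:
        cap = CAPABILITY_BY_EVENT_ID.get(ev["EventID"])
        if cap is None:
            continue  # event types this example does not summarise
        guid, image = actor_of(ev)
        entry = profiles.setdefault(guid, {"image": image, "capabilities": set(), "events": 0})
        entry["capabilities"].add(cap)
        entry["events"] += 1
    return profiles


def baseline_from(profiles):
    """Per-image union of capabilities seen on a machine believed to be clean."""
    baseline = defaultdict(set)
    for entry in profiles.values():
        baseline[entry["image"]] |= entry["capabilities"]
    return dict(baseline)


def deviations(profiles, baseline):
    """Capabilities each process used that the baseline never saw for its image."""
    out = []
    for guid, entry in profiles.items():
        unexpected = entry["capabilities"] - baseline.get(entry["image"], set())
        if unexpected:
            out.append((entry["image"], guid, sorted(unexpected)))
    return out


if __name__ == "__main__":
    base = baseline_from(profile_processes(CLEAN_EVENTS))
    for image, guid, caps in deviations(profile_processes(SUSPECT_EVENTS), base):
        print(f"{image} {guid} did what the baseline never saw: {', '.join(caps)}")
```

The baseline is only as trustworthy as the machine it was captured on, which is the point the comments below make about a "clean" VM: if the baseline capture is already tainted, a deviation check learns the attacker's behaviour as normal. A Python script is used here rather than PowerShell because the same comparison can be run offline on exported events from any host.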

Jym's Comments

Windows Audit Equivalent

Have a look at https://www.ultimatewindowssecurity.com. If one ever tried to find the equivalent of Sysmon events among Windows audit events, one would realise it is quite an onerous task, not just from the perspective of data equivalence and availability, but also the GPO configuration needed just to get some of these audit events. By the time you see typical SIEM 1.0 (glorified IDS for which you write your own rules) rules flagged on Windows audit events like a suspicious user account being created, and you spend your time manually figuring out..., it's probably too late.

Event Transport Considerations

Sysmon can be deployed easily with centralised deployment tools like SCCM or a non-Microsoft equivalent. Collect-and-transport of events, however, can be a pain. I say this because I tried. Google large-scale WEF configuration and you may appreciate the complexity.
See https://github.com/jymcheong/OneWaySFTP#comparison. In order to investigate, one must have evidence. The comparison tables at the OneWaySFTP link highlight various considerations related to event transport. So when we pay for products, we should look out for a secured, reliable and scalable design.

Repeatable Evaluation Process

YJ looked at a set of event types from Sysmon, then worked his way through finding the benign processes that emit them. And how do we know they are benign? Well, I would assume his VM is relatively "new/clean", downloaded from the MS developer site for the sake of studying these events, not some warez or pirated torrent ;P But what if the tools are already tainted?

We should do this exercise with any EDR brand to learn the equivalent event types, and expect even more useful attributes, since a freeware tool can already tell us quite a fair bit!
The other important aspect of observability is the evasion techniques that make certain Code-Execution invisible. Have a look at the links below to prep yourself for the next track...
https://github.com/jthuraisamy/SysWhispers ← try this and see if you can evade Sysmon