Sysmon

| Revised Date | Author | Comment |
|---|---|---|
| 21.03.2025 | Roger Johnsen | Article added |

Introduction

Sysmon (System Monitor) event IDs are a powerful tool for threat hunters, offering detailed insight into system activity that helps detect malicious behaviour and abnormal patterns. By capturing critical events such as process creation, network connections and registry modifications, Sysmon adds visibility into Windows environments that the default Windows event logs do not provide. These logs are crucial for identifying persistence mechanisms, lateral movement and other tactics described in the MITRE ATT&CK framework. By mapping each event ID to the techniques it can surface, security teams can hunt for threats proactively, investigate incidents and strengthen their organisation's security posture.


Sysmon Event IDs

| Event ID | Name | Description | MITRE ATT&CK Technique |
|---|---|---|---|
| 1 | Process Creation | Logs the creation of new processes | T1059: Command and Scripting Interpreter, T1204: User Execution |
| 2 | File Creation Time Changed | Detects changes to file creation timestamps | T1070.006: Timestomp |
| 3 | Network Connection | Records network connections and related processes | T1071: Application Layer Protocol, T1021: Remote Services |
| 4 | Sysmon Service State Changed | Logs changes to the Sysmon service state | N/A |
| 5 | Process Terminated | Records when a process ends | T1480: Execution Guardrails, T1562: Impair Defenses |
| 6 | Driver Loaded | Detects when a driver is loaded on the system | T1547.006: Boot or Logon Autostart Execution: Kernel Modules and Extensions, T1014: Rootkit |
| 7 | Image Loaded | Logs when a module is loaded in a process | T1574: Hijack Execution Flow, T1129: Shared Modules |
| 8 | CreateRemoteThread | Detects when a process creates a thread in another process | T1055: Process Injection, T1056.004: Credential API Hooking |
| 9 | RawAccessRead | Detects when a process conducts raw reading of a drive | T1006: Direct Volume Access, T1003: OS Credential Dumping |
| 10 | ProcessAccess | Logs when a process opens another process | T1057: Process Discovery, T1003: OS Credential Dumping |
| 11 | FileCreate | Records file creation events | T1105: Ingress Tool Transfer, T1078: Valid Accounts |
| 12 | RegistryEvent (Object create and delete) | Detects registry key and value create and delete operations | T1112: Modify Registry, T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| 13 | RegistryEvent (Value Set) | Logs registry value modifications | T1112: Modify Registry, T1546.001: Event Triggered Execution: Change Default File Association |
| 14 | RegistryEvent (Key and Value Rename) | Records registry key and value rename operations | T1112: Modify Registry, T1070: Indicator Removal on Host |
| 15 | FileCreateStreamHash | Logs the creation of alternate data streams | T1564.004: Hide Artifacts: NTFS File Attributes, T1027: Obfuscated Files or Information |
| 16 | ServiceConfigurationChange | Detects changes to service configurations | T1543: Create or Modify System Process, T1569.002: System Services: Service Execution |
| 17 | PipeEvent (Pipe Created) | Logs when named pipes are created | T1559: Inter-Process Communication, T1021.002: Remote Services: SMB/Windows Admin Shares |
| 18 | PipeEvent (Pipe Connected) | Records when a named pipe connection is made | T1559: Inter-Process Communication, T1570: Lateral Tool Transfer |
| 19 | WmiEvent (WmiEventFilter activity detected) | Detects WMI event filter creation | T1047: Windows Management Instrumentation, T1546.003: Event Triggered Execution: Windows Management Instrumentation Event Subscription |
| 20 | WmiEvent (WmiEventConsumer activity detected) | Logs WMI event consumer creation | T1047: Windows Management Instrumentation, T1546.003: Event Triggered Execution: Windows Management Instrumentation Event Subscription |
| 21 | WmiEvent (WmiEventConsumerToFilter activity detected) | Records WMI filter to consumer bindings | T1047: Windows Management Instrumentation, T1546.003: Event Triggered Execution: Windows Management Instrumentation Event Subscription |
| 22 | DNSEvent (DNS query) | Logs DNS queries and responses | T1071.004: Application Layer Protocol: DNS, T1568: Dynamic Resolution |
| 23 | FileDelete (File Delete archived) | Records file deletion events | T1070.004: Indicator Removal on Host: File Deletion, T1485: Data Destruction |
| 24 | ClipboardChange | Detects changes to the system clipboard | T1115: Clipboard Data, T1056.001: Input Capture: Keylogging |
| 25 | ProcessTampering | Logs attempts to tamper with process memory | T1562: Impair Defenses, T1055: Process Injection |
| 26 | FileDeleteDetected | Detects file deletion operations | T1070.004: Indicator Removal on Host: File Deletion, T1107: File Deletion |
| 27 | FileBlockExecutable | Logs when an executable file is blocked from running | T1562: Impair Defenses, T1036: Masquerading |
| 28 | FileBlockShredding | Detects attempts to securely delete files | T1070.004: Indicator Removal on Host: File Deletion, T1561: Disk Wipe |
| 29 | FileExecutableDetected | Records when an executable file is detected | T1204: User Execution, T1569: System Services |
| 255 | Error | Indicates an error condition in Sysmon | N/A |
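The table above is a lookup; the following PowerShell script is an added example of how a hunter would put it to use, and is not part of the original article. It reads the last 24 hours of the Microsoft-Windows-Sysmon/Operational channel for a handful of the event IDs listed (1, 3, 8 and 10), extracts the event-specific fields from each record's XML, and annotates each row with the technique from the table. The script assumes Sysmon is installed with a configuration that records those event types, and that the shell runs with rights to read the Sysmon channel (administrator or the Event Log Readers group); the `$techniqueMap` hashtable and the choice of event IDs are the example's own.

```powershell
# Added example, not from the original article: annotate recent Sysmon events
# with the ATT&CK technique from the event ID table. Assumes Sysmon is installed
# and the shell can read the Microsoft-Windows-Sysmon/Operational channel.

# Event ID -> technique string taken from the table above (subset chosen for the example).
$techniqueMap = @{
    1  = 'T1059 Command and Scripting Interpreter / T1204 User Execution'
    3  = 'T1071 Application Layer Protocol / T1021 Remote Services'
    8  = 'T1055 Process Injection / T1056.004 Credential API Hooking'
    10 = 'T1057 Process Discovery / T1003 OS Credential Dumping'
}

# Query only the event IDs we map, limited to the last 24 hours.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = @([int[]]$techniqueMap.Keys)
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No matching Sysmon events in the last 24 hours (is Sysmon installed and configured for these IDs?).'
    return
}

$events | ForEach-Object {
    # Sysmon stores its fields as <Data Name="...">value</Data> under EventData.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Field names differ per event type: 1 and 3 use Image, 8 and 10 use SourceImage/TargetImage.
    $detail = switch ([int]$_.Id) {
        1  { $data['CommandLine'] }
        3  { '{0} -> {1}:{2}' -f $data['Protocol'], $data['DestinationIp'], $data['DestinationPort'] }
        8  { 'thread in {0}' -f $data['TargetImage'] }
        10 { '{0} GrantedAccess={1}' -f $data['TargetImage'], $data['GrantedAccess'] }
    }
    $image = if ($data.ContainsKey('SourceImage')) { $data['SourceImage'] } else { $data['Image'] }

    [pscustomobject]@{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        Technique = $techniqueMap[[int]$_.Id]
        Image     = $image
        Detail    = $detail
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

In a real hunt the next step is to pivot on the `Image` column (for example, grouping event 10 records by source and target image to spot unusual processes opening `lsass.exe`) rather than reading every row; the technique annotation is what lets a SIEM or notebook aggregate the same records by ATT&CK technique instead of by raw event ID.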