Sysmon
Author: Roger C.B. Johnsen
Introduction
Sysmon event IDs are a powerful tool for threat hunters, offering detailed insights into system activities that help detect malicious behavior and abnormal patterns. By capturing critical events like process creation, network connections, and registry modifications, Sysmon enhances visibility into Windows environments. These logs are crucial for identifying persistence mechanisms, lateral movement, and other tactics outlined in the MITRE ATT&CK framework. By leveraging Sysmon event IDs, security teams can proactively hunt for threats, investigate incidents, and strengthen their organization’s security posture.
Sysmon Event IDs
| Event ID | Name | Description | MITRE ATT&CK Technique |
|---|---|---|---|
| 1 | Process Creation | Logs the creation of new processes | T1059: Command and Scripting Interpreter, T1204: User Execution |
| 2 | File Creation Time Changed | Detects changes to file creation timestamps | T1070.006: Timestomp |
| 3 | Network Connection | Records network connections and related processes | T1071: Application Layer Protocol, T1021: Remote Services |
| 4 | Sysmon Service State Changed | Logs changes to the Sysmon service state | N/A |
| 5 | Process Terminated | Records when a process ends | T1480: Execution Guardrails, T1562: Impair Defenses |
| 6 | Driver Loaded | Detects when a driver is loaded on the system | T1547.006: Boot or Logon Autostart Execution: Kernel Modules and Extensions, T1014: Rootkit |
| 7 | Image Loaded | Logs when a module is loaded in a process | T1574: Hijack Execution Flow, T1129: Shared Modules |
| 8 | CreateRemoteThread | Detects when a process creates a thread in another process | T1055: Process Injection, T1056.004: Credential API Hooking |
| 9 | RawAccessRead | Detects when a process conducts raw reading of a drive | T1006: Direct Volume Access, T1003: OS Credential Dumping |
| 10 | ProcessAccess | Logs when a process opens another process | T1057: Process Discovery, T1003: OS Credential Dumping |
| 11 | FileCreate | Records file creation events | T1105: Ingress Tool Transfer, T1078: Valid Accounts |
| 12 | RegistryEvent (Object create and delete) | Detects registry key and value create and delete operations | T1112: Modify Registry, T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| 13 | RegistryEvent (Value Set) | Logs registry value modifications | T1112: Modify Registry, T1546.001: Event Triggered Execution: Change Default File Association |
| 14 | RegistryEvent (Key and Value Rename) | Records registry key and value rename operations | T1112: Modify Registry, T1070: Indicator Removal on Host |
| 15 | FileCreateStreamHash | Logs the creation of alternate data streams | T1564.004: Hide Artifacts: NTFS File Attributes, T1027: Obfuscated Files or Information |
| 16 | ServiceConfigurationChange | Detects changes to service configurations | T1543: Create or Modify System Process, T1569.002: System Services: Service Execution |
| 17 | PipeEvent (Pipe Created) | Logs when named pipes are created | T1559: Inter-Process Communication, T1021.002: Remote Services: SMB/Windows Admin Shares |
| 18 | PipeEvent (Pipe Connected) | Records when a named pipe connection is made | T1559: Inter-Process Communication, T1570: Lateral Tool Transfer |
| 19 | WmiEvent (WmiEventFilter activity detected) | Detects WMI event filter creation | T1047: Windows Management Instrumentation, T1546.003: Event Triggered Execution: Windows Management Instrumentation Event Subscription |
| 20 | WmiEvent (WmiEventConsumer activity detected) | Logs WMI event consumer creation | T1047: Windows Management Instrumentation, T1546.003: Event Triggered Execution: Windows Management Instrumentation Event Subscription |
| 21 | WmiEvent (WmiEventConsumerToFilter activity detected) | Records WMI filter to consumer bindings | T1047: Windows Management Instrumentation, T1546.003: Event Triggered Execution: Windows Management Instrumentation Event Subscription |
| 22 | DNSEvent (DNS query) | Logs DNS queries and responses | T1071.004: Application Layer Protocol: DNS, T1568: Dynamic Resolution |
| 23 | FileDelete (File Delete archived) | Records file deletion events | T1070.004: Indicator Removal on Host: File Deletion, T1485: Data Destruction |
| 24 | ClipboardChange | Detects changes to the system clipboard | T1115: Clipboard Data, T1056.001: Input Capture: Keylogging |
| 25 | ProcessTampering | Logs attempts to tamper with process memory | T1562: Impair Defenses, T1055: Process Injection |
| 26 | FileDeleteDetected | Detects file deletion operations | T1070.004: Indicator Removal on Host: File Deletion, T1107: File Deletion |
| 27 | FileBlockExecutable | Logs when an executable file is blocked from running | T1562: Impair Defenses, T1036: Masquerading |
| 28 | FileBlockShredding | Detects attempts to securely delete files | T1070.004: Indicator Removal on Host: File Deletion, T1561: Disk Wipe |
| 29 | FileExecutableDetected | Records when an executable file is detected | T1204: User Execution, T1569: System Services |
| 255 | Error | Indicates an error condition in Sysmon | N/A |
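To show how the table is used in practice, here is an added example (not part of the article) that parses Sysmon event records in their Windows event log XML form, tags each record with the ATT&CK techniques from the table above, and chains the events of one process by ProcessGuid. The event XML below is constructed sample data, and the EVENT_MAP is only a subset of the table.

```python
# Added example (not from the article): parse Sysmon event XML, tag each record
# with the ATT&CK techniques from the table above, and chain events per process.
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subset of the page's Event ID -> (name, ATT&CK techniques) table
EVENT_MAP = {
    1: ("Process Creation", ["T1059", "T1204"]),
    3: ("Network Connection", ["T1071", "T1021"]),
    8: ("CreateRemoteThread", ["T1055", "T1056.004"]),
    22: ("DNSEvent", ["T1071.004", "T1568"]),
}

def sample(event_id, **data):
    """Build a constructed Sysmon-style event record (sample data, not real telemetry)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{fields}</EventData></Event>')

def parse_event(xml_text):
    """Flatten one event: EventID, every EventData field, plus the table's name/techniques."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = d.text or ""
    rec["Name"], rec["Techniques"] = EVENT_MAP.get(rec["EventID"], ("Unknown", []))
    return rec

def correlate(records):
    """Group EventIDs by ProcessGuid in time order, so a hunter sees e.g.
    process creation (1) -> DNS query (22) -> network connection (3) for one process."""
    chains = defaultdict(list)
    for r in sorted(records, key=lambda r: r.get("UtcTime", "")):
        chains[r.get("ProcessGuid", "?")].append(r["EventID"])
    return dict(chains)

def attack_coverage(records):
    """Distinct ATT&CK technique IDs the collected events give visibility into."""
    return sorted({t for r in records for t in r["Techniques"]})

# Constructed sample events: one process that starts, resolves a name and connects
# out, and a second process that creates a thread in another process.
SAMPLE_EVENTS = [
    sample(1, UtcTime="2025-03-21 10:00:00.000", ProcessGuid="{A}", Image=r"C:\Windows\System32\cmd.exe"),
    sample(22, UtcTime="2025-03-21 10:00:01.000", ProcessGuid="{A}", QueryName="example.test"),
    sample(3, UtcTime="2025-03-21 10:00:02.000", ProcessGuid="{A}", DestinationPort="443"),
    sample(8, UtcTime="2025-03-21 10:00:03.000", ProcessGuid="{B}", TargetImage=r"C:\Windows\notepad.exe"),
]
```

Running `correlate` over the parsed samples yields `{"{A}": [1, 22, 3], "{B}": [8]}`, the per-process chain a hunter would pivot on, while `attack_coverage` lists which techniques the collected events actually give visibility into.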
Revision
| Revised Date | Author | Comment |
|---|---|---|
| 21.03.2025 | Roger Johnsen | Article added |