Sysmon (T1654)
Microsoft Sysinternals Sysmon — installation, configuration, Event IDs 1-29, common use cases, config files, and how analysts use Sysmon telemetry for endpoint detection and threat hunting.
What Sysmon Is and Why Every SOC Needs It
Sysmon is a Microsoft Sysinternals tool that installs as a Windows system service and device driver. Once installed, it logs system activity to the Windows Event Log with far more detail than the built-in Security log provides.
- Sysmon Event ID 1 (process creation) includes the SHA1, SHA256, and MD5 hash of every executable that runs — enabling immediate file reputation lookup without a separate EDR agent.
- Sysmon Event ID 3 (network connection) maps outbound connections to the specific process that made them — you see not just “connection on port 443” but “powershell.exe connected to 192.168.1.100:8443”.
- Sysmon Event ID 22 (DNS query) logs every DNS query per-process — critical for detecting DGAs, DNS tunneling, and C2 domains.
- Sysmon does all of this without a reboot, without replacing Windows core components, and at minimal performance cost.
MITRE ATT&CK maps log enumeration to T1654. Sysmon does the enumerating — turning Windows endpoint activity into structured, searchable events.
Installation and Configuration
Installation
# Download Sysmon from Microsoft Sysinternals and unpack it
# (expand.exe only handles .cab files; tar.exe ships with Windows 10 1803+ and reads .zip)
curl.exe -o C:\Tools\Sysmon.zip https://download.sysinternals.com/files/Sysmon.zip
mkdir C:\Tools\Sysmon
tar -xf C:\Tools\Sysmon.zip -C C:\Tools\Sysmon
# Install Sysmon with a configuration file
Sysmon64.exe -accepteula -i C:\Configs\sysmon-config.xml
# Dump the currently loaded configuration (-c with no file) and print the config schema the binary expects (-s)
Sysmon64.exe -c
Sysmon64.exe -s
# Update the configuration in place: no reinstall, no reboot
Sysmon64.exe -c C:\Configs\sysmon-config.xml
# Or uninstall and reinstall with the updated config (also no reboot required)
Sysmon64.exe -accepteula -u
Sysmon64.exe -accepteula -i C:\Configs\sysmon-config.xml
Recommended Configuration File Sources
| Config | Maintainer | Focus | Notes |
|---|---|---|---|
| SwiftOnSecurity sysmon-config | SwiftOnSecurity | Broad coverage — captures all high-value events with minimal noise | Most widely used. Good starting point for every SOC. |
| Olaf Hartong’s sysmon-modular | Olaf Hartong | Modular configs — choose per use case (process injection, network, file, registry) | More granular. Allows different configs for domain controllers, servers, workstations. |
| ION-Storm sysmon-config | ION-Storm | Detection-focused — tuned for threat hunting | Includes rules specific to Cobalt Strike, Meterpreter, and common post-exploitation frameworks. |
What a Good Sysmon Config Does
A well-tuned Sysmon configuration should:
- Enable all high-value Event IDs: 1 (ProcessCreate), 3 (NetworkConnect), 7 (ImageLoad), 8 (CreateRemoteThread), 10 (ProcessAccess), 11 (FileCreate), 15 (FileCreateStreamHash), 22 (DNSEvent)
- Exclude known-good noise: svchost.exe network connections to Windows Update, SearchIndexer.exe file accesses, MsMpEng.exe (Defender) scanning activity
- Include known-bad patterns as includes: powershell.exe command-line logging, rundll32.exe image loads, wmic.exe command-line logging
Configuration Syntax
Sysmon configs are XML files with rules per Event ID. The schemaversion attribute on the root tag is required and must match what the installed binary supports (Sysmon64.exe -s prints it). Note the asymmetry of empty filters: onmatch="exclude" with no rules captures every event of that type, while onmatch="include" with no rules captures none.
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <!-- Capture all process creation events: exclude nothing -->
    <ProcessCreate onmatch="exclude">
    </ProcessCreate>
    <!-- Drop known-good network connections. Excluding every svchost.exe
         connection is broad and also hides malicious svchost-hosted traffic;
         narrow it by DestinationHostname or DestinationPort where possible -->
    <NetworkConnect onmatch="exclude">
      <DestinationIp condition="is">10.0.0.1</DestinationIp> <!-- Internal monitoring -->
      <Image condition="is">C:\Windows\System32\svchost.exe</Image>
    </NetworkConnect>
    <!-- Only capture DLLs loaded into these host processes
         (Image is the loading process; ImageLoaded is the DLL itself) -->
    <ImageLoad onmatch="include">
      <Image condition="contains any">rundll32.exe</Image>
      <Image condition="contains any">regsvr32.exe</Image>
    </ImageLoad>
    <!-- Capture all file creation events except under known-good paths -->
    <FileCreate onmatch="exclude">
      <TargetFilename condition="begin with">C:\Windows\Temp\</TargetFilename>
    </FileCreate>
  </EventFiltering>
</Sysmon>
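A config is easy to get subtly wrong: a forgotten schemaversion, an empty include that silently disables an event type, or a high-value event left out altogether. The linter below is an added example (not a Sysmon or Sysinternals tool) that checks a config file against the checklist above. It assumes the standard EventFiltering tag names for the eight high-value events (the Event ID 22 tag is DnsQuery) and embeds two constructed sample configs, one clean and one with the mistakes just described.

```python
"""Lint a Sysmon configuration against the checklist above.

Added example (not Sysmon's own tooling): parses a config XML and reports
a missing schemaversion, high-value event types with no filter, invalid
onmatch values, and onmatch="include" filters with no rules, which disable
the event type instead of capturing everything.
"""
from typing import Dict, List
import xml.etree.ElementTree as ET

# EventFiltering tag -> Sysmon Event ID for the high-value events listed above.
HIGH_VALUE: Dict[str, int] = {
    "ProcessCreate": 1,
    "NetworkConnect": 3,
    "ImageLoad": 7,
    "CreateRemoteThread": 8,
    "ProcessAccess": 10,
    "FileCreate": 11,
    "FileCreateStreamHash": 15,
    "DnsQuery": 22,
}


def lint_sysmon_config(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "Sysmon":
        return [f"root element is <{root.tag}>, expected <Sysmon>"]
    if "schemaversion" not in root.attrib:
        findings.append("missing schemaversion attribute on <Sysmon>")
    filtering = root.find("EventFiltering")
    if filtering is None:
        return findings + ["no <EventFiltering> section"]

    # Filters may sit directly under EventFiltering or inside <RuleGroup>
    # wrappers, so walk every descendant rather than only direct children.
    seen: Dict[str, List[ET.Element]] = {}
    for elem in filtering.iter():
        if elem.tag in HIGH_VALUE:
            seen.setdefault(elem.tag, []).append(elem)

    for tag, eid in HIGH_VALUE.items():
        if tag not in seen:
            findings.append(f"Event ID {eid}: no <{tag}> filter; decide explicitly whether to log it")
            continue
        for elem in seen[tag]:
            onmatch = elem.get("onmatch")
            if onmatch not in ("include", "exclude"):
                findings.append(f"Event ID {eid}: <{tag}> has invalid onmatch={onmatch!r}")
            elif onmatch == "include" and len(elem) == 0:
                findings.append(
                    f"Event ID {eid}: <{tag} onmatch=\"include\"> with no rules logs nothing; "
                    "use onmatch=\"exclude\" with no rules to capture everything"
                )
    return findings


# Constructed sample configs (not taken from any published config set).
GOOD_CONFIG = """
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude"/>
      <NetworkConnect onmatch="exclude">
        <Image condition="is">C:\\Windows\\System32\\svchost.exe</Image>
      </NetworkConnect>
      <ImageLoad onmatch="include">
        <Image condition="end with">rundll32.exe</Image>
      </ImageLoad>
      <CreateRemoteThread onmatch="exclude"/>
      <ProcessAccess onmatch="include">
        <TargetImage condition="end with">lsass.exe</TargetImage>
      </ProcessAccess>
      <FileCreate onmatch="exclude"/>
      <FileCreateStreamHash onmatch="exclude"/>
      <DnsQuery onmatch="exclude"/>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""

# Missing schemaversion, an empty include on ProcessCreate, and no other filters.
BAD_CONFIG = """
<Sysmon>
  <EventFiltering>
    <ProcessCreate onmatch="include">
    </ProcessCreate>
  </EventFiltering>
</Sysmon>
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint_sysmon_config(cfg) or ["OK"])
```

Run it against the real config before deployment; the "no filter" finding is deliberately neutral, because an event type can be left out on purpose (ImageLoad is often disabled on busy servers), but the decision should be explicit rather than an accident of editing.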
Event ID Reference — The Full 1-29 Map
| Event ID | Name | What It Captures | Detection Use |
|---|---|---|---|
| 1 | Process creation | Executable path, command line, SHA1/SHA256/MD5 hash, parent process, user | Malware execution, LOLBin abuse, suspicious command lines |
| 2 | File creation time changed | Original file creation time (timestomp detection) | Timestomping (T1070.006) — attacker modifying file timestamps |
| 3 | Network connection | Source/destination IP, port, protocol, process that made connection | C2 beaconing, data exfiltration, lateral movement |
| 4 | Sysmon service state changed | Service started or stopped | Attacker disabling Sysmon — immediate escalation |
| 5 | Process terminated | Process exit time | Process lifetime analysis, forensic timeline |
| 6 | Driver loaded | Kernel driver loaded into the OS | Malicious kernel driver, vulnerable driver exploitation |
| 7 | Image loaded (DLL) | DLL loaded into a process | DLL sideloading, process injection, reflective DLL loading |
| 8 | CreateRemoteThread | One process creates a thread in another process | Process injection (T1055) — the golden event for injection detection |
| 9 | RawAccessRead | Direct disk read | Credential dumping (Mimikatz lsadump) — LSASS raw read |
| 10 | Process accessed | One process opens a handle to another | Credential dumping — lsass.exe accessed by non-SYSTEM process |
| 11 | FileCreate | File creation | Malware drops, persistence via startup folder, scheduled task scripts |
| 12 | RegistryEvent (create/delete) | Registry key creation or deletion | Persistence via Run keys, service entries |
| 13 | RegistryEvent (value set) | Registry value modification | Persistence configuration, startup modification |
| 14 | RegistryEvent (rename) | Registry key renamed | Evasion technique — renaming to avoid detection |
| 15 | FileCreateStreamHash | Alternate Data Stream creation | ADS hiding — malware stored in NTFS streams |
| 16 | Sysmon config change | Config updated or changed | Config tampering — compare against approved baseline |
| 17 | Pipe created | Named pipe creation | Lateral movement tools (PsExec creates named pipes, T1572) |
| 18 | Pipe connected | Named pipe connection | Lateral movement confirmed — which process connected to which pipe |
| 19 | WmiEventFilter | WMI filter created | WMI persistence (T1546.003) |
| 20 | WmiEventConsumer | WMI consumer created | WMI persistence |
| 21 | WmiEventConsumerToFilter | WMI filter bound to consumer | WMI persistence — the actual trigger binding |
| 22 | DNSEvent | DNS query per process | DNS tunneling, DGA detection, C2 domain lookup |
| 23 | FileDelete | File deletion with volume shadow copy info | Log clearing, evidence destruction (T1070.004) |
| 24 | Clipboard change | Clipboard content change | Clipboard monitoring — data exfiltration |
| 25 | Process tampering | Process image change (hollowing detection) | Process hollowing (T1055.012) |
| 26 | FileDeleteDetected | File deletion logged (file already deleted) | Retrospective file deletion detection |
| 27 | FileBlockExecutable | Executable blocked | Malicious executable blocked by Sysmon |
| 28 | FileBlockShredding | File shredding detected | Forensic evidence destruction |
| 29 | FileExecutableDetected | Executable file written | New executable creation on disk |
Top Detection Queries Using Sysmon
Event 1 — Process Creation with Hashes
SPL query — find unusually long command lines (a cheap proxy for encoded or obfuscated payloads, since SPL has no built-in entropy function):
index=windows sourcetype=WinEventLog:Sysmon EventCode=1
| eval cmd_len = len(CommandLine)
| where cmd_len > 500
| eval alert = "HIGH — Long command line (" . cmd_len . " chars): " . CommandLine
| table _time, Computer, Image, CommandLine, Hashes, alert
| sort - cmd_len
Event 3 — Network Connection
SPL query — find beaconing patterns (consistent outbound connections):
index=windows sourcetype=WinEventLog:Sysmon EventCode=3
| stats earliest(_time) as first, latest(_time) as last, count as total_connections by Computer, Image, DestinationIp, DestinationPort
| eval duration_hours = (last - first) / 3600
| eval connections_per_hour = total_connections / duration_hours
| where connections_per_hour > 1 AND connections_per_hour < 60
| eval interval_seconds = round(3600 / connections_per_hour, 1)
| table Computer, Image, DestinationIp, DestinationPort, total_connections, duration_hours, interval_seconds
| sort interval_seconds
Event 8 — CreateRemoteThread (Process Injection)
SPL query — detect all process injection events:
index=windows sourcetype=WinEventLog:Sysmon EventCode=8
| stats count by Computer, SourceImage, TargetImage, StartAddress
| eval alert = "CRITICAL — " . SourceImage . " injected a thread into " . TargetImage
| table Computer, SourceImage, TargetImage, count, alert
| sort - count
Event 10 — Process Access (LSASS Access)
SPL query — detect LSASS process access from non-standard processes (the stats clause removes _time, so the last sighting is carried as latest(_time)):
index=windows sourcetype=WinEventLog:Sysmon EventCode=10
| search TargetImage="*lsass.exe"
| search SourceImage!="*svchost.exe" AND SourceImage!="*csrss.exe" AND SourceImage!="*wininit.exe"
| stats count, latest(_time) as last_seen by Computer, SourceImage, TargetImage, GrantedAccess
| eval alert = "CRITICAL — " . SourceImage . " accessed lsass.exe (GrantedAccess: " . GrantedAccess . ")"
| table last_seen, Computer, SourceImage, GrantedAccess, count, alert
Event 22 — DNS Query
SPL query — flag DNS queries whose leftmost label is unusually long, a proxy for the high-entropy names DGAs generate (SPL has no built-in entropy function, and stats drops _time, so the last sighting is kept explicitly):
index=windows sourcetype=WinEventLog:Sysmon EventCode=22
| eval subdomain = mvindex(split(QueryName, "."), 0)
| where len(subdomain) > 15
| stats count, latest(_time) as last_seen by Computer, Image, QueryName
| eval alert = "MEDIUM — Long leftmost label (possible DGA): " . QueryName . " from " . Image
| table last_seen, Computer, Image, QueryName, count, alert
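The Event 3 and Event 22 queries above are rate and length heuristics because SPL lacks the primitives for anything sharper. The script below is an added example (not the page's SPL and not a Sysmon feature) that applies the same Event 3 grouping and 1..60 connections/hour window in Python, adds an interval-jitter score (a fixed-sleep beacon has near-zero jitter, interactive traffic does not), and scores the leftmost DNS label with true Shannon entropy instead of length alone. The Sysmon records, hostnames, process paths and the browser path are all constructed for the example.

```python
"""Beaconing (Event 3) and DGA (Event 22) checks over constructed Sysmon events.

Added example, not the page's SPL: beacon_candidates() applies the same
per-(host, process, destination) rate window as the Event 3 query and adds
an interval-jitter score; dga_candidates() scores the leftmost DNS label
with Shannon entropy, which the Event 22 query can only approximate by length.
"""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

T0 = 1_700_000_000  # constructed base timestamp (epoch seconds)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
BROWSER = r"C:\Program Files\Browser\browser.exe"  # placeholder path, constructed

# Constructed Event ID 3 records: (UtcTime as epoch, Computer, Image, DestinationIp, DestinationPort)
NET_EVENTS: List[Tuple[int, str, str, str, int]] = (
    [(T0 + 120 * i, "WS01", PS, "203.0.113.10", 8443) for i in range(10)]           # every 120 s
    + [(T0 + d, "WS01", BROWSER, "198.51.100.5", 443) for d in (0, 5, 7, 3000, 3600)]  # bursty
    + [(T0 + 42, "WS02", BROWSER, "192.0.2.9", 443)]                                  # single hit
)

# Constructed Event ID 22 records: (Computer, Image, QueryName)
DNS_EVENTS: List[Tuple[str, str, str]] = [
    ("WS01", PS, "xk7qz2mw9pv4bnl8.example"),
    ("WS01", BROWSER, "www.microsoft.com"),
    ("WS02", BROWSER, "login.example.com"),
]


def beacon_candidates(events, min_per_hour: float = 1.0, max_per_hour: float = 60.0) -> List[Dict]:
    """Group connections like the SPL stats clause and keep the 1..60/hour window."""
    groups: Dict[Tuple, List[int]] = defaultdict(list)
    for t, computer, image, ip, port in events:
        groups[(computer, image, ip, port)].append(t)
    results = []
    for key, times in groups.items():
        times.sort()
        duration_hours = (times[-1] - times[0]) / 3600
        if duration_hours <= 0:
            continue  # single hit: the SPL division yields null and the row drops out
        per_hour = len(times) / duration_hours
        if not (min_per_hour < per_hour < max_per_hour):
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps)
        # Coefficient of variation of the gaps: ~0 means a fixed sleep, large means bursty traffic.
        jitter = math.sqrt(sum((g - mean_gap) ** 2 for g in gaps) / len(gaps)) / mean_gap
        results.append({
            "key": key,
            "total_connections": len(times),
            "interval_seconds": round(3600 / per_hour, 1),  # same value the SPL computes
            "jitter": round(jitter, 3),
        })
    results.sort(key=lambda r: r["interval_seconds"])
    return results


def shannon_entropy(label: str) -> float:
    """Bits per character of the label; 16 distinct characters give exactly 4.0."""
    if not label:
        return 0.0
    n = len(label)
    counts: Dict[str, int] = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_candidates(events, min_len: int = 15, min_entropy: float = 3.5) -> List[Tuple[str, str, str, float]]:
    """Flag queries whose leftmost label is both long and high-entropy."""
    hits = []
    for computer, image, qname in events:
        label = qname.split(".")[0]
        h = shannon_entropy(label)
        if len(label) > min_len and h >= min_entropy:
            hits.append((computer, image, qname, round(h, 2)))
    return hits


if __name__ == "__main__":
    for row in beacon_candidates(NET_EVENTS):
        print(row)
    for hit in dga_candidates(DNS_EVENTS):
        print(hit)
```

Two caveats carry over from the SPL: a destination seen once has zero duration and is never scored, so short-lived beacons need a longer search window, and entropy alone will also flag long dictionary-style labels (natural language sits near 4 bits per character), so the length and entropy thresholds should be tuned against the organisation's own DNS baseline rather than taken from this example.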
Sysmon Data Flow
Windows Endpoint
│
├── Sysmon driver → Sysmon Event Log (Applications and Services Logs > Microsoft > Windows > Sysmon/Operational)
│
├── Windows Event Forwarding (WEF) → Centralized collector → SIEM (Splunk/Sentinel/Elastic)
│
└── Direct forwarding via WinRM → SIEM forwarder
Analyst → SIEM search → Sysmon Event IDs → Correlation → Alert
Key Integration Points
| Integration | How It Works | Value |
|---|---|---|
| WEF + Sysmon | WEF subscription collects Sysmon Operational log from all endpoints | Centralized Sysmon telemetry without a SIEM agent |
| Splunk Universal Forwarder | Reads Sysmon event log, forwards to Splunk indexer | Full Sysmon telemetry in SIEM with correlation |
| Microsoft Sentinel | Azure Monitor Agent collects Sysmon events | Cloud SIEM with KQL query support |
| Elastic Security | Elastic Agent or Winlogbeat collects Sysmon events | Open-source SIEM with Sysmon integration |
| YARA + Sysmon | Sysmon file create/capture events trigger YARA scans | Automated malware detection on file drops |
Common Deployment Mistakes
| Mistake | Symptom | Fix |
|---|---|---|
| No configuration file | Sysmon logs everything — 100,000+ events/hour per endpoint | Deploy with a tuned config (SwiftOnSecurity as baseline) |
| No Event ID 3 | No per-process network connection data | Ensure NetworkConnect is in the config |
| No Event ID 22 | No per-process DNS queries | Ensure DNSEvent is enabled (requires Sysmon 13+) |
| Config overly restrictive | Missing telemetry for LOLBins, WMI, PowerShell | Start with SwiftOnSecurity, then tune |
| Not forwarding to SIEM | Telemetry exists but cannot be searched | Configure WEF, Splunk UF, or Elastic Agent |
| Installing without -accepteula | Unattended install stalls on the EULA prompt and never completes | Include -accepteula in deployment script |
| No periodic config review | Config out of date with new techniques | Review monthly against MITRE ATT&CK and new tools |
Related
- Azure Sentinel — detection and response for T1654 techniques
- Cobalt Strike — Detection and Beacon Analysis — detection and response for T1055, T1572, T1071 techniques
- Common Ports and Protocols — covers the common ports and protocols concepts
- DNS — detection and response for T1572, T1568 techniques
- EDR Basics — detection and response for T1059, T1003, T1055, T1204, T1562 techniques
