// What is Sysmon?
System Monitor (Sysmon) is a free Windows system service and driver from Microsoft Sysinternals that logs detailed process, network, file, and registry activity to the Windows Event Log. Unlike native Windows Security events, Sysmon provides significantly richer context, including full command-line arguments, parent process names, file hashes, and network connection details.
Sysmon events land in Applications and Services Logs\Microsoft\Windows\Sysmon\Operational and can be forwarded to SIEM platforms like Splunk or Microsoft Sentinel for centralised analysis.
Sysmon is not a detection tool on its own; it is a telemetry source. Detection logic lives in your SIEM or EDR. The value is the quality and consistency of the data Sysmon provides.
// Installation
Download Sysmon from the Microsoft Sysinternals page. Run the installer as administrator with a configuration file.
# Install with a config file
sysmon64.exe -accepteula -i sysmonconfig.xml
# Update an existing configuration
sysmon64.exe -c sysmonconfig.xml
# Uninstall
sysmon64.exe -u
Use the SwiftOnSecurity or olafhartong/sysmon-modular config as a starting point. These are community-maintained configs covering the most important detection use cases without generating excessive noise.
# Verify it's running
Get-Service Sysmon64
# View recent Sysmon events in PowerShell
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 20
// Configuration File
Sysmon's XML configuration controls which events are captured and which are excluded. The basic structure uses include/exclude rules per event type.
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
A misconfigured Sysmon config can generate millions of events per day on a busy endpoint. Always filter noisy, low-value events at the source rather than in the SIEM to control ingestion costs.
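A fuller configuration, as an added example that is not from the page or the community configs it names: it keeps the svchost exclude shown above, turns on the hash algorithms recommended under Tips & Tuning, and uses include rules so that the network, LSASS-access and named-pipe hunts later in the page receive exactly the events they query. Element and condition names follow the documented Sysmon schema; the path and pipe values are illustrative.

```xml
<Sysmon schemaversion="4.90">
  <!-- Hash every process; IMPHASH groups samples that share an import table -->
  <HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1: log every process start except one known-noisy system binary -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 3: include-only, stricter than excluding browsers. Nothing but the
         listed Office binaries produces network events, so volume stays tiny; widen
         this list if you also want svchost or other initiators -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="image">WINWORD.EXE</Image>
        <Image condition="image">EXCEL.EXE</Image>
        <Image condition="image">POWERPNT.EXE</Image>
      </NetworkConnect>
    </RuleGroup>
    <!-- Event ID 10: only handles opened on lsass.exe, from any source process.
         Filter on GrantedAccess in the SIEM rather than here so benign 0x1000
         queries still give you a baseline of who touches LSASS -->
    <RuleGroup name="" groupRelation="or">
      <ProcessAccess onmatch="include">
        <TargetImage condition="is">C:\Windows\system32\lsass.exe</TargetImage>
      </ProcessAccess>
    </RuleGroup>
    <!-- Event ID 17: pipe names from the C2 hunt; ';' separates alternatives -->
    <RuleGroup name="" groupRelation="or">
      <PipeEvent onmatch="include">
        <PipeName condition="contains any">mojo;msagent;postex;status_;MSSE-;spoolss</PipeName>
      </PipeEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Load it with sysmon64.exe -c and confirm with Get-WinEvent that Event ID 3 now appears only for the Office processes before relying on it in the SIEM.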
// Key Event IDs
Sysmon event IDs are distinct from native Windows event IDs and each maps to a specific category of activity. These are the most important for threat hunting.
| Event ID | Name | Key Fields | Why It Matters |
|---|---|---|---|
| 1 | Process Create | Image, CommandLine, ParentImage, Hashes, User | Execution detection: command line, hashes, parent context |
| 2 | File Creation Time Changed | Image, TargetFilename, CreationUtcTime | Timestomping: attackers modifying file timestamps |
| 3 | Network Connection | Image, DestinationIp, DestinationPort, Protocol | C2 detection, unusual outbound connections |
| 5 | Process Terminated | Image, ProcessId | Short-lived processes: malware that cleans up |
| 6 | Driver Loaded | ImageLoaded, Signature, Hashes | Malicious driver / rootkit detection |
| 7 | Image Loaded | Image, ImageLoaded, Hashes, Signed | DLL sideloading, unsigned DLL injection |
| 8 | CreateRemoteThread | SourceImage, TargetImage, StartAddress | Process injection detection |
| 10 | Process Access | SourceImage, TargetImage, GrantedAccess | LSASS access (credential dumping) |
| 11 | File Created | Image, TargetFilename, CreationUtcTime | Dropped payloads, suspicious file writes |
| 12 | Registry Object Added/Deleted | EventType, TargetObject, Image | Persistence via Run keys, COM hijacking |
| 13 | Registry Value Set | EventType, TargetObject, Details, Image | Persistence detection via value changes |
| 15 | File Create Stream Hash | Image, TargetFilename, Hash | Alternate data streams: hidden payloads |
| 17 | Pipe Created | PipeName, Image | Named pipes: Cobalt Strike, Metasploit C2 |
| 22 | DNS Query | QueryName, Image, QueryResults | C2 domains, DGA, DNS tunneling |
| 23 | File Delete Archived | Image, TargetFilename, Hashes | Ransomware file deletion, evidence cleanup |
| 25 | Process Tampering | Image, Type | Process hollowing, process herpaderping |
// Threat Hunting with Sysmon
These queries use Sysmon data in Microsoft Sentinel (SysmonEvent or Event table) and Splunk. Adjust field names to your ingest pipeline.
LSASS access (credential dumping), Event ID 10
Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 10
| where RenderedDescription contains "lsass.exe"
| where RenderedDescription contains "0x1010" or RenderedDescription contains "0x1410"
| project TimeGenerated, Computer, RenderedDescription
Suspicious network connections from Office apps, Event ID 3
Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 3
| where RenderedDescription has_any ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE")
| project TimeGenerated, Computer, RenderedDescription
Named pipe creation matching known C2, Event ID 17
Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 17
| where RenderedDescription has_any ("mojo", "msagent", "postex", "status_", "MSSE-", "spoolss")
| project TimeGenerated, Computer, RenderedDescription
CreateRemoteThread injection, Event ID 8
Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 8
| where RenderedDescription !has_any ("C:\\Windows\\System32\\csrss.exe", "C:\\Windows\\System32\\wininit.exe")
| project TimeGenerated, Computer, RenderedDescription
// Common Detections
| Technique | Event ID(s) | Key Indicator |
|---|---|---|
| Credential Dumping (Mimikatz) | 1, 10 | sekurlsa in CommandLine; lsass.exe target with high GrantedAccess |
| Process Injection | 8, 10 | CreateRemoteThread into unusual targets; OpenProcess on remote PID |
| Process Hollowing | 1, 25 | Suspended child process; Process Tampering event type |
| DLL Sideloading | 7 | Unsigned DLL loaded from user-writable path |
| Persistence (Run Key) | 12, 13 | HKCU\Software\Microsoft\Windows\CurrentVersion\Run modified |
| Lateral Movement (PsExec) | 1, 17 | psexesvc.exe spawned; ADMIN$ share pipe created |
| C2 Beaconing | 3, 22 | Regular outbound connections to single IP; DGA-pattern DNS queries |
| Timestomping | 2 | CreationUtcTime changed to historic date; Image is not a trusted system tool |
| Script Execution | 1 | wscript.exe / cscript.exe with .js, .vbs, or .ps1 arguments |
| Alternate Data Streams | 15 | File written with Zone.Identifier or custom stream name |
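The four hunts above, together with the LSASS, injection and named-pipe rows of this table, implemented as local detection logic in Python, as an added example that is not part of the page. It assumes events were exported from the Sysmon Operational log as Windows Event XML (for instance via Get-WinEvent and ToXml()); the sample events are constructed inline, and the hunt names are this example's own.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
OFFICE = ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE")
C2_PIPES = ("mojo", "msagent", "postex", "status_", "MSSE-", "spoolss")
TRUSTED_INJECTORS = (r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe")
LSASS_MASKS = {"0x1010", "0x1410"}

def parse_event(xml_text):
    """Return (EventID, {field: value}) from one Sysmon event in Windows Event XML."""
    root = ET.fromstring(xml_text)
    eid = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return eid, data

def hunt(xml_text):
    """Apply the page's four hunts to one event; return the first matching hunt name or None."""
    eid, d = parse_event(xml_text)
    if eid == 10 and d.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        # Normalise the mask so 0x1010 and 0x00001010 compare equal
        mask = "0x%x" % int(d.get("GrantedAccess", "0"), 16)
        if mask in LSASS_MASKS:
            return "lsass_access"
    if eid == 3 and d.get("Image", "").upper().endswith(OFFICE):
        return "office_network"
    if eid == 17 and any(p.lower() in d.get("PipeName", "").lower() for p in C2_PIPES):
        return "c2_pipe"
    if eid == 8 and d.get("SourceImage", "").lower() not in TRUSTED_INJECTORS:
        return "remote_thread"
    return None

def sample_event(eid, **fields):
    """Build a minimal Sysmon event in Windows Event XML layout (constructed test data)."""
    data = "".join('<Data Name="%s">%s</Data>' % kv for kv in fields.items())
    return ('<Event xmlns="%s"><System><EventID>%d</EventID></System>'
            '<EventData>%s</EventData></Event>' % (NS["e"], eid, data))

SAMPLES = [  # constructed sample events, not real telemetry: three hits, two benign
    sample_event(10, SourceImage=r"C:\Users\alice\dump.exe",
                 TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x1010"),
    sample_event(10, SourceImage=r"C:\Windows\System32\svchost.exe",
                 TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x1000"),
    sample_event(3, Image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    sample_event(17, Image=r"C:\Windows\System32\rundll32.exe", PipeName=r"\msagent_1a"),
    sample_event(8, SourceImage=r"C:\Windows\System32\csrss.exe", TargetImage=r"C:\x.exe"),
]

def run_hunts(events=SAMPLES):
    """Return the hunt name (or None) for each event, in order."""
    return [hunt(e) for e in events]
```

The GrantedAccess normalisation matters in practice: Sysmon renders the mask as 0x1010 but some forwarders zero-pad it, which a plain string match on "0x1010" would miss.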
// Tips & Tuning
Hash every process. Enable MD5, SHA256, and IMPHASH in your config. IMPHASH in particular is useful for grouping malware families: the import hash stays the same even if the binary is repacked.
Log network connections selectively. Event ID 3 can be extremely noisy on servers. Use the config to exclude common browser processes and focus alerting on unusual initiating processes (e.g. Word, Excel, or svchost with an unusual parent).
Baseline before hunting. Run summarize count() by Image over a week's worth of Event ID 1 data to understand your normal process landscape. Anomalies become much easier to spot once you know what's normal.
Sysmon can be killed or tampered with. Attackers with admin rights can stop or uninstall the service. Monitor for sysmon64.exe -u or the Sysmon service stopping; this is a high-confidence detection.