Sysmon

Advanced Threat Detection & SIEM Integration


System Monitor (Sysmon) provides detailed information about process creations, network connections, and file creation time changes. Critical for SIEM integration and advanced threat hunting.

Advanced Logging Capabilities

Process Monitoring

  • Process creation with command lines
  • Process termination logging
  • Parent-child process relationships
  • Process GUID correlation

Network & File Activity

  • Network connection tracking
  • File creation with hashes
  • DNS query logging
  • Registry modification tracking

Installation & Configuration

Basic Installation

# Install Sysmon with default configuration
sysmon64.exe -accepteula -i
# Install with custom configuration file
sysmon64.exe -accepteula -i config.xml
# Update existing configuration
sysmon64.exe -c config.xml

Essential Configuration Example

<Sysmon schemaversion="4.82">
  <EventFiltering>
    <!-- Drop creation events whose new process image is svchost.exe;
         processes spawned by svchost.exe are still logged -->
    <ProcessCreate onmatch="exclude">
      <Image condition="is">C:\Windows\System32\svchost.exe</Image>
    </ProcessCreate>
    <!-- Log only network connections whose destination port is 443 -->
    <NetworkConnect onmatch="include">
      <DestinationPort condition="is">443</DestinationPort>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>

Event Log Analysis

# View Sysmon logs with PowerShell
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Select-Object -First 10
# Filter for specific Event ID (Process Creation)
Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational"; ID=1}
# Export logs to CSV
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Export-Csv sysmon.csv
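Building on the queries above and on the Process GUID correlation noted under Process Monitoring, here is an added example (not from the original page) that pulls Event ID 1 records, parses each event's XML into an object, and walks ProcessGuid to ParentProcessGuid to reconstruct the ancestry of a suspicious process. The function names and the Office-spawns-a-shell filter are my own choices; it assumes Sysmon is installed and the session is elevated.

```powershell
# Added example: reconstruct a process ancestry chain from Sysmon Event ID 1
# using ProcessGuid / ParentProcessGuid. Assumes an elevated PowerShell session.

function ConvertFrom-SysmonProcessCreate {
    param([int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents | ForEach-Object {
        # EventData is a list of <Data Name="..."> nodes; flatten it into a hashtable
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated       = $_.TimeCreated
            ProcessGuid       = $data['ProcessGuid']
            ParentProcessGuid = $data['ParentProcessGuid']
            Image             = $data['Image']
            ParentImage       = $data['ParentImage']
            CommandLine       = $data['CommandLine']
            User              = $data['User']
        }
    }
}

function Get-SysmonProcessChain {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [Parameter(Mandatory)] [string]$ProcessGuid,
        [int]$MaxDepth = 10
    )
    # Index creation events by ProcessGuid so each hop to the parent is one lookup
    $byGuid = @{}
    foreach ($e in $Events) { $byGuid[$e.ProcessGuid] = $e }
    $chain   = New-Object System.Collections.Generic.List[object]
    $current = $byGuid[$ProcessGuid]
    while ($current -and $chain.Count -lt $MaxDepth) {
        $chain.Add($current)
        # The walk ends when the parent's own creation event is outside the collected window
        if (-not $current.ParentProcessGuid) { break }
        $current = $byGuid[$current.ParentProcessGuid]
    }
    $chain.Reverse()   # root first, so it reads top-down like a process tree
    return $chain
}

# Usage: show the ancestry of shells spawned directly by an Office application
$events = ConvertFrom-SysmonProcessCreate
$events |
    Where-Object { $_.ParentImage -match 'WINWORD|EXCEL|OUTLOOK' -and $_.Image -match 'cmd\.exe|powershell\.exe' } |
    ForEach-Object { Get-SysmonProcessChain -Events $events -ProcessGuid $_.ProcessGuid | Format-Table TimeCreated, Image, CommandLine -AutoSize }
```

Because ProcessGuid is unique across reboots and machines, the same chain logic works on events forwarded to a SIEM, not only on the local log.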

Critical Event IDs for Cybersecurity

Event ID 1 - Process Creation

HIGH VALUE

Tracks process creation with command lines, parent processes, and file hashes

Use Cases: Malware execution detection, lateral movement, living-off-the-land techniques

Event ID 3 - Network Connection

CRITICAL

Logs network connections with source/destination IPs, ports, and process information

Use Cases: C2 communication detection, data exfiltration, unauthorized network access

Event ID 8 - CreateRemoteThread

ADVANCED

Monitors process injection techniques commonly used by malware

Use Cases: Process hollowing detection, DLL injection, advanced malware analysis

Event ID 11 - File Create

FORENSICS

Tracks file creation with MD5, SHA1, and SHA256 hashes for forensic analysis

Use Cases: Malware dropper analysis, IOC generation, timeline reconstruction

Event ID 22 - DNS Query

NETWORK

Monitors DNS queries to detect malicious domain communications

Use Cases: Domain reputation analysis, DNS tunneling detection, C2 infrastructure mapping

Enterprise SIEM Integration

Benefits for Enterprise Security

APT Detection

Comprehensive logging enables detection of advanced persistent threats through behavioral analysis and timeline correlation.

Living-off-the-Land Visibility

Tracks legitimate tools used maliciously, providing visibility into fileless attacks and PowerShell abuse.

Cross-System Correlation

Process GUIDs enable tracking attack progression across multiple systems in enterprise environments.

Threat Hunting

Rich event data supports proactive threat hunting and hypothesis-driven security investigations.

Popular SIEM Integrations

Splunk

Native Windows Event Log ingestion with Sysmon parsing

Elastic Stack

Winlogbeat for efficient Sysmon log forwarding

Microsoft Sentinel

Azure Monitor Agent with Sysmon data connectors

Quick Info

File Name: sysmon64.exe
Size: ~2.1 MB
Requires Admin: Yes
Log Location: Event Viewer
Event IDs: 1-29

Key Parameters

-i            Install service
-u            Uninstall service
-c            Update config
-s            Print schema
-accepteula   Accept license

Pro Tips

  • 💡 Use community configurations as starting point
  • 💡 Tune filtering rules to reduce log volume
  • 💡 Enable Process GUID for correlation
  • 💡 Focus on high-value Event IDs (1,3,8,11,22)
  • 💡 Forward logs to centralized SIEM