Sysmon is the single most valuable telemetry source an investigator can find on a Windows endpoint — but only if someone installed it first. Unlike native event logs that record fragments of activity, a properly configured Sysmon deployment captures process creation with cryptographic hashes, parent-child relationships, full command lines, network connections, DLL loads, registry modifications, and DNS queries. When Sysmon is present, it transforms the endpoint from a forensic puzzle into a detailed operational timeline.
What Is Sysmon?
System Monitor (Sysmon) is a Windows system service and device driver from the Sysinternals suite, originally written by Mark Russinovich and Thomas Garnier. It installs as a persistent service that survives reboots and begins logging immediately after installation. Sysmon writes events to the Microsoft-Windows-Sysmon/Operational event log channel, using standard EVTX format that integrates with Windows Event Forwarding, SIEM platforms, and forensic tools.
The critical distinction between Sysmon and native Windows auditing is depth and context. The native Security log (Event ID 4688) records process creation but requires advanced audit policy configuration to include command-line arguments, and it never includes file hashes, parent process GUIDs, or network connection details. Sysmon Event ID 1 provides all of this in a single event — process name, full command line, SHA256 hash, parent process GUID, parent command line, user SID, logon GUID, and the integrity level of the process.
Sysmon operates through a kernel-mode driver (SysmonDrv.sys) that hooks into Windows kernel callbacks for process creation, thread creation, image loading, registry operations, and network activity. The driver filters events against the XML configuration policy before writing to the event log, which means the policy determines both what is logged and what is excluded. A poorly tuned policy produces noise; a well-tuned policy produces a forensic goldmine.
Sysmon is NOT a default Windows component. It must be downloaded from Microsoft Sysinternals and explicitly installed by an administrator. If Sysmon was never deployed on the target system, the Microsoft-Windows-Sysmon/Operational log will not exist. Always verify Sysmon presence before relying on it as an evidence source.
Sysmon Event ID 1 (ProcessCreate) logs the SHA256 hash of every executed binary. This means you can match a process that ran six months ago to a known malware sample by hash alone — even if the binary has been deleted from disk. No other native Windows artifact provides this capability.
Location & Format
File Paths
| Component | Path | Notes |
|---|---|---|
| Event Log | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx | Primary telemetry log; standard EVTX format |
| Service Binary | C:\Windows\Sysmon64.exe (or Sysmon.exe) | Can be renamed during install with -d flag |
| Driver | C:\Windows\SysmonDrv.sys | Kernel-mode driver; name is configurable |
| Configuration | Stored in registry: HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters | XML config embedded in registry blob |
| Config File (reference) | Typically sysmonconfig.xml on admin share or deployment server | Not stored on endpoint after import |
Log Format
Sysmon events use the standard EVTX (Windows Event Log) binary XML format. Each event contains structured XML data with named fields that vary by Event ID. The log channel supports Windows Event Forwarding (WEF), Event Log subscriptions, and direct SIEM ingestion. Default maximum log size is 64 MB with circular overwrite, but this is configurable via wevtutil sl Microsoft-Windows-Sysmon/Operational /ms:<bytes>.
To verify Sysmon is installed on a target system, check for the service: sc query Sysmon64 (or the renamed service name). Alternatively, look for the Sysmon driver: fltMC.exe will list SysmonDrv as a registered minifilter. The presence of Microsoft-Windows-Sysmon%4Operational.evtx in the winevt\Logs directory is itself confirmation.
Critical Event IDs
Sysmon generates 29 distinct event types (as of Sysmon 15.x). The following are the most forensically significant:
| Event ID | Name | Key Fields | Forensic Value |
|---|---|---|---|
1 | ProcessCreate | Image, CommandLine, Hashes (SHA256), ParentImage, ParentCommandLine, User, LogonGuid, IntegrityLevel, ParentProcessGuid | Full process lineage with cryptographic hashes; proves execution with exact command line and parent chain |
3 | NetworkConnect | Image, User, Protocol, SourceIp, SourcePort, DestinationIp, DestinationPort, DestinationHostname | Process-to-network attribution; maps executables to C2 IPs, lateral movement destinations, exfiltration endpoints |
7 | ImageLoad | Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus | DLL side-loading and injection detection; identifies unsigned or tampered modules loaded into legitimate processes |
8 | CreateRemoteThread | SourceImage, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction | Process injection detection; captures cross-process thread creation used by Cobalt Strike, Metasploit, and credential dumpers |
10 | ProcessAccess | SourceImage, TargetImage, GrantedAccess, CallTrace | LSASS credential harvesting detection; any process accessing lsass.exe with 0x1010 or 0x1FFFFF flags Mimikatz-style |
11 | FileCreate | Image, TargetFilename, CreationUtcTime | Malware staging, tool drops, ransomware note creation; proves which process wrote which file |
13 | RegistryEvent (SetValue) | Image, TargetObject, Details | Persistence mechanism detection (Run keys, services, scheduled tasks via registry); tracks which process modified which key |
22 | DNSEvent (query) | Image, QueryName, QueryStatus, QueryResults | DNS-based C2 detection, DGA domain identification, data exfiltration over DNS; maps DNS queries to specific processes |
Additional Forensically Relevant Event IDs
| Event ID | Name | Use Case |
|---|---|---|
2 | FileCreationTimeChanged | Timestomping detection — process changed a file’s creation time (T1070.006) |
5 | ProcessTerminated | Process lifetime calculation; correlate with Event ID 1 for full execution window |
6 | DriverLoaded | Rootkit and vulnerable driver (BYOVD) detection |
12/14 | RegistryEvent (Create/Delete, Rename) | Registry key lifecycle tracking for persistence mechanisms |
15 | FileCreateStreamHash | Alternate data stream (ADS) detection; Mark-of-the-Web bypass tracking |
17/18 | PipeEvent (Create/Connect) | Named pipe usage for lateral movement (PsExec, Cobalt Strike SMB beacon) |
23 | FileDelete (archived) | Captures deleted files with content — malware self-deletion recovery |
25 | ProcessTampering | Process hollowing and herpaderping detection |
Event ID 10 with TargetImage containing lsass.exe and GrantedAccess values of 0x1010 (PROCESS_QUERY_LIMITED_INFORMATION + PROCESS_VM_READ) or 0x1FFFFF (PROCESS_ALL_ACCESS) are strong indicators of credential dumping. Legitimate processes rarely request these access levels against LSASS. The CallTrace field further reveals whether the access came through ntdll.dll directly (Mimikatz-style) or through dbgcore.dll (MiniDump-based).
What It Reveals
Sysmon answers investigative questions that no other single Windows artifact can address comprehensively:
- What exact binary ran, and what was its hash? — Event ID 1 provides SHA256/MD5/SHA1/IMPHASH for every executed process, enabling direct comparison against threat intelligence databases and malware repositories.
- What was the full command line? — Unlike native 4688 events (which require advanced audit configuration), Sysmon always logs full command lines including arguments, encoded payloads, and file paths.
- What was the parent process chain? — The
ParentProcessGuidandParentImagefields enable reconstruction of the complete process tree, from initial access through privilege escalation to lateral movement. - Which process connected to which external IP? — Event ID 3 directly attributes network connections to specific executables, eliminating the guesswork required when correlating firewall logs with process execution.
- Which process loaded which DLL? — Event ID 7 reveals DLL side-loading, injection, and malicious module loading with hash verification and signature status.
- Was LSASS accessed for credential theft? — Event ID 10 captures every process that opened a handle to lsass.exe, including the specific access rights requested and the call stack.
- What DNS queries were made by which process? — Event ID 22 maps DNS resolution to specific executables, identifying C2 beacon domains, DGA patterns, and DNS tunneling per process.
- What files were created, and by which process? — Event ID 11 provides process-to-file attribution for staging, tool drops, and ransomware note creation.
- Were any registry persistence mechanisms installed? — Event IDs 12/13/14 track registry key creation, value modification, and deletion with full process attribution.
- Was process injection used? — Event ID 8 (CreateRemoteThread) and Event ID 25 (ProcessTampering) detect cross-process manipulation techniques used by advanced implants.
Forensic Use Cases
1. Cobalt Strike Beacon Reconstruction
An attacker delivers a Cobalt Strike stager via a phishing document. Sysmon Event ID 1 captures winword.exe spawning rundll32.exe with a suspicious command line. Event ID 3 shows rundll32.exe connecting to the team server IP on port 443. Event ID 8 records rundll32.exe creating a remote thread in svchost.exe (process migration). Event ID 10 shows the migrated beacon accessing lsass.exe for credential harvesting. Event ID 22 reveals DNS queries to the C2 domain. The entire attack chain — from initial execution through credential theft — is reconstructable from Sysmon alone.
2. DLL Side-Loading Detection
A legitimate signed application (Teams.exe) loads a malicious DLL from a non-standard path. Sysmon Event ID 7 logs the ImageLoaded path as C:\ProgramData\update\version.dll with Signed: false. The hash does not match any known legitimate module. By correlating with Event ID 1 (process creation) and Event ID 11 (file creation showing when the DLL was dropped), investigators can determine exactly when the malicious DLL was planted and which process delivered it.
3. Lateral Movement via PsExec
On the source host, Event ID 17 records the creation of a named pipe matching the PsExec pattern (\PSEXESVC-*). On the destination host, Event ID 1 captures PSEXESVC.exe spawning the attacker’s payload with the parent being services.exe. Event ID 3 shows the network connection between the two hosts on port 445/SMB. The combination of pipe creation, service execution, and network connection provides a complete lateral movement evidence chain.
4. Ransomware Process Tree Reconstruction
During a ransomware incident, the encryption binary has been deleted. Sysmon Event ID 1 preserves the full path, command line, SHA256 hash, and parent process chain. Event ID 11 records the creation of ransom notes (readme.txt in every directory). Event ID 13 captures registry modifications disabling Windows Defender (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1). Event ID 5 records when the ransomware process terminated. The hash from Event ID 1 can be submitted to VirusTotal for family attribution even though the binary no longer exists on disk.
5. DNS-Based C2 and Data Exfiltration
A process in C:\ProgramData generates high-frequency DNS queries to subdomains of a single parent domain with encoded data in the subdomain labels (e.g., aGVsbG8gd29ybGQ.evil-c2.com). Sysmon Event ID 22 maps every query to the specific process, providing both the DNS exfiltration channel and the responsible executable. Native Windows DNS Client logging records queries but does not attribute them to a process.
Configuration & the SwiftOnSecurity Baseline
Sysmon’s value is entirely dependent on its configuration. Without an XML policy, Sysmon uses default settings that log almost everything — creating massive noise that overwhelms both the event log and any downstream SIEM. The community standard baseline is the SwiftOnSecurity Sysmon configuration, a curated XML policy that enables high-value event types while excluding known-benign noise sources.
<!-- SwiftOnSecurity sysmon-config excerpt --> <!-- https://github.com/SwiftOnSecurity/sysmon-config --> <Sysmon schemaversion="4.90"> <HashAlgorithms>SHA256,IMPHASH</HashAlgorithms> <EventFiltering> <!-- Event ID 1: ProcessCreate - Log all, exclude known-benign --> <RuleGroup groupRelation="or"> <ProcessCreate onmatch="exclude"> <Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image> <Image condition="is">C:\Windows\System32\SearchProtocolHost.exe</Image> </ProcessCreate> </RuleGroup> <!-- Event ID 10: ProcessAccess - Focus on LSASS --> <RuleGroup groupRelation="or"> <ProcessAccess onmatch="include"> <TargetImage condition="is">C:\Windows\system32\lsass.exe</TargetImage> </ProcessAccess> </RuleGroup> <!-- Event ID 22: DNSQuery - Log all DNS, exclude noise --> <RuleGroup groupRelation="or"> <DnsQuery onmatch="exclude"> <QueryName condition="end with">.microsoft.com</QueryName> <QueryName condition="end with">.windowsupdate.com</QueryName> </DnsQuery> </RuleGroup> </EventFiltering> </Sysmon>
:: Install Sysmon with configuration sysmon64.exe -accepteula -i sysmonconfig-export.xml :: Update configuration on running Sysmon sysmon64.exe -c sysmonconfig-export.xml :: Export current configuration sysmon64.exe -c :: Install with renamed binary and driver (evasion-resistant naming) sysmon64.exe -i sysmonconfig.xml -d SysMon2Drv
Even if the Sysmon configuration XML file has been deleted from the deployment share, the active configuration is embedded in the registry at HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters. Use sysmon64.exe -c on a live system or parse the SYSTEM hive offline to recover the XML blob. This reveals exactly what was being logged and what was excluded — critical for understanding evidence gaps.
Acquisition Methods
The Sysmon event log is subject to the same file lock as all EVTX files on a live system. Use Volume Shadow Copy, KAPE, or a forensic imaging tool. Also collect the SYSTEM registry hive to recover the Sysmon configuration (important for understanding what was and was not being logged).
Live System Collection
:: Export Sysmon log using wevtutil wevtutil epl Microsoft-Windows-Sysmon/Operational C:\Evidence\Sysmon.evtx :: Using KAPE for Sysmon collection kape.exe --tsource C: --tdest C:\Evidence --target Sysmon :: Using PowerShell to export (alternative) Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | Export-Clixml C:\Evidence\Sysmon_Events.xml :: Copy via VSS for locked file vssadmin create shadow /for=C: copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx C:\Evidence\
Forensic Image Extraction
# Mount forensic image read-only mount -o ro,noexec,nodev /dev/sdb1 /mnt/evidence # Copy Sysmon log cp "/mnt/evidence/Windows/System32/winevt/Logs/Microsoft-Windows-Sysmon%4Operational.evtx" /analysis/sysmon/ # Also collect the SYSTEM hive for config recovery cp /mnt/evidence/Windows/System32/config/SYSTEM /analysis/sysmon/
Parsing Tools & Analysis
| Tool | Author | License | Output | Notes |
|---|---|---|---|---|
| EvtxECmd | Eric Zimmerman | Free | CSV/JSON | Fast CLI parsing; supports Sysmon event maps for structured output |
| Chainsaw | WithSecure | Open source (Rust) | CSV/JSON | Sigma rule-based hunting; excellent for rapid triage of Sysmon logs |
| Hayabusa | Yamato Security | Open source (Rust) | CSV/JSON | Sigma-compatible; generates timelines and detection summaries |
| SysmonView | Nasreddine Bencherchali | Free | GUI | Visual process tree reconstruction from Sysmon events |
| Sysmon Tools | nshalabi | Open source | GUI | Sysmon Shell (config builder) + Sysmon View (event analyzer) |
| Timeline Explorer | Eric Zimmerman | Free | GUI | Opens EvtxECmd CSV output; column filtering and timeline analysis |
Parsing with Chainsaw
# Hunt for Sigma detections in Sysmon log chainsaw hunt /analysis/sysmon/Sysmon.evtx \ --rules sigma/rules/ \ --mapping mappings/sigma-event-logs-all.yml \ --output /analysis/sysmon/chainsaw_results.csv # Search for specific process by hash chainsaw search /analysis/sysmon/Sysmon.evtx \ -s "a1b2c3d4e5f6..." \ --output /analysis/sysmon/hash_search.json
Analysis Script — LSASS Access Detection
# Identify processes that accessed LSASS (potential credential theft) import pandas as pd # Load EvtxECmd output for Sysmon Event ID 10 df = pd.read_csv('/analysis/sysmon/EvtxECmd_Output.csv') # Filter for ProcessAccess events targeting LSASS lsass = df[ (df['EventId'] == 10) & (df['TargetImage'].str.contains('lsass.exe', case=False, na=False)) ].copy() # Flag high-privilege access patterns suspicious_access = ['0x1010', '0x1FFFFF', '0x1F1FFF', '0x143A'] lsass['Suspicious'] = lsass['GrantedAccess'].isin(suspicious_access) # Exclude known legitimate accessors legit = ['svchost.exe', 'csrss.exe', 'MsMpEng.exe', 'lsm.exe'] alerts = lsass[ (lsass['Suspicious']) & (~lsass['SourceImage'].str.lower().str.endswith(tuple(legit))) ] print(f"Suspicious LSASS access events: {len(alerts)}") print(alerts[['TimeCreated', 'SourceImage', 'GrantedAccess', 'CallTrace']].to_string())
Retention & Persistence
| Property | Default | Configurable? | Notes |
|---|---|---|---|
| Max log size | 64 MB | Yes — via wevtutil | Circular overwrite when full; high-activity servers may lose events in hours |
| Survives reboot | Yes | N/A | EVTX persists on disk; Sysmon service restarts automatically |
| Survives Sysmon uninstall | Yes — log file remains | N/A | Uninstalling Sysmon stops new events but does not delete the existing log |
| Event forwarding | Supported | Yes — via WEF/WEC | Best practice: forward Sysmon to SIEM for long-term retention |
| Effective retention | Hours to weeks | Depends on volume | A domain controller with default 64 MB may retain only 2-4 hours; increase to 1+ GB for IR readiness |
The default 64 MB log size is critically insufficient for servers and domain controllers. A domain controller generating 10,000+ events per hour may retain only 2–4 hours of Sysmon history. Best practice is to increase log size to 1–4 GB and forward events to a central SIEM for long-term retention. Without centralized forwarding, Sysmon evidence is ephemeral.
Anti-Forensics Resilience
Sysmon is a high-value target for adversaries because of the visibility it provides. Sophisticated threat actors actively attempt to disable, blind, or evade Sysmon. Understanding these techniques is critical for assessing evidence integrity.
| Technique | Method | Detectable? |
|---|---|---|
| Service stop | sc stop Sysmon64 or net stop Sysmon64 | Yes — Event ID 4 (ServiceStateChange) in Sysmon log; Event ID 7036 in System log |
| Driver unload | fltMC unload SysmonDrv | Yes — requires admin; detectable via Sysmon Event ID 255 (DriverCommunication error) and kernel audit logs |
| Config swap | Replace config with one that excludes attacker tools | Yes — Sysmon Event ID 16 (ConfigurationChange) logs every config update |
| Log clearing | wevtutil cl Microsoft-Windows-Sysmon/Operational | Yes — Event ID 1102 in Security log records log clearing; 104 in System log |
| Process name masking | Rename malicious binary to match exclusion list entries | Partial — hash-based exclusions catch this; path-only exclusions are vulnerable |
| Direct kernel patching | Unhook Sysmon ETW callbacks at kernel level | Difficult — requires kernel-level access; leaves no Sysmon event; may leave ETW trace |
| CCleaner / Eraser | Standard cleanup tools | N/A — these tools do not target Sysmon logs; events persist through standard cleanup |
When Sysmon events exist for the pre-incident and post-incident periods but show a gap during the incident window, check for Event ID 4 (service state change) and Event ID 16 (configuration change) around the gap boundaries. A gap preceded by a config change or service stop is itself evidence of adversary awareness of Sysmon and active countermeasures — which implies a higher level of sophistication than a typical opportunistic attack.
MITRE ATT&CK Detection Mapping
Sysmon provides detection coverage across more MITRE ATT&CK techniques than any other single Windows telemetry source:
| Technique | Name | Sysmon Event ID | Detection Logic |
|---|---|---|---|
T1059 T1059 | Command and Scripting Interpreter | 1 | Process creation for cmd.exe, powershell.exe, wscript.exe, cscript.exe, mshta.exe with suspicious command lines |
T1055 T1055 | Process Injection | 8, 10, 25 | CreateRemoteThread into non-child processes; ProcessAccess with injection-level rights; ProcessTampering events |
T1003 T1003 | OS Credential Dumping | 10 | ProcessAccess to lsass.exe with GrantedAccess 0x1010 or 0x1FFFFF |
T1071 T1071 | Application Layer Protocol | 3, 22 | NetworkConnect to known-bad IPs/ports; DNSQuery for C2 domains or DGA patterns |
T1547 T1547 | Boot or Logon Autostart Execution | 13 | Registry SetValue on Run/RunOnce keys, Winlogon, or service creation keys |
T1574 T1574 | Hijack Execution Flow | 7 | ImageLoad of unsigned DLLs by signed executables from non-standard paths |
T1070 T1070 | Indicator Removal | 1, 2, 23 | Execution of log-clearing commands; FileCreationTimeChanged (timestomping); FileDelete for tool cleanup |
T1021 T1021 | Remote Services | 1, 3, 17 | PsExec/SMB named pipe creation; RDP-related process creation; WMI provider host spawning commands |
Related Artifacts & Cross-References
Corroborating Artifacts
| Artifact | Relationship to Sysmon | Cross-Correlation Value |
|---|---|---|
| Security.evtx (4688) | Native process creation events; less detail than Sysmon EID 1 | Fills gaps if Sysmon was not yet installed or was disabled during an attack phase |
| PowerShell Operational | ScriptBlock logging provides script content; Sysmon provides process context | Sysmon shows powershell.exe command line; PS logs show the full decoded script block |
| Prefetch | Confirms execution; provides first/last run timestamps and run counts | Prefetch proves a binary ran even if Sysmon was not installed at the time |
| Amcache.hve | Records SHA1 hash and full path for executed binaries | Provides hash evidence for time periods before Sysmon was deployed |
| $MFT / $UsnJrnl | File creation timestamps for dropped tools and malware | $MFT timestamps corroborate Sysmon EID 11 (FileCreate) and EID 23 (FileDelete) |
| SRUM.db | Hourly network transfer volumes per application | SRUM provides aggregate network volume; Sysmon EID 3 provides individual connections |
References
- Microsoft, “Sysmon — Sysinternals” — https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- SwiftOnSecurity, “sysmon-config — Sysmon Configuration File Template” — https://github.com/SwiftOnSecurity/sysmon-config
- olafhartong, “sysmon-modular — Modular Sysmon Configuration” — https://github.com/olafhartong/sysmon-modular
- WithSecure, “Chainsaw — EVTX Hunter” — https://github.com/WithSecureLabs/chainsaw
- Eric Zimmerman, “EvtxECmd — EVTX Parser” — https://ericzimmerman.github.io/
- SANS Institute, “Sysmon — The Best Free Windows Monitoring Tool” — https://www.sans.org/blog/
- TrustedSec, “Sysmon Community Guide” — https://github.com/trustedsec/SysmonCommunityGuide
- Yamato Security, “Hayabusa — Windows Event Log Analyzer” — https://github.com/Yamato-Security/hayabusa
Mjolnir Security — Digital Forensics & Incident Response
Mjolnir Security provides 24/7 incident response, digital forensics, and expert witness testimony. Our DFIR team specializes in Sysmon analysis, process tree reconstruction, and advanced threat hunting across enterprise deployments.
mjolnirsecurity.com — 24/7: +1 833 403 5875