Understanding Sysmon events

Sysmon events provide detailed, low-level telemetry about system activity on Windows devices. Each event represents a specific class of behavior—such as process execution, network communication, file modification, or configuration change—that can be used to understand how software operates on a system over time. 

This article explains what Sysmon events represent, how they relate to one another, and how to reason about them conceptually when investigating or hunting for malicious activity. 

Where Sysmon events are recorded

On modern versions of Windows, Sysmon events are written to: 

Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational   

Event timestamps are recorded in UTC. 

Because Sysmon is built into Windows, events are always written using the standard Windows Event Log infrastructure and can be collected using Windows Event Collection, Security Information and Event Management (SIEM) agents, or cloud-based log ingestion pipelines. 

What a Sysmon event represents

A Sysmon event is a structured record of an observed system action. It describes: 

  • What happened (event type) 

  • When it happened (timestamp) 

  • Which process was involved 

  • What context surrounded the action (command line, file paths, network details) 

Sysmon events are: 

  • Observational, not interpretive 

  • Deterministic, not probabilistic 

  • Composable, meaning they gain meaning when correlated 

No single event indicates malicious activity by itself. 

Events as behavioral building blocks

Sysmon events are most useful when viewed as behavioral signals that form sequences. 

For example: 

  • Process Create — something started 

  • DNS Query — it resolved infrastructure 

  • Network Connect — it communicated externally 

  • File Create — it wrote artifacts 

  • Registry Event — it persisted 

Understanding Sysmon means thinking in chains and timelines, not isolated events. 
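The chain above, reconstructed in code. This is an added example, not part of the article: a handful of constructed Sysmon records (Event IDs 1, 22, 3, 11, 13 and 5, with placeholder GUIDs and made-up paths) are correlated by ProcessGuid into a per-process timeline, linked into a parent/child tree via ParentProcessGuid, and the Process Create / Process Terminated pair is used to measure execution duration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real telemetry); only the fields needed
# for correlation are kept. GUIDs and paths are placeholders.
EVENTS = [
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:00.000", "ProcessGuid": "{B}",
     "ParentProcessGuid": "{A}", "Image": "C:\\Users\\u\\updater.exe"},
    {"EventID": 22, "UtcTime": "2024-05-01 10:00:02.000", "ProcessGuid": "{B}",
     "QueryName": "example.invalid"},
    {"EventID": 3, "UtcTime": "2024-05-01 10:00:03.000", "ProcessGuid": "{B}",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 11, "UtcTime": "2024-05-01 10:00:04.000", "ProcessGuid": "{B}",
     "TargetFilename": "C:\\Users\\u\\AppData\\Roaming\\svc.dll"},
    {"EventID": 13, "UtcTime": "2024-05-01 10:00:05.000", "ProcessGuid": "{B}",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"},
    {"EventID": 5, "UtcTime": "2024-05-01 10:00:08.500", "ProcessGuid": "{B}"},
    {"EventID": 1, "UtcTime": "2024-05-01 09:59:59.000", "ProcessGuid": "{A}",
     "ParentProcessGuid": "{P}", "Image": "C:\\Windows\\System32\\cmd.exe"},
]

# Behavioural verb for each event type and the field carrying its key detail.
STEP = {1: ("started", "Image"), 22: ("resolved", "QueryName"),
        3: ("connected", "DestinationIp"), 11: ("wrote", "TargetFilename"),
        13: ("set registry", "TargetObject"), 5: ("exited", None)}

def utc(e):
    # Sysmon records UtcTime as "YYYY-MM-DD HH:MM:SS.mmm" in UTC.
    return datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def process_tree(events):
    """Parent -> children map built from Event ID 1 ParentProcessGuid links."""
    children = defaultdict(list)
    for e in sorted(events, key=utc):
        if e["EventID"] == 1:
            children[e["ParentProcessGuid"]].append(e["ProcessGuid"])
    return children

def timeline(events, guid):
    """Chronological (EventID, step, detail) chain for one ProcessGuid."""
    own = sorted((e for e in events if e["ProcessGuid"] == guid), key=utc)
    return [(e["EventID"], STEP[e["EventID"]][0], e.get(STEP[e["EventID"]][1]))
            for e in own if e["EventID"] in STEP]

def lifetime_seconds(events, guid):
    """Seconds between Event ID 1 and Event ID 5 for the process, or None."""
    times = {e["EventID"]: utc(e) for e in events if e["ProcessGuid"] == guid}
    if 1 in times and 5 in times:
        return (times[5] - times[1]).total_seconds()
    return None

if __name__ == "__main__":
    for eid, step, detail in timeline(EVENTS, "{B}"):
        print(f"EID {eid:>2}: {step} {detail or ''}")
    print("lifetime:", lifetime_seconds(EVENTS, "{B}"), "s")
```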

Core event categories

Sysmon events can be grouped conceptually by the type of system behavior they describe. 

 

Process lifecycle and execution 

These events describe how processes start, run, and interact. 

Process Create (Event ID 1) 

Records detailed information about a newly created process, including: 

  • Full command line 

  • Parent process 

  • Cryptographic hashes 

  • A globally unique Process GUID for correlation 

This event is foundational for: 

  • Execution chain analysis 

  • Command-line inspection 

  • Threat hunting 

 

Process Terminated (Event ID 5) 

Records when a process exits. Useful for: 

  • Completing timelines 

  • Measuring execution duration 

  • Identifying short-lived processes 

 

Process Access (Event ID 10) 

Records when one process opens another process. This is commonly associated with: 

  • Credential theft 

  • Memory inspection 

  • Injection techniques 

Because this event can be noisy, it's typically used with targeted filtering. 

 

CreateRemoteThread (Event ID 8) 

Indicates that a process created a thread in another process—a classic code injection technique. 

This event is low-volume and high-signal. 

 

Process Tampering (Event ID 25) 

Generated when Sysmon detects process image manipulation techniques such as: 

  • Process hollowing 

  • Herpaderping 

This event indicates attempts to disguise or replace process contents and is strongly associated with advanced malware. 

 

Network and name resolution activity 

These events describe how processes interact with the network. 

 

Network Connect (Event ID 3) 

Records TCP and UDP connections initiated by processes, including: 

  • Source and destination addresses 

  • Ports 

  • Protocols 

  • Associated Process GUID 

This event is disabled by default due to volume and should be enabled selectively. 

 

DNS Query (Event ID 22) 

Records DNS queries issued by a process, regardless of whether the query succeeds. 

DNS events are especially useful for: 

  • Identifying external infrastructure 

  • Detecting beaconing behavior 

  • Spotting malware such as cryptocurrency miners 

DNS events often provide early indicators even when network traffic is encrypted. 
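One way to turn Event ID 22 records into the beaconing signal mentioned above, as an added example that is not part of the article: queries are grouped by (ProcessGuid, QueryName), the gaps between successive queries are measured, and a series whose gaps are nearly constant (low coefficient of variation) is flagged. The records, GUIDs and domain names are constructed; the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

def _rec(guid, ts, name):
    return {"EventID": 22, "UtcTime": ts, "ProcessGuid": guid, "QueryName": name}

# Constructed Event ID 22 records (not real telemetry): process {B} queries one
# name at a steady ~60 s cadence, process {C} queries at irregular intervals.
DNS_EVENTS = [
    _rec("{B}", "2024-05-01 10:00:00.000", "example.invalid"),
    _rec("{B}", "2024-05-01 10:01:00.200", "example.invalid"),
    _rec("{B}", "2024-05-01 10:01:59.900", "example.invalid"),
    _rec("{B}", "2024-05-01 10:03:00.100", "example.invalid"),
    _rec("{B}", "2024-05-01 10:04:00.000", "example.invalid"),
    _rec("{C}", "2024-05-01 10:00:05.000", "news.example"),
    _rec("{C}", "2024-05-01 10:00:07.000", "news.example"),
    _rec("{C}", "2024-05-01 10:02:40.000", "news.example"),
    _rec("{C}", "2024-05-01 10:09:12.000", "news.example"),
    _rec("{C}", "2024-05-01 10:09:13.000", "news.example"),
]

def utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def find_beacons(events, min_queries=4, max_cv=0.1):
    """Return {(ProcessGuid, QueryName): mean_gap_seconds} for query series
    with at least min_queries queries whose inter-query gaps vary by no more
    than max_cv (standard deviation divided by mean)."""
    series = defaultdict(list)
    for e in events:
        if e["EventID"] == 22:
            series[(e["ProcessGuid"], e["QueryName"])].append(utc(e["UtcTime"]))
    beacons = {}
    for key, times in series.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            beacons[key] = round(avg, 1)
    return beacons

if __name__ == "__main__":
    for (guid, name), gap in find_beacons(DNS_EVENTS).items():
        print(f"{guid} -> {name}: regular queries every ~{gap} s")
```

A regular cadence is a lead to investigate alongside the process's Event ID 1 and 3 records, not a verdict; updaters and monitoring agents also poll on fixed timers.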

 

File system activity 

These events describe file creation, modification, and deletion. 

 

File Create (Event ID 11) 

Records when a file is created or overwritten. 

Common uses: 

  • Detecting dropped payloads 

  • Monitoring startup and persistence locations 

  • Investigating malware staging 

 

File Creation Time Change (Event ID 2) 

Records when a process explicitly modifies a file’s creation timestamp. 

Attackers may use this to obscure the true origin of malicious files, though legitimate software also performs this action. 

 

File Delete (Event ID 23 / 26) 

Records file deletion activity. 

  • Event ID 23 also archives the deleted file 

  • Event ID 26 records deletion without archiving 

These events are useful for ransomware and cleanup analysis. 

 

File Create Stream Hash (Event ID 15) 

Records named alternate data streams, including Zone.Identifier streams. 

This event helps detect files originating from the internet and browser download activity. 

 

Executable File Detection and Blocking (Events 27–29) 

These events record when executable files are detected or blocked during creation. 

They provide insight into executable staging behavior and defensive enforcement. 

 

Module and driver loading 

These events describe how code is introduced into memory. 

 

Image Load (Event ID 7) 

Records when a DLL or executable image is loaded into a process. 

This event is powerful for: 

  • DLL injection detection 

  • Side-loading analysis 

Because of its high volume, it should be configured carefully. 

 

Driver Load (Event ID 6) 

Records when a kernel driver is loaded, including signature and hash information. 

Driver loading is rare and high-impact, making this event valuable for detecting kernel-level threats. 

 

Configuration, persistence, and IPC 

These events describe system configuration changes and interprocess communication. 

 

Registry Events (Event IDs 12–14) 

Record registry key and value creation, modification, deletion, and renaming. 

They're essential for detecting: 

  • Persistence mechanisms 

  • Configuration tampering 

  • Malware setup behavior 

Sysmon uses abbreviated root key names (for example, HKLM, HKCU) to normalize data. 

 

Named Pipe Events (Event IDs 17–18) 

Record creation and connection to named pipes. 

Named pipes are frequently used for: 

  • Interprocess communication 

  • Malware coordination between components 

WMI Events (Event IDs 19–21) 

Record WMI filter, consumer, and binding registration. 

WMI is a common persistence and execution mechanism for fileless malware. 

Sysmon service and configuration events 

Service State Change (Event ID 4) 

Records when the Sysmon service starts or stops. 

Unexpected stops can indicate tampering attempts. 

 

Configuration Change (Event ID 16) 

Records when the Sysmon configuration is updated. 

This event provides auditability and change tracking for telemetry selection. 

Error handling 

Error (Event ID 255) 

Indicates internal Sysmon errors, such as: 

  • Resource exhaustion 

  • Failed operations 

  • Internal bugs 

These events should be monitored to ensure telemetry reliability. 

 

Events as evidence, not alerts 

A core principle of Sysmon is neutrality. 

  • Events don't indicate malicious intent 

  • Rare doesn't mean malicious 

  • Common doesn't mean safe 

Meaning emerges through: 

  • Correlation 

  • Context 

  • Behavioral patterns over time 

 

Summary 

Sysmon events provide the raw behavioral telemetry needed to understand how systems operate and how attacks unfold. Each event captures a specific class of activity, and their true value comes from correlating them into timelines and behavioral narratives. 

Well-configured and well-understood Sysmon events enable: 

  • Threat hunting 

  • Incident response 

  • Forensic analysis 

  • Long-term behavioral baselining