Sysmon
Endpoint visibility is paramount for us analysts. Although Windows endpoints log events by default, the default logs are not enough: they do not record important events such as process creation. We could enable these events by manually configuring the audit policy, but more often than not we use a tool called Sysmon to monitor for events, which is helpful during an investigation.
What is Sysmon?
Sysmon is a Microsoft tool that is part of the Sysinternals suite. It provides a lot of telemetry, which increases our chances of catching evil. Sysmon can monitor events such as:
- process creations
- network connections
- file creations, and more
It is quite customizable: a configuration file determines which events should be logged. ProcessGuid is a useful field that can be used to correlate events. Logging of network connections is disabled by default and must be enabled via the configuration file. Sysmon offers 30 different event IDs as of Sysmon v15.15.
Event ID 1: Process creation
This event ID tracks any new process on an endpoint along with its command line. If an attacker executes malware, Sysmon event ID 1 is generated and records the activity. This event ID also records the file hashes, which we can later look up via OSINT to obtain context.
Event ID 3: Network Connections
This event ID is disabled by default and must be enabled in the configuration file. It tracks the network connections that stem from a process, which can be really helpful: it records source and destination IPs and their ports. If we notice an odd binary under the temp directory while looking at event ID 1, we can search for its process GUID, and if the odd binary established a network connection, we will see that activity under event ID 3.
Event ID 6/7/8: Driver/Image Load & Create Remote Thread
These event IDs can identify potential defense evasion techniques such as process injection (an attacker injects their code into a separate process to help achieve their objectives; it is a common technique used to bypass antivirus and EDR products). These event IDs can be noisy, and a lot of false positives might show up. This is where the process GUID of an interesting event helps us see the bigger picture. Event ID 7: Image Load is disabled by default.
Event ID 10: Process Access
This is a common event ID to look at when hunting for potential credential access toward the lsass.exe (Local Security Authority Subsystem Service) process. Attackers love to tamper with this process and attempt to read its memory, because it can contain credentials that can be used to move laterally within the environment.
Event ID 22: DNSEvent (DNS Query)
A lot of interesting activity can be found by looking at which domains an endpoint is requesting. A compromised endpoint can be identified simply by searching for this event ID. If suspicious activity is found (e.g. a query for a DGA (Domain Generation Algorithm) domain), we can look at the chain of events by using the process GUID and determine whether the endpoint is compromised or not.
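The ProcessGuid pivot described under event IDs 3 and 22 above, as an added example that is not part of the original post: it parses a few constructed Sysmon-style event records (XML namespace omitted, GUIDs, paths and the queried domain are made up) and returns every event for one suspicious process in time order, so the process creation, DNS query and network connection read as one chain.

```python
import xml.etree.ElementTree as ET

# Constructed sample events in Sysmon's XML layout (System/EventID plus EventData
# Data Name="..." fields), namespace omitted; GUIDs, paths and domain are made up.
SAMPLE_EVENTS = [
    '<Event><System><EventID>1</EventID></System><EventData>'
    '<Data Name="UtcTime">2024-01-01 10:00:01.000</Data>'
    '<Data Name="ProcessGuid">{AAAA-0001}</Data>'
    '<Data Name="Image">C:\\Users\\Public\\temp\\svch0st.exe</Data>'
    '<Data Name="CommandLine">svch0st.exe /s</Data></EventData></Event>',
    '<Event><System><EventID>3</EventID></System><EventData>'
    '<Data Name="UtcTime">2024-01-01 10:00:03.000</Data>'
    '<Data Name="ProcessGuid">{AAAA-0001}</Data>'
    '<Data Name="DestinationIp">198.51.100.7</Data>'
    '<Data Name="DestinationPort">443</Data></EventData></Event>',
    '<Event><System><EventID>22</EventID></System><EventData>'
    '<Data Name="UtcTime">2024-01-01 10:00:02.000</Data>'
    '<Data Name="ProcessGuid">{AAAA-0001}</Data>'
    '<Data Name="QueryName">xk3jq9vlp2r.example</Data></EventData></Event>',
    '<Event><System><EventID>1</EventID></System><EventData>'
    '<Data Name="UtcTime">2024-01-01 10:00:04.000</Data>'
    '<Data Name="ProcessGuid">{BBBB-0002}</Data>'
    '<Data Name="Image">C:\\Windows\\System32\\notepad.exe</Data>'
    '<Data Name="CommandLine">notepad.exe</Data></EventData></Event>',
]
# One-line summaries for the event types the post walks through.
TEMPLATES = {
    1: "EID 1 process created: {Image} ({CommandLine})",
    3: "EID 3 network connection: {DestinationIp}:{DestinationPort}",
    22: "EID 22 DNS query: {QueryName}",
}

def parse_event(xml_text):
    """Flatten one Sysmon event into a dict: EventID plus every EventData field."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": int(root.findtext("System/EventID"))}
    for data in root.iter("Data"):
        fields[data.get("Name")] = data.text or ""
    return fields

def chain_for_guid(events, process_guid):
    """Pivot on ProcessGuid: every event of that process, in UtcTime order."""
    hits = [e for e in events if e.get("ProcessGuid") == process_guid]
    return sorted(hits, key=lambda e: e["UtcTime"])

def investigate(xml_events, process_guid):
    """Parse raw events and return the summarized chain for one suspicious GUID."""
    parsed = [parse_event(x) for x in xml_events]
    return [TEMPLATES.get(e["EventID"], "EID {EventID}").format(**e)
            for e in chain_for_guid(parsed, process_guid)]
```

Starting from the odd binary's EID 1 record, `investigate(SAMPLE_EVENTS, "{AAAA-0001}")` lists the creation, the DNS query and the outbound connection in order, while the unrelated notepad.exe process is left out.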
There are various other event IDs that Sysmon lets us explore. We can refer to the Sysmon documentation to research further.