“Sysmon Event IDs: A Practitioner’s Guide to Windows Telemetry”

Event ID 1 — Process Create

Windows Internals

  • Triggered via a PsSetCreateProcessNotifyRoutine callback
  • Occurs after the process object is created but before full execution
  • Captures both user-mode and system processes

Advanced Fields

  • ProcessGuid: Sysmon-generated GUID (unique across reboots)
  • ParentProcessGuid: More reliable than PID
  • UtcTime: Creation timestamp
  • CurrentDirectory
  • TerminalSessionId
  • IntegrityLevel: Low / Medium / High / System
  • Imphash: Useful for malware clustering
  • OriginalFileName: From PE metadata (often spoofed)

Common Abuse

  • Living-off-the-land binaries (LOLBins)
  • Parent spoofing via process injection
  • Masquerading (e.g., svchost.exe in user directory)

Detection Notes

  • Prefer parent-child baselining
  • Hashes are expensive but extremely valuable
  • Command-line parsing is critical
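Parent-child baselining and the masquerading check above, as an added Python example that is not part of the original guide: it learns expected (ParentImage, Image) pairs from constructed known-good Event ID 1 records, then flags new records whose pair is unbaselined or whose system binary name runs outside the system directories. The records, paths, the SYSTEM_BINARIES list and the min_count threshold are constructed for illustration.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Directories in which the listed Windows system binaries are expected to live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe"}

def image_pair(rec):
    """Normalise a record to a case-insensitive (parent, child) image-name pair."""
    return (PureWindowsPath(rec["ParentImage"]).name.lower(),
            PureWindowsPath(rec["Image"]).name.lower())

def build_baseline(records, min_count=2):
    """Keep parent/child pairs seen at least min_count times in known-good data."""
    counts = Counter(image_pair(r) for r in records)
    return {p for p, n in counts.items() if n >= min_count}

def masquerading(rec):
    """True when a system binary name runs from outside the system directories."""
    path = PureWindowsPath(rec["Image"])
    return (path.name.lower() in SYSTEM_BINARIES
            and str(path.parent).lower() not in SYSTEM_DIRS)

def review(rec, baseline):
    """Return the reasons an Event ID 1 record deserves analyst attention."""
    reasons = []
    if image_pair(rec) not in baseline:
        reasons.append("unbaselined parent/child: %s -> %s" % image_pair(rec))
    if masquerading(rec):
        reasons.append("system binary name outside system dir: " + rec["Image"])
    return reasons

# Constructed sample records (made-up paths, not real telemetry).
KNOWN_GOOD = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\System32\svchost.exe"},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\System32\svchost.exe"},
]
NEW_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\winword.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
]

if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD)
    for event in NEW_EVENTS:
        print(event["Image"], review(event, baseline))
```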

Event ID 2 — File Creation Time Changed

Windows Internals

  • Uses SetFileTime
  • Often follows file write or copy operations

Abuse

  • Timestomping to blend malware with system files
  • Defense evasion post-compromise

Detection Notes

  • Correlate with Event ID 11 (File Create)
  • Rare in legitimate workflows → high signal

Event ID 3 — Network Connection

Windows Internals

  • Hooks TCP/IP stack
  • Only captures outbound connections

Advanced Fields

  • Initiated: True = outbound
  • DestinationHostname: Reverse DNS (if enabled)
  • SourceIsIpv6, DestinationIsIpv6

Abuse

  • C2 beacons
  • Lateral movement
  • Data exfiltration

Detection Notes

  • Filter browsers aggressively
  • Focus on:
    • Rare destinations
    • Non-standard ports
    • LOLBins initiating traffic

Event ID 4 — Sysmon Service State Changed

Meaning

  • Sysmon service started or stopped

Abuse

  • Attackers attempting to blind telemetry
  • Often paired with admin privilege escalation

Detection Notes

  • Any unexpected stop = critical alert

Event ID 5 — Process Terminated

Internals

  • Triggered when the process object exits

Use

  • Timeline reconstruction
  • Ransomware kill chains

Detection Notes

  • Low standalone value
  • Use for correlation only

Event ID 6 — Driver Loaded

Windows Internals

  • Kernel-mode driver load (NtLoadDriver)

Advanced Fields

  • ImageLoaded
  • SignatureStatus
  • Signed
  • Signature

Abuse

  • BYOVD attacks
  • Rootkits
  • Kernel credential theft

Detection Notes

  • Unsigned drivers = high severity
  • Watch for known vulnerable drivers

Event ID 7 — Image Loaded (DLL Load)

Windows Internals

  • Captures LoadLibrary events
  • Includes user-mode DLLs only

Abuse

  • DLL search order hijacking
  • Side-loading
  • Reflective DLL injection

Detection Notes

  • Extremely noisy
  • Filter by:
    • Unsigned DLLs
    • User-writable paths
    • LOLBins loading DLLs

Event ID 8 — CreateRemoteThread

Windows Internals

  • Triggered on CreateRemoteThread or NtCreateThreadEx

Advanced Fields

  • StartAddress
  • StartFunction
  • TargetProcessId

Abuse

  • Classic code injection
  • Post-exploitation frameworks

Detection Notes

  • High-confidence malicious signal
  • Rare in normal environments

Event ID 9 — RawAccessRead

Meaning

  • Direct disk reads bypassing filesystem APIs

Abuse

  • Reading SAM / NTDS.dit
  • Credential dumping
  • Anti-forensics

Detection Notes

  • Very rare legitimately
  • Almost always malicious

Event ID 10 — Process Access

Windows Internals

  • Captures OpenProcess calls with access masks

Key Field

  • GrantedAccess: Bitmask of permissions

Abuse

  • LSASS memory access
  • Injection staging
  • Debugging abuse

Detection Notes

  • Focus on:
    • LSASS target
    • High-access masks
    • Unexpected source processes
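As an added Python example (not part of the original guide), the following decodes GrantedAccess from a Sysmon Event ID 10 record in its EVTX XML rendering and rates LSASS access by whether the mask includes memory-read or memory-write rights. The sample record, its paths, and the MEMORY_RIGHTS grouping are constructed assumptions; the PROCESS_* bit values are the documented Win32 ones.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Selected PROCESS_* access rights (bit values from winnt.h).
ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# Rights that allow reading or modifying another process's memory (grouping is an assumption).
MEMORY_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_event_data(xml_text):
    """Return the EventData fields of a Sysmon event rendered as EVTX XML."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): d.text for d in root.iterfind(".//e:EventData/e:Data", NS)}

def decode_access(mask):
    """Name the PROCESS_* rights set in a GrantedAccess bitmask."""
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]

def classify(fields):
    """'high' when LSASS memory can be read or written, 'medium' for other LSASS access."""
    mask = int(fields["GrantedAccess"], 16)
    target = PureWindowsPath(fields["TargetImage"]).name.lower()
    if target == "lsass.exe" and mask & MEMORY_RIGHTS:
        return "high"
    if target == "lsass.exe":
        return "medium"
    return "low"

# Constructed sample Event ID 10 record (made-up paths and values, not real telemetry).
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>10</EventID></System>
<EventData>
<Data Name="SourceImage">C:\\Users\\alice\\Downloads\\tool.exe</Data>
<Data Name="TargetImage">C:\\Windows\\System32\\lsass.exe</Data>
<Data Name="GrantedAccess">0x1010</Data>
</EventData></Event>"""

if __name__ == "__main__":
    fields = parse_event_data(SAMPLE)
    print(classify(fields), decode_access(int(fields["GrantedAccess"], 16)))
```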

Event ID 11 — File Create

Meaning

  • File created or overwritten

Abuse

  • Malware dropping payloads
  • Persistence artifacts

Detection Notes

  • Combine with directory context
  • User-writable + executable = suspicious

Event ID 12 — Registry Key Create/Delete

Abuse

  • Persistence setup
  • Configuration tampering

Detection Notes

  • Monitor:
    • Run keys
    • Services
    • Security settings

Event ID 13 — Registry Value Set

Abuse

  • Autoruns
  • Defender exclusions
  • UAC bypass

Detection Notes

  • Very high detection value
  • Track value data, not just key

Event ID 14 — Registry Object Renamed

Abuse

  • Stealth persistence
  • Evasion of simple key monitoring

Detection Notes

  • Rare → high signal

Event ID 15 — FileCreateStreamHash (ADS)

Windows Internals

  • NTFS Alternate Data Streams

Abuse

  • Hidden payload storage
  • Living-off-the-land attacks

Detection Notes

  • Any ADS creation should be reviewed

Event ID 16 — Sysmon Config Change

Abuse

  • Disabling or weakening telemetry

Detection Notes

  • Treat as security incident

Event ID 17 — Pipe Created

Event ID 18 — Pipe Connected

Windows Internals

  • Named pipe IPC

Abuse

  • C2 channels
  • Lateral movement
  • Credential harvesting tools

Detection Notes

  • Monitor known malicious pipe names
  • Correlate with SMB traffic

Event ID 19 — WMI Event Filter

Event ID 20 — WMI Event Consumer

Event ID 21 — WMI Consumer To Filter

Abuse

  • Fileless persistence
  • Highly stealthy

Detection Notes

  • Any WMI persistence is suspicious
  • Rare in legitimate software

Event ID 22 — DNS Query

Windows Internals

  • Captures DNS API calls per process

Abuse

  • DGA
  • DNS tunneling
  • C2 discovery

Detection Notes

  • Focus on:
    • High entropy domains
    • Rare TLDs
    • LOLBins querying DNS
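The three DNS focus points above, as an added Python example that is not part of the original guide: it scores constructed Event ID 22 records by the Shannon entropy of the longest non-TLD label (so it covers tunnelling subdomains as well as DGA names), by an uncommon TLD, and by a LOLBin as the querying Image. The sample records, the LOLBIN and TLD lists, and the entropy and length thresholds are assumptions for illustration.

```python
import math
from collections import Counter
from pathlib import PureWindowsPath

# Binaries that rarely need to resolve names on their own (matched on Sysmon's Image field).
LOLBINS = {"certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "bitsadmin.exe"}
COMMON_TLDS = {"com", "net", "org", "edu", "gov", "io"}
ENTROPY_THRESHOLD = 3.5   # bits per character; a tuning assumption, not a Sysmon value
MIN_LABEL_LEN = 12        # short labels cannot reach high entropy, so skip them

def shannon_entropy(text):
    """Shannon entropy of a string in bits per character."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def longest_label(name):
    """Longest DNS label left of the TLD: catches DGA names and tunnelling subdomains."""
    parts = name.split(".")
    return max(parts[:-1], key=len) if len(parts) > 1 else parts[0]

def score_query(rec):
    """Return the reasons an Event ID 22 record deserves analyst attention."""
    reasons = []
    name = rec["QueryName"].lower().rstrip(".")
    label = longest_label(name)
    entropy = shannon_entropy(label)
    if len(label) >= MIN_LABEL_LEN and entropy >= ENTROPY_THRESHOLD:
        reasons.append(f"high-entropy label {label!r} ({entropy:.2f} bits)")
    if name.rsplit(".", 1)[-1] not in COMMON_TLDS:
        reasons.append("uncommon TLD")
    if PureWindowsPath(rec["Image"]).name.lower() in LOLBINS:
        reasons.append("LOLBin querying DNS")
    return reasons

# Constructed sample records (made-up names and paths, not real telemetry).
EVENTS = [
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "www.example.com"},
    {"Image": r"C:\Windows\System32\certutil.exe", "QueryName": "kq8x3vz9pm2rt7wd.xyz"},
    {"Image": r"C:\Windows\System32\svchost.exe", "QueryName": "time.windows.com"},
]

if __name__ == "__main__":
    for event in EVENTS:
        print(event["QueryName"], score_query(event))
```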

Event ID 23 — File Delete

Abuse

  • Evidence removal
  • Ransomware cleanup

Detection Notes

  • Correlate with ransomware behaviors

Event ID 24 — Clipboard Change

Abuse

  • Credential harvesting
  • Crypto address hijacking

Detection Notes

  • Very niche but high value

Event ID 25 — Process Tampering

Windows Internals

  • Detects:
    • Process hollowing
    • Image replacement
    • Memory manipulation

Detection Notes

  • One of Sysmon’s highest-fidelity events
  • Rare false positives

Event ID 26 — File Delete Detected

Meaning

  • Async detection of file deletion

Use

  • Complements Event ID 23
  • Useful for fast malware cleanup

Final Notes

Highest Signal Events

  • 8, 9, 10, 19–21, 25

Noisiest Events

  • 3, 7, 11

Core Detection Baseline

  • 1, 3 (filtered), 10, 11, 13, 22, 25