What You'll Learn
- Explain what Sysmon is, why it exists, and what gap it fills that native Windows logging cannot
- Identify the key Sysmon Event IDs every SOC analyst must know (1, 3, 7, 8, 10, 11, 13, 22)
- Understand how Sysmon integrates with Wazuh to close the detection gaps identified in Lab 1.2
- Map Sysmon event types to MITRE ATT&CK techniques
- Compare before-and-after detection coverage with and without Sysmon
- Recognize real-world attack patterns through Sysmon telemetry
The Visibility Problem
In Lesson 2.1, you learned that Windows Event Logs are the most important log source in most enterprise SOCs. In Lab 1.2, you mapped APT29's 15 techniques to the ATT&CK framework and discovered that 7 were red gaps — techniques Wazuh couldn't detect with default log sources.
Let's revisit those gaps:
| Technique | Why Wazuh Missed It |
|---|---|
| T1027 — Obfuscated Files | No file content inspection |
| T1055.001 — DLL Injection | No process memory monitoring |
| T1003.001 — LSASS Memory Dump | No process access monitoring |
| T1560.001 — Archive Data | No endpoint file activity monitoring |
| T1071.001 — Web Protocols C2 | No per-process network monitoring |
| T1105 — Ingress Tool Transfer | No file download tracking per process |
| T1041 — Exfiltration Over C2 | No per-process network traffic analysis |
The common thread: Windows Security Event Logs don't tell you which process connects to which network endpoint, which DLLs a process loads, which process accessed LSASS memory, or what files a process creates. Native Windows logging tells you "someone logged in" and "a process was created" — but not the deep behavioral telemetry needed to detect modern attacks.
Sysmon fills that gap.
Industry Reality: According to multiple DFIR surveys, Sysmon is deployed in over 70% of enterprise environments that take endpoint detection seriously. It's free, maintained by Microsoft (Sysinternals), and is the single most impactful improvement you can make to Windows endpoint visibility. If your SOC doesn't have Sysmon, you're missing most of the attack chain.
What Is Sysmon?
System Monitor (Sysmon) is a free Windows system service and device driver from Microsoft's Sysinternals suite. Once installed, it:
- Monitors system activity at a deeper level than native Windows logging
- Logs events to the Windows Event Log under Microsoft-Windows-Sysmon/Operational
- Persists across reboots — once installed, it survives restarts and most tampering attempts
- Is configurable — you control exactly what gets logged through an XML configuration file
Sysmon doesn't block anything. It doesn't prevent attacks. It records what happened at a granularity that native Windows logging cannot match. It's a telescope, not a shield — and in the SOC, seeing the attack clearly is the first step to stopping it.
Sysmon vs. Native Windows Logging
| Capability | Windows Security Logs | Sysmon |
|---|---|---|
| Process creation | Event ID 4688 (basic) | Event ID 1 (with hashes, parent process, command line, user, current directory) |
| Network connections | Limited to firewall events | Event ID 3 (per-process: which process connected to which IP/port) |
| File creation | No native coverage | Event ID 11 (which process created which file) |
| DLL loading | No native coverage | Event ID 7 (which DLLs a process loaded) |
| Process memory access | No native coverage | Event ID 10 (which process accessed which other process — LSASS detection) |
| Registry changes | Limited via object auditing | Event ID 13 (registry value set with full detail) |
| DNS queries | No per-process tracking | Event ID 22 (which process queried which domain) |
| File hash | Not included in 4688 | Included in Event ID 1 (MD5, SHA256, IMPHASH) |
| Parent process chain | Parent PID in 4688 (basic) | Full chain (parent image, parent command line) |
The Hash Changes Everything. When a process starts, Sysmon records its file hash (MD5, SHA256, IMPHASH). This means you can check every executed binary against VirusTotal, MISP, or your own threat intelligence feeds. With native 4688 events, you only get the file name — which attackers easily change. Hashes don't lie.
The Essential Sysmon Event IDs
Sysmon generates 29 event types (Event IDs 1-29). In practice, SOC analysts spend 95% of their time with 8 key Event IDs. Here are the ones that close the detection gaps from Lab 1.2:
Event ID 1: Process Creation
The single most valuable Sysmon event. Logs every new process with unprecedented detail.
| Field | What It Tells You | Attack Detection |
|---|---|---|
| Image | Full path of the new process | Executables in \Temp\, \ProgramData\ = suspicious |
| CommandLine | Exact command line used | Encoded PowerShell (-enc), LOLBin abuse |
| ParentImage | What process launched it | Word.exe → PowerShell.exe = macro execution |
| ParentCommandLine | Parent's command line | Full execution chain |
| Hashes | MD5, SHA256, IMPHASH | Compare against threat intel |
| User | Account that ran the process | SYSTEM running user tools = privilege escalation |
| CurrentDirectory | Working directory | \Temp\ or \Downloads\ = recently dropped file |
| OriginalFileName | PE header filename | If Image says "svchost.exe" but OriginalFileName says "mimikatz.exe" → renamed binary |
ATT&CK Coverage: T1059 (Command and Scripting), T1204 (User Execution), T1036 (Masquerading)
The Parent-Child Relationship Is Gold. If you see winword.exe → cmd.exe → powershell.exe, that's a classic macro execution chain. Normal Word documents don't spawn command prompts. This parent-child analysis is impossible with native Windows 4688 events, which only record the parent PID (not the parent's full path and command line).
Event ID 3: Network Connection
Logs network connections per process — which executable connected to which remote IP and port.
| Field | What It Tells You | Attack Detection |
|---|---|---|
| Image | Which process initiated the connection | notepad.exe making outbound connections = malware |
| DestinationIp | Remote IP address | Known C2 IPs, TOR exit nodes |
| DestinationPort | Remote port | 4444 (Meterpreter), 8080 (common C2), 443 (encrypted C2) |
| Protocol | TCP or UDP | UDP to unusual ports = tunneling |
ATT&CK Coverage: T1071 (Application Layer Protocol), T1041 (Exfiltration Over C2), T1105 (Ingress Tool Transfer)
This directly closes the Lab 1.2 gaps for T1071.001 (Web Protocols C2), T1105 (Ingress Tool Transfer), and T1041 (Exfiltration Over C2). Without Sysmon, you can't see which process is talking to the C2 server — you only see network traffic at the firewall level without process attribution.
Event ID 7: Image Loaded (DLL Loading)
Logs every DLL loaded by a process — critical for detecting DLL injection and DLL side-loading.
| Field | What It Tells You | Attack Detection |
|---|---|---|
| Image | Which process loaded the DLL | svchost.exe loading unusual DLLs |
| ImageLoaded | Full path of the loaded DLL | DLLs from \Temp\ or \AppData\ = suspicious |
| Hashes | DLL file hashes | Compare against known malicious DLL hashes |
| Signed | Whether the DLL is digitally signed | Unsigned DLLs in system processes = anomalous |
ATT&CK Coverage: T1055.001 (DLL Injection), T1574 (DLL Side-Loading)
This closes the Lab 1.2 gap for T1055.001 (DLL Injection). In the APT29 scenario, the attacker injected code into svchost.exe via DLL injection. With Sysmon Event ID 7, you would see svchost.exe loading an unsigned DLL from an unusual path — a clear detection opportunity that native Windows logging completely misses.
Event ID 8: CreateRemoteThread
Logs when a process creates a thread in another process — a direct indicator of code injection.
| Field | What It Tells You |
|---|---|
| SourceImage | Process performing the injection |
| TargetImage | Process being injected into |
ATT&CK Coverage: T1055 (Process Injection — all sub-techniques)
Event ID 10: Process Access
Logs when a process opens a handle to another process — the key detection for credential dumping.
| Field | What It Tells You | Attack Detection |
|---|---|---|
| SourceImage | Which process accessed the target | mimikatz.exe, procdump.exe accessing lsass.exe |
| TargetImage | Which process was accessed | lsass.exe = credential access attempt |
| GrantedAccess | Access rights requested | 0x1010, 0x1FFFFF = full access to memory (credential dump) |
ATT&CK Coverage: T1003.001 (LSASS Memory Dump)
This closes the Lab 1.2 gap for T1003.001. In the APT29 scenario, the attacker used Mimikatz to dump LSASS memory. With Sysmon Event ID 10, you would see an unusual process (the renamed Mimikatz binary) accessing lsass.exe with memory read permissions — regardless of what the tool is named.
LSASS Access Is the Crown Jewel Detection. If any process other than a known security tool accesses lsass.exe with memory read rights, assume credential theft is occurring. This is one of the highest-confidence detections in all of endpoint security. Without Sysmon Event ID 10, you have zero visibility into this attack.
Event ID 11: File Created
Logs file creation events — which process created which file.
| Field | What It Tells You | Attack Detection |
|---|---|---|
| Image | Which process created the file | PowerShell.exe creating .exe files = dropper |
| TargetFilename | Full path of the new file | Files in \Temp\, \ProgramData\ with .exe, .dll, .bat |
ATT&CK Coverage: T1105 (Ingress Tool Transfer), T1560.001 (Archive Collected Data)
Event ID 13: Registry Value Set
Logs registry modifications — critical for detecting persistence mechanisms.
| Field | What It Tells You | Attack Detection |
|---|---|---|
| Image | Which process modified the registry | PowerShell.exe modifying Run keys |
| TargetObject | Registry key/value changed | HKLM\Software\Microsoft\Windows\CurrentVersion\Run = persistence |
| Details | New value content | Path to the persisted malware |
ATT&CK Coverage: T1547.001 (Registry Run Keys), T1112 (Modify Registry)
Event ID 22: DNS Query
Logs DNS queries per process — the per-process DNS visibility that no other Windows log source provides.
| Field | What It Tells You | Attack Detection |
|---|---|---|
| Image | Which process made the DNS query | PowerShell.exe resolving suspicious domains |
| QueryName | Domain queried | C2 domains, DGA-generated domains |
| QueryResults | Resolved IP addresses | IPs matching known threat intel |
ATT&CK Coverage: T1071.004 (DNS C2), T1568 (Dynamic Resolution)
Sysmon + Wazuh Integration
Sysmon generates events into the Windows Event Log. Wazuh's Windows agent can read these events and forward them to the Wazuh manager for processing. The integration requires two things:
1. Sysmon Configuration
Sysmon's behavior is controlled by an XML configuration file. The community-standard configuration is SwiftOnSecurity's sysmon-config — a well-maintained, production-ready configuration that balances visibility with noise reduction.
Key configuration decisions:
- Which Event IDs to enable — Event IDs 1, 3, 7, 10, 11, 13, 22 are essential
- Exclusion filters — Suppress known-good processes to reduce noise (e.g., Windows Update, antivirus)
- Hash algorithms — MD5 + SHA256 for maximum threat intel compatibility
2. Wazuh Agent Configuration
The Wazuh agent needs to be configured to read the Sysmon channel:
```xml
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
```
Once configured, Sysmon events flow through the standard Wazuh pipeline: Agent → Manager → Decoder → Rules → Dashboard. Wazuh includes built-in decoders and rules for Sysmon events, so detection starts working immediately.
Closing the Lab 1.2 Gaps: Before and After
Let's revisit the APT29 detection coverage from Lab 1.2 and see how Sysmon changes the picture:
| Technique | Without Sysmon | With Sysmon | Detection Method |
|---|---|---|---|
| T1027 — Obfuscated Files | Red (Gap) | Yellow (Partial) | Event ID 1: encoded command lines, suspicious hashes |
| T1055.001 — DLL Injection | Red (Gap) | Green (Detected) | Event ID 7: unsigned DLLs in system processes + Event ID 8: CreateRemoteThread |
| T1003.001 — LSASS Memory Dump | Red (Gap) | Green (Detected) | Event ID 10: process access to lsass.exe |
| T1560.001 — Archive Data | Red (Gap) | Yellow (Partial) | Event ID 11: zip/rar file creation by suspicious processes |
| T1071.001 — Web Protocols C2 | Red (Gap) | Green (Detected) | Event ID 3: process-to-IP network connections |
| T1105 — Ingress Tool Transfer | Red (Gap) | Green (Detected) | Event ID 11: file creation + Event ID 3: download connections |
| T1041 — Exfiltration Over C2 | Red (Gap) | Yellow (Partial) | Event ID 3: outbound data volume from specific processes |
Result: From 3 Green / 5 Yellow / 7 Red → 7 Green / 5 Yellow / 3 Red
Sysmon alone closes 4 gaps completely and partially addresses 3 more. Combined with the existing Wazuh detection (Lesson 2.1-2.5), you now have meaningful coverage across the majority of the APT29 kill chain.
The Remaining Gaps. Even with Sysmon, some techniques remain partially detected (yellow). Full obfuscation analysis requires sandboxing and YARA rules (Module 7). Complete exfiltration detection requires network traffic analysis (Suricata, Module 3). Sysmon dramatically improves visibility but doesn't replace the need for a layered defense strategy.
Real-World Detection Patterns with Sysmon
Here are five high-value detection patterns that Sysmon enables, each mapped to attack techniques you studied in Module 1:
Pattern 1: Macro Execution Chain
Event ID 1: ParentImage = WINWORD.EXE → Image = cmd.exe → powershell.exe
Detects: T1566.001 (Spearphishing) → T1059.001 (PowerShell)
Pattern 2: Credential Dumping
Event ID 10: SourceImage = unknown.exe → TargetImage = lsass.exe, GrantedAccess = 0x1010
Detects: T1003.001 (LSASS Memory Dump)
Pattern 3: C2 Beaconing
Event ID 3: Image = svchost.exe → DestinationIp = external_ip, repeated every 4 hours
Detects: T1071.001 (Web Protocols C2)
Pattern 4: Persistence via Registry
Event ID 13: TargetObject = HKLM\Software\Microsoft\Windows\CurrentVersion\Run, Image = powershell.exe
Detects: T1547.001 (Registry Run Keys)
Pattern 5: Renamed Binary Detection
Event ID 1: Image = C:\Temp\svchost.exe, OriginalFileName = mimikatz.exe
Detects: T1036 (Masquerading) — binary renamed to look like a legitimate Windows process
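The five patterns above expressed as detection logic, as an added example that is not part of the lesson and not Sysmon or Wazuh code. It runs over constructed Sysmon EventData dictionaries using the field names from the event tables in this lesson; the LSASS allowlist, the beacon jitter threshold and the sample events are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Hypothetical allowlist of tools that legitimately open lsass.exe (tune per environment)
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wmiprvse.exe"}
PROCESS_VM_READ = 0x0010   # the access bit a memory dump needs; 0x1010 and 0x1FFFFF both contain it
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

def base(path):
    """Lower-cased file name of a Windows path ('C:\\Windows\\System32\\cmd.exe' -> 'cmd.exe')."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def check_event(e):
    """Stateless patterns 1, 2, 4 and 5 over one Sysmon event; returns (pattern, ATT&CK id) or None."""
    eid = e["EventID"]
    if eid == 1:
        if base(e["ParentImage"]) in OFFICE and base(e["Image"]) in SHELLS:
            return ("macro_execution_chain", "T1059.001")      # Pattern 1
        orig = e.get("OriginalFileName", "").lower()
        if orig and orig != base(e["Image"]):
            return ("renamed_binary", "T1036")                 # Pattern 5: PE name != on-disk name
    elif eid == 10 and base(e["TargetImage"]) == "lsass.exe":
        if base(e["SourceImage"]) not in LSASS_ALLOWLIST and int(e["GrantedAccess"], 16) & PROCESS_VM_READ:
            return ("lsass_access", "T1003.001")               # Pattern 2
    elif eid == 13 and "\\currentversion\\run" in e["TargetObject"].lower():
        return ("registry_run_key_persistence", "T1547.001")   # Pattern 4 (also matches RunOnce)
    return None

def find_beacons(events, min_hits=3, jitter=60):
    """Pattern 3: Event ID 3 connections from one process to one external IP at a steady interval."""
    by_pair = defaultdict(list)
    for e in events:   # simplified private-range filter, enough for the constructed sample
        if e["EventID"] == 3 and not e["DestinationIp"].startswith(("10.", "192.168.", "127.")):
            t = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
            by_pair[(base(e["Image"]), e["DestinationIp"])].append(t)
    hits = []
    for pair, times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and max(gaps) - min(gaps) <= jitter:
            hits.append((pair, gaps[0]))   # (process, ip) and the beacon period in seconds
    return hits

# Constructed sample events (not real telemetry); 203.0.113.10 is a documentation address
SAMPLE = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "OriginalFileName": "Cmd.Exe"},
    {"EventID": 1, "Image": "C:\\Temp\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "mimikatz.exe"},
    {"EventID": 10, "SourceImage": "C:\\Temp\\svchost.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
] + [{"EventID": 3, "Image": "C:\\Temp\\svchost.exe", "DestinationIp": "203.0.113.10", "UtcTime": f"2024-01-15 {h:02d}:00:00.000"} for h in (0, 4, 8, 12)]

def run():
    """Returns the stateless alerts in event order plus the beacon candidates."""
    return [a for a in map(check_event, SAMPLE) if a], find_beacons(SAMPLE)
```

In production the same checks would be written as Wazuh rules over the decoded win.eventdata fields; the Python form makes the logic of each pattern explicit and easy to test against captured events.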
Sysmon Limitations
Sysmon is powerful but not perfect. Understanding its limitations prevents overconfidence:
| Limitation | Impact | Mitigation |
|---|---|---|
| Windows only | No coverage for Linux, macOS, network devices | Combine with Wazuh native agents, Auditd (Linux) |
| Can be bypassed | Advanced attackers can unload the Sysmon driver | Monitor for Sysmon service stop events (Event ID 4) |
| High log volume | Event ID 7 (DLL loading) can generate thousands of events/minute | Careful configuration with exclusion filters |
| No prevention | Sysmon only observes — it doesn't block | Combine with EDR for response capability |
| Kernel-level trust | Runs as a driver — a compromised kernel can tamper with it | Defense in depth — don't rely on a single telemetry source |
Key Takeaways
- Sysmon fills the critical visibility gap that native Windows Event Logs cannot cover: per-process network connections, DLL loading, process memory access, file creation tracking, and DNS queries per process
- The 8 essential Sysmon Event IDs (1, 3, 7, 8, 10, 11, 13, 22) cover process creation, network, DLLs, injection, credential dumping, files, registry, and DNS
- Event ID 10 (Process Access) is the key detection for LSASS credential dumping (T1003.001) — the highest-value gap from Lab 1.2
- Sysmon + Wazuh integration works through the standard agent configuration — Wazuh has built-in decoders and rules for all Sysmon event types
- Adding Sysmon to the Lab 1.2 scenario improves detection coverage from 3 Green / 5 Yellow / 7 Red to 7 Green / 5 Yellow / 3 Red
- Sysmon's OriginalFileName field catches renamed binaries (masquerading), and process hash fields enable threat intel matching
- Sysmon is Windows-only, observation-only, and can be bypassed by advanced attackers — it's a powerful layer, not a complete solution
Knowledge Check: Sysmon Endpoint Telemetry
10 questions · 70% to pass
What is the fundamental visibility gap that Sysmon fills compared to native Windows Security Event Logs?
Which Sysmon Event ID is the key detection for LSASS credential dumping (T1003.001)?
In Sysmon Event ID 1 (Process Creation), the OriginalFileName field shows 'mimikatz.exe' but the Image field shows 'C:\Temp\svchost.exe'. What attack technique does this indicate?
Which Sysmon Event IDs would detect the DLL injection attack (T1055.001) used by APT29 in the Lab 1.2 scenario?
If you see Sysmon Event ID 3 showing svchost.exe making outbound HTTPS connections to an unknown external IP every 4 hours, what does this likely indicate?
How does Sysmon Event ID 1 improve on native Windows Event ID 4688 for process creation monitoring?
After adding Sysmon to the Lab 1.2 APT29 scenario, how does the detection coverage change?
In Lab 1.2, you identified T1003.001 (LSASS Memory Dump) as a red gap — Wazuh had no coverage. With Sysmon deployed, what specific event would you look for to detect this technique?
In Lab 1.2's APT29 scenario, the initial compromise used spearphishing with a malicious Word document that executed PowerShell. Which Sysmon detection pattern would catch this?
What is the most important limitation of Sysmon that prevents it from being a complete endpoint security solution?