Sysmon-Event-Codes-Ids
Threat Hunting
Definition
Before I start, I want to break down what Sysmon is, so that you have a foundational understanding of it before getting into the event codes/IDs. System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. Sysmon event codes are crucial for Windows threat hunting because they provide detailed logs on, for example, process creation, network connections and file changes. Each Sysmon event ID comes with a detailed description, which makes these logs very powerful for identifying security threats; the main difference between Sysmon and the standard Event Viewer logs and IDs is the level of detail in the logging.
Related Terms
Threat Hunting
Examples & Use Cases
Sysmon Event ID 1 - Process Creation
Description: Logs when a process is created.
Usage: Useful for detecting abnormal parent-child process relationships, like those visible in Process Hacker, and it can help identify suspicious process chains.

Sysmon Event ID 3 - Network Connection
Description: Logs network connections.
Usage: While it can be noisy due to constant network activity, it can uncover network anomalies or help in detecting unusual network behavior.

Sysmon Event ID 11 - File Create
Description: Records file creations.
Usage: Useful for correlating or identifying the origins of files, which helps uncover suspicious file creation activity.

How it's relevant to security investigations

ID     Name                Why it Matters (Concise)
1      Process Create      Shows what ran, the full command, and who started it.
3      Network Connect     Links a specific program to an IP/port (C2 detection).
7      Image Loaded        Identifies DLLs being loaded; catches DLL sideloading.
8      Remote Thread       High alert for process injection (malware hiding in apps).
10     Process Access      Detects credential dumping (e.g., Mimikatz attacking lsass).
11     File Create         Tracks malware drops and new executables in temp folders.
12-14  Registry Event      Monitors persistence (changes to Autorun/Startup keys).
22     DNS Query           Logs domain lookups; spots malicious "phone home" traffic.
23     File Delete         Catches ransomware or attackers deleting their tools.
25     Process Tampering   Detects process hollowing (replacing good code with bad).

The table focuses on these specific IDs because they represent the lifecycle of an attack. In a security investigation, you aren't just looking for "bad files"; you are looking for behaviors that map to how attackers actually work. Here is the "why" behind the categories:

Visibility into Intent (IDs 1 & 22): Standard Windows logs might tell you a user logged in, but ID 1 tells you they ran cmd.exe with a specific hidden script, and ID 22 tells you that script tried to talk to a known malicious website.

Catching Stealth (IDs 8, 10, 25): Professional attackers don't just "run an exe." They hide inside legitimate programs like Chrome or Word. These IDs catch process injection and credential dumping, actions that are almost never performed by normal users but are standard for attackers.

Tracking Persistence (IDs 11, 12-14): Attackers want to stay in your system even after a reboot. They do this by dropping files in hidden folders (ID 11) or changing Registry startup keys (IDs 12-14). These logs allow you to see exactly where they "dug in."

Connecting the Dots (the "Process GUID"): The biggest "why" for using Sysmon IDs is that they share a globally unique process identifier (ProcessGuid). This allows an investigator to link a file download (ID 11) to the process that downloaded it (ID 1) and the network IP it used (ID 3) into a single, clear story. Essentially, these IDs turn fragmented computer noise into a chronological map of an intruder's movements.

Further Reading:
Rebaleos's Sysmon Event ID: potential uses in detecting malicious activity: https://medium.com/@rebaleos0/sysmon-event-id-potential-uses-in-detecting-malicious-activity-bf8e48b50780
RoddyT3ch List of Sysmon Event IDs for Threat Hunting: https://systemweakness.com/list-of-sysmon-event-ids-for-threat-hunting-4250b47cd567
Ultimate IT Security's Encyclopedia: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90001
Black Hills Information Security A Sysmon Event ID Breakdown Blog: https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
r/askNetsec: What are the technical differences between Sysmon and Windows Event Viewer?: https://www.reddit.com/r/AskNetsec/comments/1ga8iz7/what_are_the_technical_differences_between_sysmon/
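The "connecting the dots" idea above, shown as an added example (not code from this glossary page or from the Sysmon project): a small Python hunt script that groups flattened Sysmon events by their process GUID, prints one process's chronological story, and applies a few behavior rules from the table (Office app spawning a shell in ID 1, a non-allowlisted process opening lsass.exe in ID 10, an executable dropped in a Temp folder in ID 11, and a DNS-query/connect/drop chain across IDs 22, 3 and 11). The events, GUIDs, IP, domain, paths and the lsass allowlist are all constructed for illustration; note that ID 10 records carry SourceProcessGUID rather than ProcessGuid, which the script accounts for.

```python
"""Correlate constructed Sysmon events by process GUID and run a few hunting
rules over them. Added example; not Sysmon's own code or the page's code."""
import ntpath
from collections import defaultdict

# Constructed baseline, not a vetted production list.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "svchost.exe", "msmpeng.exe"}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed events, flattened from Sysmon's EventData fields. GUIDs, IP,
# domain and paths are made up. Story: Word opens a macro document, spawns a
# hidden PowerShell, which resolves a domain, connects out, drops an .exe in
# %TEMP% and then opens lsass.exe. A legitimate svchost lsass access is mixed in.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:00.000", "ProcessGuid": "{GUID-A}",
     "Image": WORD, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"WINWORD.EXE" /n invoice.docm'},
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:05.000", "ProcessGuid": "{GUID-B}",
     "Image": PS, "ParentImage": WORD,
     "CommandLine": "powershell.exe -w hidden -enc [encoded command placeholder]"},
    {"EventID": 22, "UtcTime": "2024-01-01 10:00:06.000", "ProcessGuid": "{GUID-B}",
     "Image": PS, "QueryName": "updates.example-c2.invalid"},
    {"EventID": 3, "UtcTime": "2024-01-01 10:00:07.000", "ProcessGuid": "{GUID-B}",
     "Image": PS, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 11, "UtcTime": "2024-01-01 10:00:09.000", "ProcessGuid": "{GUID-B}",
     "Image": PS, "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"EventID": 10, "UtcTime": "2024-01-01 10:00:12.000", "SourceProcessGUID": "{GUID-B}",
     "SourceImage": PS, "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "UtcTime": "2024-01-01 10:00:13.000", "SourceProcessGUID": "{GUID-C}",
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
]


def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def guid_of(ev):
    """ID 10 names the acting process SourceProcessGUID; other IDs use ProcessGuid."""
    return ev.get("ProcessGuid") or ev.get("SourceProcessGUID")


def build_timelines(events):
    """Group events by process GUID, each group sorted chronologically."""
    by_guid = defaultdict(list)
    for ev in events:
        by_guid[guid_of(ev)].append(ev)
    for timeline in by_guid.values():
        timeline.sort(key=lambda e: e["UtcTime"])  # fixed-width UtcTime sorts as text
    return dict(by_guid)


def describe(ev):
    """One-line human summary of an event, keyed on its Sysmon ID."""
    eid = ev["EventID"]
    if eid == 1:
        return f"ID 1  process created: {base(ev['Image'])} <- parent {base(ev['ParentImage'])} | {ev['CommandLine']}"
    if eid == 3:
        return f"ID 3  network connect: {base(ev['Image'])} -> {ev['DestinationIp']}:{ev['DestinationPort']}"
    if eid == 10:
        return f"ID 10 process access: {base(ev['SourceImage'])} -> {base(ev['TargetImage'])} (access {ev['GrantedAccess']})"
    if eid == 11:
        return f"ID 11 file created: {ev['TargetFilename']} by {base(ev['Image'])}"
    if eid == 22:
        return f"ID 22 DNS query: {base(ev['Image'])} asked for {ev['QueryName']}"
    return f"ID {eid} (no formatter)"


def story(events, guid):
    """Chronological narrative for one process GUID (empty list if unknown)."""
    return [f"{ev['UtcTime']}  {describe(ev)}" for ev in build_timelines(events).get(guid, [])]


def hunt(events):
    """Return (rule_name, process_guid) findings from simple behavior rules."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and base(ev["ParentImage"]) in OFFICE_APPS and base(ev["Image"]) in SHELLS:
            findings.append(("office-spawns-shell", guid_of(ev)))
        elif eid == 10 and base(ev["TargetImage"]) == "lsass.exe" and base(ev["SourceImage"]) not in LSASS_ALLOWLIST:
            findings.append(("lsass-access", guid_of(ev)))
        elif eid == 11 and "\\temp\\" in ev["TargetFilename"].lower() and ev["TargetFilename"].lower().endswith(".exe"):
            findings.append(("exe-dropped-in-temp", guid_of(ev)))
    # Cross-event rule: the same process resolved a name, connected out and wrote a file.
    for guid, timeline in build_timelines(events).items():
        if {22, 3, 11} <= {ev["EventID"] for ev in timeline}:
            findings.append(("dns-connect-drop-chain", guid))
    return findings


if __name__ == "__main__":
    for line in story(SAMPLE_EVENTS, "{GUID-B}"):
        print(line)
    for rule, guid in hunt(SAMPLE_EVENTS):
        print(f"FINDING {rule} on {guid}")
```

The rules deliberately key on behavior (who spawned what, who touched lsass, what landed in Temp) rather than on file hashes, which is the point the section makes about looking for behaviors instead of "bad files". Against real Sysmon data you would feed this the parsed EventData fields exported from the Microsoft-Windows-Sysmon/Operational log and tune the allowlists to your own baseline.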