sysmon-event-codes-ids

Definition

Related Terms

Examples & Use Cases

Sysmon Event ID 1 - Process Creation:
Description: Logs when a process is created.
Usage: Useful for detecting abnormal parent-child process relationships, like those seen in Process Hacker and it can help identify suspicious process chains.

Sysmon Event ID 3 - Network Connection:
Description: Logs network connections.
Usage: While it can be noisy due to constant network activity, it can be advantageous because it can uncover network anomalies or help in detecing unusual network behavior.

Sysmon Event ID 11 - File Create:

Description: Records file creations.
Usage: Useful for correlating or identifying the origins of files which can be helpful for uncovering suspicious file creation activities.

How it's relevant to security investigations.

D	Name	Why it Matters (Concise)
1	Process Create	Shows what ran, the full command, and who started it.
3	Network Connect	Links a specific program to an IP/Port (C2 detection).
7	Image Loaded	Identifies DLLs being loaded; catches DLL sideloading.
8	Remote Thread	High-alert for Process Injection (malware hiding in apps).
10	Process Access	Detects Credential Dumping (e.g., Mimikatz attacking lsass).
11	File Create	Tracks malware drops and new executables in temp folders.
12-14	Registry Event	Monitors Persistence (changes to Autorun/Startup keys).
22	DNS Query	Logs domain lookups; spots malicious "phone home" traffic.
23	File Delete	Catches ransomware or attackers deleting their tools.
25	Process Tampering	Detects Process Hollowing (replacing good code with bad).

The table focuses on these specific IDs because they represent the lifecycle of an attack. In a security investigation, you aren't just looking for "bad files"; you are looking for behaviors that map to how hackers actually work.
Here is the "why" behind the categories:
Visibility into Intent (IDs 1 & 22): Standard Windows logs might tell you a user logged in, but ID 1 tells you they ran cmd.exe with a specific hidden script. ID 22 tells you that script tried to talk to a known malicious website.
Catching Stealth (IDs 8, 10, 25): Professional attackers don't just "run an exe." They hide inside legitimate programs like Chrome or Word. These IDs catch Process Injection and Credential Dumping—actions that are almost never done by normal users but are standard for hackers.
Tracking Persistence (IDs 11, 12-14): Hackers want to stay in your system even after a reboot. They do this by dropping files in hidden folders (ID 11) or changing Registry startup keys (IDs 12-14). These logs allow you to see exactly where they "dug in."
Connecting the Dots (The "Process GUID"): The biggest "why" for using Sysmon IDs is that they all share a Global Unique ID. This allows an investigator to link a file download (ID 11) to the process that downloaded it (ID 1) and the network IP it used (ID 3) into a single, clear story.
Essentially, these IDs turn fragmented computer noise into a chronological map of an intruder's movements.