Sysmon is a great system monitoring tool provided by Microsoft (Sysinternals) for Windows which can be used for threat hunting and incident response. It runs as a Windows service and does its monitoring in kernel land through a driver. This blog article will be used to maintain a table describing the different Sysmon events available across the different Sysmon versions.

Event Distribution

The statistics below show the number of events generated over a 5-hour monitoring period with every Sysmon event type being logged. Event IDs that are not listed were simply not observed during the sampling.

Start: 2017-09-20T23:15:04Z
Stop: 2017-09-21T04:04:19Z
TimeLastEvent: 2017-09-21T04:04:18Z
Duration (stop - start): 5h0m0.1474609s
EventCount: 1669855
Average EPS: 92.77 eps
EventIDs:
     1: 116 (0.01 eps)
     2: 6 (0.00 eps)
     3: 186 (0.01 eps)
     5: 115 (0.01 eps)
     6: 4 (0.00 eps)
     7: 5850 (0.32 eps)
     8: 1 (0.00 eps)
     9: 45 (0.00 eps)
     10: 1605725 (89.21 eps)
     11: 271 (0.02 eps)
     12: 50561 (2.81 eps)
     13: 3297 (0.18 eps)
     17: 10 (0.00 eps)
     18: 3668 (0.20 eps)

Events Table

Columns: EventID | Type | Available since | Example (one field per line)

EventID 1 | Type: CreateProcess | Available since: -
    CommandLine: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    CurrentDirectory: C:\Windows\system32\
    Hashes: SHA1=9F5A4796B58D8B104A1C0F5A63DAF0032B947966, MD5=619A67C9F617B7E69315BB28ECD5E1DF, SHA256=F34F231D117CCDFEBB9CB35C8D6FDFA7051DA27FDC1204FCCFF361FC0B13A0FF, IMPHASH=C1E65C7FF153F2C2E6A7E93706AE226A
    Image: C:\Windows\System32\wbem\WmiPrvSE.exe
    IntegrityLevel: System
    LogonGuid: 49F1AF32-4E56-59BD-0000-0020E4030000
    LogonId: 0x000003e4
    ParentCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch
    ParentImage: C:\Windows\System32\svchost.exe
    ParentProcessGuid: 49F1AF32-4E56-59BD-0000-00104E830000
    ParentProcessId: 600
    ProcessGuid: 49F1AF32-882C-59C1-0000-00108FA14600
    ProcessId: 3204
    TerminalSessionId: 0
    User: NT AUTHORITY\NETWORK SERVICE
    UtcTime: 2017-09-19 21:12:12.727

EventID 2 | Type: FileCreateTime | Available since: -
    CreationUtcTime: 2017-09-18 07:50:46.104
    Image: C:\Program Files\Mozilla Firefox\firefox.exe
    PreviousCreationUtcTime: 2017-09-19 21:16:37.524
    ProcessGuid: 49F1AF32-8663-59C1-0000-001062293400
    ProcessId: 1396
    TargetFilename: C:\Users\Gen Eric\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BE2KF8TBMP786WCR1WSN.temp
    UtcTime: 2017-09-19 21:16:37.540

EventID 3 | Type: NetworkConnect | Available since: -
    DestinationHostname:
    DestinationIp: 192.168.56.1
    DestinationIsIpv6: false
    DestinationPort: 8080
    DestinationPortName:
    Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Initiated: true
    ProcessGuid: 49F1AF32-8A4D-59C1-0000-001042F00A00
    ProcessId: 3888
    Protocol: tcp
    SourceHostname: GenEric-PC
    SourceIp: 192.168.56.101
    SourceIsIpv6: false
    SourcePort: 49252
    SourcePortName:
    User: NT AUTHORITY\SYSTEM
    UtcTime: 2017-09-19 21:25:51.846

EventID 4 | Type: - | Available since: -
    SchemaVersion: 3.40
    State: Started
    UtcTime: 2017-09-19 21:17:08.820
    Version: 6.10

EventID 5 | Type: ProcessTerminate | Available since: -
    Image: C:\Windows\SysWOW64\runonce.exe
    ProcessGuid: 49F1AF32-8956-59C1-0000-001099830200
    ProcessId: 2100
    UtcTime: 2017-09-19 21:17:12.434

EventID 6 | Type: DriverLoad | Available since: -
    Hashes: SHA1=706C6BB3AD9E24F148EE110984814897383BDC32, MD5=9B38580063D281A99E68EF5813022A5F, SHA256=D91676B0E0A8E2A090E3E5DD340ABCFC20AE0F55B4C82869D6CFB34239BD27DA, IMPHASH=6126B7C1BE78663C7C2231BA8607D577
    ImageLoaded: C:\Windows\System32\drivers\dfsc.sys
    Signature: Microsoft Windows
    SignatureStatus: Valid
    Signed: true
    UtcTime: 2017-09-19 21:17:01.171

EventID 7 | Type: ImageLoad | Available since: -
    Hashes: SHA1=49D4F6E96FD4D810D26E5166991070CFC32298AB, MD5=FBE1086227040618A569C27F74A12F3D, SHA256=1631C78ED9C35EB62FC66ECBB536B251329134A866A783875AEE7D85C7DD0E02, IMPHASH=1EC347D133DF2FE4DA3E5F8944CAEAE8
    Image: C:\Windows\System32\CompatTelRunner.exe
    ImageLoaded: C:\Windows\System32\ws2_32.dll
    ProcessGuid: 49F1AF32-884D-59C1-0000-001044E84800
    ProcessId: 3236
    Signature: Microsoft Windows
    SignatureStatus: Valid
    Signed: true
    UtcTime: 2017-09-19 21:12:45.821

EventID 8 | Type: CreateRemoteThread | Available since: -
    NewThreadId: 3384
    SourceImage: C:\Windows\System32\wbem\WmiPrvSE.exe
    SourceProcessGuid: 49F1AF32-8955-59C1-0000-00105DF90100
    SourceProcessId: 1956
    StartAddress: 0x0000000077533860
    StartFunction:
    StartModule: C:\Windows\SYSTEM32\ntdll.dll
    TargetImage: C:\Windows\System32\wbem\WmiApSrv.exe
    TargetProcessGuid: 49F1AF32-89D7-59C1-0000-00106D100A00
    TargetProcessId: 3196
    UtcTime: 2017-09-19 21:19:20.228

EventID 9 | Type: RawAccessRead | Available since: -
    Device: \Device\HarddiskVolume2
    Image: C:\Windows\System32\smss.exe
    ProcessGuid: 49F1AF32-894D-59C1-0000-0010002E0000
    ProcessId: 264
    UtcTime: 2017-09-19 21:17:01.359

EventID 10 | Type: ProcessAccess | Available since: -
    CallTrace: C:\Windows\SYSTEM32\ntdll.dll+4bf9a|C:\Windows\system32\KERNELBASE.dll+189b7|C:\Windows\System32\VBoxService.exe+1009d|C:\Windows\System32\VBoxService.exe+11374|C:\Windows\System32\VBoxService.exe+1161e|C:\Windows\System32\VBoxService.exe+e7fb|C:\Windows\System32\VBoxService.exe+f27b|C:\Windows\System32\VBoxService.exe+181e|C:\Windows\System32\VBoxService.exe+2d4af|C:\Windows\System32\VBoxService.exe+30bd2|C:\Windows\System32\VBoxService.exe+6c24b|C:\Windows\System32\VBoxService.exe+6c2df|C:\Windows\system32\kernel32.dll+159cd|C:\Windows\SYSTEM32\ntdll.dll+2a561
    GrantedAccess: 0x1400
    SourceImage: C:\Windows\System32\VBoxService.exe
    SourceProcessGUID: 49F1AF32-4E56-59BD-0000-00108BCA0000
    SourceProcessId: 664
    SourceThreadId: 696
    TargetImage: C:\Windows\system32\csrss.exe
    TargetProcessGUID: 49F1AF32-4E55-59BD-0000-0010FB560000
    TargetProcessId: 340
    UtcTime: 2017-09-19 21:14:34.790

EventID 11 | Type: FileCreate | Available since: -
    CreationUtcTime: 2017-09-07 21:43:40.859
    Image: C:\Windows\System32\smss.exe
    ProcessGuid: 49F1AF32-894D-59C1-0000-0010002E0000
    ProcessId: 264
    TargetFilename: C:\pagefile.sys
    UtcTime: 2017-09-19 21:17:02.343

EventID 12 | Type: RegistryEvent | Available since: -
    EventType: CreateKey
    Image: C:\Windows\Sysmon.exe
    ProcessGuid: 49F1AF32-4E59-59BD-0000-001021720100
    ProcessId: 1332
    TargetObject: HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
    UtcTime: 2017-09-19 21:14:42.915

EventID 13 | Type: RegistryEvent | Available since: -
    Details: DWORD (0xffffffff)
    EventType: SetValue
    Image: C:\Windows\system32\CompatTelRunner.exe
    ProcessGuid: 49F1AF32-884D-59C1-0000-001093F04800
    ProcessId: 616
    TargetObject: \REGISTRY\A\{5F82DC26-E525-476B-D7F4-86FAF0C848CE}\Root\DeviceCensus\WU\AppStoreAutoUpdatePolicy
    UtcTime: 2017-09-19 21:12:46.212

EventID 14 | Type: RegistryEvent | Available since: -
    EventType: RenameKey
    Image: C:\Windows\regedit.exe
    NewName: \REGISTRY\MACHINE\SOFTWARE\Macromedia\RegistryRenamed
    ProcessGuid: 49F1AF32-22C3-59C2-0000-001085501200
    ProcessId: 3800
    TargetObject: HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX
    UtcTime: 2017-09-20 08:14:21.370

EventID 15 | Type: FileCreateStreamHash | Available since: -
    CreationUtcTime: 2017-09-20 08:06:11.801
    Hash: SHA1=17DC34358A2BF7E7D6E78268B3CA7493915BB325, MD5=9D9D384EF6546192D60EFDBB8397CD2D, SHA256=3455A37D9006F5325AC6208E874AE8149FECD8631D981EE78B3AD5B06AD648AB, IMPHASH=00000000000000000000000000000000
    Image: C:\Windows\system32\cmd.exe
    ProcessGuid: 49F1AF32-21E3-59C2-0000-00106B811000
    ProcessId: 4000
    TargetFilename: C:\Users\GENERI~1\AppData\Local\Temp\test.txt:malicious.txt
    UtcTime: 2017-09-20 08:10:29.925

EventID 16 | Type: - | Available since: -
    Not Seen

EventID 17 | Type: PipeEvent | Available since: v6.0
    Image: C:\Windows\system32\svchost.exe
    PipeName: \PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
    ProcessGuid: 49F1AF32-8952-59C1-0000-0010CAE70000
    ProcessId: 920
    UtcTime: 2017-09-19 21:17:20.970

EventID 18 | Type: PipeEvent | Available since: v6.0
    Image: C:\Windows\Explorer.EXE
    PipeName: \lsass
    ProcessGuid: 49F1AF32-8955-59C1-0000-00106FEA0100
    ProcessId: 1932
    UtcTime: 2017-09-19 21:24:27.017

EventID 19 | Type: WmiEvent | Available since: v6.10
    EventNamespace: "root\\CimV2"
    EventType: WmiFilterEvent
    Name: "MaliciousSubscription"
    Operation: Created
    Query: "SELECT * FROM  __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"
    User: GenEric-PC\Gen Eric
    UtcTime: 2017-09-19 21:10:00.401

EventID 20 | Type: WmiEvent | Available since: v6.10
    Destination: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NonI -W hidden -enc JABHAHIAbwBVAFAAUABvAGwAaQBjAHkAUwBlAFQAVA [...] AkAEsAKQApAHwASQBFAFgA"
    EventType: WmiConsumerEvent
    Name: "MaliciousSubscription"
    Operation: Created
    Type: Command Line
    User: GenEric-PC\Gen Eric
    UtcTime: 2017-09-19 21:10:00.431

EventID 21 | Type: WmiEvent | Available since: v6.10
    Consumer: "CommandLineEventConsumer.Name=\"MaliciousSubscription\""
    EventType: WmiBindingEvent
    Filter: "__EventFilter.Name=\"MaliciousSubscription\""
    Operation: Created
    User: GenEric-PC\Gen Eric
    UtcTime: 2017-09-19 21:10:11.878
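As an added example (not code from the original article), the following Python reproduces the per-EventID count and average EPS of the statistics above from parsed records, and correlates the WmiEvent entries 19, 20 and 21 of the table by subscription name, since the binding event only carries the name quoted inside its Filter and Consumer strings. The sample records are constructed; their field formats follow the table.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the key/value layout of the table above (not a real capture).
SAMPLE = """\
EventID: 19
Name: "MaliciousSubscription"
UtcTime: 2017-09-19 21:10:00.401

EventID: 20
Name: "MaliciousSubscription"
Destination: "powershell.exe -NonI -W hidden -enc <base64 omitted>"
UtcTime: 2017-09-19 21:10:00.431

EventID: 21
Consumer: "CommandLineEventConsumer.Name=\\"MaliciousSubscription\\""
Filter: "__EventFilter.Name=\\"MaliciousSubscription\\""
UtcTime: 2017-09-19 21:10:11.878
"""

def parse_events(text):
    """Split blank-line separated records into {field: value} dicts."""
    return [dict(line.split(": ", 1) for line in block.splitlines())
            for block in text.strip().split("\n\n")]

def event_stats(events):
    """Count per EventID and average EPS over the UtcTime span (cf. the statistics above)."""
    times = [datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f") for e in events]
    span = (max(times) - min(times)).total_seconds() or 1.0
    counts = Counter(int(e["EventID"]) for e in events)
    return {eid: (n, round(n / span, 2)) for eid, n in sorted(counts.items())}

# The binding event (21) only carries the subscription name quoted inside its Filter string.
NAME_RE = re.compile(r'Name=\\"([^"\\]+)\\"')
def wmi_subscriptions(events):
    """Group WmiEvents 19/20/21 by subscription name, keyed by EventID."""
    subs = {}
    for e in (e for e in events if e["EventID"] in ("19", "20", "21")):
        m = NAME_RE.search(e.get("Filter", ""))
        name = m.group(1) if m else e["Name"].strip('"')
        subs.setdefault(name, {})[int(e["EventID"])] = e
    return subs

def complete_subscriptions(events):
    """Names whose filter, consumer and binding were all created: a permanent
    WMI subscription is fully registered and its consumer should be reviewed."""
    return sorted(n for n, parts in wmi_subscriptions(events).items()
                  if {19, 20, 21}.issubset(parts))
```

Once a name is reported as complete, the Destination of its consumer (event 20) is the command that will run whenever the filter's query fires.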

References

Sysmon Microsoft Page