Sysmon is a great system monitoring tool from Microsoft that can be used for both threat hunting and incident response. It runs as a Windows service backed by a kernel-mode driver. This blog article is used to maintain a table describing the Sysmon events available across the different Sysmon versions.

Sysmon Versions and Event Distribution

The statistics below give the count of events generated over a 5h monitoring period with all Sysmon event types being logged. Event IDs not listed were simply not seen during the sampling.

Sysmon v6.x

Start: 2017-09-20T23:15:04Z
Stop: 2017-09-21T04:04:19Z
TimeLastEvent: 2017-09-21T04:04:18Z
Duration (stop - start): 5h0m0.1474609s
EventCount: 1669855
Average EPS: 92.77 eps
EventIDs:
     1: 116 (0.01 eps)
     2: 6 (0.00 eps)
     3: 186 (0.01 eps)
     5: 115 (0.01 eps)
     6: 4 (0.00 eps)
     7: 5850 (0.32 eps)
     8: 1 (0.00 eps)
     9: 45 (0.00 eps)
     10: 1605725 (89.21 eps)
     11: 271 (0.02 eps)
     12: 50561 (2.81 eps)
     13: 3297 (0.18 eps)
     17: 10 (0.00 eps)
     18: 3668 (0.20 eps)

Sysmon v7.x

Diff in Sysmon schemas between v7.0 and v6.1

diff sysmon-v6.1-schema.xml sysmon-v7.0-schema.xml
1,2c1
<
< <manifest schemaversion="3.4" binaryversion="1.01">
---
> <manifest schemaversion="4.0" binaryversion="1.01">
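Review bot: the manifest bumps schemaversion from 3.4 to 4.0 while binaryversion stays at 1.01 (the hunk also drops a leading blank line from the file); configuration files declare the schemaversion they were written against, so the change should state whether a configuration declaring 3.4 is still accepted by the 4.0 binary or has to be re-declared.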
10a10
>       <option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" />
17a18
>       <option switch="d" name="DriverName" argument="required" />
34a36,39
>       <data name="FileVersion" inType="win:UnicodeString" outType="xs:string" />
>       <data name="Description" inType="win:UnicodeString" outType="xs:string" />
>       <data name="Product" inType="win:UnicodeString" outType="xs:string" />
>       <data name="Company" inType="win:UnicodeString" outType="xs:string" />
101a107,110
>       <data name="FileVersion" inType="win:UnicodeString" outType="xs:string" />
>       <data name="Description" inType="win:UnicodeString" outType="xs:string" />
>       <data name="Product" inType="win:UnicodeString" outType="xs:string" />
>       <data name="Company" inType="win:UnicodeString" outType="xs:string" />
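Review bot: the same four fields (FileVersion, Description, Product, Company) are inserted verbatim in two places (34a36,39 and 101a107,110) with nothing in either hunk saying which event each block belongs to; a comment on each insertion, or a shared definition if the schema format allows one, would make the two blocks reviewable without opening the full file.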

Start: 2018-01-03T18:59:55Z
Stop: 2018-01-03T19:04:46Z
TimeLastEvent: 2018-01-03T19:04:45Z
Duration (stop - start): 5m0.1181641s
EventCount: 264888
Average EPS: 882.61 eps
EventIDs:
     1: 17 (0.06 eps)
     2: 3 (0.01 eps)
     3: 4 (0.01 eps)
     5: 8 (0.03 eps)
     7: 252886 (842.62 eps)
     9: 6 (0.02 eps)
     10: 7673 (25.57 eps)
     11: 139 (0.46 eps)
     12: 3863 (12.87 eps)
     13: 212 (0.71 eps)
     17: 8 (0.03 eps)
     18: 69 (0.23 eps)
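The figures above come from a counting pass over a captured window. As an added illustration, which is not the author's tool and not code from the page, the Go program below produces the same kind of summary from a slice of (EventID, UtcTime) pairs and a start/stop window. The Event and Stats types, the Compute function and the 602-event sample input are constructed for this demonstration; the sample is not a real capture.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// sysmonTime is the layout of Sysmon's UtcTime field ("2017-09-19 21:25:51.846").
const sysmonTime = "2006-01-02 15:04:05.000"

// Event is the minimal view of a record the statistics need: the event ID and
// the UtcTime string exactly as Sysmon writes it.
type Event struct {
	ID      int
	UtcTime string
}

// Stats is one monitoring window summarised in the layout of the samples above.
type Stats struct {
	Start, Stop, LastEvent time.Time
	Duration               time.Duration
	Count                  int
	EPS                    float64
	PerID                  map[int]int
}

// rate converts a count into events per second over the window length.
func (s Stats) rate(n int) float64 {
	if sec := s.Duration.Seconds(); sec > 0 {
		return float64(n) / sec
	}
	return 0
}

// EPSFor returns the events-per-second rate of one event ID.
func (s Stats) EPSFor(id int) float64 { return s.rate(s.PerID[id]) }

// Compute counts events per ID and derives rates over the window [start, stop]
// during which the sensor ran. Rates use the window length, not the span from
// first to last event, which is why TimeLastEvent and Stop can differ.
func Compute(start, stop time.Time, events []Event) (Stats, error) {
	s := Stats{Start: start, Stop: stop, Duration: stop.Sub(start), PerID: map[int]int{}}
	for _, e := range events {
		t, err := time.Parse(sysmonTime, e.UtcTime)
		if err != nil {
			return Stats{}, fmt.Errorf("event ID %d: bad UtcTime %q: %w", e.ID, e.UtcTime, err)
		}
		if t.After(s.LastEvent) {
			s.LastEvent = t
		}
		s.PerID[e.ID]++
		s.Count++
	}
	s.EPS = s.rate(s.Count)
	return s, nil
}

// Report renders the summary in the same layout as the figures above, with
// event IDs in ascending order.
func (s Stats) Report() string {
	out := fmt.Sprintf("Start: %s\nStop: %s\nTimeLastEvent: %s\nDuration (stop - start): %s\nEventCount: %d\nAverage EPS: %.2f eps\nEventIDs:\n",
		s.Start.Format(time.RFC3339), s.Stop.Format(time.RFC3339),
		s.LastEvent.Format(time.RFC3339), s.Duration, s.Count, s.EPS)
	ids := make([]int, 0, len(s.PerID))
	for id := range s.PerID {
		ids = append(ids, id)
	}
	sort.Ints(ids)
	for _, id := range ids {
		out += fmt.Sprintf("     %d: %d (%.2f eps)\n", id, s.PerID[id], s.EPSFor(id))
	}
	return out
}

// SampleStart and SampleStop bound a constructed 5 minute window (not a real capture).
var (
	SampleStart  = time.Date(2018, 1, 3, 19, 0, 0, 0, time.UTC)
	SampleStop   = SampleStart.Add(5 * time.Minute)
	SampleEvents = buildSample()
)

// buildSample fabricates one process creation, one network connection and 600
// ImageLoad (ID 7) events 500 ms apart, mimicking the ID 7 skew of the v7.x figures.
func buildSample() []Event {
	ev := []Event{
		{ID: 1, UtcTime: SampleStart.Format(sysmonTime)},
		{ID: 3, UtcTime: SampleStart.Add(time.Second).Format(sysmonTime)},
	}
	for i := 0; i < 600; i++ {
		t := SampleStart.Add(time.Duration(i) * 500 * time.Millisecond)
		ev = append(ev, Event{ID: 7, UtcTime: t.Format(sysmonTime)})
	}
	return ev
}

func main() {
	s, err := Compute(SampleStart, SampleStop, SampleEvents)
	if err != nil {
		panic(err)
	}
	fmt.Print(s.Report())
}
```

Feeding it real records only requires filling Event from the EventID and UtcTime of each parsed Sysmon entry; the per-ID rate is what tells you which event types a configuration needs to trim before they saturate a collector.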

NB: We notice a big increase in ImageLoad events in the latest versions of Sysmon. This is due to the newly introduced feature (file information available in event IDs 1 and 7): the Sysmon process itself needs to load every image loaded, or the image of every process created, in order to extract the file information. To prevent this huge amount of events from impacting your workstation/infrastructure, they need to be filtered out in your Sysmon configuration file.

<!-- Has to be adapted to reflect the path where Sysmon is installed -->
<ImageLoad onmatch="exclude">
    <!-- [...] -->
    <Image condition="is">C:\Windows\Sysmon.exe</Image>
    <!-- [...] -->
</ImageLoad>
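To verify that a configuration actually carries this exclusion before deploying it, here is an added Go example (not the page's or Sysmon's own code) that parses the relevant part of a Sysmon configuration with encoding/xml and reports whether an ImageLoad exclude rule matches the Sysmon binary path. It models only Sysmon/EventFiltering/ImageLoad/Image and the conditions "is" (the default when the attribute is absent), "end with" and "contains"; RuleGroup wrappers from later schemas are not handled, which is a stated limitation. The two configurations and the install path C:\Windows\Sysmon.exe are constructed sample inputs.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// sysmonConfig models only what the check needs: the ImageLoad rule groups
// under EventFiltering. Other event types are ignored by encoding/xml.
type sysmonConfig struct {
	XMLName       xml.Name    `xml:"Sysmon"`
	SchemaVersion string      `xml:"schemaversion,attr"`
	ImageLoads    []ruleGroup `xml:"EventFiltering>ImageLoad"`
}

// ruleGroup is one <ImageLoad onmatch="..."> block and its <Image> rules.
type ruleGroup struct {
	OnMatch string `xml:"onmatch,attr"`
	Images  []rule `xml:"Image"`
}

// rule is one <Image condition="...">value</Image> filter.
type rule struct {
	Condition string `xml:"condition,attr"`
	Value     string `xml:",chardata"`
}

// SysmonExcludedFromImageLoad reports whether cfg contains an ImageLoad exclude
// rule matching sysmonPath. Comparison is case-insensitive, as Windows paths are.
// An empty condition means "is", Sysmon's default; conditions other than the
// three handled here never match (conservative: the check fails rather than passes).
func SysmonExcludedFromImageLoad(cfg []byte, sysmonPath string) (bool, error) {
	var c sysmonConfig
	if err := xml.Unmarshal(cfg, &c); err != nil {
		return false, fmt.Errorf("config: %w", err)
	}
	path := strings.ToLower(sysmonPath)
	for _, g := range c.ImageLoads {
		if !strings.EqualFold(g.OnMatch, "exclude") {
			continue
		}
		for _, r := range g.Images {
			v := strings.ToLower(strings.TrimSpace(r.Value))
			switch strings.ToLower(strings.TrimSpace(r.Condition)) {
			case "is", "":
				if v == path {
					return true, nil
				}
			case "end with":
				if strings.HasSuffix(path, v) {
					return true, nil
				}
			case "contains":
				if strings.Contains(path, v) {
					return true, nil
				}
			}
		}
	}
	return false, nil
}

// ConfigWithoutExclusion is a constructed config whose empty exclude block logs
// every ImageLoad, including the ones generated by Sysmon itself.
const ConfigWithoutExclusion = `<Sysmon schemaversion="4.0">
  <EventFiltering>
    <ImageLoad onmatch="exclude"/>
  </EventFiltering>
</Sysmon>`

// ConfigWithExclusion is the same constructed config carrying the fix from the note.
const ConfigWithExclusion = `<Sysmon schemaversion="4.0">
  <EventFiltering>
    <ImageLoad onmatch="exclude">
      <Image condition="is">C:\Windows\Sysmon.exe</Image>
    </ImageLoad>
  </EventFiltering>
</Sysmon>`

func main() {
	for name, cfg := range map[string]string{"without": ConfigWithoutExclusion, "with": ConfigWithExclusion} {
		ok, err := SysmonExcludedFromImageLoad([]byte(cfg), `C:\Windows\Sysmon.exe`)
		fmt.Printf("%-8s excluded=%v err=%v\n", name, ok, err)
	}
}
```

The path argument is deliberately explicit: the rule only helps if it names the path Sysmon was actually installed under on that host, which is the point of the comment in the snippet above.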

Events Table

EventID  Type                  Available Since  Revised In
1        CreateProcess         -                v7.0 (added File Information fields)
2        FileCreateTime        -                -
3        NetworkConnect        -                -
4        -                     -                -
5        ProcessTerminate      -                -
6        DriverLoad            -                -
7        ImageLoad             -                v7.0 (added File Information fields)
8        CreateRemoteThread    -                -
9        RawAccessRead         -                -
10       ProcessAccess         -                -
11       FileCreate            -                -
12       RegistryEvent         -                -
13       RegistryEvent         -                -
14       RegistryEvent         -                -
15       FileCreateStreamHash  -                -
16       -                     -                -
17       PipeEvent             v6.0             -
18       PipeEvent             v6.0             -
19       WmiEvent              v6.10            -
20       WmiEvent              v6.10            -
21       WmiEvent              v6.10            -

Examples (one sample event per EventID)

EventID 1 (CreateProcess)
     CommandLine: C:\Windows\system32\browser_broker.exe -Embedding
     Company: Microsoft Corporation
     CurrentDirectory: C:\Windows\system32\
     Description: Browser_Broker
     FileVersion: 11.00.14393.1613 (rs1_release_d.170807-1806)
     Hashes: SHA1=6DE17BCCF7CE2BDD7BB522F93DF59902B9B4289E, MD5=7435CF2078F70C16D98F2F41F9AF89F7, SHA256=76311583EE819736D7D993C6436E9D704024EC224850A83635925A21A2D8843D, IMPHASH=C10FCE37778B30FFD19A78206994C100
     Image: C:\Windows\System32\browser_broker.exe
     ImageSize: 26976
     IntegrityLevel: Medium
     LogonGuid: {B2796A13-6212-5B29-0000-002049322B00}
     LogonId: 0x2b3249
     ParentCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch
     ParentImage: C:\Windows\System32\svchost.exe
     ParentProcessGuid: {B2796A13-E025-5B29-0000-0010CAAF0000}
     ParentProcessId: 672
     ProcessGuid: {B2796A13-FF6B-5B29-0000-0010E50F1202}
     ProcessId: 5316
     Product: Microsoft® Windows® Operating System
     TerminalSessionId: 1
     User: DESKTOP-5SUA567\Gen Eric
     UtcTime: 2018-06-16 07:16:59.799

EventID 2 (FileCreateTime)
     CreationUtcTime: 2017-09-18 07:50:46.104
     Image: C:\Program Files\Mozilla Firefox\firefox.exe
     PreviousCreationUtcTime: 2017-09-19 21:16:37.524
     ProcessGuid: 49F1AF32-8663-59C1-0000-001062293400
     ProcessId: 1396
     TargetFilename: C:\Users\Gen Eric\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BE2KF8TBMP786WCR1WSN.temp
     UtcTime: 2017-09-19 21:16:37.540

EventID 3 (NetworkConnect)
     DestinationHostname:
     DestinationIp: 192.168.56.1
     DestinationIsIpv6: false
     DestinationPort: 8080
     DestinationPortName:
     Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
     Initiated: true
     ProcessGuid: 49F1AF32-8A4D-59C1-0000-001042F00A00
     ProcessId: 3888
     Protocol: tcp
     SourceHostname: GenEric-PC
     SourceIp: 192.168.56.101
     SourceIsIpv6: false
     SourcePort: 49252
     SourcePortName:
     User: NT AUTHORITY\SYSTEM
     UtcTime: 2017-09-19 21:25:51.846

EventID 4
     SchemaVersion: 3.40
     State: Started
     UtcTime: 2017-09-19 21:17:08.820
     Version: 6.10

EventID 5 (ProcessTerminate)
     Image: C:\Windows\SysWOW64\runonce.exe
     ProcessGuid: 49F1AF32-8956-59C1-0000-001099830200
     ProcessId: 2100
     UtcTime: 2017-09-19 21:17:12.434

EventID 6 (DriverLoad)
     Hashes: SHA1=706C6BB3AD9E24F148EE110984814897383BDC32, MD5=9B38580063D281A99E68EF5813022A5F, SHA256=D91676B0E0A8E2A090E3E5DD340ABCFC20AE0F55B4C82869D6CFB34239BD27DA, IMPHASH=6126B7C1BE78663C7C2231BA8607D577
     ImageLoaded: C:\Windows\System32\drivers\dfsc.sys
     Signature: Microsoft Windows
     SignatureStatus: Valid
     Signed: true
     UtcTime: 2017-09-19 21:17:01.171

EventID 7 (ImageLoad)
     Company: Microsoft Corporation
     Description: Crypto Network Related API
     FileVersion: 10.0.14393.2035 (rs1_release_inmarket.180110-1910)
     Hashes: SHA1=B97250F58E978639B7976DA7CF2856BC5F1887DE, MD5=C826D7EA2E1A6884120676A0A3CBC714, SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0, IMPHASH=1277B5BCF0437BEA5158FFB1086840B6
     Image: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
     ImageLoaded: C:\Windows\System32\cryptnet.dll
     ImageLoadedSize: 170496
     ProcessGuid: {B2796A13-FF71-5B29-0000-0010D4DA1202}
     ProcessId: 4088
     Product: Microsoft® Windows® Operating System
     Signature: Microsoft Windows
     SignatureStatus: Valid
     Signed: true
     UtcTime: 2018-06-16 07:17:07.880

EventID 8 (CreateRemoteThread)
     NewThreadId: 3384
     SourceImage: C:\Windows\System32\wbem\WmiPrvSE.exe
     SourceProcessGuid: 49F1AF32-8955-59C1-0000-00105DF90100
     SourceProcessId: 1956
     StartAddress: 0x0000000077533860
     StartFunction:
     StartModule: C:\Windows\SYSTEM32\ntdll.dll
     TargetImage: C:\Windows\System32\wbem\WmiApSrv.exe
     TargetProcessGuid: 49F1AF32-89D7-59C1-0000-00106D100A00
     TargetProcessId: 3196
     UtcTime: 2017-09-19 21:19:20.228

EventID 9 (RawAccessRead)
     Device: \Device\HarddiskVolume2
     Image: C:\Windows\System32\smss.exe
     ProcessGuid: 49F1AF32-894D-59C1-0000-0010002E0000
     ProcessId: 264
     UtcTime: 2017-09-19 21:17:01.359

EventID 10 (ProcessAccess)
     CallTrace: C:\Windows\SYSTEM32\ntdll.dll+4bf9a|C:\Windows\system32\KERNELBASE.dll+189b7|C:\Windows\System32\VBoxService.exe+1009d|C:\Windows\System32\VBoxService.exe+11374|C:\Windows\System32\VBoxService.exe+1161e|C:\Windows\System32\VBoxService.exe+e7fb|C:\Windows\System32\VBoxService.exe+f27b|C:\Windows\System32\VBoxService.exe+181e|C:\Windows\System32\VBoxService.exe+2d4af|C:\Windows\System32\VBoxService.exe+30bd2|C:\Windows\System32\VBoxService.exe+6c24b|C:\Windows\System32\VBoxService.exe+6c2df|C:\Windows\system32\kernel32.dll+159cd|C:\Windows\SYSTEM32\ntdll.dll+2a561
     GrantedAccess: 0x1400
     SourceImage: C:\Windows\System32\VBoxService.exe
     SourceProcessGUID: 49F1AF32-4E56-59BD-0000-00108BCA0000
     SourceProcessId: 664
     SourceThreadId: 696
     TargetImage: C:\Windows\system32\csrss.exe
     TargetProcessGUID: 49F1AF32-4E55-59BD-0000-0010FB560000
     TargetProcessId: 340
     UtcTime: 2017-09-19 21:14:34.790

EventID 11 (FileCreate)
     CreationUtcTime: 2017-09-07 21:43:40.859
     Image: C:\Windows\System32\smss.exe
     ProcessGuid: 49F1AF32-894D-59C1-0000-0010002E0000
     ProcessId: 264
     TargetFilename: C:\pagefile.sys
     UtcTime: 2017-09-19 21:17:02.343

EventID 12 (RegistryEvent)
     EventType: CreateKey
     Image: C:\Windows\Sysmon.exe
     ProcessGuid: 49F1AF32-4E59-59BD-0000-001021720100
     ProcessId: 1332
     TargetObject: HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
     UtcTime: 2017-09-19 21:14:42.915

EventID 13 (RegistryEvent)
     Details: DWORD (0xffffffff)
     EventType: SetValue
     Image: C:\Windows\system32\CompatTelRunner.exe
     ProcessGuid: 49F1AF32-884D-59C1-0000-001093F04800
     ProcessId: 616
     TargetObject: \REGISTRY\A\{5F82DC26-E525-476B-D7F4-86FAF0C848CE}\Root\DeviceCensus\WU\AppStoreAutoUpdatePolicy
     UtcTime: 2017-09-19 21:12:46.212

EventID 14 (RegistryEvent)
     EventType: RenameKey
     Image: C:\Windows\regedit.exe
     NewName: \REGISTRY\MACHINE\SOFTWARE\Macromedia\RegistryRenamed
     ProcessGuid: 49F1AF32-22C3-59C2-0000-001085501200
     ProcessId: 3800
     TargetObject: HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX
     UtcTime: 2017-09-20 08:14:21.370

EventID 15 (FileCreateStreamHash)
     CreationUtcTime: 2017-09-20 08:06:11.801
     Hash: SHA1=17DC34358A2BF7E7D6E78268B3CA7493915BB325, MD5=9D9D384EF6546192D60EFDBB8397CD2D, SHA256=3455A37D9006F5325AC6208E874AE8149FECD8631D981EE78B3AD5B06AD648AB, IMPHASH=00000000000000000000000000000000
     Image: C:\Windows\system32\cmd.exe
     ProcessGuid: 49F1AF32-21E3-59C2-0000-00106B811000
     ProcessId: 4000
     TargetFilename: C:\Users\GENERI~1\AppData\Local\Temp\test.txt:malicious.txt
     UtcTime: 2017-09-20 08:10:29.925

EventID 16
     Not Seen

EventID 17 (PipeEvent)
     Image: C:\Windows\system32\svchost.exe
     PipeName: \PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
     ProcessGuid: 49F1AF32-8952-59C1-0000-0010CAE70000
     ProcessId: 920
     UtcTime: 2017-09-19 21:17:20.970

EventID 18 (PipeEvent)
     Image: C:\Windows\Explorer.EXE
     PipeName: \lsass
     ProcessGuid: 49F1AF32-8955-59C1-0000-00106FEA0100
     ProcessId: 1932
     UtcTime: 2017-09-19 21:24:27.017

EventID 19 (WmiEvent)
     EventNamespace: "root\\CimV2"
     EventType: WmiFilterEvent
     Name: "MaliciousSubscription"
     Operation: Created
     Query: "SELECT * FROM  __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"
     User: GenEric-PC\Gen Eric
     UtcTime: 2017-09-19 21:10:00.401

EventID 20 (WmiEvent)
     Destination: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NonI -W hidden -enc JABHAHIAbwBVAFAAUABvAGwAaQBjAHkAUwBlAFQAVA [...] AkAEsAKQApAHwASQBFAFgA"
     EventType: WmiConsumerEvent
     Name: "MaliciousSubscription"
     Operation: Created
     Type: Command Line
     User: GenEric-PC\Gen Eric
     UtcTime: 2017-09-19 21:10:00.431

EventID 21 (WmiEvent)
     Consumer: "CommandLineEventConsumer.Name=\"MaliciousSubscription\""
     EventType: WmiBindingEvent
     Filter: "__EventFilter.Name=\"MaliciousSubscription\""
     Operation: Created
     User: GenEric-PC\Gen Eric
     UtcTime: 2017-09-19 21:10:11.878
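The table lists each event as "Key: Value" lines, and two of those values, Hashes and CallTrace, are themselves structured. The Go example below is added here and is not the page author's code: it parses such a body into a map and then breaks down those two fields, so the pieces can be matched individually (a single hash algorithm, or the module behind each frame of a ProcessAccess call stack). ParseRecord, ParseHashes, ParseCallTrace and HasUnbackedFrame are names chosen for this example; SampleEvent10 and SampleHashes are copied from the table above, while SampleUnbackedTrace is a constructed trace illustrating the UNKNOWN(...) frames Sysmon emits for code that is not backed by a loaded module.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ParseRecord splits "Key: Value" lines into a map. Only the first colon
// separates key from value, so timestamps and Windows paths keep their own
// colons; empty values (DestinationHostname:) are kept as empty strings.
func ParseRecord(body string) map[string]string {
	fields := map[string]string{}
	for _, line := range strings.Split(body, "\n") {
		i := strings.Index(line, ":")
		if i < 0 {
			continue
		}
		fields[strings.TrimSpace(line[:i])] = strings.TrimSpace(line[i+1:])
	}
	return fields
}

// ParseHashes splits Sysmon's "ALGO=HEX, ALGO=HEX" value into a map keyed by
// algorithm name (SHA1, MD5, SHA256, IMPHASH).
func ParseHashes(v string) map[string]string {
	out := map[string]string{}
	for _, part := range strings.Split(v, ",") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 {
			out[kv[0]] = kv[1]
		}
	}
	return out
}

// Frame is one entry of a ProcessAccess CallTrace: a module path and the hex
// offset of the return address inside that module.
type Frame struct {
	Module string
	Offset uint64
}

// ParseCallTrace splits the "|"-separated CallTrace. Entries without a "+offset"
// (Sysmon writes UNKNOWN(<address>) for memory not backed by a module) are kept
// with Offset 0 so that they remain visible to the caller.
func ParseCallTrace(trace string) ([]Frame, error) {
	var frames []Frame
	for _, part := range strings.Split(trace, "|") {
		i := strings.LastIndex(part, "+")
		if i < 0 {
			frames = append(frames, Frame{Module: part})
			continue
		}
		off, err := strconv.ParseUint(part[i+1:], 16, 64)
		if err != nil {
			return nil, fmt.Errorf("frame %q: %w", part, err)
		}
		frames = append(frames, Frame{Module: part[:i], Offset: off})
	}
	return frames, nil
}

// HasUnbackedFrame reports whether any frame lies outside a loaded module,
// a common hunting signal on ProcessAccess events because legitimate callers
// of OpenProcess are normally backed by a DLL or executable on disk.
func HasUnbackedFrame(frames []Frame) bool {
	for _, f := range frames {
		if strings.HasPrefix(f.Module, "UNKNOWN") {
			return true
		}
	}
	return false
}

// SampleEvent10 is the ProcessAccess example from the table above.
const SampleEvent10 = `CallTrace: C:\Windows\SYSTEM32\ntdll.dll+4bf9a|C:\Windows\system32\KERNELBASE.dll+189b7|C:\Windows\System32\VBoxService.exe+1009d|C:\Windows\System32\VBoxService.exe+11374|C:\Windows\System32\VBoxService.exe+1161e|C:\Windows\System32\VBoxService.exe+e7fb|C:\Windows\System32\VBoxService.exe+f27b|C:\Windows\System32\VBoxService.exe+181e|C:\Windows\System32\VBoxService.exe+2d4af|C:\Windows\System32\VBoxService.exe+30bd2|C:\Windows\System32\VBoxService.exe+6c24b|C:\Windows\System32\VBoxService.exe+6c2df|C:\Windows\system32\kernel32.dll+159cd|C:\Windows\SYSTEM32\ntdll.dll+2a561
GrantedAccess: 0x1400
SourceImage: C:\Windows\System32\VBoxService.exe
SourceProcessGUID: 49F1AF32-4E56-59BD-0000-00108BCA0000
SourceProcessId: 664
SourceThreadId: 696
TargetImage: C:\Windows\system32\csrss.exe
TargetProcessGUID: 49F1AF32-4E55-59BD-0000-0010FB560000
TargetProcessId: 340
UtcTime: 2017-09-19 21:14:34.790`

// SampleHashes is the Hashes value of the CreateProcess example above.
const SampleHashes = "SHA1=6DE17BCCF7CE2BDD7BB522F93DF59902B9B4289E, MD5=7435CF2078F70C16D98F2F41F9AF89F7, SHA256=76311583EE819736D7D993C6436E9D704024EC224850A83635925A21A2D8843D, IMPHASH=C10FCE37778B30FFD19A78206994C100"

// SampleUnbackedTrace is a constructed trace (not captured) with one unbacked frame.
const SampleUnbackedTrace = `C:\Windows\SYSTEM32\ntdll.dll+4bf9a|UNKNOWN(000001D2A8F00000)|C:\Windows\system32\kernel32.dll+159cd`

func main() {
	f := ParseRecord(SampleEvent10)
	frames, err := ParseCallTrace(f["CallTrace"])
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s -> %s access=%s frames=%d unbacked=%v\n",
		f["SourceImage"], f["TargetImage"], f["GrantedAccess"], len(frames), HasUnbackedFrame(frames))
	fmt.Println("MD5 of the CreateProcess sample:", ParseHashes(SampleHashes)["MD5"])
}
```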

References

Sysmon Microsoft Page