Sysmon Versions and Events Repartition

Statistics showing the number of events generated over a monitoring period of 5h with every Sysmon event type being logged. Event IDs that are not listed were simply not seen during the sampling.

Sysmon v6.x

Start: 2017-09-20T23:15:04Z
Stop: 2017-09-21T04:04:19Z
TimeLastEvent: 2017-09-21T04:04:18Z
Duration (stop - start): 5h0m0.1474609s
EventCount: 1669855
Average EPS: 92.77 eps
EventIDs:
     1: 116 (0.01 eps)
     2: 6 (0.00 eps)
     3: 186 (0.01 eps)
     5: 115 (0.01 eps)
     6: 4 (0.00 eps)
     7: 5850 (0.32 eps)
     8: 1 (0.00 eps)
     9: 45 (0.00 eps)
     10: 1605725 (89.21 eps)
     11: 271 (0.02 eps)
     12: 50561 (2.81 eps)
     13: 3297 (0.18 eps)
     17: 10 (0.00 eps)
     18: 3668 (0.20 eps)
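As an added example (not the tool that produced the numbers above), the following script computes the same kind of summary: the monitoring window, total event count, average events per second and per-EventID counts and rates. It assumes the events are available as (EventID, UtcTime) pairs, for instance exported from the Sysmon event log; the sample events and timestamps are constructed and the function names are this example's own.

```python
"""Compute Sysmon event statistics in the layout used on this page.

Added example: it assumes events are supplied as (EventID, UtcTime) pairs,
where UtcTime is Sysmon's "YYYY-MM-DD HH:MM:SS.mmm" string.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample input (invented values, not a real capture).
SAMPLE_EVENTS = [
    (1, "2019-06-12 20:17:44.014"),
    (7, "2019-06-12 20:17:44.440"),
    (7, "2019-06-12 20:17:45.100"),
    (10, "2019-06-12 20:17:46.000"),
    (12, "2019-06-12 20:17:46.500"),
    (7, "2019-06-12 20:17:47.000"),
]


def parse_utc(ts):
    """Parse a Sysmon UtcTime string into a timezone-aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)


def compute_stats(events, start=None, stop=None):
    """Count events and compute average events per second (EPS).

    start/stop bound the monitoring window (the "Start"/"Stop" lines on the
    page); when omitted they default to the first and last event timestamps.
    "EventIDs" maps each event ID to (count, eps), sorted by ID.
    """
    times = [parse_utc(ts) for _, ts in events]
    if not times:
        raise ValueError("no events to analyse")
    start = start or min(times)
    stop = stop or max(times)
    duration = (stop - start).total_seconds()
    if duration <= 0:
        raise ValueError("monitoring window must be longer than zero seconds")
    counts = Counter(event_id for event_id, _ in events)
    return {
        "Start": start,
        "Stop": stop,
        "TimeLastEvent": max(times),
        "Duration": duration,  # seconds
        "EventCount": len(events),
        "AverageEPS": len(events) / duration,
        "EventIDs": {eid: (n, n / duration) for eid, n in sorted(counts.items())},
    }


def format_stats(stats):
    """Render the statistics as text; the duration is printed in seconds."""
    def iso(dt):
        return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = [
        f"Start: {iso(stats['Start'])}",
        f"Stop: {iso(stats['Stop'])}",
        f"TimeLastEvent: {iso(stats['TimeLastEvent'])}",
        f"Duration (stop - start): {stats['Duration']:.3f}s",
        f"EventCount: {stats['EventCount']}",
        f"Average EPS: {stats['AverageEPS']:.2f} eps",
        "EventIDs:",
    ]
    lines += [f"     {eid}: {n} ({eps:.2f} eps)" for eid, (n, eps) in stats["EventIDs"].items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_stats(compute_stats(SAMPLE_EVENTS)))
```

Passing an explicit start and stop reproduces the page's convention of measuring EPS over the whole monitoring window rather than between the first and last observed event, which matters when a rare event type is the last one seen.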

Sysmon v7.x

Diff in Sysmon schemas between v7.0 and v6.1

diff sysmon-v6.1-schema.xml sysmon-v7.0-schema.xml
1,2c1
<
< <manifest schemaversion="3.4" binaryversion="1.01">
---
> <manifest schemaversion="4.0" binaryversion="1.01">
10a10
>       <option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" />
17a18
>       <option switch="d" name="DriverName" argument="required" />
34a36,39
>       <data name="FileVersion" inType="win:UnicodeString" outType="xs:string" />
>       <data name="Description" inType="win:UnicodeString" outType="xs:string" />
>       <data name="Product" inType="win:UnicodeString" outType="xs:string" />
>       <data name="Company" inType="win:UnicodeString" outType="xs:string" />
101a107,110
>       <data name="FileVersion" inType="win:UnicodeString" outType="xs:string" />
>       <data name="Description" inType="win:UnicodeString" outType="xs:string" />
>       <data name="Product" inType="win:UnicodeString" outType="xs:string" />
>       <data name="Company" inType="win:UnicodeString" outType="xs:string" />

Start: 2018-01-03T18:59:55Z
Stop: 2018-01-03T19:04:46Z
TimeLastEvent: 2018-01-03T19:04:45Z
Duration (stop - start): 5m0.1181641s
EventCount: 264888
Average EPS: 882.61 eps
EventIDs:
     1: 17 (0.06 eps)
     2: 3 (0.01 eps)
     3: 4 (0.01 eps)
     5: 8 (0.03 eps)
     7: 252886 (842.62 eps)
     9: 6 (0.02 eps)
     10: 7673 (25.57 eps)
     11: 139 (0.46 eps)
     12: 3863 (12.87 eps)
     13: 212 (0.71 eps)
     17: 8 (0.03 eps)
     18: 69 (0.23 eps)

NB: We notice a large increase in ImageLoad events in the latest versions of Sysmon. This is caused by the newly introduced feature (file information available in event IDs 1 and 7): to extract that file information, the Sysmon process itself has to load every image that is loaded and every image of a process that is created. To prevent this large volume of events from impacting your workstation/infrastructure, those events need to be filtered out in your Sysmon configuration file.

<!-- Has to be adapted to reflect the path where Sysmon is installed -->
<Sysmon schemaversion="4.0">
  <EventFiltering>
    <ImageLoad onmatch="exclude">
      <!-- [...] -->
      <Image condition="is">C:\Windows\Sysmon.exe</Image>
      <!-- [...] -->
    </ImageLoad>
  </EventFiltering>
</Sysmon>
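To verify that a deployed configuration actually carries this exclusion, here is an added check (not part of the original page, nor of Sysmon itself): it parses a Sysmon configuration with Python's standard XML library and evaluates the ImageLoad rules against the path of the Sysmon binary. Both configurations below are constructed, the sysmon_image parameter is an assumption that must be set to the real install path (as the comment in the configuration above says), and only the "is" and "image" rule conditions are evaluated.

```python
"""Check whether a Sysmon configuration stops Sysmon from logging the image
loads performed by its own process (event ID 7).

Added example; the configurations below are constructed, not real deployments.
"""
import ntpath
import xml.etree.ElementTree as ET

# Constructed: an exclude list that forgets the Sysmon binary.
CONFIG_LOGGING_SYSMON_LOADS = r"""<Sysmon schemaversion="4.0">
  <EventFiltering>
    <ImageLoad onmatch="exclude">
      <Image condition="is">C:\Windows\System32\svchost.exe</Image>
    </ImageLoad>
  </EventFiltering>
</Sysmon>"""

# Constructed: the same list with the exclusion described on the page.
CONFIG_FILTERING_SYSMON_LOADS = r"""<Sysmon schemaversion="4.0">
  <EventFiltering>
    <ImageLoad onmatch="exclude">
      <Image condition="is">C:\Windows\System32\svchost.exe</Image>
      <Image condition="is">C:\Windows\Sysmon.exe</Image>
    </ImageLoad>
  </EventFiltering>
</Sysmon>"""


def _image_matches(rule, sysmon_image):
    """Evaluate one <Image> rule against the Sysmon binary path.

    Only the "is" (full path) and "image" (full path or file name only)
    conditions are handled here; Sysmon compares case-insensitively, so we do too.
    A missing condition attribute defaults to "is".
    """
    cond = (rule.get("condition") or "is").lower()
    value = (rule.text or "").strip().lower()
    target = sysmon_image.lower()
    if cond == "is":
        return value == target
    if cond == "image":
        return value == target or value == ntpath.basename(target)
    return False


def imageload_filters_sysmon(config_xml, sysmon_image=r"C:\Windows\Sysmon.exe"):
    """Return (ok, reason); ok is True when Sysmon's own image loads are filtered.

    Rules nested in <RuleGroup> elements are found as well because we iterate
    over every <ImageLoad> element in the document.
    """
    root = ET.fromstring(config_xml)
    rules = list(root.iter("ImageLoad"))
    if not rules:
        return False, "no ImageLoad rules: nothing filters Sysmon's own image loads"
    for rule in rules:
        onmatch = (rule.get("onmatch") or "").lower()
        hits = [img for img in rule.findall("Image") if _image_matches(img, sysmon_image)]
        if onmatch == "exclude" and hits:
            return True, "excluded by an ImageLoad exclude rule"
        if onmatch == "include" and hits:
            return False, "an ImageLoad include rule explicitly selects the Sysmon image"
    if all((r.get("onmatch") or "").lower() == "include" for r in rules):
        # Include mode logs only what is listed, so an unlisted Sysmon image is silent.
        return True, "only include rules exist and none selects the Sysmon image"
    return False, "an ImageLoad exclude rule exists but does not list the Sysmon image"


if __name__ == "__main__":
    for name, cfg in (("without exclusion", CONFIG_LOGGING_SYSMON_LOADS),
                      ("with exclusion", CONFIG_FILTERING_SYSMON_LOADS)):
        ok, reason = imageload_filters_sysmon(cfg)
        print(f"{name}: {'OK' if ok else 'NOT OK'} ({reason})")
```

Run it against your real configuration file (`ET.parse(path).getroot()` instead of `ET.fromstring`) with sysmon_image set to the path the service actually runs from; the check fails by design when the binary was installed under another name or directory than the one listed in the exclude rule.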

Events Table

Each entry gives the event ID, its type, the Sysmon version in which it became available, the versions in which it was revised ("-" where not applicable) and an example event.

EventID 1 | Type: CreateProcess | Available since: - | Revised in: v7.0, v10
Example:
    CommandLine: C:\\Windows\\system32\\svchost.exe -k appmodel -p -s camsvc
    Company: Microsoft Corporation
    CurrentDirectory: C:\\Windows\\system32\\
    Description: Host Process for Windows Services
    FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
    Hashes: SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69
    Image: C:\\Windows\\System32\\svchost.exe
    IntegrityLevel: System
    LogonGuid: {515cd0d1-df83-5d00-0000-0020e7030000}
    LogonId: 0x3e7
    OriginalFileName: svchost.exe
    ParentCommandLine: C:\\Windows\\system32\\services.exe
    ParentImage: C:\\Windows\\System32\\services.exe
    ParentProcessGuid: {515cd0d1-df83-5d00-0000-0010d6620000}
    ParentProcessId: 608
    ProcessGuid: {515cd0d1-33b8-5d01-0000-001024046a00}
    ProcessId: 10244
    Product: Microsoft® Windows® Operating System
    RuleName:
    TerminalSessionId: 0
    User: NT AUTHORITY\\SYSTEM
    UtcTime: 2019-06-12 20:17:44.014

EventID 2 | Type: FileCreateTime | Available since: - | Revised in: -
Example:
    CreationUtcTime: 2017-09-18 07:50:46.104
    Image: C:\\Program Files\\Mozilla Firefox\\firefox.exe
    PreviousCreationUtcTime: 2017-09-19 21:16:37.524
    ProcessGuid: 49F1AF32-8663-59C1-0000-001062293400
    ProcessId: 1396
    TargetFilename: C:\\Users\\Gen Eric\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\BE2KF8TBMP786WCR1WSN.temp
    UtcTime: 2017-09-19 21:16:37.540

EventID 3 | Type: NetworkConnect | Available since: - | Revised in: -
Example:
    DestinationHostname:
    DestinationIp: 192.168.56.1
    DestinationIsIpv6: false
    DestinationPort: 8080
    DestinationPortName:
    Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
    Initiated: true
    ProcessGuid: 49F1AF32-8A4D-59C1-0000-001042F00A00
    ProcessId: 3888
    Protocol: tcp
    SourceHostname: GenEric-PC
    SourceIp: 192.168.56.101
    SourceIsIpv6: false
    SourcePort: 49252
    SourcePortName:
    User: NT AUTHORITY\\SYSTEM
    UtcTime: 2017-09-19 21:25:51.846

EventID 4 | Type: - | Available since: - | Revised in: -
Example:
    SchemaVersion: 3.40
    State: Started
    UtcTime: 2017-09-19 21:17:08.820
    Version: 6.10

EventID 5 | Type: ProcessTerminate | Available since: - | Revised in: -
Example:
    Image: C:\\Windows\\SysWOW64\\runonce.exe
    ProcessGuid: 49F1AF32-8956-59C1-0000-001099830200
    ProcessId: 2100
    UtcTime: 2017-09-19 21:17:12.434

EventID 6 | Type: DriverLoad | Available since: - | Revised in: -
Example:
    Hashes: SHA1=706C6BB3AD9E24F148EE110984814897383BDC32, MD5=9B38580063D281A99E68EF5813022A5F, SHA256=D91676B0E0A8E2A090E3E5DD340ABCFC20AE0F55B4C82869D6CFB34239BD27DA, IMPHASH=6126B7C1BE78663C7C2231BA8607D577
    ImageLoaded: C:\\Windows\\System32\\drivers\\dfsc.sys
    Signature: Microsoft Windows
    SignatureStatus: Valid
    Signed: true
    UtcTime: 2017-09-19 21:17:01.171

EventID 7 | Type: ImageLoad | Available since: - | Revised in: v7.0, v10
Example:
    Company: Microsoft Corporation
    Description: Win32u
    FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
    Hashes: SHA1=F6826F19BB585A1F52F6D2D2B063BFA175AA5B19,MD5=6D9F4B6D13442736A901BF455355AA8A,SHA256=E2F6F0021EFBBFDA3597DCD4F778BC1954138A6289BA9C0EBED360F37E5FAC9B,IMPHASH=00000000000000000000000000000000
    Image: C:\\Windows\\System32\\svchost.exe
    ImageLoaded: C:\\Windows\\System32\\win32u.dll
    OriginalFileName: ?
    ProcessGuid: {515cd0d1-33b8-5d01-0000-001024046a00}
    ProcessId: 10244
    Product: Microsoft® Windows® Operating System
    RuleName:
    Signature: Microsoft Windows
    SignatureStatus: Valid
    Signed: true
    UtcTime: 2019-06-12 17:17:44.440

EventID 8 | Type: CreateRemoteThread | Available since: - | Revised in: -
Example:
    NewThreadId: 3384
    SourceImage: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe
    SourceProcessGuid: 49F1AF32-8955-59C1-0000-00105DF90100
    SourceProcessId: 1956
    StartAddress: 0x0000000077533860
    StartFunction:
    StartModule: C:\\Windows\\SYSTEM32\\ntdll.dll
    TargetImage: C:\\Windows\\System32\\wbem\\WmiApSrv.exe
    TargetProcessGuid: 49F1AF32-89D7-59C1-0000-00106D100A00
    TargetProcessId: 3196
    UtcTime: 2017-09-19 21:19:20.228

EventID 9 | Type: RawAccessRead | Available since: - | Revised in: -
Example:
    Device: \\Device\\HarddiskVolume2
    Image: C:\\Windows\\System32\\smss.exe
    ProcessGuid: 49F1AF32-894D-59C1-0000-0010002E0000
    ProcessId: 264
    UtcTime: 2017-09-19 21:17:01.359

EventID 10 | Type: ProcessAccess | Available since: - | Revised in: -
Example:
    CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+4bf9a|C:\\Windows\\system32\\KERNELBASE.dll+189b7|C:\\Windows\\System32\\VBoxService.exe+1009d|C:\\Windows\\System32\\VBoxService.exe+11374|C:\\Windows\\System32\\VBoxService.exe+1161e|C:\\Windows\\System32\\VBoxService.exe+e7fb|C:\\Windows\\System32\\VBoxService.exe+f27b|C:\\Windows\\System32\\VBoxService.exe+181e|C:\\Windows\\System32\\VBoxService.exe+2d4af|C:\\Windows\\System32\\VBoxService.exe+30bd2|C:\\Windows\\System32\\VBoxService.exe+6c24b|C:\\Windows\\System32\\VBoxService.exe+6c2df|C:\\Windows\\system32\\kernel32.dll+159cd|C:\\Windows\\SYSTEM32\\ntdll.dll+2a561
    GrantedAccess: 0x1400
    SourceImage: C:\\Windows\\System32\\VBoxService.exe
    SourceProcessGUID: 49F1AF32-4E56-59BD-0000-00108BCA0000
    SourceProcessId: 664
    SourceThreadId: 696
    TargetImage: C:\\Windows\\system32\\csrss.exe
    TargetProcessGUID: 49F1AF32-4E55-59BD-0000-0010FB560000
    TargetProcessId: 340
    UtcTime: 2017-09-19 21:14:34.790

EventID 11 | Type: FileCreate | Available since: - | Revised in: -
Example:
    CreationUtcTime: 2017-09-07 21:43:40.859
    Image: C:\\Windows\\System32\\smss.exe
    ProcessGuid: 49F1AF32-894D-59C1-0000-0010002E0000
    ProcessId: 264
    TargetFilename: C:\\pagefile.sys
    UtcTime: 2017-09-19 21:17:02.343

EventID 12 | Type: RegistryEvent | Available since: - | Revised in: -
Example:
    EventType: CreateKey
    Image: C:\\Windows\\Sysmon.exe
    ProcessGuid: 49F1AF32-4E59-59BD-0000-001021720100
    ProcessId: 1332
    TargetObject: HKU\\.DEFAULT\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs
    UtcTime: 2017-09-19 21:14:42.915

EventID 13 | Type: RegistryEvent | Available since: - | Revised in: -
Example:
    Details: DWORD (0xffffffff)
    EventType: SetValue
    Image: C:\\Windows\\system32\\CompatTelRunner.exe
    ProcessGuid: 49F1AF32-884D-59C1-0000-001093F04800
    ProcessId: 616
    TargetObject: \\REGISTRY\\A\\{5F82DC26-E525-476B-D7F4-86FAF0C848CE}\\Root\\DeviceCensus\\WU\\AppStoreAutoUpdatePolicy
    UtcTime: 2017-09-19 21:12:46.212

EventID 14 | Type: RegistryEvent | Available since: - | Revised in: -
Example:
    EventType: RenameKey
    Image: C:\\Windows\\regedit.exe
    NewName: \\REGISTRY\\MACHINE\\SOFTWARE\\Macromedia\\RegistryRenamed
    ProcessGuid: 49F1AF32-22C3-59C2-0000-001085501200
    ProcessId: 3800
    TargetObject: HKLM\\SOFTWARE\\Macromedia\\FlashPlayerActiveX
    UtcTime: 2017-09-20 08:14:21.370

EventID 15 | Type: FileCreateStreamHash | Available since: - | Revised in: -
Example:
    CreationUtcTime: 2017-09-20 08:06:11.801
    Hash: SHA1=17DC34358A2BF7E7D6E78268B3CA7493915BB325, MD5=9D9D384EF6546192D60EFDBB8397CD2D, SHA256=3455A37D9006F5325AC6208E874AE8149FECD8631D981EE78B3AD5B06AD648AB, IMPHASH=00000000000000000000000000000000
    Image: C:\\Windows\\system32\\cmd.exe
    ProcessGuid: 49F1AF32-21E3-59C2-0000-00106B811000
    ProcessId: 4000
    TargetFilename: C:\\Users\\GENERI~1\\AppData\\Local\\Temp\\test.txt:malicious.txt
    UtcTime: 2017-09-20 08:10:29.925

EventID 16 | Type: - | Available since: - | Revised in: -
Example: Not Seen

EventID 17 | Type: PipeEvent | Available since: v6.0 | Revised in: v10
Example:
    EventType: CreatePipe
    Image: C:\\Program Files\\Whids\\Whids.exe
    PipeName: <Anonymous Pipe>
    ProcessGuid: {515cd0d1-33b1-5d01-0000-0010286f6900}
    ProcessId: 10004
    RuleName:
    UtcTime: 2019-06-12 20:19:19.517

EventID 18 | Type: PipeEvent | Available since: v6.0 | Revised in: v10
Example:
    EventType: ConnectPipe
    Image: C:\\Windows\\System32\\RuntimeBroker.exe
    PipeName: \\MsFteWds
    ProcessGuid: {515cd0d1-dfb4-5d00-0000-001013af0900}
    ProcessId: 5012
    RuleName:
    UtcTime: 2019-06-12 20:17:53.895

EventID 19 | Type: WmiEvent | Available since: v6.10 | Revised in: -
Example:
    EventNamespace: "root\\CimV2"
    EventType: WmiFilterEvent
    Name: "MaliciousSubscription"
    Operation: Created
    Query: "SELECT * FROM  __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"
    User: GenEric-PC\\Gen Eric
    UtcTime: 2017-09-19 21:10:00.401

EventID 20 | Type: WmiEvent | Available since: v6.10 | Revised in: -
Example:
    Destination: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NonI -W hidden -enc JABHAHIAbwBVAFAAUABvAGwAaQBjAHkAUwBlAFQAVA [...] AkAEsAKQApAHwASQBFAFgA"
    EventType: WmiConsumerEvent
    Name: "MaliciousSubscription"
    Operation: Created
    Type: Command Line
    User: GenEric-PC\\Gen Eric
    UtcTime: 2017-09-19 21:10:00.431

EventID 21 | Type: WmiEvent | Available since: v6.10 | Revised in: -
Example:
    Consumer: "CommandLineEventConsumer.Name=\"MaliciousSubscription\""
    EventType: WmiBindingEvent
    Filter: "__EventFilter.Name=\"MaliciousSubscription\""
    Operation: Created
    User: GenEric-PC\\Gen Eric
    UtcTime: 2017-09-19 21:10:11.878

EventID 22 | Type: DNSQuery | Available since: v10 | Revised in: -
Example:
    Image: C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdge.exe
    ProcessGuid: {515cd0d1-31d1-5d01-0000-001066414800}
    ProcessId: 5188
    QueryName: rawsec.lu
    QueryResults: ::ffff:62.210.16.62;
    QueryStatus: 0
    RuleName:
    UtcTime: 2019-06-12 19:08:38.387
