Sysmon
What is Sysmon?
Sysmon: A Microsoft Sysinternals Windows driver that emits rich event-log telemetry about process, network, file, registry, and image-load activity for security monitoring.
Sysmon (System Monitor) is a free Windows system service from Microsoft Sysinternals, written by Mark Russinovich and Thomas Garnier, that augments built-in Windows event logging with high-fidelity security telemetry. Once installed and configured via XML, Sysmon emits events for process creation with full command lines and hashes (event ID 1), network connections (ID 3), image loads (ID 7), DNS queries (ID 22), file create events (ID 11), registry changes (IDs 12-14), and more. Defenders feed Sysmon logs into SIEMs alongside Sigma rules to detect living-off-the-land techniques, credential dumping, and persistence. Community configurations like SwiftOnSecurity's sysmon-config and Olaf Hartong's modular config are widely adopted starting points.
● Examples
- 01: Detecting suspicious child processes of svchost.exe via Sysmon event ID 1 combined with a Sigma rule.
- 02: Hunting Cobalt Strike Beacon DLL injection through Sysmon event ID 7 (image load) and module hashes.
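The detection in example 01, worked through as an added example (not code from the page or from Sysmon): parse Sysmon event ID 1 records in their Windows Event XML form, then apply the Sigma-style logic "parent is svchost.exe, child is not an expected one". The sample events and the allow-list of expected children are constructed for illustration.

```python
"""Flag unexpected child processes of svchost.exe in Sysmon Event ID 1 records."""
import xml.etree.ElementTree as ET

# Default namespace used by Windows Event XML (Sysmon events are rendered in it).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Illustrative allow-list of children svchost.exe is commonly seen spawning;
# in practice this is tuned per environment from a baseline, not hard-coded.
EXPECTED_SVCHOST_CHILDREN = {"wuauclt.exe", "taskhostw.exe", "dllhost.exe", "werfault.exe"}


def parse_sysmon_event(xml_text):
    """Return {"EventID": int, <Data Name>: value, ...} for one Sysmon event."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS))}
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def basename(path):
    """Lower-cased file name of a Windows path (ParentImage/Image are full paths)."""
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_svchost_child(event):
    """Sigma-style selection: EventID 1, ParentImage svchost.exe, Image not allow-listed."""
    if event.get("EventID") != 1:
        return False
    if basename(event.get("ParentImage", "")) != "svchost.exe":
        return False
    return basename(event.get("Image", "")) not in EXPECTED_SVCHOST_CHILDREN


def find_alerts(xml_events):
    """Parse every event and keep those matching the svchost child-process rule."""
    return [e for e in map(parse_sysmon_event, xml_events) if suspicious_svchost_child(e)]


def _event(event_id, **data):
    """Build a minimal Sysmon event in Windows Event XML form (constructed sample data)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")


SAMPLE_EVENTS = [  # constructed, not real telemetry
    _event(1, Image=r"C:\Windows\System32\wuauclt.exe", ParentImage=r"C:\Windows\System32\svchost.exe"),
    _event(1, Image=r"C:\Windows\System32\cmd.exe", CommandLine="cmd.exe /c echo test",
           ParentImage=r"C:\Windows\System32\svchost.exe"),
    _event(3, Image=r"C:\Windows\System32\svchost.exe", DestinationPort="443"),  # ID 3: ignored by the rule
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT", alert["ParentImage"], "->", alert["Image"], alert.get("CommandLine", ""))
```

Only the cmd.exe record trips the rule; the allow-listed wuauclt.exe child and the event ID 3 network record pass through untouched.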
● Frequently asked questions
What is Sysmon?
A Microsoft Sysinternals Windows driver that emits rich event-log telemetry about process, network, file, registry, and image-load activity for security monitoring. It belongs to the Defense & Operations category of cybersecurity.
What are other names for Sysmon?
Common alternative names include: System Monitor.
● Related terms
- SIEM (defense-ops № 1039): A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.
- Sigma Rule (defense-ops № 1041): A vendor-neutral, YAML-based detection signature for log events that can be converted into queries for SIEM, EDR, or XDR back-ends.
- Threat Hunting (defense-ops № 1147): Proactive, hypothesis-driven search through telemetry to uncover threats that have evaded existing detections.
- EDR (Endpoint Detection and Response) (defense-ops № 371): An endpoint security technology that continuously records process, file, registry and network activity to detect, investigate and respond to threats on hosts.
- Log Analysis (forensics-ir № 627): The systematic review of system, application, and security logs to detect, investigate, and reconstruct security-relevant events.
- Process Injection (attacks № 862): A family of evasion techniques in which an attacker runs malicious code inside the address space of a legitimate process to inherit its trust and identity.