Back to Blog
WindowsSysmon

Sysmon Guide for Beginners

Nikhil Tank·July 12, 2026·8 min read

What Is Sysmon?

Sysmon, short for System Monitor, is a powerful Windows system service and driver developed by Microsoft as part of the Sysinternals suite. It installs as a kernel-mode driver that hooks deep into the operating system to capture high-fidelity telemetry that standard Windows Event Logging misses. Once installed, Sysmon logs detailed activity to the Windows Event Log under Applications and Services Logs / Microsoft / Windows / Sysmon / Operational.

Unlike the native Windows Security log, Sysmon provides rich context: process hashes (SHA1, MD5, SHA256, IMPHASH), signed versus unsigned status, parent process GUIDs for process tree reconstruction, full command-line arguments, network connection details, file creation and deletion events, registry modifications, and driver loading. It is effectively the gold standard for Windows endpoint visibility.

Sysmon vs. Native Windows Event Logging

Why run Sysmon when Windows already has Event ID 4688 (Process Creation) and 5156 (Network Connection)? The short answer: depth and reliability.

  • Hashes: Sysmon Event ID 1 includes SHA256, MD5, and IMPHASH of every process image. This allows you to cross-reference executables against VirusTotal, known-bad hash lists, and internal baselines. Native 4688 does not include hashes unless PowerShell transcription or AppLocker is in play.
  • Parent Process GUID: Sysmon assigns a unique GUID to every process. When Process A spawns Process B, Sysmon records the parent GUID, making process tree reconstruction trivial. Native logging relies on brittle PID values that are reused and collide over time.
  • Filtering: Sysmon's configuration file lets you include or exclude events with surgical precision — for example, only log network connections for specific processes, or suppress noise from trusted software update tools.
  • Event Types: Sysmon covers domains that native logging does not: driver loading (Event ID 6), image loading (Event ID 7), file creation (Event ID 11), registry events (Event IDs 12-14), named pipe creation (Event ID 17), and WMI events (Event IDs 19-21).

Installation and Configuration

Installing Sysmon is straightforward. Download it from the Microsoft Sysinternals page and run:

# Install Sysmon with a default config
Sysmon64.exe -accepteula -i

# Install with a custom config file
Sysmon64.exe -accepteula -i sysmon-config.xml

# Update config on a running system
Sysmon64.exe -c sysmon-config.xml

# Uninstall
Sysmon64.exe -u

The -accepteula flag accepts the EULA silently. The -i flag installs the driver and service. Sysmon starts automatically on boot and logs to the Operational event channel. The binary must run with administrative privileges.

Example Sysmon Configuration

Sysmon's power comes from its XML configuration file. A well-tuned config excludes known-good activity to reduce noise while catching malicious behavior. Here is a minimal example:

<Sysmon schemaversion="4.90">
  <EventFiltering>
    <!-- Log all process creation -->
    <ProcessCreate onmatch="include">
      <CommandLine condition="exclude">"\Device\HarddiskVolume?\Windows\System32\svchost.exe"</CommandLine>
    </ProcessCreate>

    <!-- Log all network connections -->
    <NetworkConnect onmatch="include"/>

    <!-- Log file creation in sensitive locations -->
    <FileCreate onmatch="include">
      <TargetFilename condition="contains">Temp</TargetFilename>
      <TargetFilename condition="contains">Users</TargetFilename>
      <TargetFilename condition="contains">Windows\Temp</TargetFilename>
    </FileCreate>

    <!-- Log registry modifications in autostart locations -->
    <RegistryEvent onmatch="include">
      <TargetObject condition="contains">CurrentVersion\Run</TargetObject>
      <TargetObject condition="contains">Windows\CurrentVersion\RunOnce</TargetObject>
    </RegistryEvent>

    <!-- Log all image loads (high volume, use with caution) -->
    <ImageLoad onmatch="exclude"/>
  </EventFiltering>
</Sysmon>

The community-maintained sysmon-config by SwiftOnSecurity is an excellent starting point. It includes comprehensive event filtering tuned for enterprise deployment.

Key Sysmon Event IDs

Event ID 1 — Process Creation

The workhorse of Sysmon telemetry. Every process spawn generates an Event ID 1 with the image path, command line, parent PID, parent GUID, user, logon ID, process hash (SHA256, MD5, SHA1, IMPHASH), and whether the binary is signed. This is the data source for detecting T1059 (Command and Scripting Interpreter), T1055 (Process Injection), and T1218 (Signed Binary Proxy Execution).

Event ID 3 — Network Connect

Logs outbound TCP and UDP connections initiated by processes. Includes the source IP, destination IP, destination port, protocol, and process GUID. This is critical for detecting beaconing, data exfiltration, and command-and-control communication. Combine with threat intelligence feeds for IP/domain enrichment.

Event ID 7 — Image Loaded

Records every DLL loaded by a process. This is high-volume but immensely useful for detecting DLL sideloading, process hollowing, and reflective loading attacks. For example, notepad.exe loading wininet.dll is abnormal and may indicate code injection.

Event ID 11 — FileCreate

Logs file creation events with the full path. Configure it to monitor temporary directories (%TEMP%, C:\Windows\Temp), startup folders, download directories, and sensitive locations (C:\Users\Public). Attackers dropping payloads to these directories is a common pattern.

Event ID 13 — Registry Value Set

Captures modifications to the Windows Registry. This is the primary data source for detecting persistence via Run keys, services, COM objects, scheduled tasks, and boot execute modifications. Each event includes the registry path, the process that made the change, and the new value.

Event ID 15 — FileCreateStreamHash

Detects the creation of NTFS alternate data streams (ADS). Attackers frequently hide payloads in ADS because they do not show up in a normal directory listing. This event logs the main file path, the stream name, and the SHA256 hash of the stream content.

Sysmon + SIEM Integration

Sysmon is only as powerful as your ability to collect, correlate, and alert on its events. Deploy Sysmon on every Windows endpoint, forward its Operational events to a central log collector (via Windows Event Forwarding, WinRM, or an agent), and ingest them into your SIEM.

Shieldlix SIEM includes native Sysmon parsing and detection rules out of the box. Event ID 1 maps to 4688 enrichment, Event ID 3 correlates with network flow logs, and Event ID 13 triggers registry persistence alerts. Shieldlix also maintains an updated library of Sigma rules optimized for Sysmon events, so you can start hunting the moment Sysmon data arrives.

For organizations just getting started, the recommendation is simple: deploy Sysmon with a community config, forward the logs to Shieldlix, and begin triaging the alerts. Within days, you will see endpoint activity you never knew existed.


Written by
Nikhil Tank
Founder & CEO, Shieldlix
← Back to Blog