Understanding Sysmon Event IDs for Improved Security Monitoring
Effective security monitoring is vital to creating and maintaining a safe IT environment. Sysmon Event IDs offer invaluable insight into any potentially malicious activity on your network; in this post we explore this subject further and suggest using them for enhanced monitoring purposes.
What is Sysmon (System Monitor)?
Sysmon is a Windows service and device driver which remains active after system reboots to track process creation, network connections and other system activities. Sysmon is widely used by security professionals and IT administrators for investigating suspicious activities on networks.
Sysmon Capabilities Overview
Sysmon is a Windows system monitoring tool designed to give administrators an overall picture of events happening on their systems. It gathers data from multiple sources such as Windows Event Log, Registry, and network connections and stores it in one centralized log file for later reference.
Sysmon allows administrators to monitor system activity, detect malicious activities and troubleshoot system issues quickly.
Furthermore, its detailed process information includes process creation/termination events as well as network connection details – giving administrators valuable insights into their system’s performance and security posture.
Event IDs from Sysmon: the key to understanding your security monitoring
Sysmon stores its data as events in the Windows Event Log. Each event is identified by a unique Sysmon Event ID to easily recognize what type of activity is being reported – this knowledge is key for effective security monitoring.
What are Sysmon event ID's?
Sysmon event ID’s are numerical identifiers used by Windows Sysmon service to log events that help system administrators analyze system behavior and detect potentially harmful activities on their networks.
Microsoft assigns event ID numbers, which can be used to filter certain types of events out from log files and search for specific activities or errors that have taken place on a system. By understanding what each event means, system administrators can more closely monitor their systems and quickly respond to any potential security risks that might arise.
Unleashing the Power of Sysmon Logs: A Guide for Effective Threat Hunting
Sysmon (System Monitor) is an invaluable Windows utility for gathering detailed system activity reports, giving security analysts the information necessary to identify threats and malicious activities on a network. In this blog post, we’ll cover how Sysmon logs can be effectively utilized as threat hunting tools by focusing on specific event IDs that help detect suspicious behavior.
Here are some of the most important Sysmon Event ID’s:
Event ID 1: Process Creation Event
This event tracks the creation of new processes. This information about newly created process includes their name, command line options, parent processes and user accounts. Tracking this event may help identify suspicious processes and uncover potential security risks.
Hunting with Event ID 1: Process Creation Event logs
Logs that track process creation are invaluable tools for spotting malicious processes on a system. Event ID 1 logs contain useful data like command line parameters, parent processes and process GUIDs that may reveal potential threats.
Example: A suspicious process creation event could include PowerShell execution with encoded commands or scripts used by attackers to remain undetected:
<Event>
<System>
<EventID>1</EventID>
</System>
<EventData>
<CommandLine>powershell.exe -enc SQBFAFMA...</CommandLine>
<ParentImage>C:\Windows\System32\cmd.exe</ParentImage>
</EventData>
</Event>
Event ID 3: Network Connections
This event log records network connections created by processes on your system. It includes details regarding source and destination IP addresses, port numbers, and the process responsible for making each connection. Analyzing this data may help detect unwelcome network connections as well as attempts at data exfiltration.
Hunting with Event ID 3: Network Connections event logs
Monitoring network connections is crucial to detecting communication with command-and-control (C2) servers or other suspicious activities, and Event ID 3 logs provide essential details like source and destination IP addresses, port numbers and process info.
Example of an anomalous network connection event may involve a process connecting to an IP address of a known C2 server:
<Event>
<System>
<EventID>3</EventID>
</System>
<EventData>
<SourceIp>192.168.1.10</SourceIp>
<DestinationIp>203.0.113.5</DestinationIp>
<SourcePort>54321</SourcePort>
<DestinationPort>80</DestinationPort>
<ProcessId>1234</ProcessId>
</EventData>
</Event>
Event ID 6: Driver Loaded
Monitoring driver loading events can help identify potentially malicious drivers that threaten system security. This event logs any driver that was loaded.
Hunting with Event ID 6: Driver Loaded events
Rootkits or other kernel-level threats require malicious drivers to operate. Event ID 6 logs provide details about each driver, such as its image path and file version number.
Example: An incident of driver loading could involve an individual who is known to be deceptive and criminal:
<Event>
<System>
<EventID>6</EventID>
</System>
<EventData>
<ImageLoaded>C:\Windows\System32\Drivers\malicious-driver.sys</ImageLoaded>
<FileVersion>1.0.0.1</FileVersion>
</EventData>
</Event>
Event ID 7: Image Loaded
Event ID Image Loaded is used to record when executable images such as DLLs are loaded by processes, providing details about file path, size and hash values for these executable images. Tracking this event can help detect suspicious or compromised executable images loaded by processes.
Hunting with Event ID 7: Image Loaded event logs
Image Loaded Events can assist analysts in quickly detecting any potentially malicious DLLs or libraries installed into a process. Event ID 7 logs provide details about each loaded image such as filepath and digital signature information.
Example: An unusual image-load event may involve the loading of an unsigned DLL:
<Event>
<System>
<EventID>7</EventID>
</System>
<EventData>
<ImageLoaded>C:\Windows\Temp\unsigned-dll.dll</ImageLoaded>
<Signed>false</Signed>
</EventData>
</Event>
Event ID 11: File Creation
This event logs the creation of new files on your system. It provides details such as file name, path location and who created them – helping you detect potentially malicious files created by untrustworthy processes. Analyzing this data may provide clues to identifying potentially harmful ones.
Hunting with Event ID 11: File Creation event logs
File creation events play a critical role in detecting malicious files or temporary files used during an attack. Logs with Event ID 11 provide crucial details about their file creation time event such as time stamp and target filename.
Example of suspicious file creation event: Generating of known malware executable.
<Event>
<System>
<EventID>11</EventID>
</System>
<EventData>
<TargetFilename>C:\Users\User\AppData\Local\malware.exe</TargetFilename>
<CreationUtcTime>2023-04-14T12:34:56.789Z</CreationUtcTime>
</EventData>
</Event>
Event ID 12, 13, 14: Registry Events
Sysmon Event ID 12, 13, and 14 are registry events that provide information on any changes made to Windows registry files, such as adding or changing accounts or system settings. Organizations can monitor these registry events to detect suspicious activities in real-time and take preventive steps against potential threats to their systems; additionally these events offer valuable insight into changes made either by users or administrators.
Hunting with Event ID 12, 13, 14: Registry Event logs
Registry event logs provide invaluable evidence of any changes or suspicious access made to Windows Registry. Logs with Event IDs 12 (Object Create/Delete), 13 (Value Set/Delete), and 14 (Key/Value Rename) provide detailed information about all key and value changes occurring within a registry key/value pair, along with details regarding which process caused each key and value rename or modification.
Example of a process creates suspicious registry event: Creation of registry key for persistence by process.
<Event>
<System>
<EventID>12</EventID>
</System>
<EventData>
<TargetObject>HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MaliciousStartup</TargetObject>
<EventType>CreateKey</EventType>
<ProcessId>1234</ProcessId>
</EventData>
</Event>
Another example could be a process modifying a registry value, potentially to disable security features:
<Event>
<System>
<EventID>13</EventID>
</System>
<EventData>
<TargetObject>HKLM\SYSTEM\CurrentControlSet\Services\SomeSecurityService\Start</TargetObject>
<EventType>SetValue</EventType>
<Details>4</Details>
<ProcessId>1234</ProcessId>
</EventData>
</Event>
Understanding the Role of Sysmon Events in System and Network Security
System and network security is an integral component of any organization’s IT infrastructure. To protect their systems from potential threats, organizations need to monitor system activity and detect malicious activities quickly. Windows 10’s Sysmon Events provide an ideal way of doing just this with its set of logs that allow organizations to effectively keep an eye on system activity while quickly detecting potential security threats.
These events provide organizations with vital details regarding system processes, network connections, registry changes and other activities that may indicate suspicious activities. With Sysmon Events as their tool to keep an eye on their systems and networks from external threats.
Benefits of Utilizing Sysmon Event ID's for Security Analysis
Sysmon Event ID’s are an indispensable asset in security analysis. They enable security teams to detect and investigate malicious activity quickly on networks or systems; security teams can quickly spot suspicious traffic using them while also gaining valuable insights into what type of attack may have taken place.
Additionally, they can identify potential vulnerabilities within a system and take corrective actions to safeguard against future attacks.
With Sysmon Event ID’s, security teams can create an effective intrusion detection system which alerts them when suspicious activity is detected – making it easier to defend against cyberattacks and other forms of malign activity.
How to utilize Sysmon Event ID's for enhanced security monitoring
Follow these steps to effectively use Sysmon Event ID’s for security monitoring:
Install Sysmon: Download Sysmon from the Microsoft Sysinternals website and install it on your Windows system.
Configure Sysmon: Create a Sysmon configuration file to define what events or filters or rules you would like to track, as well as any filters or rules to apply. There are multiple pre-built Sysmon configuration files online that will help you, or you can create your own.
Monitor Sysmon Events: Utilizing Windows Event Viewer or an additional log management application, monitor and analyze Sysmon events using alerts based on Event IDs or criteria to stay informed about potential security threats.
Investigate and Respond: Upon discovering suspicious activity with Sysmon events, investigate it thoroughly before responding accordingly – such as blocking network connections or terminating malicious processes.
Check the Post below to learn how to Threat Hunt with Sysmon in Splunk
Common Errors in Sysmon Event ID Management
Sysmon is an effective security audit tool for monitoring and analyzing system activity. It creates Event IDs which can detect malicious activity on any given system.
However, people must correct common mistakes when using Sysmon Event ID’s for security analysis purposes – understanding these missteps and how to avoid them is key for successful security auditing and analysis using Sysmon’s Event IDs as the source.
However, when using Event IDs for security analysis there are a few key aspects that need to be corrected in order to be successful in auditing and analysis. Acknowledging common mistakes and learning how to prevent them is vital for accurate security auditing and analysis.
Understanding what Sysmon is collecting: Monitoring of systems using Sysmon results in two separate types of events being created when monitoring occurs – these events contain both application-generated events (such as file modification) as well as process activity events such as file creation.
Due to multiple events being monitored simultaneously, it may be hard to pinpoint exactly which ones Sysmon is monitoring – leading to auditing problems. When Sysmon collects information on activities like file creation or modification, however, an event is generated which provides helpful details of such activity.
However, when such events are collected it may only be possible for an individual to audit some of the files created or modified during a certain time frame.
As certain processes may be too extensive for human review and auditing; there could therefore be gaps in auditing certain files (i.e. files created by processes which took place within that specific timeframe).
Sysmon will generate an audit-only event whenever file creation or modification occurs to notify users about this activity.
While this event provides valuable data to auditors within your organization, it cannot be used to detect vulnerabilities within files as can normal events which return much more useful data than audit-only events do.
Best Practices for Automating Alerts Based on System Monitor Events
Automated alerts based on system monitor events can help organizations quickly address any system issues by setting up automated alerts. By being informed whenever an event takes place, organizations can take the necessary steps to address it before it escalates further.
Best practices for setting up automated alerts based on system monitor events include monitoring all critical events, setting appropriate thresholds for each one, testing the alert system regularly, and making sure all alerts reach their respective recipients in an organization.
With such safeguards in place, businesses can ensure they can quickly react to any system issues which arise.
Expanded List of Sysmon Event IDs
Event ID 1 – Process Creation: Records process creation with command line arguments, parent process name and associated hashes. This event logs the creation of processes along with their command line arguments, parent process name and associated hashes; useful in detecting potentially malicious processes.
Event ID 2 – File Creation Time: This event records any changes to file creation timestamps caused by specific processes, which can help detect attempts at altering file metadata.
Event ID 3 – Network Connection: Logs all network connections initiated by processes, including source and destination IP addresses, hostnames and port numbers. This data can help detect communication with malicious servers or any nefarious network activity.
Event ID 4 – Sysmon Service State Change: Reports any change in the state of Sysmon services such as when they start, stop, or are updated.
Event ID 5 – Process Terminated: Logs when a process has been terminated unexpectedly or maliciously, providing an easy way to track this action and detect its causes.
Event ID 6 – Driver Loaded: Logs when a driver has been loaded into the kernel, including its name, hashes, and signature information. This data can help detect potentially malicious drivers.
Event ID 7 – Image Loaded: This event records DLLs or executable images loaded into a process, along with their hashes and digital signatures; it can help detect potentially malicious libraries or executables.
Event ID 8 – CreateRemoteThread: Logs the creation of remote threads within another process, often associated with code injection or other malicious activities.
Event ID 9 – Raw Access Read: Records when one process accesses another process’s memory, often related to dumping process memory for analysis or exfiltration purposes.
Event ID 10 – Process Access: Logs whenever a process accesses another process for purposes such as reading memory or injecting malicious code, among other activities.
Event ID 11 – File Create: Records the file creation events with details like its name, path and hash hashes.
Event ID 12 – Registry Event (CreateKey, SetValue): Logs registry key creation and value setting events associated with software installations or malware persistence.
Event ID 13 – Registry Event (DeleteKey and DeleteValue): Logs all Registry key and Value deletion events associated with software uninstallation or malware cleanup.
Event ID 14 – Registry Event (KeyRename, SetValue): Logs registry key renaming and value setting events associated with software installation or malware persistence.
Event ID 15 – File Stream Create: Logs all file stream creation events, often associated with alternative data streams (ADS) used for hiding data or malware.
Event ID 16 – Sysmon Configuration Change: Records changes made to the Sysmon configuration, such as additions, deletions or modifications.
Event ID 17 – Pipe Creation: Logs named pipe creation events that may be used for interprocess communication (IPC).
Event ID 18 – Pipe Connected: Logs when a process connects to a named pipe, providing useful insights into potential IPC activity.
Event 19 (WmiEventFilter Activity Detected): Logs when WMI event filters are created or modified – often used by attackers for persistence or lateral movement.
Event ID 20 – WmiEvent (WmiEventConsumer Activity Detected): Logs when WMI event consumers are created or modified; often used by attackers for persistence or lateral movement.
Event 21 (WmiEventConsumerToFilter Activity Detected): Records binding between WMI event filters and consumers to detect any malicious WMI activity.
Conclusion: Understanding Sysmon Event IDs to Increase Security Monitoring
Sysmon Event ID offer security professionals vital insight into what’s taking place on their networks. By comprehending these events produced by Sysmon, IT specialists can detect suspicious activity on the network and take steps to safeguard it against threats such as hackers. With this knowledge in hand, organizations can better monitor their sysmon environment.
