Sysmon Cheat Sheet
Overview
Sysmon (System Monitor) is a Windows system service and device driver from the Sysinternals suite that logs detailed system activity to the Windows Event Log (the Microsoft-Windows-Sysmon/Operational channel). It provides far more granular visibility than default Windows auditing: process creation with full command lines, parent process and file hashes; network connections with the originating process; changes to file creation times; registry modifications; WMI event subscriptions; named pipe operations; clipboard changes; and DNS queries. Sysmon is a telemetry source rather than a preventive control (the file-blocking events 27 and 28 are the exception), so its value depends on the configuration and on something consuming the events. Those events are essential for threat detection, incident response, and forensic investigations across enterprise environments.
Sysmon installs as a user-mode service (Sysmon or Sysmon64) plus a kernel driver (SysmonDrv); both persist across reboots, and the driver loads early in the boot process to capture activity from the start. Its behavior is controlled by an XML configuration file that defines which events to log and which to filter out, allowing organizations to tune verbosity for their environment; the compiled rules are stored in the registry, and every configuration load or change is recorded as Event ID 16. The community-maintained sysmon-modular and SwiftOnSecurity configurations provide excellent starting points. Sysmon events integrate with SIEM platforms (Splunk, Elastic, Sentinel), enabling detection rules mapped to MITRE ATT&CK techniques. It is one of the most widely deployed free sources of Windows endpoint visibility.
Installation
Basic Installation
# Download Sysmon from Sysinternals
# https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
# Install with default configuration
sysmon64.exe -accepteula -i
# Install with custom configuration
sysmon64.exe -accepteula -i sysmonconfig.xml
# Install with SHA256 hashing (Sysmon defaults to SHA1 when no algorithm is chosen)
sysmon64.exe -accepteula -i -h sha256 sysmonconfig.xml
# Install with network monitoring
sysmon64.exe -accepteula -i -n sysmonconfig.xml
# When a configuration file is used, hashing and network logging are normally set in the XML instead
# (<HashAlgorithms> and NetworkConnect rules, as in the template under Configuration)
Update Configuration
# Update running configuration
sysmon64.exe -c sysmonconfig-updated.xml
# Show current configuration
sysmon64.exe -c
# Reset to default configuration
sysmon64.exe -c --
# Uninstall Sysmon
sysmon64.exe -u
# Force uninstall
sysmon64.exe -u force
Verify Installation
# Check service status
Get-Service Sysmon64
# Check driver (kernel driver service is named SysmonDrv; use sc.exe, because bare "sc" is the Set-Content alias in PowerShell)
sc.exe query SysmonDrv
# View current config (prints the rules the driver is actually running)
sysmon64.exe -c
# Check Event Log
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 5
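The install, update and verify steps above combined into one idempotent deployment script. This is an added example, not code from the original cheat sheet or from Sysinternals; it assumes sysmon64.exe and the config sit in $Root (C:\Tools\Sysmon is an assumed path) and relies on the Sysmon64 service and SysmonDrv driver names that a 64-bit install creates.

```powershell
# Added example: install Sysmon if absent, otherwise push the current config, then verify
# the service and driver are running and that the hash Sysmon recorded in Event ID 16
# matches the file that was deployed.
# Assumptions: $Root holds sysmon64.exe and the config; Sysmon64/SysmonDrv are the names
# a 64-bit install creates.
param(
    [string]$Root   = 'C:\Tools\Sysmon',   # assumed deployment folder
    [string]$Config = 'sysmonconfig.xml'
)
$exe = Join-Path $Root 'sysmon64.exe'
$cfg = Join-Path $Root $Config
$log = 'Microsoft-Windows-Sysmon/Operational'

function Get-SysmonState {
    # Get-Service does not enumerate kernel drivers, so the driver is read via CIM
    [pscustomobject]@{
        Service = (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue).Status
        Driver  = (Get-CimInstance Win32_SystemDriver -Filter "Name='SysmonDrv'" -ErrorAction SilentlyContinue).State
        Log     = [bool](Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue)
    }
}

$before = Get-SysmonState
if (-not $before.Service) {
    & $exe -accepteula -i $cfg | Out-Null   # fresh install with the config
} else {
    & $exe -accepteula -c $cfg | Out-Null   # update the rules in the running driver
}
if ($LASTEXITCODE -ne 0) { throw "sysmon64 exited with code $LASTEXITCODE" }

$after = Get-SysmonState
if ($after.Service -ne 'Running' -or $after.Driver -ne 'Running' -or -not $after.Log) {
    throw "Sysmon not healthy after deploy: $($after | ConvertTo-Json -Compress)"
}

# Event ID 16 carries ConfigurationFileHash as "SHA256=<hex>"; compare with the file on disk
$expected = 'SHA256=' + (Get-FileHash -Algorithm SHA256 -Path $cfg).Hash
$evt = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 16 } -MaxEvents 1 -ErrorAction SilentlyContinue
$loaded = if ($evt) {
    ([xml]$evt.ToXml()).Event.EventData.Data |
        Where-Object Name -eq 'ConfigurationFileHash' |
        Select-Object -ExpandProperty '#text'
}
if ($loaded -ne $expected) {
    throw "Loaded config hash '$loaded' does not match deployed file '$expected'"
}
Write-Host "Sysmon healthy; loaded config $loaded"
```

Run it from an elevated PowerShell session. Comparing the Event ID 16 hash against the deployed file catches the common failure where a config push returns success but an older config (or a tampered one) is what the driver is actually enforcing.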
Event Types
Sysmon Event IDs
| Event ID | Description |
|---|---|
| 1 | Process creation |
| 2 | File creation time changed |
| 3 | Network connection |
| 4 | Sysmon service state changed |
| 5 | Process terminated |
| 6 | Driver loaded |
| 7 | Image loaded (DLL) |
| 8 | CreateRemoteThread |
| 9 | RawAccessRead |
| 10 | ProcessAccess |
| 11 | FileCreate |
| 12 | Registry key/value create or delete |
| 13 | Registry value set |
| 14 | Registry key/value rename |
| 15 | FileCreateStreamHash |
| 16 | Sysmon config changed |
| 17 | Pipe created |
| 18 | Pipe connected |
| 19 | WmiEventFilter activity |
| 20 | WmiEventConsumer activity |
| 21 | WmiEventConsumerToFilter activity |
| 22 | DNS query |
| 23 | FileDelete (archived) |
| 24 | Clipboard change |
| 25 | Process tampering |
| 26 | FileDeleteDetected (logged) |
| 27 | FileBlockExecutable |
| 28 | FileBlockShredding |
| 29 | FileExecutableDetected |
| 255 | Error (Sysmon internal error, e.g. a rule it could not apply) |
Configuration
Basic Configuration Template
<Sysmon schemaversion="4.90">
<HashAlgorithms>sha256,imphash</HashAlgorithms>
<CheckRevocation>false</CheckRevocation>
<EventFiltering>
<!-- Process Creation (Event ID 1) -->
<RuleGroup name="ProcessCreate" groupRelation="or">
<ProcessCreate onmatch="exclude">
<!-- Exclude noisy legitimate processes (match on full path; a bare file name is trivially spoofed) -->
<Image condition="is">C:\Windows\System32\svchost.exe</Image>
<Image condition="is">C:\Windows\System32\taskhostw.exe</Image>
<!-- Caution: excluding on ParentImage alone drops every process started by the Service Control Manager, including a malicious service binary -->
<ParentImage condition="is">C:\Windows\System32\services.exe</ParentImage>
</ProcessCreate>
</RuleGroup>
<!-- Network Connections (Event ID 3) -->
<RuleGroup name="NetworkConnect" groupRelation="or">
<NetworkConnect onmatch="include">
<!-- Log connections from suspicious locations -->
<Image condition="contains">\Users\</Image>
<Image condition="contains">\Temp\</Image>
<Image condition="contains">\AppData\</Image>
<DestinationPort condition="is">4444</DestinationPort>
<DestinationPort condition="is">8080</DestinationPort>
</NetworkConnect>
</RuleGroup>
<!-- File Creation (Event ID 11) -->
<RuleGroup name="FileCreate" groupRelation="or">
<FileCreate onmatch="include">
<TargetFilename condition="contains">\Startup\</TargetFilename>
<TargetFilename condition="end with">.exe</TargetFilename>
<TargetFilename condition="end with">.dll</TargetFilename>
<TargetFilename condition="end with">.ps1</TargetFilename>
<TargetFilename condition="end with">.bat</TargetFilename>
<TargetFilename condition="end with">.vbs</TargetFilename>
</FileCreate>
</RuleGroup>
<!-- Registry Modifications (Event ID 12, 13, 14) -->
<RuleGroup name="RegistryEvent" groupRelation="or">
<RegistryEvent onmatch="include">
<TargetObject condition="contains">CurrentVersion\Run</TargetObject>
<TargetObject condition="contains">CurrentVersion\RunOnce</TargetObject>
<TargetObject condition="contains">\Services\</TargetObject>
<TargetObject condition="contains">\Policies\</TargetObject>
</RegistryEvent>
</RuleGroup>
<!-- DNS Queries (Event ID 22) -->
<RuleGroup name="DnsQuery" groupRelation="or">
<DnsQuery onmatch="exclude">
<QueryName condition="end with">.microsoft.com</QueryName>
<QueryName condition="end with">.windows.com</QueryName>
<QueryName condition="end with">.windowsupdate.com</QueryName>
</DnsQuery>
</RuleGroup>
<!-- Process Access (Event ID 10) - LSASS protection -->
<RuleGroup name="ProcessAccess" groupRelation="or">
<ProcessAccess onmatch="include">
<TargetImage condition="is">C:\Windows\System32\lsass.exe</TargetImage>
</ProcessAccess>
</RuleGroup>
<!-- CreateRemoteThread (Event ID 8) -->
<RuleGroup name="CreateRemoteThread" groupRelation="or">
<CreateRemoteThread onmatch="exclude">
<SourceImage condition="is">C:\Windows\System32\csrss.exe</SourceImage>
</CreateRemoteThread>
</RuleGroup>
</EventFiltering>
</Sysmon>
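The template's ProcessCreate block excludes on ParentImage alone, which silences every process the Service Control Manager starts. The fragment below is an added example, not part of the original cheat sheet, showing the weak exclusion beside a narrow one that uses a Rule element with groupRelation="and" (available since schema 4.22) so only a specific parent/child pair is dropped. The rule names and the -enc include are illustrative choices.

```xml
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256,imphash</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="ProcessCreate-Exclude" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <!-- Weak: every child of services.exe vanishes, including a malicious service binary -->
        <!-- <ParentImage condition="is">C:\Windows\System32\services.exe</ParentImage> -->
        <!-- Narrow: both conditions must hold, so only svchost.exe launched by services.exe is dropped -->
        <Rule name="svchost-from-scm" groupRelation="and">
          <ParentImage condition="is">C:\Windows\System32\services.exe</ParentImage>
          <Image condition="is">C:\Windows\System32\svchost.exe</Image>
        </Rule>
        <!-- Same pattern for another known-good pair; add one Rule per pair rather than widening a single match -->
        <Rule name="taskhostw-from-svchost" groupRelation="and">
          <ParentImage condition="is">C:\Windows\System32\svchost.exe</ParentImage>
          <Image condition="is">C:\Windows\System32\taskhostw.exe</Image>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
    <!-- Note: an event matching an exclude rule is dropped even if an include rule also matches,
         so keep exclusions narrow; includes cannot rescue what an exclusion removes -->
    <RuleGroup name="ProcessCreate-Include" groupRelation="or">
      <ProcessCreate onmatch="include">
        <CommandLine condition="contains">-enc</CommandLine>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Apply with sysmon64.exe -c and confirm the reload through Event ID 16; then start a service and check that its child process still produces an Event ID 1 while svchost.exe launches do not.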
Community Configurations
# SwiftOnSecurity Sysmon Config (excellent starting point)
# https://github.com/SwiftOnSecurity/sysmon-config
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml" -OutFile sysmonconfig.xml
# Review the downloaded file before applying it, then push it to the installed driver
sysmon64.exe -c sysmonconfig.xml
# Olaf Hartong's Sysmon Modular (one XML fragment per ATT&CK technique, merged into a single config)
# https://github.com/olafhartong/sysmon-modular
git clone https://github.com/olafhartong/sysmon-modular.git
cd sysmon-modular
# Merge the numbered module folders as needed (Merge-sysmonconfig.ps1 ships with the repository)
. .\Merge-sysmonconfig.ps1
Merge-AllSysmonXml -Path (Get-ChildItem '[0-9]*\*.xml') -AsString | Out-File sysmonconfig.xml
Querying Events
PowerShell Queries
# Properties[] follows the EventData field order of the current schema 4.x manifest and differs per event ID;
# the indexes used below are noted per query (or parse the event XML by field name instead)
# Get recent process creation events (Event ID 1: [4] Image, [10] CommandLine, [20] ParentImage)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} -MaxEvents 20 |
Select-Object TimeCreated, @{N='Image';E={$_.Properties[4].Value}}, @{N='CommandLine';E={$_.Properties[10].Value}}
# Find PowerShell executions
Get-WinEvent -FilterHashtable @{
LogName='Microsoft-Windows-Sysmon/Operational'
Id=1
} | Where-Object {
$_.Properties[4].Value -match 'powershell'
} | Select-Object TimeCreated, @{
N='CommandLine';E={$_.Properties[10].Value}
}
# Find network connections to non-standard ports (Event ID 3: [4] Image, [14] DestinationIp, [16] DestinationPort; [15] is DestinationHostname)
Get-WinEvent -FilterHashtable @{
LogName='Microsoft-Windows-Sysmon/Operational'
Id=3
} | Where-Object {
$_.Properties[16].Value -notin @(80,443,53,8080)
} | Select-Object TimeCreated, @{
N='Process';E={$_.Properties[4].Value}
}, @{
N='DestIP';E={$_.Properties[14].Value}
}, @{
N='DestPort';E={$_.Properties[16].Value}
} | Select-Object -First 20
# Find LSASS access attempts (Event ID 10: [5] SourceImage, [8] TargetImage, [9] GrantedAccess; [4] is SourceThreadId)
Get-WinEvent -FilterHashtable @{
LogName='Microsoft-Windows-Sysmon/Operational'
Id=10
} | Where-Object {
$_.Properties[8].Value -match 'lsass\.exe'
} | Select-Object TimeCreated, @{
N='Source';E={$_.Properties[5].Value}
}, @{
N='GrantedAccess';E={$_.Properties[9].Value}
}
# Recent DNS queries (Event ID 22: [4] QueryName, [7] Image; [3] is ProcessId)
Get-WinEvent -FilterHashtable @{
LogName='Microsoft-Windows-Sysmon/Operational'
Id=22
} -MaxEvents 50 | Select-Object TimeCreated, @{
N='Query';E={$_.Properties[4].Value}
}, @{
N='Process';E={$_.Properties[7].Value}
}
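Positional Properties[] indexes break silently when a field is added to the manifest. The script below is an added example, not part of the original cheat sheet: it reads each Sysmon event's EventData by field name and then correlates Event ID 1 with Event ID 3 through ProcessGuid, something a per-event-ID query cannot do. Field names are the schema 4.x names Sysmon writes; the 24-hour window and the user-writable path pattern are assumptions.

```powershell
# Added example: parse Sysmon EventData by name and join process creation (ID 1) to the
# network connections (ID 3) those processes initiated. ProcessGuid is used for the join
# because ProcessId is reused after a process exits.
# Assumptions: default log name, a 24-hour look-back, and "user-writable path" defined by regex.

function ConvertFrom-SysmonEvent {
    # Turns an EventRecord into an object with one property per EventData <Data Name="..."> element
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    process {
        $xml = [xml]$Event.ToXml()
        $obj = [ordered]@{ TimeCreated = $Event.TimeCreated; EventId = $Event.Id }
        foreach ($d in $xml.Event.EventData.Data) { $obj[$d.Name] = $d.'#text' }
        [pscustomobject]$obj
    }
}

$log   = 'Microsoft-Windows-Sysmon/Operational'
$since = (Get-Date).AddHours(-24)

# Process creations whose image lives in a user-writable location
$procs = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue |
    ConvertFrom-SysmonEvent |
    Where-Object { $_.Image -match '\\(Temp|Downloads|AppData)\\' }

# Index by ProcessGuid for O(1) lookup during the join
$byGuid = @{}
foreach ($p in $procs) { $byGuid[$p.ProcessGuid] = $p }

# Outbound (Initiated=true) connections made by exactly those processes
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 3; StartTime = $since } -ErrorAction SilentlyContinue |
    ConvertFrom-SysmonEvent |
    Where-Object { $_.Initiated -eq 'true' -and $byGuid.ContainsKey($_.ProcessGuid) } |
    ForEach-Object {
        $p = $byGuid[$_.ProcessGuid]
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $p.User
            Image       = $p.Image
            Parent      = $p.ParentImage
            CommandLine = $p.CommandLine
            Destination = "$($_.DestinationIp):$($_.DestinationPort)"
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

The same ConvertFrom-SysmonEvent function works for every event ID, so the detection rules later on this page can be written against field names (e.g. $_.GrantedAccess, $_.TargetImage) instead of numeric offsets.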
XPath Queries
# The Event Log XPath subset does not support contains(); it supports =, !=, <, >, position(), Band() and timediff().
# Put exact matches and time bounds in XPath (evaluated by the log service, fast) and do substring matching in PowerShell.
# Process creations by powershell.exe in the last hour, then look for encoded commands (Properties[10] = CommandLine)
$xpath = "*[System[EventID=1 and TimeCreated[timediff(@SystemTime) <= 3600000]] and EventData[Data[@Name='Image']='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe']]"
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -FilterXPath $xpath |
Where-Object { $_.Properties[10].Value -match '(?i)encodedcommand' }
# File creation in a Startup folder (Event ID 11: Properties[5] = TargetFilename)
$xpath = "*[System[EventID=11]]"
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -FilterXPath $xpath |
Where-Object { $_.Properties[5].Value -match '\\Startup\\' }
Advanced Usage
MITRE ATT&CK Detection Rules
# T1059.001 - PowerShell execution with suspicious flags (Properties[10] = CommandLine)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} |
Where-Object { $_.Properties[10].Value -match '(?i)(encodedcommand|bypass|hidden|noprofile|invoke-expression|iex|downloadstring)' }
# T1055 - Process Injection via CreateRemoteThread (Properties[4] = SourceImage, [7] = TargetImage)
# Excluding by file name alone is bypassable (an attacker can name a binary svchost.exe); use full paths in production
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=8} |
Where-Object { $_.Properties[4].Value -notmatch '(csrss|svchost|services)\.exe$' } |
Select-Object TimeCreated, @{N='Source';E={$_.Properties[4].Value}}, @{N='Target';E={$_.Properties[7].Value}}
# T1003.001 - LSASS credential dumping (Properties[5] = SourceImage, [8] = TargetImage, [9] = GrantedAccess)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=10} |
Where-Object { $_.Properties[8].Value -match 'lsass\.exe' -and $_.Properties[5].Value -notmatch '(csrss|svchost|MsMpEng)\.exe$' } |
Select-Object TimeCreated, @{N='Source';E={$_.Properties[5].Value}}, @{N='GrantedAccess';E={$_.Properties[9].Value}}
Log Forwarding to SIEM
<!-- Windows Event Forwarding subscription for Sysmon (source-initiated: clients push to the collector) -->
<!-- Collector: wecutil qc (once, enables the service), then wecutil cs Sysmon-Forward.xml -->
<!-- Clients: GPO "Configure target Subscription Manager" = Server=http://<collector-fqdn>:5985/wsman/SubscriptionManager/WEC,Refresh=60 -->
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
<SubscriptionId>Sysmon-Forward</SubscriptionId>
<SubscriptionType>SourceInitiated</SubscriptionType>
<Description>Forward Sysmon events to collector</Description>
<Enabled>true</Enabled>
<Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
<ConfigurationMode>MinLatency</ConfigurationMode>
<Query>
<![CDATA[
<QueryList>
<Query Id="0">
<Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
</Query>
</QueryList>
]]>
</Query>
<ReadExistingEvents>false</ReadExistingEvents>
<TransportName>HTTP</TransportName>
<!-- "Events" keeps the raw XML, which is smaller than RenderedText and easier for a SIEM to parse -->
<ContentFormat>Events</ContentFormat>
<Locale Language="en-US"/>
<LogFile>ForwardedEvents</LogFile>
<AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
<!-- SDDL granting Domain Computers (DC) and Domain Controllers (DD) the right to forward -->
<AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
Troubleshooting
| Issue | Solution |
|---|---|
| Events not logging | Verify service and driver are running: Get-Service Sysmon64; sc.exe query SysmonDrv. Confirm the channel is enabled: Get-WinEvent -ListLog Microsoft-Windows-Sysmon/Operational |
| Too many events | Tune config with exclude filters for noisy legitimate processes (Event IDs 7, 10 and 11 are the usual volume drivers) |
| Missing network events | With a config file, add NetworkConnect rules (onmatch="include"/"exclude") to the XML and re-apply with sysmon64 -c; without a config file, re-apply with sysmon64 -c -n |
| Config not applying | Verify schemaversion matches the binary (sysmon64 -s prints the schema the installed version supports); confirm the reload with Event ID 16 |
| High disk usage | Add exclusions for known-good processes, increase Event Log max size |
| Event Log full | Increase log size (value is bytes; 1 GB shown): wevtutil sl Microsoft-Windows-Sysmon/Operational /ms:1073741824 |
| Driver conflicts | Check for conflicts with AV/EDR kernel drivers |
| Installation fails | Run as Administrator, check Windows version compatibility |