Hardening Windows with Sysmon: Best Practices and Configuration Examples

Detecting Advanced Threats with Sysmon: Use Cases and Hunt Queries

Introduction
Sysmon (Microsoft Sysinternals System Monitor) provides high-fidelity endpoint telemetry—process creation, network connections, image loads, registry changes, inter-process activity and more—that closes visibility gaps left by standard Windows logs. Properly configured and paired with a SIEM or hunting toolkit, Sysmon enables timely detection of advanced techniques across the attack lifecycle. Below are practical use cases, detection rationales, and ready-to-run hunt queries (Splunk, EQL/Sigma-style guidance, and Elastic/KQL examples) you can adopt immediately.

Key Sysmon events to prioritize

  • Event ID 1 — Process Create (command line, parent process)
  • Event ID 3 — Network Connection (remote IP/port, process)
  • Event ID 7 — Image Load (DLL loads, code injection indicators)
  • Event ID 8 — CreateRemoteThread (process injection)
  • Event ID 10 / 11 — Process Access / File Create (LSASS reads, suspicious file drops)
  • Event ID 13 — Registry Value Set (persistence keys)
  • Event ID 22 — DNS Query (C2 via DNS)
  • Event ID 25 — Process Tampering (hollowing/injection)
    Use these as primary sources; combine with Windows Security events (e.g., 4688/4689), PowerShell logs, and EDR telemetry for richer context.

Use case 1 — Detect living-off-the-land (LOLBin) execution

Why: Attackers abuse signed system binaries (svchost, regsvr32, mshta, rundll32, wscript, cscript) to run payloads or one-liners that evade controls.
Signals: uncommon parent-child relationships, long/encoded command lines, signed binary spawning network activity.

Splunk SPL

Code

index=sysmon EventID=1 | where Image IN ("C:\\Windows\\System32\\mshta.exe","C:\\Windows\\System32\\rundll32.exe","C:\\Windows\\System32\\regsvr32.exe","C:\\Windows\\System32\\svchost.exe") | where CommandLine!="" | eval cmdlen=len(CommandLine) | where cmdlen>200 OR CommandLine LIKE "%-enc%" OR CommandLine LIKE "%Base64%" OR CommandLine LIKE "%Invoke-Expression%" | stats count by Host, User, Image, ParentImage, CommandLine, _time

Elastic/KQL

Code

event.dataset:sysmon.process and event.action:"process_start" and process.executable:("C:\\Windows\\System32\\mshta.exe" or "C:\\Windows\\System32\\rundll32.exe" or "C:\\Windows\\System32\\regsvr32.exe") and process.command_line:(*-enc* or *Base64* or *Invoke-Expression*)

KQL has no string-length function, so the >200-character command-line check from the SPL version has to be applied elsewhere (for example as a runtime field or an ES|QL query); the wildcard terms above cover the encoded and obfuscated-command signals.

Sigma (concept)

  • Detect process execution of LOLBins with unusually long or encoded command lines; map to your backend.

Use case 2 — Process injection and in-memory attacks

Why: Injection (CreateRemoteThread, Reflective DLL, Process Hollowing) avoids disk artifacts. Sysmon events 8, 7, 25 and process access events reveal these behaviors.
Signals: CreateRemoteThread events, image loads from unusual paths, process tampering, parent/child mismatches.

Splunk SPL

Code

index=sysmon (EventID=8 OR EventID=25 OR EventID=7) | eval suspicious=case(EventID==8,"CreateRemoteThread", EventID==25,"ProcessTamper", EventID==7,"ImageLoad") | where EventID==8 OR EventID==25 OR (EventID==7 AND NOT like(ImageLoaded,"C:\\Windows%")) | table _time, Host, ProcessGuid, ParentImage, Image, ImageLoaded, TargetProcessName, EventID, suspicious

EQL (concept)

  • sequence by host.id with maxspan=1m [process where process.name == "powershell.exe"] [any where event.code == "8" or (event.code == "7" and dll.name : "suspicious.dll")]

Use case 3 — Credential dumping (LSASS access)

Why: Tools and techniques (procdump/comsvcs, mimikatz, NTDS export) read LSASS memory or extract NTDS.dit. Sysmon logs process access (EventID 10/8) and file creation events when dumps are written.
Signals: non-admin tools accessing lsass.exe, lsass memory read, creation of dump files in nonstandard locations, PowerShell spawning NTDSUtil or procdump.

Splunk SPL

Code

index=sysmon (EventID=10 OR EventID=8 OR EventID=11) | where TargetImage LIKE "%lsass.exe" OR Image LIKE "%procdump%" | stats values(Image) as Process, values(CommandLine) as CommandLine, values(TargetImage) as Target by Host, _time

KQL

Code

SysmonEvent | where EventID in (8,10,11) | where TargetImage contains "lsass.exe" or CommandLine contains "procdump"

Hunt tip: correlate with process token manipulation, new service creation, and NTDS file access from domain controllers.

Use case 4 — C2 discovery: suspicious DNS and network connections

Why: C2 channels often use irregular DNS queries, uncommon ports, and failed/rare remote connections. Sysmon EventID 22 (DNS) and 3 (Network Connection) show process-level network behavior.
Signals: DNS queries for dynamically generated domains, TXT/NULL record usage, outbound connections to rare countries or high-entropy domains, parentless network-initiating processes.

Splunk SPL

Code

index=sysmon (EventID=22 OR EventID=3) | eval q=if(EventID==22,QueryName,DestinationIp) | iplocation DestinationIp | stats count by Host, Image, q, DestinationIp, DestinationPort, QueryType, Country | where QueryType=="TXT" OR QueryType=="NULL" OR NOT DestinationPort IN (80,443,53) | where NOT Country IN ("US","CA","GB")

Adjust the country baseline to your org.

Sigma (concept)

  • Alert when a process makes DNS queries with high-entropy domain labels or when a desktop process initiates outbound connections to rarely-seen IPs.

Entropy check (example pseudocode)

  • flag domains where Shannon entropy(domain label) > 4.0
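The entropy check above, worked through as an added example (not code from the original post) over constructed Sysmon Event ID 22 records: entropy is computed per label rather than over the whole name, the final label (TLD) is ignored, and the 4.0-bit threshold from the page is kept.

```python
import math
from collections import Counter

# Constructed Sysmon Event ID 22 (DNS query) records, not real telemetry.
SAMPLE_DNS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "QueryName": "ctldl.windowsupdate.com"},
    {"Image": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "QueryName": "x7q9zk2mvb4tpl8hwnd3fyr5.example.net"},
    {"Image": r"C:\Program Files\Browser\browser.exe", "QueryName": "www.example.org"},
]

def shannon_entropy(s):
    """Bits per character of s; 0.0 for the empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def max_label_entropy(qname):
    """Highest per-label entropy, ignoring the final (TLD) label.
    Entropy is bounded by log2(len(label)), so a label needs at least
    17 characters before it can exceed the 4.0-bit threshold at all."""
    labels = qname.rstrip(".").lower().split(".")[:-1]
    return max((shannon_entropy(label) for label in labels), default=0.0)

def flag_high_entropy(events, threshold=4.0):
    """Return (Image, QueryName, entropy) for queries above the threshold."""
    hits = []
    for ev in events:
        h = max_label_entropy(ev["QueryName"])
        if h > threshold:
            hits.append((ev["Image"], ev["QueryName"], round(h, 2)))
    return hits
```

Long hashed labels from CDNs and cloud services also score high, so allow-list those suffixes before turning this into an alert.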

Use case 5 — Persistence discovery (registry, scheduled tasks, WMI)

Why: Attackers register run keys, scheduled tasks, WMI filters/consumers. Sysmon event IDs 13 (Registry Value Set), 1 (process create spawned by schtasks), and WMI events (19/20) show these activities.
Signals: new/modified Run/RunOnce keys, services installed with odd names, scheduled tasks created by non-admin users or unusual processes.

Splunk SPL

Code

index=sysmon (EventID=13 OR EventID=1) | where (EventID==13 AND RegistryKey LIKE "%\\Run\\%") OR (EventID==1 AND ParentImage LIKE "%schtasks.exe%") | table _time, Host, User, RegistryKey, RegistryValue, Image, CommandLine

Hunt tip: track the first seen time of persistence artifacts and look for process trees launched from those artifacts.

Use case 6 — Lateral movement (PsExec, SMB, WMI)

Why: Adversaries move laterally using PsExec, SMB file copy, WMI, RDP. Sysmon records process launches, network connections, and named-pipe usage (Event IDs 1, 3, 17/18).
Signals: cmd/psexec spawning remote commands, suspicious use of SMB to copy executables, creation of named pipes between unexpected processes.

Splunk SPL

Code

index=sysmon EventID=1 | where CommandLine LIKE "%psexec%" OR CommandLine LIKE "%wmic%" OR CommandLine LIKE "%schtasks /s%" | stats count by Host, User, Image, CommandLine, _time

KQL

Code

SysmonEvent | where EventID==3 and DestinationPort==445 | summarize count() by InitiatingProcessFileName, DestinationIp

Practical hunt queries: quick copy-paste (3 high-fidelity rules)

  1. Parent mismatch (suspicious child process parent)

Code

index=sysmon EventID=1 | where NOT (ParentImage IN ("C:\\Windows\\System32\\services.exe","C:\\Windows\\explorer.exe","C:\\Windows\\System32\\svchost.exe")) | where Image IN ("C:\\Windows\\System32\\cmd.exe","C:\\Windows\\System32\\powershell.exe","C:\\Windows\\System32\\wscript.exe") | stats count by Host, User, ParentImage, Image, CommandLine
  2. Encoded PowerShell

Code

index=sysmon EventID=1 Image="*\powershell.exe" | where CommandLine LIKE "%-Enc%" OR CommandLine LIKE "%-EncodedCommand%" | table _time, Host, User, CommandLine, ParentImage
  3. CreateRemoteThread followed by unusual network

Code

index=sysmon EventID=8 | join type=left ProcessGuid [ search index=sysmon EventID=3 | fields ProcessGuid, DestinationIp, DestinationPort ] | where isnotnull(DestinationIp) AND NOT DestinationPort IN (80,443) | table _time, Host, ProcessGuid, Image, TargetProcessName, DestinationIp, DestinationPort
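Rule 3 as an added, offline example (not the post's own code): it pairs each CreateRemoteThread with network connections by the same process, but unlike a plain SIEM join it requires the connection to happen after the injection and within a window (5 minutes, an assumed value). Note that raw Sysmon Event ID 8 records carry the injecting process as SourceProcessGuid/SourceImage, so that is the key matched against the network event's ProcessGuid; the records below are constructed.

```python
from datetime import datetime, timedelta

# Constructed Sysmon records (EventID 8 = CreateRemoteThread, 3 = network connection);
# not real telemetry. Event 8 uses Sysmon's native SourceProcessGuid/SourceImage names.
SAMPLE = [
    {"EventID": 8, "UtcTime": "2024-01-10 10:00:00", "SourceProcessGuid": "{G1}",
     "SourceImage": r"C:\Users\alice\Downloads\setup.exe", "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "UtcTime": "2024-01-10 09:59:00", "ProcessGuid": "{G1}",   # before injection
     "Image": r"C:\Users\alice\Downloads\setup.exe", "DestinationIp": "203.0.113.7", "DestinationPort": 8443},
    {"EventID": 3, "UtcTime": "2024-01-10 10:00:20", "ProcessGuid": "{G1}",   # 20 s after, odd port
     "Image": r"C:\Users\alice\Downloads\setup.exe", "DestinationIp": "203.0.113.7", "DestinationPort": 8443},
    {"EventID": 3, "UtcTime": "2024-01-10 10:00:25", "ProcessGuid": "{G1}",   # benign port
     "Image": r"C:\Users\alice\Downloads\setup.exe", "DestinationIp": "203.0.113.8", "DestinationPort": 443},
    {"EventID": 3, "UtcTime": "2024-01-10 10:00:30", "ProcessGuid": "{G2}",   # no injection by G2
     "Image": r"C:\Program Files\Browser\browser.exe", "DestinationIp": "198.51.100.9", "DestinationPort": 8080},
]

BENIGN_PORTS = {80, 443}

def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")

def correlate_injection_to_network(events, window=timedelta(minutes=5), benign_ports=BENIGN_PORTS):
    """Return (SourceImage, TargetImage, DestinationIp, DestinationPort, seconds_after)
    for each network connection the injecting process makes within `window`
    after its CreateRemoteThread, excluding benign ports."""
    net_by_guid = {}
    for ev in events:
        if ev["EventID"] == 3:
            net_by_guid.setdefault(ev["ProcessGuid"], []).append(ev)
    hits = []
    for inj in events:
        if inj["EventID"] != 8:
            continue
        t0 = _ts(inj)
        for conn in net_by_guid.get(inj["SourceProcessGuid"], []):
            dt = _ts(conn) - t0
            # Ordering matters: a connection before the injection is not evidence of post-injection C2.
            if timedelta(0) <= dt <= window and conn["DestinationPort"] not in benign_ports:
                hits.append((inj["SourceImage"], inj["TargetImage"], conn["DestinationIp"],
                             conn["DestinationPort"], int(dt.total_seconds())))
    return hits
```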

Triage and investigation playbook (3-step)

  1. Contain: isolate host(s) with confirmed process injection, credential dumping, or C2.
  2. Collect: export Sysmon logs, Windows Security logs, PowerShell logs, memory dump (if safe), and relevant artifacts (dropped files, registry keys).
  3. Hunt laterally: pivot on accounts, hostnames, and file hashes; run a timeline of Event IDs 1/3/7/8/10/13/22 across the environment.

Configuration & noise reduction tips

  • Enable full command line capture and process GUIDs.
  • Use filtering rules carefully—don’t drop events needed for detection.
  • Tame noise by whitelisting known benign parent-child combos and common developer tools (e.g., Visual Studio, Intune installers).
  • Deploy a well-curated Sysmon config (e.g., Swift
