sysmon.json

{
  "dataset": {
    "name": "EID Quick Reference - Sysmon",
    "version": "1.8.0",
    "generatedAt": "2026-05-10T00:00:00Z",
    "id": "https://raw.githubusercontent.com/zerber0s/windows-eid-data/main/sysmon.json",
    "schema": "https://raw.githubusercontent.com/zerber0s/windows-eid-data/main/schema.json",
    "license": {
      "name": "Creative Commons Attribution 4.0 International",
      "spdx": "CC-BY-4.0",
      "notice": "Event descriptions are paraphrased summaries written for this dataset. Source links point to authoritative references."
    },
    "sources": [
      {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon",
        "type": "primary"
      }
    ]
  },
  "entries": [
    {
      "id": 1,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "Process created",
      "summary": "A new process was created.",
      "details": "Generated when a new process is created. This is one of the most forensically valuable Sysmon events, capturing the full process execution context including the executable path, command line arguments, parent process lineage, file hashes, and integrity level.",
      "category": "Process Execution",
      "tags": [
        "process-creation",
        "execution",
        "defense-evasion",
        "masquerading"
      ],
      "relatedEventIds": [
        {
          "id": 5,
          "log": "Sysmon"
        },
        {
          "id": 4688,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1059",
          "techniqueName": "Command and Scripting Interpreter",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            }
          ]
        },
        {
          "techniqueId": "T1036",
          "techniqueName": "Masquerading",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Compare Image path against expected locations — system binaries should reside in System32 or SysWOW64",
          "Review CommandLine for encoded payloads (base64, -EncodedCommand), LOLBAS flags (e.g., certutil -decode, regsvr32 /s /u, wscript /b, rundll32 with a non-standard export), or unusual argument patterns",
          "Examine ParentImage to identify unexpected process parent-child relationships (e.g., Office apps spawning scripting engines)",
          "Hash lookups against threat intelligence feeds can confirm known-bad binaries",
          "IntegrityLevel of High or System for unexpected processes may indicate privilege escalation"
        ],
        "commonFalsePositives": [
          "Software installers and update mechanisms frequently spawn child processes",
          "Administrative scripts and scheduled tasks running legitimate management tools",
          "Development environments invoking compilers, interpreters, and build tools"
        ]
      },
      "keyFields": [
        {
          "name": "Image",
          "xpath": "EventData/Data[@Name='Image']",
          "description": "Full path of the newly created process executable"
        },
        {
          "name": "CommandLine",
          "xpath": "EventData/Data[@Name='CommandLine']",
          "description": "Full command line including all arguments passed to the process"
        },
        {
          "name": "ParentImage",
          "xpath": "EventData/Data[@Name='ParentImage']",
          "description": "Full path of the parent process that spawned this one"
        },
        {
          "name": "ParentCommandLine",
          "xpath": "EventData/Data[@Name='ParentCommandLine']",
          "description": "Command line of the parent process"
        },
        {
          "name": "User",
          "xpath": "EventData/Data[@Name='User']",
          "description": "Account context under which the process runs"
        },
        {
          "name": "Hashes",
          "xpath": "EventData/Data[@Name='Hashes']",
          "description": "Configurable file hashes of the process executable (SHA256 recommended)"
        },
        {
          "name": "CurrentDirectory",
          "xpath": "EventData/Data[@Name='CurrentDirectory']",
          "description": "Working directory of the new process"
        },
        {
          "name": "IntegrityLevel",
          "xpath": "EventData/Data[@Name='IntegrityLevel']",
          "description": "Integrity level of the process (Low, Medium, High, System)"
        },
        {
          "name": "ProcessId",
          "xpath": "EventData/Data[@Name='ProcessId']",
          "description": "Process ID of the newly created process"
        },
        {
          "name": "ProcessGuid",
          "xpath": "EventData/Data[@Name='ProcessGuid']",
          "description": "Unique GUID for the process; use for cross-event correlation"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "Suspicious Office Application Spawning Scripting Engine",
          "rule": "Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| parse EventData with * '<Data Name=\"ParentImage\">' ParentImage '</Data>' *\n| parse EventData with * '<Data Name=\"Image\">' Image '</Data>' *\n| where ParentImage has_any (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"OUTLOOK.EXE\", \"MSPUB.EXE\")\n| where Image has_any (\"cmd.exe\", \"powershell.exe\", \"wscript.exe\", \"cscript.exe\", \"mshta.exe\", \"rundll32.exe\")\n| project TimeGenerated, Computer, Image, ParentImage\n| order by TimeGenerated desc",
          "notes": "Adapt field parsing to your Sysmon ingestion method (Event table MMA, WindowsEvent AMA, or SysmonEvent custom table). Add CommandLine parsing for richer context."
        },
        {
          "platform": "Sigma",
          "title": "Suspicious Parent-Child Process Relationship",
          "rule": "title: Suspicious Process Created by Office Application\nstatus: stable\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith:\n      - '\\WINWORD.EXE'\n      - '\\EXCEL.EXE'\n      - '\\POWERPNT.EXE'\n      - '\\OUTLOOK.EXE'\n    Image|endswith:\n      - '\\cmd.exe'\n      - '\\powershell.exe'\n      - '\\wscript.exe'\n      - '\\cscript.exe'\n      - '\\mshta.exe'\n  condition: selection\nfalsepositives:\n  - Macros legitimately invoking scripts for business automation\nlevel: high"
        }
      ],
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 2,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "File creation time changed",
      "summary": "A process modified the creation timestamp of a file.",
      "details": "Generated when a process changes the creation timestamp of a file, a technique known as timestomping. Timestomping makes malicious files appear to have been present on the system long before they were actually dropped, undermining timeline-based forensics. Legitimate software rarely alters file creation times.",
      "category": "Timestomping",
      "tags": [
        "timestomping",
        "defense-evasion",
        "anti-forensics",
        "file-activity"
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1070.006",
          "techniqueName": "Indicator Removal: Timestomp",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "PreviousCreationUtcTime more recent than CreationUtcTime confirms deliberate backdating",
          "Identify Image — timestomping by scripting engines, tools like touch.exe, or unknown binaries warrants investigation",
          "Correlate TargetFilename with EID 11 (FileCreate) to establish when the file was actually written to disk",
          "Check if the forged CreationUtcTime aligns with a date that would make the file appear pre-existing"
        ],
        "commonFalsePositives": [
          "Some archive extraction tools and installers set file timestamps to match the original packaged files",
          "Build systems and deployment tools may normalize timestamps"
        ]
      },
      "keyFields": [
        {
          "name": "Image",
          "xpath": "EventData/Data[@Name='Image']",
          "description": "Full path of the process that modified the file timestamp"
        },
        {
          "name": "TargetFilename",
          "xpath": "EventData/Data[@Name='TargetFilename']",
          "description": "Path of the file whose creation timestamp was changed"
        },
        {
          "name": "CreationUtcTime",
          "xpath": "EventData/Data[@Name='CreationUtcTime']",
          "description": "The new (forged) creation timestamp written to the file"
        },
        {
          "name": "PreviousCreationUtcTime",
          "xpath": "EventData/Data[@Name='PreviousCreationUtcTime']",
          "description": "The original creation timestamp before modification"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 3,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "Network connection",
      "summary": "A process initiated or received a network connection.",
      "details": "Generated when a process makes or accepts a TCP/UDP network connection. This event captures the process identity along with full source and destination addressing, enabling detection of C2 beaconing, lateral movement, and data exfiltration at the process level.",
      "category": "Network Activity",
      "tags": [
        "network",
        "c2",
        "lateral-movement",
        "exfiltration",
        "beaconing"
      ],
      "relatedEventIds": [
        {
          "id": 22,
          "log": "Sysmon"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1071",
          "techniqueName": "Application Layer Protocol",
          "tactics": [
            {
              "tacticId": "TA0011",
              "tacticName": "Command and Control"
            }
          ]
        },
        {
          "techniqueId": "T1571",
          "techniqueName": "Non-Standard Port",
          "tactics": [
            {
              "tacticId": "TA0011",
              "tacticName": "Command and Control"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Flag processes that do not ordinarily make network connections — this includes LOLBAS tools: LOLBins such as regsvr32.exe, mshta.exe, certutil.exe, and bitsadmin.exe; LOLBAS Scripts such as wscript.exe and cscript.exe; and libraries loaded via rundll32.exe",
          "Check DestinationIp against threat intelligence; newly registered domains and dynamic DNS providers are common C2 indicators",
          "Periodic beaconing patterns (regular intervals to the same IP) suggest C2 heartbeats",
          "Correlate with EID 22 to link DNS resolution to the subsequent connection"
        ],
        "commonFalsePositives": [
          "Software update checks and telemetry from installed applications",
          "Browsers, mail clients, and other network-facing applications making routine connections",
          "Security and endpoint management tools performing check-ins"
        ]
      },
      "keyFields": [
        {
          "name": "Image",
          "xpath": "EventData/Data[@Name='Image']",
          "description": "Full path of the process initiating or receiving the connection"
        },
        {
          "name": "SourceIp",
          "xpath": "EventData/Data[@Name='SourceIp']",
          "description": "Source IP address of the connection"
        },
        {
          "name": "SourcePort",
          "xpath": "EventData/Data[@Name='SourcePort']",
          "description": "Source port number"
        },
        {
          "name": "DestinationIp",
          "xpath": "EventData/Data[@Name='DestinationIp']",
          "description": "Destination IP address of the connection"
        },
        {
          "name": "DestinationPort",
          "xpath": "EventData/Data[@Name='DestinationPort']",
          "description": "Destination port number"
        },
        {
          "name": "Protocol",
          "xpath": "EventData/Data[@Name='Protocol']",
          "description": "Network protocol used (tcp or udp)"
        },
        {
          "name": "User",
          "xpath": "EventData/Data[@Name='User']",
          "description": "Account context of the process making the connection"
        },
        {
          "name": "Initiated",
          "xpath": "EventData/Data[@Name='Initiated']",
          "description": "Whether the connection was initiated (true) or received (false) by the process"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "Unexpected Process Making Outbound Connection",
          "rule": "Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| parse EventData with * '<Data Name=\"Image\">' Image '</Data>' *\n| parse EventData with * '<Data Name=\"DestinationIp\">' DestinationIp '</Data>' *\n| parse EventData with * '<Data Name=\"DestinationPort\">' DestinationPort '</Data>' *\n| where Image has_any (\"notepad.exe\", \"mshta.exe\", \"regsvr32.exe\", \"wscript.exe\", \"cscript.exe\", \"certutil.exe\", \"bitsadmin.exe\")\n| project TimeGenerated, Computer, Image, DestinationIp, DestinationPort\n| order by TimeGenerated desc",
          "notes": "Expand the process list based on your environment's baseline. LOLBAS tools (binaries, scripts, and library loaders) making outbound connections on unusual ports are high-fidelity C2 indicators."
        },
        {
          "platform": "Sigma",
          "title": "LOLBAS Tool Making Network Connection",
          "rule": "title: LOLBAS Network Connection\nstatus: stable\nlogsource:\n  category: network_connection\n  product: windows\ndetection:\n  selection:\n    Initiated: 'true'\n    Image|endswith:\n      - '\\mshta.exe'\n      - '\\regsvr32.exe'\n      - '\\certutil.exe'\n      - '\\bitsadmin.exe'\n      - '\\wscript.exe'\n      - '\\cscript.exe'\n      - '\\msbuild.exe'\n      - '\\wmic.exe'\n      - '\\rundll32.exe'\n  condition: selection\nfalsepositives:\n  - certutil performing legitimate CRL checks\n  - bitsadmin performing authorized downloads\n  - msbuild during legitimate build pipeline tasks\nlevel: high",
          "notes": "Covers LOLBAS Binaries (mshta, regsvr32, certutil, bitsadmin, wmic, msbuild, rundll32) and Scripts (wscript, cscript). rundll32 and regsvr32 are also entry points for LOLBAS Libraries (malicious .dll side-loading)."
        }
      ],
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-04-07"
    },
    {
      "id": 4,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "Sysmon service state changed",
      "summary": "The Sysmon service started or stopped.",
      "details": "Generated when the Sysmon service itself starts or stops. An unexpected stop outside planned maintenance or updates may indicate an adversary attempting to disable telemetry as part of defense evasion.",
      "category": "Service Activity",
      "tags": [
        "sysmon",
        "defense-evasion",
        "tamper",
        "service"
      ],
      "relatedEventIds": [
        {
          "id": 16,
          "log": "Sysmon"
        },
        {
          "id": 7036,
          "log": "System"
        },
        {
          "id": 4697,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1685",
          "techniqueName": "Disable or Modify Tools",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Unexpected State: Stopped outside of maintenance windows warrants immediate investigation",
          "Correlate with Security EID 4688 to identify what process stopped the Sysmon service",
          "Check for preceding EID 16 events indicating a configuration change before the stop",
          "Review for sc.exe, net.exe, or PowerShell Stop-Service invocations in EID 1"
        ],
        "commonFalsePositives": [
          "Planned Sysmon updates or reconfigurations by IT or security teams",
          "System reboots will produce a Stopped event followed by a Running event on startup"
        ]
      },
      "keyFields": [
        {
          "name": "State",
          "xpath": "EventData/Data[@Name='State']",
          "description": "Service state: Running or Stopped"
        },
        {
          "name": "Version",
          "xpath": "EventData/Data[@Name='Version']",
          "description": "Sysmon driver version"
        },
        {
          "name": "SchemaVersion",
          "xpath": "EventData/Data[@Name='SchemaVersion']",
          "description": "Schema version of the Sysmon event format"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 5,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "Process terminated",
      "summary": "A process exited.",
      "details": "Generated when a monitored process terminates. The time delta between EID 1 (process creation) and EID 5 for the same ProcessId indicates process lifetime duration. Short-lived processes that spawn and terminate within seconds are commonly used to execute payloads while avoiding prolonged visibility.",
      "category": "Process Execution",
      "tags": [
        "process-termination",
        "execution",
        "defense-evasion"
      ],
      "relatedEventIds": [
        {
          "id": 1,
          "log": "Sysmon"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1059",
          "techniqueName": "Command and Scripting Interpreter",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Calculate process lifetime by correlating ProcessId across EID 1 and EID 5 — very short-lived processes are a detection signal",
          "Repeated rapid creation and termination of the same Image may indicate a dropper or loader pattern",
          "Correlate with EID 3 and EID 11 to see what network connections or files were created during the process lifetime"
        ],
        "commonFalsePositives": [
          "Short-lived system processes (e.g., conhost.exe, WMI providers) are normal",
          "Scripting engines invoked for single commands terminate quickly by design"
        ]
      },
      "keyFields": [
        {
          "name": "Image",
          "xpath": "EventData/Data[@Name='Image']",
          "description": "Full path of the terminated process executable"
        },
        {
          "name": "ProcessId",
          "xpath": "EventData/Data[@Name='ProcessId']",
          "description": "Process ID of the terminated process"
        },
        {
          "name": "ProcessGuid",
          "xpath": "EventData/Data[@Name='ProcessGuid']",
          "description": "Unique GUID for correlation with the corresponding EID 1 creation event"
        },
        {
          "name": "UtcTime",
          "xpath": "EventData/Data[@Name='UtcTime']",
          "description": "UTC timestamp of process termination"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-03-30"
    },
    {
      "id": 6,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "Driver loaded",
      "summary": "A driver was loaded into the kernel.",
      "details": "Generated when a driver is loaded into the kernel. Kernel-mode drivers have unrestricted system access, making malicious driver loading (BYOVD -- Bring Your Own Vulnerable Driver) a high-severity technique. Modern systems enforce Driver Signature Enforcement (DSE), so unsigned or invalidly signed drivers are notable on production endpoints.",
      "category": "Driver Load",
      "tags": [
        "driver",
        "kernel",
        "byovd",
        "defense-evasion",
        "privilege-escalation"
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1014",
          "techniqueName": "Rootkit",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        },
        {
          "techniqueId": "T1543",
          "techniqueName": "Create or Modify System Process",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Signed: false or SignatureStatus not Valid on a production system is a critical finding",
          "Check ImageLoaded path — drivers should load from System32\\drivers or a known vendor path",
          "Hash the driver and check against known BYOVD databases (e.g., loldrivers.io)",
          "Correlate with EID 1 to identify what process initiated the driver load"
        ],
        "commonFalsePositives": [
          "Legitimate security software, virtualization platforms, and hardware vendor drivers",
          "Windows updates loading new or updated drivers"
        ]
      },
      "keyFields": [
        {
          "name": "ImageLoaded",
          "xpath": "EventData/Data[@Name='ImageLoaded']",
          "description": "Full path of the loaded driver file"
        },
        {
          "name": "Hashes",
          "xpath": "EventData/Data[@Name='Hashes']",
          "description": "Configurable hashes of the driver file"
        },
        {
          "name": "Signed",
          "xpath": "EventData/Data[@Name='Signed']",
          "description": "Whether the driver has a valid digital signature (true/false)"
        },
        {
          "name": "SignatureStatus",
          "xpath": "EventData/Data[@Name='SignatureStatus']",
          "description": "Signature validation result (Valid, Expired, Revoked, etc.)"
        },
        {
          "name": "Signature",
          "xpath": "EventData/Data[@Name='Signature']",
          "description": "Name of the signer"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-05-10",
      "relatedEventIds": [
        {
          "id": 3001,
          "log": "CodeIntegrity"
        },
        {
          "id": 3033,
          "log": "CodeIntegrity"
        }
      ]
    },
    {
      "id": 7,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "Image loaded",
      "summary": "A DLL or executable image was loaded into a process.",
      "details": "Generated when a module (DLL or EXE) is loaded into a process. This event is high-volume and typically requires targeted filtering to be operationally useful. Primary detection scenarios include DLL side-loading (a legitimate process loading a malicious DLL from an unexpected path), reflective DLL injection, and unsigned modules loaded into processes that should only load signed code.",
      "category": "DLL Load",
      "tags": [
        "dll",
        "dll-sideloading",
        "injection",
        "defense-evasion"
      ],
      "relatedEventIds": [
        {
          "id": 1,
          "log": "Sysmon"
        },
        {
          "id": 10,
          "log": "Sysmon"
        },
        {
          "id": 316,
          "log": "PrintSpooler"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1574.001",
          "techniqueName": "Hijack Execution Flow: DLL",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        },
        {
          "techniqueId": "T1055",
          "techniqueName": "Process Injection",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Flag unsigned DLLs (Signed: false) loaded by security-sensitive processes like lsass.exe, winlogon.exe",
          "DLLs loaded from user-writable paths (AppData, Temp, Downloads) by system or trusted processes indicate side-loading",
          "Compare ImageLoaded name against known DLL hijacking targets (e.g., version.dll, winhttp.dll in application directories)",
          "Hash lookups can identify known malicious or vulnerable modules"
        ],
        "commonFalsePositives": [
          "High-volume event — most loads are legitimate; effective detection requires tight scoping to sensitive processes",
          "Legitimate software loading unsigned third-party DLLs for plugins or add-ons"
        ]
      },
      "keyFields": [
        {
          "name": "Image",
          "xpath": "EventData/Data[@Name='Image']",
          "description": "Full path of the process loading the module"
        },
        {
          "name": "ImageLoaded",
          "xpath": "EventData/Data[@Name='ImageLoaded']",
          "description": "Full path of the loaded DLL or module"
        },
        {
          "name": "Hashes",
          "xpath": "EventData/Data[@Name='Hashes']",
          "description": "Configurable hashes of the loaded module"
        },
        {
          "name": "Signed",
          "xpath": "EventData/Data[@Name='Signed']",
          "description": "Whether the module has a valid digital signature (true/false)"
        },
        {
          "name": "SignatureStatus",
          "xpath": "EventData/Data[@Name='SignatureStatus']",
          "description": "Signature validation result (Valid, Expired, Revoked, etc.)"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "Unsigned DLL Loaded by Sensitive Process",
          "rule": "Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 7\n| parse EventData with * '<Data Name=\"Image\">' Image '</Data>' *\n| parse EventData with * '<Data Name=\"ImageLoaded\">' ImageLoaded '</Data>' *\n| parse EventData with * '<Data Name=\"Signed\">' Signed '</Data>' *\n| where Signed == \"false\"\n| where Image has_any (\"lsass.exe\", \"winlogon.exe\", \"csrss.exe\", \"svchost.exe\")\n| project TimeGenerated, Computer, Image, ImageLoaded, Signed\n| order by TimeGenerated desc",
          "notes": "This event is very high-volume. Scope tightly to sensitive processes. For DLL side-loading, additionally filter ImageLoaded for paths outside System32."
        },
        {
          "platform": "Sigma",
          "title": "Unsigned DLL Loaded from User-Writable Path",
          "rule": "title: Unsigned DLL Loaded from Suspicious Path\nstatus: experimental\nlogsource:\n  category: image_load\n  product: windows\ndetection:\n  selection:\n    Signed: 'false'\n    ImageLoaded|contains:\n      - '\\AppData\\'\n      - '\\Temp\\'\n      - '\\Users\\'\n  condition: selection\nfalsepositives:\n  - Development builds and unsigned test DLLs\nlevel: medium"
        }
      ],
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 8,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "CreateRemoteThread",
      "summary": "A process created a thread in another process.",
      "details": "Generated when a process creates a thread in a different process using the CreateRemoteThread API, a primary mechanism for classic code injection. This technique allows an attacker to execute arbitrary code within the address space of another process, often targeting sensitive system processes.",
      "category": "Code Injection",
      "tags": [
        "injection",
        "createremotethread",
        "execution",
        "defense-evasion"
      ],
      "relatedEventIds": [
        {
          "id": 10,
          "log": "Sysmon"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1055.003",
          "techniqueName": "Process Injection: Thread Execution Hijacking",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        },
        {
          "techniqueId": "T1055",
          "techniqueName": "Process Injection",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "TargetImage of lsass.exe, winlogon.exe, or explorer.exe is high-priority — these are common injection targets",
          "StartAddress outside the address space of known loaded modules indicates shellcode",
          "Correlate SourceImage with EID 1 to understand the origin of the injecting process",
          "Correlate with EID 10 on the same TargetImage in the same time window to confirm the full injection sequence",
          "StartAddress pointing outside known module boundaries (heap or stack memory rather than mapped DLL space) indicates shellcode execution"
        ],
        "commonFalsePositives": [
          "Some legitimate security products and debuggers use CreateRemoteThread for inspection or instrumentation",
          "JIT compilers and some virtualization tools may use cross-process thread creation"
        ]
      },
      "keyFields": [
        {
          "name": "SourceImage",
          "xpath": "EventData/Data[@Name='SourceImage']",
          "description": "Full path of the process that created the remote thread (the injector)"
        },
        {
          "name": "TargetImage",
          "xpath": "EventData/Data[@Name='TargetImage']",
          "description": "Full path of the process that received the injected thread"
        },
        {
          "name": "NewThreadId",
          "xpath": "EventData/Data[@Name='NewThreadId']",
          "description": "Thread ID of the newly created remote thread"
        },
        {
          "name": "StartAddress",
          "xpath": "EventData/Data[@Name='StartAddress']",
          "description": "Memory address where the remote thread begins execution"
        },
        {
          "name": "StartModule",
          "xpath": "EventData/Data[@Name='StartModule']",
          "description": "Module containing the start address, if mapped to a known module"
        },
        {
          "name": "StartFunction",
          "xpath": "EventData/Data[@Name='StartFunction']",
          "description": "Function name at the start address, if resolved"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "CreateRemoteThread into Sensitive Process",
          "rule": "Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 8\n| parse EventData with * '<Data Name=\"SourceImage\">' SourceImage '</Data>' *\n| parse EventData with * '<Data Name=\"TargetImage\">' TargetImage '</Data>' *\n| where TargetImage has_any (\"lsass.exe\", \"winlogon.exe\", \"explorer.exe\", \"svchost.exe\", \"csrss.exe\")\n| where SourceImage !has \"\\\\Windows\\\\\"\n| project TimeGenerated, Computer, SourceImage, TargetImage\n| order by TimeGenerated desc"
        },
        {
          "platform": "Sigma",
          "title": "CreateRemoteThread into lsass.exe",
          "rule": "title: CreateRemoteThread into lsass.exe\nstatus: stable\nlogsource:\n  category: create_remote_thread\n  product: windows\ndetection:\n  selection:\n    TargetImage|endswith: '\\lsass.exe'\n  filter:\n    SourceImage|startswith: 'C:\\Windows\\'\n  condition: selection and not filter\nfalsepositives:\n  - Security products using thread injection for monitoring\nlevel: critical"
        }
      ],
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 9,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "RawAccessRead",
      "summary": "A process read from a disk device using raw access.",
      "details": "Generated when a process reads directly from a disk volume using raw access (bypassing the filesystem), detected via \\\\.\\PhysicalDrive or \\\\.\\HarddiskVolume handles. Raw disk access is used by credential harvesting tools (to read NTDS.dit or hibernation/page files directly), disk imaging utilities, rootkits, and destructive wipers. Legitimate consumers are narrow: backup software, disk management utilities, and forensic tools.",
      "category": "Disk Access",
      "tags": [
        "raw-access",
        "credential-access",
        "defense-evasion",
        "collection"
      ],
      "relatedEventIds": [
        {
          "id": 1,
          "log": "Sysmon"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1003.003",
          "techniqueName": "OS Credential Dumping: NTDS",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        },
        {
          "techniqueId": "T1561.001",
          "techniqueName": "Disk Wipe: Disk Content Wipe",
          "tactics": [
            {
              "tacticId": "TA0040",
              "tacticName": "Impact"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Identify Image — raw disk access by anything other than known backup or forensic tools is suspicious",
          "Correlate with EID 1 to inspect the full command line of the accessing process",
          "Raw access targeting PhysicalDrive0 or the system volume may indicate credential harvesting or disk wiping"
        ],
        "commonFalsePositives": [
          "Enterprise backup agents (e.g., Veeam, Veritas) performing volume-level backups",
          "Disk diagnostic and defragmentation utilities",
          "Windows VSS (Volume Shadow Copy Service) during snapshot operations"
        ]
      },
      "keyFields": [
        {
          "name": "Image",
          "xpath": "EventData/Data[@Name='Image']",
          "description": "Full path of the process performing raw disk access"
        },
        {
          "name": "Device",
          "xpath": "EventData/Data[@Name='Device']",
          "description": "The disk device path being read (e.g., \\Device\\HarddiskVolume2)"
        },
        {
          "name": "ProcessId",
          "xpath": "EventData/Data[@Name='ProcessId']",
          "description": "Process ID of the reading process"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-04-07"
    },
    {
      "id": 10,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "ProcessAccess",
      "summary": "A process opened a handle to another process.",
      "details": "Generated when a process opens a handle to another process. The GrantedAccess value indicates the access rights requested, and the CallTrace captures the call stack at the time of access. This event is critical for detecting credential dumping (access to lsass.exe) and process injection preparation.",
      "category": "Code Injection",
      "tags": [
        "credential-dumping",
        "lsass",
        "injection",
        "process-access"
      ],
      "relatedEventIds": [
        {
          "id": 8,
          "log": "Sysmon"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1003.001",
          "techniqueName": "OS Credential Dumping: LSASS Memory",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        },
        {
          "techniqueId": "T1055",
          "techniqueName": "Process Injection",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "TargetImage of lsass.exe with GrantedAccess containing VM_READ rights (0x10) is the primary credential dumping signal",
          "Review CallTrace for entries outside known module ranges (unknown or unbacked memory regions indicate syscall abuse or injection)",
          "SourceImage that is unexpected (e.g., cmd.exe, PowerShell, a dropped binary) accessing lsass.exe requires immediate triage",
          "Correlate with EID 8 on the same target to detect combined ProcessAccess + CreateRemoteThread injection patterns"
        ],
        "commonFalsePositives": [
          "AV, EDR, and DLP agents legitimately access lsass.exe for security monitoring",
          "Windows Error Reporting (WerFault.exe) may open lsass.exe for crash reporting"
        ]
      },
      "keyFields": [
        {
          "name": "SourceImage",
          "xpath": "EventData/Data[@Name='SourceImage']",
          "description": "Full path of the process opening the handle"
        },
        {
          "name": "TargetImage",
          "xpath": "EventData/Data[@Name='TargetImage']",
          "description": "Full path of the process being accessed"
        },
        {
          "name": "GrantedAccess",
          "xpath": "EventData/Data[@Name='GrantedAccess']",
          "description": "Hex bitmask of access rights granted (e.g., 0x1010 = PROCESS_VM_READ + PROCESS_QUERY_INFORMATION)"
        },
        {
          "name": "CallTrace",
          "xpath": "EventData/Data[@Name='CallTrace']",
          "description": "Call stack at the time of access; entries from unbacked memory indicate injection or direct syscalls"
        },
        {
          "name": "SourceProcessId",
          "xpath": "EventData/Data[@Name='SourceProcessId']",
          "description": "Process ID of the source (accessing) process"
        },
        {
          "name": "TargetProcessId",
          "xpath": "EventData/Data[@Name='TargetProcessId']",
          "description": "Process ID of the target (accessed) process"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "LSASS Memory Access — Credential Dumping GrantedAccess",
          "rule": "Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 10\n| parse EventData with * '<Data Name=\"TargetImage\">' TargetImage '</Data>' *\n| parse EventData with * '<Data Name=\"SourceImage\">' SourceImage '</Data>' *\n| parse EventData with * '<Data Name=\"GrantedAccess\">' GrantedAccess '</Data>' *\n| where TargetImage has \"lsass.exe\"\n| where GrantedAccess in (\"0x1010\", \"0x1410\", \"0x143A\", \"0x1438\", \"0x1FFFFF\")\n| where SourceImage !has_any (\"WerFault.exe\", \"MsMpEng.exe\")\n| project TimeGenerated, Computer, SourceImage, TargetImage, GrantedAccess\n| order by TimeGenerated desc",
          "notes": "GrantedAccess values 0x1010 and 0x1410 are the most common credential dumping access patterns. Allowlist your EDR/AV process. 0x1FFFFF (full access) is always suspicious."
        },
        {
          "platform": "Sigma",
          "title": "LSASS Memory Access with Credential Dumping Rights",
          "rule": "title: LSASS Memory Access with Credential Dumping Rights\nstatus: stable\nlogsource:\n  category: process_access\n  product: windows\ndetection:\n  selection:\n    TargetImage|endswith: '\\lsass.exe'\n    GrantedAccess:\n      - '0x1010'\n      - '0x1410'\n      - '0x143A'\n      - '0x1438'\n      - '0x1FFFFF'\n  filter:\n    SourceImage|endswith:\n      - '\\WerFault.exe'\n      - '\\MsMpEng.exe'\n  condition: selection and not filter\nfalsepositives:\n  - EDR and AV products performing memory inspection\nlevel: critical"
        }
      ],
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 11,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "FileCreate",
      "summary": "A file was created or overwritten.",
      "details": "Generated when a file is created or overwritten. This event records when a file first appears on disk, complementing EID 2 which records subsequent timestamp manipulation. High-value monitoring targets include startup folders, Run key paths, scheduled task XML directories, web server document roots, user temp/AppData directories, and system binary paths.",
      "category": "File Activity",
      "tags": [
        "file-creation",
        "persistence",
        "dropper",
        "execution"
      ],
      "relatedEventIds": [
        {
          "id": 2,
          "log": "Sysmon"
        },
        {
          "id": 15,
          "log": "Sysmon"
        },
        {
          "id": 23,
          "log": "Sysmon"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1105",
          "techniqueName": "Ingress Tool Transfer",
          "tactics": [
            {
              "tacticId": "TA0011",
              "tacticName": "Command and Control"
            }
          ]
        },
        {
          "techniqueId": "T1547",
          "techniqueName": "Boot or Logon Autostart Execution",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Files written to Startup folders, Temp, AppData\\Roaming, or system binary paths by unexpected processes are high-priority",
          "Executable or script extensions (.exe, .dll, .ps1, .bat, .vbs, .js) created by Office applications or browsers indicate delivery",
          "Correlate TargetFilename with EID 1 to see if the created file was subsequently executed",
          "Files created immediately before a suspicious EID 1 process may be the dropped payload"
        ],
        "commonFalsePositives": [
          "Software installers and patch processes create large numbers of files",
          "Log and temp file creation by legitimate applications is very high volume — filter by extension and path"
        ]
      },
      "keyFields": [
        {
          "name": "Image",
          "xpath": "EventData/Data[@Name='Image']",
          "description": "Full path of the process that created the file"
        },
        {
          "name": "TargetFilename",
          "xpath": "EventData/Data[@Name='TargetFilename']",
          "description": "Full path of the newly created or overwritten file"
        },
        {
          "name": "CreationUtcTime",
          "xpath": "EventData/Data[@Name='CreationUtcTime']",
          "description": "UTC timestamp of file creation"
        },
        {
          "name": "ProcessId",
          "xpath": "EventData/Data[@Name='ProcessId']",
          "description": "Process ID of the creating process"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "Executable Dropped to Suspicious Path",
          "rule": "Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 11\n| parse EventData with * '<Data Name=\"Image\">' Image '</Data>' *\n| parse EventData with * '<Data Name=\"TargetFilename\">' TargetFilename '</Data>' *\n| where TargetFilename matches regex @'(?i)\\.(exe|dll|ps1|bat|vbs|js|hta|msi)$'\n| where TargetFilename has_any (\"\\\\AppData\\\\\", \"\\\\Temp\\\\\", \"\\\\Downloads\\\\\", \"\\\\Public\\\\\")\n| project TimeGenerated, Computer, Image, TargetFilename\n| order by TimeGenerated desc",
          "notes": "Focus on executable/script file extensions in user-writable directories. Pair with Sysmon EID 1 to see if the dropped file was subsequently executed."
        },
        {
          "platform": "Sigma",
          "title": "Executable Dropped in User-Writable Directory",
          "rule": "title: Executable Dropped in User-Writable Directory\nstatus: stable\nlogsource:\n  category: file_creation\n  product: windows\ndetection:\n  selection:\n    TargetFilename|contains:\n      - '\\AppData\\'\n      - '\\Temp\\'\n      - '\\Downloads\\'\n    TargetFilename|endswith:\n      - '.exe'\n      - '.dll'\n      - '.ps1'\n      - '.bat'\n      - '.vbs'\n  condition: selection\nfalsepositives:\n  - Software installers unpacking to temp directories\n  - Browser download of legitimate executables\nlevel: medium"
        }
      ],
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-04-05"
    },
    {
      "id": 12,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "RegistryEvent — object created or deleted",
      "summary": "A registry key or value was created or deleted.",
      "details": "Generated when a registry key or value is created or deleted. Registry persistence mechanisms rely on key and value creation under well-known autorun locations (Run, RunOnce, Services, scheduled task entries). Deletions can indicate cleanup activity where an attacker removes autorun keys after execution.",
      "category": "Registry Activity",
      "tags": [
        "registry",
        "persistence",
        "defense-evasion"
      ],
      "relatedEventIds": [
        {
          "id": 13,
          "log": "Sysmon"
        },
        {
          "id": 14,
          "log": "Sysmon"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1112",
          "techniqueName": "Modify Registry",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            },
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        },
        {
          "techniqueId": "T1547.001",
          "techniqueName": "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "TargetObject paths under Run, RunOnce, Services, or Winlogon are the highest-priority persistence locations",
          "DeleteKey or DeleteValue events covering previously created suspicious keys indicate cleanup activity",
          "Image performing registry writes should match the expected owner of that key (e.g., scripting engines modifying Run keys are suspicious)",
          "Correlate with EID 13 to inspect the value data written under a newly created key"
        ],
        "commonFalsePositives": [
          "Software installers and updaters make extensive registry changes",
          "Group Policy application and Windows configuration management create and delete keys frequently"
        ]
      },
      "keyFields": [
        {
          "name": "Image",
          "xpath": "EventData/Data[@Name='Image']",
          "description": "Full path of the process performing the registry operation"
        },
        {
          "name": "EventType",
          "xpath": "EventData/Data[@Name='EventType']",
          "description": "Type of registry operation: CreateKey, DeleteKey, or DeleteValue"
        },
        {
          "name": "TargetObject",
          "xpath": "EventData/Data[@Name='TargetObject']",
          "description": "Full registry path of the affected key or value"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 13,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "RegistryEvent — value set",
      "summary": "A registry value was set.",
      "details": "Generated when a registry value is written. This is the most forensically rich registry event because the Details field captures the actual data written, revealing exactly what command, path, or payload was stored in a persistence key. Complements EID 12 (key/value creation) and EID 14 (key/value rename).",
      "category": "Registry Activity",
      "tags": [
        "registry",
        "persistence",
        "defense-evasion"
      ],
      "relatedEventIds": [
        {
          "id": 12,
          "log": "Sysmon"
        },
        {
          "id": 14,
          "log": "Sysmon"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1112",
          "techniqueName": "Modify Registry",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            },
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        },
        {
          "techniqueId": "T1547.001",
          "techniqueName": "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Review Details field for suspicious values: encoded commands, paths to temp/user-writable directories, LOLBAS invocations (e.g., certutil, wscript, mshta, rundll32 with a .dll argument)",
          "TargetObject pointing to Run, RunOnce, Winlogon, AppInit_DLLs, or services parameters are high-value targets",
          "Image that is a scripting engine or dropped binary writing to persistence keys is a strong signal",
          "Correlate TargetObject value path with EID 11 to see if the referenced file was recently dropped"
        ],
        "commonFalsePositives": [
          "Application configuration updates writing to their own registry keys",
          "Software licensing and activation mechanisms"
        ]
      },
      "keyFields": [
        {
          "name": "Image",
          "xpath": "EventData/Data[@Name='Image']",
          "description": "Full path of the process writing the registry value"
        },
        {
          "name": "TargetObject",
          "xpath": "EventData/Data[@Name='TargetObject']",
          "description": "Full registry path including the value name"
        },
        {
          "name": "Details",
          "xpath": "EventData/Data[@Name='Details']",
          "description": "The data written to the registry value (command, path, binary data, etc.)"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 14,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "RegistryEvent — key or value renamed",
      "summary": "A registry key or value was renamed.",
      "details": "Generated when a registry key or value is renamed. Renaming can be used to obscure malicious entries by blending in with legitimate registry values, to impersonate a Windows component, or as part of cleanup before deletion.",
      "category": "Registry Activity",
      "tags": [
        "registry",
        "defense-evasion",
        "persistence"
      ],
      "relatedEventIds": [
        {
          "id": 12,
          "log": "Sysmon"
        },
        {
          "id": 13,
          "log": "Sysmon"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1112",
          "techniqueName": "Modify Registry",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            },
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        },
        {
          "techniqueId": "T1036",
          "techniqueName": "Masquerading",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "NewName that closely mimics a legitimate Windows key or value (typosquatting) indicates masquerading",
          "Renaming within Run or Services key paths warrants review of the renamed entry's data via EID 13",
          "Correlate with preceding EID 12 and EID 13 events on the same TargetObject to understand what was written before renaming"
        ],
        "commonFalsePositives": [
          "Software installers renaming temporary configuration keys during setup",
          "Windows component updates may rename registry entries"
        ]
      },
      "keyFields": [
        {
          "name": "Image",
          "xpath": "EventData/Data[@Name='Image']",
          "description": "Full path of the process performing the rename"
        },
        {
          "name": "TargetObject",
          "xpath": "EventData/Data[@Name='TargetObject']",
          "description": "Original registry key or value path before renaming"
        },
        {
          "name": "NewName",
          "xpath": "EventData/Data[@Name='NewName']",
          "description": "New name assigned to the registry key or value"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 15,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "FileCreateStreamHash",
      "summary": "A file was created with an alternate data stream.",
      "details": "Generated when a file is created with an Alternate Data Stream (ADS), with the hash of the stream content. ADS has two primary security contexts: the Zone.Identifier stream added by Windows to downloaded files (Mark of the Web / MOTW), and adversarial use of ADS to hide payloads, executables, or scripts within innocent-looking files. MOTW bypass is a common initial access technique.",
      "category": "Alternate Data Stream",
      "tags": [
        "ads",
        "motw",
        "defense-evasion",
        "file-activity"
      ],
      "relatedEventIds": [
        {
          "id": 11,
          "log": "Sysmon"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1564.004",
          "techniqueName": "Hide Artifacts: NTFS File Attributes",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        },
        {
          "techniqueId": "T1553.005",
          "techniqueName": "Subvert Trust Controls: Mark-of-the-Web Bypass",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Stream names other than Zone.Identifier on executable or script files are suspicious",
          "Review Contents field for embedded executables (MZ header), scripts, or encoded payloads",
          "Absence of Zone.Identifier creation after a file arrives via browser or email client may indicate MOTW stripping",
          "Image that is not a browser or email client writing Zone.Identifier streams is unusual"
        ],
        "commonFalsePositives": [
          "Browsers (Chrome, Edge, Firefox) and email clients routinely write Zone.Identifier ADS to downloaded files",
          "Some backup and sync tools preserve ADS metadata"
        ]
      },
      "keyFields": [
        {
          "name": "Image",
          "xpath": "EventData/Data[@Name='Image']",
          "description": "Full path of the process creating the alternate data stream"
        },
        {
          "name": "TargetFilename",
          "xpath": "EventData/Data[@Name='TargetFilename']",
          "description": "File path including the stream name (e.g., file.txt:Zone.Identifier)"
        },
        {
          "name": "Hash",
          "xpath": "EventData/Data[@Name='Hash']",
          "description": "Hash of the ADS content"
        },
        {
          "name": "Contents",
          "xpath": "EventData/Data[@Name='Contents']",
          "description": "Content of the stream if small enough to be captured inline"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 16,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "Sysmon configuration changed",
      "summary": "The Sysmon configuration was updated.",
      "details": "Generated when the Sysmon configuration file is updated. An adversary with administrative access may update the Sysmon configuration to reduce or eliminate logging coverage before executing their next stage. Unexpected configuration changes outside known change management windows are a defense evasion indicator.",
      "category": "Service Activity",
      "tags": [
        "sysmon",
        "defense-evasion",
        "tamper",
        "configuration"
      ],
      "relatedEventIds": [
        {
          "id": 4,
          "log": "Sysmon"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1685",
          "techniqueName": "Disable or Modify Tools",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate with EID 1 to identify what process (sysmon.exe invocation) applied the configuration change",
          "Compare ConfigurationFileHash against the known-good hash of the authorized config",
          "Unexpected reconfiguration followed by reduced event volume is a strong tamper signal",
          "Review EID 4 in the same time window — reconfiguration often accompanies a service restart"
        ],
        "commonFalsePositives": [
          "Planned configuration updates deployed by the security team or via endpoint management tooling",
          "Sysmon version upgrades that reload the configuration"
        ]
      },
      "keyFields": [
        {
          "name": "Configuration",
          "xpath": "EventData/Data[@Name='Configuration']",
          "description": "Path to the new Sysmon configuration file"
        },
        {
          "name": "ConfigurationFileHash",
          "xpath": "EventData/Data[@Name='ConfigurationFileHash']",
          "description": "Hash of the new configuration file; compare against the known-good authorized config hash"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "volumeIndicator": "rare",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 17,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "Pipe created",
      "summary": "A named pipe was created.",
      "details": "Generated when a named pipe is created. Named pipes are used for inter-process communication and are a common C2 communication channel and lateral movement mechanism. Well-known malicious pipe name patterns are associated with frameworks such as Cobalt Strike, Metasploit, Sliver, and Brute Ratel.",
      "category": "Named Pipe",
      "tags": [
        "named-pipe",
        "c2",
        "lateral-movement",
        "cobaltstrike"
      ],
      "relatedEventIds": [
        {
          "id": 18,
          "log": "Sysmon"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1559.001",
          "techniqueName": "Inter-Process Communication: Component Object Model",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            }
          ]
        },
        {
          "techniqueId": "T1021.002",
          "techniqueName": "Remote Services: SMB/Windows Admin Shares",
          "tactics": [
            {
              "tacticId": "TA0008",
              "tacticName": "Lateral Movement"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "PipeName matching known C2 framework patterns (Cobalt Strike, Metasploit, Sliver, Brute Ratel) is a high-confidence indicator",
          "Pipes created by LOLBAS tools (scripting engines such as wscript.exe/cscript.exe, LOLBins such as mshta.exe/rundll32.exe, or unsigned executables) are suspicious regardless of name",
          "Correlate with EID 18 to identify the connecting process and map the full IPC channel",
          "Random or GUID-formatted pipe names are atypical for legitimate software"
        ],
        "commonFalsePositives": [
          "SQL Server, IIS, and other server software use named pipes for inter-process communication",
          "Chrome and other browsers create numerous pipes for renderer/broker communication"
        ]
      },
      "keyFields": [
        {
          "name": "Image",
          "xpath": "EventData/Data[@Name='Image']",
          "description": "Full path of the process that created the named pipe"
        },
        {
          "name": "PipeName",
          "xpath": "EventData/Data[@Name='PipeName']",
          "description": "Name of the created pipe (e.g., \\msagent_*, \\postex_*)"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-04-07"
    },
    {
      "id": 18,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "Pipe connected",
      "summary": "A process connected to a named pipe.",
      "details": "Generated when a process connects to an existing named pipe. In lateral movement scenarios, a pipe may be created on a remote system and connected to locally via SMB. Correlating with EID 17 maps the full named pipe channel: which process created the pipe and which process connected to it.",
      "category": "Named Pipe",
      "tags": [
        "named-pipe",
        "c2",
        "lateral-movement"
      ],
      "relatedEventIds": [
        {
          "id": 17,
          "log": "Sysmon"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1559.001",
          "techniqueName": "Inter-Process Communication: Component Object Model",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            }
          ]
        },
        {
          "techniqueId": "T1021.002",
          "techniqueName": "Remote Services: SMB/Windows Admin Shares",
          "tactics": [
            {
              "tacticId": "TA0008",
              "tacticName": "Lateral Movement"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate with EID 17 to identify the pipe creator and map the full IPC relationship",
          "Image connecting to a suspicious PipeName (e.g., known C2 pipe names) is a high-fidelity alert",
          "Connections from unexpected or scripting-engine processes to any named pipe warrants review"
        ],
        "commonFalsePositives": [
          "Same as EID 17 — many legitimate applications use named pipe IPC",
          "Windows system components and services communicate over named pipes extensively"
        ]
      },
      "keyFields": [
        {
          "name": "Image",
          "xpath": "EventData/Data[@Name='Image']",
          "description": "Full path of the process connecting to the named pipe"
        },
        {
          "name": "PipeName",
          "xpath": "EventData/Data[@Name='PipeName']",
          "description": "Name of the pipe being connected to"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-03-30"
    },
    {
      "id": 19,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "WMI event filter registered",
      "summary": "A WMI event filter was registered.",
      "details": "Generated when a WMI event filter is registered. This is the first of three events that together document a WMI permanent event subscription (EID 20 for the consumer, EID 21 for the binding). The Query field contains the trigger condition, commonly targeting process creation, user logon, or timer events.",
      "category": "WMI Subscription",
      "tags": [
        "wmi",
        "subscription",
        "persistence",
        "execution"
      ],
      "relatedEventIds": [
        {
          "id": 20,
          "log": "Sysmon"
        },
        {
          "id": 21,
          "log": "Sysmon"
        },
        {
          "id": 5861,
          "log": "WMI"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1546.003",
          "techniqueName": "Event Triggered Execution: Windows Management Instrumentation Event Subscription",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Query targeting Win32_Process creation or system startup events is a common persistence trigger pattern",
          "Correlate Name across EID 19, 20, and 21 to reconstruct the full subscription",
          "User context reveals whether the subscription was created under a user or system account",
          "Correlate with WMI EID 5861 for additional subscription detail"
        ],
        "commonFalsePositives": [
          "SCCM, monitoring agents, and some AV products use WMI subscriptions for legitimate purposes"
        ]
      },
      "keyFields": [
        {
          "name": "User",
          "xpath": "EventData/Data[@Name='User']",
          "description": "Account that created the WMI event filter"
        },
        {
          "name": "EventNamespace",
          "xpath": "EventData/Data[@Name='EventNamespace']",
          "description": "WMI namespace for the filter (e.g., root\\cimv2)"
        },
        {
          "name": "Name",
          "xpath": "EventData/Data[@Name='Name']",
          "description": "Name identifier of the event filter"
        },
        {
          "name": "Query",
          "xpath": "EventData/Data[@Name='Query']",
          "description": "WQL query defining the trigger condition"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-03-30"
    },
    {
      "id": 20,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "WMI event consumer registered",
      "summary": "A WMI event consumer was registered.",
      "details": "Generated when a WMI event consumer is registered. The Type field indicates the consumer class: CommandLineEventConsumer (executes a command line) and ActiveScriptEventConsumer (executes VBScript or JScript) are the two types capable of code execution. The Destination field contains the command or payload to be run. Complements EID 19 (filter) and EID 21 (binding).",
      "category": "WMI Subscription",
      "tags": [
        "wmi",
        "subscription",
        "persistence",
        "execution"
      ],
      "relatedEventIds": [
        {
          "id": 19,
          "log": "Sysmon"
        },
        {
          "id": 21,
          "log": "Sysmon"
        },
        {
          "id": 5861,
          "log": "WMI"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1546.003",
          "techniqueName": "Event Triggered Execution: Windows Management Instrumentation Event Subscription",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Type of CommandLineEventConsumer or ActiveScriptEventConsumer indicates code execution capability — investigate immediately",
          "Destination reveals the payload: examine for encoded commands, paths to dropped files, or LOLBAS invocations (e.g., cmd.exe, wscript.exe, mshta.exe, certutil.exe, or rundll32.exe with a .dll path)",
          "Correlate Name with EID 19 filter and EID 21 binding to reconstruct the complete subscription"
        ],
        "commonFalsePositives": [
          "SCCM and endpoint management tools may use CommandLineEventConsumers for legitimate tasks"
        ]
      },
      "keyFields": [
        {
          "name": "User",
          "xpath": "EventData/Data[@Name='User']",
          "description": "Account that created the WMI event consumer"
        },
        {
          "name": "Name",
          "xpath": "EventData/Data[@Name='Name']",
          "description": "Name identifier of the consumer"
        },
        {
          "name": "Type",
          "xpath": "EventData/Data[@Name='Type']",
          "description": "Consumer class type (e.g., CommandLineEventConsumer, ActiveScriptEventConsumer)"
        },
        {
          "name": "Destination",
          "xpath": "EventData/Data[@Name='Destination']",
          "description": "The action to execute: command line or script content depending on Type"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-04-07"
    },
    {
      "id": 21,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "WMI consumer-to-filter binding",
      "summary": "A WMI consumer was bound to a filter, completing a persistent event subscription.",
      "details": "Generated when a WMI consumer is bound to an event filter, completing a permanent WMI event subscription. Without this binding, the filter and consumer exist independently but do not function. The presence of all three events (EID 19, 20, 21) within a short time window on the same system indicates subscription creation.",
      "category": "WMI Subscription",
      "tags": [
        "wmi",
        "subscription",
        "persistence",
        "execution"
      ],
      "relatedEventIds": [
        {
          "id": 19,
          "log": "Sysmon"
        },
        {
          "id": 20,
          "log": "Sysmon"
        },
        {
          "id": 5861,
          "log": "WMI"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1546.003",
          "techniqueName": "Event Triggered Execution: Windows Management Instrumentation Event Subscription",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Presence of EID 19 + 20 + 21 in a short window is the definitive WMI persistence creation sequence",
          "Query root\\subscription namespace to confirm the subscription survives reboot",
          "Correlate Filter and Consumer names with EID 19 and 20 detail to review the full subscription contents",
          "Enumerate the root\\subscription namespace to verify whether the subscription persists after reboot"
        ],
        "commonFalsePositives": [
          "SCCM and monitoring products that rely on WMI subscriptions"
        ]
      },
      "keyFields": [
        {
          "name": "User",
          "xpath": "EventData/Data[@Name='User']",
          "description": "Account that created the binding"
        },
        {
          "name": "Consumer",
          "xpath": "EventData/Data[@Name='Consumer']",
          "description": "Reference path to the bound WMI consumer"
        },
        {
          "name": "Filter",
          "xpath": "EventData/Data[@Name='Filter']",
          "description": "Reference path to the bound WMI event filter"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-03-30"
    },
    {
      "id": 22,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "DNS query",
      "summary": "A process made a DNS query.",
      "details": "Generated when a process makes a DNS query. DNS is the most common C2 discovery channel. This event captures the domain lookup that precedes a network connection, and correlating with EID 3 on the same Image links a domain name to the subsequent IP-level connection. DNS tunneling produces high query volumes to unusual subdomains of a single parent domain.",
      "category": "DNS Activity",
      "tags": [
        "dns",
        "c2",
        "exfiltration",
        "network",
        "dns-tunneling"
      ],
      "relatedEventIds": [
        {
          "id": 3,
          "log": "Sysmon"
        },
        {
          "id": 3006,
          "log": "DNSClient"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1071.004",
          "techniqueName": "Application Layer Protocol: DNS",
          "tactics": [
            {
              "tacticId": "TA0011",
              "tacticName": "Command and Control"
            }
          ]
        },
        {
          "techniqueId": "T1568",
          "techniqueName": "Dynamic Resolution",
          "tactics": [
            {
              "tacticId": "TA0011",
              "tacticName": "Command and Control"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "QueryName with high entropy subdomains (random-looking labels) under a single parent domain indicates DNS tunneling",
          "Image that does not ordinarily make DNS lookups (e.g., mshta.exe, regsvr32.exe, certutil.exe) querying external domains is suspicious",
          "Correlate QueryResults (resolved IPs) with EID 3 DestinationIp to link domain names to connection events",
          "Newly registered domains, dynamic DNS providers, and TLDs unusual for the environment warrant investigation"
        ],
        "commonFalsePositives": [
          "Browsers and applications query thousands of domains during normal browsing and telemetry",
          "Windows Update, Microsoft telemetry, and CDN lookups generate high DNS query volumes"
        ]
      },
      "keyFields": [
        {
          "name": "QueryName",
          "xpath": "EventData/Data[@Name='QueryName']",
          "description": "DNS name queried by the process"
        },
        {
          "name": "QueryResults",
          "xpath": "EventData/Data[@Name='QueryResults']",
          "description": "Resolved IP addresses returned by the query"
        },
        {
          "name": "Image",
          "xpath": "EventData/Data[@Name='Image']",
          "description": "Full path of the process making the DNS query"
        },
        {
          "name": "ProcessId",
          "xpath": "EventData/Data[@Name='ProcessId']",
          "description": "Process ID of the querying process"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-04-10"
    },
    {
      "id": 23,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "File deleted",
      "summary": "A file was deleted.",
      "details": "Generated when a file is deleted. If the Sysmon configuration enables file archiving, deleted files can be preserved in the archive directory. This event captures anti-forensic file deletion (attackers deleting tools or logs after use), ransomware staging (bulk deletion of backup files before encryption), and artifact cleanup. The Hashes field allows retrospective threat intelligence lookups even after the file is removed from disk.",
      "category": "File Activity",
      "tags": [
        "file-deletion",
        "anti-forensics",
        "defense-evasion",
        "ransomware"
      ],
      "relatedEventIds": [
        {
          "id": 11,
          "log": "Sysmon"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1070.004",
          "techniqueName": "Indicator Removal: File Deletion",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        },
        {
          "techniqueId": "T1485",
          "techniqueName": "Data Destruction",
          "tactics": [
            {
              "tacticId": "TA0040",
              "tacticName": "Impact"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Hash the deleted file (if archived) and check against threat intelligence",
          "Bulk file deletions by a single process in a short window may indicate ransomware or destructive activity",
          "Deletion of log files, backup catalogs, or Volume Shadow Copies warrants immediate investigation",
          "Correlate with EID 11 to recover what the file was and when it was created"
        ],
        "commonFalsePositives": [
          "Temp file cleanup by browsers, installers, and system processes is very high volume",
          "Log rotation and cleanup tasks delete files as part of normal operations"
        ]
      },
      "keyFields": [
        {
          "name": "Image",
          "xpath": "EventData/Data[@Name='Image']",
          "description": "Full path of the process that deleted the file"
        },
        {
          "name": "TargetFilename",
          "xpath": "EventData/Data[@Name='TargetFilename']",
          "description": "Full path of the deleted file"
        },
        {
          "name": "Hashes",
          "xpath": "EventData/Data[@Name='Hashes']",
          "description": "Hashes of the deleted file content"
        },
        {
          "name": "IsExecutable",
          "xpath": "EventData/Data[@Name='IsExecutable']",
          "description": "Whether the deleted file was a PE executable"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 24,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "Clipboard changed",
      "summary": "New content was placed in the clipboard.",
      "details": "Generated when the clipboard content changes. This event supports detection of clipboard hijacking, where malware monitors the clipboard and substitutes cryptocurrency wallet addresses or other sensitive values. It also captures intentional clipboard data collection by malicious processes. The event can be high-volume on busy systems.",
      "category": "Clipboard Activity",
      "tags": [
        "clipboard",
        "collection",
        "credential-access",
        "clipboard-hijacking"
      ],
      "relatedEventIds": [
        {
          "id": 1,
          "log": "Sysmon"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1115",
          "techniqueName": "Clipboard Data",
          "tactics": [
            {
              "tacticId": "TA0009",
              "tacticName": "Collection"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Image that is not a user-facing application (e.g., a background process, scripting engine) accessing the clipboard is suspicious",
          "Frequent clipboard changes by the same unexpected Image may indicate clipboard monitoring or hijacking",
          "Correlate with EID 1 to review the full context of the process writing to the clipboard"
        ],
        "commonFalsePositives": [
          "Password managers, productivity apps, and remote desktop tools interact with the clipboard extensively",
          "Any application with a paste or copy function will generate these events during normal use"
        ]
      },
      "keyFields": [
        {
          "name": "Image",
          "xpath": "EventData/Data[@Name='Image']",
          "description": "Full path of the process that changed the clipboard content"
        },
        {
          "name": "Session",
          "xpath": "EventData/Data[@Name='Session']",
          "description": "Session in which the clipboard change occurred"
        },
        {
          "name": "ClientInfo",
          "xpath": "EventData/Data[@Name='ClientInfo']",
          "description": "Client information associated with the clipboard change"
        },
        {
          "name": "Hashes",
          "xpath": "EventData/Data[@Name='Hashes']",
          "description": "Hash of the clipboard content"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 25,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "Process tampering",
      "summary": "A process image was tampered with (hollowing or herpaderping detected).",
      "details": "Generated when Sysmon detects that a process's memory image does not match its on-disk image, indicating process hollowing or process herpaderping. Process hollowing replaces a legitimate process's memory with a malicious payload after creation. Process herpaderping modifies the on-disk executable after mapping it into memory. Both techniques are used to evade process-based detections and allowlisting. This is a high-fidelity detection event with very low false positive rates.",
      "category": "Code Injection",
      "tags": [
        "process-hollowing",
        "herpaderping",
        "defense-evasion",
        "injection"
      ],
      "relatedEventIds": [
        {
          "id": 1,
          "log": "Sysmon"
        },
        {
          "id": 8,
          "log": "Sysmon"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1055.012",
          "techniqueName": "Process Injection: Process Hollowing",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        },
        {
          "techniqueId": "T1055",
          "techniqueName": "Process Injection",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Any EID 25 alert should be treated as a high-confidence indicator — false positive rates are very low",
          "Identify Image and ProcessId, then correlate with EID 1 to find what created this process and what command line was used",
          "Type: Hollowing indicates the memory image was replaced; Type: Herpaderping indicates on-disk file was modified after mapping",
          "Correlate with EID 3 and EID 11 from the same process to identify C2 communications or file drops during the tampered process lifetime"
        ],
        "commonFalsePositives": [
          "Certain software protection and licensing systems (e.g., Denuvo, some DRM) may trigger hollowing-like detections",
          "JIT compilation in .NET and Java applications can produce anomalous memory mappings, though typically not flagged by Sysmon's heuristic"
        ]
      },
      "keyFields": [
        {
          "name": "Image",
          "xpath": "EventData/Data[@Name='Image']",
          "description": "Path of the process that was tampered with; hollowed or herpaderped system processes are highest priority"
        },
        {
          "name": "Type",
          "xpath": "EventData/Data[@Name='Type']",
          "description": "Tampering type: Herpaderp = image replacement on disk after mapping, Hollowing = process memory hollowed"
        },
        {
          "name": "ProcessId",
          "xpath": "EventData/Data[@Name='ProcessId']",
          "description": "PID of the tampered process"
        },
        {
          "name": "RuleName",
          "xpath": "EventData/Data[@Name='RuleName']",
          "description": "Sysmon rule that triggered this event; useful for identifying which process type was targeted"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "volumeIndicator": "rare",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "Sysmon Process Tampering — Hollowing or Herpaderping",
          "rule": "Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 25\n| project TimeGenerated, Computer, UserName,\n    Image = extract(@'<Data Name=\"Image\">(.+?)</Data>', 1, EventData),\n    Type = extract(@'<Data Name=\"Type\">(.+?)</Data>', 1, EventData),\n    ProcessId = extract(@'<Data Name=\"ProcessId\">(.+?)</Data>', 1, EventData)\n| extend Severity = \"HIGH - Process tampering detected\"",
          "notes": "Any EID 25 event should be treated as high confidence malicious activity. Process hollowing and Herpaderping are used to evade AV/EDR by running malicious code inside legitimate process images."
        },
        {
          "platform": "Splunk",
          "title": "Sysmon Process Tampering Detection",
          "rule": "index=sysmon EventCode=25\n| eval severity=\"HIGH\"\n| table _time, Image, Type, ProcessId, host, severity",
          "notes": "Zero-noise rule. Process tampering is not a benign operation — treat every event as an incident until proven otherwise."
        },
        {
          "platform": "Sigma",
          "title": "Sysmon Process Tampering",
          "rule": "title: Sysmon Process Tampering\nstatus: stable\nlogsource:\n    product: windows\n    service: sysmon\ndetection:\n    selection:\n        EventID: 25\ncondition: selection\nfalsepositives:\n    - None known in production environments\nlevel: critical",
          "notes": "Requires Sysmon 13+ with ProcessTampering enabled in the Sysmon configuration. No false positives in practice."
        }
      ],
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 26,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "File delete detected",
      "summary": "A file deletion was detected (Sysmon v13+; monitoring only, no archive).",
      "details": "Generated when a file is deleted (Sysmon v13+). Unlike EID 23 which archives the deleted file, EID 26 only records the deletion event without saving a copy, making it lower-cost for high-volume environments. Bulk deletions by a single process, especially targeting document files, are a ransomware indicator. Deletions targeting log files, forensic tools, or security software indicate anti-forensic activity.",
      "category": "File System",
      "tags": [
        "file-delete",
        "defense-evasion",
        "ransomware",
        "anti-forensics"
      ],
      "relatedEventIds": [
        {
          "id": 23,
          "log": "Sysmon"
        },
        {
          "id": 1,
          "log": "Sysmon"
        },
        {
          "id": 11,
          "log": "Sysmon"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1485",
          "techniqueName": "Data Destruction",
          "tactics": [
            {
              "tacticId": "TA0040",
              "tacticName": "Impact"
            }
          ]
        },
        {
          "techniqueId": "T1070.004",
          "techniqueName": "Indicator Removal: File Deletion",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "High-volume deletions of document files by an unexpected process is a ransomware indicator — correlate with EID 11 to check for concurrent encrypted file creation",
          "Deletions targeting event log files, VSS snapshots, backup tools, or EDR components indicate anti-forensic behavior",
          "IsExecutable: true combined with a non-uninstaller process warrants immediate investigation",
          "Correlate Image with EID 1 to review full process ancestry and ParentCommandLine"
        ],
        "commonFalsePositives": [
          "File cleanup by backup software, temporary file managers, or application uninstallers",
          "IDEs and build systems deleting intermediate build artifacts"
        ]
      },
      "keyFields": [
        {
          "name": "Image",
          "xpath": "EventData/Data[@Name='Image']",
          "description": "Full path of the process that deleted the file"
        },
        {
          "name": "TargetFilename",
          "xpath": "EventData/Data[@Name='TargetFilename']",
          "description": "Full path of the deleted file"
        },
        {
          "name": "IsExecutable",
          "xpath": "EventData/Data[@Name='IsExecutable']",
          "description": "Whether the deleted file was a PE executable"
        },
        {
          "name": "Hashes",
          "xpath": "EventData/Data[@Name='Hashes']",
          "description": "Hashes of the deleted file content"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 27,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Warning",
      "title": "FileBlockExecutable",
      "summary": "Sysmon blocked the creation of an executable file by a monitored process.",
      "details": "Generated (Sysmon 14.0+) when a process matching a configured FileBlockExecutable rule attempts to create an executable file (PE with MZ header) and Sysmon blocks the write. The file creation is prevented, providing enforcement capability beyond detection. This directly prevents the dropper stage of many malware infection chains by blocking processes like Office applications or browsers from writing executable files to disk.",
      "category": "File Block",
      "tags": [
        "sysmon",
        "file-block",
        "executable",
        "dropper",
        "defense"
      ],
      "relatedEventIds": [
        {
          "id": 11,
          "log": "Sysmon"
        },
        {
          "id": 29,
          "log": "Sysmon"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1105",
          "techniqueName": "Ingress Tool Transfer",
          "tactics": [
            {
              "tacticId": "TA0011",
              "tacticName": "Command and Control"
            }
          ]
        },
        {
          "techniqueId": "T1204.002",
          "techniqueName": "User Execution: Malicious File",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "log-enablement",
          "description": "Requires Sysmon 14.0 or later and a FileBlockExecutable rule configured in the Sysmon configuration XML.",
          "command": "sysmon64.exe -c sysmon-config.xml"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Image field identifies which process attempted to drop the executable — Office apps, browsers, script interpreters are highest priority",
          "TargetFilename reveals the intended drop location — temp directories, startup folders, and AppData are most significant",
          "Unlike EID 11 (FileCreate), EID 27 means the file was NOT written — but the attempt itself is the indicator"
        ],
        "commonFalsePositives": [
          "Legitimate software updaters or package managers that write executables and were not excluded in the Sysmon config",
          "Development tools compiling and writing output binaries"
        ]
      },
      "keyFields": [
        {
          "name": "RuleName",
          "xpath": "EventData/Data[@Name='RuleName']",
          "description": "Sysmon rule that triggered the block"
        },
        {
          "name": "Image",
          "xpath": "EventData/Data[@Name='Image']",
          "description": "Full path of the process that attempted to create the executable"
        },
        {
          "name": "TargetFilename",
          "xpath": "EventData/Data[@Name='TargetFilename']",
          "description": "Intended path of the blocked executable file"
        },
        {
          "name": "Hashes",
          "xpath": "EventData/Data[@Name='Hashes']",
          "description": "Hashes of the blocked executable content"
        },
        {
          "name": "ProcessId",
          "xpath": "EventData/Data[@Name='ProcessId']",
          "description": "Process ID of the blocked process"
        },
        {
          "name": "ProcessGuid",
          "xpath": "EventData/Data[@Name='ProcessGuid']",
          "description": "Unique GUID of the blocked process"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 28,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Warning",
      "title": "FileBlockShredding",
      "summary": "Sysmon blocked a file shredding (secure deletion) attempt by a monitored process.",
      "details": "Generated (Sysmon 14.0+) when a process matching a FileBlockShredding rule attempts to securely delete (shred) a file by overwriting its content before deletion to prevent forensic recovery, and Sysmon blocks the operation. File shredding is used by attackers to destroy forensic evidence after an operation. Blocking shredding preserves evidence that would otherwise be irrecoverably destroyed.",
      "category": "File Block",
      "tags": [
        "sysmon",
        "file-block",
        "shredding",
        "anti-forensic",
        "evidence-preservation"
      ],
      "relatedEventIds": [
        {
          "id": 23,
          "log": "Sysmon"
        },
        {
          "id": 27,
          "log": "Sysmon"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1485",
          "techniqueName": "Data Destruction",
          "tactics": [
            {
              "tacticId": "TA0040",
              "tacticName": "Impact"
            }
          ]
        },
        {
          "techniqueId": "T1070.004",
          "techniqueName": "Indicator Removal: File Deletion",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "log-enablement",
          "description": "Requires Sysmon 14.0 or later and a FileBlockShredding rule configured in the Sysmon configuration XML.",
          "command": "sysmon64.exe -c sysmon-config.xml"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Identify the process attempting shredding (Image) — dedicated shredding tools (sdelete.exe, cipher.exe /w) in attacker context are high-confidence indicators",
          "TargetFilename reveals what the attacker was trying to destroy — log files, malware binaries, and credential stores are highest priority targets",
          "Correlate with EID 23 (FileDelete) for the same process to see what was successfully deleted before the block"
        ],
        "commonFalsePositives": [
          "Legitimate secure deletion tools used by data-at-rest compliance processes",
          "Enterprise DLP or device management software performing secure wipe operations"
        ]
      },
      "keyFields": [
        {
          "name": "RuleName",
          "xpath": "EventData/Data[@Name='RuleName']",
          "description": "Sysmon rule that triggered the shredding block"
        },
        {
          "name": "Image",
          "xpath": "EventData/Data[@Name='Image']",
          "description": "Full path of the process that attempted to shred the file"
        },
        {
          "name": "TargetFilename",
          "xpath": "EventData/Data[@Name='TargetFilename']",
          "description": "Path of the file targeted for shredding"
        },
        {
          "name": "ProcessId",
          "xpath": "EventData/Data[@Name='ProcessId']",
          "description": "Process ID of the blocked process"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 29,
      "log": "Sysmon",
      "provider": "Microsoft-Windows-Sysmon",
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "level": "Information",
      "title": "FileExecutableDetected",
      "summary": "Sysmon detected the creation of an executable file in a monitored directory.",
      "details": "Generated (Sysmon 14.0+) when an executable file (detected by MZ/PE header content, not just file extension) is created in a directory monitored by a FileExecutableDetected rule. Unlike EID 11 which triggers on any file write matching a path filter, EID 29 specifically detects PE executables by content, catching renamed executables regardless of extension. This is the detection-only complement to EID 27 (FileBlockExecutable).",
      "category": "File Detection",
      "tags": [
        "sysmon",
        "executable-detection",
        "dropper",
        "staging"
      ],
      "relatedEventIds": [
        {
          "id": 11,
          "log": "Sysmon"
        },
        {
          "id": 27,
          "log": "Sysmon"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1105",
          "techniqueName": "Ingress Tool Transfer",
          "tactics": [
            {
              "tacticId": "TA0011",
              "tacticName": "Command and Control"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "log-enablement",
          "description": "Requires Sysmon 14.0 or later and a FileExecutableDetected rule in the Sysmon configuration XML specifying the directories to monitor.",
          "command": "sysmon64.exe -c sysmon-config.xml"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "EID 29 detects by MZ/PE header content, not extension — catches executables renamed to .txt, .jpg, or other extensions to evade EID 11 extension filters",
          "Monitor high-value staging paths: %TEMP%, %APPDATA%, user Download folders, and web server document roots",
          "Correlate Hashes with threat intelligence immediately — the executable was already written to disk when this event fires"
        ],
        "commonFalsePositives": [
          "Software installers and update mechanisms writing executables to monitored directories",
          "Broad directory monitoring rules that include application installation paths"
        ]
      },
      "keyFields": [
        {
          "name": "RuleName",
          "xpath": "EventData/Data[@Name='RuleName']",
          "description": "Sysmon rule that triggered the detection"
        },
        {
          "name": "Image",
          "xpath": "EventData/Data[@Name='Image']",
          "description": "Full path of the process that created the executable file"
        },
        {
          "name": "TargetFilename",
          "xpath": "EventData/Data[@Name='TargetFilename']",
          "description": "Path of the detected executable file"
        },
        {
          "name": "Hashes",
          "xpath": "EventData/Data[@Name='Hashes']",
          "description": "Hashes of the detected executable"
        },
        {
          "name": "ProcessId",
          "xpath": "EventData/Data[@Name='ProcessId']",
          "description": "Process ID of the creating process"
        }
      ],
      "source": {
        "name": "Microsoft Sysinternals - Sysmon",
        "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows 7 / Server 2008 R2"
      },
      "lastReviewed": "2026-04-04"
    }
  ]
}