Sysmon Event Log
Windows | Execution Evidence | Disk Image | SIEM / Log Aggregator
Location
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx
Description
Microsoft Sysinternals System Monitor (Sysmon) log capturing process creation with image hashes and command lines (Event 1), network connections (Event 3), file creation (Event 11), registry value writes (Event 13; key create/delete is Event 12), and DNS queries (Event 22). Which of these are actually recorded depends on the include/exclude rules in the loaded Sysmon configuration.
Forensic Value
Sysmon provides process-level granularity that native Windows logs lack. Each process receives a ProcessGuid that, unlike a PID, is never reused, so parent-child execution trees (ParentProcessGuid to ProcessGuid) can be reconstructed reliably even when the log spans reboots or PID reuse. Network connection events (Event 3) tie a ProcessGuid to destination IPs and ports; the timestamps of repeated connections to the same destination reveal beaconing intervals and jitter. Event 2 (a process changed a file creation time) records both the previous and the new creation time, exposing timestomping attempts.
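The reconstruction described above, as an added Python example that is not part of the original page or of Sysinternals' tooling. It parses the per-event XML that Get-WinEvent (via .ToXml()) or wevtutil qe /f:xml emit, builds the parent-child tree from ProcessGuid/ParentProcessGuid, scores repeated Event 3 connections for beacon-like regularity, and flags Event 2 records that back-date a file. All GUIDs, image paths, hosts and timestamps are constructed sample data; the jitter threshold and the helper names (build_tree, render_tree, beacon_candidates, timestomp_hits) are this example's own choices, not Sysmon or EvtxECmd API.

```python
"""Sysmon event XML -> process tree, beacon intervals, timestomping (added example).
Parses the per-event XML that Get-WinEvent's .ToXml() or `wevtutil qe /f:xml` emit
and keys everything on ProcessGuid, which stays unique across reboots unlike a PID."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime
from statistics import median
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed GUIDs/paths; real ProcessGuids embed the machine GUID and boot time.
EXPLORER = "{ec9fd2c4-1a5b-6694-0b0c-000000000101}"  # parent that was never logged
WINWORD = "{ec9fd2c4-1a5b-6694-0b0c-000000000102}"
CMD = "{ec9fd2c4-1a5b-6694-0b0c-000000000103}"
PS = "{ec9fd2c4-1a5b-6694-0b0c-000000000104}"
WORD_IMAGE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
CMD_IMAGE = r"C:\Windows\System32\cmd.exe"
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def make_event(event_id, **data):
    """Build a minimal Sysmon event XML string for the constructed sample set."""
    fields = "".join(f'<Data Name="{k}">{escape(str(v))}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f"<EventID>{event_id}</EventID></System><EventData>{fields}</EventData></Event>")


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def parse_utc(s):
    """Sysmon UtcTime / CreationUtcTime use 'YYYY-MM-DD HH:MM:SS.mmm'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def build_tree(events):
    """Index Event 1 records by ProcessGuid and link each child to its parent GUID."""
    procs = {d["ProcessGuid"]: {"image": d["Image"], "pid": d["ProcessId"],
                                "parent": d["ParentProcessGuid"], "children": []}
             for eid, d in events if eid == 1}
    for guid, p in procs.items():
        if p["parent"] in procs:
            procs[p["parent"]]["children"].append(guid)
    return procs


def render_tree(procs, guid=None, depth=0):
    """Indented 'image (pid n)' lines; roots are processes whose parent was never logged."""
    roots = [g for g, p in procs.items() if p["parent"] not in procs] if guid is None else [guid]
    lines = []
    for g in roots:
        lines.append("  " * depth + f'{procs[g]["image"]} (pid {procs[g]["pid"]})')
        for child in procs[g]["children"]:
            lines.extend(render_tree(procs, child, depth + 1))
    return lines


def beacon_candidates(events, min_conns=4, max_jitter=0.2):
    """{(ProcessGuid, dst ip, dst port): median gap s} for outbound Event 3 series whose
    inter-connection gaps all sit within max_jitter of the median (beacon-like)."""
    times = defaultdict(list)
    for eid, d in events:
        if eid == 3 and d.get("Initiated") == "true":
            times[(d["ProcessGuid"], d["DestinationIp"], d["DestinationPort"])].append(parse_utc(d["UtcTime"]))
    hits = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        m = median(gaps) if gaps else 0
        if len(ts) >= min_conns and m > 0 and all(abs(g - m) <= max_jitter * m for g in gaps):
            hits[key] = m
    return hits


def timestomp_hits(events):
    """Event 2 records whose new creation time predates the previous one (back-dating)."""
    hits = []
    for eid, d in events:
        if eid == 2:
            new, prev = parse_utc(d["CreationUtcTime"]), parse_utc(d["PreviousCreationUtcTime"])
            if new < prev:
                hits.append((d["Image"], d["TargetFilename"], prev, new))
    return hits


# Constructed sample: Word spawns cmd, cmd spawns PowerShell, PowerShell calls one host
# every ~60 s, and cmd back-dates a dropped DLL.
SAMPLE_XML = [
    make_event(1, UtcTime="2024-06-14 10:02:10.000", ProcessGuid=WINWORD, ProcessId="4988",
               Image=WORD_IMAGE, ParentProcessGuid=EXPLORER, ParentProcessId="4120"),
    make_event(1, UtcTime="2024-06-14 10:03:30.000", ProcessGuid=CMD, ProcessId="5212",
               Image=CMD_IMAGE, ParentProcessGuid=WINWORD, ParentProcessId="4988"),
    make_event(1, UtcTime="2024-06-14 10:03:35.000", ProcessGuid=PS, ProcessId="6004",
               Image=PS_IMAGE, ParentProcessGuid=CMD, ParentProcessId="5212"),
    make_event(2, UtcTime="2024-06-14 10:03:42.000", ProcessGuid=CMD, ProcessId="5212", Image=CMD_IMAGE,
               TargetFilename=r"C:\Users\jdoe\AppData\Local\Temp\up.dll",
               CreationUtcTime="2019-03-19 05:46:12.000", PreviousCreationUtcTime="2024-06-14 10:03:41.000"),
] + [
    make_event(3, UtcTime=f"2024-06-14 10:{m:02d}:{s:02d}.000", ProcessGuid=PS, ProcessId="6004",
               Image=PS_IMAGE, Protocol="tcp", Initiated="true", SourceIp="10.0.0.23",
               SourcePort=str(51000 + m), DestinationIp="203.0.113.10", DestinationPort="443")
    for m, s in [(5, 0), (6, 0), (7, 1), (8, 0), (9, 0)]
]
EVENTS = [parse_event(x) for x in SAMPLE_XML]
```

Run it with something like print("\n".join(render_tree(build_tree(EVENTS)))) followed by beacon_candidates(EVENTS) and timestomp_hits(EVENTS): the tree prints WINWORD.EXE, then cmd.exe and powershell.exe indented beneath it; the PowerShell series to 203.0.113.10:443 is flagged with a 60 s median gap despite the one-second jitter; and the cmd.exe Event 2 is reported because the new creation time (2019) predates the previous one (2024). Against real data, feed it the XML of each record from Get-WinEvent | ForEach-Object { $_.ToXml() } and tune min_conns and max_jitter to the sleep/jitter profile you expect.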
Tools Required
KAPE | EvtxECmd (Eric Zimmerman) | Chainsaw | Sysmon View
Collection Commands
KAPE
kape.exe --tsource C: --tdest C:\output --target EventLogs
EvtxECmd
EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx" --csv C:\output --csvf Sysmon.csv
PowerShell
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 5000 | Export-Csv sysmon_events.csv -NoTypeInformation
(-MaxEvents returns only the newest 5000 records; drop it for a complete export. The named EventData fields such as ProcessGuid and Image appear only inside the Message text or in the XML returned by each record's .ToXml(); use EvtxECmd when you need them as columns.)
Chainsaw
chainsaw hunt "C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx" -s sigma/ --mapping mappings/sigma-event-logs-all.yml
Collection Constraints
- Availability, retention, and field coverage depend on the Sysmon version, its loaded configuration (include/exclude rules, hash algorithms), the Windows release and SKU, the channel's configured maximum size, and user activity. Treat absence as inconclusive unless you verified that the relevant event type was enabled on that host.
- Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.
MITRE ATT&CK Techniques
T1059 (Command and Scripting Interpreter) | T1071 (Application Layer Protocol) | T1055 (Process Injection)