Sysmon

Logging endpoints and environment on Windows

System Monitor (Sysmon) is a Windows system service and device driver from the Sysinternals suite. Once installed, it remains resident across reboots and records system activity to the Windows event log, giving you detailed, per-event information about:

  • process creations (including the full command line and file hashes)

  • network connections

  • changes to file creation time

Sysmon events are written to the channel Microsoft-Windows-Sysmon/Operational, which Event Viewer shows under Applications and Services Logs/Microsoft/Windows/Sysmon/Operational. Every event carries its fields in the EventData section, so the XML view (or tooling that parses it) is more useful than the rendered message text.

Here is a list of some important Sysmon events:

  Event ID    Event Description
  1           Process Creation (image, command line, parent, hashes)
  3           Network Connection (source/destination address and port)
  7           Image Loaded (DLL or driver loaded into a process)
  8           CreateRemoteThread (thread created in another process)
  11          File Created
  12/13/14    Registry Event (12: key/value create or delete, 13: value set, 14: key/value rename)
  15          FileCreateStreamHash (alternate data stream created; hash of its contents)
  22          DNS Event (DNS query and its results)
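As an added example (not part of the original page), the following PowerShell reads the channel named above and pulls the most useful EventData field out of each of the event types listed in the table. It assumes Sysmon is installed with a configuration that emits these IDs and is run from an elevated shell; the per-ID labels and the 24-hour window are choices made for this example.

```powershell
# Added example: query the Sysmon Operational channel for the event IDs on this
# page and extract the key field of each event from the XML EventData payload.
# Assumes Sysmon is installed and the shell is elevated (the Operational log is
# not readable by standard users by default).

$channel = 'Microsoft-Windows-Sysmon/Operational'   # shown in Event Viewer as
# Applications and Services Logs/Microsoft/Windows/Sysmon/Operational

# Event IDs covered on this page, with a short label for output
$eventNames = @{
    1  = 'ProcessCreate'
    3  = 'NetworkConnect'
    7  = 'ImageLoad'
    8  = 'CreateRemoteThread'
    11 = 'FileCreate'
    12 = 'RegistryEvent (object create/delete)'
    13 = 'RegistryEvent (value set)'
    14 = 'RegistryEvent (key/value rename)'
    15 = 'FileCreateStreamHash'
    22 = 'DnsQuery'
}

# Filter in the event log service rather than in PowerShell: FilterHashtable
# is translated to an XPath query against the channel. Window chosen for the example.
$filter = @{
    LogName   = $channel
    Id        = @($eventNames.Keys)
    StartTime = [DateTime]::Now.AddHours(-24)
}

Get-WinEvent -FilterHashtable $filter | ForEach-Object {
    # Sysmon stores each field as <Data Name="...">value</Data>; build a lookup
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $id = [int]$_.Id
    [pscustomobject]@{
        TimeUtc = $data['UtcTime']
        Id      = $id
        Event   = $eventNames[$id]
        # CreateRemoteThread (8) names the acting process SourceImage, not Image
        Image   = if ($data.ContainsKey('Image')) { $data['Image'] } else { $data['SourceImage'] }
        # The field that matters most differs per event type
        Detail  = switch ($id) {
            1  { $data['CommandLine'] }
            3  { "$($data['DestinationIp']):$($data['DestinationPort'])" }
            7  { $data['ImageLoaded'] }
            8  { "target: $($data['TargetImage'])" }
            11 { $data['TargetFilename'] }
            12 { $data['TargetObject'] }
            13 { "$($data['TargetObject']) = $($data['Details'])" }
            14 { "$($data['TargetObject']) -> $($data['NewName'])" }
            15 { "$($data['TargetFilename']) ($($data['Hash']))" }
            22 { "$($data['QueryName']) -> $($data['QueryResults'])" }
        }
    }
} | Format-Table -AutoSize
```

If no matching events exist in the window, Get-WinEvent reports a non-terminating "No events were found" error rather than returning an empty set; widen StartTime or check that the Sysmon configuration actually includes the event type you are looking for before assuming the activity did not happen.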
