System Monitor (Sysmon) is a Windows system service and device driver that monitors and logs system activity to the Windows event log. Part of the Microsoft Sysinternals suite, Sysmon provides detailed telemetry about process creation, network connections, file changes, and other system events that are essential for threat detection and incident response.
What Sysmon Does
Sysmon enriches standard Windows event logs by capturing high-level monitoring events including:
- Process creation (Event ID 1) - Complete process trees with parent-child relationships, command-line arguments, and image hashes
- Network connections (Event ID 3) - TCP/UDP connections with source/destination IPs, ports, and process information
- File creation (Event ID 11) - New file creation events with timestamps and process details
- File time changes (Event ID 2) - Timestomping detection by tracking file creation time modifications
- DNS queries (Event ID 22) - Domain name resolution requests for C2 detection
- Process termination (Event ID 5) - Process exit events for complete lifecycle tracking
- Image loading (Event ID 7) - DLL and driver loading events
- Registry modifications (Event IDs 12, 13, 14) - Registry key and value changes
Why Sysmon Matters
Standard Windows Event Logs provide limited context for security investigations. Sysmon fills critical visibility gaps by:
- Capturing process ancestry - Understanding which parent process launched suspicious activity
- Tracking network activity - Identifying outbound connections to malicious IPs or domains
- Detecting evasion techniques - Timestomping, fileless execution, and other anti-forensics tactics
- Providing structured data - Consistent event format that integrates with SIEM platforms
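The two sections above describe Sysmon's event types and the analyses they support (process ancestry, network tracking, timestomping detection, structured output). The following is an added example, not code from the page or from Sysinternals: it parses Sysmon event XML in the shape `Get-WinEvent` or an EVTX export produces, rebuilds a process tree from Event ID 1 via `ProcessGuid`/`ParentProcessGuid`, summarises Event ID 3 and 22 activity per image, and flags Event ID 2 records whose creation time was moved back by more than a threshold. The field names follow Sysmon's own schema; the event records, GUIDs, hostnames, IPs and the 30-day backdating threshold are constructed assumptions for the demonstration.

```python
"""Added example: structure Sysmon XML records and run a few analyses over them."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSMON_TIME = "%Y-%m-%d %H:%M:%S.%f"  # format of Sysmon's UtcTime fields

# Event ID -> name, for the IDs listed on the page
EVENT_NAMES = {1: "ProcessCreate", 2: "FileCreateTime", 3: "NetworkConnect",
               5: "ProcessTerminate", 7: "ImageLoad", 11: "FileCreate",
               12: "RegistryEvent", 13: "RegistryEvent", 14: "RegistryEvent",
               22: "DnsQuery"}


def parse_event(xml_text):
    """Turn one Sysmon <Event> record into {"event_id", "name", "data"}."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("./e:System/e:EventID", EVENT_NS).text)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("./e:EventData/e:Data", EVENT_NS)}
    return {"event_id": event_id,
            "name": EVENT_NAMES.get(event_id, f"EventID{event_id}"), "data": data}


def build_process_index(events):
    """ProcessGuid -> ProcessCreate record; the key for ancestry lookups."""
    return {ev["data"]["ProcessGuid"]: ev for ev in events if ev["event_id"] == 1}


def ancestry(index, guid):
    """Image path of the process and each parent, child first. Stops when the
    parent's Event ID 1 is absent (process predates Sysmon) or on a GUID cycle."""
    chain, seen = [], set()
    while guid in index and guid not in seen:
        seen.add(guid)
        chain.append(index[guid]["data"]["Image"])
        guid = index[guid]["data"].get("ParentProcessGuid")
    return chain


def network_by_process(events):
    """Image -> list of 'dns:<name>' and '<proto>:<ip>:<port>' destinations."""
    out = {}
    for ev in events:
        d = ev["data"]
        if ev["event_id"] == 22:
            out.setdefault(d["Image"], []).append("dns:" + d["QueryName"])
        elif ev["event_id"] == 3:
            out.setdefault(d["Image"], []).append(
                f'{d["Protocol"]}:{d["DestinationIp"]}:{d["DestinationPort"]}')
    return out


def timestomp_candidates(events, min_backdate=timedelta(days=30)):
    """Event ID 2 records whose new creation time is older than the previous one
    by more than min_backdate (threshold is an assumption; tune per environment)."""
    hits = []
    for ev in events:
        if ev["event_id"] != 2:
            continue
        new = datetime.strptime(ev["data"]["CreationUtcTime"], SYSMON_TIME)
        prev = datetime.strptime(ev["data"]["PreviousCreationUtcTime"], SYSMON_TIME)
        if prev - new > min_backdate:
            hits.append(ev["data"]["TargetFilename"])
    return hits


def sysmon_xml(event_id, **fields):
    """Construct a minimal Sysmon record (sample data, not captured telemetry)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVENT_NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID>'
            f'<Computer>WS01</Computer></System><EventData>{data}</EventData></Event>')


# Constructed GUIDs and images for an Office-spawned PowerShell chain
G_INIT, G_EXP = "{c0000000-0000-0000-0000-000000000000}", "{c0000000-0000-0000-0000-000000000001}"
G_WORD, G_PS = "{c0000000-0000-0000-0000-000000000002}", "{c0000000-0000-0000-0000-000000000003}"
EXPLORER = r"C:\Windows\explorer.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STOMPED = r"C:\Users\Public\update.dll"

SAMPLE_EVENTS = [  # constructed records; G_INIT never appears as a ProcessCreate
    sysmon_xml(1, UtcTime="2024-03-05 09:00:00.000", ProcessGuid=G_EXP, Image=EXPLORER,
               CommandLine="explorer.exe", ParentProcessGuid=G_INIT),
    sysmon_xml(1, UtcTime="2024-03-05 09:00:40.000", ProcessGuid=G_WORD, Image=WORD,
               CommandLine='"WINWORD.EXE" invoice.docm', ParentProcessGuid=G_EXP),
    sysmon_xml(1, UtcTime="2024-03-05 09:01:05.000", ProcessGuid=G_PS, Image=PS,
               CommandLine="powershell.exe -w hidden", ParentProcessGuid=G_WORD),
    sysmon_xml(22, UtcTime="2024-03-05 09:01:10.000", ProcessGuid=G_PS, Image=PS,
               QueryName="updates.example.invalid", QueryStatus="0"),
    sysmon_xml(3, UtcTime="2024-03-05 09:01:12.000", ProcessGuid=G_PS, Image=PS,
               Protocol="tcp", DestinationIp="203.0.113.10", DestinationPort="443"),
    sysmon_xml(2, UtcTime="2024-03-05 09:01:30.000", ProcessGuid=G_PS, Image=PS,
               TargetFilename=STOMPED, CreationUtcTime="2019-01-01 00:00:00.000",
               PreviousCreationUtcTime="2024-03-05 09:01:30.000"),
]


def load_sample_events():
    """Parse the constructed records into structured dicts."""
    return [parse_event(x) for x in SAMPLE_EVENTS]


if __name__ == "__main__":
    evs = load_sample_events()
    print("ancestry:", " <- ".join(ancestry(build_process_index(evs), G_PS)))
    print("network:", network_by_process(evs))
    print("timestomp candidates:", timestomp_candidates(evs))
```

Against real telemetry, replace `SAMPLE_EVENTS` with the XML strings from `Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational"` (each record's `.ToXml()`), or with the per-record output of an EVTX parser; the analysis functions only depend on the `EventData` field names.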
ISM Compliance
Sysmon helps organizations meet ISM system monitoring requirements, including:
- ISM-0580: Event logging policy implementation
- ISM-1405: Centralised event logging facility
- ISM-0585: Detailed event logging (date, time, user, process, filename, equipment)
- ISM-1959: Consistent and structured log format
- ISM-1526: Ongoing system monitoring
For comprehensive guidance on implementing ISM monitoring controls, see Practical ISM E01: Guidelines for system monitoring.
Related Resources
- Windows 11 Native Sysmon - Microsoft’s integration of Sysmon into Windows 11 and Windows Server 2025
- HTB Sherlock - Unit 42: Sysmon Log Analysis - Complete DFIR walkthrough using Sysmon logs to investigate an UltraVNC intrusion campaign
- Practical ISM E01: Guidelines for system monitoring - ISM control implementation for system monitoring and logging