Cheat sheet — Windows & Endpoint Telemetry¶
Companion to Module 02 — Windows & Endpoint Telemetry · CC BY 4.0 — print it, pin it, share it.
Last reviewed: 2026-07
Sysmon — install and manage¶
sysmon64.exe -accepteula -i sysmonconfig.xml # install with a config
sysmon64.exe -c sysmonconfig.xml # update the running config (no reinstall)
sysmon64.exe -c # dump the current config to console
sysmon64.exe -u # uninstall the service+driver
Grab the community baseline instead of starting blank:
# SwiftOnSecurity/sysmon-config — the tuned "what's worth collecting" starting point
Invoke-WebRequest -Uri https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml -OutFile sysmonconfig.xml
Events land in Applications and Services Logs → Microsoft → Windows → Sysmon/Operational.
The Event IDs you actually read¶
| ID | Event | Why it matters |
|---|---|---|
| 1 | Process creation | The workhorse — carries CommandLine, Image, ParentImage (ancestry) |
| 3 | Network connection | Which process talked to which IP/port |
| 5 | Process terminated | Lifecycle / short-lived proc detection |
| 7 | Image loaded | DLL side-loading, unsigned modules |
| 8 | CreateRemoteThread | Classic process injection |
| 10 | ProcessAccess | Credential dumping (LSASS handle opens) |
| 11 | File create | Dropped payloads, persistence files |
| 12/13/14 | Registry (create/set/rename) | Run keys, service installs |
| 22 | DNS query | Endpoint-side name resolution |
The gold in Event ID 1 is ParentImage → Image — the lineage, not the single process.
Sysmon config — structure¶
<Sysmon schemaversion="4.90">
<EventFiltering>
<!-- onmatch="include" = log ONLY matches; "exclude" = log everything EXCEPT -->
<RuleGroup groupRelation="or">
<ProcessCreate onmatch="include">
<ParentImage condition="end with">\WINWORD.EXE</ParentImage>
<Image condition="end with">\powershell.exe</Image>
</ProcessCreate>
</RuleGroup>
</EventFiltering>
</Sysmon>
Common condition values: is, is any, contains, begin with, end with, image, excludes.
Sigma — the portable detection format¶
title: Office App Spawning PowerShell
logsource:
product: windows
category: process_creation # maps to Sysmon EID 1 / Security 4688
detection:
selection:
ParentImage|endswith: '\WINWORD.EXE'
Image|endswith: '\powershell.exe'
condition: selection
falsepositives:
- Rare legitimate Office add-ins
level: high
Modifiers you reach for: |contains, |startswith, |endswith, |re (regex), |base64, |all.
Gotchas worth remembering¶
- Ancestry, not the process.
powershell.exeruns all day;winword.exe → powershell.exe -encis a macro dropper. Always pivot onParentImage, not justImage. - The config is the detection strategy. Every
excludeis a place an attacker can choose to live. Weigh exclusions as carefully as inclusions — a "tidy" config can hand out a blind spot. - You can't log retroactively. Sysmon only records after it's installed. Telemetry is a before-the-incident decision.
- Reading the telemetry is only half the job. A detection that "would fire" is not a detection. Author it (Sigma) and prove it fires on the malicious chain and stays quiet on benign activity.
onmatchinverts meaning.includelogs only what matches;excludelogs everything else. Mixing them up silently produces the opposite of what you intended — verify against real events.- Command line is the payload. Attackers hide in arguments (
-enc,-nop,IEX, download cradles), soCommandLinecapture is non-negotiable — the baseline config already turns it on.
Comments
Sign in with GitHub to comment. Choose the type: Feedback (errors or suggestions on this page) · Hints (help for fellow learners — no spoilers) · General (anything else).