Event 1: Process Create
Quick Answer
Sysmon Event 1 logs detailed process creation activity including command-line parameters, file hashes, parent process information, and digital signatures. This event is more comprehensive than Windows Event 4688, making it essential for malware detection, threat hunting, and forensic investigations.
Technical Details
Event ID: 1
Sysmon- Process Execution
Event Description
Process creation provides extended information about a newly created process.
Analyst Notes & Scenarios
- Crucial Fields: Image, CommandLine, ParentImage, ParentCommandLine, User, Hashes, ProcessGuid, ParentProcessGuid.
- Look for suspicious parent-child relationships (e.g., Word -> PowerShell, svchost -> cmd).
- Analyze CommandLine for encoded scripts, suspicious flags, or network destinations.
- Use Hashes for threat intel lookups (VirusTotal, etc.).
- Requires careful Sysmon configuration (filtering) to manage volume.
- Correlate ProcessGuid with other events (Network, Registry, File).
Key Log Fields
UtcTime- UTC timestamp of process creationProcessGuid- Unique process GUID for correlation across Sysmon eventsProcessId- Process ID (PID)Image- Full path to the process executableFileVersion- File version of the executableDescription- Description from executable metadataProduct- Product name from executable metadataCompany- Company name from executable metadataOriginalFileName- Original filename from executable metadata (detects renamed files)CommandLine- Full command line with argumentsCurrentDirectory- Working directory of the processUser- Account that created the process (Domain\User format)LogonGuid- Logon GUID for correlationLogonId- Logon ID for correlation with Windows eventsIntegrityLevel- Process integrity level (Low/Medium/High/System)Hashes- File hashes (MD5, SHA1, SHA256, IMPHASH based on config)ParentProcessGuid- Parent process GUIDParentProcessId- Parent process PIDParentImage- Parent process executable pathParentCommandLine- Parent process command line
MITRE ATT&CK® Mapping (23)
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba. Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).(Citation: MSDN WMI)
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI) An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://attack.mitre.org/tactics/TA0007) as well as [Execution](https://attack.mitre.org/tactics/TA0002) of commands and payloads.(Citation: Mandiant WMI) For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)).(Citation: WMI 6) **Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://attack.mitre.org/techniques/T1059/001) as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red Team) An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent) Adversaries may also create "hidden" scheduled tasks (i.e. [Hide Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from `schtasks /query` and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., `Index` value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments)
Event Comparison
Sysmon Event 1 is superior to Windows Event 4688. Sysmon provides hashes, signature status, parent command line, and IMPHASH - all missing from 4688. Use Sysmon when possible.
What This Event Means
Sysmon Event 1 provides the most comprehensive visibility into process execution on Windows systems, surpassing native Windows Event 4688 with additional critical details that security analysts depend on for threat detection and investigation. Every time a process starts, this event captures the full command line with all parameters, multiple cryptographic hashes of the executable (MD5, SHA256, IMPHASH), the parent process and its command line, the user account context, digital signature information, and the current working directory. These rich details enable security teams to detect malicious process execution through multiple methods: suspicious command-line patterns, known malicious file hashes, unsigned or invalidly signed executables, unusual parent-child process relationships, and processes launched from suspect directories. The parent process information is particularly valuable for detecting process injection, DLL side-loading, and legitimate binaries being abused to launch malicious code. For example, attackers often inject malicious code into legitimate processes like explorer.exe or svchost.exe, which becomes visible when these processes spawn unexpected child processes. The hash values enable immediate malware identification through threat intelligence feeds and can identify file modifications even when filenames remain the same. Integration points include automatically checking process hashes against VirusTotal or internal threat intelligence platforms, comparing command-line patterns against known attack frameworks like Cobalt Strike or Metasploit, and baselining normal parent-child relationships to identify deviations.
Security Implications
- PowerShell execution with encoded commands or IEX indicates malware or exploitation frameworks
- Unsigned executables or processes with invalid signatures often signal malware execution
- Process trees showing Office apps spawning scripting engines reveal macro-based malware
- Process hollowing attacks visible through PID recycling and unexpected parent-child relationships
- Hash values enable instant malware identification and historical analysis of when malware first appeared
Detection Strategies
Configure Sysmon to log all process creation events and forward to centralized SIEM for correlation and analysis. Create detection rules for suspicious command-line patterns including base64 encoded commands, download utilities (certutil, bitsadmin), and remote execution tools. Implement hash-based detection by integrating process hashes with threat intelligence feeds and flagging unknown hashes from critical systems. Build baselines of legitimate parent-child process relationships and alert on violations such as Office applications spawning cmd.exe or PowerShell. Monitor for unsigned executables or those with revoked certificates running in your environment. Track processes executing from user-writable directories especially AppData, Temp, Downloads. Correlate with network connections (Event 3) to identify command-and-control beaconing. Sample Sysmon configuration files and SIEM correlation rules will be provided in future updates.
Note: Comprehensive SIEM detection queries for Splunk SPL, Microsoft KQL, and Elastic Query DSL will be added in future updates.
Real-World Attack Examples
Emotet malware execution chain visible in Sysmon: winword.exe → powershell.exe with encoded command → cmd.exe → malicious DLL via rundll32
Cobalt Strike beacon deployment shows explorer.exe spawning suspicious processes with specific IMPHASH values unique to Cobalt Strike artifacts
LockBit ransomware execution captured in Sysmon Event 1 with distinctive command-line parameters for encryption and network share access