Event 3: Network Connection
Quick Answer
Sysmon Event 3 logs all TCP and UDP network connections initiated by processes, recording source and destination IPs, ports, and the process responsible. This event is critical for detecting command-and-control communications, data exfiltration, and lateral movement across networks.
Technical Details
Event ID: 3
Sysmon- Network Activity
Event Description
Logs TCP/UDP connections on the machine. It is disabled by default. Each connection is linked to a process through the ProcessId and ProcessGUID fields.
Analyst Notes & Scenarios
- Crucial Fields: Image, User, Protocol, SourceIp, DestinationIp, DestinationPort, Initiated.
- Monitor connections to known malicious IPs/domains (Threat Intel).
- Look for unusual ports or protocols used by standard processes (e.g., svchost to port 80/443, non-browser to 80/443).
- Identify beaconing patterns (regular connections to the same external IP).
- Filter legitimate/noisy connections in Sysmon config (e.g., browser traffic, internal monitoring tools).
- Initiated=false indicates an inbound connection.
Key Log Fields
UtcTime- UTC timestamp of connectionProcessGuid- Process GUID for correlationProcessId- Process ID making the connectionImage- Process executable pathUser- Account running the processProtocol- Network protocol (tcp/udp)Initiated- Connection direction (true=outbound, false=inbound)SourceIsIpv6- Whether source address is IPv6SourceIp- Source IP addressSourceHostname- Source hostname if resolvedSourcePort- Source port numberSourcePortName- Source port service nameDestinationIsIpv6- Whether destination address is IPv6DestinationIp- Destination IP addressDestinationHostname- Destination hostname if resolvedDestinationPort- Destination port numberDestinationPortName- Destination port service name
MITRE ATT&CK® Mapping (23)
Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux <code>curl</code> may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques) Many IaaS and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub, and AWS S3) support the direct download of files, emails, source code, and other sensitive information via the web console or [Cloud API](https://attack.mitre.org/techniques/T1059/009).
Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, DNS, or publishing/subscribing. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye Spy Email Nov 22)
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
Event Comparison
Event 3 provides process-level network visibility that native Windows lacks. Combine with Event 22 (DNS Query) to see full connection lifecycle from DNS resolution to TCP/UDP connection.
What This Event Means
Sysmon Event 3 captures every network connection made by processes on the monitored system, providing visibility into outbound and inbound communications that native Windows logging doesn't offer. This event records the initiating process name and ID, the source and destination IP addresses and ports, protocol (TCP or UDP), and whether the connection was initiated or received. This detailed network telemetry enables security analysts to detect malware beaconing to command-and-control servers, identify data exfiltration attempts, monitor lateral movement across the network, and discover unauthorized network services running on endpoints. The combination of process-level attribution with network connection details is powerful for threat hunting - you can see exactly which executable is communicating with external infrastructure or internal systems. For instance, when a document viewer like Adobe Reader suddenly initiates network connections to unknown IP addresses, it likely indicates exploitation or embedded malware. The event is invaluable for detecting living-off-the-land techniques where legitimate system utilities like PowerShell, certutil, or bitsadmin are abused to communicate with attacker infrastructure. By correlating Event 3 with process creation (Event 1) and file creation (Event 11), analysts can trace the complete attack lifecycle from initial execution through network communication to file system changes. Advanced threat hunters use Event 3 to identify beaconing patterns characteristic of specific malware families, detect DNS tunneling through unusual port 53 traffic patterns, and spot data exfiltration through large uploads to cloud storage services or unknown destinations.
Security Implications
- Connections to known malicious IPs or suspicious foreign countries from business applications indicate compromise
- Document viewers or Office applications making network connections suggest exploitation or malicious macros
- Regular beaconing patterns (connections every N seconds/minutes) reveal command-and-control communication
- Connections from PowerShell or scripting engines to internet IPs show malware or attacker activity
- Internal lateral movement via SMB (port 445) or RDP (port 3389) from user workstations indicates spreading
Detection Strategies
Implement network connection baselining to understand normal communication patterns for applications in your environment. Alert on network connections from unusual processes, especially document viewers, media players, or other applications that shouldn't initiate connections. Integrate threat intelligence feeds to automatically flag connections to known malicious IPs, domains, and infrastructure. Monitor for beaconing behavior by analyzing connection frequency and regularity, particularly connections that occur at precise intervals characteristic of automated malware callbacks. Detect data exfiltration by tracking upload volume from client systems to external destinations, especially large transfers to newly observed domains. Flag internal lateral movement by monitoring for workstation-to-workstation connections on administrative ports like 135, 139, 445, 3389. Correlate network connections with process execution to identify which parent process spawned the communicating executable. Detailed Sysmon configuration recommendations and SIEM detection rules will be added in upcoming releases.
Note: Comprehensive SIEM detection queries for Splunk SPL, Microsoft KQL, and Elastic Query DSL will be added in future updates.
Real-World Attack Examples
TrickBot malware generates distinctive Sysmon Event 3 patterns with connections to numerous C2 servers for redundancy
APT29 (Cozy Bear) campaigns show specific beaconing patterns in Event 3 logs, connecting to compromised websites every 10-30 minutes
Ransomware exfiltration visible in Event 3 as large outbound transfers from victim systems to attacker-controlled storage before encryption