EventPeeker
Event ID 1 · Information · Sysmon · T1059

Windows Event ID 1: Process Create

Sysmon Event 1 fires every time a process is created, capturing a richer dataset than the native Windows Event 4688 — including full command line, parent command line, file hashes (MD5, SHA256, IMPHASH), integrity level, and the OriginalFileName from the PE header. This last field is critical: attackers often rename malicious executables to blend in, but Sysmon records the original file name embedded in the binary itself, exposing the masquerade.

MITRE ATT&CK

Technique: T1059 · Command and Scripting Interpreter
Tactic: Execution

Why It Matters

Event 1 is the foundation of process-based threat detection. The combination of parent image, command line, and hashes enables detection that native 4688 cannot match: IMPHASH clustering groups malware from the same source regardless of filename, OriginalFileName catches renamed executables, and ParentCommandLine reveals the full launch context. Every LOLBin abuse, every macro-to-shell delivery chain, and every encoded PowerShell payload is visible in Sysmon 1 — with enough context to distinguish attack from noise without pivoting to other events.

Key Fields

Image: Full path of the new process executable — attackers often place malware in Temp, AppData, or rename it to mimic system binaries; check path and name together
CommandLine: Full command line including all arguments — reveals -EncodedCommand flags, LOLBin abuse parameters, and remote script URIs that are invisible in 4688 without command-line auditing enabled
ParentImage: Full path of the parent process — the single most important field for detecting delivery chains: Office → powershell, browser → cmd, svchost → wscript all indicate compromise
ParentCommandLine: Full command line of the parent process — gives context the parent event alone cannot: what arguments the parent was called with before spawning the child
Hashes: MD5, SHA256, and IMPHASH of the executable — SHA256 for VirusTotal lookups; IMPHASH (import hash) groups binaries compiled from the same source code regardless of filename, exposing malware families
OriginalFileName: File name embedded in the PE header at compile time — attackers rename executables to evade detection; OriginalFileName = 'mimikatz.exe' in a file named 'svchost.exe' is the evasion exposed
IntegrityLevel: Process token integrity: System > High > Medium > Low — a Medium integrity process spawning a High integrity child without a UAC prompt is a UAC bypass; System-level from a user session is suspicious

Investigation Tips

  1. Parent-child anomalies are the highest-signal pattern: WINWORD.EXE → powershell.exe, chrome.exe → cmd.exe, excel.exe → wscript.exe all indicate macro or browser-based delivery. Any Office application spawning a shell is a near-certain malicious macro.
  2. Check OriginalFileName against Image — if they differ, the binary was renamed. OriginalFileName = 'Mimikatz.exe', 'nc.exe', 'psexec.exe', or any known attack tool in a binary with a benign-looking Image path is an active masquerade.
  3. Hash the Image with IMPHASH and search across all Sysmon 1 events in your environment — IMPHASH clustering groups malware variants from the same build. A batch of hosts running the same IMPHASH across different filenames = coordinated deployment.
  4. Look for processes launching from user-writable paths: C:\Users\*\AppData\, C:\Users\*\Downloads\, C:\Windows\Temp\, C:\ProgramData\ — legitimate system binaries launch from System32 or Program Files.
  5. IntegrityLevel = High or System from a process whose parent is Medium integrity with no UAC prompt event (4688/4703 elevation) = UAC bypass; pivot to the uac-bypass detection guide.
  6. Search CommandLine for known LOLBin abuse patterns: certutil -urlcache, certutil -decode, bitsadmin /transfer, regsvr32 /s /i:http://, mshta http://, wmic process call create — all are download or execution primitives masquerading as system tools.
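Tips 1, 2, 3, 4 and 6 above as a triage pass over Sysmon Event 1 records, written as an added example (not EventPeeker's code): it applies the parent-child, OriginalFileName, user-writable-path and command-line checks to each record and clusters hosts by IMPHASH. The records, hostnames and IMPHASH values are constructed, and the regexes are one workable encoding of the patterns the tips list, not an exhaustive rule set.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Tip 4 paths, and tip 6 LOLBin patterns plus the -EncodedCommand flag from the Key Fields.
USER_WRITABLE = re.compile(r"^c:\\(users\\[^\\]+\\(appdata|downloads)\\|windows\\temp\\|programdata\\)")
LOLBIN = [re.compile(p, re.I) for p in (
    r"certutil\S*\s.*-(urlcache|decode)", r"bitsadmin\S*\s.*/transfer", r"regsvr32\S*\s.*/i:http",
    r"mshta\S*\s+http", r"wmic\S*\s+process\s+call\s+create", r"powershell\S*\s.*\s-e(nc|ncodedcommand)?\s")]

def parse_hashes(field):  # Sysmon writes 'ALGO=value' pairs joined by commas
    return dict(kv.split("=", 1) for kv in field.split(",") if "=" in kv)

def triage(ev):
    """Apply tips 1, 2, 4 and 6 to one Event 1 record; return a list of finding labels."""
    findings = []
    image = PureWindowsPath(ev["Image"]).name.lower()
    parent = PureWindowsPath(ev["ParentImage"]).name.lower()
    if parent in OFFICE and image in SHELLS:
        findings.append(f"office-to-shell:{parent}->{image}")
    ofn = ev.get("OriginalFileName", "?").lower()
    if ofn not in ("?", "-", "") and ofn != image:  # '?'/'-': PE carries no VersionInfo
        findings.append(f"renamed:{ofn}->{image}")
    if USER_WRITABLE.match(ev["Image"].lower()):
        findings.append("user-writable-path")
    if any(p.search(ev["CommandLine"]) for p in LOLBIN):
        findings.append("lolbin-cmdline")
    return findings

def imphash_clusters(events, min_hosts=2):
    """Tip 3: IMPHASH values seen on at least min_hosts distinct hosts, with those hosts."""
    seen = defaultdict(set)
    for ev in events:
        imp = parse_hashes(ev["Hashes"]).get("IMPHASH")
        if imp:
            seen[imp].add(ev["host"])
    return {h: sorted(hosts) for h, hosts in seen.items() if len(hosts) >= min_hosts}
# Constructed sample records (not real telemetry); IMPHASH values are placeholders.
EVENTS = [
    {"host": "ws01", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA", "Hashes": "IMPHASH=IMP-PS"},
    {"host": "ws01", "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\Temp\svchost.exe",
     "OriginalFileName": "mimikatz.exe", "CommandLine": r"C:\Windows\Temp\svchost.exe", "Hashes": "IMPHASH=IMP-A"},
    {"host": "ws02", "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\ProgramData\update.exe",
     "OriginalFileName": "mimikatz.exe", "CommandLine": r"C:\ProgramData\update.exe", "Hashes": "IMPHASH=IMP-A"},
    {"host": "ws03", "ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs", "Hashes": "IMPHASH=IMP-B"},
]
```

Running `triage` over `EVENTS` flags the Office-spawned encoded PowerShell, both renamed binaries in user-writable paths, and nothing for the legitimate svchost; `imphash_clusters(EVENTS)` returns the IMPHASH shared by ws01 and ws02 under two different filenames.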

Related Event IDs

4688: Native process creation — lower fidelity but available without Sysmon; no hashes or OriginalFileName
4104: PowerShell Script Block Logging — captures de-obfuscated content of PowerShell processes seen in Sysmon 1
4698: Scheduled task created — Sysmon 1 shows the process spawned by the task scheduler

Frequently Asked Questions

What does Sysmon Event 1 capture that Windows Event 4688 does not?
Sysmon 1 adds four critical fields that 4688 lacks even with command-line logging enabled: (1) Hashes (MD5, SHA256, IMPHASH) — enables VirusTotal lookups and IMPHASH-based malware family clustering without needing an EDR. (2) OriginalFileName — the PE header resource name that exposes renamed malicious executables. (3) ParentCommandLine — the full arguments the parent was called with, not just its image path. (4) IntegrityLevel — the process token integrity, enabling UAC bypass detection. Together these fields turn process telemetry into attribution-quality evidence.
What is IMPHASH and why does it matter for threat hunting?
IMPHASH (Import Hash) is a hash of the import address table of a PE binary — the list of Windows API functions the executable imports. Because malware variants from the same source code compile with the same imports in the same order, they share the same IMPHASH even when the file content (and SHA256) differs. This means you can cluster malware families: if three compromised hosts run the same IMPHASH across three different filenames, they are running variants of the same tool. Search your Sysmon 1 logs by IMPHASH to find all instances of a malware family across an environment — even if the attacker changed the filename on each host.
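To make concrete why renaming a file or patching its strings leaves IMPHASH unchanged while relinking does not, here is the IMPHASH computation as an added example (not EventPeeker's code), following the pefile/Mandiant definition: MD5 over the lowercased `dll.function` entries in import-table order, with `.dll`/`.ocx`/`.sys` suffixes stripped. The import tables are constructed rather than read from real binaries, and ordinal-only imports are written as `ordN` for every DLL, a simplification of pefile, which resolves ordinals to names for a few well-known DLLs.

```python
import hashlib

def imphash(imports):
    """IMPHASH over a list of (dll, function) pairs in import-table order.

    function is a str for named imports or an int for ordinal-only imports.
    Follows pefile: lowercase, strip .dll/.ocx/.sys, join with commas, MD5.
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        # Simplification: pefile maps ordinals to names for some DLLs (e.g. ws2_32).
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()

# Constructed import tables (not read from real binaries): what a PE parser would hand back.
BUILD_A = [("KERNEL32.dll", "OpenProcess"), ("KERNEL32.dll", "ReadProcessMemory"),
           ("ADVAPI32.dll", "OpenProcessToken"), ("ADVAPI32.dll", "LookupPrivilegeValueW"),
           ("MSVCRT.dll", 42)]  # last entry: ordinal-only import
# The same binary renamed on disk still has this table; a parser that presents names
# without suffix or case must still hash to the same value, which the normalisation ensures.
BUILD_A_ALT = [("kernel32", "openprocess"), ("kernel32", "readprocessmemory"),
               ("advapi32", "openprocesstoken"), ("advapi32", "lookupprivilegevaluew"),
               ("msvcrt", 42)]
# A relinked build importing the same APIs in a different order: different IMPHASH.
BUILD_B = list(reversed(BUILD_A))

def same_family(imports_x, imports_y):
    """True when two binaries share an IMPHASH, whatever their on-disk names or SHA256."""
    return imphash(imports_x) == imphash(imports_y)
```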
How do I reduce Sysmon Event 1 volume without losing attack visibility?
Use Sysmon's XML configuration file to exclude known-good processes by Image path, Company name, or hash. Start by excluding high-volume, low-risk processes: antivirus scanners, browser update helpers, Windows telemetry services. The community SwiftOnSecurity Sysmon config is a well-maintained baseline that balances noise reduction with detection coverage. Never exclude by process name alone — attackers rename executables. Exclude by SHA256 hash or full signed path from a known vendor. The goal is reducing noise on known-good binaries, not reducing coverage of user-writable paths where malware lives.
Why is OriginalFileName more reliable than Image for detecting renamed malware?
Image is simply the file path on disk — an attacker can rename mimikatz.exe to svchost.exe and Image will show C:\Windows\Temp\svchost.exe, which looks legitimate. OriginalFileName is extracted from the VersionInfo resource embedded in the PE binary at compile time, which the attacker rarely changes (it requires recompiling the tool). Sysmon reads this field directly from the binary header before execution. A mismatch between OriginalFileName and the filename portion of Image — especially when OriginalFileName matches a known attack tool — is one of the highest-confidence masquerade detections available.
