Sysmon Event ID 16

SourceSysmon
Discussions on Event ID 16
Ask a question about this event

16: Sysmon config state changed

This is an event from Sysmon.

On this page

Sysmon config state changed. This event may or may not include a hash.  A hash will depend on whether Sysmon was called with a configuration XML file or if it was just used via configuration settings on the command line.  If a configuration XML was specified then the hash of the file will be logged so that you can detect if anyone reconfigures Sysmon with an unauthorized configuration file which will produce a different hash. 

Free Security Log Resources by Randy

Description Fields in 16

  • Log Name
  • Source
  • Date
  • Event ID
  • Task Category
  • Level
  • Keywords
  • User
  • Computer
  • Description
  • UtcTime
  • Configuration
  • ConfigurationFileHash

Supercharger Free Edition


Centrally manage WEC subscriptions.

Free.

 

Examples of 16

Sysmon config state changed:
UtcTime: 2017-04-28 21:24:31.661
Configuration: sysmon64 -i -h sha256 -l -n
ConfigurationFileHash:

 

Event XML: (without configuration XML; config specified via cmd line)
 
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
        <EventID>16</EventID>
        <Version>3</Version>
        <Level>4</Level>
        <Task>16</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2017-04-28T21:24:31.661858200Z" />
        <EventRecordID>1</EventRecordID>
        <Correlation />
        <Execution ProcessID="32420" ThreadID="24524" />
        <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
        <Computer>rfsH.lab.local</Computer>
        <Security UserID="S-1-5-21-311908031-1195731464-1505490484-1605" />
    </System>
    <EventData>
        <Data Name="UtcTime">2017-04-28 21:24:31.661</Data>
        <Data Name="Configuration">sysmon64 -i -h sha256 -l -n</Data>
        <Data Name="ConfigurationFileHash">
        </Data>
    </EventData>
</Event>

 

Event XML: (with user specified configuration XML)
 
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
        <EventID>16</EventID>
        <Version>3</Version>
        <Level>4</Level>
        <Task>16</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2017-04-28T21:24:31.661858200Z" />
        <EventRecordID>1</EventRecordID>
        <Correlation />
        <Execution ProcessID="32420" ThreadID="24524" />
        <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
        <Computer>rfsH.lab.local</Computer>
        <Security UserID="S-1-5-21-311908031-1195731464-1505490484-1605" />
    </System>
    <EventData>
        <Data Name="UtcTime">2017-04-28 21:24:31.661</Data>
        <Data Name="Configuration">config.xml</Data>
        <Data Name="ConfigurationFileHash">SHA1=MM93VR46DP26CC35JZ5AD4AI29DP9JL99JM43JF9</Data>
    </EventData>
</Event>

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources