Event ID 255 — Error report: UtcTime: UtcTime ID: ID Description: Description.

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Error
Collection Priority: Recommended (JSCU-NL)
Task: Error report
Opcode: Info

Description

This event is generated when an **error occurred within Sysmon**. They can happen if the system is under heavy load and certain tasks could not be performed or a bug exists in the Sysmon service.

Message #

Error report:
UtcTime: %1
ID: %2
Description: %3

Fields #

Name	Description
`UtcTime` UnicodeString → string	—
`ID` UnicodeString → string	—
`Description` UnicodeString → string	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 255,
    "version": 3,
    "level": 2,
    "task": 255,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T00:55:58.314139+00:00",
    "event_record_id": 1050594,
    "correlation": {},
    "execution": {
      "process_id": 7064,
      "thread_id": 9788
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "UtcTime": "2023-11-06 00:55:58.306",
    "ID": "IMAGE_LOAD",
    "Description": "Failed to find process image name"
  },
  "message": ""
}

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Sysmon Configuration Error source high: Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages

References #

Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-255-error
Example event sourced from https://github.com/NextronSystems/evtx-baseline
OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-255.yml