Event ID 4 — Sysmon service state changed

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Collection Priority: Recommended (Olaf Hartong, others)
Task: Sysmon service state changed
Opcode: Info

Description

The service state change event reports the state of the Sysmon service (started or stopped).

Message #

Sysmon service state changed:
UtcTime: %1
State: %2
Version: %3
SchemaVersion: %4

Fields #

Name	Description
`UtcTime` UnicodeString → string	Time in UTC when event was created
`State` UnicodeString → string	Sysmon service state (i.e. stopped)
`Version` UnicodeString → string	Sysmon version
`SchemaVersion` UnicodeString → string	Sysmon config schema version

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 4,
    "version": 3,
    "level": 4,
    "task": 4,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-05T22:52:28.220847+00:00",
    "event_record_id": 2,
    "correlation": {},
    "execution": {
      "process_id": 7064,
      "thread_id": 9788
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "UtcTime": "2023-11-05 22:52:28.214",
    "State": "Started",
    "Version": "15.0",
    "SchemaVersion": "4.90"
  },
  "message": ""
}

Detection Patterns #

Defense Evasion: Hide Artifacts

Sysmon Event ID 4: Sysmon service state changedOREvent ID 16: ServiceConfigurationChange

1 rule

Sigma

Sysmon Configuration Modification (source)

frack113

References #

Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-4-sysmon-service-state-changed
Example event sourced from https://github.com/NextronSystems/evtx-baseline
OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-4.yml