SOC Event Lookup
Event ID 1ProcessP1

Sysmon Event ID 1: Process creation

Sysmon Event ID 1 records process creation and is one of the most important events for reconstructing command execution, parent-child process chains, and suspicious process launches.

Applicable version
Sysmon 1.0 and later
Last reviewed
2026-07-10

Trigger Scenarios

Whenever Sysmon observes a new process start, it records Event ID 1 with process image, command line, parent process, hashes, user, integrity level, and related metadata according to the active Sysmon configuration.

Key Fields

Image

The executable path for the new process. Analysts use this to distinguish expected binaries from unusual paths such as user-writable directories, temp folders, or renamed tools.

CommandLine

The command line used to launch the process. This field is often the strongest signal for suspicious script execution, living-off-the-land abuse, encoded commands, and tool parameters.

ParentImage / ParentCommandLine

The parent process context. Office spawning PowerShell, a service spawning cmd.exe, or a browser spawning a script host can be more suspicious than the child process alone.

Hashes

Configured file hashes for the process image. These help correlate binaries across hosts and support allowlisting, blocklisting, and malware triage workflows.

Common False Positives

  • Administrative scripts and endpoint management tools can generate large volumes of PowerShell, cmd.exe, msiexec.exe, or wmic.exe process creation events.
  • Software installers and update agents often spawn short-lived child processes with complex command lines.
  • Developer workstations can legitimately run interpreters, compilers, shells, and unsigned local tools at high frequency.

Related Events

MITRE ATT&CK Mapping

  • T1059Command and Scripting Interpreter
  • T1105Ingress Tool Transfer
  • T1204User Execution

Detection Notes

T1059 execution is concrete when Image is powershell.exe with -EncodedCommand or -ExecutionPolicy Bypass and CommandLine references C:\\Users\\ or C:\\ProgramData\\. ParentImage WINWORD.EXE or browser process launching that interpreter is a high-signal chain; join ProcessGuid to Event ID 3.

Microsoft Sentinel KQL
Sysmon
| where EventID == 1
| where Image has_any ("\\powershell.exe", "\\cmd.exe", "\\wscript.exe", "\\cscript.exe", "\\mshta.exe")
| project TimeGenerated, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine
| order by TimeGenerated desc
Splunk SPL
index=sysmon EventCode=1
| search Image IN ("*\\powershell.exe", "*\\cmd.exe", "*\\wscript.exe", "*\\cscript.exe", "*\\mshta.exe")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine
Sample Log
UtcTime: 2026-07-10 03:20:11.123
ProcessGuid: {11111111-2222-3333-4444-555555555555}
ProcessId: 4242
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Public\script.ps1
CurrentDirectory: C:\Users\Public\
User: CORP\jsmith
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: cmd.exe /c powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Public\script.ps1
Hashes: SHA256=REDACTED

Source