{
  "id": "3",
  "source": "sysmon",
  "category": "Network",
  "name": "Network connection detected",
  "priority": "P1",
  "applicable_version": "Sysmon 1.0 and later; network connection logging must be enabled",
  "last_reviewed": "2026-07-10",
  "definition": "Sysmon Event ID 3 records network connections initiated by a process and links outbound activity to the responsible image, user, process GUID, and destination.",
  "trigger_scenarios": "Sysmon generates the event when a configured process establishes a TCP or UDP connection. The event is disabled by default in Sysmon and must be explicitly enabled in the configuration.",
  "key_fields": [
    {
      "field": "Image / ProcessGuid",
      "explanation": "The executable and stable process identifier responsible for the connection. ProcessGuid can be joined to Event ID 1 for command-line and parent-process context."
    },
    {
      "field": "DestinationIp / DestinationHostname",
      "explanation": "The remote address and hostname observed for the connection. Compare both values because name resolution and direct-IP connections provide different investigative clues."
    },
    {
      "field": "DestinationPort",
      "explanation": "The remote service port. Rare ports, ports that do not match the process role, and external administrative services are useful starting points."
    },
    {
      "field": "Initiated",
      "explanation": "Indicates whether the local process initiated the connection. Most outbound command-and-control hunting focuses on initiated connections."
    }
  ],
  "false_positives": [
    "Browsers, endpoint agents, update clients, and cloud applications make frequent external connections.",
    "CDNs and shared hosting can make an unfamiliar destination appear suspicious without additional context.",
    "Remote administration and monitoring platforms can legitimately use uncommon ports."
  ],
  "related_event_ids": [
    "1",
    "22"
  ],
  "attck_mapping": [
    {
      "technique_id": "T1071",
      "technique_name": "Application Layer Protocol"
    },
    {
      "technique_id": "T1105",
      "technique_name": "Ingress Tool Transfer"
    }
  ],
  "detection_notes": "T1071/T1105 is concrete when Initiated is true, DestinationPort is 443 or 80, and Image is powershell.exe, mshta.exe, or a binary under C:\\\\Users\\\\. Join ProcessGuid to Event ID 1; periodic connections to one DestinationIp are beacon candidates.",
  "kql_snippet": "Sysmon\n| where EventID == 3 and Initiated == \"true\"\n| where Image has_any (\"\\\\powershell.exe\", \"\\\\rundll32.exe\", \"\\\\mshta.exe\")\n| project TimeGenerated, Computer, User, Image, DestinationIp, DestinationHostname, DestinationPort, ProcessGuid\n| order by TimeGenerated desc",
  "spl_snippet": "index=sysmon EventCode=3 Initiated=true\n| search Image IN (\"*\\\\powershell.exe\", \"*\\\\rundll32.exe\", \"*\\\\mshta.exe\")\n| table _time, host, User, Image, DestinationIp, DestinationHostname, DestinationPort, ProcessGuid",
  "sample_log": "UtcTime: 2026-07-10 03:20:14.000\nProcessGuid: {11111111-2222-3333-4444-555555555555}\nImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\nUser: CORP\\jsmith\nProtocol: tcp\nInitiated: true\nDestinationHostname: example.invalid\nDestinationIp: 203.0.113.10\nDestinationPort: 443",
  "source_url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon",
  "route": "/sysmon-events/3/",
  "canonical_url": "https://soceventlookup.com/sysmon-events/3/",
  "json_url": "/api/events/sysmon/3.json"
}
