EventPeeker
Event ID 3 · Information · Sysmon · T1071

Windows Event ID 3: Network Connection

Sysmon Event 3 fires for every TCP and UDP network connection initiated by a process, recording the source process, destination IP, port, hostname (via DNS), and protocol. Unlike Windows Firewall Event 5156, Sysmon 3 includes the full process image path and is not filtered by firewall rules — giving visibility into connections that the firewall allows but that a security team would want to investigate.

MITRE ATT&CK

Technique: T1071 · Application Layer Protocol

Tactic: Command and Control

View on attack.mitre.org →

Why It Matters

Network connections are the external expression of what a compromised process is doing — C2 beacons, lateral movement, data exfiltration, and payload downloads all generate Sysmon 3 events. No native Windows event provides equivalent process-to-connection mapping with this fidelity. Sysmon 3 enables detections that require correlating process identity with network behavior: powershell.exe connecting to an external IP, rundll32.exe making an outbound SMB connection, or a process beaconing to the same IP at regular intervals.

Key Fields

Image: The process making the connection — unexpected processes with outbound connections are the primary signal: powershell.exe, rundll32.exe, mshta.exe, wscript.exe connecting externally are rarely legitimate
DestinationIp: The destination IP address — compare against threat intelligence feeds, your known-good IP list, and cloud provider ranges (unexpected Azure/AWS IPs from non-cloud processes can indicate C2 via cloud infrastructure)
DestinationPort: The destination port — common C2 ports: 443 (HTTPS, hardest to detect), 80 (HTTP), 4444 (Metasploit default), 8080, 8443; unusual high ports from common processes are suspicious
DestinationHostname: DNS hostname of the destination — newly registered domains, DGA (algorithmically generated) hostnames, and hostnames with high entropy are C2 indicators; legitimate services use recognizable hostnames
Initiated: True = outbound connection initiated by the process; False = inbound connection received. Outbound from unexpected processes = C2 or exfiltration; inbound to a non-server process = reverse shell
Protocol: TCP or UDP — most C2 uses TCP; UDP beacons are less common but harder to inspect; DNS-based C2 appears as high-volume UDP port 53 from processes that don't normally use DNS

Investigation Tips

  1. Process-to-connection anomalies: powershell.exe, wscript.exe, mshta.exe, rundll32.exe, regsvr32.exe, certutil.exe, or any Office application making outbound TCP connections to external IPs. These processes have no legitimate business connecting externally in most environments.
  2. C2 beacon pattern: the same process connecting to the same destination IP at regular intervals (every 60s, 300s, etc.). Use a time-series analysis on Sysmon 3 events grouped by Image + DestinationIp — regular periodicity with low jitter is a beacon signature.
  3. Newly registered or high-entropy domain names in DestinationHostname — DGA domains (e.g. xkqjfmzbn.com) and freshly registered domains (< 30 days old) are common C2 infrastructure. Enrich with passive DNS or domain age data.
  4. Unexpected outbound SMB (port 445) from a workstation to another workstation — Sysmon 3 from rundll32.exe or cmd.exe to port 445 on an internal host = UNC path DLL loading or lateral movement attempt.
  5. High-volume DNS queries (UDP port 53) from processes that don't normally use DNS — DNS tunneling for data exfiltration or C2 generates unusually high query rates from non-browser processes.
  6. Inbound connections (Initiated = false) to non-server processes on workstations — a reverse shell waiting for a C2 callback appears as an inbound connection to cmd.exe or powershell.exe.

Related Event IDs

Event 1: Sysmon Process Create — identifies the process making the connection and its launch context
Event 4688: Native process creation — correlate with Sysmon 3 if Sysmon Event 1 is not available
Event 4624: Successful logon — establish which user account owns the session making the connection

Frequently Asked Questions

Why is Sysmon Event 3 better than Windows Firewall Event 5156 for detecting C2 traffic?
Windows Firewall Event 5156 records network connections allowed by the firewall, but it only fires for connections that the firewall policy processes — and it lacks process context in a usable form. Sysmon 3 fires for every connection regardless of firewall rules, includes the full Image path of the connecting process, and is correlated with the Sysmon process tree (linking back to Event 1 via ProcessId). This means Sysmon 3 can answer 'which process made this connection and what was its full launch chain' in a single query. With 5156 alone, you know a connection was allowed; with Sysmon 3, you know exactly which process initiated it and can immediately assess whether that process should be making that connection.
How do I detect C2 beaconing using Sysmon Event 3?
Group Sysmon 3 events by Image + DestinationIp + DestinationPort and compute the time delta between consecutive connections. C2 beacons show regular intervals (e.g. every 60 seconds ± a small jitter). Legitimate traffic is bursty — browsers make many connections in short windows, then go quiet. In KQL: use bin() on TimeGenerated at the suspected interval, count Sysmon 3 events per bucket per Image+Destination pair, and look for consistent non-zero counts across all time buckets. C2 beacons maintain presence even during off-hours when legitimate traffic drops to near-zero.
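The grouping and interval analysis described in this answer and in investigation tip 2, carried out in Python rather than KQL, as an added example that is not part of the original page. The minimum sample count and the jitter ceiling are assumed tuning values; the sample events are constructed and use Sysmon's UtcTime timestamp layout.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

MIN_CONNECTIONS = 8   # assumed: fewer samples give an unreliable periodicity estimate
MAX_JITTER = 0.15     # assumed: std-dev of the intervals as a fraction of the mean interval
UTC_FMT = "%Y-%m-%d %H:%M:%S.%f"  # Sysmon UtcTime layout, e.g. 2024-01-01 09:00:00.000

def find_beacons(events):
    """Group Sysmon 3 events by Image+DestinationIp+DestinationPort and return the
    pairs whose inter-connection intervals are regular: {key: (mean_seconds, jitter)}."""
    times = defaultdict(list)
    for e in events:
        key = (e["Image"], e["DestinationIp"], e["DestinationPort"])
        times[key].append(datetime.strptime(e["UtcTime"], UTC_FMT))
    beacons = {}
    for key, ts in times.items():
        if len(ts) < MIN_CONNECTIONS:
            continue
        ts.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        avg = mean(deltas)
        if avg <= 0:
            continue
        jitter = pstdev(deltas) / avg  # coefficient of variation: near 0 means metronomic
        if jitter <= MAX_JITTER:
            beacons[key] = (round(avg, 1), round(jitter, 3))
    return beacons

def constructed_events():
    """Constructed sample (not real logs): a 60 s beacon with up to 2 s of jitter
    from rundll32.exe, and a browser that connects in two short bursts."""
    start = datetime(2024, 1, 1, 9, 0, 0)
    def ev(t, image, ip, port):
        return {"UtcTime": t.strftime(UTC_FMT)[:-3], "Image": image,
                "DestinationIp": ip, "DestinationPort": port}
    events = []
    for i, jit in enumerate([0, 1, -2, 2, -1, 0, 1, -2, 2, 0]):
        t = start + timedelta(seconds=60 * i + jit)
        events.append(ev(t, r"C:\Windows\System32\rundll32.exe", "203.0.113.5", 443))
    for burst in (0, 300):  # six connections 100 ms apart, then silence for five minutes
        for k in range(6):
            t = start + timedelta(seconds=burst, milliseconds=100 * k)
            events.append(ev(t, r"C:\Program Files\Mozilla Firefox\firefox.exe", "198.51.100.20", 443))
    return events

if __name__ == "__main__":
    for (image, ip, port), (interval, jitter) in find_beacons(constructed_events()).items():
        print(f"BEACON {image} -> {ip}:{port} every {interval}s (jitter {jitter})")
```

The browser pair has the same number of connections but a coefficient of variation above 3, so only the rundll32.exe pair is reported.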
Sysmon Event 3 is generating enormous log volume — how do I make it manageable?
Sysmon 3 is the highest-volume Sysmon event on most systems. Three filtering strategies: (1) Network-based exclusion in the Sysmon config — exclude connections to known-good IP ranges (corporate DNS, patch servers, cloud CDNs) by DestinationIp or DestinationPort. (2) Process-based exclusion — exclude connections from high-volume, low-risk processes (browsers, update agents, AV) by Image path. (3) Ingest selectively — collect Sysmon 3 only for processes in your high-risk watchlist (powershell.exe, cmd.exe, wscript.exe, mshta.exe, rundll32.exe, certutil.exe, Office applications) and discard the rest at the collector. This reduces volume by 80–95% while preserving coverage of the processes attackers actually use.
