Efficacy Testing
Efficacy testing validates that your Sysmon configuration actually generates the events it is designed to detect. Deploying Sysmon without verifying detection coverage is like installing a smoke detector without testing it -- you will not know it works until you need it.
What Is Efficacy Testing?
Efficacy testing for Sysmon means performing known actions on a system and confirming that the corresponding Sysmon events appear in the event log. It answers three questions:
- Is Sysmon running and logging? -- The service is active and writing to the event log.
- Does the config detect what it should? -- The rules match the activities they are designed to capture.
- Are exclusion rules too aggressive? -- Legitimate detections are not being suppressed by overly broad exclusions.
Organizations that do not perform efficacy testing commonly discover gaps only during incident response -- when it is too late. Regular validation (after initial deployment, after config changes, and periodically) ensures your monitoring remains effective.
ICS Watch Dog Efficacy Test Script
The ICS Watch Dog project includes a PowerShell validation script that tests Sysmon config efficacy by triggering safe, benign actions and verifying the events appear in the Sysmon log.
Requirements
- Windows with Sysmon installed, configured, and running
- Administrator privileges (required to read the Sysmon event log)
- PowerShell 3.0 or later
- No external modules or dependencies
Download
Download the script from the ICS Watch Dog repository:
tools/Test-SysmonConfig.ps1Usage
Run from an elevated (Administrator) PowerShell prompt:
# Run default observation-only tests (9 Event IDs)
.\Test-SysmonConfig.ps1
# Run all tests including registry and WMI changes (14 Event IDs)
.\Test-SysmonConfig.ps1 -AllowSystemChanges
# Increase wait time for slow systems (default: 10 seconds)
.\Test-SysmonConfig.ps1 -WaitSeconds 20
# Skip the confirmation prompt (for automated testing)
.\Test-SysmonConfig.ps1 -SkipConfirmationTest Groups
Tests are divided into two groups based on system impact:
| Group | Runs By Default | Event IDs | What It Does |
|---|---|---|---|
| Observation-only | Yes | 1, 3, 5, 11, 15, 17, 18, 22, 26 | Starts/stops a process, creates/deletes temp files, makes a network connection, creates a named pipe, performs a DNS query. All artifacts are ephemeral. |
| System changes | No (requires -AllowSystemChanges) |
12, 13, 19, 20, 21 | Creates a HKCU Run key registry entry and WMI event subscriptions. All changes are cleaned up automatically, but failed cleanup leaves artifacts on the system. |
OT environments: Start with the default observation-only tests. Only use -AllowSystemChanges after reviewing the planned changes the script displays and understanding the manual cleanup steps below. System changes should be tested in a lab environment first.
How It Works
- Pre-flight checks -- Verifies administrator privileges, Sysmon service running, event log accessible, PowerShell version.
- Planned changes display -- Shows every action the script will perform, with full paths and warnings for system-modifying tests.
- Confirmation prompt -- Requires you to type Y before proceeding (override with
-SkipConfirmation). - Execute triggers -- Performs safe actions that should generate Sysmon events.
- Wait for propagation -- Pauses to allow Sysmon to write events to the log (configurable via
-WaitSeconds). - Verify events -- Queries the Sysmon event log for each expected Event ID within the test time window.
- Cleanup -- Removes all test artifacts with per-item success/failure reporting.
- Summary report -- Pass/fail per Event ID, cleanup status, and guidance for any failures.
Interpreting Results
A [PASS] result means the Sysmon event appeared in the log within the wait period. A [FAIL] result may indicate:
- The Sysmon config does not monitor this event type (check your config's RuleGroup for the Event ID)
- The event type is disabled in the config (e.g., ImageLoad and FileDelete are disabled by default in most ICS Watch Dog configs)
- Event log propagation was slower than the wait period -- re-run with
-WaitSeconds 30 - The config uses include rules that did not match the specific test action (review the rule conditions)
Not all Event IDs will pass with every config. For example, the community file-create-only config only monitors Event ID 11 -- all other tests will correctly show [FAIL]. The test validates what your config detects.
Event ID Test Details
The following table describes each test action and what it validates:
Observation-Only Tests (Default)
| Event ID | Event Type | Test Action | Config Rule Matched |
|---|---|---|---|
| 1 | ProcessCreate | Starts notepad.exe (hidden window, closed immediately) | Exclude-based: notepad.exe is not in the exclude list |
| 3 | NetworkConnect | TCP connection to example.com port 80 (no data sent) | Exclude-based: PowerShell is not excluded |
| 5 | ProcessTerminate | Stops the notepad.exe process started above | Exclude-based: notepad.exe is not excluded |
| 11 | FileCreate | Creates a .bat file in the user Temp directory | Include-based: matches .bat extension and Temp path rules |
| 15 | FileCreateStreamHash | Creates a .exe file in the user Temp directory | Include-based: matches .exe extension rule |
| 17 | PipeCreate | Creates a named pipe (ICSWatchDog-EfficacyTest-Pipe) | Exclude-based: custom pipe name is not in the exclude list |
| 18 | PipeConnect | Connects to the named pipe created above | Exclude-based: custom pipe name is not in the exclude list |
| 22 | DnsQuery | DNS query for icswatchdog-efficacy-test.example.com (non-existent, fails harmlessly) | Exclude-based: test domain is not in the exclude list |
| 26 | FileDeleteDetected | Deletes the .bat test file created by the EID 11 test | Include-based: matches .bat extension rule |
System Change Tests (Requires -AllowSystemChanges)
| Event ID | Event Type | Test Action | Config Rule Matched |
|---|---|---|---|
| 12 | RegistryCreate | Creates a value in HKCU\...\CurrentVersion\Run | Include-based: matches Run key monitoring rule |
| 13 | RegistryValueSet | Sets the value created above (points to non-existent executable) | Include-based: matches Run key monitoring rule |
| 19 | WmiFilterCreate | Creates a WMI event filter (harmless query, cleaned up) | Exclude-based (empty exclude): all WMI events logged |
| 20 | WmiConsumerCreate | Creates a WMI command-line consumer (points to non-existent executable) | Exclude-based (empty exclude): all WMI events logged |
| 21 | WmiBindingCreate | Binds the filter to the consumer (cleaned up immediately) | Exclude-based (empty exclude): all WMI events logged |
Event IDs Not Tested
The following Event IDs are not included in the script because they cannot be safely triggered from PowerShell without risking system stability or requiring specialized tools:
| Event ID | Event Type | Why Not Tested |
|---|---|---|
| 2 | FileCreateTime | Requires modifying file timestamps (timestomping) -- suspicious activity on a production system |
| 6 | DriverLoad | Requires loading a kernel driver -- unsafe on production systems |
| 7 | ImageLoad | Disabled by default in most configs due to extreme event volume; can generate millions of events per day |
| 8 | CreateRemoteThread | Requires injecting a thread into another process -- process injection technique |
| 9 | RawAccessRead | Disabled by default in most configs; requires raw disk reads |
| 10 | ProcessAccess | Config only monitors lsass.exe access; testing requires opening a handle to LSASS |
| 23 | FileDelete (archived) | Disabled by default; archives deleted files to disk, consuming storage |
| 25 | ProcessTampering | Requires process hollowing or herpaderping techniques -- advanced offensive operations |
To test these Event IDs, use dedicated security testing tools in a lab environment (see Advanced Testing Tools below).
Manual Cleanup
If the script reports cleanup failures, use these commands to manually remove test artifacts. All artifacts use the prefix ICSWatchDog-EfficacyTest for easy identification.
Files
Test files are created in the user's Temp directory:
# Check for remaining test files
Get-ChildItem -Path $env:TEMP -Filter "ICSWatchDog-EfficacyTest*"
# Remove them
Remove-Item -Path "$env:TEMP\ICSWatchDog-EfficacyTest*" -ForceRegistry
The system change test creates a single value in the HKCU Run key:
# Check for the test registry value
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "ICSWatchDog-EfficacyTest" -ErrorAction SilentlyContinue
# Remove it
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "ICSWatchDog-EfficacyTest" -ForceImportant: If the registry value is not removed, Windows will attempt to launch C:\ICSWatchDog-EfficacyTest-DoesNotExist.exe at next logon. This will fail harmlessly (the file does not exist) but will generate an error message.
WMI Subscriptions
The system change test creates three WMI objects. Remove them in this order (binding first, then consumer, then filter):
# Remove binding
Get-WmiObject -Namespace "root/subscription" -Class "__FilterToConsumerBinding" |
Where-Object { $_.Filter -like "*ICSWatchDog-EfficacyTest*" } | Remove-WmiObject
# Remove consumer
Get-WmiObject -Namespace "root/subscription" -Class "CommandLineEventConsumer" |
Where-Object { $_.Name -eq "ICSWatchDog-EfficacyTest-Consumer" } | Remove-WmiObject
# Remove filter
Get-WmiObject -Namespace "root/subscription" -Class "__EventFilter" |
Where-Object { $_.Name -eq "ICSWatchDog-EfficacyTest-Filter" } | Remove-WmiObjectTo verify all WMI test objects are removed:
# Should return no results
Get-WmiObject -Namespace "root/subscription" -Class "__EventFilter" |
Where-Object { $_.Name -like "*ICSWatchDog*" }
Get-WmiObject -Namespace "root/subscription" -Class "CommandLineEventConsumer" |
Where-Object { $_.Name -like "*ICSWatchDog*" }
Get-WmiObject -Namespace "root/subscription" -Class "__FilterToConsumerBinding" |
Where-Object { $_.Filter -like "*ICSWatchDog*" }Advanced Testing Tools
The ICS Watch Dog efficacy test script is a focused smoke test. For organizations wanting deeper adversary emulation and detection validation, these tools provide broader coverage:
| Tool | Type | Best For | OT Suitability |
|---|---|---|---|
| Atomic Red Team | Open source, PowerShell-based | ATT&CK-mapped detection tests (1,070+ techniques) | Lab only -- many tests are destructive or modify system state significantly |
| SysmonSimulator | Open source, C binary | Triggering specific Sysmon Event IDs including unsafe ones (8, 10, 25) | Lab only -- uses process injection and other offensive techniques |
| MITRE Caldera | Open source, C2 platform | Automated adversary emulation with agent-based execution | Lab only -- requires C2 infrastructure and agent deployment |
| Scythe | Commercial | Purple team exercises with repeatable campaigns | Lab only -- commercial platform for mature security programs |
Do not run adversary emulation tools on production OT systems. These tools perform actions that can disrupt operations, trigger security alerts, and leave artifacts that are difficult to distinguish from real attacks. Always use isolated lab environments that mirror your production setup.
When to Test
Run efficacy tests:
- After initial Sysmon deployment -- Confirm the config is working before relying on it for detection.
- After config changes -- Verify that rule modifications did not break existing detections.
- After Sysmon version upgrades -- Confirm compatibility with the new version.
- Periodically -- Quarterly or semi-annually to catch configuration drift or accidental changes.
- During incident response preparation -- Validate detection capability as part of IR readiness exercises.