Setting up Sysmon

This guide provides a practical walkthrough for installing and using Sysmon to detect malicious activity on Windows systems.

What is Sysmon?

Sysmon is a Microsoft/Sysinternals service that provides detailed logging information on items that are not normally logged in default Windows logging configurations. It serves dual purposes: troubleshooting and security monitoring.

[Image: Sysmon overview]

Installation Process

  1. Download from the Sysinternals website
  2. Create an XML configuration file with filtering rules
  3. Install via administrative command prompt using: sysmon.exe -i config.xml
  4. Access logs in Event Viewer under Applications and Services Logs → Microsoft → Windows → Sysmon → Operational

[Image: Installation command]

[Image: Event Viewer location]

Sample Configuration

The configuration should capture file hashes, filter driver loads, record process termination, and exclude certain network connections based on your environment's needs.

[Image: Configuration example]
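The following is an added minimal configuration illustrating the four points above; it is not the configuration from the original guide. The schema version and the specific exclusions (browser images, loopback traffic, Microsoft-signed drivers) are assumptions that should be adjusted to the installed Sysmon version (`sysmon -s` prints the supported schema) and to your environment.

```xml
<!-- Added example config: schemaversion is an assumption; match it to your Sysmon build -->
<Sysmon schemaversion="4.22">
  <!-- Compute several hashes for each process image so events can be pivoted to threat intel -->
  <HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>

  <EventFiltering>
    <!-- Event ID 1: log every process creation (an empty exclude list excludes nothing) -->
    <ProcessCreate onmatch="exclude" />

    <!-- Event ID 5: log every process termination -->
    <ProcessTerminate onmatch="exclude" />

    <!-- Event ID 6: log driver loads, but drop drivers with a Microsoft/Windows signature
         (assumed exclusion; unsigned or third-party drivers are the interesting ones) -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">Microsoft</Signature>
      <Signature condition="contains">Windows</Signature>
    </DriverLoad>

    <!-- Event ID 3: log network connections, excluding known-noisy sources
         (assumed exclusions; tune to your environment and keep the list short) -->
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
      <Image condition="end with">msedge.exe</Image>
      <DestinationIp condition="begin with">127.</DestinationIp>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>
```

Install it with `sysmon.exe -accepteula -i config.xml` and update later with `sysmon.exe -c config.xml`; every exclusion is a blind spot, so review them against the detections you expect the log to support.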

Detection Capabilities

Sysmon captures valuable security data including:

  • Event ID 1 (Process Creation): Reveals PowerShell execution with base64-encoded commands

[Image: Process creation event]

  • Event ID 3 (Network Connect): Shows malware communicating with command-and-control servers

[Image: Network connection event]

  • Command execution: Records reconnaissance tools such as whoami.exe being run by attackers

[Image: Command execution detection]

Strategic Value

Mapped against the Cyber Kill Chain framework, Sysmon improves your visibility into several critical phases: delivery, exploitation, installation, and command and control.

[Image: Cyber Kill Chain mapping]

Conclusion

This foundational guide shows how Sysmon provides forensic-level detail beyond the standard Windows event logs for identifying compromise and attacker behavior.