Sysmon - System Monitor

Sysmon (System Monitor) is a Windows system service and device driver that monitors and logs system activity to the Windows event log. It provides detailed information about process creations, network connections, file modifications, and more. This information can be used to help diagnose operational problems, investigate security incidents, and understand how applications and systems behave.

Important: Sysmon requires administrator privileges to install and run. Ensure you understand the configuration options before deploying Sysmon in a production environment.

Key Features

Installation and Configuration

Sysmon is installed via the command line. A configuration file (XML format) is crucial for defining what events Sysmon should capture. Without a configuration file, Sysmon logs a very broad set of events, which can be overwhelming.

Installing Sysmon

Download the latest version of Sysmon from the Microsoft Sysinternals website. To install, open an elevated command prompt or PowerShell and run:

# Download the latest release from https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
# Extract the downloaded zip file to a directory.
# Open an elevated command prompt or PowerShell in that directory.
.\Sysmon64.exe -accepteula -i sysmonconfig-export.xml

Replace sysmonconfig-export.xml with the path to your desired configuration file.

Basic Configuration Example

A minimal configuration file might look like this:

<?xml version="1.0" encoding="utf-8"?>
<Sysmon schemaversion="4.80">
  <HashAlgorithms>MD5,SHA1,SHA256,IMPHASH</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1: record only process creations of notepad.exe -->
    <ProcessCreate onmatch="include">
      <Image condition="is">C:\Windows\System32\notepad.exe</Image>
    </ProcessCreate>
    <!-- Event ID 3: record connections to port 80 or 443. Each port needs its own
         rule; a single value of "80,443" would be compared literally and never match. -->
    <NetworkConnect onmatch="include">
      <DestinationPort condition="is">80</DestinationPort>
      <DestinationPort condition="is">443</DestinationPort>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>

Viewing Sysmon Events

Sysmon logs events to the Applications and Services Logs > Microsoft > Windows > Sysmon > Operational log in the Windows Event Viewer. The same log is exposed to tools and scripts under the channel name Microsoft-Windows-Sysmon/Operational.
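Reading the log from Event Viewer does not scale, so the following added example (not part of the Sysmon documentation) pulls the last hour of process-create (ID 1) and network-connect (ID 3) events with PowerShell and flattens the EventData fields into objects. It assumes Sysmon is already installed, as described above, and runs in an elevated PowerShell 5.1 or later session.

```powershell
# Added example: query the Sysmon Operational channel for Event IDs 1 and 3
# from the last hour and turn each event's <Data Name="..."> fields into
# a PowerShell object that can be filtered, grouped or exported.
# Assumes Sysmon is installed and the session is elevated.
$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1, 3
    StartTime = (Get-Date).AddHours(-1)
}

# An empty time window is not an error for this report, so suppress the
# "No events were found" message Get-WinEvent emits in that case.
Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Sysmon stores every field as <Data Name="Image">value</Data> under EventData.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            EventId     = $_.Id
            Image       = $data['Image']
            User        = $data['User']
            # CommandLine exists only on ID 1; it is $null for network events.
            CommandLine = $data['CommandLine']
            # Destination is populated only for ID 3 (NetworkConnect).
            Destination = $(if ($_.Id -eq 3) {
                               '{0}:{1}' -f $data['DestinationIp'], $data['DestinationPort']
                           } else { $null })
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

With the configuration shown earlier, the output should contain only notepad.exe launches and connections to ports 80 and 443; anything else appearing here means the filter file was not applied (check with Sysmon64.exe -c).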

Further Reading