Sysmon

Working with Sysmon

I have been having a great time working with the Sysmon tool. Sysmon (System Monitor) is a Sysinternals utility that installs as a Windows service plus a kernel driver and writes process creations, network connections, driver loads and other activity to the Windows event log, which makes it one of the most valuable sources of endpoint telemetry for detection and investigation. This blog has the steps to install the tool and load a configuration.

Prerequisites

Step 1:

Download https://download.sysinternals.com/files/Sysmon.zip and extract the zip. The archive contains Sysmon.exe (32-bit) and Sysmon64.exe (64-bit); the steps below use Sysmon64.exe.

Step 2:

Inside the extracted folder, save the following as config.xml. It is based on the sample configuration from the Sysmon documentation, extended to also log network connections made by cmd.exe and powershell.exe and to log clipboard changes:

<Sysmon schemaversion="4.82">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>
    <!-- Do not log process termination: an include filter with no rules matches nothing -->
    <ProcessTerminate onmatch="include" />
    <!-- Log network connections if the destination port equals 443 or 80 ... -->
    <NetworkConnect onmatch="include">
      <DestinationPort>443</DestinationPort>
      <DestinationPort>80</DestinationPort>
    </NetworkConnect>
    <!-- ... or if the connecting process is cmd.exe or powershell.exe, whatever the port. -->
    <!-- Windows PowerShell lives under WindowsPowerShell\v1.0, not directly in System32. -->
    <NetworkConnect onmatch="include">
      <Image condition="is">C:\Windows\System32\cmd.exe</Image>
      <Image condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Image>
    </NetworkConnect>
    <!-- ... but never when the process is Internet Explorer (an exclude match wins over an include) -->
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">iexplore.exe</Image>
    </NetworkConnect>
    <!-- Log every clipboard change (Event ID 24): an exclude filter with no rules excludes nothing. -->
    <!-- The clipboard text itself is only captured if the CaptureClipboard option is also enabled. -->
    <ClipboardChange onmatch="exclude" />
  </EventFiltering>
</Sysmon>

Step 3:

Install Sysmon from an elevated PowerShell prompt opened in the extracted folder. Run on its own, -i installs the service and driver with Sysmon's built-in default configuration; the config.xml from Step 2 is only applied later (Step 5). To install with it straight away, run .\sysmon64.exe -accepteula -i config.xml instead (-accepteula skips the licence dialog that the first run otherwise shows).

PS C:\Sysmon> .\sysmon64.exe -i

System Monitor v15.15 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2024 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com

Sysmon64 installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon64..
Sysmon64 started.

Step 4:

Verify Installation

  1. Check the services (services.msc, or Get-Service Sysmon64 in PowerShell): a service named Sysmon64 should be running, with sysmon64.exe as its process. The driver is registered as a separate kernel service, SysmonDrv, which sc.exe query SysmonDrv reports as RUNNING.

  2. Check Event Viewer: under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational you should already see new events arriving (for example Event ID 1, Process Create, for every process started since the service came up).

Step 5:

Other Commands

To load a different configuration file, or to reload config.xml after editing it, run the following from an elevated prompt. The new rules take effect immediately; no reinstall or reboot is needed. Running .\Sysmon64.exe -c with no file argument prints the configuration currently in force, and .\Sysmon64.exe -u uninstalls the service and driver.

.\Sysmon64.exe -c .\config.xml

Output when everything is correct:

System Monitor v15.15 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2024 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com

Loading configuration file with schema version 4.82
Sysmon schema version: 4.90
Configuration file validated.
Configuration updated.

Note that the binary's own schema version (4.90 here) is newer than the one declared in the file. Sysmon accepts configurations written for an older schema, but filter elements introduced after 4.82 stay unavailable until you raise the schemaversion attribute.
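As an added example that is not part of the original post, the whole procedure above collected into one PowerShell script: it checks that config.xml is well-formed XML, installs Sysmon with that configuration if the service is absent and otherwise just reloads the configuration, then performs the Step 4 checks (service and driver running, events arriving) and lists the latest network-connection events so you can see the NetworkConnect filters at work. It assumes it is run from the extracted folder on 64-bit Windows, that config.xml sits in that folder, and that Sysmon64.exe returns a nonzero exit code when installation or configuration loading fails.

```powershell
#Requires -RunAsAdministrator
# Added example (not the post's own code): install or update Sysmon with the
# config.xml from Step 2 and verify the result.
# Assumptions: run from the extracted Sysmon folder on 64-bit Windows, config.xml
# is in the same folder, Sysmon64.exe exits nonzero on failure.
param(
    [string]$SysmonDir  = (Get-Location).Path,
    [string]$ConfigPath = (Join-Path $SysmonDir 'config.xml')
)

$sysmon = Join-Path $SysmonDir 'Sysmon64.exe'
foreach ($p in @($sysmon, $ConfigPath)) {
    if (-not (Test-Path $p)) { throw "Missing file: $p" }
}

# Step 2 check: reject a config that is not well-formed XML before handing it
# to Sysmon, and show which schema version it declares.
$xml = [xml](Get-Content -Raw $ConfigPath)
Write-Host "config.xml declares schema version $($xml.Sysmon.schemaversion)"

# Step 3 / Step 5: install if the service is absent, otherwise just load the
# updated configuration into the running instance (no reinstall needed).
$svc = Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    & $sysmon -accepteula -i $ConfigPath
} else {
    & $sysmon -c $ConfigPath
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon64.exe exited with code $LASTEXITCODE" }

# Step 4 check: the user-mode service and the kernel driver must both be running.
# Get-Service does not list kernel drivers, so the driver is read via WMI/CIM.
$svc = Get-Service -Name Sysmon64
if ($svc.Status -ne 'Running') { throw "Sysmon64 service is $($svc.Status)" }
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name='SysmonDrv'"
if ($null -eq $drv -or $drv.State -ne 'Running') { throw 'SysmonDrv driver is not running' }

# Step 4 check: events are arriving in the Sysmon operational log. Summarise the
# most recent events by ID so you can see which filters are firing
# (1 = process create, 3 = network connect, 6 = driver load, 24 = clipboard change).
$log = 'Microsoft-Windows-Sysmon/Operational'
Get-WinEvent -LogName $log -MaxEvents 200 -ErrorAction SilentlyContinue |
    Group-Object Id |
    Sort-Object { [int]$_.Name } |
    Select-Object @{n = 'EventId'; e = { $_.Name }}, Count |
    Format-Table -AutoSize

# Confirm the NetworkConnect filters do what their comments say: the latest
# Event ID 3 records should come only from the included ports or images, and
# never from iexplore.exe. The field values live in EventData/Data elements.
Get-WinEvent -LogName $log -FilterXPath '*[System[EventID=3]]' -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e = [xml]$_.ToXml()
        $d = @{}
        foreach ($f in $e.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        [pscustomobject]@{
            Time  = $_.TimeCreated
            Image = $d['Image']
            Dest  = "$($d['DestinationIp']):$($d['DestinationPort'])"
        }
    } | Format-Table -AutoSize
```

Run it as .\Install-Sysmon.ps1 from the extracted folder (or pass -SysmonDir and -ConfigPath). Because it branches on whether the Sysmon64 service already exists, the same script serves for the first install (Step 3) and for every later configuration change (Step 5); the per-ID summary at the end is also the quickest way to notice a filter that is far noisier than intended before the log starts rolling over.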

Have Fun!


Thank You

If you have made it this far, congratulations. Please feel free to share your thoughts via the comments.


Let's Connect

Feel free to connect with me on LinkedIn and Twitter if you have any questions.

Until Next time!

Did you find this article valuable?

Support Sandeep Gokhale's Blog by becoming a sponsor. Any amount is appreciated!