
SysInternal: What is System Monitor (Sysmon) and how to install and use it

In computer science, system monitor is a component used to monitor system resources and performance in a computer system.

Sysmon: Sysmon is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.

– It provides detailed information about process creations, network connections, and changes to file creation time.
– By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analysing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.

For other SysInternal tools I have written about, see the following links.

Below are some capabilities of the Sysmon tool:
– Logs process creation with full command line for both current and parent processes.
– Records the hash of process image files using SHA1 (the default), MD5, SHA256 or IMPHASH.
– Multiple hashes can be used at the same time.
– Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
– Includes a session GUID in each event to allow correlation of events on the same logon session.
– Logs loading of drivers or DLLs with their signatures and hashes.
– Logs opens for raw read access of disks and volumes.
– Optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names.
– Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
– Automatically reloads the configuration if it is changed in the registry.
– Rule filtering to include or exclude certain events dynamically.
– Generates events from early in the boot process to 

Download Sysmon from https://download.sysinternals.com/files/Sysmon.zip
– Extract the zipped file as shown below

To install and uninstall Sysmon, use the command-line options below. The same command can also be used to dump and modify Sysmon’s configuration.

Command usage information is shown below.

Install: sysmon64 -i [<configfile>]
Update configuration: sysmon64 -c [<configfile>]
Install event manifest: sysmon64 -m
Print schema: sysmon64 -s
Uninstall: sysmon64 -u [force]

Below is brief information about the parameters and their descriptions.

-i: Installs the service and driver. Optionally takes a configuration file.
-c: Updates the configuration of an installed Sysmon driver, or dumps the current configuration if no other argument is provided. Optionally takes a configuration file.
-m: Installs the event manifest (done on service install as well).
-s: Prints the configuration schema definition.
-u: Uninstalls the service and driver. Adding force causes the uninstall to proceed even when some components are not installed.

Install Sysmon: This method installs Sysmon with the default settings: process images are hashed with SHA1 and no network connections are monitored. Specify -accepteula to accept the EULA automatically on installation; otherwise you will be prompted interactively to accept it.

sysmon -accepteula -i

Note: You can also install Sysmon with a configuration file instead of the default settings, as shown below.
– In this case, the configuration file must already exist. Below is the command to achieve this.

sysmon -accepteula -i c:\windows\config.xml

Uninstall Sysmon: To uninstall Sysmon, run the following command.

sysmon -u

For other command usage, see the following commands and parameters below.

#Dump the current configuration
sysmon -c

#Change the configuration of Sysmon using a configuration file
sysmon -c c:\windows\config.xml

#Reset the configuration to the default settings
sysmon -c --

#Show the configuration schema
sysmon -s

View Sysmon Logs: To view the log, launch the Windows Event Viewer.
– This can be launched from the command prompt on the fly by entering the command "eventvwr".

– For various methods to launch the Windows Event viewer, see https://techdirectarchive.com/2020/02/06/various-methods-to-launch-the-event-viewer/
– Failure Reasons for Windows Event Viewer, see https://techdirectarchive.com/2019/01/31/failure-reasons-for-windows-event-viewer/

Note: In order to have the Sysmon event appear on the Windows Event console, you will need to create a custom view. For more details, see https://techdirectarchive.com/2020/05/03/sysmon-how-to-create-a-custom-view-in-windows-event-viewer/

When this is done, you can now view Sysmon events (logs) as shown below.
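Putting the configuration-file install and the log viewing steps above together, here is an added PowerShell example (not from the original post) that writes a rule-filtered Sysmon configuration, loads it with sysmon64 -c (or -i on first install), and then reads the resulting events back from the Sysmon operational log with Get-WinEvent instead of an Event Viewer custom view. The schemaversion value, the config path and the process image names in the rules are assumptions; run sysmon64 -s to see the schema version your build accepts.

```powershell
# Added example; not part of the original post. Run from an elevated PowerShell
# prompt in the folder where Sysmon.zip was extracted.
# Assumption: schemaversion 4.90; compare with the value printed by 'sysmon64 -s'
# and use that one if it differs.
$configPath = 'C:\Windows\config.xml'   # same path the post uses

$config = @'
<Sysmon schemaversion="4.90">
  <!-- Hash process images with SHA256 and IMPHASH instead of the SHA1 default -->
  <HashAlgorithms>SHA256,IMPHASH</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1: keep every process creation except one known-noisy image -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 3: network connections are off by default; log only those
         made by scripting hosts (image names are assumptions) -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="end with">powershell.exe</Image>
        <Image condition="end with">wscript.exe</Image>
      </NetworkConnect>
    </RuleGroup>
    <!-- Event ID 2: file creation time changed on any executable -->
    <RuleGroup name="" groupRelation="or">
      <FileCreateTime onmatch="include">
        <TargetFilename condition="end with">.exe</TargetFilename>
      </FileCreateTime>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path $configPath -Value $config -Encoding ASCII

# First run installs the service and driver; later runs only reload the config
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & .\sysmon64.exe -c $configPath
} else {
    & .\sysmon64.exe -accepteula -i $configPath
}

# Read process-create (1), timestomp (2) and network (3) events straight from
# the Sysmon operational log instead of an Event Viewer custom view
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 1, 2, 3
} -MaxEvents 20 | Select-Object TimeCreated, Id, Message | Format-List
```

If the install succeeded but Get-WinEvent returns nothing, start a new process or open a network connection from powershell.exe and run the query again; Sysmon only records events matching the rules after the configuration is loaded.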

See the following video below for more details from the creator of SysInternal tools.

If you found this article useful, kindly leave a comment below.
