In computer science, a system monitor is a component used to monitor system resources and performance in a computer system. Sysmon is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. – It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them. Kindly refer to these related guides: How to detect registry keys: Process Monitor using Sysinternals Tools, how to use the PsInfo utility, and how to enable Automatic Logon on Windows 10.
In this way, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
For other SysInternal tools I have written about, see the following links
- Process Explorer (SysInternal Tools),
- How to use Sysinternals Live Tools,
- How to download and use Windows SysInternals tools locally,
- Process Explorer (Replace built-in Task Manager),
- Detect registry keys – Process Monitor “SysInternal Tools”.
Below are some capabilities of the Sysmon tool
– Logs process creation with full command line for both current and parent processes.
– Records the hash of process image files using SHA1 (the default), MD5, SHA256, or IMPHASH.
– Multiple hashes can be used at the same time.
– Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
– Include a session GUID in each event to allow correlation of events on the same logon session.
– Logs loading of drivers or DLLs with their signatures and hashes.
– Logs opens for raw read access of disks and volumes.
– Optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names.
– Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
– Automatically reload configuration if changed in the registry.
– Rule filtering to include or exclude certain events dynamically.
– Generates events from early in the boot process to
Download Sysmon from the following link. Extract the zipped file as shown below
To install and uninstall Sysmon, use the command-line options below. This command can be used to check and modify Sysmon’s configuration as well.
Command usage information as shown below.
Install: sysmon64 -i [<configfile>] Update configuration: sysmon64 -c [<configfile>] Install event manifest: sysmon64 -m Print schema: sysmon64 -s Uninstall: sysmon64 -u [force]
Below is a brief information about the parameters used and its description.
-i: Is used to install service and driver. Optionally take a configuration file. - c: Is the Update configuration of an installed Sysmon driver or dump the current configuration if no other argument is provided. Optionally take a configuration file. - m: Install the event manifest (done on service install as well). - s: Print configuration schema definition. - u: Uninstall service and driver. Adding force causes uninstall to proceed even when some components are not installed.: Uninstall service and driver. Adding force causes uninstall to proceed even when some components are not installed.
Install Sysmon: This method installs sysmon with the default settings. This will process images hashes with sha1 with no network monitoring. Specify -accepteula to automatically accept the EULA on installation, otherwise you will be interactively prompted to accept it.
sysmon -accepteula –i
Note: You can install Sysmon with a configuration file without using the above method as shown below.
– In this case, you have to have a configuration file created already. Below is the command to achieve this.
sysmon –accepteula –i c:\windows\config.xml
Uninstall Sysmon: To uninstall Sysmon. the the following
For other command usage, see the following commandss and parameters below.
#Dump the current configuration sysmon –c #Change the configuration of sysmon with a configuration file (as described below) sysmon –c c:\windows\config.xml #Change the configuration to default settings sysmon –c -- #Show the configuration schema: sysmon -s
View Sysmon Logs: To view the log launch the Windows Event Viewer. This can be launched from the command prompt on the fly by entering the command as shown “eventvwr“.
Note: In order to have the Sysmon event appear on the Windows Event console, you will need to create a custom view. For more details, see the following link. When this is done, you can now view Sysmon events (logs) as shown below.
I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.