The Sysmon tool is part of the Sysinternals software suite provided by Microsoft. Sysmon allows us to monitor and analyze Windows system events and logs. Through Sysmon, we can analyze and investigate system events and use them to identify threats and respond to incidents. This software has become one of the most widely used tools in the field of SOC and threat hunting.
Overview of Sysmon Capabilities
Sysmon includes the following capabilities:
- Logs process creation with full command line for both current and parent processes.
- Records the hash of process image files using SHA1 (the default), MD5, SHA256 or IMPHASH.
- Multiple hashes can be used at the same time.
- Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
- Includes a session GUID in each event to allow correlation of events on the same logon session.
- Logs loading of drivers or DLLs with their signatures and hashes.
- Logs opens for raw read access of disks and volumes.
- Optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names.
- Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
- Automatically reloads the configuration if it is changed in the registry.
- Rule filtering to include or exclude certain events dynamically.
- Generates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware.
Sysmon – Windows Sysinternals | Microsoft Docs
How to Install Sysmon on a Windows System
There are two ways to install Sysmon, both of which are described in this article.
Install Sysmon via PowerShell
To install Sysmon via PowerShell, run the following commands in the PowerShell environment:
Step 1: Download the Install-Sysmon.ps1 file.
Step 2: Execute the following command:
PS# Install-Sysmon -path C:\Users\example\Desktop
Install Via Executable File
In the second method, we go to the Microsoft site and download Sysmon from there:
 Download Sysmon (3.1 MB)
Note: If you want to download Sysmon for Linux operating system, you must go to Github of this tool.
Download Sysmon for Linux (GitHub)
After downloading Sysmon, we extract it from the ZIP file and run Sysmon.exe from the terminal on 32-bit systems, or Sysmon64.exe on 64-bit systems.
To install Sysmon with the default settings, use the following command:
PS# sysmon -accepteula -i
To install Sysmon with a specific configuration, use the following command and pass the configuration file path after -i (to change the configuration of an already installed Sysmon, pass the path after -c instead):
PS# sysmon -accepteula -i c:\windows\config.xml
To uninstall Sysmon:
PS# sysmon -u
Note: Installing and uninstalling Sysmon requires restarting the system.
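The following script is an added example, not code from the original article or from Sysinternals. It ties together the capabilities listed above (several hash algorithms at once, rule filtering that includes or excludes events, and logging of file creation-time changes) with the installation step: it writes a small configuration file, installs Sysmon with it when Sysmon is not yet present (or updates the running configuration with -c when it is), and then checks that events are arriving in the Sysmon event log. It assumes Sysmon64.exe has been extracted to C:\Tools\Sysmon, that the shell is an elevated PowerShell session, and that the installed binary accepts schema version 4.90 (run Sysmon64.exe -s to print the schema your binary supports).

```powershell
# Added example (not from the original article or from Sysinternals).
# Assumptions: Sysmon64.exe extracted to C:\Tools\Sysmon, elevated PowerShell,
# Sysmon binary that accepts schemaversion 4.90 (check with: Sysmon64.exe -s).

$SysmonDir  = 'C:\Tools\Sysmon'                        # assumed extraction directory
$ConfigPath = Join-Path $SysmonDir 'sysmon-config.xml'  # assumed config file name

# Minimal configuration demonstrating the features described in the article.
$Config = @'
<Sysmon schemaversion="4.90">
  <!-- Multiple hashes at once: MD5 and SHA256 for lookups, IMPHASH for clustering -->
  <HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1 (process create): log everything except one noisy, known-good image -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\conhost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 3 (network connect): only log connections made by scripting hosts -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="end with">powershell.exe</Image>
        <Image condition="end with">wscript.exe</Image>
        <Image condition="end with">cscript.exe</Image>
      </NetworkConnect>
    </RuleGroup>
    <!-- Event ID 2 (file creation time changed): an empty exclude list logs every event -->
    <RuleGroup name="" groupRelation="or">
      <FileCreateTime onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path $ConfigPath -Value $Config -Encoding UTF8

$Sysmon = Join-Path $SysmonDir 'Sysmon64.exe'

# The service is named after the executable, so Sysmon64.exe registers "Sysmon64".
$Installed = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue

if ($null -eq $Installed) {
    # Fresh install: -i with a config path installs the driver and service and loads the rules
    & $Sysmon -accepteula -i $ConfigPath
} else {
    # Already installed: -c replaces the running configuration without reinstalling
    & $Sysmon -c $ConfigPath
}

# Sanity check: count the newest Sysmon events per event ID.
# Event ID 1 should appear almost immediately; 2 and 3 only when matching activity occurs.
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 200 |
    Group-Object Id |
    Sort-Object { [int]$_.Name } |
    Select-Object @{ Name = 'EventId'; Expression = { $_.Name } }, Count
```

The include and exclude rules show the two directions of filtering: an include rule only logs what matches (here, network connections from scripting hosts), while an exclude rule logs everything except what matches (here, all process creations other than conhost.exe). Event ID 2 is left fully enabled because creation-time changes are rare on a healthy system and are the timestomping indicator the capabilities list describes.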