Sysmon
- System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.[1]
- There is also a Sysmon for Linux that provides the same kind of logging on Linux hosts
- It is FREE, but does NOT come pre-installed on Windows
- Super easy to install and use
- Three steps to install:
  - Download it from [here (from Microsoft): Sysmon.zip]
  - Unzip the file
  - Open PowerShell or CMD, CD to the location, and run `sysmon -accepteula -i`
- You can add a configuration file later with `sysmon -c c:\windows\config.xml` [2]
- Events are stored in `Applications and Services Logs/Microsoft/Windows/Sysmon/Operational`
- Customizing Sysmon for your environment is a good idea, and as mentioned before, you can add a config file to the install later.
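As an added example (not part of this note or of Microsoft's Sysmon package), the following PowerShell writes a small config.xml, applies it, and reads the resulting events back from the Operational log. The `schemaversion` value and the excluded/included image names are assumptions for illustration; Sysmon is assumed to be in the current directory and the shell to be elevated.

```powershell
# Added example: minimal Sysmon configuration, applied and verified.
# Assumptions: sysmon.exe is in the current directory, PowerShell is elevated,
# and schemaversion matches the installed build (print the schema with .\sysmon -s).

$configPath = 'C:\Windows\config.xml'   # same path the note uses

$config = @'
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="ProcessCreate" groupRelation="or">
      <!-- Event ID 1: log every process start except two noisy system images (constructed list) -->
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
        <Image condition="is">C:\Windows\System32\conhost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="NetworkConnect" groupRelation="or">
      <!-- Event ID 3: only record network connections made by scripting hosts (constructed list) -->
      <NetworkConnect onmatch="include">
        <Image condition="end with">powershell.exe</Image>
        <Image condition="end with">wscript.exe</Image>
        <Image condition="end with">cscript.exe</Image>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

Set-Content -Path $configPath -Value $config -Encoding ASCII

# Fresh install with the config. On a host where Sysmon is already running,
# use ".\sysmon -c $configPath" instead to swap the configuration in place.
.\sysmon -accepteula -i $configPath

# Read back the five newest process-creation events (Event ID 1) and pull the
# Image field out of each event's EventData so the filter can be checked.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 5 |
  Select-Object TimeCreated, Id, @{ Name = 'Image'; Expression = {
    ([xml]$_.ToXml()).Event.EventData.Data |
      Where-Object { $_.Name -eq 'Image' } |
      Select-Object -ExpandProperty '#text'
  } }
```

If the listing still shows svchost.exe or conhost.exe, the config was not applied; run `.\sysmon -c` with no file argument to print the configuration Sysmon is actually using.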
A Sysmon Event ID Breakdown - Updated to Include 29!! - Black Hills Information Security
Deploying Sysmon through Group Policy (GPO) *Updated scroll down* - Syspanda
GitHub - nsacyber/Event-Forwarding-Guidance: Configuration guidance for implementing collection of security relevant Windows Event Log events by using Windows Event Forwarding. #nsacyber
WEC Server
Windows Event Collector - Win32 apps | Microsoft Learn
Metadata
Sources
Sysmon - Sysinternals | Microsoft Learn
GitHub - SwiftOnSecurity/sysmon-config: Sysmon configuration file template with default high-quality event tracing
GitHub - olafhartong/sysmon-modular: A repository of sysmon configuration modules
Building A Perfect Sysmon Configuration File | CQURE Academy
Sysmon Threat Analysis Guide
Assuming the config file is in C:\Windows\config.xml ↩︎