Sysmon Installation

What is Sysmon?

Sysmon (System Monitor) is a Windows system service that logs system activities like process creation, network connections, and file changes. It provides detailed event logs that help detect malicious activity and security threats.

Why Use Sysmon?

Advanced Logging – Records system activities beyond standard Windows logs.
Security Monitoring – Detects malware, suspicious scripts, and unauthorized access.
Forensic Analysis – Helps in investigating security incidents.
Lightweight & Free – Runs efficiently without slowing down the system.

Install Sysmon

Step 1: Download Sysmon

Open a web browser and visit the Sysmon download page.
Click Download Sysmon.
If using Linux, download it from the official GitHub repository.

Step 2: Download the Configuration File

Go to the sysmon-config.xml GitHub page.
Click Raw, then right-click and choose Save As, name it whatever you want.
You can save it as sysmonconfig.

Step 3: Extract Sysmon

Right-click the downloaded Sysmon ZIP file.
Select Extract All and choose a location.

Step 4: Open PowerShell as Administrator

Click the Windows Start Button.
Type PowerShell, then right-click and select Run as Administrator.
Click Yes to allow changes.

Step 5: Navigate to the Sysmon Directory

In PowerShell, use the cd command to change to the extracted Sysmon folder:
```
cd "C:\Users\YourUser\Downloads\Sysmon"
```

Step 6: Move the Configuration File

Ensure sysmonconfig is inside the same directory as Sysmon64.exe.

Step 7: Install Sysmon with the Configuration

Run the following command in PowerShell:

.\Sysmon64.exe -i sysmonconfig.xml

Accept the license agreement when prompted.

Step 8: Verify Sysmon Installation

1. Check Running Services

Open Run (Win + R), type services.msc, and press Enter.
Look for Sysmon in the list.

2. Check Event Logs

Open Run (Win + R), type eventvwr.msc, and press Enter.

Go to:

Applications and Service Logs > Microsoft > Windows > Sysmon > Operational

If logs appear, Sysmon is working.

3. Check via Command Line

Run this in PowerShell (Admin):

Get-Service Sysmon64

PreviousAutomation Lab - Home Project NextWazuh & TheHive: Installation, Configuration, and Optimization

Last updated 9 months ago

hashtagWhat is Sysmon?

hashtagWhy Use Sysmon?

hashtagInstall Sysmon

hashtagStep 1: Download Sysmon

hashtagStep 2: Download the Configuration File

hashtagStep 3: Extract Sysmon

hashtagStep 4: Open PowerShell as Administrator

hashtagStep 5: Navigate to the Sysmon Directory

hashtagStep 6: Move the Configuration File

hashtagStep 7: Install Sysmon with the Configuration

hashtagStep 8: Verify Sysmon Installation

hashtag1. Check Running Services

hashtag2. Check Event Logs

hashtag3. Check via Command Line