# Sysmon Installation

### **What is Sysmon?**

* Sysmon (System Monitor) is a Sysinternals tool from Microsoft that installs as a Windows service plus a kernel driver and writes detailed telemetry to the Windows Event Log: process creation (with full command line, parent process and file hashes), network connections, driver and DLL loads, file creation time changes, registry changes, named pipes, WMI activity and more. It does not block anything; it is a logging source whose value comes from forwarding those events to a SIEM and writing detections on them.

### **Why Use Sysmon?**

* **Advanced Logging** – Records fields the standard Security log lacks or only logs with extra auditing enabled, such as command lines, parent-child process relationships and file hashes.
* **Security Monitoring** – Gives detection rules the data they need to spot malware, suspicious scripts (for example encoded PowerShell) and unauthorized access.
* **Forensic Analysis** – Provides a timeline of what ran, what it connected to and what it touched during an incident.
* **Lightweight & Free** – The binary itself is small, but event volume is driven by the configuration: an untuned rule set that logs every network connection or image load can flood the log and the SIEM, so tune the config rather than trusting the default.

## Install Sysmon

### **Step 1: Download Sysmon**

1. Open a web browser and visit the [Sysmon download page](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon).
2. Click **Download Sysmon**. The ZIP contains `Sysmon.exe` (32-bit), `Sysmon64.exe` (64-bit), `Sysmon64a.exe` (ARM64) and the EULA. The executables are Authenticode-signed by Microsoft, so after extracting you can confirm you have a genuine copy (right-click > **Properties** > **Digital Signatures**, or `Get-AuthenticodeSignature` in PowerShell).
3. If using Linux, download Sysmon for Linux from the official [Sysinternals GitHub repository](https://github.com/Sysinternals/SysmonForLinux) instead; the rest of this page covers the Windows install.

### **Step 2: Download the Configuration File**

1. Go to the [sysmon-config.xml GitHub page](https://raw.githubusercontent.com/olafhartong/sysmon-modular/refs/heads/master/sysmonconfig.xml). This is the merged configuration from Olaf Hartong's **sysmon-modular** project, a community-maintained rule set rather than a Microsoft file: it decides what Sysmon records and what it excludes, so review it before deploying it.
2. The link above already points at the raw file, so the browser shows plain XML. Right-click the page and choose **Save As**.<br>

   <figure><img src="/files/VkUW3ZEg77FlZ6F6uGfI" alt=""><figcaption></figcaption></figure>
3. Save it as `sysmonconfig.xml`, the file name used in the install command below, and make sure the browser does not append `.txt` to it.

### **Step 3: Extract Sysmon**

1. Right-click the downloaded **Sysmon ZIP** file.
2. Select **Extract All** and choose a location.<br>

   <figure><img src="/files/5mvWD54YqSFGefokA8Ht" alt=""><figcaption></figcaption></figure>

### **Step 4: Open PowerShell as Administrator**

1. Click the **Windows Start Button**.
2. Type **PowerShell**, then right-click and select **Run as Administrator**.
3. Click **Yes** to allow changes.

### **Step 5: Navigate to the Sysmon Directory**

1. In PowerShell, use the `cd` command to change to the extracted Sysmon folder:

   ```powershell
   cd "C:\Users\YourUser\Downloads\Sysmon"
   ```

### **Step 6: Move the Configuration File**

Ensure `sysmonconfig.xml` is inside the same directory as `Sysmon64.exe` (or pass its full path in the next step).<br>

<figure><img src="/files/RIzgzfCCGkYlwvWC2nPx" alt=""><figcaption></figcaption></figure>

### **Step 7: Install Sysmon with the Configuration**

Run the following command in PowerShell (use `Sysmon.exe` instead on a 32-bit system):

```powershell
.\Sysmon64.exe -i sysmonconfig.xml
```

Accept the license agreement when prompted (adding `-accepteula` to the command skips the prompt, which is what you want for scripted or mass deployment). `-i` installs the driver and the `Sysmon64` service and stores the configuration in the registry; if Sysmon is already installed, use `-c sysmonconfig.xml` to push a new configuration instead.<br>

<figure><img src="/files/Oyuq1MRmTI3m8NTq1omK" alt=""><figcaption></figcaption></figure>
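Steps 1 through 7 above, done unattended from a single elevated PowerShell session. This is an added example, not a script from the original page or from the Sysinternals or sysmon-modular projects. It assumes PowerShell 5.1 or later, outbound HTTPS access, that the Microsoft ZIP URL and the sysmon-modular raw URL are still current, and that the Microsoft Authenticode chain can be validated on this machine (on an offline host `Get-AuthenticodeSignature` may report a status other than `Valid`). It adds two checks the manual steps skip: the signature on `Sysmon64.exe` and a parse of the configuration before it is handed to the driver.

```powershell
# Added example: unattended Sysmon install with integrity checks.
# Not from the original page. Assumes an elevated session, outbound HTTPS,
# and that the two download URLs below are current.
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'

$workDir   = Join-Path $env:USERPROFILE 'Downloads\Sysmon'
$zipPath   = Join-Path $workDir 'Sysmon.zip'
$cfgPath   = Join-Path $workDir 'sysmonconfig.xml'
$sysmonExe = Join-Path $workDir 'Sysmon64.exe'

$zipUrl = 'https://download.sysinternals.com/files/Sysmon.zip'
$cfgUrl = 'https://raw.githubusercontent.com/olafhartong/sysmon-modular/refs/heads/master/sysmonconfig.xml'

New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. Download the Sysmon ZIP and the configuration file.
Invoke-WebRequest -Uri $zipUrl -OutFile $zipPath -UseBasicParsing
Invoke-WebRequest -Uri $cfgUrl -OutFile $cfgPath -UseBasicParsing

# 2. Extract. -Force overwrites files left behind by an earlier run.
Expand-Archive -Path $zipPath -DestinationPath $workDir -Force

# 3. Integrity check: Sysmon64.exe must carry a valid Authenticode signature
#    from Microsoft. A tampered or mirrored binary fails here.
$sig = Get-AuthenticodeSignature -FilePath $sysmonExe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "Signature check failed for $sysmonExe : $($sig.Status) / $($sig.SignerCertificate.Subject)"
}
# Record the hash so the deployed binary can later be matched against
# an allow-list or the file that ends up under %SystemRoot%.
$hash = (Get-FileHash -Path $sysmonExe -Algorithm SHA256).Hash
Write-Host "Sysmon64.exe SHA256: $hash"

# 4. Sanity-check the third-party config before the driver sees it: it must
#    parse as XML and have a <Sysmon schemaversion="..."> root element.
[xml]$cfgXml = Get-Content -Path $cfgPath -Raw
if (-not $cfgXml.Sysmon -or -not $cfgXml.Sysmon.schemaversion) {
    throw "$cfgPath does not look like a Sysmon configuration file"
}
Write-Host "Config schema version: $($cfgXml.Sysmon.schemaversion)"

# 5. Install, or update if the service already exists. -accepteula replaces
#    the EULA click-through; -c pushes a new config into a running install.
$installed  = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
$sysmonArgs = if ($installed) { @('-c', $cfgPath) } else { @('-accepteula', '-i', $cfgPath) }

$proc = Start-Process -FilePath $sysmonExe -ArgumentList $sysmonArgs -Wait -NoNewWindow -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Sysmon64.exe exited with code $($proc.ExitCode)"
}

# 6. Confirm the service is up before reporting success.
$svc = Get-Service -Name 'Sysmon64'
if ($svc.Status -ne 'Running') {
    throw "Sysmon64 service is in state $($svc.Status), expected Running"
}
Write-Host 'Sysmon64 installed and running.'
```

The script is safe to re-run: a second run re-downloads and re-verifies the files and switches from `-i` to `-c`, so it doubles as a configuration-update script when the sysmon-modular rule set changes.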

### **Step 8: Verify Sysmon Installation**

#### **1. Check Running Services**

* Open **Run** (`Win + R`), type `services.msc`, and press **Enter**.
* Look for **Sysmon64** in the list (the service is named **Sysmon** if you installed from the 32-bit `Sysmon.exe`). Its status should be **Running** and startup type **Automatic**.

#### **2. Check Event Logs**

* Open **Run** (`Win + R`), type `eventvwr.msc`, and press **Enter**.
* Go to:

  ```
  Applications and Service Logs > Microsoft > Windows > Sysmon > Operational
  ```
* If logs appear, Sysmon is working.<br>

  <figure><img src="/files/1zf18ht0HyfwzfOIhXW0" alt=""><figcaption></figcaption></figure>

#### **3. Check via Command Line**

Run this in **PowerShell (Admin)**; `Status` should read `Running` (use `Get-Service Sysmon` if you installed from the 32-bit `Sysmon.exe`):<br>

```powershell
Get-Service Sysmon64
```

<figure><img src="/files/jXXQYg1UwN03jYrsC5y8" alt=""><figcaption></figcaption></figure>
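A running service is not proof that telemetry is flowing: the config could exclude everything, or the log could be disabled or full. The following added check (not code from the original page or from Sysinternals) goes further than the three manual checks above: it confirms the operational log is enabled, spawns a known process, looks for the matching Event ID 1 record, parses its fields out of the event XML, and finally dumps the configuration the driver is actually running with. It assumes an elevated session, a 64-bit install (service name `Sysmon64`) and an active config that does not exclude `whoami.exe` from process-creation logging.

```powershell
# Added example: prove Sysmon is producing events, not just that it exists.
# Not from the original page. Assumes an elevated session, service name
# Sysmon64, and a config that logs ProcessCreate for whoami.exe.
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'
$logName = 'Microsoft-Windows-Sysmon/Operational'

# Pull one EventData field out of a Sysmon event by parsing the event XML,
# which is more robust than regexing the rendered Message text.
function Get-SysmonField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Service state.
$svc = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
if (-not $svc) { throw 'Sysmon64 service not found (32-bit install? try -Name Sysmon)' }
Write-Host "Service: $($svc.Name) is $($svc.Status)"

# 2. The operational log must exist and be enabled; RecordCount and size
#    tell you whether it is filling up and how much history you keep.
$log = Get-WinEvent -ListLog $logName
if (-not $log.IsEnabled) { throw "$logName is disabled" }
Write-Host "Log records: $($log.RecordCount), max size: $($log.MaximumSizeInBytes) bytes"

# 3. Trigger a process-creation event we can look for, then query Event ID 1
#    records written since just before the launch.
$since = (Get-Date).AddSeconds(-5)
Start-Process -FilePath 'whoami.exe' -Wait -NoNewWindow
Start-Sleep -Seconds 2   # give the driver a moment to write the event

$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 1; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$hit = $events |
    Where-Object { (Get-SysmonField $_ 'Image') -like '*\whoami.exe' } |
    Select-Object -First 1
if (-not $hit) {
    throw 'No Sysmon Event ID 1 for whoami.exe; check that the config does not exclude it'
}

Write-Host "Event ID 1 captured at $($hit.TimeCreated):"
foreach ($field in 'Image', 'CommandLine', 'ParentImage', 'User', 'Hashes') {
    Write-Host ('  {0,-12} {1}' -f $field, (Get-SysmonField $hit $field))
}

# 4. Dump the configuration the driver is running with (Sysmon -c with no
#    file prints the current config) so it can be diffed against the file
#    you installed. The path comes from the service definition, which is
#    where Sysmon copied its own binary at install time.
$svcImage = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Sysmon64'").PathName
& $svcImage.Trim('"') -c
```

If the `whoami.exe` lookup fails while the service is running, the usual cause is a process-creation exclusion in the rule set; pick another image that the config definitely includes, or re-check the `ProcessCreate` rules in `sysmonconfig.xml`.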

