
Sysmon Installation


Last updated 2 months ago

What is Sysmon?

  • Sysmon (System Monitor) is a Windows system service that logs system activities like process creation, network connections, and file changes. It provides detailed event logs that help detect malicious activity and security threats.

Why Use Sysmon?

  • Advanced Logging – Records system activities beyond standard Windows logs.

  • Security Monitoring – Detects malware, suspicious scripts, and unauthorized access.

  • Forensic Analysis – Helps in investigating security incidents.

  • Lightweight & Free – Runs efficiently without slowing down the system.

Install Sysmon

Step 1: Download Sysmon

  1. Open a web browser and visit the Sysmon download page on Microsoft Sysinternals.

  2. Click Download Sysmon.

  3. If using Linux, download it from the official GitHub repository.

Step 2: Download the Configuration File

  1. Go to the sysmon-config.xml GitHub page.

  2. Click Raw, then right-click the page and choose Save As. You can give the file any name.

  3. The steps below assume you saved it as sysmonconfig.xml, so use that name unless you adjust the later commands.

Step 3: Extract Sysmon

  1. Right-click the downloaded Sysmon ZIP file.

  2. Select Extract All and choose a location.

Step 4: Open PowerShell as Administrator

  1. Click the Windows Start Button.

  2. Type PowerShell, then right-click and select Run as Administrator.

  3. Click Yes to allow changes.

Step 5: Navigate to the Sysmon Directory

  1. In PowerShell, use the cd command to change to the extracted Sysmon folder:

    cd "C:\Users\YourUser\Downloads\Sysmon"

Step 6: Move the Configuration File

Ensure sysmonconfig.xml is inside the same directory as Sysmon64.exe (the extracted Sysmon folder from Step 5).

Step 7: Install Sysmon with the Configuration

Run the following command in PowerShell:

.\Sysmon64.exe -i sysmonconfig.xml

Accept the license agreement when prompted.

Step 8: Verify Sysmon Installation

1. Check Running Services

  • Open Run (Win + R), type services.msc, and press Enter.

  • Look for Sysmon in the list.

2. Check Event Logs

  • Open Run (Win + R), type eventvwr.msc, and press Enter.

  • Go to:

    Applications and Services Logs > Microsoft > Windows > Sysmon > Operational

  • If events appear in the Operational log, Sysmon is working.

3. Check via Command Line

Run this in PowerShell (Admin); the service should report a Status of Running:

Get-Service Sysmon64
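The checks in Step 8 can be combined into one script. This is an added example, not part of the original page: it assumes the default 64-bit service name Sysmon64, the driver service name SysmonDrv, and the standard Operational log name, and it should be run from an elevated PowerShell session after Step 7.

```powershell
# Added example: verify that Sysmon was installed and is producing telemetry.
# Assumptions: service name Sysmon64 (64-bit install), driver SysmonDrv,
# log name Microsoft-Windows-Sysmon/Operational. Run as Administrator.

$serviceName = 'Sysmon64'
$logName     = 'Microsoft-Windows-Sysmon/Operational'

# Common Sysmon event IDs, used only to label the summary below.
$eventNames = @{
    1 = 'ProcessCreate'; 3 = 'NetworkConnect'; 5 = 'ProcessTerminate'
    7 = 'ImageLoad';     8 = 'CreateRemoteThread'; 10 = 'ProcessAccess'
    11 = 'FileCreate';   12 = 'RegistryAddDelete'; 13 = 'RegistrySetValue'
    22 = 'DnsQuery'
}

# 1. The user-mode service must exist and be running.
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if (-not $svc) { Write-Warning "Service $serviceName not found; re-run the install step."; return }
if ($svc.Status -ne 'Running') { Write-Warning "$serviceName is $($svc.Status), expected Running" }
else { Write-Host "[OK] $serviceName is running" }

# 2. The kernel driver collects the events; if it is missing, the log stays empty.
$drv = Get-Service -Name 'SysmonDrv' -ErrorAction SilentlyContinue
if ($drv -and $drv.Status -eq 'Running') { Write-Host "[OK] SysmonDrv driver is running" }
else { Write-Warning "SysmonDrv driver not running" }

# 3. The Operational log must exist and be enabled.
$log = Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue
if (-not $log -or -not $log.IsEnabled) { Write-Warning "Log $logName missing or disabled"; return }
Write-Host "[OK] $logName enabled, $($log.RecordCount) records so far"

# 4. Summarise events from the last hour per event ID. A working install with the
#    sysmon-config ruleset should at least show ID 1 (ProcessCreate) entries.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object Id |
    Sort-Object { [int]$_.Name } |
    Select-Object @{ n = 'EventId'; e = { [int]$_.Name } },
                  @{ n = 'Name';    e = { $eventNames[[int]$_.Name] } },
                  Count |
    Format-Table -AutoSize
```

If the summary table is empty while the service and driver are running, compare the active ruleset with the file you installed using `.\Sysmon64.exe -c`, which prints the configuration currently loaded.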
