Whoami
  • Welcome
  • Home Lab: C2 Detection, Ransomware Defense & YARA Automation
    • SOC Lab – What is this Lab about ?
    • Part 1 - Setting Up the Environment
    • Part 2 - Detecting C2 Activity
    • Part 3 - Credential Dumping & Threat Detection
    • Part 4 - Blocking Ransomware
    • Part 5 - Reducing False Positives
    • Part 6 - Automated YARA Scanning
  • Automation Lab - Home Project
    • Sysmon Installation
    • Wazuh & TheHive: Installation, Configuration, and Optimization
    • Tracking Mimikatz Activity with Wazuh & Sysmon Logs
    • End-to-End Alert Automation: Wazuh → Shuffle → TheHive
Powered by GitBook
On this page
  • What is Sysmon?
  • Why Use Sysmon?
  • Install Sysmon
  • Step 1: Download Sysmon
  • Step 2: Download the Configuration File
  • Step 3: Extract Sysmon
  • Step 4: Open PowerShell as Administrator
  • Step 5: Navigate to the Sysmon Directory
  • Step 6: Move the Configuration File
  • Step 7: Install Sysmon with the Configuration
  • Step 8: Verify Sysmon Installation
  1. Automation Lab - Home Project

Sysmon Installation

PreviousAutomation Lab - Home ProjectNextWazuh & TheHive: Installation, Configuration, and Optimization

Last updated 14 days ago

What is Sysmon?

  • Sysmon (System Monitor) is a Windows system service that logs system activities like process creation, network connections, and file changes. It provides detailed event logs that help detect malicious activity and security threats.

Why Use Sysmon?

  • Advanced Logging – Records system activities beyond standard Windows logs.

  • Security Monitoring – Detects malware, suspicious scripts, and unauthorized access.

  • Forensic Analysis – Helps in investigating security incidents.

  • Lightweight & Free – Runs efficiently without slowing down the system.

Install Sysmon

Step 1: Download Sysmon

  1. Open a web browser and visit the .

  2. Click Download Sysmon.

  3. If using Linux, download it from the official GitHub repository.

Step 2: Download the Configuration File

  1. Go to the .

  2. Click Raw, then right-click and choose Save As, name it whatever you want.

  3. You can save it as sysmonconfig.

Step 3: Extract Sysmon

  1. Right-click the downloaded Sysmon ZIP file.

  2. Select Extract All and choose a location.

Step 4: Open PowerShell as Administrator

  1. Click the Windows Start Button.

  2. Type PowerShell, then right-click and select Run as Administrator.

  3. Click Yes to allow changes.

Step 5: Navigate to the Sysmon Directory

  1. In PowerShell, use the cd command to change to the extracted Sysmon folder:

    cd "C:\Users\YourUser\Downloads\Sysmon"

Step 6: Move the Configuration File

Ensure sysmonconfig is inside the same directory as Sysmon64.exe.

Step 7: Install Sysmon with the Configuration

Run the following command in PowerShell:

.\Sysmon64.exe -i sysmonconfig.xml

Accept the license agreement when prompted.

Step 8: Verify Sysmon Installation

1. Check Running Services

  • Open Run (Win + R), type services.msc, and press Enter.

  • Look for Sysmon in the list.

2. Check Event Logs

  • Open Run (Win + R), type eventvwr.msc, and press Enter.

  • Go to:

    Applications and Service Logs > Microsoft > Windows > Sysmon > Operational

  • If logs appear, Sysmon is working.

3. Check via Command Line

Run this in PowerShell (Admin): 

Get-Service Sysmon64

Sysmon download page
sysmon-config.xml GitHub page