
Microsoft (Windows) Sysmon

Sysmon

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.

Note that Sysmon does not provide analysis of the events it generates, nor does it attempt to protect or hide itself from attackers.

Please refer to the following Microsoft Sysinternals documentation regarding this tool:

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

Note: Sysmon is a tool that adds incremental insight to existing data collection. Its feature set (or lack thereof) may not suffice as a complete replacement for an EDR agent deployment.

Background

Fluency - NXLog - Sysmon

Fluency collects logs from Windows Servers via the NXLog log collection agent. For Windows systems with NXLog installed and configured, the Sysmon data can be uploaded as a part of the regular log collection. (See the Fluency NXLog Config Wizard plugin for more information on NXLog. Ensure that the Sysmon option is checked when generating the nxlog.conf file.)

Installation

Sysmon installation has two parts:

  1. The first portion is the creation/download of the Sysmon config file.
  2. The second portion is the driver installation via command line, with this Sysmon configuration file.

Download

Installation pkg

Download the installation package from the Microsoft Sysinternals website:

Sysmon installation pkg: https://download.sysinternals.com/files/Sysmon.zip

Configuration file

Fluency does not provide an official configuration file. An example Sysmon configuration file can be downloaded from our AWS repository:

AWS repo: https://s3.amazonaws.com/SecurityDo/public/2024/sysmonconfig.xml

Note that the above file is heavily based on the following free / open-source repository:

https://github.com/olafhartong/sysmon-modular

As this is a free, open-source resource, please validate and test all changes internally prior to deployment in production.

Installation

Download the two required items from your Fluency instance, or from the links above.

Unpack the Sysmon.zip file, and create/copy the installation package folder to the desired location:

C:\Program Files\Sysmon


Copy/move the sysmonconfig.xml file to the same directory:


From the Start Menu, search for and run Command Prompt as Administrator:


Once in the Command Prompt, change the working path to the Sysmon installation folder:

cd "C:\Program Files\Sysmon"


Run the Sysmon executable. (Choose the one that matches the architecture of your system, likely Sysmon64.exe):

Sysmon64.exe -accepteula -i sysmonconfig.xml


Wait for the tool to complete the installation. Sysmon will start automatically:

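The same installation, scripted in PowerShell with the checks a practitioner would want around it: the config file is parsed before it is handed to the driver, the rules are reloaded instead of reinstalled when Sysmon is already present, and the Operational channel is checked for events afterwards. This is an added example, not part of the Fluency documentation or the Sysmon package; it assumes the paths and file names used on this page, a 64-bit host (Sysmon64.exe, service name Sysmon64), and Sysmon's Event ID 16 ("Sysmon config state changed") and Event ID 1 ("Process Create").

```powershell
# Assumed locations, matching the steps on this page.
$SysmonDir = 'C:\Program Files\Sysmon'
$Exe       = Join-Path $SysmonDir 'Sysmon64.exe'
$Config    = Join-Path $SysmonDir 'sysmonconfig.xml'
$Channel   = 'Microsoft-Windows-Sysmon/Operational'

# 1. Sanity-check the configuration before the driver loads it:
#    it must parse as XML and carry a <Sysmon schemaversion="..."> root.
[xml]$xml = Get-Content -Path $Config -Raw          # throws on malformed XML
if (-not $xml.Sysmon -or -not $xml.Sysmon.schemaversion) {
    throw "$Config does not look like a Sysmon configuration (no <Sysmon schemaversion> root)"
}
$ruleGroups = @($xml.Sysmon.EventFiltering.RuleGroup).Count
Write-Host "Config schema $($xml.Sysmon.schemaversion), $ruleGroups rule group(s)"

# 2. Install the driver, or only reload the rules if it is already installed.
$svc = Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    & $Exe -accepteula -i $Config                     # fresh install (same as the manual step)
} else {
    & $Exe -accepteula -c $Config                     # update configuration in place
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon64.exe exited with code $LASTEXITCODE" }

# 3. Confirm the service is running.
$svc = Get-Service -Name Sysmon64
if ($svc.Status -ne 'Running') { throw "Sysmon64 service is $($svc.Status), expected Running" }

# 4. Event ID 16 records which configuration file (and its hash) is active,
#    so it proves that the intended rules, not a stale set, are loaded.
$cfgEvent = Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = 16 } `
                         -MaxEvents 1 -ErrorAction SilentlyContinue
if ($cfgEvent) { Write-Host "Last config change:`n$($cfgEvent.Message)" }

# 5. Process-create events (ID 1) should appear within minutes on any live host;
#    their absence usually means the config filters are excluding everything.
$since  = (Get-Date).AddMinutes(-5)
$recent = Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = 1; StartTime = $since } `
                       -MaxEvents 5 -ErrorAction SilentlyContinue
if (-not $recent) {
    Write-Warning "No process-create events in the last 5 minutes; review the config filters"
} else {
    $recent | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt; NXLog must still be installed separately to forward the channel to Fluency.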

NXLog (Log Forwarder) Installation

Please ensure that a log collection agent, such as NXLog, is also installed on the system. Sysmon is a log generator, and by itself does not export logs.

See: NXLog Installation Guide.

Once the logs are collected, they should show up in Fluency as Windows AD events, under the Channel:

Microsoft-Windows-Sysmon/Operational

Un-install Sysmon

Sysmon can be removed with the following command, run from the Sysmon installation directory:

Sysmon64.exe -accepteula -u


Page last updated: 2024 Oct 01