Sysmon

Supercharge your windows event logging.

System Monitor (Sysmon) is a part of the Sysinternals Tools from Microsoft. It extends the Windows Event Logging Service and allows the logging of events like process creates, network connections, file changes, driver loads and many more.

Installation

Download the latest release from https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon).

#provide your own config.xml
sysmon -accepteula -i c:\windows\config.xml

Create your sysmon config

The most important part is to create, tune and maintain your sysmon config. Some good example configs can be found under:

SwiftOnSecurity
Sysmon-Modular

It’s recommended to use a different config at least for your client, servers and dc.

Sysmon

Installation #

Create your sysmon config #

Installation

Create your sysmon config