At Blumira, we feel very strongly about the benefits of Sysmon. Enabling Sysmon is one of the first and most common recommendations we make to our customers. In fact, our new Poshim PowerShell agent that simplifies Windows log collection installs it by default — that’s how important we believe Sysmon is for visibility.
Sysmon (short for System Monitor) is part of the Sysinternals software package developed by Mark Russinovich, a set of free tools intended to troubleshoot, diagnose, manage and monitor Windows environments.
The Sysinternals suite is now owned by Microsoft. Sysmon enriches the standard Windows logs by adding higher-level monitoring of events such as process creation, network connections and changes to the file system.
How much do we love Sysmon? Let us count the ways…
By default, Windows logging capabilities via Event Viewer are pretty limited. If you have a file server you can do more with Windows logging, like auditing file shares. And if you’re really advanced, you can set special ACLs (access control lists) on Hive files to detect when a threat actor tries to access your shadow copies.
Generally, however, Windows Event Viewer is clunky and difficult to work with. And it can’t provide real visibility into the processes within your machines. That’s where Sysmon comes in; it gives you that information and the ability to see the network connections happening within your environment. It produces a higher level of monitoring into certain events like process creation, network connections, and changes that might be happening to the file system.
Contrary to what cyber attackers want you to think, there are a finite number of ways to attack a machine. Sysmon, together with PowerShell transcription and command line logging, provides enough visibility to detect any threat that gets dropped into a new environment, because it gives you broad process and memory visibility.
Sysmon doesn’t just tell you which processes are being run, but also: When did those processes end? Which executable or binary is actually running? What is its hash? All of that information makes it easy to see if malicious code is trying to hide itself or mimic a legitimate program like PowerShell. With Sysmon, you can even capture all deleted .exe files to determine if there is an attacker in your environment trying to hide their tracks.
Sysmon can also help detect ransomware-related exfiltration by flagging rclone, one of the few tools that threat actors use to exfiltrate data.
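The two paragraphs above describe what Sysmon records (process start and end, the executable and its hash, deleted executables) and one thing to look for in it (rclone). The script below is an added example, not Blumira's code or part of Sysmon; it parses a handful of constructed Sysmon events (IDs 1, 5 and 23, in Sysmon's Event XML shape, with placeholder GUIDs and hashes) and applies three small defender rules: a file named powershell.exe whose PE metadata says it is something else, rclone running under any file name, and an executable deleted right after a process ran from it. Field names are the ones Sysmon emits; the sample values and rule thresholds are assumptions made for the demonstration.

```python
"""Added example: a small detection pass over constructed Sysmon events."""
import xml.etree.ElementTree as ET
from datetime import datetime
from pathlib import PureWindowsPath

# Namespace Sysmon (and every Windows event) uses in its Event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(event_id, **fields):
    """Build one constructed Sysmon-style event (sample data, not real telemetry)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


# Constructed samples: GUIDs and hashes are placeholders.
SAMPLE_EVENTS = [
    # ID 1: genuine PowerShell, file name and OriginalFileName agree.
    _event(1, UtcTime="2024-01-01 10:00:00.000", ProcessGuid="{guid-1}",
           Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           OriginalFileName="PowerShell.EXE", Hashes="SHA256=placeholder-1"),
    # ID 1: a binary named powershell.exe whose PE metadata says otherwise.
    _event(1, UtcTime="2024-01-01 10:00:05.000", ProcessGuid="{guid-2}",
           Image=r"C:\Users\Public\powershell.exe",
           OriginalFileName="svc.exe", Hashes="SHA256=placeholder-2"),
    # ID 1: rclone renamed to update.exe; OriginalFileName still says rclone.
    _event(1, UtcTime="2024-01-01 10:01:00.000", ProcessGuid="{guid-3}",
           Image=r"C:\Temp\update.exe",
           OriginalFileName="rclone.exe", Hashes="SHA256=placeholder-3"),
    # ID 5: that process ends 150 seconds later.
    _event(5, UtcTime="2024-01-01 10:03:30.000", ProcessGuid="{guid-3}",
           Image=r"C:\Temp\update.exe"),
    # ID 23: the executable is deleted one second after it exits.
    _event(23, UtcTime="2024-01-01 10:03:31.000", ProcessGuid="{guid-4}",
           Image=r"C:\Windows\System32\cmd.exe",
           TargetFilename=r"C:\Temp\update.exe", IsExecutable="true"),
]


def parse_event(xml_text):
    """Flatten one Sysmon event into {'EventID': int, <Data Name>: value, ...}."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _utc(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def analyze(events):
    """Return {'alerts': [(rule, detail), ...], 'lifetimes': {ProcessGuid: seconds}}."""
    alerts, lifetimes = [], {}
    started = {}  # ProcessGuid -> its ID 1 event, for ID 5 / ID 23 correlation
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            started[ev["ProcessGuid"]] = ev
            image = _basename(ev["Image"])
            original = ev.get("OriginalFileName", "").lower()
            # Rule 1: named like PowerShell, but the PE's OriginalFileName disagrees.
            if image == "powershell.exe" and original != "powershell.exe":
                alerts.append(("masquerade",
                               f"{ev['Image']} has OriginalFileName {original!r}"))
            # Rule 2: rclone keeps its OriginalFileName even when the file is renamed.
            if original == "rclone.exe":
                alerts.append(("rclone", f"{ev['Image']} is rclone by OriginalFileName"))
        elif eid == 5:
            start = started.get(ev["ProcessGuid"])
            if start:  # answer "when did that process end?" from ID 1 + ID 5
                lifetimes[ev["ProcessGuid"]] = (
                    _utc(ev["UtcTime"]) - _utc(start["UtcTime"])).total_seconds()
        elif eid == 23 and ev.get("IsExecutable", "").lower() == "true":
            # Rule 3: an executable we saw run is now being deleted.
            for start in started.values():
                if start["Image"].lower() == ev["TargetFilename"].lower():
                    alerts.append(("deleted-after-run",
                                   f"{ev['TargetFilename']} deleted by {ev['Image']}"))
    return {"alerts": alerts, "lifetimes": lifetimes}


def run_sample():
    """Run the rules over the constructed events above."""
    return analyze([parse_event(x) for x in SAMPLE_EVENTS])


if __name__ == "__main__":
    for rule, detail in run_sample()["alerts"]:
        print(f"[{rule}] {detail}")
```

Against real data you would feed `parse_event` the XML from `Get-WinEvent` (or whatever ships the Microsoft-Windows-Sysmon/Operational log to your SIEM) and keep a per-host `started` table across batches; the point of rules 1 and 2 is that OriginalFileName and Hashes come from the file itself, so renaming the binary does not defeat them.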
Obviously no one wants to get hit with a cyberattack, but what’s worse is getting hit with a cyberattack and not knowing what happened, or not knowing whether something else malicious occurred. In those cases, you’d have to look through your entire Active Directory and just hope that you find any other compromised user.
It’s much easier to collect that data with Sysmon. Even if you have zero detections for it, you will be able to walk back and understand exactly what happened during an incident. Sysmon gives you deep visibility into every OS that’s running in your environment, so you’ll be able to say with high confidence that you know what your environment is doing, because you have all of the logs for it. Put simply: Sysmon will save your sanity during the IR process.
Sysmon can provide broad visibility across your environment in a variety of ways, and in that sense it essentially mimics what EDR is trying to do. However, you can often get much better fidelity and detections by looking into Sysmon data. Oftentimes Sysmon detects behaviors even before an endpoint detection and response (EDR) tool will.
That’s not to say that Sysmon is a viable replacement for robust EDR software: although Sysmon is excellent at detecting behaviors, it doesn’t help with the response component of EDR. Sysmon also assumes that you have the capability to centralize your logs.
For small IT and security teams that don’t have the budget or resources to deploy EDR, however, enabling Sysmon is certainly better than nothing.
Sysmon is extremely easy to install and deploy. Following just three steps will turn on an incredible amount of logging.
The security team at Blumira has released a script, PowerShell Shim (PoShim), that automates Sysmon deployment even further, requiring only a one-liner command. PoShim handles the installation and configuration of both NXLog and Sysmon to ship Sysmon logs to a target IP address. It will automatically pull down the needed binaries, install them, and properly configure them to ensure you are getting the most visibility possible for each machine, since each configuration is built for that specific machine.
The only potential drawback of using Sysmon is that it generates more data. If you’re sending Sysmon logs to a security information and event management (SIEM) platform that charges based on log volume, you will have to pay more, even though Sysmon itself is free. If that’s the case, you’ll have to decide whether the extra visibility is worth the additional volume of log data.
Layering a centralized logging solution like Blumira with Sysmon gives you even deeper visibility into your environment. At Blumira, we offer a pricing model that’s very simple (per user), which means that you can ingest as much data as you want and you won’t get charged more.
Sysmon is a perfect fit for Blumira customers because getting more visibility into your Windows environment is truly free.