# Sysmon

I have been having a great time working with the Sysmon tool. Sysmon (System Monitor) plays a crucial role in providing valuable security insight into what is happening on a Windows host. This post covers the steps to install the tool and load a configuration.

## Prerequisites

### Step 1:

Download [Sysmon.zip](https://download.sysinternals.com/files/Sysmon.zip) and extract the archive.

### Step 2:

Inside the extracted folder, save the following as `config.xml`:

```xml
<Sysmon schemaversion="4.82">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>
    <!-- Do not log process termination -->
    <!-- (an include group with no rules matches nothing) -->
    <ProcessTerminate onmatch="include" />
    <!-- Log a network connection if the destination port equals 443 -->
    <!-- or 80, and the process isn't Internet Explorer -->
    <NetworkConnect onmatch="include">
      <DestinationPort>443</DestinationPort>
      <DestinationPort>80</DestinationPort>
    </NetworkConnect>
    <!-- Also log every network connection made by cmd.exe or powershell.exe, -->
    <!-- whatever the port. An "is" rule needs the exact image path; note that -->
    <!-- powershell.exe lives under WindowsPowerShell\v1.0, not directly in System32 -->
    <NetworkConnect onmatch="include">
      <Image condition="is">C:\Windows\System32\cmd.exe</Image>
      <Image condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Image>
    </NetworkConnect>
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">iexplore.exe</Image>
    </NetworkConnect>
    <!-- Log every clipboard change -->
    <!-- (an exclude group with no rules excludes nothing) -->
    <ClipboardChange onmatch="exclude">
    </ClipboardChange>
  </EventFiltering>
</Sysmon>
```
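To see what this configuration will and will not log before deploying it, the following PowerShell script (an added example, not part of the original post) loads the `config.xml` saved above and evaluates a few constructed sample events against its rules. It assumes the include/exclude semantics Sysmon documents: rules inside a group are OR'd, a matching exclude rule always wins, an include group with no rules logs nothing for that event type, and an exclude group with no rules logs everything. Only the conditions used in this config (`is`, `contains`, `end with`, plus `is not` and `begin with`) are implemented, and event types that have no rule group are reported as "Sysmon default applies" rather than guessed.

```powershell
# Added example, not part of the original post: evaluate constructed sample events
# against the config.xml from Step 2 to show which ones Sysmon would log.
param([string]$ConfigPath = '.\config.xml')

[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw

function Test-SysmonRule {
    # Does one rule element (e.g. <Image condition="end with">iexplore.exe</Image>)
    # match the given event? Comparisons are case-insensitive, as in Sysmon.
    param([System.Xml.XmlElement]$Rule, [hashtable]$EventFields)
    $field = $Rule.LocalName
    if (-not $EventFields.ContainsKey($field)) { return $false }
    $actual   = ([string]$EventFields[$field]).ToLowerInvariant()
    $expected = $Rule.InnerText.ToLowerInvariant()
    # A rule with no condition attribute defaults to "is".
    $cond = if ($Rule.HasAttribute('condition')) { $Rule.GetAttribute('condition') } else { 'is' }
    switch ($cond) {
        'is'         { return $actual -eq $expected }
        'is not'     { return $actual -ne $expected }
        'contains'   { return $actual.Contains($expected) }
        'begin with' { return $actual.StartsWith($expected) }
        'end with'   { return $actual.EndsWith($expected) }
        default      { throw "condition '$cond' is not handled by this example" }
    }
}

function Test-SysmonLogged {
    # Returns a short verdict for one event of type $EventType (e.g. NetworkConnect).
    param([string]$EventType, [hashtable]$EventFields)
    $groups = @($config.Sysmon.EventFiltering.ChildNodes | Where-Object { $_.LocalName -eq $EventType })
    if ($groups.Count -eq 0) {
        return 'no rule group in config.xml; Sysmon default for this event type applies'
    }
    $includes = @($groups | Where-Object { $_.onmatch -eq 'include' })
    $excludes = @($groups | Where-Object { $_.onmatch -eq 'exclude' })
    # Exclude rules are checked first: a single match drops the event.
    foreach ($g in $excludes) {
        foreach ($r in @($g.ChildNodes | Where-Object NodeType -eq 'Element')) {
            if (Test-SysmonRule $r $EventFields) {
                return "NOT logged: matched exclude rule $($r.LocalName) '$($r.GetAttribute('condition'))' $($r.InnerText)"
            }
        }
    }
    if ($includes.Count -eq 0) { return 'logged: exclude-only filter and no exclude rule matched' }
    foreach ($g in $includes) {
        foreach ($r in @($g.ChildNodes | Where-Object NodeType -eq 'Element')) {
            if (Test-SysmonRule $r $EventFields) { return "logged: matched include rule $($r.LocalName) $($r.InnerText)" }
        }
    }
    return 'NOT logged: include filter present and no include rule matched'
}

# Constructed sample events; field names are the Sysmon rule names used in config.xml.
$samples = @(
    @{ Type = 'NetworkConnect';   Fields = @{ Image = 'C:\Windows\System32\cmd.exe';                     DestinationPort = '22' } },
    @{ Type = 'NetworkConnect';   Fields = @{ Image = 'C:\Program Files\Internet Explorer\iexplore.exe'; DestinationPort = '443' } },
    @{ Type = 'NetworkConnect';   Fields = @{ Image = 'C:\Tools\example.exe';                            DestinationPort = '443' } },
    @{ Type = 'NetworkConnect';   Fields = @{ Image = 'C:\Tools\example.exe';                            DestinationPort = '8080' } },
    @{ Type = 'DriverLoad';       Fields = @{ Signature = 'Microsoft Windows' } },
    @{ Type = 'DriverLoad';       Fields = @{ Signature = 'Example Vendor Ltd' } },
    @{ Type = 'ProcessTerminate'; Fields = @{ Image = 'C:\Windows\System32\notepad.exe' } },
    @{ Type = 'ClipboardChange';  Fields = @{ Image = 'C:\Windows\explorer.exe' } },
    @{ Type = 'ProcessCreate';    Fields = @{ Image = 'C:\Windows\System32\notepad.exe' } }
)

foreach ($s in $samples) {
    $desc = ($s.Fields.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
    '{0,-16} {1,-72} -> {2}' -f $s.Type, $desc, (Test-SysmonLogged -EventType $s.Type -EventFields $s.Fields)
}
```

Run it from the extracted Sysmon folder (or pass `-ConfigPath`). With the config above, the cmd.exe connection on port 22 is logged by the second include group even though the port is not 443 or 80, the iexplore.exe connection on 443 is dropped by the exclude group, the Microsoft-signed driver is dropped, and no ProcessTerminate event is ever logged. Checking rules this way is cheaper than loading a config and waiting to see which events appear.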

### Step 3:

Install Sysmon by running the following in a terminal opened as administrator: `.\sysmon64.exe -i`. With no configuration file argument, `-i` installs Sysmon with its default configuration; the `config.xml` from Step 2 is loaded in Step 5.

```plaintext
PS C:\Sysmon> .\sysmon64.exe -i

System Monitor v15.15 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2024 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com

Sysmon64 installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon64..
Sysmon64 started.
```

### Step 4:

Verify the installation:

1. Check Services and you should be able to find `Sysmon64` running.
2. Check the Event Viewer --> you should be able to see
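The checks in Step 4, and the `-c` command from Step 5, can be scripted so that the result is a concrete event mix rather than a glance at the Event Viewer. The following PowerShell (an added example, not part of the original post) is meant for an elevated session in the extracted Sysmon folder; it assumes the service and driver names shown in the Step 3 output (`Sysmon64`, `SysmonDrv`), the Sysmon operational log name, and the well-known Sysmon event IDs (1 ProcessCreate, 3 NetworkConnect, 5 ProcessTerminate, 6 DriverLoad, 16 ConfigChange, 24 ClipboardChange).

```powershell
# Added example, not part of the original post: post-install checks for Step 4 and
# Step 5. Run from an elevated PowerShell in the extracted Sysmon folder.
$log = 'Microsoft-Windows-Sysmon/Operational'

# 1. Service and driver state. Sysmon64 is a Win32 service; SysmonDrv is a kernel
#    driver, which Get-Service does not list, so it is read through CIM instead.
Get-Service -Name Sysmon64 | Select-Object Name, Status, StartType
Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name = 'SysmonDrv'" |
    Select-Object Name, State, Started

# 2. Event mix since the configuration was last (re)loaded. Sysmon writes event ID 16
#    each time it applies a configuration, so counting only events newer than the
#    latest ID 16 shows what the active rules actually produce.
$idNames = @{ 1 = 'ProcessCreate'; 3 = 'NetworkConnect'; 4 = 'ServiceStateChange'
              5 = 'ProcessTerminate'; 6 = 'DriverLoad'; 16 = 'ConfigChange'; 24 = 'ClipboardChange' }

$lastConfig = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 16 } -MaxEvents 1 -ErrorAction SilentlyContinue
$filter = @{ LogName = $log }
if ($lastConfig) { $filter.StartTime = $lastConfig.TimeCreated }
$events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 2000 -ErrorAction SilentlyContinue)

$since = if ($lastConfig) { $lastConfig.TimeCreated } else { 'unknown (no ID 16 found)' }
"$($events.Count) events since last config load ($since)"
$events | Group-Object -Property Id | Sort-Object { [int]$_.Name } | ForEach-Object {
    $name = if ($idNames.ContainsKey([int]$_.Name)) { $idNames[[int]$_.Name] } else { 'other' }
    '{0,4}  {1,-18} {2,6}' -f $_.Name, $name, $_.Count
}

# 3. Expectations that follow from the Step 2 config: ProcessTerminate is an empty
#    include group, so no ID 5 should appear, and iexplore.exe is excluded from
#    NetworkConnect, so no ID 3 should name it. ID 5 still arriving after the
#    config load means the running configuration is not the one you think.
$terminates = @($events | Where-Object Id -eq 5).Count
$ieConnects = @($events | Where-Object {
    $_.Id -eq 3 -and $_.Message -match 'Image:\s+.*\\iexplore\.exe'
}).Count
"ProcessTerminate (ID 5) events: $terminates (expected 0 with config.xml loaded)"
"NetworkConnect (ID 3) events from iexplore.exe: $ieConnects (expected 0)"

# 4. Dump the configuration Sysmon is actually enforcing: -c with no file argument
#    prints the current configuration instead of updating it.
& .\Sysmon64.exe -c
```

Until Step 5 has been run, the counts reflect Sysmon's default configuration rather than `config.xml`, which is exactly why the script keys its counts off the latest ID 16 event: re-run it after `-c .\config.xml` and the ID 5 count should drop to zero for the new window.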

### Step 5:

Other commands

To load the `config.xml` from Step 2, or to apply an updated configuration file later, run:

```plaintext
.\Sysmon64.exe -c .\config.xml
```

Output when everything is correct:

```plaintext
System Monitor v15.15 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2024 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com

Loading configuration file with schema version 4.82
Sysmon schema version: 4.90
Configuration file validated.
Configuration updated.
```

### Have Fun!

---

## **Thank You**

If you have read this far, congratulations. Please feel free to share your thoughts in the comments.

---

### Let's Connect

Feel free to connect with me on [**LinkedIn**](https://www.linkedin.com/in/sandeepgokhale/) and [**Twitter**](https://twitter.com/thegokhale) if you have any questions.

Until Next time!
