Sysmon Installation & Configuration Guide
A comprehensive guide to installing, configuring, and optimizing System Monitor (Sysmon) for advanced endpoint visibility, threat detection, and incident response on Windows systems.
Coming Soon: Microsoft has announced that native Sysmon functionality will be integrated directly into Windows 11 and Windows Server 2025, eliminating the need for separate installation. Until then, follow this guide for manual deployment.
What Is Sysmon
System Monitor (Sysmon) is a Windows system service and device driver developed by Microsoft Sysinternals that monitors and logs system activity to the Windows event log. Unlike native Windows Security auditing, Sysmon provides deep visibility into process creation, network connections, file operations, registry modifications, and other activities that are essential for detecting advanced threats and conducting forensic investigations.
Once installed, Sysmon remains resident across system reboots, starting automatically as a Windows service. It operates at the kernel level through a device driver, allowing it to capture low-level system activity that user-mode applications cannot access. The telemetry Sysmon generates is invaluable for Security Operations Centers (SOCs), threat hunters, and incident responders who need granular endpoint visibility.
Sysmon is free, widely adopted in enterprise environments, and has become a foundational component of endpoint detection and response (EDR) strategies. Its events map directly to MITRE ATT&CK techniques, making it an essential data source for detection engineering and threat hunting programs.
Why Use Sysmon
Native Windows Security auditing, while valuable, has significant gaps in visibility. Sysmon fills these gaps by providing telemetry that Windows does not natively generate, enabling detection of sophisticated attack techniques that would otherwise go unnoticed.
Enhanced Process Visibility
Sysmon Event 1 provides richer process creation data than Windows Event 4688, including process GUID for correlation, full command line, file hashes, parent process information, and original file name even when binaries are renamed.
Network Connection Tracking
Windows Security events do not log outbound network connections. Sysmon Event 3 captures TCP/UDP connections with source and destination IPs, ports, and the responsible process. Essential for detecting command-and-control (C2) traffic.
DNS Query Logging
Sysmon Event 22 logs DNS queries with the querying process, enabling detection of DNS-based C2, data exfiltration, and malicious domain lookups. This capability is not available in native Windows logging.
Process Memory Access
Sysmon Event 10 detects when one process accesses another process's memory, critical for identifying credential dumping tools like Mimikatz that read LSASS memory to extract passwords.
File Creation Monitoring
Sysmon Event 11 logs file creation in specified directories, detecting malware drops, script creation, and suspicious file writes. Event 23 captures file deletions for anti-forensics detection.
Image (DLL) Loading
Sysmon Event 7 tracks DLL loads, enabling detection of DLL side-loading, DLL injection, and malicious library loading. Essential for identifying living-off-the-land attacks that abuse legitimate processes.
Key Advantage: Sysmon events include Process GUIDs that remain consistent across events, enabling correlation of related activities. If a malicious process creates a file, makes network connections, and spawns child processes, all these events share the same Process GUID, simplifying investigation.
Sysmon Event Types
Sysmon generates 29 distinct event types, each capturing different system activities. Understanding these events is essential for effective configuration and detection rule development.
Process Creation
Logs detailed process creation including command line, hashes, parent process, user, and integrity level. The most valuable event for detecting malware and suspicious command execution.
Network Connection
Captures TCP/UDP connections with source/destination IPs, ports, hostnames, and the initiating process. Critical for C2 detection, data exfiltration monitoring, and lateral movement identification.
Image Loaded
Records when a module (DLL, driver) is loaded into a process. Detects DLL injection, side-loading, and malicious library loading. High volume event that requires careful filtering.
Process Access
Logs when a process opens another process with specific access rights. Essential for detecting credential dumping (LSASS access), process injection, and memory manipulation.
File Created
Records file creation events in monitored directories. Use for detecting malware drops, script file creation, and suspicious writes to startup folders or system directories.
DNS Query
Captures DNS resolution requests with the querying process. Enables detection of DNS tunneling, domain generation algorithms (DGAs), and malicious domain lookups.
File Delete
Logs file deletion events with option to archive deleted files. Useful for detecting anti-forensics activity, evidence destruction, and ransomware behavior.
Additional Sysmon Events:
Event 2 (File creation time changed), Event 4 (Service state changed), Event 5 (Process terminated), Event 6 (Driver loaded), Event 8 (CreateRemoteThread), Event 9 (RawAccessRead), Event 15 (FileCreateStreamHash), Event 16 (ServiceConfigurationChange), Event 17/18 (Pipe created/connected), Event 19-21 (WMI events), Event 24 (Clipboard change), Event 25 (Process tampering), Event 26 (File delete detected), Event 27 (File block executable), Event 28/29 (File block shredding)
System Requirements
Sysmon is designed to run on a wide range of Windows systems with minimal resource overhead. Understanding requirements ensures successful deployment across your environment.
| Requirement | Specification |
|---|---|
| Operating System | Windows 7 / Windows Server 2008 R2 and later (x86 and x64) |
| Privileges | Administrator rights required for installation and configuration |
| Memory Overhead | Minimal (typically 10-50 MB depending on configuration verbosity) |
| CPU Impact | Low (1-3% on average systems; higher during intense activity) |
| Disk Space | Binary: ~2 MB; Log space varies by configuration and activity |
| Dependencies | None (standalone utility with no external dependencies) |
Performance Note: Sysmon's resource usage scales with system activity and configuration verbosity. High-volume servers (domain controllers, file servers) may require tuning to exclude noisy but benign events. Always test configuration in a staging environment before production deployment.
Installation
Sysmon installation is straightforward using the command-line interface. Download the latest version from the official Microsoft Sysinternals website to ensure you have current capabilities and security updates.
Step 1: Download Sysmon
Download Sysmon from the official Microsoft Sysinternals page:
Official Download URL:
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmonStep 2: Extract and Install
Extract the downloaded archive and run installation from an elevated command prompt. The archive contains both 32-bit (Sysmon.exe) and 64-bit (Sysmon64.exe) versions.
# Basic installation with default configuration
sysmon64 -accepteula -i
# Installation with custom configuration file
sysmon64 -accepteula -i sysmonconfig.xml
# Update existing configuration
sysmon64 -c sysmonconfig.xml
# View current configuration schema
sysmon64 -s
# Uninstall Sysmon
sysmon64 -u
Installation Command Options
| Option | Description |
|---|---|
| -i [config] | Install service and driver, optionally with configuration file |
| -c [config] | Update configuration of installed Sysmon, or print current config if no file specified |
| -u [force] | Uninstall service and driver; use 'force' to remove even if removal fails |
| -accepteula | Automatically accept the license agreement (required for silent installation) |
| -h [algorithm] | Specify hash algorithms (MD5, SHA1, SHA256, IMPHASH, or *) |
| -n [name] | Log network connections; optionally specify process name filter |
| -l | Log module (DLL) loading events |
| -s | Print the configuration schema definition |
Configuration Basics
Sysmon is configured using XML files that define which events to log and filtering rules. Proper configuration is essential for balancing visibility with manageable log volume. Running Sysmon without a configuration file uses default settings that generate minimal useful data.
Configuration Structure
A Sysmon configuration file consists of a root <Sysmon> element containing event filtering rules organized by event type.
<Sysmon schemaversion="4.90">
<!-- Hash algorithms for file hashing -->
<HashAlgorithms>SHA256,IMPHASH</HashAlgorithms>
<!-- Archive directory for deleted files (optional) -->
<ArchiveDirectory>C:\Sysmon\Archive</ArchiveDirectory>
<EventFiltering>
<!-- Process Creation - Log all except excluded -->
<ProcessCreate onmatch="exclude">
<Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
<Image condition="end with">\Windows\System32\svchost.exe</Image>
</ProcessCreate>
<!-- Network Connection - Include specific only -->
<NetworkConnect onmatch="include">
<DestinationPort condition="is">443</DestinationPort>
<DestinationPort condition="is">80</DestinationPort>
</NetworkConnect>
<!-- File Creation - Monitor specific directories -->
<FileCreate onmatch="include">
<TargetFilename condition="begin with">C:\Users</TargetFilename>
<TargetFilename condition="contains">\Downloads\</TargetFilename>
</FileCreate>
</EventFiltering>
</Sysmon>Filtering Logic
Sysmon supports two filtering modes for each event type: include and exclude.
onmatch="include"
Only log events that match at least one rule. Use when you want to capture specific activities from known locations or processes. Events that do not match any rule are not logged.
onmatch="exclude"
Log all events except those matching rules. Use when you want broad visibility but need to filter known benign noise. Events matching any rule are not logged.
Condition Operators
| Condition | Description | Example |
|---|---|---|
| is | Exact match (case insensitive) | condition="is">cmd.exe |
| is not | Does not exactly match | condition="is not">svchost.exe |
| contains | Contains substring | condition="contains">\\Temp\\ |
| begin with | Starts with string | condition="begin with">C:\\Windows |
| end with | Ends with string | condition="end with">.exe |
| image | Matches any path portion | condition="image">explorer.exe |
| less than / more than | Numeric comparison | condition="less than">1024 |
Configuration Templates
Creating a comprehensive Sysmon configuration from scratch is time-consuming and error-prone. The security community has developed extensively tested configuration templates that provide excellent detection coverage while managing log volume.
SwiftOnSecurity Sysmon Config
The most widely adopted Sysmon configuration template. Provides high-quality default event tracing with extensive documentation. Excellent starting point for organizations new to Sysmon. Maintained actively with community contributions.
github.com/SwiftOnSecurity/sysmon-configSysmon Modular (Olaf Hartong)
A modular approach to Sysmon configuration that allows enabling/disabling specific detection modules. More comprehensive than SwiftOnSecurity with additional detection capabilities. Excellent for mature security teams wanting granular control.
github.com/olafhartong/sysmon-modularFlorian Roth's Config
A comprehensive configuration focused on detecting known attack techniques. Includes rules aligned with threat intelligence and MITRE ATT&CK framework. Good for organizations prioritizing threat detection over operational monitoring.
github.com/Neo23x0/sysmon-configRecommendation: Start with the SwiftOnSecurity configuration for initial deployment. After observing your environment's behavior for 1-2 weeks, tune exclusions for noisy benign events and consider adding rules from sysmon-modular for enhanced detection.
Tuning and Filtering
Effective Sysmon deployment requires balancing detection coverage with manageable data volume. Without proper tuning, Sysmon can generate excessive noise that overwhelms SIEM platforms and obscures real threats. Follow these strategies for optimal configuration.
High-Volume Events to Filter
Certain events generate significant volume in typical environments. Implement careful exclusions while preserving detection capability:
Event 7 (Image Loaded)
Extremely high volume. Exclude system DLLs, antivirus, and known software. Include only unsigned DLLs, DLLs from suspicious paths (Temp, AppData), or specific threat-related libraries.
Event 3 (Network Connection)
High volume on servers. Exclude known legitimate services (browsers to trusted domains, backup software, update services). Focus on unusual ports, unexpected processes making connections, and internal lateral movement.
Environment-Specific Tuning
Antivirus/EDR Exclusions
Security software generates substantial event volume. Exclude known AV/EDR processes from process creation and image loading events. Document all exclusions for security review.
Development Environments
Developer workstations compile code frequently, triggering massive process creation events. Consider separate, less verbose configurations for development systems.
Domain Controllers
DCs have unique activity patterns. Tune for LDAP, Kerberos, and replication traffic while maintaining high visibility for administrative actions and authentication anomalies.
Warning: Every exclusion is a potential blind spot. Attackers can hide in exclusions by naming malware after excluded processes or operating from excluded paths. Regularly audit exclusions and limit them to truly necessary cases.
Enterprise Deployment
Deploying Sysmon across an enterprise requires centralized management for installation, configuration updates, and monitoring. Use existing management infrastructure for consistent deployment.
Group Policy Deployment
Use Group Policy preferences or startup scripts to deploy Sysmon across domain-joined systems:
# Example deployment script (deploy-sysmon.bat)
@echo off
set SYSMON_PATH=\\domain.local\SYSVOL\domain.local\scripts\Sysmon
set CONFIG_PATH=\\domain.local\SYSVOL\domain.local\scripts\Sysmon\sysmonconfig.xml
:: Check if Sysmon is already installed
sc query Sysmon64 >nul 2>&1
if %ERRORLEVEL% EQU 0 (
:: Update configuration if already installed
"%SYSMON_PATH%\Sysmon64.exe" -c "%CONFIG_PATH%"
) else (
:: Fresh installation
"%SYSMON_PATH%\Sysmon64.exe" -accepteula -i "%CONFIG_PATH%"
)Microsoft Endpoint Configuration Manager (SCCM/MECM)
Create an application or package deployment for granular control over Sysmon installation across your environment. Use compliance settings to verify Sysmon is running and configuration is current.
Configuration Version Control
-c configfile.xml /signature)Viewing Sysmon Logs
Sysmon writes events to a dedicated event log channel. Events can be viewed locally with Event Viewer or collected centrally using your SIEM platform.
Event Log Location
Event Viewer Path:
Applications and Services Logs → Microsoft → Windows → Sysmon → Operational
PowerShell Query:
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 50
Command-Line Log Access
# View recent Sysmon events
wevtutil qe Microsoft-Windows-Sysmon/Operational /c:10 /f:text
# Export Sysmon logs to file
wevtutil epl Microsoft-Windows-Sysmon/Operational C:\Logs\sysmon_export.evtx
# Clear Sysmon log (requires admin)
wevtutil cl Microsoft-Windows-Sysmon/Operational
Log Size Configuration
The default Sysmon log size is often insufficient for busy systems. Increase the maximum log size to retain more events locally:
# Set Sysmon log to 1GB maximum size
wevtutil sl Microsoft-Windows-Sysmon/Operational /ms:1073741824
Detection Strategies with Sysmon
Sysmon events map directly to MITRE ATT&CK techniques, enabling detection of sophisticated attack patterns. The following strategies leverage Sysmon telemetry for high-fidelity threat detection.
Credential Dumping Detection
Monitor Event 10 (ProcessAccess) for processes accessing LSASS memory. Alert on any process other than known security software accessing LSASS.exe with memory read permissions.
MITRE ATT&CK: T1003.001 (OS Credential Dumping: LSASS Memory)
Living-off-the-Land Binary Detection
Use Event 1 (ProcessCreate) to detect abuse of legitimate Windows binaries. Alert on unusual parent-child process relationships, suspicious command-line arguments to certutil, mshta, regsvr32, rundll32, and other LOLBins.
MITRE ATT&CK: T1218 (System Binary Proxy Execution)
Command-and-Control Detection
Correlate Event 3 (NetworkConnect) with Event 22 (DNSQuery) to identify suspicious outbound connections. Look for beaconing patterns, connections to rare domains, and processes making unexpected network calls.
MITRE ATT&CK: T1071 (Application Layer Protocol)
Detection Engineering Tip: Start with high-fidelity detections that generate few false positives. Event 10 targeting LSASS, Event 8 for remote thread creation, and suspicious parent-child process combinations are excellent starting points. Gradually add more comprehensive rules as you understand your environment's baseline.
Troubleshooting
Sysmon Service Not Starting
- Verify administrator privileges during installation
- Check for conflicting security software blocking driver installation
- Review Windows Event Log for service startup errors
- Try uninstalling (
sysmon64 -u force) and reinstalling
Events Not Being Logged
- Verify configuration file syntax:
sysmon64 -cto print current config - Check that the event type is not excluded in configuration
- Ensure Sysmon service is running:
sc query Sysmon64 - Verify schema version matches your Sysmon version
High System Resource Usage
- Review configuration for overly verbose event types (Event 7, 12-14)
- Add exclusions for known high-volume benign processes
- Use
includerules instead ofexcludefor high-volume event types - Consider separate configurations for different system roles
Configuration Not Applying
- Verify XML syntax is valid (no unclosed tags, proper nesting)
- Check schema version in config matches Sysmon version
- Run configuration update as administrator:
sysmon64 -c config.xml - Verify file path is correct and accessible
Official Resources
Related Guides
Explore Sysmon Events
Browse our database of 29 Sysmon event types with detailed explanations, detection strategies, and MITRE ATT&CK mappings to build effective detection rules.