Back to Home

Sysmon Installation & Configuration Guide

A comprehensive guide to installing, configuring, and optimizing System Monitor (Sysmon) for advanced endpoint visibility, threat detection, and incident response on Windows systems.

Coming Soon: Microsoft has announced that native Sysmon functionality will be integrated directly into Windows 11 and Windows Server 2025, eliminating the need for separate installation. Until then, follow this guide for manual deployment.

What Is Sysmon

System Monitor (Sysmon) is a Windows system service and device driver developed by Microsoft Sysinternals that monitors and logs system activity to the Windows event log. Unlike native Windows Security auditing, Sysmon provides deep visibility into process creation, network connections, file operations, registry modifications, and other activities that are essential for detecting advanced threats and conducting forensic investigations.

Once installed, Sysmon remains resident across system reboots, starting automatically as a Windows service. It operates at the kernel level through a device driver, allowing it to capture low-level system activity that user-mode applications cannot access. The telemetry Sysmon generates is invaluable for Security Operations Centers (SOCs), threat hunters, and incident responders who need granular endpoint visibility.

Sysmon is free, widely adopted in enterprise environments, and has become a foundational component of endpoint detection and response (EDR) strategies. Its events map directly to MITRE ATT&CK techniques, making it an essential data source for detection engineering and threat hunting programs.

Why Use Sysmon

Native Windows Security auditing, while valuable, has significant gaps in visibility. Sysmon fills these gaps by providing telemetry that Windows does not natively generate, enabling detection of sophisticated attack techniques that would otherwise go unnoticed.

Enhanced Process Visibility

Sysmon Event 1 provides richer process creation data than Windows Event 4688, including process GUID for correlation, full command line, file hashes, parent process information, and original file name even when binaries are renamed.

Network Connection Tracking

Windows Security events do not log outbound network connections. Sysmon Event 3 captures TCP/UDP connections with source and destination IPs, ports, and the responsible process. Essential for detecting command-and-control (C2) traffic.

DNS Query Logging

Sysmon Event 22 logs DNS queries with the querying process, enabling detection of DNS-based C2, data exfiltration, and malicious domain lookups. This capability is not available in native Windows logging.

Process Memory Access

Sysmon Event 10 detects when one process accesses another process's memory, critical for identifying credential dumping tools like Mimikatz that read LSASS memory to extract passwords.

File Creation Monitoring

Sysmon Event 11 logs file creation in specified directories, detecting malware drops, script creation, and suspicious file writes. Event 23 captures file deletions for anti-forensics detection.

Image (DLL) Loading

Sysmon Event 7 tracks DLL loads, enabling detection of DLL side-loading, DLL injection, and malicious library loading. Essential for identifying living-off-the-land attacks that abuse legitimate processes.

Key Advantage: Sysmon events include Process GUIDs that remain consistent across events, enabling correlation of related activities. If a malicious process creates a file, makes network connections, and spawns child processes, all these events share the same Process GUID, simplifying investigation.

Sysmon Event Types

Sysmon generates 29 distinct event types, each capturing different system activities. Understanding these events is essential for effective configuration and detection rule development.

1

Process Creation

Logs detailed process creation including command line, hashes, parent process, user, and integrity level. The most valuable event for detecting malware and suspicious command execution.

3

Network Connection

Captures TCP/UDP connections with source/destination IPs, ports, hostnames, and the initiating process. Critical for C2 detection, data exfiltration monitoring, and lateral movement identification.

7

Image Loaded

Records when a module (DLL, driver) is loaded into a process. Detects DLL injection, side-loading, and malicious library loading. High volume event that requires careful filtering.

10

Process Access

Logs when a process opens another process with specific access rights. Essential for detecting credential dumping (LSASS access), process injection, and memory manipulation.

11

File Created

Records file creation events in monitored directories. Use for detecting malware drops, script file creation, and suspicious writes to startup folders or system directories.

12-14

Registry Events

Monitors registry key and value creation (12), modification (13), and renaming (14). Critical for detecting persistence mechanisms, configuration changes, and malware settings.

22

DNS Query

Captures DNS resolution requests with the querying process. Enables detection of DNS tunneling, domain generation algorithms (DGAs), and malicious domain lookups.

23

File Delete

Logs file deletion events with option to archive deleted files. Useful for detecting anti-forensics activity, evidence destruction, and ransomware behavior.

Additional Sysmon Events:

Event 2 (File creation time changed), Event 4 (Service state changed), Event 5 (Process terminated), Event 6 (Driver loaded), Event 8 (CreateRemoteThread), Event 9 (RawAccessRead), Event 15 (FileCreateStreamHash), Event 16 (ServiceConfigurationChange), Event 17/18 (Pipe created/connected), Event 19-21 (WMI events), Event 24 (Clipboard change), Event 25 (Process tampering), Event 26 (File delete detected), Event 27 (File block executable), Event 28/29 (File block shredding)

System Requirements

Sysmon is designed to run on a wide range of Windows systems with minimal resource overhead. Understanding requirements ensures successful deployment across your environment.

RequirementSpecification
Operating SystemWindows 7 / Windows Server 2008 R2 and later (x86 and x64)
PrivilegesAdministrator rights required for installation and configuration
Memory OverheadMinimal (typically 10-50 MB depending on configuration verbosity)
CPU ImpactLow (1-3% on average systems; higher during intense activity)
Disk SpaceBinary: ~2 MB; Log space varies by configuration and activity
DependenciesNone (standalone utility with no external dependencies)

Performance Note: Sysmon's resource usage scales with system activity and configuration verbosity. High-volume servers (domain controllers, file servers) may require tuning to exclude noisy but benign events. Always test configuration in a staging environment before production deployment.

Installation

Sysmon installation is straightforward using the command-line interface. Download the latest version from the official Microsoft Sysinternals website to ensure you have current capabilities and security updates.

Step 1: Download Sysmon

Download Sysmon from the official Microsoft Sysinternals page:

Step 2: Extract and Install

Extract the downloaded archive and run installation from an elevated command prompt. The archive contains both 32-bit (Sysmon.exe) and 64-bit (Sysmon64.exe) versions.

# Basic installation with default configuration

sysmon64 -accepteula -i

# Installation with custom configuration file

sysmon64 -accepteula -i sysmonconfig.xml

# Update existing configuration

sysmon64 -c sysmonconfig.xml

# View current configuration schema

sysmon64 -s

# Uninstall Sysmon

sysmon64 -u

Installation Command Options

OptionDescription
-i [config]Install service and driver, optionally with configuration file
-c [config]Update configuration of installed Sysmon, or print current config if no file specified
-u [force]Uninstall service and driver; use 'force' to remove even if removal fails
-accepteulaAutomatically accept the license agreement (required for silent installation)
-h [algorithm]Specify hash algorithms (MD5, SHA1, SHA256, IMPHASH, or *)
-n [name]Log network connections; optionally specify process name filter
-lLog module (DLL) loading events
-sPrint the configuration schema definition

Configuration Basics

Sysmon is configured using XML files that define which events to log and filtering rules. Proper configuration is essential for balancing visibility with manageable log volume. Running Sysmon without a configuration file uses default settings that generate minimal useful data.

Configuration Structure

A Sysmon configuration file consists of a root <Sysmon> element containing event filtering rules organized by event type.

<Sysmon schemaversion="4.90">
  <!-- Hash algorithms for file hashing -->
  <HashAlgorithms>SHA256,IMPHASH</HashAlgorithms>

  <!-- Archive directory for deleted files (optional) -->
  <ArchiveDirectory>C:\Sysmon\Archive</ArchiveDirectory>

  <EventFiltering>
    <!-- Process Creation - Log all except excluded -->
    <ProcessCreate onmatch="exclude">
      <Image condition="is">C:\Windows\System32\backgroundTaskHost.exe</Image>
      <Image condition="end with">\Windows\System32\svchost.exe</Image>
    </ProcessCreate>

    <!-- Network Connection - Include specific only -->
    <NetworkConnect onmatch="include">
      <DestinationPort condition="is">443</DestinationPort>
      <DestinationPort condition="is">80</DestinationPort>
    </NetworkConnect>

    <!-- File Creation - Monitor specific directories -->
    <FileCreate onmatch="include">
      <TargetFilename condition="begin with">C:\Users</TargetFilename>
      <TargetFilename condition="contains">\Downloads\</TargetFilename>
    </FileCreate>
  </EventFiltering>
</Sysmon>

Filtering Logic

Sysmon supports two filtering modes for each event type: include and exclude.

onmatch="include"

Only log events that match at least one rule. Use when you want to capture specific activities from known locations or processes. Events that do not match any rule are not logged.

onmatch="exclude"

Log all events except those matching rules. Use when you want broad visibility but need to filter known benign noise. Events matching any rule are not logged.

Condition Operators

ConditionDescriptionExample
isExact match (case insensitive)condition="is">cmd.exe
is notDoes not exactly matchcondition="is not">svchost.exe
containsContains substringcondition="contains">\\Temp\\
begin withStarts with stringcondition="begin with">C:\\Windows
end withEnds with stringcondition="end with">.exe
imageMatches any path portioncondition="image">explorer.exe
less than / more thanNumeric comparisoncondition="less than">1024

Configuration Templates

Creating a comprehensive Sysmon configuration from scratch is time-consuming and error-prone. The security community has developed extensively tested configuration templates that provide excellent detection coverage while managing log volume.

SwiftOnSecurity Sysmon Config

The most widely adopted Sysmon configuration template. Provides high-quality default event tracing with extensive documentation. Excellent starting point for organizations new to Sysmon. Maintained actively with community contributions.

github.com/SwiftOnSecurity/sysmon-config

Sysmon Modular (Olaf Hartong)

A modular approach to Sysmon configuration that allows enabling/disabling specific detection modules. More comprehensive than SwiftOnSecurity with additional detection capabilities. Excellent for mature security teams wanting granular control.

github.com/olafhartong/sysmon-modular

Florian Roth's Config

A comprehensive configuration focused on detecting known attack techniques. Includes rules aligned with threat intelligence and MITRE ATT&CK framework. Good for organizations prioritizing threat detection over operational monitoring.

github.com/Neo23x0/sysmon-config

Recommendation: Start with the SwiftOnSecurity configuration for initial deployment. After observing your environment's behavior for 1-2 weeks, tune exclusions for noisy benign events and consider adding rules from sysmon-modular for enhanced detection.

Tuning and Filtering

Effective Sysmon deployment requires balancing detection coverage with manageable data volume. Without proper tuning, Sysmon can generate excessive noise that overwhelms SIEM platforms and obscures real threats. Follow these strategies for optimal configuration.

High-Volume Events to Filter

Certain events generate significant volume in typical environments. Implement careful exclusions while preserving detection capability:

Event 7 (Image Loaded)

Extremely high volume. Exclude system DLLs, antivirus, and known software. Include only unsigned DLLs, DLLs from suspicious paths (Temp, AppData), or specific threat-related libraries.

Event 3 (Network Connection)

High volume on servers. Exclude known legitimate services (browsers to trusted domains, backup software, update services). Focus on unusual ports, unexpected processes making connections, and internal lateral movement.

Events 12-14 (Registry)

Very high volume. Focus on persistence-related keys (Run, RunOnce, Services, Scheduled Tasks) and exclude volatile operational registry activity from known software.

Environment-Specific Tuning

Antivirus/EDR Exclusions

Security software generates substantial event volume. Exclude known AV/EDR processes from process creation and image loading events. Document all exclusions for security review.

Development Environments

Developer workstations compile code frequently, triggering massive process creation events. Consider separate, less verbose configurations for development systems.

Domain Controllers

DCs have unique activity patterns. Tune for LDAP, Kerberos, and replication traffic while maintaining high visibility for administrative actions and authentication anomalies.

Warning: Every exclusion is a potential blind spot. Attackers can hide in exclusions by naming malware after excluded processes or operating from excluded paths. Regularly audit exclusions and limit them to truly necessary cases.

Enterprise Deployment

Deploying Sysmon across an enterprise requires centralized management for installation, configuration updates, and monitoring. Use existing management infrastructure for consistent deployment.

Group Policy Deployment

Use Group Policy preferences or startup scripts to deploy Sysmon across domain-joined systems:

# Example deployment script (deploy-sysmon.bat)

@echo off
set SYSMON_PATH=\\domain.local\SYSVOL\domain.local\scripts\Sysmon
set CONFIG_PATH=\\domain.local\SYSVOL\domain.local\scripts\Sysmon\sysmonconfig.xml

:: Check if Sysmon is already installed
sc query Sysmon64 >nul 2>&1
if %ERRORLEVEL% EQU 0 (
    :: Update configuration if already installed
    "%SYSMON_PATH%\Sysmon64.exe" -c "%CONFIG_PATH%"
) else (
    :: Fresh installation
    "%SYSMON_PATH%\Sysmon64.exe" -accepteula -i "%CONFIG_PATH%"
)

Microsoft Endpoint Configuration Manager (SCCM/MECM)

Create an application or package deployment for granular control over Sysmon installation across your environment. Use compliance settings to verify Sysmon is running and configuration is current.

Configuration Version Control

Store configuration files in version control (Git) to track changes over time
Use signed configuration files to prevent tampering (-c configfile.xml /signature)
Test configuration changes in staging before production deployment
Document exclusions with business justification for audit purposes

Viewing Sysmon Logs

Sysmon writes events to a dedicated event log channel. Events can be viewed locally with Event Viewer or collected centrally using your SIEM platform.

Event Log Location

Event Viewer Path:

Applications and Services Logs → Microsoft → Windows → Sysmon → Operational

PowerShell Query:

Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 50

Command-Line Log Access

# View recent Sysmon events

wevtutil qe Microsoft-Windows-Sysmon/Operational /c:10 /f:text

# Export Sysmon logs to file

wevtutil epl Microsoft-Windows-Sysmon/Operational C:\Logs\sysmon_export.evtx

# Clear Sysmon log (requires admin)

wevtutil cl Microsoft-Windows-Sysmon/Operational

Log Size Configuration

The default Sysmon log size is often insufficient for busy systems. Increase the maximum log size to retain more events locally:

# Set Sysmon log to 1GB maximum size

wevtutil sl Microsoft-Windows-Sysmon/Operational /ms:1073741824

Detection Strategies with Sysmon

Sysmon events map directly to MITRE ATT&CK techniques, enabling detection of sophisticated attack patterns. The following strategies leverage Sysmon telemetry for high-fidelity threat detection.

Credential Dumping Detection

Monitor Event 10 (ProcessAccess) for processes accessing LSASS memory. Alert on any process other than known security software accessing LSASS.exe with memory read permissions.

MITRE ATT&CK: T1003.001 (OS Credential Dumping: LSASS Memory)

Living-off-the-Land Binary Detection

Use Event 1 (ProcessCreate) to detect abuse of legitimate Windows binaries. Alert on unusual parent-child process relationships, suspicious command-line arguments to certutil, mshta, regsvr32, rundll32, and other LOLBins.

MITRE ATT&CK: T1218 (System Binary Proxy Execution)

Command-and-Control Detection

Correlate Event 3 (NetworkConnect) with Event 22 (DNSQuery) to identify suspicious outbound connections. Look for beaconing patterns, connections to rare domains, and processes making unexpected network calls.

MITRE ATT&CK: T1071 (Application Layer Protocol)

Persistence Mechanism Detection

Monitor registry events (12-14) for modifications to Run keys, Services, Scheduled Tasks, and other persistence locations. Correlate with Event 11 (FileCreate) for files dropped in startup folders.

MITRE ATT&CK: T1547 (Boot or Logon Autostart Execution)

Process Injection Detection

Use Event 8 (CreateRemoteThread) to detect cross-process thread creation, a common injection technique. Correlate with Event 10 (ProcessAccess) for comprehensive injection visibility.

MITRE ATT&CK: T1055 (Process Injection)

Detection Engineering Tip: Start with high-fidelity detections that generate few false positives. Event 10 targeting LSASS, Event 8 for remote thread creation, and suspicious parent-child process combinations are excellent starting points. Gradually add more comprehensive rules as you understand your environment's baseline.

Troubleshooting

Sysmon Service Not Starting

  • Verify administrator privileges during installation
  • Check for conflicting security software blocking driver installation
  • Review Windows Event Log for service startup errors
  • Try uninstalling (sysmon64 -u force) and reinstalling

Events Not Being Logged

  • Verify configuration file syntax: sysmon64 -c to print current config
  • Check that the event type is not excluded in configuration
  • Ensure Sysmon service is running: sc query Sysmon64
  • Verify schema version matches your Sysmon version

High System Resource Usage

  • Review configuration for overly verbose event types (Event 7, 12-14)
  • Add exclusions for known high-volume benign processes
  • Use include rules instead of exclude for high-volume event types
  • Consider separate configurations for different system roles

Configuration Not Applying

  • Verify XML syntax is valid (no unclosed tags, proper nesting)
  • Check schema version in config matches Sysmon version
  • Run configuration update as administrator: sysmon64 -c config.xml
  • Verify file path is correct and accessible

Official Resources

Related Guides

Explore Sysmon Events

Browse our database of 29 Sysmon event types with detailed explanations, detection strategies, and MITRE ATT&CK mappings to build effective detection rules.