Microsoft has made a significant announcement regarding the integration of Sysmon, a powerful tool from its Sysinternals suite, into the upcoming Windows 11 and Windows Server 2025. This change, set to take effect next year, will eliminate the need for users to deploy Sysmon as a standalone application.
Seamless Integration of Sysmon
Mark Russinovich, the creator of Sysinternals, shared that the native inclusion of Sysmon will allow users to leverage its functionality directly within Windows. The tool enables the use of custom configuration files to filter captured events, which are then logged in the Windows event log. This capability opens the door to a myriad of applications, particularly in the realm of security.
Sysmon, short for System Monitor, is a free tool that can be tailored to monitor and log suspicious activities, thus enhancing security measures on Windows systems. By default, Sysmon tracks fundamental events such as process creation and termination. However, its true potential lies in the ability to create advanced configuration files that can monitor intricate behaviors, including:
- Process tampering
- DNS queries
- Executable file creation
- Changes to the Windows clipboard
- Auto-backup of deleted files
This tool has gained popularity among security professionals for threat hunting and diagnosing persistent issues within Windows environments. Traditionally, the necessity to install Sysmon individually on each device posed challenges in management and coverage, especially in larger IT infrastructures.
Enhanced Deployment and Management
With Sysmon’s native support in Windows, installation becomes a breeze. Users and administrators can access it through the “Optional features” settings in Windows 11, receiving updates seamlessly via Windows Update. This streamlined approach significantly simplifies deployment and management processes.
Microsoft assures that the built-in version will maintain Sysmon’s standard features, including support for custom configuration files and advanced event filtering. Once installed, administrators can initiate Sysmon monitoring through the Command Prompt with the following command:
sysmon -i
For those looking to implement more sophisticated monitoring using a custom configuration file, the command is as follows:
sysmon -i <nameofconfig_file>
For instance, to log the creation of new executables in the C:\ProgramData and C:\Users directories, one might use the following configuration:

```xml
<Sysmon schemaversion="4.90">
  <!-- Hash algorithms recorded for every logged file/process -->
  <HashAlgorithms>MD5,SHA256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 29 (FileExecutableDetected): log new executables written under these paths -->
    <FileExecutableDetected onmatch="include">
      <TargetFilename condition="begin with">C:\ProgramData</TargetFilename>
      <TargetFilename condition="begin with">C:\Users</TargetFilename>
    </FileExecutableDetected>
  </EventFiltering>
</Sysmon>
```
Once this configuration is applied, any new executable created in the specified directories is written to the Event Log, giving administrators a clear record of what was dropped where.
Key Events Logged by Sysmon
Sysmon is capable of logging various critical events, including:
- Event ID 1 – Process Creation: Essential for identifying suspicious command-line activities.
- Event ID 3 – Network Connection: Records outbound connections, aiding in anomaly detection and identifying command-and-control (C2) activity.
- Event ID 8 – Process Access: Useful for detecting attempts to access LSASS for credential dumping.
- Event ID 11 – File Creation: Monitors script file generation, often associated with malware staging.
- Event ID 25 – Process Tampering: Helps uncover process hollowing and other evasion techniques.
- Event IDs 20 & 21 – WMI Events: Captures persistence established through WMI event consumers and filters.
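The following PowerShell script is an added example, not code from the article or from Microsoft: it walks through the deployment steps above (validate the config, install or re-apply it, confirm events are flowing) and then pulls the event IDs just listed from the Sysmon operational log and triages them the way a defender would. It assumes an elevated session, a config saved at C:\Sysmon\config.xml (a placeholder path), that the executable-creation rule in the sample config surfaces as Sysmon's FileExecutableDetected event (ID 29), and that the Sysmon service name begins with "Sysmon".

```powershell
# Added example (not from the article). Assumes Sysmon 15+, an elevated
# PowerShell session, and a config at C:\Sysmon\config.xml (placeholder path).
$ConfigPath = 'C:\Sysmon\config.xml'
$LogName    = 'Microsoft-Windows-Sysmon/Operational'

# Validate the XML before handing it to Sysmon; a malformed file fails the install.
try { [xml](Get-Content -Path $ConfigPath -Raw) | Out-Null }
catch { throw "Config is not well-formed XML: $($_.Exception.Message)" }

# Install with the configuration, or re-apply it if Sysmon is already present
# ('-c' updates the running configuration without reinstalling the driver).
if (Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue) {
    sysmon -c $ConfigPath
} else {
    sysmon -accepteula -i $ConfigPath
}

# Confirm the service is running and that events are being written.
Get-Service -Name 'Sysmon*' | Select-Object Name, Status, StartType
Get-WinEvent -LogName $LogName -MaxEvents 1 | Select-Object TimeCreated, Id

# Flatten a Sysmon event's EventData fields into a single object.
function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]$data
}

# Collect the last 24 hours of the event IDs discussed in the article.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
              LogName = $LogName; Id = 1,3,8,11,20,21,25,29; StartTime = $since
          } -ErrorAction SilentlyContinue | ForEach-Object { ConvertFrom-SysmonEvent $_ }

# Event ID 8: processes that opened a handle to LSASS (credential-dumping check).
$events | Where-Object { $_.Id -eq 8 -and $_.TargetImage -like '*\lsass.exe' } |
    Select-Object TimeCreated, SourceImage, GrantedAccess, CallTrace | Format-Table -AutoSize

# Event ID 1: process creations launched from user-writable locations.
$events | Where-Object { $_.Id -eq 1 -and $_.Image -match '^C:\\(Users|ProgramData)\\' } |
    Select-Object TimeCreated, Image, CommandLine, ParentImage | Format-Table -AutoSize

# Event ID 29: new executables written under the paths in the sample config.
$events | Where-Object { $_.Id -eq 29 } |
    Select-Object TimeCreated, Image, TargetFilename, Hashes | Format-Table -AutoSize

# Event ID 25: process tampering (hollowing / image replacement).
$events | Where-Object { $_.Id -eq 25 } |
    Select-Object TimeCreated, Image, Type | Format-Table -AutoSize

# Event IDs 20 and 21: WMI event consumers and filters used for persistence.
$events | Where-Object { $_.Id -in 20,21 } |
    Select-Object TimeCreated, Id, Operation, User, Name | Format-Table -AutoSize
```

Each query keys on the EventData field names Sysmon emits for that event type (for example SourceImage and GrantedAccess on Event ID 8), so the same ConvertFrom-SysmonEvent helper can feed whatever additional filters an environment needs; on a busy host, narrow the time window or the ID list before running it interactively.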
In addition to these enhancements, Microsoft has confirmed that comprehensive documentation on Sysmon’s usage will be released next year, alongside new enterprise management features and AI-driven threat detection capabilities.
For those eager to explore or deploy Sysmon in their environments prior to its native integration, the individual tool is available on the Sysinternals site, along with example configurations provided by SwiftOnSecurity.