Meet the hidden Windows 11 tool that reveals what Task Manager misses

Microsoft has recently integrated the System Monitor, commonly known as Sysmon, directly into Windows 11 through a system update. Previously, this powerful tool was available only as a standalone download or as part of the Sysinternals suite. Once installed, Sysmon operates discreetly in the background, logging its activities in the Windows Event Log.

Identifying Suspicious Processes

Mark Russinovich, the developer behind the Sysinternals suite, has outlined several indicators that can help users identify suspicious processes:

  • No icons, descriptions, or company names in the process details.
  • The process is running from a Windows directory or a user profile.
  • It was initiated with an incorrect parent process.
  • The process name contains spelling errors.
  • It consists of unsigned executable files.
  • Its executable files are packed.
  • It hosts suspicious DLLs or services.
  • It has open TCP/IP endpoints.
  • The executable file contains unusual URLs or character strings.

Install and Start Sysmon

To install Sysmon, begin by typing system in the taskbar’s search box and selecting the Control Panel. In the icon view, navigate to Programs > Programs and Features, or in the category view, click on Uninstall a program. From there, access Turn Windows features on or off on the left side.

Scroll down, check the box next to Sysmon, and confirm by clicking OK. Windows will then install the Sysmon files on your computer. Afterward, click Close and restart your PC.

Next, to set up and activate Sysmon, open the Command Prompt by typing cmd in the search box. Select Run as administrator when prompted. The Command Prompt will open in the C:\Windows\System32 directory, where you can simply enter sysmon.exe -i and press Enter. A series of system messages will appear, concluding with Sysmon started, indicating that the service is now running in the background.

Viewing Sysmon Messages

Sysmon does not feature its own user interface; instead, it communicates through the Event Viewer. To access this tool, type event in the search box and select Event Viewer. In the Event Viewer, expand Applications and Services Logs, and navigate to Microsoft > Windows > Sysmon > Operational to view the logged events.

While the number of entries may seem overwhelming, this is typical behavior for Sysmon, which meticulously records all program and driver activities on your system. By double-clicking on individual entries, you can see the associated executable file and its origin.

Analyzing the Sysmon Logs

When analyzing Sysmon logs, important details such as the date, time, and event specifics are displayed. The Image line reveals the full path of the file, along with its version. This information is crucial for identifying potential malware embedded in the system.
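The indicators listed above can be applied mechanically to ProcessCreate records (Event ID 1) copied from Event Viewer's XML view. The following is an added example in Python, not code from the article or from Sysinternals; the EXPECTED_PARENT baseline, the similarity threshold and the sample events are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from difflib import SequenceMatcher
from typing import Dict, List

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumption: a tiny baseline of core Windows processes and the parent each is normally
# launched by; a real deployment would use a much fuller table.
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe",
                   "csrss.exe": "smss.exe"}
USER_PROFILE = re.compile(r"^c:\\users\\[^\\]+\\", re.IGNORECASE)

def parse_event(xml_text: str) -> Dict[str, str]:
    """Return the EventData fields of one Sysmon event (Event Viewer > Details > XML View)."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.findall(".//e:EventData/e:Data", NS)}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_indicators(ev: Dict[str, str]) -> List[str]:
    """Apply the indicators to one ProcessCreate record; Sysmon writes '-' for empty fields."""
    findings = []
    name, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
    if ev.get("Company", "-") == "-" or ev.get("Description", "-") == "-":
        findings.append("no company name or description")
    if USER_PROFILE.match(ev.get("Image", "")):
        findings.append("running from a user profile")
    if name in EXPECTED_PARENT and parent != EXPECTED_PARENT[name]:
        findings.append(f"unexpected parent {parent} (expected {EXPECTED_PARENT[name]})")
    for known in EXPECTED_PARENT:  # near-miss of a well-known name, e.g. a digit for a letter
        if name != known and SequenceMatcher(None, name, known).ratio() > 0.85:
            findings.append(f"name resembles {known} (possible misspelling)")
    return findings

def sample_event(fields: Dict[str, str]) -> str:
    """Build a minimal Event ID 1 record with the given EventData (constructed input, not a real log)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return f'<Event xmlns="{NS["e"]}"><System><EventID>1</EventID></System><EventData>{data}</EventData></Event>'

if __name__ == "__main__":
    odd = sample_event({"Image": r"C:\Users\alice\AppData\Local\Temp\svch0st.exe", "Company": "-",
                        "Description": "-", "ParentImage": r"C:\Windows\explorer.exe"})
    for f in suspicious_indicators(parse_event(odd)):
        print("suspicious:", f)
```

The same functions work on a whole export: save the Operational log as XML from Event Viewer, split it into Event elements and run each through parse_event.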

Narrowing Down Sysmon Events

Filtering through Sysmon events can be a laborious task, as many entries stem from benign applications. To streamline this process, users can load an XML configuration file into Sysmon, which can filter out irrelevant events. Microsoft has provided a basic version of such a configuration file, which can be customized according to user needs.

Loading a Sysmon Configuration

To load an XML configuration file, open the Command Prompt with administrative rights and use the command sysmon.exe -i [path to XML file]. For instance, if your configuration file is named configsysmon.xml and located in the C:\Temp folder, the command would be sysmon.exe -i C:\Temp\configsysmon.xml.

What to Do After the Analysis?

If you identify a suspicious process or driver, the first step should be to run a full scan with your antivirus software. Additionally, consider uploading the file indicated in the event log to VirusTotal for further analysis. If a process appears unnecessary, you might rename the file temporarily and restart your computer to observe any changes.

Process Monitor Versus System Monitor

In addition to Sysmon, another tool available for monitoring processes is Process Monitor (Procmon). While Sysmon continuously logs events in the background, Procmon captures a snapshot of all currently running processes. Both tools are offered by Microsoft and can be downloaded for free, providing users with essential resources for system monitoring and security.
