Microsoft has made a significant announcement regarding the integration of Sysmon into its upcoming Windows 11 and Windows Server 2025. This integration, set to roll out next year, will eliminate the need for users to deploy Sysinternals tools separately, streamlining the process for IT professionals.
Enhanced Monitoring Capabilities
Mark Russinovich, the creator of Sysinternals, shared that the native inclusion of Sysmon will allow users to utilize custom configuration files to filter captured events, which will be logged in the Windows event log. This functionality opens up a multitude of use cases, particularly for security applications.
Sysmon, or System Monitor, is a free tool from Microsoft that can be configured to monitor and block suspicious activities while logging events to the Windows Event Log. By default, it tracks basic events such as process creation and termination. However, users can create advanced configuration files to monitor more complex behaviors, including:
- Process tampering
- DNS queries
- Executable file creation
- Changes to the Windows clipboard
- Auto-backup of deleted files
This tool has gained popularity among security professionals for threat hunting and diagnosing persistent issues within Windows environments. The traditional requirement for individual installations across devices often posed challenges in management and coverage, especially in larger IT settings.
Simplified Deployment and Management
With Sysmon’s native support in Windows, users and administrators can easily install it via the “Optional features” settings in Windows 11. Furthermore, software updates will be delivered directly through Windows Update, significantly simplifying deployment and ongoing management.
Microsoft assures that the built-in Sysmon will retain its standard feature set, including support for custom configuration files and advanced event filtering. Administrators can enable Sysmon through the Command Prompt with the following command for basic monitoring:
sysmon -i
For those looking to implement more advanced monitoring with a custom configuration file, the command is as follows:
sysmon -i <nameofconfig_file>
For instance, to log the creation of new executables under the C:\ProgramData and C:\Users directories, users can utilize a configuration file such as the following (element names are those of Sysmon's standard configuration schema; executable-file detection requires a schema version of 4.90 or later):

```xml
<Sysmon schemaversion="4.90">
  <HashAlgorithms>MD5,SHA256</HashAlgorithms>
  <EventFiltering>
    <FileExecutableDetected onmatch="include">
      <TargetFilename condition="begin with">C:\ProgramData</TargetFilename>
      <TargetFilename condition="begin with">C:\Users</TargetFilename>
    </FileExecutableDetected>
  </EventFiltering>
</Sysmon>
```
Once implemented, any new executable created in these directories will be logged in the Windows Event Logs, enhancing visibility and control.
Key Events Logged by Sysmon
Sysmon captures a variety of events that are crucial for security monitoring, including:
- Event ID 1 – Process Creation: Essential for detecting suspicious command-line activity.
- Event ID 3 – Network Connection: Logs outbound connections, aiding in anomaly detection or identifying command-and-control (C2) activity.
- Event ID 8 – Process Access: Reveals attempts to access LSASS, which can indicate credential dumping.
- Event ID 11 – File Creation: Tracks script file generation, often a precursor to malware staging.
- Event ID 25 – Process Tampering: Helps identify techniques like process hollowing that are used to evade detection.
- Event IDs 20 & 21 – WMI Events: Capture persistence established through WMI event filters and consumers.
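As an added example that is not part of the article, the PowerShell script below pulls the last 24 hours of the event IDs listed above from the Sysmon operational log and annotates the ones the article singles out (LSASS access, process tampering, new executables). It assumes Sysmon is installed, that the script runs in an elevated session, and that the log channel name is Sysmon's standard one; the hypothetical `$Watch` labels are the author's own.

```powershell
# Added example, not from the article or the Sysmon project.
# Assumes Sysmon is installed and this runs elevated (the log is admin-readable only).
$LogName = 'Microsoft-Windows-Sysmon/Operational'
$Since   = (Get-Date).AddHours(-24)

# Event ID -> label for the IDs the article discusses (29 = executable created).
$Watch = @{ 1 = 'ProcessCreate'; 3 = 'NetworkConnect'; 8 = 'ProcessAccess';
            11 = 'FileCreate'; 20 = 'WmiEventFilter'; 21 = 'WmiEventConsumer';
            25 = 'ProcessTampering'; 29 = 'FileExecutableDetected' }

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Id        = [int[]]$Watch.Keys
    StartTime = $Since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Sysmon writes fields as <Data Name="...">; read them by name rather than
    # by position so the script is not tied to one schema version's field order.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $note = ''
    switch ([int]$e.Id) {
        8  { if ($data['TargetImage'] -match '\\lsass\.exe$') {
                 $note = 'handle to LSASS: review for credential access' } }
        25 { $note = "tampering type: $($data['Type'])" }
        29 { $note = "new executable: $($data['TargetFilename'])" }
    }

    # Event ID 8 reports the acting process as SourceImage; most others use Image.
    $image = if ($data.ContainsKey('Image')) { $data['Image'] } else { $data['SourceImage'] }

    [pscustomobject]@{
        Time  = $e.TimeCreated
        Id    = $e.Id
        Event = $Watch[[int]$e.Id]
        Image = $image
        Note  = $note
    }
}
```

Pipe the output to `Where-Object Note` to see only the annotated rows, or to `Export-Csv` to hand the triage set to a SIEM.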
In addition to these enhancements, Microsoft has confirmed that comprehensive documentation on using Sysmon will be released next year, alongside new enterprise management features and AI-powered threat detection capabilities.
For those eager to explore Sysmon’s capabilities in their environments, the individual tool is available on the Sysinternals site, where users can also find example configurations to guide their implementation.