System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using
Windows Event Collection or
SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
Note that Sysmon does not provide analysis of the events it generates, nor does it attempt to protect or hide itself from attackers.
Overview of Sysmon Capabilities
Sysmon includes the following capabilities:
- Logs process creation with full command line for both current and parent processes.
- Records the hash of process image files using SHA1 (the default), MD5 or SHA256.
- Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
- Optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names.
- Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
- Generates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware.
Uses Sysmon simple command-line options to install and uninstall it, as well as to check and modify Sysmon’s configuration:
Install: Sysmon.exe -i [-h [sha1|md5|sha256]] [-n]
Configure: Sysmon.exe -c [[-h [sha1|md5|sha256]] [-n]|--]
Uninstall: Sysmon.exe -u
|-c||Update configuration of an installed Sysmon driver or dump the current configuration if no other argument is provided.|
|-h||Specify the hash algorithm used for image identification (default is SHA1).|
|-i||Install service and driver.|
|-m||Install the event manifest (done on service install as well).|
|-n||Log network connections.|
|-u||Uninstall service and driver.|
The service logs events immediately and the driver installs as a boot-start driver to capture activity from early in the boot that the service will write to the event log when it starts.
On Vista and higher, events are stored in "Applications and Services Logs/Microsoft/Windows/Sysmon/Operational"
On older systems events write to the System event log.
Specify -accepteula to automatically accept the EULA on installation, otherwise you will be interactively prompted to accept it.
Neither install nor uninstall require a reboot.
Install with default settings (process images hashed with sha1 and no network monitoring):
sysmon –i -accepteula
Install with md5 hashing of process created and monitoring network connections:
sysmon –i -accepteula –h md5 –n
Dump the current configuration:
Change the configuration (when Sysmon is running) to be hash sha256 and no network monitoring:
sysmon –c –h sha256
Change the configuration to default settings:
sysmon –c --
On Vista and higher, events are stored in "Applications and Services Logs/Microsoft/Windows/Sysmon/Operational", and on older systems events write to the System event log. Event timestamps are in UTC standard time.
The following are examples of each event type that Sysmon generates.
Event ID 1: Process creation
The process creation event provides extended information about a newly created process. The full command line provides context on the process execution. The ProcessGUID field is a unique value for this process across a domain to make event correlation easier. The hash is a full hash of the file with the algorithm in the HashType field.
Example of the process creation event:
The change file creation time event is registered when a file creation time is explicitly modified by a process. This event helps tracking the real creation time of a file. Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.
The network connection event logs tcp/udp connections on the machine. Each connection is linked to a process through the ProcessId and ProcessGUID fields. The event also contains the ip addresses, port numbers, ipv6 status, hostnames and port names of both source and destinations.