How to Setup Windows Sysmon
System Monitor, commonly known as Sysmon, is a service and device driver for Windows systems that persists through system restarts once installed. Its purpose is to oversee and record system activities, storing this data in the Windows event log. It offers comprehensive insights into the initiation of processes, network connections, and modifications to the timestamps of file creation.
Please follow these steps to set up Windows Sysmon:
1. The first step is to download Sysmon v15.11 from the official Microsoft website: Sysmon v15.11.
2. The second step is to unzip the downloaded archive (Sysmon.zip).
3. To install Sysmon, open CMD and navigate to the folder containing the unzipped archive using the command:
cd <folder name>
After which the following command will be executed:
Once it is installed, Sysmon starts monitoring automatically and keeps running across reboots. For more details on installation and configuration, see the Sysmon v15.11 page.
In order for our Windows Agent to be able to send the logs to the CYBERQUEST server, the following registry script (.reg file) must be run:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Sysmon/Operational]
" "=-
To view the event logs generated by Sysmon, open Event Viewer and follow this path:
Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
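Before pointing the Windows Agent at the server, it is worth confirming that Sysmon is actually running and writing to that channel. The following PowerShell check is an added example, not part of the original guide or of Sysmon itself; it assumes an elevated session on a host where the steps above have been completed, and uses the standard Sysmon event IDs for the three activity types described at the top of this page (1 = process creation, 2 = file creation time changed, 3 = network connection).

```powershell
# Added verification script (not part of the original guide). Assumes Sysmon is already
# installed per the steps above and that this runs in an elevated PowerShell session.

$LogName = 'Microsoft-Windows-Sysmon/Operational'

# 1. Confirm the Sysmon service is present and running (service name depends on the
#    installer binary used: Sysmon.exe -> "Sysmon", Sysmon64.exe -> "Sysmon64").
$svc = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $svc) {
    Write-Warning 'Sysmon service not found; run the installer from the unzipped archive first.'
    return
}
Write-Output ("Sysmon service '{0}' status: {1}" -f $svc.Name, $svc.Status)

# 2. Confirm the Operational channel exists, is enabled, and is collecting records.
$log = Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue
if (-not $log) {
    Write-Warning "Event log '$LogName' not found; check the registry script was applied."
    return
}
Write-Output ("Log enabled: {0}; records: {1}; max size: {2} bytes" -f `
    $log.IsEnabled, $log.RecordCount, $log.MaximumSizeInBytes)

# 3. Count events from the last hour for the three activity types mentioned above.
#    Sysmon event IDs: 1 = process creation, 2 = file creation time changed, 3 = network connection.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since; Id = 1, 2, 3 } `
                       -ErrorAction SilentlyContinue
$events | Group-Object Id |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# 4. Show the key fields of the most recent process-creation event, i.e. the data the
#    agent will forward to CYBERQUEST. Get-WinEvent returns newest events first.
$latest = $events | Where-Object Id -eq 1 | Select-Object -First 1
if ($latest) {
    $xml = [xml]$latest.ToXml()
    $xml.Event.EventData.Data |
        Where-Object { $_.Name -in 'Image', 'CommandLine', 'User', 'ParentImage' } |
        ForEach-Object { '{0,-12}: {1}' -f $_.Name, $_.'#text' }
}
```

If step 3 reports no records, open a new process (for example, start notepad.exe) and re-run the script; an empty result after that points at the driver not loading rather than at log forwarding.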