
November 30, 2016

Sysmon is a utility packaged with the Windows Sysinternals toolset, a set of Windows tools for administrators and advanced users. Sysmon itself is simply a Windows service and device driver that collects system events of interest and forwards them to the Windows event log. You can get started with it by downloading it here. You can install it as a service with the following command line:

sysmon -accepteula -i -h md5,sha256 -n


This will get you Process and Network events, and each Process Creation event will carry both an MD5 hash and a SHA256 hash. You can get much more nuanced with configuration and filtering of events using a config file, but the above is all you need to get started.

Sysmon emits many events that are useful from a detection perspective, but most of the value comes from the Process Creation event. Start with that event for the bulk of your exploration and then begin to explore the others, such as Network Connection, Driver Loaded and Image Loaded.

To get started on the analytics and some basic hunting and detection work, I would recommend starting with Splunk’s free license or the open source Elastic Stack. In both cases you would use a forwarder running on Windows hosts to forward Sysmon events from the Windows event log directly to your analytics platform. The analytics front end you choose, either Splunk or Kibana, becomes the interface through which you do your hunting or detection development.
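To see what a Process Creation record carries before a platform is wired up, here is an added example (not from the original post) that parses Sysmon event XML and stacks process creations by SHA256 to surface binaries seen on few hosts. It assumes events exported as XML; the function names, host names, paths and hash values are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_process_create(xml_text):
    """Return the fields of a Process Creation event (ID 1), or None for other events."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1":
        return None
    rec = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    rec["Computer"] = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    # With "-h md5,sha256" the Hashes field reads "MD5=...,SHA256=..."; split per algorithm.
    pairs = (p.split("=", 1) for p in rec.get("Hashes", "").split(",") if "=" in p)
    rec["Hashes"] = {alg.upper(): value for alg, value in pairs}
    return rec

def rare_binaries(xml_events, max_hosts=1):
    """Stack process creations by SHA256 and return binaries seen on <= max_hosts hosts."""
    hosts, images = defaultdict(set), {}
    for xml_text in xml_events:
        rec = parse_process_create(xml_text)
        if rec is None or "SHA256" not in rec["Hashes"]:
            continue
        sha = rec["Hashes"]["SHA256"]
        hosts[sha].add(rec["Computer"])
        images[sha] = rec.get("Image", "")
    return sorted((images[s], s, len(h)) for s, h in hosts.items() if len(h) <= max_hosts)

# Constructed sample data: host names, paths and hash values are made up.
def _event(event_id, host, **data):
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{host}</Computer></System><EventData>{fields}</EventData></Event>')

def _hashes(ch):
    return f"MD5={ch * 32},SHA256={ch * 64}"

SAMPLE = [
    _event(1, "ws01", Image=r"C:\Windows\System32\notepad.exe", Hashes=_hashes("a")),
    _event(1, "ws02", Image=r"C:\Windows\System32\notepad.exe", Hashes=_hashes("a")),
    _event(1, "ws02", Image=r"C:\Users\Public\upd.exe", Hashes=_hashes("b")),
    _event(3, "ws01", Image=r"C:\Windows\System32\svchost.exe", DestinationIp="203.0.113.10"),
]

if __name__ == "__main__":
    for image, sha256, host_count in rare_binaries(SAMPLE):
        print(f"{host_count} host(s)  {sha256[:16]}...  {image}")
```

The same stacking idea carries over to Splunk or Kibana as a count of distinct hosts per hash, sorted ascending.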

Check out this corresponding blog post for some more ideas of what you can do with Sysmon from a strategic hunting and advanced threat detection perspective.
