Day 9 : Setting up And Configuring Sysmon

On Day 8, I read up on Sysmon, its functionality and the features it offers. Continuing from that, today I will be installing Sysmon onto my Windows Server VM so that the logs it generates can be forwarded to my Elasticsearch instance.

Downloading and Setting up Sysmon

Firstly, I used RDP to connect to the Windows Server VM from my laptop. Next, in the browser, I headed to the official Microsoft page and clicked on Download Sysmon to download the latest version of Sysmon, which, as of writing this article, is 15.15.

Next, I headed to the downloads folder and extracted the Sysmon.zip file.

For the configuration file, I will be using Olaf's configuration file from here. I scrolled down and downloaded the sysmonconfig.xml file into the extracted Sysmon folder.

Next, I opened PowerShell and typed in the following installation command:

.\Sysmon64.exe -i sysmonconfig.xml

Now, to make sure that Sysmon is up and running, I checked the Services tab and the Windows Event Viewer, and sure enough, Sysmon is present in both:
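The same check can be scripted instead of clicking through Services and Event Viewer. This is an added example, not part of the original post; it assumes the default service name (Sysmon64), the default driver name (SysmonDrv), the standard Sysmon operational log channel, and that it is run from the extracted Sysmon folder in an elevated PowerShell session.

```powershell
# Added verification script (not from the original post): confirm that Sysmon is
# installed, its driver is loaded, a configuration was applied, and events are flowing.
# Assumes defaults: service 'Sysmon64', driver 'SysmonDrv', run from the Sysmon folder.

# 1. The user-mode service that the '-i' install step registers.
$svc = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
if (-not $svc) { throw "Sysmon64 service not found - the install step did not complete." }
"Service {0}: {1}" -f $svc.Name, $svc.Status

# 2. The kernel driver that actually collects process/network/file telemetry.
#    Drivers are not returned by Get-Service, so query WMI/CIM instead.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='SysmonDrv'"
if (-not $drv) { throw "SysmonDrv driver not registered." }
"Driver {0}: {1}" -f $drv.Name, $drv.State

# 3. The operational log that Event Viewer shows under
#    Applications and Services Logs > Microsoft > Windows > Sysmon.
$log = 'Microsoft-Windows-Sysmon/Operational'
$recent = Get-WinEvent -LogName $log -MaxEvents 500 -ErrorAction Stop

# Break the recent events down by Event ID so you can see which rule categories
# (1 = ProcessCreate, 3 = NetworkConnect, 11 = FileCreate, ...) the config is producing.
$recent |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object @{Name='EventId';Expression={$_.Name}}, Count |
    Format-Table -AutoSize

# 4. Event ID 16 is written when Sysmon loads or changes its configuration and
#    records the config file name and hash; its presence proves sysmonconfig.xml
#    was applied rather than the empty default ruleset.
$cfg = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 16 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($cfg) {
    "Last configuration change: {0}" -f $cfg.TimeCreated
    $cfg.Message
} else {
    Write-Warning "No configuration-state event (ID 16) found - check that -i was given the XML path."
}

# 5. Dump the active configuration from the running service so it can be diffed
#    against the sysmonconfig.xml that was installed.
& .\Sysmon64.exe -c
```

If step 3 returns nothing, the service may have been installed without the config file; re-running the install command with the XML path (or `.\Sysmon64.exe -c sysmonconfig.xml` to update the config in place) fixes that.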


Conclusion

With invaluable guidance from Mr. Stevens at MYDFIR (his website) and his YT video outlining day 9 of the 30-Day SOC Challenge, I successfully set up and configured Sysmon on my Windows Server 2022 with a pre-defined configuration file.
