Complete Installation, Configuration, and Log Management of Sysinternals Tools and Sysmon for Your Cybersecurity Home Lab

IritT
9 min read · Dec 1, 2024


Sysinternals tools, developed by Microsoft, are essential for system monitoring and diagnostics, offering deep insights into Windows systems. Among these, Sysmon is a powerful tool for logging critical events such as process creation, network activity, and file changes, making it invaluable for security and forensic analysis. This guide provides a step-by-step approach to installing, configuring, and utilizing Sysinternals tools and Sysmon for effective system monitoring.

Step 1: Open PowerShell as Administrator

Before starting, ensure you have administrative privileges, as these tools require elevated permissions to install and execute.

1. Open PowerShell with Admin Privileges:

Press Win+X and select Windows PowerShell (Admin).

Alternatively, search for PowerShell, right-click the result, and select Run as Administrator.

2. Verify Admin Access: Run the following command and ensure the output lists the privileges available to your account.

whoami /priv

Step 2: Download and Extract the Sysinternals Suite

1. Download the Sysinternals Tools:

Download the full suite from Microsoft’s official website.

Download the Sysinternals Suite as a ZIP file to C:\SysinternalsSuite.zip (change the destination path if needed):

Invoke-WebRequest -Uri https://download.sysinternals.com/files/SysinternalsSuite.zip -OutFile "C:\SysinternalsSuite.zip"

2. Extract the Files:

Extract the downloaded ZIP file to a directory (C:\Sysinternals):

Expand-Archive -Path "C:\SysinternalsSuite.zip" -DestinationPath "C:\Sysinternals"

Step 3: Add Sysinternals to System Path

To use the tools from any directory in PowerShell, add the Sysinternals folder to the system PATH:

1. Update the System PATH Variable:

[System.Environment]::SetEnvironmentVariable("Path", [System.Environment]::GetEnvironmentVariable("Path", "Machine") + ";C:\Sysinternals", "Machine")

Reading the machine-level value first matters: $env:Path is the merged user and machine PATH of the current session, so appending to it and writing the result back to the Machine target would copy your user PATH entries into the system-wide variable.

2. Update PATH for the Current Session and Test the Update:

The machine-level change only reaches new console windows, so also append the folder to the current session's PATH, then run any Sysinternals tool (pslist) to test it:

$env:Path = $env:Path + ";C:\Sysinternals"
pslist

3. When prompted, accept the license agreement.

4. After agreeing to the license, the pslist command should show details about the processes running on your system.

pslist

Step 4: Install Sysmon

Sysmon (System Monitor) is a core component of the Sysinternals suite, providing detailed logs of process creation, network connections, and registry modifications.

1. Install Sysmon:

C:\Sysinternals\Sysmon.exe -accepteula -i

The -accepteula flag automatically accepts the license agreement.

The -i flag (the installation switch listed in Sysmon's usage output) installs Sysmon as a Windows service and starts it, so it runs in the background and logs events from then on.

2. Verify Installation:

Check Sysmon’s service status:

Get-Service | Where-Object { $_.DisplayName -like "*Sysmon*" }

Press Win+R, type eventvwr.msc, and navigate to:

Applications and Services Logs > Microsoft > Windows > Sysmon > Operational

If the Get-Service command returned nothing, the Sysmon service is not installed or not running, and Sysmon needs to be installed again:

C:\Sysinternals\Sysmon.exe -accepteula -i

Verify Installation After Reinstallation

Get-Service | Where-Object { $_.DisplayName -like "*Sysmon*" -and $_.Status -eq "Running" }

Step 5: Apply a Custom Sysmon Configuration

To enhance Sysmon’s capabilities and tailor its logging functionality to your needs, it’s recommended to use a pre-built configuration file. This file allows Sysmon to focus on critical events, reducing unnecessary noise while capturing valuable data for security monitoring and analysis.

Download a Configuration File:

Use a well-maintained Sysmon configuration from GitHub (the SwiftOnSecurity sysmon-config repository). Before fetching it, confirm where Sysmon.exe was extracted so the configuration is applied to the right binary:

Get-ChildItem -Path C:\ -Recurse -Filter "Sysmon.exe" -ErrorAction SilentlyContinue

1. Create a Dedicated Directory: Create a new directory, C:\TOOLS, to store all Sysinternals tools, including Sysmon:

New-Item -ItemType Directory -Path C:\TOOLS

2. Move Sysinternals Tools: Move the extracted files from C:\Sysinternals to C:\TOOLS:

Move-Item -Path C:\Sysinternals\* -Destination C:\TOOLS\

3. Verify the Move: Check that all files are now in the new directory:

Get-ChildItem -Path C:\TOOLS

4. Adding Sysinternals Tools to the System Path: To run Sysinternals tools without navigating to their folder each time, add C:\TOOLS to the system's PATH environment variable. Read the machine-level value first, so the user PATH of the current session is not copied into the system-wide variable:

[System.Environment]::SetEnvironmentVariable("Path", [System.Environment]::GetEnvironmentVariable("Path", "Machine") + ";C:\TOOLS", "Machine")

5. Verify the PATH Update: Check that the PATH variable includes C:\TOOLS. $env:Path reflects the current session, which only picks up the machine-level change in a new console window, so open a new PowerShell window (or append C:\TOOLS to $env:Path for the current session, as in Step 3) before checking:

echo $env:Path

6. Clone the Repository:

Open PowerShell, navigate to the directory where you want to keep the configuration file (C:\TOOLS), and clone the repository (this requires Git for Windows). Then list the contents of the cloned repository to confirm the file was downloaded:

cd C:\TOOLS
git clone https://github.com/SwiftOnSecurity/sysmon-config.git
cd C:\TOOLS\sysmon-config
Get-ChildItem

7. Apply the Sysmon Configuration:

C:\TOOLS\sysmon.exe -accepteula -c C:\TOOLS\sysmon-config\sysmonconfig-export.xml

Verify Sysmon Service: After applying the configuration, you need to check that Sysmon is still running correctly.

Get-Service sysmon

Checking Event Viewer

Open Event Viewer by pressing Win+R and typing eventvwr.msc.

Navigate to Applications and Services Logs > Microsoft > Windows, scroll down to Sysmon, and open Operational.

Here, you will see the events logged by Sysmon, including process creation, network connections, file access, and registry modifications.

Viewing Sysmon Logs via PowerShell

Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational"

View 10 Recent Events from Sysmon Log in PowerShell

Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Select-Object TimeCreated, Id, Message | Sort-Object TimeCreated -Descending | Select-Object -First 10 | Format-Table -AutoSize

Event ID 1: Process creation

Event ID 3: Network connection

Event ID 10: File creation or modification

Event ID 11: File creation time change

Event ID 12: Registry object added or deleted

Getting Sysmon Logs for a Specific Event ID (Event ID 1 for Process Creation):

Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object { $_.Id -eq 1 }

Getting Sysmon Logs for Network Connections (Event ID 3):

Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object { $_.Id -eq 3 }

Getting Logs for File Creation/Modification (Event ID 11):

Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object { $_.Id -eq 11 }

Filtering Sysmon Logs by Time Range (logs from the past 24 hours)

Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object { $_.TimeCreated -gt (Get-Date).AddDays(-1) }

Displaying Specific Information from Sysmon Logs (specific fields such as process name, PID, and command line)

Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object { $_.Id -eq 1 } | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize

Exporting Logs to a File: To export Sysmon logs to a text file:

Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object { $_.Id -eq 1 } | Out-File "C:\path\to\save\sysmon_logs.txt"

Exporting Sysmon Logs to a CSV File in C:\TOOLS Directory

Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object { $_.Id -eq 1 } | Select-Object TimeCreated, Id, Message | Export-Csv "C:\TOOLS\sysmon_logs.csv" -NoTypeInformation
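The one-liners above all pipe every record through Where-Object and keep only the raw Message text. The following is an added example (not code from the original post) that generalizes them: it filters by event ID and time window inside the event log service, flattens each record's EventData into named columns, and exports the result. The output path is an assumption; the event names are the ones Sysmon documents for those IDs.

```powershell
# Added example, not code from the original post. Output path is assumed.
$LogName = 'Microsoft-Windows-Sysmon/Operational'
$OutCsv  = 'C:\TOOLS\sysmon_events.csv'

# Event names as Sysmon documents them for the IDs handled here.
$EventNames = @{ 1 = 'ProcessCreate'; 3 = 'NetworkConnect'; 11 = 'FileCreate'; 12 = 'RegistryEvent' }

function Get-SysmonEvents {
    param(
        [int[]]$Id = @(1, 3),
        [datetime]$Since = (Get-Date).AddHours(-24),
        [int]$MaxEvents = 500
    )
    # FilterHashtable is evaluated by the event log service itself, which is far
    # cheaper than reading every record and discarding most of it in Where-Object.
    $filter = @{ LogName = $LogName; Id = $Id; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Sysmon stores each field as a <Data Name="..."> node in EventData;
            # flattening them gives real columns instead of one Message blob.
            $xml = [xml]$_.ToXml()
            $row = [ordered]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                EventName   = $EventNames[[int]$_.Id]
            }
            foreach ($d in $xml.Event.EventData.Data) { $row[$d.Name] = $d.'#text' }
            [pscustomobject]$row
        }
}

# Process creations and network connections from the last day, showing the
# fields an analyst pivots on (empty where a field does not apply to the event type).
$events = Get-SysmonEvents -Id 1, 3 -Since (Get-Date).AddDays(-1)

$events |
    Select-Object TimeCreated, EventName, Image, CommandLine, ParentImage,
                  User, DestinationIp, DestinationPort |
    Format-Table -AutoSize

# Export-Csv takes its column list from the FIRST object only, so records of a
# different event type would silently lose fields; build the union of all
# property names first, then export the full flattened records.
$columns = $events | ForEach-Object { $_.PSObject.Properties.Name } | Select-Object -Unique
$events | Select-Object $columns | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8
```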

Step 6: Other Sysinternals Tools for Logging

In addition to Sysmon, there are several other Sysinternals tools that can help you monitor logs, network activity, and system behavior.

Tool 1: Procmon (Process Monitor)

Procmon is a real-time monitoring tool that tracks file system, registry, and process/thread activity.

Run Procmon:

cd C:\TOOLS
.\Procmon.exe

Procmon will display all system activity in real-time. You can filter events based on specific criteria such as process names, file paths, or registry keys.

Save Procmon Logs: You can capture events to a file for later analysis by starting Procmon minimized and pointing it at a backing file (the C:\Logs directory must already exist):

.\Procmon.exe /Minimized /Quiet /BackingFile C:\Logs\procmon_log.pml

Procmon writes the captured events to C:\Logs\procmon_log.pml; without /BackingFile it holds the capture in virtual memory and nothing is written to that path.

Tool 2: PsLogList

PsLogList lets you query and view Windows event logs, such as System, Application, and Security logs.

View System Log:

cd C:\TOOLS
.\PsLogList.exe

This will display the System event logs.

Export Logs to a File: The -s switch writes the records in CSV format, making them easier to open and analyze with spreadsheet software:

.\PsLogList.exe -s Security > C:\TOOLS\security_logs.csv

Tool 3: Tcpview

Tcpview is useful for monitoring network connections, showing both incoming and outgoing TCP and UDP connections.

Run Tcpview:

cd C:\TOOLS
.\Tcpview.exe

Tcpview will show all active connections, including the process using the connection, remote addresses, and the status of the connection.

Tool 4: PsExec

PsExec allows you to execute processes on remote systems, helping you gather logs from remote machines.

Run Command Remotely:

cd C:\TOOLS
.\PsExec.exe \\RemotePC cmd

Replace \\RemotePC with the name of the remote machine. This will open a command prompt on the remote computer.

Additional Considerations

Running Sysinternals Tools: Some tools require administrative privileges, so run PowerShell as Administrator when executing them.

Using Sysinternals Online: If you prefer not to download the entire suite, individual tools can be fetched directly from Microsoft's Sysinternals online repository. The following downloads only pslist.exe into the specified directory:

Invoke-WebRequest -Uri "https://live.sysinternals.com/pslist.exe" -OutFile "C:\Tools\pslist.exe"


Performance Impact: Be mindful that tools like Sysmon may affect system performance, especially when logging every process and network connection. It’s advisable to optimize your configuration to balance monitoring needs with system performance.

Customization: If you’re not tracking the necessary events by default, modify the Sysmon configuration file to include additional log details, such as suspicious process activities or unusual registry modifications.
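Step 5 applies a pre-built configuration and the Customization note above suggests adding your own rules. As an added example (not from the original post or the SwiftOnSecurity project), the script below writes a small custom configuration that shows both filter directions, applies it, and dumps what the service is now running. The file path and the schema version are assumptions; run sysmon.exe -? config to see the schema version your binary supports.

```powershell
# Added example, not from the original post or SwiftOnSecurity. Path and
# schemaversion are assumptions; check "sysmon.exe -? config" for your binary.
$ConfigPath = 'C:\TOOLS\sysmon-custom.xml'

$Config = @'
<Sysmon schemaversion="4.50">
  <!-- Hash every image so process events can be matched against intel later -->
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- exclude = log everything of this type EXCEPT what matches (noise reduction) -->
    <RuleGroup name="Noise reduction" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <IntegrityLevel condition="is">AppContainer</IntegrityLevel>
      </ProcessCreate>
    </RuleGroup>
    <!-- include = log ONLY what matches; keeps Event ID 3 volume manageable -->
    <RuleGroup name="Scripting hosts talking to the network" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="image">powershell.exe</Image>
        <Image condition="image">wscript.exe</Image>
        <Image condition="image">cscript.exe</Image>
        <Image condition="image">mshta.exe</Image>
      </NetworkConnect>
    </RuleGroup>
    <!-- Autostart registry locations, logged as Event ID 12/13 -->
    <RuleGroup name="Run keys" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

# Write the file and make sure it parses as XML before handing it to Sysmon.
Set-Content -Path $ConfigPath -Value $Config -Encoding UTF8
[void]([xml](Get-Content -Path $ConfigPath -Raw))

# -c <file> replaces the running configuration without reinstalling the service.
& 'C:\TOOLS\sysmon.exe' -accepteula -c $ConfigPath

# -c with no file dumps the configuration the service is currently running,
# which is the quickest way to confirm the change took effect.
& 'C:\TOOLS\sysmon.exe' -c
```

Excluding a field value in one rule group and including images in another is how the SwiftOnSecurity configuration is structured as well, so rules written this way can be merged into it later.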

Conclusion

The installation and configuration of tools like Sysinternals and Sysmon provide deep system monitoring and diagnostics for Windows, particularly focusing on critical activities such as process creation, network connections, and file changes. These tools are essential for security analysis and troubleshooting, especially in a home lab environment for cybersecurity learning. Using additional tools like Procmon, PsLogList, and Tcpview offers flexibility in monitoring system activities and network behavior, making them integral parts of an effective event logging and security monitoring system.
