- OpenVPN IPv6 and IPv4 configuration - Mon, Mar 1 2021
- 4sysops author and member competition 2020 - Fri, Jan 1 2021
- Assign an IPv6 address to an EC2 instance (dual stack) - Tue, Dec 15 2020
The main purpose of the free tool is to analyze a machine with suspicious behavior. Sysmon appears to be a command-line utility; however, sysmon.exe is just the installer for the Sysmon service. To install Sysmon, you just launch the command with the parameter -i:
This will configure Sysmon to only log the creation of Windows processes and changes in file creation times. If you also want to monitor network connections, you have to add the parameter -n:
sysmon -i -n
You can also enable the networking monitoring feature at a later time:
sysmon -c -n
With sysmon -c, you can view the configuration of the service:
Once the Sysmon service is running, you can find its Event Log entries in the Windows Event Viewer at Applications and Services Logs > Microsoft > Windows > Sysmon > Operational. Event ID 1 stands for process creations, event ID 2 indicates file creation time changes, and event ID 3 indicates network connections.
Windows processes are created whenever you launch an application. Thus, you will see quite a few of such entries in the Event Log.
Process creation event
As you can see in the screenshot, you get detailed information about the process.
Malware and hackers sometimes change the creation time of files to cover their activities. If you want to try this Sysmon feature, you can change the creation time of a file (named test.txt in the example) with this PowerShell command:
(Get-Item test.txt).CreationTime = "Saturday, August 9, 2014 6:51:04 AM"
Changed file creation time
Note that the creation time in the Event Log uses UTC time even if your computer is in another time zone.
The network connection log entries give you detailed information about the program that established the connection and the protocol it used.
Network connection detected
You can uninstall the Sysmon service with the -u parameter: