Day-9 Setting up Sysmon

Sysmon Setup

In our previous blog, we introduced Sysmon. Now, let’s set it up on our Windows server. Start your previously created Vultr Windows server instance. Use RDP for remote access.

RDP.png

  • Search for “Sysmon Sysinternals” online. Download the latest Windows version.

sysmon-download.png

  • Extract the downloaded files.

extract-files.png

  • For Sysmon configuration, use the Olaf GitHub repository. Search for “Olafhartong Sysmon config” and download the sysmonconfig.xml file.

sysmon-config.png

  • Place it in the extracted Sysmon folder.

config-save-in-sysmon.png

  • Check whether Sysmon is already installed: look for a Sysmon service in Services, and for a Sysmon log under Event Viewer > Applications and Services Logs > Microsoft > Windows.

no-sysmon-in-services.png

no-sysmon-eventviewer.png

  • If not, proceed with the following:

  • Open PowerShell as an administrator and change the directory to the folder where we extracted Sysmon. Then:

cd-powershell.png

  • Type .\sysmon64.exe in PowerShell to see available options.

sysmon-options.png

  • Install Sysmon using:

.\sysmon64.exe -i sysmonconfig.xml

agreement.png

  • Accept the License Agreement and the installation will complete.

installed-sysmon.png

  • Refresh Services and Event Viewer > Applications and Services Logs > Microsoft > Windows to verify Sysmon’s status.

eventviewer-sysmon.png

service-sysmon.png
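The same check-then-install-then-verify steps as one PowerShell script, added here as an example and not part of the original post. It assumes it is run as Administrator from the extracted Sysmon folder with sysmonconfig.xml next to Sysmon64.exe; the -accepteula switch stands in for the licence dialog, and -c is used to update the configuration when Sysmon is already present.

```powershell
# Added example (not from the original post): check whether Sysmon is already
# installed and, if not, install it with the downloaded sysmonconfig.xml, then
# verify the service and the Operational event log. Run as Administrator from
# the extracted Sysmon folder (assumed: Sysmon64.exe and sysmonconfig.xml there).
$ErrorActionPreference = 'Stop'
$Here      = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$SysmonExe = Join-Path $Here 'Sysmon64.exe'
$ConfigXml = Join-Path $Here 'sysmonconfig.xml'
$LogName   = 'Microsoft-Windows-Sysmon/Operational'

function Test-SysmonInstalled {
    # Same two checks as the manual steps: the Sysmon64 service and the log channel.
    $svc = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
    $log = Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue
    return (($null -ne $svc) -and ($null -ne $log))
}

if (-not (Test-Path $ConfigXml)) {
    throw "Config not found: $ConfigXml (download sysmonconfig.xml first)"
}
# Sanity check: a failed download often saves an HTML page, not the XML config.
[xml]$cfg = Get-Content -Path $ConfigXml -Raw
if ($cfg.DocumentElement.Name -ne 'Sysmon') {
    throw "$ConfigXml is not a Sysmon configuration (root element '$($cfg.DocumentElement.Name)')"
}

if (Test-SysmonInstalled) {
    Write-Host 'Sysmon is already installed; applying the configuration with -c.'
    $args = @('-c', $ConfigXml)
} else {
    Write-Host 'Sysmon not found; installing.'
    # -accepteula skips the interactive licence dialog shown in the manual steps.
    $args = @('-accepteula', '-i', $ConfigXml)
}
$proc = Start-Process -FilePath $SysmonExe -ArgumentList $args -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) { throw "Sysmon64.exe exited with code $($proc.ExitCode)" }

# Verify: the service exists and is running, and the Operational log is receiving events.
$svc = Get-Service -Name 'Sysmon64'
Write-Host "Service '$($svc.Name)' status: $($svc.Status)"
$latest = Get-WinEvent -LogName $LogName -MaxEvents 1 -ErrorAction SilentlyContinue
if ($latest) {
    Write-Host "Latest Sysmon event: ID $($latest.Id) at $($latest.TimeCreated)"
} else {
    Write-Host "No Sysmon events recorded yet in $LogName"
}
```

Event ID 4 (Sysmon service state changed) and ID 16 (configuration changed) in the Operational log are the first entries you should see after a fresh install.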

This post is licensed under CC BY 4.0 by the author.