Sysmon.exe - System Monitor Security Analysis
Sysmon.exe (System Monitor) is a **Microsoft Sysinternals** tool providing detailed logging of process creation, network connections, file changes, and more. Sysmon is **critical for threat detection** but is a **high-value target for attackers** who attempt to blind, disable, or evade it. Sysmon tampering indicates sophisticated adversaries.
Risk Summary
HIGH priority for SOC triage. Sysmon is a critical security monitoring tool. Attempts to disable, uninstall, or evade Sysmon indicate advanced adversary activity. Monitor for Sysmon service tampering, driver unloading, and process termination attempts.
Overview
What is Sysmon.exe?
Sysmon (System Monitor) is an advanced Windows logging tool from Microsoft Sysinternals.
Core Functions
Logging Capabilities:
- Process creation (Event ID 1)
- Network connections (Event ID 3)
- File creation (Event ID 11)
- Registry modifications (Event ID 12-14)
- Process injection (Event ID 8)
- DNS queries (Event ID 22)
Security Significance
- Detection Foundation: the process, network, file and registry telemetry that SIEM and EDR detections build on
- Attacker Target: high value to disable or blind, because its loss silences those detections
- Evasion Attempts: sophisticated attackers shape their activity around what it logs
- Config Sensitivity: the rule set reveals exactly what is not logged
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Windows\Sysmon.exe or custom |
| Parent | services.exe |
| User | NT AUTHORITY\SYSTEM |
| Status | Running as service |
Service Details
Service Name: Sysmon (or Sysmon64)
Driver: SysmonDrv.sys
Installation Check
sc query sysmon
sc query sysmon64
Common Locations
C:\Windows\Sysmon.exe
C:\Windows\Sysmon64.exe
Custom installation paths
Suspicious Indicators
Legitimate vs Suspicious
LEGITIMATE
Path: C:\Windows\Sysmon.exe
Parent: services.exe
User: NT AUTHORITY\SYSTEM
Status: Running continuously
SUSPICIOUS
Status: Service stopped
Service deleted
Driver unloaded
Activity: Config dumped
Binary replaced
Process terminated
Warning Signs
| Indicator | Meaning |
|---|---|
| Sysmon service stopped | Attacker blinding |
| Driver unloaded | Tampering attempt |
| Config exported | Evasion recon |
| Binary modified | Rootkit activity |
Abuse Techniques
Technique #1: Service Termination (T1562.001)
sc stop Sysmon
sc delete Sysmon
net stop Sysmon
Technique #2: Driver Unloading (T1562.001)
fltMC unload SysmonDrv
Technique #3: Configuration Extraction (T1518.001)
sysmon -c
:: Reveals detection rules
Technique #4: Evasion via Technique Knowledge
- Avoid logged behaviors
- Use techniques not in config
- Timing attacks during log rotation
Detection Guidance
Priority #1: Sysmon Service Status
# The service is registered as "Sysmon" or "Sysmon64"; the wildcard covers both.
# If Sysmon was installed under a non-default name, substitute that name here.
$sysmon = Get-Service Sysmon* -ErrorAction SilentlyContinue
# Fires both when no matching service exists and when it exists but is not running
if (-not $sysmon -or $sysmon.Status -ne 'Running') {
    Write-Warning "CRITICAL: Sysmon not running!"
}
Priority #2: Termination Attempts
Process IN ["sc.exe", "net.exe"] AND
CommandLine CONTAINS "Sysmon"
→ ALERT: CRITICAL
Priority #3: Driver Unload
Process = "fltMC.exe" AND
CommandLine CONTAINS "SysmonDrv"
→ ALERT: CRITICAL
Priority #4: Config Dump
Process = "Sysmon*.exe" AND
CommandLine CONTAINS "-c"
→ ALERT: HIGH - Config extraction
A bare -c prints the running configuration; -c followed by a file applies a new one, which is how legitimate deployment tooling pushes updates, so tune on the presence of a file argument and on the invoking account. A renamed binary will not match "Sysmon*.exe"; match on the OriginalFileName field of the process-creation event as well.
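The rules for Priorities #2 to #4 above, implemented as an added example (not code from the original page) that evaluates Sysmon Event ID 1 process-creation records. It assumes each record carries the Image, CommandLine and OriginalFileName fields, and that the driver was installed under its default name SysmonDrv (substitute your own name if -d was used). It goes beyond the rule text in two ways: `sc query sysmon` (the installation check above) is deliberately not an alert, and a bare `-c` (dump) is separated from `-c <file>` (configuration update). All sample events are constructed.

```python
"""Added example (not the page's own code): evaluate Sysmon Event ID 1
(process creation) records against the Sysmon-tampering rules.

Assumptions: records carry Image, CommandLine and OriginalFileName, and
the driver uses its default name SysmonDrv. Sample events are constructed."""
import ntpath
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str                     # Event ID 1 "Image": full path of the new process
    command_line: str              # Event ID 1 "CommandLine"
    original_file_name: str = ""   # Event ID 1 "OriginalFileName" (PE version info)


SERVICE_TOOLS = {"sc.exe", "net.exe", "net1.exe"}   # net.exe hands the work to net1.exe
SERVICE_VERBS = {"stop", "delete", "config"}         # query/start are not tampering
SYSMON_NAMES = {"sysmon.exe", "sysmon64.exe"}
DRIVER_NAME = "sysmondrv"        # assumption: default driver name (lower-cased for matching)


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _is_sysmon(ev: ProcEvent) -> bool:
    # OriginalFileName survives a rename of the on-disk binary
    return (_basename(ev.image) in SYSMON_NAMES
            or ev.original_file_name.lower() in SYSMON_NAMES)


def evaluate(ev: ProcEvent) -> list[tuple[str, str]]:
    """Return (severity, rule) pairs that fire for one process-creation event."""
    findings = []
    base = _basename(ev.image)
    tokens = ev.command_line.split()
    lowered = [t.lower() for t in tokens]

    # Priority #2: sc/net stopping, deleting or reconfiguring the Sysmon service.
    # 'sc query sysmon' (the installation check) must not fire this rule.
    if base in SERVICE_TOOLS and any("sysmon" in t for t in lowered):
        if SERVICE_VERBS & set(lowered):
            findings.append(("CRITICAL", "service-termination"))

    # Priority #3: fltMC unloading the Sysmon minifilter driver
    if (base == "fltmc.exe" and "unload" in lowered
            and any(DRIVER_NAME in t for t in lowered)):
        findings.append(("CRITICAL", "driver-unload"))

    # Priority #4: Sysmon itself invoked with -c. A bare -c prints the running
    # configuration (extraction); -c <file> applies a new one (a change to verify).
    if _is_sysmon(ev):
        for i, tok in enumerate(lowered[1:], start=1):   # skip argv[0]
            if tok in ("-c", "/c"):
                if i + 1 < len(tokens):
                    findings.append(("MEDIUM", "config-update"))
                else:
                    findings.append(("HIGH", "config-dump"))
                break
    return findings


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\sc.exe", "sc query sysmon"),
    ProcEvent(r"C:\Windows\System32\sc.exe", "sc stop Sysmon"),
    ProcEvent(r"C:\Windows\System32\net1.exe", "net1 stop Sysmon64"),
    ProcEvent(r"C:\Windows\System32\fltMC.exe", "fltMC unload SysmonDrv"),
    ProcEvent(r"C:\Windows\Sysmon64.exe", "Sysmon64.exe -c"),
    ProcEvent(r"C:\Windows\Sysmon64.exe", r"Sysmon64.exe -c C:\cfg\sysmon.xml"),
    # Renamed binary: the path no longer says Sysmon, OriginalFileName still does
    ProcEvent(r"C:\Windows\SvcMon.exe", "SvcMon.exe -c", original_file_name="Sysmon.exe"),
]


def scan(events=SAMPLE_EVENTS) -> list[tuple[str, str, str]]:
    """Flatten findings to (severity, rule, command line) for the console or SIEM."""
    return [(sev, rule, ev.command_line)
            for ev in events for sev, rule in evaluate(ev)]


if __name__ == "__main__":
    for sev, rule, cmd in scan():
        print(f"{sev:8} {rule:20} {cmd}")
```

Running the sample stream yields six findings: the query is silent, the two service stops and the driver unload are CRITICAL, the bare `-c` (including the one from the renamed binary) is HIGH, and the `-c <file>` update is MEDIUM for change-control review.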
Remediation Steps
Defense: Rename Sysmon
Install under a non-obvious name. The service takes its name from the executable's file name, so rename the binary before installing; -d sets the driver name (default SysmonDrv) so that it does not give the install away either:
SomethingElse.exe -i -d SomethingElse
Defense: Protect Sysmon Service
Restrict service modification permissions.
Defense: Monitor Sysmon Health
Alert on Sysmon service state changes. Sysmon records these itself (Event ID 4 for service state changes, Event ID 16 for configuration changes), and a host whose Sysmon event stream simply stops is an equally important signal.
If Tampering Detected
- Investigate who stopped Sysmon
- Check for related malicious activity
- Restore Sysmon immediately
- Review gaps in logging
- Hunt for missed activity
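"Review gaps in logging" and "Hunt for missed activity" become concrete once silent windows in each host's Sysmon stream are listed and tied to Sysmon's own service-state events. The following is an added example (not code from the original page) that does this over a constructed event stream; it assumes events exported from the Microsoft-Windows-Sysmon/Operational channel as (host, ISO-8601 UTC timestamp, EventID) triples, and that Event ID 4 is Sysmon's "service state changed" record.

```python
"""Added example (not the page's own code): find silent windows in each
host's Sysmon event stream and flag those that follow a Sysmon service-state
change (Event ID 4), which separates a stopped service from an idle machine.

Assumption: events are (host, ISO-8601 UTC timestamp, Sysmon EventID).
The sample stream and the check time below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

SERVICE_STATE_CHANGED = 4   # Sysmon Event ID 4: "Sysmon service state changed"

# Constructed sample: ws01 goes quiet for 40 minutes right after an Event ID 4,
# ws02 reports steadily every 5 minutes, ws03 stops reporting and never resumes.
SAMPLE_STREAM = [
    ("ws01", "2024-05-01T09:00:00", 1),
    ("ws01", "2024-05-01T09:00:30", 3),
    ("ws01", "2024-05-01T09:01:00", 4),
    ("ws01", "2024-05-01T09:41:00", 4),
    ("ws01", "2024-05-01T09:41:10", 1),
    ("ws03", "2024-05-01T09:00:00", 1),
    ("ws03", "2024-05-01T09:02:00", 11),
]
SAMPLE_STREAM += [("ws02", f"2024-05-01T09:{m:02d}:00", 1) for m in range(0, 55, 5)]

# Constructed "time of the check"; in practice use datetime.now(timezone.utc)
NOW = datetime.fromisoformat("2024-05-01T09:50:00")


def find_gaps(events, now, threshold=timedelta(minutes=10)):
    """Return per-host silent windows longer than threshold, each marked with
    whether the last event before the silence was a service-state change and
    whether the host has resumed reporting since."""
    by_host = defaultdict(list)
    for host, ts, event_id in events:
        by_host[host].append((datetime.fromisoformat(ts), event_id))

    gaps = []
    for host, evs in sorted(by_host.items()):
        evs.sort()
        # silence between two consecutive events: the host came back afterwards
        for (t0, e0), (t1, _) in zip(evs, evs[1:]):
            if t1 - t0 > threshold:
                gaps.append({
                    "host": host, "start": t0, "end": t1,
                    "minutes": int((t1 - t0).total_seconds() // 60),
                    "after_state_change": e0 == SERVICE_STATE_CHANGED,
                    "resumed": True,
                })
        # silence from the last event until now: the host is still dark
        t_last, e_last = evs[-1]
        if now - t_last > threshold:
            gaps.append({
                "host": host, "start": t_last, "end": now,
                "minutes": int((now - t_last).total_seconds() // 60),
                "after_state_change": e_last == SERVICE_STATE_CHANGED,
                "resumed": False,
            })
    return gaps


if __name__ == "__main__":
    for g in find_gaps(SAMPLE_STREAM, NOW):
        state = "after service-state change" if g["after_state_change"] else "no state change"
        status = "resumed" if g["resumed"] else "STILL DARK"
        print(f"{g['host']}: {g['minutes']} min silent from {g['start']:%H:%M} ({state}, {status})")
```

The 40-minute ws01 window bounded by two Event ID 4 records is the "investigate who stopped Sysmon" case: every activity in that window on that host is missing from Sysmon and must be reconstructed from other sources (Security log, EDR, network telemetry). The open-ended ws03 gap is the host to check first with the service-status query above.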
Investigation Checklist
- Verify Sysmon service is running
- Check driver is loaded
- Review service modification attempts
- Check for config extraction
- Verify binary integrity
- Review logging gaps
- Correlate with other alerts