# How to Install Sysmon with Olaf Hartong’s Modular Configuration

04-15-2025

Tags: #Wazuh #Windows #SIEM #Sysmon

Links:

---

**Table of Contents**

- [[#What is Sysmon?|What is Sysmon?]]
- [[#Step 1: Download Sysmon|Step 1: Download Sysmon]]
- [[#Step 2: Get the Olaf Hartong Sysmon Configuration|Step 2: Get the Olaf Hartong Sysmon Configuration]]
- [[#Step 3: Prepare the Sysmon Files|Step 3: Prepare the Sysmon Files]]
- [[#Step 4: Install Sysmon|Step 4: Install Sysmon]]
- [[#Step 5: Verify Sysmon is Running|Step 5: Verify Sysmon is Running]]
- [[#Final Tips|Final Tips]]
- [[#References|References]]

---

## What is Sysmon?

Sysmon (System Monitor) is one of the most powerful tools for endpoint monitoring on Windows. It logs detailed information about process creations, network connections, file changes, and more — critical for detecting malicious activity early.

In this guide, we’ll walk through how to download and install Sysmon using **Olaf Hartong’s modular configuration**, a well-maintained, community-trusted config designed to maximize visibility while reducing noise.

---

## Step 1: Download Sysmon

Start by downloading the official Sysmon tool from Microsoft’s Sysinternals Suite:

👉 [Download Sysmon here](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon)

Save the downloaded ZIP file to an easily accessible folder on your system.

---

## Step 2: Get the Olaf Hartong Sysmon Configuration

Olaf Hartong maintains a modular Sysmon configuration that is designed to be both powerful and flexible.

1. Go to [Olaf Hartong's sysmon-modular GitHub page](https://github.com/olafhartong/sysmon-modular/blob/master/sysmonconfig.xml).
2. Click on **"Raw"** to view the raw XML code.
3. Right-click anywhere on the page and select **"Save As"** to download the file.
4. Save it as **`sysmon_config.xml`**.

---

## Step 3: Prepare the Sysmon Files

1. **Extract** the ZIP file you downloaded from Sysinternals (right-click → Extract All).
2. **Move** the `sysmon_config.xml` you just saved into the extracted Sysmon directory. This keeps everything organized in one place.

---

## Step 4: Install Sysmon

Now it's time to install Sysmon using the custom configuration file:

1. **Open PowerShell as Administrator**:
   - Press **Windows Key**, search for "PowerShell."
   - Right-click on **Windows PowerShell** and select **Run as Administrator**.
2. **Change Directory** into your Sysmon folder: `cd C:\Path\To\Your\SysmonFolder`
3. **Install Sysmon with the custom config**: `.\Sysmon64.exe -i .\sysmon_config.xml`
4. Press **Enter**. You will be prompted to agree to the license agreements — type **Y** to accept.

---

## Step 5: Verify Sysmon is Running

After installation, you can verify that Sysmon is correctly logging events:

1. Open **Event Viewer**.
2. Navigate to: `Applications and Services Logs → Microsoft → Windows → Sysmon → Operational`

If you see logs appearing there, congratulations — Sysmon is up and running!

---

## Final Tips

- If you need to **update** the configuration later, you can re-run: `.\Sysmon64.exe -c .\sysmon_config.xml`
- If you ever want to **uninstall Sysmon**, simply run: `.\Sysmon64.exe -u`
- Regularly check Olaf’s [GitHub repository](https://github.com/olafhartong/sysmon-modular) for updated configuration files, as new attack techniques and event tuning updates are added often.

---

By using Sysmon with a solid configuration like Olaf Hartong’s, you are setting yourself up for much stronger visibility into potential threats on your network — an essential step for defenders, SOC teams, and cybersecurity enthusiasts alike.

---

## References

>*Sysmon Download*: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
>Olaf Hartong, *sysmonconfig.xml*: https://github.com/olafhartong/sysmon-modular/blob/master/sysmonconfig.xml
>MyDFIR, *Cybersecurity Tool: Sysmon Installation Tutorial*: https://www.youtube.com/watch?v=uJ7pv6blyog
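The manual procedure in Steps 1 through 5, plus the "update" tip, can be scripted so the same steps run identically on every host. The script below is an added example and is not part of the original post, the Sysinternals package, or the sysmon-modular project. It assumes an elevated PowerShell session on 64-bit Windows, a working folder of `C:\Tools\Sysmon`, the Sysinternals download URL `https://download.sysinternals.com/files/Sysmon.zip`, the raw GitHub URL for `sysmonconfig.xml`, and that Sysmon registers its service under the executable name `Sysmon64`; change any of these if your environment differs. It also adds two checks the post does not: that the downloaded config parses as XML with a `<Sysmon>` root before it is handed to the driver, and that the Operational log actually contains events afterwards.

```powershell
# Added example (not from the original post or sysmon-modular):
# download Sysmon + the modular config, install or update, then verify.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# --- Assumptions (adjust to your environment) ---
$WorkDir    = 'C:\Tools\Sysmon'                                                       # assumed working folder
$ZipUrl     = 'https://download.sysinternals.com/files/Sysmon.zip'                    # assumed Sysinternals ZIP URL
$ConfigUrl  = 'https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml'  # assumed raw config URL
$ServiceName = 'Sysmon64'                                                             # assumed: service is named after the exe
$ConfigPath = Join-Path $WorkDir 'sysmon_config.xml'
$ZipPath    = Join-Path $WorkDir 'Sysmon.zip'
$SysmonExe  = Join-Path $WorkDir 'Sysmon64.exe'

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Step 1 + Step 2: fetch the binary and the modular configuration
Invoke-WebRequest -Uri $ZipUrl    -OutFile $ZipPath
Invoke-WebRequest -Uri $ConfigUrl -OutFile $ConfigPath

# Step 3: extract the ZIP next to the config so everything lives in one folder
Expand-Archive -Path $ZipPath -DestinationPath $WorkDir -Force

# Sanity check before touching the driver: the config must be well-formed XML
# whose root element is <Sysmon>. A truncated or HTML-error download fails here
# instead of being rejected (less clearly) by Sysmon itself.
[xml]$cfg = Get-Content -Path $ConfigPath -Raw
if ($cfg.DocumentElement.Name -ne 'Sysmon') {
    throw "Unexpected config root element: $($cfg.DocumentElement.Name)"
}
Write-Host "Config schema version: $($cfg.Sysmon.schemaversion)"

# Step 4 (or the "update" tip): install if absent, otherwise reload the config.
# -accepteula replaces the interactive license prompt; -i installs, -c updates.
if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
    Write-Host 'Sysmon already installed; loading updated configuration.'
    & $SysmonExe -c $ConfigPath
} else {
    Write-Host 'Installing Sysmon with the modular configuration.'
    & $SysmonExe -accepteula -i $ConfigPath
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon64.exe exited with code $LASTEXITCODE" }

# Step 5: verify the service is running and the Operational log is receiving events
$svc = Get-Service -Name $ServiceName
Write-Host "Service '$ServiceName' status: $($svc.Status)"

$LogName = 'Microsoft-Windows-Sysmon/Operational'
$recent  = Get-WinEvent -LogName $LogName -MaxEvents 5 -ErrorAction SilentlyContinue
if ($recent) {
    # Event ID 1 = process create, 3 = network connection, 11 = file create, etc.
    $recent | Select-Object TimeCreated, Id, @{ n = 'Event'; e = { $_.TaskDisplayName } } |
        Format-Table -AutoSize
} else {
    Write-Warning "No events yet in '$LogName'; wait a moment and re-check in Event Viewer."
}
```

Because the script branches on whether the `Sysmon64` service already exists, the same file serves both the first install (`-i`) and later configuration refreshes (`-c`) after you pull a newer `sysmonconfig.xml` from the repository, so it can be scheduled or pushed through your usual endpoint-management tooling without a separate "update" script.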