Networkforensic

Threat hunting

Sysmon
Setup and config files

12 May 2026

Information:
I have for a long time been writing detections for Sysmon, made by Sysinternals at Microsoft. The config file is very well tested on live attacks and a lot of malware, and it has been tested with the Atomic Red Team test tools as well. It has been tested in Blue Team / Red Team pen-tests with high success. It is used in forensic cases to monitor behavior on hacked or malware-infected systems.

The focus has been on logging only what is important. If you log everything that Sysmon can log, you will get far too many logs sent from the endpoints to your SIEM system, and that can have a big impact on SIEM licensing.

Use of undocumented Sysmon config files
If you use "undocumented" config files, you basically don't know why something is logged in the first place. This config is documented in itself, with rule names and references to MITRE, LOLBAS, LOLBINS and so on. You will know why and what is logged and sent to the SIEM. From there you can build near real-time alerting in Splunk or Elastic. You can combine this with validation of things like hash values and IPs against other TI systems like Recorded Future, MISP, VirusTotal and others. VT is recommended.

Rule based detections
Since Sysmon supports rule-based detections, many of the rules have been written as such. This helps keep the amount of logs sent to the SIEM down and the collection of logs very accurate.

Detection types
All detections have rule names and are related to MITRE, LOLAPPS, LOLBAS, LOLDRIVERS, industrial protocols and more.

AutoRuns
Sysinternals Autoruns is a tool that is very good at keeping an eye on what is happening in the registry on Windows systems. An implementation of the Sysinternals Autoruns detections has been added to the Sysmon config file as well, so the Sysmon config will work like Autoruns.

Recommendation for Event ID 3: Network connection
Note: You will need to customize the network detections in Event ID 3 to match your needs. I have added a lot of common detections to the Sysmon config file as a start, but you may have other requirements. There is monitoring for industrial protocol ports, some remote admin tools, common malware start locations and a lot more.

Not Covered
"Event ID 24: ClipboardChange" is not covered, because it can be a security risk in most environments: you don't want copied passwords stored in clear text in an accessible folder. But it can be very useful in other scenarios, like malware testing.
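As an added example (not the author's config file or a script from the download), the constructed Sysmon config below shows the rule-based style described above: only "include" rules for what matters, each carrying a rule name with a reference, an Event ID 3 rule for an industrial protocol port, and Event ID 24 silenced with an empty include. The function after it lists, per event type, which named rules will cause an event to be logged, so you can audit why something reaches the SIEM; the rule-name format and the Modbus rule are assumptions of this example.

```powershell
# Added example, not the author's config or script. The config is a
# constructed sample: named include rules (MITRE reference in the name),
# an Event ID 3 rule for Modbus TCP (502), ClipboardChange logged never
# (an "include" section with no rules matches nothing).
$sampleConfig = @'
<Sysmon schemaversion="4.91">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <CommandLine name="technique_id=T1059.001,technique_name=PowerShell" condition="contains">-EncodedCommand</CommandLine>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <DestinationPort name="Industrial protocol - Modbus TCP" condition="is">502</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ClipboardChange onmatch="include"></ClipboardChange>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

# Summarise, per event type, the rule names that will make an event be
# logged (onmatch=include) or dropped (onmatch=exclude).
function Get-SysmonRuleSummary {
    param([Parameter(Mandatory)][xml]$Config)
    foreach ($group in @($Config.Sysmon.EventFiltering.RuleGroup)) {
        foreach ($eventType in $group.ChildNodes) {
            if ($eventType.NodeType -ne 'Element') { continue }
            # Children are filter fields (Image, DestinationPort, ...) or
            # compound <Rule> elements; the name attribute sits on either.
            $names = @($eventType.ChildNodes |
                Where-Object { $_.NodeType -eq 'Element' } |
                ForEach-Object {
                    $n = $_.GetAttribute('name')
                    if ($n) { $n } else { '<unnamed>' }
                })
            [pscustomobject]@{
                EventType = $eventType.LocalName
                OnMatch   = $eventType.GetAttribute('onmatch')
                RuleCount = $names.Count
                RuleNames = ($names -join '; ')
            }
        }
    }
}

Get-SysmonRuleSummary -Config $sampleConfig | Format-Table -AutoSize -Wrap
```

Point the function at your own config with `Get-SysmonRuleSummary -Config ([xml](Get-Content -Raw .\sysmonconfig.xml))` to see every event type that has zero rules or unnamed rules before it goes to production.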

Supported Sysmon version
The Sysmon config can be used with Sysmon from version 15.20 (Sysmon schema version 4.91).
This also covers native Sysmon on Windows 11 25H2 (Sysmon schema version 4.91).

SIEM system
Logs sent to SIEM systems like Security Onion (Elastic) or Splunk work very well, but I recommend using it with Winlogbeat from Elastic and sending your logs to Security Onion. I also recommend that you use proper Windows logging set by security policies in Windows as GPOs. I can recommend following the NSACyber guide.
Then you will have a very good logging system together with IDS detection.

Sysmon install / uninstall / auto update config file
A Sysmon install / uninstall / config update script is included.

This makes it very easy to install or uninstall Sysmon and update the Sysmon config file on clients and servers just by changing one file in a central location. I can recommend using your own web server. You can auto-update all clients and servers with my latest config file by using Task Scheduler in Windows. Task Scheduler config files are included for you to import into Task Scheduler. You just have to change, in the PowerShell script, where you want hosts to get the config file from.

For Windows 11 25H2 I can highly recommend using the native version. This makes deployment, installation and maintenance easy.
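An added example of the auto-update step described above (not the script shipped with the download): it fetches the config from a central web server, checks the download against a hash published next to it, validates that the file is well-formed XML, and reloads Sysmon only when the config actually changed. The URLs, the hash sidecar file and the C:\Windows\Sysmon64.exe path of a Sysinternals install are assumptions of this example; Sysmon is assumed to be installed already.

```powershell
# Added example, not the update script from the download. Assumptions:
# placeholder URLs, a sha256sum-style file next to the config, and
# Sysmon64.exe in C:\Windows (Sysinternals install, service running).
param(
    [string]$ConfigUrl   = 'https://sysmon.example.internal/sysmonconfig.xml',
    [string]$HashUrl     = 'https://sysmon.example.internal/sysmonconfig.xml.sha256',
    [string]$SysmonExe   = 'C:\Windows\Sysmon64.exe',
    [string]$LocalConfig = 'C:\ProgramData\Sysmon\sysmonconfig.xml'
)
$ErrorActionPreference = 'Stop'
$tmp     = Join-Path $env:TEMP 'sysmonconfig.download.xml'
$hashTmp = "$tmp.sha256"

Invoke-WebRequest -Uri $ConfigUrl -OutFile $tmp     -UseBasicParsing
Invoke-WebRequest -Uri $HashUrl   -OutFile $hashTmp -UseBasicParsing

# Hash file format "<sha256>  sysmonconfig.xml": keep only the digest.
$actual   = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
$expected = ((Get-Content -Path $hashTmp -Raw).Trim() -split '\s+')[0]
if ($actual -ne $expected) {
    Remove-Item $tmp, $hashTmp -Force
    throw "Downloaded config hash $actual does not match published hash $expected"
}

# Reject a file that is not well-formed XML before handing it to Sysmon.
$null = [xml](Get-Content -Path $tmp -Raw)

# Unchanged config: nothing to do, keep the scheduled task quiet.
if ((Test-Path $LocalConfig) -and
    ((Get-FileHash -Path $LocalConfig -Algorithm SHA256).Hash -eq $actual)) {
    Remove-Item $tmp, $hashTmp -Force
    Write-Output 'Sysmon config unchanged'
    return
}

# "sysmon -c <file>" loads a new configuration into the running service.
& $SysmonExe -accepteula -c $tmp
if ($LASTEXITCODE -ne 0) { throw "Sysmon returned exit code $LASTEXITCODE" }

New-Item -ItemType Directory -Path (Split-Path $LocalConfig) -Force | Out-Null
Move-Item -Path $tmp -Destination $LocalConfig -Force
Remove-Item $hashTmp -Force
Write-Output "Sysmon config updated to SHA256 $actual"
```

Run it from a scheduled task as SYSTEM, since loading a Sysmon config requires administrative rights, and keep the web server on HTTPS so the hash check covers transfer errors rather than standing in for transport security.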

Monitoring of Sysmon alerts
It is easy to monitor Sysmon alerts and create notables in Splunk or alert dashboards in Security Onion.

Sysmon with install / uninstall scripts and auto-update scripts.

Windows 11 - Windows Server 2025 (Native Sysmon)
Filename: Sysmon_Win11-Serv2025_Config_162.zip
SHA1: f65fe0e163a6b8d4ed4be3698c4f6509498b1e23

Windows 10 - Windows Server 2016 and higher (Sysinternals)
Filename: Sysmon_15.20_Config_162.zip
SHA1: b135a05881fdba33df055368092b35bcc7819ccc

Sysmon Cheatsheet
Filename: Sysmon-Cheatsheet.pdf
SHA1: e573f2c2b46a5abef726b73f3690005b04780e5e


Latest updates

12-05-2026
Changes:
- Sysmon Config 162
- GHOSTLOCK

30-04-2026
Changes:
- Sysmon Config 161
- DNS query - exclude Danish domains update

18-04-2026
Changes:
- Sysmon Config 160
- LOLRMM
- Network detection - OT

16-04-2026
Changes:
- Sysmon Config 159
- Enhanced detection for WSL

14-04-2026
Changes:
- Sysmon Config 158
- Network detection - OT

05-04-2026
Changes:
- Sysmon Config 157
- Data Encrypted for Impact

04-04-2026
Changes:
- Sysmon Config 156
- Download Sysmon config change
- Additional Cloud Credentials

03-04-2026
Changes:
- Sysmon Config 155
- Local Data Staging

28-03-2026
Changes:
- Sysmon 15.20

24-03-2026
Changes:
- Sysmon Config 154
- Updated for Native Sysmon

20-03-2026
Changes:
- Sysmon Config 153
- Program Compatibility Assistant
- File Deletion - Forensic artifact files
- Unsecured Credentials

13-03-2026
Changes:
- Sysmon Config 150
- STUN Detection
- File Metadata update

07-03-2026
Changes:
- Sysmon Config 149
- Forensic Artifact
- OS Credential Dumping
- Disable Windows Error Reporting

04-03-2026
Changes:
- Sysmon Config 148
- LOLBAS - File and Directory Permissions Modification
- Inhibit System Recovery

28-02-2026
Changes:
- Sysmon Config 147
- LOLBAS Ingress Tool Transfer

22-02-2026
Changes:
- Sysmon Config 146
- Network Service Discovery

19-02-2026
Changes:
- Sysmon Config 145
- Local Data Staging

10-02-2026
Changes:
- Sysmon Config 144
- Boot or Logon Autostart Execution
- Time Provider change

10-02-2026
Changes:
- Sysmon Config 143
- Change Default File Association