Sysmon Installation on Windows

Updated Jul 31, 2023

Sysmon
Sysmon installation behaviors
Requirements
Before you begin
Install Sysmon
Update Sysmon

Sysmon

Sysmon is a Windows system service and device driver that monitors and logs system activity. When Sysmon is enabled, it forwards relevant logs to Arctic Wolf. Arctic Wolf Agent uses a specific Sysmon configuration that is optimized for Arctic Wolf’s backend. Agent also automatically updates the Arctic Wolf Sysmon configuration.

Note: See Arctic Wolf Agent Installation on Windows to bulk install Agent on Windows computers across your organization.

Sysmon installation behaviors

On a clean installation of the Arctic Wolf Agent and Sysmon, without an existing Sysmon configuration, the Arctic Wolf configuration is applied and set by default. If a different configuration already exists, it will not be overwritten.
Agent does not overwrite existing Sysmon configurations. It only overwrites existing Arctic Wolf configurations.
The installation method does not affect how the Agent interacts with Sysmon.
The location of Sysmon.exe does not change the behaviour of Sysmon on the system, as it runs as a service and a separate driver.
Sysmon events are forwarded to Arctic Wolf regardless of how Sysmon was installed and what configuration it uses. However, the Arctic Wolf pipeline is optimized to work with Arctic Wolf configurations. If you use your own configuration, some events may not be alerted on.

Requirements

One of the following operating systems (OS):
- Windows 8.1 or newer for 64- and 32-bit systems
- Windows Server 2012 or newer for 64-bit systems
Note: Arctic Wolf Agent OS minimum requirements are different from Sysmon minimum OS requirements. If you are installing Sysmon, you must ensure that you are installing the appropriate version for your OS.

Before you begin

Download the Sysmon.zip file for the latest Sysmon version from the Microsoft website, which includes the .exe file(s).
If you are installing with the Sysmon Assistant, download the SysmonAssistant.zip file from the Arctic Wolf Portal and extract it to access the .msi file.

Install Sysmon

Install Sysmon using your desired deployment method. Arctic Wolf provides an optional Sysmon Assistant installer to help you install the correct version of Sysmon. To receive your Sysmon Assistant installer, visit the Arctic Wolf Portal. The following installation options are available:

Software deployment tool
Command line
Group Policy Management
Microsoft Intune

Install Sysmon with a software deployment tool

Package the Sysmon Assistant installation files together:

Note: You do not need to include Sysmon64a.exe.

Tip: Packaging both of the .exe files lets the Sysmon Assistant installer choose the appropriate file for your systems. For example, if your organization includes both 32-bit and 64-bit systems, the installer will install Sysmon on each system using the appropriate .exe file.
- SysmonAssistant.msi
- Sysmon.exe
- Sysmon64.exe
Follow the instructions for your software deployment tool to install .msi packages.

Install Sysmon with the command line

If you would like to manage the Sysmon configuration yourself, you can install Sysmon without using Sysmon Assistant:

Unzip the sysmon.zip file and run the appropriate command:
- 32-bit systems — sysmon.exe -i -accepteula
- 64-bit systems — sysmon64.exe -i -accepteula

Manage Sysmon with Group Policy Management

This section describes how to install, redeploy, or remove Sysmon with Group Policy Management.

Install Sysmon with Group Policy Management

Note: Group Policy installation does not support VPN connected endpoints.

Prepare the Sysmon Assistant installation package.
Create a distribution point.
Create a Group Policy Object.
Assign the Sysmon Assistant package.
Enable startup policy for the Sysmon Assistant package.

Step 1: Prepare the Sysmon Assistant installation package

Package the Sysmon Assistant installation files together:

Note: You do not need to include Sysmon64a.exe.

Tip: Packaging both of the .exe files lets the Sysmon Assistant installer choose the appropriate file for your systems. For example, if your organization includes both 32-bit and 64-bit systems, the installer will install Sysmon on each system using the appropriate .exe file.
- SysmonAssistant.msi
- Sysmon.exe
- Sysmon64.exe

Step 2: Create a distribution point

Sign in to the server as an administrator user.
Create a shared network folder for the SysmonAssistant.msi package.
Set a minimum of Read permissions on the folder to allow access to the distribution package.
Copy the package from Prepare the Sysmon Assistant installation package into the shared folder.

Step 3: Create a Group Policy Object

The ArcticWolfAgent.msi package is deployed or distributed through Group Policy as a Group Policy Object (GPO).

From the Start menu, open the Group Policy Management application.
In the navigation menu, click Forest: <DomainName>, where <DomainName> is the name of your domain, and then click the Domains folder.
Right-click the domain name. If you:
- Already have an Arctic Wolf Sysmon GPO — Select Link an Existing GPO, and then select Edit.
- Do not have an existing Arctic Wolf Sysmon GPO — Create a new GPO:
  1. Select Create a GPO in this domain, and Link it here.
  2. In the New GPO dialog box, enter a name for the new GPO.
  3. Verify that the Source Starter GPO menu says (none).
  4. Click OK to create a new GPO.
  5. Right-click the new GPO, and then click Enforced to enable it.
    
    Tip: Once enabled, a lock appears over the GPO icon in the navigation menu.
  6. Right-click the new GPO, and then select Edit.
In the new window, right-click on the Agent object, and then click Properties.
Click the Security tab.
Select a group or user, and then select the Allow checkbox for Apply Group Policy.

The policy is applied to the specified groups.
Click OK.

Step 4: Assign the Sysmon Assistant package

You can assign one package per machine. If the Sysmon Assistant is assigned, it is automatically installed.

If you do not have Group Policy Management open, open it and right-click the Arctic Wolf Sysmon object that you created, and then click Edit.
In Computer Configuration, expand Policies in the navigation pane, and then expand Software Settings.
Right-click Software Installation, and then click New > Package.
In the Open dialog box, type the full UNC path of the distribution point containing the .msi file and select the .msi file to create the Agent package.
Click Open.
Click Assigned, and then click OK.

The package is added to the Group Policy window.
Close the Group Policy snap-in, and then click OK to exit.

If group policy applies and is applied to the client computer, and the distribution point is accessible, the assigned package will install when the client computers start.

Step 5: Enable startup policy for the Sysmon Assistant package

Enabling startup policy is optional but recommended if you are having Sysmon deployment issues. This policy is intended to speed up the process of deploying the Sysmon Assistant package.

If you do not have Group Policy Management open, open it and right-click the Sysmon Assistant object that you created, and then click Edit.
In Computer Settings, expand Policies in the navigation pane, and then expand Administrative Templates > System > Logon.
Open the Always wait for the network computer startup and logon setting.
Select Enabled, and then click OK to close the dialog.
In the navigation pane, expand Group Policy under System.
Right-click the Specify startup policy processing wait time setting and click Edit.
Select Enabled, and then set the Amount of time to wait to 90.
Click OK to save your changes, and then close the Group Policy snap-in and click OK to exit.

Redeploy the Sysmon Assistant package with Group Policy Management

You may need to redeploy the SysmonAssistant.msi package, for example during an upgrade.

If necessary, make changes to the distribution package. See Prepare the Sysmon Assistant installation package.

Note: To update Sysmon, see Update Sysmon.
Open Group Policy Management and right-click the Sysmon Assistant object that you created, and then click Edit.
Expand the Software Settings element, per user or per machine, that contains the deployed package.
Expand the Software Installation element that contains the deployed package.
Right-click the package in the right pane of the Group Policy window.
Click All Tasks > Redeploy application.
Click Yes to reinstall the application wherever it is installed.
Close the Group Policy snap-in, and then click OK to exit.

Remove the Sysmon Assistant package with Group Policy Management

Open Group Policy Management and right-click the Sysmon Assistant object that you created, and then click Edit.
Expand the Software Settings element, per user or per machine, that contains the deployed package.
Expand the Software Installation element that contains the deployed package.
Right-click the package in the right pane of the Group Policy window.
Click All Tasks > Remove, and then click Immediately uninstall the software from users and computers.
Click OK to continue.
Close the Group Policy snap-in, and then click OK to exit.

Step 1: Add the Win32 app to Intune

Download and install the Intune application packager from Microsoft.

Tip: See the Microsoft documentation for more information about installing this software.
Install the Microsoft Win32 Content Prep Tool, available on GitHub. This allows you to convert a file to a .intunewin file to upload for distribution.
Do one of the following:

Note: Arctic Wolf recommends using Sysmon Assistant. However, some infrastructures may find it more helpful to manage Sysmon manually.
- If you are using Sysmon Assistant — Note the Sysmon Assistant .msi filename and location for the next step.
- If you are not using Sysmon Assistant — Note the Sysmon 32-bit or 64-bit .exe filename and location for the next step.
Run the following command, where:
- <setup_folder> is the source folder.
- <source_setup_file> is the filename of the source file from the previous step.
- <output_folder> is the location for the new .intunewin file.
```
IntuneWinAppUtil -c <setup_folder> -s <source_setup_file> -o <output_folder>
```

Step 2: Add Sysmon to Intune

In the App information section:
1. Click Select file to add the .intunewin file.
2. Enter a description in the Description field.
3. Enter Microsoft in the Publisher field.
In the Program section:
1. In the Install command field, do one of the following:
  - If you are using Sysmon Assistant — Enter the following command, where <assistant_filename> is the name of the Sysmon Assistant .msi file:
```
msiexec /i <assistant_filename>.msi /q
```
  - If you are not using Sysmon Assistant — Enter the following command, where <sysmon_filename> is the name of the Sysmon .exe file:
```
 <sysmon_filename>.exe -i -accepteula
```
2. In the Uninstall command field, do one of the following:
  - If you are using Sysmon Assistant — Enter the following command, where <guid> is the GUID of the application:
    
    Note: The GUID automatically populates when you use the .intunewin package.
```
msiexec /x "<guid>" /qn
```
  - If you are not using Sysmon Assistant — Enter the following command, where <sysmon_filename> is the name of the Sysmon .exe file:
```
 <sysmon_filename>.exe -u
```
In the Requirements section, specify the operating system architecture and minimum operating system.
In the Detection rules section, select Manually configure detection rules in the Rules format list, and then add the .exe file path, folder, and detection method.
In the following sections, use the default settings.
In the Assignments section, select the device group that you want to target.
In the Review + create section, add the application.

Update Sysmon

Download the latest version of Sysmon from the Microsoft website.
If you are reinstalling using the Sysmon Assistant, download the SysmonAssistant.zip file from the Arctic Wolf Portal and extract it to access the .msi file.

Note: Older versions of Sysmon Assistant may not reinstall Sysmon properly.
Install Sysmon.

Note: If you reinstall using the Sysmon Assistant, ensure that the latest versions of Sysmon.exe and Sysmon64.exe are located in the same shared folder as Sysmon Assistant.