TrustedSec Sysmon Community Guide
Sysmon is a free tool initially developed by Mark Russinovich and has contributions by Tomas Garnier, David Magnotti, Mark Cook, Rob Mead, Giulia Biagini, and others at Microsoft. The tool is designed to extend the current logging capabilities in Windows to aid in understanding and detecting attackers by behavior. It was developed originally for internal use at Microsoft. (Note: There are still two versions of the tool—internal and external.) Currently, the tool supports 64-bit and 32-bit systems and uses a single command line tool for installation and configuration management.
This guide was created because documentation for this helpful, powerful tool previously didn’t exist. The goal of the Community Guide is to make it the best resource possible for all things Sysmon.
It is critically important to us that the Community Guide remain open source and collaborative. We’ve released it on Github so that we can facilitate an open conversation about how to make improvements to the guide as necessary. As new versions of Sysmon are released, we’ll be able to update the guide and maintain accuracy, regardless of what changes are made to the actual tool. As with any tool on Github, users can contribute thoughts, ideas, and code within the repository, which can eventually make it into the tool itself.