Deploying Sysmon for Enhanced Threat Detection

Welcome to the Deploying Sysmon for Enhanced Threat Detection lab!

This lab is designed to introduce you to the practical setup and use of Sysmon for monitoring and detecting suspicious activity on Windows systems.

You will learn how to install Sysmon with a custom configuration, verify its functionality, and simulate real-world attack behavior using Atomic Red Team to see how Sysmon captures key forensic evidence.

Whether you are a student, researcher, or enthusiast, this space is meant to provide a hands-on experience and foster learning in incident response and Windows threat detection.

Task 1: Locate the Tools

Objective

Access the lab tools required to install and test Sysmon from the designated folder on the desktop.

Steps

  1. Navigate to the Desktop on the Windows system.

  2. Open the folder named: Deploying Sysmon

image0

  3. Inside this folder, you will find multiple ZIP archives. Before going further, verify that the following two archives are present:

     - Sysmon.zip

     - sysmon-config-master.zip

image2

Once you've located and confirmed all required files are present, you are ready to proceed to the next task: installing Sysmon.

Task 2: Install Sysmon with Configuration

Objective

Install Sysmon as a Windows service using the provided configuration file to enable enhanced system activity logging.

Steps

  1. Extract the Sysmon.zip archive. The extracted folder contains three Sysmon executables (Sysmon.exe for 32-bit Windows, Sysmon64.exe for 64-bit x64 and Sysmon64a.exe for ARM64); on the 64-bit Windows system used in this lab the appropriate installer is Sysmon64.exe.

image1

Before installing Sysmon, you will need to extract the ZIP archive containing the custom Sysmon configuration file.

  2. Navigate back to the Deploying Sysmon folder and extract the sysmon-config-master.zip archive.

image3

Inside the extracted folder, you will find the custom Sysmon config file: sysmonconfig-export.xml

image4

Copy this file to the Sysmon folder you extracted earlier that contains the Sysmon installer.

  3. Once you have copied the custom Sysmon configuration file into the folder containing the Sysmon installer executable, open a PowerShell window in that folder.

This can be done by holding the SHIFT key, right-clicking inside the folder and clicking the Open PowerShell window here option, as shown in the following screenshot. Note that this shortcut opens a non-elevated window: installing Sysmon registers a service and a kernel driver, which requires administrative rights, so if the installation fails with an access-denied error, start PowerShell with Run as administrator and change directory to this folder instead.

image6

  4. Run the Sysmon installation command with the configuration file (the .\ prefix is required because PowerShell does not run an executable from the current directory by name alone):
.\Sysmon64.exe -accepteula -i sysmonconfig-export.xml

image7

As shown in the preceding screenshot, you should see messages confirming that the configuration file was validated and that the SysmonDrv driver and the Sysmon64 service were installed and started.

  5. To verify that the Sysmon64 service is running, open the Windows Services utility (services.msc) and check the status of the installed services.

As shown in the following screenshot, the Sysmon64 service should be in a "Running" state.

image5

Once confirmed, proceed to Task 3 to verify logging.
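The steps above can be scripted so that the install and its verification are repeatable and fail loudly when a precondition is missing. The following is an added example and is not part of the original lab or of the Sysmon tooling; it assumes an elevated PowerShell session whose current directory holds Sysmon64.exe and sysmonconfig-export.xml, exactly as laid out in this task.

```powershell
# Added example (not part of the original lab): scripted install of Sysmon64
# with the custom configuration, followed by the checks a responder would run.
# Assumptions: elevated PowerShell session; Sysmon64.exe and
# sysmonconfig-export.xml are in the current directory (Task 2 layout).

$installer = Join-Path (Get-Location) 'Sysmon64.exe'
$config    = Join-Path (Get-Location) 'sysmonconfig-export.xml'

foreach ($path in @($installer, $config)) {
    if (-not (Test-Path -LiteralPath $path)) { throw "Required file not found: $path" }
}

# Installing a service plus a kernel driver needs an elevated token; fail early otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Open PowerShell with "Run as administrator" before installing Sysmon.'
}

# First install vs. configuration update: -i installs the driver and service,
# -c <file> reloads the rule set on an existing installation.
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    Write-Host 'Sysmon64 is already installed; applying the configuration with -c'
    & $installer -c $config
} else {
    & $installer -accepteula -i $config
}
if ($LASTEXITCODE -ne 0) { Write-Warning "Sysmon64.exe exited with code $LASTEXITCODE" }

# Verification 1: the user-mode service (visible to Get-Service) and the kernel
# driver (Get-Service does not list drivers, so query Win32_SystemDriver instead).
Get-Service -Name 'Sysmon64' | Select-Object Name, Status, StartType
Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name = 'SysmonDrv'" |
    Select-Object Name, State, StartMode

# Verification 2: dump the rule set the driver is actually enforcing.
# Running Sysmon with -c and no file argument prints the active configuration.
& $installer -c

# Verification 3: the event channel exists, is enabled and already holds records.
Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' |
    Select-Object LogName, IsEnabled, RecordCount, LastWriteTime
```

Checking the driver separately from the service matters: the Sysmon64 service can show as Running while the driver failed to load, in which case the channel stays empty, so the RecordCount from the last command is the check that actually proves logging.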

Task 3: Verify Sysmon is Logging

Objective

Ensure that Sysmon is actively logging system events and writing them to the Windows Event Log.

Steps

  1. Open Event Viewer: press Windows + R, type eventvwr, and press Enter.

  2. In the left-hand panel, navigate to

Applications and Services Logs > Microsoft > Windows > Sysmon > Operational

image8

  3. Wait a few seconds for events to populate. You should start seeing event entries with IDs such as:

     - Event ID 1 – Process creation

     - Event ID 3 – Network connection

     - Event ID 11 – File creation

image9

  4. A good way to verify Sysmon logging is to execute a command frequently used by attackers for the purposes of Discovery:
whoami /priv

This command enumerates the privileges held by the access token of the user you are currently running as; in this lab that is the Administrator account.

As shown in the following screenshot, Sysmon records the command as Event ID 1 (Process creation) and enriches it with context the bare command lacks: the full command line, the parent process and its command line, the user and logon session, the integrity level, and the hashes of the executable.

image10
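Event Viewer shows these fields one event at a time; for triage you usually want them as objects you can filter and tabulate. The function below is an added example, not part of the original lab, that reads Sysmon Event ID 1 records from the Operational channel, turns the EventData fields into properties, and returns the entries whose command line matches a pattern (the whoami execution from the step above by default). It assumes Sysmon is installed as in Task 2; the function name Get-SysmonProcessCreate is this example's own.

```powershell
# Added example (not part of the original lab): query the Sysmon Operational
# channel for process-creation events and surface the fields that provide the
# "enhanced context" shown in the screenshot. Run 'whoami /priv' first so
# there is something to find. Assumes Sysmon is installed (Task 2).

function Get-SysmonProcessCreate {
    [CmdletBinding()]
    param(
        # Regex matched against the full command line; default finds the whoami test.
        [string]$CommandLinePattern = 'whoami',
        [int]$MaxEvents = 500
    )
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # Sysmon stores its fields as <Data Name="...">value</Data>; build a lookup table.
            $xml = [xml]$_.ToXml()
            $f = @{}
            foreach ($d in $xml.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated       = $_.TimeCreated
                Image             = $f['Image']
                CommandLine       = $f['CommandLine']
                User              = $f['User']
                LogonId           = $f['LogonId']
                IntegrityLevel    = $f['IntegrityLevel']
                ParentImage       = $f['ParentImage']
                ParentCommandLine = $f['ParentCommandLine']
                Hashes            = $f['Hashes']
                ProcessGuid       = $f['ProcessGuid']
            }
        } |
        Where-Object { $_.CommandLine -match $CommandLinePattern }
}

# Usage: show the whoami execution(s) together with the parent that spawned them.
Get-SysmonProcessCreate |
    Format-List TimeCreated, Image, CommandLine, User, ParentImage, ParentCommandLine, Hashes
```

ParentImage and ParentCommandLine are what turn a single whoami into a story: the same command launched from cmd.exe under an interactive logon and from an Office process or a service reads very differently, which is exactly the context the plain Security log does not give you.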

Confirmation

If you see these events, Sysmon is working correctly and capturing system activity. You are now ready to simulate malicious activity in Task 4 using Atomic Red Team.

Task 4: Setup Atomic Red Team & Run a Simulated Attack

Objectives

Import the Atomic Red Team PowerShell module, execute a single Atomic test that emulates scheduled-task persistence (T1053.005), and confirm that Sysmon recorded the resulting activity.

Steps

  1. Open a PowerShell session with Administrative privileges and navigate to the following directory: C:\AtomicRedTeam

As shown in the following screenshot, inside the folder, you will find another folder called: invoke-atomicredteam. This folder contains the Atomic Red Team PowerShell module.

image14

  2. Navigate into the invoke-atomicredteam folder and import the module from its manifest, Invoke-AtomicRedTeam.psd1:
Import-Module .\Invoke-AtomicRedTeam.psd1

image11

Once the module is imported and commands are visible, you're ready to execute an Atomic test to emulate/simulate adversarial activity.

  3. Simulate scheduled task creation (T1053.005)

In the same PowerShell session, run the following command:

Invoke-AtomicTest T1053.005 -TestNumbers 1

image13

This Atomic test creates a benign Windows scheduled task to emulate the persistence technique. The test itself only creates the task; its cleanup commands, which delete the task again, run when you invoke the same command with the -Cleanup switch, so do that once you have reviewed the logs.

  4. Review the Sysmon logs for evidence of the simulated activity, verifying detection.

Open Event Viewer again if not already open and navigate to:

Applications and Services Logs > Microsoft > Windows > Sysmon > Operational

Look for:

Event ID 1 (Process creation) entries whose parent process is the PowerShell session from which you ran the test, with the task-creation command visible in the CommandLine field. As shown in the following screenshot, the Atomic test T1053.005 triggers Sysmon Event ID 1, and possibly Event ID 4698 (A scheduled task was created) in the Security log, which is only recorded when the "Other Object Access Events" audit subcategory is enabled.

image12
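The manual review above can be turned into a small correlation: note the time the test starts, then pull every process the PowerShell session spawned from Sysmon and every scheduled-task creation from the Security log in the same window. The script below is an added example and is not part of the original lab or of the Atomic Red Team project. It assumes the Invoke-AtomicRedTeam module is already imported (Task 4, step 2) and that the session is elevated, since reading the Security log requires it; the helper Get-EventField is this example's own, and the parent-process match uses the PID of the current shell rather than an image path so it works regardless of how the shell was launched.

```powershell
# Added example (not part of the original lab or of Atomic Red Team): run the
# T1053.005 atomic test and correlate what it produced in Sysmon and in the
# Security log. Assumes Invoke-AtomicRedTeam is imported and the session is
# elevated (the Security log is not readable otherwise).

$windowMinutes = 10

# 1. Show exactly which commands the test (and its cleanup) will run before running it.
Invoke-AtomicTest T1053.005 -TestNumbers 1 -ShowDetails

# 2. Execute the test and record the start time for correlation.
$start = Get-Date
Invoke-AtomicTest T1053.005 -TestNumbers 1

# Helper (this example's own): read one named EventData field from an event record.
function Get-EventField($Event, [string]$Name) {
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } | ForEach-Object { $_.'#text' }
}

# 3. Sysmon Event ID 1: every process this PowerShell session spawned in the window.
#    The XPath is evaluated by the event log service, so only matching records
#    cross the wire; ParentProcessId is matched against our own PID.
$ms = $windowMinutes * 60 * 1000
$xpath = "*[System[EventID=1 and TimeCreated[timediff(@SystemTime) <= $ms]]] and " +
         "*[EventData[Data[@Name='ParentProcessId']='$PID']]"
$children = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' `
                         -FilterXPath $xpath -ErrorAction SilentlyContinue
$children | ForEach-Object {
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Image       = Get-EventField $_ 'Image'
        CommandLine = Get-EventField $_ 'CommandLine'
    }
} | Format-Table -AutoSize -Wrap

# 4. Security 4698 "A scheduled task was created": only present when the
#    "Other Object Access Events" subcategory is audited.
$tasks = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $start } `
                      -ErrorAction SilentlyContinue
if ($tasks) {
    $tasks | ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            TaskName = Get-EventField $_ 'TaskName'
            Subject  = Get-EventField $_ 'SubjectUserName'
        }
    } | Format-Table -AutoSize
} else {
    Write-Warning 'No 4698 events found. Check auditing with: auditpol /get /subcategory:"Other Object Access Events"'
}

# 5. Remove the scheduled task the test created.
Invoke-AtomicTest T1053.005 -TestNumbers 1 -Cleanup
```

If step 3 returns the task-creation command but step 4 returns nothing, the gap is in audit policy, not in Sysmon: Sysmon sees the process regardless, while 4698 depends on the subcategory being enabled, which is a useful distinction to carry into the reflection below.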


Reflection Point

Evaluate what Sysmon captured and consider how this information supports incident response and threat detection.

Discussion Points

Conclusion

Understanding what Sysmon logs and how it relates to simulated adversary behavior is key to building an effective detection strategy. This reflection helps bridge tool output with real-world security use cases.