This project investigates the deployment and use of Microsoft Sysmon for behavioural monitoring of Windows systems. The objective was to install Sysmon within a Windows virtual machine and prepare a lab environment for behavioural monitoring and MITRE ATT&CK analysis. During the deployment process, a compatibility issue was identified and investigated. The project documents the installation process, troubleshooting steps, findings and lessons learned.
- Download and install Microsoft Sysmon
- Verify successful deployment
- Investigate Sysmon service behaviour
- Analyse installation issues
- Perform root cause analysis
- Document findings and lessons learned
- Prepare for future behavioural monitoring projects
| Component | Details |
|---|---|
| Host System | macOS |
| Hardware | Apple Silicon MacBook Pro |
| Hypervisor | UTM |
| Guest Operating System | Windows 11 ARM64 |
| Monitoring Tool | Sysmon v15.21 |
| Shell | Windows PowerShell |
Sysmon (System Monitor) is a Windows system service and device driver developed by Microsoft Sysinternals.
It provides detailed telemetry that helps security analysts and defenders monitor system activity such as:
- Process creation
- Network connections
- File creation
- Driver loading
- Registry modifications
- Process injection activity
Sysmon is widely used in:
- Security Operations Centers (SOC)
- Threat Hunting
- Detection Engineering
- Digital Forensics
- Incident Response
The Sysmon package was downloaded from Microsoft Sysinternals and extracted using PowerShell.
The extracted package contained:
- Sysmon.exe
- Sysmon64.exe
- Sysmon64a.exe
- Eula.txt
These files represent the different Sysmon binaries required for deployment on various Windows architectures.
The following command was used to unzip the archive. After extraction, PowerShell was used to verify the presence of the installation files.

```powershell
Expand-Archive .\Sysmon.zip -DestinationPath .\Sysmon
cd .\Sysmon
ls
```

PowerShell confirmed that all Sysmon installation files were successfully extracted and available for deployment.
Sysmon was installed using the following command:
```powershell
.\Sysmon64.exe -accepteula -i
```

The installation command:
- Accepts the Sysinternals EULA
- Installs the Sysmon service
- Installs the Sysmon kernel driver
- Creates the required Windows service
After installation, the Sysmon service status was checked.
```powershell
Get-Service Sysmon64
```

The service was successfully registered within Windows but remained in a stopped state.
Expected status:
Running
Observed status:
Stopped
A manual startup attempt was performed.
```powershell
Start-Service Sysmon64
```

The service failed to start. PowerShell returned:

```
Cannot start service Sysmon64.
```
Several troubleshooting actions were performed.
- Verified service installation
- Verified extracted binaries
- Disabled Microsoft Vulnerable Driver Blocklist
- Rebooted virtual machine
- Reinstalled Sysmon
- Attempted manual service startup
- Investigated Windows Security settings
The issue persisted despite these actions.
The system architecture was investigated to determine whether compatibility issues existed.
```powershell
systeminfo | findstr /B /C:"System Type"
```

```
System Type: ARM64-based PC
```
The Windows virtual machine was running:
Windows 11 ARM64
rather than a traditional x64 installation.
Sysmon relies on a kernel-mode driver to capture detailed behavioural telemetry.
Although the Sysmon service successfully installed, the required driver could not start correctly within the Windows 11 ARM64 virtual machine environment.
The issue was determined to be related to architecture compatibility rather than an installation or configuration error.
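As an added example (not part of the original project), the following PowerShell health check gathers in one pass the evidence that was collected manually above: guest architecture, service state, kernel driver state, whether the Sysmon operational log is receiving events, and recent System-log errors that mention Sysmon. It assumes the default service and driver names (Sysmon64 and SysmonDrv) and that the Sysinternals package names its ARM64 build Sysmon64a.exe.

```powershell
# Added example: post-deployment health check for Sysmon (not the project's own code).
# Assumes default names: service 'Sysmon64' (from Sysmon64.exe -i) and driver 'SysmonDrv'.
function Test-SysmonDeployment {
    [CmdletBinding()]
    param(
        [string]$ServiceName = 'Sysmon64',
        [string]$DriverName  = 'SysmonDrv'
    )

    $result = [ordered]@{}

    # 1. Guest architecture, and which binary from the Sysmon package matches it.
    #    PROCESSOR_ARCHITECTURE reflects the PowerShell process, so run a native shell.
    $arch = $env:PROCESSOR_ARCHITECTURE
    $result.Architecture   = $arch
    $result.ExpectedBinary = switch ($arch) {
        'ARM64' { 'Sysmon64a.exe' }
        'AMD64' { 'Sysmon64.exe' }
        'x86'   { 'Sysmon.exe' }
        default { 'unknown' }
    }

    # 2. User-mode service registration and state (what Get-Service showed above).
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $result.ServiceStatus = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }

    # 3. Kernel driver state. Get-Service does not list drivers, so query CIM instead.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$DriverName'"
    $result.DriverStatus = if ($drv) { $drv.State } else { 'NotInstalled' }

    # 4. Telemetry check: a healthy install writes events to its operational log.
    $events = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' `
                           -MaxEvents 5 -ErrorAction SilentlyContinue
    $result.RecentEvents = @($events).Count

    # 5. Evidence for root cause analysis: recent System-log errors mentioning Sysmon.
    $result.RecentErrors = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2 } `
                                          -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Sysmon' } |
        ForEach-Object { '{0:u} {1}' -f $_.TimeCreated, $_.Message.Split("`n")[0] })

    [pscustomobject]$result
}

Test-SysmonDeployment | Format-List
```

A healthy deployment shows ServiceStatus and DriverStatus as Running and a non-zero RecentEvents count; a service that registers but whose driver never reaches Running reproduces the symptom described above.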
| Finding | Status |
|---|---|
| Sysmon Downloaded | successful |
| Sysmon Extracted | successful |
| Installation Completed | successful |
| Service Registered | successful |
| Service Started | unsuccessful |
| Telemetry Collection Available | unsuccessful |
| Root Cause Identified | successful |
This project provided practical experience with:
- Service management
- PowerShell navigation
- Software deployment
- Monitoring tool installation
- Security troubleshooting
- Log investigation
- Understanding telemetry collection
- Sysmon architecture
- Driver-based monitoring
- Identifying symptoms
- Collecting evidence
- Testing hypotheses
- Performing root cause analysis
Future testing will be performed on a Windows x64 environment.
Planned activities include:
- Sysmon configuration analysis
- Event ID investigation
- Process creation monitoring
- Network connection monitoring
- MITRE ATT&CK mapping
- Detection engineering exercises
- Behavioural monitoring research
- PowerShell
- Windows Administration
- Security Tool Deployment
- Troubleshooting
- Root Cause Analysis
- Security Monitoring Concepts
- Behavioural Monitoring Fundamentals
- Technical Documentation
- Microsoft Sysinternals Sysmon
- Windows PowerShell Documentation
- MITRE ATT&CK Framework
Effa Azhar
Cybersecurity Student | SOC Analyst Enthusiast | Behavioural Monitoring Research