Jet Mariano

Tag: incident response

  • Sysmon on Windows

    Sysmon Event ID 1 in action.
    Each entry records a process creation event, showing when a process started and providing the first layer of visibility into how activity begins on an endpoint.

    Seeing What Actually Happens

    Why this post exists

    Sysmon is often misunderstood.

    Some expect dashboards.
    Others expect alerts.
    A few expect it to magically explain incidents on its own.

    Sysmon does none of those things.

    What it does extremely well is something more fundamental.
    It records what actually happened.

    Think of Sysmon as a black box flight recorder for a computer.

    What Sysmon is

    Sysmon (System Monitor) is a Windows system service from Microsoft Sysinternals.

    Once installed, it continuously records detailed system activity into the Windows Event Log, including:

    • Process creation and command lines
    • Network connections
    • DLL and driver loading
    • Process access and injection behavior

    Sysmon does not block activity.
    It does not alert.
    It observes and records.

    What Sysmon is not

    Sysmon is not:

    • A SIEM
    • A reporting platform
    • An inventory system
    • A centralized logging solution

    Sysmon logs locally on each endpoint only.

    Visibility comes later, when those logs are queried, collected, or forwarded.

    Where Sysmon logs live

    All Sysmon telemetry is written to the Windows Event Log on each machine.

    Log path:

    Microsoft-Windows-Sysmon/Operational

    These logs can be:

    • Queried locally with PowerShell
    • Forwarded using Windows Event Forwarding
    • Collected by a SIEM
    • Reviewed during investigations

    Why companies deploy Sysmon

    Most security incidents are investigated after the fact.

    Without Sysmon, questions like these are difficult to answer:

    • How did this process start?
    • What command launched it?
    • What network connection did it make?
    • Was this behavior normal for this system?

    Sysmon provides the raw telemetry needed to answer those questions with evidence, not assumptions.

    Where Sysmon comes from

    Sysmon is part of Microsoft Sysinternals and is downloaded directly from Microsoft:

    https://learn.microsoft.com/sysinternals/downloads/sysmon

    It is free and does not require licensing.

    Why Sysmon requires configuration

    Out of the box, Sysmon logs too much.

    A configuration file is required to:

    • Reduce noise
    • Focus on meaningful security events
    • Avoid unnecessary performance impact

    Most mature configurations are based on known attacker behaviors, not generic logging.

    This is where MITRE ATT&CK and Atomic Red Team come in.

    Sysmon, MITRE ATT&CK, and Atomic Red Team

    MITRE ATT&CK documents how attackers behave, not just which tools they use.

    Atomic Red Team provides small, controlled tests that simulate those behaviors.

    Sysmon supplies the telemetry that proves whether those behaviors are visible.

    Together, they form a feedback loop:

    • ATT&CK defines behaviors
    • Atomic Red Team tests them
    • Sysmon records them

    Key Sysmon Event IDs (1–10)

    Event ID 1
    Process Create
    Records process start, parent process, and command line.

    Event ID 2
    File Creation Time Changed
    Indicates possible timestamp manipulation.

    Event ID 3
    Network Connection
    Records outbound network connections per process.

    Event ID 4
    Sysmon Service State Changed
    Shows Sysmon startup or shutdown.

    Event ID 5
    Process Terminated
    Records process exit.

    Event ID 6
    Driver Loaded
    Useful for detecting suspicious or unsigned drivers.

    Event ID 7
    Image Loaded
    Shows DLLs loaded by a process.

    Event ID 8
    CreateRemoteThread
    Often associated with injection techniques.

    Event ID 9
    RawAccessRead
    Can indicate disk or credential access attempts.

    Event ID 10
    Process Access
    Records when one process accesses another.

    Installing Sysmon

    Sysmon is installed from an elevated PowerShell session.

    Example:

    sysmon64.exe -accepteula -i sysmonconfig.xml

    This installs Sysmon using a predefined configuration file.

    Rollout considerations

    Sysmon performs deep system inspection during installation.

    In some environments, this can cause:

    • Extended login times
    • Temporary sluggishness
    • The appearance that the system is unresponsive

    Because of this, many organizations choose manual or staged deployment instead of broad GPO rollout.

    Confirming Sysmon is installed

    Sysmon does not report inventory centrally.

    Coverage is confirmed by querying endpoints.

    Check for the Sysmon service:

    Get-Service -Name Sysmon64

    If present, Sysmon is installed.

    Confirming Sysmon logging

    Check that the Sysmon event log exists:

    Get-WinEvent -ListLog "Microsoft-Windows-Sysmon/Operational"

    If the log exists, Sysmon is logging locally.

    Viewing Sysmon telemetry (examples)

    Show recent process creation events (Event ID 1):

    Get-WinEvent -FilterHashtable @{
  LogName   = "Microsoft-Windows-Sysmon/Operational"
  Id        = 1
  StartTime = (Get-Date).AddMinutes(-10)
} -MaxEvents 10 |
Select TimeCreated, Id, MachineName, Message

    Show recent network connection events (Event ID 3):

    Get-WinEvent -FilterHashtable @{
  LogName   = "Microsoft-Windows-Sysmon/Operational"
  Id        = 3
  StartTime = (Get-Date).AddMinutes(-10)
} -MaxEvents 10 |
Select TimeCreated, Id, MachineName, Message

    Show driver load events (Event ID 6):

    Get-WinEvent -FilterHashtable @{
  LogName   = "Microsoft-Windows-Sysmon/Operational"
  Id        = 6
  StartTime = (Get-Date).AddMinutes(-30)
} -MaxEvents 5 |
Select TimeCreated, Id, MachineName, Message

    Show process access events (Event ID 10):

    Get-WinEvent -FilterHashtable @{
  LogName   = "Microsoft-Windows-Sysmon/Operational"
  Id        = 10
  StartTime = (Get-Date).AddMinutes(-30)
} -MaxEvents 5 |
Select TimeCreated, Id, MachineName, Message

    Plain-language summary

    Sysmon records activity.
    Windows stores the records.
    PowerShell reads the records.
    Other tools collect the records.

    Sysmon is the recorder, not the reporter.

    Why this matters

    Security improves when decisions are based on evidence.

    Sysmon does not replace other tools.
    It reinforces them by preserving the truth of what happened.

    That alone makes it worth deploying thoughtfully.

    © 2012–2026 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

  • How to Install Sysmon on Windows 11 (Step-by-Step Guide)

    System Monitoring Made Simple for IT Admins & Security Pros

    Sysmon (System Monitor) is part of Microsoft’s Sysinternals Suite, and it gives you deep visibility into process creation, network connections, file changes, and system activity. For threat detection, forensics, and baselining, Sysmon is one of the most powerful free tools you can deploy.

    In this guide, I’ll walk through the step-by-step process of installing Sysmon cleanly on a Windows 11 machine, loading a hardened configuration, enabling the event log, and validating that everything is working.

    This is the exact method I used on my laptop — clean, repeatable, and production-ready.

    1. Prerequisites

    Before you start:

    • Log in as a user with Local Administrator rights.
    • Open PowerShell as Administrator.

    You’ll be using a mixture of PowerShell commands and Event Viewer, so make sure you have admin elevation.

    2. Download Sysinternals Suite

    Microsoft distributes Sysmon inside the Sysinternals Suite ZIP.

    1. Download Sysinternals Suite from Microsoft’s official site.
    2. Create a clean directory:
    New-Item -ItemType Directory -Path "C:\Sysinternals" -Force
    1. Extract the ZIP:
    Expand-Archive "$env:USERPROFILE\Downloads\SysinternalsSuite.zip" `
  -DestinationPath "C:\Sysinternals" -Force
    1. Verify Sysmon64.exe exists:
    Get-ChildItem "C:\Sysinternals" -Filter Sysmon64.exe -Recurse

    You should see something similar to:

    Sysmon64.exe   Length: 4563248

    If the file is non-zero in size, it’s valid.

    3. Prepare Your Sysmon Configuration File

    Sysmon must be installed with a configuration that tells it what to monitor.
    You can use:

    • A basic config
    • A hardened config
    • The community-recommended SwiftOnSecurity config

    Here’s how to set up a config folder:

    New-Item -ItemType Directory -Path "C:\Scripts\Sysmon" -Force

    Copy your Sysmon config into it:

    Copy-Item "$env:USERPROFILE\Downloads\sysmonconfig-export.xml" `
  "C:\Scripts\Sysmon\sysmonconfig.xml" -Force

    Verify it:

    Get-ChildItem "C:\Scripts\Sysmon"

    You should see:

    sysmonconfig.xml   Length: (non-zero)

    4. Install Sysmon with the Config

    Navigate to the Sysinternals directory:

    cd "C:\Sysinternals"

    If Sysmon was previously installed, uninstall it first:

    .\Sysmon64.exe -u force

    Then install it cleanly with your XML config:

    .\Sysmon64.exe -i C:\Scripts\Sysmon\sysmonconfig.xml

    Expected output:

    Sysmon64 installed.
SysmonDrv installed.
Sysmon64 started.

    Check service status:

    Get-Service Sysmon64

    You should see:

    Running  Sysmon64

    5. Register the Sysmon Event Manifest

    This step ensures the Sysmon event log is visible in Event Viewer.

    .\Sysmon64.exe -m

    Output:

    Event manifest/format registered successfully

    6. Enable the Sysmon Event Log

    Check if the Sysmon log exists:

    wevtutil el | Select-String "Sysmon"

    You should see:

    Microsoft-Windows-Sysmon/Operational

    Enable the log:

    wevtutil sl "Microsoft-Windows-Sysmon/Operational" /e:true

    7. Validate That Sysmon Is Working

    Method A: Quick PowerShell validation

    wevtutil qe Microsoft-Windows-Sysmon/Operational /c:5 /f:text

    If you see any events (Event ID 1, 5, etc.), Sysmon is working.

    Method B: Event Viewer

    Open Event Viewer:

    Applications and Services Logs
  → Microsoft
      → Windows
          → Sysmon
              → Operational

    You should start seeing:

    • Event ID 1 – Process Create
    • Event ID 5 – Process Terminate
    • Other IDs depending on your config

    Method C: Live test

    Run:

    Start-Process notepad.exe

    Then refresh Sysmon → Operational log.

    You should immediately see a new Event ID 1 logging Notepad’s process creation.

    If you see this event, Sysmon is fully operational.

    8. Optional: Create a Shortcut for Faster Access

    Desktop Shortcut

    1. Right-click Desktop → New → Shortcut
    2. Enter:
    eventvwr.msc /c:Microsoft-Windows-Sysmon/Operational
    1. Name it Sysmon Log

    Now you can open Sysmon in one click.

    Event Viewer Favorites

    Right-click Sysmon → OperationalAdd to Favorites.

    9. Updating the Sysmon Config Later

    If you want to modify or replace the config:

    cd C:\Sysinternals
.\Sysmon64.exe -c C:\Scripts\Sysmon\sysmonconfig.xml

    You should see:

    Configuration updated.

    No reinstall required.

    10. Uninstall Sysmon (if needed)

    cd C:\Sysinternals
.\Sysmon64.exe -u force

    This removes:

    • Sysmon64 service
    • SysmonDrv driver
    • Registry entries
    • Event manifest

    Conclusion

    Once installed, Sysmon becomes a powerful source of system telemetry for:

    • Threat hunting
    • Malware investigation
    • Lateral movement detection
    • Process monitoring
    • Incident response
    • Forensic analysis

    With a hardened config, Sysmon gives deep visibility with minimal overhead — making it an essential component of any Windows security stack.

    If you’re deploying Sysmon across multiple endpoints (like we do at work), you can automate it using Intune, GPO, or a custom PowerShell deployment package.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

  • When Inbox Rules Go Rogue: A 10-Command Playbook to Stop Impersonation

    Macro ant on a leaf—small bug, big damage. Quiet inbox rules (forward/delete/hide) are how real-account impersonation starts. This post shows 10 PowerShell fixes to stop it fast.

    Excerpt
    Most “email impersonation” losses start quietly—rules that forward, delete, or hide mail. This playbook backs up evidence, stops the bleed, removes risky rules, clears forwarding, and verifies. Calm hands, clear steps.

    Intro
    Most “email impersonation” (BEC) starts in two ways:

    1. Real-account misuse—someone phishes a password/token and quietly adds inbox rules (forward, delete, hide) or enables mailbox forwarding.
    2. No-account spoofing—look-alike domains and weak SPF/DKIM/DMARC let crooks send as if they’re us.

    This post fixes bucket #1 fast. You don’t need Compliance Center/Purview to clean a single mailbox: run these in Windows PowerShell 5.1 to back up → stop all rules → remove risky patterns → clear forwarding → verify. The examples below target [email protected]. After cleanup, keep the door shut by disabling SMTP AUTH/legacy protocols and blocking external auto-forwarding. (For bucket #2, tighten SPF/DKIM/DMARC—that’s outside this quick fix.)

    Perspective
    There are no super heroes in IT—no capes, no instant rescues. When rules go rogue, heroics make noise; runbooks make progress. The job is to protect people’s work with boring, proven steps.

    Practice (today, not someday)

    • Connect (read-only) — open a secure session to Exchange Online for the mailbox you’re fixing. Import-Module ExchangeOnlineManagement -RequiredVersion 3.9.0 -Force Connect-ExchangeOnline -UserPrincipalName [email protected] -ShowBanner:$false $mbx = "[email protected]"
    • Backup rules to CSV (read-only) — take a snapshot so you have evidence and an easy rollback reference. $ts = (Get-Date).ToString('yyyyMMdd-HHmm') Get-InboxRule -Mailbox $mbx | Select Name,Enabled,Priority,From,SentTo,SubjectContainsWords,MoveToFolder,ForwardTo,RedirectTo,DeleteMessage,StopProcessingRules | Sort Priority | Export-Csv "$env:USERPROFILE\Desktop\$($mbx)-InboxRules-$ts.csv" -NoTypeInformation -Encoding UTF8
    • Disable all rules (change) — safe stop; nothing runs while you fix things. Get-InboxRule -Mailbox $mbx | Disable-InboxRule -Confirm:$false
    • Remove delete rules (change) — get rid of any rule that silently deletes messages. Get-InboxRule -Mailbox $mbx | Where-Object {$_.DeleteMessage} | ForEach-Object { Remove-InboxRule -Mailbox $mbx -Identity $_.Name -Confirm:$false }
    • Remove hide/stop rules (change) — remove rules that hide mail (Junk/Archive/RSS/Conversation History) or halt further processing. Get-InboxRule -Mailbox $mbx | Where-Object { $_.StopProcessingRules -or ($_.MoveToFolder -match 'Junk|Archive|RSS|Conversation History') } | ForEach-Object { Remove-InboxRule -Mailbox $mbx -Identity $_.Name -Confirm:$false }
    • Remove forward/redirect rules, focusing on external (change) — strip any rule that forwards or redirects mail, especially off-tenant. $internal = @('jetmariano.us') # add internal domains if needed $rules = Get-InboxRule -Mailbox $mbx foreach($r in $rules){ $targets=@() foreach($t in @($r.ForwardTo)+@($r.RedirectTo)){ if($t -is [string]){$targets+=$t} elseif($t.PrimarySmtpAddress){$targets+=$t.PrimarySmtpAddress.ToString()} elseif($t.Address){$targets+=$t.Address.ToString()} elseif($t){$targets+=$t.ToString()} } $external = $false foreach($addr in $targets){ if($addr -match '@'){ $domain = ($addr -split '@')[-1].ToLower() if(-not ($internal -contains $domain)){ $external = $true } } } if($external -or $targets.Count -gt 0){ Remove-InboxRule -Mailbox $mbx -Identity $r.Name -Confirm:$false } }
    • Clear mailbox-level forwarding (change) — turn off any top-level forwarding set on the mailbox. Set-Mailbox -Identity $mbx -DeliverToMailboxAndForward:$false -ForwardingSmtpAddress $null -ForwardingAddress $null
    • Verify list and count (read-only) — prove you’re clean; zero is ideal. Get-InboxRule -Mailbox $mbx | Sort Priority | Format-Table Name,Enabled,ForwardTo,RedirectTo,MoveToFolder,DeleteMessage -Auto (Get-InboxRule -Mailbox $mbx | Measure-Object).Count
    • Re-enable only safe movers (optional change) — if you truly want routine filing, turn on only simple move-to-folder rules. Get-InboxRule -Mailbox $mbx | Where-Object { $_.MoveToFolder -and -not $_.ForwardTo -and -not $_.RedirectTo -and -not $_.DeleteMessage -and -not $_.StopProcessingRules } | ForEach-Object { Enable-InboxRule -Mailbox $mbx -Identity $_.Name -Confirm:$false }
    • Disconnect (read-only) — close your session cleanly. Disconnect-ExchangeOnline -Confirm:$false

    Final Reflection
    The work narrowed down to steady steps. Not a clever hack—just patience, order, and protection of someone’s inbox.

    Pocket I’m Keeping
    Runbooks over heroics.

    What I Hear Now
    Be steady. Protect the work. I’ll show you the next step.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

error: Content is protected !!