Jet Mariano

Tag: incident response

  • How to Install Sysmon on Windows 11 (Step-by-Step Guide)

    System Monitoring Made Simple for IT Admins & Security Pros

    Sysmon (System Monitor) is part of Microsoft’s Sysinternals Suite, and it gives you deep visibility into process creation, network connections, file changes, and system activity. For threat detection, forensics, and baselining, Sysmon is one of the most powerful free tools you can deploy.

    In this guide, I’ll walk through the step-by-step process of installing Sysmon cleanly on a Windows 11 machine, loading a hardened configuration, enabling the event log, and validating that everything is working.

    This is the exact method I used on my laptop — clean, repeatable, and production-ready.

    1. Prerequisites

    Before you start:

    • Log in as a user with Local Administrator rights.
    • Open PowerShell as Administrator.

    You’ll be using a mixture of PowerShell commands and Event Viewer, so make sure you have admin elevation.

    2. Download Sysinternals Suite

    Microsoft distributes Sysmon inside the Sysinternals Suite ZIP.

    1. Download Sysinternals Suite from Microsoft’s official site.
    2. Create a clean directory:
    New-Item -ItemType Directory -Path "C:\Sysinternals" -Force
    1. Extract the ZIP:
    Expand-Archive "$env:USERPROFILE\Downloads\SysinternalsSuite.zip" `
  -DestinationPath "C:\Sysinternals" -Force
    1. Verify Sysmon64.exe exists:
    Get-ChildItem "C:\Sysinternals" -Filter Sysmon64.exe -Recurse

    You should see something similar to:

    Sysmon64.exe   Length: 4563248

    If the file is non-zero in size, it’s valid.

    3. Prepare Your Sysmon Configuration File

    Sysmon must be installed with a configuration that tells it what to monitor.
    You can use:

    • A basic config
    • A hardened config
    • The community-recommended SwiftOnSecurity config

    Here’s how to set up a config folder:

    New-Item -ItemType Directory -Path "C:\Scripts\Sysmon" -Force

    Copy your Sysmon config into it:

    Copy-Item "$env:USERPROFILE\Downloads\sysmonconfig-export.xml" `
  "C:\Scripts\Sysmon\sysmonconfig.xml" -Force

    Verify it:

    Get-ChildItem "C:\Scripts\Sysmon"

    You should see:

    sysmonconfig.xml   Length: (non-zero)

    4. Install Sysmon with the Config

    Navigate to the Sysinternals directory:

    cd "C:\Sysinternals"

    If Sysmon was previously installed, uninstall it first:

    .\Sysmon64.exe -u force

    Then install it cleanly with your XML config:

    .\Sysmon64.exe -i C:\Scripts\Sysmon\sysmonconfig.xml

    Expected output:

    Sysmon64 installed.
SysmonDrv installed.
Sysmon64 started.

    Check service status:

    Get-Service Sysmon64

    You should see:

    Running  Sysmon64

    5. Register the Sysmon Event Manifest

    This step ensures the Sysmon event log is visible in Event Viewer.

    .\Sysmon64.exe -m

    Output:

    Event manifest/format registered successfully

    6. Enable the Sysmon Event Log

    Check if the Sysmon log exists:

    wevtutil el | Select-String "Sysmon"

    You should see:

    Microsoft-Windows-Sysmon/Operational

    Enable the log:

    wevtutil sl "Microsoft-Windows-Sysmon/Operational" /e:true

    7. Validate That Sysmon Is Working

    Method A: Quick PowerShell validation

    wevtutil qe Microsoft-Windows-Sysmon/Operational /c:5 /f:text

    If you see any events (Event ID 1, 5, etc.), Sysmon is working.

    Method B: Event Viewer

    Open Event Viewer:

    Applications and Services Logs
  → Microsoft
      → Windows
          → Sysmon
              → Operational

    You should start seeing:

    • Event ID 1 – Process Create
    • Event ID 5 – Process Terminate
    • Other IDs depending on your config

    Method C: Live test

    Run:

    Start-Process notepad.exe

    Then refresh Sysmon → Operational log.

    You should immediately see a new Event ID 1 logging Notepad’s process creation.

    If you see this event, Sysmon is fully operational.

    8. Optional: Create a Shortcut for Faster Access

    Desktop Shortcut

    1. Right-click Desktop → New → Shortcut
    2. Enter:
    eventvwr.msc /c:Microsoft-Windows-Sysmon/Operational
    1. Name it Sysmon Log

    Now you can open Sysmon in one click.

    Event Viewer Favorites

    Right-click Sysmon → OperationalAdd to Favorites.

    9. Updating the Sysmon Config Later

    If you want to modify or replace the config:

    cd C:\Sysinternals
.\Sysmon64.exe -c C:\Scripts\Sysmon\sysmonconfig.xml

    You should see:

    Configuration updated.

    No reinstall required.

    10. Uninstall Sysmon (if needed)

    cd C:\Sysinternals
.\Sysmon64.exe -u force

    This removes:

    • Sysmon64 service
    • SysmonDrv driver
    • Registry entries
    • Event manifest

    Conclusion

    Once installed, Sysmon becomes a powerful source of system telemetry for:

    • Threat hunting
    • Malware investigation
    • Lateral movement detection
    • Process monitoring
    • Incident response
    • Forensic analysis

    With a hardened config, Sysmon gives deep visibility with minimal overhead — making it an essential component of any Windows security stack.

    If you’re deploying Sysmon across multiple endpoints (like we do at work), you can automate it using Intune, GPO, or a custom PowerShell deployment package.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

  • When Inbox Rules Go Rogue: A 10-Command Playbook to Stop Impersonation

    Macro ant on a leaf—small bug, big damage. Quiet inbox rules (forward/delete/hide) are how real-account impersonation starts. This post shows 10 PowerShell fixes to stop it fast.

    Excerpt
    Most “email impersonation” losses start quietly—rules that forward, delete, or hide mail. This playbook backs up evidence, stops the bleed, removes risky rules, clears forwarding, and verifies. Calm hands, clear steps.

    Intro
    Most “email impersonation” (BEC) starts in two ways:

    1. Real-account misuse—someone phishes a password/token and quietly adds inbox rules (forward, delete, hide) or enables mailbox forwarding.
    2. No-account spoofing—look-alike domains and weak SPF/DKIM/DMARC let crooks send as if they’re us.

    This post fixes bucket #1 fast. You don’t need Compliance Center/Purview to clean a single mailbox: run these in Windows PowerShell 5.1 to back up → stop all rules → remove risky patterns → clear forwarding → verify. The examples below target [email protected]. After cleanup, keep the door shut by disabling SMTP AUTH/legacy protocols and blocking external auto-forwarding. (For bucket #2, tighten SPF/DKIM/DMARC—that’s outside this quick fix.)

    Perspective
    There are no super heroes in IT—no capes, no instant rescues. When rules go rogue, heroics make noise; runbooks make progress. The job is to protect people’s work with boring, proven steps.

    Practice (today, not someday)

    • Connect (read-only) — open a secure session to Exchange Online for the mailbox you’re fixing. Import-Module ExchangeOnlineManagement -RequiredVersion 3.9.0 -Force Connect-ExchangeOnline -UserPrincipalName [email protected] -ShowBanner:$false $mbx = "[email protected]"
    • Backup rules to CSV (read-only) — take a snapshot so you have evidence and an easy rollback reference. $ts = (Get-Date).ToString('yyyyMMdd-HHmm') Get-InboxRule -Mailbox $mbx | Select Name,Enabled,Priority,From,SentTo,SubjectContainsWords,MoveToFolder,ForwardTo,RedirectTo,DeleteMessage,StopProcessingRules | Sort Priority | Export-Csv "$env:USERPROFILE\Desktop\$($mbx)-InboxRules-$ts.csv" -NoTypeInformation -Encoding UTF8
    • Disable all rules (change) — safe stop; nothing runs while you fix things. Get-InboxRule -Mailbox $mbx | Disable-InboxRule -Confirm:$false
    • Remove delete rules (change) — get rid of any rule that silently deletes messages. Get-InboxRule -Mailbox $mbx | Where-Object {$_.DeleteMessage} | ForEach-Object { Remove-InboxRule -Mailbox $mbx -Identity $_.Name -Confirm:$false }
    • Remove hide/stop rules (change) — remove rules that hide mail (Junk/Archive/RSS/Conversation History) or halt further processing. Get-InboxRule -Mailbox $mbx | Where-Object { $_.StopProcessingRules -or ($_.MoveToFolder -match 'Junk|Archive|RSS|Conversation History') } | ForEach-Object { Remove-InboxRule -Mailbox $mbx -Identity $_.Name -Confirm:$false }
    • Remove forward/redirect rules, focusing on external (change) — strip any rule that forwards or redirects mail, especially off-tenant. $internal = @('jetmariano.us') # add internal domains if needed $rules = Get-InboxRule -Mailbox $mbx foreach($r in $rules){ $targets=@() foreach($t in @($r.ForwardTo)+@($r.RedirectTo)){ if($t -is [string]){$targets+=$t} elseif($t.PrimarySmtpAddress){$targets+=$t.PrimarySmtpAddress.ToString()} elseif($t.Address){$targets+=$t.Address.ToString()} elseif($t){$targets+=$t.ToString()} } $external = $false foreach($addr in $targets){ if($addr -match '@'){ $domain = ($addr -split '@')[-1].ToLower() if(-not ($internal -contains $domain)){ $external = $true } } } if($external -or $targets.Count -gt 0){ Remove-InboxRule -Mailbox $mbx -Identity $r.Name -Confirm:$false } }
    • Clear mailbox-level forwarding (change) — turn off any top-level forwarding set on the mailbox. Set-Mailbox -Identity $mbx -DeliverToMailboxAndForward:$false -ForwardingSmtpAddress $null -ForwardingAddress $null
    • Verify list and count (read-only) — prove you’re clean; zero is ideal. Get-InboxRule -Mailbox $mbx | Sort Priority | Format-Table Name,Enabled,ForwardTo,RedirectTo,MoveToFolder,DeleteMessage -Auto (Get-InboxRule -Mailbox $mbx | Measure-Object).Count
    • Re-enable only safe movers (optional change) — if you truly want routine filing, turn on only simple move-to-folder rules. Get-InboxRule -Mailbox $mbx | Where-Object { $_.MoveToFolder -and -not $_.ForwardTo -and -not $_.RedirectTo -and -not $_.DeleteMessage -and -not $_.StopProcessingRules } | ForEach-Object { Enable-InboxRule -Mailbox $mbx -Identity $_.Name -Confirm:$false }
    • Disconnect (read-only) — close your session cleanly. Disconnect-ExchangeOnline -Confirm:$false

    Final Reflection
    The work narrowed down to steady steps. Not a clever hack—just patience, order, and protection of someone’s inbox.

    Pocket I’m Keeping
    Runbooks over heroics.

    What I Hear Now
    Be steady. Protect the work. I’ll show you the next step.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

error: Content is protected !!