Sysmon: How to install, upgrade, and uninstall
Contents: Introduction, Helpful Links, Install, Upgrade, Uninstall, The Problem, The Investigation, The Solution

Introduction

If you're on this page you probably don't need me to explain much about what Sysmon is or why it is an excellent tool for security monitoring. In short:
- It's part of Microsoft's Sysinternals Suite, so it should play nicely with Windows.
- It can monitor almost anything that happens on a Windows host (process creation, network connections, file, registry, driver and image-load activity), so its events cover most of the commonly seen MITRE ATT&CK techniques.
- It logs to the Windows Event Log (the Microsoft-Windows-Sysmon/Operational channel), so it is easy to forward to a SIEM or similar for analysis.

However, if you've tried rolling Sysmon out to a large number of machines and then removing or updating it, you may have run into some issues. At least, I did. So I've collated some of my findings.
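Before pushing an upgrade or uninstall to a fleet it helps to know exactly what state each host is in. The following PowerShell pre-flight check is an added example, not code from the original post or from Sysinternals. It assumes Sysmon was installed under its default names (a service called Sysmon or Sysmon64, the SysmonDrv kernel driver, and the Microsoft-Windows-Sysmon/Operational event channel); if you installed it under a custom name, change those values.

```powershell
# Added example: Sysmon pre-flight check for a single host.
# Assumes default names: service Sysmon/Sysmon64, driver SysmonDrv,
# event channel Microsoft-Windows-Sysmon/Operational. Run elevated:
# the Operational channel is not readable by standard users.

$LogName = 'Microsoft-Windows-Sysmon/Operational'

# 1. Is the user-mode service installed, and which binary backs it?
$svc = Get-CimInstance Win32_Service | Where-Object { $_.Name -in 'Sysmon', 'Sysmon64' }
if (-not $svc) {
    Write-Warning 'No Sysmon service found on this host.'
} else {
    foreach ($s in $svc) {
        '{0}: state={1} path={2}' -f $s.Name, $s.State, $s.PathName
        # File version of the installed binary: what you compare against the
        # release you intend to roll out.
        $exe = ($s.PathName -replace '"', '').Trim()
        if (Test-Path $exe) { 'Version: {0}' -f (Get-Item $exe).VersionInfo.FileVersion }
    }
}

# 2. Is the kernel driver registered and running?
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name='SysmonDrv'"
if ($drv) { 'SysmonDrv: state={0}' -f $drv.State } else { Write-Warning 'SysmonDrv not registered.' }

# 3. Is the event channel present and actually receiving events?
$log = Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue
if (-not $log) {
    Write-Warning "Event log '$LogName' not found."
} else {
    'Channel {0}: enabled={1} records={2}' -f $log.LogName, $log.IsEnabled, $log.RecordCount

    # Summarise the last 500 events by ID (1 = process create, 3 = network connect, ...)
    Get-WinEvent -LogName $LogName -MaxEvents 500 -ErrorAction SilentlyContinue |
        Group-Object Id | Sort-Object Count -Descending |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize

    # Pull structured fields out of the most recent process-creation event (ID 1)
    # by reading the EventData XML rather than relying on property positions,
    # which can shift between Sysmon versions.
    $ev = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1 } -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($ev) {
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            UtcTime     = $data['UtcTime']
            Image       = $data['Image']
            CommandLine = $data['CommandLine']
            ParentImage = $data['ParentImage']
        }
    }
}
```

Run it through whatever remote-execution channel you already use (Invoke-Command, your RMM, or a scheduled task) and collect the output centrally: a host where the service exists but the driver is missing, or where the channel is enabled but has zero records, is exactly the kind of half-installed state that an unattended upgrade or uninstall tends to trip over.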