Microsoft announced today that it will integrate Sysmon natively into Windows 11 and Windows Server 2025 next year, making it unnecessary to deploy the standalone Sysinternals tools.
"Next year, Windows updates for Windows 11 and Windows Server 2025 will bring Sysmon functionality natively to Windows," reads an announcement by Sysinternals creator Mark Russinovich.
"Sysmon functionality allows you to use custom configuration files to filter captured events. These events are written to the Windows event log, enabling a wide range of use cases including by security applications."
Sysmon (System Monitor) is a free Microsoft Sysinternals tool that installs as a Windows service and driver, monitors for malicious or suspicious activity (and, for a small set of file operations, can block it), and logs what it sees to the Windows Event Log.
By default, Sysmon records only a basic set of events, such as process creation (with command line and file hashes), process termination, and driver loading. A custom configuration file can enable and filter far more, including process tampering, DNS queries, network connections, executable file creation, Windows clipboard changes, and archiving a copy of deleted files before they are lost.
Sysmon is a very popular tool for threat hunting and for diagnosing persistent issues in Windows, but until now it had to be installed separately on each device, which makes it harder to manage and leaves coverage gaps in large IT environments.
With Sysmon now natively supported in Windows, users and admins can install it via Windows 11's "Optional features" settings dialog and receive new software updates directly through Windows Update, making deployment and management much easier.
Microsoft says the built-in capabilities will retain Sysmon's standard feature set, including support for custom configuration files and advanced event filtering.
Once the feature is installed, admins can enable it from an elevated Command Prompt with the following command, which starts basic monitoring with Sysmon's default configuration (a custom configuration file can be supplied instead to widen or filter what is logged):
sysmon -i
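The install-with-default-configuration command above is the minimum; what most teams actually want is the custom configuration file that the article mentions, plus a way to confirm that events are landing in the event log. The PowerShell below is an added example, not code from the article or from Microsoft. It assumes a `sysmon` binary (either the standalone Sysinternals build or the native Windows build) is on PATH, that the shell is elevated, and that the installed build accepts configuration schema version 4.90 (that of Sysmon 15.x; `sysmon -s` prints the schema your build expects, so adjust the `schemaversion` attribute if it differs). The configuration content and the service name check are constructed for the example.

```powershell
# Added example (not from the article or from Microsoft): install or reconfigure
# Sysmon with a small custom configuration, then read back what it logged.
# Assumptions: `sysmon` is on PATH, the shell is elevated, and the build accepts
# schemaversion 4.90 (check with `sysmon -s` and adjust if needed).

$configPath = Join-Path $env:ProgramData 'sysmon-config.xml'

# Constructed sample configuration. Each event type takes an include or exclude
# filter: onmatch="exclude" with an empty body logs every event of that type,
# onmatch="include" logs only events whose fields match a rule.
@'
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 1: log every process creation -->
      <ProcessCreate onmatch="exclude" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 3: network connections are not logged by default;
           here only connections made by shells and script hosts are kept -->
      <NetworkConnect onmatch="include">
        <Image condition="end with">powershell.exe</Image>
        <Image condition="end with">cmd.exe</Image>
        <Image condition="end with">wscript.exe</Image>
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 22: log all DNS queries except noisy Microsoft names -->
      <DnsQuery onmatch="exclude">
        <QueryName condition="end with">.microsoft.com</QueryName>
      </DnsQuery>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 25: process tampering (image hollowing / herpaderping) -->
      <ProcessTampering onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $configPath -Encoding UTF8

# First install: -i loads the driver and service with this configuration.
# If Sysmon is already installed, -c swaps the configuration in place instead.
# (Service name check assumes the standalone build's "Sysmon"/"Sysmon64" names.)
if (Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue) {
    sysmon -c $configPath
} else {
    sysmon -accepteula -i $configPath
}

# Sysmon writes to its own operational channel. Pull the most recent DNS
# query events (ID 22) and show which image resolved which name.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 22
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time  = $_.TimeCreated
            Image = $d['Image']
            Query = $d['QueryName']
        }
    } | Format-Table -AutoSize
```

Two points worth remembering when adapting this: an empty `onmatch="exclude"` block is the only way to get a given event type logged in full (leaving the type out of the file entirely keeps the default behaviour for that type, which for network connections and DNS queries is no logging), and because Sysmon rewrites nothing retroactively, re-running with `-c` after tightening the filters only changes what is logged from that point on.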